DB-Mehari 2010 Exc en 2-20

MEHARI 2010 - release 2-2
Mehari 2010 knowledge base

Worksheet
Objective
Description and pointers within the worksheets of the file.
If the security policy of your organisation forbids the use of macros, it will not be possible to use
Intro
Scheme of navigation within the knowledge base

Nav
Reminder of the public licence of MEHARI
License
Stakes analysis and asset classification module.
Classification tables
T1, T2 and T3
Asset classification
Classif
Security services diagnostic module (or Audit)
Domain 01 Org to 14 ISM Questionnaires relative to MEHARI security domains (01 to 14)
Services
Themes
ISO 27002
Recap of the quality of the security services

MEHARI security themes
ISO 27002 scoring table following the diagnostic of MEHARI security
services
Risk analysis module (identification, assessment and classification of risks)

Table of natural likelihood of threats (or natural exposure)
Expo
Table of risk scenarios including formulas for risk assessment
Scenarios
Risk%Asset
Display of seriousness for the scenarios based on the asset involved
Risk%event
Display fo the seriousness of scenarios based on the origin or event

considered
Risk treatment : options, risk reduction plans and follow on

Action_plans
Risk reduction plans selected
Obj_PA
Tab used for the selection of risk reduction plans
Obj_Projects
Tab used for the selection of risk reduction projects
Parameters and permanent elements of the method
This tab and the following are provided by the method
Vulnerabilities
Seriousness Table function on Impact and Likelihood
Seriousness
Impact and Likelihood tables for the scenarios
IP Grids
You can use the forum www.mehari.info to post questions, remarks or comments
Date
Revision status and comments
October 2010
April 2011
Edition 2-1
Edition 2-2
Edition of a few formulas in ISO scoring and IP grids
Methods space
Club de la Scurit de l'Information Franais
11, rue de Mogador, 75009 PARIS
T : +33 1 53 25 08 80 / F : +33 1 53 25 08 88
http://www.clusif.asso.fr/
in the worksheets of the file.

of macros, it will not be possible to use the masks below.
Classification tables:
T1, T2, T3 & Classif
Mask
Questionnaires:
from 01Org to 14 ISM
+ Themes & ISO 27002
scoring
Mask
Risk analysis:
Events,
Risks per asset or event
Risk treatment:
ActionPlans,
Obj_PA,
Obj_Projects
Mask
Mask
Grids for risk acceptability,

Impact and Likelyhood
Mask
evaluation
Translation managed by
Jean-Louis Roule
Jean-Philippe Jouas
Navigation in the knowledge base

Busines stakes
Threats
Vulnerabilities
T2
Expo
Security
services
Analyze and evaluate

risks
T1
T3
Classif
Impact
Themes
Potentiality or likelihood
Intrinsic seriousness
ISO 27002
Current seriousness
Risk%asset
Scenarios selection
Reduce
Treat
risks
Risk%event
Action_plans
Obj_PA
Retain
Obj_Projects
Planned seriousness
Avoid
Transfer
Public License agreement for Mehari 2010

Version 2010 : 12 January 2010
MEHARI is an Open Information security risk management methodology provided as a spreadsheet containing a knowledg
with attached document like:
- manuel de rfrence de la base de connaissances Excel,
Redistribution and use of this knowledge base and associated documentation ("MEHARI"), with or without modification, are
provided that the following conditions are met:
1. Redistributions in any form must reproduce applicable copyright statements and notices, this list of conditions, and the f
in the documentation and/or other materials provided with the distribution, and
2. Redistributions must contain a verbatim copy of this document.
3. No persons may sell this Methodology, charge for the distribution of this Methodology, or any medium of which this Meth
without explicit consent from the copyright holder.
4. No persons may modify or change this Methodology for republication without explicit consent from the copyright holder.
5. All persons may utilize the Methodology or any portion of it to create or enhance commercial or free software, and copy
software under any terms, provided that they strictly meet all of the above conditions.
The CLUSIF may revise this license from time to time.
Each revision is distinguished by a version number.
You may use Mehari under terms of this license or under the terms of any subsequent revision of the license.
MEHARI IS PROVIDED BY THE CLUSIF AND ITS CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLIED WARR
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PART
PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE CLUSIF, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF MEHARI BE LIABL
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTE
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF MEHARI EVEN IF ADVISED OF THE PO
SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or o
Mehari without specific, written prior permission from CLUSIF. Title to copyright in MEHARI shall at all times remain with c
MEHARI is a registered trademark of the CLUSIF.

Copyright 1997-2010 The CLUSIF, PARIS, France.
https://www.clusif.asso.fr/
NIVEAUX DE SENSIBILITE DES APPLICATIONS, DONNEES ET INFORMATIONS

Table T1
Business processes, domains of
application or activity,
CLASSIFICATION OF DATA
FONCTION
(description)
Common services
Asset type
Application
data (data
bases)
Application
data
individually
sensible
(transient,
Messages)
Shared Office
data
Personal
Office data
Personal
docu
ments
D01 D01 D01 D06 D06 D06 D02 D02 D02 D03 D03 D03 D04 D04
Listings
or prints
C
D05
Electronic
mail
Snail mail
Fax
Archived
docu
ments
Digitalized
archives
web data
on-line
(external or
internal)
D07 D07 D07 D08 D08 D08 D09 D09 D10 D10 D10 D11 D11 D11
Business Process
Domain 1 :
Domain 2 :
Domain 3 :
Domain 4 :
Domain 5
Domain 6 :
Domain 7 :
/
Domain N
Transverse Processes
Overall Management & policy
Classification
In order to add or suppress a business domain or process, use the line "add" or "suppress" functions.
The classification level is a value from 1 to 4, the maximum in each column is automatically copied out in the "classification" line
and reproduced into the "intrinsic impact table" (tab: Classif) for each type of data and criteria (A, I or C).
Le 01/04/2017
Page 5 / 654

Table T2
Business processes, domains of
application or activity,
Common services
CLASSIFICATION OF SERVICES
FUNCTION
(description)
Asset type
Common
Services,
working
environmen
t
Local Area
Network
Services
R01
R01
R02
R02
S01
S01
S01
S02
S02
S03
S04
S04
S05
S05
G01
G02
G02
Shared Office
Application Services
Services
Users'
disposal of
Equipments
IT Services
(Systems,
peripherals,
etc.)
Extended
Network
Services
Web editing
Service
Telecom
Services
Business Process
Domain 1 :
Domain 2 :
Domain 3 :
Domain 4 :
Domain 5
Domain 6 :
Domain 7 :
/
Domain N
Classification
In order to add or suppress a business domain or process, use the line "add" or "suppress" functions.
The classification level is a value from 1 to 4, the maximum in each column is automatically calculated in the "classification" line
and reproduced into the "intrinsic impact table" (tab: Classif) for each type of service and criteria (A, I or C).
Le 01/04/2017
Page 6 / 654
Le 01/04/2017
Page 7 / 654
T3
Table T3
Business processes, domains
of application or activity,
Common services
CLASSIFICATION OF the COMPLIANCE to LAWS AND REGULATIONS relative to:

FUNCTION
(description)
Asset type
personal
information
protection
financial
communication
digital accounting
control
intellectual
property
C01
C02
C03
C04
Business Process
Domain 1 :
Domain 2 :
Domain 3 :
Domain 4 :
Domain 5
Domain 6 :
Domain 7 :
/
Domain N
Classification
There is only one criteria for classification:

E: Efficiency (of the management process in order to comply to the legal, regulatory or contractual requirements, for the
Domain)
Page 8
T3
ND REGULATIONS relative to:

the protection of
information
systems
people safety and

protection of
environment
C05
C06
contractual requirements, for the
Page 9
Intrinsic Impact table

Data and information assets
Service assets
Data and information

D01 Data files and data bases accessed by applications
D02 Shared office files and data
D03 Personal office files (on user work stations and equipments)
D04 Written or printed information and data kept by users and personal archives
D05 Listings or printed documents
D06 Exchanged messages, screen views, data individually sensitive
D07 electronic mailing
D08 (Post) Mails and faxes
D09 Patrimonial archives or documents used as proofs
D10 IT related Archives
D11 Data and information published on public or internal sites
General Services
G01 User workspace and environment
G02 Telecommunication Services (voice, fax, audio & videoconferencing, etc.)
IT and Networking Services
R01 Extended Network Service
R02 Local Area Network Service
S01 Services provided by applications
S02 Shared Office Services (servers, document management, shared printers, etc.)
S03 Users' disposal of Equipments (workstations, local printers, peripherals, specific interfaces,
etc.)
Nota : Applies to a massive loss of these services, not for one or few users.
S04 Common Services, working environment: messaging, archiving, print, editing, etc.
S05 Web editing Service (internal or public)
Management process type of assets
Management Processes for compliance to law or regulations

C01 Compliance to law or regulations relative to personal information protection
C02 Compliance to law or regulations relative to financial communication
C03 Compliance to law or regulations relative to digital accounting control
C04 Compliance to law or regulations relative to intellectual property
C05 Compliance to law or regulations relative to the protection of information systems
C06 Compliance to law or regulations relative to people safety and protection of environment
Nota : Grey cells represent those asset security criteria for which, in general, no classification is needed and no
scenario exists in the knowledge base.
Lgende :
A
Availability
I
Integrity
C
Confidentiality
E
Efficiency (of the management process, regarding compliance to law and regulations). For
this criteria, the decision grid L will be used for impact reduction.
341702815.xls ! Classif
10
Dcembre 2006
Asset
selection
For selecting an asset, set a 1 in the F column

(asset selection)
For unselecting an asset, set a 0
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
341702815.xls ! Classif
11
Dcembre 2006
Audit Questionnaire : Organization of security

Number
01A
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
ISO 27002
Roles and structures of security
01A01
Organization and piloting of general security
01A01-01
Do all areas concerned with security have a dedicated manager (computer and telecom security, general security in the workplace
(documents, fax, telephone), general physical security of the sites and premises) or a designated point of contact (HR for
awareness and training, work contracts, user account and access rights management, responsibility for disciplining malicious acts
or internal negligence)?
01A01-02
For each security manager, is there a clear definition of the job function detailing, in particular, its objectives, responsibilities and
interfaces with other areas concerned with security?
01A01-03
Are security management actions represented on dashboards and regularly reviewed?
E2
01A01-04
Is there a committee or structure bringing together all security managers, from all disciplines, in order to coordinate the various
security related actions and able to make transversal decisions and does it meet regularly?
R1
01A01-05
Is the approach to security clearly recognized and supported by senior management?
E2
01A02
E1
E2
Organization and piloting of Information Systems security
01A02-01
Is there a document describing the security policy related to information systems and in particular the organization, management
and piloting of security (roles and responsibilities) as well as the fundamental principles underlying information security
management?
E1
5.1.1
01A02-02
Is this Security Policy revised, on a regular basis or when major changes are done, to ensure the upholding of its relevancy and
efficiency?
E2
5.1.2
01A02-03
Have the structure and organization of the management of information systems security been defined in detail: CISO, local
responsibilities and contacts, roles and responsibilities towards operational managers and is this organizational structure in
operation?
E2
6.1.2
01A02-04
Has this structure the capacity to alert senior management without delay in the case of a serious incident?
E2
6.1.2
01A02-05
Have the mode of managing security and the decision processes been defined in detail : methodology used (for audit of exposure,
risk analysis etc.), associated tools, actors (organization, support, training, expertise, advice etc.)?
E2
6.1.2
01A02-06
Have the respective roles of security managers, operational managers and managers of functional domains (information owners)
been clearly defined with regard to final decision making and arbitration?
E2
6.1.3
01A02-07
Has a mode of information systems security piloting been defined: dashboards (contents and frequency), management structure,
orientation and reporting?
E2
6.1.3
01A02-08
Is an annual information systems security plan established which brings together all action plans, means to put in place, planning,
budget?
01A02-09
Is the Company's Management involved in the organization of the information security, particularly in the development and the
approbation of the security policy, responsibilities definition, resource allocation, and the efficiency control of the actions taken?
E2
6.1.1
01A02-10
Is a contact maintained with the concerned authorities regarding information security and crisis situation (Police, Reporting
Services, Legal Administration, Firemen, Public Services, etc.) ?
E2
6.1.6
01A02-11
Does the organization improve knowledge about best security practices and maintain contacts with interest groups, associations,
conferences, etc?
E2
6.1.7
01A02-12
Are the responsibilities and procedures established to provide quick and efficient solutions to the security incidents?
E2
13.2.1; 13.1.1
01A02-13
Is there a procedure for regularly updating organizational documents related to information systems security in line with changing
organization structures?
R1
6.1.8
01A03
E2
General reporting system and incident management system
Mise jour : janvier 2010
341702815.xls ! 01 Org
page 12

Number
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
01A03-01
Is there an incident reporting system which relays incidents to Information Systems Security correspondents including an incident
summary for the CISO?
01A03-02
Does this reporting system include all incidents (operation, development, maintenance, usage of the information system) physical,
logical or organizational?
01A03-03
Does this reporting system include malevolent actions and failed attempts to breach security?
01A03-04
Is this reporting system applied in all locations and organizations including subsidiaries?
01A03-05
Are the form and description of incidents recorded in a database enabling continuous improvement as well as easy selective
access in order to be able to follow up the resolution of individual incidents?
01A03-06
Is the collection of forensic proofs performed each time a legal action is considered?
01A03-07
Is the implementation and updating of the incident management system followed-up using a dashboard and a regular review which
are transformed into action plans?
R1
E2
01A04
E1
13.1.1
E1
13.1.1
E3
13.1.1
E2
13.1.1; 13.2.1
E2
13.2.2
E2
13.2.3
Organization of audits and audit program
01A04-01
Has the security function communicated to internal auditors (or the structure responsible for internal audits) a reference guide
related to the information system security, describing in particular, the obligations of each category of personnel, the mandatory
directives and the recommendations?
01A04-02
Is the procedure, allowing derogation from internal directives, written into the audit reference documentation and is the procedure
auditable?
E2
01A04-03
Is there a coordination structure or a procedure enabling information security managers to define the annual audit program or to
participate in its definition?
E3
01A04-04
Is the CISO informed of the audit results which concern information systems security?
01A04-05
Is the CISO informed of summary audit results not specifically related to information systems security and does (s)he have access
to corresponding detailed audit reports?
01A04-06
Has the annual audit program been presented to and approved by the management?
01A04-07
Is the organization of annual information system audits subject to a regularly reviewed and followed-up dashboard?
R1
E1
01A05
ISO 27002
E2
E2
E2
Crisis management related to information security
01A05-01
Is there a crisis plan in all buildings which details, as a function of various symptoms, the names and contact details of all persons
to notify in order that they may effect an initial diagnosis and, as a function of this diagnosis, the members of the crisis team to
convoke and the most urgent actions to carry out?
01A05-02
Is there an alert procedure, distributed to the entire organization, which enables directly or indirectly (via surveillance personnel) to
contact the various persons likely to initiate a crisis plan?
01A05-03
Does the crisis plan describe in detail the major crisis situations linked to information systems and does it address issues specific
to them?
E2
01A05-04
Does the crisis plan include the implementation of corresponding logistical means (equipped war room, communications etc.)?
E2
01A05-05
Are there tools or procedures which enable the updating of the crisis plan and is this updating audited?
R1
E1
Security Reference Guide
01B
01B01
Obligations and responsibilities of personnel and management

This includes all staff, internal and external (temporary contractors, trainees, etc.)
01B01-01
Are the responsibilities and obligations of staff with regard to the usage, preservation, archiving and non disclosure of information
detailed in a memo or document available to management?
E1
01B01-02
Does this document specify the personnel's duties and responsibilities regarding the use and protection of the authentication
means (passwords, keys, tokens, badges, etc.) at its disposal?
E2
341702815.xls ! 01 Org
11.3.1
page 13

Number
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
ISO 27002
01B01-03
Do the personnel's duties and responsibilities specify how to react when the workstation is left vacant (logout, logoff, screen
savers, lock-out, etc.) ?
E2
01B01-04
Are the obligations and responsibilities of personnel related to the usage and protection of assets and resources belonging to the
company detailed in a memo or document available to management?
E2
01B01-05
Does this document detail what is tolerated and the limits that cannot be disregarded (personal use of company possessions for
example)?
E2
01B01-06
Does this document detail the course of action in case of excess or abuse?
E2
01B01-07
Is there a formal disciplinary process to cover a breach to security rules or infringement of procedure?
E3
01B01-08
Are the obligations and responsibilities of management in the domain of protection of information and of company resources
detailed in a document distributed to all staff managers?
E2
01B01-09
Are the Management's duties and responsibilities at the time of an employee's termination or change of functions (internal or
contract) defined and specified by a procedure or a document disclosed to all the managers ?
E2
8.3.1
01B01-10
Does the previous procedure (or the equivalent document) cover the questioning and deletion of access rights to all relevant parts
of the information system?
E2
8.3.3
01B01-11
Are all documents or charters concerning staff obligations and responsibilities authenticated?
E3
01B01-12
Are the Managers ensuring and held accountable for their colleagues' compliance to the policies and standards in force?
R1
01B01-13
Is there a regular review of such documents or charters relating to staff obligations and responsibilities?
R1
01B02
11.3.2
15.1.5
8.2.3
15.2.1
General directives related to information protection
01B02-01
Is there document defining the general rules for site protection from external threats, the required conditions for access to each site
from outside and the protection of sensitive premises?
E2
11.4.2
01B02-02
Is there a document defining the general rules to apply in order to protect the internal network from external threats, the conditions
required to access the internal network from the outside and vice versa and the separation required between internal subnetworks?
E2
11.4.2; 11.4.5
01B02-03
Is there a document defining the general rules applied to the access protection of computing resources (storage and networking
elements, systems, applications, data, media, etc.) and the conditions required for the granting, the management and control of
access rights?
E2
10.8.1; 10.7.3
01B02-04
Are these rules established according to the concerned assets' classification level?
E2
10.7.3; 10.8.1;
7.2.2
01B02-05
Is there a document defining the rules applied to the usage of computing (networks, servers etc.) and communications resources?
E2
10.8.1; 11.4.1;
10.7.3
01B02-06
Is there a document defining the general rules applied to software development and security considerations in project
management?
E2
10.7.3
01B02-07
Is there a document defining the general day-to-day rules applicable to the management of the working environment (documents,
workstations, telephone, fax, off-site work)?
E2
10.8.1; 11.3.3;
10.7.3
01B02-08
Is there a document defining additional security procedures to apply regarding mobile computing and teleworking?
E2
10.8.1; 11.7.1
01B02-09
Is there a document setting out the requirements, responsibilities and procedures to apply to protect archives that are important for
the company?
E1
15.1.3
01B02-10
Do the overall regulatory, contractual, and legal requirements explicitly identified, and does their application by the organization
appear in an updated document?
E2
15.1.1
01B02-11
Are the resources and solutions available to managers and users in line with above documents?
E2
01B02-12
Are the rules concerning information and resource protection easily accessible to all staff (for example via intranet)?
E2
341702815.xls ! 01 Org
page 14

Number
01B02-13
01B03
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Is there a procedure to control or audit the relevance and authenticity of the rules, pertaining to information protection and
information system resources, distributed to all staff?
Max
Min
Typ
ISO 27002
R1
Classification of resources
01B03-01
Is there a hierarchy or system enabling the classification of information assets reflecting their protection as a function of the context
of the organization and taking into account availability, integrity and confidentiality?
01B03-02
Does this categorization scheme define the marking of different types of assets according to its classification?
01B03-03
Have information sources (documents, data, files, databases etc.) been classified as a function of the impact that a security breach
might have on the organization?
01B03-04
Has the classification been effected for each of the criteria availability, integrity and confidentiality?
01B03-05
Have sensitive resources been classified (information systems, telecom equipment, sites etc.) as a function of the impact that a
security breach affecting these assets might have on the organization?
E2
01B03-06
Has this classification been effected for each of the criteria availability, integrity, confidentiality?
E2
01B03-07
Have sensitive programs and transactions been classified as a function of the impact a security breach on these assets might have
on the organization?
E2
01B03-08
Has this classification been effected for the criteria availability, integrity and confidentiality?
E2
01B03-09
Are these classifications easily available when needed to the staff concerned?
E2
01B03-10
Is there a procedure for regular review of the classifications and is this procedure controlled?
E3
7.2.1
01B04
E1
E2
7.2.2
E2
7.2.1
E2
Asset management
01B04-01
Are the types of assets - that need to be identified and inventoried - defined?
Assets can be information (databases, files, contracts, agreements, documentation, guides, procedures, plans, archives, etc.),
software (applications, firmware, middleware, tools and utilities, etc.), equipment (computers, network equipment, media, etc.),
services and supporting utilities (energy, heating, air conditioning, etc.), people or know-how, intangible assets such as reputation
or image.
E2
7.1.1
01B04-02
Is an inventory of the types of assets - as identified and defined herein - kept up-to-date?
E2
7.1.1
01B04-03
Is an "owner" appointed for each identified and inventoried asset?

An owner is the individual or the entity appointed to assume responsibility of the development, maintenance, operation, use and
security of this asset. The word owner does not mean that the individual or entity holds a property right for this asset.
E2
7.1.2
01B04-04
Is an acceptable set of usage rules defined and documented for each asset?
This implies, particularly, defining the private use an employee can make of the company's assets.
E2
7.1.3
01B04-05
Are the rules regarding the return to the company or organization of assets entrusted to employees at the time of termination or
change of functions clearly defined and set forth by Management ?
E2
8.3.2
01B04-06
Are there rules regarding outside taking of asset (prior authorization, authorized individuals, log for returning or taking asset
outside, deletion of unnecessary data, etc.)?
E2
9.2.7
01B05
Protection of assets having value of evidence
01B05-01
Have the assets that may be used as elements of evidence been identified and itemized?
E2
01B05-02
Has it been identified, for each of these assets, the proclamations that it would allow to check and the associated checking
process?
E2
01B05-03
Has it been analyzed, for each verification process, reasons that could foil or weaken the capacity to provide conviction?
E2
01B05-04
Have all necessary measures been taken consequently?
E2
01B05-05
Is the aptness of these measures periodically reviewed?
R2
341702815.xls ! 01 Org
page 15

Number
01B05-06
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Are these measures periodically subject to an audit?
Max
Min
Typ
C1
ISO 27002
Human Resource Management
01C
01C01
Staff involvement, contractual clauses
01C01-01
Has a note been distributed to all personnel (including temporary staff) detailing staff obligations and responsibilities such that they
cannot deny having received it?
E2
6.1.5; 8.1.3
01C01-02
Is there, within work contracts or within internal regulations, a clause which clearly states the obligation to adhere to the security
rules in force?
E2
6.1.5; 8.1.3
01C01-03
Has a note been distributed to all personnel informing them of all legal, regulatory or contractual obligations?
E2
6.1.5
01C01-04
Are the security obligations and responsibilities embodied in contracts (in either of general or specific clauses) of all staff acting for
the organization and who for this reason may have or require access to information or sensitive resources?
E3
6.1.5
01C01-05
Are contractor companies, who may have access to sensitive information or systems, obliged to ensure that all staff sign a
personal commitment that they will abide by the specified security clauses?
E3
6.1.5
01C01-06
Is Management responsible to ensure that the personnel, contractors and third parties respect the company's security policies and
procedures?
E2
8.2.1
01C01-07
Is there a control procedure validating and authenticating all rules distributed to staff?
R1
01C02
Management of strategic personnel, partners and providers
01C02-01
Are strategic skills regularly identified in the organization?
E2
01C02-02
Are backup solutions available in the absence of strategic skills?
E3
01C02-03
Are strategic partners and service providers regularly identified?
E2
01C02-04
Are backup solutions ready for the unavailability of strategic partners or providers?
E3
01C02-05
Are these backup solutions regarding internal staff or providers ) able to guarantee the normal functioning of the organization
without major disruption?
E3
01C02-06
Are strategic personnel subject to specific career management?
01C02-07
Are strategic partners subject to a specific contractual management?
01C02-08
Is there a relevant control and update procedure for the preceding measures?
01C03
E3
E3
3
R1
Staff screening procedure
01C03-01
Is there a preliminary information procedure for the personnel (internal or contractual) regarding its duties and responsibilities, and
security requirements before any assignment or hiring?
E2
8.1.1
01C03-02
Is screening information collected at time of recruitment of staff likely to be involved in sensitive tasks?
E2
8.1.2
01C03-03
Have external contractors, working on site on sensitive tasks, been checked for security clearance approval by an official
organization?
E2
8.1.2
01C03-04
Is additional (clearance) information collected when staff are affected to sensitive tasks?
NB: an open interview may be used in order to avoid placing people in a situation of conflict of interest
E2
8.1.2
E1
8.2.2
01C04
Awareness and training in security
01C04-01
Is there a program to raise awareness of staff to risks of accident, error or malevolence in the processing of information?
01C04-02
Are all staff members trained on a regular basis in security awareness?
E2
8.2.2
01C04-03
Is there a program to train staff in the rules and general measures of information protection?
E2
8.2.2
01C04-04
Do these rules and general measures cover all relevant domains (documents, computer equipment, premises, systems and
application access, telephone, fax, behavior in meetings and out of office etc.)?
E2
8.2.2
341702815.xls ! 01 Org
page 16

Number
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
ISO 27002
01C04-05
Are these rules and general measures easily accessible to staff in case of need (intranet for example) and has communication
been done on this matter?
E2
8.2.2
01C04-06
Do these regulations specify reporting processes for the incidents and faults observed, and how to react?
E2
13.1.2
01C04-07
Do people with responsibility for security issues receive regular relevant training?
E2
01C04-08
Is there a dashboard detailing the effective implementation of actions related to security awareness and training?
R1
01C04-09
Is there a follow up carried out of the level of satisfaction and compliance of staff related to actions of raising awareness and
training in information systems security?
R1
01C05
Third Parties Management (partners, suppliers, clients, public, etc.)
01C05-01
Have the risks associated with access by third-party personnel (providers) to the information system (in full or in part) or on the
premises containing information been assessed, and thus the necessary security measures been defined?
E2
6.2.1
01C05-02
Have the risks associated with client or public's access to the information system (in full or in part) or on the premises containing
information) been assessed, and thus the necessary security measures been defined?
E2
6.2.2
01C05-03
Have the risks associated to information or software transfers to a third party been assessed and have the procedures and
responsibilities for each party been formalized by contract?
E2
10.8.2
01C05-04
Have the overall security clauses been defined, that should be included in each Agreement signed with a third party involving an
access to the information system or to the premises containing information?
The information system, including any data support or means of processing, carrying or communicating information.
E2
6.2.3
01C05-05
Are all accesses by a third party to the information system or on the premises containing sensitive information authorized uniquely
after a formal Agreement restating these clauses?
E3
6.2.3; 15.1.5
01C06
People Registration
01C06-01
Are there formal registration and revocation procedures for the individuals?
E2
11.2.1
01C06-02
Do these procedures involve personnel management and hierarchy?
E2
11.2.1
01C06-03
Is a unique identifier (ID) assigned to each user (employee, external, etc.) who could have access to the information system?
E2
11.2.1
01C06-04
Are the rights granted to the users as they register (shared services, messaging, etc.) approved by the owners of the concerned
assets?
E2
11.2.1
01C06-05
Are all users kept informed, at time of registration, of all the vested rights and of his/her duties regarding any adjudication of rights
(vested at the time of registration or he/she could be granted afterwards)?
E2
11.2.1
01C06-06
Are these procedures controlled and are possible defects documented and corrected in real time?
The responsiveness of the managerial chain must forbid exception procedures that may result from delays with (de)registration
processes.
R1
11.2.1
E1
Insurance
01D
01D01
Insurance against property (or material) damages
01D01-01
Are information systems covered by an insurance policy which accounts for material damage (fire damage, miscellaneous risks
and accidents, damage to machines, all computing risks, "all risks except", named risks etc.)?
01D01-02
Does the insurance policy cover all computer and telecommunications systems, cabling and computer rooms?
E2
01D01-03
Does the insurance policy cover all usual causes of disaster: accident (fire, water damage, lightning etc.), human error, sabotage,
vandalism (including by company personnel or third party engaged in operations, maintenance or upkeep)?
E2
341702815.xls ! 01 Org
page 17

Number
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
01D01-04
Does the insurance policy cover (real) costs of information system re-initialization incurred by a disaster (installation, restart and
system test, data and media reconstruction)?
E2
01D01-05
Does the insurance policy cover all additional operational costs (continuing expenses and fees, avoid or limit halting of work
activity)?
E2
01D01-06
Does the insurance policy cover costs incurred by the company in order to re-establish its image with clients or partners?
01D01-07
Does the insurance policy cover the global losses incurred by the disaster?
01D01-08
Is the coverage of computer and information system (exclusions, guarantees) decided jointly with Information Technology
management and updated regularly?
01D01-09
Does the level of guarantee and deductible cover the survival of the company in the case of a disaster?
E2
01D01-10
Does the level of guarantee and deductible allow the company to survive a disaster without major consequences?
E2
01D02
E2
3
E2
E2
Insurance of consequential losses (non-material damages)
01D02-01
Are the information systems covered by an insurance policy which covers non material damage (malevolence, non authorized
usage, accidental loss of data or programs, denial of service)?
01D02-02
Does this policy cover all computer systems (internal systems, intranet, extranet, web sites etc.)?
E2
01D02-03
Does the contract cover the usual causes of this type of damages: accident (breakage, bugs etc.), human error (data entry errors,
programming errors etc.), malicious entry (frauds, intrusions, service denial, including company personnel or third party responsible
for its operation or maintenance)?
E2
01D02-04
Does this contract cover all (real) costs of investigation and research of the causes and consequences of the disaster?
E2
01D02-05
Does the insurance contract cover (real) costs of re-initialization of information systems affected by the disaster (restart costs and
cost of tests following restart, costs of data reconstruction)?
E2
01D02-06
Does this contract cover all additional operating costs (cover of costs and expenses liabilities, costs incurred to limit operational
shutdown)?
E2
01D02-07
Does the insurance policy cover additional costs incurred by the organization to re-establish its image with clients or partners?
01D02-08
Does the policy cover overall loss of turnover incurred due to the disaster?
01D02-09
Is the choice of computer and information system cover (exclusions, guarantees) decided jointly with Information Technology
management and reviewed regularly?
01D02-10
E2
01D02-11
E2
01D03
ISO 27002
E1
E2
3
E2
E2
Personal Liability Insurance (PLI)
01D03-01
Is the organization covered by personal liability insurance including the consequences of computer disasters (Professional Liability,
Product Personal Liability)?
E1
01D03-02
Does the contract cover the usual causes of this type of damages: accident (breakage, bugs etc.), human error (data entry errors,
programming errors etc.), malicious entry (frauds, intrusions, service denial, including company personnel or third party responsible
for its operation or maintenance)?
E2
01D03-03
E2
01D03-04
Is the choice of computer and information system cover (exclusions, guarantees) decided jointly with Information Technology
management and reviewed regularly?
E2
01D03-05
341702815.xls ! 01 Org
E2
page 18

Number
01D03-06
01D04
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
E2
Insurance against loss of Key Personnel
01D04-01
Is the organization covered by insurance covering exposure to loss of key personnel?
01D04-02
Does the contract cover all possible causes of loss of key personnel such as airplane or automobile accidents, illness, individual or
group resignation?
E2
01D04-03
Does the insurance policy cover additional running costs incurred by loss of key personnel?
E2
01D04-04
E2
01D04-05
Does the insurance policy cover operational losses incurred by the disaster?
E2
01D04-06
Is the choice of computer and information system cover (exclusions, deductibles) decided jointly with Information Technology
management and updated regularly?
E2
01D04-07
Does the level of guarantee and deductibles cover the survival of the company in the case of a disaster?
E2
01D04-08
Does the level of guarantee and deductibles allow the company to survive a disaster without major consequences?
E2
01D05
ISO 27002
E2
Management of insurance contracts
01D05-01
Is there a person responsible for the insurances within the organization?
E1
01D05-02
Is the level of guarantee for IT related assets the result of a specific study made in conjunction with the IT department (on the
basis of a risk analysis carried out recently -within less than three years)?
E1
01D05-03
Is there a regular check (at least once per year) of the insurance contracts by the insurance manager, in consultation with the
relevant sector managers, with an adjustment of the cover with the broker or insurance agent if required?
E2
01D05-04
Is there a regular check (at least once per year) of the insurance contracts by the insurance manager, in consultation with the
relevant sector managers, with an adjustment of the cover with the broker or insurance agent if required?
E2
01D05-05
Do the relevant sector managers participate in the study of the coverage limits (exclusions, deductible, ceiling, etc) defined in the
contracts?
E2
01D05-06
Has there been an analysis of the transfer of risks depending to the various types of partners ?
E.g. service and product providers, hosting services, clients
E2
01E
Business continuity
01E01
Taking into account the need for business continuity
01E01-01
Has an analysis been carried out of the criticality of applications in order to underscore the requirements of service continuity?
An in-depth analysis supposes that a list of incidents or failure scenarios and all the foreseeable consequences is established
E1
14.1.2
01E01-02
Has this analysis allowed the minimum service requirements to be defined for each application and system and have these
minimum service requirements been accepted by the users (information owners)?
E1
14.1.2
01E01-03
Are there processes, regularly implemented, for risk analysis linked to information, possibly leading to a disruption of the company
activities and thus a definition of the security requirements, responsibilities, procedures to apply and implement to allow the
development of a business continuity plan?
E2
14.1.1
E1
14.1.3
E2
14.1.3
E2
14.1.3
01E02
Business continuity Plans
01E02-01
Have Business Continuity Plans (BCP) been designed, from a criticality analysis, for each critical activity?
01E02-02
Do these plans foresee all measures to undertake to ensure business continuity between the alert and the eventual
implementation of alternative solutions set forth by the technical Disaster Recovery plans?
01E02-03
Do these plans cover all organizational aspects related to the "manual" continuity solution (personnel, logistics, coaching, etc.)?
341702815.xls ! 01 Org
page 19

Number
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
ISO 27002
01E02-04
Have instructions and training been given to implied personnel for the operation of the continuity plans?
01E02-05
Do the business continuity plans include procedures for returning to normal activity?
01E02-06
Is there a crisis trigger plan associated with each of these plans?
01E02-07
Does implementation of these plans result in an acceptable level (impact limited to 2) of all critical malfunctions?
This question is intended to insure that the effectiveness of this service is not overstated.
01E02-08
Is there a manager responsible for the creation, monitoring, and testing of these plans?
C1
14.1.5
01E02-09
Are these plans tested regularly (at least once a year)?
C1
14.1.5
01E02-10
Are the test results analyzed by management and the relevant stakeholders?
C1
14.1.5
01E02-11
01E03
Are updates to plans audited regularly (at least once a year)?
14.1.3
E2
14.1.3
E2
2
Are the business continuity plans updated regularly?

An update should be required to take account of changes in personnel concerned, technical changes, or the results of tests.
01E02-12
E2
E2
14.1.5
C1
R1
E1
Workplace Recovery Plans (WRP)
01E03-01
Are there recovery solutions to reduce the impact if the work environment is not available (workplace unavailable, power outage,
telephone outage, etc)?
01E03-02
Are these solutions described in detail in the Workplace Recovery Plans (WRP), including trigger rules, actions to take, priorities,
people to mobilize and their contact details?
01E03-03
Are these plans tested at least once a year?
R1
01E03-04
Is the case of failure or non-availability of a crisis solution envisaged, and for each case is there a secondary backup plan?
R2
01E03-05
Are the recovery solutions usable for an unlimited period of time, and if not, has a second solution been identified to replace the
initial solution after a predetermined time period?
E2
01E03-06
Is the existence, relevance, and activation of the WRP audited regularly?
C1
341702815.xls ! 01 Org
E1
page 20
Comments
341702815.xls ! 01 Org
page 21
Comments
341702815.xls ! 01 Org
page 22
Comments
341702815.xls ! 01 Org
page 23
Comments
341702815.xls ! 01 Org
page 24
Comments
341702815.xls ! 01 Org
page 25
Comments
341702815.xls ! 01 Org
page 26
Comments
341702815.xls ! 01 Org
page 27
Comments
341702815.xls ! 01 Org
page 28
Comments
341702815.xls ! 01 Org
page 29
341702815.xls ! 01 Org
page 30
341702815.xls ! 01 Org
page 31
341702815.xls ! 01 Org
page 32
341702815.xls ! 01 Org
page 33
341702815.xls ! 01 Org
page 34
341702815.xls ! 01 Org
page 35
341702815.xls ! 01 Org
page 36
341702815.xls ! 01 Org
page 37
341702815.xls ! 01 Org
page 38
341702815.xls ! 01 Org
page 39
341702815.xls ! 01 Org
page 40
341702815.xls ! 01 Org
page 41
341702815.xls ! 01 Org
page 42
341702815.xls ! 01 Org
page 43
341702815.xls ! 01 Org
page 44
341702815.xls ! 01 Org
page 45
341702815.xls ! 01 Org
page 46
341702815.xls ! 01 Org
page 47
Audit Questionnaire: Sites Security

Number
02A
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
ISO 27002
Physical access control to the site and the building

Here is considered control of access to the whole of the site or the building, or a certain number of
floors, which represents the "site" in which are situated the sensitive locations
02A01
Management of access rights to the site or building
02A01-01
Are permanent or semi permanent (for a specific length of time) access rights to each site or building (or to a number of floors)
based on typical profiles (staff on permanent or limited contracts, temporary staff, students, service providers etc.) and to
functional roles in the organization?
Access rights should be granted to activity profiles and not to named individuals.
E1
02A01-02
Is there a list, kept up-to-date, of these profiles and the people responsible for granting access rights for each of them?
E2
02A01-03
Are the rights and the validity conditions attributed to profiles reviewed by the site or general security manager?
E2
02A01-04
Do the profiles also allow definition of working time limits (daily hours and periods in the working calendar, weekends, holidays
etc.)?
E2
02A01-05
Are these rights and profiles as defined above protected against any possibility of alteration or falsification during their storage or
when transferred between decision makers and the personnel in charge of implementing the rights?
R1
02A01-06
Is there a regular audit, at least once a year of all rights attributed to the various categories of personnel and a review of the
pertinence of those access rights?
C1
02A02
Management of access authorizations granted to the site or the building
02A02-01
Does the procedure of granting permanent or semi permanent access authorization require the formal acceptance of line
management or of the unit managing the external contractor (at a sufficiently senior level)?
An access authorization is granted to a person, it may provide access rights based on the job profile he or she is linked to. It is
usually materialized by a badge carried by the employee.
E1
02A02-02
Is the procedure for granting (or modification or retraction) of access authorization documented and strictly controlled?
A strict control requires a formal recognition of the signature (electronic or otherwise) of the requestor, that the implementation of
the profile attributed to users is highly secure and that each operation is recorded (mentioning the date of issue of the badge and
its length of validity) that there be a reinforced access control over the modification of such records and that any modification of
records be logged and audited.
E2
02A02-03
Are access authorizations granted to named individuals as a function of their profile?
E2
02A02-04
Are the access authorizations to the site materialized by a badge or a card?
E2
02A02-05
Are these access authorization badges or cards personalized i.e. with the name and picture of the owner?
E2
02A02-06
Can the list of valid access authorizations and corresponding profile be reviewed at any time?
02A02-07
Is there a rapid and systematic process for revoking access authorizations (revocation of the badge to the automatic access
control equipments) and return of the corresponding badge or card at the time of departure of internal or external personnel,
change of site attachment (when the authorization is site dependent) or at the end of mission?
02A02-08
Is there a procedure enabling the subsequent detection of irregularities in the management of access authorizations (badge or
card not returned, usage of a lost badge, false badge etc.)?
02A03
02A03-01
E2
2
E2
C1
Access control to the site or the building

Is the site completely enclosed by a perimeter fence which is difficult to cross or to scale?
For a building on the public highway to be considered secure, all windows on the ground floor must be locked shut and all access
points must have been taken into consideration (garages or underground car parks, roof etc.)
341702815.xls ! 02 Sit
E1
9.1.1
page 48

Number
1 variant
W
Max
02A03-02
Is there an operational system (automatic or by security guard) for controlling pedestrian and vehicular access to the site?
E2
02A03-03
Does this system guarantee that all people entering are checked?
An efficient control assumes a double or revolving door, or a security guard who allows only one person to pass at a time (for
pedestrians) and for vehicles entering the site, controls all people present in the vehicle.
E3
02A03-04
Does such a system, if dependent on a badge, guarantee that the same badge cannot be used by a second person (by, for
example, memorizing all entries and not allowing a further entry without an intervening exit)?
02A03-05
In the case where presentation of a badge or card is required to gain access to a site, is there the possibility to immediately
validate the authenticity and validity of the card or badge?
E2
02A03-06
Are the automatic access control systems under 24 hr surveillance enabling the detection of a failure, a system deactivation or
the usage of emergency exits in real time?
R1
02A03-07
Is there a procedure or automatic alert enabling the immediate intervention of security personnel in the case of failure of the
access control system (or the usage of an emergency exit)?
R2
02A03-08
Is there a control procedure enabling the detection of irregularities in the access control procedure (audit of procedures and
parameters of access control systems, audit of exceptions and of interventions etc.)?
C1
02A04
Question
R-V1 R-V2 R-V3 R-V4
Min
Typ
E3
9.1.1
Intrusion detection to the site or the building
02A04-01
Is there an operational intrusion detection system to the site, linked to a 24 hr monitoring center?
02A04-02
Does this system detect all boundary incursion, all forced attempts to open locked exits (windows and doors), all opening of
emergency exits and all exits kept open abnormally?
E2
02A04-03
Is this system backed up by a video and audio control system which allows the surveillance team to make a first analysis or
dismiss uncertainty from a distance?
E3
02A04-04
Is the surveillance team dedicated to its task, having only security responsibilities and are any alarms immediately detected and
treated as the highest priority?
E3
02A04-05
In the case of an intrusion detection alarm, does the surveillance team have the possibility of sending out an intervention team
without delay to verify the cause of the alarm and to take appropriate action?
E2
02A04-06
Sites Security
E3
02A04-07
Is there an advisory document clearly stating exactly what action to take in the case of each alarm envisaged?
02A04-08
Is the intrusion detection system itself under surveillance (alarm in the case of inhibition, auto-surveillance by camera etc.)?
R1
02A04-09
Are intrusion control points and procedures for reaction to intrusions audited regularly?
C1
02A05
ISO 27002
9.1.1
E2
9.1.1
E2
Access to the loading and unloading areas (goods receipt and consignment) or to areas open to public
02A05-01
Are there specific access control mechanisms from outside through delivery and loading zones in place?
E2
9.1.6
02A05-02
Are the delivery and loading zones established in such a way that the delivery men cannot have access to inner parts of the
building or the site?
E2
9.1.6
02A05-03
Are there specific measures allowing to isolate the moves of external public and the access from the rest of the building?
E2
9.1.6
E3
9.1.4
02B
Protection Against Miscellaneous Environmental Risks
02B01
02B01-01
Analysis of Miscellaneous Environmental Risks

Has a thorough and systematic analysis of all the conceivable environmental risks for the site been conducted?
Potential risks are : Avalanche, hurricane, storm, flooding, forest fire, land slide, earthquake, Volcano, broken dam or dike,
torrential flood, falling rocks, collapse, gullies, drought
341702815.xls ! 02 Sit
page 49

Number
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
ISO 27002
02B01-02
Has a thorough and systematic analysis of all the conceivable industrial risks for the site been conducted?
Potential risks are: high risk site nearby (Seveso like), dangerous internal installations, gas station, transport of dangerous
materials...
E3
9.1.4
02B01-03
Was each situation considered highly improbable or were appropriate measures taken?
E3
9.1.4
11.1.1
02C
Control of access to office areas
02C01
Partitioning of office areas into protected zones
02C01-01
Has it been established a management policy for access rights to office area, built from an analysis of the security requirements
based on the business stakes?
E1
02C01-02
Have office areas been partitioned into protected security zones corresponding to homogeneous security constraints and spaces
of confidence within which information can be freely exchanged?
E2
02C01-03
Has it been ensured that the access control rules to assets are coherent with this partitioning into protected zones?
Assets considered may be data, documents and equipments installed within these zones or accessible from them.
E2
02C01-04
Have specific procedures been defined for each kind of external person, including providers, induced to intervene in the offices
(consultants, maintenance or cleaning staff, etc.): specific budge, accompanying person, previous authorization mentioning the
identity of the beneficiary, etc)?
02C01-05
Is there a systematic updating process for the partitioning rules of the office zones?
C1
02C02
E2
Physical access control to the protected office zones
02C02-01
Is an automatic authentication and access control system used for protected areas?
E2
02C02-02
Are there a procedure and calling means that people who do not have authorization can use to access the protected areas?
E3
02C02-03
In the case of a person without authorization entering these areas, does the procedure, guarantee that the person will be
accompanied?
E3
02C02-04
Is there a procedure or automatic alert enabling the immediate intervention of security personnel in the case of failure or
invalidation of the access control system?
R1
02C02-05
Is the access control system for protected office areas equipped with a no pass-back mechanism?
E3
02C02-06
Is authentication based on tamper-proof means associated with the user (for example a badge, smart card, or biometric
recognition system)?
E2
02C02-07
Does the mechanism use strong authentication of the user, with two identifying factors?
E3
02C02-08
Does the mechanism provide a temporary means of access, to allow for lost, stolen or forgotten badges?
02C02-09
Does the temporary means of access grant only access to a strictly limited area?
E3
02C02-10
Does the access control system guarantee exhaustive checking of the people entering the premises (turnstile preventing more
than one person from entering at a time, a process to prevent a badge being used by more than one person, etc)?
E3
02C02-11
In addition to controlling access by the normal routes, is access by other routes (such as windows accessible from outside,
emergency exits, or through false floors or ceilings) monitored?
E1
02C02-12
Are the systems that provide automatic access control to protected areas operational and monitored permanently (24x24) so that
any outage or deactivation is flagged in real time?
02C02-13
Are the emergency exits monitored permanently (24x24) so that their use can be checked in real time?
E2
02C02-14
Is there an audit process to detect, after the event, any anomalies in the access control system (audit of the procedures and
configuration of the access control system, audit of exception procedures and intervention, etc)?
C1
02C02-15
Is there a process for systematically updating access control policies?
C1
341702815.xls ! 02 Sit
E3
R1
page 50

Number
02C03
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
02C03-01
Does the procedure of granting access rights to a protected office area require the formal authorization of the manager of the
protected area?
E1
02C03-02
Is the authenticity of requests for attribution of access rights verifiable and verified (signature control ) ?
E2
02C03-03
Are the authorizations accorded to named individuals and registered (with a mention of the day of the authorization and the
duration of its validity)?
E2
02C03-04
Is the validity of these authorizations limited in time?

The validity duration shall be defined accordingly to the profile of the person.
E3
02C03-05
Is there a systematic process of removal of access rights to a protected office area at the time of departure ?
E2
02C03-06
Is there a systematic process of removal of access rights to a protected office area at the time of transfer or role change of staff?
E3
02C03-07
Is there a regular audit, at least once a year, of all access rights currently attributed to each protected office area?
This audit should also analyze the relevance of the authorizations granted.
C1
02C03-08
Are all entries into protected zones recorded?
E2
02C03-09
Are also all leavings from protected zones recorded?
E3
02C03-10
Is there a procedure enabling the subsequent detection of irregularities in the management or the use of access rights (badge or
R1
02C04
Detection of intrusions into protected office areas
02C04-01
Is there an operational system, linked to a 24 hr monitoring center, detecting the forcing of exits to the protected office zones?
This system must monitor forced openings of exits (doors and windows), the usage of an emergency exit or their being kept
open, etc.
E2
02C04-02
Is there an operational system detecting the presence of persons outside normal working hours, linked to a 24 hr monitoring
center?
This system should control the presence of persons (volumetric detection, etc.). It may also be a video surveillance system linked
to a 24 hr monitoring center.
E2
02C04-03
Is this system backed up by a video and audio control system which allows the security team to make a first analysis or remotely
dismiss uncertainty?
E2
02C04-04
E2
02C04-05
Has the security team sufficient resources to cover the eventuality of multiple alarms set off intentionally?
E2
02C04-06
Is the location of electronic systems for detection and processing of alarms protected 24 hrs a day by an access control system
and by an intrusion detection system?
R1
02C04-07
Is the intrusion detection system itself monitored (alarm in the case of shutdown, video auto-surveillance etc.)?
R2
02C04-08
Are the control points for intrusion detection and the procedures for action subsequent to intrusion subject to regular audit?
C1
02C05
ISO 27002
Management of access authorizations to protected office area
Monitoring of protected office areas
02C05-01
Is there a complementary video surveillance system, complete and coherent, for protected office areas, able to detect movement
and abnormal behavior?
02C05-02
In the case of an alarm, does the surveillance team have the possibility of sending out an intervention team without delay to verify
the cause of the alarm and to take appropriate action?
E2
02C05-03
E2
341702815.xls ! 02 Sit
E2
page 51

Number
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
02C05-04
Is the security surveillance team also on duty at times when cleaning of sensitive locations is done?
02C05-05
Is video surveillance material recorded and kept for a long period?
E3
02C05-06
Is the intrusion detection system itself under surveillance (alarm in the case of shutdown, video auto-surveillance etc.)?
R2
02C05-07
Are procedures for surveillance and intervention in the case of abnormal behavior audited regularly?
C2
02C06
ISO 27002
E2
Control of movement of visitors and occasional service providers required to work in the offices
02C06-01
Is there a general control of movement of visitors and occasional service providers (time stamping at arrival and departure,
signature of the person visited, etc.)?
E1
9.1.2
02C06-02
Are visitors and occasional service providers always accompanied (on the way in, return to reception, intervening movements )?
E1
9.1.2
02C06-03
Are visitor reception zones set aside specifically for that purpose comprising only welcoming areas, meeting rooms or zones
accessible to the public?
E2
9.1.2
02C06-04
Have specific procedures been defined for each type of external service provider given to operate in the offices (IT service
company, maintenance company, cleaning staff, etc.) such as the wearing of a personalized badge, accompaniment by staff, prior
authorization indicating the name of the operative etc?
E2
9.1.2
02C06-05
Do these procedures ensure that the service provided corresponds to the expressed requirement and that the actions of the
service provider are limited only to that requirement?
E2
02C06-06
Are visitors and occasional service providers recorded in such a way as to enable a subsequent verification of the reason of their
visit and has a procedure been put in place which enables the detection of dishonesty or abuse?
E2
02C06-07
Is there a secure way to register the departure of visitors (e.g. keeping their identity card)?
E2
02C06-08
Are the control procedures of visitors and occasional service providers movements regularly audited?
C1
02D
Protection of written information
02D01
Conservation and protection of important commonly used documents
02D01-01
Are there facilities available for the staff to put away, close to their desk, commonly used documents requiring a high degree of
preservation or protection?
E2
02D01-02
Do these facilities allow to protect important documents from risks of water damage or flooding?
E2
02D01-03
Do these facilities allow to protect important documents from risks of fire (fireproof vaults) ?
E2
02D01-04
Are the premises used for the storage of these documents equipped with reinforced access control and intrusion detection?
E2
02D01-05
Does the shutdown of these security systems (fire, water damage, access control, intrusion detection) trigger an alarm with a
surveillance center able to intervene rapidly?
R1
02D01-06
Are these storage conditions subject to regular audit?
02D02
C2
Protection of documents and removable support media
02D02-01
Do security procedures and instructions define the rules for protecting documents and information support media situated in
offices (regardless of the type of support media)?
E1
02D02-02
Do the security procedures and instructions detail the rules for protecting laptop microcomputers (storage, securing by cable
etc.)?
E1
02D02-03
Do the security procedures and instructions also detail the rules for protecting Tablet PCs, electronic personal assistant or
telephones which may contain sensitive information?
E2
02D02-03
Do the security procedures and instructions detail the rules relative to the printing of sensible documents?
E2
02D02-04
Do the security procedures and instructions detail the rules for the distribution of sensible documents?
E2
341702815.xls ! 02 Sit
10.7.1
page 52

Number
1 variant
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
02D02-05
Do the security procedures and instructions detail the rules relative to the handling of sensible documents while carried outside
the organization?
02D02-06
Do staff have secure storage facilities (secure cupboards ) immediately available on request, in the office or in close proximity to
the office at any time?
02D02-07
Are staff regularly made aware of the necessity to protect documents and other sensitive support media in their offices ?
E2
02D02-08
Do security staff regularly check (effecting regular rounds) the application of document tidying rules and various support media
situated in offices ?
C1
02D02-09
Are these controls also effected during opening hours, in the absence of the regular occupants of the offices?
C2
02D02-10
Is the application of the security rules relative to the printing and distribution of sensitive documents regularly audited?
C2
02D03
E2
Paper-bin collection and destruction of documents
02D03-01
Are the contents of all paper-bins subject to a system of secure destruction?
E2
02D03-02
Do staff have available a means of secure destruction for sensitive documents (shredders, special paper collection )?
E1
02D03-03
Do the paper destruction facilities available to personnel offer a solid guarantee that documents destroyed cannot be
reconstituted?
For this, the shredder used must cross cut.
E2
02D03-04
Is the capacity of the paper destruction facilities available to personnel compatible with the average volume of documents to
destroy?
E1
02D03-05
Has a shredder of sufficient capacity been installed next to each photocopier?

Note: the capacity necessary must take into account the maximum thickness that photocopied document can generally attain.
E2
02D03-06
Are all paper destruction procedures and facilities regularly audited?
02D04
C1
Security of post mail
02D04-01
Is the incoming and outgoing mail sorting and dispatching office kept locked when staff are not present?
E1
02D04-02
Is the incoming and outgoing mail sorting and dispatching office protected against risks of fire and water damage (automatic
detection and triggering of an alarm with a surveillance center able to intervene rapidly?
E1
02D04-03
Does the mail delivery round ensure that only the intended recipient department or person has access to its or their mail (locked
post boxes, direct distribution and delivery direct to the intended person etc.)?
E1
02D04-04
Within the office spaces, is any mail, either outgoing or incoming, kept aside so as not to be read by an unintended third party?
E2
02D04-05
Is confidential mail rendered neutral (double envelope with the degree of classification only being indicated on the internal
envelope)?
E2
02D04-06
Are important mails sent systematically registered with acknowledgement of receipt?
E2
02D04-07
Is the application of mail security advice and procedures regularly audited?
C1
02D05
ISO 27002
E2
Security of faxes (traditional)
02D05-01
Is there a procedure or instruction stating the modes for sending and receiving confidential faxes?
E1
02D05-02
Is the location of each fax machine kept locked when staff are not present?
E1
02D05-03
Is the incoming and outgoing faxes office protected against risks of fire and water damage (automatic detection and triggering of
an alarm with a surveillance center able to intervene rapidly?
E1
02D05-04
Does the fax delivery round ensure that only the intended recipients department or person has access to its or their faxes (locked
post boxes, direct distribution and delivery direct to the intended person)?
E1
341702815.xls ! 02 Sit
page 53

Number
1 variant
W
Max
02D05-05
Have the possibilities and modes of remote fax retrieval with password been explained to personnel and relevant advice
displayed near to fax machines?
E2
02D05-06
Is the remote retrieval with password mode obligatory for the sending or receipt of a confidential fax?
02D05-07
Is the application of fax security advice and procedures regularly audited?
C1
02D06
Question
R-V1 R-V2 R-V3 R-V4
Min
Typ
ISO 27002
E2
Conservation and protection of important documents (to be preserved during a long period)
02D06-01
Is there a department specifically responsible for keeping and protecting important documents that need to be kept for a long
period of time?
Such as important originals, elements usable as proof, documentary evidence, etc.
E2
13.2.3
02D06-02
Is there a procedure which obliges users to use this service for all documents usable as proof, documentary evidence or
important originals?
E2
13.2.3
02D06-03
Are the corresponding documents kept in fireproof safes, themselves located in rooms with appropriate equipments for fire
detection and extinguishing, flooding detection and water draining?
E2
02D06-04
Are the rooms used to store these documents equipped with reinforced access control and intrusion detection systems?
E2
02D06-05
Does the shutdown of security systems (fire, water damage, access control, intrusion detection) trigger an alarm with a
R1
02D06-06
Is the capacity to work on these documents ensured on a long range?
C1
02D06-07
Are the storage conditions and associated security systems subject to regular audit?
C1
02D07
Management of archived documents
02D07-01
Is there a department specifically responsible for archiving documents to be kept for a long range?
E2
02D07-02
Is there a procedure which obliges users to use this archiving service for all documents to be kept for a long range?
E2
02D07-03
Are the delays for archiving or returning documents in accordance with the expectations of users?
Otherwise users may prefer to keep the documents next to them.
E2
02D07-04
Are the rooms used for archives quipped with appropriate equipments for fire detection and extinguishing, flooding detection
and water draining?
E2
02D07-05
Are these rooms equipped with reinforced access control and intrusion detection systems?
E2
02D07-06
Are the archive rooms under video-survey when they are not occupied?
E3
02D07-07
Are the cartons for archives marked without reference to their content?
E2
02D07-08
Are the correspondence tables associating the content to the reference of archives not accessible to the personnel in charge of
managing physically the cartons of archives?
02D07-09
Are these tables subject to a saving policy ?
E2
02D07-10
Does the shutdown of security systems (fire, water damage, access control, intrusion detection) trigger an alarm with a
R1
E3
02D07-11
Is the requester of an archive authenticated with a strong procedure?
E2
02D07-12
Is the delivery of an archive registered and logged?
E2
02D07-13
Is there a specific procedure used for the destruction of archives?
02D07-14
Does this procedure guarantee that the requester has the appropriate rights?
02D07-15
Are the archives protected against any diversion during their transport between the archiving room and the requester?
02D07-16
Are the storage conditions for archives and associated security systems subject to regular audit?
341702815.xls ! 02 Sit
E2
3
E2
E2
C1
page 54
Comments
341702815.xls ! 02 Sit
page 55
Comments
341702815.xls ! 02 Sit
page 56
Comments
341702815.xls ! 02 Sit
page 57
Comments
341702815.xls ! 02 Sit
page 58
Comments
341702815.xls ! 02 Sit
page 59
Comments
341702815.xls ! 02 Sit
page 60
Comments
341702815.xls ! 02 Sit
page 61
341702815.xls ! 02 Sit
page 62
341702815.xls ! 02 Sit
page 63
341702815.xls ! 02 Sit
page 64
341702815.xls ! 02 Sit
page 65
341702815.xls ! 02 Sit
page 66
341702815.xls ! 02 Sit
page 67
341702815.xls ! 02 Sit
page 68
Audit Questionnaire: Security of Premises

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
General Maintenance
03A
03A01
Quality of energy supply
03A01-01
Does the energy supply conform to the maximum load levels specified by installed equipment suppliers and with a sufficient
margin?
E2
9.2.2
03A01-02
Is there an electricity regulation system which includes at least an uninterruptible power supply for the most sensitive equipment?
E2
9.2.2
03A01-03
Are there backup batteries (supplying one or more uninterruptible power supplies) guaranteeing sufficient autonomy that
equipment shuts down safely and properly?
E2
9.2.2
03A01-04
Is the energy supply system fitted with a control system which signals to the intervention team any partial or complete failure of
equipment (disconnection of batteries, insufficient charge, uninterruptible supply system shutdown etc.)?
03A01-05
Are energy regulation systems checked frequently (battery capacities in particular) in comparison to system requirements
(autonomy needed to ensure a proper shutdown)?
03A01-06
Is the regular replacement of intermediate batteries effected in accordance to the manufacturers' specifications?
E2
E1
9.2.2
E1
9.2.2
03A02
R1
C2
Continuity of energy supply
03A02-01
Has it been established a documented policy relative to the requirements about power supply continuity (and all fluids in
general)?
03A02-02
Is there a backup energy supply capable of guaranteeing service continuity of critical equipment (making use a generator and
sufficient independent supply of fuel or independent energy feed)?
03A02-03
Is the backup system tested regularly in order to define the appropriate load required (retaining only critical equipment load
levels)?
03A02-04
Is the start-up routine for the backup system tested regularly and its compatibility with the requirements of service continuity (tests
include system run-down and eventual reconfiguration needed)?
E2
03A02-05
Is the backup energy supply system equipped with an alarm which signals to the intervention team any partial unavailability or
failure of equipment (failure of the backup system, low fuel, shutdown of detection or switching system etc.)?
R1
03A03
C1
Air conditioning security
03A03-01
Is there an air conditioning system which regulates air quality (temperature, pressure, water content, dust) corresponding to the
specifications of builders of installed equipment?
E2
03A03-02
Is the air conditioning system regularly tested to ensure that it will continue to function even in the worst climatic conditions
possible?
C1
03A03-03
Will the air conditioning system continue to function within the specifications despite a simple component failure (sufficient
equipment redundancy, backup air conditioning system etc.)?
E3
03A03-04
Is the capacity of the air conditioning system tested regularly in spite of a simple equipment failure and under the worst possible
climatic conditions?
03A03-05
Is there a redundancy system for the most critical air conditioning equipments?
03A03-06
Is the accidental or deliberately caused failure (shutdown) of the air conditioning system detected and signaled to an intervention
team able to react swiftly?
03A03-07
Is the security of the air-conditioning system (detection of failure, shutdown, intervention procedures) subject to a regular audit?
03A04
03A04-01
C2
R1
C1
9.2.2
9.2.2
E2
Quality of cabling
Is a file maintained detailing all cable paths and bays (with a backup copy) and associated cabling cabinets and their
characteristics?
341702815.xls ! 03 Pre
E1
9.2.3
page 69
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
03A04-02
Are the cables individually labeled at each end?
03A04-03
Is cabling protected from accident risk (protected conduit ends)?
03A04-04
Are high and low voltage circuits properly separated?
03A04-05
Is cabling quality and protection checked regularly?
C1
03A04-06
Is the update of the cabling map regularly audited?
C1
03A05
Min
Typ
9.2.3
E2
9.2.3
E1
9.2.3
Lightning protection
Is the building protected by a lightning conductor?
03A05-02
Are electrical circuits and cabling protected against surges and against lightning by specialized equipment?
03A05-03
Is circuit protection equipment checked regularly?
E1
E1
3
C1
Dependability of service equipment
03A06-01
Is there a complete and accurate list of all the service equipment required by the IT and communications systems (cold water, air,
specific supplies, etc)?
E2
03A06-02
Is each equipment covered by a maintenance contract tailored to the requirements of the expected service?
C1
03A06-03
For the most critical services, is there system redundancy or a rapid replacement capability?
03A06-04
Are all outages, whether unplanned (breakdown) or planned (stoppage), of service equipment detected and flagged to an
intervention team for rapid reaction?
R1
03A06-05
Is the dependability of service equipment (detection of breakdown or outage, intervention procedures, etc) audited regularly?
C1
03B
ISO 27002
E2
03A05-01
03A06
Max
2
9.2.2
E2
Control of access to sensitive locations (other than office zones)
03B01
Access rights management to sensitive locations
03B01-01
Are permanent or semi permanent (for a specific length of time) access rights to sensitive locations defined in relation to standard
profiles accounting for the function and status of staff?
These profiles should consider technical, telecom, general maintenance or security staff, fire brigade, service providers, students
or visitors, etc.
03B01-02
Have an inventory and a classification of all the types of sensitive locations been taken?
E2
03B01-03
Has, for each sensitive location or type of location, a manager been named to maintain up-to-date security access rights
attributed to each category of personnel and has each of the managers taken up their post?
E1
03B01-04
Do these persons in charge actually assuming this function and do they provide reports to the CISO about it?
03B01-05
etc.)?
03B01-06
Are these rights and profiles as defined above protected against alteration or falsification during their storage or when
transferred between decision makers and the personnel in charge of implementing the rights?
R1
03B01-07
Is there a regular audit or inspection, at least once a year, of all rights given to the various categories of personnel and of the
management processes for these rights as well?
C1
E1
03B02
03B02-01
E1
9.1.2
E2
E2
9.1.2
Management of access authorizations granted to sensitive locations

Does the procedure of granting permanent or temporary access authorizations require the formal authorization of line
management or of the unit managing external contractors (at a sufficiently senior level)?
341702815.xls ! 03 Pre
page 70
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
Max
03B02-02
Is the procedure for granting (or modification or revocation) of access authorizations, for each type of sensitive location,
documented and strictly controlled?
the profile attributed to users is highly secure and that each operation is recorded (mentioning the date of issue of the badge and
its length of validity) that there be a reinforced access control over the modification of such records and that all record
modifications be logged and audited.
03B02-03
Are access authorizations granted to named individuals as a function of profile and materialized by a badge or a card or a key?
E2
03B02-04
Are badges or cards which represent access authorizations personalized using the name of the holder and his or her
photograph?
E2
03B02-05
Can the list of access authorizations and corresponding profile be reviewed at any time?
E3
03B02-06
Is there a rapid and systematic process of attribution and revocation of access authorizations (with invalidation of the badge in
automatic control systems) and the return of the badge or corresponding card at time of change of site (if access rights depend
on the site), departure from the company or at the end of a contract and applied both to internal and external staff?
E2
03B02-07
Are keys or badges stored in a locked secure box or cupboard resistant to break in?
For example: certified safes
E2
03B02-08
Is it prohibited to enter the sensible premises with means of photo, video, or audio taping?
03B02-09
Is there a regular audit, at least once a year, of all the badges attributed to all categories of staff and of the pertinence of the
corresponding authorizations?
C1
03B02-10
Is there a procedure enabling the subsequent detection of irregularities in the management of access authorizations (badge or
03B03
Min
Typ
E3
9.1.5
C2
Access control to sensitive locations
03B03-01
Is use made of an automatic system controlling access to sensitive locations?
03B03-02
Does authentication employ user related data that cannot be falsified (smart cards or biometric data for example)?
For example :(smart cards, biometric data, digital key, ...
E3
03B03-03
Does the access control system guarantee that all personnel entering the location are verified?
For example: double door limiting the number of people entering to one-at-a-time or a process which prohibits the usage of a
badge by more than one person etc.
E2
03B03-04
Is control assured of all entry and exit points including both normal exits and others such as windows accessible from outside,
emergency exits, potential access via raised flooring and false ceilings?
E2
03B03-05
Are the automatic access control systems under 24 hr surveillance enabling the detection of a failure, a system deactivation or
the usage of emergency exits in real time?
R1
03B03-06
Is there a procedure or automatic alert enabling the immediate intervention of security personnel in the case of a shutdown alarm
of the access control system (or usage of emergency exit)?
R2
03B03-07
Is there an audit procedure enabling the detection of irregularities in the access control procedures (audit of procedures and
C1
03B04
ISO 27002
E2
E1
9.1.2; 9.1.5
Intruder detection in sensitive locations
03B04-01
Is there an operational on site intrusion detection system for sensitive locations linked to a 24 hr monitoring center?
E1
03B04-02
Does this system detect all attempts to force open locked exits (windows and doors), all opening of emergency exits and all
normal exits abnormally kept open?
E2
03B04-03
Does this system detect the presence of personnel outside of normal working hours?
E2
341702815.xls ! 03 Pre
page 71
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
Max
03B04-04
Is this system backed up by a video and audio control system which allows the security team to make a first analysis or dismiss
uncertainty from a distance?
E3
03B04-05
Is the surveillance team dedicated to its task, having only security responsibilities and are any alarms immediately detected
E3
03B04-06
E2
03B04-07
E3
03B04-08
03B04-09
Is the intrusion detection system itself under surveillance (alarm in the case of shutdown, auto-surveillance by camera etc.)?
R1
03B04-10
Are intrusion control points and procedures for reaction to intrusions audited regularly?
C1
03B05
Min
Typ
E2
Perimeter monitoring (surveillance of entry points and surroundings of sensitive locations)
03B05-01
Is the perimeter or surroundings of sensitive locations under complete and coherent surveillance by video or direct visual means?
03B05-02
Is the surveillance team dedicated to its task, having only security responsibilities and are any alarms immediately detected and
03B05-03
03B05-04
03B05-05
E2
03B05-06
E3
03B05-07
R1
03B05-08
Are surveillance and intervention procedures audited regularly?
C1
03B06
E2
3
E3
E2
E3
Surveillance of sensitive locations
03B06-01
For sensitive locations, is there an additional, complete and coherent, video surveillance system which detects movement inside
the sensitive location and able to detect abnormal behavior?
03B06-02
Is the surveillance team dedicated to its task, having only security responsibilities and are any alarms detected immediately
E3
03B06-03
E2
03B06-04
E3
03B06-05
Is the security surveillance team also on duty at times when cleaning of sensitive locations is done?
E2
03B06-06
03B06-07
R1
03B06-08
Are procedures for surveillance and intervention in the case of abnormal behavior audited regularly?
C1
03B07
ISO 27002
E2
9.1.5
E3
Cabling access control
03B07-01
Is physical access to cabling protected (specific conduits difficult to access or kept locked)?
E2
03B07-02
Are all cable paths kept under video surveillance with alerts in the case of abnormal presence (to signal to staff which screen to
pay particular attention to)?
E3
341702815.xls ! 03 Pre
page 72
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
Max
03B07-03
Are locations where it would be possible to place a parasitic device on a LAN or WAN under reinforced security (named
personnel with badge access, biometric security)?
E2
03B07-04
Are locations where it would be possible to place a parasitic device on a LAN or WAN under video surveillance as soon as
accessed (with an alert to surveillance personnel)?
E2
03B07-05
Are there regular security audits of cabling?

including effective control of access to conducts, audit of access rights attributed and the intervention procedures on violation of
rights, inspection of locations where parasitic devices could be placed.
C1
03B08
Min
Typ
ISO 27002
Location of sensible premises.
03B08-01
Are the sensible premises located in areas not accessible to the public?
E2
9.1.3
03B08-02
Are the data processing premises exempt of all exterior indication of their content?
E2
9.1.3
03B08-03
Is the location of sensible premises not displayed in telephone directories?
E2
9.1.3
E2
9.1.4
Security against water damage
03C
03C01
Prevention of risk of water damage
03C01-01
Has there been a systematic and exhaustive analysis of all the possible points at which water might enter?
For example: position of locations relative to natural overflows in the case of flood or violent storms, flooding from floors above,
rupture of hidden or exposed pipes, usage of fire extinguisher systems, overflow of water evacuation conduits, untimely start of
humidifier systems etc.
03C01-02
Have each of the possible water entry points been determined as low risk or have measures been taken to ensure that the risk of
flooding is very low?
For example: pre-emptive fire extinguisher systems, one way valves on exhaust pipes, independent measurement of humidity,
etc.
03C01-03
Are each of the various systems to avoid water damage protected from shutdown and under constant monitoring?
R2
03C01-04
Is there a regular audit of the proper implementation of the measures to prevent water damage and methods to ensure that they
remain pertinent (verification of risk analysis)?
C2
03C02
E3
Detection of water damage
03C02-01
Are there humidity detectors near to sensitive equipment (in particular in raised flooring) linked to a 24 hr monitoring center?
E2
9.1.4
03C02-02
Are there water detectors nearby sensitive equipment (in particular in raised flooring) linked to a 24 hr monitoring center?
E2
9.1.4
03C02-03
Is there a water leakage detection system on the floor above the location of sensitive equipment linked to a 24 hr monitoring
center?
E3
9.1.4
03C02-04
Does the security desk have the possibility of sending in a rapid intervention team which has sufficient means to act?
For example: knowledge of the location of water cut off points and protected shunts, computers with up-to-date piping plans and
cut off points, plastic covers in order to protect equipment etc.
E2
03C02-05
E3
03C02-06
03C02-07
In any shutdown of detection systems systematically signaled to a 24 hr monitoring center?
03C02-08
Is the detection equipment regularly tested and are procedures and intervention capabilities regularly audited?
03C02-09
Are procedures and intervention capabilities regularly audited?
03C03
E2
R1
C1
C1
Water evacuation
341702815.xls ! 03 Pre
page 73

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
03C03-01
Are there permanent means for evacuating water (pumps, natural drain-ways etc.) and a team able to use them effectively?
03C03-02
Is the shutdown of any water evacuation system signaled immediately to a 24 hr monitoring center?
03C03-03
Are water evacuation systems regularly tested?
E2
03C03-04
C2
ISO 27002
E2
2
E2
Fire security
03D
03D01
Fire risk prevention
03D01-01
Has an in-depth and systematic analysis been carried out of all fire risks?
For example: short circuits in cables, the effect of lightning, staff smoking areas, normal electrical equipment, heating equipment,
fire spread from outside, spread via technical conduits or via the air conditioning system etc.
03D01-02
Has it been possible to evaluate each risk as highly improbable or taken action to render the risk of fire starting or spreading
highly improbable?
For example: protection of cables in specially adapted conduits, separation of transmission cables from energy supply cables,
protection of sensitive equipment from lightning strikes, smoking ban, fire resistant bins, non-inflammable materials, protection of
electrical circuits by differential circuit breakers, fire detection equipment in nearby locations and in risers etc.
03D01-03
Are the different fire protection systems protected from shutdown and under continual monitoring?
03D01-04
Is there a regular audit of the electric cabling due to changes of the power supply configurations?
For example : control of possible hot points using an infrared camera
03D01-05
Is there a regular audit of the proper implementation of fire prevention measures and methods to ensure that they remain
pertinent?
verification of risk analysis
03D02
E2
E3
R2
C2
C2
Fire detection
03D02-01
Is there an automatic fire detection system for sensitive locations (raised floors and false ceilings if they exist)?
03D02-02
Does the fire detection system have at least two types of detector (for example ionic and optical smoke detector)?
03D02-03
Are the automatic detectors linked to a 24 hr monitoring center, equipped with a system which clearly identifies the location of the
alarms which have been set off?
03D02-04
Is any shutdown of fire detection systems systematically signaled to a 24 hr monitoring center?
R1
03D02-05
Is the detection equipment regularly tested? and are procedures and intervention capabilities regularly audited?
C1
03D02-06
C1
03D03
9.1.4
E1
2
9.1.4
E2
E2
Fire extinguishing
03D03-01
Is the monitoring center able to rapidly send in a team which has sufficient means to act (precise diagnosis of the situation,
manual extinguishers, triggering of automatic extinguishers, emergency call)?
E1
03D03-02
Has the security team sufficient resources to cover the eventuality of multiple alarms?
E2
03D03-03
E2
03D03-04
Is there specific and regular training of intervention personnel?
E2
03D03-05
Are all mobile fire extinguishers regularly controlled by a competent authority (filling, usage manuals, risk reduction, location
etc.)?
E2
03D03-06
Are sensitive locations protected by an automatic extinguishing system (air, raised floors, false ceilings)?
03D03-07
Are automatic extinguishing systems regularly maintained and tested by approved specialists?
03D03-08
Is the shutdown of an automatic fire extinguisher system immediately signaled to a 24 hr monitoring center?
341702815.xls ! 03 Pre
E2
9.1.4
E2
2
R1
page 74
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
03D03-09
Is there an installation of armed fire taps near to computer rooms and is this installation periodically and regularly verified and
maintained?
03D03-10
Is the intervention time of the fire brigade under 15 minutes?
03D03-11
Are regular tests of fire extinguishing equipment and procedures carried out and intervention capabilities regularly audited?
341702815.xls ! 03 Pre
Max
Min
Typ
ISO 27002
E1
E2
3
C1
page 75
Comments
341702815.xls ! 03 Pre
page 76
Comments
341702815.xls ! 03 Pre
page 77
Comments
341702815.xls ! 03 Pre
page 78
Comments
341702815.xls ! 03 Pre
page 79
Comments
341702815.xls ! 03 Pre
page 80
Comments
341702815.xls ! 03 Pre
page 81
Comments
341702815.xls ! 03 Pre
page 82
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
341702815.xls ! 03 Pre
page 83
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
341702815.xls ! 03 Pre
page 84
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
341702815.xls ! 03 Pre
page 85
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
341702815.xls ! 03 Pre
page 86
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
341702815.xls ! 03 Pre
page 87
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
341702815.xls ! 03 Pre
page 88
0
0
0
341702815.xls ! 03 Pre
page 89
Audit Questionnaire: Extended Network (intersite)
1 variant
The extended network is seen here as the network linking separate sites. It is the network architecture between independent units, each
managing their own network (LAN). Connections of mobile machines are assumed to be managed through the local network.
Number
Question
04A
04A01
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ ISO 27002
Security of the extended network architecture and service continuity

Functional security of the extended network architecture
04A01-01
Have the requirements of service continuity of the extended network been analyzed and, if necessary, has a redundant
architecture been determined for network connection points, equipment and network meshing?
E2
04A01-02
Has a systematic search for single points of failure been carried out and has it been ensured that subsidiary equipment (power
supply and air conditioning etc.) does not introduce or eliminate the redundancy expected in the equipment or network
architecture?
E3
04A01-03
Has a verification of the average and peak load been carried out for each segment of the extended network and has the
compatibility of the network and associated equipment at this load level been verified and is this verification regularly repeated?
E2
04A01-04
Has this analysis been complemented by a study of network capacity to ensure reliability of communications in all cases of failure
of a single link or piece of equipment?
E3
04A01-05
Is there a dynamic measurement of network load and are load balancing tools available?
04A01-06
Do network monitoring and configuration tools allow real time corrective action compatible with the needs of the users?
E2
04A01-07
Are overload detection and load balancing tools accessible only by administrators and are they protected by strengthened access
control?
R2
04A01-08
Is any failure or shutdown of network overload detection and equilibrating equipment signaled immediately to the monitoring
center and to network administrators?
R1
04A01-09
Are regular performance tests of load detection equipment and reconfiguration mechanisms carried out?
C1
04A01-10
Are regular audits carried out of equipment parameters and procedures associated with the load detection and reconfiguration
systems?
C1
04A01-11
Are regular audits carried out of the procedures associated to the load detection and reconfiguration systems?
C1
04A02
E2
Management of extended network equipment maintenance
04A02-01
Is all equipment covered by a maintenance contract?
E1
04A02-02
Has all critical production equipment been identified, has their performance capability been controlled and have the acceptable
and maximum downtime limits been documented?
E2
04A02-03
Have specifically adapted clauses related to these requirements been set down within maintenance contracts?
04A02-04
Are the penalties of non-compliance with these clauses sufficiently persuasive for the contract holder?
E3
04A02-05
Have escalation procedures been detailed in the case of non-compliance or difficulties in maintenance and do they anticipate the
intervention of specialists within a short delay commensurate with the criticality of the equipment?
R1
04A02-06
Has the number and proximity of specialists been detailed and do they guarantee a sufficiently good level of maintenance within
an acceptable delay?
R2
04A02-07
Do the maintenance contracts anticipate a complete replacement of equipment in the case of significant damage which would not
normally be taken into account by curative maintenance?
E3
04A02-08
Are maintenance contracts and procedures regularly audited?
04A03
04A03-01
9.2.4
E2
C1
Procedures and Business Contingency Planning following incidents on the extended network
Has a list been established of incidents which could affect the proper functioning of the extended network and analyzed the
seriousness level, for each of them?
341702815.xls ! 04 Wan
E2
page 90
Number
R-V1 R-V2 R-V3 R-V4
Question
04A03-02
Has it been established, for each critical incident, the solution to implement and the action to execute by operational personnel?
04A03-03
Have sufficient means of intervention (reconfiguration) on the extended network been put in place which cover satisfactorily all of
the scenarios identified and do they allow for the actions decided to be implemented within the specified delays?
04A03-04
For each possible critical incident on the extended network has an expected resolution time and escalation procedure been
determined in the case of failure or delay of the specified corrective actions?
04A03-05
Are the diagnostic, management and reconfiguration tools of the extended network protected against all possible untimely or
malicious action?
04A03-06
Do incident recovery plans and procedures cover the eventual loss of data (especially e-mail messages)?
04A03-07
Are diagnostic and reconfiguration facilities regularly audited in order to assure a satisfactory minimum functioning of the
extended network in the case of an incident?
04A04
Max
Min
Typ ISO 27002

E2
E2
E3
3
R1
E3
C1
Backup plan of extended network configurations
04A04-01
Has a backup plan been established encompassing all network configurations, defining all objects to save and the frequency of
backups?
E1
10.5.1
04A04-02
Has this plan been translated into automatic operational routines?
04A04-03
Has the backup of programs, (source and executables), documentation and parameters been regularly tested in order to be able
to reconstitute the production environment at any time?
E2
10.5.1
E1
10.5.1
04A04-04
Are operational automatic routines protected by a high level of protection against illicit or unintentional modification?
Such a mechanism may be a digital seal or any equivalent protection system.
R1
10.5.1
04A04-05
Are all configuration backups and files which enable the restoration of the extended network production environment also saved
at a location off premises (recourse backup) ?
E3
10.5.1
04A04-06
Are recourse backup copies stored in a secure location and protected against accidental risk or theft?
Such a location must be protected by strict access control as well as protected against fire or water damage risk.
E3
10.5.1
04A04-07
Are regular tests carried out to read backups and recourse backups?
C1
10.5.1
04A04-08
Are all procedures and plans for backup of configuration files regularly audited?
C1
04A05
Business Contingency Planning (BCP) of the Extended Network
04A05-01
Is there an operational recovery solution to make up for the unavailability of any critical equipment or link on the extended
network?
E1
14.1.3
04A05-02
Is this recovery solution satisfactorily operational?
E2
14.1.3
04A05-03
Are these alternative solutions described in detail in one (or several) Disaster Recovery Plan formal and complete?
A complete recovery plan must include the conditions for triggering, the actions to execute, the priorities, the actors to mobilize
and their contact details as well as the conditions for considering the return to the normal state.
E1
14.1.3
04A05-04
Are these plans tested in operational conditions at least once a year?
C1
14.1.5
04A05-05
Is there a formal guarantee that the capacity and compatibility of these recovery solutions will support a sufficient operational load
which has been approved by all connected entities?
E2
14.1.5
04A05-06
If the recovery solutions include delivery of hardware components which cannot be triggered during tests, is there a contractual
engagement within the recovery plan for the delivery of the replacement hardware within fixed and anticipated time limits
guaranteed by the manufacturer or other third party (leaser, broker, other)?
E2
04A05-07
If the recovery facility (hot site, equipment etc.) is subscribed through a service provider, is the number of other subscribers
known and limited?
E3
04A05-08
Has the possible unavailability or failure of the recovery facility been considered and has a second level backup been organized?
04A05-09
Is the backup solution usable for an unlimited duration and, if not, has a follow on backup solution been established?
341702815.xls ! 04 Wan
R1
E3
page 91
Number
04A05-10
04A06
R-V1 R-V2 R-V3 R-V4
Question
Are the existence, the pertinence and the updates of the Disaster Recovery Plans regularly audited?
Max
Min
Typ ISO 27002

C1
Management of critical suppliers as regards a permanent maintenance service
04A06-01
Have the consequences of the disappearance of a supplier of equipment, network service or software been analyzed (in the case
of failure, a bug or change requirement) and has a list of critical points been established?
E2
04A06-02
For each critical point is there a corrective solution to cope with the failure or disappearance of a supplier (consignment of
maintenance documentation with a trusted third party, replacement of equipment or of software by available market solutions
etc.)?
E2
04A06-03
Is it certain that this corrective solution could be made operational to enable company activity to restart within a time delay
sufficiently short to be acceptable to the users ?
04A06-04
Have variants to the primary solution been considered in case the latter might encounter unforeseen difficulties?
E3
04A06-05
Is there a regular review of critical points and corrective solutions envisaged?
C1
04B
E3
Control of connections on the extended network
04B01
Security profiles for entities connected to the extended network
04B01-01
Has a set of rules been defined such that an entity can be connected to the extended network (which is considered to be a
domain of confidence)?
E1
04B01-02
Do these rules cover the necessary organization for each entity connected to the network?
E3
04B01-03
Within each entity connected, are managers designed and known responsible of security in various domains (such as physical
security, operating systems security, etc.)?
E3
04B01-04
Do the rules establishing the connection criteria to the extended network define the physical security measures required to
protect the network equipment and cabling?
E2
04B01-05
Do these rules establishing the connection criteria to the extended network define the logical security measures required to
protect the network equipment and cabling?
04B01-06
Do these rules detail the filtering rules required for the control of incoming as well as outgoing accesses?
04B01-07
Do these rules detail controls to effect on the network equipment configurations?
04B01-08
Do these rules detail controls to effect on the configurations of users stations?
04B01-09
Do these rules define the required management methods to cover anomalies and incidents?
04B01-10
E2
11.4.6
E2
11.4.6
E2
E2
E3
Do these rules impose to send a report to a central authority for any anomaly and incident challenging the security of the
extended network?
E3
04B01-11
Is there a management procedure covering the authorization requests for the binding of any entity to the extended network and a
structure empowered to analyze these requests and provide the corresponding authorization?
E2
04B01-12
Is there a structure empowered to audit the application of the rules and to remove specific rights which are no longer needed or
when the conditions are no longer met?
E3
04B01-13
Is there a regular audit of the required conditions and application of the rules in each entity authorized to be part of the extended
network?
C1
04B01-14
Are reviews of the authorized connections (standard and non-standard) and of their relevance regularly conducted?
C1
04B02
11.4.7
Authentication of the entity for an incoming access from the extended network
04B02-01
Is there, for any access arriving from the extended network to the local area network, a mechanism controlling the authentication
and access control rights of the accessing entity prior to any action?
E1
04B02-02
Does the authentication mechanism provide a recognized "strong" level of security?

Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is to say
observable without divulging information, are those based on cryptographic algorithms.
E2
341702815.xls ! 04 Wan
page 92
R-V1 R-V2 R-V3 R-V4
Number
Question
Max
04B02-03
Does the security equipment that retains and uses reference data (secret elements) to support access authentication use
mechanisms which guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms used for the creation, modification and storage of
reference elements (public keys in particular) must guarantee a level of security comparable to the authentication protocol itself.
E2
04B02-04
Does the transmission between systems and security equipments of reference data (secret elements, secret or public keys, etc.)
use mechanisms which guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms used for the transmission of reference elements
(public keys in particular) must guarantee a level of security comparable to the authentication protocol itself.
E3
04B02-05
Does the management procedure of revoked keys systematically test that the keys have not been revoked?
E2
04B02-06
Does the management procedure of revoked keys guarantee that the control systems take in consideration in real time any
revocation?
E3
04B02-07
Are the processes that guarantee authentication under strict control?

A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there
is an audit at least once a year of the authentication procedures and processes.
C1
04B03
Min
Typ ISO 27002
Authentication of the entity accessed for an outgoing access across the extended network
04B03-01
Is there a mechanism for the authentication of the called entity before any outgoing access from the internal network across the
extended network?
E1
04B03-02
Is the authentication mechanism recognized as "strong"?

The only methods recognized as "strong", that is to say observable without divulging information, are those based on
cryptographic algorithms.
E2
04B03-03
Does the security equipment that retains and uses reference data (secret elements) to support authentication use mechanisms
which guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms of modification, storage and transmission of
reference elements (public keys in particular) must use a level of security comparable to the authentication protocol itself.
E2
04B03-04
Does the transmission between equipments of reference data (secret elements) to support authentication use mechanisms which
guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms of transmission of reference elements (secret
elements, public keys, etc.) must guarantee a level of security comparable to the authentication protocol itself.
E3
04B03-05
Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have
not been revoked?
E2
04B03-06
Does the revoked keys management procedure guarantee that the control systems take into consideration in real time any
revocation of keys?
E3
04B03-07

A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that an
audit is performed at least once a year of authentication procedures and processes.
C1
04C
Security during data exchanges and communication
341702815.xls ! 04 Wan
page 93
Number
04C01
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ ISO 27002
Encryption of exchanges on the extended network

Encryption can be effected at layer 2 (encrypting modem ), 3 (IPSEC VPN) or at level 4-5 (SSL) or directly effected by the
application (level 6-7, for example encryption before or during transmission), case really treated by domain 09
It could be systematically on the "pipeline" (physical or logical) or limited only to certain data flows (as a function of address or
type, etc.) it can also be performed on intermediate systems (VPN boxes) or end systems (stations, server) or both.
04C01-01
Have the permanent links and data exchanges which must be protected by encryption solutions been defined and such solutions
been implemented on the extended network?
04C01-02
Does the encryption solution offer valid and solid guarantees and has it been approved by the Information Security Officer?
The sufficient length of the key is one of among many parameters to take into consideration (as a function of the algorithm) . The
recommendation of an official organization can be a confidence factor.
E2
04C01-03
Do the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the
keys offer solid guarantees which merit confidence and are they approved by the Information Security Officer?
E3
04C01-04
Are the encryption mechanisms embodied in electronic components which are strictly protected at a physical level against
intrusion or change?
Encryption mechanisms should be contained within protected enclosures to which it should be impossible to gain a
04C01-05
Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day capable of
triggering an immediate reaction?
R1
04C01-06
In the case of inhibition or bypass of the encryption solution or the activation of an unprotected fail-over link of the network, is
there a procedure to immediately alert all users?
For example by a warning requiring the user to acknowledge its receipt.
R1
04C01-07
Is there a regular audit, at least once a year, of all data exchange, encryption systems and associated procedures?
C1
04C02
E2
12.3.1
12.3.2
R2
Integrity control of exchanges on the extended network
04C02-01
Have all data exchanges and permanent links which must be protected by sealing solutions been defined and implemented on
the extended network?
04C02-02
Does the sealing solution offer valid and solid guarantees and has it been approved by the Information Security Officer?
The sufficient length of the key is one of among many parameters to take into consideration (as a function of the algorithm) . The
E2
04C02-03
Do the procedure and mechanisms for storage, distribution and exchange of keys and more generally the management of keys
offer a sufficient level of confidence and have they been approved by the Information Security Officer?
E3
04C02-04
Are the sealing mechanisms embodied in electronic components which are in turn strictly protected at a physical level against
Sealing mechanisms should be contained within protected enclosures to which it should be impossible to gain access. The
algorithm is contained within the microprocessor or a microprocessor card which is protected physically and logically.
04C02-05
Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day capable of
341702815.xls ! 04 Wan
E2
R2
R1
page 94
R-V1 R-V2 R-V3 R-V4
Max
04C02-06
In the case of inhibition or bypass of the sealing solution or the activation of an unprotected fail-over link, is there a procedure to
immediately alert all users?
For example by a warning requiring the user to actively validate its receipt.
R1
04C02-07
Is there a regular audit, at least once a year, of all systems of sealing of the data exchanged and associated procedures?
C1
Number
Question
Min
Typ ISO 27002
Control, Detection and Handling of incidents on the extended network
04D
04D01
Real-time monitoring of the extended network
04D01-01
Have events or successions of events which might reveal abnormal behavior or illicit action on the extended network been
analyzed and, as a consequence, have specific monitoring points and indicators been established?
E2
10.10.2
04D01-02
Is the system equipped with an automatic real time monitoring system in the case of an accumulation of abnormal events (for
example unsuccessful connection attempts on non-open ports)?
E3
10.10.2
04D01-03
Is use made of a system capable of detecting intrusion and anomalies on the extended network?
E2
10.10.2
04D01-04
Are there one or more applications capable of analyzing the individual anomaly diagnostic data on the extended network and of
triggering an alert to operational personnel?
E3
04D01-05
Is there within operational personnel a permanent dedicated team or group capable of reacting in the case of a monitoring alert
on the extended network?
E3
04D01-06
For each case of alert has the expected response from the intervention team been defined and is the availability of the
intervention team sufficient to face this expectation?
E3
04D01-07
Are the parameters defining alarms strictly protected (restricted access rights and strict authentication ) against illicit
modification?
04D01-08
Does the inhibition of an alert system on the extended network, trigger an alarm with the surveillance team?
04D01-09
Are the elements which enable the detection of an anomaly or incident archived (on disk, cassette or optical disk etc.)?
04D01-10
Are the procedures for monitoring the extended network, for the detection of the anomalies and the reactivity of the surveillance
team subject to regular audit?
04D02
R1
3
R1
10.10.2
E2
10.10.3
C1
Offline analysis of traces, log files and event journals on the extended network
04D02-01
Has detailed analysis been carried out of the events or succession of events on the extended network which may have had an
impact on security (refused connections, re-routings, reconfigurations, changes in performance, access to sensitive data or tools
etc.)?
E1
10.10.1
04D02-02
Are these events recorded as well as the parameters used for their subsequent analysis?
E1
10.10.1
04D02-03
Is there an application capable of analyzing these records as well as performance measures, of establishing statistics, a
dashboard and anomaly diagnostics for examination by a competent team of specialists?
04D02-04
Is the structure empowered to analyze these summaries (or incidents logs and security related events) required to do so within a
fixed and determined period and does it have sufficient availability?
E2
04D02-05
Has the expected response from the surveillance team been defined for each case of alert and are its availability and staffing
level sufficient to meet these expectations?
E3
04D02-06
Are the parameters defining the elements to record and the analyses to effect strictly protected against unauthorized change
(limited rights and strong authentication)?
R1
04D02-07
Is any inhibition of the recording and processing system immediately signaled to the surveillance team?
R1
04D02-08
Are the records and summary analyses protected against any destruction or modification?
E2
10.10.3
04D02-09
Are the records and summary analyses kept for a long period?
E2
10.10.3
04D02-10
Are the procedures for recording, processing and analyzing of the records and summaries as well as the availability of the
analysis and corrective team subject to regular audit?
C1
04D03
E2
10.10.3
Management of incidents on the extended network
341702815.xls ! 04 Wan
page 95
Number
R-V1 R-V2 R-V3 R-V4
Question
04D03-01
Is there a hot-line charged with taking and recording calls related to the extended network and to escalate all incidents?
04D03-02
Is this hot-line team available 24 hours a day?
04D03-03
Is there a system to support incident management?
04D03-04
Does this system centralize incidents detected both by operational personnel and by users?
04D03-05
Max
Min
Typ ISO 27002

E1
10.10.5
E2
10.10.5
E2
10.10.5
E2
10.10.5
Does the system cater for a systematic follow-up of necessary actions?
E3
10.10.5
04D03-06
Does this system incorporate a categorization of incidents including statistics and dashboards generation destined for use by the
Information Security Officer?
E3
04D03-07
Is the incident management system strictly controlled with regard to unauthorized or illicit modification?
A strict control requires a reinforced protection in order to modify records and an audit trail or protection by electronic seal of all
modifications of records.
04D03-08
Is each major incident on the network subject to a specific follow-up (nature and description, priority, technical solution, progress
analysis, expected resolution lead time etc.)?
341702815.xls ! 04 Wan
R1
E2
13.2.1
page 96
Comments
341702815.xls ! 04 Wan
page 97
Comments
341702815.xls ! 04 Wan
page 98
Comments
341702815.xls ! 04 Wan
page 99
Comments
341702815.xls ! 04 Wan
page 100
Comments
341702815.xls ! 04 Wan
page 101
Comments
341702815.xls ! 04 Wan
page 102
Comments
341702815.xls ! 04 Wan
page 103
341702815.xls ! 04 Wan
page 104
341702815.xls ! 04 Wan
page 105
341702815.xls ! 04 Wan
page 106
341702815.xls ! 04 Wan
page 107
341702815.xls ! 04 Wan
page 108
341702815.xls ! 04 Wan
page 109
341702815.xls ! 04 Wan
page 110
Audit questionnaire: Local Area Network (LAN)
1 variant
The LAN is seen, here, as the network linking the various servers and user workstations of the site. The remote connexions from nomadic stations are
also included in this questionnaire.
Number
05A
R-V1 R-V2 R-V3 R-V4
Questions
Max
Min
Typ
ISO 27002
Security of the architecture of the local area network
05A01
Partitioning of the local area network into security domains
05A01-01
Has a partitioning of the local area network been effected in order to separate what is strictly the internal network from the areas which
communicate externally (DMZ)?
A DMZ, or demilitarized zone, is an exchange zone to the outside, isolated from the internal network (e.g. using a firewall).
05A01-02
Has the local area network been partitioned into security domains, each requiring a consistent set of security rules, and into zones of
confidence within which controls may be specifically adapted?
E1
11.4.5
05A01-03
In particular, has any wireless network (WLAN) been considered as a distinct domain, strictly isolated from the rest of the network (by
firewall or filtering router, etc.)?
E1
11.4.5
05A01-04
Have these partitions been documented and is the documentation kept up to date?
E2
11.4.5
05A01-05
Is there a complete description of the links and communication equipment in place?
E2
11.4.5
05A01-06
Is each domain isolated from the others domains, by using specific security means (filtering router, firewall, etc)?
E2
11.4.5; 11.4.6
05A01-07
Is the security proper to this filtering equipment subject to active maintenance and follow-up by an appropriate expert?
E3
05A01-08
For each of the domains, has a strictly limited list of authorized inter-domain links, communications and protocols been defined and, by
default, are all other protocols shut off ("nothing except" policy)?
E2
05A01-09
Is there a procedure for the management of inter-domain connection requests and a group in charge of the analysis of these requests, of
their authorization and the definition of filtering rules which will be put in place (firewall, service requests, protocols etc.)?
E3
05A01-10
Is there a group in charge of controlling the application of the defined rules and the removal of specific rights when the requirement is no
longer needed or the conditions are no longer met?
E3
05A01-11
Are any addition to the authorized connection list for a domain and any modification of its parameters logged and audited?
C1
05A01-12
Is there a regular review of all authorized connections (standard and non-standard) and of their pertinence?
C1
05A02
E1
11.4.6
11.4.7
Security of the functioning of the local area network architecture
05A02-01
Has each security domain been analyzed to determine the requirements of continuity of service and, if necessary, has redundancy been
incorporated into interconnection points, networking equipment and meshed links?
E2
05A02-02
Has a systematic analysis of potential single points of failure been carried out in order to ensure that service equipments (such as
energy supply, air conditioning, etc.) do not affect the redundancy planned for network equipment or architecture?
E3
05A02-03
Has a control of the average and peak load been carried out for each element of the network and of the compatibility of the network and
associated equipment at this load level and is this control regularly repeated?
E2
05A02-04
Has this analysis been complemented by a study of network capacity to ensure reliability of communications even in the case of failure
of a single link or piece of equipment?
E3
05A02-05
Is there a dynamic measurement of network load and of the load balancing tools?
05A02-06
Do network monitoring and reconfiguration tools allow real time corrective action compatible with the requirements of the users?
05A02-07
Does the architecture of network equipment allow easy adaptation to changes of load levels (clusters, load balancing etc.)?
341702815.xls ! 05 Lan
E2
2
E2
E2
page 111
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Questions
Max
05A02-08
Are overload detection and load balancing appliances and devices accessible only by administrators and is their access protected by
strengthened access control?
R1
05A02-09
Is any inhibition or shutdown of network overload detection and load balancing equipment signaled immediately to the monitoring center
or to network administrators?
R1
05A02-10
Are regular performance tests of detection and reconfiguration mechanisms carried out?
C1
05A02-11
Are regular audits of the parameterization of detection and reconfiguration systems carried out?
C1
05A02-12
Are regular audits carried out of procedures associated with the detection and reconfiguration systems?
C1
05A03
Min
Typ
Organization of the maintenance of local area network equipment
05A03-01
Are all local area network equipments covered by a maintenance contract?
E1
05A03-02
Have all equipment, critical to the provision of expected operation and performance of the network, been identified and, for each of
them, have the required acceptable and maximum downtime delays been published?
E2
05A03-03
Have specifically adapted clauses related to these requirements been specified within maintenance contracts?
E2
05A03-04
Are the penalties of non-compliance with these causes sufficiently persuasive for the contract holder?
E3
05A03-05
Have escalation procedures been detailed in the case of non-compliance or difficulties in maintenance and do they anticipate the
intervention of specialists within a short delay commensurate with the criticality of the equipment?
R1
05A03-06
Have the number and proximity of specialists been detailed and do they guarantee a sufficiently good level of maintenance within an
acceptable delay?
R1
05A03-07
Do the maintenance contracts anticipate a complete replacement of equipment in the case of significant damage which would not
normally be taken into account by curative maintenance?
E3
05A03-08
Are maintenance contracts and procedures regularly audited?
05A04
9.2.4
C1
Procedures and Recovery Plans following incidents on the local area network
05A04-01
Has a list been established of incidents which could affect the proper functioning of the local area network and, for each of them, the
seriousness level?
E1
05A04-02
Has it been established, for each serious incident, the solutions to implement and the actions to execute by operational personnel?
E1
05A04-03
Are the means of intervention over the LAN (for diagnostic as well as for reconfiguration) able to cover satisfactorily all of the scenarios
identified and do they ensure that the actions can be implemented within the specified time delays?
05A04-04
For each serious incident on the local area network, have an expected resolution time and escalation procedure been determined in the
case of failure or delay of the anticipated corrective actions?
05A04-05
Are the diagnostic, management and reconfiguration tools of the local area network protected against all possible untimely or malicious
action?
05A04-06
Do incident recovery plans and procedures cover the eventual loss of data (especially loss of requests and messages)?
05A04-07
Are diagnostic and reconfiguration means regularly audited in order to assure a satisfactory minimum functioning of the local area
network in the case of an incident?
05A05
ISO 27002
E2
E3
R1
C1
E3
Save and Restore plans of local area network configurations
05A05-01
Has a backup plan been established, encompassing all local area network configurations, defining all objects to save and the frequency
of backups?
05A05-02
Has this plan been translated into automatic operational routines?
05A05-03
Has the backup of programs (source and executables, documentation and parameters) been regularly tested in order to be able to
reconstitute the production environment at any time?
341702815.xls ! 05 Lan
E1
10.5.1
E2
10.5.1
E1
10.5.1
page 112
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Questions
Max
05A05-04
Are automatic operational backup routines protected by a high level of security against illicit or unintentional modification?
Such a mechanism may be a digital seal or any equivalent modification detection system.
R1
10.5.1
05A05-05
Are all configuration and file backups, necessary for the restoration of the local area network production environment, also saved at a
location off premises (recourse backup)?
E3
10.5.1
05A05-06
Are recourse backup copies stored in a secure location and protected against accidental or human risks?
Such a location must be protected by strict access control as well as protected against fire or water damage risk.
E3
10.5.1
05A05-07
Are regular tests carried out to read backups and recourse backups?
R2
10.5.1
05A05-08
Are all procedures and plans for backup of configuration files regularly audited?
C1
05A06
Min
Typ
ISO 27002
Disaster Recovery Plan (DRP) of the local area network
05A06-01
Is there a recovery solution to make up for the unavailability of any equipment or critical link in the local area network?
E1
14.1.3
05A06-02
Is this recovery solution fully operational?
E2
14.1.3
05A06-03
Are these solutions described in detail in one (or several) Disaster Recovery Plan?
A complete Disaster Recovery plan must describe the rules for triggering, the actions to execute, the priorities, the actors to mobilize and
their contact details, as well as the conditions for return to normal operating conditions.
E1
14.1.3
05A06-04
Are these plans tested operationally at least once a year?
C1
14.1.5
05A06-05
Is there a formal guarantee of compatibility and capacity that these recovery solutions will support a sufficient operational load which has
been approved by all concerned parties?
E2
14.1.5
05A06-06
If the recovery solutions include delivery of hardware components, which cannot be triggered during tests, is there a contractual
engagement within the recovery plan for the delivery of hardware within fixed and anticipated time limits, guaranteed by the
manufacturer or other third party (leaser, broker, other)?
E2
05A06-07
If the recovery equipment and/or solution are pooled, is the number of other subscribers known and limited?
05A06-08
Has the unavailability or failure of the recovery facility been considered and has a second level backup been organized?
05A06-09
Is the backup solution usable for an unlimited duration and if not, has a follow on solution been established?
05A06-10
Are the existence, the pertinence and the updates of the Disaster Recovery Plans regularly audited?
05A07
E3
3
R1
E3
C1
05A07-01
Have the consequences of the disappearance of a supplier of equipment, network service or software been analyzed (in the case of
failure, of a bug or change requirement) and has a list of critical points been established?
E2
05A07-02
For each critical point, is there a corrective solution to cope with the failure or disappearance of a supplier (maintenance documentation
lodged with a trusted third party, replacement of equipment or of software by widely available market solutions etc.)?
E2
05A07-03
Is it certain that this corrective solution could be made operational within a sufficiently short time to enable the business activity to restart
and which is acceptable to the users ?
E3
05A07-04
Have alternate options to the basic solution been considered for the case where the latter might encounter unforeseen difficulties?
E3
05A07-05
Is there a regular review of critical points and of the corrective solutions envisaged?
C1
05B
Access control to the local area network
05B01
05B01-01
Management of access profiles on the local area network

Has a management policy for access rights to the local network been established according to an analysis of the security requirements
as per the business stakes?
341702815.xls ! 05 Lan
E1
11.1.1
page 113
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Questions
05B01-02
Is this policy documented, regularly revised and approved by the concerned managers in charge?
05B01-03
Is access to the local area network and to the various parts of this network defined in terms of job profiles which regroup roles or
functions within the organization (profiles define access rights which are available to the holders of the profile)?
Note: in certain circumstances, the notion of "profile" may be replaced by a notion of "group". In addition, access rights which may be
attributed to partners must also be considered.
Access profiles must comprise the access rights towards each partition of the network, for a station connected directly to the network as
well as for connections from outside the LAN (mobile users, teleworking, partners, etc.).
E1
05B01-04
Have various variable parameters been introduced into the access rights definition rules (which determine the rights that are attributed to
profiles) as a function of context, in particular, the location of the requesting station (direct LAN access, extended network (WAN),
external), the nature of the connection used (LAN, Leased line, Internet, type of protocol etc.) or the classification of the sub-network
requested?
E2
05B01-05
Do the profiles also allow definition of working time limits (daily working hours) and calendars (weekends, holidays, etc.)?
05B01-06
Have these profiles and the access rights attributed to the different profiles, as a function of context, been approved by the information
owners and the Information Security Officer?
E2
05B01-07
Is the process of definition and management of rights attributed to profiles under strict control?
A strict control requires that the list of people allowed to change rights attributed to profiles be strictly limited, that the implementation of
these rights into tables be strictly secure at the time of transmission and storage and that there exists a reinforced access control in
order to be able to modify these rights and that any modification of these rights be logged and audited.
R1
05B01-08
Is there a regular audit, at least once a year, of the access rights attributed to each profile and of the profile management procedures?
C1
E1
05B02
Max
Min
Typ
E2
ISO 27002
11.2.2
E3
11.2.4
Management of privileges and access authorizations (granting, delegation, revocation)
05B02-01
Does the procedure of granting access authorizations to the local area network require the formal authorization of line management or of
the unit managing external contractors (at a sufficiently senior level)?
05B02-02
Are access authorizations granted to named individuals and only as a function of their profile?
05B02-03
Is the procedure for granting (or modification or revocation) of access authorizations to the local area network (directly or via a profile)
strictly controlled?
A strict control requires a formal recognition of the signature (electronic or otherwise) of the requestor, that the
implementation of the profile attributed to users in the form of tables is highly secure during transmission and storage
and that there be a reinforced access control over the modification of such records and that any modification of records
be logged and audited.
05B02-04
Is there a systematic process of updating the table of access authorizations at the time of departure of in house personnel?
05B02-05
E2
E3
11.2.2
E2
11.2.4
Is there a systematic process of updating the table of access authorizations at the time of change of function (at the end of contract for
external personnel or internal change of function)?
E3
11.2.4
05B02-06
Is there a list of all personnel who have access to the local area network?
05B02-07
Is there a regular audit, at least once a year, of all access authorizations granted to the personnel to the local area network and all those
granted to partners?
05B03
C1
2
C1
11.2.4
User or entity authentication for access requests to the local area network from an internal access point
This mechanism corresponds, for example, to the authentication implemented in a Windows domain controller.
341702815.xls ! 05 Lan
page 114
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Questions
Max
05B03-01
Is there a mechanism of authentication of each user before any access to a local area network resource?
E1
05B03-02
Does the process of modification or definition of a user credential respect a set of rules which ensures its robustness?
In the case of passwords: sufficient length (8 characters or more), obligatory mixture of types of characters, frequent change (less than
once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard systems", first
names, anagrams of username, dates etc.
In the case of certificates or authentication based on cryptographic mechanisms, a generation process evaluated or publicly recognized,
encryption keys of a sufficient length etc.
E2
05B03-03
Does the process of providing user credentials guarantee its inviolability?

The usage of a typed password will always be a weak point. the only process which does not divulge observable information consists
either of introducing an object containing a secret code (smart card), or using a code which changes at every moment (token card ) or
using a means which contains some biometric characteristic.
E3
05B03-04
Do the security equipment that retain and use reference data (passwords, calling number, etc.) in support of authentication use
mechanisms which guarantee inviolability and authenticity?
Passwords must be stored encrypted and a preliminary control of the user must be made before usage.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a recognized
organization.
E2
05B03-05
Does the transmission of reference data in support of authentication (password, calling number, etc.) between the user equipment and
security systems, use mechanisms which guarantee inviolability and authenticity?
Transmission of a password must be encrypted or use an algorithm which introduces a variable at each transmission.
organization.
E3
05B03-06
Is there an automatic process of invalidation of the calling station or the user account in the case of multiple incorrect attempts, so as to
require the intervention of an administrator to reinstate the station or the user?
E2
05B03-07
Does the procedure for the replacement of a lost or mislaid user credential (e.g. password, token card) lead to the instant deactivation of
this credential?
E2
05B03-08
Does the procedure for the replacement of a lost or mislaid user credential (e.g. password, token card) impose an effective control of the
requestor's identity?
E3
05B03-09
Are authentication parameters under strict control?

A strict control requires that people allowed to change the definition rules of identifiers, the identifiers themselves, rules of surveillance of
connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these modifications, that these
modifications be logged and audited and that there exists a regular general audit at least once a year of all authentication parameters.
C1
05B03-10
Are the processes that ensure authentication under strict control?

A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is an
audit, at least once a year, of authentication procedures and processes.
C1
05B04
Min
Typ
ISO 27002
11.2.3
User or requestor authentication before access to the local area network from a remote site via the extended network
05B04-01
Do membership rules of the extended network impose that all users are authenticated prior to any outgoing access using the extended
network?
E1
05B04-02
Do membership rules to the extended network and the controls effected mean that the same level of confidence can be attributed to
users of the extended network as those of the local area network?
E2
341702815.xls ! 05 Lan
page 115
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Questions
Max
05B04-03
Is the pertinence of the rules of membership to the extended network regularly audited?
C1
05B04-04
Is a regular audit carried out to ensure that the rules of membership to the extended network are applied by all the entities which are
authorized to connect to it?
C1
E1
11.4.2
05B05
05B05-01
User or requestor authentication for outside access to the local area network
(e.g. from the switched telephone network (POTS), X25, ISDN, broadband, Internet, etc.)
Is there a mechanism of authentication of all users connecting to the local area network from the outside?
Min
Typ
ISO 27002
05B05-02
Does the process of modification or definition of a user credential in support of access control respect a set of rules which ensures its
intrinsic validity?
In the case of certificates or authentication based on cryptographic mechanisms, a generation process evaluated or publicly recognized,
encryption keys of a sufficient length etc.
E2
11.4.2
05B05-03
Does the process of using a credential guarantee its impregnability?

The usage of a password will always be a weak point. the only process which does not divulge observable information consists either of
introducing an object containing a secret (smart card), or using a code which changes at every moment (token card type SecureId) or
using a means which contains some biometric characteristic.
E3
11.4.2
05B05-04
Do the security equipment that retain reference data (e.g. passwords, calling number, etc.) to support access authentication use
mechanisms which guarantee impregnability and authenticity?
organization.
E2
05B05-05
Does the transmission of reference data in support of authentication (e.g. passwords, calling address, etc.) between user equipment and
security systems use mechanisms which guarantee impregnability and authenticity?
organization.
E3
05B05-06
Is there an automatic process of invalidation of the calling station or the user account in the case of multiple incorrect attempts, so as to
E2
05B05-07
this credential?
E2
05B05-08
E3
05B05-09

A strict control requires that people allowed to change the definition rules of identifiers, the identifiers themselves, rules of surveillance of
connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these modifications, that these
C1
05B05-10

audit, at least once a year, of authentication procedures and processes.
C1
341702815.xls ! 05 Lan
page 116
1 variant
Number
05B06
R-V1 R-V2 R-V3 R-V4
Questions
Max
Min
Typ
05B06-01
Are all WiFi networks isolated from the local area network by a firewall?
E1
05B06-02
Is there a method of authentication of all users connecting to the local area network from a WiFi sub-network?
E1
05B06-03
Does the process of definition or modification of user credential for access control from a WiFi sub network respect a set of rules which
ensures its intrinsic validity?
In the case of certificates or authentication based on cryptographic mechanisms, the generation process must be evaluated or publicly
recognized, encryption keys of a sufficient length etc.
In the case of simple access identifiers (e.g. calling phone number), a call back procedure is recommended.
E2
05B06-04
Does the authentication system guarantee the impregnability of the user's credential?
E3
05B06-05
Do the security equipment that retain reference data (e.g. passwords, calling address, etc.) to support access authentication use
mechanisms which guarantee impregnability and authenticity?
organization.
E2
05B06-06
Does the transmission of reference data in support of authentication (e.g. passwords, calling address, etc.) between calling user
equipment and authentication systems use mechanisms which guarantee impregnability and authenticity?
organization.
E3
05B06-07
Is there an automatic process of invalidation of the user account and/or workstation in the case of multiple incorrect attempts so as to
E2
05B06-08
this credential?
E2
05B06-09
E3
05B06-10
Are authentication parameters for the access from a WiFi sub-network under strict control?
A strict control requires that people able to change the definition rules of identifiers, the identifiers themselves, rules of monitoring
connection attempts etc., be strictly limited and that there exist a reinforced access control to effect these modifications, that these
C1
05B06-11
Are the processes that guarantee authentication from a WiFi sub network under strict control?
audit, audit, at least once a year, of authentication procedures and processes.
C1
05B07
ISO 27002
User or requestor authentication for access requests to the local area network from a WiFi sub-network
General filtering of access to the local area network
05B07-01
Do all access to the local area network require the use of an identifier recognized by the system?
05B07-02
Is there a one to one correspondence between an identifier and a real physical person?
E2
05B07-03
Have all generic or by-default accounts and passwords been changed or deleted?
E2
341702815.xls ! 05 Lan
E1
page 117
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Questions
Max
05B07-04
Is the identifier provided for access to the local area network systematically subject to authentication?
Systematic authentication requires that the control process be in place for all possible access paths (internal access, all types of access
from the outside including reserved ports such as an those used for remote maintenance).
E1
05B07-05
Is there a systematic control of the context of the access requestor (local area network, extended network, external link, nature of the
link and protocols used )?
E3
05B07-06
Is there a systematic control of the profile and the context of the connection of the requestor and the appropriateness of that profile and
context with the access requested?
E3
05B07-07
Is there an automatic invalidation of the user identifier in the absence of traffic after a defined delay, which requires user re-identification
and re-authentication?
E2
05B07-08
For connections requiring it, is there an identification for the calling equipment (MAC address, IP address, etc.) as per the access control
rules?
E3
05B07-09
Are the processes of definition and management of access filtering rules under strict control?
A strict control requires that the list of persons allowed to change the filtering security parameters be extremely limited, and that there be
a reinforced access control in order to be able to effect such modification and that any modification be logged and audited.
R1
05B07-10
Are there regular penetration tests into the network carried out in addition to detailed technical audits?
C1
15.2.2
05B08
Min
Typ
ISO 27002
11.4.3
Routing control of outgoing access
05B08-01
Do all outgoing accesses require the use of an identifier recognized by the system?
E1
11.4.2
05B08-02
Does this identifier correspond to a unique and directly or indirectly identifiable physical person?
E2
11.4.2
05B08-03
Is the identifier used in outgoing access control systematically subject to authentication?

Systematic authentication requires that there is a process in place for all access paths and all outgoing ports.
E2
11.4.2
05B08-04
Has it been defined, in a security policy relatively to outgoing accesses, rules specifying the connections authorized (type of external
network, authorized links and protocols) function of the internal sub-networks considered?
E2
05B08-05
Is there, before authorizing any outgoing access, a control of the rules defined in the security policy?
E2
05B08-06
Is there an automatic invalidation of the user identifier in the absence of traffic after a defined delay which requires user re-identification
and re-authentication?
05B08-07
Are the processes of definition and management of outgoing access filtering rules under strict control?
A strict control requires that the list of persons allowed to change the filtering security parameters be extremely limited, and that there be
a reinforced access control in order to be able to effect such modification and that any modification be logged and audited.
R1
05B08-08
Are there regular penetration tests of the network carried out and regular specialized technical audits effected?
C1
05B09
E2
Authentication of the external entity accessed for outgoing access to sensitive sites
05B09-01
Is there a possibility to declare sites or remote access points as sensitive and, as such, requiring an authentication of the entity
accessed?
E2
05B09-02
Is there a mechanism of authentication of the entity called before access to sensitive sites from the internal network?
E2
05B09-03
Does the authentication mechanism of the accessed entity provide a recognized "strong" level of security?
Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is observable without
divulging information, are those based on cryptographic algorithms.
E3
341702815.xls ! 05 Lan
page 118
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Questions
Max
05B09-04
Do the security equipment that retain credentials (e.g. passwords, calling number, etc.) use mechanisms which guarantee their
impregnability and authenticity?
organization.
E2
05B09-05
Does the transmission of credentials (e.g. passwords, calling address, etc.) between calling user equipment and authentication systems
use mechanisms which guarantee their impregnability and authenticity?
organization.
E3
05B09-06
Does the revoked keys management procedure guarantee that the control systems take into consideration in real time any revocation of
keys?
E2
05B09-07
Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have not been
revoked?
E3
05B09-08
Are the processes that guarantee the authentication of the accessed entities under strict control?
audit at least once a year of the authentication procedures and processes.
R1
Min
Typ
ISO 27002
Security of data exchange and communication on the local network
05C
05C01
Encryption of exchanges on the local area network

Encryption can be effected at layer 3 (IPSEC VPN) or at level 4-5 (SSL) or directly effected by the application (level 6-7, for example
encryption before or during transmission), case really treated by domain 09.
It could be systematic on the "pipeline" (physical or logical) or limited only to certain data flows (as a function of address or type, etc.) it
can also be performed on intermediate systems (VPN boxes) or end systems (stations, server) or both.
05C01-01
Have the permanent links and data exchanges which must be protected by encryption solutions been defined and such solutions been
implemented on the local area network?
05C01-02
The sufficient length of the keys is one of among many parameters to take into consideration (as a function of the algorithm) . The
E2
05C01-03
Do the procedures and mechanisms for storage, distribution and exchange of keys and more generally the management of keys offer a
sufficient level of confidence and have they been approved by the Information Security Officer?
E2
05C01-04
Are the encryption mechanisms embodied in electronic components which are strictly protected at a physical level against intrusion or
change?
Encryption mechanisms should be contained within protected enclosures to which it should be impossible to gain access, i.e. within a
microprocessor or smart cards and protected physically and logically.
05C01-05
Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day capable of
R1
05C01-06
In the case of inhibition or bypass of the encryption solution or the activation of an unprotected fail-over link of the network, is there a
procedure to immediately alert all users?
For example by a warning requiring the user to acknowledge its receipt.
R1
05C01-07
Is there a regular audit, at least once a year, of all data exchange, encryption systems and associated procedures?
C1
341702815.xls ! 05 Lan
E1
12.3.1
12.3.2
R2
page 119
1 variant
Number
05C02
R-V1 R-V2 R-V3 R-V4
Questions
Max
Min
Typ
05C02-01
Have the permanent links and data exchanges which must be protected by sealing solutions been defined and implemented on the
local area network?
05C02-02
The sufficient length of the keys is one of among many parameters to take into consideration (as a function of the algorithm). The
E2
05C02-03
Do the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the keys offer
solid guarantees which merit confidence and have they been approved by the Information Security Officer?
E2
05C02-04
Are the sealing mechanisms embodied in electronic components which are in turn strictly protected at a physical level against intrusion
or change?
Sealing mechanisms should be contained within protected appliances to which it should be impossible to gain access, i.e. within a
microprocessor or smart card, and protected physically and logically.
05C02-05
Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day capable of triggering
an immediate reaction?
R1
05C02-06
In the case of inhibition or bypass of the sealing solution or the activation of an unprotected fail-over link, is there a procedure to
immediately alert all users?
For example by a warning requiring the user to actively validate its receipt.
R1
05C02-07
Is there a regular audit, at least once a year, of all systems of data integrity protection and of associated procedures?
C1
05C03
E1
R2
Encryption of exchanges in the case of remote access to the local area network
05C03-01
Have encryption solutions been defined and implemented for exchanges with users connecting from outside (mobile staff, authorized
service providers etc.) ?
05C03-02
E2
05C03-03
Do the procedure and mechanisms of storage, distribution and exchange of keys, and more generally the management of the keys, offer
solid guarantees which merit confidence and are they approved by the Information Security Officer?
E2
05C03-04
Are the encryption mechanisms embodied in physical electronic components which are strictly protected at a physical level against
Encryption mechanisms should be contained within protected enclosures to which it should be impossible to gain access, i.e. within a
microprocessor or smart card and protected physically and logically.
05C03-05
Is access to the network from the outside impossible without using encryption
05C04
ISO 27002
Integrity control of exchanges on the local area network
E1
12.3.1
12.3.2
R1
R1
Protection of the integrity of exchanges in the case of remote access to the local area network
05C04-01
Have solutions for sealing or integrity control of exchanges with users connecting from the outside (mobile staff, authorized service
providers etc.) been defined and implemented?
05C04-02
E2
05C04-03
Do the procedures and mechanisms of storage, distribution and exchange of keys and more generally the management of keys offer
solid guarantees which merit confidence and have they been approved by the Information Security Officer?
E3
341702815.xls ! 05 Lan
E2
page 120
1 variant
Number
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
05C04-04
Questions
Are the sealing mechanisms embodied in electronic components which are in turn strictly protected at a physical level against intrusion
or change?
Sealing mechanisms should be contained within protected enclosures to which it should be impossible to gain access, i.e. within a
microprocessor or smart card and protected physically and logically.
R2
05C04-05
Is access to the network from the outside impossible without using integrity control?
ISO 27002
R1
Control, detection and resolution of incidents on the local network
05D
05D01
Real-time monitoring of the local area network
05D01-01
Have events or successions of events been analyzed which might reveal abnormal behavior or illicit action on the local area network
and as a consequence have specific monitoring indicators or control points been identified?
E2
10.10.2
05D01-02
Is the system equipped with an automatic real time monitoring system in the case of an accumulation of abnormal events (for example
unsuccessful connection attempts on non-open ports)?
E3
10.10.2
05D01-03
Is use made of an intrusion detection system or capable of detecting anomalies on the local area network?
E2
10.10.2
05D01-04
Are there one or more applications capable of analyzing the individual anomaly diagnostic data on the local area network and of
triggering an alert to operational personnel?
E3
05D01-05
Is there within operational personnel a team available 24 hrs a day or group capable of reacting in the case of a monitoring alert on the
network?
E3
05D01-06
For each case of alert has the expected response from the intervention team been defined and is the availability of the intervention team
sufficient to face this expectation?
E3
05D01-07
Are the parameters defining alarms strictly protected (restricted access rights and strict authentication) against illicit modification?
05D01-08
Does any stoppage of the alarm system, linked to the local area network, trigger an alarm towards the surveillance team?
05D01-09
Are the elements enabling the detection of an anomaly or incident archived (on disk, cassette or optical disk etc.)?
05D01-10
Are the monitoring procedures of the local area network, the detection of the anomalies and the availability of the surveillance team
subject to regular audit?
05D02
R1
3
3
R1
10.10.2
E2
10.10.3
C1
Offline analysis of traces, log files and event journals on the local area network
05D02-01
Has detailed analysis been carried out of the events or succession of events on the local area network which may have an impact on
security (refused connections, re-routings, reconfigurations, changes in performance, access to sensitive data or tools etc.)?
05D02-02
Are these events recorded as well as the parameters used for their subsequent analysis?
05D02-03
Is there an application capable of analyzing these records as well as performance measures, of establishing statistics, a dashboard and
anomaly diagnostics for examination by a competent team of specialists?
05D02-04
Is the structure, empowered to analyze these summaries (or incidents logs) and security related events, required to do so within a fixed
and determined period and does it have sufficient availability?
E2
05D02-05
Has the expected reaction from the surveillance team been defined for each case of alert and are its availability and staffing level
sufficient to meet these expectations?
E3
05D02-06
Are the parameters defining the elements to record and the analyses to effect strictly protected against unauthorized change (limited
rights and strong authentication)?
R1
05D02-07
Is any inhibition of this recording and processing system immediately signaled to the surveillance team?
R1
05D02-08
Are the records and summary analyses protected against any alteration or destruction??
E2
10.10.3
05D02-09
E2
10.10.3
341702815.xls ! 05 Lan
E1
10.10.1
E1
10.10.1
E2
10.10.3
page 121
1 variant
Number
05D02-10
05D03
R-V1 R-V2 R-V3 R-V4
Questions
Are the procedures for recording, processing and analysis of the records and summaries as well as the availability of the analysis and
corrective team subject to regular audit?
Max
Min
Typ
C1
ISO 27002
Management of incidents on the local area network
05D03-01
Is there a hot-line charged with taking, recording and escalating all calls related to the local area network incidents?
E1
10.10.5
05D03-02
Is this hot-line available 24 hours a day?
E2
10.10.5
05D03-03
E2
10.10.5
05D03-04
E2
10.10.5
05D03-05
Does this system cater for a systematic follow-up of necessary actions?
E3
10.10.5
05D03-06
Does this system incorporate a categorization of incidents including statistics and dashboards generation destined for use by the
E3
05D03-07
Is the incident management system strictly controlled with regard to unauthorized or illicit modification?
A strict control requires a reinforced protection in order to modify records and an audit trail or protection by electronic seal of all
modifications of records.
05D03-08
Is each major incident on the network subject to a specific follow-up (nature and description, priority, technical solution, analysis in
progress, expected resolution lead time etc.)?
341702815.xls ! 05 Lan
R1
E2
13.2.1
page 122
Comments
341702815.xls ! 05 Lan
page 123
Comments
341702815.xls ! 05 Lan
page 124
Comments
341702815.xls ! 05 Lan
page 125
Comments
341702815.xls ! 05 Lan
page 126
Comments
341702815.xls ! 05 Lan
page 127
Comments
341702815.xls ! 05 Lan
page 128
Comments
341702815.xls ! 05 Lan
page 129
Comments
341702815.xls ! 05 Lan
page 130
Comments
341702815.xls ! 05 Lan
page 131
Comments
341702815.xls ! 05 Lan
page 132
Comments
341702815.xls ! 05 Lan
page 133
Comments
341702815.xls ! 05 Lan
page 134
341702815.xls ! 05 Lan
page 135
341702815.xls ! 05 Lan
page 136
341702815.xls ! 05 Lan
page 137
341702815.xls ! 05 Lan
page 138
341702815.xls ! 05 Lan
page 139
341702815.xls ! 05 Lan
page 140
341702815.xls ! 05 Lan
page 141
341702815.xls ! 05 Lan
page 142
341702815.xls ! 05 Lan
page 143
341702815.xls ! 05 Lan
page 144
341702815.xls ! 05 Lan
page 145
341702815.xls ! 05 Lan
page 146
Audit Questionnaire: Network Operations

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Questions
Max
Min
Typ
ISO 27002
06A
Security of operations procedures
06A01
Security in the relationship with operational personnel (employees, suppliers or service providers)
06A01-01
Is there a security policy specifically aimed at operational network personnel covering all the aspects of information security
(confidentiality of information, service and information availability, integrity of information and configurations, trace ability, etc. )?
06A01-02
Is operational network personnel required to sign contract clauses of adherence to that security policy (no matter their status:
permanent or temporary staff, students, etc.)?
06A01-03
Do these clauses make clear that the obligation to respect security applies to all information no matter what the medium is (paper,
magnetic, optical, etc.)?
E3
06A01-04
Do these clauses make clear, if necessary and legally possible, that the obligation to respect the security policy applies without
limitation in time?
This applies, in particular, to the clauses concerning confidentiality, they may (and often must) continue after the end of the
contract linking (directly or indirectly) the employee or service provider or partner to the company
E3
06A01-05
Do these clauses make clear that the personnel has an obligation not to tolerate any action contrary to security from other
people?
E3
06A01-06
Does the signature of these clauses represent a formal commitment?

In order to achieve a formal commitment, the personnel should explicitly state that his/her signature implies having understood
and accepted the security policy
E2
06A01-07
Are these same clauses obligatory for contractors working on network operations?
Practically, the contractors should ensure that their personnel sign individually and explicitly under the same conditions than
internal staff.
E2
06A01-08
Is there a mandatory and well adapted training course aimed at network operations personnel?
06A01-09
Are the confidentiality agreements, signed by personnel, securely kept (at least in a locked cupboard )?
R1
06A01-10
Are the confidentiality agreements, signed by external contractors, securely kept (at least in a locked cupboard )?
R1
06A01-11
Is there a regular audit, at least once a year, of the effective application of the signature procedure by operational personnel
(directly employed by the company or indirectly through a service company) ?
C1
06A02
Control of the implementation or upgrade of software or hardware
06A02-01
Is there a control procedure for change decisions, equipment and system evolutions (registration, planning, formal approbation,
communication to all concerned individuals, etc.)?
E1
10.1.2
06A02-02
Are the change decisions based on an analysis of the capacity of the new equipment and systems in ensuring the required load
taking into account the evolution of foreseeable requests?
E2
10.3.1
06A02-03
Do the installations take into account physical protection (protected access, no direct external view to equipments, absence of
physical threats, climate conditions, protection against thunderbolts, protection against dust, etc.)?
E2
9.2.1
06A02-04
Is there a definite review, involving Information Security Office personnel, of the potential risks related to functional changes
associated to each new or revised network software or equipment?
E2
12.4.1; 10.3.2
06A02-05
Does this review contain an analysis of the risks that may arise from these functional changes?
E2
12.4.1; 10.3.2
06A02-06
Has operational staff received specific formal training in risk analysis?
E3
06A02-07
Does operational staff obtain appropriate advice when needed?
E3
06A02-08
Are security measures, to be implemented to counter any new risks identified, subject to formal review and control before start of
production?
E2
341702815.xls ! 06 Nop
E1
E2
E2
10.3.2
page 147

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Questions
Max
Min
Typ
ISO 27002
06A02-09
Are security parameters and configuration rules (removal of all generic accounts, changing of generic passwords, closure of all
ports not specifically requested and authorized, access control and authentication parameters, control of routing tables etc.)
detailed and kept up to date and are they reviewed before any start of production of a new version?
E2
11.4.4; 10.3.2
06A02-10
Are the security parameters and configuration rules controlled before any new version is installed and operated?
E2
11.4.4; 10.3.2
06A02-11
Is it considered the possible impact over the continuity plans due the system changes?
E2
10.3.2
06A02-12
Are any dispensations from the prior risk analysis and control of security parameters subject to strict procedures requiring the
signature of a senior manager?
R1
06A02-13
Is the start of production of new equipment or software only possible by operational staff?
E2
12.4.1; 6.1.4
06A02-14
Is the start of production of new equipment or software only possible following a defined validation and authorization process?
E3
12.4.1; 6.1.4
06A02-15
Are all the control procedures related to start of production subject to regular audit?
C1
06A03
Control of maintenance operations
06A03-01
Is it kept a trace of all maintenance operations?
06A03-02
Are all maintenance operations required to terminate with a systematic verification of all security parameters (as defined at the
start of production)?
E2
06A03-03
Are all maintenance operations required to terminate with a systematic verification of security log files parameters (events to be
recorded, context of events to be recorded, duration of retention, etc.)?
E3
06A03-04
Are all maintenance operations required to terminate with a systematic verification of administration control parameters
(necessary profile, authentication type, removal of standard logins, etc.)?
E3
06A03-05
Is a formal dispensation, signed by a responsible manager, required if the above mentioned procedures are not observed?
06A03-06
Is the totality of start of production (after maintenance) control procedures regularly audited?
06A04
Control of Remote Maintenance
06A04-01
In the case of remote maintenance, is there a secure authentication procedure of the remote maintenance center?
06A04-02
In the case of remote maintenance is there a secure authentication procedure for maintenance personnel?
06A04-03
Is there a set of procedures covering the attribution of access rights for a new maintenance operative, the revocation of rights and
the attribution of rights in emergency situations?
06A04-04
E2
9.2.4
E3
3
C1
E2
11.4.4
E2
11.4.4
E3
11.4.4
Have the procedures and protocols for the exchange and storage of secret data etc., been approved by the Information Security
Officer or a specialized organization?
E3
06A04-05
Does the usage of the remote maintenance line require the prior agreement (for each usage) of operational personnel (following
the provider's request specifying the nature, date and time of the intervention )?
E2
06A04-06
Is the equipment allocated for remote maintenance protected against inhibition or modification of access conditions, resulting in
the triggering of an alarm?
R1
06A04-07
Are all the control procedures for remote maintenance regularly audited?
C1
06A05
Management of Operating Procedures for Network Operation
06A05-01
Do the network operating procedure result from the study of the overall cases to be covered by said procedure (normal operating
cases and incidents)?
E2
10.1.1
06A05-02
Are the operating procedures documented and kept up to date?
E2
10.1.1
06A05-03
Are these operating procedures readily available upon request by any accredited individual?
E2
10.1.1
06A05-04
Does the Management approve changes to procedures ?
E2
10.1.1
341702815.xls ! 06 Nop
11.4.4
page 148

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Questions
Max
Min
Typ
ISO 27002
06A05-05
Are these procedures protected from unauthorized alterations?
R1
06A05-06
Are the operating procedures audited regularly for authenticity and relevance?
C1
06A06
Management of service providers relating to networks
06A06-01
Is it ensured regularly that the network security services allocated to suppliers or service providers are efficiently implemented
and maintained by them?
C1
10.2.1
06A06-02
Is it ensured that the above suppliers have efficiently prepared the appropriate arrangements to ensure that the services are
provided as agreed?
E2
10.2.1
06A06-03
Is the respect of the security provisions by the suppliers or service providers under control and regularly reviewed?
E1
10.2.2
06A06-04
Is it ensured that the suppliers report and document any security incident concerning information or networks?
E2
10.2.2
06A06-05
Is there a regular review of these incidents or malfunctions with the concerned suppliers?
E2
10.2.2
06A06-06
Are any changes in the contract relationship (e.g. Mandatory duties, service levels) analyzed for impact on resulting potential
risks?
E3
10.2.3
06A07
Taking into account the confidentiality during maintenance operations on network equipment.
06A07-01
Is there a procedure describing in detail the operations to execute before conducting maintenance thus avoiding their access to
critical data (encryption keys, network protection, equipment security configuration, etc.)?
E2
9.2.6; 9.2.4
06A07-02
Is there a procedure or a contractual provision regarding the maintenance personnel (internal and external) specifying that any
support containing sensitive information must be wiped out before its disposal?
E2
9.2.4
06A07-03
Is there a systems' integrity verification procedure after a maintenance is conducted (no spyware, no Trojan horse, etc.)?
E2
06A07-04
E3
06A07-05
Are the above procedures regularly audited?
06A08
Contract Management of Network Services
06A08-01
Have service levels been identified for each network service?

Service levels apply not only to the services rendered to users, but also the security features required and the commitments of
each party involved.
E1
10.6.2
06A08-02
Have these service levels been included in a contractual agreement (whatever the services are ensured internally or by an
external provider)?
E2
10.6.2
06A08-03
Does Management control the application of corresponding measures?
C1
10.6.2
06B
Parameters setting and control of hardware and software configurations
06B01
Network equipment customizing and compliance control of configurations
06B01-01
Is there a document or set of documents or an operational procedure detailing all security parameters for network equipment?
which is derived from the network protection policy and determined filtering rules?
Such a document must result from the network protection policy and describe the filtering rules decided. It should also state the
reference versions of the systems so it is possible to check the status of the updates;
E1
06B01-02
Does this document (or documents) require the removal of all generic or by default accounts and does it detail the list of such
accounts?
E2
06B01-03
Does this document or procedure impose a synchronization feature, based on a reliable time reference?
06B01-04
Are these parameters set and updated regularly in line with latest information and in cooperation with expert authorities
(specialized audits, subscription to a service center, regular consultation with CERTs, etc.)?
CERT : Computer Emergency Response Team.
341702815.xls ! 06 Nop
C1
E2
3
10.10.6
E3
page 149

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Questions
Max
Min
Typ
ISO 27002
06B01-05
Are these referenced documents (or copies of installed parameters considered as references) protected, by secure sealing
methods, against untimely or illicit alteration?
R1
06B01-06
Is the integrity of system configurations regularly tested against the configuration theoretically expected (at least weekly if not
each time systems are activated)?
E3
15.2.2
06B01-07
Are regular audits carried out of the list of security parameters specified?
R1
10.1.4; 15.2.2
06B01-08
Are regular audits carried out of the exception or escalation procedures in case of difficulties?
C1
10.1.4; 15.2.2
06B01-09
Are the development and test systems separated from the operational systems?
E2
10.1.4
06B02
Control of the network access configurations of user equipment
06B02-01
Is there a document detailing all parameters to check on user workstations related to external connections capability (modem,
WiFi, etc.)?
E2
06B02-02
Is this document regularly updated in line with the latest information and in cooperation with expert authorities (specialized audits,
subscription to a service center, regular consultation with CERTs, etc.)?
E2
06B02-03
Is this reference document protected against all undue or illicit modification by strong security methods (electronic sealing )?
R1
06B02-04
Is the configuration of network equipment of user workstations checked systematically for compliance against this reference
document?
E2
06B02-05
Is this control effected systematically, at each connection to the network?
E3
06B02-06
Are there automatic routines which systematically analyze the use of the telephone network for data transmission?
E3
06B02-07
Are there automatic routines which test for the presence of non declared wireless network (WiFi) access points?
E3
06B02-08
Are user workstations protected against the possibility of installing systems software and of modifying configurations?
E3
06B02-09
Is there a regular audit of the user configuration reference document and is the configuration control procedure regularly
executed?
06C
Control of administrative rights
06C01
Control of special access rights to network equipment
06C01-01
Has a management policy for privileged access rights on the network equipment been established, based on a pre-analysis of
the security requirements and business stakes?
E1
06C01-02
Is this policy documented, regularly reviewed, and approved by the affected managers?
E2
06C01-03
Have profiles been defined, as part of network operations, corresponding to each type of activity (equipment administration, the
administration of security equipment, network management, management of backup medias and contents etc.)?
E1
10.1.3; 10.6.1;
11.2.2
06C01-04
For each profile have the necessary administrative rights been defined?
E1
10.1.3; 10.6.1
06C01-05
Does the process of attribution of administrative rights require the formal authorization of management (or the manager
responsible for external service providers) at a sufficiently high level?
E2
10.1.3
06C01-06
Does the process of attribution of administrative rights effected uniquely in relation to the profile of the holder?
E2
10.1.3
06C01-07
Is the process of granting (modification or retraction) of special rights to an individual strictly controlled?
A strict control requires a formal recognition of the signature (electronic or not) of the requestor, that there be an access control in
order to attribute or modify such rights and that any modification of special rights be logged and audited.
R1
11.2.2
06C01-08
Is there a systematic process of removal of administrative rights at the time of departure or role change of staff?
E2
11.2.4
06C01-09
Is there a regular audit, at least once a year, of all administrative rights attributed ?
C1
11.2.4
341702815.xls ! 06 Nop
C1
11.1.1
page 150

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Questions
Max
Min
Typ
06C02
Authentication of administrators and operational personnel
06C02-01
Is the process of authentication of network administrators or holders of administrative rights considered to be secure?
An authentication protocol is considered secure if it is not susceptible to being broken by a listening device on the network or
rendered inoperable by specialists tools (in particular password crack tools ). Such security usually uses cryptographic methods.
E2
06C02-02
Are the rules, for instance in the case of passwords, considered to be very strict?
Strict rules impose the use of tested non-trivial passwords and the use of a mixture of different types of character of a reasonable
length (ten or more characters). It is desirable that such rules be decided or agreed upon by the CISO.
E2
06C02-03
Is a strong authentication used for the connection of administrators to the supervision system as well as for the connection of the
supervision system to network equipments?
If the administrator connects to a hypervisor (such as HP OpenView, IBM TIVOLI, CA Unicenter, BMC Patrol or Bull OpenMaster)
with secure authentication and effective access control, an equivalent level of security is needed for the objects that are managed
(avoiding for example visible passwords, default public and community groups, access via telnet or simple SQL) in order to avoid
malicious direct action on the equipment.
E2
06C02-04
Is there a consistent control of the administrator's rights, of its context, and of the suitability of this context with the requested
access, as per formal rules of access control?
06C02-05

A strict control requires that the list of people able to change authentication rules, the identifiers themselves and the rules for
monitoring connection attempts be strictly limited, that there be a reinforced access control in order to be able to modify these
rights and that any modification of these rights be logged and audited and that there be a general audit at least once a year of all
authentication parameters.
R1
06C02-06

R1
06C02-07
Is there a regular audit of existing profiles having administrative rights?
C1
06C02-08
Is there a regular audit of the procedures for granting profiles and the security parameters protecting the profiles and the rights?
C1
06C03
Surveillance of administrative actions on the network
06C03-01
Has a detailed analysis been carried out of the operations performed with administrative rights which may potentially have an
impact on network security (configuration of security systems, access to sensitive information, usage of sensitive tools, download
or modification of administrative tools etc.)?
06C03-02
Are all these events recorded on a log file as well as all parameters required for their subsequent analysis?
06C03-03
Is there a system which enables the detection of the modification or deletion of a past record and to immediately trigger an alarm
to a manager?
06C03-04
Is there a summary of these records which enables management to detect abnormal behavior?
06C03-05
Is there a system which enables the detection of any modification of recording parameters and to immediately trigger an alarm to
a manager?
06C03-06
Does any inhibition of the recording system and processing of logged events trigger an alarm to a manager?
06C03-07
Are all records or summary analyses protected against destruction or modification?
06C03-08
Are all records or summary analyses kept for a long period?
341702815.xls ! 06 Nop
ISO 27002
E2
2
3
11.2.4
E2
10.10.4; 10.6.1
E2
10.10.4; 10.6.1
E3
10.10.4
E3
10.10.4
R1
10.10.4
E3
10.10.4
R1
10.10.4
R1
10.10.4
page 151

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Questions
Max
Min
Typ
ISO 27002
06C03-09
Are the procedures for recording and analyzing operations executed with administrative rights regularly audited?
06C04
Control of networking operational tools and utilities
06C04-01
Is there an exhaustive inventory of the sensitive networking tools or utilities (administration of rights, configuration management,
backups, copies, hot system restarts etc.) allowed for each type of operational staff profile?
06C04-02
Can the tools or sensitive utilities only be used by the holders of the corresponding profiles following a secure and individual
authentication (authentication token, smart card etc.)?
E2
06C04-03
Is it forbidden to add or create tools or utilities without formal authorization?
E2
06C04-04
Is this forbidding rule regularly enforced by an automatic procedure which may trigger an alert to a manager?
E3
06C04-05
Do the rights attributed to operational teams prohibit them from modifying operational tools and utilities or at the very least is
there a control of any such modification with triggering of an alert to a manager?
E3
06C04-06
Are the attribution of profiles and the implementation of the security measures mentioned above regularly audited?
C1
06D
Audit and Network Control Procedures
06D01
Audit Control Operation
06D01-01
Has the management established the requirements and procedures to follow during the audits conducted on the networks?
E2
15.3.1
06D01-02
Are the rules related to network audits, relevant procedures and associated responsibilities defined and documented?
The limits to be determined concern the type of access to the equipment, the controls and authorized processing, the deletion of
sensitive data obtained, the flagging of certain operations, ... and the empowerment of the individuals conducting the audits.
E2
15.3.1
06D01-03
Are the auditors independent of the concerned activities?
E2
15.3.1
06D01-04
Are the audit operations conducted for critical data recorded?
E3
15.3.1
06D01-05
Are the possible actions of the auditors well delimited?

Such limitations are recommended in the case of external auditors.
E2
15.3.2
06D02
Protection of Tools and Audit Results
06D02-01
Are the audit tools protected to avoid any unauthorized or abusive use?
This applies particularly to intrusion testing and vulnerability assessments.
E2
15.3.2
06D02-02
Are the audit results protected against any modification or disclosure?
E2
15.3.2
06D02-03
Is the use of audit tools and results strictly limited?

Such limitations are recommended in the case of external auditors.
E2
15.3.2
341702815.xls ! 06 Nop
C1
E1
page 152
Comments
341702815.xls ! 06 Nop
page 153
Comments
341702815.xls ! 06 Nop
page 154
Comments
341702815.xls ! 06 Nop
page 155
Comments
341702815.xls ! 06 Nop
page 156
Comments
341702815.xls ! 06 Nop
page 157
Comments
341702815.xls ! 06 Nop
page 158
341702815.xls ! 06 Nop
page 159
341702815.xls ! 06 Nop
page 160
341702815.xls ! 06 Nop
page 161
341702815.xls ! 06 Nop
page 162
341702815.xls ! 06 Nop
page 163
341702815.xls ! 06 Nop
page 164
Audit Questionnaire: Security and Architecture of Systems
1 variant
Number
Question
07A
Control of access to systems
07A01
Management of access profiles (rights and privileges granted by functional profile)
07A01-01
Has a management policy for access rights to the systems been established, built from an analysis of the security requirements
based on the business stakes?
07A01-02
Is access to the various parts of the information system (applications, data bases, systems, equipments, etc) defined in terms of
job profiles which regroup roles or functions within the organization (profiles define access rights which are available to holders of
the profile)?
Note: in certain circumstances the notion of "profile" may be replaced by the notion of "group".
07A01-03
Is it possible to adjust the access rights attributed to a given profile, based on the nature of the connection and equipment used
(location, link, network, protocol, encryption, etc) and on the classification of the resources accessed?
E2
07A01-04
etc.)?
E3
11.5.6
07A01-05
Have these profiles and the access rights attributed to the different profiles, as a function of context, been approved by the
information owners and the Information Security Officer?
E2
11.5.6
07A01-06
Is the process of definition and management of rights attributed to profiles under strict control?
A strict control requires that the list of people able to change rights attributed to profiles be strictly limited and that the
implementation of these rights into tables be strictly secure during transmission and storage and that there exists a reinforced
access control in order to be able to modify these rights and that any modification of these rights be logged and audited.
R1
07A01-07
Is it possible to review at any time, the complete list of profiles and of the rights attributed to each profile?
C1
07A01-08
Is there a regular audit at least once a year of all rights attributed to each profile and the profile management procedures?
C1
07A02
Management of access authorizations and privileges (granting, delegation, revocation)
07A02-01
Does the procedure of granting access authorization require the formal approval of line management (at a sufficiently high level)?
E1
07A02-02
Are authorizations granted to named individuals only as a function of their profile?
07A02-03
Is the procedure for granting (or changing or revoking) authorization to an individual (either directly or via his profile) strictly
controlled?
the profile attributed to users in the form of tables is highly secure during transmission and storage and that there be a reinforced
access control over the modification of such records and that any modification of records be logged and audited.
07A02-04
Is there a systematic process of updating the table of access authorizations at the time of departure of personnel (either internal
or external)?
07A02-05
Is there a systematic process of updating the table of access authorizations at the time of change of function?
07A02-06
Is there a strictly controlled process (as above) which allows to delegate his/her own authorizations, in part or in whole, to a
person of choice for a determined period (in case of absence)?
In this case, the delegated rights must no longer be authorized to the person who has delegated them during this time. The owner
however, must have the possibility of taking them back, by which process he or she effectively ends the delegation.
07A02-07
Is it possible to control at any time, for all users, the rights, authorizations and privileges in force?
R-V1 R-V2 R-V3 R-V4 P
341702815.xls ! 07 Sys
Max
Min
Typ
ISO 27002
E1
11.1.1
E1
11.2.2
11.2.4
E1
3
E2
11.2.2
E2
11.2.4
E3
11.2.4
E3
C1
page 165
1 variant
Number
Question
07A02-08
Is there a regular audit, at least once a year, of the profiles and authorizations granted to all users and of the procedures for
management of attributed profiles?
07A03
Authentication of the access requestor (user or entity)
07A03-01
Max
Min
Typ
ISO 27002
C1
11.2.4
Does the process of distribution or modification of the user credentials guarantee that only the holder of the identifier can have
access to them (initial communication is confidential, password change is under the exclusive control of the user, etc.)?
E1
11.5.3
07A03-02
Does the process of definition or modification of user credentials respect a set of rules which ensures their intrinsic validity?
In the case of passwords: sufficient length (8 characters or more), obligatory mixture of types of characters, frequent change (less
than once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard
systems", first names, anagrams of username, dates etc. In the case of certificates and authentications based on cryptographic
mechanisms: generation process evaluated or publicly recognized, keys of a sufficient length etc.
E2
11.2.3; 11.5.3
07A03-03
Does the process of presenting a user password guarantee its inviolability?

The usage of a password will always be a weak point. The only process which does not divulge observable information consists
of either introducing an object containing a secret (smart card), or entering a code which changes at every moment (token card
type SecureId) or using a biometric characteristic.
E3
11.5.1; 11.5.3
07A03-04
Is the logon process secured?

A secure logon should not give any information before the process is satisfactorily executed, not display the authenticators'
password, display date and time of last connection, display eventual connection attempts that have failed, etc.
E3
11.5.1; 11.5.3
07A03-05
Do the mechanisms for retention and usage of credentials by the user (or by the equipment representing the user) or by the
target systems guarantee inviolability and authenticity of these credentials?
Passwords must be stored encrypted and a preliminary access control must be made before being accessible to the user.
In the case of authentication using cryptographic procedures, the mechanism must propose solid guarantees validated by a
recognized organization.
E2
11.5.1; 11.5.3
07A03-06
Do the mechanisms used for the transmission of the credentials between the user and target equipments guarantee inviolability
and authenticity of these credentials?
In the case of authentication using cryptographic procedures, the mechanism must propose solid guarantees validated by a
E3
11.5.1; 11.5.3
07A03-07
In the case of multiple incorrect authentication attempts, is there an automatic process which temporarily invalidates the identifier
used or, possibly, the user workstation itself, or which slows down the authentication process so as to inhibit any automatic
routine from connecting?
E2
11.5.1; 11.5.3
07A03-08
Does the procedure for the replacement of a lost or mislaid user credential (password, token card) allow the instant deactivation
of the old credential?
E2
11.5.3
07A03-09
Does the procedure for the replacement of a lost or mislaid user credential (password, token card) allow an effective control of
the requestor's identity?
E3
11.5.3
341702815.xls ! 07 Sys
page 166
1 variant
Number
Question
07A03-10

A strict control requires that the list of people allowed to change the definition rules of credentials, the credentials themselves, the
rules of surveillance of connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these
modifications, that these modifications be logged and audited and that there exists a regular general audit at least once a year of
all authentication parameters.
R1
07A03-11

A strict control requires that the software used has been validated and undergoes a regular test for integrity (close with a seal)
and that there be an audit at least once a year of authentication procedures and processes (including the processes which aim to
detect intrusion attempts and the processes which respond to these intrusion attempts).
C1
07A04
Access filtering and management of associations
07A04-01
Does any access to a system require the use of an identifier recognized by the system?
E1
11.5.2
07A04-02
Is there a direct or indirect correspondence between any identifier and a real physical person?
In the case where an application calls another or executes a system call, it may be that the application does not transfer to the
target system the identifier which originally made the request. The link between the call, the identifier and the user himself must
remain traceable after the fact.
E1
11.5.2
07A04-03
Have all generic or by-default accounts been deleted?
E2
11.5.2
07A04-04
Is the acceptance of the identifier by the system systematically subject to authentication?

Systematic authentication requires that the process be implemented for all subsystems (Remote process monitors, database
management systems, batch processes, etc.), for all application requests and for all access routes, including ports reserved for
remote maintenance.
E2
11.5.2
07A04-05
May the authentication process be renewed during an open session for those transactions considered to be sensitive?
E3
07A04-06
Is there an automatic invalidation of the user session in the absence of traffic after a defined duration, thus requiring user reidentification and re-authentication?
E3
07A04-07
Is there a systematic control, based upon definite access rules, of the profile of the requestor, of the association context and of
the appropriateness of that profile and context for the access requested?
E3
07A04-08
Are the parameters for the definition and management of access filtering rules under strict control?
A strict control requires that the list of persons allowed to change the security parameters for access filtering be extremely limited,
and that there be a reinforced access control in order to be able to effect such modification and that any modification be logged
and audited.
R1
07A04-09
Are the processes that guarantee access filtering under strict control?
A strict control requires that the software used has been validated and undergoes a regular test for integrity (close with a seal)
and that there be an audit at least once a year of access filtering procedures and processes (including the processes which aim
to detect intrusion attempts and the processes which respond to these intrusion attempts).
C1
07A04-10
Are regular tests carried out to attempt to break into the information system and are there detailed technical audits run by
specialists?
R2
07A05
Authentication of the server for access to sensitive servers
07A05-01
Is there a possibility to declare servers as sensitive and, as such, requiring an authentication of the server accessed?
E2
341702815.xls ! 07 Sys
Max
Min
Typ
ISO 27002
11.5.5
page 167
1 variant
Number
Question
07A05-02
Is there a mechanism of authentication of the server called before access to a sensitive server from the internal network?
E2
07A05-03
Does the authentication mechanism of the accessed servers provide a recognized "strong" level of security?
Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is observable
without divulging information, are those based on cryptographic algorithms.
E3
07A05-04
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a
E2
07A05-05
Does the transmission of credentials (e.g. passwords, calling address, etc.) between calling user equipment and authentication
systems use mechanisms which guarantee their impregnability and authenticity?
E3
07A05-06
revocation of keys?
E2
07A05-07
Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have
not been revoked?
E3
07A05-08
R1
07B
Containment of environments
07B01
Control of access to residual data
07B01-01
Has a detailed analysis been carried out for each type of system to identify residual data files, their storage areas and access
paths to such files and storage areas?
E2
07B01-02
Have storage systems (and medias) been identified which once stored sensitive information and which have been re-affected to
other usages?
E1
07B01-03
Does the system use an access rights control mechanism which prohibits user access to the contents of resources which have
been freed up by another process (areas of memory, temporary resources )?
E2
07B01-04
Are the tools which enable access to sensitive remnant data or temporary files reserved only for the use of systems operators
and does access to those tools require a secure authentication?
E3
07B01-05
Are there procedures of physical erasure of residual files (in main memory or for storage media)?
07B01-06
Are these procedures implemented systematically and automatically by the relevant systems each time a logical resource is
freed?
E2
07B01-07
Is the invalidation of such procedures alerted to an operational IT manager?
R1
07B01-08
Is there a procedure which guarantees that sensitive information contained on discarded media will be protected until the
destruction of the supporting media?
07B01-09
Are all security procedures and parameters protecting access to residual data subject to regular audit?
07C
Management and saving of logs
07C01
Recording access to sensitive resources
341702815.xls ! 07 Sys
Max
Min
Typ
ISO 27002
E3
E2
3
10.7.2
C1
page 168
1 variant
Number
Question
Typ
ISO 27002
07C01-01
Has a specific analysis been carried out to determine which access requests and related parameters will be logged?
E2
10.10.2
07C01-02
Is a tool or control application used which is able to log accesses to sensitive resources (applications, files, databases, etc.)?
E2
10.10.2
07C01-03
Are the rules, specifying which accesses to log and retain, formalized?
E2
07C01-04
Have the rules, specifying which accesses to log and retain, been approved by the information owners or the Information Security
Officer?
E3
07C01-05
Do the rules which specify which accesses will be logged include the necessary elements to carry out a subsequent investigation
in the case of anomaly?
These rules should specify for each type of access (system, database management system, etc. ) the fundamental elements to
record; for example user ID, the service or application requested, date and time, the point from where the access was requested
if known etc.
E2
10.10.1
07C01-06
Have these rules been validated by Legal Department (particularly for logs containing personal data)?
E3
10.10.1
07C01-07
Are all these records archived (on disk, cassettes, optical disk, etc.) and conserved for a long period in such a way as to be unmodifiable?
E2
10.10.1; 10.10.3
07C01-08
Are the parameters for definition and management of recording connections (login) and called applications under strict control?
A strict control requires that the list of persons allowed to change the definition parameters and the management of the recording
rules for the logins and called applications be strictly limited and that there exist a reinforced access control to effect these
modifications and that these modifications be logged and audited.
R1
10.10.3
07C01-09
Are the processes which ensure the recording of connections and called applications under strict control?
A strict control requires that the software used for recording has been validated and undergoes a regular test for integrity (closed
with seal) and that there be an audit at least once a year of recording procedures and processes (including the processes which
aim to detect modification attempts and the processes which respond to these modification attempts).
C1
07C02
Recording privileged system calls
07C02-01
Has a specific analysis been carried out of privileged system calls to log and of parameters related to these calls which should be
recorded?
E2
10.10.2
07C02-02
Is use made of a tool or control application which is able to record privileged system calls (tools which require special access
rights, access to security files, administration of security parameters etc.)?
E2
10.10.2
07C02-03
Have the rules specifying the privileged system calls to be logged been formalized?
E2
07C02-04
Have the rules specifying the privileged system calls to be logged been approved by the information owners or the Information
Security Officer?
E3
07C02-05
Do the rules specifying the accesses to privileged system calls to be logged include the relevant elements needed for subsequent
investigation in the case of anomaly?
The rules must specify for each type of system call (create, read, update or delete) the basic elements to record, for example, the
nature of the event, the user identifier, the systems services required, date and time etc.
E2
10.10.1
07C02-06
Have these rules been validated by Legal Department (particularly for logs containing personal data)?
E3
10.10.1
07C02-07
Are all these records archived (on disk, cassettes, optical disk, etc.) and conserved for a long period in such a way as to be unfalsifiable?
E2
10.10.3; 10.10.1
341702815.xls ! 07 Sys
Max
Min
page 169
1 variant
Number
Question
Typ
ISO 27002
07C02-08
Are the parameters for definition and management of the rules for recording privileged system calls under strict control?
A strict control requires that the list of persons allowed to change the recording parameters be strictly limited and that there exists
a reinforced access control to effect these modifications and that these modifications be logged and audited.
R1
10.10.3
07C02-09
Are the processes which ensure the recording of privileged system calls under strict control?
A strict control requires that the software used for recording has been validated and undergoes a regular test for integrity (closed
with seal) and that there be an audit at least once a year of recording procedures and processes (including the processes which
aim to detect modification attempts and the processes which respond to these modification attempts).
C1
07D
Security of the architecture
07D01
Service continuity of the architecture and of its components
07D01-01
Has an analysis been carried out of the various shared equipment and systems (apart from the architecture of the applications
but including general peripheral systems such as backup systems and robots, print servers and centralized printing equipment) in
order to highlight the needs of service continuity?
An in depth analysis assumes that a list of failure scenarios has been established and that the consequences of such events
have been analyzed.
E2
07D01-02
Has this analysis allowed to detail the minimum performance levels that must be maintained for each system and have these
performance levels been accepted by users or information owners?
E2
07D01-03
Has the appropriate level of architectural redundancy been determined (e.g. clusters or disk replication ) for the servers or
equipment concerned?
E2
07D01-04
Does the architecture and its implementation guarantee that the minimum performance levels will be exceeded in the case of an
incident of failure?
Such a guarantee supposes that either failsafe systems are entirely automatic or that sufficient detection systems and staff are in
place so as to manually reconfigure them.
E2
07D01-05
Is there an assurance in this case that secondary equipment (power supply, air-conditioning, etc. ) does not introduce any
additional risk and does not eliminate redundancy envisaged for the systems architecture or equipment?
E3
07D01-06
Does any shutdown or inhibition of redundant equipment or system devoted to detecting the need for human intervention or for
automatic reconfiguration trigger an alarm to an operational manager?
R1
07D01-07
Are regular tests made to demonstrate that security equipment is able to guarantee minimum performance levels required in the
case of an incident or failure?
07D02
Isolation of Sensitive Systems
07D02-01
Has the systems' sensitivity been analyzed (based on the applications and data processed) including peripheral systems or
robots used for storage or archiving, print servers or central printing equipment, etc.) to highlight their security requirements?
A thorough analysis implies the establishment of a list of incident scenarios (A, I, C), for which all foreseeable consequences
were analyzed.
E2
11.6.2
07D02-02
Did this analysis allow to formalize minimum requirements for each system and were these minimum requirements accepted by
the users (information owner)?
E2
11.6.2
341702815.xls ! 07 Sys
Max
Min
C1
page 170
1 variant
Number
Question
07D02-03
Have appropriate isolation measures (physical and logical) been determined for these servers and equipment?
These measures may impose to use different data centers for sensitive servers or applications from other servers.
341702815.xls ! 07 Sys
Max
Min
Typ
ISO 27002
E2
11.6.2
page 171
Commentaires
341702815.xls ! 07 Sys
page 172
Commentaires
341702815.xls ! 07 Sys
page 173
Commentaires
341702815.xls ! 07 Sys
page 174
Commentaires
341702815.xls ! 07 Sys
page 175
Commentaires
341702815.xls ! 07 Sys
page 176
Commentaires
341702815.xls ! 07 Sys
page 177
Commentaires
341702815.xls ! 07 Sys
page 178
341702815.xls ! 07 Sys
page 179
341702815.xls ! 07 Sys
page 180
341702815.xls ! 07 Sys
page 181
341702815.xls ! 07 Sys
page 182
341702815.xls ! 07 Sys
page 183
341702815.xls ! 07 Sys
page 184
341702815.xls ! 07 Sys
page 185
Audit Questionnaire: IT Production Environment

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
Security of operational procedures
08A
08A01
Consideration of security in relation with operational personnel (permanent and temporary staff)
08A01-01
Is there a security policy, specifically aimed at operations personnel, related to information systems?
This policy should cover the requirements for the protection of information as well as the protection of physical assets and
processes and mention the forbidden behaviors
E1
08A01-02
Is information systems operations personnel required to sign contract clauses of adherence to that security policy (no matter their
status: permanent or temporary staff, students, etc.)?
E2
08A01-03
Do these clauses make clear that the obligation to respect that security policy applies to information at large (whichever the
support : paper, magnetic, optical, etc.)?
E2
08A01-04
Do these clauses make clear, if necessary and legally possible, that the obligation to respect the security policy applies without
limitation in time?
This applies, in particular, to the clauses concerning confidentiality, they may (and often must) continue after the end of the contract
linking (directly or indirectly) the employee or service provider or partner to the company
E3
08A01-05
Do these clauses make clear that the personnel has an obligation not to tolerate any action contrary to security from other people?
E3
08A01-06

In order to achieve a formal commitment, the personnel should explicitly state that his/her signature implies having understood and
accepted the security policy
E2
08A01-07
Are these same clauses obligatory for contractors working on systems operations?
internal staff.
E2
08A01-08
Is there a mandatory and well adapted training course aimed at systems operation personnel?
08A01-09
Are the security policy compliance agreements, signed by personnel, securely kept (at least in a locked cupboard )?
R1
08A01-10
Are the security policy compliance agreements, signed by external contractors, securely kept (at least in a locked cupboard )?
R1
08A01-11
C1
08A02
9.2.1
E2
Control of the operational tools and utilities
08A02-01
Have different profiles been defined for the systems operation staff (administration and management of configurations,
administration of security equipment, monitoring, audit and investigation)?
E1
08A02-02
Are all members of systems operation staff attributed with one of these profiles?
E2
08A02-03
Have all the sensitive system tools and utilities (rights administration, configuration management, backups, copies, hot restarts,
etc.) been exhaustively audited and listed for each profile?
E2
11.5.4
08A02-04
Is it possible only for holders of a certain profile to use the corresponding tools and utilities subsequent to proper strong
authentication (smart card or token card)?
E3
11.5.4
08A02-05
Is it forbidden to create or add sensitive tools or utilities without formal authorization?
E2
11.5.4
08A02-06
Is there a regular automated check to enforce this rule which triggers an alert to an appropriate manager?
E3
11.5.4
08A02-07
Does the segregation of rights of systems operation staff prevent undue modification of sensitive tools or utilities or at least, is
there an automatic routine which checks that no modification has been made and which may trigger an alert to a manager if so?
E3
11.5.4
08A02-08
Are the granting of administrative profiles and the implementation of the aforementioned security measures subject to regular
audit?
C1
341702815.xls ! 08 Sop
page 186

Number
08A03
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
Acceptance control of systems introduction or modification

Systems here include operating systems, applications and associated middleware
08A03-01
Are the decisions to change or update equipment and systems significantly subject to a control procedure (registration, planning,
formal approval, communication to all concerned individuals, etc.)?
E1
10.1.2
08A03-02
Are the change decisions based on an analysis of the capacity of the new equipment and systems to ensure the required load and
take into account the evolution of foreseeable requests?
E2
10.3.1
08A03-03
Do the installations take into account physical protection (protected access, no direct external view on equipments, no multiple
physical threats, weather conditions, protection against thunderbolts, protection against dust, etc.)?
E2
9.2.1; 12.5.1
08A03-04
Is any new or modified functionality linked to a new system or new version of a system, systematically documented before moving
into production?
E2
12.4.1; 12.5.1
08A03-05
Is such new functionality (or change in functionality), linked to a new system or new version of a system, formally and
systematically reviewed in conjunction with the IT security function?
E2
12.4.1; 10.3.2
08A03-06
Does this review include an analysis of the risks that may result from the changes?
E2
12.4.1; 10.3.2
08A03-07
Have system operations staff received formal appropriate training in risk analysis?
08A03-08
May the operation staff obtain an appropriate support specially competent on risk analysis?
08A03-09
Are the security measures, determined to counter the new identified risks, formally reviewed before implementation?
E3
10.3.2
08A03-10
Are security parameters and configuration rules (deletion of generic accounts, changing of any default passwords, blocking of
unauthorized communications ports, setting of access rights and authentication parameters, etc.) listed in detail and regularly
updated?
E3
11.4.4; 10.3.2
E3
E3
2
08A03-11
Are the security parameters and configuration rules controlled prior to any start of production of a new version?
E3
11.4.4; 10.3.2
08A03-12
Has the eventual impact of the systems' changes regarding the continuity plans been considered?
E2
10.3.2
08A03-13
Are any derogations from the prerequisite risk analysis and control of security parameters subject to strict procedures, including a
signature from senior management?
R1
12.4.1
08A03-14
Can the start of production of new systems and applications be only carried out by operations personnel?
E3
12.4.1; 6.1.4
08A03-15
Is the start of production of new versions of systems or applications possible by the use of a defined validation and authorization
process?
E3
12.4.1; 6.1.4
08A03-16
Are the start of production control procedures regularly audited?
C1
08A04
08A04-01
08A04-02
Are all maintenance operations required to terminate with a systematic control of security parameters (as defined at time of start of
production)?
E2
08A04-03
Are all maintenance operations required to terminate with a systematic control of the recording parameters for security events and
the life span of records?
E3
08A04-04
Are all maintenance operations required to terminate with a systematic control of system administration parameters (required
profile, authentication type, removal of standard logins etc.)?
E3
08A04-05
08A04-06
Is the effective implementation of these controls regularly audited?
08A05
08A05-01
E2
9.2.4
E3
3
C1
Confidentiality considerations during maintenance of the production systems

Is there a procedure describing, in detail, all the operations to execute before contacting maintenance in order to prevent
maintenance staff gaining access to operational production data (disconnection of disk arrays and cartridges, deletion of
operational data etc.)?
341702815.xls ! 08 Sop
E1
9.2.4; 9.2.6
page 187
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
08A05-02
Is there a binding clause in maintenance personnel contracts stipulating that any storage media which contained sensitive data be
destroyed before disposal?
E2
08A05-03
Is there a procedure of checking for system integrity after maintenance intervention (absence of spyware, or trojans etc.)?
E2
08A05-04
E3
08A05-05
Are the above procedures subject to regular audit?
C1
08A06
Max
Min
Typ
ISO 27002
9.2.4; 9.2.6
Control of remote maintenance
08A06-01
In the case of remote maintenance, is the remote maintenance desk's access subject to a secure authentication procedure?
E2
11.4.4
08A06-02
In the case of remote maintenance, are maintenance staff subject to a secure authentication procedure?
E2
11.4.4
08A06-03
Is there a set of procedures covering the granting and revocation of access rights for remote maintenance operatives and the
granting of rights in urgent situations?
E3
11.4.4
08A06-04
Have the procedures and protocols for transmission and retention of secret conventions (in the case of remote maintenance) been
approved by the Information Security Officer or a qualified specialist?
E3
08A06-05
Does the usage of the remote maintenance line require the prior agreement (for each usage) of system operations personnel
(upon request by the manufacturer or editor specifying the nature, date and time of the intervention)?
08A06-06
Are data or command exchanges during remote maintenance protected by encryption?
E3
08A06-07
Are data or command exchanges during remote maintenance protected by integrity control (sealing)?
E3
08A06-08
Is the usage of the remote maintenance line under strict control ?

A strict control supposes that each use of the line, the name of the maintenance operative and the actions carried out is registered,
and that there be a subsequent audit of the appropriateness of the actions and their conformity with the rules laid down by
maintenance managers.
E2
08A06-09
Are the equipment accessible for remote maintenance protected against inhibition or modification of the access conditions for
remote maintenance (e.g. by the triggering of an alarm)?
R1
08A06-10
Are control procedures for remote maintenance regularly audited?
C1
08A07
E3
Protection of sensitive printed documents and reports
08A07-01
Are all sensitive documents and reports printed in secure premises?
08A07-02
Are all sensitive documents and reports protected against diversion while being produced?
E1
08A07-03
Are all sensitive documents and reports protected against diversion while waiting for distribution?
E1
08A07-04
Does the distribution system for printouts and reports ensure protection against theft (locked cabinets and carrying cases during
transportation)?
E2
08A07-05
Does the distribution system for printouts and reports ensure protection against prying consultation?
E2
08A07-06
Does the distribution system for printouts and reports require the addressee to be authenticated prior to their delivery?
E3
08A07-07
Are printed documents and reports labeled anonymously without showing any particular classification?
E2
08A07-08
Are these measures adapted to the maximum security level of the information within (temporary storage in locked strong boxes
and hand delivery for very sensitive information)?
E2
08A07-09
Are sensitive printed documents and reports put on the scrap destroyed in a secure way so that they cannot be exploited?
E2
08A07-10
Are the security procedures for distribution of printed material regularly audited?
C1
08A08
11.4.4
E1
Management of Operating Procedures for IT production
341702815.xls ! 08 Sop
page 188
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
08A08-01
Do the operating procedures result from the study of the overall cases to be covered by said procedure (normal operating cases
and incidents)?
E2
10.1.1
08A08-02
E2
10.1.1
08A08-03
Are the operating procedures readily available upon request by any accredited individual?
E2
10.1.1
08A08-04
Is the IT operation Management required to approve changes to procedures ?
E2
10.1.1
08A08-05
R1
08A08-06
C1
08A09
Management of service suppliers and providers relating to IT operations
Max
Min
Typ
ISO 27002
08A09-01
Is it regularly ensured that the security services allocated to suppliers or providers are efficiently implemented and maintained by
them?
E1
10.2.1
08A09-02
Is it ensured that the service suppliers or providers have efficiently prepared the appropriate arrangements to ensure that the
services are provided as agreed?
E2
10.2.1
08A09-03
Is the respect of the security provisions by the suppliers or providers regularly reviewed?
C1
10.2.2
08A09-04
Is it ensured that the suppliers and providers report and document any security incident concerning information or systems?
E2
10.2.2
08A09-05
Is there a regular review of these incidents or malfunctions with the concerned suppliers and providers?
E2
10.2.2
08A09-06
Are any changes in the contract relationship (obligations, service levels, etc.) analyzed for resulting potential risks?
E3
10.2.3
Control of hardware and software configurations
08B
08B01
08B01-01
Conformity control of systems parameters and configurations

Is there a document (or a set of documents ) or an operational procedure which describes all security parameters for the systems?
E1
Such a document should be derived from the security policy and describe all the filtering rules decided. It should also mention the
reference to the system versions so as to check the status of the updates.
08B01-02
Does this document require that all generic or by default accounts be deleted and their list established?
E2
11.4.4
08B01-03
Are the system versions, fixes and parameters updated regularly in line with latest information?
This should be done in cooperation with expert authorities (specialized audits, subscription to a service center, regular consultation
with CERTs, etc.)
E2
10.7.4; 12.6.1
08B01-04
Does the resulting document or procedure impose a synchronization feature, based on a reliable time reference?
E3
10.10.6
08B01-05
Are these reference documents protected, by secure methods, against untimely or illicit alteration (sealing)?
R1
10.7.4
08B01-06
Is the integrity of system configurations checked, regularly (at least weekly) if not at each system start-up, against the configuration
theoretically expected?
E3
15.2.2
08B01-07
Are regular audits carried out of the compliance to the specifications for security parameters?
R1
15.2.2
08B01-08
Are regular audits carried out of the exception and escalation procedures in the case of difficulty or installation problems?
R1
15.2.2
08B01-09
Are the development and test environments separated from the operational environments?
C1
08B02
Conformity control of operational software configurations (including packages)
08B02-01
Is there a document (or a set of documents ) or an operational procedure which describes the security parameters for all
applications?
These parameters should result from the security architecture retained for the applications
E1
08B02-02
Is this document updated for each change of version?
E2
08B02-03
E2
341702815.xls ! 08 Sop
page 189
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
Max
08B02-04
Are the application software versions, fixes and parameters updated regularly in line with latest information?
with CERTs, etc.)
E2
10.7.4; 12.6.1
08B02-05
R1
10.7.4
08B02-06
Is the integrity of application configurations regularly checked against the configuration theoretically expected (weekly)?
E3
10.7.4; 15.2.2
08B02-07
Are regular audits carried out of possible differences between the security parameters expected and effectively implemented?
R1
15.2.2
08B02-08
R1
15.2.2
E1
12.4.1
08B03
Min
Typ
ISO 27002
Conformity control of reference programs (source code and executables)
08B03-01
Do IT operations manage a reference version for each product installed in production (source code and executables)?
08B03-02
Is this reference version protected against all possible illicit or untimely modification (signed media kept by a senior manager,
electronic sealing, etc.)?
R1
08B03-03
Is this protection considered to be inviolable (sealing by cryptographic algorithm approved by the Information Security Officer)?
R2
08B03-04
Is the protective seal controlled automatically (otherwise it may be an authoritative signature) at each new installation?
R2
08B03-05
Is a check made of the proof of origin and integrity of received maintenance module or a new version, from the editor or the
manufacturer (for operating systems)?
E2
08B03-06
Are the sealing and sealing control tools protected against any unauthorized usage?
R2
08B03-07
Does the inhibition of the automatic control of seals trigger an alarm to a manager?
E3
08B03-08
Are there regular audits of protection procedures for reference programs?
C1
Management of storage media for data and programs
08C
08C01
Management of storage media
08C01-01
Are all media removals from the media library controlled by a dedicated person or department responsible for the media handling?
E1
10.7.1
08C01-02
Are media returns after use by the operations controlled by the same person or department?
E2
10.7.1
08C01-03
Is the removal of storage media systematically registered (date and time, individual responsible for media, etc.) ?
E2
10.7.1
08C01-04
Is the disposal of storage media systematically registered (date and time, individual responsible for media, etc.) ?
E2
10.7.1; 10.7.2
08C01-05
Is there a procedure to erase data on media before exit or disposal?
E3
10.7.1; 9.2.6
08C01-06
Are any missing items systematically subject to a search procedure and a follow-on form included in the overall operational
dashboard?
E2
08C01-07
Are all movements of storage media into or out of the library strictly controlled with respect to production systems planning?
E3
08C01-08
Are the files related to storage media management under strict control?
A strict control requires that people authorized to access the files be registered and in limited number, that there be a reinforced
access control to be able to modify the files and that any modification be logged and audited.
341702815.xls ! 08 Sop
R1
page 190

Number
08C01-09
08C02
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Are the processes which ensure the management of storage media under strict control?
A strict control requires to control that the software has been effectively, that a regular data integrity test (seal) be performed and
that there is an audit, at least once a year, of media management procedures and processes (including handling the anomalies
detected in the course of storage media management).
Max
Min
Typ
Labeling of storage media (live, backups and archives)
08C02-01
Are magnetic media marked neutrally without any mention of their classification level?
08C02-02
Are the files accompanying the marking system (files which make the link between the label of the media and its contents) under
strict control?
access control to be able to modify them and that any modification be logged and audited.
E2
08C02-03
Are the processes which ensure the management of storage media marking under strict control?
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is
an audit at least once a year of support media marking procedures and processes (including a management of anomalies detected
in the course of support media marking).
This presupposes that there be a document which details all of the requirements of support media marking.
C1
08C03
E1
Physical security of media kept on site
08C03-01
Is there an automatic and systematic access control to the location used for on site storage of operation media?
08C03-02
Does authentication, for access control to the storage rooms of production media, employ user related data that cannot be falsified
(smart cards or biometric data for example)?
E2
08C03-03
Does the access control system guarantee that all personnel entering the location are verified (double door limiting the number of
people entering to one-at-a-time, process which prohibits the usage of a badge by more than one person etc.)?
E2
08C03-04
In addition to access control for the normal exits, is there a specific control for non authorized exits (windows accessible from
outside, emergency exits, potential access via false panels, flooring and ceilings, etc)?
E3
08C03-05
Are the automatic access control systems under 24 hr surveillance enabling to detect in real time the failure or deactivation of the
system or the usage of emergency exits?
R1
08C03-06
Is there an audit procedure enabling later to uncover irregularities in the access control procedures (audit of procedures and
C1
08C03-07
Is there an operational intrusion detection system for the storage locations, linked to a 24 hr monitoring center?
R2
08C03-08
Are the on site locations for production storage media placed under 24 hours surveillance (video surveillance of the location itself)?
R2
08C03-09
Is the transfer of production media, between the production and on site storage locations, under strict control (specific moving
procedures, secured containers etc.)?
E2
08C03-10
Is the storage location of production storage media protected against accidental risk (fire detection and extinguisher equipment,
protection from water damage, etc.)?
E2
E2
E1
08C03-11
Is the storage location for production storage media regulated and supervised for temperature and humidity?
08C03-12
Are the automatic fire, flood and humidity detection systems, under 24 hour operational control enabling to detect in real time a
failure, a deactivation or an alarm?
R1
08C03-13
Is there a procedure or automatic routine which triggers the immediate intervention of specialized personnel in the case of an
alarm (of the access control system or the incident detection system)?
C1
08C04
08C04-01
ISO 27002
C1
10.7.1
Physical security of storage media (kept in an external site)

Is use made of a specialized company, which offers contractual guarantees of security, for the storage of archives outside the
production site?
341702815.xls ! 08 Sop
E1
page 191

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Max
08C04-02
Does the contract signed with the outside media storage company ensure a high level of security (strong access authentication,
control of access points and emergency exits, intrusion detection, video surveillance, protection against natural risk, intervention
team, etc.)?
08C04-03
Does the procedure used for the transfer of sensitive media to the external storage location require a high level of security (like
secure containers and transporters accredited by the company)?
E2
08C04-04
Are there contractual clauses or annex clauses, which stipulate the conditions of restitution of storage media, guaranteeing that the
person to whom to the media is returned has the correct authorization even in the case of an emergency procedure?
E3
08C04-05
Is there a regular audit of the security measures used by the company ensuring the external storage of archives and backups?
C2
08C04-06
Is there a regular audit of the management procedures related to storage media (transport and return )?
C1
08C04-07
Is there a regular audit of the contractual clauses specifying relations with the company ensuring the external storage of archives
and backups?
C1
08C05
Question
Min
Typ
10.8.3
Verification and turnover of archive storage media
08C05-01
Are the storage media which retain data for long periods (archives) regularly verified (as a function of the frequency of updates and
the classification of the information)?
E2
08C05-02
Are the storage media which retain data for long periods (archives) periodically copied to new storage media with the maintenance
of an inventory and redundancy of media?
E2
08C05-03
Is there a regular verification of the technical compatibility between the storage media and the operational solution used to effect
restoration of data?
E3
08C05-04
Are regular tests carried out of archived media readability?
E2
08C05-05
Do the reread tests contain controls of the authenticity of the information stored?
08C05-06
Are the files used for the management of storage media rotation and sampling under strict control?
access control to be able to modify them and that any modification be logged and audited.
08C05-07
Are the procedures concerning the verification of archived storage media regularly audited?
08C06
ISO 27002
E2
E3
R2
Security of storage networks (SAN : Storage Area Network and NAS)
08C06-01
Are the storage networks physically or logically isolated from other data networks?
08C06-02
Are the storage networks protected by a firewall which only allows data and administrative flows related to storage?
E1
08C06-03
Is access to storage bays subject to strong authentication, for authorized elements (servers and administration stations)?
E2
08C06-04
Do the data storage protocols contain a protection against replay?
08C06-05
Is data stored using a storage network encrypted before transmission to the network?
08C06-06
Do the solutions, protecting access to data stored on the storage network, offer valid and solid guarantees?
A cryptographic solution with keys of sufficient length is one of among many parameters to take into consideration (as a function of
the algorithm) .
The recommendation of an official organization can be a confidence factor. At least the solution should have been approved b the
CISO.
E2
08C06-07
Are the security mechanisms for access to data protected against infraction or alteration?
R1
08C06-08
Is the switching off or bypass of security mechanisms immediately detected and signaled to a responsible team?
R1
08C06-09
Is this team available 24 hrs a day and capable of intervening immediately?
R1
08C06-10
Is there a procedure detailing the actions to carry out in the case of error or alert?
341702815.xls ! 08 Sop
E1
E3
3
E3
12.3.1
C1
page 192

Number
08C07
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
Physical Security of Transiting Medias
08C07-01
Are the transfer of medias between sites (internal or external) strictly controlled (specific procedures, follow-up or secured
containers, etc.) ?
E1
08C07-02
Are the medias marked anonymously, without reference to any classification, while in transit?
E2
08C07-03
Is any abnormality or media loss immediately reported?
E2
08C07-04
Is any abnormality or media loss followed by an investigation?
08C07-05
Are the media transfers regularly audited?
10.8.3
E2
3
C1
Service continuity
08D
08D01
Organization of hardware maintenance (for operational equipment)
08D01-01
E1
08D01-02
Are there specific maintenance contracts for all hardware which require a high availability and for which the replacement must be
made within limited delays?
E2
08D01-03
Do the contracts stipulate maximum delays before intervention and compatible with the requirements of availability?
E2
08D01-04
Do the contracts detail the required time slots and days of intervention (24h/7d for example) compatible with the requirements of
availability?
E3
08D01-05
Do the contracts stipulate the conditions of escalation in case of difficulty?
R1
08D01-06
Do the contracts detail specific clauses for when the hardware downtime exceeds the specific times stipulated (penalties, hardware
replacement, etc.)?
It is desirable that these clauses be general and apply to all cases no matter what the reasons (technical difficulty, staff strikes,
etc.)
E3
08D01-07
Do the maintenance contracts anticipate the complete replacement of equipment in the case of important damage which might not
be taken into consideration by reparative maintenance?
08D01-08
Are the maintenance contracts, the choice of subcontractors and associated maintenance procedures subject to regular audit?
08D02
9.2.4
E3
3
C1
Organization of software maintenance (systems, middleware and applications)
08D02-01
Are there maintenance contracts for all acquired software products (systems software, middleware and applications)?
E1
08D02-02
Do the suppliers provide a technical software support center which guarantees a quick and competent telephone assistance?
E2
08D02-03
Do the software maintenance contracts anticipate the regular release of new versions taking into account all applicable fixes to the
product?
E2
08D02-04
Are there specific maintenance contracts for software products (systems, middleware and applications) which require corrective
delays that standard maintenance cannot cover?
E2
08D02-05
Do these contracts detail specific maximum intervention delays, compatible with the availability requirements?
E2
08D02-06
availability?
E3
08D02-07
R1
08D02-08
Do the contracts specify specific clauses when system downtime exceeds specific durations stipulated (penalties, replacement of
hardware, etc.)?
etc.)
E3
341702815.xls ! 08 Sop
page 193

Number
08D02-09
08D03
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
C1
Application recovery procedures and plans following incidents during operation
08D03-01
Has a list been established, for all applications, of incidents which could occur during production and, for each of these, the
seriousness of possible consequences?
Critical consequences may relate to data consistency and continuity of service
E1
08D03-02
For each incident during operation have the corresponding diagnostic means been identified?
E2
08D03-03
For each incident during operation, has a solution been established as well as the operations to carry out by system operation
personnel?
E2
08D03-04
For each possible incident during operation, have an acceptable resolution delay and an escalation procedure been determined in
the case of failure or lateness of the anticipated corrective actions?
E3
08D03-05
Are the diagnostic means, needed by system operation personnel, protected against any possible inhibition or unauthorized
modification?
R1
08D03-06
Are the corrective means, needed by system operation personnel, to solve a critical operation incident protected against any
possible inhibition or unauthorized modification?
R2
08D03-07
Are there regular tests concerning the efficiency of the procedures and facilities which survey and diagnose the applications'
operation?
08D03-08
Are there regular checks concerning the update of the corresponding documentation?
08D03-09
Are regular tests made of the effective capacity to restore data and restart the application after an incident during operation?
08D03-10
For encrypted data retrieval, does the Key Management provide the recovery for lost or altered keys?
E3
12.3.2
E1
10.5.1
08D04
C1
C2
3
C1
Backup of software configurations (system, applications and configuration parameters)
08D04-01
Has a backup plan been established which covers all programs and defines all objects to save and the frequency of backups?
08D04-02
Does the plan also cover system and middleware configuration parameters to save?
E2
10.5.1
08D04-03
Does the plan also cover application parameters to save?
E2
10.5.1
08D04-04
Is the plan implemented by automatic production routines?
E2
10.5.1
08D04-05
Are there regular tests that the backup copies of programs (source code and/or executables) enable the effective restoration of the
production environment at any time?
These tests should consider all the backups (including documentation and parameters files) of legitimate elements.
E2
10.5.1; 14.1.5
08D04-06
Are the production routines which ensure backups protected, against illicit or undue modification, by secure mechanisms?
Such mechanisms might be electronic seal or any equivalent modification detection system.
R1
10.5.1
08D04-07
Are regular tests made of the readability of backups?
R2
10.5.1
08D04-08
Are all software backup plans and procedures subject to regular audit?
C1
08D05
08D05-01
Backup of application data

Has a preliminary study been made, in conjunction with the users, to identify the scenarios which backups must be able to cover?
341702815.xls ! 08 Sop
E1
10.5.1
page 194

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
08D05-02
Has an analysis been carried out with the users in order to define for each file the maximum acceptable time between two
backups?
These studies are to be based on the capacity to rebuild lost information and permit to define the required backup cycle
E1
10.5.1
08D05-03
Have studies been made of the necessary synchronization between bound backups for all platforms in order to ensure the proper
functioning of the resumed applications and the coherence of the data necessary for this resumption?
E1
10.5.1
08D05-04
From above studies, have the various procedures been recorded in a backup plan comprising, for each class of files, the
frequency, the details of constitution and the necessary synchronizations?
E2
10.5.1
08D05-05
Does the backup plan integrate a control plan pointing out the various control points (size of files, duration, reread, etc.) and their
frequency?
E3
10.5.1
08D05-06
Does the control plan mention the actions to effect in the case of incident or anomaly?
E3
10.5.1
08D05-07
Is the backup plan updated each time the operation's environment is changed?
Updates should occur in particular at the time of addition or modification of applications
E2
10.5.1
08D05-08
Has the backup plan been translated to automatic operational routines?
E2
10.5.1
08D05-09
Are regular controls carried out to ensure that a restart or start up is possible from the backups made (i.e. a complete test which
verifies all functionality and the absence of synchronization or coherence problems)?
E2
10.5.1; 14.1.5
08D05-10
Are production routines which effect backups under strict control with regard to illicit or undue modification?
A strict control requires a reinforced access control to modify these routines, a logging and an audit of all modification and/or an
integrity control by electronic sealing of the automatic operational routines.
R1
10.5.1
08D05-11
Do the data saving and retention procedures offer guarantees of compliance to regulations and commitments from the organization
regarding confidentiality and integrity?
E3
10.5.1
08D05-12
Are there regular tests to reread backups of application data?
E2
10.5.1
08D05-13
Are several generations of files systematically kept in order to guard against any losses or illegibility by organizing, for example, the
rotation of backup storage media?
E3
10.5.1
08D05-14
Are all data backup plans and procedures regularly audited?
08D06
C1
Disaster Recovery Planning for IT operations
08D06-01
Have all the scenarios which may impact the IT infrastructure and services been considered and, for each scenario, the
consequences in terms of service unavailability for users?
E1
14.1.3
08D06-02
For each scenario, and in agreement with the users, have a list and schedule of IT service resume been defined?
Loss of information, means to reconstruct them and temporary operational procedures must be considered.
E2
14.1.3
08D06-03
Has an activity recovery solution been defined and implemented to resolve each scenario identified above, in accordance with user
requirements?
E1
14.1.3
08D06-04
Are the technical, organizational and human resources sufficient to address the organization's requirements for IT continuity?
This means being able to correct personnel deficiencies
E2
14.1.3
08D06-05
Are the technical, organizational and human resources educated to address the organization's requirements for IT continuity?
This implies to train appropriately all concerned staff.
E2
14.1.3
08D06-06
Are all these solutions described in detail in Disaster Recovery Plans including the conditions for triggering the plan, the actions to
execute, the priorities, the actors to mobilize and their contact details?
E1
14.1.3
08D06-07
E2
14.1.5
341702815.xls ! 08 Sop
page 195

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
08D06-08
Are above tests able to guarantee that the staff capacity and the recovery systems can cope, under full operational load, the
minimum IT services required by users?
The tests required to obtain this guarantee are preferably full scale tests of each variant of scenario, involving all users. The results
of the tests have to be registered and analyzed in order to improve the capability of the organization to answer to the situations
considered.
Min
Typ
E2
08D06-09
If the recovery solutions include delivery of hardware components (which cannot be triggered during tests), is there a contractual
commitment by the manufacturer or any relevant third party (leaser, broker, distributor) to deliver the replacement hardware within
fixed and anticipated time limits as stated in the recovery plan?
E2
08D06-10
Has the unavailability or failure of the recovery facility been considered and has a replacement solution been defined and validated
(second level recovery)?
E2
ISO 27002
14.1.5
08D06-11
Has this (second level recovery) solution been validated?
E3
08D06-12
Is the recovery solution usable for an unlimited duration and, if not, has a follow on replacement solution been established?
E3
08D06-13
Are the existence, the pertinence and the updates of the IT services Recovery Plans regularly controlled?
C1
08D06-14
Is the updating of the above procedures within the recovery plan subject to regular audit?
C1
E2
10.4.1
10.4.1
08D07
Anti virus protection for production servers
08D07-01
Have the measures to be taken by the IT staff been defined so as to prevent, detect and correct any attacks by malevolent code
(virus, spyware, other)?
08D07-02
Are production servers (including office and mail servers) protected by anti virus or malevolent code software?
E1
08D07-03
Are several antivirus software (from different editors) simultaneously operating for the protection of the operation servers?
E2
08D07-04
Are antivirus software products regularly and automatically updated (daily)?
E2
08D07-05
Is a subscription held with an emergency response center able to warn and anticipate large scale virus attacks for which the
installed antivirus software is not yet up to date?
E3
08D07-06
Is there an emergency committee which can be implemented quickly in the case of alert or detection of viral infection?
E2
08D07-07
Is the activation and the update of antivirus software on servers subject to regular audit?
C1
08D08
Management of critical systems (regarding maintenance continuity)
08D08-01
Have the consequences of the disappearance of a supplier been analyzed (in the case of failure, a bug or change requirement)
and has a list of critical systems been established?
This is valid for hardware, software or service providers
E2
08D08-02
For all critical systems, has a corrective solution been analyzed to cope with the failure or disappearance of a supplier
(consignment of maintenance documentation or source code with a trusted third party, hardware replacement by standard market
solutions etc.)?
E2
08D08-03
Is there a guarantee that the corrective solutions could be made operational within time delays compatible with the continuity of the
business and accepted by the users?
08D08-04
Have variants to the primary solution been considered in case it might encounter unforeseen difficulties?
E3
08D08-05
Is there a regular review of critical systems and corrective solutions envisaged?
C1
08D09
E2
Off site emergency (recourse) backups
08D09-01
Are all software backups and configuration files, which enable the restoration of the production environment, also saved at a
location off premises (recourse backup)?
E1
08D09-02
Are all data saved for backup also saved at a location off premises (recourse backup)?
E1
08D09-03
Are regular tests carried out that these emergency backups can be read?
E2
341702815.xls ! 08 Sop
page 196

Number
08D10
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
Maintaining user accounts
08D10-01
Has it been defined with the users the maximum acceptable delay for reinstating their rights following the accidental or deliberate
blocking of their accounts (application, system, or network?
E1
08D10-02
Is the procedure to follow if an account is blocked defined?
E2
08D10-03
Is this procedure known to users?
08D10-04
Does this procedure respect the maximum acceptable delay in the case of isolated blockage of several accounts (denial of service
attack)?
E2
08D10-05
Is the possibility of simultaneous blockage of many accounts allowed for?
E3
08D10-06
Has the procedure to follow if many accounts are simultaneously blocked been defined with users?
E3
08D10-07
Are user account preservation procedures audited regularly?
C1
E2
Management and handling of incidents
08E
08E01
Online detection and treatment of IT related abnormal events and incidents
08E01-01
Has a detailed analysis been carried out of the events or succession of events which may reveal abnormal behaviors or illicit
actions and, as a consequence, have specific monitoring indicators or control points been identified?
E2
08E01-02
Is the system equipped with an automatic real time monitoring system in the case of an accumulation of abnormal events (for
example unsuccessful connection attempts on non-open ports)?
E3
08E01-03
Is there one application able to analyze the individual anomaly diagnostic data and trigger an alert to operational personnel?
E3
08E01-04
Is there, within operational personnel, a team or individual available 24 hrs a day and capable of reacting in the case of an alert
after this application has detected an anomaly?
08E01-05
Has the expected response time from the surveillance team been defined for each case of alert and are its availability and staffing
level sufficient to meet these expectations?
08E01-06
Are the alarm definition parameters strictly protected (restricted access rights and strong authentication ) against illicit
modification?
R1
08E01-07
Does the shutdown of the alarm system trigger an alert with the surveillance team?
R1
08E01-08
Are all the elements which enabled the detection of an anomaly or incident archived (on disk, cassette or DON etc.)?
08E01-09
Are the procedures of detection of the anomalies and the availability of the surveillance team subject to regular audit?
C1
08E02
E3
E3
E2
Offline management of traces, logs and event journals
08E02-01
Has a detailed analysis been carried out of the events or succession of events which may have an impact on security (refused
connections, reconfigurations, changes in performance, access to sensitive data or tools etc.)?
08E02-02
Are these events recorded as well as the parameters useful for their subsequent analysis?
08E02-03
Is there an application able to analyze these records as well as performance measurements and to infer statistics, a dashboard,
anomaly diagnostics, etc. for examination by a competent team?
08E02-04
Is the structure in charge of the analysis of these summaries (or incident logs and security related events) obliged to do so at
regular intervals and does it have sufficient availability?
E2
08E02-05
Has the expected reaction from the surveillance team been defined for each case of alert and is its availability level sufficient to
meet these expectations?
E3
08E02-06
Are the parameters defining the elements to record and the summaries effected on these elements strictly protected against
unauthorized change (limited rights and strong authentication)?
R1
08E02-07
Is any inhibition of the recording and processing system immediately signaled to the surveillance team?
R1
341702815.xls ! 08 Sop
E1
E1
2
E2
page 197
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
08E02-08
E2
08E02-09
Are the procedures for recording, processing and analysis of the records and summaries as well as the availability of the analysis
and corrective team subject to regular audit?
C1
08E03
Max
Min
Typ
ISO 27002
Management of system and application incidents
08E03-01
Is there a hot-line charged with taking and recording calls and to log and escalate all incidents?
E1
08E03-02
Is this hot-line team available 24 hours a day?
E2
08E03-03
E2
08E03-04
08E03-05
Does the system cater for a systematic follow-up of necessary actions?
E3
08E03-06
Does this system incorporate a categorization of incidents with statistics generation and dashboards destined for use by the
E3
08E03-07
Is the incident management system strictly controlled with regard to unauthorized or inadvertent modification?
A strict control requires a reinforced protection in order to modify records and an audit trail of all modifications of records or
protection by electronic seal on all records modification.
08E03-08
Is each a major incident on systems or applications subject to a specific follow-up (nature and description, priority, technical
solution, progress analysis, expected resolution lead time etc.)?
E2
E1
10.1.3; 11.2.2
E2
R1
08F
08F01
Control of administrative access rights granted on systems
08F01-01
Have profiles been defined, within IT operations staff, corresponding to each type of activity (system administration, administration
of security equipment, system monitoring, management of data storage and backup functions etc.)?
08F01-02
For each profile have the necessary rights and privileges been defined?
E1
10.1.3
08F01-03
Does the process of attributing special rights require the formal authorization of management (or the manager responsible for
external service providers) at a sufficiently high level?
E2
10.1.3
08F01-04
Is the process of attributing special rights allocated only in relation to the profile of the holder?
E2
10.1.3
08F01-05
Is the process of granting (modification or revocation) of special rights to an individual strictly controlled?
A strict control requires a formal recognition of the signature (electronic or not) of the requestor, that there be a tight control of
access in order to attribute or modify such rights and that any modification of special rights be logged and audited.
R1
11.2.2
08F01-06
Is there a systematic process of removal of special rights at the time of departure or role change of IT operations staff?
E2
11.2.4
08F01-07
Is there a regular audit, at least once a year, of all special rights attributed ?
C1
11.2.4
08F02
08F02-01
Is the authentication protocol used for administrators or holders of special rights considered to be secure?
08F02-02
Strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters). It is desirable that these rules have been approved by the Information Security Officer
E2
08F02-03
E2
341702815.xls ! 08 Sop
E2
page 198
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
Max
08F02-04

A strict control requires that the list of people able to change authentication rules, the credentials themselves and the surveillance
rules of connection attempts be strictly limited, that there be a reinforced access control in order to be able to modify these rights
and that any modification of these rights be logged and audited and that there be a general audit at least once a year of all
R1
08F02-05

an audit at least once a year of the authentication procedures and processes.
R1
08F02-06
Is there a regular audit of the privileged profiles effectively granted?
C1
08F02-07
Is there a regular audit of the procedures of granting privileged rights and the security parameters attached to protecting profiles
and rights?
C1
08F03
Typ
ISO 27002
11.2.4
Surveillance of system administrators' actions
08F03-01
Has a detailed analysis been carried out of the events and operations carried out with administrative rights which may potentially
have an impact on system security (configuration of security systems, access to sensitive information, usage of sensitive tools,
download or modification of administrative tools etc.)?
08F03-02
Are these events recorded as well as all parameters which may be useful for their subsequent analysis?
08F03-03
Is there a system able to detect any modification or deletion of a past record and to immediately trigger an alarm to a manager?
08F03-04
Is there a summary of these records enabling management to detect abnormal behavior?
08F03-05
Is there a system enabling the detection of any modification of recording parameters and to immediately trigger an alarm to a
manager?
08F03-06
Does any inhibition of the recording and processing of the logged events system trigger an alarm to a manager?
08F03-07
Are all records or summary analyses protected against any falsification or destruction?
08F03-08
08F03-09
08G
Min
E2
10.10.4; 10.6.1
E2
10.10.4; 10.6.1
E3
10.10.4
E3
10.10.4
E3
10.10.4
E3
10.10.4
E2
10.10.4
E2
10.10.4
Are the procedures, which record and process privileged operations, regularly audited?
C1
10.10.4
2
3
2
Audit and control Procedures relative to Information Systems
08G01
Operation of Audit Control
08G01-01
Have requirements and enforced procedures for the audit of IT systems been enacted by Management?
E2
15.3.1
08G01-02
Are the rules related to Information System audits, relevant procedures and associated responsibilities defined and documented?
The restrictions concern the type of access to data and applications, the authorized controls and processing, the deletion of
sensitive data obtained, the flagging of certain operations, ... and the empowerment of the individuals conducting the audits.
E2
15.3.1
08G01-03
Are the auditors independent of the concerned activities?
E2
15.3.1
08G01-04
Are audit operations conducted for critical data recorded?
E3
15.3.1
08G02
08G02-01
Are the audit tools protected to avoid any unauthorized or malevolent use?
This applies particularly to intrusion testing and vulnerability assessments.
E2
15.3.2
08G02-02
Are the audit results protected against any modification or disclosure?
E2
15.3.2
08G02-03
Are the auditors' activities delimited?

Such a delimitation is especially recommended regarding external auditors
E2
15.3.2
341702815.xls ! 08 Sop
page 199

Number
08H
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
Management of IT related archives
08H01
Organization of the management for IT archives
08H01-01
Is there an organization in charge of archiving IT files that require to be kept over a long period?
E2
08H01-02
Is there a procedure forcing users to use this archiving service for all the files that require to be kept over a long period?
E2
08H01-03
Has a list of conditions been established and updated by each owner of data requiring to be archived concerning the archiving
rules?
08H01-04
Are the requirements for external (legal and regulatory) and internal archiving defined and tackled by the entity owning the data
and accepted by the top management at the highest level?
The consequences (legal, financial, image) of non compliance (partial or total) of the archiving requirements must be endorsed by
the board of managers.
08H01-05
Are service agreements negotiated with the IT department, considered as agents only for the data?
Each agreement must state the requirements: content of the archives, retention duration, durability, capacity to trace, imputability,
non disclosure, procedures and delay for disposal, administrative constraints, etc.
A clear separation must be stated between the content of the archives, under responsibility of the owner of data, and the container
(media, disks, tapes, cartridges) under the responsibility of the IT department.
08H01-06
Are the resources necessary for archiving the data known and financed over the longer term?
08H01-07
Are there regular readability tests of the archives?
08H01-08
Are the possible modifications resulting from technological or regulatory evolutions, that may modify the content or the containers
of the archives, taken into account, documented and accepted by the management?
These evolutions cannot be avoided on the long term and all the external regulations must be respected in order to guarantee the
conformity of the data to the original ones.
08H01-09
Is the existence of the hardware and software tools for the processing of the archives regularly controlled?
08H01-10
Is there a regular control of the procedures stated for the archiving and any deviation related to the data owners?
The controls must also look for eliminating the possibilities of fraud involving the persons in charge of the operations as well as
those who may have an access to the contents or the containers.
08H01-11
Are all the procedures concerning the archiving policy audited regularly?
08H02
E1
E1
13.2.3; 15.1.3
E2
15.1.3
E2
15.1.3
C1
2
E2
C1
C1
IT Archives access management
08H02-01
Have the requirements and procedures to be followed to access the archives been specified by management?
E2
08H02-02
Does each archive or set of archives have a designated owner?
E2
08H02-03
Are requests for extracts from the archives accepted only from the designated owner?
08H02-04
Is a request from the owner subject to authentication?
08H02-05
Is this authentication check considered to be strong?
08H02-06
Given that users do not have access to the archives, does the archival department always keep the original version?
08H02-07
Is access to the archives by archival personnel subject to strong authentication?
4
4
4
4
4
4
2
2
3
3
3
08H02-08
Is each access recorded in a secure manner?
08H02-09
Is transfer of an archive or of a copy to the requester carried out in a secure manner?
4
4
3
3
08H02-10
Are the conditions of access to the archives and the associated security systems audited regularly
08H03
15.3.1
E2
E2
E3
E3
E3
E3
E3
C1
Management of IT archive safety
341702815.xls ! 08 Sop
page 200

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
08H03-01
Are the archive storage locations equipped with suitable fire detection and extinction systems and water leakage detection and
evacuation?
08H03-02
Are the archive storage locations equipped with an access control system backed up with intruder detectors?
08H03-03
Are the archive storage locations under video surveillance when not occupied?
E2
08H03-04
Are the archive storage locations under permanent video surveillance?
E2
08H03-05
Are archive media labeled without reference to the content?
08H03-06
Are the index tables used to associate content to an archive media number inaccessible to the staff managing the archive media?
08H03-07
Are these index tables backed up?
E2
08H03-08
Does stopping or interrupting the safety systems (fire, water, access control, intrusion detection) cause an alarm at a monitoring
center for rapid intervention?
R1
08H03-09
Are the storage conditions for archives and the associated safety systems audited regularly?
C1
341702815.xls ! 08 Sop
Min
Typ
ISO 27002
E2
E2
E2
E2
page 201
Comments
341702815.xls ! 08 Sop
page 202
Comments
341702815.xls ! 08 Sop
page 203
Comments
341702815.xls ! 08 Sop
page 204
Comments
341702815.xls ! 08 Sop
page 205
Comments
341702815.xls ! 08 Sop
page 206
Comments
341702815.xls ! 08 Sop
page 207
Comments
341702815.xls ! 08 Sop
page 208
Comments
341702815.xls ! 08 Sop
page 209
Comments
341702815.xls ! 08 Sop
page 210
Comments
341702815.xls ! 08 Sop
page 211
Comments
341702815.xls ! 08 Sop
page 212
Comments
341702815.xls ! 08 Sop
page 213
Comments
341702815.xls ! 08 Sop
page 214
Comments
341702815.xls ! 08 Sop
page 215
Comments
341702815.xls ! 08 Sop
page 216
Comments
341702815.xls ! 08 Sop
page 217
341702815.xls ! 08 Sop
page 218
341702815.xls ! 08 Sop
page 219
341702815.xls ! 08 Sop
page 220
341702815.xls ! 08 Sop
page 221
341702815.xls ! 08 Sop
page 222
341702815.xls ! 08 Sop
page 223
341702815.xls ! 08 Sop
page 224
341702815.xls ! 08 Sop
page 225
341702815.xls ! 08 Sop
page 226
341702815.xls ! 08 Sop
page 227
341702815.xls ! 08 Sop
page 228
341702815.xls ! 08 Sop
page 229
341702815.xls ! 08 Sop
page 230
341702815.xls ! 08 Sop
page 231
341702815.xls ! 08 Sop
page 232
341702815.xls ! 08 Sop
page 233
Audit Questionnaire: Application Security

Quest. Nr
09A
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
Application access control
09A01
Management of application data access profiles
09A01-01
Has a management policy for access rights to data and information been established, built from an analysis of the security
requirements based on the business stakes?
09A01-02
Is access to applications and associated data defined in terms of job profiles which regroup roles or functions within the
organization (a profile defines access rights available to holders of the profile)?
Note: in certain circumstances the notion of "profile" may be replaced by the notion of "group".
09A01-03
Is it possible to adjust the access rights (that establish rights attributed to a given profile), variable parameters based on the
connection context such as the origin of the request or network paths used, or depending on protection means used (protocol,
encryption, etc) and on the classification of the resources accessed?
E2
09A01-04
Do the access profiles also allow definition of working time limits and periods in the working calendar (daily hours, weekends,
holidays etc.)?
E3
09A01-05
Have these profiles and the access rights attributed to the different profiles been approved by the information owners and/or the
E2
09A01-06
Are the processes of definition and management of rights attributed to profiles under strict control?
A strict control requires that the list of people allowed to change rights attributed to profiles be strictly limited and that the
implementation of these rights (e.g. into tables) be strictly secure and that there exist a reinforced access control for any
modification of these rights and that any modification be logged and audited.
R1
09A01-07
Is it possible to review at any time the list of profiles and the rights attributed to each profile?
C1
09A01-08
Is there a regular audit, at least once a year, of the totality of rights attributed to each profile and the profile management
procedures?
C1
11.2.4
E1
11.6.1
E1
11.6.1
E2
11.2.2
09A02
E1
11.1.1
E1
11.2.2; 11.6.1
11.5.6
Management of access authorizations to application data (granting, delegation, revocation)
09A02-01
Does the procedure of granting access authorization to applications require the formal authorization of line management (at a
sufficiently senior level)?
09A02-02
Are authorizations granted to named individuals and only as a function of their profile?
09A02-03
Is the procedure for granting (or modification or revocation) of access rights (directly or via a profile) strictly controlled?
the profile attributed to users in the form of tables is highly secure and that there be a reinforced access control over the
modification of such records and that any modification of records be logged and audited.
09A02-04
Is there a systematic process of updating the table of access rights at the time of departure of personnel (internal or external
personnel)?
E2
11.2.4
09A02-05
Is there a systematic process of updating the table of access rights at the time of change of function?
E3
11.2.4
09A02-06
Is there a strictly controlled process (see below) which allows rights to be delegated, in part or in whole, to a person of choice for a
determined period (in case of absence )?
In this case, the delegated rights must no longer be available to the person who has delegated them during this time. The latter
however, must have the possibility of taking them back, by which process he or she effectively ends the delegation.
E3
09A02-07
Is it possible to control at any time, for all users, the rights, authorizations and privileges in force?
09A02-08
Is there a regular audit, at least once a year, of the profiles and authorizations granted to all personnel and the procedures for
management of attributed profiles?
09A03
C1
2
C1
11.2.4
Authentication of the access requestor
341702815.xls ! 09 App
page 234
1 variant
R-V1 R-V2 R-V3 R-V4
Quest. Nr
Question
Max
09A03-01
Does the process of distribution or modification of the user credentials guarantee that only the holder of the identifier has access
(initial communication is confidential, password change is under the exclusive control of the user, etc.)?
E1
11.5.3
09A03-02
Does the process of creation or modification of a user credentials respect a set of rules which ensures its intrinsic validity?
In the case of passwords: sufficient length (8 characters or more), obligatory mixture of types of characters, frequent change (less
than once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard
systems", first names, anagrams of username, dates etc.
In the case of certificates or use made of cryptographic mechanisms for authentication: a generation process evaluated or publicly
recognized, encryption keys of a sufficient length etc.
E2
11.2.3; 11.5.3
09A03-03
Does the presentation of his credentials by the user guarantee their inviolability?
Typing a password will always be a weak point. The only processes whose observation does not divulge information consist either
of introducing an object containing a secret (smart card), or using a code which changes at every moment (token card) or using a
means of which contains some biometric characteristic.
E3
11.5.3
09A03-04
Is there a guarantee that the credentials, used for authentication, will remain inviolable and authentic while kept or presented by
the user or by the user agent?
Passwords must be stored encrypted and a preliminary access control must be made before usage.
In the case of authentication using cryptographic processing, the mechanism must provide solid guarantees validated by a
reference organization.
E2
11.5.3
09A03-05
Is there a guarantee that the credentials, used for authentication, will remain inviolable and authentic while transmitted between the
user and the target systems?
In the case of authentication using cryptographic processing, the mechanism must provide solid guarantees validated by a
reference organization.
E3
11.5.3
09A03-06
In the case of multiple incorrect authentication attempts, is there a process which automatically invalidates the user identifier, even
the user workstation itself, or a slowing of the authentication process (aimed at preventing connection from an automatic routine)?
E2
11.5.3
09A03-07
Does the procedure for the replacement of lost or mislaid user authentication means (password, token card) allow for the instant
deactivation of the user account?
E2
11.5.3
09A03-08
Does the procedure for the replacement of lost or mislaid user authentication means (password, token card) allow for an effective
control of the requestor's identity?
E3
11.5.3
09A03-09

A strict control requires that people able to change the definition rules of credentials, the credentials themselves, rules of
surveillance of connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these
modifications, that these modifications be logged and audited and that a general audit be run at least once a year of all
R1
09A03-10

A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there be
an audit at least once a year of authentication procedures and processes (including the processes which aim to detect violations
attempts and the processes which respond to these violation attempts).
C1
E1
09A04
09A04-01
Min
Typ
ISO 27002

Does any access to the system require the use of an identifier recognized by the system?
341702815.xls ! 09 App
11.5.2; 11.6.1
page 235
1 variant
R-V1 R-V2 R-V3 R-V4
Quest. Nr
Question
Max
09A04-02
Is there a direct or indirect correspondence between any identifier and a real physical person?
In the case where an application calls another one or calls a system, it may be that the application does not transfer to the target
system the identifier which originally made the request. However, the link between that call and the original user identifier must
remain traceable after the fact.
E1
11.5.2; 11.6.1
09A04-03
Have all generic or by-default accounts and passwords been changed or deleted?
E2
11.5.2
09A04-04
Is the acceptance of the account identified by the system systematically followed by authentication control?
Systematic authentication requires that the process be implemented for all subsystems (remote processing monitor, database
management system, batch processes, etc. ), for all application requests, for all access routes and for all ports, including ports
reserved for remote maintenance.
E2
11.5.2
09A04-05
May the authentication process be repeated during an open session for transactions considered to be sensitive?
E3
11.5.6
09A04-06
Is there an automatic invalidation of the user identifier in the absence of traffic after a defined delay, which requires user reidentification and re-authentication?
E3
11.5.5
09A04-07
Are there application access controls which limit the view and access to very sensitive information?
E3
11.6.1
09A04-08
Is there a systematic control of the profile and connection context of the requestor and of their appropriateness for the access
requested?
R1
09A04-09
Is the process of definition and management of access filtering rules under strict control?
A strict control requires that the list of persons able to change the filtering security parameters be extremely limited, and that there
be a reinforced access control in order to be able to effect such modification and that any modification be logged an audited.
C1
09A04-10
Are the processes that guarantee access filtering under strict control?
an audit at least once a year of access control procedures and processes (including the processes which aim to detect change
attempts and the processes which respond to these change attempts).
R2
09A05
Min
Typ
ISO 27002
Authentication of the application for access to sensitive applications
09A05-01
Is there a possibility to declare applications as sensitive and, as such, requiring an authentication of the application accessed?
E2
09A05-02
Is there a mechanism of authentication of the application called before access to a sensitive application from the internal network?
E2
09A05-03
Does the authentication mechanism of the accessed sensitive applications provide a recognized "strong" level of security?
Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is observable
without divulging information, are those based on cryptographic algorithms.
E3
09A05-04
E2
09A05-05
Does the transmission of credentials (e.g. passwords, calling address, etc.) between calling user equipment and authentication
systems use mechanisms which guarantee their impregnability and authenticity?
E3
341702815.xls ! 09 App
page 236
1 variant
R-V1 R-V2 R-V3 R-V4
Quest. Nr
Question
Max
09A05-06
revocation of keys?
E2
09A05-07
Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have not
been revoked?
E3
09A05-08
R1
09B
Min
Typ
ISO 27002
Control of data integrity
09B01
Sealing of sensitive data
09B01-01
Have integrity sensitive files been identified which must be protected by sealing solutions and have such solutions been
implemented at the application level?
09B01-02
Are the seals controlled automatically by the corresponding applications?
E3
09B01-03
The sufficient length of the key is one of the parameters to take into consideration. The recommendation of an official organization
can be a confidence factor.
E3
09B01-04
Do the procedures and mechanisms for storage, distribution and exchange of keys and more generally the management of keys
R1
09B01-05
Are the sealing mechanisms strictly protected against violation or change?

In the case of hardware sealing and appliances, they should be physical protected against access to the sealing mechanisms. If a
software solution is used, it must itself contain an integrity control.
09B01-06
Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day and capable of
09B01-07
09B01-08
Are sealing mechanisms, their parameters and associated procedures subject to regular audit?
09B02
E2
R2
R2
2
R2
C1
Protection of integrity of exchanged data
09B02-01
Have all data exchanges which must be protected by sealing solutions been defined and have such solutions been implemented at
the application level?
09B02-02
Are the seals controlled automatically by the corresponding applications?
09B02-03
The sufficient length of the key is one of the parameters to take into consideration (as a function of the algorithm). The
09B02-04
Do the procedures and mechanisms for storage, distribution and exchange of keys and more generally the management of keys
09B02-05
09B02-06
E2
12.2.3
E3
12.2.3
E2
12.2.3
R1
Are the sealing mechanisms strictly protected against violation or change?

In the case of hardware sealing and appliances, they should be physical protected against access to the sealing mechanisms. If a
Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day or by direct call
and capable of triggering an immediate reaction?
341702815.xls ! 09 App
R2
R2
page 237
1 variant
R-V1 R-V2 R-V3 R-V4
Quest. Nr
Question
09B02-07
09B02-08
Are sealing mechanisms, their parameters and associated procedures subject to regular audit?
09B03
Max
3
Min
Typ
R2
ISO 27002
C1
Control of data entry
09B03-01
Are sensitive data strictly controlled by the person entering them (auto-control)?
09B03-02
Are sensitive data subject to data entry control by an other person?
09B03-03
Are sensitive data subject to means allowing to ascribe their entry or modification to their author?
09B03-04
E1
12.2.1
E1
12.2.1
E3
12.2.1
Are there incentives for data entry without error (individual bonuses, departmental bonuses, penalties in the case of too many
errors etc.)?
E2
12.2.1
09B03-05
Is there an overall control of series of data items entered (sum, range, min, max, etc.)?
E2
12.2.1
09B03-06
Is data entry subject to coherence checks incorporated into the data entry process?
E2
12.2.1
09B03-07
Are these additional checks (range, coherence, etc.) strongly protected against any illicit alteration ?
R1
09B03-08
Have the procedures to correct data entry errors been defined?
R1
09B03-09
Is the checking process subject to regular audit?
09B04
C1
Permanent checks (accuracy, etc) relating to data
09B04-01
Has a review been carried out with users to determine suitable controls of the pertinence of data entered or modified (correction in
relation to data ranges, ratios between data entered independently, coherence checks, evolution and comparison with statistics)
and have the corresponding controls been implemented in applications?
E1
09B04-02
Have control parameters (values of data ranges, etc.) been stored in tables separate from the application and which may be easily
checked?
E2
09B04-03
Are the processes that guarantee these permanent controls under strict control themselves?
an audit at least once a year of the control procedures and processes.
R1
09B04-04
Are the parameters of permanent controls under strict control?

A strict control requires that the list of people able to change control parameters be strictly limited and that there be a reinforced
access control in order to be able to modify these parameters and that any modification of these parameters be logged and
audited.
R1
09B04-05
When these controls exist, are they the integrated into an operational process for alert and processing of errors?
E2
09B05
12.2.1; 12.2.4
Continuous (plausibility, ) checks on data processing
09B05-01
Have the checks that should be made to verify consistency of the data after processing by the application been analyzed with the
users (test variables, ratios, evolution and comparison before and after processing, etc.), and have the corresponding checks been
implemented in the applications?
E1
09B05-02
Are the parameters for these checks recorded in tables separated from the application code and easily verifiable?
E2
09B05-03
Are the processes insuring continuous checking of the data processing under strict control?
Strict control requires that the corresponding software is validated and is subject to a regular integrity check (sealing) and that
there is an audit at least once a year of the control process and procedures (including procedures for detecting attempts at
modification and for reacting to these attempts).
R1
09B05-04
Are the check parameters under strict control?

Strict control requires that the list of people authorized to change the control parameters is very limited, that strong access control
is applied to all modifications, and that the modifications are logged and audited.
R1
09B05-05
Are the checks that exist integrated into an operational procedure that signals and handles any errors?
09C
12.2.1
12.2.1; 12.2.4
E2
Control of data confidentiality

341702815.xls ! 09 App
page 238

Quest. Nr
09C01
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
09C01-01
Have the messages which must be protected by encryption solutions been defined and such solutions been implemented at the
application level?
09C01-02
The sufficient length of the key is one of among many parameters to take into consideration (as a function of the algorithm). The
E2
09C01-03
Does the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the
keys offer solid guarantees which merit confidence and are they approved by the Information Security Officer?
E2
09C01-04
Are the encryption mechanisms strictly protected against violation or change?

In the case of hardware encryption and appliances, they should be physical protected against access to the encryption
mechanisms. If a software solution is used, it must itself contain an integrity control.
09C01-05
Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day or by direct
call and capable of triggering an immediate reaction?
R1
09C01-06
Are encryption mechanisms, their parameters and associated procedures subject to regular audit?
C1
09C02
E1
12.3.2
Encryption of stored data

Have the files or storage zones which must be protected by encryption solutions been defined and have such solutions been
implemented in the application architecture?
09C02-02
Is this encryption systematically applied (as a function of information classification ) and/or automatic (as a function of storage
media) each time data is written to the storage media or each time the application session closes?
E2
09C02-03
Is this encryption systematically applied each time files are transferred or remotely-loaded by the relevant applications?
E2
09C02-04
E2
09C02-05
Do the procedures and mechanisms for storage, distribution and, more generally, management of keys offer a sufficient level of
confidence and have they been approved by the Information Security Officer?
The possibility of having to recover these data on another hardware system or another version of the operating system needs to be
anticipated.
E2
09C02-06
Are the encryption mechanisms strictly protected against intrusion or change?

In the case of hardware encryption and appliances, they should be physical protected against access to the encryption
mechanisms. If a software solution is used, it must itself contain an integrity control.
09C02-07
Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day or by direct
R1
09C02-08
Are encryption mechanisms for stored data, their parameters and associated procedures (in particular the management and
protection of keys) subject to regular audit?
C1
09C03
12.3.1
R2
09C02-01
09C03-01
ISO 27002
Encryption of data exchanges

Here we consider the encryption effected directly by the application (ISO layers 6-7, prior to or during transmission).
E1
12.3.1
12.3.2
E3
Anti electromagnetic radiation protection

Are means used to prevent radiation from equipment hosting very sensitive applications (Tempest, cable shielding, faradizations of
the offices)?
341702815.xls ! 09 App
E2
page 239
1 variant
R-V1 R-V2 R-V3 R-V4
Quest. Nr
Question
09C03-02
Are radiation levels regularly controlled for equipment hosting these sensitive applications?
09D
Max
Min
Typ
ISO 27002
E3
Data availability
09D01
Very high security recording
09D01-01
Are specific procedures applied to verify that all data recorded can be reread?
09D01-02
Are there procedures or an architecture of a very high security level which records all data with redundancy (RAID disks, mirroring,
etc.)?
09D01-03
Do these very high security procedures enable the reconstitution of data in the case of an error or readability issue for a few
sectors?
E3
09D01-04
Have scenarios been defined for which very high security recording is to be used and has the physical protection of storage media
been tested to ensure that it is suited to meet the requirements of these scenarios?
E2
09D02
E2
3
E2
Management of access to data files
09D02-01
Is the list of data file formats that must be readable verified and maintained?
E1
09D02-02
Are the hardware and software required for reading all these types of data files available or easily made available?
E1
09D02-03
Do the procedures for allocating and customizing the mechanisms for encryption and protection of files guarantee that the files can
be accessed, even in the event of the absence or departure of the file owners?
E2
09D02-04
Are the means of recovering access keys or encryption keys protected against accidental or malicious loss?
E2
09D02-05
Are there regular audits of these means and procedures to guarantee permanent access to the data files?
E2
09E
Service continuity
09E01
Hardware reconfiguration
09E01-01
Has a fail-safe architecture been established, including redundancy and system mirroring for critical equipment or servers?
E2
09E01-02
Does the implementation of this architecture guarantee the minimum performance levels required in the case of incident or failure?
Such a guarantee supposes either that failsafe systems features are entirely automatic or that systems will detect failures and staff
will have the specifications and capability to manually reconfigure failed systems.
E2
09E01-03
Is there some assurance in this case that ancillary equipment (power supply, air-conditioning, etc. ) do not introduce any additional
risk and do not ruin the redundancy expected from the equipment or network architecture?
E3
09E01-04
Does the shutdown or invalidation of any redundant equipment or failure dtection system (requiring human intervention) trigger an
alarm to an operational manager?
R1
09E01-05
Are regular tests made to demonstrate that security equipment is able to guarantee minimum performance levels required in the
case of an incident or failure?
09E02
14.1.4
C1
Application service continuity plans
09E02-01
Have application service continuity plans been established for each business application, based on its criticality classification
level?
09E02-02
Are these continuity plans compatible with the Disaster Recovery Plans for the hardware and systems used by the process or
application?
09E02-03
Do these continuity plans detail all the actions necessary to ensure service continuity between the time of an alert and the effective
implementation of solutions prescribed by the Disaster Recovery Plans?
09E02-04
Do these plans treat all the organizational aspects related to a manual emergency solution (personnel, logistic, management etc.)?
341702815.xls ! 09 App
E1
14.1.3
E1
14.1.3
E2
14.1.3
E2
14.1.3
page 240
1 variant
R-V1 R-V2 R-V3 R-V4
Quest. Nr
Question
09E02-05
Have the appropriate instructions and training been given to staff in order to deal with a "manual" emergency solution?
09E02-06
Have the application service continuity plans anticipated all the procedures required for a return to normal service?
09E02-07
Is there a plan which regroups all emergency solutions designed to overcome critical process and application shutdowns?
09E02-08
Is the crisis plan initiation compliant with the above application service continuity plan?
09E02-09
Are these plans regularly tested under full scale conditions (with operational data volumes) and updated at least once a year?
C1
09E02-10
Are the updates of these plans regularly audited (at least once a year)?
C1
09E03
Max
Min
Typ
14.1.3
E2
14.1.3
E2
14.1.3
E2
14.1.5
Management of critical applications (with regard to maintenance continuity)
09E03-01
Have the consequences of the disappearance of an application or package editor been analyzed (in the case of failure of a bug or
the need for evolution) and has a list of critical applications been deduced?
E2
09E03-02
For each critical application, is there a corrective solution to cope with the failure or disappearance of a supplier (consignment of
maintenance documentation and source code with a trusted third party, replacement of equipment or of software by standard
package etc.)?
E2
09E03-03
Is it certain that this corrective solution could be made operational to enable company activity to restart within a time delay
sufficiently short to be acceptable to users?
E2
09E03-04
Have variants to the primary solution been considered in case the latter might encounter unforeseen difficulties?
E3
09E03-05
Is there a regular review of critical applications and corrective solutions envisaged?
C1
09F
ISO 27002
E2
Control of origin and receipt of data
09F01
Proof of origin, electronic signature
09F01-01
Have sensitive transactions been identified which must be protected by electronic signature solutions implemented at the
application level?
09F01-02
Is the conformity of signatures controlled automatically by the application?
E2
09F01-03
Does the electronic signature solution offer valid and solid guarantees and has it been approved by the Information Security
Officer?
E2
09F01-04
Do the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the keys
offer solid guarantees which merit confidence and are they approved by the Information Security Officer?
E2
09F01-05
Are the electronic signature mechanisms strictly protected against violation or change?
In the case of hardware solution or appliance, it should be physical protected against access to the signature mechanisms. If a
09F01-06
Is shutdown or by-pass of the signature solution immediately detected and signaled to a team available 24 hrs a day or by direct
09F01-07
Is there a procedure which details the operations to carry out in the case of error or alert?
09F01-08
Are electronic signature mechanisms, their parameters and associated procedures subject to regular audit?
09F02
E2
12.3.2
R2
R1
2
12.3.1
R1
C1
Prevention of message duplication and replay (numbering, sequencing)
09F02-01
Have sensitive transactions been identified which must be protected by sequencing control solutions implemented at the
application level (or at the network level)?
09F02-02
Is the coherence of the numbers and sequences controlled automatically by the application or by the middleware used?
341702815.xls ! 09 App
E2
2
E2
page 241
1 variant
R-V1 R-V2 R-V3 R-V4
Quest. Nr
Question
Max
09F02-03
Does the numbering and sequencing solution offer valid and solid guarantees and has it been approved by the Information
Security Officer?
The recommendation of an official organization can be a confidence factor.
09F02-04
Are the numbering and numbering control mechanisms strictly protected against violation or change?
In the case of hardware solution or appliance, it should be physical protected against access to the sequencing mechanisms. If a
09F02-05
Is shutdown or by-pass of the numbering system immediately detected and signaled to a team available 24 hrs a day or by direct
09F02-06
09F02-07
Are numbering mechanisms, their parameters and associated control procedures subject to regular audit?
09F03
Min
Typ
ISO 27002
E2
R2
R1
2
R1
C1
Acknowledgements of receipt
09F03-01
Is there a procedure which requires an acknowledgement of receipt to be sent for all sensitive messages?
Note: in certain cases, checks may be based on the signature.
09F03-02
Is an alert triggered when an acknowledgement of receipt is not sent (or received) for sensitive messages?
E2
09F03-03
Is the acknowledgement of receipt emitted only after the message has been effectively considered by the target application?
No acknowledgement should be sent for a message still waiting for treatment
E3
09F03-04
Is the acknowledgement of receipt mechanism protected against all undesirable intervention?
R1
09F03-05
R1
09F03-06
Is the acknowledgement of receipt system subject to regular audit?
C1
E1
Detection and management of application incident and anomalies
09G
09G01
Detection of application anomalies
09G01-01
Have events or successions of events been analyzed which might reveal abnormal behavior or illicit action and, as a consequence,
have specific monitoring points been identified?
09G01-02
Are features, detecting and recording sensitive events, installed in applications (with type of event, user identifier, date and time,
etc.)?
E2
09G01-03
Is there an audit trail within certain sensitive processes which records the events which would enable later diagnosis of
anomalies?
E3
09G01-04
Are sensitive applications provided with an automatic monitoring function dealing in real time with large numbers of abnormal
events (for example many unsuccessful connection attempts on user workstations or unsuccessful attempts to use sensitive
transactions)?
E3
09G01-05
Are all these diagnostic elements registered?
09G01-06
Are there one or more applications capable of analyzing the individual anomaly diagnostic data and triggering an alert to
operational personnel?
09G01-07
Does the anomaly diagnostic system trigger an alarm in real time to a permanent surveillance team able or by direct call and able
to react without delay?
09G01-08
For each case of alert has the expected response from the intervention team been defined and is the availability of the intervention
team sufficient to face this expectation?
E3
09G01-09
Are the parameters defining the elements to record and the diagnostic analyses effected on these elements strictly protected
(restricted access rights and strict authentication ) against illicit modification?
R2
09G01-10
Does the stopping of the recording and record processing system trigger an alarm with the surveillance team?
R1
341702815.xls ! 09 App
E2
E2
2
E3
3
E3
page 242
1 variant
R-V1 R-V2 R-V3 R-V4
Quest. Nr
Question
09G01-11
Are the procedures for recording, processing and diagnostic analysis and the availability of the intervention team regularly audited?
09H
09H01
Max
Min
Typ
C1
ISO 27002
E-commerce
Security of the e-commerce Sites
09H01-01
Have the security requirements specific to e-commerce been analyzed and thus defined the necessary protections?
E2
10.9.1
09H01-02
Have the security requirements specific to on-line trades been analyzed and thus defined the necessary protections?
E2
10.9.2
09H01-03
Have the security requirements specific to making information available to the public been analyzed and thus defined the
necessary protections?
E2
10.9.3
341702815.xls ! 09 App
page 243
Comments
341702815.xls ! 09 App
page 244
Comments
341702815.xls ! 09 App
page 245
Comments
341702815.xls ! 09 App
page 246
Comments
341702815.xls ! 09 App
page 247
Comments
341702815.xls ! 09 App
page 248
Comments
341702815.xls ! 09 App
page 249
Comments
341702815.xls ! 09 App
page 250
Comments
341702815.xls ! 09 App
page 251
Comments
341702815.xls ! 09 App
page 252
Comments
341702815.xls ! 09 App
page 253
341702815.xls ! 09 App
page 254
341702815.xls ! 09 App
page 255
341702815.xls ! 09 App
page 256
341702815.xls ! 09 App
page 257
341702815.xls ! 09 App
page 258
341702815.xls ! 09 App
page 259
341702815.xls ! 09 App
page 260
341702815.xls ! 09 App
page 261
341702815.xls ! 09 App
page 262
341702815.xls ! 09 App
page 263
Audit Questionnaire: Security of Application Projects and Developments

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Type
ISO 27002
Domain 10 of MEHARI represents a particular point of view that can be summarized as follows: the challenge of security in application
development and maintenance is to protect against the introduction of weaknesses. Quality insurance for the developments, which aims to ensure
that needs are well specified, developments are effected in conformity to a recognized method, that specifications are properly applied and that the
application functions correctly, etc. is not considered within this security domain.
10A
Security of application projects and developments
10A01
Consideration of security in application development
10A01-01
Is there a systematic analysis, from the start of project specification, of the dysfunctions which could be induced by the application
or applications following the project or during one of the components of the project?
Notes : A project may consist simply of the installation of a software package or of a full internal development.
Possible dysfunctions must be analyzed on two levels: at the level of company activity and its operational processes (do new or
deleted functions represent an additional risk?) and at the IT architecture level (do new or changed infrastructure, operating
system, middleware, applications, data represent additional risk?).
E1
12.1.1
10A01-02
Is an analysis carried out with user managers of the level of impact and probability of possible dysfunction taking into consideration
the security measures already in place and the additional or specific measures envisaged in the specifications of the project?
E2
12.1.1
10A01-03
Are there project reviews during which these risks are presented, decisions are taken about their acceptability or not and about
any additional security measures needed?
E1
12.1.1
10A01-04
Has the possibility of information leaks through hidden canals been considered within risk studies and have adapted controls been
implemented?
E3
12.5.4
10A01-05
Is the implementation of security measures, specific to the project, formally tracked during the project lifecycle?
The tracking may consist of an obligatory review point at each project phase, followed up by documentation detailing the choice of
solutions and the status of their implementation.
C1
10A01-06
Is there a support group, specialized in project risk analysis, assisting the management of the project with the risk analysis
process?
E2
10A01-07
Is the Information Security Office implicated, directly or indirectly, in security related decisions in the projects? 10A08 has been
deleted
E2
10A02
Change management
10A02-01
Are all change requests for an application subject to a formal review procedure (requestor, rationale, decision process)?
E2
12.5.1
10A02-02
Are all automatic software changes or updates made impossible?
R2
12.5.1
10A02-03
Are the versions of all software kept up?
E2
12.5.1
10A02-04
Are the versions of all associated documentation kept up?
E2
10A02-05
When changes are made to the operating systems, is there a review and test of their impact on the applications?
E2
12.5.2
10A02-06
Does the change management procedure impose non regression tests to be run?
Non regression tests check that the modifications do not change the characteristics nor the performances of the other functions of
the application.
E2
12.5.2
10A02-07
Is the impact on the continuity plans of the changes introduced into the applications taken into account?
E2
12.5.2; 14.1.5
E2
12.5.5
10A03
Externalization of software development
10A03-01
When the software development is subcontracted, have the issues regarding license agreement and intellectual property of the
code developed been handled?
10A03-02
Were requirements regarding the quality and the security level of the code formally integrated in the contracts?
E2
12.5.5
10A03-03
Have access rights allowing to audit the quality of the work effected by subcontractors been agreed upon?
E2
12.5.5
341702815.xls ! 10 Dev
page 264
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
10A03-04
Have pre-installation tests of new applications been anticipated in order to detect eventual malevolent code?
10A03-05
Have security measures regarding code custody, including all accompanying documents, been taken in case of default by a third
party?
10A04
Max
2
Does application maintenance have at its disposal a technical software support center which guarantees rapid, competent
assistance in case of difficulty or bug?
10A04-02
Is there a special service agreement for all in-house software requiring high availability and for which standard maintenance would
not be provided within acceptable delays?
Does this special service agreement anticipate the conditions of escalation in the case of intervention difficulty and the possibilities
and conditions for calling in the most qualified specialists?
ISO 27002
E2
12.5.5
E2
12.5.5
E1
E2
E2
10A04-04
Is there a guarantee that the competence and availability of the maintenance staff enable them to respond in a satisfactory manner
to the maintenance requests of users ?
This agreement should consider weekend and holiday periods as well.
10A04-05
Is the respect of the maintenance service agreement subject to regular audit?
10A05
Type
Organization of application maintenance
10A04-01
10A04-03
Min
E2
C1
Modification of software packages
10A05-01
Is it avoided, as far as possible, to modify software packages?
E2
12.5.3
10A05-02
Is it applied a strict control of changes when obligated to modify software packages?
E2
12.5.3
10A05-03
Specifically, has the editor's consent to proceed with said changes been obtained?
E2
12.5.3
10A05-04
Have the consequences of those changes on the maintenance provided by the editor been examined?
E2
12.5.3
10B
Ensuring security in the development and maintenance processes
10B01
Ensuring security in the organization of application developments
10B01-01
Do application development procedures impose a strict separation between detailed specification, design, unit test and integration,
with the attribution of specific profiles to the various members of the development team specific to the task involved?
10B01-02
Is the attribution of profiles and tasks to application development personnel done on an individual and nominative basis?
10B01-03
Is a trace kept of the tasks effected by each member of development staff?
E2
10B01-04
Are the application development, test and integration environments strictly separated?
E1
10B01-05
Have strict and separated access rights been defined for these environments, based on profile and project?
A strict access control supposes that it is necessary to get the right profile in order to access to a given environment
E2
10B01-06
Is the authentication protocol for development personnel holding privileged rights considered as strong?
10B01-07
In the particular case of passwords, can the imposed rules be considered as very strict?
Very strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters or more). It is desirable that these rules have been approved by the Information Security Officer.
10B01-08
Do application development procedures require that a person never have sole responsibility for a task?
10B01-09
Do application development procedures require that, for sensitive functions, a verification of code is made by an independent
team?
341702815.xls ! 10 Dev
E1
E2
12.4.1
E3
E2
R1
3
R2
page 265
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
10B01-10
Do application development procedures require a formal validation, by users, of the coverage of functional tests?
10B01-11
Do application development procedures require that the security function provide a formal validation of the coverage of tests
related to security functions or mechanisms?
10B01-12
In the case of software packages or developments conferred on IT service companies are the above conditions contractually
imposed on the editor, partner or subcontractor?
E1
10B01-13
Are the management control parameters of rights attributed to development personnel under strict control?
A strict control requires that the list of people able to change per project rights attributed to development staff, the access control
parameters to development environments and objects be strictly limited and that there be a reinforced access control in order to be
able to modify these rights and that any modification of these rights be logged and audited.
C2
10B01-14
Are the organization of tasks within development teams and the application of clear segregation and control rules regularly
audited?
C1
10B02
Max
Min
Type
E3
Ensuring confidentiality in application developments
10B02-01
Do the development procedures impose an analysis of the confidentiality of applications developed and a classification of objects
implemented in the course of developments (documentation, source code, executable code, study notes, etc.)?
E1
10B02-02
In the case of development of a confidential application, are their special procedures for management of documentation?
E1
10B02-03
In the case of development of a confidential application, are profiles put in place which enable the distribution of confidential
information to be limited only to people who have a real need?
E1
10B02-04
Are source code, executable code and documentation protected by a strict access control procedure which details, as a function of
development phase, the authorized profiles having access to these objects as well as the storage conditions and corresponding
access control rules?
An access control procedure using strict access conditions should guarantee that all code or documentation modification is made
by an authorized person under authorized conditions.
E2
10B02-05
Are the control parameters related to the management of rights attributed to development personnel under strict control?
A strict control requires that the list of people able to change rights attributed to development personnel by project and the access
control parameters to development environment and objects be strictly limited and that there be a reinforced access control in
order to modify these rights and that any modification of these rights be logged and audited.
R2
10B02-06
Are the processes which ensure the filtering of access to development objects (documentation and code ) under strict control ?
an audit at least once a year of the procedures and processes of access filtering (including the process aiming to detect
modification attempts and the processes which respond to these modification attempts).
R3
10B02-07
In the case of developments of packages or conferred on IT service companies are the above conditions contractually imposed on
the editor, partner or subcontractor?
E1
10B02-08
Is the management of access rights to development objects, protection procedures and mechanisms subject to a regular audit?
C1
10B03
10B03-01
ISO 27002
E2
12.4.3
Security within Internal Processing of Applications

During the design or implementation of applications, is it conducted a detailed study of the processing failures that could result in
an integrity loss?
341702815.xls ! 10 Dev
E2
12.2.2
page 266
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
10B03-02
Specifically, is it made sure that the use of the functions "Add", "Modify", "Delete" could not result in a loss of integrity (referential
integrity, etc)?
E2
12.2.2
10B03-03
Has the processing sequence of execution been validated and has the restart sequence after failure of a previous processing
been anticipated?
E2
12.2.2
10B03-04
Have prevention controls against buffer overflow attacks been anticipated?
E2
12.2.2
E1
12.4.2
10B04
Max
Min
Type
ISO 27002
Protection of Data during tests
10B04-01
For testing, is the use of functional databases containing personal information or any other sensitive information avoided?
10B04-02
If sensible or personal data have to be used, is it ensured deleting sensitive details and contents before using them (or make them
anonymous)?
E2
12.4.2
10B04-03
When using operations data, do the access control procedure that apply to the running applications also apply to the test
applications?
E2
12.4.2
10B04-04
Is the operating information used by a test application deleted immediately after the test is completed?
E2
12.4.2
10B04-05
Is there a log of all copy or use of operating data during tests to create a audit trail?
C1
12.4.2
E1
10B05
Security of application maintenance
10B05-01
Do application maintenance procedures impose a strict separation between detailed specification, design, unit test and integration
tasks, with the attribution of specific profiles to the various members of the maintenance staff?
10B05-02
Is the attribution of profiles and tasks to maintenance personnel done on an individual and named basis?
E2
10B05-03
Is a trace kept of the tasks effected by each member of the maintenance staff?
E2
10B05-04
Are the application maintenance, test and integration environments strictly separated?
10B05-05
Have strict and separated access rights been defined for these environments, based on profile and project?
A strict access control supposes that it is necessary to get the right profile in order to access to a given environment
10B05-06
Is the authentication protocol for development personnel holding privileged rights considered as strong?
10B05-07
In the particular case of passwords, can the imposed rules be considered as very strict?
Very strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters or more). It is desirable that these rules have been approved by the Information Security Officer.
10B05-08
Do application maintenance procedures require that a person never be the only person responsible for a task?
10B05-09
Do application maintenance procedures require that, for sensitive functions, a verification of code is a made by an independent
team?
10B05-10
Do application maintenance procedures require a formal validation, by users, of the coverage of functional tests?
10B05-11
Do application maintenance procedures require that a formal validation be run by the security function of the coverage of tests
related to security functions or mechanisms?
10B05-12
In the case of application maintenance conferred on outside contractors, are the above conditions contractually imposed on the
partner or subcontractor?
Note: when the maintenance is assured by a software editor and/or in a another country, separated by considerable distance, the
guarantees made in respect of maintenance conditions must be reviewed with great care.
341702815.xls ! 10 Dev
E2
E3
E2
E2
3
E2
E2
E3
E1
page 267
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
10B05-13
Are the control parameters related to the management of rights attributed to application maintenance personnel under strict
control?
A strict control requires that the list of people able to change profiles by project attributed to application maintenance personnel and
the access control parameters to maintenance environments and objects be strictly limited and that there be a reinforced access
control in order to be able to modify these rights and that any modification of these rights be logged and audited.
C2
10B05-14
Are the organization of tasks within application maintenance and the application of clear segregation and control rules regularly
audited?
C1
10B06
Max
Min
Type
ISO 27002
Hot Maintenance
10B06-01
Is real-time (hot) maintenance, when done directly in the production environment, subject to the triggering of a formal procedure
including, in particular, the formal agreement of the operational director and the manager responsible for the application domain (or
data owner) concerned?
E1
10B06-02
Is a full backup of the production environment (systems and applications) made before any real time maintenance, which would
enable a return to the previous situation in case of a problem?
E2
10B06-03
Is a full backup of operational data (synchronized) made before any real time maintenance so as to enable a return to the prior
situation in case of a problem?
E2
10B06-04
Is a trace kept of all operations effected and commands launched during any real time maintenance in order to be able to
investigate afterwards, or even to cancel them, if the sequence of operations finished improperly?
10B06-05
Are the procedures of real time maintenance and their application subject to regular audit?
341702815.xls ! 10 Dev
E2
3
C1
page 268
Comments
341702815.xls ! 10 Dev
page 269
Comments
341702815.xls ! 10 Dev
page 270
Comments
341702815.xls ! 10 Dev
page 271
Comments
341702815.xls ! 10 Dev
page 272
Comments
341702815.xls ! 10 Dev
page 273
341702815.xls ! 10 Dev
page 274
341702815.xls ! 10 Dev
page 275
341702815.xls ! 10 Dev
page 276
341702815.xls ! 10 Dev
page 277
341702815.xls ! 10 Dev
page 278
Audit questionnaire: Protection of users' work equipment

Number
1 variant
Question
Max
Min
Typ
ISO 27002
R-V1 R-V2 R-V3 R-V4
11A
Security of the operational procedures for the whole set of users' equipment
11A01
Control of the installation of new software or system versions on the users' equipment
11A01-01
Are the decisions to change or update users' software versions subject to a control procedure (registration, planning, formal
approval, communication to all concerned individuals, etc.)?
E1
11A01-02
Are the new versions validated on pilot equipment before general installation throughout the user stations?
E2
11A01-03
Is the remotely ordered validation of new installations on users' equipment reserved to a limited list of administrators in charge of
users work equipment?
E2
11A01-04
Are security parameters and configuration rules of user equipment listed in detail and regularly updated?
E3
10.3.2
11A01-05
Are security parameters and configuration rules controlled following any configuration evolution of user equipment?
E3
10.3.2
11A01-06
Has the eventual impact of the user equipment configuration changes regarding the continuity plans been considered?
E2
10.3.2
11A01-07
Are all the control procedures related to user configurations subject to regular audit?
11A02
10.1.2; 10.3.1
C1
Control of the compliance of user configurations
11A02-01
Has a list of authorized software for the user equipment been established?
This list should state the reference versions authorized and the possible parameterization options accepted.
E2
11A02-02
Has a list of additional equipment authorized on the user work stations been established?
This list should contain the authorized reference versions and possibly the parameter options used
E2
11A02-03
Are these lists protected against untimely or illicit alteration by a robust sealing process?
R2
11A02-04
Are the rights provided to users preventing them to modify the system configurations of their equipment (addition of hardware or
software)?
E2
11A02-05
Is the conformity of the hardware configurations for user workstations regularly controlled relatively to the authorized options?
E3
15.2.2
11A02-06
Is the conformity of the software configurations for user workstations regularly controlled relatively to the authorized options?
E3
15.2.2
11A02-07
Does the inhibition of the control process trigger an alarm to a manager?
E3
11A02-08
Is it also controlled that the users do not possess the access rights required for the installation of additional hardware or software?
E3
11A02-09
Are the processes of control themselves subject to regular audits?
C1
11A03
Control of software and software package licenses
11A03-01
Does the security policy state that it is strictly forbidden to load any piece of software on the workstation without a proper license?
E1
15.1.2
11A03-02
Is a permanent inventory held up to date of the software officially installed and declared on each work station?
E2
15.1.2
11A03-03
Is there a regular control of the conformity of the software installed to those declared or that they possess an authorized license?
E2
15.1.2
11A03-04
Are these controls covering the equipment base?
E3
11A03-05
Is the application of these controls subject to a regular audit?
C1
11A04
11A04-01
Conformity control of the reference programs (source and executable) for user software
Does the IT operation manage a reference for each software product installed on the user workstations (source code and
executable)?
341702815.xls ! 11 Mic
E1
12.4.1
page 279

Number
1 variant
Question
Max
Min
Typ
ISO 27002
R-V1 R-V2 R-V3 R-V4

11A04-02
Is this reference version protected against untimely or illicit alteration (media signed and kept by a responsible person of high rank,
R1
11A04-03
Is this protection considered as inviolable (cryptographic sealing approved by the CISO)?
R2
11A04-04
Is there an automatic control of the sealing (or, at least, a deposited signature) for each new installation of a user workstation?
R2
11A04-05
E2
11A04-06
C1
11A05
Management of service suppliers and providers relating to the operation and handling of the user workstations base
11A05-01
Is it regularly ensured that the security services allocated to suppliers or providers for the operation and handling of the user
workstations are efficiently implemented and maintained by them?
C1
10.2.1
11A05-02
Is it ensured that the service suppliers or providers for the operation and handling of the user workstations have efficiently
prepared the appropriate arrangements to ensure that the services are provided as agreed?
E2
10.2.1
11A05-03
E1
10.2.2
11A05-04
Is it ensured that the suppliers and providers report and document any security incident concerning operation and handling of the
user workstations?
E2
10.2.2
11A05-05
E2
10.2.2
11A05-06
E3
10.2.3
11B
Protection of workstations
11B01
Control of access to workstations
11B01-01
Is access to the workstation itself (even for local use) protected by a password or authentication system?
E1
11B01-02
Does the process of creation or modification of user authentication means respect a set of rules which ensures its intrinsic validity?
In the case of passwords: sufficient length (8 characters or more), mandatory mixture of types of characters, frequent change
(less than once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard
systems", first names, anagrams of username, dates etc. In the case of authentication based on cryptographic mechanisms and of
certificates: a generation process evaluated or publicly recognized, encryption keys of a sufficient length etc.
E1
11B01-03
Does the process of providing credentials for authentication (like user password) guarantee its inviolability?
The usage of a password will always be a weak point. The only process which does not divulge observable information consists
either of introducing an object containing a secret (smart card), or using a code which changes at every moment (token card type
SecureId) or providing some biometric character.
E2
11B01-04
Is the authentication process permanent (smart card)?
E2
11B01-05
If the authentication process is not permanent, must it be reinitialized after a short period of inactivity?
E2
11B01-06
Is the workstation protected against the installation of software by anyone apart from workstation administrators?
E1
11B01-07
Is there a procedure allowing an authorized administrator to access to the workstation in the event of departure or of
disappearance of its holder?
E2
11B01-08
Are the workstations protected against any use by individuals other than the incumbent (particularly if the post is left temporarily,
for more than 10 min for example)?
E2
341702815.xls ! 11 Mic
11.2.3
11.3.2
page 280

Number
1 variant
Question
Max
Min
Typ
ISO 27002
R-V1 R-V2 R-V3 R-V4

11B01-09
Is the shutdown of the access control system detected dynamically at the time of connection to the enterprise network?
R1
11B01-10
Are the procedures and services for access control subject to regular audit?
C1
11B02
Work effected off company premises
11B02-01
Have a security policy and associated recommendations relative to working off premises been established?
The recommendations and directives should cover the precautions to take working at home, when on business travel, on public
transport and should cover the protection of mobile computers, the usage of firewalls and up to date antivirus software,
connections to public or third party networks, precautions to take concerning written documents, instant message services,
telephone and conversations.
E1
9.2.5; 11.7.1;
11.7.2
11B02-02
Has it been established a security policy and recommendations relative to teleworking using remote connections to the office
network)?
The recommendations and instructions should cover the precautions and means to implement and cover the security of the
connection to the company network (reinforced authentication, VPN, etc.), possible restriction of access authorizations,
precautions concerning the use of personal workstations by individuals other than the incumbent (family, friends, etc.).
E1
11.7.2
11B02-03
Does the security policy formally forbid to carry out of the premises documents classified or carrying a value of proof?
E2
9.2.5; 11.71
11B02-04
Are personnel likely to work off site made aware of and receive training on the measures to be applied in order to protect
documents, systems and the data they contain?
These measures cover physical and logical protection against theft as well as disclosure or unauthorized access by family
members as well as by other persons.
E2
9.2.5; 11.71
11B02-05
Are the computing systems used off site only those belonging to the company and configured specifically for that purpose (in
particular if they permit an access to the internal network)?
E2
11.7.2
11B02-06
Is the configuration of computing systems used for work outside company buildings (portable computers) regularly checked?
C1
11B03
Use of personal equipment or external equipment (not owned by the organization)
11B03-01
Has an exhaustive analysis of all the work situations or professional exchanges using equipments that do not belong to the
organization?
E2
11B03-02
Has an exhaustive analysis of all the external peripheral connection possibilities to the Information Systems of the organization
(USB ports, bluetooth, etc...) ?
E2
11B03-03
Are these analyses regularly updated ?

A technological survey should be effected so as to improve knowledge of new types of devices and new vulnerabilities.
C2
11B03-04
Has it been deduced from them a security policy regarding the use of personal equipment for work purposes?
The instructions should consider the introduction and use of personal equipment such as laptops, PDAs, external disks, optical
supports, USB keys, etc.
E2
6.1.4; 11.7.2
11B03-05
Have means of control regarding the use of personal equipment been defined and implemented?
Such as specific parameters of the operating systems, filtering capabilities, etc.
E2
6.1.4
11B03-06
Are the means of control protected against untimely or illicit alteration?
R1
11B03-07
Is there a regular audit of the procedures and means of control?
C1
11C
Protection of data on the workstation

341702815.xls ! 11 Mic
page 281

Number
1 variant
Question
Max
Min
Typ
ISO 27002
R-V1 R-V2 R-V3 R-V4

11C01
Protection of the confidentiality of data on the workstation or on a data server (logical disk for the workstation)
11C01-01
Is confidential data stored encrypted, whether on the user workstation or hosted on a data server (logical disk)?
E2
11C01-02
Are all elements of the encryption process securely protected against any alteration, modification or inhibition?
E3
11C01-03
Are workstations equipped with an effective file erasing system which ensures that any file deleted (whether from a local or shared
disk) cannot be subsequently reread?
E2
11C01-04
Are workstations equipped with a true and efficient system which erases temporary files after their use (whether on a local or a
shared disk)?
E2
11C01-05
Is the process or the directives concerning file encryption extended to messages and message attachments?
E2
11C01-06
Does the process or the directives concerning file encryption extended to information residing on the address book?
E3
11C01-07
Have users received an appropriate training on file encryption and erasing systems, indicating in particular the rules to follow to
ensure that encryption is not circumvented?
E3
11C01-08
Are regular audits carried out on the usage of file encryption and erasing facilities by users?
C1
11C02
Protection of the confidentiality of data stored on removable media
11C02-01
Is confidential data stored encrypted on removable media?
E2
11C02-02
Are the elements used for the encryption process protected strongly against any illicit alteration, modification or blocking ?
E3
11C02-03
Is the encryption process applied whichever media type (external disk, USB key, PDA, etc.)?
E2
11C03
Confidentiality considerations during maintenance operations on user workstations
11C03-01
Is there a procedure which details the actions to carry out before calling maintenance to ensure that unauthorized staff do not gain
access to sensitive information which may be stored on the workstation (physical erasing of sensitive data and of temporary files,
retaining of disks etc.)?
E2
11C03-02
Is there a written procedure and a binding clause in personnel maintenance contracts stipulating that any storage media which
contained sensitive data be destroyed before disposal?
E2
11C03-03
Is there a procedure of checking for system integrity after maintenance intervention (absence of spyware, or trojans etc.)?
E2
11C03-04
Are the procedures described above obligatory in all circumstances and do any derogations require the signature of senior
management?
R2
11C03-05
Are the above procedures subject to regular audit?
C2
11C04
11.7.1; 12.3.1
9.2.6
Protection of the integrity of files stored on workstations or on data servers (logical disk for workstations)
11C04-01
Are integrity sensitive files (whether stored on workstations or hosted on a data server) write-protected and is there an integrity
control mechanism?
Such a mechanism may authorize the creation of modifiable working copies while guaranteeing the integrity of the original
E2
11C04-02
Are the components of the integrity control process security protected against any alteration, modification or inhibition?
R2
11C04-03
Is the process or the directives concerning integrity control extended to messages and message attachments?
E2
11C04-04
Is the process or the directives concerning integrity control extended to information contained in address books
E3
11C04-05
Have users undergone training on integrity control means indicating in particular the rules to respect such that integrity control
cannot be circumvented?
E2
341702815.xls ! 11 Mic
page 282

Number
1 variant
Question
Max
Min
Typ
ISO 27002
R-V1 R-V2 R-V3 R-V4

11C04-06
11C05
Are regular audits carried out on the usage of means of integrity control by users?
C2
Security of Email and Electronic Information Exchanges
11C05-01
Is there a security policy specific to emails defining precautions for use and security measures to implement?
E1
11C05-02
Does this policy state the rules concerning the use of email address out of the internal space (internet site, forum, etc...)?
It is advisable to use aliases rather than professional email address
E2
11C05-03
Does this policy impose that message sent with a high importance be systematically requesting an acknowledgement of receipt
controlled by the sender?
E2
11C05-04
Is there also a security policy attached to various other electronic exchange of information (telephonic or video conference,
cooprative work, document sharing, FTP services, instant messaging, etc.) defining the security measure and precautions to
implement?
E1
10.8.5
11C05-05
Has it been implemented an encrypted electronic messaging service?
E2
10.8.4
11C05-06
Has it been implemented a digital signature service?
E3
10.8.4
11C05-07
Is a service in charge of collection and treatment of undesirable messages?

Undesirable messages (spams, virus, false virus alerts, etc...) must be immediately sent to this service, which will estimate the
threat and put in place counter measures: specific filtering, internal warning, etc...
E3
11C05-08
Are regular audits carried out on the procedures and instructions concerning email and electronic exchanges security?
C1
11C06
Protection of documents printed on shared printers
11C06-01
Are the shared printers located in rooms with controlled access?
11C06-02
Is the access control system considered as sufficiently strong?
11C06-03
Is the access to the printer's room reserved to persons of the same service sharing the same rights?
11C06-04
Is it possible for this personnel to cancel, if necessary, a printout in the waiting list?
11C06-05
Is it possible for this personnel to destroy printed documents put on scrap in a secure way?
11C06-06
Are regular audits conducted on the protective measures for printouts from a shared printer?
11D
10.8.4
Service continuity of the work environment
11D01
Organization of user hardware maintenance
11D01-01
Is all computing hardware covered by a maintenance contract (personal computers, peripherals, etc.)?
E1
11D01-02
Are there specific maintenance contracts for all hardware requiring a high availability and for which repair or swap is required
swiftly?
E1
11D01-03
Do these maintenance contracts include specific obligation to provide an equivalent equipment?
E1
11D01-04
Do the maintenance contracts include specific obligations stipulating maximum intervention and reparation times which are
compatible with availability requirements?
E1
11D01-05
Are maintenance contracts, selection of service providers and the associated maintenance procedures regularly audited?
C1
11D02
9.2.4
Organization of user software maintenance (system, middleware and application)
11D02-01
Are there maintenance contracts for all software installed on user workstations?
E1
11D02-02
Is a technical support center available for each software supplier which guarantees rapid and qualified telephone support?
E1
341702815.xls ! 11 Mic
page 283

Number
1 variant
Question
Max
Min
Typ
ISO 27002
R-V1 R-V2 R-V3 R-V4

11D02-03
Are there specific maintenance contracts for all software requiring high availability and for which standard repair times are not
acceptable?
E1
11D02-04
Are maintenance contracts, selection of service providers and the associated procedures regularly audited?
C1
11D03
Users' configurations backup plans
11D03-01
Has it been established a backup plan including all the configuration parameters of the user workstations?
E1
10.5.1
11D03-02
Is this backup plan included into automated operational processes?
E2
10.5.1
11D03-03
Is there a regular test that the backup of the configuration parameters of the user workstations allow the effective rebuild of the
user working environment upon a new station or a complete restoring, within time limits compatible to the business requirements?
E2
10.5.1; 14.1.5
11D03-04
Are the production routines which ensure backups of user configurations protected, against illicit or undue modification, by secure
mechanisms?
R1
10.5.1
11D03-05
Are user configuration backup plans and procedures subject to regular audit?
C1
11D04
Backup plans for user data stored on data servers
11D04-01
Is all user data stored on data servers systematically backed up?
E1
10.5.1
11D04-02
Has the frequency of backups been communicated to users?
E1
10.5.1
11D04-03
Are several generations of save files available in order to guard against missing or unreadable files, by organizing, for example a
rotation of backup media?
E2
10.5.1
11D04-04
Is a complete quarterly or six-monthly backup set kept to serve as an emergency archive?
E2
10.5.1
11D04-05
Are the backup procedures, for office data stored on servers, subject to a regular audit?
C1
11D05
Backup plan for data stored on user workstations.
11D05-01
Are the users made aware and trained to backup operations for sensitive data possibly stored in their workstation?
E1
10.5.1
11D05-02
Is all user data (stored on workstations) systematically backed up (by users, at a fixed frequency or when connecting to the internal
network)?
E1
10.5.1; 11.7.1
11D05-03
Do users also have the possibility to effect a backup themselves if necessary?
E1
10.5.1
11D05-04
Are several generations of saved files available in order to guard against missing or unreadable files, by organizing, for example a
rotation of backup media?
E2
10.5.1
11D05-05
Is a complete quarterly or six-monthly backup set kept to serve as an emergency archive?
E2
10.5.1
11D05-06
Are the backup procedures for user data subject to a regular audit?
C1
11D06
Anti virus (malware, unauthorized executable code, etc.) protection for user workstations.
11D06-01
Has it been defined a policy to prevent risks of attack from malevolent codes (virus, Trojan Horse, worms, etc.) like prohibit the use
of unauthorized software, protection measures during file retrieval via external networks and reviews of installed software?
E1
11D06-02
Are user workstations equipped with a means to protect from viruses and malware?
E1
11D06-03
Is the anti virus product regularly updated?

With internet, new threats are instantaneous thus forcing to control at least every day of the existence of a corrective update
E1
11D06-04
Is there a regular and automatic analysis of all the files on the workstations?
E2
341702815.xls ! 11 Mic
10.4.1
page 284

Number
1 variant
Question
Max
Min
Typ
ISO 27002
R-V1 R-V2 R-V3 R-V4

11D06-05
Have actions to be taken by users' support team in case of an attack by malevolent code (alert, confinement measures, triggering
of a crisis management process, etc.) been defined?
E2
11D06-06
Is it possible for the users' support team to make, at any time, a complete check of the users' workstation base?
E2
11D06-07
Has it been defined a policy and protection measures to fight against unauthorized executable codes (applets, ActiveX controls,
etc.) (blocking or environment control where the codes execute, control of accessible resources by mobile codes, issuer
authentication, etc.)?
E2
11D06-08
Is the activation and update of anti-virus systems on workstations regularly audited?
C1
E1
14.1.3
E2
14.1.3
E1
14.1.3
11D07
10.4.1
10.4.2
Recovery Plans for the users' workstations
11D07-01
Have all the scenarios which may impact the users' workstation base been considered and, for each scenario, the consequences
in terms of service unavailability for users?
11D07-02
Has it been defined, to resolve each scenario identified above, a sequence of minimal services recovery in accordance with user
requirements?
The user services need to be considered qualitatively and quantitatively (percentage of the base to be reinstalled)
11D07-03
Has an activity recovery solution been defined and implemented to resolve each scenario identified above, in accordance with
user requirements?
11D07-04
Are the technical, organizational and human resources sufficient to address the organization's requirements?
E2
14.1.3
11D07-05
Are the technical, organizational and human resources educated to address the organization's requirements?
E2
14.1.3
11D07-06
Are all these solutions for the continuity of users' services related to the workstations base described in detail in Disaster Recovery
Plans including the conditions for triggering the plan, the actions to execute, the priorities, the actors to mobilize and their contact
details?
E1
14.1.3
11D07-07
E2
14.1.5
11D07-08
Are above tests able to guarantee the capacity of the recovery solution to cope, under full operational load, the minimum services
required by users?
The tests required to obtain this guarantee are preferably full scale tests of each variant of scenario, involving all users. The
results of the tests have to be registered and analyzed in order to improve the capability of the organization to answer to the
situations considered.
E2
14.1.5
11D07-09
commitment by the manufacturer or any relevant third party (distributor) to deliver the replacement hardware within fixed and
anticipated time limits as stated in the recovery plan?
E2
11D07-10
Are the existence, the pertinence and the updates of the users' workstations Recovery Plans regularly controlled?
C1
11D07-11
C1
11D08
Access management to office data and files
11D08-01
Is the list of office file formats, that are required to be accessible, kept up to date?
E1
11D08-02
Are the necessary hardware and software elements required for the access to all the types of office files put in archive available or
easily made available?
E1
11D08-03
Do the procedures of allocation and personalization of office files encryption and protection capabilities guarantee possibilities to
access the files, even if their owners are absent or have left the organization?
E2
341702815.xls ! 11 Mic
page 285

Number
1 variant
Question
Max
Min
Typ
ISO 27002
R-V1 R-V2 R-V3 R-V4

11D08-04
Are the recovery capabilities of the access or encryption keys protected against accidental or malevolent unavailability?
E2
11D08-05
Are there regular audits of the mechanisms and procedures that guarantee the continuity of access to office files?
E2
11E
11E01
Management of privileged access rights granted on user workstations (administrative rights)
11E01-01
Have profiles been defined, within users workstation operations staff, corresponding to each type of activity (assistance,
installation, maintenance, etc.)?
11E01-02
11E01-03
11E01-04
11E01-05
11E01-06
Is there a systematic process of removal of special rights at the time of departure or role change of user support operations staff?
11E01-07
11E02
E1
10.1.3; 11.2.2
E1
10.1.3
E2
10.1.3
E2
10.1.3
R1
11.2.2
E2
11.2.4
C1
11.2.4
Authentication and control of the access rights of administrators and operational personnel
11E02-01
Is the authentication of the administrator required before taking control of a user workstation?
E2
11E02-02
E2
11E02-03
E2
11E02-04
E2
11E02-05

R1
11E02-06

R1
11E02-07
Is there a regular audit of the procedures of the security parameters attached to protecting profiles and rights?
C1
11E03
Surveillance of system administrators' actions over the users' workstations
341702815.xls ! 11 Mic
page 286

Number
1 variant
Question
Max
Min
Typ
ISO 27002
R-V1 R-V2 R-V3 R-V4

11E03-01
Has a detailed analysis been carried out of the events and operations carried out with administrative rights on the users'
workstations which may potentially have an impact on system security?
11E03-02
11E03-03
11E03-04
11E03-05
manager?
11E03-06
11E03-07
11E03-08
11E03-09
E2
10.10.4
E2
10.10.4
E3
10.10.4
E3
10.10.4
E3
10.10.4
E3
10.10.4
E2
10.10.4
E2
10.10.4
C1
10.10.4
341702815.xls ! 11 Mic
2
3
2
page 287
Comments
341702815.xls ! 11 Mic
page 288
Comments
341702815.xls ! 11 Mic
page 289
Comments
341702815.xls ! 11 Mic
page 290
Comments
341702815.xls ! 11 Mic
page 291
Comments
341702815.xls ! 11 Mic
page 292
Comments
341702815.xls ! 11 Mic
page 293
Comments
341702815.xls ! 11 Mic
page 294
Comments
341702815.xls ! 11 Mic
page 295
Comments
341702815.xls ! 11 Mic
page 296
341702815.xls ! 11 Mic
page 297
341702815.xls ! 11 Mic
page 298
341702815.xls ! 11 Mic
page 299
341702815.xls ! 11 Mic
page 300
341702815.xls ! 11 Mic
page 301
341702815.xls ! 11 Mic
page 302
341702815.xls ! 11 Mic
page 303
341702815.xls ! 11 Mic
page 304
341702815.xls ! 11 Mic
page 305
Audit questionnaire: Telecommunications operations
1 variant
The architecture and operations concerning voice are often effected by a different entity than data networks
Number
12A
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
12A01
12A01-01
Is there a security policy, specifically aimed at operations personnel, related to telecommunications?

This policy should cover the requirements for the protection of information as well as the protection of physical assets and
processes and mention the forbidden behaviors
E1
12A01-02
Is telecommunication operations personnel required to sign contract clauses of adherence to that security policy (no matter their
status: permanent or temporary staff, students, etc.)?
E2
12A01-03
Do these clauses make clear that the personnel has an obligation not to tolerate any action contrary to security from other people?
E3
12A01-04

In order to achieve a formal commitment, the personnel should explicitly state that his/her signature implies having understood and
accepted the security policy
E2
12A01-05
Are these same clauses obligatory for contractors working on systems operations?
internal staff.
E2
12A01-06
Is there a mandatory and well adapted training course aimed at systems operation personnel?
12A01-07
Are the security policy compliance agreements, signed by personnel, securely kept (at least in a locked cupboard )?
R1
12A01-08
Are the security policy compliance agreements, signed by external contractors, securely kept (at least in a locked cupboard )?
R1
12A01-09
C1
12A02
9.2.1
E2
Control of the implementation of new equipments or upgrade of existing systems

Equipments for classical telephony : PABX, ...
With ToIP : call server, gateway converter to classical telephony, routers, switches
Equipments dedicated to users: telephone terminal, fax machines (often combined with printing, scanning and photocopy
capabilities , ...), tele and videoconferencing, ...
These systems may provide configuration, management, directory, billing and storage (answering machine, voice mail) services,
12A02-01
Are the decisions to change or update equipment and systems significantly subject to a control procedure (registration, planning,
formal approval, communication to all concerned individuals, etc.)?
The possible separation (physical or logical, using VLAN) of data and voice flows shall be analyzed when moving to ToIP and
revised based on the observed load changes, the same applies to interconnection capabilities between the two networks
E1
10.1.2; 10.3.1
12A02-02
Are the change decisions based on an analysis of the capacity of the new equipment and systems to ensure the required load and
take into account the evolution of foreseeable requests?
E2
10.3.1
12A02-03
Do the installations take into account physical protection?

Protected access, no direct external view on equipments, no multiple physical threats, continuity of power supply, weather
conditions, protection against thunderbolts, protection against dust, etc.
E2
9.2.1
12A02-04
Is any new or modified functionality linked to a new system or new version of a system, systematically documented before moving
into production?
12A02-05
Is such new functionality (or change in functionality), linked to a new system or new version of a system, formally and
systematically reviewed in conjunction with the IT security function?
341702815.xls ! 12 Top
E2
E2
10.3.2
page 306
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
Max
12A02-06
Does this review include an analysis of the risks that may result from the changes?
12A02-07
Have telecommunication operations staff received formal appropriate training in risk analysis?
This should include service continuity as well as confidentiality and integrity of the data and the transmissions
12A02-08
May the operation staff obtain an appropriate support specially competent on risk analysis?
12A02-09
Are the security measures, determined to counter the new identified risks, formally reviewed before implementation?
E3
10.3.2
12A02-10
Are security parameters and configuration rules (deletion of generic accounts, changing of any default passwords, blocking of
unauthorized communications ports, setting of access rights and authentication parameters, etc.) listed in detail and regularly
updated?
E3
10.3.2; 11.4.4
12A02-11
Are the security parameters and configuration rules controlled prior to any start of production of a new version?
E3
10.3.2; 11.4.4
12A02-12
Has the eventual impact of the systems' changes regarding the continuity plans been considered?
E2
10.3.2
12A02-13
Are any derogations from the prerequisite risk analysis and control of security parameters subject to strict procedures, including a
signature from senior management?
R1
12A02-14
Can the start of production of new systems and applications be only carried out by operations personnel?
E3
6.1.4; 12.4.1
12A02-15
Is the start of production of new versions of systems or applications possible by the use of a defined validation and authorization
process?
E3
6.1.4; 12.4.1
12A02-16
Are the start of production control procedures regularly audited?
C1
12A03
Min
Typ
E2
E3
E3
12A03-01
12A03-02
Are all maintenance operations required to terminate with a systematic control of physical or recorded configurations and security
parameters (as defined at time of start of production)?
E2
12A03-03
Are all maintenance operations required to terminate with a systematic control of the recording parameters for security events and
the life span of records?
E3
12A03-04
Are all maintenance operations required to terminate with a systematic control of system administration parameters (required
profile, authentication type, removal of standard logins etc.)?
E3
12A03-05
12A03-06
Is the effective implementation of these controls regularly audited?
12A04
ISO 27002
10.3.2
E2
9.2.4
E3
3
C1
Control of Remote Maintenance
12A04-01
In the case of remote maintenance, is the remote maintenance desk's access subject to a secure authentication procedure?
E2
11.4.4
12A04-02
In the case of remote maintenance, are maintenance staff subject to a secure authentication procedure?
E2
11.4.4
12A04-03
Is there a set of procedures covering the granting and revocation of access rights for remote maintenance operatives and the
granting of rights in urgent situations?
E3
11.4.4
12A04-04
Does the usage of the remote maintenance line require the prior agreement (for each usage) of telecommunication operations
personnel (upon request by the manufacturer or editor specifying the nature, date and time of the intervention)?
E3
11.4.4
12A04-05
Is the usage of the remote maintenance line under strict control ?

A strict control supposes that each use of the line, the name of the maintenance operative and the actions carried out is registered,
and that there be a subsequent audit of the appropriateness of the actions and their conformity with the rules laid down by
maintenance managers.
E2
341702815.xls ! 12 Top
page 307
1 variant
Number
Question
12A04-06
Are control procedures for remote maintenance regularly audited?
12A05
R-V1 R-V2 R-V3 R-V4
Max
Min
Typ
ISO 27002
C1
Management of Operating Procedures for Telecommunication Operation
12A05-01
Do the operating procedures result from the study of the overall cases to be covered by said procedure (normal operating cases
and incidents)?
E2
10.1.1
12A05-02
E2
10.1.1
12A05-03
Are the operating procedures readily available upon request by any accredited individual?
E2
10.1.1
12A05-04
Is the telecommunications operation Management required to approve changes to procedures ?
E2
10.1.1
12A05-05
R1
12A05-06
C1
12A06
Management of service providers relating to telecommunication
12A06-01
Is it regularly ensured that the security services allocated to suppliers or providers are efficiently implemented and maintained by
them?
C1
10.2.1
12A06-02
Is it ensured that the telecommunications service suppliers or providers have efficiently prepared the appropriate arrangements to
ensure that the services are provided as agreed?
E2
10.2.1
12A06-03
E1
10.2.2
12A06-04
Is it ensured that the suppliers and providers report and document any security incident concerning information or networks?
E2
10.2.2
12A06-05
E2
10.2.2
12A06-06
E3
10.2.3
E2
12B
12B01
12B01-01
Is an exact inventory of the equipments kept up to date by the concerned responsible persons?
Of key importance with ToIP for the move of terminal equipments and their configuration (including configured emergency call
numbers)
12B01-02
Is there a document (or a set of documents ) or an operational procedure which describes all security parameters for the
equipments and systems?
Such a document should be derived from the security policy and describe all the filtering rules decided. It should also mention the
reference to the system versions so as to check the status of the updates.
E1
12B01-03
E2
11.4.4
12B01-04
Are the system versions, fixes and parameters updated regularly in line with latest information?
with CERTs, etc.)
E2
10.7.4; 12.6.1
12B01-05
Does the resulting document or procedure impose a synchronization feature, based on a reliable time reference?
E3
10.10.6
12B01-06
R1
10.7.4
12B01-07
Is the integrity of system configurations checked, regularly (at least weekly) if not at each system start-up, against the configuration
theoretically expected?
E3
15.2.2
12B01-08
Are regular audits carried out of the compliance to the specifications for security parameters?
R1
15.2.2
12B01-09
R1
15.2.2
12B01-10
Are the development and test environments separated from the operational environments?
C1
341702815.xls ! 12 Top
page 308
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
12B01-11
Is it possible to control, each time it is needed, the compliance of the architecture and of the configurations of the equipments ?
12B02
Max
Min
Typ
R2
E1
ISO 27002
Conformity control of operational software to a reference version
12B02-01
Do the telecommunications operations manage a reference version for each equipment or system in operation (source and
executable code)?
12B02-02
Is this reference version protected against all possible illicit or untimely modification (signed media kept by a senior manager,
R1
12B02-03
Is this protection considered to be inviolable (sealing by cryptographic algorithm approved by the Information Security Officer)?
R2
12B02-04
Is the protective seal controlled automatically (otherwise it may be an authoritative signature) at each new installation?
R2
12B02-05
E2
12B02-06
Are the sealing and sealing control tools protected against any unauthorized usage?
R2
12B02-07
Does the inhibition of the automatic control of seals trigger an alarm to a manager?
E3
12B02-08
C1
Service continuity
12C
12C01
Organization of operational equipment maintenance
12C01-01
E1
12C01-02
Are there specific maintenance contracts for all hardware which require a high availability and for which the replacement must be
made within limited delays?
E2
12C01-03
Do the contracts stipulate maximum delays before intervention and compatible with the requirements of availability?
E2
12C01-04
availability?
E3
12C01-05
R1
12C01-06
Do the contracts detail specific clauses for when the hardware downtime exceeds the specific times stipulated (penalties, hardware
replacement, etc.)?
etc.)
E3
12C01-07
Do the maintenance contracts anticipate the complete replacement of equipment in the case of important damage which might not
be taken into consideration by reparative maintenance?
A special attention should be born on the confidentiality of data stored on the disk of the replaced equipments
12C01-08
12C02
9.2.4
E3
C1
Organization of software maintenance (systems and attached services)
12C02-01
Are there maintenance contracts for all acquired software products (systems software, middleware and applications)?
E1
12C02-02
Do the suppliers provide a technical software support center which guarantees a quick and competent telephone assistance?
E2
341702815.xls ! 12 Top
page 309
1 variant
Number
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
12C02-03
Are there specific maintenance contracts for software products (systems, middleware and applications) which require corrective
delays that standard maintenance cannot cover?
12C02-04
Do these contracts detail specific maximum intervention delays, compatible with the availability requirements?
E2
12C02-05
availability?
E3
12C02-06
R1
12C02-07
Do the contracts specify specific clauses when hardware downtime exceeds specific durations stipulated (penalties, replacement
of hardware, etc.)?
etc.)
E3
12C02-08
C1
12C03
ISO 27002
E2
Backup of software configurations (system, services and configuration parameters)
12C03-01
Has a backup plan been established which covers all programs and defines all objects to save and the frequency of backups?
E1
10.5.1
12C03-02
Does the plan also cover configuration parameters of the telecommunication equipments to save?
12C03-03
Is the plan implemented by automatic production routines?
E2
10.5.1
E2
12C03-04
Are there regular tests that the backup copies of configurations enable the effective restoration of the production environment at
any time?
These tests should consider all the backups (including documentation and parameters files) of legitimate elements.
10.5.1
E2
10.5.1; 14.1.5
12C03-05
Are the production routines which ensure backups protected, against illicit or undue modification, by secure mechanisms?
R1
10.5.1
12C03-06
Are regular tests made of the readability of backups?
R2
10.5.1
12C03-07
Are all software backup plans and procedures subject to regular audit?
C1
12C04
Disaster Recovery Plans
12C04-01
Have all the scenarios which may impact the telecommunications infrastructure and services been considered and, for each
scenario, the consequences in terms of service unavailability for users?
ToIP creates additional requirements for power supply continuity and ability to reconfigure of terminal equipments
12C04-02
For each scenario, and in agreement with the users, have a list and schedule of service resume been defined?
Loss of information, means to reconstruct them and temporary operational procedures must be considered.
12C04-03
Has an activity recovery solution been defined and implemented to resolve each scenario identified above, in accordance with user
requirements?
12C04-04
Are the technical, organizational and human resources sufficient to address the organization's requirements for IT continuity?
12C04-05
Are the technical, organizational and human resources educated to address the organization's requirements for continuity?
341702815.xls ! 12 Top
E1
14.1.3
E2
14.1.3
E1
14.1.3
E2
14.1.3
E2
14.1.3
page 310
1 variant
Number
R-V1 R-V2 R-V3 R-V4
Question
12C04-06
Are all these solutions described in detail in Disaster Recovery Plans including the conditions for triggering the plan, the actions to
execute, the priorities, the actors to mobilize and their contact details?
12C04-07
12C04-08
Are above tests able to guarantee that the staff capacity and the recovery systems can cope, under full operational load, the
minimum service levels required by users?
The tests required to obtain this guarantee are preferably full scale tests of each variant of scenario, involving all users. The results
of the tests have to be registered and analyzed in order to improve the capability of the organization to answer to the situations
considered.
12C04-09
Max
Min
Typ
ISO 27002
E1
14.1.3
E2
14.1.5
E2
14.1.5
commitment by the manufacturer or any relevant third party (leaser, broker, distributor) to deliver the replacement hardware within
fixed and anticipated time limits as stated in the recovery plan?
E2
12C04-10
Has the unavailability or failure of the recovery facility been considered and has a replacement solution been defined and validated
(second level recovery)?
E2
12C04-11
Has this (second level recovery) solution been validated?
E3
12C04-12
Is the recovery solution usable for an unlimited duration and, if not, has a follow on replacement solution been established?
E3
12C04-13
Are the existence, the pertinence and the updates of the services Recovery Plans regularly controlled?
C1
12C04-14
C1
12C05
12C05-01
Have the consequences of the disappearance of a supplier been analyzed (in the case of failure, a bug or change requirement)
and has a list of critical systems been established?
This is valid for hardware, software or service providers
E2
12C05-02
For all critical systems, has a corrective solution been analyzed to cope with the failure or disappearance of a supplier
(consignment of maintenance documentation or source code with a trusted third party, hardware replacement by standard market
solutions etc.)?
E2
12C05-03
Is there a guarantee that the corrective solutions could be made operational within time delays compatible with the continuity of the
business and accepted by the users?
12C05-04
Have variants to the primary solution been considered in case it might encounter unforeseen difficulties?
E3
12C05-05
Is there a regular review of critical systems and corrective solutions envisaged?
C1
12D
E2
Use of end-user telecommunication equipment
12D01
12D01-01
Has a list of the telecommunication software authorized on the users' stations been established?
This list should indicate the reference versions authorized and possibly the parameterization options
E2
12D01-02
Are these lists protected against untimely or illicit alteration by a robust sealing process?
R2
12D01-03
Are the rights provided to users preventing them to modify the specific telecommunication (telephone, audio or video conferencing,
etc. )configurations of their equipment?
E2
12D01-04
Is the conformity of the telecommunication configurations for user workstations regularly controlled relatively to the authorized
options?
C1
12D01-05
Does the inhibition of the control process trigger an alarm to a manager?
C2
12D01-06
Are the processes of control themselves subject to regular audits?
341702815.xls ! 12 Top
C1
page 311
1 variant
Number
12D02
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
12D02-01
Are the users made aware of the risks of tapping resulting from the use of telecommunication equipment and services?
E1
12D02-02
Are the users informed of risks resulting from the malevolent usage, locally or remotely, of their communication equipment?
In addition to the use of their colleagues' equipment without their knowing.
E2
12D02-03
Are the deactivation procedures explained to users at the installation or replacement time of their equipment?
E2
12D02-04
Are the control and security procedures documented?
12D02-05
Are all the users trained about these procedures?
12D03
ISO 27002
Training and awareness setting for users
E2
3
E2
Utilization of cryptographic equipment
12D03-01
Are encryption of exchanges mechanisms settable in accordance to the non-disclosure requirements established?
12D03-02
Are the encryption capabilities explained to all the staff?
12D03-03
Have the user functions requiring a protection of the telecommunication exchanges been analyzed?
E2
12D03-04
Have encryption functions been installed on all the corresponding user equipment?
E2
E2
E2
12E
12E01
Management of privileged access rights granted on equipments and systems (administrative rights)
12E01-01
Have profiles been defined, within telecommunication operations staff, corresponding to each type of activity (system
administration, administration of security equipment, system monitoring, management of data storage and backup functions etc.)?
E1
10.1.3; 11.2.2
12E01-02
12E01-03
E1
10.1.3
E2
10.1.3
12E01-04
12E01-05
12E01-06
Is there a systematic process of removal of special rights at the time of departure of telecommunication operations staff?
12E01-07
12E01-08
12E02
12E02-01
E2
10.1.3
R1
11.2.2
E2
11.2.4
Is there a systematic process of removal of special rights at the time of rle change of telecommunication operations staff?
E2
11.2.4
C1
11.2.4
Authentication and control of the access rights of administrators and operational personnel
341702815.xls ! 12 Top
E2
page 312
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
12E02-02
E2
12E02-03
E2
12E02-04

R1
12E02-05

R1
12E02-06
Is there a regular audit of the security parameters attached to protecting profiles and rights?
C1
12E03
Max
Min
Typ
ISO 27002
Surveillance of system administrators' actions over the equipments and systems
12E03-01
Has a detailed analysis been carried out of the events and operations carried out with administrative rights which may potentially
have an impact on system security (configuration of security systems, access to sensitive information, usage of sensitive tools,
download or modification of administrative tools etc.)?
12E03-02
12E03-03
12E03-04
12E03-05
manager?
12E03-06
12E03-07
12E03-08
12E03-09
E2
10.10.4
E2
10.10.4
E3
10.10.4
E3
10.10.4
E3
10.10.4
E3
10.10.4
E2
10.10.4
E2
10.10.4
C1
10.10.4
341702815.xls ! 12 Top
2
3
2
page 313
Comments
341702815.xls ! 12 Top
page 314
Comments
341702815.xls ! 12 Top
page 315
Comments
341702815.xls ! 12 Top
page 316
Comments
341702815.xls ! 12 Top
page 317
Comments
341702815.xls ! 12 Top
page 318
Comments
341702815.xls ! 12 Top
page 319
Comments
341702815.xls ! 12 Top
page 320
Comments
341702815.xls ! 12 Top
page 321
341702815.xls ! 12 Top
page 322
341702815.xls ! 12 Top
page 323
341702815.xls ! 12 Top
page 324
341702815.xls ! 12 Top
page 325
341702815.xls ! 12 Top
page 326
341702815.xls ! 12 Top
page 327
341702815.xls ! 12 Top
page 328
341702815.xls ! 12 Top
page 329
Audit Questionnaire: Management Processes

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
Protection of personal information (PPI)
13A
13A01
Policy and instructions related to PPI
13A01-01
Is there a set of legal provisions and regulations concerning the protection of personal information (PPI)?
E2
15.1.2
13A01-02
Is this set updated annually?
E2
15.1.2
13A01-03
Is there a policy and are there directives concerning PPI?
E1
15.1.4
13A01-04
Has this policy been approved by the governing bodies?
E2
15.1.4
13A01-05
Does the policy indicate that PPI must be taken into consideration in the development of projects related to information
technology?
E2
13A01-06
Do the PPI directives cover all legal obligations, including those related to collection, access, communication, use, preservation
and destruction of such information?
E2
13A01-07
Has the adequacy of the directives with respect to all the relevant laws and regulations been verified by independent audit?
E2
13A01-08
Has a manager responsible for PPI been appointed?
E2
13A01-09
Is the PPI manager known to all members of staff?
E2
13A01-10
Does the PPI policy (or the management framework) clearly define the responsibilities of the various stakeholders: the PPI
manager, Digital Information Security Manager, internal control, etc.?
E1
13A01-11
Is there a committee related to the governing bodies that is charged with developing PPI policy and with periodically studying any
related problems?
E2
13A01-12
If such a committee exists, is it composed of the PPI manager and representatives from senior management, security, audit, IT,
legal, document management, and users?
E2
13A01-13
Is the PPI policy revised regularly?
13A02
E2
PPI training and awareness program
13A02-01
Is there a PPI awareness and training program?
E1
13A02-02
Is this program approved by the PPI manager?
E2
13A02-03
Is this program offered to the staff who process information covered by the legal provisions related to PPI?
E2
13A02-04
Is this program tailored to the tasks performed?
E2
13A02-05
Does this program take into account PPI issues relating to the use of IT and telecommunications systems?
E2
13A02-06
Does this program include training or awareness of the consequences of not respecting the legal provisions relating to PPI?
E2
13A02-07
Is the level of knowledge of members of staff concerning PPI periodically evaluated by survey or other mechanism?
13A02-08
Are members of staff periodically reminded of the existence of this program by poster, or other communication?
13A02-09
Is this program revised at least every five years?
13A02-10
Is the enforcement of this program subject to a periodic audit?
13A03
E3
R1
C1
E2
Applicability of the PPI policy
13A03-01
Have the conditions necessary for implementing the PPI policy been analyzed?
13A03-02
Have the corresponding resources (technical and human) been put in place?
E2
13A03-03
Is the level of resource necessary for the application of PPI audited regularly?
E2
13A04
C1
Monitoring the implementation of the PPI policy
341702815.xls ! 13 Man
page 330
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
Max
13A04-01
Is the implementation of the PPI policy audited regularly?
C1
13A04-02
Are sanctions defined in case of nonconformity or failure to apply the policy?
E2
13A04-03
Have these sanctions been communicated to staff?
E2
13B
Min
Typ
ISO 27002
Communication of financial data

For example, the Financial Security Law (loi Mer) in France and the Sarbanes Oxley Act in the United States
13B01
Policy and instructions related to Communication of financial data
13B01-01
Is there a reference document stating the set of rules related to the collection, treatment and presentation of results leading to
Communication of financial data?
E3
13B01-02
Is this reference document updated annually?
E2
13B01-03
Is there a policy and are there precise directives concerning Communication of financial data?
E1
13B01-04
13B01-05
Does the policy concerning Communication of financial data encompass all the legal requirements in that matter?
13B01-06
Has the upper management conducted an evaluation of the effectiveness of internal control regarding the procedures and controls
ensuring that financial statements are produced in line with external regulations?
13B01-07
Has the quality evaluation document been evaluated and approved by financial auditors?
This approval implies that the auditors must obtain all the necessary elements in time for them to control
13B01-08
Has the upper management certified the efficiency of the procedures and controls implemented to ensure the veracity of financial
statements?
E2
13B01-09
Is there an audit commission charged with choosing external auditors, fixing their remuneration levels and supervising their
activities?
E2
13B01-10
Are the members of the audit commission totally independent?

i.e. they do not exercise any operational authority within the company, are not affiliated to any person exercising authority within
the company and receive no remuneration apart from that related to their function on the audit commission
E3
13B01-11
Does the application of this frame of reference enable all information published to be traced back?
This includes the capacity to trace back the chain of treatments so as to identify the original data (references to the facts,
accounting data entries, ... ) and the decisions related to the origin of the information
C1
13B01-12
Has a manager responsible for Communication of financial data been appointed?
E2
13B01-13
Does the policy concerning Communication of financial data (or its management framework) clearly establish the responsibilities of
each of the contributors?
E1
13B01-14
Is there a committee related to the governing bodies that is charged with developing the Communication of financial data policy
and with periodically studying any related problems?
E2
13B01-15
Is the Communication of financial data policy revised regularly?
13B02
E2
3
E2
E2
E2
E2
Communication of financial data training and awareness program
13B02-01
Is there a Communication of financial data awareness and training program?
E1
13B02-02
Is this program approved by the manager responsible or in charge of the Communication of financial data?
E2
13B02-03
Is this program available to the staff who process information covered by the legal provisions related to Communication of financial
data?
E2
13B02-04
E2
341702815.xls ! 13 Man
page 331
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
13B02-05
Does this program take into account Communication of financial data issues relating to the use of IT and telecommunications
systems?
P
4
Max
Min
Typ
E2
13B02-06
Does this program include training or awareness of the consequences of not respecting the legal provisions relating to
Communication of financial data?
E2
13B02-07
Is the level of knowledge of members of staff concerning the Communication of financial data periodically evaluated by survey or
other mechanism?
E3
13B02-09
R1
13B02-10
C1
13B03
Applicability of the Communication of financial data policy
13B03-01
Have the conditions necessary for implementing the Communication of financial data policy been analyzed?
13B03-02
E2
13B03-03
Is the level of resource necessary for the application of Communication of financial data audited regularly?
E2
13B04
C1
Monitoring the implementation of the Communication of financial data policy
13B04-01
Is the implementation of the Communication of financial data policy audited regularly?
C1
13B04-02
E2
13B04-03
E2
13C
ISO 27002
Respect of regulations concerning the verification of computerized accounting (VCA)
13C01
Preservation of accounting data and treatments
13C01-01
Is there a list of the types of recordings to preserve and of the procedures and protections to apply until their end of life?
This list should consider media like : paper, microfiches, files and their protection during the requested retention durations.
13C01-02
Are the basic accounting data preserved in compliance with the VCA regulations?
The elementary data are individual, not yet aggregated, data considered since their origin, for example: historic files of movements
(orders, bills, stocks...), written evidences, statements, permanent data, operations of files' updates...
E2
13C01-03
Are files which contain long term or reference information (accounting schemas, client files, suppliers, tariffs,
products) kept in compliance with the VCA?
E2
13C01-04
Are operational procedures kept in compliance with VCA regulations?
E2
13C01-05
Are operational systems which have a direct or indirect link with the accounting system kept in compliance with
VCA regulations?
E2
13C01-06
Are all accounting applications and applications which feed the accounting system, via intermediate or interface
files, kept?
E2
13C01-07
Are analytical or budgetary applications used to determine expenses and incomes kept?
E3
13C01-08
Are constraints related to the migration of systems and applications respected ?

In the case of migrations, the company must be able to supply either copies of the history of each data file or the
tools and processes used for converting existing data files towards the new system. It is not therefore necessary to
retain a working version of the old system.
C1
E2
13C02
Documentation of accounting data, procedures and treatments
341702815.xls ! 13 Man
page 332

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
13C02-01
Is an inventory of applications and documentation likely to be checked as parts of a VCA audit kept up-to-date?
E2
13C02-02
Is a complete documentation maintained which lists all IT accounting systems required?

The documentation must contain evidence elements such as: an analysis of the information systems organization,
an inventory and description of hardware used, the overall architectural concept, functional specifications,
computerized applications and treatments (description of processing chains, of data and transactions, of source
code used), maintenance, configuration, user documentation, operation documentation, internal control
procedures, archiving plans.
E2
13C02-03
Is this documentation preserved as required by the regulation (either on paper or electronically)?
E2
13C02-04
Is this documentation updated using a precise system of follow up of documents version numbers?
E2
13C02-05
Is the source code of programs related to VCA accessible?
E2
13C02-06
Are all documents, data and transactions, subject to legal control, preserved and accessible in the host country
itself?
E2
13C02-07
Is the retention plan for data and information, including documentation, compliant with the rules in force (duration
and nature of support media)?
E2
13C02-08
Do IT contracts with third parties contain a specific legal clause taking into account VCA regulations such as the availability of
source code, documentation and technical assistance in the case of a VCA audit?
Such third parties include outsourcing, software editors, suppliers, etc.
E2
13C02-09
Does the documentation, issued from application developments and updates, comply to VCA regulation (for all
applications within the scope of VCA regulations)?
E2
13C02-10
In the case of company acquisitions is there a clause which guarantees the respect of obligations related to VCA?
E2
13C02-11
Is there a control procedure related to VCA elements covering backup plan, operations technical documents, data,
processing, version of the saved elements, etc. ?
C1
13C03
Verification of computerized accounting data training and awareness program
13C03-01
Is there a VCA awareness and training program?
E1
13C03-02
Is this program approved by the VCA manager?
E2
13C03-03
Is this program offered to the staff who process information covered by the legal provisions related to VCA?
E2
13C03-04
E2
13C03-05
Does this program take into account VCA issues relating to the use of IT and telecommunications systems?
E2
13C03-06
Does this program include training or awareness of the consequences of not respecting the legal provisions relating to VCA?
E2
13C03-07
Is the level of knowledge of members of staff concerning VCA periodically evaluated by survey or other mechanism?
E3
13C03-09
R1
13C03-10
C1
13C04
Applicability of the VCA policy
13C04-01
Have the conditions necessary for implementing the VCA policy been analyzed?
13C04-02
E2
13C04-03
Is the level of resource necessary for the application of VCA audited regularly?
E2
C1
13C05
13C05-01
ISO 27002
C1
Monitoring the implementation of the VCA policy

Is the implementation of the VCA policy audited regularly?
341702815.xls ! 13 Man
page 333

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Max
13C05-02
E2
13C05-03
E2
13D
Question
Min
Typ
ISO 27002
Protection of intellectual property rights (IPR)
13D01
Policy and instructions relative to the Protection of intellectual property rights
13D01-01
Is there a collection of all applicable legal and regulatory rules and measures regarding the protection of intellectual property
rights?
E2
13D01-02
Is this collection revised every year?
E2
13D01-03
Is there a policy and are there precise directives concerning intellectual property rights?
13D01-04
Are these directives explicitly forbidding the use of software without a proper license and limitation of copies of software,
commercial recordings (video, audio) and documents ?
13D01-05
13D01-06
Does the policy concerning the protection of intellectual property rights encompass all the legal requirements in that matter?
E2
13D01-07
E2
13D01-08
Has a manager responsible for IPR been appointed?
E2
13D01-09
Is the IPR responsible manager known to all members of staff?
E2
13D01-10
Does the IPR policy (or the management framework) clearly define the responsibilities of the various stakeholders?
E1
13D01-11
Is there a committee related to the governing bodies that is charged with developing IPR directions and with periodically studying
any related problems?
E2
13D01-12
Is the IPR policy revised regularly?
13D02
E1
2
E2
E2
E2
Intellectual property rights training and awareness program
13D02-01
Is there an IPR awareness and training program?
E1
13D02-02
Is this program approved by the IPR manager or respondent?
E2
13D02-03
Is this program offered to the staff concerned?
E2
13D02-04
Does this program take into account IPR issues relating to the use of IT and telecommunications systems?
E2
13D02-05
Does this program include training or awareness of the consequences of not respecting the legal provisions relating to IPR?
E2
13D02-06
Is the level of knowledge of members of staff concerning IPR periodically evaluated by survey or other mechanism?
E3
13D02-07
R1
13D02-08
C1
13D03
Applicability of the intellectual property rights policy
13D03-01
Have the conditions necessary for implementing the IPR policy been analyzed?
13D03-02
E2
13D03-03
Is the level of resource necessary for the application of IPR audited regularly?
E2
13D04
Monitoring the implementation of the intellectual property rights policy
C1
13D04-01
Is the implementation of the IPR policy audited regularly?
C1
13D04-02
E2
13D04-03
E2
341702815.xls ! 13 Man
page 334

Number
13E
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
ISO 27002
Protection of computerized systems
13E01
Policy and instructions relative to the Protection of computerized systems
13E01-01
Is there a collection of all applicable legal and regulatory rules and measures regarding the protection of computerized systems?
E2
13E01-02
E2
13E01-03
Is there a policy and are there precise directives concerning the protection of computerized systems?
E1
13E01-04
13E01-05
Does the policy concerning the protection of computerized systems encompass all the legal requirements in that matter?
E2
13E01-06
E2
13E01-07
Has a manager responsible for the protection of computerized systems been appointed?
E2
13E01-08
Is the protection of computerized systems responsible manager known to all members of staff?
E2
13E01-09
Does the protection of computerized systems policy (or the management framework) clearly define the responsibilities of the
various stakeholders?
E1
13E01-10
Is there a committee related to the governing bodies that is charged with developing directions for the protection of computerized
systems and with periodically studying any related problems?
E2
13E01-11
Is the protection of computerized systems policy revised regularly?
13E02
E2
E2
Protection of computerized systems training and awareness program
13E02-01
Is there a protection of computerized systems awareness and training program?
E1
13E02-02
Is this program approved by the protection of computerized systems manager or respondent?
E2
13E02-03
E2
13E02-04
Does this program include training or awareness of the consequences of not respecting the legal provisions relating to the
protection of computerized systems?
E2
13E02-05
Is the level of knowledge of members of staff concerning the protection of computerized systems periodically evaluated by survey
or other mechanism?
E3
13E02-06
R1
13E02-07
C1
13E03
Applicability of the protection of computerized systems policy
13E03-01
Have the conditions necessary for implementing the protection of computerized systems policy been analyzed?
13E03-02
E2
13E03-03
Is the level of resource necessary for the application of the protection of computerized systems audited regularly?
E2
13E04
C1
Monitoring the implementation of the protection of computerized systems policy
13E04-01
Is the implementation of the protection of computerized systems policy audited regularly?
C1
13E04-02
E2
13E04-03
E2
13F
Human safety and protection of the environment
13F01
13F01-01
Policy and instructions relative to Human safety and protection of the environment
Is there a collection of all applicable legal and regulatory rules and measures relative to the human safety and protection of the
environment?
341702815.xls ! 13 Man
E2
page 335
1 variant
R-V1 R-V2 R-V3 R-V4
Number
Question
13F01-02
E2
13F01-03
Is there a policy and are there precise directives relative to the human safety and protection of the environment?
E1
13F01-05
13F01-06
Does the policy relative to the human safety and protection of the environment encompass all the legal requirements in that
matter?
E2
13F01-07
E2
13F01-08
Has a manager responsible for human safety and protection of the environment been appointed?
E2
13F01-09
Is the responsible manager relative to the human safety and protection of the environment known to all members of staff?
E2
13F01-10
Does the policy (or the management framework) relative to human safety and protection of the environment clearly define the
responsibilities of the various stakeholders?
E1
13F01-11
Is there a committee related to the governing bodies that is charged with developing directions for relative to the human safety and
protection of the environment and with periodically studying any related problems?
E2
13F01-12
Is the policy relative to the human safety and protection of the environment revised regularly?
13F02
Max
Min
Typ
E2
E2
Human safety and protection of the environment training and awareness program
13F02-01
Is there a Human safety and protection of the environment awareness and training program?
E1
13F02-02
Is this program approved by the Human safety and protection of the environment manager or respondent?
E2
13F02-03
E2
13F02-04
Does this program include training or awareness of the consequences of not respecting the legal provisions relating to the Human
safety and protection of the environment?
E2
13F02-05
Is the level of knowledge of members of staff concerning the Human safety and protection of the environment periodically
evaluated by survey or other mechanism?
E3
13F02-06
R1
13F02-07
C1
13F03
Applicability of the Human safety and protection of the environment policy
13F03-01
Have the conditions necessary for implementing the Human safety and protection of the environment policy been analyzed?
13F03-02
E2
13F03-03
Is the level of resource necessary for the application of the Human safety and protection of the environment audited regularly?
E2
13F04
C1
Monitoring the implementation of the Human safety and protection of the environment policy
13F04-01
Is the implementation of the Human safety and protection of the environment policy audited regularly?
C1
13F04-02
E2
13F04-03
E2
13G
ISO 27002
Rules related to the use of encryption
13G01
Policy and instructions relative to the use of encryption
13G01-01
Is there a collection of all applicable legal and regulatory rules and measures regarding the use of encryption?
E2
13G01-02
E2
13G01-03
Is there a policy and are there precise directives concerning the use of encryption?
E1
341702815.xls ! 13 Man
page 336

Number
1 variant
R-V1 R-V2 R-V3 R-V4
Question
Max
Min
Typ
13G01-04
13G01-05
Does the policy concerning the use of encryption encompass all the legal requirements in that matter?
E2
13G01-06
E2
13G02
Use of encryption training and awareness program
13G02-01
Is there a use of encryption awareness and training program?
E1
13G02-02
E2
13G03
ISO 27002
E2
Monitoring the implementation of the use of encryption policy
13G03-01
Is the implementation of the use of encryption policy audited regularly?
C1
13G03-02
E2
13G03-03
E2
341702815.xls ! 13 Man
page 337
Comments
341702815.xls ! 13 Man
page 338
Comments
341702815.xls ! 13 Man
page 339
Comments
341702815.xls ! 13 Man
page 340
Comments
341702815.xls ! 13 Man
page 341
Comments
341702815.xls ! 13 Man
page 342
Comments
341702815.xls ! 13 Man
page 343
Comments
341702815.xls ! 13 Man
page 344
Comments
341702815.xls ! 13 Man
page 345
341702815.xls ! 13 Man
page 346
341702815.xls ! 13 Man
page 347
341702815.xls ! 13 Man
page 348
341702815.xls ! 13 Man
page 349
341702815.xls ! 13 Man
page 350
341702815.xls ! 13 Man
page 351
341702815.xls ! 13 Man
page 352
341702815.xls ! 13 Man
page 353
Audit questionnaire : Information Security management
1 variant
This questionnaire controls whether the organisation realises effectively a continuous process of management and reduction of the
risks also called ISMS .
It is recommanded to integrate this questionnaire into MEHARI complete process of risk treatment, preferrably associated
together with domain 01 (Organisation), which corresponds to the management responsibility and audits parts of the standard.
Number
14A
Question
R-V1 R-V2 R-V3 R-V4
Max
Min
Comments
Establish the management system
14A01
Define the boundaries of the ISMS
14A01-01
Are the boundaries and scope of the ISMS resulting from a preliminary study of the expectations of the top management and the
stakeholders?
14A01-02
Do the boundaries contain the processes and assets of vital value for the organization?
They should specify the sites, organizational units and business activities as well as external interfaces.
Any exclusions from the scope must be documented and justified.
14A02
Define the ISMS policy
14A02-01
Does the ISMS policy result from a preliminary study of the expectations of the stakeholders?
14A02-02
Does this policy state clearly and precisely the commitments of the management relative to information security?
14A02-03
Does this policy take into account the requirements of the organization towards criteria such as Availability, Integrity and non
disclosure?
14A02-04
Does this policy take into account legal and regulatory requirements?
14A02-05
Does this policy take into account the commitment to use precise evaluation of risks?
14A02-06
Have clear risk reduction and management objectives been established?
14A02-07
Has this policy been approved by the top management of the organization?
14A02-08
Has the management of the organization reserved the necessary resources and funding over the long term?
14A03
Define the risk assessment approach and associated metrics
14A03-01
Has a risk assessment method that fits to the requirements of the organization been selected?
14A03-02
Does the method permit to analyze the information security requirements for each asset in accordance to the business, laws and
regulations?
14A03-03
Does the method permit to classify the feared dysfunctions on a scale applicable to the entire organization?
14A03-04
Does the method provide precise metrics allowing a rational and reproducible risk assessment?
The seriousness of each risk being classified within a previously defined scale.
14A04
Identification of the risks
14A04-01
Does this risk analysis method used allow to identify the supporting assets attached to each operational process and to each
primary asset?
14A04-02
Does the method permit to identify the threats and their consequences relative to the security objectives ( e.g. Availability, integrity,
Confidentiality)?
14A04-03
Does the method permit to identify, in a precise way, the vulnerabilities according to the security measures in place?
14A04-04
Does the method permit to describe finely the scenarios that may exploit the threats and vulnerabilities?
14A04-05
Does the method permit to identify the impacts on the activity for each scenario (through a precise criteria and asset)?
14A04-06
Does the method permit to identify the links between each asset and the owners of data and processes?
14A05
Analysis and evaluation of the risks
341702815.xls ! 14 ISM
page 354
14A05-01
Does the risk analysis method permit to assess the levels of risk reduction resulting from the security measures in place or
planned?
14A05-02
Does the method provide the elements allowing to assess the likelihood of each risk scenario?
14A05-03
Does the method permit to reduce the likelihood of the scenarios resulting from the current (and planned) security measures (or
controls)?
14A05-04
Is it possible to adapt the likelihood levels resulting from changes in the organization?
14A05-05
Is the risk seriousness level clearly related to the impact and likelihood values for each scenario ?
14A05-06
Does the method provide the elements allowing to classify the seriousness level for each risk scenario?
His level should be used to determine whether each risk is acceptable or require further treatment
14A06
Selection of risk treatment options
14A06-01
Does the method permit to figure out the risk treatment options appropriate for the organization ?
Based on the possible options (Accept, Avoid, Transfer or Reduce lye risk) and the criteria of acceptance already established.
14A06-02
Does the method permit to analyze the risk acceptance criteria for each scenario?
14A07
Selection of the measures (controls) for risk reduction
14A07-01
Does the organization have at its disposal the elements allowing to select the most efficient security measures required?
The method used must permit to propose improvement directions for each risk situation and to optimize the selection based on the
objectives and constraints of the organization.
14A07-02
Does the method permit to identify the residual risks after treatment of these risks?
14A07-03
14A08
Are the residual risks, either after treatment or acceptance, presented to the management for validation?
Selection of the security measures in accordance to the statement of applicability (SOA)
14A08-01
Is a list of decisions and security measures applicable to the organization formally established?
14A08-02
Does the statement of applicability describe the security measures already in place?
14A08-03
Are the security measures excluded or differed documented and justified?
14B
Implement the management system
14B01
Formulation of a risk treatment plan
14B01-01
Has a risk treatment plan been established?
14B01-02
Does this plan identify the actions to be taken including the appropriate resources, responsibilities, deadlines, and priorities?
14B01-03
Has this plan been validated by senior management?
2
1
14B02
Implementation of the risk treatment plan
14B02-01
Has this risk treatment plan been put in place?
14B02-02
Does the implementation cover the entire risk treatment plan?
14B02-03
Does the implementation effectively cover all the goals and security measures that were defined during the establishment phase
(risk assessment) of the Information Security Management System (ISMS)?
14B02-04
Does this plan define goals for achieving the measures decided (dates, level of risk reduction achieved)?
14B02-05
Is this plan monitored regularly by senior management?
14B03
Selection and implementation of ISMS indicators
14B03-01
Have evaluation methods been defined for effectiveness of the selected measures (indicator, audit, etc)?
14B03-02
Has the manner in which the results of these evaluations will be interpreted been defined (scale, maximum or minimum
thresholds, quality of service objective, etc)?
14B03-03
Are these evaluations comparable and reproducible?
341702815.xls ! 14 ISM
page 355
14B03-04
Have the evaluation methods been validated by senior management?
14B03-05
Have these evaluations been implemented?
14B03-06
Are these evaluations monitored regularly by senior management?
14B04
Implementation of training and awareness plan
14B04-01
Has a program of training and awareness raising been implemented for the various security staff within the organization?
14B04-02
Is this program based on an analysis of the security skills and competences required by the various actors of the organization?
14B05-03
Has this program been effectively implemented?
14B04-04
Is the effectiveness of the program evaluated through an analysis of its results?
14B04-05
Is the documentation associated with this program stored and used?
For example, yearly programs, attendance records and participant evaluations, course content, skills acquired, etc.
14B05
14B05-01
14C
Incident detection and response

Have procedures and measures been implemented to enable rapid detection and response to security incidents?
Monitor the management system
14C01
Monitoring execution of the security procedures and measures
14C01-01
Has the organization put in place procedures for review and monitoring of the ISMS?
14C01-02
Are these procedures intended to rapidly detect anomalies in the output of data processing?
14C01-03
Do these procedures enable rapid identification of security failures and incidents?
14C01-04
Do these procedures enable the responsible managers to determine whether the procedures or delegated security measures have
been carried out in conformance with the system?
14C01-05
Are there indicators in place that enable detection or prevention of security incidents?
14C01-06
Are reviews of the efficiency and application of the ISMS regularly planned and carried out?
14C01-07
Do the conclusions of these reviews take into account the experiences and suggestions of the parties concerned?
14C02
3
2
Steering the audit program
14C02-01
Do the implementation of the organization requirements of the ISMS, and the implementation of various action plans, fall within the
scope of the Audit program?
For example, concerning organization requirements: risk enumeration from a risk analysis, Information Security Policy or
documented ISMS plan, etc.
Concerning the various action plans: the actions agreed upon following a risk analysis, the implementation of an Information
Security Policy, or other audits.
14C02-02
Are all audits findings presented to management for review?
14C02-03
Are all audit findings the subject of a proposal for risk reduction presented to management?
14C02-04
Is the audit program monitored by a set of indicators presented during management reviews?
14C03
Review of risks and security measures
14C03-01
Are risk evaluation reviews regularly conducted?
14C03-02
Do these risk evaluation reviews enable validation of the effectiveness of the security measures put in place?
Such measures may be organizational or technical.
14C03-03
Do these reviews lead to revision of the security plans whenever this is necessary?
14C03-04
Are the boundaries and goals of the security management policy reviewed regularly?
14C03-05
Does the planning for these reviews take account of changes in the information security environment?
For example, changes in the organization, technology, threats, procedures, requirements of activities, and regulations.
14C03-06
Is a structured record kept of observations and of significant security incidents?
341702815.xls ! 14 ISM
page 356
14C03-07
14D
At least once year, is there a management review of the ISMS, covering all aspects of ISMS steering (results of risk analysis,
dashboards, audit results, etc.), enabling management to make decisions about the ISMS implementation policy (evolution of the
Information Security Policy, ISMS scope, audit program, requirements to be taken into account, resources assigned, etc.)?
Improve the management system
14D01
Continuous improvement
14D01-01
Have already identified improvements to the ISMS been implemented?
14D01-02
Does senior management review these actions?
14D01-03
Are the results of these actions recorded in a log?
14D01-04
Has an analysis been carried out to confirm that the actions lead to an improvement in the effectiveness of the ISMS?
14D02
Actions to correct nonconformities
14D02-01
Are nonconformities in the application of the ISMS identified regularly?

Concerning the security policies, the processes and procedures
14D02-02
Are the necessary corrective actions planned?
14D02-03
Have the causes of the nonconformities been identified?
14D02-04
Has a plan covering all the corrective actions been formulated?
14D02-05
Have the corrective actions been implemented?
14D02-06
Have measures been taken to prevent non-conformities from reoccurring?
14D02-07
Have the results of the corrective actions been recorded for later review?
14D02-08
Has an analysis been made to confirm that the corrective actions effectively reduce the nonconformities?
14D03
Actions to prevent nonconformities
14D03-01
Have potential nonconformities been identified?
14D03-02
Have the causes of the potential nonconformities been identified?
14D03-03
Have preventative actions been determined?
14D03-04
Have these preventative actions been implemented?
14D03-05
Have the results of the implemented preventative actions been recorded in a log?
14D03-06
14D04
Has an analysis been carried out to confirm that the preventative actions avoided nonconformities?
Communication to stakeholders
14D04-01
Are the corrective actions and improvements communicated to all the parties concerned?
The communication must be sufficiently precise and detailed..
14D04-02
Is agreement obtained from all relevant parties concerning the improvement actions?
14E
Documentation
14E01
Documentation management
14E01-01
Is there a procedure describing how System Management documentation must be managed?
14E01-02
Is a named person responsible for application of this procedure?
14E01-03
Does the procedure indicate that every document must have an owner?
14E01-04
Is this procedure distributed widely to all the relevant services?
14E02
Document approval
14E02-01
Is the approval procedure for each document defined?
14E02-02
Is the physical location of the approved documents clearly defined?

For example, a shared folder on a server.
14E03
14E03-01
Updates
Are the people authorized to update the documents clearly identified?
341702815.xls ! 14 ISM
page 357
14E03-02
14E04
Is it clearly stated that all updates must be approved?
Document naming and versioning management
14E04-01
Is there a consistent numbering scheme for the documents that takes into account various versions?
14E04-02
Are all modifications summarized in a document history section?
14E05
Documentation disposal
14E05-01
Is there a document classification scheme that defines the level of access rights for different users?
14E05-02
Is there a mechanism in place for publishing information according to the users' access rights?
14E06
Withdrawing of obsolete documents
14E06-01
Is the procedure for withdrawing obsolete documents described?
14E06-02
Is the implementation of this procedure regularly checked by the responsible managers?
341702815.xls ! 14 ISM
page 358
341702815.xls ! 14 ISM
page 359
341702815.xls ! 14 ISM
page 360
341702815.xls ! 14 ISM
page 361
341702815.xls ! 14 ISM
page 362
341702815.xls ! 14 ISM
page 363
341702815.xls ! 14 ISM
page 364
341702815.xls ! 14 ISM
page 365
341702815.xls ! 14 ISM
page 366
341702815.xls ! 14 ISM
page 367
341702815.xls ! 14 ISM
page 368
SECURITY SERVICES & SUB-SERVICES

DOMAINS
Objective values to be handled (if 1):
SERVICES
SUB-SERVICES
Theme
01 Organization of security
01A
V1
A1
01A02 Organization and piloting of Information Systems security
A1
01A03 General reporting system and incident management system
A1
01A04 Organization of audits and audit program
A1
01A05 Crisis management related to information security
A1
A2
01B02 General directives related to information protection
A2
01B03 Classification of resources
A2
01B04 Asset management
A2
01B05 Protection of assets having value of evidence
A2
V4
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
01C01 Staff involvement, contractual clauses
A2
01C02 Management of strategic personnel, partners and providers
A2
01C03 Staff screening procedure
A2
01C04 Awareness and training in security
A2
01C05 Third Parties Management (partners, suppliers, clients, public, etc.)
A2
01C06 People Registration
A2
01D
V3
Fin
01B01 Obligations and responsibilities of personnel and management
01C
V2
Obj
01A01 Organization and piloting of general security
01B
Min
Insurance
01D01 Insurance against property (or material) damages
A1
01D02 Insurance of consequential losses (non-material damages)
A1
01D03 Personal Liability Insurance (PLI)
A1
01D04 Insurance against loss of Key Personnel
A1
01D05 Management of insurance contracts
A1
01E
1.0
1.0
1.0
1.0
1.0
1.0
Business continuity
01E01 Taking into account the need for business continuity
F1
1.0
1.0
01E02 Business continuity Plans
F1
1.0
1.0
01E03 Workplace Recovery Plans (WRP)
F1
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
02 Sites security
02A
V1
02A01 Management of access rights to the site or building
B1
02A02 Management of access authorizations granted to the site or the building
B1
02A03 Access control to the site or the building
B1
02A04 Intrusion detection to the site or the building
B1
02A05 Access to the loading and unloading areas (goods receipt and consignment) or to areas open to
public
B1
02B
V4
B2
02C01 Partitioning of office areas into protected zones
B1
02C02 Physical access control to the protected office zones
B1
02C03 Management of access authorizations to protected office area
B1
02C04 Detection of intrusions into protected office areas
B1
02C05 Monitoring of protected office areas
B1
02C06 Control of movement of visitors and occasional service providers required to work in the offices
B1
02D
V3
02B01 Analysis of Miscellaneous Environmental Risks

02C
V2
02D01 Conservation and protection of important commonly used documents
E3
02D02 Protection of documents and removable support media
E3
02D03 Paper-bin collection and destruction of documents
E3
02D04 Security of post mail
E3
02D05 Security of faxes (traditional)
E3
02D06 Conservation and protection of important documents (to be preserved during a long period)
E3
02D07 Management of archived documents
E3
03 Security of Premises
03A
V1
V3
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
V4
General Maintenance
03A01 Quality of energy supply
B2
03A02 Continuity of energy supply
B2
03A03 Air conditioning security
B2
03A04 Quality of cabling
B2
03A05 Lightning protection
B2
03A06 Dependability of service equipment
B2
03B
V2
1.0
03B01 Access rights management to sensitive locations
B1
1.0
1.0
03B02 Management of access authorizations granted to sensitive locations
B1
1.0
1.0
03B03 Access control to sensitive locations
B1
1.0
1.0
03B04 Intruder detection in sensitive locations
B1
1.0
1.0
03B05 Perimeter monitoring (surveillance of entry points and surroundings of sensitive locations)
B1
1.0
1.0
03B06 Surveillance of sensitive locations
B1
1.0
1.0
03B07 Cabling access control
B1
1.0
1.0
03B08 Location of sensible premises.
B1
1.0
1.0
03C01 Prevention of risk of water damage
B2
1.0
1.0
03C02 Detection of water damage
B2
1.0
1.0
03C03 Water evacuation
B2
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
03C
03D
Fire security
03D01 Fire risk prevention
B2
03D02 Fire detection
B2
03D03 Fire extinguishing
B2
04 Extended Network (intersite)

04A
V1
V2
V3
V4
04A01 Functional security of the extended network architecture
C1
04A02 Management of extended network equipment maintenance
F3
04A03 Procedures and Business Contingency Planning following incidents on the extended network
E1
04A04 Backup plan of extended network configurations
F2
04A05 Business Contingency Planning (BCP) of the Extended Network
F1
04A06 Management of critical suppliers as regards a permanent maintenance service
F3
04B
D1
04B02 Authentication of the entity for an incoming access from the extended network
D1
04B03 Authentication of the entity accessed for an outgoing access across the extended network
04C02 Integrity control of exchanges on the extended network
C2
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
04D01 Real-time monitoring of the extended network
H1
04D02 Offline analysis of traces, log files and event journals on the extended network
H1
04D03 Management of incidents on the extended network
H1
05 Local Area Network (LAN)
V1
V2
V3
V4
05A01 Partitioning of the local area network into security domains
C1
05A02 Security of the functioning of the local area network architecture
C1
05A03 Organization of the maintenance of local area network equipment
F3
05A04 Procedures and Recovery Plans following incidents on the local area network
E1
05A05 Save and Restore plans of local area network configurations
F2
05A06 Save and Restore plans of local area network configurations
F1
05A07 Management of critical suppliers as regards a permanent maintenance service
F3
05B
1.0

C2
05A
1.0
D1
04C01 Encryption of exchanges on the extended network
04D
1.0
04B01 Security profiles for entities connected to the extended network
04C
1.0
05B01 Management of access profiles on the local area network
D1
05B02 Management of privileges and access authorizations (granting, delegation, revocation)
D1
05B03 User or entity authentication for access requests to the local area network from an internal access
point
This mechanism corresponds, for example, to the authentication implemented in a Windows
domain controller.
D1
05B04 User or requestor authentication before access to the local area network from a remote site via
the extended network
D1
05B05 User or requestor authentication for outside access to the local area network
D1
05B06 User or requestor authentication for access requests to the local area network from a WiFi subnetwork
D1
05B07 General filtering of access to the local area network
D1
05B08 Routing control of outgoing access
D1
05B09 Authentication of the external entity accessed for outgoing access to sensitive sites
05C
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0

C2
05C02 Integrity control of exchanges on the local area network
C2
05C03 Encryption of exchanges in the case of remote access to the local area network
C2
05C04 Protection of the integrity of exchanges in the case of remote access to the local area network
C2
05D01 Real-time monitoring of the local area network
H1
05D02 Offline analysis of traces, log files and event journals on the local area network
H1
05D03 Management of incidents on the local area network
H1
06 Network operations
06A
1.0
D1
05C01 Encryption of exchanges on the local area network

Encryption can be effected at layer 3 (IPSEC VPN) or at level 4-5 (SSL) or directly effected by the
application (level 6-7, for example encryption before or during transmission), case really treated
by domain 09.
It could be systematic on the "pipeline" (physical or logical) or limited only to certain data flows (as
a function of address or type, etc.) it can also be performed on intermediate systems (VPN boxes)
or end systems (stations, server) or both.
05D
1.0
V1
V2
V3
V4
06A01 Security in the relationship with operational personnel (employees, suppliers or service providers)
E1
06A02 Control of the implementation or upgrade of software or hardware
E1
06A03 Control of maintenance operations
E1
06A04 Control of Remote Maintenance
E1
06A05 Management of Operating Procedures for Network Operation
E1
06A06 Management of service providers relating to networks
E1
06A07 Taking into account the confidentiality during maintenance operations on network equipment.
E1
06A08 Contract Management of Network Services
E1
06B
06B02 Control of the network access configurations of user equipment
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
E1
E1
06C01 Control of special access rights to network equipment
D1
06C02 Authentication of administrators and operational personnel
D1
06C03 Surveillance of administrative actions on the network
H1
06C04 Control of networking operational tools and utilities

06D
1.0
06B01 Network equipment customizing and compliance control of configurations
06C
1.0
E1
06D01 Audit Control Operation

I1
06D02 Protection of Tools and Audit Results
I1
07 Security and architecture of systems

07A
V1
D1
07A02 Management of access authorizations and privileges (granting, delegation, revocation)
D1
07A03 Authentication of the access requestor (user or entity)
D1
07A04 Access filtering and management of associations
D1
07A05 Authentication of the server for access to sensitive servers
D1
V4
07B01 Control of access to residual data

O7C
V3
07A01 Management of access profiles (rights and privileges granted by functional profile)
07B
V2
D1
07C01 Recording access to sensitive resources

07C02 Recording privileged system calls
07D
H1
07D02 Isolation of Sensitive Systems
C1
08 IT Production environment
1.0
1.0
1.0
V1
V2
V3
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
V4
08A01 Consideration of security in relation with operational personnel (permanent and temporary staff)
E1
08A02 Control of the operational tools and utilities
E1
08A03 Acceptance control of systems introduction or modification

Systems here include operating systems, applications and associated middleware
E1
E1
08A05 Confidentiality considerations during maintenance of the production systems
D2
08A06 Control of remote maintenance
E1
08A07 Protection of sensitive printed documents and reports
E3
08A08 Management of Operating Procedures for IT production
E1
08A09 Management of service suppliers and providers relating to IT operations
E1
08B01 Conformity control of systems parameters and configurations
E1
08B02 Conformity control of operational software configurations (including packages)
E1
08B03
E1
08C
1.0
C1
08B
1.0
H1
07D01 Service continuity of the architecture and of its components
08A
1.0

08C01 Management of storage media
E2
08C02 Labeling of storage media (live, backups and archives)
E2
08C03 Physical security of media kept on site
E2
08C04 Physical security of storage media (kept in an external site)
E2
08C05 Verification and turnover of archive storage media
E2
08C06 Security of storage networks (SAN : Storage Area Network and NAS)
08C07 Physical Security of Transiting Medias
08D
E2
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
E2
Service continuity
08D01 Organization of hardware maintenance (for operational equipment)
F3
08D02 Organization of software maintenance (systems, middleware and applications)
F3
08D03 Application recovery procedures and plans following incidents during operation
E1
08D04 Backup of software configurations (system, applications and configuration parameters)
F2
08D05 Backup of application data
F2
1.0
08D06 Disaster Recovery Planning for IT operations
F1
08D07 Anti virus protection for production servers
D2
08D08 Management of critical systems (regarding maintenance continuity)
F3
08D09 Off site emergency (recourse) backups
F2
08D10 Maintaining user accounts
E1
3.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
08E
3.0
3.0
3.0
1.0
1.0
08E01 Online detection and treatment of IT related abnormal events and incidents
H1
1.0
1.0
08E02 Offline management of traces, logs and event journals
H1
1.0
1.0
08E03 Management of system and application incidents
H1
1.0
1.0
08F01 Control of administrative access rights granted on systems
D1
1.0
1.0
08F02 Authentication of administrators and operational personnel
D1
1.0
1.0
08F03 Surveillance of system administrators' actions
H1
1.0
1.0
I1
1.0
1.0
I1
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
08F
08G
08G01 Operation of Audit Control

08G02 Protection of Tools and Audit Results
08H
08H01 Organization of the management for IT archives
E2
08H02 IT Archives access management
E2
08H03 Management of IT archive safety
E2
09 Application security
V1
V2
V3
V4
09A
09A01 Management of application data access profiles
D1
1.0
1.0
09A02 Management of access authorizations to application data (granting, delegation, revocation)
D1
1.0
1.0
09A03 Authentication of the access requestor
D1
1.0
1.0
09A04 Access filtering and management of associations
D1
1.0
1.0
09A05 Authentication of the application for access to sensitive applications
D1
1.0
1.0
09B01 Sealing of sensitive data
D2
1.0
1.0
09B02 Protection of integrity of exchanged data
D2
1.0
1.0
09B03 Control of data entry
D2
1.0
1.0
09B04 Permanent checks (accuracy, etc) relating to data
D2
1.0
1.0
09B05 Continuous (plausibility, ) checks on data processing
D2
1.0
1.0
09C01 Encryption of data exchanges
D2
1.0
1.0
09C02 Encryption of stored data
D2
1.0
1.0
09C03 Anti electromagnetic radiation protection
D2
1.0
1.0
09D01 Very high security recording
D2
1.0
1.0
09D02 Management of access to data files
D2
1.0
09E01 Hardware reconfiguration
C1
1.0
1.0
09E02 Application service continuity plans
F1
1.0
1.0
09E03 Management of critical applications (with regard to maintenance continuity)
F3
1.0
1.0
09F01 Proof of origin, electronic signature
D2
1.0
1.0
09F02 Prevention of message duplication and replay (numbering, sequencing)
D2
1.0
1.0
09F03 Acknowledgements of receipt
D2
1.0
1.0
H1
1.0
1.0
D2
1.0
1.0
09B
09C
09D
09E
09F
09G
Data availability
09H01 Security of the e-commerce Sites
10 Security of application projects and developments

10A
3.0
Service continuity
09G01 Detection of application anomalies

09H
3.0
V1
V2
V3
V4
10A01 Consideration of security in application development
G1
1.0
1.0
10A02 Change management
G1
1.0
1.0
10A03 Externalization of software development
G1
1.0
1.0
10A04 Organization of application maintenance
G1
1.0
1.0
10A05 Modification of software packages
G1
1.0
1.0
10B01 Ensuring security in the organization of application developments
G1
1.0
1.0
10B02 Ensuring confidentiality in application developments
G1
1.0
1.0
10B03 Security within Internal Processing of Applications
G1
1.0
1.0
10B04 Protection of Data during tests
G1
1.0
1.0
10B05 Security of application maintenance
G1
1.0
1.0
10B06 Hot Maintenance
G1
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
10B
11 Protection of users' work equipment

11A
V1
E1
11A02 Control of the compliance of user configurations
E1
11A03 Control of software and software package licenses
E1
11A04 Conformity control of the reference programs (source and executable) for user software
E1
11A05 Management of service suppliers and providers relating to the operation and handling of the user
workstations base
E1
D2
11B02 Work effected off company premises
D2
11B03 Use of personal equipment or external equipment (not owned by the organization)
D2
11C01 Protection of the confidentiality of data on the workstation or on a data server (logical disk for the
workstation)
D2
11C02 Protection of the confidentiality of data stored on removable media
D2
11C03 Confidentiality considerations during maintenance operations on user workstations
D2
11C04 Protection of the integrity of files stored on workstations or on data servers (logical disk for
workstations)
D2
11C05 Security of Email and Electronic Information Exchanges
D2
11C06 Protection of documents printed on shared printers
D2
11D
V4
11B01 Control of access to workstations
11C
V3
11A01 Control of the installation of new software or system versions on the users' equipment
11B
V2
11D01 Organization of user hardware maintenance
F3
11D02 Organization of user software maintenance (system, middleware and application)
F3
11D03 Users' configurations backup plans
F2
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
F3
1.0
1.0
F3
1.0
1.0
11D04 Backup plans for user data stored on data servers
F2
11D05 Backup plan for data stored on user workstations.
F2
11D06 Anti virus (malware, unauthorized executable code, etc.) protection for user workstations.
D2
11D07 Recovery Plans for the users' workstations
F2
11D08 Access management to office data and files
F2
11E
11E01 Management of privileged access rights granted on user workstations (administrative rights)
D1
11E02 Authentication and control of the access rights of administrators and operational personnel
D1
11E03 Surveillance of system administrators' actions over the users' workstations
H1
12 Telecommunications operations
12A
V1
V4
E1
12A02 Control of the implementation of new equipments or upgrade of existing systems

Equipments for classical telephony : PABX, ...
Equipments dedicated to users: telephone terminal, fax machines (often combined with printing,
scanning and photocopy capabilities , ...), tele and videoconferencing, ...
These systems may provide configuration, management, directory, billing and storage (answering
machine, voice mail) services,
E1
E1
E1
12A05 Management of Operating Procedures for Telecommunication Operation
E1
12A06 Management of service providers relating to telecommunication
E1
12B01 Network equipment customizing and compliance control of configurations
E1
12B02 Conformity control of operational software to a reference version
E1
12C
V3
12B
V2
Service continuity
12C01 Organization of operational equipment maintenance

12C02 Organization of software maintenance (systems and attached services)
12C03 Backup of software configurations (system, services and configuration parameters)
F2
1.0
1.0
12C04 Disaster Recovery Plans
F1
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
12C05 Management of critical systems (regarding maintenance continuity)

F3
12D
12D01 Control of the compliance of user configurations

12D02 Training and awareness setting for users
12D03 Utilization of cryptographic equipment
12E
E1
A2
C2
12E01 Management of privileged access rights granted on equipments and systems (administrative
rights)
D1
D1
12E03 Surveillance of system administrators' actions over the equipments and systems
H1
13 Management processes
13A
V1
V2
V3
V4
13A01 Policy and instructions related to PPI
A2
13A02 PPI training and awareness program
A2
13A03 Applicability of the PPI policy
A1
13A04 Monitoring the implementation of the PPI policy
A1
13B

For example, the Financial Security Law (loi Mer) in France and the Sarbanes Oxley Act in the United States
13B01 Policy and instructions related to Communication of financial data
A2
13B02 Communication of financial data training and awareness program
A2
13B03 Applicability of the Communication of financial data policy
A1
13B04 Monitoring the implementation of the Communication of financial data policy
A1
13C
13C01 Preservation of accounting data and treatments
A2
13C02 Documentation of accounting data, procedures and treatments
A2
13C03 Verification of computerized accounting data training and awareness program
A2
13C04 Applicability of the VCA policy
A1
13C05 Monitoring the implementation of the VCA policy
A1
1.0
13D
13D01 Policy and instructions relative to the Protection of intellectual property rights
1.0
A2
13D02 Intellectual property rights training and awareness program
A2
13D03 Applicability of the intellectual property rights policy
A1
13D04 Monitoring the implementation of the intellectual property rights policy
A1
13E
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
13E01 Policy and instructions relative to the Protection of computerized systems
A2
1.0
1.0
13E02 Protection of computerized systems training and awareness program
A2
1.0
1.0
13E03 Applicability of the protection of computerized systems policy
A1
1.0
1.0
13E04 Monitoring the implementation of the protection of computerized systems policy
A1
1.0
1.0
13F01 Policy and instructions relative to Human safety and protection of the environment
A2
1.0
1.0
13F02 Human safety and protection of the environment training and awareness program
A2
1.0
1.0
13F03 Applicability of the Human safety and protection of the environment policy
A1
1.0
1.0
13F04 Monitoring the implementation of the Human safety and protection of the environment policy
A1
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
13F
13G
13G01 Policy and instructions relative to the use of encryption
A2
13G02 Use of encryption training and awareness program
A2
13G03 Monitoring the implementation of the use of encryption policy
A1
14 Information security management

14A
V1
V2
V3
V4
14A01 Define the boundaries of the ISMS

14A02 Define the ISMS policy
14A03 Define the risk assessment approach and associated metrics
14A04 Identification of the risks
14A05 Analysis and evaluation of the risks
14A06 Selection of risk treatment options
14A07 Selection of the measures (controls) for risk reduction
14A08 Selection of the security measures in accordance to the statement of applicability (SOA)
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
14E01 Documentation management
1.0
1.0
14E02 Document approval
1.0
1.0
14E03 Updates
1.0
1.0
14E04 Document naming and versioning management
1.0
1.0
14E05 Documentation disposal
1.0
1.0
14E06 Withdrawing of obsolete documents
1.0
1.0
14B
14B01 Formulation of a risk treatment plan

14B02 Implementation of the risk treatment plan
14B03 Selection and implementation of ISMS indicators
14B04 Implementation of training and awareness plan
14B05 Incident detection and response
14C
14C01 Monitoring execution of the security procedures and measures

14C02 Steering the audit program
14C03 Review of risks and security measures
14D
14D01 Continuous improvement

14D02 Actions to correct nonconformities
14D03 Actions to prevent nonconformities
14D04 Communication to stakeholders
14E
Documentation
MEHARI Security themes

N Name
Referenced Services
A1 Roles and organization

A2 Security awareness and training,
Human resources management
B1 Physical access control (sites,
buildings and premises)
B2 Miscellaneous Risks
C1 Networks and Systems Architecture
01A, 01D
01B, 01C, 12D02
C2 Control of the exchanges

D1 Logical access control
04C, 05C, 12D03

04B, 05B, 06C01, 06C02, 07A, 07B, 08F01, 08F02, 09A, 11E01, 11E02,
12E01, 12E02
08A05, 08D07, 09B, 09C, 09D, 09F, 09H, 11B, 11C, 11D06
04A02, 04A03, 05A03, 05A04, 06A, 06B, 06C04, 08A01 08A04, 08A06,
O8A08, 08A09, 08B, 08D03, 08D10, 11A, 12A, 12B, 12D01
08C, 08H
02D, 08A07
D2 Security of data
E1 Operational procedures
E2 Management of data containers
E3 Protection of documents and written
information
F1 Recovery Plans
F2 Backups
02A, 02C, 03B

02B, 03A, 03C, 03D
04A01, 05A01, 05A02, 07D, 09E01
01E, 04A05, 05A06, 08D06, 09E02, 09E04, 12C04

04A04, 05A05, 08D04, 08D05, 08D09, 11D03, 11D04, 11D05, 11D07, 12C03
F3 Maintenance
04A02, 04A06, 05A03, 05A07, 08D01, 08D02, 08D08, 09E03, 11D01, 11D02,
12C01, 12C02, 12C05
G1
H1
I1
J1
K1
10A, 10B
04D, 05D, 06C03, 07C, 08E, 08F03, 09G, 11E03, 12E03
06D, 08G
Projects and developments

Incident management
Audit management
Compliance management
Information security management
system
341702815.xls ! Themes
13
14
383
Dcembre 2006
ISO 27002
ISO 27002 : 2005 Correspondance and scoring

Questions or services used for scoring
Score
5 Security policy
5.1
Information security policy

5.1.1
Information security policy document
5.1.2
Review of the information security policy
01A02-01
01A02-02
0.0
0.0
Internal organization
6.1.1
Management committment to information security
01A02-09
6.1.2
6.1.3
Information security co-ordination

Allocation of information security responsibilities
01A02-03:05
01A02-06:07
0.0
0.0
6.1.4
Authorization process for information processing facilities
06A02-13:14;08A03-14:15;11B03-04:05;12A02-14:15
6.1.5
6.1.6
6.1.7
Confidentiality agreements
Contact with authorities
Contact with special interest groups
01C01-01:05
01A02-10
01A02-11
6.1.8
Independent review of information security
01A02-13
6 Organizing information security

6.1
6.2
0.0
0.0
0.0
0.0
0.0
0.0
External parties
6.2.1
Identification of risks related to external parties
01C05-01
6.2.2
6.2.3
01C05-02
01C05-04:05
0.0
0.0
0.0
01B04-01:02
01B04-03
01B04-04
0.0
0.0
0.0
01B03-03;01B03-10
01B02-04;01B03-02
0.0
0.0
01C03-01
01C03-02:04
01C01-01:02
0.0
0.0
0.0
Addressing security when dealing with customers

Addressing security in third party agreements
7 Asset management
7.1
7.2
Responsibility for asset

7.1.1
Inventory of assets
7.1.2
Ownership of assets
7.1.3
Acceptable use of assets
Information classification
7.2.1
Classification guidelines
7.2.2
Information labeling and handling
8 Human resources security

8.1
8.2
Prior to employement
8.1.1
Roles and responsibilities
8.1.2
Screening
8.1.3
Terms and conditions of employment
During employement
341702815.xls ! ISO 27002
384
Dcembre 2006
ISO 27002
8.3
8.2.1
Management responsiblities
8.2.2
Information security awareness, education and training
8.2.3
Disciplinary process
Termination or change of employment
8.3.1
Termination responsibilities
8.3.2
Return of assets
8.3.3
Removal of access rights
01C01-06
01C04-01:05
01B01-07
0.0
0.0
0.0
01B01-09
01B04-05
01B01-10
0.0
0.0
0.0
02A03-01:02;02A03-06;02A04-01
02C06-01:04;03B01-01;03B01-07;03B03-01
0.0
0.0
0.0
9 Physical and environmental security

9.1
9.2
Secure areas
9.1.1
Physical security perimeter
9.1.2
Physical entry controls
9.1.3
9.1.4
Securing offices, rooms and facilities

Protecting against external and environmental threats
03B08-01:03
02B01-01:04;03C01-01;03C02-01:03;03D01-01;03D02-01;03D0306
9.1.5
Working in secure areas
03B02-08;03B03-01;03B06-01
9.1.6
Public access, delivery and loading areas
Equipment security
9.2.1
Equipment siting and protection
9.2.2
Supporting utilities
9.2.3
Cabling security
9.2.4
Equipment maintenance
9.2.5
9.2.6
9.2.7
Security of equipment off-premises

Secure disposal or re-use of equipment
Removal of property
02A05-01:03
06A02-03;08A01-01;08A03-03;12A01-01;12A02-03
03A01-01:03;03A02-01:02;03A03-01;03A03-03
03A04-01:04
04A02-01;05A03-01;06A03-01;06A07-01:02;08A04-01;08A0501:02;08D01-01;11D01-01;12A03-01;12C01-01
11B02-01;11B02-03
06A07-01;08A05-01:02;08C01-05;11C03-01
01B04-06
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
10 Communications and operations management

10.1 Operational procedures and responsibilities
10.1.1
Documented operating procedures
06A05-01:04;08A08-01:04;12A05-01:04
10.1.2
Change management
06A02-01;08A03-01;11A01-01;12A02-01
10.1.3
Segregation of duties
06C01-03:06;08F01-01:04;11E01-01:04;12E01-01:04
10.1.4
Separation of development, test, and operational facilities
06B01-07:09
0.0
0.0
0.0
0.0
10.2 Third party service delivery agreement

10.2.1
Service delivery
06A06-01:02;08A09-01:02;11A05-01:02;12A06-01:02
10.2.2
Monitoring and review of third party services
06A06-03:05;08A09-03:05;11A05-03:05;12A06-03:05
10.2.3
Managing changes to third party services
06A06-06;08A09-06;11A05-06;12A06-06
0.0
0.0
0.0
10.3 System planning and acceptance

341702815.xls ! ISO 27002
385
Dcembre 2006
ISO 27002
10.3.1
Capacity management
06A02-02;08A03-02;11A01-01;12A02-01:02
0.0
10.3.2
System acceptance
06A02-04:05;06A02-08:11;08A03-05:06;08A03-09:12;11A0104:06;12A02-05:06;12A02-09:12
0.0
10.4 Protection against malicious and mobile code

10.4.1
Controls against malicious code
08D07-01:02;11D06-01;11D06-05
10.4.2
Controls against mobile code
11D06-07
0.0
0.0
Information back-up
04A04-01:07;05A05-01:07;08D04-01:07;08D05-01:13;11D0301:04;11D04-01:04;11D05-01:05;12C03-01:06
0.0
10.5 Back-up
10.5.1
10.6 Network security management

10.6.1
Network controls
06C01-03:04;06C03-01:02
10.6.2
Security of network services
06A08-01:03
0.0
0.0
10.7 Media handling

10.7.1
Management of removable media
02D02-01;08C01-01:05;08C03-11
10.7.2
Disposal of media
07B01-08;08C01-04
10.7.3
Information handling procedures
01B02-03:07
10.7.4
Security of system documentation
08B01-03;08B01-05;08B02-04:05;12B01-04;12B01-06
0.0
0.0
0.0
0.0
10.8 Exchange of information

10.8.1
Information exchange policies and procedures
01B02-03:05;01B02-07:08
10.8.2
Exchange agreements
01C05-03
10.8.3
Physical media in transit
08C04-03;08C07-01
10.8.4
Electronic messaging
11C05-01;11C05-05:06
10.8.5
Business information systems
11C05-04
0.0
0.0
0.0
0.0
0.0
09H01-01
09H01-02
09H01-03
0.0
0.0
0.0
04D02-01:02;05D02-01:02;07C01-05:07;07C02-05:07
0.0
04D01-01:03;04D01-08;05D01-01:03;05D01-08;07C0101:02;07C02-01:02
0.0
10.9 Electronic commerce services

10.9.1 Electronic commerce
10.9.2 On-line transactions
10.9.3 Publicly available information
10.10 Monitoring
10.10.1 Audit logging
10.10.2 Monitoring system use
10.10.3 Protection of log information
04D01-09;04D02-06;04D02-08:09;05D01-09;05D02-06;05D0208:09;07C01-07:08;07C02-07:08
10.10.4 Administrator and operator logs
06C03-01:07;08F03-01:07;11E03-01:09;12E03-01:09
10.10.5 Fault logging
04D03-01:05;05D03-01:05
341702815.xls ! ISO 27002
386
0.0
0.0
0.0
Dcembre 2006
ISO 27002
10.10.6 CPrek synchronization
06B01-03;08B01-04;12B01-05
0.0
02C01-01;05B01-01;06C01-01;07A01-01;09A01-01
0.0
0.0
11 Access control
11.1 Business requirement for access control
11.1.1
Access control policy
11.2 User access management

11.2.1
11.2.2
User registration
Privilege management
01C06-01:06
05B01-02;05B02-03;06C01-03;06C01-07;07A01-02;07A0203;08F01-01;08F01-05;09A01-02;09A02-03;11E01-01;11E0105;12E01-01;12E01-05
11.2.3
User password management
05B03-02;07A03-02;09A03-02;11B01-02
0.0
0.0
11.2.4
Review of user access rights
05B01-08;05B02-04:05;05B02-07;06C01-08:09;06C02-07;07A0108;07A02-04:05;07A02-08;08F01-06:07;08F02-06;09A0108;09A02-04:05;09A02-08;11E01-06:07;12E01-06:08
0.0
01B01-02
01B01-03;11B01-08
01B02-07
0.0
0.0
0.0
01B02-05
01B02-01:02;05B05-01:03;05B08-01:03
0.0
0.0
0.0
11.3 User responsibilities

11.3.1 Password use
11.3.2 Unattended user equipment
11.3.3 Clear desk and clear screen policy
11.4 Network access control
11.4.1 Policy on use of network services
11.4.2 User authentication for external connections
11.4.3
11.4.4
Equipment identification in networks

Remote diagnostic and configuration port protection
05B07-08
06A02-09:10;06A04-01:03;06A04-05;08A06-01:03;08A0605;08B01-02;12A02-10:11;12A04-01:04;12B01-03
11.4.5
Segregation in networks
01B02-02;05A01-02:06
11.4.6
Network connection control
04B01-05:06;05A01-06;05A01-08
11.4.7
Network routing control
04B01-14;05A01-12
0.0
0.0
0.0
0.0
11.5 Operating system access control

11.5.1
11.5.2
Secure log-on procedures

User identification and authentication
07A03-03:07
07A04-01:04;09A04-01:04
11.5.3
Password management system
07A03-01:09;09A03-01:08
11.5.4
Use of system utilities
08A02-03:07
11.5.5
Session time-out
07A04-06;09A04-06
11.5.6
Limitation of connection time
07A01-04:05;09A01-04;09A04-05
0.0
0.0
0.0
0.0
0.0
0.0
11.6 Information and application access control

11.6.1
Information access restriction
09A01-02;09A02-01:02;09A04-01:02;09A04-07
11.6.2
Sensitive system isolation
07D02-01:03
341702815.xls ! ISO 27002
387
0.0
0.0
Dcembre 2006
ISO 27002
11.7 Mobile computing and teleworking
11.7.1
11.7.2
Mobile computing and communications

Teleworking
01B02-08;11C01-01;11B02-01;11B02-03;11D05-01
11B02-01:02;11B02-04;11B03-04
0.0
0.0
12 Information systems acquisition, development and maintenance

12.1 Security requirements of information systems
12.1.1
Security requirements analysis and specification
12.2 Correct Identification of applicable legislation
12.2.1 Input data validation

12.2.2 Control of internal processing
12.2.3 Message integrity
12.2.4 Output data validation
12.3 Cryptographic controls
12.3.1 Policy on the use of cryptographic controls
12.3.2
Key management
10A01-01:03
0.0
09B03-01:06;09B03-08;09B04-01;09B05-01
10B03-01:04
09B02-01:03
09B04-01;09B05-01
0.0
0.0
0.0
0.0
04C01-01;05C01-01;05C03-01;08C06-05;09C01-01;09C0201;09F01-01;11C01-01
0.0
04C01-03;05C01-03;05C03-03;08D03-10;09C01-03;09C0205;09F01-04
0.0
12.4 Security of system files

12.4.1
Control of operational software
06A02-04:05;06A02-13:14;08A03-04:06;08A03-13:15;08B0301;10B01-03;11A04-01;12A02-14:15
12.4.2
12.4.3
Protection of system test data

Access control to program source code
10B04-01:05
10B02-04
0.0
0.0
0.0
12.5 Security in development and support process

12.5.1
Change control procedures
08A03-03:04;10A02-01:03
12.5.2
10A02-05:07
12.5.3
Technical review of applications after operating system

changes
Retrictions of changes to software packages
12.5.4
Information leakage
10A01-04
12.5.5
Outsourced software development
10A03-01:05
0.0
0.0
0.0
0.0
0.0
08B01-03;08B02-04;12B01-04
0.0
10A05-01:04
12.6 Technical vulnerability management

12.6.1
Control of technical vulnerabilities
13 Information security incident management

13.1 Reporting information security events and weaknesses
13.1.1
Reporting information security events
01A02-12;01A03-01:04
13.1.2
Reporting security weaknesses
01C04-06
0.0
0.0
01A02-12;01A03-04;04D03-08;05D03-08;08E03-08
01A03-05
0.0
0.0
13.2 Management of information security events and improvement

13.2.1
13.2.2
Responsibilities and procedures

Learning from information security incidents
341702815.xls ! ISO 27002
388
Dcembre 2006
ISO 27002
13.2.3
Collection of evidences
01A03-06;02D06-01:02;08H01-04
0.0
14 Business continuity management

14.1 Information security aspects of business continuity management
14.1.1
Including information security in the business continuity

management process
01E01-03
14.1.2
14.1.3
Business continuity and risk assessment

Developing and implementing continuity plans including
information security
01E01-01:02
01E02-01:05;04A05-01:03;05A06-01:03;08D06-01:06;09E0201:07;11D07-01:06;12C04-01:06
14.1.4
Business continuity planning framework
09E02-07
0.0
0.0
14.1.5
Testing, maintaining and re-assessing business continuity

plans
01E02-08:11;04A05-04:05;05A06-04:05;08D04-05;08D0509;08D06-07:08;09E02-09;10A02-07;11D03-03;11D0707:08;12C03-04;12C04-07:08
0.0
0.0
0.0
15 Compliance
15.1 Compliance with legal requirements
15.1.1
Identification of applicable legislation
01B02-10
15.1.2
Intellectual property rights
11A03-01:03;13D01-01:10;13D02-01:04;13D04-01
15.1.3
Protection of organizational records
01B02-09;08H01-04:06
15.1.4
Data protection and privacy of personal information
13A01-01:06;13A02-01:04;13A04-01
15.1.5
Prevention of misuse of information processing facilities
01B01-05;01C05-05;13E01-01:06;13E02-01:03;13E04-01
15.1.6
Regulation of cryptographic controls
13G01-01:06;13G02-01:02;13G03-01
0.0
0.0
0.0
0.0
0.0
0.0
15.2 Compliance with security policies and standards and technical compliance
15.2.1
Compliance with security policies and standards
01B01-12
15.2.2
Technical compliance checking
05B07-10;06B01-06:08;08B01-06:08;08B02-06:08;11A0205:06;12B01-07:09
15.3 Information systems audit considerations

15.3.1
Information systems audit controls
06D01-01:04;08G01-01:04
15.3.2
Protection of Information systems audit controls
06D01-05;06D02-01:03;08G02-01:03
341702815.xls ! ISO 27002
389
0.0
0.0
0.0
0.0
Dcembre 2006
Table of events : types of events and natural exposure

Family type
Code
type
Absence of personnel due to an

accident
AB.P
Absence or unavailability of service,

due to an accident
Environmental serious accident
AB.S
AC.E
Event description
Code
Absence of personnel from partner
AB.P.Pep
Absence of internal personnel
AB.P.Per
Absence of service : Air conditioning
AB.S.Cli
Absence of service : Power supply
AB.S.Ene
Absence of service : Impossibility to have access to the premises
AB.S.Loc
Absence or impossibility of application software maintenance
AB.S.Maa
Absence or impossibility of information system maintenance
AB.S.Mas
Lightning
AC.E.Fou
Fire
AC.E.Inc
Flooding
AC.E.Ino
Equipment breakdown
AC.M.Equ
Accessory equipment breakdown
AC.M.Ser
AV.P.Gre
Hardware accident
AC.M
Voluntary absence of personnel
AV.P
Social conflict with strike
Conceptual error
ER.L
Software blocking or malfunction due to a design or programming error (in-house

ER.L.Lin
software)
Hardware error or behavioral error by

personnel
Incident due to environment
Logical or functional incident
Malevolent action (logical or

functional)
Malevolent action (physical)
Non compliance to procedures
ER.P
IC.E
IF.L
MA.L
MA.P
PR.N
Lost or forgotten document or media
ER.P.Peo
Error of operation or non compliance of a procedure
ER.P.Pro
Typing or data entry error
ER.P.Prs
Damage due to ageing (of equipment)
IC.E.Age
Water damage
IC.E.De
Pollution damage
IC.E.Pol
Electrical boosting or over load
IC.E.Se
Production incident
IF.L.Exp
Software blocking or malfunction (information system or software package)
IF.L.Lsp
Saturation due to an external cause (worm)
IF.L.Ver
Virus
IF.L.Vir
Deliberate blocking of accounts
MA.L.Blo
Deliberate erasure or massive pollution of system configurations
MA.L.Cfg
Deliberate erasure of files, data bases or media
MA.L.Del
Electromagnetic pick up
MA.L.Ele
Deliberate corruption of data or functions
MA.L.Fal
Forging of messages or data
MA.L.Fau
Fraudulent replay of transaction
MA.L.Rej
Deliberate saturation of IT equipments or networks
MA.L.Sam
Deliberate total erasure of files and backups
MA.L.Tot
Diversion of files or data (tele-load or copy)
MA.L.Vol
Tampering or falsification of equipment
MA.P.Fal
Terrorism
MA.P.Ter
Vandalism or hooliganism
MA.P.Van
Theft of physical asset
MA.P.Vol
Inadequate procedures
PR.N.Api
Procedures not applied due to lack of resource or means
PR.N.Naa
Procedures not applied due to ignorance
PR.N.Nam
Procedures not applied deliberately
PR.N.Nav
Natural
exposure
(standard
CLUSIF)
Natural
exposure
(decided)
Natural
exposure
(resulting)
Selection
2
2
3
2
2
3
1
1
1
Comments
Reference Base of scenarios

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Actor
Type
Sub
Type
Place Time
IF.L
Exp
Exp
ER.P
Pro
Exp
Ain
Ual
Access Process
Loss of data used by applications
D01-A
File
erasure
File
erasure
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
Uai
D01
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
Una
F01-ER1
D01
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
F01-ER1
D01
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
F01-EM1
D01
File
erasure
Fic.eff
MA.L
Del
Exp
Ain
Ual
F01-EM1
D01
File
erasure
MA.L
Del
Exp
Ain
Uai
F01-EM1
D01
File
erasure
MA.L
Del
Exp
Ain
Una
F01-EM1
D01
File
erasure
Fic.eff
MA.L
Del
Exp
Ain
F01-EM1
D01
File
erasure
Fic.eff
MA.L
Del
Exp
Ain
F01-EM1
D01
File
erasure
MA.L
Del
Exp
Atm
Tie
F01-EM3
D01
File
erasure
MA.L
Tot
Atm
F01-PA1
D01
File
Pollution
Fic.pol
ER.P
Pro
Mal
F01-PA1
D01
File
Pollution
Fic.pol
ER.P
Pro
Mac
F01-PA1
D01
File
Pollution
IF.L
Exp
File
Pollution
MA.L
Fal
Exp
Uai
F01-PM1
D01
F01-EA1
D01
F01-ER1
D01
F01-ER1
D01
F01-ER1
Fic.eff
Fic.eff
Fic.eff
Fic.eff
Fic.eff
Fic.eff
Fic.pol
Fic.pol
Ain

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
File
THREAT
Type of
damage
Circumstances
Event
Code
Pollution
Actor
Type
Sub
Type
MA.L
Fal
Ain
Exp
Una
Place Time
Access Process
F01-PM1
D01
F01-PM1
D01
File
Pollution
Fic.pol
MA.L
Fal
Ain
Exp
F01-PM1
D01
File
Pollution
Fic.pol
MA.L
Fal
Ain
Exp
F02-AC1
D01
Media
Destruction
AC.E
Inc
Exp
F02-AC1
D01
Media
Destruction
AC.E
Ino
Exp
F02-AC1
D01
Media
Destruction
Med.des AC.E
Inc
Md.
F02-AC1
D01
Media
Destruction
Med.des AC.E
Ino
Md.
F03-AC1
D01
Media
disappearance
ER.P
Peo
Md.
F03-AC1
D01
Media
disappearance
Med.dis ER.P
Peo
Exp
F03-MA1
D01
Media
disappearance
MA.P
Vol
Exp
Pna
F03-MA1
D01
Media
disappearance
Med.dis MA.P
Vol
Exp
F03-MA1
D01
Media
disappearance
Med.dis MA.P
Vol
Exp
Pse
F03-MA1
D01
Media
disappearance
Med.dis MA.P
Vol
Md.
Pna
F03-MA1
D01
Media
disappearance
Med.dis MA.P
Vol
Md.
F03-MA1
D01
Media
disappearance
Med.dis MA.P
Vol
Md.
Pse
Media
inoperability
AC.M
Equ
Exp
F04-AC1
D01
F04-AC1
D01
IC.E
De
Exp
Fic.pol
Med.des
Med.des
Med.dis
Med.dis
Med.ine
Media
inoperability
Med.ine

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
F04-AC1
D01
F04-AC1
D01
F04-AC1
D01
F04-AC1
D01
F05-ER
D01
F05-MA
D01
THREAT
Type of
damage
Media
inoperability
Media
inoperability
Circumstances
Event
Code
Med.ine
Actor
Type
Sub
Type
Place Time
IC.E
Se
Exp
IF.L
Exp
Exp
IC.E
Pol
Md.
IC.E
De
Md.
ER.P
Pro
MA.P
Vol
IF.L
Vir
Exp
ER.P
Pro
Exp
Ain
Ual
ER.P
Pro
Exp
Ain
Uai
Access Process
Med.ine
Media
inoperability
Media
inoperability
Access
means
Access
means
disappearance
Med.ine
Med.ine
Cle.dis
disappearance
Cle.dis
Loss of shared office data
D02-A
F01-EA1
D02
File
erasure
File
erasure
File
erasure
Fic.eff
F01-ER1
D02
F01-ER1
D02
F01-ER1
D02
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
Una
F01-ER1
D02
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
F01-ER1
D02
File
erasure
ER.P
Pro
Exp
Ain
F01-EM1
D02
File
erasure
MA.L
Del
Exp
Ain
Ual
F01-EM1
D02
File
erasure
MA.L
Del
Exp
Ain
Uai
F01-EM1
D02
File
erasure
MA.L
Del
Exp
Ain
Una
F01-EM1
D02
File
erasure
MA.L
Del
Exp
Ain
F01-EM1
D02
File
erasure
MA.L
Del
Exp
Ain
Fic.eff
Fic.eff
Fic.eff
Fic.eff
Fic.eff
Fic.eff
Fic.eff
Fic.eff

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
F01-EM3
D02
F02-AC1
D02
F02-AC1
D02
F03-MA1
D02
F03-MA1
D02
F03-MA1
D02
F04-AC1
D02
F04-AC1
D02
F04-AC1
D02
F04-AC1
D02
F05-ER
D02
F05-MA
D02
THREAT
Type of
damage
File
erasure
Media
Destruction
Circumstances
Event
Code
Fic.eff
Actor
Type
Sub
Type
MA.L
Tot
AC.E
Inc
Exp
AC.E
Ino
Exp
MA.P
Vol
Exp
Pna
MA.P
Vol
Exp
MA.P
Vol
Exp
Pse
AC.M
Equ
Exp
IC.E
De
Exp
IC.E
Se
Exp
IF.L
Exp
Exp
ER.P
Pro
MA.P
Vol
IF.L
Vir
Bur
ER.P
Pro
Bur
Apc
Ua
ER.P
Pro
Bur
Ain
Place Time
Access Process
Ain
Med.des
Media
Destruction
Media
disappearance
Media
disappearance
Media
disappearance
Media
inoperability
Media
inoperability
Media
inoperability
Media
inoperability
Access
means
disappearance
Access
means
disappearance
Med.des
Med.dis
Med.dis
Med.dis
Med.ine
Med.ine
Med.ine
Med.ine
Cle.dis
Cle.dis
Loss of personal office data
D03-A
F01-EA1
D03
F01-ER1
D03
F01-ER1
D03
File
erasure
File
erasure
File
erasure
Fic.eff
Fic.eff
Fic.eff

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
Place Time
Actor
Access Process
F01-ER1
D03
File
erasure
Fic.eff
ER.P
Pro
Bur
F01-ER1
D03
File
erasure
Fic.eff
ER.P
Pro
Exp
Abs
Apc
Una
F01-EM1
D03
Files
erasure
Fic.eff
MA.L
Del
Bur
Abs
Apc
Una
F01-EM1
D03
Files
erasure
Fic.eff
MA.L
Del
Bur
Hho
Apc
Una
F01-EM1
D03
Files
erasure
Fic.eff
MA.L
Del
Bur
Ain
F01-EM1
D03
Files
erasure
Fic.eff
MA.L
Del
Bur
F02-AC1
D03
Media
Destruction
Med.des AC.E
Inc
Bur
F02-AC1
D03
Media
Destruction
Med.des AC.E
Ino
Bur
F03-AC1
D03
Media
disappearance
ER.P
Peo
Bur
F03-AC1
D03
Media
disappearance
Med.dis ER.P
Peo
Ext
F03-MA1
D03
PC
disappearance
MA.P
Vol
Bur
Per
F03-MA1
D03
PC
disappearance
MA.P
Vol
Bur
Pse
F03-MA1
D03
PC
disappearance
Med.dis MA.P
Vol
Bur
Vis
F03-MA1
D03
PC
disappearance
Med.dis MA.P
Vol
Ext
F03-MA1
D03
Media
disappearance
MA.P
Vol
Bur
Per
F03-MA1
D03
Media
disappearance
MA.P
Vol
Bur
Pse
F03-MA1
D03
Media
disappearance
Med.dis MA.P
Vol
Bur
Vis
F04-AC1
D03
Media
inoperability
Equ
Bur
F04-AC1
D03
Media
inoperability
De
Bur
Med.dis
Med.dis
Med.dis
Med.dis
Med.dis
Med.ine
AC.M
Med.ine IC.E

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Media
inoperability
Access
means
disappearance
Access
means
disappearance
F04-AC1
D03
F05-ER
D03
F05-MA
D03
Circumstances
Event
Code
Actor
Type
Sub
Type
Place Time
IC.E
Se
Bur
IC.E
Age
Bur
ER.P
Pro
MA.P
Vol
IC.E
De
AC.E
Inc
AC.E
Ino
ER.P
Peo
ER.P
Peo
MA.P
Vol
Abs
Per
Med.dis MA.P
Vol
Abs
Vis
MA.P
Vol
Hho
Per
MA.P
Vol
Hho
Pse
Med.dis MA.P
Vol
Med.ine
Med.ine
Cle.dis
Access Process
Cle.dis
Loss of documents
F08-AC
D04
F08-AC
D04
F08-AC
D04
F08-ER
D04
F08-ER
D04
F08-MA
D04
F08-MA
D04
F08-MA
D04
F08-MA
D04
F08-MA
D04
Document
inoperability
Document
Destruction
Document
Destruction
Document
disappearance
Document
disappearance
Document
disappearance
Document
disappearance
Document
disappearance
Med.ine
Med.des
Med.des
Med.dis
Med.dis
Med.dis
disappearance
Med.dis
Document
disappearance
Loss of data during transfers or of messages
Ext
Med.dis
Document
D06-A
damage
inoperability
D03
D04-A
Type of
Media
F04-AC1
THREAT
Ext

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
F07-AC1
D06a
F07-AC1
D06a
F07-AC1
D06a
F07-AC1
D06a
F07-MA1
D06a
F07-MA1
D06a
D07-A
THREAT
Type of
damage
Messages
loss
Messages
loss
Event
Code
Dtr.per
Circumstances
Actor
Type
Sub
Type
IF.L
Exp
AC.M
Equ
AC.E
Inc
AC.E
Ino
MA.L
Del
MA.L
Del
Pna
IF.L
Exp
AC.M
Equ
AC.E
Inc
AC.E
Ino
ER.P
Pro
Tru
Ua
ER.P
Pro
Exp
ER.P
Pro
Mai
MA.L
Del
MA.L
Del
Pna
Place Time
Access Process
Dtr.per
Messages
loss
Messages
loss
data
erasure
data
erasure
Dtr.per
Dtr.per
Dtr.des
Dtr.des
Loss of e-mails (during sending or receipt)

F07-AC1
D07
F07-AC1
D07
F07-AC1
D07
F07-AC1
D07
F07-ER1
D07
F07-ER1
D07
F07-ER1
D07
F07-MA1
D07
F07-MA1
D07
e-mails
loss
e-mails
loss
e-mails
loss
e-mails
loss
e-mails
erasure
e-mails
erasure
e-mails
erasure
Dtr.per
Dtr.per
Dtr.per
Dtr.per
Dtr.per
Dtr.per
Dtr.per
e-mails
erasure
e-mails
erasure
Dtr.per
Dtr.per

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
D08-A
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
Place Time
Actor
Access Process
Loss of documents while transferred (during sending or receipt)

fax
Destruction
fax
Destruction
fax
Destruction
fax
loss
post mail
Destruction
D08
post mail
Destruction
F07-AC2
D08
post mail
Destruction
fax
loss
F07-ER2
D08
F07-ER2
D08
F07-MA2
D08
F07-MA2
D08
F07-MA2
D08
F07-MA2
D08
F07-MA2
D08
F07-AC2
D08
F07-AC2
D08
F07-AC2
D08
F07-AC2
D08
F07-AC2
D08
F07-AC2
D09-A
IC.E
De
Emi
AC.E
Inc
Emi
AC.E
Ino
Emi
AC.M
Equ
Emi
Dtr.per
IC.E
De
Emi
Dtr.per
AC.E
Inc
Emi
AC.E
Ino
Emi
ER.P
Pro
Bur
Tru
ER.P
Pro
Bur
Tru
MA.P
Vol
Lof
Pna
MA.P
Vol
Dis
Per
MA.L
MA.P
Fal
Vol
Loc
Pna
MA.P
Vol
Dis
Per
IC.E
De
Arc
Dtr.per
Dtr.per
Dtr.per
Dtr.per
Dtr.per
Dtr.per
post mail
loss
fax
disappearance
fax
disappearance
fax
post mail
Transfer
disappearance
post mail
disappearance
Dtr.per
Dtr.per
Dtr.per
Dtr.per
Dtr.per
Dtr.per
Loss or unusability of archived documents

Document
F08-AC
D09
inoperability
Med.ine

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Document
F08-AC
D09
F08-AC
D09
F08-MA
D09
F08-MA
D09
F08-MA
D09
F08-MA
D09
Place Time
AC.E
Inc
Arc
AC.E
Ino
Arc
ER.P
Pro
Arc
MA.P
Vol
Arc
Hou
Pa
MA.P
Vol
Arc
Hho
Pse
MA.P
Vol
Arc
Hou
Pna
MA.P
Vol
Arc
Hho
Pna
MA.P
Vol
Dis
MA.P
Ter
Arc
ER.P
Pro
Exp
Access Process
loss of reference
disappearance
disappearance
disappearance
Med.dIs
disappearance
Med.dIs
Document
disappearance
Tran
Pna
Med.dIs
Document
D10-A
Sub
Type
Med.dIs
Document
D09
Destruction
A
Document
F08-MA
Destruction
Type
Med.dIs
Document
D09
Code
Actor
Med.dIs
Document
F08-MA
damage
Circumstances
Event
Med.des
Document
D09
Type of
Med.des
Document
F08-ER
THREAT
Destruction
Tve
Med.dIs
Loss of digital archives

F01-ER1
D10
File
erasure
Fic.eff
Ain
Ua

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
Place Time
Access Process
Actor
F01-ER1
D10
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
F01-EM1
D10
File
erasure
Fic.eff
MA.L
Del
Exp
Ain
F01-EM1
D10
File
erasure
Fic.eff
MA.L
Del
Exp
Ain
Ual
F01-EM1
D10
File
erasure
Fic.eff
MA.L
Del
Exp
Ain
Uai
F01-EM1
D10
File
erasure
Fic.eff
MA.L
Del
Exp
Ain
Pna
F02-AC1
D10
Media
Destruction
Med.des AC.E
Inc
Md.
F02-AC1
D10
Media
Destruction
Med.des AC.E
Ino
Md.
F03-AC1
D10
Media
disappearance
Med.dis ER.P
Peo
Arc
F03-AC1
D10
Media
disappearance
Med.dis ER.P
Peo
Exp
F03-MA1
D10
Media
disappearance
Med.dis MA.P
Vol
Arc
Pa
F03-MA1
D10
Media
disappearance
Med.dis MA.P
Vol
Arc
Pna
F03-MA1
D10
Media
disappearance
Med.dis MA.P
Vol
Arc
Pse
F03-MA1
D10
Media
disappearance
Med.dis MA.P
Vol
Dis
Pna
F04-AC1
D10
Media
inoperability
Age
Arc
F04-AC1
D10
Media
inoperability
Med.ine IC.E
De
Arc
F05-ER
D10
Media
loss of reference
Cle.dis
ER.P
Pro
Dis
MA.P
Vol
D10
Access
means
disappearance
F05-MA
D11-A
Med.ine
IC.E
Cle.dis
Unavailability or loss of data published on internal or public web sites

F01-ER1
D11
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
Ual
F01-ER1
D11
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
Uai

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Actor
Type
Sub
Type
Place Time
Access Process
F01-ER1
D11
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
Una
F01-ER1
D11
File
erasure
Fic.eff
ER.P
Pro
Exp
Ain
F01-ER1
D11
File
erasure
Fic.eff
ER.P
Pro
Exp
F01-EM1
D11
File
erasure
Fic.eff
MA.L
Del
Exp
Ain
Una
F01-EM1
D11
File
erasure
Fic.eff
MA.L
Del
Exp
Ain
F01-EM1
D11
File
erasure
Fic.eff
MA.L
Del
Exp
File
Pollution
ER.P
Pro
Mal
F01-PA1
D11
ER.P
Pro
Mac
F01-PA1
D11
F01-PA1
D11
IF.L
Exp
F02-AC1
D11
AC.E
Inc
Exp
AC.E
Ino
Exp
F02-AC1
D11
F02-AC1
D11
AC.E
Inc
Md.
AC.E
Ino
Md.
F02-AC1
D11
F03-AC1
D11
ER.P
Peo
Exp
MA.P
Vol
Exp
F03-MA1
D11
Fic.pol
File
Pollution
Fic.pol
File
Pollution
Media
Destruction
Media
Destruction
Fic.pol
Med.des
Med.des
Media
Destruction
Media
Destruction
Med.des
Med.des
Media
disappearance
Media
disappearance
Med.dis
Med.dis
Pna

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Media
F03-MA1
D11
F03-MA1
D11
F04-AC1
D11
F04-AC1
D11
F04-AC1
D11
F04-AC1
D11
Type of
damage
Circumstances
Event
Code
disappearance
Actor
Type
Sub
Type
Place Time
MA.P
Vol
Exp
MA.P
Vol
Exp
Pse
AC.M
Equ
Exp
IC.E
De
Exp
IC.E
Se
Exp
IF.L
Exp
Exp
ER.P
Pro
Mal
ER.P
Pro
Mac
IF.L
Exp
ER.P
Pro
Ain
Tru
Ual
ER.P
Pro
Ain
Tru
Uai
ER.P
Pro
Ain
Tru
Una
ER.P
Pro
Mal
Access Process
Med.dis
Media
disappearance
Media
inoperability
Med.dis
Med.ine
Media
inoperability
Med.ine
Media
inoperability
Med.ine
Media
D01-I
THREAT
inoperability
Med.ine
Distortion (undetected) of data files

F09-AC1
D01
F09-AC1
D01
F09-AC1
D01
F09-ER
D01
F09-ER
D01
F09-ER
D01
F09-AC1
D11
File
tampering
File
tampering
File
tampering
File
tampering
File
tampering
Fic.alt
Fic.alt
Fic.alt
Fic.alt
Fic.alt
File
tampering
File
tampering
Fic.alt
Fic.alt

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Event
Code
Circumstances
Actor
Type
Sub
Type
MA.L
Fal
Ain
Exp
Uai
MA.L
Fal
Ain
Exp
Una
Ain
Exp
Exp
Exp
Tie
Place Time
Access Process
File
tampering
File
tampering
File
tampering
Fic.alt
MA.L
Fal
D01
File
tampering
Fic.alt
MA.L
Fal
F09-MA1
D01
File
tampering
MA.L
Fal
F09-MA1
D01
Media
tampering
MA.L
Fal
Tran
Pa
Media
swap
MA.P
Fal
Exp
Pa
F09-ME1
D01
MA.P
Fal
Exp
Pna
F09-ME1
D01
MA.P
Fal
Tran
Pa
F09-ME1
D01
ER.P
Pro
Ain
Tru
Ual
ER.P
Pro
Ain
Tru
Uai
ER.P
Pro
Ain
Tru
Una
MA.L
Fal
Ain
Exp
Uai
F09-MA1
D01
F09-MA1
D01
F09-MA1
D01
F09-MA1
Fic.alt
Fic.alt
Fic.alt
Atm
Med.ech
Media
swap
Med.ech
Media
D02-I
Fic.alt
swap
Med.ech
Distortion (undetected) of shared office files

File
F09-ER
D02
F09-ER
D02
F09-ER
D02
F09-MA1
D02
Fic.alt
File
tampering
Fic.alt
File
tampering
Fic.alt
File
tampering
tampering
Fic.alt

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
File
F09-MA1
D02
F09-MA1
D02
F09-MA1
D02
F09-ME1
D02
F09-ME1
D02
Type of
damage
Event
Code
tampering
Circumstances
Actor
Type
Sub
Type
MA.L
Fal
Ain
Exp
Una
MA.L
Fal
Ain
Exp
MA.L
Fal
Ain
Exp
MA.P
Fal
Ain
Exp
Pa
MA.P
Fal
Ain
Exp
Pna
ER.P
Pro
Apc
Tru
Ual
ER.P
Pro
Apc
Tru
Una
MA.L
Fal
Ain
Stp
MA.L
Fal
Stp
MA.L
Fal
Stm
Pa
MA.L
Fal
Act
Una
MA.P
Fal
Stm
Pa
Place Time
Access Process
Fic.alt
File
tampering
Fic.alt
File
tampering
Fic.alt
Media
swap
Med.ech
Media
D03-I
THREAT
swap
Med.ech
Distortion (undetected) of personal office files

File
F09-ER
D03
F09-ER
D03
F09-MA1
D03
F09-MA1
D03
F09-MA1
D03
F09-MA1
D03
F09-ME1
D03
Fic.alt
File
tampering
Fic.alt
File
tampering
Fic.alt
File
tampering
Media
tampering
File
tampering
Fic.alt
Fic.alt
Abs
Apc
Fic.alt
Media
tampering
swap
Med.ech

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
D06-I
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
Place Time
Actor
Access Process
Distortion (undetected) of data or of transmitted data that are individually sensitive

F10-ER
D06b
F10-MA
D06b
F10-MA
D06b
F10-MA
D06b
F10-MA
D06b
F10-MA
data
tampering
data
tampering
data
tampering
Fic.alt
Fic.alt
ER.P
Prs
MA.L
Fal
Ain
Exp
Ual
MA.L
Fal
Ain
Exp
Pna
MA.L
Fal
Ain
Exp
Uai
Fic.alt
data
tampering
data
tampering
Fic.alt
MA.L
Fal
Exp
D06b
data
tampering
Fic.alt
MA.L
Fal
Exp
data
tampering
MA.L
Fal
Ere
Tie
F10-MA
D06c
F10-MA
D06c
MA.L
Fal
Ere
F10-MA
D06c
MA.L
Fal
Aerl
Are
Pna
F10-MA
D06c
MA.L
Fal
Aerl
Are
MA.L
Fal
Erl
Pna
F10-MA
D06c
MA.L
Fal
Erl
F10-MA
D06c
F10-MA
D06c
MA.L
Rej
Una
F10-MA
D06c
MA.L
Fal
Una
Ext
Are
Dtr.alt
data
tampering
data
tampering
data
tampering
data
tampering
Dtr.alt
Dtr.alt
Dtr.alt
Dtr.alt
data
Fic.alt
tampering
Dtr.alt
Transaction
replay
Message
Usurpation
Dtr.alt
Dtr.alt

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
D07-I
ASSET
type
AICE Asset
THREAT
Type of
damage
Event
Code
Type
Sub
Type
Circumstances
Place Time
Actor
Access Process
Distortion of e-mails during their sending or receipt

F10-MA
D07
F10-MA
D07
F10-FA1
D07
D08-I
e-mail
tampering
e-mail
tampering
e-mail
tampering
Fic.alt
Fic.alt
Fic.alt
MA.L
Fal
Tie
MA.L
Fal
MA.L
Fau
Exp
Tie
Distortion of faxes during their sending or receipt

F10-FA2
D10-I
D08
fax
tampering
Fic.alt
MA.L
Fal
Tie
MA.L
Fal
MA.L
Fal
Ain
Pna
MA.P
Fal
Ain
Pa
MA.P
Fal
Ain
Pna
MA.P
Fal
Ain
Distortion of computerized archives

F09-MA1
D10
F09-MA1
D10
F09-ME1
D10
F09-ME1
D10
F09-ME1
D10
D11-I
File
tampering
File
tampering
Media
swap
Media
swap
Media
swap
Fic.alt
Fic.alt
Med.ech
Med.ech
Med.ech
Tran
Tie
Mac
Distortion of data published on internal or public sites

File
F09-AC1
D11
F09-AC1
D11
F09-ER
D11
F09-ER
D11
F09-ER
D11
ER.P
Pro
IF.L
Exp
ER.P
Pro
Ain
Tru
Ual
ER.P
Pro
Ain
Tru
Uai
ER.P
Pro
Ain
Tru
Una
Fic.alt
File
tampering
File
tampering
File
tampering
Fic.alt
Fic.alt
Fic.alt
File
tampering
tampering
Fic.alt

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
File
F09-MA1
D11
F09-MA1
D11
F09-MA1
D11
F09-MA1
D11
THREAT
Type of
damage
Event
Code
tampering
Circumstances
Actor
Type
Sub
Type
MA.L
Fal
Ain
Exp
Uai
MA.L
Fal
Ain
Exp
Una
MA.L
Fal
Exp
MA.L
Fal
Exp
Place Time
Access Process
Fic.alt
File
tampering
File
tampering
File
tampering
Fic.alt
Fic.alt
Fic.alt
Disclosure of data files
D01-C
F11-ER1
D01
data
disclosure
Fic.dif
ER.P
Pro
Exp
F11-ER1
D01
data
disclosure
Fic.dif
ER.P
Pro
Mam
F11-ER1
D01
data
disclosure
Fic.dif
ER.P
Pro
Tde
F11-ER1
D01
data
disclosure
ER.P
Pro
Mal
F11-MA1
D01
File
disclosure
MA.L
Vol
Ain
Tru
Ual
F11-MA1
D01
data file
disclosure
MA.L
Vol
Ain
Tru
Uai
F11-MA1
D01
data file
disclosure
MA.L
Vol
Ain
Tru
Una
F11-MA1
D01
data file
disclosure
MA.L
Vol
Exp
data file
disclosure
MA.L
Vol
Ain
Exp
Tie
F11-MA1
D01
F11-MA1
D01
MA.L
Vol
Aerl
Exp
Tie
F11-MA1
D01
MA.L
Vol
Atm
Exp
Tie
Fic.dif
Fic.dif
Fic.dif
Fic.dif
Fic.dif
Fic.dif
data file
disclosure
data file
disclosure
Fic.dif
Fic.dif

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
data file
F11-MA1
D01
F11-MA1
D01
F12-MA1
D01
F12-MA1
D01
F12-MA1
D01
F12-MA1
D01
F12-MA1
D01
F12-MA1
D01
F12-MA1
D01
THREAT
Type of
damage
Event
Code
disclosure
Type
Sub
Type
MA.L
Vol
MA.L
Circumstances
Place Time
Actor
Access Process
Asan
Exp
Tie
Vol
Mai
MA.P
Vol
Tran
Pa
MA.P
Vol
Sti
Pa
MA.P
Vol
Ste
Pa
MA.P
Vol
Exp
Pna
MA.P
Vol
Tran
Pna
MA.P
Vol
Sti
Pna
MA.P
Vol
Ste
Pna
ER.P
Pro
Exp
ER.P
Pro
Mam
MA.L
Vol
Ain
Tru
Ual
MA.L
Vol
Ain
Tru
Uai
MA.L
Vol
Ain
Tru
Una
Fic.dif
data file
disclosure
Media
disappearance
Fic.dif
Med.dis
Media
disappearance
Media
disappearance
Med.dis
Med.dis
Media
disappearance
Med.dis
Media
disappearance
Med.dis
Media
disappearance
Med.dis
Media
disappearance
Med.dis
Disclosure of shared office files
D02-C
F11-ER1
D02
F11-ER1
D02
F11-MA1
D02
F11-MA1
D02
F11-MA1
D02
File
disclosure
File
disclosure
data file
disclosure
data file
disclosure
data file
disclosure
Fic.dif
Fic.dif
Fic.dif
Fic.dif
Fic.dif

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
F11-MA1
D02
F11-MA1
D02
F11-MA1
D02
D02
F11-MA1
D02
F12-MA1
D02
F12-MA1
D02
F12-MA1
D02
F12-MA1
D02
F12-MA1
D02
F12-MA1
D02
F12-MA1
D02
F12-MA1
D02
damage
disclosure
data file
disclosure
data file
disclosure
Event
Code
Fic.dif
Fic.dif
Circumstances
Actor
Type
Sub
Type
MA.L
Vol
Exp
MA.L
Vol
Mai
MA.L
Vol
Ain
Exp
Tie
MA.L
Vol
Aerl
Exp
Tie
MA.L
Vol
Asan
Exp
Tie
MA.P
Vol
Exp
Pa
MA.P
Vol
Tran
Pa
MA.P
Vol
Sti
Pa
MA.P
Vol
Ste
Pa
MA.P
Vol
Exp
Pna
MA.P
Vol
Tran
Pna
MA.P
Vol
Sti
Pna
MA.P
Vol
Ste
Pna
Place Time
Access Process
Fic.dif
disclosure
Fic.dif
data file
Type of
data file
data file
F11-MA1
THREAT
disclosure
Fic.dif
Media
disappearance
Media
disappearance
Media
disappearance
Media
disappearance
Media
disappearance
Media
disappearance
Media
disappearance
Media
disappearance
Med.dis
Med.dis
Med.dis
Med.dis
Med.dis
Med.dis
Med.dis
Med.dis

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Actor
Type
Sub
Type
ER.P
Pro
Tru
ER.P
Pro
Mam
MA.L
Vol
Abs
Apc
Pna
MA.L
Vol
Hho
Apc
Pna
MA.L
Vol
Exp
MA.L
Vol
Mai
ER.P
Peo
Ext
MA.P
Vol
Bur
Abs
Per
MA.P
Vol
Bur
Abs
Vis
MA.P
Vol
Bur
Hho
Per
MA.P
Vol
Bur
Hho
Ser
MA.P
Vol
Ext
MA.P
Vol
Bur
Abs
Per
Place Time
Access Process
Disclosure of personal office files
D03-C
F11-ER1
D03
F11-ER1
D03
F11-MA1
D03
F11-MA1
D03
F11-MA1
D03
F11-MA1
D03
F12-ER
D03
F12-MA1
D03
F12-MA1
D03
F12-MA1
D03
F12-MA1
D03
F12-MA1
D03
F12-MA2
D03
File
disclosure
File
disclosure
data file
disclosure
data file
disclosure
data file
disclosure
data file
disclosure
Media
disappearance
Media
disappearance
Fic.dif
Fic.dif
Fic.dif
Fic.dif
Fic.dif
Med-dis
Med.dis
Media
disappearance
Med.dis
Media
disappearance
Med.dis
Media
Fic.dif
disappearance
Med.dis
Media
disappearance
PC
disappearance
Med.dis
Med.dis

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
PC
F12-MA2
D03
F12-MA2
D03
F12-MA2
D03
F12-MA2
D03
THREAT
Type of
damage
Circumstances
Event
Code
Actor
Type
Sub
Type
Place Time
MA.P
Vol
Bur
Abs
Vis
MA.P
Vol
Bur
Hho
Per
MA.P
Vol
Bur
Hho
Ser
MA.P
Vol
Ext
ER.P
Pro
Ext
MA.P
Vol
Bur
Hho
Per
MA.P
Vol
Bur
Abs
Uai
MA.P
Vol
Bur
MA.P
Vol
Bur
Abs
Per
MA.P
Vol
Bur
Abs
Vis
Med.dis MA.P
Vol
Ext
MA.P
Vol
Imp
Per
Med.dis MA.P
Vol
Imp
Vis
MA.P
Vol
Dif
Per
disappearance
Access Process
Med.dis
PC
disappearance
Med.dis
PC
disappearance
Med.dis
PC
disappearance
Med.dis
Disclosure of documents
D04-C
F14-ER1
D04
F14-MA1
D04
F14-MA1
D04
F14-MA1
D04
F14-MA1
D04
F14-MA1
D04
F14-MA1
D04
F14-MA1
D04
F14-MA1
D04
F14-MA1
D04
Document
disappearance
Document
disappearance
Med.dis
Med.dis
Document
disappearance
Document
disappearance
Document
disappearance
Med.dis
Med.dis
Ser
Med.dis
Document
disappearance
Document
disappearance
Document
disappearance
Document
disappearance
Document
disappearance
Med.dis
Med.dis
Med.dis

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
Place Time
Actor
Access Process
F14-MA1
D04
Document
disappearance
Med.dis MA.P
Vol
Dif
Vis
F14-MA3
D04
Document
disappearance
Med.dis MA.P
Vol
Crc
ER.P
Pro
Dif
MA.P
Vol
Exp
Pa
Med.dis MA.P
Vol
Exp
Ser
MA.P
Vol
Exp
Pna
MA.P
Vol
Med.dis MA.P
MA.P
Med.dis
Vol
Vol
Exp
MA.L
Vol
Bur
Ain
Uai
MA.L
Vol
Bur
Ain
Tie
MA.L
Vol
Bur
Ain
MA.L
Vol
Ext
Aerl
Tie
MA.L
Ele
Ext
Aem
Tie
MA.L
Vol
Aru
Disclosure of listings or printouts
D05-C
printouts
F14-ER2
D05
F14-MA2
D05
F14-MA2
D05
F14-MA2
D05
F14-MA2
D05
F14-MA2
D05
F14-MA2
D05
disclosure
Med.dis
printouts
disappearance
printouts
disappearance
printouts
disappearance
printouts
disappearance
printouts
scrapped
printouts
disappearance
disappearance
Med.dis
Med.dis
Med.dis
Dif
Per
Dif
Crc
Vis
Disclosure of data after consultation or harnessing
D06-C
F13-MA1
D06
F13-MA1
D06
F13-MA1
D06
F13-MA1
D06
F13-MA1
D06
F13-MA1
D06
screen
disclosure
screen
disclosure
Dtr.div
Dtr.div
screen
disclosure
screen
disclosure
screen
harnessing
Rsidu
disclosure
Dtr.div
Dtr.div
Dtr.div
Dtr.div

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
F13-MA2
D06
data
transferred
harnessing
F13-MA2
D06
data
transferred
harnessing
D06
data
transferred
harnessing
F13-MA2
F13-MA2
D06
data
transferred
harnessing
D06
data
transferred
harnessing
F13-MA2
F13-MA2
D06
data
transferred
harnessing
F13-MA2
D06
data
transferred
disclosure
F13-MA2
D06
data
transferred
disclosure
Circumstances
Event
Code
Dtr.div
Dtr.div
Actor
Type
Sub
Type
Place Time
Access Process
MA.L
Vol
Ext
Are
Pna
MA.L
Vol
Ain
Per
MA.L
Fal
Amer
Per
MA.L
Fal
Amer
MA.L
Fal
Amdertm
Tie
MA.L
Vol
Amderuf Main
Tie
MA.L
Vol
Ext
Auie
Tie
MA.L
Vol
Ext
Auis
Dtr.div
Dtr.div
Ext
Dtr.div
Dtr.div
Dtr.div
Dtr.div
Disclosure of e-mails during their sending or receipt
D07-C
F19-ER1
D07
e-mails
disclosure
e-mails
disclosure
Dtr.div
Dtr.div
ER.P
Pro
Ua
MA.L
Vol
F19-MA
D07
F19-MA
D07
e-mails
disclosure
Dtr.div
MA.L
Vol
F19-MA
D07
e-mails
disclosure
Dtr.div
MA.L
Vol
Pna
Disclosure of post mails or faxes during their sending or receipt
D08-C
F19-ER2
D08
post mail
disclosure
Dtr.div
ER.P
Pro
F19-ER3
D08
fax
disclosure
Dtr.div
ER.P
Pro
F19-MA1
D08
post mail
disappearance
MA.P
Vol
Dtr.div
Loc
Col

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
F19-MA1
D08
F19-MA2
D08
F19-MA2
D08
F19-MA3
D08
THREAT
Type of
damage
post mail
disappearance
fax
disappearance
fax
disappearance
fax
disclosure
Circumstances
Event
Code
Dtr.div
Dtr.div
Dtr.div
Dtr.div
Type
Sub
Type
Place Time
MA.P
Vol
Bur
MA.P
Vol
Lof
MA.P
Vol
MA.L
Fal
Actor
Access Process
Col
Col
Disclosure of printed or written archive
D09-C
F16-MA
D09
Document
disappearance
Med.dis MA.P
Vol
Arc
Pa
F16-MA
D09
Document
disappearance
Med.dis MA.P
Vol
Arc
Pna
F16-MA
D09
Document
disappearance
MA.P
Vol
F16-MA2
D09
Document
disclosure
MA.P
Vol
Arc
Pna
MA.P
Vol
Arc
Pa
MA.P
Vol
Arc
Pna
MA.P
Vol
Dis
Pna
Med.dis
Med.dis
Tran
Pna
Disclosure of files or digitalized archives
D10-C
Media
F12-MA1
D10
F12-MA1
D10
F12-MA1
D10
Med.dis
Media
disappearance
Med.dis
Media
G01-A
disappearance
disappearance
Med.dis
Unavailability of the working environment of users

F17-AC
G01
F17-AC
G01
F17-AC
G01
F17-AC
G01
premises
unavailability
Loc.ina AC.E
Inc
premises
unavailability
Loc.ina
AC.E
Ino
premises
unavailability
AB.S
Ene
premises
unavailability
Loc.ina AB.S
Loc
Loc.ina

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
G02-A
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
Place Time
Actor
Access Process
Unavailability of telecommunication services (voice, faxes, video conferencing)

File
erasure
File
erasure
F01-EA2
G02
F01-ER4
G02
F01-EM2
G02
F01-EM2
G02
G02
telecom
equipment
damaging
F06-AC1
G02
telecom
equipment
damaging
F06-AC1
telecom
equipment
Destruction
telecom
equipment
Destruction
telecom
equipment
Destruction
unavailability
unavailability
F06-AC2
G02
F06-AC2
G02
Exp
ER.P
Pro
Exp
erasure
MA.L
Del
Exp
erasure
MA.L
Del
Exp
IC.E
De
Exp
IC.E
Se
Exp
AC.E
Fou
Exp
AC.E
Inc
Exp
AC.E
Ino
Exp
AC.M
Equ
AC.M
Ser
Cfl.eff
F06-AC3
G02
telecom
equipment
F06-AC3
G02
auxiliary
elements
Exp
Cfl.eff
File
G02
IF.L
Cfl.eff
File
F06-AC2
Cfl.eff
Eq.hs
Eq.hs
Eq.des
Eq.des
Eq.des
Eq.hs
Eq.hs

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
F06-AC3
F06-MA1
F06-MA1
F06-MA1
ASSET
type
G02
G02
G02
G02
AICE Asset
Type of
damage
auxiliary
elements
unavailability
telecom
equipment
damaging
telecom
equipment
damaging
telecom
equipment
damaging
telecom
equipment
damaging
Circumstances
Event
Code
Actor
Type
Sub
Type
AB.S
Ene
MA.P
Van
Exp
Pa
MA.P
Van
Exp
Pna
MA.P
Van
Tve
MA.P
Van
Tvi
MA.P
Ter
Tve
AB.S
Mas
IF.L
Exp
Exp
ER.P
Pro
Exp
ER.P
Pro
Exp
MA.L
Del
Exp
Una
Place Time
Access Process
Eq.hs
Eq.hs
Eq.hs
Eq.hs
F06-MA1
G02
G02
telecom
equipment
Destruction
F06-MA2
F18-AR
G02
telecom
equipment
unavailability
R01-A
THREAT
Eq.hs
Eq.des
Eq.hs
Unavailability of the extended network service

F01-EA4
R01
software
erasure
configuration
Cfl.eff
F01-ER4
R01
software
erasure
configuration
Cfl.eff
F01-ER4
R01
software
erasure
configuration
Cfl.eff
F01-EM4
R01
software
erasure
configuration
Cfl.eff

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Code
F01-EM4
R01
software
erasure
configuration
Cfl.eff
F01-EM4
R01
software
erasure
configuration
Cfl.eff
F01-EM5
R01
software
erasure
configuration
Cfl.eff
F06-AC1
R01
network
equipment
damaging
Eq.hs
F06-AC1
R01
network
equipment
damaging
F06-AC2
R01
network
equipment
Destruction
R01
network
equipment
Destruction
F06-AC2
R01
network
equipment
Destruction
F06-AC2
R01
network
equipment
unavailability
F06-AC3
R01
auxiliary
elements
unavailability
F06-AC3
R01
auxiliary
elements
unavailability
F06-AC3
R01
network
equipment
damaging
F06-MA1
R01
network
equipment
damaging
F06-MA1
Circumstances
Event
Eq.hs
Eq.des
Actor
Type
Sub
Type
Place Time
MA.L
Del
Exp
MA.L
Del
Exp
MA.L
Tot
IC.E
De
Exp
IC.E
Se
Exp
AC.E
Fou
Exp
AC.E
Inc
Exp
AC.E
Ino
Exp
AC.M
Equ
AC.M
Ser
AB.S
Ene
MA.P
Van
Exp
Pa
MA.P
Van
Exp
Pna
Access Process
Eq.des
Eq.des
Eq.hs
Eq.hs
Eq.hs
Eq.hs
Eq.hs

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Type of
damage
R01
network
equipment
damaging
F06-MA1
R01
network
equipment
damaging
F06-MA1
R01
network
equipment
Destruction
F06-MA2
R01
network
equipment
unavailability
F06-MA4
R01
network
equipment
unavailability
F06-MA4
F18-AR
R01
network
equipment
unavailability
F18-AR
R01
network
equipment
unavailability
F18-AR
R01
network
equipment
unavailability
F18-AR
R01
network
equipment
unavailability
F18-AR
R01
network
lock
R02-A
THREAT
Circumstances
Event
Code
Actor
Type
Sub
Type
MA.P
Van
Tve
MA.P
Van
Tvi
MA.P
Ter
Tve
MA.L
Cfg
MA.L
Cfg
AB.S
Mas
AV.P
Gre
AB.P
Per
AB.P
Pep
IF.L
Ver
IF.L
Exp
Exp
ER.P
Pro
Exp
ER.P
Pro
Exp
Place Time
Access Process
Eq.hs
Eq.hs
Eq.des
Eq.hs
Eq.hs
Eq.hs
Eq.mo
Eq.mo
Eq.mo
Eq.hs
Unavailability of the local area network service

F01-EA4
R02
software
erasure
configuration
Cfl.eff
F01-ER4
R02
software
erasure
configuration
Cfl.eff
F01-ER4
R02
software
erasure
configuration
Cfl.eff

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Code
F01-EM4
R02
software
erasure
configuration
Cfl.eff
F01-EM4
R02
software
erasure
configuration
Cfl.eff
F01-EM4
R02
software
erasure
configuration
Cfl.eff
F01-EM5
R02
software
erasure
configuration
Cfl.eff
F06-AC1
R02
network
equipment
damaging
Eq.hs
F06-AC1
R02
network
equipment
damaging
F06-AC2
R02
network
equipment
Destruction
R02
network
equipment
Destruction
F06-AC2
R02
network
equipment
Destruction
F06-AC2
R02
network
equipment
unavailability
F06-AC3
R02
auxiliary
elements
unavailability
F06-AC3
R02
auxiliary
elements
unavailability
F06-AC3
R02
network
equipment
damaging
F06-MA1
Circumstances
Event
Eq.hs
Eq.des
Actor
Type
Sub
Type
Place Time
MA.L
Del
Exp
Una
MA.L
Del
Exp
MA.L
Del
Exp
MA.L
Tot
IC.E
De
Exp
IC.E
Se
Exp
AC.E
Fou
Exp
AC.E
Inc
Exp
AC.E
Ino
Exp
AC.M
Equ
AC.M
Ser
AB.S
Ene
MA.P
Van
Access Process
Eq.des
Eq.des
Eq.hs
Eq.hs
Eq.hs
Eq.hs
Exp
Pa

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
R02
network
equipment
damaging
F06-MA1
R02
network
equipment
damaging
F06-MA1
R02
network
equipment
damaging
F06-MA1
R02
network
equipment
Destruction
F06-MA2
R02
network
equipment
unavailability
F06-MA4
R02
network
equipment
unavailability
F06-MA4
F18-AR
R02
network
equipment
unavailability
F18-AR
R02
network
equipment
unavailability
F18-AR
R02
network
equipment
unavailability
F18-AR
R02
network
equipment
unavailability
F18-AR
R02
network
lock
Circumstances
Event
Code
Actor
Type
Sub
Type
Place Time
MA.P
Van
Exp
MA.P
Van
Tve
MA.P
Van
Tvi
MA.P
Ter
Tve
MA.L
Cfg
MA.L
Cfg
AB.S
Mas
AV.P
Gre
AB.P
Per
AB.P
Pep
IF.L
Ver
IF.L
Exp
Exp
ER.P
Pro
Exp
Access Process
Pna
Eq.hs
Eq.hs
Eq.hs
Eq.des
Eq.hs
Eq.hs
Eq.hs
Eq.mo
Eq.mo
Eq.mo
Eq.hs
Unavailability of application service
S01-A
F01-EA2
S01
F01-ER2
S01
program file
erasure
program file
erasure
Cfl.eff
Cfl.eff
Ual

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
Place Time
Actor
Access Process
F01-ER2
S01
program file
erasure
Cfl.eff
ER.P
Pro
Exp
Uai
F01-ER2
S01
program file
erasure
Cfl.eff
ER.P
Pro
Exp
Una
F01-ER2
S01
program file
erasure
Cfl.eff
ER.P
Pro
Exp
F01-ER2
S01
program file
erasure
Cfl.eff
ER.P
Pro
Exp
F01-EM2
S01
program file
erasure
Cfl.eff
MA.L
Del
Exp
Ual
F01-EM2
S01
program file
erasure
MA.L
Del
Exp
Uai
F01-EM2
S01
program file
erasure
MA.L
Del
Exp
Una
F01-EM2
S01
program file
erasure
Cfl.eff
MA.L
Del
Exp
F01-EM2
S01
program file
erasure
Cfl.eff
MA.L
Del
Exp
F01-EM3
S01
program file
erasure
MA.L
Tot
F01-PA2
S01
program file
Pollution
ER.P
Pro
Mal
F01-PA2
S01
program file
Pollution
ER.P
Pro
Mac
F01-PA2
S01
program file
Pollution
IF.L
Exp
program file
Pollution
MA.L
Fal
Exp
Uai
F01-PM2
S01
F01-PM2
S01
MA.L
Fal
Exp
Una
F01-PM2
S01
F01-PM2
S01
Cfl.eff
Cfl.eff
Fic.eff
Cfl.pol
Cfl.pol
Cfl.pol
Cfl.pol
program file
Pollution
program file
Pollution
Cfl.pol
MA.L
Fal
Exp
program file
Pollution
Cfl.pol
MA.L
Fal
Exp
Cfl.pol

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
F02-AC2
S01
F02-AC2
S01
F02-AC2
S01
F02-AC2
S01
F03-AC2
S01
F03-AC2
S01
F03-MA2
S01
F03-MA2
S01
F03-MA2
S01
F03-MA2
S01
F03-MA2
S01
storing
program
media
F03-MA2
S01
F04-AC2
S01
F04-AC2
S01
F04-AC2
S01
F04-AC2
S01
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
THREAT
Type of
Circumstances
Event
Code
Actor
Type
Sub
Type
Place Time
AC.E
Inc
Exp
AC.E
Ino
Exp
Destruction
Med.des AC.E
Inc
Md.
Destruction
Med.des AC.E
Ino
Md.
ER.P
Peo
Md.
ER.P
Peo
Exp
MA.P
Vol
Exp
Pna
MA.P
Vol
Exp
MA.P
Vol
Exp
Pse
Med.dis MA.P
Vol
Md.
Pna
MA.P
Vol
Md.
Med.dis MA.P
Vol
Md.
Pse
AC.M
Equ
Exp
IC.E
De
Exp
IC.E
Se
Exp
IF.L
Exp
Exp
damage
Destruction
Destruction
disappearance
disappearance
disappearance
disappearance
disappearance
disappearance
disappearance
disappearance
Med.des
Med.des
Med.dis
Med.dis
Med.dis
Med.dis
Med.dis
Med.dis
inoperability
Med.ine
inoperability
inoperability
Med.ine
Med.ine
inoperability
Med.ine
Access Process

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Type of
damage
inoperability
media
storing
program
media
storing
program
media
storing
program
application
server
application
server
damaging
S01
F06-AC2
S01
application
server
Destruction
S01
application
server
Destruction
F06-AC2
S01
application
server
Destruction
F06-AC2
S01
application
server
unavailability
F06-AC3
S01
auxiliary
elements
unavailability
F06-AC3
F06-AC3
S01
auxiliary
elements
unavailability
S01
auxiliary
elements
unavailability
F06-AC3
S01
application
server
damaging
F06-MA1
F04-AC2
S01
F04-AC2
S01
F04-AC2
S01
F06-AC1
S01
F06-AC1
THREAT
inoperability
inoperability
damaging
Circumstances
Event
Code
Med.ine
Med.ine
Med.ine
Eq.hs
Type
Sub
Type
Place Time
IC.E
Pol
Md.
IC.E
De
Md.
IC.E
Age
Md.
IC.E
De
Exp
IC.E
Se
Exp
AC.E
Fou
Exp
AC.E
Inc
Exp
AC.E
Ino
Exp
AC.M
Equ
AC.M
Ser
AB.S
Ene
AB.S
Cli
MA.P
Van
Actor
Access Process
Eq.hs
Eq.des
Eq.des
Eq.des
Eq.hs
Eq.hs
Eq.hs
Eq.hs
Eq.hs
Exp
Pa

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Actor
Type
Sub
Type
Place Time
MA.P
Van
Exp
MA.P
Van
Tve
MA.P
Van
Tvi
MA.P
Ter
Tve
MA.L
Cfg
MA.L
Cfg
AB.S
Mas
AB.S
Maa
AV.P
Gre
AB.P
Per
AB.P
Pep
Access Process
S01
application
server
damaging
F06-MA1
S01
application
server
damaging
F06-MA1
S01
application
server
damaging
F06-MA1
S01
application
server
Destruction
F06-MA2
S01
application
server
unavailability
F06-MA4
S01
application
server
unavailability
F06-MA4
F18-AR
S01
application
server
unavailability
Application
lock
F18-AR
S01
F18-AR
S01
application
server
unavailability
F18-AR
S01
application
server
unavailability
F18-AR
S01
application
server
unavailability
F18-BL
S01
application
lock
Cfl.bug
IF.L
Lsp
Exp
F18-BL
S01
application
lock
Cfl.bug
ER.L
Lin
Exp
F18-BL
S01
application
lock
Cfl.bug
IF.L
Exp
Exp
Pna
Eq.hs
Eq.hs
Eq.hs
Eq.des
Eq.hs
Eq.hs
Eq.hs
Exp
Eq.hs
Eq.mo
Eq.mo
Eq.mo

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
Place Time
Actor
Access Process
F18-BL
S01
application
lock
Cfl.bug
MA.L
Sam
Exp
F18-BC
S01
account
lock
Cpt.blo
MA.L
Blo
IF.L
Exp
Exp
ER.P
Pro
Exp
Ual
Unavailability of the common office services
S02-A
File
erasure
File
erasure
File
erasure
Cfl.eff
ER.P
Pro
Exp
Uai
S02
File
erasure
Cfl.eff
ER.P
Pro
Exp
Una
F01-ER2
S02
File
erasure
Cfl.eff
ER.P
Pro
Exp
F01-ER2
S02
File
erasure
Cfl.eff
ER.P
Pro
Exp
F01-EM2
S02
File
erasure
Cfl.eff
MA.L
Del
Exp
Ual
F01-EM2
S02
File
erasure
MA.L
Del
Exp
Uai
F01-EM2
S02
File
erasure
MA.L
Del
Exp
Una
F01-EM2
S02
File
erasure
Cfl.eff
MA.L
Del
Exp
F01-EM2
S02
File
erasure
Cfl.eff
MA.L
Del
Exp
F01-EM3
S02
Files
erasure
MA.L
Tot
F01-PA2
S02
File
Pollution
Cfl.pol
ER.P
Pro
Mal
F01-PA2
S02
File
Pollution
Cfl.pol
ER.P
Pro
Mac
F01-PA2
S02
File
Pollution
IF.L
Exp
F01-EA2
S02
F01-ER2
S02
F01-ER2
S02
F01-ER2
Cfl.eff
Cfl.eff
Cfl.eff
Cfl.eff
Fic.eff
Cfl.pol

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Actor
Type
Sub
Type
MA.L
Fal
Exp
Uai
MA.L
Fal
Exp
Una
Place Time
Access Process
File
Pollution
File
Pollution
File
Pollution
Cfl.pol
MA.L
Fal
Exp
S02
File
Pollution
Cfl.pol
MA.L
Fal
Exp
F02-AC2
S02
Destruction
AC.E
Inc
Exp
F02-AC2
S02
AC.E
Ino
Exp
F02-AC2
S02
Destruction
Med.des AC.E
Inc
Md.
F02-AC2
S02
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
Destruction
Med.des AC.E
Ino
Md.
F03-AC2
S02
ER.P
Peo
Md.
F03-AC2
S02
ER.P
Peo
Exp
MA.P
Vol
Exp
Pna
F03-MA2
S02
MA.P
Vol
Exp
F03-MA2
S02
F03-MA2
S02
MA.P
Vol
Exp
Pse
F03-MA2
S02
Med.dis MA.P
Vol
Md.
Pna
F03-MA2
S02
MA.P
Vol
Md.
F03-MA2
S02
Med.dis MA.P
Vol
Md.
Pse
F01-PM2
S02
F01-PM2
S02
F01-PM2
S02
F01-PM2
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
Destruction
disappearance
disappearance
Cfl.pol
Cfl.pol
Med.des
Med.des
Med.dis
Med.dis
disappearance
Med.dis
disappearance
Med.dis
disappearance
disappearance
disappearance
disappearance
Med.dis
Med.dis

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
F04-AC2
S02
F04-AC2
S02
F04-AC2
S02
F04-AC2
S02
F04-AC2
S02
F04-AC2
S02
F04-AC2
S02
F06-AC1
S02
F06-AC1
S02
F06-AC2
S02
F06-AC2
S02
F06-AC2
S02
F06-AC3
S02
Type of
damage
media
storing
program
inoperability
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
Server
inoperability
Server
damaging
Server
Destruction
Server
Destruction
Circumstances
Event
Code
Type
Sub
Type
Place Time
AC.M
Equ
Exp
IC.E
De
Exp
IC.E
Se
Exp
IF.L
Exp
Exp
IC.E
Pol
Md.
IC.E
De
Md.
IC.E
Age
Md.
IC.E
De
Exp
IC.E
Se
Exp
AC.E
Fou
Exp
AC.E
Inc
Exp
AC.E
Ino
Exp
AC.M
Equ
Med.ine
inoperability
Med.ine
Med.ine
inoperability
Med.ine
inoperability
inoperability
inoperability
damaging
Med.ine
Med.ine
Med.ine
Eq.hs
Eq.hs
Eq.des
Eq.des
Server
Destruction
Eq.des
Server
THREAT
unavailability
Eq.hs
Access Process
Actor

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Type of
damage
S02
auxiliary
elements
unavailability
F06-AC3
F06-AC3
S02
auxiliary
elements
unavailability
Server
damaging
F06-MA1
S02
F06-MA1
S02
F06-MA1
S02
F06-MA1
S02
F06-MA2
S02
F06-MA4
S02
F06-MA4
S02
F18-AR
S02
F18-AR
S02
F18-AR
S02
Circumstances
Event
Code
Actor
Type
Sub
Type
AC.M
Ser
AB.S
Ene
MA.P
Van
Exp
Pa
MA.P
Van
Exp
Pna
MA.P
Van
Tve
MA.P
Van
Tvi
MA.P
Ter
Tve
MA.L
Cfg
MA.L
Cfg
AB.S
Mas
AB.S
Maa
AV.P
Gre
Place Time
Access Process
Ser.hs
Ser.hs
Eq.hs
Server
damaging
Eq.hs
Server
damaging
Eq.hs
Server
damaging
Eq.hs
Server
Destruction
Eq.des
Server
unavailability
Eq.hs
Server
THREAT
unavailability
Eq.hs
Server
unavailability
application
lock
Eq.hs
Eq.mo
Server
unavailability
Eq.mo
Exp

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
AB.P
Per
AB.P
Pep
Place Time
Actor
Access Process
Server
unavailability
Server
unavailability
application
lock
Cfl.bug
IF.L
Lsp
Exp
S02
application
lock
Cfl.bug
MA.L
Sam
Exp
S02
account
lock
Cpt.blo
MA.L
Blo
F18-AR
S02
F18-AR
S02
F18-BL
S02
F18-BL
F18-BC
Eq.mo
Eq.mo
Unavailability of interface services or terminals for users (PC, local printers, peripherals, specific interfaces, etc.)
S03-A
F01-EA5
S03
software
erasure
configuration
Cfl.eff
F01-ER5
S03
software
erasure
configuration
Cfl.eff
F01-ER5
S03
software
erasure
configuration
Cfl.eff
F01-EM6
S03
software
erasure
configuration
Cfl.eff
F06-AC4
S03
F06-AC4
S03
F06-AC4
S03
F06-AC4
S03
F06-AC4
S03
work stations unavailability
work stations Destruction

work stations unavailability
Eq.hs
Eq.hs
Eq.hs
Eq.hs
Eq.hs
IF.L
Exp
Exp
ER.P
Pro
Exp
ER.P
Pro
Exp
ER.P
Pro
Exp
IF.L
Vir
Exp
AC.E
Fou
Exp
AC.E
Inc
Exp
AC.E
Ino
Exp
AB.S
Ene

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Code
work stations damaging

F06-MA3
S03
F06-MA3
S03
F06-AC5
S03
Circumstances
Event
Actor
Type
Sub
Type
Place Time
MA.P
Van
Exp
Pa
MA.P
Van
Exp
Tie
AC.M
Equ
Access Process
Eq.des
work stations damaging
Eq.des
shared
equipment
unavailability
Eq.hs
Unavailability of common system services: messaging, archiving, printing, editing, etc.
S04-A
program file
erasure
IF.L
Exp
Exp
program file
erasure
ER.P
Pro
Exp
Ual
program file
erasure
Cfl.eff
ER.P
Pro
Exp
Uai
S04
program file
erasure
Cfl.eff
ER.P
Pro
Exp
Una
F01-ER2
S04
program file
erasure
Cfl.eff
ER.P
Pro
Exp
F01-ER2
S04
program file
erasure
Cfl.eff
ER.P
Pro
Exp
F01-EM2
S04
program file
erasure
Cfl.eff
MA.L
Del
Exp
Ual
F01-EM2
S04
program file
erasure
MA.L
Del
Exp
Uai
F01-EM2
S04
program file
erasure
MA.L
Del
Exp
Una
F01-EM2
S04
program file
erasure
Cfl.eff
MA.L
Del
Exp
F01-EM2
S04
program file
erasure
Cfl.eff
MA.L
Del
Exp
F01-EM3
S04
program file
erasure
MA.L
Tot
F01-EA2
S04
F01-ER2
S04
F01-ER2
S04
F01-ER2
Cfl.eff
Cfl.eff
Cfl.eff
Cfl.eff
Fic.eff

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
Place Time
Actor
Access Process
F01-PA2
S04
program file
Pollution
Cfl.pol
ER.P
Pro
Mal
F01-PA2
S04
program file
Pollution
Cfl.pol
ER.P
Pro
Mac
F01-PA2
S04
program file
Pollution
IF.L
Exp
F01-PM2
S04
program file
Pollution
MA.L
Fal
Exp
Uai
F01-PM2
S04
program file
Pollution
MA.L
Fal
Exp
Una
F01-PM2
S04
program file
Pollution
Cfl.pol
MA.L
Fal
Exp
F01-PM2
S04
program file
Pollution
Cfl.pol
MA.L
Fal
Exp
F02-AC2
S04
Destruction
AC.E
Inc
Exp
F02-AC2
S04
AC.E
Ino
Exp
F02-AC2
S04
Destruction
Med.des AC.E
Inc
Md.
F02-AC2
S04
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
Destruction
Med.des AC.E
Ino
Md.
F03-AC2
S04
ER.P
Peo
Md.
F03-AC2
S04
ER.P
Peo
Exp
MA.P
Vol
Exp
Pna
F03-MA2
S04
MA.P
Vol
Exp
F03-MA2
S04
F03-MA2
S04
Med.dis MA.P
Vol
Exp
Pse
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
Destruction
disappearance
disappearance
Cfl.pol
Cfl.pol
Cfl.pol
Med.des
Med.des
Med.dis
Med.dis
disappearance
Med.dis
disappearance
Med.dis
disappearance

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
F03-MA2
S04
F03-MA2
S04
F03-MA2
S04
F04-AC2
S04
F04-AC2
S04
F04-AC2
S04
F04-AC2
S04
F04-AC2
S04
F04-AC2
S04
F04-AC2
S04
F06-AC1
S04
F06-AC1
S04
F06-AC2
S04
F06-AC2
S04
media
storing
program
media
storing
program
media
storing
program
media
storing
program
THREAT
Type of
damage
disappearance
disappearance
disappearance
Circumstances
Event
Code
Sub
Type
Place Time
Med.dis MA.P
Vol
Md.
Pna
MA.P
Vol
Md.
Med.dis MA.P
Vol
Md.
Pse
AC.M
Equ
Exp
IC.E
De
Exp
IC.E
Se
Exp
IF.L
Exp
Exp
IC.E
Pol
Md.
IC.E
De
Md.
IC.E
Age
Md.
IC.E
De
Exp
IC.E
Se
Exp
AC.E
Fou
Exp
AC.E
Inc
Exp
Type
Med.dis
inoperability
Med.ine
media
storing
program
inoperability
media
storing
program
media
storing
program
media
storing
program
media
storing
program
media
storing
program
Server
inoperability
Server
damaging
Server
Destruction
Server
Destruction
Med.ine
Med.ine
inoperability
Med.ine
inoperability
inoperability
inoperability
damaging
Actor
Med.ine
Med.ine
Med.ine
Eq.hs
Eq.hs
Eq.des
Eq.des
Access Process

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Server
Type of
damage
S04
F06-AC3
S04
S04
auxiliary
elements
unavailability
F06-AC3
F06-AC3
S04
auxiliary
elements
unavailability
F06-AC3
S04
auxiliary
elements
unavailability
Server
damaging
F06-MA1
S04
F06-MA1
S04
F06-MA1
S04
F06-MA1
S04
F06-MA2
S04
F18-AR
S04
F18-AR
S04
Circumstances
Event
Code
Destruction
F06-AC2
Actor
Type
Sub
Type
Place Time
AC.E
Ino
Exp
AC.M
Equ
AC.M
Ser
AB.S
Ene
AB.S
Cli
MA.P
Van
Exp
Pa
MA.P
Van
Exp
Pna
MA.P
Van
Tve
MA.P
Van
Tvi
MA.P
Ter
Tve
AB.S
Mas
AB.S
Maa
Access Process
Eq.des
Server
unavailability
Eq.hs
Ser.hs
Ser.hs
Ser.hs
Eq.hs
Server
damaging
Eq.hs
Server
damaging
Eq.hs
Server
damaging
Eq.hs
Server
THREAT
Destruction
Eq.des
Server
unavailability
application
lock
Eq.hs
Eq.hs
Exp

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Circumstances
Event
Code
Type
Sub
Type
AV.P
Gre
AB.P
Per
AB.P
Pep
Place Time
Actor
Access Process
Server
unavailability
Server
unavailability
Server
unavailability
application
lock
Cfl.bug
IF.L
Lsp
Exp
S04
application
lock
Cfl.bug
ER.L
Lin
Exp
F18-BL
S04
application
lock
Cfl.bug
IF.L
Exp
Exp
F18-BL
S04
application
lock
Cfl.bug
MA.L
Sam
Exp
F18-BC
S04
account
lock
Cpt.blo
MA.L
Blo
F18-AR
S04
F18-AR
S04
F18-AR
S04
F18-BL
S04
F18-BL
Eq.mo
Eq.mo
Eq.mo
Unavailability of the publishing service on a web site (internal or public)
S05-A
program file
F01-EA2
S05
F01-ER2
S05
F01-ER2
S05
F01-ER2
S05
F01-ER2
S05
F01-ER2
S05
IF.L
Exp
Exp
ER.P
Pro
Exp
Ual
ER.P
Pro
Exp
Uai
ER.P
Pro
Exp
Una
ER.P
Pro
Exp
ER.P
Pro
Exp
Cfl.eff
program file
erasure
Cfl.eff
program file
erasure
Cfl.eff
program file
erasure
erasure
Cfl.eff
program file
erasure
program file
erasure
Cfl.eff
Cfl.eff

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
program file
F01-EM2
S05
F01-EM2
S05
F01-EM2
S05
F01-EM2
S05
F01-EM2
S05
F01-EM3
S05
F01-PA2
S05
F01-PA2
S05
F01-PA2
S05
F01-PM2
S05
F01-PM2
S05
Type of
damage
Circumstances
Event
Code
erasure
Actor
Type
Sub
Type
Place Time
MA.L
Del
Exp
Ual
MA.L
Del
Exp
Uai
MA.L
Del
Exp
Una
MA.L
Del
Exp
MA.L
Del
Exp
MA.L
Tot
ER.P
Pro
Mal
ER.P
Pro
Mac
IF.L
Exp
MA.L
Fal
Exp
Uai
MA.L
Fal
Exp
Una
Access Process
Cfl.eff
program file
erasure
Cfl.eff
program file
erasure
Cfl.eff
program file
erasure
Cfl.eff
program file
erasure
Cfl.eff
program file
erasure
Fic.eff
program file
Pollution
Cfl.pol
program file
Pollution
Cfl.pol
program file
Pollution
Cfl.pol
program file
Pollution
Cfl.pol
program file
THREAT
Pollution
Cfl.pol

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
program file
F01-PM2
S05
F01-PM2
S05
F02-AC2
S05
F02-AC2
S05
F02-AC2
S05
F02-AC2
S05
F03-AC2
Type of
damage
Circumstances
Event
Code
Pollution
Actor
Type
Sub
Type
MA.L
Fal
Exp
MA.L
Fal
Exp
AC.E
Inc
Exp
AC.E
Ino
Exp
AC.E
Inc
Md.
AC.E
Ino
Md.
ER.P
Peo
Md.
ER.P
Peo
Exp
MA.P
Vol
Exp
Pna
MA.P
Vol
Exp
MA.P
Vol
Exp
Pse
MA.P
Vol
Md.
Pna
Place Time
Access Process
Cfl.pol
program file
Pollution
Cfl.pol
media
storing
program
media
storing
program
media
storing
program
Destruction
media
storing
program
Destruction
media
storing
program
disappearance
S05
S05
media
storing
program
disappearance
F03-AC2
S05
media
storing
program
disappearance
F03-MA2
S05
media
storing
program
disappearance
F03-MA2
S05
media
storing
program
disappearance
F03-MA2
S05
media
storing
program
disappearance
F03-MA2
THREAT
Destruction
Med.des
Med.des
Destruction
Med.des
Med.des
Med.dis
Med.dis
Med.dis
Med.dis
Med.dis
Med.dis

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Type of
damage
S05
media
storing
program
disappearance
F03-MA2
S05
media
storing
program
disappearance
F03-MA2
S05
media
storing
program
inoperability
F04-AC2
S05
F04-AC2
S05
F04-AC2
S05
media
storing
program
media
storing
program
media
storing
program
inoperability
F04-AC2
S05
media
storing
program
inoperability
F04-AC2
S05
media
storing
program
inoperability
F04-AC2
S05
media
storing
program
inoperability
F04-AC2
F06-AC1
S05
Server
damaging
Server
damaging
F06-AC1
S05
F06-AC2
S05
Circumstances
Event
Code
Actor
Type
Sub
Type
Place Time
MA.P
Vol
Md.
MA.P
Vol
Md.
Pse
AC.M
Equ
Exp
IC.E
De
Exp
IC.E
Se
Exp
IF.L
Exp
Exp
IC.E
Pol
Md.
IC.E
De
Md.
IC.E
Age
Md.
IC.E
De
Exp
IC.E
Se
Exp
AC.E
Fou
Exp
Access Process
Med.dis
Med.dis
Med.ine
Med.ine
inoperability
Med.ine
inoperability
Med.ine
Med.ine
Med.ine
Med.ine
Eq.hs
Eq.hs
Server
THREAT
Destruction
Eq.des

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Server
Type of
damage
S05
F06-AC2
S05
F06-AC3
S05
S05
auxiliary
elements
unavailability
F06-AC3
S05
auxiliary
elements
unavailability
F06-AC3
Server
damaging
F06-MA1
S05
S05
F06-MA1
S05
F06-MA4
S05
Exp
Destruction
AC.E
Ino
Exp
unavailability
AC.M
Equ
AC.M
Ser
AB.S
Ene
MA.P
Van
Exp
Pa
MA.P
Van
Exp
Pna
MA.P
Van
Tve
MA.P
Van
Tvi
MA.L
Cfg
MA.L
Cfg
Ser.hs
Ser.hs
damaging
damaging
damaging
Eq.hs
unavailability
Eq.hs
Server
Inc
Eq.hs
Server
AC.E
Access Process
Eq.hs
Server
S05
Place Time
Eq.hs
Server
F06-MA4
Sub
Type
Eq.hs
Server
F06-MA1
Type
Eq.des
Server
Code
Actor
Eq.des
Server
S05
Circumstances
Event
Destruction
F06-AC2
F06-MA1
THREAT
unavailability
Eq.hs

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Server
F06-MA2
S05
F18-AR
S05
F18-AR
S05
F18-AR
S05
F18-AR
S05
F18-AR
S05
F18-BL
S05
F18-BL
S05
F18-BL
S05
F18-BL
S05
THREAT
Type of
damage
Event
Code
Destruction
Circumstances
Actor
Type
Sub
Type
MA.P
Ter
AB.S
Mas
AB.S
Maa
AV.P
Gre
AB.P
Per
AB.P
Pep
IF.L
Lsp
Exp
ER.L
Lin
Exp
IF.L
Exp
Exp
MA.L
Sam
Exp
ER.P
Pro
ER.P
Pro
Place Time
Access Process
Tve
Eq.des
Server
unavailability
application
lock
Eq.hs
Exp
Eq.hs
Server
unavailability
Eq.mo
Server
unavailability
Eq.mo
Server
unavailability
Eq.mo
application
lock
application
lock
application
lock
application
lock
Cfl.bug
Cfl.bug
Cfl.bug
Cfl.bug
Altration of the telecommunication functions
G02-I
F09-ER
G02
equipment
tampering
configuration
Cfl.alt
F09-ER
G02
equipment
tampering
configuration
Cfl.alt

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Event
Code
F09-MA4
G02
equipment
tampering
configuration
Cfl.alt
F09-MA4
G02
equipment
tampering
configuration
Cfl.alt
F09-MA4
G02
equipment
tampering
configuration
Cfl.alt
F09-MA4
G02
equipment
tampering
configuration
Circumstances
Actor
Type
Sub
Type
MA.L
Fal
MA.L
Fal
MA.L
Fal
Ain
Una
MA.L
Fal
Atm
Tie
ER.P
Pro
ER.P
Pro
MA.L
Fal
MA.L
Fal
MA.L
Fal
Una
ER.P
Pro
ER.P
Pro
MA.L
Fal
Place Time
Access Process
Cfl.alt
Alteration of the extended network service
R01-I
F09-ER
R01
equipment
tampering
configuration
Cfl.alt
F09-ER
R01
equipment
tampering
configuration
Cfl.alt
F09-MA4
R01
equipment
tampering
configuration
Cfl.alt
F09-MA4
R01
equipment
tampering
configuration
Cfl.alt
F09-MA4
R01
equipment
tampering
configuration
Cfl.alt
Alteration of the local area network service
R02-I
F09-ER
R02
equipment
tampering
configuration
Cfl.alt
F09-ER
R02
equipment
tampering
configuration
Cfl.alt
F09-MA4
R02
equipment
tampering
configuration
Cfl.alt

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Event
Code
F09-MA4
R02
equipment
tampering
configuration
Cfl.alt
F09-MA4
R02
equipment
tampering
configuration
Cfl.alt
Circumstances
Actor
Type
Sub
Type
MA.L
Fal
MA.L
Fal
Una
ER.P
Pro
ER.P
Pro
ER.P
Pro
MA.L
Fal
MA.L
Fal
MA.L
Fal
MA.L
Fal
Una
MA.P
Fal
Exp
Pa
MA.P
Fal
Exp
Pna
MA.P
Fal
Tran
Pa
MA.L
Fal
Con
MA.L
Fal
Con
Place Time
Access Process
Alteration of the application services
S01-I
F09-AC2
S01
F09-AC2
S01
F09-AC2
S01
F09-MA2
S01
F09-MA2
S01
F09-MA2
S01
F09-MA2
S01
F09-ME2
S01
F09-ME2
S01
F09-ME2
S01
F09-FC
S01
F09-FC
S01
program file
tampering
program file
tampering
program file
tampering
program file
tampering
program file
tampering
program file
tampering
program file
tampering
media
storing
program
media
storing
program
swap
Cfl.alt
Cfl.alt
Cfl.alt
Cfl.alt
Cfl.alt
Cfl.alt
Cfl.alt
Med.ech
swap
Med.ech
media
storing
program
swap
connection
process
tampering
connection
process
tampering
Med.ech
Cfl.alt
Cfl.alt

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
tampering
Event
Code
F09-FC
S01
connection
process
F09-AC3
S01
security
tampering
configuration
Cfl.alt
F09-AC3
S01
security
tampering
configuration
Cfl.alt
F09-MA3
S01
security
tampering
configuration
Cfl.alt
F09-MA3
S01
security
tampering
configuration
Cfl.alt
F09-MA3
S01
security
tampering
configuration
Cfl.alt
Cfl.alt
Circumstances
Actor
Type
Sub
Type
MA.L
Fal
Con
ER.P
Pro
Res
ER.P
Pro
Res
MA.L
Fal
Res
MA.L
Fal
Res
MA.L
Fal
Res
Pna
ER.P
Pro
ER.P
Pro
MA.L
Fal
MA.L
Fal
MA.L
Fal
Una
Place Time
Access Process
Alteration of the common office services
S02-I
F09-ER
S02
software
tampering
configuration
Cfl.alt
F09-ER
S02
software
tampering
configuration
Cfl.alt
F09-MA4
S02
software
tampering
configuration
Cfl.alt
F09-MA4
S02
software
tampering
configuration
Cfl.alt
F09-MA4
S02
software
tampering
configuration
Cfl.alt

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Event
Code
F09-AC3
S02
security
tampering
configuration
Cfl.alt
F09-AC3
S02
security
tampering
configuration
Cfl.alt
F09-MA3
S02
security
tampering
configuration
Cfl.alt
F09-MA3
S02
security
tampering
configuration
Cfl.alt
Circumstances
Actor
Type
Sub
Type
ER.P
Pro
Res
ER.P
Pro
Res
MA.L
Fal
Res
MA.L
Fal
Res
Pna
ER.P
Pro
ER.P
Pro
MA.L
Fal
MA.L
Fal
MA.L
Fal
Una
ER.P
Pro
Res
ER.P
Pro
Res
MA.L
Fal
Res
Place Time
Access Process
Alteration of the common system services
S04-I
F09-ER
S04
software
tampering
configuration
Cfl.alt
F09-ER
S04
software
tampering
configuration
Cfl.alt
F09-MA4
S04
software
tampering
configuration
Cfl.alt
F09-MA4
S04
software
tampering
configuration
Cfl.alt
F09-MA4
S04
software
tampering
configuration
Cfl.alt
F09-AC3
S04
security
tampering
configuration
Cfl.alt
F09-AC3
S04
security
tampering
configuration
Cfl.alt
F09-MA3
S04
security
tampering
configuration
Cfl.alt

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
F09-MA3
ASSET
type
S04
AICE Asset
THREAT
Type of
damage
security
tampering
configuration
Circumstances
Event
Code
Type
Sub
Type
MA.L
Fal
Place Time
Actor
Access Process
Res
Pna
Cfl.alt
Alteration of the publishing services for web sites, public or internal
S05-I
program file
tampering
F09-AC2
S05
F09-AC2
S05
F09-AC2
S05
F09-MA2
S05
F09-MA2
S05
F09-MA2
S05
F09-MA2
S05
S05
media
storing
program
swap
F09-ME2
S05
media
storing
program
swap
F09-ME2
S05
media
storing
program
swap
F09-ME2
program file
Pro
tampering
ER.P
Pro
ER.P
Pro
MA.L
Fal
MA.L
Fal
MA.L
Fal
MA.L
Fal
Una
MA.P
Fal
Exp
Pa
MA.P
Fal
Exp
Pna
MA.P
Fal
Tran
Pa
Cfl.alt
program file
tampering
Cfl.alt
program file
tampering
Cfl.alt
program file
tampering
Cfl.alt
program file
tampering
Cfl.alt
program file
ER.P
Cfl.alt
tampering
Cfl.alt
Med.ech
Med.ech
Med.ech

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
F09-FC
S05
F09-FC
S05
F09-FC
F09-AC3
F09-AC3
F09-MA3
F09-MA3
F09-MA3
S05
S05
S05
S05
S05
S05
THREAT
Type of
damage
connection
process
tampering
connection
process
tampering
connection
process
tampering
Event
Code
Circumstances
Actor
Type
Sub
Type
MA.L
Fal
Con
MA.L
Fal
Con
MA.L
Fal
Con
ER.P
Pro
Res
ER.P
Pro
Res
MA.L
Fal
Res
MA.L
Fal
Res
MA.L
Fal
Res
Pna
ER.P
Pro
Exp
Place Time
Access Process
Cfl.alt
Cfl.alt
Cfl.alt
security
tampering
configuration
security
tampering
configuration
security
tampering
configuration
security
tampering
configuration
security
tampering
configuration
Cfl.alt
Cfl.alt
Cfl.alt
Cfl.alt
Cfl.alt
Disclosure linked to the application service
S01-C
F11-ER2
S01
File
Programme
disclosure
Cfl.dif

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Type of
damage
F11-ER2
S01
File
Programme
disclosure
F11-ER2
S01
File
Programme
disclosure
F11-ER2
S01
File
Programme
disclosure
F11-MA2
S01
File
Programme
disclosure
F11-MA2
S01
File
Programme
disclosure
F11-MA2
S01
File
Programme
disclosure
F11-MA2
S01
File
Programme
disclosure
F11-MA2
S01
File
Programme
disclosure
Media
disappearance
F12-MA1
S01
F12-MA3
S01
F12-MA3
S01
F12-MA3
S01
F12-MA3
S01
F12-MA3
S01
Event
Code
Cfl.dif
Cfl.dif
Cfl.dif
Cfl.dif
Cfl.dif
Cfl.dif
Cfl.dif
Cfl.dif
Circumstances
Actor
Type
Sub
Type
ER.P
Pro
Mam
ER.P
Pro
Tde
ER.P
Pro
Mal
MA.L
Vol
Tru
Ual
MA.L
Vol
Tru
Uai
MA.L
Vol
Tru
Una
MA.L
Vol
Exp
MA.L
Vol
Mai
MA.P
Vol
Tran
Pa
MA.P
Vol
Sti
Pa
MA.P
Vol
Ste
Pa
MA.P
Vol
Exp
Pna
MA.P
Vol
Tran
Pna
MA.P
Vol
Sti
Pna
Place Time
Access Process
Med.dis
Media
disappearance
Media
disappearance
Med.dis
Med.dis
Media
disappearance
Med.dis
Media
disappearance
Med.dis
Media
THREAT
disappearance
Med.dis

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
Media
F12-MA3
S01
THREAT
Type of
damage
Code
disappearance
Circumstances
Event
Type
Sub
Type
MA.P
Vol
Place Time
Actor
Access Process
Ste
Med.dis
Non compliance of processes attached to the protection of personal information
C01-E
F20-NC
C01
compliance Non application

of processes
Pro.inf
F20-NC
C01

of processes
Pro.inf
F20-NC
C01

of processes
Pro.inf
F20-NC
C01

of processes
Pro.inf
PR.N
Api
Exp
PR.N
Naa
Exp
PR.N
Nam
Exp
PR.N
Nav
Exp
Non compliance of processes attached to the financial communication
C02-E
F20-NC
C02

of processes
Pro.inf
F20-NC
C02

of processes
Pro.inf
F20-NC
C02

of processes
Pro.inf
F20-NC
C02

of processes
Pro.inf
PR.N
Api
Exp
PR.N
Naa
Exp
PR.N
Nam
Exp
PR.N
Nav
Exp
Non compliance of processes attached to the verification of accounting
C03-E
F20-NC
C03

of processes
PR.N
Pro.inf
Api
Exp
Pna

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Event
Code
F20-NC
C03

of processes
Pro.inf
F20-NC
C03

of processes
Pro.inf
F20-NC
C03

of processes
Pro.inf
Circumstances
Actor
Type
Sub
Type
PR.N
Naa
Exp
PR.N
Nam
Exp
PR.N
Nav
Exp
Place Time
Access Process
Non compliance of processes attached to the protection of intellectual property
C04-E
F20-NC
C04

of processes
Pro.inf
F20-NC
C04

of processes
Pro.inf
F20-NC
C04

of processes
Pro.inf
F20-NC
C04

of processes
Pro.inf
PR.N
Api
Exp
PR.N
Naa
Exp
PR.N
Nam
Exp
PR.N
Nav
Exp
Non compliance of processes attached to the protection of computing systems
C05-E
F20-NC
C05

of processes
Pro.inf
F20-NC
C05

of processes
Pro.inf
F20-NC
C05

of processes
Pro.inf
F20-NC
C05

of processes
Pro.inf
PR.N
Api
Exp
PR.N
Naa
Exp
PR.N
Nam
Exp
PR.N
Nav
Exp

ASSET
VULNERABILITY
Supporting
Scenario
Family
Family
Code
ASSET
type
AICE Asset
THREAT
Type of
damage
Event
Code
Type
Sub
Type
Circumstances
Place Time
Actor
Access Process
Non compliance of processes attached to the protection of human beings and environment
C06-E
F20-NC
C06

of processes
Pro.inf
F20-NC
C06

of processes
Pro.inf
F20-NC
C06

of processes
Pro.inf
F20-NC
C06

of processes
Pro.inf
PR.N
Api
Exp
PR.N
Naa
Exp
PR.N
Nam
Exp
PR.N
Nav
Exp
Consideration of Security services if 1 :
Seriousness for plans
1 1 1 3 1
Erasure, due to an error, of files of data, by a user authorized legitimately,

connected from the internal network
1 1 1 3 0
Erasure, due to an error, of files of data, by a user authorized illegitimately,

1 1 1 3 0
max(07A02;09A02)
Erasure, due to an error, of files of data, by a user not authorized, connected

from the internal network
1 1 1 3 0
min(07A03;07A04)
Erasure, due to an error, of files of data, by a member of the production team,

1 1 1 3 0
Erasure, due to an error, of files of data, by a member of the maintenance

team , connected from the internal network
1 1 1 3 0
Malicious erasure of files and backups of data, by a user authorized

legitimately, connected from the internal network
1 1 1 3 0
Malicious erasure of files and backups of data, by a user authorized

illegitimately, connected from the internal network
1 1 1 3 0
Malicious erasure of files and backups of data, by a user not authorized,

1 1 1 3 0
Malicious erasure of files and backups of data, by a member of the production

team, connected from the internal network
1 1 1 3 0
min(08F02;08F03)
Malicious erasure of files and backups of data, by a member of the

maintenance team , connected from the internal network
1 1 1 3 0
max(08A05;08E02)
Malicious erasure of files and backups of data, by an unauthorized third party ,

connected through a remote maintenance port
1 1 1 3 0
Malicious erasure of files and backups of data, by a member of the production

team, connected through a remote maintenance port
1 1 1 1 0
Pollution, by accident, of files of data due to a procedure error, during a

software maintenance operation
1 1 1 3 0
10B05
Pollution, by accident, of files of data due to a procedure error, during a hot

maintenance operation
1 1 1 3 0
10B06
Pollution, by accident, of files of data due to a production incident
1 1 1 3 0
Malicious pollution of files of data, by a user authorized illegitimately,

1 1 1 3 0
seriousness
Likelihood
Impact
Impact
Accidental erasure of files of data, due to a production incident
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
Accept (A) or transfer (T)
Effect of security measures (formulas)
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
08A03
Confining
EFF-CONF
08E03
min(07C01;08E02)
min(07C01;08E02)
max(07A02;09A02)
min(07A03;07A04)
08A06
min(08F02;08F03)
08D03
max(min(07A01;07A0
2;08F01);min(09A01;0
9A02))
08E02
1 1 1 3 0
Malicious pollution of files of data, by a member of the production team,

1 1 1 3 0
09C02
Malicious pollution of files of data, by a member of the maintenance team ,

1 1 1 3 0
max(09C02;10B05)
Loss, due to accidental destruction, of media supporting files of data, within the
production premises, due to a fire
1 1 1 3 0
Loss, due to accidental destruction, of media supporting files of data, within the
production premises, due to flooding
1 1 1 3 0
Loss, due to accidental destruction, of media supporting files of data, in the

media storage premises, due to a fire
1 1 1 3 0
Loss, due to accidental destruction, of media supporting files of data, in the

media storage premises, due to flooding
1 1 1 3 0
Loss, due to accidental disappearance, of media supporting files of data, in the

media storage premises
1 1 1 3 0
Loss, due to accidental disappearance, of media supporting files of data, within

the production premises
1 1 1 3 0
Theft of media supporting files of data, within the production premises, by a

member of the staff not authorized
1 1 1 3 0
03B06

member of the production team
1 1 1 3 0
03B06

member of the services team
1 1 1 3 0
03B06
Theft of media supporting files of data, in the media storage premises, by a

1 1 1 3 0
03B06

1 1 1 3 0
03B06

1 1 1 3 0
03B06
Impossibility, due to an accident, to use a media supporting files of data, within

the production premises, caused by the breakdown of an equipment
1 1 1 3 0

the production premises, due to a liquid (water) damage
1 1 1 3 0
seriousness
Likelihood
Impact
Impact
Malicious pollution of files of data, by a user not authorized, connected from

the internal network
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
max(min(07A03;07A0
4;08F02);min(09A03;0
9A04);09C02)
03D01
03D01
min(03B03;03B04)
08C03
09D01
03C01
Confining
EFF-CONF
1 1 1 3 0

the production premises, due to a production incident
1 1 1 3 0
Impossibility, due to an accident, to use a media supporting files of data, in the

media storage premises, due to pollution
1 1 1 3 0
Impossibility, due to an accident, to use a media supporting files of data, in the

media storage premises, due to a liquid (water) damage
1 1 1 3 0
Disappearance, due to an accident, of means required for accessing files of

data
1 1 1 3 0
Theft or malicious destruction of means required for accessing files of data
1 1 1 3 0
Accidental erasure of files shared for office work, due to a virus
1 1 1 1 0
Erasure, due to an error, of files shared for office work, by a user authorized
1 1 1 1 0
Erasure, due to an error, of files shared for office work, by a user authorized
1 1 1 1 0
Erasure, due to an error, of files shared for office work, by a user not
authorized, connected from the internal network
1 1 1 1 0
Erasure, due to an error, of files shared for office work, by a member of the
production team, connected from the internal network
1 1 1 1 0
Erasure, due to an error, of files shared for office work, by a member of the
maintenance team , connected from the internal network
1 1 1 1 0
Malicious erasure of files and backups shared for office work, by a user
authorized legitimately, connected from the internal network
1 1 1 1 0
Malicious erasure of files and backups shared for office work, by a user
authorized illegitimately, connected from the internal network
1 1 1 1 0
Malicious erasure of files and backups shared for office work, by a user not
1 1 1 1 0
Malicious erasure of files and backups shared for office work, by a member of
the production team, connected from the internal network
1 1 1 1 0
the maintenance team , connected from the internal network
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

the production premises, due to an electrical over load
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
min(03A01;03A04)
08A03
08C03
min(08D07;11D06)
07A02
min(07A03;07A04)
min(08F02;08F03)
08E03
1 1 1 1 0
Loss, due to accidental destruction, of media supporting files shared for office
work, within the production premises, due to a fire
1 1 1 1 0
Loss, due to accidental destruction, of media supporting files shared for office
work, within the production premises, due to flooding
1 1 1 1 0
Theft of media supporting files shared for office work, within the production
premises, by a member of the staff not authorized
1 1 1 1 0
03B06
premises, by a member of the production team
1 1 1 1 0
03B06
premises, by a member of the services team
1 1 1 1 0
03B06
Impossibility, due to an accident, to use a media supporting files shared for

office work, within the production premises, caused by the breakdown of an
equipment
1 1 1 1 0

office work, within the production premises, due to a liquid (water) damage
1 1 1 1 0

office work, within the production premises, due to an electrical over load
1 1 1 1 0

office work, within the production premises, due to a production incident
1 1 1 1 0
Disappearance, due to an accident, of means required for accessing files

shared for office work
1 1 1 1 0
Theft or malicious destruction of means required for accessing files shared for
office work
1 1 1 1 0
Accidental erasure of files used for personal office activity, due to a virus
1 1 1 1 0
1 1 1 1 0
1 1 1 1 0
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
min(08F02;08F03)
03D01
Erasure, due to an error, of files used for personal office activity, by an

authorized user, directly connected to the workstation
Erasure, due to an error, of files used for personal office activity, by a member
of the production team, connected from the internal network
seriousness
Likelihood
Impact
Impact
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
min(03B03;03B04)
03C01
min(03A01;03A04)
08A03
min(08D07;11D06)
08E03
1 1 1 1 0
Erasure, due to an error, of files used for personal office activity, by a user not
authorized, directly connected to the workstation, while the user is absent
Malicious erasure of files and backups used for personal office activity, by a
user not authorized, directly connected to the workstation, while the user is
absent
user not authorized, directly connected to the workstation, outside working
hours
member of the production team, connected from the internal network
1 1 1 1 0
1 1 1 1 0
11B01
1 1 1 1 0
11B01
1 1 1 1 0
member of the maintenance team
1 1 1 1 0
Loss, due to accidental destruction, of media supporting files used for personal
office activity, in the offices, due to a fire
1 1 1 1 0
Loss, due to accidental destruction, of media supporting files used for personal
office activity, in the offices, due to flooding
1 1 1 1 0
Loss, due to accidental disappearance, of media supporting files used for

personal office activity, in the offices
1 1 1 1 0
Loss, due to accidental disappearance, of media supporting files used for

personal office activity, outside the company
1 1 1 1 0
Vol of PC portable contenant des fichiers used for personal office activity, in the
offices, by a member of the enterprise staff
1 1 1 1 0
offices, by a member of the services team
1 1 1 1 0
offices, by a visitor
1 1 1 1 0
Vol of PC portable contenant des fichiers used for personal office activity,
outside the company
1 1 1 1 0
Theft of media supporting files used for personal office activity, in the offices, by
a member of the enterprise staff
1 1 1 1 0
a member of the services team
1 1 1 1 0
a visitor
Impossibility, due to an accident, to use a media supporting files used for
personal office activity, in the offices, caused by the breakdown of an
equipment
personal office activity, in the offices, due a liquid (water) damage
1 1 1 1 0
1 1 1 1 0
1 1 1 1 0
1
1
seriousness
Likelihood
Impact
Impact
Erasure, due to an error, of files used for personal office activity, by a member
of the maintenance team
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
min(08F02;08F03)
02C05
02D02
02C05
02D02
02C05
max(02C03;02D02)
02C05
02D02
02C05
02D02
02C05
max(02C03;02D02)
Confining
EFF-CONF

personal office activity, in the offices, due to ageing
Disappearance, due to an accident, of means required for accessing files used

for personal office activity
1 1 1 1 0
1 1 1 1 0
1 1 1 1 0
1 1 1 1 0
Accidental disappearance or impossibility to use a document written or printed

detained by users, due to a liquid (water) damage
1 1 1 1

detained by users, due to a fire
1 1 1 1

detained by users, due to flooding
1 1 1 1
Loss of document written or printed detained by users, due to a loss or

forgetting
1 1 1 1
Loss of document written or printed detained by users, due to a loss or

forgetting, outside the company
1 1 1 1
Malevolent disappearance, theft or destruction of document written or printed

detained by users, due to a theft, by a member of the enterprise staff
1 1 1 1

detained by users, due to a theft, by a visitor
1 1 1 1

detained by users, due to a theft, by a member of the enterprise staff
1 1 1 1

detained by users, due to a theft, by a member of the services team
1 1 1 1

detained by users, outside the company
1 1 1 1
seriousness
Likelihood
Impact
Impact
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
calculated
values
Type AICE

personal office activity, in the offices, due to an electrical over load
security decided
measures values
Type AEM
Direct Selection
Intrinsic
values
DESCRIPTION
Theft or malicious destruction of means required for accessing files used for
personal office activity
Dissuasion
EFF-DISS
Prevention
EFF-PREV
min(03A01;03A04)
min(02D01;02D06)
min(02D01;02D06)
min(02D01;02D06)
min(02D01;02D06)
11B02
02C05
min(02D01;02D06)
02C05
min(02D01;02D06)
02C05
min(02D01;02D06)
min(02D01;02D06)
11B02
Confining
EFF-CONF
1 1 1 1
Accidental loss of data during a transfer: messages or transactions waiting for

treatment, caused by the breakdown of an equipment
1 1 1 1

treatment, due to a fire
1 1 1 1

treatment, due to flooding
1 1 1 1
Malicious destruction of data during a transfer: erasure of data by a member of

the production team
1 1 1 1
Malicious destruction of data during a transfer: erasure of data by a member of

the staff not authorized
1 1 1 1
Accidental loss of data during a transfer: e-mails during emission or receipt,

due to a production incident
1 1 1 1

caused by the breakdown of an equipment
1 1 1 1

due to a fire
1 1 1 1

due to flooding
1 1 1 1
Loss of data, due to an error, during a transfer: e-mails during emission or

receipt, due to a procedure error, during user treatments
1 1 1 1

receipt, due to a procedure error, during production
1 1 1 1

receipt, due to a procedure error, during a maintenance operation
1 1 1 1
Malicious destruction of data during a transfer: erasure of e-mails by a member

of the production team
1 1 1 1
Malicious destruction of data during a transfer: erasure of e-mails by a member

of the staff not authorized
1 1 1 1
seriousness
Likelihood
Impact
Impact

treatment, due to a production incident
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
08A03
03D01
03C01
min(08F02;08F03)
min(08F02;07A03;07A
04)
08A03
03D01
03C01
min(08F02;08F03)
min(08F02;07A03;07A
04)
Confining
EFF-CONF
1 1 1 1
Accidental loss of documents during a transportation: fax during emission or

receipt, due to a fire
1 1 1 1
02D05

receipt, due to flooding
1 1 1 1
02D05

receipt, caused by the breakdown of an equipment
1 1 1 1
Accidental loss of documents during a transportation: post mail during emission

or receipt, due to a liquid (water) damage
1 1 1 1
02D04

or receipt, due to a fire
1 1 1 1
02D04

or receipt, due to flooding
1 1 1 1
02D04
Loss of documents due to an error, during a transfer: fax, due to a procedure

error, during user treatments
1 1 1 1
Loss of documents due to an error, during a transfer: post mail, due to a

procedure error, during user treatments
1 1 1 1
Malicious destruction of documents during a transfer : theft of fax, in the fax

office by a member of the staff not authorized
1 1 1 1
Malicious destruction of documents during a transfer : theft of fax, in the

distribution office by a member of the enterprise staff
1 1 1 1
Malicious destruction of documents during a transfer
1 1 1 1
Malicious destruction of documents during a transfer : theft of post mail, in the

post mail office by a member of the staff not authorized
1 1 1 1
Malicious destruction of documents during a transfer : theft of post mail, in the

distribution office by a member of the enterprise staff
1 1 1 1
Accidental disappearance or impossibility to use a document of archives

(patrimony or documents) or important documents to preserve for a long period
of time, within the archival premises, due to a liquid (water) damage
seriousness
Likelihood
Impact
Impact

receipt, due to a liquid (water) damage
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
02D05
02D05
02D05
02D04
02D04
min(02D06;02D07)
1 1 1 1
Confining
EFF-CONF
1 1 1 1
min(02D06;02D07)
1 1 1 1
3
min(02D06;02D07)
1 1 1 1
Malevolent disappearance, theft or destruction of document of archives

of time, within the archival premises, by an authorized staff member, during
working hours
1 1 1 1

of time, within the archival premises, by a member of the staff not authorized,
outside working hours

of time, during the transportation between sites
1 1 1 1
1 1 1 1
1 1 1 1
1 1 1 1
min(02D06;02D07)
min(02D06;02D07)
min(02D06;02D07)
min(02D06;02D07)
min(02D06;02D07)
min(02D06;02D07)
min(02D06;02D07)
min(02D06;02D07)
min(02D06;02D07)
min(02D06;02D07)
min(02D06;02D07)
min(02D06;02D07)

of time, within the archival premises, by vandals or terrorists acting from outside
1 1 1 1
Erasure, due to an error, of files of digitalized archives , by an authorized user,

1 1 1 1 0
Prevention
EFF-PREV

of time, within the archival premises, by a member of the staff not authorized,
during working hours
Dissuasion
EFF-DISS
min(02D06;02D07)
Loss of document of archives (patrimony or documents) or important

documents to preserve for a long period of time, due to to a procedure error,
within the archival premises

of time, within the archival premises, by a member of the services team, outside
working hours

of time, within the archival premises, due to flooding
seriousness
Likelihood
calculated
values
Impact
Type AICE
Impact
Type AEM

of time, within the archival premises, due to a fire
security decided
measures values
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Direct Selection
Intrinsic
values
DESCRIPTION
Confining
EFF-CONF
1 1 1 1 0
Malicious erasure of files and backups of digitalized archives , by a member of

1 1 1 1 0
Malicious erasure of files and backups of digitalized archives , by a user

1 1 1 1 0
Malicious erasure of files and backups of digitalized archives , by a user

1 1 1 1 0
08H02
Malicious erasure of files and backups of digitalized archives , by a member of

the staff not authorized, connected from the internal network
1 1 1 1 0
08H02
Loss, due to accidental destruction, of media supporting files of digitalized

archives , in the media storage premises, due to a fire
1 1 1 1 0
08H03
Loss, due to accidental destruction, of media supporting files of digitalized

archives , in the media storage premises, due to flooding
1 1 1 1 0
08H03
Loss, due to accidental disappearance, of media supporting files of digitalized

archives , within the archival premises
Loss, due to accidental disappearance, of media supporting files of digitalized
archives , within the production premises
Theft of media supporting files of digitalized archives , within the archival
premises, by an authorized staff member
premises, by a member of the staff not authorized
premises, by a member of the services team
Theft of media supporting files of digitalized archives , in the distribution office,
by a member of the staff not authorized
1 1 1 1 0
08H01
1 1 1 1 0
1 1 1 1 0
1 1 1 1 0
08H03
1 1 1 1 0
08H03
1 1 1 1 0
08H02
Impossibility, due to an accident, to use a media supporting files of digitalized

archives , within the archival premises, due to ageing
1 1 1 1 0
Impossibility, due to an accident, to use a media supporting files of digitalized

archives , within the archival premises, due to a liquid (water) damage
1 1 1 1 0
Disappearance, due to an accident, of means required for accessing files of

digitalized archives
1 1 1 3
Theft or malicious destruction of means required for accessing files of

digitalized archives
1 1 1 3
Erasure, due to an error, of files of data posted on public or internal sites , by a

user authorized legitimately, connected from the internal network
1 1 1 3 0

user authorized illegitimately, connected from the internal network
1 1 1 3 0
seriousness
Likelihood
Impact
Impact
Erasure, due to an error, of files of digitalized archives , by a member of the

Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
08H02
08H03
08H03
08H03
08C05
1 1 1 3 0

member of the production team, connected from the internal network
1 1 1 3 0

1 1 1 3 0
Malicious erasure of files and backups of data posted on public or internal sites
, by a user not authorized, connected from the internal network
1 1 1 3 0
, by a member of the production team, connected from the internal network
1 1 1 3 0
min(08F02;08F03)
, by a member of the maintenance team
1 1 1 3 0
max(08A05;08E02)
Pollution, by accident, of files of data posted on public or internal sites due to

a procedure error, during a software maintenance operation
1 1 1 3
Pollution, by accident, of files of data posted on public or internal sites due to

a procedure error, during a hot maintenance operation
1 1 1 3
Pollution, by accident, of files of data posted on public or internal sites due a

production incident
1 1 1 3
Loss, due to accidental destruction, of media supporting files of data posted on

public or internal sites , within the production premises, due to a fire
1 1 1 3 0

public or internal sites , within the production premises, due to flooding
1 1 1 3 0

public or internal sites , in the media storage premises, due to a fire
1 1 1 3 0

public or internal sites , in the media storage premises, due to flooding
1 1 1 3 0
Loss, due to accidental disappearance, of media supporting files of data

posted on public or internal sites , within the production premises
1 1 1 3 0
Theft of media supporting files of data posted on public or internal sites , within
the production premises, by a member of the staff not authorized
1 1 1 3 0
seriousness
Likelihood
Impact
Impact

user not authorized, connected from the internal network
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
min(07A03;07A04)
10B05
10B06
08D03
03D01
03D01
03B06
min(03B03;03B04)
08E02
1 1 1 3 0
03B06
the production premises, by a member of the services team
1 1 1 3 0
03B06
Impossibility, due to an accident, to use a media supporting files of data posted

on public or internal sites , within the production premises, caused by the
breakdown of an equipment
1 1 1 3 0

on public or internal sites , within the production premises, due to a liquid
(water) damage
1 1 1 3 0

on public or internal sites , within the production premises, due to an electrical
over load
1 1 1 3 0

on public or internal sites , within the production premises, due to a production
incident
1 1 1 3 0
Tampering, by accident, (and not detected) of files of data due to a procedure

error, during a software maintenance operation
1 1 1 1 1
Tampering, by accident, (and not detected) of files of data due to a procedure

error, during a hot maintenance operation
1 1 1 1 1
Tampering, by accident, (and not detected) of files of data due to a production

incident
1 1 1 1 1
Tampering, due to an error of procedure, of configurations of data, by a user

1 1 1 1 1

1 1 1 1 1
max(09B05;min(07A0 09B04
1;07A02;08F01);min(0
9A01;09A02))

not authorized, connected from the internal network
1 1 1 1 1
max(09B05;min(07A0 09B04
3;07A04;08F02);min(0
9A03;09A04))
Tampering, by accident, (and not detected) of files of data posted on public or

internal sites due to a procedure error, during a software maintenance
operation
1 1 1 1 1
seriousness
Likelihood
Impact
Impact
the production premises, by a member of the production team
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
03C01
min(03A01;03A04)
08A03
08E03
max(09B05;10B05)
09B04
max(09B05;10B06)
09B04
max(09B05;08D03)
09B04
09B05
09B04
max(09B05;10B05)
09B04
1 1 1 1 1
Malicious (and undetected) tampering of files of data, by a user not authorized,

1 1 1 1 1
Malicious (and undetected) tampering of files of data, by a member of the

1 1 1 1 1
Malicious (and undetected) tampering of files of data during production by a

1 1 1 1 1
Malicious (and undetected) tampering of files of data, by an unauthorized third

party , connected through a remote maintenance port
1 1 1 1 1
Malicious (and undetected) tampering of files of data during the transportation

between sites by an authorized staff member
1 1 1 1 1
1 1 1 1 1
Malicious (and undetected) swap of media containing files of data during

production by a member of the staff not authorized
1 1 1 1 1
Malicious (and undetected) swap of media containing files of data during the
transportation between sites by an authorized staff member
1 1 1 1 1
1 1 1 1
Malicious (and undetected) swap of media containing files of data during

production by an authorized staff member
Tampering, due to an error of procedure, of configurations shared for office

work during user treatments, by a user authorized legitimately, connected from
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
max(09B05;min(07A0 09B04
1;07A02;08F01);min(0
9A01;09A02))
max(09B05;min(07A0 09B04
3;07A04;08F02);min(0
9A03;09A04);09B01;0
max(09B01;09C02)
09B04
9C02)
max(09B01;09C02)
09B04
08A06
09B04
max(09B01;09C02)
09B04
09B04
max(03B04;03B05;03 max(min(03B01;03B0 09B04

B06)
2;03B03);08C02;09B0
1;09C02)
max(09B01;09C02)
11C04

work during user treatments, by a user authorized illegitimately, connected from
1 1 1 1

work during user treatments, by a user not authorized, connected from the
internal network
1 1 1 1
Malicious (and undetected) tampering of files shared for office work during
production, by a user authorized illegitimately, connected from the internal
network
1 1 1 1
seriousness
Likelihood
Impact
Impact
Malicious (and undetected) tampering of files of data, by a user authorized

Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
min(07A01;07A02;08F
01)
max(min(08F02;07A0
3;07A04);11C01;11C0
4)
min(07A01;07A02;08F
01)
09B04
1 1 1 1
production, by a member of the production team, connected from the internal
network
1 1 1 1
production, by a member of the maintenance team , connected from the
internal network
1 1 1 1
Malicious (and undetected) swap of media containing files shared for office
work during production, by an authorized staff member, connected from the
internal network
1 1 1 1
Malicious (and undetected) swap of media containing files shared for office
work during production, by a member of the staff not authorized, connected
1 1 1 1
Tampering, due to an error of procedure, of configurations used for personal

office activity during user treatments, by a user authorized legitimately, directly
connected to the workstation
1 1 1 1
Tampering, due to an error of procedure, of configurations used for personal

office activity during user treatments, by a user not authorized, directly
connected to the workstation
1 1 1 1
Malicious (and undetected) tampering of files used for personal office activity
stored on the work station, by a member of the production team, connected
1 1 1 1
stored on the work station by a member of the maintenance team
1 1 1 1
stored on a removable media by an authorized staff member
1 1 1 1
open on the workstation, by a user not authorized, directly connected to the
workstation
1 1 1 1
1 1 1 1
Malicious (and undetected) swap of media containing files used for personal
office activity stored on a removable media by an authorized staff member
seriousness
Likelihood
Impact
Impact
production, by a user not authorized, connected from the internal network
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
max(min(08F02;07A0
3;07A04);11C01;11C0
4)
max(11C011;11C04)
max(11C01;11C03;11
C04)
max(11C01;11C04)
max(03B04;03B05;03 max(min(03B01;03B0
B06)
2;03B03);08C02;11C0
1;11C04)
11C04
max(11B01;11C04)
max(11C01;11C04)
max(11C01;11C03;11
C04)
11C02
max(11B01;11C01;11
C04)
11C02
Confining
EFF-CONF
1 1 1 1 1
Malicious handling of data (individually) sensitive during production, by a user

1 1 1 1 1
Malicious handling of data (individually) sensitive during production, by a

member of the staff not authorized, connected from the internal network
1 1 1 1 1
Malicious handling of data (individually) sensitive during production, by a user

1 1 1 1 1
Malicious handling of data (individually) sensitive, during production, by a

1 1 1 1 1
max(09B01;09C02)
09B04
Malicious handling of data (individually) sensitive, during production, by a

1 1 1 1 1
max(09B01;09C02)
09B04
Malicious handling of messages or data during transfers over the extended

network, by an unauthorized third party , connected on the extended network
1 1 1 1 1
max(04C01;04C02;09 09B04
B02;09C01)
Malicious handling of messages or data during transfers, over the extended

network, by a member of the production team
1 1 1 1 1
max(04C01;04C02;09 09B04
B02;09C01)
Malicious handling of messages or data during transfers, during an access to

the network from outside, by a member of the staff not authorized
1 1 1 1 1
Malicious handling of messages or data during transfers, during an access to

the network from outside, by a member of the production team
1 1 1 1 1
Malicious handling of messages or data during transfers, during exchanges on

the local area network, by a member of the staff not authorized
1 1 1 1 1
Malicious handling of messages or data during transfers, during exchanges on

the local area network, by a member of the production team
1 1 1 1 1
Replay of transaction
1 1 1 1 1
Forged message sent by a member of personnel usurping the identity of an

authorized person (or server) by using a fallacious signature
1 1 1 1
seriousness
Likelihood
Impact
Impact
Tampering of data individually sensitive due to an error during capture or typing
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
09B03
Prevention
EFF-PREV
Confining
EFF-CONF
09B03
09B04
09B03
09B04
max(min(07A03;07A0 09B04
4;08F02);min(09A03;0
9A04;08F02);09B01;0
9C02)
max(min(07A01;07A0 09B04
2);min(09A01;09A02))
max(05C03;05C04)
09B04
max(05C03;05C04)
09B04
max(05C01;05C02;09 09B04
B02;09C01)
max(05C01;05C02;09 09B04
B02;09C01)
max(04C01;09C01;09 09F03
F02)
09F01
1 1 1 1
Malicious handling of e-mails during emission or receipt, by a member of the

production team
1 1 1 1
Sending of a faked email, by using a forged signature
1 1 1 1
11C05
Sending of a faked fax, by using a forged signature
1 1 1 1
02D05
Malicious (and undetected) tampering of files of digitalized archives , by a

1 1 1 1
Malicious (and undetected) tampering of files of digitalized archives , by a

member of the staff not authorized, connected from the internal network
1 1 1 1
Malicious (and undetected) swap of media containing files of digitalized

archives , by an authorized staff member, connected from the internal network
archives , by a member of the staff not authorized, connected from the internal
network
archives , by an unauthorized third party , connected from the internal network
1 1 1 1
1 1 1 1
1 1 1 1 0

internal sites due to a procedure error, during a hot maintenance operation
1 1 1 1 1

internal sites due a production incident
1 1 1 1 1
Tampering, due to an error of procedure, of configurations of data posted on

public or internal sites during user treatments, by a user authorized
1 1 1 1 1

public or internal sites during user treatments, by a user authorized
1 1 1 1 1
max(09B05;min(07A0 09B04
1;07A02;08F01);min(0
9A01;09A02))

public or internal sites during user treatments, by a user not authorized,
1 1 1 1 1
max(09B05;min(07A0 09B04
3;07A04;08F02);min(0
9A03;09A04))
seriousness
Likelihood
Impact
Impact
Malicious handling of e-mails during emission or receipt, by an unauthorized

third party
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
11C05
11C05
08H02
08H02
08H03
08H02
08H02
max(09B05;10B06)
09B04
max(09B05;08D03)
09B04
09B05
09B04
1 1 1 1 1
Malicious (and undetected) tampering of files of data posted on public or

internal sites during production, by a user not authorized, connected from the
internal network
1 1 1 1 1

internal sites during production, by a member of the production team
1 1 1 1 1

internal sites during production, by a member of the maintenance team
1 1 1 1 1
Disclosure, due to an error, of files of data due to a procedure error during

production
1 1 1 1
09C02
Disclosure, due to an error, of files of data due to a procedure error during a

hardware maintenance operation
1 1 1 1
max(08A05;09C02)
Disclosure, due to an error, of files of data due to a procedure error during

development tests
1 1 1 1
max(10B04;09C02)
Disclosure, due to an error, of files of data due to a procedure error during a

software maintenance operation
1 1 1 1
Diversion of files of data during user treatments, by a user authorized

1 1 1 1
Diversion of files of data during user treatments, by a user authorized

1 1 1 1
Diversion of files of data during user treatments, by a user not authorized,

1 1 1 1
Diversion of files of data, during production, by a member of the production

team
1 1 1 1
Diversion of files of data during production, by an unauthorized third party ,

1 1 1 1

connected, from outside, to the local area notwork
1 1 1 1

connected through a remote maintenance port
1 1 1 1
seriousness
Likelihood
Impact
Impact

internal sites during production, by a user authorized illegitimately, connected
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
max(09B05;min(07A0 09B04
1;07A02;08F01);min(0
9A01;09A02))
max(09B05;min(07A0 09B04
3;07A04;08F02);min(0
9A03;09A04))
max(09B01;09C02)
09B04
max(09B01;09C02)
max(08A05;09C02)
07C01
07C01
max(min(07A01;07A0
2);min(09A01;09A02))
max(min(07A03;07A0
4;08F02;08C06);min(0
9A03;09A04))
09C02
max(05B03;min(07A0
3;07A04))
max(min(05B04;05B0
5;05B06;05B07;06B0
2);min(07A03;07A04))
08A06
09B04
1 1 1 1
Diversion of files of data, during a maintenance operation, by a member of the

maintenance team
1 1 1 1
Disclosure of information, due to a theft, of media containing files of data,

during the transportation between sites, by an authorized staff member
1 1 1 1

during a storage in the site, by an authorized staff member
1 1 1 1

during an externalized storage , by an authorized staff member
1 1 1 1

during production, by a member of the staff not authorized
1 1 1 1

during the transportation between sites, by a member of the staff not authorized
1 1 1 1

during a storage in the site, by a member of the staff not authorized
1 1 1 1

during an externalized storage , by a member of the staff not authorized
1 1 1 1
Disclosure, due to an error, of files shared for office work due to a procedure
error during production
1 1 1 1
Disclosure, due to an error, of files shared for office work due to a procedure
error during a hardware maintenance operation
1 1 1 1
Diversion of files shared for office work during user treatments, by a user
1 1 1 1
Diversion of files shared for office work during user treatments, by a user
1 1 1 1
Diversion of files shared for office work during user treatments, by a user not
1 1 1 1
seriousness
Likelihood
Impact
Impact

connected on the storage network
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
min(05B08;05B09)
max(min(07B01;08A0
5);09C02)
09C02
08C03
09C02
08C04
09C02
03B06
max(min(03B03;03B0
4);09C02)
max(08C07;09C02)
08C03
max(08C03;09C02)
08C04
max(08C04;09C02)
11C01
max(11C01;11C03)
min(07A01;07A02)
max(min(07A03;07A0
4;08C06;08F02);11C0
1)
Confining
EFF-CONF
1 1 1 1
11C01
Diversion of files shared for office work during a maintenance operation, by a

1 1 1 1
max(11C01;11C03)
Diversion of files shared for office work during production, by an unauthorized

third party , connected from the internal network
1 1 1 1

third party , connected, from outside, to the local area notwork
1 1 1 1

third party , connected on the storage network
1 1 1 1
Disclosure of information, due to a theft, of media containing files shared for

office work, during production, by an authorized staff member
1 1 1 1

office work, during the transportation between sites, by an authorized staff
member
1 1 1 1

office work, during a storage in the site, by an authorized staff member
1 1 1 1

office work, during an externalized storage , by an authorized staff member
1 1 1 1

office work, during production, by a member of the staff not authorized
1 1 1 1

office work, during the transportation between sites, by a member of the staff
not authorized
1 1 1 1

office work, during a storage in the site, by a member of the staff not authorized
1 1 1 1

office work, during an externalized storage , by a member of the staff not
authorized
1 1 1 1
seriousness
Likelihood
Impact
Impact
Diversion of files shared for office work during production, by a member of the
production team
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
max(05B03;min(07A0
3;07A04);11C01)
max(min(05B04;05B0
5;05B06;05B07;06B0
2);min(07A03;07A04);
11C01)
max(min(05B08;05B0
9);11C01)
02C05
11C01
11C01
08C03
11C01
08C04
11C01
max(min(03B03;03B0
4);11C01)
max(08C07;11C01)
08C03
max(08C03;11C01)
08C04
max(08C04;11C01)
Confining
EFF-CONF
1 1 1 1
Disclosure, due to an error, of files used for personal office activity due to a
procedure error, during a hardware maintenance operation
1 1 1 1
Diversion of files used for personal office activity, by a member of the staff not
authorized, directly connected to the workstation, while the user is absent
1 1 1 1
max(min(11B01;11E0
1);11C01)
Diversion of files used for personal office activity, by a member of the staff not
authorized, directly connected to the workstation, outside working hours
1 1 1 1
max(min(11B01;11E0
1);11C01)
Diversion of files used for personal office activity, during production, by a

1 1 1 1
Diversion of files used for personal office activity, during a maintenance

operation, by a member of the maintenance team
1 1 1 1
Disclosure of information, due to an accidental loss, of media containing files

used for personal office activity, outside the company
1 1 1 1 0
Disclosure of information, due to a theft, of media containing files used for

personal office activity, in the offices, by a member of the enterprise staff, while
the user is absent
1 1 1 1

personal office activity, in the offices, by a visitor, while the user is absent
1 1 1 1

personal office activity, in the offices, by a member of the enterprise staff,
1 1 1 1

personal office activity, in the offices, by a member of the services team,
1 1 1 1

personal office activity, outside the company
1 1 1 1
Disclosure of information, due to a theft, of portable equipment (e.g. PC)

containing files used for personal office activity, in the offices, by a member of
the enterprise staff, while the user is absent
1 1 1 1
seriousness
Likelihood
Impact
Impact
Disclosure, due to an error, of files used for personal office activity due to a
procedure error, during user treatments
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
11C01
max(11C01;11C03)
min(11E02;11E03)
11C01
max(11C01;11C03)
11C01
02C05
max(min(02C01;02C0
2;02C03);11C02)
02C05
max(02C06;11C02)
max(02C04;02C05)
max(min(02C01;02C0
2;02C03);11C02)
02C05
11C02
11C02
02C05
max(min(02C01;02C0
2;02C03;11B01);11C0
1)
Confining
EFF-CONF
1 1 1 1

the enterprise staff, outside working hours
1 1 1 1

the services team, outside working hours
1 1 1 1

containing files used for personal office activity, outside the company
1 1 1 1
Disclosure of documents, due to an error or accidental loss, outside the

company
1 1 1 1
Theft of documents written or printed detained by users, in the offices, by a

member of the enterprise staff, outside working hours
1 1 1 1

user authorized illegitimately, while the user is absent
1 1 1 1

1 1 1 1

member of the enterprise staff, while the user is absent
1 1 1 1

visitor, while the user is absent
1 1 1 1
Theft of documents written or printed detained by users, outside the company
1 1 1 1
Theft of documents , during the printing on a shared printer, by a member of the

enterprise staff
1 1 1 1
Theft of documents , during the printing on a shared printer, by a visitor
1 1 1 1
Theft of documents , during the distribution, by a member of the enterprise staff
1 1 1 1
seriousness
Likelihood
Impact
Impact

containing files used for personal office activity, in the offices, by a visitor, while
the user is absent
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
02C05
max(02C06;11B01;11
C01)
max(02C04;02C05)
max(min(02C01;02C0
2;02C03;11B01);11C0
1)
02C05
max(11B01;11C01)
max(11B01;11C01)
02D02
02D02
02C05
max(02A02;02C03;02
D02)
02C05
02D02
02C05
max(02D02;min(02C0
1;02C02;02C03))
02C05
max(02D02;min(02C0
1;02C02;02C06))
02D02
max(02D02;11C06)
max(02D02;11C06)
02D02
Confining
EFF-CONF
1 1 1 1
02D02
Theft of discarded documents , within the collection circuit of paper bins
1 1 1 1
02D03
Disclosure of listings or printouts, due to an error or accidental loss, during the

distribution, by a member of the production team
1 1 1 1
Theft of listings or printouts , within the production premises, by an authorized

staff member
1 1 1 1
03B06
Theft of listings or printouts , within the production premises, by a member of

the services team
1 1 1 1
03B06
Theft of listings or printouts , within the production premises, by a member of

1 1 1 1
03B06
Theft of listings or printouts , during the distribution, by a member of the

enterprise staff
1 1 1 1
Theft of listings or printouts , during the distribution, by a visitor
1 1 1 1
Theft of listings or printouts , within the collection circuit of paper bins
1 1 1 1
Disclosure of data after consultation , by a user authorized illegitimately,

1 1 1 1
Disclosure of data after consultation , by an unauthorized third party ,

1 1 1 1
Disclosure of data after consultation , by a member of the production team,

1 1 1 1
Disclosure of data after consultation , by an unauthorized third party ,

connected, from outside, to the local area notwork
1 1 1 1
Disclosure of data after consultation , by an unauthorized third party , through

electro-magnetic tapping
1 1 1 1
Disclosure of data after consultation , by a member of the production team,

having access to user resources not erased after use.
1 1 1 1
seriousness
Likelihood
Impact
Impact
Theft of documents , during the distribution, by a visitor
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
08A07
08A07
08A07
08A07
08A07
08A07
08A07
min(08F02;08F03)
max(min(07A01;07A0
2;08F01);min(08F01;0
9A01;09A02))
max(min(05B01;05B0
2;05B03;05B07;06C0
2);min(07A03;07A04;0
8F02);min(09A03;09A
04))
min(08F02;08F03)
max(04B02;min(05B0
4;05B05;05B06;05B0
7);min(07A03;07A04;0
8F02);min(09A03;09A
09C03
04))
07B01
Confining
EFF-CONF
1 1 1 1
Disclosure of data after tampering , by a member of the enterprise staff,

1 1 1 1
Disclosure of data after tampering , by a member of the enterprise staff, after

modification of a network equipment
1 1 1 1
Disclosure of data after tampering , by a member of the production team, after

modification of a network equipment
1 1 1 1
Disclosure of data after tampering , by an unauthorized third party , after a

remote modification of a network equipment, using a remote maintenance line
1 1 1 1
Disclosure of data after tampering , by an unauthorized third party , after a

remote modification of a network equipment, using a flaw not yet fixed
1 1 1 1
Disclosure of data after tampering , by an unauthorized third party , using an

equipment usurping the identity of an entity also connected to the extended
network
1 1 1 1
max(04B03;04C01;09
C01)
Disclosure of data after tampering , by a member of the production team, by

usurpation of the identity of an application server
1 1 1 1
max(04B03;04C01;09
C01)
Accidental disclosure of emails, due to an addressing error
1 1 1 1
11C05
Intentional disclosure of e-mails during emission or receipt, by a member of the

production team
1 1 1 1

maintenance team
1 1 1 1
11C05

staff not authorized
1 1 1 1
11C05
Accidental disclosure of post mails, due to an addressing error
1 1 1 1
Accidental disclosure of faxes, due to an addressing error
1 1 1 1
Theft of post mail, during collection or diffusion, in the post mail office
1 1 1 1
seriousness
Likelihood
Impact
Impact
Disclosure of data after tampering , by a member of the staff not authorized,

connected on the extended network
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
max(05C03;09C01)
max(03B07;05C01;09
C01)
max(min(06C01;06C0
2);09C01)
min(06A01;06C03)
09C01
max(06A04;09C01)
max(06A02;09C01)
11C05
02D05
02D04
Confining
EFF-CONF
1 1 1 1
Intentional disclosure of faxes, in the fax office
1 1 1 1
Intentional disclosure of faxes, during collection or diffusion
1 1 1 1
Diversion of fax due to a malicious transfer of receiver fax
1 1 1 1
Theft or diversion of archived documents , within the archival premises, by an

authorized staff member
1 1 1 1
02D07
Theft or diversion of archived documents , within the archival premises, by a

1 1 1 1
02D07
Theft or diversion of archived documents , during the transportation between

sites, by a member of the staff not authorized
1 1 1 1
Diversion of archived documents, by using the identity of a person authorized to

extract an archive
1 1 1 1
Disclosure of information, due to a theft, of media containing files of digitalized

archives , within the archival premises, by an authorized staff member
1 1 1 1

archives , within the archival premises, by a member of the staff not authorized
1 1 1 1

archives , in the distribution office, by a member of the staff not authorized
1 1 1 1
Unavailability of the working environment, by accident, due to a fire
1 1 1 1
Unavailability of the working environment, by accident, due to flooding
1 1 1 1
Unavailability of the working environment, by accident, due to a lack of power

supply (external cause)
1 1 1 1
Unavailability of the working environment, by accident, due to the impossibility

of accessing the premises (external cause)
1 1 1 1
seriousness
Likelihood
Impact
Impact
Theft of post mail, during collection or diffusion, in the offices
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
02D04
02D05
02D05
02D05
02D07
02D07
02D07
08H03
max(08H03;09C02)
08H03
max(08H03;09C02)
08H03
max(08H03;09C02)
03D01
min(03D02;03D03)
03C01
min(03C02;03C03)
03A02
1 1 1 1 0
Erasure, due to an error, of configuration (code, parameters, etc.) of

telecommunication services (voice, fax, videoconferencing, etc.), by a member
1 1 1 1 0
Malicious erasure of programs of telecommunication services (voice, fax,

videoconferencing, etc.), by a member of the production team
1 1 1 1 0
Malicious erasure of programs of telecommunication services (voice, fax,

videoconferencing, etc.), by a member of the maintenance team
1 1 1 1 0
Damaging of (host) system, by accident of telecommunication services (voice,

fax, videoconferencing, etc.), within the production premises, due to a liquid
(water) damage
1 1 1 1 0
Damaging of (host) system, by accident of telecommunication services (voice,

fax, videoconferencing, etc.), within the production premises, due to an
electrical over load
1 1 1 1 0
Long lasting unavailability, damaging or loss of (host) system, by accident of

telecommunication services (voice, fax, videoconferencing, etc.), within the
production premises, due to a lightning
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
12A02
12A03
min(12E02;12E03)
12A03
03C01
min(03A01;03A04)
03A05
1 1 1 1 0
1 1 1 1 1
2
03D01
min(03D02;03D03)
03C01
min(03C02;03C03)

1 1 1 1 1
Temporary unavailability of (host) system, due to an accident, of

telecommunication services (voice, fax, videoconferencing, etc.), caused by the
1 1 1 1 0

telecommunication services (voice, fax, videoconferencing, etc.), caused by the
breakdown or the unavailability of auxiliary elements
1 1 1 1 0
seriousness
Likelihood
Impact
Impact
Accidental erasure of programs of telecommunication services (voice, fax,

videoconferencing, etc.), due to a production incident
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
1 1 1 1 0
seriousness
Likelihood
calculated
values
Impact
Type AICE
Impact
Type AEM
security decided
measures values
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Direct Selection
Intrinsic
values
DESCRIPTION

telecommunication services (voice, fax, videoconferencing, etc.), due to a lack
of power supply (external cause)
Dissuasion
EFF-DISS
1 1 1 1 1
Malicious damaging of host systems of telecommunication services (voice, fax,

videoconferencing, etc.), due to vandalism, within the production premises, by a
1 1 1 1 0

videoconferencing, etc.), due to vandalism, by vandals or terrorists acting from
outside
1 1 1 1 0

videoconferencing, etc.), due to vandalism, by vandals or terrorists acting from
inside (after an intrusion)
1 1 1 1 0
Malicious destruction of host systems of telecommunication services (voice,

fax, videoconferencing, etc.), due to a terrorist action, by vandals or terrorists
acting from outside
1 1 1 1 0
Stoppage of functioning of telecommunication services (voice, fax,

videoconferencing, etc.), due to system maintenance provider being unable to
repair (unfixable failure or provider default)
1 1 1 1 0
Accidental erasure of configuration (code, parameters, etc.) of the extended

network services due to a production incident
1 1 1 1 0
Erasure, due to an error, of configuration (code, parameters, etc.) of the

extended network services by a member of the production team
1 1 1 1 0
Erasure, due to an error, of configuration (code, parameters, etc.) of the

extended network services by a member of the maintenance team
1 1 1 1 0
Malicious erasure de configuration (code, parameters, etc.) of the extended

network services by a user not authorized
1 1 1 1 0
Confining
EFF-CONF
3
03B06

videoconferencing, etc.), due to vandalism, within the production premises, by
an authorized staff member
Prevention
EFF-PREV
min(03B01;03B02;03
B03)
03B04
min(03B03;03B04;03
B06)
min(02A01;02A02;02
A03;02A05)
02A04
06A02
04D03
06C02
04D02
1 1 1 1 0

network services by a member of the maintenance team
1 1 1 1 0
Malicious erasure of configurations and backups (code, parameters, etc.) of the

extended network services by a member of the production team
1 1 1 1 0
Damaging of (host) system, by accident of the extended network services ,

within the production premises, due to a liquid (water) damage
1 1 1 1 0
Damaging of (host) system, by accident of the extended network services ,

within the production premises, due to an electrical over load
1 1 1 1 0
Long lasting unavailability, damaging or loss of (host) system, by accident of the

extended network services , within the production premises, due to a lightning
1 1 1 1 0

extended network services , within the production premises, due to a fire
1 1 1 1 1

extended network services , within the production premises, due to flooding
1 1 1 1 1
Temporary unavailability of (host) system, due to an accident, of the extended

network services , caused by the breakdown of an equipment
1 1 1 1 0

network services , caused by the breakdown or the unavailability of auxiliary
elements
1 1 1 1 0

network services , due to a lack of power supply (external cause)
1 1 1 1 0
Malicious damaging of host systems of the extended network services , due to

vandalism, within the production premises, by an authorized staff member
1 1 1 1 0

vandalism, within the production premises, by a member of the staff not
authorized
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

network services by a member of the production team
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
min(06C02;06C03)
04D02
min(06C02;06C03)
03C01
min(03A01;03A04)
03A05
03D01
min(03D02;03D03)
03C01
min(03C02;03C03)
min(03B01;03B02;03
B03)
03B04
2
2
min(03B03;03B04;03
B06)
03B06
1 1 1 1 0

vandalism, by vandals or terrorists acting from inside (after an intrusion)
1 1 1 1 0
Malicious destruction of host systems of the extended network services , due to

a terrorist action, by vandals or terrorists acting from outside
1 1 1 1 0
Malicious breakdown of the extended network services , mass erasure or

pollution of the configuration of a host system , by a member of the production
team
1 1 1 1 0
Malicious breakdown of the extended network services , mass erasure or

pollution of the configuration of a host system , by a member of the
maintenance team
1 1 1 1 0
Stoppage of functioning of the extended network services , due to system

maintenance provider being unable to repair (unfixable failure or provider
default)
1 1 1 1 0
Stoppage of functioning of the extended network services , due to a social

conflict with the production staff
1 1 1 1 0
Stoppage of functioning of the extended network services , due to a long lasting

absence of internal staff required
1 1 1 1 0
Stoppage of functioning of the extended network services , due to a long lasting

absence of staff from a provider
1 1 1 1 0
Stoppage of functioning of the extended network services , due to a worm
1 1 1 1 0
Accidental erasure of configuration (code, parameters, etc.) of Local Area

Network services, due to a production incident
1 1 1 1 1
Erasure, due to an error, of configuration (code, parameters, etc.) of Local Area

Network services, by a member of the production team
1 1 1 1 0
Erasure, due to an error, of configuration (code, parameters, etc.) of Local Area

Network services, by a member of the maintenance team
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

vandalism, by vandals or terrorists acting from outside
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
min(02A01;02A02;02
A03;02A05)
Confining
EFF-CONF
02A04
min(06C02;06C03)
04D01
06A02
05D03
1 1 1 1 0
Malicious erasure de configuration (code, parameters, etc.) of Local Area

1 1 1 1 0

1 1 1 1 0
Malicious erasure of configurations and backups (code, parameters, etc.) of

Local Area Network services, by a member of the production team
1 1 1 1 0
Damaging of (host) system, by accident of Local Area Network services, within

the production premises, due to a liquid (water) damage
1 1 1 1 0
Damaging of (host) system, by accident of Local Area Network services, within

the production premises, due to an electrical over load
1 1 1 1 0

Local Area Network services, within the production premises, due to a lightning
1 1 1 1 0

Local Area Network services, within the production premises, due to a fire
1 1 1 1 1

Local Area Network services, within the production premises, due to flooding
1 1 1 1 1
Temporary unavailability of (host) system, due to an accident, of Local Area

Network services, caused by the breakdown of an equipment
1 1 1 1 0

Network services, caused by the breakdown or the unavailability of auxiliary
elements
1 1 1 1 0

Network services, due to a lack of power supply (external cause)
1 1 1 1 0
Malicious damaging of host systems of Local Area Network services, due to

1 1 1 1 1
seriousness
Likelihood
Impact
Impact

Network services, by a user not authorized
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
06C02
Confining
EFF-CONF
05D02
min(06C02;06C03)
05D02
min(06C02;06C03)
03C01
min(03A01;03A04)
03A05
03B06
03D01
min(03D02;03D03)
03C01
min(03C02;03C03)
min(03B01;03B02;03
B03)
03B04
1 1 1 1 0

1 1 1 1 0

1 1 1 1 0
Malicious destruction of host systems of Local Area Network services, due to a

terrorist action, by vandals or terrorists acting from outside
1 1 1 1 0
Malicious breakdown of Local Area Network services, mass erasure or

pollution of the configuration of a host system by a member of the production
team
1 1 1 1 0
Malicious breakdown of Local Area Network services, mass erasure or

pollution of the configuration of a host system by a member of the maintenance
team
1 1 1 1 0
Stoppage of functioning of Local Area Network services, due to system

default)
1 1 1 1 0
Stoppage of functioning of Local Area Network services, due to a social conflict

with the production staff
1 1 1 1 0
Stoppage of functioning of Local Area Network services, due to a long lasting

1 1 1 1 0
Stoppage of functioning of Local Area Network services, due to a long lasting

1 1 1 1 0
Stoppage of functioning of Local Area Network services, due to a worm
1 1 1 1 0
Accidental erasure of programs of application services , due to a production

incident
1 1 1 1 0
Erasure, due to an error, of programs of application services , by a user

authorized legitimately
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

authorized
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
min(03B03;03B04;03
B06)
min(02A01;02A02;02
A03;02A05)
02A04
min(06C02;06C03)
05D01
08A03
08E03
1 1 1 1 0
max(07A02;09A02)
Erasure, due to an error, of programs of application services , by a user not

authorized
1 1 1 1 0
min(07A03;07A04)
Erasure, due to an error, of programs of application services , by a member of

the production team
1 1 1 1 0
Erasure, due to an error, of programs of application services , by a member of

the maintenance team
1 1 1 1 0
Malicious erasure of programs of application services , by a user authorized

legitimately
1 1 1 1 0
Malicious erasure of programs of application services , by a user authorized

illegitimately
1 1 1 1 0
Malicious erasure of programs of application services , by a user not authorized
1 1 1 1 0
Malicious erasure of programs of application services , by a member of the

production team
1 1 1 1 0
min(08F02;08F03)
Malicious erasure of programs of application services , by a member of the

maintenance team
1 1 1 1 0
min(07C02;08E02)
Malicious erasure of files and backups of application services , by a member of

the production team
1 1 1 1 0
Pollution, by accident, of programs of application services due to a procedure

error, during a software maintenance operation
1 1 1 1 0
Pollution, by accident, of programs of application services due to a procedure

error, during a hot maintenance operation
1 1 1 1 0
Pollution, by accident, of programs of application services due a production

incident
1 1 1 1 0
Malicious pollution of programs of application services during production by a

user authorized illegitimately
1 1 1 1 0
max(min(07A01;07A0
2;08F01);min(09A01;0
9A02))

user not authorized
1 1 1 1 0
max(min(07A03;07A0
4;08F02);min(09A03;0
9A04))

1 1 1 1 0
min(08F02;08F03)

1 1 1 1 0
min(08F02;08F03)
seriousness
Likelihood
Impact
Impact
Erasure, due to an error, of programs of application services , by a user

authorized illegitimately
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
min(07C01;08E02)
min(07C01;08E02)
max(07A02;09A02)
min(07A03;07A04)
min(08F02;08F03)
10B05
10B06
08E02
10B05
1 1 1 1 0
Loss, due to destruction, of media supporting programs of application

services , within the production premises, due to flooding
1 1 1 1 0

services , in the media storage premises, due to a fire
1 1 1 1 0

services , in the media storage premises, due to flooding
1 1 1 1 0
Loss, due to accidental disappearance, of media supporting programs of

application services , in the media storage premises
1 1 1 1 0

application services , within the production premises
1 1 1 1 0
Theft of media supporting programs of application services , within the

production premises, by a member of the staff not authorized
1 1 1 1 0
03B06

production premises, by a member of the production team
1 1 1 1 0
03B06

production premises, by a member of the services team
1 1 1 1 0
03B06
Theft of media supporting programs of application services , in the media

storage premises, by a member of the staff not authorized
1 1 1 1 0
03B06

storage premises, by a member of the production team
1 1 1 1 0
03B06

storage premises, by a member of the services team
1 1 1 1 0
03B06
Impossibility, due to an accident, to use a media supporting programs of

application services , within the production premises, caused by the breakdown
of an equipment
1 1 1 1 0
1 1 1 1 0
1 1 1 1 0
1 1 1 1 0

application services , within the production premises, due a liquid (water)
damage
application services , within the production premises, due to an electrical over
load
application services , within the production premises, due a production incident
seriousness
Likelihood
Impact
Impact

services , within the production premises, due to a fire
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
03D01
03D01
min(03B03;03B04)
08C03
03C01
min(03A01;03A04)
08A03
08E03
1 1 1 1 0

application services , in the media storage premises, due to a liquid (water)
damage
1 1 1 1 0

application services , in the media storage premises, due to ageing
1 1 1 1 0
Damaging of (host) system, by accident of application services , within the

production premises, due to a liquid (water) damage
1 1 1 1 0
Damaging of (host) system, by accident of application services , within the

production premises, due to an electrical over load
1 1 1 1 0

application services , within the production premises, due to a lightning
1 1 1 1 0

application services , within the production premises, due to a fire
1 1 1 1 0

application services , within the production premises, due to flooding
1 1 1 1 0
Temporary unavailability of (host) system, due to an accident, of application

services , caused by the breakdown of an equipment
1 1 1 1 0

services , caused by the breakdown or the unavailability of auxiliary elements
1 1 1 1 0

services , due to a lack of power supply (external cause)
1 1 1 1 0

services , due a stoppage of the air conditioning
1 1 1 1 0
Malicious damaging of host systems of application services , due to vandalism,

within the production premises, by an authorized staff member
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

application services , in the media storage premises, due to pollution
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
08C03
08C05
03C01
min(03A01;03A04)
03A05
03D01
min(03D02;03D03)
03C01
min(03C02;03C03)
09E01
03B06
min(03B01;03B02;03
B03)
03B04
1 1 1 1 0

by vandals or terrorists acting from outside
1 1 1 1 0

by vandals or terrorists acting from inside (after an intrusion)
1 1 1 1 0
Malicious destruction of host systems of application services , due to a terrorist

action, by vandals or terrorists acting from outside
1 1 1 1 0
Malicious breakdown of application services , mass erasure or pollution of the

configuration of a host system , by a member of the production team
1 1 1 1 0
Malicious breakdown of application services , mass erasure or pollution of the

configuration of a host system , by a member of the maintenance team
1 1 1 1 0
Stoppage of functioning of application services , due to to system maintenance

provider being unable to repair (unfixable failure or provider default)
1 1 1 1 0
Stoppage of functioning of application services , due to to the software

default)
1 1 1 1 0
Stoppage of functioning of application services , due to to a social conflict with

the production staff
1 1 1 1 0
Stoppage of functioning of application services , due to to a long lasting

1 1 1 1 0
Stoppage of functioning of application services , due to to a long lasting

1 1 1 1 0
Locking of application services , due to to a blocking bug in a system or

application software
1 1 1 1 0
08A03
Locking of application services , due to to a blocking bug in a custom software
1 1 1 1 0
08A03
Locking of application services , due to a production incident
1 1 1 1 0
07D01
seriousness
Likelihood
Impact
Impact

within the production premises, by a member of the staff not authorized
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
min(03B03;03B04;03
B06)
min(02A01;02A02;02
A03;02A05)
02A04
min(08F02;08F03)
min(07C02;08E02)
08E01
1 1 1 1 0
Locking of accounts necessary for operation of application services , due to to

a blockage of accounts attack
1 1 1 1 0
Accidental erasure of programs of common office services, due to a production

incident
1 1 1 1 0
Erasure, due to an error, of programsof common office services, by a user

1 1 1 1 0
Erasure, due to an error, of programsof common office services, by a user

1 1 1 1 0
max(07A02;09A02)
Erasure, due to an error, of programsof common office services, by a user not

authorized
1 1 1 1 0
min(07A03;07A04)
Erasure, due to an error, of programsof common office services, by a member

1 1 1 1 0
Erasure, due to an error, of programsof common office services, by a member

1 1 1 1 0
Malicious erasure of programs of common office services, by a user authorized

legitimately
1 1 1 1 0
Malicious erasure of programs of common office services, by a user authorized

illegitimately
1 1 1 1 0
Malicious erasure of programs of common office services, by a user not

authorized
1 1 1 1 0
Malicious erasure of programs of common office services, by a member of the

production team
1 1 1 1 0
min(08F02;08F03)
Malicious erasure of programs of common office services, by a member of the

maintenance team
1 1 1 1 0
min(07C02;08E02)
Malicious erasure of files and backups of common office services, by a member

1 1 1 1 0
Pollution, by accident, of programs of common office services due to a

procedure error, during a software maintenance operation
1 1 1 1
10B05
Pollution, by accident, of programs of common office services due to a

procedure error, during a hot maintenance operation
1 1 1 1
10B06
Pollution, by accident, of programs of common office services due a production

incident
1 1 1 1
seriousness
Likelihood
Impact
Impact
Locking of application services , due to to a malicious saturation of computing

or network equipments
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
min(07C01;07C02)
Prevention
EFF-PREV
Confining
EFF-CONF
08E01
min(08E02;08E03)
08A03
08E03
min(07C01;08E02)
min(07C01;08E02)
max(07A02;09A02)
min(07A03;07A04)
min(08F02;08F03)
08D03
08E02
1 1 1 1
Malicious pollution of programs of common office services during production by

a user not authorized
1 1 1 1

a member of the production team
1 1 1 1
min(08F02;08F03)

a member of the maintenance team
1 1 1 1
min(08F02;08F03)
Loss, due to destruction, of media supporting programs of common office

services, within the production premises, due to to a fire
1 1 1 1 0

services, within the production premises, due to to flooding
1 1 1 1 0

services, in the media storage premises, due to to a fire
1 1 1 1 0

services, in the media storage premises, due to to flooding
1 1 1 1 0

common office services, in the media storage premises
1 1 1 1 0

common office services, within the production premises
1 1 1 1 0
Theft of media supporting programs of common office services, within the

1 1 1 1 0
03B06

1 1 1 1 0
03B06

1 1 1 1 0
03B06
Theft of media supporting programs of common office services, in the media

1 1 1 1 0
03B06

1 1 1 1 0
03B06

1 1 1 1 0
03B06
seriousness
Likelihood
Impact
Impact

a user authorized illegitimately
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
max(min(07A01;07A0
2;08F01);min(09A01;0
9A02))
max(min(07A03;07A0
4;08F02);min(09A03;0
9A04))
10B05
03D01
03D01
min(03B03;03B04)
08C03
Confining
EFF-CONF
1 1 1 1 0
Impossibility, due to an accident, to use a media supporting programsof

common office services, within the production premises, due a liquid (water)
damage
1 1 1 1 0

common office services, within the production premises, due to an electrical
over load
1 1 1 1 0

common office services, within the production premises, due a production
incident
1 1 1 1 0

common office services, in the media storage premises, due to pollution
1 1 1 1 0

common office services, in the media storage premises, due a liquid (water)
damage
1 1 1 1 0

common office services, in the media storage premises, due to ageing
1 1 1 1 0
Damaging of (host) system, by accident of common office services, within the

production premises, due a liquid (water) damage
1 1 1 1 0
Damaging of (host) system, by accident of common office services, within the

1 1 1 1 0

common office services, within the production premises, due to a lightning
1 1 1 1 0

common office services, within the production premises, due to a fire
1 1 1 1 0

common office services, within the production premises, due to flooding
1 1 1 1 0
Temporary unavailability of (host) system, due to an accident, of common office

services, caused by the breakdown of an equipment
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

common office services, within the production premises, caused by the
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
03C01
min(03A01;03A04)
08A03
08E03
08C03
08C05
03C01
min(03A01;03A04)
03A05
03D01
min(03D02;03D03)
03C01
min(03C02;03C03)
09E01
1 1 1 1 0

services, due to a lack of power supply (external cause)
1 1 1 1 0
Malicious damaging of host systems of common office services, due to

1 1 1 1 0
min(03B01;03B02;03
B03)

authorized
1 1 1 1 0
min(03B03;03B04;03
B063)

1 1 1 1 0

1 1 1 1 0
Malicious destruction of host systems of common office services, due to a

1 1 1 1 0
Malicious breakdown of common office services, mass erasure or pollution of

the configuration of a host system , by a member of the production team
1 1 1 1 0
Malicious breakdown of common office services, mass erasure or pollution of

the configuration of a host system , by a member of the maintenance team
1 1 1 1 0
Stoppage of functioning of common office services, due to to system

default)
1 1 1 1
Stoppage of functioning of common office services, due to the software

default)
1 1 1 1 0
Stoppage of functioning of common office services, due to a social conflict with

the production staff
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

services, caused by the breakdown or the unavailability of auxiliary elements
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
03B06
Prevention
EFF-PREV
min(02A01;02A02;02
A03;02A05)
min(08F02;08F03)
min(07C02;08E02)
Confining
EFF-CONF
03B04
02A04
1 1 1 1 0
Stoppage of functioning of common office services, due to a long lasting

1 1 1 1 0
Locking of common office services, due to a blocking bug in a system or

1 1 1 1 0
Locking of common office services, due to a malicious saturation of computing

or network equipments
1 1 1 1 0
Locking of accounts necessary for operation of common office services, due to

a blockage of accounts attack
1 1 1 1 0
Accidental erasure of all configuration files (programs, codes, parameters, etc.)

of equipments provided to end users, due to a production incident
1 1 1 1 0
General erasure, by error, of configurations (programs, code, parameters, etc.)

of equipments provided to end users, by a member of the production team
1 1 1 1 0
General erasure, by error, of configurations (programs, code, parameters, etc.)

of equipments provided to end users, by a member of the maintenance team
1 1 1 1 0
Malicious erasure of all configurations (programs, code, parameters, etc.) of

equipments provided to end users, by a member of the production team
1 1 1 1 0
Heavy unavailability of equipments provided to end users, due a virus
1 1 1 1 0
Heavy unavailability of equipments provided to end users, within the production

premises, due to a lightning
1 1 1 1 0

premises, due to a fire
1 1 1 1 0

premises, due to flooding
1 1 1 1 0
Heavy unavailability of equipments provided to end users, due to a lack of

power supply (external cause)
1 1 1 1 0
seriousness
Likelihood
Impact
Impact
Stoppage of functioning of common office services, due to a long lasting

Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
11A01
min(07C01;07C02)
08E01
min(08E02;08E03)
c interfaces, etc.)
11A01
min(11E02;11E03)
11D06
03A05
03D01
min(03D02;03D03)
03C01
min(03C02;03C03)
03A02
1 1 1 1 0
Malicious heavy destruction of equipments provided to end users, due to

vandalism, within the production premises, by an unauthorized third party
1 1 1 1 0
Temporary unavailability, due to an accident, of equipments provided to end

users, caused by the breakdown of an equipment (shared equipment)
1 1 1 1 0
Accidental erasure of programs of common system services , due to a

production incident
1 1 1 1 0
Erasure, due to an error, of programsof common system services , by a user

1 1 1 1 0

1 1 1 1 0
max(07A02;09A02)

not authorized
1 1 1 1 0
min(07A03;07A04)
Erasure, due to an error, of programsof common system services , by a

1 1 1 1 0
Erasure, due to an error, of programsof common system services , by a

1 1 1 1 0
Malicious erasure of programs of common system services , by a user

1 1 1 1 0
Malicious erasure of programs of common system services , by a user

1 1 1 1 0
Malicious erasure of programs of common system services , by a user not

authorized
1 1 1 1 0
Malicious erasure of programs of common system services , by a member of

the production team
1 1 1 1 0
min(08F02;08F03)
Malicious erasure of programs of common system services , by a member of

1 1 1 1 0
min(07C02;08E02)
Malicious erasure of files and backups of common system services , by a

1 1 1 1 0
seriousness
Likelihood
Impact
Impact
Malicious heavy destruction of equipments provided to end users, due to

Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
03B06
Prevention
EFF-PREV
min(03B01;03B02;03
B03)
Confining
EFF-CONF
03B04
min(03B03;03B04;03
B063)
08A03
min(07C01;08E02)
min(07C01;08E02)
max(07A02;09A02)
min(07A03;07A04)
min(08F02;08F03)
08E03
1 1 1 1 0
10B05
Pollution, by accident, of programs of common system services due to a

procedure error, during a hot maintenance operation
1 1 1 1 0
10B06
Pollution, by accident, of programs of common system services due a

production incident
1 1 1 1 0
Malicious pollution of programs of common system services during production

by a user authorized illegitimately
1 1 1 1 0

by a user not authorized
1 1 1 1 0

by a member of the production team
1 1 1 1 0
min(08F02;08F03)

by a member of the maintenance team
1 1 1 1 0
min(08F02;08F03)
Loss, due to destruction, of media supporting programs of common system

services , within the production premises, due to to a fire
1 1 1 1 0

services , within the production premises, due to to flooding
1 1 1 1 0

services , in the media storage premises, due to to a fire
1 1 1 1 0

services , in the media storage premises, due to to flooding
1 1 1 1 0

common system services , in the media storage premises
1 1 1 1 0

common system services , within the production premises
1 1 1 1 0
Theft of media supporting programs of common system services , within the

1 1 1 1 0
03B06

1 1 1 1 0
03B06

1 1 1 1 0
03B06
seriousness
Likelihood
Impact
Impact
Pollution, by accident, of programs of common system services due to a

Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
08E02
max(min(07A01;07A0
2;08F01);min(09A01;0
9A02))
max(min(07A03;07A0
4;08F02);min(09A03;0
9A04))
10B05
03D01
03D01
min(03B03;03B04)
1 1 1 1 0
03B06
Theft of media supporting programs of common system services , in the media

1 1 1 1 0
03B06

1 1 1 1 0
03B06

common system services , within the production premises, caused by the
1 1 1 1 0

common system services , within the production premises, due a liquid (water)
damage
1 1 1 1 0

common system services , within the production premises, due to an electrical
over load
1 1 1 1 0

common system services , within the production premises, due a production
incident
1 1 1 1 0

common system services , in the media storage premises, due to pollution
1 1 1 1 0

common system services , in the media storage premises, due a liquid (water)
damage
1 1 1 1 0

common system services , in the media storage premises, due to ageing
1 1 1 1 0
Damaging of (host) system, by accident of common system services , within the

1 1 1 1 0
Damaging of (host) system, by accident of common system services , within the

1 1 1 1 0

common system services , within the production premises, due to a lightning
1 1 1 1 0

common system services , within the production premises, due to a fire
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
08C03
03C01
min(03A01;03A04)
08A03
08E03
08C03
08C05
03C01
min(03A01;03A04)
03A05
03D01
min(03D02;03D03)
1 1 1 1 0
Temporary unavailability of (host) system, due to an accident, of common

system services , caused by the breakdown of an equipment
1 1 1 1 0

system services , caused by the breakdown or the unavailability of auxiliary
elements
1 1 1 1 0

system services , due to a lack of power supply (external cause)
1 1 1 1 0

system services , due a stoppage of the air conditioning
1 1 1 1 0
Malicious damaging of host systems of common system services , due to

1 1 1 1 0
min(03B01;03B02;03
B03)

authorized
1 1 1 1 0
min(03B03;03B04;03
B06)

1 1 1 1 0

1 1 1 1 0
Malicious destruction of host systems of common system services , due to a

1 1 1 1 0
Stoppage of functioning of common system services , due to to system

default)
1 1 1 1 0
Stoppage of functioning of common system services , due to to the software

default)
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

common system services , within the production premises, due to flooding
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
03C01
Confining
EFF-CONF
min(03C02;03C03)
09E01
03B06
min(02A01;02A02;02
A03;02A05)
03B04
02A04
1 1 1 1 0
Stoppage of functioning of common system services , due to to a long lasting

1 1 1 1 0
Stoppage of functioning of common system services , due to to a long lasting

1 1 1 1 0
Locking of common system services , due to to a blocking bug in a system or

1 1 1 1 0
08A03
Locking of common system services , due to to a blocking bug in a custom

software
1 1 1 1 0
08A03
Locking of common system services , due to a production incident
1 1 1 1 0
07D01
08E01
Locking of common system services , due to to a malicious saturation of

computing or network equipments
1 1 1 1 0
08E01
min(08E02;08E03)
Locking of accounts necessary for operation of common system services , due

to to a blockage of accounts attack
1 1 1 1 0
Accidental erasure of programs of information publishing services on an

internal or public web site, due to a production incident
08A03
08E03
1 1 1 1 0
Erasure, due to an error, of programsof information publishing services on an

internal or public web site, by a user authorized legitimately
1 1 1 1 0

internal or public web site, by a user authorized illegitimately
1 1 1 1 0

internal or public web site, by a user not authorized
1 1 1 1 0

internal or public web site, by a member of the production team
1 1 1 1 0

internal or public web site, by a member of the maintenance team
1 1 1 1 0
seriousness
Likelihood
Impact
Impact
Stoppage of functioning of common system services , due to to a social conflict

with the production staff
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
min(07C01;07C02)
Prevention
EFF-PREV
max(07A02;09A02)
min(07A03;07A04)
Confining
EFF-CONF
1 1 1 1 0
Malicious erasure of programs of information publishing services on an internal

or public web site, by a user authorized illegitimately
1 1 1 1 0

or public web site, by a user not authorized
1 1 1 1 0

or public web site, by a member of the production team
1 1 1 1 0

or public web site, by a member of the maintenance team
1 1 1 1 0
Malicious erasure of files and backups of information publishing services on an

internal or public web site, by a member of the production team
1 1 1 1 0
Pollution, by accident, of programs of information publishing services on an

internal or public web site due to a procedure error, during a software
maintenance operation
1 1 1 1 0

internal or public web site due to a procedure error, during a hot maintenance
operation
1 1 1 1 0

internal or public web site due a production incident
1 1 1 1 0
Malicious pollution of programs of information publishing services on an internal

or public web site during production by a user authorized illegitimately
1 1 1 1 0
max(min(07A01;07A0
2;08F01);min(09A01;0
9A02))

or public web site during production by a user not authorized
1 1 1 1 0
max(min(07A03;07A0
4;08F02);min(09A03;0
9A04))
seriousness
Likelihood
Impact
Impact

or public web site, by a user authorized legitimately
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
min(07C01;08E02)
min(07C01;08E02)
max(07A02;09A02)
min(07A03;07A04)
min(08F02;08F03)
min(07C02;08E02)
min(08F02;08F03)
10B05
10B06
08D03
08E02
1 1 1 1 0

or public web site during production by a member of the maintenance team
1 1 1 1 0
Loss, due to destruction, of media supporting programs of information

publishing services on an internal or public web site, within the production
premises, due to to a fire
1 1 1 1 0

publishing services on an internal or public web site, within the production
premises, due to to flooding
1 1 1 1 0

publishing services on an internal or public web site, in the media storage
premises, due to to a fire
1 1 1 1 0

publishing services on an internal or public web site, in the media storage
premises, due to to flooding
1 1 1 1 0

information publishing services on an internal or public web site, in the media
storage premises
1 1 1 1 0

information publishing services on an internal or public web site, within the
production premises
1 1 1 1 0
Theft of media supporting programs of information publishing services on an

internal or public web site, within the production premises, by a member of the
1 1 1 1 0
03B06

production team
1 1 1 1 0
03B06

services team
1 1 1 1 0
03B06

internal or public web site, in the media storage premises, by a member of the
1 1 1 1 0
03B06
seriousness
Likelihood
Impact
Impact

or public web site during production by a member of the production team
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
min(08F02;08F03)
min(08F02;08F03)
10B05
03D01
03D01
min(03B03;03B04)
08C03
Confining
EFF-CONF
1 1 1 1 0
03B06

services team
1 1 1 1 0
03B06

production premises, caused by the breakdown of an equipment
1 1 1 1 0

1 1 1 1 0

1 1 1 1 0

production premises, due a production incident
1 1 1 1 0

storage premises, due to pollution
1 1 1 1 0

storage premises, due a liquid (water) damage
1 1 1 1 0

storage premises, due to ageing
1 1 1 1 0
Damaging of (host) system, by accident of information publishing services on

an internal or public web site, within the production premises, due a liquid
(water) damage
1 1 1 1 0
Damaging of (host) system, by accident of information publishing services on

an internal or public web site, within the production premises, due to an
electrical over load
1 1 1 1 0

production premises, due to a lightning
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

production team
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
03C01
min(03A01;03A04)
08A03
08E03
08C03
08C05
03C01
min(03A01;03A04)
03A05
1 1 1 1 0

1 1 1 1 0
Temporary unavailability of (host) system, due to an accident, of information

publishing services on an internal or public web site, caused by the breakdown
of an equipment
1 1 1 1 0

publishing services on an internal or public web site, caused by the breakdown
or the unavailability of auxiliary elements
1 1 1 1 0

publishing services on an internal or public web site, due to a lack of power
supply (external cause)
1 1 1 1 0
Malicious damaging of host systems of information publishing services on an

internal or public web site, due to vandalism, within the production premises, by
an authorized staff member
1 1 1 1 0
03B06
1 1 1 1 0

internal or public web site, due to vandalism, by vandals or terrorists acting
from outside
1 1 1 1 0

internal or public web site, due to vandalism, by vandals or terrorists acting
from inside (after an intrusion)
1 1 1 1 0
Malicious breakdown of information publishing services on an internal or public

web site, mass erasure or pollution of the configuration of a host system , by a
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
03D01
min(03D02;03D03)
03C01
min(03C02;03C03)
09E01

internal or public web site, due to vandalism, within the production premises, by
a member of the staff not authorized
Malicious breakdown of information publishing services on an internal or public

web site, mass erasure or pollution of the configuration of a host system , by a
seriousness
Likelihood
Impact
Impact

Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
1 1 1 1 0
min(02A01;02A02;02
A03;02A05)
2
min(07C02;08E02)
1 1 1 1 0
03B04
min(03B03;03B04;03
B063)
min(08F02;08F03)
min(03B01;03B02;03
B03)
02A04
1 1 1 1 0
Stoppage of functioning of information publishing services on an internal or

public web site, due to to system maintenance provider being unable to repair
(unfixable failure or provider default)
1 1 1 1 0

public web site, due to to the software maintenance provider being unable to
repair (unfixable failure or provider default)
1 1 1 1 0

public web site, due to to a social conflict with the production staff
1 1 1 1 0

public web site, due to to a long lasting absence of internal staff required
1 1 1 1 0

public web site, due to to a long lasting absence of staff from a provider
1 1 1 1 0
Locking of information publishing services on an internal or public web site, due

to to a blocking bug in a system or application software
1 1 1 1 0

to to a blocking bug in a custom software
1 1 1 1 0

to a production incident
1 1 1 1 0

to to a malicious saturation of computing or network equipments
1 1 1 1 1
Tampering, due to an error of procedure, of configurations of

1 1 1 1 0
Tampering, due to an error of procedure, of configurations of

1 1 1 1 0
seriousness
Likelihood
Impact
Impact
Malicious destruction of host systems of information publishing services on an

internal or public web site, due to a terrorist action, by vandals or terrorists
acting from outside
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Confining
EFF-CONF
08A03
08A03
min(07C01;07C02)
Prevention
EFF-PREV
07D01
08E01
08E01
min(08E02;08E03)
min(12A02;12B02)
12B01
1 1 1 1 0
Malicious (and undetected) tampering of configurations (code, parameters,

etc.) of telecommunication services (voice, fax, videoconferencing, etc.), by a
1 1 1 1 0

user not authorized, connected from the internal network
1 1 1 1 0

etc.) of telecommunication services (voice, fax, videoconferencing, etc.), by an
unauthorized third party , connected through a remote maintenance port
1 1 1 1 0
Tampering, due to an error of procedure, of configurations of the extended

network services , by a member of the maintenance team
1 1 1 1 0
Tampering, due to an error of procedure, of configurations of the extended

network services , by a member of the production team
1 1 1 1 0

etc.) of the extended network services , by a member of the maintenance team
1 1 1 1 0

etc.) of the extended network services , by a member of the production team
1 1 1 1 0

etc.) of the extended network services , by a user not authorized
1 1 1 1 0
Tampering, due to an error of procedure, of configurations of Local Area

1 1 1 1 0
Tampering, due to an error of procedure, of configurations of Local Area

1 1 1 1 0

etc.) of Local Area Network services, by a member of the maintenance team
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
12A03
Prevention
EFF-PREV
12B01
min(12E02;12E03)
min(12E01;12E02)
12A04
06A02
06B01
06A03
06B01
min(06C02;06C03)
min(06C01;06C02)
06A02
06B01
06A03
06B01
Confining
EFF-CONF
1 1 1 1 0

etc.) of Local Area Network services, by a user not authorized
1 1 1 1 0
Tampering of programs by accident (not detected) of application services , by a

member of the development team
1 1 1 1 1
max(08A03;08B03;09 09B05
B05;10B01)

1 1 1 1 1
max(08A03;08B03;09 09B05
B05;10B05)

1 1 1 1 1
max(08B02;08B03;09 09B05
B05)
Malicious (and undetected) tampering of programs of application services , by

a member of the development team
1 1 1 1 1

a member of the maintenance team
1 1 1 1 1

a member of the production team
1 1 1 1 1

a user not authorized
1 1 1 1 1
Malicious (and undetected) swap of media containing programs of application

services during production by an authorized staff member
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
Tampering of service, due to an altered process of connection to the server of

application services during the connection to the service by a member of the
production team
1 1 1 1 1

development team
1 1 1 1 1

services during production by a member of the staff not authorized

services during the transportation between sites by an authorized staff member
seriousness
Likelihood
Impact
Impact

etc.) of Local Area Network services, by a member of the production team
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
min(06C02;06C03)
min(06C01;06C02)
10B01
10B01
10B05
10B05
max(07C02;08F03)
max(08B02;08B03)
07C02
max(min(07A01;07A0 09B04
2;07A03;07A04);08B0
2;08B03;09B05)
max(08B03;09B05)
09B04
09B04
max(03B04;03B05;03 max(min(03B01;03B0 09B04

B06)
2;03B03);08B03;08C0
2;09B05)
max(08B03;09B05)
max(07C02;08F03)
max(07A05.09A05)
10B01
max(07A05.09A05)
09B04
1 1 1 1 1
Tampering or inhibition of security functions by accident (not detected) of

application services during the setting up after an intervention by a member of
the production team
1 1 1 1 1

1 1 1 1 1
Malicious (and undetected) tampering or inhibition of security functions of

the production team
1 1 1 1 1

1 1 1 1 1

1 1 1 1 1
Tampering, due to an error of procedure, of configurations of common office

services, by a member of the maintenance team
1 1 1 1 0
Tampering, due to an error of procedure, of configurations of common office

services, by a member of the production team
1 1 1 1 0

etc.) of common office services, by a member of the maintenance team
1 1 1 1 0

etc.) of common office services, by a member of the production team
1 1 1 1 0

etc.) of common office services, by a user not authorized
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

maintenance team
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
10B05
Prevention
EFF-PREV
max(07A05.09A05)
08A04
min(07C02;08F03)
10B05
08A04
min(08F01;08F02)
08B01
08B01
08A04
08B01
min(08F02;08F03)
max(min(07A01;07A0
2;07A03;07A04);08B0
1)
Confining
EFF-CONF
1 1 1 1 0

common office services, during the setting up after an intervention by a
1 1 1 1 0

1 1 1 1 0

1 1 1 1 0
Tampering, due to an error of procedure, of configurations of common system

services , by a member of the maintenance team
1 1 1 1 0
Tampering, due to an error of procedure, of configurations of common system

services , by a member of the production team
1 1 1 1 0

etc.) of common system services , by a member of the maintenance team
1 1 1 1 0

etc.) of common system services , by a member of the production team
1 1 1 1 0

etc.) of common system services , by a user not authorized
1 1 1 1 0

common system services , during the setting up after an intervention by a
1 1 1 1 0

1 1 1 1 0

1 1 1 1 0
seriousness
Likelihood
Impact
Impact

Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
08B01
08B01
min(07C02;08F03)
min(08F01;08F02)
08B01
08B01
08A04
08B01
min(08F02;08F03)
max(min(07A01;07A0
2;07A03;07A04);08B0
1)
08B01
08B01
min(07C02;08F03)
Confining
EFF-CONF
1 1 1 1 0
Tampering of programs by accident (not detected) of information publishing

services on an internal or public web site, by a member of the development
team
1 1 1 1 1

services on an internal or public web site, by a member of the maintenance
team
1 1 1 1 1

services on an internal or public web site, by a member of the production team
1 1 1 1 1
Malicious (and undetected) tampering of programs of information publishing

services on an internal or public web site, by a member of the development
team
1 1 1 1 1

services on an internal or public web site, by a member of the maintenance
team
1 1 1 1 1

services on an internal or public web site, by a member of the production team
1 1 1 1 1

services on an internal or public web site, by a user not authorized
1 1 1 1 1
Malicious (and undetected) swap of media containing programs of information

publishing services on an internal or public web site during production by an
authorized staff member
1 1 1 1 1

publishing services on an internal or public web site during production by a
1 1 1 1 1

publishing services on an internal or public web site during the transportation
between sites by an authorized staff member
1 1 1 1 1
seriousness
Likelihood
Impact
Impact

Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
Confining
EFF-CONF
min(08F01;08F02)
max(08A03;08B03;09 09B05
B05;10B01)
max(08A03;08B03;09 09B05
B05;10B05)
max(08B02;08B03;09 09B05
B05)
10B01
10B01
10B05
10B05
max(07C02;08F03)
max(08B02;08B03)
07C02
max(min(07A01;07A0 09B04
2;07A03;07A04);08B0
2;08B03;09B05)
max(08B03;09B05)
09B04
09B04
max(03B04;03B05;03 max(min(03B01;03B0 09B04

B06)
2;03B03);08B03;08C0
2;09B05)
max(08B03;09B05)
09B04
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1

information publishing services on an internal or public web site during the
setting up after an intervention by a member of the production team
1 1 1 1 1

setting up after an intervention by a member of the maintenance team

setting up after an intervention by a member of the staff not authorized
Disclosure of program files, due to an error of application services due to a

procedure error, during production
Prevention
EFF-PREV
max(07C02;08F03)
max(07A05.09A05)
10B01
max(07A05.09A05)
10B05
max(07A05.09A05)

setting up after an intervention by a member of the production team
Dissuasion
EFF-DISS

connection to the service by a member of the maintenance team

setting up after an intervention by a member of the maintenance team

connection to the service by a member of the development team
seriousness
Likelihood
calculated
values
Impact
Type AICE
Impact
Type AEM

connection to the service by a member of the production team
security decided
measures values
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Direct Selection
Intrinsic
values
DESCRIPTION
08A04
1 1 1 1 1
3
min(07C02;08F03)
1 1 1 1 1
3
10B05
1 1 1 1 1
08A04
3
min(08F01;08F02)
1 1 1 1 1
1 1 1 1 0
10B02
Confining
EFF-CONF
1 1 1 1 0

procedure error, during development tests
1 1 1 1 0

1 1 1 1 0
Diversion of programs of application services , during user treatments, by a

user authorized legitimately
1 1 1 1 0

user authorized illegitimately
1 1 1 1 0

user not authorized
1 1 1 1 0
Diversion of programs of application services , during production, by a member

1 1 1 1 0
Diversion of programs of application services , during a maintenance

operation, by a member of the maintenance team
1 1 1 1 0
Disclosure of information, due to a theft, of media containing files of application

services , during the transportation between sites, by an authorized staff
member
1 1 1 1 0
Disclosure of programs, due to a theft, of media containing program files of

application services , during a storage in the site, by an authorized staff
member
1 1 1 1 0

application services , during an externalized storage , by an authorized staff
member
1 1 1 1 0

application services , during production, by a member of the staff not authorized
1 1 1 1 0

application services , during the transportation between sites, by a member of
1 1 1 1 0

application services , during a storage in the site, by a member of the staff not
authorized
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

procedure error, during a hardware maintenance operation
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
10B02
10B02
10B02
10B02
max(min(07A01;07A0
2);min(09A01;09A02);
10B02)
max(min(07A03;07A0
4;08F02;08C06);min(0
9A03;09A04);10B02)
10B02
10B02
10B02
08C03
10B02
08C04
10B02
03B06
max(min(03B03;03B0
4);10B02)
max(08C07;10B02)
08C03
max(08C03;10B02)
Confining
EFF-CONF
1 1 1 1 0
Non compliance to laws or regulations concerning the protection of personal

information due to the use of inadequate procedures
1 1 1 1 1

information due to the non application of procedures, consequence of lack of
resources
1 1 1 1 1

information due to the non application of procedures, consequence of lack of
knowledge
1 1 1 1 1

information due to the intentional non application of procedures
1 1 1 1 1
Non compliance to laws or regulations concerning financial communication

due to the use of inadequate procedures
1 1 1 1 1

due to the non application of procedures, consequence of lack of resources
1 1 1 1 1

due to the non application of procedures, consequence of lack of knowledge
1 1 1 1 1

due to the intentional non application of procedures
1 1 1 1 1
Non compliance to laws or regulations concerning the digital accounting

control due to the use of inadequate procedures
1 1 1 1 0
seriousness
Likelihood
Impact
Impact

application services , during an externalized storage , by a member of the staff
not authorized
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
08C04
Prevention
EFF-PREV
max(08C04;10B02)
13A01
13A03
13A02
13A04
13B01
13B03
13B02
13B04
min(13C01;13C02)
Confining
EFF-CONF
1 1 1 1 1

control due to the non application of procedures, consequence of lack of
knowledge
1 1 1 1 1

control due to the intentional non application of procedures
1 1 1 1 1
Non compliance to laws or regulations concerning the protection intellectual

property due to the use of inadequate procedures
1 1 1 1 1

property due to the non application of procedures, consequence of lack of
resources
1 1 1 1 1

property due to the non application of procedures, consequence of lack of
knowledge
1 1 1 1 1

property due to the intentional non application of procedures
1 1 1 1 1
Non compliance to laws or regulations concerning the protection of computer

systems due to the use of inadequate procedures
1 1 1 1 1

systems due to the non application of procedures, consequence of lack of
resources
1 1 1 1 1

systems due to the non application of procedures, consequence of lack of
knowledge
1 1 1 1 1

systems due to the intentional non application of procedures
1 1 1 1 1
seriousness
Likelihood
Impact
Impact

control due to the non application of procedures, consequence of lack of
resources
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
13C04
13C03
13C05
min(11A03;13D01)
13D03
13D02
min(11A03;13D04)
13E01
13E03
13E02
13E04
Confining
EFF-CONF
1 1 1 1 1
Non compliance to laws or regulations concerning the security of persons and

the protection of environment due to the non application of procedures,
consequence of lack of resources
1 1 1 1 1

the protection of environment due to the non application of procedures,
consequence of lack of knowledge
1 1 1 1 1

the protection of environment due to the intentional non application of
procedures
1 1 1 1 1
seriousness
Likelihood
Impact
Impact

the protection of environment due to the use of inadequate procedures
Exposure
seriousness
Dissuasion
Prevention
Confining
Palliation
Confinability
Impact
Likelihood
Type AICE
calculated
values
Type AEM
security decided
measures values
Direct Selection
Intrinsic
values
DESCRIPTION
Dissuasion
EFF-DISS
Prevention
EFF-PREV
13F01
13F03
13F02
13F04
Confining
EFF-CONF
las)
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
las)
Palliative
EFF-PALL
08D05
08D05
08D05
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
las)
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
09D02
09D02
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
las)
Palliative
EFF-PALL
min(11D04;08D09)
min(11D04;08D09)
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D08
11D08
11D05
11D05
11D05
las)
Palliative
EFF-PALL
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
las)
Palliative
EFF-PALL
11D05
11D05
11D08
11D08
las)
Palliative
EFF-PALL
09F03
09F03
09F03
09F03
09F03
09F03
11C05
11C05
11C05
11C05
11C05
11C05
11C05
11C05
11C05
las)
Palliative
EFF-PALL
02D05
02D05
02D05
02D05
02D04
02D04
02D04
02D05
02D04
02D05
02D05
02D05
02D04
02D04
las)
Palliative
EFF-PALL
08H02
las)
Palliative
EFF-PALL
08H02
08H02
08H02
08H02
08H02
08H02
08H02
08H02
09D02
09D02
08D05
08D05
las)
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
08D05
08D05
las)
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
08D05
08D05
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
01E03
01E03
01E03
01E03
las)
Palliative
EFF-PALL
12C03
12C03
12C03
12C03
12C04
12C04
12C04
12C04
12C04
12C01
03A06
las)
Palliative
EFF-PALL
03A02
12C01
12C01
12C01
12C01
12C04
12C05
04A04
04A04
04A04
04A04
las)
Palliative
EFF-PALL
04A04
04A04
max(04A01;04A05;mi
n(01E01;01E02))
max(04A01;04A05;mi
n(01E01;01E02))
04A05
04A05
04A05
max(04A01;04A02)
03A06
03A02
04A02
04A02
las)
Palliative
EFF-PALL
04A02
04A02
04A05
04A04
04A04
04A06
min(01E01;01E02)
01C02
01C02
04A03
05A05
05A05
05A05
las)
Palliative
EFF-PALL
05A05
05A05
05A05
max(05A02;05A06;mi
n(01E01;01E02))
max(05A02;05A06;mi
n(01E01;01E02))
05A06
05A06
05A06
max(05A02;05A03)
03A06
03A02
05A03
las)
Palliative
EFF-PALL
05A03
05A03
05A03
05A06
05A05
05A05
05A07
min(01E01;01E02)
01C02
01C02
05A04
08D04
08D04
las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
las)
Palliative
EFF-PALL
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
min(08D06;09E02)
min(08D06;09E02)
max(07D01;08D01)
03A06
03A02
03A03
08D01
las)
Palliative
EFF-PALL
08D01
08D01
08D01
min(08D06;09E02)
08D04
08D04
08D08
09E03
min(01E01;01E02)
01C02
01C02
08D02
10A04
08D03
las)
Palliative
EFF-PALL
08D10
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
min(08D06;09E02)
min(08D06;09E02)
max(07D01;08D01)
las)
Palliative
EFF-PALL
03A06
03A02
08D01
08D01
08D01
08D01
min(08D06;09E02)
08D04
08D04
08D08
09E03
min(01E01;01E02)
las)
Palliative
EFF-PALL
01C02
01C02
11D02
08D10
11D03
11D03
11D03
11D03
max(01E03;11D07)
max(01E03;11D07)
max(01E03;11D07)
max(01E03;11D07)
max(01E03;11D07)
las)
Palliative
EFF-PALL
max(01E03;11D07)
max(01E03;11D07)
11D01
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
min(08D06;09E02)
las)
Palliative
EFF-PALL
min(08D06;09E02)
max(07D01;08D01)
03A06
03A02
03A03
08D01
08D01
08D01
08D01
min(08D06;09E02)
08D08
09E03
las)
Palliative
EFF-PALL
min(01E01;01E02)
01C02
01C02
08D02
10A04
08D03
08D10
08D04
08D04
08D04
08D04
08D04
08D04
las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
las)
Palliative
EFF-PALL
min(08D06;09E02)
min(08D06;09E02)
max(07D01;08D01)
03A06
03A02
08D01
08D01
08D01
08D01
08D04
08D04
las)
Palliative
EFF-PALL
min(08D06;09E02)
08D08
09E03
min(01E01;01E02)
01C02
01C02
08D02
10A04
08D03
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
las)
Palliative
EFF-PALL
Number of scenarios per asset type and seriousness level

Data and information assets
Availability
Integrity
S. 1 S. 2 S. 3 S. 4
Confidentiality
S. 1 S. 2 S. 3 S. 4
S. 1 S. 2 S. 3 S. 4
Data and information

D01
D02
D03
D04
D05
D06
D07
D08
D09
D10
D11
Data files and data bases accessed by applications

Shared office files and data
Personal office files (on user work stations and equipments)
Written or printed information and data kept by users and personal archives
Listings or printed documents
Exchanged messages, screen views, data individually sensitive
electronic mailing
(Post) Mails and faxes
Patrimonial archives or documents used as proofs
IT related Archives
Data and information published on public or internal sites
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
>
>
>
>
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
>
>
>
>
>
>
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0 > 0
0 > 0
0 > 0
0
0
0 > 0
0 > 0
0 > 0
0
0 > 0
0 >
0
0
0
0
0
0
0 >
0 >
0 >
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0 >
0 >
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0 >
>
>
>
>
>
>
>
>
>
>
Service assets
General Services
G01 User workspace and environment
G02 Telecommunication Services (voice, fax, audio & videoconferencing, etc.)
IT and networking Services

R01 Extended Network Service
R02 Local Area Network Service
S01 Services provided by applications
S02 Shared Office Services (servers, document management, shared printers, etc.)
S03 Users' disposal of Equipments (workstations, local printers, peripherals, specific interfaces, etc.)
S04 Common Services, working environment: messaging, archiving, print, editing, etc.
S05 Web editing Service (internal or public)
0
0
0
0
0
Management process types of assets
>
>
>
>
>
>
>
>
>
> 0
>
Efficiency
Management processes for compliance to law or regulations

C01
C02
C03
C04
C05
C06
Compliance to law or regulations relative to personal information protection

Compliance to law or regulations relative to financial communication
Compliance to law or regulations relative to digital accounting control
Compliance to law or regulations relative to intellectual property
Compliance to law or regulations relative to the protection of information systems
0
0
0
0
0
Compliance to law or regulations relative to people safety and protection of environment
341702815.xls ! Risk%asset
569
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
>
>
>
>
>
>
Dcembre 2006
Number of scenarios sorted per type of event and seriousness level

Type
Code
type
Absence of personnel, accidental
AB.P
Absence or unavailability of service,

by accident
Serious accident affecting the

environment
AB.S
AC.E
Event
Code
Absence of personnel from a partner
AB.P.Pep
Absence of internal personnel
AB.P.Per
Absence of service : Power supply
AB.S.Ene
Absence of service : Air-conditioning
AB.S.Cli
Absence of service : Premises
AB.S.Loc
Absence or unavailability of application maintenance
AB.S.Maa
Absence or unavailability of system maintenance
AB.S.Mas
Lightning
AC.E.Fou
Fire
AC.E.Inc
Flooding
AC.E.Ino
Breakdown of computing or telecommunication equipment
AC.M.Equ
Breakdown of auxiliary equipment
AC.M.Ser
Accident affecting hardware
AC.M
Voluntary absence of personnel
AV.P
Social conflict with strike
AV.P.Gre
Design error
ER.L
Blocking bug due to a design or programming error (internal development)
ER.L.Lin
Loss or oblivion of document or media
ER.P.Peo
Error of operation or execution of a procedure
ER.P.Pro
Capture or typing error
ER.P.Prs
Damage due to obsolescence
IC.E.Age
Water damage
IC.E.De
Electrical overloading
IC.E.Pol
Damage due to pollution
IC.E.Se
Production incident
IF.L.Exp
Blocking bug in system or packaged software
IF.L.Lsp
Blocking jam due to external cause (worm)
IF.L.Ver
Virus
IF.L.Vir
Attempt to block an account
MA.L.Blo
Deliberate erasure or massive pollution of system configurations
MA.L.Cfg
Deliberate erasure of physical or logical media
MA.L.Del
Electromagnetic harnessing
MA.L.Ele
Logical alteration of data or functions)
MA.L.Fal
Forgery (of messages or data)
MA.L.Fau
Replay of transaction
MA.L.Rej
Malicious saturation of computer equipments or networks
MA.L.Sam
Complete destruction of data (files and backup copies)
MA.L.Tot
Harnessing of files or data (illegal remote loading or copy)
MA.L.Vol
Rigging or alteration of hardware equipment
MA.P.Fal
Terrorism
MA.P.Ter
Vandalism
MA.P.Van
Robbery
MA.P.Vol
Inadequate procedures
PR.N.Api
Procedures not applied due to lack of resources
PR.N.Naa
Procedures not applied due to ignorance
PR.N.Nam
Procedures not applied deliberately
PR.N.Nav
Error affecting hardware or originated

ER.P
by personnel
Incident caused by the environment
Incident or dysfunction of software
Malevolence effected using logical or

functional means
Malevolence effected using physical

means
Non compliance of procedures
IC.E
IF.L
MA.L
MA.P
PR.N
Number of scenarios for

each seriousness level
S. 1
S. 2
S. 3
S. 4
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Action plans
Number of scenarios
Family of
scenarios
S1
D01-A
S3
S4
Tot
If 1 in the opposite cell, the reduced seriousness from the completion of

projects (Obj_projects) or selected plans (1 in the "Decision" row below) will
be considered
Measures
needing
improvement
Deterrence :
Deterrence :
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Plan of type A
Plan of type A
Plan of type A
Plan of type B
Plan of type A
Plan of type A
Plan of type E
Target Services to Curren Target

level
improve
t level
level
Services to Curren Target

improve
t level
level
1
1
1
1
1
1
1
3
3
4
4
4
3
3
07C02
08E02
07A02
08A06
03A04
08E03
08D09
1
1
1
1
1
4
4
4
3
3
07A03
08C03
03B03
1
1
1
4
4
4
09D02
Deterrence :
Deterrence :
Prevention :
Prevention :
Plan of type A
Plan of type A
Plan of type A
Plan of type A
08F02
03B06
07A02
03A01
1
1
1
1
08F03
4
4
07A03
03A04
1
1
4
4
07A04
03B03
1
1
4
4
Plan of type A
Plan of type E
08E03
08D09
1
1
3
3
11D04
11D08
Deterrence :
Deterrence :
Plan of type A
Plan of type B
08F02
02C05
1
1
4
4
08F03
Prevention :
Prevention :
Confining :
Palliation :
Plan of type A
Plan of type B
08D07
02C03
1
1
4
4
11B01
02D02
1
1
4
4
11D06
03A01
1
1
4
4
Plan of type E
11D05
11D08
Deterrence :
Plan of type B
02C05
Prevention :
Confining :
Palliation :
Plan of type E
02D01
02D06
11B02
Deterrence :
Plan of type A
08F02
08F03
Prevention :
Confining :
Palliation :
Plan of type D
03C01
03D01
07A03
Plan of type E
09F03
Plan of type A
Plan of type C
08F02
03C01
1
1
4
4
08F03
03D01
1
1
4
4
07A03
Loss of documents
0
Loss of transmitted data or messages

0
D07-A
Current
level
Loss of personal office data

0
D06-A
Services to
improve
07C01
03B06
07A01
08A03
03A01
08E02
08D05
Confining :
Palliation :
D04-A
Decision
Loss of office shared data

0
D03-A
Type of plan
Loss of data for applications

0
D02-A
S2
If 0 in the opposite cell, the intrinsic seriousness of the scenarios will be

considered
If 1 in the opposite cell, the current seriousness of the scenarios will be
considered
Loss of e-mails (during sending or receipt)

0
Deterrence :
Prevention :

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Confining :
Palliation :
D08-A
Type of plan
Decision
Plan of type E
Services to
improve
Current
level

level
improve
t level
level
11C05
02D04
02D05

improve
t level
level
Loss of transmitted documents (during sending or receipt)

Deterrence :
D09-A
Prevention :
Confining :
Palliation :
Plan of type E
Loss or impossibility to use archived documents

0
Deterrence :
Plan of type D
02D06
02D07
Prevention :
Confining :
Plan of type E
02D06
02D07
Deterrence :
Plan of type A
08H03
Prevention :
Confining :
Palliation :
Plan of type B
Plan of type A
Plan of type D
08H01
08C05
08H02
1
1
1
08H03
09D02
08D05
08D09
Plan of type B
Plan of type B
Plan of type B
Plan of type C
Plan of type C
Plan of type E
08D03
07A01
09A01
09B01
09C02
09B04
1
1
1
1
1
1
4
4
4
4
4
3
10B05
07A02
09A02
1
1
1
4
4
4
10B06
07A03
09A03
1
1
1
4
4
4
Plan of type D
Plan of type A
Plan of type D
Plan of type C
11C01
11C03
11C04
07A01
1
1
1
1
4
4
4
4
07A02
07A03
Palliation :
D10-A
Loss of digitalized archives

0
D11-A
Unavailability or Loss of data published on private or public sites

Deterrence :
Prevention :
Confining :
Palliation :
D01-I
D02-I
Plan of type E
Distorsion (not detected) of files containing data for applications

0
Deterrence :
Prevention :
Prevention :
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Distorsion (not detected) of shared office files

0
Deterrence :
Prevention :
Prevention :
Prevention :
Prevention :
Confining :
Palliation :

be considered
Number of scenarios
Family of
scenarios
S1
D03-I
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level
Deterrence :
Prevention :
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Plan of type C
Plan of type A
Plan of type D
Plan of type B
11C01
11C03
11C04
11C02
1
1
1
1
4
4
4
4
Deterrence :
Plan of type A
09B03
Prevention :
Prevention :
Prevention :
Plan of type A
Plan of type C
Plan of type C
09B03
09B01
09C01
1
1
1
4
4
4
09B02
09C02
1
1
4
4
09F01
Prevention :
Prevention :
Plan of type C
Plan of type A
04C01
07A01
1
1
4
4
04C02
07A02
1
1
4
4
05C01
07A03
1
1
4
4
Confining :
Plan of type E
09B04
Confining :
Palliation :
Plan of type A
09F03
Plan of type E
11C05
Plan of type E
02D05
Deterrence :
Plan of type B
08H03
Prevention :
Confining :
Palliation :
Plan of type D
08H02
09B05
09B01
09C02
07A01
1
1
1
1
4
4
4
4
07A02
07A03
Deterrence :
Prevention :
Confining :
Palliation :
Deterrence :
Prevention :
Confining :
Palliation :
Distorsion of computerized archives

0
D11-I
Measures
needing
improvement
Distorsion of faxes during sending or receipt

0
D10-I
Tot
Distorsion of e-mails during sending or receipt

0
D08-I
S4
Distorsion (not detected) of data individually sensitive or during transfer

0
D07-I
S3
Distorsion (not detected) of personal office files

0
D06-I
S2
Distorsion of data published on internal or public sites

0
Deterrence :
Prevention :
Prevention :
Prevention :
Prevention :
Plan of type D
Plan of type B
Plan of type B
Plan of type C

be considered
Number of scenarios
Family of
scenarios
S1
D01-C
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level
Prevention :
Confining :
Palliation :
Plan of type B
Plan of type E
08D03
09B04
1
1
4
3
10B06
Deterrence :
Prevention :
Prevention :
Prevention :
Plan of type B
Plan of type E
Plan of type B
Plan of type A
03B06
09C02
07B01
07A01
1
1
1
1
3
4
4
4
08C03
08C04
08A05
07A02
1
1
4
4
08A06
07A03
1
1
4
4
Prevention :
Prevention :
Plan of type A
Plan of type B
05B03
03B03
1
1
4
4
05B04
03B04
1
1
4
4
05B05
08C03
1
1
4
4
Deterrence :
Prevention :
Prevention :
Prevention :
Plan of type B
Plan of type E
Plan of type A
Plan of type B
08C03
11C01
07A01
03B03
1
1
1
1
3
4
4
4
08C04
02C05
07A02
03B04
1
1
4
4
07A03
08C03
1
1
4
4
Prevention :
Confining :
Palliation :
Plan of type A
05B03
05B04
05B05
Deterrence :
Prevention :
Prevention :
Prevention :
Confining :
Plan of type C
Plan of type E
Plan of type C
Plan of type B
02C04
11C01
11B01
02C01
1
1
1
1
3
4
4
4
02C05
11C02
11E01
02C02
1
1
1
1
3
4
4
4
11E02
02C03
Deterrence :
Plan of type B
02C05
Prevention :
Plan of type E
02D02
02D03
Prevention :
Confining :
Palliation :
Plan of type B
02C01
02C02
02C03
Deterrence :
Prevention :
Confining :
Palliation :
Plan of type C
Plan of type E
03B06
08A07
1
1
3
4
Disclosure of data files

0
Confining :
Palliation :
D02-C
Disclosure of shared office files

0
D03-C
Disclosure of personal office files

0
Palliation :
D04-C
Disclosure of documents
0
D05-C
Disclosure of listings or printouts

0
D06-C
Disclosure of data after consulting or harnessing

be considered
Number of scenarios
Family of
scenarios
D07-C
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level
Deterrence :
Prevention :
Prevention :
Prevention :
Plan of type B
Plan of type B
Plan of type C
Plan of type B
06A01
09A01
05C01
07A01
1
1
1
1
3
4
4
4
06C03
09A02
05C03
07A02
1
1
1
1
3
4
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Plan of type B
Plan of type B
Plan of type A
03B07
06A02
09C03
1
1
1
3
3
4
04B02
06A04
1
1
Plan of type E
11C05
02D05

improve
t level
level
08F02
09A03
09C01
07A03
1
1
1
1
3
4
4
4
3
3
04B03
06C01
1
1
3
3
Disclosure of e-mails during sending or receipt

Deterrence :
Prevention :
Confining :
Palliation :
D08-C
Disclosure of post-mails or faxes during sending or receipt

0
D09-C
Deterrence :
Prevention :
Confining :
Palliation :
Plan of type E
02D04
Deterrence :
Plan of type C
02D07
Prevention :
Confining :
Palliation :
Plan of type D
02D07
Deterrence :
Plan of type E
08H03
Prevention :
Confining :
Palliation :
Plan of type E
09C02
03A02
03C02
01E03
1
1
1
4
4
3
03C01
03C03
1
1
4
4
03D01
03D02
1
1
4
4
Disclosure of archive computer data

0
G01-A
Disclosure of archived document

0
D10-C
Unavailability of the users' working environment

Deterrence :
0
G02-A
Prevention :
Confining :
Palliation :
Plan of type D
Plan of type C
Plan of type E
Unavailability of the telecommunication services (voice, faxes, videoconferencing)

0
Deterrence :
Prevention :
Plan of type A
Plan of type A
03B06
02A01
1
1
3
4
12E02
02A02
1
1
3
4
12E03
02A03
1
1
3
4
Prevention :
Prevention :
Plan of type B
Plan of type A
03A01
12A02
1
1
4
4
03A02
03A04

be considered
Number of scenarios
Family of
scenarios
S1
R01-A
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level
Confining :
Plan of type A
02A04
03B04
03C02
Palliation :
Plan of type E
03A02
03A06
12C01
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type E
03B06
02A01
03A01
04D01
02A04
01C02
1
1
1
1
1
1
3
4
4
4
4
3
06C02
02A02
03A02
06A02
03B04
01E02
1
1
1
1
1
1
3
4
4
4
4
3
06C03
02A03
03A04
06C02
03C02
03A02
1
1
1
1
1
1
3
4
4
4
4
3
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type E
Plan of type A
03B06
02A01
03A01
05D01
02A04
01C02
03A02
1
1
1
1
1
1
1
3
4
4
4
4
3
3
06C02
02A02
03A02
06A02
03B04
01E01
03A06
1
1
1
1
1
1
1
3
4
4
4
4
3
3
06C03
02A03
03A04
06C02
03C02
01E02
05A02
1
1
1
1
1
1
1
3
4
4
4
4
3
3
Deterrence :
Prevention :
Plan of type B
Plan of type A
03B06
07A01
1
1
3
4
07C01
07A02
1
1
3
4
07C02
07A03
1
1
3
4
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Palliation :
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type D
02A01
03A01
07D01
02A04
01C02
01E01
1
1
1
1
1
1
4
4
4
3
3
3
02A02
03A04
08A03
03B04
08D01
01E02
1
1
1
1
1
1
4
4
4
3
3
3
02A03
03A05
08E01
03C02
08D02
03A02
1
1
1
1
1
1
4
4
4
3
3
3
Deterrence :
Prevention :
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Plan of type B
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type A
03B06
07A01
02A01
03A01
07D01
02A04
01C02
1
1
1
1
1
1
1
3
4
4
4
4
3
3
07C01
07A02
02A02
03A04
08A03
03B04
08D01
1
1
1
1
1
1
1
3
4
4
4
4
3
3
07C02
07A03
02A03
03A05
08E01
03C02
08D02
1
1
1
1
1
1
1
3
4
4
4
4
3
3
Palliation :
Plan of type D
01E01
01E02
03A02
3
4
4
4
3
3
11E03
03B03
03C01
03C03
11D07
1
1
1
1
4
4
3
Deterrence :
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Deterrence :
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Palliation :
Unavailability of the shared office services

0
S03-A
Tot
Unavailability of the application service

0
S02-A
S4
Unavailability of the local area network service

0
S01-A
S3
Unavailability of the extended network service

0
R02-A
S2
Unavailability of the interface services or peripherals needed by users (PC, printers, specific interfaces, etc.)
0
Deterrence :
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Plan of type A
Plan of type A
Plan of type A
Plan of type B
Plan of type B
Plan of type E
03B06
11A01
03B01
03A02
03B04
01E03
1
1
1
1
1
1
3
4
4
4
3
3
11E02
11D06
03B02
03A05
03C02
11D03
1
1
1
1
1
1

be considered
Number of scenarios
Family of
scenarios
S1
S04-A
S3
S4
Tot
Measures
needing
improvement
Deterrence :
Prevention :
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Palliation :

improve
t level
level
Plan of type B
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type B
Plan of type D
03B06
07A01
02A01
03A01
07D01
02A04
01C02
01E01
1
1
1
1
1
1
1
1
3
4
4
4
4
3
3
3
07C01
07A02
02A02
03A04
08A03
03B04
08D01
01E02
1
1
1
1
1
1
1
1
3
4
4
4
4
3
3
3
07C02
07A03
02A03
03A05
08E01
03C02
08D02
03A02
1
1
1
1
1
1
1
1
3
4
4
4
4
3
3
3
Plan of type B
Plan of type A
03B06
07A01
1
1
3
4
07C01
07A02
1
1
3
4
07C02
07A03
1
1
3
4
Prevention :
Prevention :
Prevention :
Confining :
Palliation :
Plan of type A
Plan of type A
Plan of type A
Plan of type A
Plan of type A
02A01
03A01
07D01
02A04
01C02
1
1
1
1
1
4
4
4
3
3
02A02
03A04
08A03
03B04
08D01
1
1
1
1
1
4
4
4
3
3
02A03
03A05
08E01
03C02
08D02
1
1
1
1
1
4
4
4
3
3
Plan of type E
01E01
01E02
03A02
Plan of type C
Plan of type E
12A03
12A02
1
1
3
4
12E02
12B01
1
1
3
4
12E03
12B02
1
1
3
4
Plan of type C
Plan of type E
06A03
06A02
1
1
3
4
06C02
06B01
1
1
3
4
06C03
06C01
1
1
3
4
Plan of type C
Plan of type E
06A03
06A02
1
1
3
4
06C02
06B01
1
1
3
4
06C03
06C01
1
1
3
4
Deterrence :
Prevention :
Prevention :
Confining :
Palliation :
Plan of type C
Plan of type E
Plan of type B
Plan of type C
03B04
08A03
03B01
09B04
1
1
1
1
3
4
4
3
03B05
08A04
03B02
09B05
1
1
1
1
3
4
4
3
03B06
08B01
03B03
1
1
1
3
4
4
Deterrence :
Plan of type B
07C02
08A04
08F02
Deterrence :
Prevention :
Confining :
Palliation :
Deterrence :
Prevention :
Confining :
Palliation :
Alteration of the local area network service

0
Deterrence :
Prevention :
Confining :
Palliation :
Alteration of the application services

0
S02-I

level
improve
t level
level
Alteration of the extended network service

0
S01-I
Current
level
Alteration of the telecommunication fonctions

0
R02-I
Services to
improve
Deterrence :
Prevention :
Palliation :
R01-I
Decision
Unavailability of the publication service on a web site (internal or public)

0
G02-I
Type of plan
Unavailability of common system services: e-mailing, archiving, printing, edition, etc.

0
S05-A
S2
Alteration of the common office services

0

be considered
Number of scenarios
Family of
scenarios
S04-I
S1
S2
S3
S4
Tot
Prevention :
Prevention :
Confining :
Palliation :
Plan of type D
07A01
07A02
07A03
Deterrence :
Prevention :
Confining :
Palliation :
Plan of type B
Plan of type D
07C02
07A01
1
1
3
4
08A04
07A02
1
1
3
4
08F02
07A03
1
1
3
4
Deterrence :
Prevention :
Plan of type C
Plan of type E
03B04
08A03
1
1
3
4
03B05
08A04
1
1
3
4
03B06
08B01
1
1
3
4
Prevention :
Confining :
Palliation :
Plan of type B
Plan of type C
03B01
09B04
1
1
4
3
03B02
09B05
1
1
4
3
03B03
Deterrence :
Prevention :
Prevention :
Palliation :
Plan of type B
Plan of type E
Plan of type A
03B06
10B02
07A01
1
1
1
3
4
4
08C03
08C04
07A02
07A03
Deterrence :
Prevention :
Prevention :
Palliation :
Plan of type B
Plan of type D
1
1
4
4
13A02
13A03
Deterrence :
Prevention :
Prevention :
Palliation :
Plan of type B
Plan of type D
4
4
13B02
13B03
Deterrence :
Prevention :
Prevention :
Palliation :
Plan of type B
Plan of type D
1
1
4
4
13C02
13C03
Deterrence :
Prevention :
Prevention :
Palliation :
Plan of type B
Plan of type D
1
1
4
4
13D02
13D03
Deterrence :
Plan of type B
13A04
13A01
13B04
13B01
1
1
13C05
13C01
Non compliance of processes relating to the protection of intellectual property

0
C05-E

improve
t level
level
Non compliance of processes relating to the control of the computerized accounting

0
C04-E

level
improve
t level
level
Non compliance of processes relating to the communication of financial information

0
C03-E
Current
level
Non compliance of processes relating to the protection of personal information

0
C02-E
Services to
improve
Disclosure of application program service

0
C01-E
Decision
Alteration of the edition services for web sites (public or internal)

0
S01-C
Type of plan
Alteration of the common system services

0
S05-I
Measures
needing
improvement
13D04
13D01
Non compliance of processes relating to the protection of computing systems and operations
0
13E04

be considered
Number of scenarios
Family of
scenarios
C06-E
S1
S2
S3
S4
Tot
Measures
needing
improvement
Prevention :
Prevention :
Palliation :
Type of plan
Decision
Plan of type D
Services to
improve
13E01
Current
level

level
improve
t level
level

improve
t level
level
13E02
13E03
4
4
13F02
13F03
Non compliance of processes relating to the protection of humans and environment

0
Deterrence :
Prevention :
Prevention :
Palliation :
Plan of type B
Plan of type D
Number of selected scenarios whose I and P parameters are defined:
13F04
13F01
1
1

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level

be considered
Number of scenarios
Family of
scenarios
S1
S2
S3
S4
Tot
Measures
needing
improvement
Type of plan
Decision
Services to
improve
Current
level

level
improve
t level
level

improve
t level
level
Summary of the objectives resulting from the action plans

DOMAIN
01A
01A01
01A02
01A03
01A04
01A05
01B
01B01
01B02
01B03
01B04
01B05
01C
01C01
01C02
01C03
01C04
01C05
01C06
01D
01D01
01D02
01D03
01D04
01D05
01E
01E01
01E02
01E03

Asset management
People Registration
Insurance
Business continuity
Workplace Recovery Plans (WRP)
02 Sites security
02A
02A01
02A02
02A03
02A04

Management of access rights to the site or building
D03-C
D02-C
D01-C
D11-I
D10-I
D08-I
D07-I
D06-I
D03-I
D02-I
D01-I
D11-A
D10-A
D09-A
D08-A
D07-A
D06-A
D04-A
D03-A
Objectives
from the
action plans
D02-A
SUB-SERVICE
D01-A
SERVICE
02A05
02B
02B01
02C
02C01
02C02
02C03
02C04
02C05
02C06
Access to the loading and unloading areas (goods receipt and consignment) or to areas open to
public
02D
02D01
02D02
02D03
02D04
02D05
02D06
02D07

0
0
0
0
0
0
0
0
0
0
0
03A
03A01
03A02
03A03
03A04
03A05
03A06
03B
03B01
03B02
03B03
03B04
03B05
03B06
03B07
03B08
03C
03C01
03C02
03C03
03D
03D01
03D02
03D03
General Maintenance
Quality of cabling
Water evacuation
Fire security
Fire detection
Fire extinguishing

04A
0
0
0
0
0
0
0
0
0
0
0
0
0
04A01
04A02
04A03
04A04
04A05
04A06
04B
04B01
04B02
04B03

04C
04C01
04C02
04D
04D01
04D02
04D03

0
0

05A
05A01
05A02
05A03
05A04
05A05
05A06
05A07
05B
05B01
05B02
05B03

User or entity authentication for access requests to the local area network from an internal access
point
domain controller.
05B07
05B08
05B09
05C
05C01
05C02
05C03
05C04
0
0
0
0
0
0
General filtering of access to the local area network

Encryption
can be
effected at layer
(IPSEC
VPN)
or at level 4-5 (SSL) or directly effected by the
Integrity control
of exchanges
on the3 local
area
network
Encryption
of
exchanges
in
the
case
of
remote
access
to the local area network
by domain 09.
Protection
It
could be of
systematic
the integrity
on the
of exchanges
"pipeline" (physical
in the case
or of
logical)
remote
or access
limited only
to thetolocal
certain
area
data
network
flows (as
a function of address or type, etc.) it can also be performed on intermediate systems (VPN boxes)
0
0
0
0
05D
05D01
05D02
05D03

06A
06B
06B01
06B02
06C
06C01
06C02

06C03
06C04
06D
06D01
06D02

0
0
0
0
0
0
0
0

07A
07A01
07A02
07A03
07A04
07A05
07B
07B01
O7C
07C01
07C02
07D
07D01
07D02

08A
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
08A02
08A03
08A04
08A05

Systems
include operating
systems, applications and associated middleware
Control ofhere
maintenance
operations
08A06
08A07
08A08
08A09
08B
08B01
08B02
08B03
08C
08C01
08C02
08C03
08C04
08C05
08C06
08C07
08D
08D01
08D02

Service continuity
08D05
08D06
08D07
08D08
08D09
08D10

08E
08E01
08E02
08E03
08F
08F01
08F02

Online detection and treatment of IT related abnormal events and incidents
Offline management of traces, logs and event journals
Management of system and application incidents
Control of administrative access rights granted on systems
08F03 Surveillance of system administrators' actions

08G
0
0
0
0
0
0
0
0
0
0
0
3.0
0
0
3.0
0
0
0
0
08G01
08G02
08H
08H01
08H02
08H03

0
0
0
0
0
09A
09A03
09A04
09A05
09B
09B01
09B02
09B03
09B04
09B05
09C
09C01
09C02
09C03
09D
09D01
09D02
09E
09E01
09E02
09E03
09F
09F01
09F02
09F03
09G
09G01
09H
09H01

Data availability
Service continuity

10A
10A01
10A02
10A03
10A04
10A05

Consideration of security in application development
Change management
0
0
0
0
3.0
0
3
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
10B
10B01
10B02
10B03
10B04
10B05
10B06

Hot Maintenance
0
0
0
0
0

11A
workstations base
11B

11B02
11B03
11C
11C01
0
0

Protection of the confidentiality of data on the workstation or on a data server (logical disk for the
workstation)
workstations)

11D

0
0
0
0
11E
12A
12A01
12A02
12A03
12A04
12A05
12A06
12B
12B01
12B02
12C
12C01
12C02

Equipments
for classicaloperations
telephony : PABX, ...
Control of maintenance
Control
of Remote
Maintenance
Equipments
dedicated
to users: telephone terminal, fax machines (often combined with printing,
scanning and of
photocopy
capabilities
, ...),
and videoconferencing,
...
Management
Operating
Procedures
for tele
Telecommunication
Operation
Service continuity

12C04
12C05
12D
12D01
12D02
12D03
12E
12E01

Management of privileged access rights granted on equipments and systems (administrative
rights)
13A

13A03
13A04
13B
13B01
13B02
13B03
13B04

For
example,
the Financial
Security
Law (loi Mer) of
in financial
France and
the Sarbanes Oxley Act in the
Policy
and instructions
related
to Communication
data
United States
0
0
0
13C
13C01
13C02
13C03
13C04
13C05
13D
13D01
13D02
13D03
13D04
13E
13E01
13E02
13E03
13E04
13F
13F01
13F02
13F03
13F04
13G
13G01
13G02
13G03


14A
14A01
14A02
14A03
14A04
14A05
14A06
14A07
14A08
14B
14B01
14B02
14B03
14B04
14B05
14C
14C01
14C02
14C03

14D
14D01
14D02
14D03
14D04
14E
14E01
14E02
14E03
14E04
14E05
14E06

Documentation
Document approval
Updates
S02-A
S04-A
S05-A
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
C06-E
C05-E
C04-E
C03-E
C02-E
C01-E
S01-C
S05-I
S04-I
S02-I
S01-I
R02-I
R01-I
G02-I
S03-A
S01-A
G02-A
G01-A
D10-C
D09-C
D08-C
D07-C
D06-C
D05-C
D04-C
R02-A
0
0
0
0
R01-A
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Objectives per project
Projects :
Each cell should mention the level of quality (up to 4) expected for the service w
line 4, giving the target date "yy (year), space, mm (month)" (for example 12 06
DOMAINS
01A
01A01
01A02
01A03
01A04
01A05
01B
01B01
01B02
01B03
01B04
01B05
01C
01C01
01C02
01C03
01C04
01C05
01C06
01D
01D01
01D02
01D03
01D04
01D05
01E
01E01
01E02

Asset management
People Registration
Insurance
Business continuity
Need
SUB-SERVICES
10 01
P6
P5
P4
P3
P1
SERVICES
P2
Objectives
target date:
01E03 Workplace Recovery Plans (WRP)
02 Sites security
02A
02A01 Management of access rights to the site or building
02A02
02A03
02A04
02A05
02B
02B01
02C
02C01
02C02
02C03
02C04
02C05
02C06

Access to the loading and unloading areas (goods receipt and consignment) or to areas open to
public
02D
02D01
02D02
02D03
02D04
02D05
02D06
02D07

03A
03A01
03A02
03A03
03A04
03A05
03A06
03B
03B01
03B02
03B03
03B04
03B05
03B06
03B07
03B08
03C
03C01
03C02
General Maintenance
Quality of cabling
03C03
03D
03D01
03D02
03D03
Water evacuation
Fire security
Fire detection
Fire extinguishing

04A
04A01
04A02
04A03
04A04
04A05
04A06
04B
04B01
04B02
04B03

04C
04C01
04C02
04D
04D01
04D02
04D03


05A
05A01
05A02
05A03
05A04
05A05
05A06
05A07
05B
05B01
05B02
05B03

User or entity authentication for access requests to the local area network from an internal access
point
domain controller.
05B07 General filtering of access to the local area network
05B08
05B09
05C
05C01
05C02
05C03
05C04
05D
05D01
05D02
05D03

Encryption
can be
effected at layer
(IPSEC
VPN)
or at level 4-5 (SSL) or directly effected by the
Integrity control
of exchanges
on the3 local
area
network
Encryption
of exchanges in the case of remote access to the local area network
by domain 09.
Protection
the integrity
of exchanges
in the case
remote
to thetolocal
area
network
It
could be of
systematic
on the
"pipeline" (physical
or of
logical)
or access
limited only
certain
data
flows (as
a
function
of address
type, etc.)ofitincidents
can also on
be the
performed
on intermediate systems (VPN boxes)
Control,
detection
andorresolution
local network
06A
06B
06B01
06B02
06C
06C01
06C02

06C03
06C04
06D
06D01
06D02


07A
07A01
07A02
07A03
07A04
07A05
07B
07B01
O7C
07C01

07C02
07D
07D01
07D02

08A
08A02
08A03
08A04
08A05

Systems
include operating
systems, applications and associated middleware
Control ofhere
maintenance
operations
08A06
08A07
08A08
08A09
08B
08B01
08B02
08B03
08C
08C01
08C02
08C03
08C04
08C05
08C06
08C07
08D
08D01
08D02

Service continuity
08D05
08D06
08D07
08D08
08D09
08D10

08E
08E01 Online detection and treatment of IT related abnormal events and incidents
08E02 Offline management of traces, logs and event journals
08E03 Management of system and application incidents

08F
08F01 Control of administrative access rights granted on systems
08F02 Authentication of administrators and operational personnel
08F03
08G
08G01
08G02
08H
08H01
08H02
08H03
Surveillance of system administrators' actions

09A
09A03
09A04
09A05
09B
09B01
09B02
09B03
09B04
09B05
09C
09C01
09C02
09C03
09D
09D01
09D02
09E
09E01
09E02
09E03
09F
09F01
09F02
09F03
09G
09G01
09H
09H01

Data availability
Service continuity

10A
10A01 Consideration of security in application development
10A02 Change management
10A03
10A04
10A05
10B
10B01
10B02
10B03
10B04
10B05
10B06

Hot Maintenance

11A
workstations base
11B

11B02
11B03
11C
11C01

Protection of the confidentiality of data on the workstation or on a data server (logical disk for the
workstation)

workstations)
11D

11E
12A
12A01
12A02
12A03
12A04
12A05
12A06
12B
12B01
12B02
12C
12C01
12C02

Equipments
for classicaloperations
telephony : PABX, ...
Control of maintenance
Control of Remote
Maintenance
Equipments
dedicated
to users: telephone terminal, fax machines (often combined with printing,
scanning and of
photocopy
capabilities
, ...),
and videoconferencing,
...
Management
Operating
Procedures
for tele
Telecommunication
Operation
Service continuity

12C04
12C05
12D
12D01
12D02
12D03
12E
12E01

Management of privileged access rights granted on equipments and systems (administrative
rights)
13A

13A03
13A04
13B
13B01
13B02
13B03
13B04
13C

For
example,
the Financial
Security
Law (loi Mer) of
in financial
France and
the Sarbanes Oxley Act in the
Policy
and instructions
related
to Communication
data
United States
13C01
13C02
13C03
13C04
13C05
13D
13D01
13D02
13D03
13D04
13E
13E01
13E02
13E03
13E04
13F
13F01
13F02
13F03
13F04
13G
13G01
13G02
13G03


14A
14A01
14A02
14A03
14A04
14A05
14A06
14A07
14A08
14B
14B01

14B02
14B03
14B04
14B05
14C
14C01
14C02
14C03
14D
14D01
14D02
14D03
14D04
14E
14E01
14E02
14E03
14E04
14E05
14E06

Documentation
Document approval
Updates
List of intrinsic vulnerabilities

Type of supporting asset
Type of damage
Type of vulnerability
Criteria
AICE
Code
Alteration
Failure
Possibility of alteration of software configurations (software and parameters)

Possibility of software failure (bug)
A and I
A
Cfl.alt
Cfl.bug
Disclosure of software
Possibility of disclosure of a software file
Cfl.dif
Erasure
Unauthorized use
Pollution
Lock
Loss
Destruction
Failure
Not operable
Unavailability
Destruction
Loss
Exchange
Not operable
Unavailability
Possibility of erasure of software configurations

Possibility of denial to use (due to lack of license)
Possibility of pollution of software configurations
Possibility of user accounts to be blocked
Possibility of loss of capability to connect to the service
Possibility of destruction of equipment
Possibility of failure of equipment
Possibility of non operable equipment
Possibility of premises to be not accessible
Possibility of destruction of media containing software
Possibility of loss of media containing software
Possibility of loss of media containing software
Possibility of non operable media containing software
Possibility of unavailability of auxiliary means or equipments
A
I
I
A
A
A
A
A
A
A
A
I
A
I
Cfl.eff
Cfl.lic
Cfl.pol
Cpt.blo
Cpt.dis
Eq.des
Eq.hs
Eq.mo
Loc.ina
Med.des
Med.dis
Med.ech
Med.ine
Ser.hs
Loss
Alteration
Disclosure
Possibility of loss of means allowing to access data (physical or logical keys)

Possibility of alteration of data in transit or messages
Possibility of duplication and disclosure of data in transit, messages, screens
A
I
C
Cle.dis
Dtr.alt
Dtr.div
Loss
Possibility of loss of data in transit or messages
A and C
Dtr.per
Alteration
Disclosure
Erasure
Pollution
Destruction
Possibility of alteration of files containing data

Possibility of duplication or diffusion (and disclosure) of a file containing data
Possibility of erasure of data files
Possibility of pollution (slow evolution) of data in a file
Possibility of destruction of media containing data
I
C
A
A
A
Fic.alt
Fic.dif
Fic.eff
Fic.pol
Med.des
Loss
Possibility of loss of media containing data
A and C
Med.dis
Duplication
Possibility of duplication and disclosure of media containing data
A and C
Med.dup
Exchange
Possibility of exchange of media containing data
A and C
Med.ech
Unavailability
Possibility of unavailability of media containing data
Med.ine
Category: Service
Software Configuration
Account or means to access the

service
Hardware (Equipment)
Premises
Media containing software
Auxiliary means or equipments
Category: data
means to access data
Data in transit, messages, screens
File containing data
Media containing data
Category: management process

Procedures and instructions
Inefficiency
Possibility that procedures observed be inefficient (towards laws, regulations or contractual commitments)
Pro.inf
Selection
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Comments
Synthesis table : Risk seriousness

Impact
4
3
2
1
341702815.xls ! Seriousness
2
3
4
Likelihood
651
Dcembre 2006
Grids of of evaluation of STATUS-I

The non evolutionary scenarios are represented on the nc line
1. Scenarios affecting Availability

II = 1
II = 2
II = 3
II = 4
C 4
C 4
C 4
C 4
O 3
O 3
O 3
O 3
N 2
N 2
N 2
N 2
F 1
F 1
F 1
F 1
nc
nc
nc
nc
2. Scenarios affecting Integrity

II = 1
II = 2
II = 3
II = 4
C 4
C 4
C 4
C 4
O 3
O 3
O 3
O 3
N 2
N 2
N 2
N 2
F 1
F 1
F 1
F 1
nc
nc
nc
nc
3. Scenarios affecting Confidentiality

II = 1
II = 2
II = 3
II = 4
C 4
C 4
C 4
C 4
O 3
O 3
O 3
O 3
N 2
N 2
N 2
N 2
F 1
F 1
F 1
F 1
nc
nc
nc
nc
1
P
1
A
1
A
1
A
4. Type L (limitable?) scenarios

II = 1
341702815.xls ! IP_Grids
II = 2
II = 3
II = 4
652
Dcembre 2006
C 4
O 3
N 2
F 1
C 4
O 3
N 2
F 1
1
1
P
2
A
3
L
4
L
C 4
C 4
O 3
O 3
N 2
N 2
F 1
F 1
1
P
2
A
3
L
4
L
1
P
2
A
3
L
4
L
1
P
653
2
A
3
L
4
L
Dcembre 2006
Grids of evaluation of STATUS-P

1. Scenarios resulting from an Accident
E X P O = 1
E X P O = 2
E X P O = 3
E X P O = 4
2. Scenarios resulting from an Error

E X P O = 1
E X P O = 2
E X P O = 3
E X P O = 4
3. Scenarios resulting from a Volontary action

E X P O = 1
E X P O = 2
E X P O = 3
E X P O = 4
654
Dcembre 2006

DB-Mehari 2010 Exc en 2-20

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

DB-Mehari 2010 Exc en 2-20

Hochgeladen von

Copyright:

Verfügbare Formate

MEHARI 2010 - release 2-2

Mehari 2010 knowledge base

Scheme of navigation within the knowledge base

Recap of the quality of the security services

Risk analysis module (identification, assessment and classification of risks)

Display of seriousness for the scenarios based on the asset involved

Display fo the seriousness of scenarios based on the origin or event

Risk treatment : options, risk reduction plans and follow on

Revision status and comments

in the worksheets of the file.

Grids for risk acceptability,

Navigation in the knowledge base

Analyze and evaluate

Public License agreement for Mehari 2010

MEHARI is a registered trademark of the CLUSIF.

NIVEAUX DE SENSIBILITE DES APPLICATIONS, DONNEES ET INFORMATIONS

NIVEAUX DE SENSIBILITE DES APPLICATIONS, DONNEES ET INFORMATIONS

NIVEAUX DE SENSIBILITE DES APPLICATIONS, DONNEES ET INFORMATIONS

CLASSIFICATION OF the COMPLIANCE to LAWS AND REGULATIONS relative to:

There is only one criteria for classification:

ND REGULATIONS relative to:

people safety and

contractual requirements, for the

Intrinsic Impact table

Data and information

Management process type of assets

Management Processes for compliance to law or regulations

For selecting an asset, set a 1 in the F column

Audit Questionnaire : Organization of security

R-V1 R-V2 R-V3 R-V4

Roles and structures of security

Organization and piloting of general security

Are security management actions represented on dashboards and regularly reviewed?

Is the approach to security clearly recognized and supported by senior management?

Organization and piloting of Information Systems security

General reporting system and incident management system

Mise jour : janvier 2010

Audit Questionnaire : Organization of security

R-V1 R-V2 R-V3 R-V4

Organization of audits and audit program

Crisis management related to information security

Security Reference Guide

Obligations and responsibilities of personnel and management

Mise jour : janvier 2010

Audit Questionnaire : Organization of security

R-V1 R-V2 R-V3 R-V4

General directives related to information protection

Mise jour : janvier 2010

Audit Questionnaire : Organization of security

R-V1 R-V2 R-V3 R-V4

Is an "owner" appointed for each identified and inventoried asset?

Protection of assets having value of evidence

Have all necessary measures been taken consequently?

Is the aptness of these measures periodically reviewed?

Mise jour : janvier 2010

Audit Questionnaire : Organization of security

R-V1 R-V2 R-V3 R-V4

Are these measures periodically subject to an audit?

Human Resource Management

Staff involvement, contractual clauses

Management of strategic personnel, partners and providers

Are strategic skills regularly identified in the organization?

Are backup solutions available in the absence of strategic skills?