Appendix 17-D
Confidential …
Group of companies:
Company:
Location:
Address:
Homepage:
Scope:
Contact person:
Telephone number:
Email address:
Creator:
Telephone number:
Email address:
Managing Director:
Signature:
402300245.xlsx / Cover
Printed on: 11/18/2018, page 2 of 39
Information Security Assessment
Results
Company: 0
Location: 0
Date: 12/30/1899
Result with cutback to target maturity levels: 0.00    Maximum Score: 3.00
[Spider diagram: result per chapter on a 0 to 5 scale; axes visible: 1 ISMS, 5 Information Security Policies, 6 Organization of Information Security, 7 Human Resources Security, 16 Information Security Incident Management, 17 Information Security Aspects of Business Continuity Management, 18 Compliance]
Information Security Assessment
Results
Details:
Question No.   Topics   Target maturity level   Results
1.1 Release of an Information Security Management System (ISMS) 3 0
1.2 IS Risk Management 3 0
1.3 Effectiveness of the ISMS 3 0
5.1 Information Security Policy 3 0
6.1 Assigning responsibility for information security 3 0
6.2 Information Security in projects 3 0
6.3 Mobile devices 3 0
7.1 Contractual commitment to information security of employees 3 0
7.2 Awareness and training of employees 4 0
8.1 Inventory of assets 3 0
8.2 Classification of information 2 0
8.3 Handling of information (especially mobile storage) 3 0
9.1 Access to networks and network services 3 0
9.2 User registration 4 0
9.3 Privileged user accounts 3 0
9.4 Confidentiality of authentication data 3 0
9.5 Access to information and applications 3 0
10.1 Cryptography 3 0
11.1 Security zones 3 0
11.2 Protection against external influences and external threats 3 0
11.3 Protection measures in the delivery and shipping area 2 0
11.4 Use of equipment 2 0
12.1 Change Management 4 0
12.2 Separation of development, test and operational environment 2 0
12.3 Protection from malware 4 0
12.4 Back-up procedures 4 0
12.5 Event Logging 3 0
12.6 Logging administrational activities 2 0
12.7 Prosecution of vulnerability (patch management) 4 0
12.8 Review of information systems 2 0
13.1 Management of networks 3 0
13.2 Security requirements for networks / services 3 0
13.3 Separation of networks (network segmentation) 3 0
13.4 Electronic exchange of information 3 0
13.5 Confidentiality agreements with third parties 3 0
14.1 Requirements for the procurement of information systems 3 0
14.2 Security along the software development process 3 0
14.3 Management of test data 2 0
15.1 Risk Management in collaboration with suppliers 3 0
15.2 Services check of supplier performance 3 0
16.1 Reporting system for information security incidents (Incident Management) 3 0
16.2 Processing of information security incidents 4 0
17.1 Information Security Aspects of Business Continuity Management 3 0
18.1 Legal and contractual provisions 3 0
18.2 Protection of personal data 3 0
18.3 Audit of the ISMS by independent bodies 3 0
18.4 Efficiency tests, including technical tests 3 0
Overall: target maturity level 3.00, result 0.00
Method: comparison of the top 47 security topics based on ISO 27002 controls, evaluated with SPICE ISO 15504
Information Security Assessment
Results - Connection to third parties
Details:
Version: 3.0.4
Company: 0
Location: 0
Date: 12/30/1899
Columns: Question No.; Question; Maturity level (0-5; na); Version; KPI; References
In case a question does not apply, please insert na (not applicable).
1.1 To what extent is an ISMS approved by the Top Management and is the scope documented? 3.0.3
(Reference to ISO 27001: 4 and 5.1)
1.2 To what extent is an Information Security risk management as well as risk treatment defined, documented and implemented? 3.0.4
5.1 To what extent are information security guidelines created, published (internally and to external partners), communicated and are they checked in regular time intervals? 3.0.4
6.1 To what extent are responsibilities for information security defined and allocated? 3.0.3
(Reference to ISO 27002: Control 6.1.1)
6.2 To what extent are information security requirements taken into account in project work (irrespective of project type)? 3.0.3
(Reference to ISO 27002: Control 6.1.5)
6.3 To what extent is a policy in place regarding the use of mobile devices and remote access to company data? 3.0.3 Off-Premises
(Reference to ISO 27002: Control 6.2.1 and 6.2.2)
7.1 To what extent is staff (internal and external) contractually bound to comply with information security policies? 3.0.4 Personnel
(Reference to ISO 27002: Control 7.1.2 and 7.3.1)
7.2 To what extent is staff (internal and external) made aware of and trained about the risks that arise when handling and processing information? 3.0.3 KPI 7.2
8.1 To what extent are directories existent for objects (assets) that contain information in different versions? 3.0.3 Protection classes
(Reference to ISO 27002: Control 8.1.1, 8.1.2, 8.1.3, and 8.1.4)
8.2 To what extent is information classified regarding the corresponding protection level and are there regulations regarding labelling, handling, transport, storage, retention, deletion and disposal in place? 3.0.4
(Reference to ISO 27002: Control 8.2.1, 8.2.2, and 8.2.3)
8.3 To what extent are appropriate procedures implemented for the management of information on mobile storage devices? 3.0.3
9.1 To what extent are policies and procedures existent regarding access to networks and network services? 3.0.3
(Reference to ISO 27002: Control 9.1.2)
9.2 To what extent are procedures for a formal user registration, change and de-registration implemented to enable assignment of access rights and is the allocation of secret authentication information controlled? 3.0.3 KPI 9.2
9.3 To what extent is the allocation and use of privileged user and technical access rights restricted and controlled? 3.0.3
(Reference to ISO 27002: Control 9.2.3)
9.4 To what extent have binding policies been defined concerning creation and handling of secret authentication information? 3.0.3
9.5 To what extent is access to information and applications restricted to authorized personnel? 3.0.4
(Reference to ISO 27002: Control 9.4.1 and 9.4.2)
10 Cryptography 3.0.3
10.1 To what extent are regulations for encryption, including the management of cryptographic keys (entire lifecycle process) for the protection of information during storage and transport, developed and implemented? 3.0.3
(Reference to ISO 27002: Control 10.1.1)
11.1 To what extent are secure areas for the protection of sensitive or critical information and information processing facilities defined, protected and monitored (entrance control)? 3.0.4 Safety zones
(Reference to ISO 27002: Control 11.1.1, and 11.1.2)
11.2 To what extent has the company established measures to protect itself against the effects of natural disasters, malicious attacks and accidents? 3.0.3
11.3 To what extent are protective measures established to protect delivery and loading areas from being accessed by unauthorized persons? 3.0.3
11.4 To what extent are policies and procedures defined and implemented regarding the use of company equipment, including off-site use, disposal and re-use? 3.0.4
(Reference to ISO 27002: Control 11.2.5, 11.2.6, and 11.2.7)
12.1 To what extent are changes to the organization, business processes, information processing facilities and systems in accordance with their relevance to Information Security controlled? KPI 12.1
(Reference to ISO 27002: Control 12.1.2)
12.2 To what extent are development and testing environments kept separate from productive environments? 3.0.4
(Reference to ISO 27002: Control 12.1.4)
12.3 To what extent are protection controls (e.g. endpoint security) against malware (Viruses, Worms, Trojans, Spyware, ...) implemented and combined with appropriate user awareness? 3.0.3 KPI 12.3
(Reference to ISO 27002: Control 12.2.1)
12.4 To what extent are backups created and tested regularly in accordance with an agreed backup policy? 3.0.3 KPI 12.4
(Reference to ISO 27002: Control 12.3.1)
12.5 To what extent are event-logs (containing e.g. user activities, exceptions, errors and security events) created, stored, reviewed and protected against modification? 3.0.3
(Reference to ISO 27002: Control 12.4.1, and 12.4.2)
12.6 To what extent are system administrator and system operator activities logged, the logs protected against modification and regularly reviewed? 3.0.3
12.7 To what extent is information regarding technical vulnerabilities of information processing systems acquired at an early stage, assessed and appropriate measures taken (e.g. patch management)? 3.0.3 KPI 12.7
(Reference to ISO 27002: Control 12.6.1, and 12.6.2)
12.8 To what extent are audit requirements defined and activities that are used to check information processing systems planned, coordinated and executed? 3.0.3
(Reference to ISO 27002: Control 12.7.1, 18.2.3)
13.1 To what extent are networks managed and controlled to protect information in systems and applications? 3.0.4
(Reference to ISO 27002: Control 13.1.1)
13.2 To what extent are requirements related to security mechanisms and service levels and also management requirements related to network services identified and documented in service level agreements? 3.0.4
(Reference to ISO 27002: Control 13.1.2)
13.3 To what extent are groups of information services, users and information systems segregated on networks? 3.0.3
(Reference to ISO 27002: Control 13.1.3)
13.4 To what extent are protective measures taken when information is exchanged or transmitted? 3.0.3
(Reference to ISO 27002: Control 13.2.1, and 13.2.3)
13.5 To what extent are non-disclosure agreements applied before an exchange of information and are the requirements or needs for the protection of information documented and regularly reviewed? 3.0.3
(Reference to ISO 27002: Control 13.2.4)
14.1 To what extent are security-relevant requirements taken into account for new information systems (incl. systems that are accessible from the public) and for extensions to existing systems? 3.0.3
(Reference to ISO 27002: Control 14.1.1, 14.1.2, and 14.1.3)
14.2 To what extent are security-relevant aspects taken into account within the software development process (incl. change management)? 3.0.3
14.3 To what extent are test data created, protected and used in a careful and controlled manner? 3.0.3
(Reference to ISO 27002: Control 14.3.1)
15.1 To what extent are information security requirements agreed with suppliers to mitigate risks contractually when suppliers have access to corporate assets (particularly information and communication services and in case such assets are used by sub-contractors)? 3.0.3
15.2 To what extent are the services performed by suppliers/sub-contractors monitored, reviewed and audited on a regular basis? 3.0.3
16.1 To what extent are responsibilities, procedures, reporting channels and criticality levels established to ensure an effective response to information security incidents or vulnerabilities? 3.0.3
(Reference to ISO 27002: Control 16.1.1 - 16.1.3)
16.2 To what extent is the handling of security events performed? 3.0.3 KPI 16.2
(Reference to ISO 27002: Control 16.1.4 - 16.1.7)
17.1 To what extent are information security requirements (including the redundancy of corresponding facilities) and the continuation of the ISMS in the event of a crisis defined, implemented, checked and evaluated? 3.0.3
18 Compliance 3.0.3
18.1 To what extent are relevant legal (country-specific), statutory, regulatory and contractual requirements ensured (e.g. protection of intellectual property rights, use of encryption technology and protection of records)? 3.0.3
(Reference to ISO 27002: Control 18.1.1, 18.1.2, 18.1.3, 18.1.5)
18.2 To what extent is confidentiality and the protection of personal data ensured (taking national legislation into account)? 3.0.3
Note: In case of commissioned data processing according to §11 BDSG, the module "Data Protection (24)" must be mandatorily included and evaluated.
18.3 To what extent is the ISMS reviewed independently on a regular basis or in the course of significant changes? 3.0.3
(Reference to ISO 27002: Control 18.2.1)
18.4 To what extent is the effectiveness of policies, guidelines and other relevant information security standards reviewed and documented? 3.0.3
Information Security Assessment - Additional requirements for connection to third parties based on ISO 27002:2013
Version: 3.0.3
Company: 0
Location: 0
Date: 12/30/1899
Maturity level (0-5; na). In case a question does not apply, please insert na (not applicable).
23.7.2 To what extent are the employees (internally and externally) trained and made aware about the risks in dealing with information and its processing? 3.0.3
(Reference to ISO 27002: Control 7.2.1 and 7.2.2)
23.9.2 To what extent are procedures for the registration, modification and deletion of users with the corresponding access rights implemented, and in particular is a confidential handling of the registration information ensured? 3.0.3
(Reference to ISO 27002: Control 9.2.1, 9.2.2, 9.2.4 and 9.2.5)
23.11.1 To what extent are security zones defined for the protection of sensitive or critical information as well as information processing facilities, protected and monitored (access control)? 3.0.3
(Reference to ISO 27002: Control 11.1.1 and 11.1.2)
23.13.3 To what extent are groups of information services, users and information systems segmented within the network? 3.0.3
(Reference to ISO 27002: Control 13.1.3)
Information Security Assessment - Additional Requirements Prototype Protection
Version: 3.0.3
Company: 0
Location: 0
Date: 12/30/1899
Columns: Question No.; Question; Maturity level (0-5; na); Version; Notes
In case a question does not apply, please insert na (not applicable).
25.1.1 To what extent is a safety concept available that describes minimum requirements regarding object safety for prototype protection? 3.0.3
25.1.2 To what extent is perimeter security existent, that prevents unauthorized access to protected objects of the properties? 3.0.3
25.1.3 To what extent is the outer skin of the buildings to be protected constructed in a form that does not allow the removal or opening of outer skin components using standard tools? 3.0.3
(PT-module; no reference to ISO 27002)
25.1.4 To what extent is a view and sight protection ensured in defined protection areas? 3.0.3
(PT-module; no reference to ISO 27002)
25.1.5 To what extent is the protection against unauthorized entry regulated in the form of an access control? 3.0.3
(Reference to ISO 27002: Control 11.1.1, 11.1.2 and 11.1.3)
25.1.6 To what extent is there a functioning intrusion detection system implemented in the premises to be secured? 3.0.3
(Reference to ISO 27002: Control 11.1.2)
25.2.1 To what extent are non-disclosure agreements / obligations existent according to the valid contractual law? 3.0.3
(Reference to ISO 27002: Control 13.2.4)
25.2.2 To what extent are requirements for commissioning subcontractors known and fulfilled? 3.0.3
(Reference to ISO 27002: Control 13.2.4, 15.1.1, 15.1.2 and 15.1.3)
25.2.3 To what extent are the employees and project members evidently trained and made aware regarding risks when handling prototypes? 3.0.3
25.2.4 To what extent are security classifications of the project and the resulting measures for protection known? 3.0.3
(Reference to ISO 27002: Control 8.2.2)
25.2.5 To what extent is a process for allocation of access to specified security areas defined? 3.0.3
(Reference to ISO 27002: Control 11.1.2)
25.2.6 To what extent are regulations for image recording and handling with created graphical material existent? 3.0.3 Optics
(Reference to ISO 27002: Control 11.1.5)
25.2.7 To what extent is a process for carrying along and use of film- and photograph enabled devices into defined security areas established? 3.0.3
25.3.1 To what extent are the predefined regulations for camouflage implemented by the project participants? 3.0.3
(PT-module; no reference to ISO 27002)
25.3.2 To what extent are transports in need of protection arranged according to the specifications of the customer? 3.0.3
(PT-module; no reference to ISO 27002)
25.3.3 To what extent is it ensured that vehicles, components or parts which are in need of confidentiality are parked / stored in accordance with the requirements of the customer? 3.0.3
(PT-module; no reference to ISO 27002)
25.3.4 To what extent are safety requirements of approved test and trial grounds observed / implemented? 3.0.3
(PT-module; no reference to ISO 27002)
25.3.5 To what extent are safety requirements for approved test and trial drives respected / implemented in public? 3.0.3
(PT-module; no reference to ISO 27002)
25.3.6 To what extent are safety requirements for presentations and events implemented with scope / contents subject to confidentiality? 3.0.3
25.3.7 To what extent are safety requirements for film and photo shootings with scope / contents subject to confidentiality implemented? 3.0.3
Information Security Assessment - Additional questions for Data Protection in case of commissioned data processing according to §11 BDSG
Company: 0
Location: 0
Date: 12/30/1899
fulfilled [yes / no]
24 Data Protection
Findings:
Measures:
References
+ Appointment of the data protection officer
+ organisational implementation of the data protection
- Integration of the data protection officer into the corporate structure
- Voluntary or obligatory appointment of a data protection officer
- Full-time or part-time data protection officer
- Internal or external data protection officer
- Support of the data protection officer by directly assigned employees (department "data protection") depending on the company size
- Supporting the data protection officer by data protection coordinators in the company areas depending on the size of the company (e.g., marketing, sales, personnel, logistics, development, etc.)
24.2 To what extent are organisational measures taken so that the processing of personal data is made according to the law?
Comments:
Findings:
Measures:
References
+ Establishment of principles for data protection (collection, processing or use of personal data) in a company-internal policy.
+ Implementation of company-internal steering committees - with the cooperation of the data protection officer - in which data protection relevant topics are addressed.
+ Implementation of a process which ensures the involvement of the data protection officer in the case of data protection relevant topics (e.g. in the context of a preliminary check or a subsequent assessment).
+ Documentation of work processes during the collection, processing or use of personal data.
+ Documentation of statements and comments from the data protection officer regarding data protection law assessments.
+ Implementation of a process which ensures that the necessary measures (e.g. contractual regulation) are in place for the collection, processing or use of personal data by the employees entrusted with it (including subcontractors) of the customer.
+ Company-internal work instructions or manuals in specific areas of activity concerning the collection, processing or use of personal data.
+ Employees' commitment to data and telecommunication confidentiality.
24.3 To what extent is it ensured that the internal processes or workflows are carried out according to the currently valid data protection regulations and that this is regularly subjected to a quality check?
Comments:
Findings:
Measures:
References
+ Certification of the data protection management system depending on the company size
+ Ensuring the integrity when transmitting personal data.
+ Implementation of a control system that reveals unauthorized access to personal data.
+ Training of employees (e.g. classroom training, WBT, voluntary / obligatory).
+ Internal audits of the processes and regular optimizations.
24.4 To what extent are the relevant processing procedures documented with regard to the admissibility of data protection law (e.g. prior checks)?
Comments:
Findings:
Measures:
References
+ Implementation of prior checks and / or data protection impact assessments and documentation of the arising results.
+ Management of an external procedure directory
+ Management of an internal processing overview
+ Implementation of privacy / data protection by design and by default principles.
+ Verifying admissibility of data processing, taking into account different national legislations, if necessary
KPI for Control 7.2 Awareness and training of the employees
Columns: COVERAGE; EFFECTIVENESS
- Objective: regular trainings of all employees / minimization of information security incidents with human error as a cause
- Evaluation: training management / collecting the number of security incidents with human error as a cause
- Measurement quotient: number of participants / total number of employees
[Further table residue on the same sheet, columns COVERAGE / EFFECTIVENESS, assignment not recoverable: coverage rate of information security incidents; timely processing of information security incidents; 10 years / 10 years]
Safety zones
Columns: Zone; Explanation / notes; Aspect: Accessibility, Visitor requirements, Driving on / parking, Access control and protection, Monitoring, Resistance values

white (public): Areas of public character, which are permanently or temporarily accessible to everyone. Areas with low risk without particularly sensitive values. None or only preventive safety requirements. Domestic authority exists. (e.g. visitors' parking space, connecting routes)
- Accessibility: no special requirements
- Visitor requirements: appropriate signs
- Driving on / parking: permitted
- Access control and protection: None

green (controlled zone): Area with technical or organizationally controlled safety measures, not freely accessible, usually internal scopes
- Fences 2.2m with anti-climbing protection and undermine protection / building shell consisting of windows, doors, walls, roofs
- Resistance value: 30 minutes

(zone name not recoverable from the extracted text; cells in page order)
- Restricted group of visitors, written confirmation of the non-disclosure, in permanent personal accompaniment by own staff
- Special restrictions
- Monitoring the entering / exiting of the zones via online access reader, compensating locking system with limited circle
- Camera surveillance, motion detection at least in the access areas or easily accessible areas (e.g., ground floor windows)
- Resistance value: 10 minutes

red (high risk zone): Area with the highest safety requirements, protection of sensitive values, strictly regulated access rights, usually secret scopes.
- Camera surveillance, glass breakage detector, windows with sight protection, double illumination with motion detectors, central circuit, intrusion detection system installed by professionals
- at least RC 2 (resistance time 5 minutes) with additional measures
- Resistance value: 5 minutes

Optics (photo-security areas)
Columns: Zone; Explanation / notes; Aspect "use"; Video telephony / video conferencing (without recording); Photography / video recordings

public area: Areas of public character, which are permanently or temporarily accessible to everyone. Areas with low risk without particularly sensitive values. None or only preventive safety requirements. Domestic authority exists. (e.g. visitors' parking space, connecting routes)
- Use, video telephony / video conferencing and photography / video recordings: No special requirements

green (photo-security area 1): Area with technical or organizationally controlled safety measures, not freely accessible, usually internal scopes

Photo-security area 2: Area with additional safety measures, restrictive, protection of special scopes, limited number of persons, usually confidential scopes as well.
- Carrying along unsealed devices allowed
- Use: allowed in office workplaces and meeting rooms, otherwise after an approval; no use of private devices or devices of contractors / visitors
- Video telephony / video conferencing: allowed with company owned devices after an approval
- X

Photo-security area 3: Area with the highest safety requirements, protection of sensitive values, strictly regulated access rights, usually secret scopes.
- Carrying along sealed devices allowed; carrying along unsealed devices is forbidden
- Use: in defined meeting rooms with permanently installed equipment, otherwise after an approval; no use of private devices or devices of contractors / visitors
- Video telephony / video conferencing: allowed in exceptional cases after an approval (e.g. four-eyes principle, consent of the management)
- Photography / video recordings: allowed only in exceptional cases after an approval; declaration of consent required
- X

Off-Premises workplace
Columns: Type of employment relationship; Department Manager; Off-Premises workplace; Confidentiality of the information (highest protection class "secret")
- Standard validation
- Off-Premises workplace, temporary working environment (e.g. hotel): local data storage strongly encrypted or Mobile Device Management (MDM) active (remote deletion on demand); remote access strongly authenticated & strongly transport encrypted, integrity of the access device ensured, data "non-permanent"
- Personnel; place: regular alternative working environment (in particular home office): temporary measures (according to the risk analysis) for visual protection / noise reduction

Protection classes (Description)
- normal: The potential damage is marginal, short-term nature, and limited to a single entity.
- high: The potential damage is significant or medium-term nature or is not limited to a single entity.
- very high: The potential damage threatens the existence of the company or long-term nature or is not limited to a single entity.
Information Security Assessment -
Glossary
GWP = Generic Work Product = a general result that arises from the execution of the process.
PA = Process Attributes = a measurable characteristic of a process capability that is applicable for each process.
Result, reduced: In the "result with reduction to the target level", the reduction of the achieved results to the target level ensures that "overloaded" controls in the overall result do not compensate for unfulfilled controls.
Result, maximum achievable: The variations in the maximum achievable result arise when individual controls are marked as n.a. (not applicable) and therefore the average value of the target maturity levels changes.
Spider diagram: All results are shown without shortening. The line for the target maturity level considers controls that were marked as n.a.
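The three quantities defined in the glossary, as an added worked example (not the spreadsheet's own formulas, which are not visible here): per-control results are capped at the target level before averaging, and controls marked n.a. drop out of both averages. The sample rows are constructed; their target levels are taken from the result table on this page.

```python
"""Scoring of an assessment sheet as described in the glossary: result with
cutback to the target maturity level, maximum achievable result, and the
unreduced average shown by the spider diagram.  Added example; assumes the
glossary's description, not the spreadsheet's hidden formulas."""

from statistics import mean

NA = "na"  # marker for a control answered "not applicable"

# Constructed sample: (control number, target maturity level, achieved level).
# Targets mirror the result table on the page; achieved levels are made up.
SAMPLE = [
    ("1.1", 3, 3),
    ("1.2", 3, 2),
    ("7.2", 4, 5),   # "overloaded": achieved above the target
    ("8.2", 2, 1),
    ("9.2", 4, NA),  # not applicable: excluded from every average
    ("12.3", 4, 3),
]


def parse_level(cell):
    """Parse one maturity-level cell: an integer 0-5 or 'na' (the sheet's rule)."""
    text = str(cell).strip().lower()
    if text in ("na", "n.a.", "n.a"):
        return NA
    level = int(text)
    if not 0 <= level <= 5:
        raise ValueError(f"maturity level out of range 0-5: {cell!r}")
    return level


def _applicable(rows):
    """Drop controls marked n.a.; they change the maximum achievable score."""
    return [(no, t, r) for no, t, r in rows if r != NA]


def max_achievable(rows):
    """Average of the target maturity levels over the applicable controls."""
    rows = _applicable(rows)
    return round(mean(t for _, t, _ in rows), 2) if rows else 0.0


def result_unreduced(rows):
    """Plain average of achieved levels (what the spider diagram plots)."""
    rows = _applicable(rows)
    return round(mean(r for _, _, r in rows), 2) if rows else 0.0


def result_with_cutback(rows):
    """Average after capping each control at its target, so an overfulfilled
    control cannot compensate for an unfulfilled one."""
    rows = _applicable(rows)
    return round(mean(min(t, r) for _, t, r in rows), 2) if rows else 0.0


def overloaded_controls(rows):
    """Controls whose achieved level exceeds the target (cut back in the result)."""
    return [no for no, t, r in _applicable(rows) if r > t]


def unfulfilled_controls(rows):
    """Controls that stay below their target level."""
    return [no for no, t, r in _applicable(rows) if r < t]


if __name__ == "__main__":
    print("maximum achievable:", max_achievable(SAMPLE))      # 3.2
    print("result (unreduced):", result_unreduced(SAMPLE))    # 2.8
    print("result with cutback:", result_with_cutback(SAMPLE))  # 2.6
    print("overloaded:", overloaded_controls(SAMPLE))
    print("unfulfilled:", unfulfilled_controls(SAMPLE))
```

With the n.a. row excluded the maximum drops from 3.33 to 3.2, and the cutback pulls control 7.2 from 5 down to its target of 4, which is why the reduced result (2.6) is lower than the unreduced one (2.8).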
Author:
Study group Information Security of the
German Association of the Automotive Industry
License:
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
Change History
1.0 First Release (Initial build)
2.1.3 Spider diagram shows result without cutback to target maturity levels
Control 7.1 maturity level 1 revised
Controls 9.4 and 9.5 reference revised
Control 13.5 revised
All other controls with version 2.1.3: translation revised
2.1.4 Target maturity level of control 12.4 changed to 4
Target maturity level of control 16.3 changed to 3
Addition of KPIs