In April 2012, the ICT Board approved the following standards:

Web Server Security Standard
Web Application Security Standard

As part of this process, the Board requires the Office of the Chief Information Officer to provide it with an assurance that these standards are being adopted by agencies.

The first stage in this process is the collection of information about the current level of maturity amongst agencies. The survey below is intended to provide an indication to the Board of the starting position within agencies. The information collected will be provided in a summary form without identifying data from individual agencies.

It will be followed up at a later date with a more detailed survey, addressing the different areas covered by the standards.

To enable a report to be provided to the Board this year, please complete the survey by the 28th June 2013.


Thank you very much for your time. Please start the survey now by clicking on the Continue button below.

 
 
 
How to answer the questions.
 
 
For some questions, you will be given 5 options:

1. Initial: ad hoc and poorly controlled processes
2. Repeatable: some processes are repeatable, but not well managed
3. Defined: includes well-defined processes, consistent with business needs
4. Managed: processes are measurable and controlled
5. Optimising: strong management focus and continuous process improvement

Where a question gives these options, please select the one that best describes the current approach to the activity.
You can view this explanation by clicking on the Help icon next to each question. Further information can be obtained on the ISACA website.

At the end of each section, you can provide any additional comments you care to make.
 
 
 
* Please provide your name:
   
 
 
* and your agency:
   
 
 
 
Identifying the risks.
 
* How would you describe your agency's approach to the use of penetration/vulnerability testing?
 
Initial
 
Repeatable
 
Defined
 
Managed
 
Optimising
 
* What is your agency's approach to undertaking risk assessments of your web systems?
 
Initial
 
Repeatable
 
Defined
 
Managed
 
Optimising
 
* What is your agency's approach to classifying the data accessed by your web systems?
 
Initial
 
Repeatable
 
Defined
 
Managed
 
Optimising
 
* What is the agency's approach to providing the assessments to the Business owners so they can examine them and either accept or reject them?
 
Initial
 
Repeatable
 
Defined
 
Managed
 
Optimising
 
* What is the agency's approach to providing the assessments to the Agency Security Executive (or similar role) for endorsement?
 
Initial
 
Repeatable
 
Defined
 
Managed
 
Optimising
 
 
Have you any additional comments about identifying the risks?
   
 
 
Remedial action
 
 
* What stage has the agency reached in preparing an implementation plan to remedy any unacceptable risks arising from the assessments?
 
Haven't started
 
In progress
 
Plan is finished but no action yet to implement
 
Plan completed and partly implemented
 
Completely implemented
 
N/A - no issues identified
 
 
* What has been the involvement of the Business owners in the development of this plan?
 
No involvement - no issues identified
 
None yet - haven't started on the plan
 
Have been advised of progress but no input
 
Have been consulted
 
Have driven the process
 
They have approved the completed plan
 
Other
 

 
 
* Has your Agency Security Executive (or similar role) endorsed the plan?
 
Yes
 
No
 
We haven't yet completed a plan
 
Other
 
 
 
* Has your CIO endorsed the plan?
 
Yes
 
No
 
We haven't yet completed a plan
 
Other
 
 
 
* Please comment on the start date for beginning the remedial action contained in the plan:
   
 
 
* Please comment on the finish date for completion of the remedial action contained in the plan:
   
 
 
Have you any additional comments about the remedial action required?
   
 
 
Ongoing activities
 
 
* Has the agency implemented appropriate changes to its ongoing processes to comply with the new standards?
 
Yes
 
No
 
Other
 
 
 
* When will these new processes be fully adopted?
 
Already adopted
 
Within 12 months
 
Later than 12 months
 
No plans at this stage to introduce any
 
Other
 
 
* What is your agency's approach to a continuous monitoring regime for your web presence?
 
Initial
 
Repeatable
 
Defined
 
Managed
 
Optimising
 
 
Have you any additional comments about ongoing activities?
   
 
 
 
* Have you discussed these answers with your Agency Security Executive (or similar role)?
 
Yes
 
No
 
I am the ASE
 
 
 
Please add any further comments you may have about the overall process and any constraints, risks or opportunities you foresee:
   
 