Page 193 - Building Big Data Applications



                  Are security risks with third-party contractors working onsite identified and
                   appropriate controls implemented?
             2. Security requirements in third-party contracts
                  Is there a formal contract containing, or referring to, all the security requirements
                   to ensure compliance with the organization’s security policies and standards?
             3. Security requirements in outsourcing contracts
                  Are security requirements addressed in the contract with the third party, when
                   the organization has outsourced the management and control of all or some of
                   its information systems, networks, and/or desktop environments?
                  Does the contract address how legal requirements are to be met, how the secu-
                   rity of the organization’s assets is maintained and tested, the right of audit,
                   physical security issues, and how the availability of the services is to be
                   maintained in the event of a disaster?

             Asset classification and control

             1. Inventory of assets
                  Is there a maintained inventory or register of the important assets associated
                   with each information system?

             Information classification
             1. Classification guidelines
                  Is there an information classification scheme or guideline in place that will
                   assist in determining how the information is to be handled and protected?
             2. Information labeling and handling
                  Is there an appropriate set of procedures defined for information labeling and
                   handling in accordance with the classification scheme adopted by the
                   organization?

             Security in job definition and resourcing

             1. Including security in job responsibilities
                  Are the security roles and responsibilities laid down in the organization’s infor-
                   mation security policy documented where appropriate?
                  Does this include general responsibilities for implementing or maintaining the
                   security policy as well as specific responsibilities for the protection of partic-
                   ular assets, or for the execution of particular security processes or activities?
             2. Confidentiality agreements
                  Do employees sign confidentiality or nondisclosure agreements as part of their
                   initial terms and conditions of employment, and annually thereafter?
                  Does this agreement cover the security of the information processing facility
                   and organization assets?