PCI DSS Compliance & QSA Services in Azerbaijan

Instructions

There are 10 questions.
Select the most appropriate option for each question.
You can select only one option per question.
Click Submit to process the assessment.

Levels:

Initial System: Culture:- Information Security is accepted as 'necessary evil'. Procedures and policies are paperwork. People:- Small IT team (mainly outsourced) only for basic system administration activities.No reporting in place. Process:- Informal and ad-hoc processes. No process approach implemented. Technology:- Basic security configurations on existing technologies.Decentralized security organization with limited coordination across functions.Focus mainly on prevention.
Developing System: Culture:- Information Security should be integrated into the business. We understand the necessity of information security. People:- Information Security is mainly IT department function, but general responsibilities and functions regarding information security are defined. Process:- Better coordination of security processes by IT.But processes remain informal, manual and dependent on individuals.Some elements of information security risk assessment is in place. Technology:- More advanced use of security technologies, adoption of tools for vulnerability detection, incident ticketing.
Advance/Mature System: Culture:- Information Security is part of the culture. People:- Information Security team has some autonomy from IT department.Staff has relevant security competence. Process:- Process approach implemented. Documented and formal information security processes that are regularly monitored and their effectiveness regularly measured.Information Security Risk management process is established and implemented. Technology:- Focus on incident prevention, detection and response. Vulnerability management full cicle has been implemented. Event logging and monitoring process has been introduced.

Question 1: What is the below options are most suitable for Your Information Security Governance?

There is no documented policies/procedures covering governance part of the Information Security

Some formal policies/procedures has been developed but no evidence of implementation (no records collected.)

Governance part of the Information security has been implemented, regularly reviewed, staff trained and awareness is in place.

Question 2: What is the below options are most suitable for Your Information security Risk Management?

Risk management is not in place

The organization has documented risk management methodology and regularly assess information security risks.

Security controls implemented in organization are aligned with risk assessment. Risk Treatment plans as a result of assessed risks have been developed and followed-up on regular bases.

Question 3: What is the below options are most suitable for Your Backup Restoration Process?

Backup copies are not taken, or not in a systematic way.

Backup copies of information, software,system images are taken regularly (predefined schedule) but not tested.

Backup copies of information, software,system images are taken and tested regularly in accordance with backup restoration policy.

Question 4: What is the below options are most suitable for Your Physical Security?

Physical security is not in place.

Some elements of Physical Security controls have been implemented intuitively.

Physical Security has been implemented, security zones are defined,some of the policies regarding physical security are documented.

Question 5: What is the below options are most suitable for Your Information Classification?

There is no classification of information in organization.

There is understanding that some information is confidential and basic controls are implemented.

Information classification policy has been developed and implemented. Relevant controls are applied for handling of information based on its classification level. Distribution matrix is in place.

Question 6: What is the below options are most suitable for Your Human Resource Security?

Human Resource Security is not considered in organization.

There is labor contract signed with each employee stated confidentiality clause.

Human resource screening (background check) is performed prior employment. Nondisclosure agreements are signed with each employee apart from labor contracts. Asset handover during termination and change of position introduced as one of security controls.

Question 7: What is the below options are most suitable for Your Asset Management?

Assets are considered as financial component . Organization understands necessity of asset management. But there is no systematic approach for asset management.

Asset inventory has been developed. Assets are categorised and their impact to business assessed.

Asset inventory regularly reviewed and updated.Changes and incidents are linked with assets.There is tracking system of asset lifecycle and movement.

Question 8: What is the below options are most suitable for Your Information Security Incident Management?

Definition of Information Security Incident Management is not introduced.

There is reactive approach to information security incidents, and the process is not systematic.

Information security incident management methodology is in place. Incidents logging is conducted.

Question 9: What is the below options are most suitable for Your Vulnerability Management?

The necessity of vulnerability management is recognised. But there is no systematic approach.

Vulnerability management procedure has been developed.The process is mainly conducted manually. There is no automatisation of vulnerability detection.

Vulnerability management procedure has been developed.Vulnerability detection methodologies are developed and tools are used. Further follow up of vulnerabilities is in place.

Question 10: What is the below options are most suitable for Your Network Security?

The organization does the bare minimum. Firewall not actively managed.Wi-Fi password is broadly shared and lacks complexity. Email systems lack threat protection.

Network topology is in place, segmentation and segregation has been applied. Various techniques applied for email security, intrusion detection and intrusion prevention systems.

Protection of network from targeted attacks. Various techniques used for endpoind security, data loss prevention, security information and event management.

Q.V. LLC

Information Security Management System Maturity Level Self-Assessment