IintiGrow would conduct a dipstick review of the following key areas at one of your locations and/or remotely:
- Information security policies
Information security policies shall be reviewed and recommendations for improving them shall be given.
- Organization of information security:
The current information security organization shall be assessed with regard to the various information security roles and responsibilities. We shall also review teleworking and/or BYOD policies if present.
Practices regarding screening of employees, the disciplinary process during employment and the offboarding process for employees shall be audited.
- Assets & Configuration management:
The identification of various assets and their handling shall be assessed along with the policies related to asset management. Information classification and labeling of information shall also be reviewed.
Access control procedures shall be assessed. The procedure to create user access, grant user privileges and revocation of user privileges shall also be assessed.
If applicable, the process for handling cryptographic keys and other cryptography-related controls shall be reviewed.
- Physical and environmental security:
Physical security controls shall be assessed to ensure unauthorized access is prevented. Equipment and cabling security shall also be reviewed.
Standard operating procedures and change management procedures shall also be reviewed. The backup procedure shall be reviewed along with the logging and monitoring activities.
- Communications Protection:
Network security with regards to network segregation, security of network services, and email security shall be assessed.
- System & Services acquisition, development:
Information security practices in development and in project management shall be assessed.
Policies and procedures for the maintenance of information systems
The setup with regard to suppliers and the way information security is handled in supplier relationships shall be assessed.
Incident management procedure shall be reviewed, along with the procedure of reporting information security events.
The current setup with regard to BCP/DR shall be assessed and recommendations shall be made to improve the procedure.
Compliance with internal requirements, such as policies, and with external requirements, such as laws & regulations