Draft Audit Plan: ICANN SSR Workshop 9-10 October

	A	B	C	D	E	F	G	H	I	J
1	ID	Topic		Questions	ICANN Personnel	Date	Time	ICANN Personnel	Documents	Recommendations

2	1	Perform an assessment of ICANN's Information Security Management System.
3		1.1	ISMS in general
4		1.1.1		Does ICANN utilise a formal ISMS (Information Security Management System)?
5		1.1.2		Are the general ISMS objectives compatible mapped to the ICANN strategic plan and ICANN’s identified enterprise risks?
6		1.1.3		Is there a formal training plan in place to ensure all staff are aware of the policies and operating procedures of the ISMS?
7		1.2	Leadership and responsibilities
8		1.2.1		Are the general ISMS objectives compatible with the strategic direction of ICANN?
9		1.2.2		Does Information Security Policy exist with objectives or framework for setting objectives?
10		1.2.3		Is Information Security Policy communicated within the company?
11		1.2.4		Are roles and responsibilities for information security assigned and communicated?
12		1.2.5		Is there a formal training plan in place to ensure all staff are aware of the policies and operating procedures of the ISMS?
13		1.3	Resources, competence, awareness, and communication
14		1.3.1		Are adequate resources provided for all the elements of ISMS?
15		1.3.2		Are required competences defined, trainings performed, and records of competences maintained?
16		1.3.3		Is the personnel aware of Information security policy, of their role, and consequences of not complying with the rules?
17		1.3.4		Does the process for communication related to information security exist, including the responsibilities and what to communicate?
18		1.3.5		Does the process for managing documents and records exist, including who reviews and approves documents, where and how they are published, stored and protected?
19		1.3.6		Are documents of external origin controlled?
20		1.3.7		Are all relevant employees and contractors being trained to perform their security duties, and do the awareness programs exist?
21		1.4	Access control
22		1.4.1		Does policy for physical access to hardware and equipment exists?
23		1.4.2		Does policy for Logical access control to protect data and software from unauthorised access and misuse exists?
24		1.5	Physical and environmental security
25		1.5.1		Is there physical methods to control access to information processing facilities?
26		1.5.2		Is there protecton of equipment from security and environmental threats and hazards?
27		1.5.3		Does equipment facilities have continuous power supply?
28		1.6	Operational security
29		1.6.1		Are Operational Procedures and Responsibilities established across organization?
30		1.6.2		Does Operational Procedures and Responsibilities comply with security policy?
31		1.6.3		Is there protection from malicious software?
32		1.6.4		Is there dokumented Backup procedure?
33		1.6.5		Are the rules been established for use of mobile devices and removable media?
34		1.7	System acquisition, development and maintenance
35		1.7.1		Are there security requirements that new applications or all enhancements to existing systems must meet?
36		1.7.2		Are there security controls for aplication development or aquisition?
37		1.7.3		Does formal procedure to control changes to information systems exist?
38		1.7.4		Is there a policy on the use of cryptography?
39		1.8	Supplier relationships
40		1.8.1		Is the policy on how to treat the risks related to suppliers and partners documented?
41		1.8.2		Are suppliers regularly monitored for compliance with the security requirements, and audited if appropriate?
42		1.8.3		Do the agreements with suppliers include security requirements for ensuring the reliable delivery of services?
43	2	Perform a comprehensive assessment of ICANN's Business Continuity Management System.
44		2.1	Business Continuity Objectives and Plans
45		2.1.1		Is there a documented Corporate (organization) BCM Strategy that has been signed-off by top management?
46		2.1.2		Does the organization have a documented business continuity operational planning and control process?
47		2.2	Operational planning and control
48		2.2.1		Have the operating procedures for IT processes been documented?
49		2.2.2		Is installation of software strictly controlled; do procedures exist for that purpose?
50		2.2.3		Is it clearly defined who should be in contact with which authorities?
51		2.2.4		Is it clearly defined who should be in contact with special interest groups or professional associations?
52		2.2.5		Are information security rules included in every project?
53		2.2.6		Are audits of production systems planned and executed in such a way that they minimize the risk of disruption?
54		2.3	Business Continuity Strategies
55		2.3.1		Is there a documented Corporate (organization) BCM Strategy that has been signed-off by top management?
56		2.4	Prioritized Activity Recovery Strategy
57		2.4.1		Have the Recovery Time Objective (RTO) for each prioritised activity been identified and agreed?
58		2.4.2		Has the organization identified the dependencies and resources needed to maintain, restore, resume and/or recover each of its prioritised activities to an acceptable level of functionality and performance (MBCO)?
59		2.5	Resource Recovery Strategy
60		2.5.1		Is there a documented Resource Recovery Strategy for critical business activities and their dependencies that has been signed off by top management?
61		2.5.2		Is the strategy based upon and consistent with the resource recovery requirements identified within the current BIA in respect of the organization's prioritised activities their support services and dependencies recovery profile?
62		2.5.3		Have the resource requirements to implement the business continuity strategies been identified and provided?
63		2.6	BC Procedures - Incident Response Structure
64		2.6.1		Does organization have an Emergency Management/Evacuation Plan?
65		2.6.2		Does the organization have an incident management structure, procedures and arrangements that provide overall control of the response to a disruptive incident?
66		2.6.3		Does the organization have a documented Corporate Crisis Management Plan (CCMP)?
67		2.6.4		Does the organization have predefined Incident Management Team(s) for co-ordinating and/or managing differing types of incident e.g. business, technical service delivery, site, building, corporate?
68		2.7	Business Continuity Plans (BCP)
69		2.7.1		Does the organization have documented business continuity plans in respect of each of the organization’s prioritised activities and their dependencies?
70		2.7.2		Does each plan identify roles and teams that have the necessary seniority, authority, capability and competence to take control and manage the incident and communicate with stakeholders?
71		2.7.3		Has each plan and its component parts been successfully tested and/or invoked at least once within the last 12 months to ensure they can achieve its aim and objectives within the required timescales?
72		2.7.4		Does each plan contain predefined task checklists that includes mandatory and discretionary tasks together with individuals/roles/teams responsible for their completion and a process for tracking there completion within an allocated timeframe ?
73		2.7.5		Is there a documented and funded maintenance cycle and programme for the plan and its component parts to ensure it remains appropriate (fit for purpose), plausible and capable of meeting its objectives and required outcomes?
74		2.8	Evaluation of Business Continuity Procedures
75		2.8.1		Does the organization conduct performance evaluations of its business continuity procedures, arrangements and capabilities in order to verify their continued suitability, adequacy and effectiveness?
76		2.8.2		Is a post incident review undertaken in the event of an incident that disrupts the organization’s prioritised activities or requires an incident response?
77	3	Perform a comprehensive assessment of ICANN's Risk Management Methodology and Framework.
78		3.1	Risk Assessment Process, Risk Acceptance Criteria and Criteria for Risk Assessment
79		3.1.1		Is there an information risk assessment process documented, including the risk acceptance criteria and criteria for risk assessment?
80		3.1.2		Are the risks identified, their owners, likelihood, consequences, and the level of risk; are these results documented?
81		3.2	Risk Management and Risk Treatment
82		3.2.1		Is the risk treatment process documented, including the risk treatment options?
83		3.2.2		Does Risk treatment plan define who is responsible for implementation of which control, with which resources, what are the deadlines, and what is the evaluation method?
84	4	Perform an assessment how effectively ICANN has implemented its Security Incident Management and response processes to reduce (pro-active and reactive) the probability of DNS-related incidents.
85		4.1	Security Incident Management Process
86		4.1.1		Are procedures and responsibilities for managing incidents clearly defined?
87		4.1.2		Are all information security events reported in a timely manner?
88		4.1.3		Are employees and contractors reporting on security weaknesses?
89		4.1.4		Are all security events assessed and classified?
90		4.1.5		Are procedures on how to respond to incidents documented?
91		4.1.6		Are security incidents analyzed in order to gain knowledge on how to prevent them?
92		4.1.7		Do procedures exist which define how to collect evidence that will be acceptable during the legal process?
93		4.2	Security Incident Response Process relating to a global incident (DNS-related)
94		4.2.1		Does ICANN have a documented incident response plan, with processes and resources identified
95		4.2.2		Does ICANN maintain contracts with third parties to potentially assist in major incident responses
96		4.2.3		Is this incident response plan tested on a periodic basis?
97		4.2.4		Does ICANN have a vulnerability management process?
98		4.2.5		Does ICANN have a vulnerability disclosure policy?
99		4.3	ICANN operational responsibilities (L-Root)
100		4.3.1		Are there technical and operational requirements for hosting L-Root node?