
CIMSNex User Guides


Audit evidence for A.8.20 Network Security would include:

  1. Network Security Policy: Documentation of a network security policy that outlines the organization's overall approach to securing its network infrastructure, including the goals, objectives, and responsibilities related to network security.

  2. Network Architecture Diagrams: Detailed diagrams and documentation of the organization's network architecture, including network boundaries, zones, subnets, and the placement of security devices such as firewalls and intrusion detection systems.

  3. Access Control Lists (ACLs): Configuration details of access control lists implemented on network devices to control traffic flow and restrict unauthorized access to network resources.

  4. Network Segmentation: Evidence of network segmentation practices to isolate critical systems and sensitive data from less secure areas of the network, reducing the impact of potential breaches.

  5. Firewalls and Intrusion Detection/Prevention Systems: Documentation of firewall configurations and rules, as well as reports from intrusion detection/prevention systems showing detection and response to potential security incidents.

  6. Virtual Private Network (VPN) Configuration: Details of VPN configurations used to secure remote access to the organization's network, ensuring confidentiality and integrity of data in transit.

  7. Network Monitoring and Logging: Records of network monitoring and logging practices, including logs from network devices, to detect suspicious activities and enable timely incident response.

  8. Network Vulnerability Assessment Reports: Reports from network vulnerability assessments or penetration tests, identifying potential weaknesses in network security and their remediation status.

  9. Wireless Network Security: Documentation of the organization's wireless network security measures, including encryption protocols, authentication mechanisms, and procedures for monitoring and securing wireless access points.

  10. Network Device Patching and Updates: Evidence of a process to apply regular patches and updates to network devices, such as routers, switches, and firewalls, to address known vulnerabilities.

  11. Incident Response Plan: Documentation of an incident response plan specific to network security incidents, including roles, responsibilities, and procedures to address and mitigate network-related incidents.

  12. Network Security Training: Records of training sessions and awareness programs provided to network administrators and users to educate them about network security best practices and potential threats.

By reviewing these pieces of evidence, an auditor can assess the organization's network security posture, identify potential weaknesses, and determine whether the implemented network security controls align with industry best practices and standards. The goal is to ensure the confidentiality, integrity, and availability of the organization's network resources and data, and to protect against network-based attacks and unauthorized access to critical systems.



Audit evidence for A.6.1 Screening would include:

  1. Screening Policy and Procedures: Documentation of a formal screening policy and procedures that outline the organization's approach to conducting screening activities for employees, contractors, and third-party personnel.

  2. Employee Screening Records: Records of background checks and screenings conducted for all employees, including verification of their qualifications, work history, criminal background checks, and any other relevant screenings based on job roles and responsibilities.

  3. Contractor and Third-Party Screening Records: Documentation of background checks and screenings performed for contractors and third-party personnel who have access to sensitive information or critical systems.

  4. Screening Consistency: Evidence that the screening process is consistently applied to all individuals, irrespective of their position or role within the organization.

  5. Screening Criteria: Clear criteria and guidelines for determining eligibility and suitability for employment, contract engagement, or third-party relationships based on the results of the screenings.

  6. Screening Records Retention: Documentation of the retention period for screening records and compliance with relevant data protection and privacy regulations.

  7. Risk Assessment: Evidence of risk assessments carried out to identify specific job roles or access levels that require higher levels of screening based on the sensitivity of information or systems accessed.

  8. Screening Reviews and Audits: Records of periodic reviews and audits of the screening process to ensure compliance with the policy and procedures and to identify opportunities for improvement.

  9. Incident Response and Reporting: Documentation of procedures for handling any incidents related to screening, such as false information provided by candidates or contractors.

  10. Compliance with Regulations: Evidence that the organization's screening practices align with relevant employment laws, industry regulations, and data protection requirements.

By reviewing these pieces of evidence, an auditor can assess the effectiveness and consistency of the organization's screening process, ensuring that appropriate measures are in place to verify the integrity and trustworthiness of individuals with access to sensitive information and critical systems. The goal is to reduce the risk of insider threats and unauthorized access, ultimately enhancing the overall security posture of the organization.

Prior to employment, due diligence is conducted for employees, suppliers and consultants, applying as relevant the procedures below: Criminal Records Checks, Drug Testing, Motor Vehicle Records Screening, Employment Verification, Supervisor/Reference Interviews, Education Verification, Licensing and Professional Certification Verification.
