To ensure the most accurate and representative scores possible, it is essential to link evidence to each and every answer throughout the questionnaire. By doing so, you are providing concrete support for your responses, which will help to establish the validity and reliability of your results.
Documented information defines and communicates information security objectives, policy, guidelines, instructions, controls, processes, procedures, and what persons are expected to do and how they are expected to behave.
Examples of documented information that can be necessary for ensuring and improving the effectiveness of the information security framework are:
policies, rules and directives for directing and operating information security activities;
the roles, responsibilities and authorities;
reports of the different phases of the risk management;
plans and results of awareness activities;
processes and procedures used to implement, maintain and improve the information security framework;
action plans;
evidence of the results of information security processes (e.g. incident management, access control, information security continuity, equipment maintenance).
Definition of Sensitive Information
Information is classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification, i.e. in terms of confidentiality, integrity and availability.
Some common types of sensitive information are:
Personally identifiable information, including special categories of personal data (e.g. health-related information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data or biometric data)
Payment account information (debit card PIN, credit card primary account number, etc.)
Payslips
Trade secrets / intellectual property
Financial information
Passwords
Customer information / Employee data
Contractual agreements / commercial figures
Operational & inventory information
Industry-specific data
Examples of masked evidence/documentation
1. Extract from a risk register
From such an extract we can conclude that a risk assessment / risk treatment procedure exists and that the risk management process is effectively implemented and operational.
2. Extract from a personally identifiable information register
The personal data of individuals itself is not required; we only need to check that all personal data being stored, processed or transmitted is inventoried and meets the requirements of the applicable personal data protection laws and regulators (e.g. GDPR, CNIL, CCPA, POPI).
3. Network diagram
CyberVadis does not need information on IP addresses or ports. We need to check whether your network is secured, e.g. through segmentation, strong encryption protocols, a DMZ, firewalls, IDS/IPS, robust authentication methods, etc.
4. Information security policy and other security policies
A policy represents the overall intentions and strategic direction of an organization, expressed formally by its management. The information security policy (or policies) lays out and confirms senior management's commitment to
(a) the organization's information security objectives and
(b) continual improvement of the information security management system, and often much more.
CyberVadis does not need confidential or detailed information such as names, IDs or IP addresses, but we do need to understand the security practices defined and implemented at company level.