Checklist EDP
1 Physical Security
1.1 Server room / Data Centre (DC)
(a) Is the server room (DC) easily accessible to unauthorized persons? v
(b) Is the server room (DC) away from the basement and main water drainage? v
(c) Is the server room locked, and is the key under the custody of an authorized person? v
(d) Is/Are the server(s) in close proximity to the UPS room? v
(e) Are activities in the server room (DC) monitored? v
(f) 1. Does the air-conditioning provide adequate cooling? v
    2. Has a backup measure been provided? v
(g) Are storage devices kept inside the server room? v
(h) Are humidity and heat measuring instruments, such as a thermometer and hygrometer, installed in the server room, and are they being used? v
(i) Is the server room (DC) neat and clean? Is the housekeeping done regularly under the supervision of authorized personnel? v
(j) Are fire and smoke alarms/indicators installed in the server room (DC)? Are the alarms audible enough for all concerned? v
(k) Are these detectors installed in proper locations? v
(l) Are fire suppressant systems checked regularly to see if they are in working condition? v
(m) Is there video surveillance in the server room (DC)? v
(n) Do employees or visitors wear identification badges, as per the policy? v
1.2 UPS
(a) Is there a separate enclosure and locking arrangement for the UPS? v
(b) Is the UPS kept in the same room where the servers are kept? v
(c) Is the entry to the UPS housing facility the same as the entrance to the server room? v
(d) Is the UPS housing facility spacious enough for the movement of maintenance personnel? v
(e) Does the maintenance agency provide battery service regularly? v
(f) Are there sufficient environmental controls in the UPS housing facility? v
(g) Does the UPS cabin have adequate ventilation to take care of the acid fumes emitted by the lead-acid batteries? v
(h) Is the capacity of the UPS system sufficient to take care of the electricity load required by the computers installed? unknown
No Particulars Yes No
(i) Are the power cords fixed firmly in their sockets?
(j) Is the UPS free of the load of tube-lights, fans, water coolers, etc.? v
(k) Does the UPS function properly when electricity fails? v
(l) Is there provision for a generator backup in case of long hours of power blackout? v
(m) Is the line voltage monitored? v
(n) Is the power supply regulated (for voltage fluctuation)? v
(o) Is an emergency lighting system available? v
2 Operational Security
2.1 Automated Operations Facility (AOF)
(a) Is the AOF design authorized? unknown
(b) Are the parameters authorized? unknown
(c) Are change management procedures in place for changing parameters? unknown
(d) Is the integrity of the parameter file maintained? unknown
(e) Is the parameter file backed up properly? unknown
(f) Are all computer operations covered by the AOF? unknown
(g) Is there proper access control for the interface between manual control and automated control? v
(h) Are regular reports submitted to the IS management? v
(i) Are log reports verified to ensure scheduling? v
2.2 Roles
(a) Is there a segregation of roles into system administration, database administration and network administration? v
(b) Is security administration a specific role? v
(c) Has the job description for each level been prepared and implemented? v
(d) Is the transaction authorization role separate from the transaction processing role? v
(e) Is the system administrator supervised and controlled with respect to the creation of user IDs at the OS level and the application software level? v
(f) Is there any policy for job rotation? v
(g) Is rotation of jobs carried out? v
2.3 Consumables
(a) Is the operations group responsible for acquiring and distributing consumables? v
(b) Does the IS group give inputs on the specification and requirement of consumables to the group responsible for consumables? unknown
(c) Does the IS group advocate the secure usage of consumables? unknown
2.4 Processing
(a) Does a scheduling system exist for the execution of programs?
(b) Are non-scheduled jobs approved prior to being run?
(c) Is the use of utility programs controlled (in particular those that can change executable code or data)? v
(d) Are overrides of system checks conducted by operators controlled?
(e) Are exception reports for such overrides prepared and reviewed by appropriate personnel? v
3 Backup
3.1 Backup of Data and Media Security
(f) Are there properly documented policies and procedures? v
(g) Are the backups stored in a secure location with proper access control measures? v
(h) Is the backup technique properly defined? v
(i) Is there a process for database backup, apart from the system utilities in the database? v
(j) Is there differentiation between 'backup' and 'archival'?
(k) Are the media used for archival stored in a secure process?
(l) Is the obsolescence of media/technology addressed in the archival process? unknown
(m) Are all floppies/CDs/tapes that are purchased and pertain to OS software, application software, utility programs, drivers, etc. recorded in a register and stored in a fire-resistant cabinet under dual control? v
(n) Are the hardware, software, operating system and printer manuals properly labelled and maintained? v
(o) Are the latest user manuals of the application software and other end-user packages that are running available for guidance? v
(p) Is the daily/weekly/monthly and quarterly backup data taken regularly, and is it made available for guidance? v
(q) Are backup media properly labelled and numbered? unknown
(r) Is there offsite storage of one set of backups? unknown
(s) Are backup media verified/tested periodically by restoring the data thereof, and is a record of the testing maintained? unknown
(t) Is there any test bed for testing the backup?
(u) Is testing done on live systems?
(v) Are backup media disposed of after their specified period in use? v
    Are records available in respect of such verification/disposal? v
5. Input/Output Control
(a) Are there established procedures for control? v
(b) Are these procedures being adhered to, by the personnel? unknown
(c) Is segregation of duties maintained? v
(d) Is data integrity maintained? v
(e) Are reports made available on a regular basis? Are the reports accurate and authentic? v
(f) Does the user department authorize and authenticate the changes that are required? v
(g) Is program change control monitored? v
6. Quality Assurance
(a) Are duty segregations maintained and adhered to? v
(b) Are industry standard practices being adhered to by the staff? v
(c) Are the personnel qualified and competent to carry out the job? v
8. Removable Storage Media
(a) Are proper criteria in place to choose the type of media? v
(b) Is there any relation between the type of media and the type of backup/archival that it is used for? v
(c) Is the storage media stored under appropriate access and environmental controls? Is the media labelled properly? v
(d) Is there any log of the number of times of use of the same storage media? v
(e) Is storage media kept in the same room as the server/equipment from which data has been stored on the media? v
(f) Is the storage media disposed of after its life span is completed? Are formal disposal procedures followed? v