0 Replies · Latest reply on Nov 26, 2017 5:16 PM by TAKAFUMI SANADA

    Based on the signed MOA (CON0596917), article 7.1, we would like to conduct an audit.


       

      I would like to conduct security audits.

      I want the following materials.

       

      I would like to know how to obtain the materials.

      · On-site visit

      · TV conference

      · Email

       

      I want the answer by November 28.

       

          -------------------------------------------------------------------------------

          [Documenting policies and regulations]

          0.1.3

          Materials and audit trails showing that the information security policy is well known

         

          0.2.3

          Materials and audit trails showing that information security standards are known and have been taught

         

          0.2.5

          Please let us browse materials / audit trails showing that information-security-related documents

          are known and have been taught.

         

          [Security education]

          1.1.1

          If a test is given following security education,

          could we receive one person's sample in order to see the level of knowledge acquired?

         

          [Managing the PCs used for operations]

          3.1.1

          Materials proving that the hard disk drive of the PC used for Aflac business operations

          is encrypted (browse on the spot)

         

          3.2.1

          Please provide a screenshot, etc.

          proving that the use of USB and external devices is prohibited. (Browse on the spot)

         

          3.3.1

          An audit trail showing that logs are collected from the PCs used for business (browse on the spot)

         

          3.4.1

          Evidence (request form, etc.) proving that the PCs used for business operations are lent and returned upon approval of managers, etc. (Browse on the spot)

         

          3.4.2

          How often do you take an inventory of the PCs used for business operations?

          Evidence proving that an inventory of the PCs used for business operations is taken (recommended: once a month)

          (Browse on the spot)

         

          3.5.1

          ・Please tell us the type and version of the operating system.

          ・Evidence proving that the operating system is updated once a month or more (a screenshot capturing the date of the operating system update)

          (Browse on the spot)

         

          3.6.1

          Please provide screenshots proving the following implementation status.

          ・A screenshot proving that a virus scan is scheduled on a daily basis

          ・A screenshot proving that a full scan is scheduled to run on a weekly basis

          ・A screenshot proving that the anti-virus software update is scheduled once a week

          (Browse on the spot)

         

          3.7.1

          ・If you are using laptop computers, are they wire-locked to prevent theft?

          (Browse on the spot)

         

          [User ID management for PCs used for Aflac business operations]

          4.1.1

          Please tell us the number of administrators with administrator authority assigned, and their names.

          Please let us browse audit trails and materials.

         

          4.1.2

          Please tell us the authorities assigned to general users.

          Please let us browse audit trails and materials.

         

          4.2.1

          Evidence proving that user IDs are requested/deleted upon approval from managers, etc. (ID request form, etc.)

         

          4.2.2

          Evidence proving that an inventory of user IDs is taken once a month (inventory results)

         

          4.3.1

          Please provide a screenshot, etc. proving that the following password restrictions are implemented.

          ・Password length: Recommended: 8 characters or more

          ・Password complexity: Recommended: A mix of alphanumeric characters, or a more complex [password]

          ・Account lockout: Recommended: After three failed attempts or fewer

          ・Forced initial password change: Applicable

          ・Password masking (non-display): Applicable

          ・Password expiration: Recommended: Within 90 days (System enforcement is not necessary. This can be stipulated under company regulations, etc.)

          ・Password history: Recommended: Reuse of the same password is prohibited for thirteen months. (System enforcement is not necessary. This can be stipulated under company regulations, etc.)

         

          [Network control]

          5.1.1

          An audit trail showing that the network is segregated by a firewall so that it cannot be illegally accessed from outside

         

          [Access control]

          6.1.1

          Let us browse an audit trail (sample) from which the following can be understood.

          ・The system administrators who can use privileged IDs are managed in a ledger.

          ・Minimum privileges are granted, following the principle of segregation of duties.

          ・The number of people is kept private. (It is a very limited number of people.)

         

          6.1.2

          Let us browse an audit trail (sample) from which the following can be understood.

          ・Registration application / approval of privileged IDs and authorities is managed based on the ITIL process within the company.

          (Application / Approval / Issuance / Abolition)

         

          6.1.3

          Provide materials showing that an inventory of privileged IDs and authorities is carried out.

         

          6.1.4

          Let us browse an audit trail (sample) showing that one-time lending of privileged IDs is carried out.

         

          6.1.5

          Regarding confirmation of the results of work done with privileged IDs, please let us check a sample showing the confirmation result.

         

          6.1.6

          Please provide a screen capture, etc. showing that the following are implemented. (For example, a screen where setting a password that does not satisfy the constraints failed.)

          -Minimum password length

          -Minimum password history

          -Password expiration interval

          -Invalid password account lockout threshold

          -Complexity

         

          6.1.7

          For privileged IDs of the OS / DB, let us browse an audit trail showing that monitoring is carried out.

          ---------------------------------------------------------------------------------------------------------
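Several of the "browse on the spot" items above (3.1.1, 3.2.1, 3.3.1, 3.5.1, 3.6.1, 4.1.1, 4.3.1 / 6.1.6, 5.1.1) ask for evidence of endpoint configuration. Rather than assembling screenshots by hand, the auditee can pull the same facts straight from the machine. The following script is an added example and is not part of the post or of any referenced MOA; it assumes the PCs are Windows 10/11 hosts using BitLocker and Microsoft Defender (the post does not name the platform, so if a third-party disk-encryption or anti-virus product is in use, substitute that product's reporting tool for the corresponding section). It must be run from an elevated PowerShell prompt and writes a timestamped transcript that can be handed to the auditor.

```powershell
# Added example: endpoint evidence collector for the checklist items in the post.
# Assumes Windows 10/11 with BitLocker and Microsoft Defender; run as Administrator.
# Bracketed numbers map each section to the checklist item it supports.

$Out = Join-Path $env:USERPROFILE ("audit-evidence-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
Start-Transcript -Path $Out | Out-Null

function Section($title) { "`n===== $title =====" }

Section "Host"
$env:COMPUTERNAME; whoami; Get-Date

Section "[3.1.1] Disk encryption (BitLocker)"
try {
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod |
        Format-Table -AutoSize
} catch {
    # BitLocker module missing on this edition: fall back to the legacy tool.
    "Get-BitLockerVolume unavailable ($($_.Exception.Message)); using manage-bde"
    manage-bde -status
}

Section "[3.2.1] Removable storage restrictions"
# USBSTOR Start = 4 means the USB mass-storage driver is disabled.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start |
    Select-Object @{n = 'USBSTOR.Start'; e = { $_.Start }}
# Group Policy "All Removable Storage classes: Deny all access" sets Deny_All = 1;
# the value is absent when the policy is not configured.
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -Name Deny_All -ErrorAction SilentlyContinue | Select-Object Deny_All

Section "[3.3.1] Audit logging"
auditpol /get /category:*
Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, RecordCount

Section "[3.5.1] OS version and most recent updates"
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber, LastBootUpTime
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

Section "[3.6.1] Anti-virus schedule and last activity (Microsoft Defender)"
Get-MpPreference | Select-Object ScanScheduleDay, ScanScheduleQuickScanTime, ScanScheduleTime,
    SignatureScheduleDay, SignatureUpdateInterval
Get-MpComputerStatus | Select-Object AntivirusEnabled, AntivirusSignatureLastUpdated,
    QuickScanEndTime, FullScanEndTime

Section "[4.1.1] Members of the local Administrators group"
Get-LocalGroupMember -Group Administrators | Select-Object Name, PrincipalSource, ObjectClass

Section "[4.3.1 / 6.1.6] Local password and lockout policy"
# Minimum length, history, maximum age and lockout threshold for local accounts.
net accounts

Section "[5.1.1] Windows Firewall profiles"
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

Stop-Transcript | Out-Null
"Evidence written to $Out"
```

For domain-joined machines the effective password policy comes from Group Policy rather than `net accounts` alone, so pair the transcript with the relevant GPO report; likewise, item 6.1.6 asks for a screen showing a non-compliant password being rejected, which this script does not produce and should still be captured interactively.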