
Information Security Management

QUICK EXPLORATORY SELF-ASSESSMENT GUIDE

PRACTICAL TOOLS FOR SELF-ASSESSMENT

Diagnose projects, initiatives, organizations, businesses and processes using accepted diagnostic standards and practices

Implement evidence-based best practice strategies aligned with overall goals

Integrate recent advances and process design strategies into practice according to best practice guidelines

Use the Self-Assessment tool Scorecard and develop a clear picture of which areas need attention

The Art of Service


Information Security Management
Quick Exploratory Self-Assessment Guide

This Information Security Management Quick Exploratory Self-Assessment Guide is an excerpt of the Complete Information Security Management Self-Assessment guide, read more at:

https://store.theartofservice.com/

The guidance in this Self-Assessment is based on Information Security
Management best practices and standards in business process
architecture, design and quality management. The guidance is also based
on the professional judgment of the individual collaborators listed in the
Acknowledgments.

Notice of rights
You are permitted to use the Self-Assessment contents in your presentations
and materials for internal use and customers without asking us - we are here
to help.

All rights reserved for the book itself: this book may not be reproduced or
transmitted in any form by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of the publisher.
The information in this book is distributed on an As Is basis without warranty.
While every precaution has been taken in the preparation of the book, neither
the author nor the publisher shall have any liability to any person or entity
with respect to any loss or damage caused or alleged to be caused directly or
indirectly by the instructions contained in this book or by the products described
in it.

Trademarks
Many of the designations used by manufacturers and sellers to distinguish
their products are claimed as trademarks. Where those designations appear in
this book, and the publisher was aware of a trademark claim, the designations
appear as requested by the owner of the trademark. All other product names
and services identified throughout this book are used in editorial fashion only
and for the benefit of such companies with no intention of infringement of the
trademark. No such use, or the use of any trade name, is intended to convey
endorsement or other affiliation with this book.

Copyright by The Art of Service


http://theartofservice.com
service@theartofservice.com

Table of Contents
About The Art of Service 3
Acknowledgments 4
Complete Resources - how to access 4
Purpose of this Self-Assessment 4
How to use the Self-Assessment 5
Information Security Management Scorecard Example 7
Information Security Management Scorecard 8
BEGINNING OF THE SELF-ASSESSMENT 9
CRITERION #1: RECOGNIZE 11
CRITERION #2: DEFINE 14
CRITERION #3: MEASURE 17
CRITERION #4: ANALYZE 21
CRITERION #5: IMPROVE 24
CRITERION #6: CONTROL 27
CRITERION #7: SUSTAIN 31
Index 33

About The Art of Service

The Art of Service, Business Process Architects since 2000, is dedicated to helping business achieve excellence.

Defining, designing, creating, and implementing a process to solve a business challenge or meet a business objective is the most valuable role in EVERY company, organization and department.

Unless you're talking about a one-time, single-use project within a business, there should be a process. Whether that process is managed and implemented by humans, AI, or a combination of the two, it needs to be designed by someone with a complex enough perspective to ask the right questions.

Someone capable of asking the right questions, stepping back and saying, "What are we really trying to accomplish here? And is there a different way to look at it?"

With The Art of Service's Business Process Architect Self-Assessments, Research, Toolkits, Education and Certifications we empower people who can do just that, whether their title is marketer, entrepreneur, manager, salesperson, consultant, Business Process Manager, executive assistant, IT Manager, CIO, etc. They are the people who rule the future. They are people who watch the process as it happens, and ask the right questions to make the process work better.

Contact us when you need any support with this Self-Assessment and any help with templates, blue-prints and examples of standard documents you might need:

http://theartofservice.com
service@theartofservice.com

Acknowledgments
This checklist was developed under the auspices of The Art of Service, chaired by Gerardus Blokdyk.

Representatives from several client companies participated in the preparation of this Self-Assessment.

Our deepest gratitude goes out to Matt Champagne, Ph.D., Surveys Expert, for his invaluable help and advice in structuring the Self-Assessment.

Mr Champagne can be contacted at http://matthewchampagne.com/

In addition, we are thankful for the design and printing services provided.

Complete Resources - how to access

The Complete Information Security Management Self-Assessment Guide includes ALL questions and Self-Assessment areas.

Included are all the Information Security Management Self-Assessment questions in a ready-to-use Excel spreadsheet, containing the self-assessment, graphs, and project RACI planning - all with examples to get you started right away. Go to:

https://store.theartofservice.com

Purpose of this Self-Assessment

This Self-Assessment has been developed to improve understanding of the requirements and elements of Information Security Management, based on best practices and standards in business process architecture, design and quality management.

It is designed to allow for a rapid Self-Assessment of an organization or facility to determine how closely existing management practices and procedures correspond to the elements of the Self-Assessment.

The criteria of requirements and elements of Information Security Management have been rephrased in the format of a Self-Assessment questionnaire, with a seven-criterion scoring system, as explained in this document.

In this format, even with limited background knowledge of Information Security Management, a facility or other business manager can quickly review existing operations to determine how they measure up to the standards. This in turn can serve as the starting point of a gap analysis to identify management tools or system elements that might usefully be implemented in the organization to help improve overall performance.

How to use the Self-Assessment

On the following pages are a series of questions to identify to what extent your Information Security Management initiative is complete in comparison to the requirements set in standards.

To facilitate answering the questions, there is a space in front of each question to enter a score on a scale of 1 to 5.

1 Strongly Disagree
2 Disagree
3 Neutral
4 Agree
5 Strongly Agree

Read the question and rate it with the following in front of mind:

In my belief, the answer to this question is clearly defined.

There are two ways in which you can choose to interpret this statement:

1. how aware are you that the answer to the question is clearly defined
2. for more in-depth analysis you can choose to gather evidence and confirm the answer to the question. This obviously will take more time; most Self-Assessment users opt for the first way to interpret the question and dig deeper later on based on the outcome of the overall Self-Assessment.

A score of 1 would mean that the answer is not clear at all, where a 5 would mean the answer is crystal clear and defined. Leave empty when the question is not applicable or you don't want to answer it; you can skip it without affecting your score. Write your score in the space provided.

After you have responded to all the appropriate statements in each section, compute your average score for that section, using the formula provided, and round to the nearest tenth. Then transfer it to the corresponding spoke in the Information Security Management Scorecard on the second next page of the Self-Assessment.

Your completed Information Security Management Scorecard will give you a clear presentation of which Information Security Management areas need attention.

Information Security Management Scorecard Example

Example of how the finalized Scorecard can look:

Information Security Management Scorecard

Your Scores:

BEGINNING OF THE SELF-ASSESSMENT

SELF-ASSESSMENT SECTION START

CRITERION #1: RECOGNIZE

INTENT: Be aware of the need for change. Recognize that there is an unfavorable variation, problem or symptom.

In my belief, the answer to this question is clearly defined:

5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. Has the organization established an Identity and Access Management program that is consistent with requirements, policy, and applicable guidelines and which identifies users and network devices?
<--- Score

2. What do I need to comply with?
<--- Score

3. Liability in the event sensitive information is compromised?
<--- Score

4. How is the board kept informed of information security issues?
<--- Score

5. Has management issued a policy statement on information security?
<--- Score

6. Would the average employee recognize a security issue?
<--- Score

7. Would people recognise a security incident when they saw one?
<--- Score

Add up total points for this section:

_____ = Total points for this section

Divided by: ______ (number of statements answered) = ______ Average score for this section

Transfer your score to the Information Security Management Index at the beginning of the Self-Assessment.

CRITERION #2: DEFINE

INTENT: Formulate the business problem. Define the problem, needs and objectives.

In my belief, the answer to this question is clearly defined:

5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. Scope of application?
<--- Score

2. Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with requirements, policy, and applicable guidelines?
<--- Score

3. Has the organization established a remote access program that is consistent with FISMA requirements, policy, and applicable NIST guidelines?
<--- Score

4. Define ISMS scope: what businesses, business units, departments and/or systems are going to be covered by your Information Security Management System?
<--- Score

5. Are security roles and responsibilities clearly defined and communicated?
<--- Score

6. How do you define security?
<--- Score

7. What tools and roadmaps did you use for getting through the Define phase?
<--- Score

Add up total points for this section:

_____ = Total points for this section

Divided by: ______ (number of statements answered) = ______ Average score for this section

Transfer your score to the Information Security Management Index at the beginning of the Self-Assessment.

CRITERION #3: MEASURE

INTENT: Gather the correct data. Measure the current performance and evolution of the situation.

In my belief, the answer to this question is clearly defined:

5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. Does your enterprise follow a patch/update management and evaluation process to prioritize and remediate new security vulnerabilities?
<--- Score

2. Has a business impact assessment been performed?
<--- Score

3. Do you regularly scan your systems and networks, using a vulnerability analysis tool, for security exposures?
<--- Score

4. Resulting risks and selected countermeasures are the same for all companies. If a large number of companies have documented their experiences in this area, alongside the countermeasures they have selected for the possible risks, why do a comprehensive risk analysis to probably arrive at the same result?
<--- Score

5. Is the organization effectively analyzing the security impacts of identified changes to the information system and its environment of operation?
<--- Score

6. Who participated in the data collection for measurements?
<--- Score

7. What particular quality tools did the team find helpful in establishing measurements?
<--- Score

Add up total points for this section:

_____ = Total points for this section

Divided by: ______ (number of statements answered) = ______ Average score for this section

Transfer your score to the Information Security Management Index at the beginning of the Self-Assessment.

CRITERION #4: ANALYZE

INTENT: Analyze causes, assumptions and hypotheses.

In my belief, the answer to this question is clearly defined:

5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. Are losses documented, analyzed, and remedial processes developed to prevent future losses?
<--- Score

2. Does Information Security Management systematically track and analyze outcomes for accountability and quality improvement?
<--- Score

3. Have the concerns of stakeholders, to help identify and define potential barriers, been obtained and analyzed?
<--- Score

4. Do staff have the necessary skills to collect, analyze, and report data?
<--- Score

5. What are the key indicators that you will measure, analyze and track?
<--- Score

6. Why identify and analyze stakeholders and their interests?
<--- Score

7. Have the types of risks that may impact Information Security Management been identified and analyzed?
<--- Score

Add up total points for this section:

_____ = Total points for this section

Divided by: ______ (number of statements answered) = ______ Average score for this section

Transfer your score to the Information Security Management Index at the beginning of the Self-Assessment.

CRITERION #5: IMPROVE

INTENT: Develop a practical solution. Innovate, establish and test the solution and measure the results.

In my belief, the answer to this question is clearly defined:

5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. When was the last time top management got involved in security-related decisions?
<--- Score

2. What is at risk?
<--- Score

3. Is the enterprise clear on its position relative to IT and security risks?
<--- Score

4. Outline the types of risk responses that are acceptable to the organization (e.g., is risk transfer/sharing feasible and acceptable at this facility?).
<--- Score

5. Is information security risk assessment a regular agenda item at IT and business management meetings, and does management follow through and support improvement initiatives?
<--- Score

6. Does the risk assessment consider what information assets are subject to laws and regulations?
<--- Score

7. Does the CEO request an information security evaluation, and are the results reviewed with staff and reported to the board of directors?
<--- Score

Add up total points for this section:

_____ = Total points for this section

Divided by: ______ (number of statements answered) = ______ Average score for this section

Transfer your score to the Information Security Management Index at the beginning of the Self-Assessment.

CRITERION #6: CONTROL

INTENT: Implement the practical solution. Maintain the performance and correct possible complications.

In my belief, the answer to this question is clearly defined:

5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. What set of countermeasures will provide the best protection against these risks?
<--- Score

2. Against which risks must the information resources be protected?
<--- Score

3. Is the organization updating critical risk management documents based on ongoing monitoring activities?
<--- Score

4. Has the organization established a POA&M program that is consistent with FISMA requirements, policy, and applicable NIST guidelines and tracks and monitors known information security weaknesses?
<--- Score

5. Did the final risk determination and risk acceptance by the authorizing official reflect the risk management strategy developed by the organization and conveyed by the risk executive (function)?
<--- Score

6. Do the results of the security categorization process reflect the organization's risk management strategy?
<--- Score

7. Is there a business continuity / disaster recovery plan in place?
<--- Score

Add up total points for this section:

_____ = Total points for this section

Divided by: ______ (number of statements answered) = ______ Average score for this section

Transfer your score to the Information Security Management Index at the beginning of the Self-Assessment.

CRITERION #7: SUSTAIN

INTENT: Retain the benefits.

In my belief, the answer to this question is clearly defined:

5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree

1. Information Security Management within Service Operation is a mature practice.
<--- Score

2. We have defined Information Security Management's Challenges, Critical Success Factors and Risks.
<--- Score

3. We have defined Information Security Management's Information Management reporting.
<--- Score

4. We have defined Information Security Management's KPIs.
<--- Score

5. We have defined Information Security Management's Triggers, Inputs, Outputs and interfaces.
<--- Score

6. Information Security Management's management of security breaches and incidents is defined.
<--- Score

7. Information Security Management's Security Controls are defined.
<--- Score

Add up total points for this section:

_____ = Total points for this section

Divided by: ______ (number of statements answered) = ______ Average score for this section

Transfer your score to the Information Security Management Index at the beginning of the Self-Assessment.
