Question
Additional Notes

1. Software developed by ABC Technologies is held in a Software-as-a-Service (SaaS) environment provided by ABCloud. Although the organization has signed ABCloud's standard terms and conditions, it is unclear what security requirements ABCloud must fulfil. It is understood that ABCloud have data centres in the UK, USA and India and some personal data may therefore be held on ABCloud servers in these countries.
2. Although policies have been developed, it is not clear when or if they have been reviewed and what the process is.
3. Sally McCarty's laptop was stolen from a train station last week.
4. It has become clear that Jennifer Gordon's contract for employment was not signed. It isn't clear if she was even aware that she had to sign it. If she was to leave, ABC Technologies would be in difficulty as nobody knows how to do her job and she wouldn't have to give a period of notice.
5. ABC Technologies have had a recent office move and printed copies of source code were left on the floor for the cleaners to move.
6. The asset register is very basic, and it is not clear if this is up to date.
7. Contingency plans for when people are off sick or leave need developing.
8. An access control policy was never developed.
9. Physical access control is outsourced as the premises are managed by the leasing company.
10. A clear desk policy is in operation, but staff members are still leaving paperwork out over the evening and at weekends.
11. Staff members also work from home and need remote access at times. Some work needs to be done around removing equipment and what is and is not allowed.
12. A clear policy and suitable environment are needed for development and testing of software.
13. It isn't clear if backups have ever been tested.
14. The company has efficient and effective logging and monitoring activities. All are kept up to date, reviewed appropriately and stored securely.
15. Installation of software and the integrity of operational systems are maintained effectively.
16. Network segregation needs clarification.
17. The company needs to spend some time developing useful transfer policies and procedures. Staff don't know what is acceptable and what is not.
18. As the company wants to focus on software development, the company needs to ensure that information security is applied to the complete development lifecycle. This needs to be embedded in all aspects (from initial planning to testing).
19. Supplier relationships and contracts are key; clarification with suppliers and their part in ensuring security of information is essential. Contracts are in place, but these don't include all the necessary activities. In particular service delivery needs to become better controlled.
20. Only the important incidents related to the network are documented and discussed during the IT team's weekly meeting.
21. The last review of security controls took place 18 months ago.
22. The organization assumes it complies with all legislation, but there isn't a definitive list of applicable legislation.
23. The review of compliance with policy, standards and procedures is overdue. A timeframe has never been fixed but managers appear to do this when incidents happen.