TATA COMMUNICATION

Is there a process defined to create and maintain a catalogue of assets and their business criticality?

Not at present

A process does not exist but plans to create one exist or are underway

A process exists but isn’t always followed or doesn’t work well

A process exists and is followed but has some problems

A mature process exists and is well understood
Do you have a cyber security strategy and appropriate policies in place to address digital initiatives?

Not at present

A strategy does not exist but plans to create one exist or are underway

A strategy exists but isn’t always followed

A strategy exists and is usually followed

A mature strategy exists and is well understood
Are roles and responsibilities defined for cyber security across your organisation?

Not at present

Some roles are loosely defined but awareness is limited

Roles are well defined but insufficient

Roles are well defined and are being improved and evaluated

Roles are well defined and effective across the organisation
Do you maintain a security integration tool to ensure that your organisation adheres to a risk-based approach for critical business processes and related infrastructure?

No such approach is followed

No tools are used but plans to implement them exist or are underway

Tool exists but are ineffective

Effective tool exists but improvements are possible

Best available tools are used
Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of IT risk related issues?

Not needed

This role is performed by individuals on projects as needed

This is role is performed by a dedicated individual

This role is performed by several dedicated individuals

Dedicated department exists
Does your organisation have a process for monitoring access to security tools?

Not at present

A process does not exist but plans to create one exist or are underway

A process exists but isn’t always followed or doesn’t work well

A process exists and is followed but has some problems

A mature process exists and is well understood
Does your organisation conduct security awareness training for employees, executives, and business partners?

Not at present

Not at present but plans to implement this exist or are underway

Some training is provided for selected individuals

Training is provided for all employees but is outdated or ineffective

Effective training is provided for all employees
Are there processes defined and appropriate set of tools in place to ensure data is encrypted across its lifecycle?

Not at present

A process does not exist but plans to create one exist or are underway

A process exists but is unsupported by tools

A process exists and is supported by some tool functionality

A mature process exists and is well supported by tools
Are security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organisational entities), processes, and procedures are maintained and used to manage the protection of information systems and assets?

Not at present

These do not exist but plans to create them exist or are underway

These exist but are not widely used

These exist with some use and support issues

These are in place, widely used, and effective
Is maintenance and repair of organisational assets performed and logged in a timely manner, with approved and controlled tools?

Repairs are not done

Repairs are done as needed but not recorded

Repairs are performed as needed and recorded

Maintenance and repairs are performed using approved tools and are recorded

Preventative maintenance schedules are followed and recorded which remove the need for repairs
Do you have an enterprise-level security architecture defined and adhered across the organisation?

Not at present

An architecture does not exist but plans to create one exist or are underway

An architecture exists but isn’t always followed or doesn’t work well

An architecture exists and is followed but has some problems

A mature architecture process and is well understood
Do you maintain a matrix-based dashboard to monitor events continuously?

Not at present

A dashboard does not exist but plans to create one exist or are underway

A dashboard exists but isn’t always used or doesn’t work well

A dashboard exists and is used but has some problems

A mature dashboard exists and is well understood and used regularly
Do you maintain vendor management programme to determine organisational risks?

Not at present

A programme does not exist but plans to create one exist or are underway

A programme exists but isn’t always followed or doesn’t work well

A programme exists and is followed but has some problems

A mature programme exists and is well understood
Are technical security solutions implemented to detect the security and resilience of systems and assets, consistent with related policies, procedures, and agreements?

Not at present

On an ad hoc or case-by-case manner

Disparate solutions are used across the business

A consolidated solution exists but could be improved

An effective consolidated solution exists
Have you implemented technical controls and processes to detect security events?

Not at present

A process does not exist but plans to create one exist or are underway

A process exists but isn’t effective and controls are limited

A process exists with some controls but has some problems

A mature process with controls exists and is well understood
Does your cyber security incident response cover all stages of an investigation?

Incident responses are not prepared

Incident responses are prepared on an ad-hoc basis

Incident responses are prepared, but aren’t exhaustive

Incident responses are prepared, but the process can be improved

Incident responses are prepared and the process is continuously improved
Does your cyber security incident response process enable you to respond to all the incidents within timelines?

Incident responses are not prepared

Incident responses are prepared on an ad-hoc basis

Established incident response process, but timelines are often missed

Incident response process exists and works well, but occasionally timelines are missed

A complete and effective incident response process works that delivers within timelines
Do you analyse cyber security threats and associated vulnerabilities on a regular basis?

Not at present

A process for doing so does not exist but plans to create one exist or are underway

A process for doing so exists but isn’t performed regularly

A process for doing so exists but could be improved

A mature process for doing so exists and is performed regularly
Do you have the right set of tools and technologies to mitigate the cyber security incidents?

No mitigation is performed

No tools are used but plans to implement them exist or are underway

Tool set exists but is ineffective

Effective tool set exists but, improvements are possible

Best available tools are used
Does your organisation analyse its past security incidents to improve response strategies and tactics?

Not at present

A process for doing so does not exist but plans to create one exist or are underway

A process for doing so exists but isn’t followed regularly

A process for doing so exists but could be improved

A mature process for doing so exists and is followed after each incident
Do you have a crisis management team to support serious cyber security incidents?

Not needed

This role is performed by individuals as needed

This is role is performed by a dedicated individual

This role is performed by several dedicated individuals

Dedicated team exists
Do you identify, document and communicate the lessons learned from cyber security incidents?

Not at present

A process for doing so does not exist but plans to create one exist or are underway

A process for doing so exists but isn’t followed regularly

A process for doing so exists but could be improved

A mature process for doing so exists and is followed after each incident
Do you maintain a documented and proactive security breach response process?

Not at present

A process for doing so does not exist but plans to create one exist or are underway

A process for doing so exists but isn’t followed regularly

A process for doing so exists but could be improved

A mature process for doing so exists
Do you maintain a BCP/DR programme to resolve and recover from cyber security incidents?

No programme exists

A programme does not exist but plans to create one exist or are underway

A programme exists but is dated

A programme exists but could be improved

A complete and effective programme exists
Does your organisation have the ability to recover from data compromise and availability issues?

No such capability exists

This capability does not exist but plans to create it exist or are underway

This capability exists but its extent is unclear or limited

This capability exists but could be improved

The capability to completely recover and maintain availability is well known

Identify

Protect

Detect

Respond

Recover

Is there a process defined to create and maintain a catalogue of assets and their business criticality?

Do you have a cyber security strategy and appropriate policies in place to address digital initiatives?

Are roles and responsibilities defined for cyber security across your organisation?

Do you maintain a security integration tool to ensure that your organisation adheres to a risk-based approach for critical business processes and related infrastructure?

Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of IT risk related issues?

Does your organisation have a process for monitoring access to security tools?

Does your organisation conduct security awareness training for employees, executives, and business partners?

Are there processes defined and appropriate set of tools in place to ensure data is encrypted across its lifecycle?

Are security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organisational entities), processes, and procedures are maintained and used to manage the protection of information systems and assets?

Is maintenance and repair of organisational assets performed and logged in a timely manner, with approved and controlled tools?

Do you have an enterprise-level security architecture defined and adhered across the organisation?

Do you maintain a matrix-based dashboard to monitor events continuously?

Do you maintain vendor management programme to determine organisational risks?

Are technical security solutions implemented to detect the security and resilience of systems and assets, consistent with related policies, procedures, and agreements?

Have you implemented technical controls and processes to detect security events?

Does your cyber security incident response cover all stages of an investigation?

Does your cyber security incident response process enable you to respond to all the incidents within timelines?

Do you analyse cyber security threats and associated vulnerabilities on a regular basis?

Do you have the right set of tools and technologies to mitigate the cyber security incidents?

Does your organisation analyse its past security incidents to improve response strategies and tactics?

Do you have a crisis management team to support serious cyber security incidents?

Do you identify, document and communicate the lessons learned from cyber security incidents?

Do you maintain a documented and proactive security breach response process?

Do you maintain a BCP/DR programme to resolve and recover from cyber security incidents?

Does your organisation have the ability to recover from data compromise and availability issues?

Identify

Protect

Detect

Respond

Recover

Is there a process defined to create and maintain a catalogue of assets and their business criticality?

Do you have a cyber security strategy and appropriate policies in place to address digital initiatives?

Are roles and responsibilities defined for cyber security across your organisation?

Do you maintain a security integration tool to ensure that your organisation adheres to a risk-based approach for critical business processes and related infrastructure?

Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of IT risk related issues?

Does your organisation have a process for monitoring access to security tools?

Does your organisation conduct security awareness training for employees, executives, and business partners?

Are there processes defined and appropriate set of tools in place to ensure data is encrypted across its lifecycle?

Are security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organisational entities), processes, and procedures are maintained and used to manage the protection of information systems and assets?

Is maintenance and repair of organisational assets performed and logged in a timely manner, with approved and controlled tools?

Do you have an enterprise-level security architecture defined and adhered across the organisation?

Do you maintain a matrix-based dashboard to monitor events continuously?

Do you maintain vendor management programme to determine organisational risks?

Are technical security solutions implemented to detect the security and resilience of systems and assets, consistent with related policies, procedures, and agreements?

Have you implemented technical controls and processes to detect security events?

Does your cyber security incident response cover all stages of an investigation?

Does your cyber security incident response process enable you to respond to all the incidents within timelines?

Do you analyse cyber security threats and associated vulnerabilities on a regular basis?

Do you have the right set of tools and technologies to mitigate the cyber security incidents?

Does your organisation analyse its past security incidents to improve response strategies and tactics?

Do you have a crisis management team to support serious cyber security incidents?

Do you identify, document and communicate the lessons learned from cyber security incidents?

Do you maintain a documented and proactive security breach response process?

Do you maintain a BCP/DR programme to resolve and recover from cyber security incidents?

Does your organisation have the ability to recover from data compromise and availability issues?

Can you count on your corporate security? Get the report to find out more.

Can you count on your corporate security?
Get the report to find out more.