| No |
Vulnerability |
| 151 |
User id’s based on job description |
| 152 |
No user identification and authentication |
| 153 |
Weak password management system |
| 154 |
Unrestricted use of system utilities |
| 155 |
No provision of duress alarm for employees who mite be susceptible to coercion |
| 156 |
No terminal timeout for systems in high risk environment |
| 157 |
No additional controls for systems which cannot have terminal timeout |
| 158 |
Access not given based on business application requirements |
| 159 |
Sensitive systems are not kept in isolated environment |
| 160 |
Auditing is not enabled on the files |
| 161 |
No monitoring of system use |
| 162 |
No clock synchronization facility |
| 163 |
Lack of encryption software on the laptops |
| 164 |
No guidelines for mobile computing |
| 165 |
Lack of awareness, training for users for mobile computing |
| 166 |
No guidelines/policy for teleworking |
| 167 |
Security requirement specification is not available |
| 168 |
Input string is not validated for length and type, sanitizing of input is not adequate |
| 169 |
Weak Design and processing of application |
| 170 |
Weak Authentication mechanism being used i.e.encryption not in use |
| 171 |
Improper administration, plausibility checks to test the reasonability of output data are not in place |
| 172 |
Information being exchanged in plain text |
| 173 |
Poor Encryption technique is used |
| 174 |
Adequate cryptographic measures not in place |
| 175 |
Improper controls and Improper access to the keys |
| 176 |
No qualified nomination of people who will update the operational software |
| 177 |
Access to the source code not restricted |
| 178 |
Improper change implementation or change control procedure not present |
| 179 |
No technical review of operating system changes |
| 180 |
Restrictions on changes to software packages are not either set or well communicated to users or implementers |
| 181 |
Third party software are not procured from a reputable source |
| 182 |
Third party software is not evaluated/ improper evaluation |
| 183 |
SLA and NDA not signed with the third party software development firm |
| 184 |
No escrow agreement with the third party software development firm |
| 185 |
No pre planning for disaster recovery |
| 186 |
Geographical location has fault lines (earthquake prone zone) |
| 187 |
Geographical location is in an area susceptible to floods |
| 188 |
Geographical location is in an area susceptible to storm |
| 189 |
Building is located near to area vulnerable to accidents. (e.g., Petrol Pump, Gas station etc., |
| 190 |
Building is located near to power generating station |
| 191 |
No Analysis or well approved business continuity strategy |
| 192 |
No or poor implementation of BCP |
| 193 |
No DRP framework present |
| 194 |
DRP is not tested, implemented or verified |
| 195 |
Statutory, regulatory and contractual requirements are not clearly defined |
| 196 |
Copyright, design rights and trademark are not ket restricted |
| 197 |
Records are not categorised or kep secretly |
| 198 |
General information of living individuals is not kept secret |
| 199 |
Warning on critical assets is either not or incorrectly displayed |
| 200 |
agreements, laws, regulations or other instruments to control the access to or the use of cryptographic controls is not set |
| 201 |
Evidences pertaining to respective law either civil or criminal are not present |
| 202 |
Security Ploy is not being complied with legal and other issues |
| 203 |
Controls of the audit of operational system are not either in place or present |
| 204 |
Audit tools (software data files) are not protected |
| 205 |
Unrestricted use of modems to dial in to the network |
| 206 |
Lack of an inventory of dial-up lines leading to inability to monitor dial up access |
| 207 |
Lack of audit logs to detect unauthorized access |
| 208 |
Lack of user authentication |
| 209 |
Lack of firewall |
| 210 |
Lack of policies in respect of dial up access and modem use. |
| 211 |
Lack of policy restricting staff to use of licensed software |
| 212 |
Inadequate control of software distribution |
| 213 |
Lack of software auditing |
| 214 |
Unrestricted copying of software |
| 215 |
Negligence or insufficient checks (Legal responsibilities and rights etc) |
| 216 |
Insufficient security training |
| 217 |
Lack of security awareness |
| 218 |
Lack of monitoring mechanisms |
| 219 |
Lack of policies for the correct use of telecommunications media and messaging |
| 220 |
No removal of access rights upon job termination |
| 221 |
No procedure to ensure return of asset upon job termination |
| 222 |
Unmotivated or disgruntled staff |
| 223 |
Unsupervised work by outside staff or staff working outside normal business hours |
| 224 |
Personnel are not aware of threats from social engineering |
| 225 |
No user awareness |
| 226 |
No protection for office systems |
| 227 |
Inadequate or careless use of physical access control to buildings, rooms and offices |
| 228 |
Lack of physical protection for the building, doors, and windows |
| 229 |
Location in an area susceptible to flood |
| 230 |
Unprotected storage |
| 231 |
Insufficient maintenance/faulty installation of storage media |
| 232 |
Lack of periodic equipment replacement schemes |
| 233 |
Susceptibility of equipment to humidity, dust, soiling |
| 234 |
Susceptibility of equipment to temperature variations |
| 235 |
Susceptibility of equipment to voltage variations |
| 236 |
Unstable power grid |
| 237 |
Unrestricted physical access to facilities and computer room |
| 238 |
Blind spots due of improper placement of camera |
| 239 |
Security perimeter is not clearly defined |
| 240 |
Insufficient security man power |
| 241 |
Insufficient access controls for critical facility |
| 242 |
Servers are stored in a unsafe location with no access control mechanisms |
| 243 |
Critical devices are not placed in controlled environment |
| 244 |
Server is not stored in a rack or a cage |
| 245 |
Critical devices are left carelessly lying around |
| 246 |
Loading and unloading areas are not secured |
| 247 |
Inadmissible temperature and humidity |
| 248 |
No process for cleaning of equipment s |
| 249 |
Lack of fire detection devices |
| 250 |
Lack of automatic fire suppression system |
| 251 |
Fire drills are not conducted |
| 252 |
Fire fighting equipment s are not appropriate for electric fires/ equipment s in the Data Center |
| 253 |
Stabilized power not available |
| 254 |
Surge in electric current |
| 255 |
Voltage variations |
| 256 |
Redundant power supplies are not available |
| 257 |
Power and telecommunication lines are exposed |
| 258 |
Lack of redundancy and back-ups for the communication services |
| 259 |
Lack of planning and implementation of communication cabling |
| 260 |
Network cabling exposed and carelessly laid |
| 261 |
Power cables not segregated from telecommunication cables |
| 262 |
The maintenance for firefighting equipment’s are not performed on a periodic basis |
| 263 |
Testing of the fire equipment’s are not performed |
| 264 |
Lack of proper maintenance process for all critical equipment’s. (HVAC, Servers, etc.,) |
| 265 |
Critical devices left unattneded in public palces |
| 266 |
Destruction mechanism such as shredders not used |
| 267 |
Hard copies are available freely |
| 268 |
Critical devices (common hardware tokens) are taken home |
| 269 |
Backup media are not kept in a fireproof safe |
| 270 |
Off-site backup facility is not present |
| 271 |
Backup medias are not secured |
| 272 |
Unsafe storage |
| 273 |
Medias are not erased at its end of life |
| 274 |
Medias are not safely disposed |
| 275 |
No information labeling |
| 276 |
No access restriction |
| 277 |
Paper information is not protected during distribution through courrier |
| 278 |
Media is not protected |
| 279 |
Media is not physically secured |
| 280 |
Goodwill / Reputation Loss |
| 281 |
Improper Disposal of documents |
| 282 |
Lack of proper access rights management of removable and external storage media |
| 283 |
Inappropriate access rights management |
| 284 |
Inadequate classification present for the documentation |
| 285 |
Employees not educated / unaware of security threats and counter measures |
| 286 |
No policies and Procedures pertaining to access control, password management, secure disposal of data in place |
| 287 |
Inadequate backup and restoration procedures in place |
| 288 |
Usage of removable storage media |
| 289 |
Improper retention of documents as per the contractual/regulatory requirements applicable |
| 290 |
Public emails used for sharing organization information |
| 291 |
Improper information sharing between employees |
| 292 |
No security related roles and responsibilities defined for employee of POSOCO |
| 293 |
Inadequate classification present for the documentation |
| 294 |
Sensitive or confidential information is not appropriately protected |
| 295 |
Files containing business confidential information are kept out in open |
| 296 |
Visitor baggage not being frisked |
| 297 |
Inadequate backup and restoration procedures in place |
| 298 |
Improper retention of documents as per the contractual/regulatory requirements applicable |
| 299 |
Improper disposal of project documentation |
| 300 |
Improper privilege (administrator level) set on all the machines |
| 301 |
Monitors are not locked when employee is not on his/her desk |
| 302 |
Users have privilege to download and install any software on their systems. |
| 303 |
No access rights management on removable storage media |
| 304 |
Personal and non business related information stored in the systems |
| 305 |
No procedure in place to ensure that applications, systems and devices are updated and patched regularly |
| 306 |
No policies and procedures in place (for example password management policy, backup and retrieval policy, physical and environmental policy, access control policy, email and internet usage policy, data retention and purging policy, etc.) |
| 307 |
Improper files and folder sharing practices followed |
| 308 |
Lack of security awareness. |
| 309 |
No service level or confidentiality agreement signed with the vendors |
| 310 |
No proof or records maintained for testing conducted |
| 311 |
No Change management procedure in place |
| 312 |
No process in place to ensure active monitoring of network device logs |
| 313 |
No fault recording and capacity management is not carried out |
| 314 |
Lack of structured cabling |
| 315 |
No BCP/ DR planning in place |
| 316 |
No backup of the configurations of the devices |
| 317 |
No content filtering enabled to block unwanted traffic |
| 318 |
No policies and procedures in place for network management |
| 319 |
No procedure in place to track people entering and leaving a server room / ups room |
| 320 |
No policies and procedures in place for server management |
| 321 |
Inadequate back and restoration procedure |
| 322 |
No procedure in place to track people entering and leaving a server/ups room |
| 323 |
Department SOP Not present |
| 324 |
No service level or confidentiality agreement signed with the vendors |
| 325 |
Inadequate SLA monitoring |
| 326 |
No policies and procedures in place for the software acceptable use |
| 327 |
No proof or records maintained for testing conducted |
| 328 |
No Change management procedure in place |
| 329 |
Inadequate back and restoration procedure |
| 330 |
Lack of security awareness. |
| 331 |
No procedure in place to ensure that applications, systems and devices are updated and patched regularly
|
