January 7, 2001, The new millennium

Welcome to the latest issue of the Enterprise-Wide IT Architecture Newsletter!

Supporting the Enterprise-Wide IT Architecture (EWITA) web site at http://www.ewita.com/

Editorial - Keeping it (EWITA) going

New Millennium

Well, congratulations, you made it to the new millennium! I wasn't so sure I was going to make it as I watched the Rose Parade in a hotel room, ice bag to the head, nursing a cup of "coffee", looking forward to a New Year's brunch with the family! My wife and I went out to one of those all-nighters with three bands and a lot, repeat a LOT, of booze.

Looking at the statistics for the site, I see that the accesses for December (a notoriously slow time) went up almost 75% over the prior year. Looks like we are growing.

And some more good news: the site has been upgraded from a three-star rating to a four-star rating by the itmWEB™ Resources for IT Professionals web site at http://www.itmweb.com

Over the last year, I have gotten a lot of compliments on the site. I think one of the best came in last week from the former CIO of North Carolina. She said, "It contains so much useful information. I vote it as 'best architecture reference' web site." Quite a compliment, obviously, grist for the KUDOS mill. BTW, check out the KUDOS area (click on KUDOS off the main menu) of the site to see some of the comments others have made about the site.

Well, I have decided to try to keep the newsletter going myself; Steve Rodgers, my associate, will be putting articles in intermittently. It was necessary for him to give more attention to his new job and his family.

If you have read the newsletters before, you know I am working at a new career as a consultant's consultant at ACCENTURE, the company formerly known as Andersen Consulting. It has been very interesting watching them rebrand themselves. From the little I saw previously when I established the EWITA site, I knew it would be a problem, but theirs is overwhelming, and it has been very well done. I will keep the newsletter going as best I can, but even working part time for them is taking up most of my free time after the "Honey do's" that I seem to have gotten involved in since my "retirement" from the State of California.

To keep the newsletter going, there will be some changes:

  • "There he goes again" will be titled "Editorial".
  • Site Spotlight will occur only when I find a new site that I feel will be of interest; you could, of course, recommend a site to look at.
  • Vendor Spotlight will occur only when I am contacted by a vendor to spotlight their site.
  • EWITA Web Site Changes will be deleted; you can find all changes to the site in the area called NEW on the main menu or in the administration area.
  • Hammering away in the garage will continue.
  • Feedback will continue to reflect email and verbal comments received the prior month.
  • Newsletters will be generated only in HTML; Word copies will not be generated.

If you have articles, white papers or sites of interest, let us publish them to this exclusive list of people interested in IT architecture. Forward articles, white papers and interesting sites to mailto:ewita@ewita.com.

------------------------------------------------------

Table of Contents

  1. Editorial - Keeping it (EWITA) going
  2. Hammering away in the garage - Architecting Security
  3. Site Spotlight - None this issue. Recommend a site to be reviewed.
  4. Vendor Spotlight - None this issue. Vendors, here is a chance to reach a selected audience of technical architects; send information to EWITA.
  5. Feedback - Responses to your comments and questions

------------------------------------------------------

Hammering away in the garage

Architecting Security

One of the most ignored, or at least downplayed, areas of IT is the matter of security.

This article is an attempt to address that area.

I have worked in shops where security was a matter of obfuscation. Just because we had a weird (technical term) file design, we felt that if anyone accessed the files the data would remain secure. This was in the old days when everyone did not have a computer. It was a hobby of mine to figure out how I could make a million dollars from those files. Obviously I never did!

Most attention in the security area is concentrated on hackers, though most security breaches are by staff. In the State of California - Employment Development Department Business Driven Architecture (BDA), we created an Architecture Domain for security based on the British Standard (BS) 7799 addressing the following areas.

We used the British standard because we had an IBM guru in to do an audit that showed many of our weak points, and he stated the standard was being considered by the IEEE organization. The standard was widely circulated in the organization because of that audit.

Since that attempt at codifying the security architecture, I have spent some time with other experts and a lot of time reading and analyzing BS 7799. I have developed the following table of Best Practices from that standard and my own experience. Each entry gives the Area, then the Principle (the objective for that area), then the Best Practices.

Area / Principle / Best Practices

Information security policy

Provide management direction and support for information security

  • Management sets a clear policy direction and demonstrates support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

Information security infrastructure

Manage information security within the organization.

  • A management framework is established to initiate and control the implementation of information security within the organization.
  • A suitable management forum with management leadership is established to approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization.
  • A source of specialist information security advice is established and made available within the organization.
  • Contacts with external security specialists are developed to keep up with industrial trends, monitor standards and assessment methods, and provide suitable liaison points when dealing with security incidents.
  • A multi-disciplinary approach to information security is encouraged, e.g. involving the co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance and risk management.

Security of third party access

Maintain the security of organizational information processing facilities and information assets accessed by third parties.

  • Access to the organization's information processing facilities by third parties is controlled.
  • A risk assessment is carried out to determine security implications and control requirements where there is a business need for third party access.
  • Controls are agreed to and defined in contracts with the third party.
  • Allowance for designation of other eligible participants and conditions for access is included in third party contracts that allow access.

Outsourcing

Maintain the security of information when the responsibility for information processing has been outsourced to another organization.

  • Outsourcing arrangements address the risks, security controls and procedures for information systems, networks and/or desktop environments in the contract between the parties.

Accountability for assets

Maintain appropriate protection of organizational assets.

  • All major information assets are accounted for and have a nominated owner.
  • Ownership is identified for all major assets and the responsibility for the maintenance of appropriate controls is assigned.
  • Responsibility for implementing controls may be delegated. Accountability remains with the nominated owner of the asset.

Security in job definition and resources

Reduce the risks of human error, theft, fraud or misuse of facilities.

  • Security responsibilities are addressed at the recruitment stage, included in contracts, and monitored during an individual's employment.
  • Potential recruits are adequately screened, especially for sensitive jobs.
  • All employees and third party users of information processing facilities sign a confidentiality (non-disclosure) agreement.

User training

Ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.

  • Users are trained in security procedures and the correct use of information processing facilities to minimize possible security risks.

Responding to security incidents and malfunctions

Minimize the damage from security incidents and malfunctions, and monitor and learn from incidents.

  • Incidents affecting security are reported through appropriate management channels as quickly as possible.
  • All employees and contractors are made aware of the procedures for reporting the different types of incidents (security breach, threat, weakness or malfunction) that might have an impact on the security of organizational assets.
  • The organization has a formal disciplinary process for dealing with employees who commit security breaches.
  • Evidence is collected as soon as possible after the occurrence.

Secure areas

Prevent unauthorized access, damage and interference to business premises and information.

  • Critical or sensitive business information processing facilities are:
  1. housed in secure areas, protected by a defined security perimeter, with appropriate security barriers and entry controls.
  2. physically protected from unauthorized access, damage and interference.
  • The protection provided is commensurate with the identified risk.
  • A clear desk and clear screen policy reduces the risk of unauthorized access or damage to papers, media and information processing facilities.

Equipment security

Prevent loss, damage or compromise of assets and interruption to business activities

  • Equipment is physically protected from security threats and environmental hazards.
  • Protection of equipment (including that used off-site) is necessary to reduce the risk of unauthorized access to data and to protect against loss or damage.
  • Protection of equipment should also consider equipment siting and disposal.
  • Special controls may be required to protect against hazards or unauthorized access, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure.

General controls

Prevent compromise or theft of information and information processing facilities.

  • Information and information processing facilities are protected from disclosure to, modification by or theft by unauthorized persons, and controls are in place to minimize loss or damage.

Operational procedures and responsibilities

Ensure the correct and secure operation of information processing facilities

  • Responsibilities and procedures for the management and operation of all information processing facilities are established.
  • Appropriate operating instructions and incident response procedures exist and are used.
  • Segregation of duties is implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

System planning and acceptance

Minimize the risk of systems failures

  • Advance planning and preparation is done to ensure the availability of adequate capacity and resources.
  • Projections of future capacity requirements are made, to reduce the risk of system overload.
  • The operational requirements of new systems are established, documented and tested prior to their acceptance and use.

Protection against malicious software

Protect the integrity of software and information

  • Precautions are required to prevent and detect the introduction of malicious software.
  • Users are made aware of the dangers of unauthorized or malicious software.
  • Managers introduce special controls to detect or prevent its introduction.
  • Precautions are taken to detect and prevent computer viruses on personal computers.

Housekeeping

Maintain the integrity and availability of information processing and communication services.

  • Routine procedures are established for carrying out the agreed back-up strategy: taking back-up copies of data and rehearsing their timely restoration, logging events and faults and, where appropriate, monitoring the equipment environment.
  • Validation of recoverability is done.

Network management

Ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

  • Methods and responsibilities of security management of networks spanning organizational boundaries are developed.
  • Additional controls are provided to protect sensitive data passing over public networks.

Media handling and security

Prevent damage to assets and interruptions to business activities.

  • Media is controlled and physically protected.
  • Appropriate operating procedures are established to protect documents, computer media (tapes, disks, cassettes), input/output data and system documentation from damage, theft and unauthorized access.

Exchanges of information and software

Prevent loss, modification or misuse of information exchanged between organizations.

  • Exchanges of information and software between organizations are controlled and comply with any relevant legislation.
  • Exchanges are carried out on the basis of formal agreements.
  • Procedures and standards to protect information and media in transit are established.
  • The business and security implications associated with electronic data interchange, electronic commerce and electronic mail, and the requirements for controls, are considered.

Business requirement for access control

Control access to information

  • Access to information and business processes is controlled on the basis of business and security requirements.
  • Policies for information dissemination and authorization must be available.

User access management

Prevent unauthorized access to information systems

  • Formal procedures are in place to control the allocation of access rights to information systems and services.
  • Procedures cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services.
  • The allocation of privileged access rights, which allow users to override system controls, is tightly controlled.

User responsibilities

Prevent unauthorized user access

  • Users are made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.
  • The cooperation of every authorized user is essential for effective security.

Network access control

Protect networked services.

  • Access to both internal and external networked services is controlled.
  • Ensure that users who have access to networks and network services do not compromise the security of these network services by establishing:
  1. appropriate interfaces between the organization's network and networks owned by other organizations, or public networks;
  2. appropriate authentication mechanisms for users and equipment;
  3. control of user access to information services.

Operating system access control

Prevent unauthorized computer access

  • Security facilities at the operating system level are used to restrict access to computer resources. These facilities are capable of the following:
  1. identify and verify the identity, terminal and location of each authorized user;
  2. record successful and failed system accesses;
  3. provide appropriate means for authentication;
  4. ensure quality passwords through password management systems;
  5. restrict the connection times of users.
  • Other access control methods, such as challenge-response, are used if justified on the basis of business risk.

Application access control

Prevent unauthorized access to information held in information systems. Security facilities are used to restrict access within application systems.

  • Logical access to software and information is restricted to authorized users. Application systems will:
  1. control user access to information and application system functions, in accordance with a defined business access control policy;
  2. provide protection from unauthorized access for any utility and operating system software that is capable of overriding system or application controls;
  3. protect the security of other systems with which information resources are shared;
  4. provide access to information to the owner only, other nominated authorized individuals, or defined groups of users.

Monitoring system access and use

Detect unauthorized activities

  • Systems are monitored to detect deviation from access control policy and record monitored events to provide evidence in case of security incidents.
  • System monitoring allows the effectiveness of controls to be checked and their conformity to the access policy model to be verified.
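As an added illustration (not code from the newsletter or from BS 7799), the following Python models the five operating-system access-control facilities listed above and the monitoring objective in this entry, run over a constructed day of login attempts; the account names, terminals, permitted hours and events are all assumptions.

```python
"""Toy model of the operating-system access-control facilities and the monitoring
objective listed above.  Added illustration, not code from the newsletter or BS 7799."""
from dataclasses import dataclass, field
from datetime import datetime
import re

OUTSIDE_HOURS, DEREGISTERED = "outside permitted connection time", "de-registered user"

@dataclass
class Account:
    user: str
    password: str            # plaintext only to keep the model short
    terminals: set           # terminals this user is registered to use
    hours: tuple = (8, 18)   # permitted connection window, 24-hour clock
    privileged: bool = False
    active: bool = True      # False once the user has been de-registered

@dataclass
class AccessLog:
    events: list = field(default_factory=list)

    def record(self, when, user, terminal, outcome, reason=""):
        # Facility 2: every attempt, successful or failed, is recorded.
        self.events.append(dict(when=when, user=user, terminal=terminal,
                                outcome=outcome, reason=reason))

def password_is_quality(pw, minimum=10):
    """Facility 4: minimum length plus at least three character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= minimum and sum(bool(re.search(c, pw)) for c in classes) >= 3

def attempt_login(accounts, log, when, user, terminal, password):
    """Facilities 1, 3 and 5: check user, terminal and time, then authenticate."""
    acct = accounts.get(user)
    if acct is None:
        reason = "unknown user"
    elif not acct.active:
        reason = DEREGISTERED
    elif terminal not in acct.terminals:
        reason = "terminal not registered to user"
    elif not acct.hours[0] <= when.hour < acct.hours[1]:
        reason = OUTSIDE_HOURS
    elif password != acct.password:
        reason = "bad password"
    else:
        log.record(when, user, terminal, "OK")
        return True
    log.record(when, user, terminal, "FAIL", reason)
    return False

def review_log(accounts, log, fail_threshold=3):
    """Monitoring: list deviations from the access policy for follow-up."""
    findings, fails = [], {}
    for e in log.events:
        stamp = f"{e['when']:%Y-%m-%d %H:%M} {e['user']}@{e['terminal']}"
        if e["outcome"] == "FAIL":
            fails[e["user"]] = fails.get(e["user"], 0) + 1
            if e["reason"] in (OUTSIDE_HOURS, DEREGISTERED):
                findings.append(f"{stamp}: {e['reason']}")
        elif accounts[e["user"]].privileged:
            findings.append(f"{stamp}: privileged login")  # always reviewed
    for user, n in fails.items():
        if n >= fail_threshold:
            findings.append(f"{user}: {n} failed attempts")
    return findings

def run_scenario():
    """Constructed events for one day (all names invented); returns the findings."""
    accounts = {
        "alice": Account("alice", "Tr0ub4dor&3x", {"T01", "T02"}),
        "opsadm": Account("opsadm", "Adm1n-Cons0le!", {"CON"}, (0, 24), True),
        "bob": Account("bob", "Old-Pa55word", {"T05"}, active=False),
    }
    log, at = AccessLog(), lambda h, m: datetime(2001, 1, 8, h, m)
    attempt_login(accounts, log, at(9, 15), "alice", "T01", "Tr0ub4dor&3x")
    attempt_login(accounts, log, at(22, 40), "alice", "T01", "Tr0ub4dor&3x")
    attempt_login(accounts, log, at(10, 2), "bob", "T05", "Old-Pa55word")
    for m in (5, 6, 7):  # three guesses against an account that does not exist
        attempt_login(accounts, log, at(10, m), "mallory", "T09", "guess")
    attempt_login(accounts, log, at(11, 0), "opsadm", "CON", "Adm1n-Cons0le!")
    return review_log(accounts, log)
```

The review step lists every privileged login as well as the policy deviations, which is what lets the effectiveness of the controls be checked against the access policy rather than only counting failures.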

Mobile computing and telecommuting

Ensure information security when using mobile computing and telecommuting facilities.

  • The protection required is commensurate with the risks.
  • Address the risks of working in an unprotected environment.
  • Develop appropriate protection for the unprotected environment.
  • Apply protection to the telecommuting site and ensure that suitable arrangements are in place.

Security requirements of systems

Ensure that security is built into information systems

  • Security requirements are identified, agreed and documented prior to the development of information systems.
  • All security requirements, including the need for fallback arrangements, are identified at the requirements phase of a project and justified, agreed and documented as part of the overall business case for an information system.

Security in application systems

Prevent loss, modification or misuse of user data in application systems

  • Appropriate controls and audit trails or activity logs are designed into application systems, including user written applications.
  • Appropriate controls will include the validation of input data, internal processing and output data.
  • Additional controls are required for systems that process, or have an impact on, sensitive, valuable or critical organizational assets.
  • Security controls are determined on the basis of security requirements and risk assessment.
  • When systems interface, the security controls required by the most critical system are also implemented in the other systems.

Cryptographic controls

Protect the confidentiality, authenticity or integrity of information.

  • Cryptographic systems and techniques are used for the protection of information that is considered at risk and for which other controls do not provide adequate protection.

Security in development and support processes

Maintain the security of application system software and information

  • Project and support environments are strictly controlled.
  • Managers responsible for application systems should also be responsible for the security of the project or support environment. Managers will ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.

Business continuity management

Counteract interruptions to business activities and protect critical business processes from the effects of major failures or disasters.

  • Business continuity management processes are implemented to reduce the disruption caused by disasters and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.
  • The consequences of disasters, security failures and loss of service are analyzed, and risk factors developed.
  • Contingency plans are developed and implemented to ensure that business processes can be restored within the required time-scales.
  • Contingency plans are maintained and practiced to become an integral part of all other management processes.
  • Business continuity management includes controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.

Compliance with legal requirements

Avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

  • Advice on specific legal requirements is sought from the organization's legal advisers, or suitably qualified legal practitioners.

Reviews of security policy and technical compliance

Ensure compliance of systems with organizational security policies and standards

  • The security of information systems is regularly reviewed.
  • Such reviews are performed against the appropriate security policies and the technical platforms and information systems are audited for compliance with security implementation standards.

System audit considerations

Maximize the effectiveness of, and minimize interference to and from, the system audit process.

  • Controls to safeguard operational systems and audit tools during system audits are established and documented.
  • Safeguard the integrity and prevent misuse of audit tools.

According to Deloitte & Touche "The British Standard for Information Security Management (BS 7799) is a set of non-technical protocols for ensuring the secure transmission of information."

PriceWaterhouseCoopers says "The aim of the BS 7799 is to provide guidance and recommendations on good practices for information security management. The BS 7799 is a compilation of the best information security practices in general use by many international companies."

Additional Security whitepapers and references are available from http://www.pgp.com/products/whitepapers.asp

BTW: A question for those of you that have read to this point. Could a small organization have an architecture using only Best Practices and a Buy List? Or, what kind of architecture could a small organization have at a minimal expense?

Send any question, message, article or white paper to me, directly at dmcafee@ewita.com or the community address of EWIT_Architecture@egroups.com.


------------------------------------------------------

Site Spotlight

Got a good site that you would like to have spotlighted?

Send any recommendations to me, directly at dmcafee@ewita.com or the community address of EWIT_Architecture@egroups.com.


------------------------------------------------------

Vendor Spotlight

Got a good site that you would like to have spotlighted?

Send any recommendations to me, directly at dmcafee@ewita.com or the community address of EWIT_Architecture@egroups.com.


------------------------------------------------------

Feedback:

Request for information:

Comment: I don't know if it happens to others, but I have had a recurring problem when receiving your Newsletter... (has occurred in past editions). Thought I should alert you.
I am getting an overlay of information on the screen that looks something like a double exposure. It looks as if several separate pages are being written on top of each other. Perhaps the file has a carriage return or page break code that is going whacky? I will forward my copy back to you after this msg so that (if possible) you can see what's being generated. BTW-I am using Netscape.
Thanks for your continued collaboration!
Response: Yes, there is an incompatibility between Microsoft and Netscape; I think it is located in the Office 2000 interface for text in Outlook. I will try something different this time; hopefully it will work. This is one of the reasons I started putting the newsletter on the site and sending out a message with pointers to it.

------

Comment: Congratulations!
Your site has been chosen as one of our "Five Star Selections" at the itmWEB Site! This is a real honor as very few sites get to display our award graphic. It will be featured in our Five Star Selections Listing. This Listing is composed of sites which either make an outstanding contribution to the Information Technology profession or which provide an exceptional on-line IT resource.

Response: Thanks, I appreciate that!

-------

Comment: I hadn't spent too much time surfing the web to find architecture examples since we published the NC architecture. Now that I've started this independent contract I found several NC-like architectures. I really like your web site. It contains so much useful information. I vote it as "best architecture reference" web site.

Response: Thanks, again I appreciate that!

-------

Comment: I'm still receiving messages from your Listserv at my office address. It's ok, but I'd rather not receive them.

Response: Your address has been deleted from the mailing list as requested; however, you may be receiving a copy through one of the Federal Listservs that I mail to. These are ARCH-BIZ@listserv.gsa.gov; ARCH-DATA@listserv.gsa.gov; ARCH-INFRA@listserv.gsa.gov; ARCH-SYS@listserv.gsa.gov; and ARCHITECTURES@listserv.gsa.gov.

-------

Comment: First - impressive site! As you can tell, I am here on a Sunday afternoon searching the web getting clued into Enterprise Architecture. Your site is proving to be a very valuable addition to what we have. Our project is new and this leads me to my second question - tools.

I have found several companies that provide tools that capture the architecture, but they all have limitations. Have you ever done research in this area? We are currently looking at PTech (Framework), Blue Ice (ERWin), Viasoft (Rochade), Popkin (Systems Architect 2001), and Microsoft (Visio). Any suggestions...? Thanks in advance.

Response: I haven't done any comparative research and am unaware of anyone that has done any, perhaps other readers of this newsletter could assist in this? We used Visio on the projects I have worked on, but as a simple charting device, not a database. I was impressed at some of the information I have seen from Ptech. Their product seemed that it could be tailored to an enterprise effort.

------

Feel free to add to any response: just email me the answer, and I will include it in the next newsletter and forward it directly to the person posing the question.

Readers: To respond, comment or ask questions send your comment to dmcafee@ewita.com
