ISO 17799 security standards
Teach employees about your business controls. Make sure that incidents are reported to management. Develop a formal security incident reporting procedure. Establish a formal security incident response procedure. Make sure that personnel report all information security threats.

Make sure that personnel report all information security weaknesses. Develop a procedure for reporting software malfunctions. Develop a procedure for responding to software malfunctions. Monitor and quantify the types of security incidents. Monitor and quantify the costs of security incidents. Develop a process to discipline people who violate your security procedures.

Physical and Environmental Security 7.

Use security perimeters and barriers to protect facilities. Restrict building access to authorized personnel. Record the date and time visitors enter and leave secure areas. Use physical controls to restrict access to information processing facilities. Design your secure areas to withstand natural and man-made disasters. Use intruder detection systems to detect unauthorized entry into secure areas.

Use guidelines to control the work done in secure areas. Supervise all work performed in secure areas.

Control the use of your organization's delivery and holding areas. Separate delivery and holding areas from information processing facilities. Isolate all equipment that requires an extra level of protection.

Adopt security measures to protect your equipment. Protect your equipment from power failures. Protect your equipment from electrical anomalies. Protect power lines from unauthorized interception or damage. Protect communication cables from unauthorized interception or damage. Maintain your equipment to ensure that it functions properly. Allow only authorized personnel to service your equipment.

Make sure that all off-site use of equipment is authorized. Take additional security measures to deal with off-site risks. Control the disposal of old or obsolete information processing equipment. Control the re-use of old or obsolete information processing equipment.

Establish a clear-desk policy to protect information processing facilities. Establish a clear-screen policy to protect information processing facilities. Get management authorization to take equipment off-site. Get management authorization to take information off-site. Get management authorization to take software off-site.

Communications and Operations 8.

Develop operating procedures that comply with your security policy. Develop housekeeping procedures for information processing facilities.

Develop housekeeping procedures for communication facilities. Control changes to your information processing facilities. Control changes to your information systems. Develop procedures to handle all types of security incidents.

Develop procedures to handle information security failures. Develop procedures to handle confidentiality breakdowns. Develop procedures to handle denial of service. Develop procedures to handle loss of service. Develop procedures to handle incomplete data. Develop procedures to handle inaccurate data. Prevent misuse of information or services by segregating duties.

Prevent unauthorized modification of information by segregating duties. Reduce the probability of fraud by reducing the opportunity for collusion. Supervise work more closely whenever responsibilities can't be separated. Separate responsibility for software development, testing, and operations. Control the transfer of software from development and testing to operations. Make sure that external contractors protect your information.

Make sure that contracts define controls that contractors must use. Make sure that contracts specify business continuity requirements. Monitor your information storage and processing resource demands. Identify your future information storage and processing requirements. Develop plans to ensure future storage and processing needs will be met. Use acceptance criteria to test new systems before they are used. Use acceptance criteria to test system upgrades before they are used.

Implement controls to protect your systems against malicious software. Implement controls to detect the introduction of malicious software. Implement controls to prevent the introduction of malicious software. Make regular back-ups of all essential information. Make regular back-ups of all essential software. Make sure that operators maintain a log of their activities. Make sure that records can confirm that files are handled correctly. Make sure that records can confirm that output is handled properly.

Make sure that log checks are performed by an independent person. Make sure that users report all system faults. Make sure that you log all system fault reports.

Establish rules for handling reported faults. Establish controls to secure the information in computer networks. Establish controls to protect connected services from unauthorized access. Establish procedures to protect systems connected to public networks. Establish procedures to manage and control remote equipment.

Establish procedures to manage and control removable computer media. Establish procedures to control the secure disposal of computer media. Establish procedures to control information handling and storage. Develop controls to protect your system documentation. Establish security agreements to control the exchange of information. Establish security agreements to control the exchange of software. Establish controls to safeguard the physical transportation of media.

Establish special controls to safeguard sensitive information during transit. Establish controls to protect online transactions. Establish controls to protect electronic data interchange activities. Establish controls to make email less vulnerable to tampering.

Establish controls to make email less vulnerable to unauthorized access. Establish controls to increase the reliability of your email service.

Ensure that policy explains how email attacks should be handled. Ensure that policy explains how email viruses should be handled. Ensure that policy explains how email attachments should be handled. Ensure that policy explains when cryptographic techniques must be used. Ensure that policy explains when email should not be used. Establish policies to protect your electronic office systems and facilities. Reduce the vulnerability of information in your electronic office systems.

Control information sharing within and between electronic office systems. Make arrangements that allow you to continue operating when systems fail. Establish a process to authorize publication of electronic documents. Protect the integrity of information that is published electronically.

Establish a process to control how public feedback should be handled. Establish procedures to control voice communications. Establish procedures to control mobile phone communications.

Establish procedures to control answering machine messages. Establish procedures to control dial-in voice-mail systems. Establish procedures to control video communications. Establish procedures to control fax communications.

Information Access Control 9.

Define the business requirements that your access controls must meet. Establish an access policy that meets your business requirements.

Few changes to the standard occurred in , as the decision to renumber such standards was purely an administrative change made to accommodate anticipated future needs.

From the beginning, ISO dealt with matters such as security policies, control of access, defining types of information, development of information systems, and risk assessment. Organizational leaders could use ISO as a guide for developing information systems and ensuring the security of such systems. Additional guidelines regarding acquisition of existing systems, as typically occurs during business mergers, outlined steps to maintain information security without limiting access to key personnel.

Recommendations for developing security practices as well as handling instances of security breaches were also included in the first ISO

Praxiom Research Group Limited. Updated on March 27. First published on November 3.

Legal Restrictions on the Use of this Page

Thank you for visiting this webpage.

You are welcome to view our material as often as you wish, free of charge. As long as you keep all copyright notices intact, you are also welcome to print or make one copy of this page for your own personal, noncommercial, home use.