7. Communications and operations management (ISO) : Information Security Management System

Operational procedures and responsibilities

The objective of this category is to ensure the correct and secure operation of information processing facilities.

Documented operating procedures • Operating procedures should be documented, maintained and made available to all users who need them. Controls include:

documentation of/for all significant system activities including start-up, close-down, back-up and maintenance;
treatment of such documentation as a formal organizational record, subject to appropriate change authorization, change tracking and archiving; and
provision of appropriate security for such documentation, including distribution control (see also "security of system documentation" control).

Authorities: ISO-27002:2005 10.1.1.

Change management • Changes to information processing facilities and systems should be controlled using appropriate change management procedures. Control includes:

risk assessments, including an analysis of potential impacts and necessary countermeasures or mitigation controls;
processes for planning and testing of changes, including fallback (abort/recovery) measures;
managerial approval and authorization before proceeding with changes that may have a significant impact on operations;
advance communication/warning of changes, including schedules and a description of reasonably anticipated effects, provided to all relevant persons; and
documentation of changes made and the prior steps in the change management process.

Authorities: ISO-27002:2005 10.1.2.

Segregation of duties • Duties and areas of responsibility should be segregated to the degree practicable, to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Authorities: ISO-27002:2005 10.1.3.

Separation of development, test and operational facilities • Development, test and operational facilities should be separated, to the degree practicable, to reduce risks of unauthorized access or changes to the operational system.

Authorities: ISO-27002:2005 10.1.4.

Third party delivery management

This category aims to implement and maintain the appropriate level of information security and service delivery in the context of third-party service delivery agreements.

Service delivery • Security controls, service definitions and delivery levels should be included in third-party service delivery agreements.

Authorities: ISO-27002:2005 10.2.1.

Monitoring and review of third-party services • Services, reports and records provided by the third party should be regularly monitored and reviewed, and appropriate audits conducted.

Authorities: ISO-27002:2005 10.2.2.

Managing changes to third-party services • Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be appropriately managed. Control includes:

taking into account the criticality of the particular business system(s) and process(es); and
using appropriate change management procedures, similar to those applied to internal service changes.

Authorities: ISO-27002:2005 10.2.3.

System planning and acceptance

This category aims to minimize the risk of systems failures.

Capacity management • The use of information and information facility resources should be appropriately monitored, and projections made of future capacity requirements to ensure adequate systems performance. Control includes:

identification of capacity requirements for each new and ongoing system/service;
projection of future capacity requirements, taking into account current use, projected trends, and anticipated changes in business requirements; and
system monitoring and tuning to ensure and, where possible, improve availability and effectiveness of current systems.

Authorities: ISO-27002:2005 10.3.1.

System acceptance • Acceptance criteria for new information systems, upgrades, and new versions should be appropriately established, and suitable tests of the system(s) carried out during development and prior to acceptance. Control includes:

clear definition of, agreement on, testing of, and documentation of compliance with requirements for system acceptance; and
consultation with affected persons, or representatives of affected groups, at all phases of the process.

Authorities: ISO-27002:2005 10.3.2.

Protection against malicious and mobile code

This category aims to protect the integrity of software and information.

Controls against malicious code • Appropriate controls should be implemented for prevention, detection and response to malicious code, including appropriate user awareness. Control includes:

formal policies prohibiting the use or installation of unauthorized software, including a prohibition of obtaining data and software from external networks;
formal policies requiring protective measures, such as installation of anti-virus and anti-spyware software, and for the regular updating of it;
periodic reviews/scans of installed software and the data content of systems to identify and, where possible, remove any unauthorized software;
defined procedures for response to identification of malicious code or unauthorized software;
continuity/recovery plans to deal with system interruptions and failures caused by malicious code; and
user awareness training on these policies and methods.

Authorities: ISO-27002:2005 10.4.1.; HIPAA 164.308(a)(5);

Controls against mobile code • Appropriate controls should be implemented to control the operation of, and prevent damage from malicious versions of, mobile code.

Authorities: ISO-27002:2005 10.4.2.

Back-up

This category aims to maintain the integrity and availability of organizational information.

Information back-up • Back-up copies of information and software should be made, and tested at appropriate intervals, in accordance with an agreed-upon back-up policy. Control includes:

formal definition of the level of backup required for each system -- scope of data to be imaged, frequency of imaging, duration of retention -- on the basis of legal-regulatory-certificatory standards and business requirements;
complete inventory records for the back-up copies, including content and current location;
complete documentation of restoration procedures for each system;
storage of the back-ups in a remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site;
appropriate physical and environmental controls for the back-up copies where-ever located;
appropriate technical controls, such as encryption, for back-up copies of sensitive information;
regular testing of back-up media; and
regular testing of restoration procedures.

Authorities: ISO-27002:2005 10.5.1.; HIPAA 164.308(a)(7)(ii)(A-B) ; HIPAA 164.310(d)(1);

Network security management

This category aims toensure the protection of information in networks and protection of the supporting network infrastructure.

Network controls • Networks should be appropriately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. Control includes:

separation of operational responsibilities for networks from those for computer systems and operations, where appropriate;
implementation of appropriate controls to assure the availability of network services and information services using the network;
establishment of responsibilities and procedures for management of equipment on the network, including equipment in user areas;
special controls to safeguard the confidentiality and integrity of sensitive data passing over the organization's network and to/from public networks;
appropriate logging and monitoring of network activities, including security-relevant actions; and
management processes to ensure coordination of and consistency in the elements of the network infrastructure.

Authorities: ISO-27002:2005 10.6.1.; HIPAA 164.312(e)(2)(ii);

Security of network services • Security features, service levels and management requirements for all network services should be identified in reasonable detail, and included in a network services agreement, whether those services are provided in-house or outsourced. Control includes specification of:

technologies applied for security of network services, such as authentication, encryption and connection controls;
technical parameters and rules for secured connection with the network; and
procedures and processes to control/restrict network access.

Authorities: ISO-27002:2005 10.6.2.; HIPAA 164.312(e)(2)(ii);

Media handling

This category aims to prevent unauthorized disclosure, modification, removal or destruction of information assets, or interruptions to business activities.

Management of removable media • Policies and procedures should be established for management of removable media. Control includes:

where appropriate to the sensitivity of the data, logging and an audit trail of removals of media from or relocations within the organization's premises;
where appropriate to the sensitivity of the data, a requirement for authorization prior to removal or relocation;
appropriate redundancy of storage in light of the risks to the removable media, including where storage retention requirements exceed the rated life of the media;
restrictions on the type(s) of media, and usages thereof, where necessary for adequate security;
registration of certain type(s) of media; and
secure disposal of media when no longer needed (see next).

Authorities: ISO-27002:2005 10.7.1.; HIPAA 164.310(d)(1)

Disposal of media • Media should be disposed of securely and safely when no longer required, using formal procedures. Control includes:

use of generally-accepted secure disposal methods for media that contain (or might contain) sensitive data;
procedures and policies to identify data that qualifies as sensitive, or a policy that all information will be considered sensitive in the absence of unequivocal evidence to the contrary; and
where appropriate to the sensitivity of the data, logging and an audit trail of disposal operations.

Authorities: ISO-27002:2005 10.7.2. and 9.2.6.; HIPAA 164.310(d)(1)

Information handling procedures • Appropriate procedures for the handling and storage of information should be established to protect data from unauthorized disclosure or misuse. Control includes:

physical and technical access restrictions appropriate to the data sensitivity level;
handling and labelling of all media according to its indicated classification (sensitivity) level;
where appropriate to the sensitivity, maintenance of formal records of data transfers, including logging and an audit trail; and
review at appropriate intervals of distribution and authorized recipient lists.

Authorities: ISO-27002:2005 10.7.3.

Security of system documentation • System documentation should be appropriately protected against unauthorized access. Control includes:

secure storage of documentation, whether in paper and electronic form; and
authentication and access control measures, where appropriate to the sensitivity of the documentation.

Authorities: ISO-27002:2005 10.7.4

Exchange of information

This category aims to maintain the security of information and software exchanged within an organization and with any external entity.

Information exchange policies and procedures • Formal exchange policies and procedures should be implemented to protect the exchange of information, covering the use of all types of communications facilities and data storage media. Control includes:

procedures designed to protect exchanged information from interception, copying, modification, mis-routing or destruction;
procedures for the detection of and protection against malicious code (see also "controls against malicious code" policy);
procedures for the protection of wireless communications;
use of cryptographic methods where appropriate to achieve sufficient protections;
policies or guidelines about acceptable and unacceptable uses of communications facilities and media;
retention and disposal guidelines for all business information;
user awareness and training about these policies and guidelines; and
compliance with all relevant legal-regulatory-certificatory requirements for information exchange.

Authorities: ISO-27002:2005 10.8.1.

Exchange agreements • Agreements should be established for the exchange of information and software between the organization and external parties. Control includes:

specification of management responsibilities for controlling/approving agreements about transmissions and receipts;
procedures to ensure appropriate identification and labelling, appropriate notifications to sender and recipient, traceability and non-repudiation;
minimum technical standards for packing and transmission;
specification of ownership and responsibilities for data protection, copyright, license compliance and similar considerations (see also Compliance policy section);
specification of responsibleness and liabilities in the event of an information security incident;

Authorities: ISO-27002:2005 10.8.2.

Physical media in transit • Media containing information should be protected against unauthorized access, misuse or corruption. Controls include:

procedures and standards for authorizing (vendorizing) couriers, and a list of currently authorized couriers; and
packaging standards, including technical protections (e.g.,encryption); and
physical protection standards (e.g., locked containers, tamper-evident tagging).

Authorities: ISO-27002:2005 10.8.3.

Electronic messaging • Information involved in electronic messaging should be appropriately protected. Electronic messaging includes email, IM, audio-video conferencing and any other one-to-one, one-to-many, or many-to-many personal communications. Control includes:

protecting messages from unauthorized access, modification or diversion;
ensuring correct addressing and transportation;
ensuring the general reliability and availability of messaging services;
limiting the use of less-secure messaging systems (e.g., public IM); and
stronger levels of authentication and message content protection when using public networks.

Authorities: ISO-27002:2005 10.8.4.

Business information systems • Policies and procedures should be developed and implemented to protect information associated with the interconnection of business systems. Control includes:

a risk assessment of and appropriate countermeasures for vulnerabilities associated with such interconnections;
policies and appropriate controls to manage information sharing using such interconnections;
fallback and recovery arrangements in the event of interconnection failure.

Authorities: ISO-27002:2005 10.8.5.

Electronic commerce services

This category aims to ensure the security of electronic commerce services and their secure use.

Electronic commerce • Information involved in electronic commerce passing over public networks should be appropriately protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

Authorities: ISO-27002:2005 10.9.1.

On-line transactions • Information involved in on-line transactions should be appropriately protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Authorities: ISO-27002:2005 10.9.2.

Publicly available information • The integrity of information being made available on a publicly available system, such as a Web server, should be appropriately protected to prevent unauthorized modification.

Authorities: ISO-27002:2005 10.9.3.

Monitoring

This category aims to detect unauthorized information processing activities.

Audit logging • Audit logs that record user activities, exceptions, and information security events should be produced, and kept for an agreed-upon time period, to assist in future investigations and access control monitoring. Control includes:

recording, when relevant and within the capacity of the logging system, all key events, including the data/time and details of the event, the user-ID associated, terminal identity and/or location, network addresses and protocols, records of successful and unsuccessful system accesses or other resource accesses, changes to system configurations, use of privileges, use of system utilities and applications, files accessed and the kinds of access, alarms raised by the access control or any other protection system (e.g., ID/IP);
appropriate privacy protection measures for logged data that is appropriately confidential;
appropriate security protections of a technical, physical and administrative nature (e.g., division of responsibilities) to ensure integrity and availability of audit logs.

Authorities: ISO-27002:2005 10.10.1.; HIPAA 164.312(b);

Monitoring system use • Procedures for monitoring use of information processing facilities should be established and the results of monitoring activities regularly reviewed. Control includes:

event tracking and recording as specified in the "audit trail" policy;
monitoring and review of data as determined by the criticality of the application/system or information involved, past experience with information security incidents, and general risk assessment.

Authorities: ISO-27002:2005 10.10.2.; HIPAA 164.308(a)(1)(ii)(D);

Protection of log information • Logging facilities and log information should be appropriately protected against tampering and unauthorized access.

Authorities: ISO-27002:2005 10.10.3.

Administrator and operator logs • System administrator and system operator activities shall be appropriately logged, as part of the general audit trail process.

Authorities: ISO-27002:2005 10.10.4.

Fault logging • Faults should be appropriately logged, analyzed and actions taken.

Authorities: ISO-27002:2005 10.10.5.

Clock synchronization • The clocks of all relevant information processing systems within an organization or security domain should be appropriately synchronized with an agreed-upon time source.