The following represents a template for a set of policies aligned with the standard. Note that these are headings, to assist with policy creation, rather than policy statements. However, similar policy sets are in use in a substantial number of organizations.

Chapter | Title

ONE | INFORMATION SECURITY ORGANIZATION
Information Security Policy
Information Security policy; Senior Management Support; Information Security Policy Review; Inter-departmental collaboration; Information Security Organization; Independent Review of Information Security Policy; Sharing Information with other Organizations

TWO | CLASSIFYING INFORMATION AND DATA
Setting Classification Standards
Defining Information; Classifying Information; Accepting Ownership for Classified Information; Labeling Classified Information; Storing and Handling Classified Information; Isolating Top Secret Information; Managing Network Security

THREE | CONTROLLING ACCESS TO INFORMATION AND SYSTEMS
Controlling Access to Information and Systems
Managing Access Control Standards; Managing User Access; Securing Unattended Workstations; Management Duties; Third Party Service Management; Managing Network Access Controls; Controlling Access to Operating System Software; Managing Passwords; Securing Against Unauthorized Physical Access; Access Control Framework; Access Policy; Restricting Access; Monitoring System Access and Use; Giving Access to Files and Documents; Managing Higher Risk System Access; Controlling Remote User Access; Types of Access Granted to Third Parties; Why access is granted to third parties; Controlled pathway; Node authentication; Diagnostic and Configuration Port Controls; Granting Access to Customers; Acceptable Usage of Information Assets; Monitoring Third Party Services; Third Party Service Changes

FOUR | PROCESSING INFORMATION AND DOCUMENTS
Networks
Configuring Networks; Managing the Network; Network Segregation; Controlling Shared Networks; Routing Controls; Network Security; Accessing your Network Remotely; Defending your Network Information from Malicious Attack; Time-out Facility; Exploitation of Covert Channels; Authentication of Network Connecting Equipment
System Operations and Administration
Appointing System Administrators; Administrating Systems; Controlling Data Distribution; System Utilities; System Use Procedures; Internal Processing Controls; Permitting Third Party Access; Managing Electronic Keys; Managing System Operations and System Administration; Managing System Documentation; Synchronizing System Clocks; Monitoring Error Logs; Scheduling Systems Operations; Scheduling Changes to Routine Systems Operations; Monitoring Operational Audit Logs; Responding to System Faults; Managing or Using Transaction / Processing Reports; Commissioning Facilities Management - FM; Third Party Service Delivery; Log-on Procedures; Corruption of Data; Corrupt Data Controls; Controlling On-Line Transactions
E-mail and the Worldwide Web
Downloading Files and Information from the Internet; Electronic Business Communications; Policy on Electronic Business Communications; Using and Receiving Digital Signatures; Sending Electronic Mail (E-mail); Receiving Electronic Mail (E-mail); Retaining or Deleting Electronic Mail; Developing a Web Site; Receiving Misdirected Information by E-mail; Forwarding E-mail; Using Internet for Work Purposes; Giving Information when Ordering Goods on Internet; Setting up Intranet Access; Setting up Extranet Access; Setting up Internet Access; ‘Out of the Box’ Web Browser Issues; Using Internet ‘Search Engines’; Maintaining your Web Site; Filtering Inappropriate Material from the Internet; Certainty of File Origin; Cryptographic Keys; Key Management Procedures; Controlling Mobile Code
Telephones & Fax
Making Conference Calls; Recording of Telephone Conversations; Receiving Misdirected Information by Fax; Giving Information when Ordering Goods on Telephone; Persons Giving Instructions over the Telephone; Using Video Conferencing Facilities; Persons Requesting Information over the Telephone; Receiving Unsolicited Faxes
Data Management
Transferring and Exchanging Data; Permitting Emergency Data Amendment; Receiving Information on Disks; Setting up a New Folder / Directory; Amending Directory Structures; Sharing Data on Project Management Systems; Archiving Documents; Information Retention Policy; Setting up New Spreadsheets; Setting up New Databases; Linking Information between Documents and Files; Updating Draft Reports; Deleting Draft Reports; Using Version Control Systems; Updating Customer Information; Using Meaningful File Names; Managing Data Storage; Managing Databases; Using Headers and Footers; Using and Deleting ‘Temp’ Files; Using Customer and Other Third Party Data Files; Saving Data / Information by Individual Users
Backup, Recovery and Archiving
Restarting or Recovering your System; Archiving Information; Backing up Data on Portable Computers; Managing Backup and Recovery Procedures; Archiving Electronic Files; Recovery and Restoring of Data Files
Document Handling
Managing Hard Copy Printouts; The Countersigning of Documents; Checking Document Correctness; Approving Documents; Verifying Signatures; Receiving Unsolicited Mail; Style and Presentation of Reports; Photocopying Confidential Information; Filing of Documents and Information; Transporting Sensitive Documents; Shredding of Unwanted Hardcopy; Using Good Document Management Practice
Securing Data
Using Encryption Techniques; Sending Information to Third Parties; Maintaining Customer Information Confidentiality; Handling of Customer Credit Card Details; Fire Risks to Your Information; Sending Out Reports; Sharing Information; Dealing with Sensitive Financial Information; Deleting Data Created / Owned by Others; Protecting Documents with Passwords; Printing of Classified Documents
Other Information Handling and Processing
Using Dual Input Controls; Loading Personal Screen Savers; Speaking to the Media; Speaking to Customers; Need for Dual Control / Segregation of Duties; Using Clear Desk Policy; Misaddressing Communications to Third Parties; Using External Disposal Firms; Using Photocopier for Personal Use; Verifying Correctness of Information; Traveling on Business; Checking Customer Credit Limits

FIVE | PURCHASING AND MAINTAINING COMMERCIAL SOFTWARE
Purchasing and Installing Software
Specifying User Requirements for Software; Implementing New / Upgraded Software; Selecting Business Software Packages; Selecting Office Software Packages; Using Licensed Software; Technical Vulnerability Management
Software Maintenance & Upgrade
Applying ‘Patches’ to Software; Responding to Vendor Recommended Upgrades to Software; Interfacing Applications Software / Systems; Supporting Application Software; Operating System Software Upgrades; Upgrading Software; Support for Operating Systems; Recording and Reporting Software Faults
Other Software Issues
Disposing of Software

SIX | SECURING HARDWARE, PERIPHERALS AND OTHER EQUIPMENT
Purchasing and Installing Hardware
Specifying Information Security Requirements for New Hardware; Specifying Detailed Functional Needs for New Hardware; Installing New Hardware; Testing Systems and Equipment
Cabling, UPS, Printers and Modems
Supplying Continuous Power to Critical Equipment; Using Centralized, Networked or Stand-Alone Printers; Managing and Maintaining Backup Power Generators; Using Fax Machines / Fax Modems; Using Modems / ISDN / DSL connections; Installing and Maintaining Network Cabling
Consumables
Controlling IT Consumables; Using Removable Storage Media including Diskettes and CDs
Working Off Premises or Using Outsourced Processing
Contracting or Using Outsourced Processing; Using Mobile Phones; Using Business Centre Facilities; Issuing Laptop / Portable Computers to Personnel; Using Laptop / Portable Computers; Working from Home or Other Off-Site Location (Tele-working); Moving Hardware from One Location to Another; Day to Day Use of Laptop / Portable Computers
Using Secure Storage
Using Lockable Storage Cupboards; Using Lockable Filing Cabinets; Using Fire Protected Storage Cabinets; Using a Safe
Documenting Hardware
Managing and Using Hardware Documentation; Maintaining a Hardware Inventory or Register
Other Hardware Issues
Disposing of Obsolete Equipment; Recording and Reporting Hardware Faults; Clear Screen Policy; Logon and Logoff from your Computer; Dealing with Answering Machines / Voice Mail; Taking Equipment off the Premises; Maintaining Hardware (On-site or Off-site Support); Using Speed Dialing Telephone Options; Cleaning of Keyboards and Screens; Damage to Equipment; Insuring Hardware; Insuring Laptops / Portables for use Domestically or Abroad

SEVEN | COMBATING CYBER CRIME
Combating Cyber Crime
Defending Against Premeditated Cyber Crime Attacks; Minimizing the Impact of Cyber Attacks; Collecting Evidence for Cyber Crime Prosecution; Defending Against Premeditated Internal Attacks; Defending Against Opportunistic Cyber Crime Attacks; Safeguarding Against Malicious Denial of Service Attack; Defending Against Hackers, Stealth and Techno-Vandalism; Handling Hoax Virus Warnings; Defending Against Virus Attacks; Responding to Virus Incidents; Installing Virus Scanning Software

EIGHT | CONTROLLING E-COMMERCE INFORMATION SECURITY
E-Commerce Issues
Structuring E-Commerce Systems including Web Sites; Securing E-Commerce Networks; Configuring E-Commerce Web Sites; Using External Service Providers for E-Commerce

NINE | DEVELOPING AND MAINTAINING IN-HOUSE SOFTWARE
Controlling Software Code
Managing Operational Program Libraries; Controlling Software Code during Software Development; Controlling Program Listings; Controlling Program Source Libraries; Controlling Old Versions of Programs; Managing Program Source Libraries
Software Development
Software Development; Establishing ownership for System Enhancements; Justifying New System Development; Managing Change Control Procedures; Making Emergency Amendments to Software; Separating Systems Development and Operations
Testing & Training
Controlling Test Environments; Using Live Data for Testing; Testing Software before Transferring to a Live Environment; Capacity Planning and Testing of New Systems; Parallel Running; Training in New Systems
Documentation
Documenting New and Enhanced Systems
Other Software Development
Acquiring Vendor Developed Software

TEN | DEALING WITH PREMISES RELATED CONSIDERATIONS
Premises Security
Preparing Premises to Site Computers; Securing Physical Protection of Computer Premises; Challenging Strangers on the Premises; High Security Locations; Delivery and loading areas; Duress Alarm; Ensuring Suitable Environmental Conditions; Physical Access Control to Secure Areas; Environmental and other external threats
Data Stores
Managing On-Site Data Stores; Managing Remote Data Stores
Other Premises Issues
Electronic Eavesdropping; Cabling Security; Disaster Recovery Plan

ELEVEN | ADDRESSING PERSONNEL ISSUES RELATING TO SECURITY
Contractual Documentation
Preparing Terms and Conditions of Employment; Using Non Disclosure Agreements (Staff and Third Party); Misuse of Organization Stationery; Lending Keys to Secure Areas to Others; Lending Money to Work Colleagues; Complying with Information Security Policy; Establishing Ownership of Intellectual Property Rights; Employing / Contracting New Staff; Contracting with External Suppliers / other Service Providers; Employees' Responsibility to Protect Confidentiality of Data
Confidential Personnel Data
Respecting Privacy in the Workplace; Handling Confidential Employee Information; Giving References on Staff; Checking Staff Security Clearance; Sharing Employee Information with Other Employees; Sharing Personal Salary Information
Personnel Information Security Responsibilities
Using the Internet in an Acceptable Way; Keeping Passwords / PIN Numbers Confidential; Sharing Organization Information with Other Employees; Signing for the Delivery of Goods; Signing for Work done by Third Parties; Ordering Goods and Services; Verifying Financial Claims and Invoices; Approving and Authorization of Expenditure; Responding to Telephone Enquiries; Sharing Confidential Information with Family Members; Gossiping and Disclosing Information; Spreading Information through the Office ‘Grape Vine’; Using E-Mail and Postal Mail Facilities for Personal Reasons; Using Telephone Systems for Personal Reasons; Using the Organization’s Mobile Phones for Personal Use; Using Organization Credit Cards; Playing Games on Office Computers; Using Office Computers for Personal Use
HR Management
Dealing with Disaffected Staff; Taking Official Notes of Employee Meetings
Staff Leaving Employment
Handling Staff Resignations; Completing Procedures for Terminating Staff or Contractors; Obligations of Staff Transferring to Competitors
HR Issues Other
Recommending Professional Advisors

TWELVE | DELIVERING TRAINING AND STAFF AWARENESS
Awareness
Delivering Awareness Programmes to Permanent Staff; Drafting Top Management Security Communications to Staff; Third Party Contractor: Awareness Programmes; Delivering Awareness Programmes to Temporary Staff; Providing Regular Information Updates to Staff
Training
Information Security Training on New Systems; Information Security Officer: Training; User: Information Security Training; Technical Staff: Information Security Training; Training New Recruits in Information Security

THIRTEEN | COMPLYING WITH LEGAL AND POLICY REQUIREMENTS
Complying with Legal Obligations
Being Aware of Legal Obligations; Complying with Copyright and Software Licensing Legislation; Complying with the Data Protection Act or Equivalent; Complying with General Copyright Legislation; Complying with Database Copyright Legislation; Legal Safeguards against Computer Misuse
Complying with Policies
Managing Media Storage and Record Retention; Complying with Information Security Policy
Avoiding Litigation
Safeguarding against Libel and Slander; Using Copyrighted Information from the Internet; Sending Copyrighted Information Electronically; Using Text directly from Reports, Books or Documents; Infringement of Copyright
Other Legal Issues
Recording Evidence of Incidents (Information Security); Reviewing System Compliance Levels; Renewing Domain Name Licenses – Web Sites; Insuring Risks; Recording Telephone Conversations; Admissibility of Evidence; Adequacy of Evidence; Collection of Evidence

FOURTEEN | DETECTING AND RESPONDING TO IS INCIDENTS
Reporting Information Security Incidents
Reporting Information Security Incidents; Reporting IS Incidents to Outside Authorities; Reporting Information Security Breaches; Software Errors and Weaknesses; Notifying Information Security Weaknesses; Witnessing an Information Security Breach; Being Alert for Fraudulent Activities; When and How to Notify Authorities
Investigating Information Security Incidents
Investigating the Cause and Impact of IS Incidents; Collecting Evidence of an Information Security Breach; Recording Information Security Breaches; Responding to Information Security Incidents
Corrective Activity
Establishing Remedies to Information Security Breaches
Other Information Security Incident Issues
Ensuring the Integrity of IS Incident Investigations; Analyzing IS Incidents Resulting from System Failures; Monitoring Confidentiality of Information Security Incidents; Breaching Confidentiality; Establishing Dual Control / Segregation of Duties; Using Information Security Incident Check Lists; Detecting Electronic Eavesdropping and Espionage Activities; Risks in System Usage; Reviewing System Usage

FIFTEEN | PLANNING FOR BUSINESS CONTINUITY
Business Continuity Management
Initiating the Business Continuity Project; Assessing the Business Continuity Security Risk; Developing the Business Continuity Plan; Testing the Business Continuity Plan; Training and Staff Awareness on Business Continuity; Maintaining and Updating the Business Continuity Plan; Realistic Testing Environment for Business Continuity Plans; Impact of the Pace of change on the Business Continuity Plan
From : www.27001-online.com