Search in ISMS Guides


Tuesday, July 24, 2007

12. Compliance (ISO)

Compliance with legal requirements

The objective of this category is to ensure compliance with all statutory, regulatory, certificatory or contractual obligations.

Identification of applicable statutes, regulations and certification standards • All relevant statutory, regulatory and private certificatory requirements should be identified. The organization's approach to meeting these requirements should be explicitly defined, documented and kept up to date.

Authorities: ISO-27002:2005 15.1.1.

Protection of confidentiality of personal information • Appropriate policies and procedures should be implemented to ensure the confidentiality of personal data, consistent with statutory, regulatory and private requirements.

Authorities: ISO-27002:2005 15.1.4.

Protection of intellectual property rights (IPR) • Appropriate policies and procedures should be implemented to ensure compliance with legal, regulatory and private requirements for all materials for which there may be IPR, including but not limited to proprietary software products.

Authorities: ISO-27002:2005 15.1.2.

Protection of organizational records • Appropriate policies and procedures should be implemented to ensure the confidentiality, integrity and availability of organizational records. Control includes:

  • categorization of data, consistent with statutory, regulatory, certificatory, contractual and business requirements;
  • creation of data protection policies consistent with this categorization;
  • creation of data retention and data destruction policies consistent with this categorization;
  • implementation of data retention and destruction schedule consistent with policies;
  • appropriate controls to protect records from loss, destruction or falsification during their retention period;
  • appropriate controls to assure appropriate destruction at the end of their retention period.

Authorities: ISO-27002:2005 15.1.3.

Prevention of misuse of information and information processing facilities • Appropriate policies, procedures and end-user education should be implemented to deter misuse of information and information processing services, systems, equipment and facilities. Control includes:

  • user awareness of the precise scope of their permitted access;
  • user awareness of the monitoring in place to detect unauthorized access;
  • a log-on warning message reminding users of access policies and monitoring; and
  • intrusion detection/prevention, content inspection and other monitoring activities as appropriate.

Authorities: ISO-27002:2005 15.1.5.

Regulation of cryptographic controls and other technologies • Appropriate policies and procedures should be implemented to ensure that cryptographic methods and controls, and any other national-security-sensitive technologies, are used in accordance with all relevant laws and regulations.

Authorities: ISO-27002:2005 15.1.6.

Compliance with organizational security policies and technical standards

This category aims to ensure compliance with "internal" organizational policies, procedures and standards.

Periodic review of security processes • Data, data system and data facility controllers should periodically review all security processes within their areas of responsibility to ensure compliance with relevant security policies and standards.

Authorities: ISO-27002:2005 15.2.1.

Periodic checks of technical compliance • Data systems should be regularly checked for compliance with security implementation standards, including but not limited to penetration tests and vulnerability assessments.

Authorities: ISO-27002:2005 15.2.2.

Information systems audit considerations

This category aims to maximize the effectiveness of and to minimize interference from information system audit processes.

Information systems audit controls • Audit controls should be implemented to allow collection of appropriate audit data on operational systems, while minimizing the risk of disruption to business processes.

Authorities: ISO-27002:2005 15.3.1.

Protection of information system audit tools • Access to information system audit tools should be appropriately limited to prevent misuse or compromise.

Authorities: ISO-27002:2005 15.3.2.

Article By :

11. Business continuity management (ISO)

Information security aspects of business continuity management

This category's objectiuve is to ensure timely resumption from, and if possible prevention of, interruptions to business activities and processes caused by failures of information systems.

Authorities: ISO-27002:2005 14.; HIPAA 164.308(a)(7); JCAHO-IM:2004 2.20; PCI/DSS:2005 12.8.3

Including information security in the business continuity management process • A managed process should be developed and maintained for business continuity throughout the organization, that includes information security requirements needed for the organization's business continuity. Control includes:

  • identification of information assets involved in critical business processes;
  • a risk assessment that addresses likely causes and consequences of information system failures;
  • identification and consideration of preventive and mitigating controls in light of these risks;
  • identification of sufficient financial, technical and human resources to address the preventive/mitigating control requirements;
  • development and documentation of business continuity plans and processes, including assignment of responsibilities and incorporation into the organization's general processes and structure; and
  • regular testing and updating of business continuity plans and processes.

Authorities: ISO-27002:2005 14.1.1.; HIPAA 164.308(a)(7)(i);

Business continuity and risk assessment • Events that can cause interruptions to business processes should be identified, along with the probability and impact of such interruptions and their consequences for information security. Control includes:

  • identification of all significant risk/risk categories, including the probability and probable impact on operations in terms of scale, likely damage and recovery period;
  • full involvement of owners of significant organizational assets in the assessment process;
  • identification of acceptable and unacceptable losses and interruptions; and
  • formal documentation of the assessment's results, and a plan for regular updating to ensure completeness and currency (see next).

Authorities: ISO-27002:2005 14.1.2.; HIPAA 164.308(a)(7)(ii)(E);

Developing and implementing continuity plans including information security • Business continuity plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time, following interruptions to or failures of business processes. Control includes:

  • identification of and agreement on all responsibilities and operational procedures;
  • specification of the disaster recovery/business continuity procedures to effect recovery and restoration of business processes;
  • a data backup plan to ensure recovery of all data following process restoration, including the ability to replicate exact copies of data in its state prior to disruption of operations;
  • specification of alternative operational procedures to follow pending completion of recovery and restoration, including methods for accessing all critical data;
  • documentation of the above plan elements;
  • appropriate education and awareness efforts for staff on the plan elements;
  • testing and updating of the plan.

Authorities: ISO-27002:2005 14.1.3.; HIPAA 164.308(a)(7)(ii)(A-C); HIPAA 164.312(a)(2)(ii)

Business continuity planning framework • A single framework of business continuity plans should be maintained to ensure that all plans are consistent, consistently assess information security requirements, and to identify priorities for testing and maintenance. Control includes:

  • specification of conditions and criteria for activating the plan; and
  • formal assignment of responsibilities for making assessments about plan activation, choices among emergency procedures and processes, resumption procedures, etc.

Authorities: ISO-27002:2005 14.1.4.; HIPAA 164.308(a)(7)(i)

Testing, maintaining and re-assessing business continuity plans • Business continuity plans should be tested and updated regularly to ensure that they are up to date and effective. Control includes:

  • testing that assures that all persons with significant responsibilities under the plan(s) are aware of and competent to perform them;
  • a range and frequency of testing exercises, from table-top to complete rehearsals, performed as necessary to ensure awareness and competence; and
  • regular reviews and updating of the plan(s) in light of testing results.

Authorities: ISO-27002:2005 14.1.5.; HIPAA 164.308(a)(7)(ii)(D)

Article By :

10. Information security incident management (ISO)

Reporting information security events and weaknesses

This category aims to ensure information security events and weaknesses associated with the organization's information and information system assets are communicated in a manner to allow appropriate corrective actions to be taken.

Reporting information security events • Information security events should be reported through appropriate management channels as quickly as possible. Control includes:

  • establishment of formal event reporting process(es) and procedure(s), setting out actions to be taken and points of contact;
  • awareness on the part of all employees, contractors and third-party users of the event-reporting process(es), including the requirement to report security events and weaknesses;
  • awareness of the requirement to report as quickly as possible, with sufficient detail to allow a timely response;
  • awareness of the prohibition on adverse action for reports made in good faith; and
  • suitable feedback processes to ensure that those reporting events are appropriately notified of results.

Authorities: ISO-27002:2005 13.1.1.; HIPAA 164.308(a)(6)

Reporting security weaknesses • All employees, contractors and third party users should be required to note and report any observed or suspected security weaknesses in systems or services as soon as possible. Controls include:

  • easy, accessible channels for reporting, the availability of which is clearly communicated to employees, contractors and third parties;
  • reasonable awareness on the part of employees, contractors and third parties of common signs and symptoms of security events;
  • reporting requirement extends to malfunctions or other anomalous events that might indicate a security weakness;
  • awareness on the part of employees, contractors and third parties that they should report, but not attempt to test, a suspected security vulnerability unless they have appropriate technical skills and an immediate response is required, since this might be interpreted as a potential misuse.

Authorities: ISO-27002:2005 13.1.2.; HIPAA 164.308(a)(6)

Management of information security incidents and improvements

This category aims to ensure a consistent and effective approach is applied to the management of information security events and incidents.

Responsibilities and procedures • Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. Control includes:

  • processes to ensure routine use of data from the ongoing monitoring of systems to detect events and incidents;
  • procedures specifically designed to respond to different types and severities of incident, including appropriate analysis and identification of causes, containment, communication with those actually or potentially affected by the incident, reporting of the incident to appropriate authorities, planning and implementation of corrective action to prevent reoccurrence as appropriate;
  • collection and use of audit trails and similar evidence as part of the incident management and investigation process, and appropriate management of this evidence for use in subsequent legal or disciplinary proceedings;
  • formal controls for recovery and remediation, including appropriate documentation of actions taken.

Authorities: ISO-27002:2005 13.2.1.; HIPAA 164.308(a)(6)

Learning from information security incidents • There should be mechanisms in place to enable the types, volumes and costs of information security incidents to be quantified and monitored. Control includes:

  • routine sharing of data on information security incidents among the parties responsible for receiving reports and managing investigations;
  • periodic reports summarizing the data derived from this sharing.

Authorities: ISO-27002:2005 13.2.2.; HIPAA 164.308(a)(1)(ii)(D); HIPAA 164.308(a)(6)

Investigation of incidents • Where disciplinary or legal action may be part of the follow-up to an information security incident, any investigation should be initiated in a manner that follows documented procedures and conforms to accepted practices. Control includes:

  • specifying what persons or classes of person may request an investigation, and on what basis;
  • specifying what persons or classes of person may initiate an investigation process, including collection of evidence;
  • specifying the necessary documentation to initiate an investigation, and the documentation required as the investigation proceeds;
  • procedures for securing and maintaining the integrity of investigatory records; and
  • observing appropriate procedures to assure "chain of custody" for any information collected.

Authorities: ISO-27002:2005 13.2.3. (adapted); HIPAA 164.308(a)(6)

Collection of evidence • Where an investigation has been initiated as part of possible disciplinary or legal action, evidence should be collected, retained and presented in a manner that follows documented procedures and conforms to accepted practices. Control includes:

  • specifying who may initiate an investigation, and on what basis;
  • specifying the necessary documentation to initiate an investigation, and the documentation required as the investigation proceeds;
  • securing and maintaining the integrity of copies of paper records, including "originals" if such exist;
  • securing and maintaining the integrity of copies of electronic records or other data on computer media relevant to the incident; and
  • observing appropriate procedures to assure "chain of custody" for any information collected.

Authorities: ISO-27002:2005 13.2.3.; HIPAA 164.308(a)(6)

Article By :

9. Information systems acquisition, development and maintenance (ISO)

Security requirements of information systems

The objective of this category is to ensure that security is an integral part of the organization's information systems, and of the business processes associated with those systems.

Security requirements analysis and specification • Statements of business requirements for new information systems, or enhancements to existing information systems should include specification of the requirements for security controls. Control includes:

  • consideration of business value of and legal-regulatory-certificatory standards for information assets affected by the new/changed system(s);
  • consideration of administrative, technical and physical controls available to support security for the system(s);
  • integration of these controls early in system design and requirements specification; and
  • a formal plan for testing and acceptance, including independent evaluation where appropriate.

Authorities: ISO-27002:2005 12.1.1.

Correct processing in applications

This category aims to prevent errors, loss, unauthorized modification or misuse of information in applications.

Authorities: HIPAA 164.312(c)(1)

Input data validation • Data input in applications should be validated to ensure that the data is correct and appropriate. Control includes:

  • use of both automatic and manual methods of data verification and cross-checking, as appropriate; and
  • defined responsibilities and processes for responding to detected errors.

Authorities: ISO-27002:2005 12.2.1.

Control of internal processing • Validation checks should be incorporated into applications to detect the corruption of of information through processing errors or deliberate acts. Control includes:

  • use of both automatic and manual methods of data verification and cross-checking, as appropriate; and
  • defined responsibilities and processes for responding to detected errors.

Authorities: ISO-27002:2005 12.2.2.

Message integrity • Requirements for ensuring authenticity and protecting message integrity in applications should be identified, and appropriate controls identified and implemented.

Authorities: ISO-27002:2005 12.2.3.

Output data validation • Data output from applications should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. Control includes:

  • use of both automatic and manual methods of data verification and cross-checking, as appropriate; and
  • defined responsibilities and processes for responding to detected errors.

Authorities: ISO-27002:2005 12.2.4.

Cryptographic controls

This category aims to protect the confidentiality, integrity and authenticity of information by cryptographic means.

Policy on the use of cryptographic controls • Policies on the use of cryptographic controls for protection of information should be developed and implemented. Control includes:

  • statement of general principles and management approach to the use of cryptographic controls;
  • specifications based on a thorough risk assessment, that considers appropriate algorithm selections, key management and other core features of cryptographic implementations;
  • consideration of legal restrictions on technology deployments;
  • application, as appropriate, to data at rest and fixed-location devices, data transported by mobile/removable media and embedded in mobile devices, and data transmitted over communications links; and
  • specification of roles and responsibilities for implementation of and the monitoring of compliance with the policy

Authorities: ISO-27002:2005 12.3.1.; HIPAA 164.312(a)(2)(iv); HIPAA 164.312(e)(2)(ii); PCI-DSS:2005 3.4, 4;

Key management • Key management policies and processes should be implemented to support an organization's use of cryptographic techniques. Control includes procedures for:

  • distributing, storing, archiving and changing/updating keys;
  • recovering, revoking/destroying and dealing with compromised keys; and
  • logging all transactions associated with keys.

Authorities: ISO-27002:2005 12.3.2.; PCI-DSS:2005 3.5;

Security of system files

Control objective: To ensure the security of system files.

Control of operational software • Procedures should be implemented to control the installation of software on operational systems, to minimize the risk of interruptions in or corruption of information services. Control includes:

  • updating performed only with appropriate management authorization;
  • updating performed only by appropriately trained personnel;
  • only appropriately tested and certified software deployed to operational systems;
  • appropriate change management and configuration control processes for all stages of updating;
  • appropriate documentation of the nature of the change and the processes used to implement it;
  • a rollback strategy in place, including retention of prior versions as a contingency measure; and
  • appropriate audit logs maintained to track changes.

Authorities: ISO-27002:2005 12.4.1.

Protection of system test data • Test data should be selected carefully and appropriately logged, protected and controlled.

Authorities: ISO-27002:2005 12.4.2.

Access control for program source code • Access to program source code should\ be restricted. Control includes:

  • appropriate physical and technical safeguards for program source libraries, documentation, designs, specifications, verification and validation plans; and
  • maintenance and copying of these materials subject to strict change management and other controls.

Authorities: ISO-27002:2005 12.4.3.

Security in development and support processes

This category aims to maintain the security of application system software and information.

Change control procedures • The implementation of changes should be controlled by the use of formal change control procedures. Control includes:

  • a formal process of documentation, specification, testing, quality control and managed implementation;
  • a risk assessment, analysis of actual and potential impacts of changes, and specification of any security controls required;
  • a budgetary or other financial analysis to assess adequacy of resources;
  • formal agreement to and approval of changes by appropriate management; and
  • appropriate notification of all affected parties prior to implementation, on the nature, timing and likely impacts of the changes;
  • scheduling of changes to minimize the adverse impact on business processes.

Authorities: ISO-27002:2005 12.5.1.

Technical review of applications after operating system changes • When operating systems and processes are changed, critical business processes should be reviewed and tested to ensure that there has been no adverse impact.

Authorities: ISO-27002:2005 12.5.2.

Restrictions on changes to software packages • Modifications to software packages should be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

Authorities: ISO-27002:2005 12.5.3.

Information leakage • Opportunities for information leakage should be appropriately minimized or prevented. Control includes:

  • risk assessment of the probable and possible mechanisms for information leakage, and consideration of appropriate countermeasures;
  • regular monitoring of likely information leak mechanisms and sources; and
  • end-user awareness and training on preventive strategies (e.g., to remove meta-data in transferred files).

Authorities: ISO-27002:2005 12.5.4.

Outsourced software development • Outsourced software development should be appropriately supervised and monitored by the organization.

Authorities: ISO-27002:2005 12.5.5.

Technical vulnerability management

This category aims to reduce risks resulting from exploitation of published technical vulnerabilities.

Control of technical vulnerabilities • Timely information about technical vulnerabilities of information systems used by the organization should be obtained, evaluated in terms of organizational exposure and risk, and appropriate countermeasures taken. Control includes:

  • a complete inventory of information assets sufficient to identify systems put at risk by a particular technical vulnerability;
  • procedures to allow timely response to identification of technical vulnerabilities that present a risk to any of the organization's information assets, including a timeline based on the level of risk;
  • defined roles and responsibilities for implementation of countermeasures and other mitigation procedures.

Authorities: ISO-27002:2005 12.6.1.

Article By :

8. Access control (ISO)

Business requirements for access control

The objective of this category is to control access to information, information processing facilities, and business processes.

Access control policy • An access control policy should be established, documented and periodically reviewed, based on business needs and external requirements. Access control policy and associated controls should take account of:

  • security issues for particular data systems, given business needs, anticipated threats and vulnerabilities;
  • security issues for particular types of data, given business needs, anticipated threats and vulnerabilities;
  • all relevant legislative, regulatory and certificatory requirements;
  • relevant contractual obligations or service level agreements;
  • other organizational policies for information access, use and disclosure; and
  • consistency among such policies across the organization's systems and networks;

Access control policies include:

  • clearly stated rules and rights based on user profiles;
  • consistent management of access rights across a distributed/networked environment;
  • an appropriate mix of logical (technical) and physical access controls;
  • segregation of access control roles -- e.g., access request, access authorization, access administration;
  • requirements for formal authorization of access requests ("provisioning"); and
  • requirements for authorization and timely removal of access rights ("de-provisioning").

Authorities: ISO-27002:2005 11.1.1.; HIPAA 164.308(a)(4)(B-C);

User access management

This category aims to ensure authorized user access, and prevent unauthorized access, to information and information systems. Includes:

  • formal procedures to control the allocation of access rights;
  • procedures cover all stages in the life-cycle of user access, from provisioning to de-provisioning;
  • special attention to control of privileged ("super-user") access rights; and
  • appropriate technical measures for identification and authentication to ensure compliance with defined access rights.

Authorities: HIPAA 164.312(d)

User registration • Formal user registration and de-registration procedures should be implemented, for granting and revoking access to all information systems and services. Control includes:

  • assignment of unique user-IDs to each user;
  • documentation of approval from data system owner for each user's access;
  • confirmation by supervisor or other personnel that each user's access is consistent with business purposes and other security policy controls (e.g., segregation of duties);
  • giving each user a written statement of their access rights and responsibilities;
  • requiring users to sign statements indicating they understand the conditions of access (see also "terms and conditions of employment" and "confidentiality agreements" policies);
  • ensuring service providers do not grant access until all authorization procedures are completed;
  • maintaining a current record of all users authorized to use a particular system or service;
  • immediately changing/eliminating access rights for users who have changed roles or left the organization;
  • checking for and removing redundant or apparently unused user-IDs.

Authorities: ISO-27002:2005 11.2.1.; HIPAA 164.308(a)(4)(ii)(B-C); HIPAA 164.312(a)(2)(i); PCI-DSS 8;

Privilege management • Allocation and use of access privileges should be restricted and controlled. Control includes:

  • development of privilege profiles for each system, based on intersection of user profiles and system resources;
  • granting of privileges based on these standard profiles when possible;
  • a formal authorization process for all privileges;
  • maintaining a current record of privileges granted;

Authorities: ISO-27002:2005 11.2.2.; HIPAA 164.308(a)(4)(ii)(B-C);

User password management • Allocation of passwords should be controlled through a formal management process. Control includes:

  • requiring users to sign a statement indicating they will keep their individual passwords confidential and, if applicable, any group passwords solely within the group;
  • secure methods for creating and distributing temporary, initial-use passwords;
  • forcing users to change any temporary, initial-use password;
  • development of procedures to verify a user's identity prior to providing a replacement password ("password reset");
  • prohibiting "loaning" of passwords;
  • prohibiting storage of passwords on computer systems in unprotected form; and
  • prohibiting use of default vendor passwords, where applicable.

Authorities: ISO-27002:2005 11.2.3.

User access token management • Allocation of access tokens, such as key-cards, should be controlled through a formal management process. Control includes:

  • requiring users to sign a statement indicating they will keep their access tokens secure;
  • secure methods for creating and distributing tokens;
  • use of two-factor tokens (token plus PIN) where appropriate and technically feasible;
  • development of procedures to verify a user's identity prior to providing a replacement token; and
  • prohibiting "loaning" of tokens.

Authorities: ISO-27002:2005 11.2.3. (adapted)

Review of user access rights • Each user's access rights should be periodically reviewed using a formal process. Control includes:

  • review at regular intervals, and after any status change (promotion, demotion, transfer, termination);
  • more frequent review of privileged ("super user") access rights;

Authorities: ISO-27002:2005 11.2.4.; HIPAA 164.308(a)(4)(ii)(B-C);

User responsibilities

This category aims to prevent unauthorized access to, and compromise or theft of, information and information systems. It includes user awareness of:

  • responsibilities for maintaining authentication security, particularly regarding password and token safety
  • responsibilities for securing computers and other office equipment.

Password use • Users should follow good security practices in the selection and use of passwords. Control includes advising/requiring users to:

  • keep passwords confidential and not "share" them;
  • avoid keeping a paper or electronic record of passwords, unless this can be done securely;
  • change a password when there is any suspicion that it has been compromised, and report the suspicion;
  • select "strong" passwords that are resistant to dictionary, brute force or other standard attacks;
  • change passwords periodically;
  • change a temporary password on first log-on;
  • avoid storing passwords in automated log-on processes;
  • not use the same password for business and non-business purposes;
  • use the same password for multiple systems/services only where a reasonable level of security can be assured for each.

Authorities: ISO-27002:2005 11.3.1.; HIPAA 164.308(a)(5);

Access token use • Users should follow good security practices in the use of tokens. Control includes advising/requiring users to:

  • keep tokens secure and not "share" them;
  • avoid keeping a paper or electronic record of PIN associated with a two-factor token; and
  • report when a token is lost or there is any suspicion that it has been compromised.

Authorities: ISO-27002:2005 11.3.1. (adapted)

Monitoring of activity history • Users should monitor password/token activity history where available. Control includes advising/requiring users to:

  • observe and report discrepancies in "last successful login" and "last unsuccessful login" information, when it is available; and
  • observe and report discrepancies in date/time information for all other activities which have timestamps, such as file accesses or modifications.

Authorities: HIPAA 164.308(a)(5);

Appropriate use of user equipment • Users should observe appropriate physical and technical practices with respect to the equipment assigned to them. Control includes:

  • requirement to limit use to to performing appropriate functions in an appropriate manner; and
  • user training in appropriate functions and use; and
  • monitoring of user behavior through appropriate technical means.

Authorities: HIPAA 164.310(b)

Unattended user equipment • Users should ensure that unattended computing equipment has appropriate protection. Unattended equipment controls include:

  • terminating active (logged-in) sessions before a device is left unattended, unless it can be securely "locked" (e.g., with a password-protected screensaver);
  • physically securing devices, or the area in which a device is located, with a key-lock or equivalent if a device will be unattended.

Authorities: ISO-27002:2005 11.3.2.

"Clear desk - clear screen" policy • Users should ensure that desks and other work areas are kept cleared of papers and any storage media when unattended. Computer screens should be kept clear of sensitive information when unattended.

Authorities: ISO-27002:2005 11.3.3.

"Clear equipment" policy • Photocopiers, fax machines and other office equipment should be kept cleared of papers and any storage media when unattended.

Authorities: ISO-27002:2005 11.3.3.

Network access control

Control objective: To prevent unauthorized access to network services.

Policy on use of network services • Users should only be provided with access to the services that they have been specifically authorized to use. Control includes:

  • authorization procedures for determining who is allowed to access to which networks and network services, consistent with other access rights; and
  • policies on deployment of technical controls to limit network connections.

Authorities: ISO-27002:2005 11.4.1.

User authentication for external connections • Appropriate authentication methods should be used to control remote access to the network.

Authorities: ISO-27002:2005 11.4.2.

Equipment/location identification in networks • Where appropriate and technically feasible, access to the network should be limited to identified devices or locations.

Authorities: ISO-27002:2005 11.4.3.

Remote diagnostic and configuration port protection • Physical and logical access to diagnostic and configuration ports should be appropriately controlled. Control includes:

  • physical security for on-site diagnostic and configuration ports;
  • technical security for remote diagnostic and configuration ports; and
  • disabling/removing ports, services and similar facilities which are not required for business functionality.

Authorities: ISO-27002:2005 11.4.4.

Segregation in networks • Where appropriate and technically feasible, groups of information services, users and services should be segregated on networks. Control includes:

  • separation into logical domains, each protected by a defined security perimeter; and
  • secure gateways between/among logical domains.

Authorities: ISO-27002:2005 11.4.5.

Network connection control • Capabilities of users to connect to the network should be appropriately restricted, consistent with access control policies and applications requirements. Control includes:

  • filtering by connection type (e.g., messaging, email, file transfer, interactive access, applications access).

Authorities: ISO-27002:2005 11.4.6.

Network routing control • Routing controls should be implemented to ensure that computer connections and information flows do not breach the access control policy of the business applications. Control includes:

  • positive source and destination address checking; and
  • routing limitations based on the access control policy.

Authorities: ISO-27002:2005 11.4.7.

Operating system access control

Control objective: To prevent unauthorized access to operating systems, and the data and services thereof.

Controls should be implemented to restrict data system access to authorized users, by requiring authentication of authorized users in accordance with the defined access control policy. Controls include:

  • providing mechanisms for authentication by knowledge-, token- and/or biometric-factor methods as appropriate;
  • recording successful and failed system authentication attempts;
  • recording the use of special system privileges; and
  • issuing alarms when access security controls are breached.

Secure log-on procedures • Access to data systems should be controlled by secure log-on procedures. Control includes:

  • display of a general notice warning about authorized and unauthorized use;
  • no display of system or application identifiers until successful log-on;
  • no display of help messages prior to successful log-on that could aid an unauthorized user;
  • validation or rejection of log-on only on completion of all input data (e.g., both user-ID and password);
  • no display of passwords as entered (e.g., hide with symbols);
  • no transmission of passwords in clear text;
  • limits on the number of unsuccessful log-on attempts in total or for a given time period;
  • logging of successful and unsuccessful log-on attempts;
  • limits on the maximum and minimum time for a log-on attempt; and
  • on successful log-on, display date/time of last successful log-on and any unsuccessful attempts;

Authorities: ISO-27002:2005 11.5.1.

User identification and authentication • All data system users should have a unique identifier ("user-ID") for their personal use only. A suitable authentication technique -- knowledge-, token- and/or biometric-based -- should be chosen to authenticate the user. Control includes:

  • shared user-IDs are employed only in exceptional circumstances, where there is a clear justification;
  • generic user-IDs (e.g., "guest") are employed only where no individual-user audit is required and limited access privileges otherwise justify the practice;
  • strength of the identification and authentication method (e.g., use of multiple authentication factors) are suitable to the sensitivity of the information being accessed; and
  • regular user activities are not performed from privileged accounts.

Authorities: ISO-27002:2005 11.5.2.

Password management system • Systems for managing passwords should ensure the quality of this authentication method. Control includes:

  • log-on methods enforce use of individual user-IDs and associated passwords;
  • set/change password methods enforce choice of strong passwords;
  • force change of temporary password on first log-on;
  • enforce password change thereafter at reasonable intervals;
  • store passwords separately from application data; and
  • store and transmit passwords in encrypted form only.

Authorities: ISO-27002:2005 11.5.3.

Access token management system • Systems for managing access tokens should ensure the quality of this authentication method.

Authorities: ISO-27002:2005 11.5.3. (adapted)

Use of system utilities • Use of system utilities that are capable of overriding other controls should be restricted, and appropriately monitored (e.g., by special event logging processes).

Authorities: ISO-27002:2005 11.5.4.

Session time-out • Interactive sessions should shut down and "lock out" the user after a defined period of inactivity. Resumption of the interactive session should require re-authentication. Control includes:

  • time-out periods that reflect risks associated with type of user, setting of use and sensitivity of the applications and data being accessed;
  • waiver or relaxation of time-out requirement when it is incompatible with a business process, provided other steps are taken to reduce vulnerabilities (e.g., removal of sensitive data, removal of network connection capabilities).

Authorities: ISO-27002:2005 11.5.5.; PCI-DSS:2005 8.5.15.; HIPAA 164.312(a)(2)(iii); JCAHO-IM.2.20.

Notes: PCI-DSS specifies 15-minute timeout.

Limitation of connection time • Restrictions on connection times should be used to provide additional security for high-risk applications or remote communications capabilities. Control includes:

  • restricting connection time (e.g., to normal office hours);
  • restricting connection locations (e.g., to IP address ranges); and
  • requiring re-authentication at timed intervals.

Authorities: ISO-27002:2005 11.5.6.

Application and information access control

This category aims to prevent unauthorized access to information held in application systems.

Information access restriction • Access to information and application system functions by users and support personnel should be restricted in accordance with a defined access control policy that is consistent with the organizational access policy.

Authorities: ISO-27002:2005 11.6.1. and 11.1.1.

Sensitive system isolation • Sensitive systems should have a dedicated (isolated) computing environment. Control includes:

  • explicit identification and documentation of sensitivity by each system/application controller; and
  • explicit identification and acceptance of risks when a shared facilities and/or resources must be used.

Authorities: ISO-27002:2005 11.6.2.

Mobile computing and teleworking

This category aims to ensure information security when using mobile computing and teleworking facilities.

Controls should be implemented that are commensurate with the:

  • type of user(s);
  • setting(s) of mobile/teleworking use; and
  • sensitivity of the applications and data being accessed from mobile/teleworking settings.

Mobile computing and communications • A formal policy should be implemented, and appropriate security measures adopted, for mobile computing and communications activities. Controls should apply to laptop, notebook, and palmtop computers; mobile phones and "smart" phone-PDAs; and portable storage devices and media. Controls include requirements for:

  • physical protection;
  • data storage minimization;
  • access controls;
  • cryptographic techniques;
  • data backups;
  • anti-virus and other protective software;
  • operating system and other software updating;
  • secure communication (e.g., VPN) for remote access; and
  • sanitization prior to transer or disposal.

Authorities: ISO-27002:2005 11.7.1.; HIPAA 164.410(b-c); HIPAA 164.310(d)(1)

Teleworking • A formal policy should be implemented, and appropriate security measures adopted, for "teleworking" activities in off-premises locations. Control includes:

  • physical security measures at the off-premises site;
  • appropriate access controls, given reasonably anticipated threats from other users at the site (e.g., family members);
  • cryptographic techniques for data storage at and communications to/from the site;
  • data backup processes and security measures for those backup copies;
  • security measures for wired and wireless network configurations at the site;
  • policies regarding intellectual property used or created at the site, including software licensing;
  • policies regarding organizational property used at the site (e.g., organizations' computing hardware);
  • policies regarding private property used at the site (e.g., teleworkers' computing hardware); and
  • insurance coverage or other specification of financial responsibility for equipment repair or replacement.

Authorities: ISO-27002:2005 11.7.2.; HIPAA 164.410(a)(1); HIPAA 164.410(b-c); HIPAA 164.310(d)(1)

Article By :

7. Communications and operations management (ISO)

Operational procedures and responsibilities

The objective of this category is to ensure the correct and secure operation of information processing facilities.

Documented operating procedures • Operating procedures should be documented, maintained and made available to all users who need them. Controls include:

  • documentation of/for all significant system activities including start-up, close-down, back-up and maintenance;
  • treatment of such documentation as a formal organizational record, subject to appropriate change authorization, change tracking and archiving; and
  • provision of appropriate security for such documentation, including distribution control (see also "security of system documentation" control).

Authorities: ISO-27002:2005 10.1.1.

Change management • Changes to information processing facilities and systems should be controlled using appropriate change management procedures. Control includes:

  • risk assessments, including an analysis of potential impacts and necessary countermeasures or mitigation controls;
  • processes for planning and testing of changes, including fallback (abort/recovery) measures;
  • managerial approval and authorization before proceeding with changes that may have a significant impact on operations;
  • advance communication/warning of changes, including schedules and a description of reasonably anticipated effects, provided to all relevant persons; and
  • documentation of changes made and the prior steps in the change management process.

Authorities: ISO-27002:2005 10.1.2.

Segregation of duties • Duties and areas of responsibility should be segregated to the degree practicable, to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Authorities: ISO-27002:2005 10.1.3.

Separation of development, test and operational facilities • Development, test and operational facilities should be separated, to the degree practicable, to reduce risks of unauthorized access or changes to the operational system.

Authorities: ISO-27002:2005 10.1.4.

Third party delivery management

This category aims to implement and maintain the appropriate level of information security and service delivery in the context of third-party service delivery agreements.

Service delivery • Security controls, service definitions and delivery levels should be included in third-party service delivery agreements.

Authorities: ISO-27002:2005 10.2.1.

Monitoring and review of third-party services • Services, reports and records provided by the third party should be regularly monitored and reviewed, and appropriate audits conducted.

Authorities: ISO-27002:2005 10.2.2.

Managing changes to third-party services • Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be appropriately managed. Control includes:

  • taking into account the criticality of the particular business system(s) and process(es); and
  • using appropriate change management procedures, similar to those applied to internal service changes.

Authorities: ISO-27002:2005 10.2.3.

System planning and acceptance

This category aims to minimize the risk of systems failures.

Capacity management • The use of information and information facility resources should be appropriately monitored, and projections made of future capacity requirements to ensure adequate systems performance. Control includes:

  • identification of capacity requirements for each new and ongoing system/service;
  • projection of future capacity requirements, taking into account current use, projected trends, and anticipated changes in business requirements; and
  • system monitoring and tuning to ensure and, where possible, improve availability and effectiveness of current systems.

Authorities: ISO-27002:2005 10.3.1.

System acceptance • Acceptance criteria for new information systems, upgrades, and new versions should be appropriately established, and suitable tests of the system(s) carried out during development and prior to acceptance. Control includes:

  • clear definition of, agreement on, testing of, and documentation of compliance with requirements for system acceptance; and
  • consultation with affected persons, or representatives of affected groups, at all phases of the process.

Authorities: ISO-27002:2005 10.3.2.

Protection against malicious and mobile code

This category aims to protect the integrity of software and information.

Controls against malicious code • Appropriate controls should be implemented for prevention, detection and response to malicious code, including appropriate user awareness. Control includes:

  • formal policies prohibiting the use or installation of unauthorized software, including a prohibition of obtaining data and software from external networks;
  • formal policies requiring protective measures, such as installation of anti-virus and anti-spyware software, and for the regular updating of it;
  • periodic reviews/scans of installed software and the data content of systems to identify and, where possible, remove any unauthorized software;
  • defined procedures for response to identification of malicious code or unauthorized software;
  • continuity/recovery plans to deal with system interruptions and failures caused by malicious code; and
  • user awareness training on these policies and methods.

Authorities: ISO-27002:2005 10.4.1.; HIPAA 164.308(a)(5);

Controls against mobile code • Appropriate controls should be implemented to control the operation of, and prevent damage from malicious versions of, mobile code.

Authorities: ISO-27002:2005 10.4.2.


This category aims to maintain the integrity and availability of organizational information.

Information back-up • Back-up copies of information and software should be made, and tested at appropriate intervals, in accordance with an agreed-upon back-up policy. Control includes:

  • formal definition of the level of backup required for each system -- scope of data to be imaged, frequency of imaging, duration of retention -- on the basis of legal-regulatory-certificatory standards and business requirements;
  • complete inventory records for the back-up copies, including content and current location;
  • complete documentation of restoration procedures for each system;
  • storage of the back-ups in a remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site;
  • appropriate physical and environmental controls for the back-up copies where-ever located;
  • appropriate technical controls, such as encryption, for back-up copies of sensitive information;
  • regular testing of back-up media; and
  • regular testing of restoration procedures.

Authorities: ISO-27002:2005 10.5.1.; HIPAA 164.308(a)(7)(ii)(A-B) ; HIPAA 164.310(d)(1);

Network security management

This category aims toensure the protection of information in networks and protection of the supporting network infrastructure.

Network controls • Networks should be appropriately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. Control includes:

  • separation of operational responsibilities for networks from those for computer systems and operations, where appropriate;
  • implementation of appropriate controls to assure the availability of network services and information services using the network;
  • establishment of responsibilities and procedures for management of equipment on the network, including equipment in user areas;
  • special controls to safeguard the confidentiality and integrity of sensitive data passing over the organization's network and to/from public networks;
  • appropriate logging and monitoring of network activities, including security-relevant actions; and
  • management processes to ensure coordination of and consistency in the elements of the network infrastructure.

Authorities: ISO-27002:2005 10.6.1.; HIPAA 164.312(e)(2)(ii);

Security of network services • Security features, service levels and management requirements for all network services should be identified in reasonable detail, and included in a network services agreement, whether those services are provided in-house or outsourced. Control includes specification of:

  • technologies applied for security of network services, such as authentication, encryption and connection controls;
  • technical parameters and rules for secured connection with the network; and
  • procedures and processes to control/restrict network access.

Authorities: ISO-27002:2005 10.6.2.; HIPAA 164.312(e)(2)(ii);

Media handling

This category aims to prevent unauthorized disclosure, modification, removal or destruction of information assets, or interruptions to business activities.

Management of removable media • Policies and procedures should be established for management of removable media. Control includes:

  • where appropriate to the sensitivity of the data, logging and an audit trail of removals of media from or relocations within the organization's premises;
  • where appropriate to the sensitivity of the data, a requirement for authorization prior to removal or relocation;
  • appropriate redundancy of storage in light of the risks to the removable media, including where storage retention requirements exceed the rated life of the media;
  • restrictions on the type(s) of media, and usages thereof, where necessary for adequate security;
  • registration of certain type(s) of media; and
  • secure disposal of media when no longer needed (see next).

Authorities: ISO-27002:2005 10.7.1.; HIPAA 164.310(d)(1)

Disposal of media • Media should be disposed of securely and safely when no longer required, using formal procedures. Control includes:

  • use of generally-accepted secure disposal methods for media that contain (or might contain) sensitive data;
  • procedures and policies to identify data that qualifies as sensitive, or a policy that all information will be considered sensitive in the absence of unequivocal evidence to the contrary; and
  • where appropriate to the sensitivity of the data, logging and an audit trail of disposal operations.

Authorities: ISO-27002:2005 10.7.2. and 9.2.6.; HIPAA 164.310(d)(1)

Information handling procedures • Appropriate procedures for the handling and storage of information should be established to protect data from unauthorized disclosure or misuse. Control includes:

  • physical and technical access restrictions appropriate to the data sensitivity level;
  • handling and labelling of all media according to its indicated classification (sensitivity) level;
  • where appropriate to the sensitivity, maintenance of formal records of data transfers, including logging and an audit trail; and
  • review at appropriate intervals of distribution and authorized recipient lists.

Authorities: ISO-27002:2005 10.7.3.

Security of system documentation • System documentation should be appropriately protected against unauthorized access. Control includes:

  • secure storage of documentation, whether in paper and electronic form; and
  • authentication and access control measures, where appropriate to the sensitivity of the documentation.

Authorities: ISO-27002:2005 10.7.4

Exchange of information

This category aims to maintain the security of information and software exchanged within an organization and with any external entity.

Information exchange policies and procedures • Formal exchange policies and procedures should be implemented to protect the exchange of information, covering the use of all types of communications facilities and data storage media. Control includes:

  • procedures designed to protect exchanged information from interception, copying, modification, mis-routing or destruction;
  • procedures for the detection of and protection against malicious code (see also "controls against malicious code" policy);
  • procedures for the protection of wireless communications;
  • use of cryptographic methods where appropriate to achieve sufficient protections;
  • policies or guidelines about acceptable and unacceptable uses of communications facilities and media;
  • retention and disposal guidelines for all business information;
  • user awareness and training about these policies and guidelines; and
  • compliance with all relevant legal-regulatory-certificatory requirements for information exchange.

Authorities: ISO-27002:2005 10.8.1.

Exchange agreements • Agreements should be established for the exchange of information and software between the organization and external parties. Control includes:

  • specification of management responsibilities for controlling/approving agreements about transmissions and receipts;
  • procedures to ensure appropriate identification and labelling, appropriate notifications to sender and recipient, traceability and non-repudiation;
  • minimum technical standards for packing and transmission;
  • specification of ownership and responsibilities for data protection, copyright, license compliance and similar considerations (see also Compliance policy section);
  • specification of responsibleness and liabilities in the event of an information security incident;

Authorities: ISO-27002:2005 10.8.2.

Physical media in transit • Media containing information should be protected against unauthorized access, misuse or corruption. Controls include:

  • procedures and standards for authorizing (vendorizing) couriers, and a list of currently authorized couriers; and
  • packaging standards, including technical protections (e.g.,encryption); and
  • physical protection standards (e.g., locked containers, tamper-evident tagging).

Authorities: ISO-27002:2005 10.8.3.

Electronic messaging • Information involved in electronic messaging should be appropriately protected. Electronic messaging includes email, IM, audio-video conferencing and any other one-to-one, one-to-many, or many-to-many personal communications. Control includes:

  • protecting messages from unauthorized access, modification or diversion;
  • ensuring correct addressing and transportation;
  • ensuring the general reliability and availability of messaging services;
  • limiting the use of less-secure messaging systems (e.g., public IM); and
  • stronger levels of authentication and message content protection when using public networks.

Authorities: ISO-27002:2005 10.8.4.

Business information systems • Policies and procedures should be developed and implemented to protect information associated with the interconnection of business systems. Control includes:

  • a risk assessment of and appropriate countermeasures for vulnerabilities associated with such interconnections;
  • policies and appropriate controls to manage information sharing using such interconnections;
  • fallback and recovery arrangements in the event of interconnection failure.

Authorities: ISO-27002:2005 10.8.5.

Electronic commerce services

This category aims to ensure the security of electronic commerce services and their secure use.

Electronic commerce • Information involved in electronic commerce passing over public networks should be appropriately protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

Authorities: ISO-27002:2005 10.9.1.

On-line transactions • Information involved in on-line transactions should be appropriately protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Authorities: ISO-27002:2005 10.9.2.

Publicly available information • The integrity of information being made available on a publicly available system, such as a Web server, should be appropriately protected to prevent unauthorized modification.

Authorities: ISO-27002:2005 10.9.3.


This category aims to detect unauthorized information processing activities.

Audit logging • Audit logs that record user activities, exceptions, and information security events should be produced, and kept for an agreed-upon time period, to assist in future investigations and access control monitoring. Control includes:

  • recording, when relevant and within the capacity of the logging system, all key events, including the data/time and details of the event, the user-ID associated, terminal identity and/or location, network addresses and protocols, records of successful and unsuccessful system accesses or other resource accesses, changes to system configurations, use of privileges, use of system utilities and applications, files accessed and the kinds of access, alarms raised by the access control or any other protection system (e.g., ID/IP);
  • appropriate privacy protection measures for logged data that is appropriately confidential;
  • appropriate security protections of a technical, physical and administrative nature (e.g., division of responsibilities) to ensure integrity and availability of audit logs.

Authorities: ISO-27002:2005 10.10.1.; HIPAA 164.312(b);

Monitoring system use • Procedures for monitoring use of information processing facilities should be established and the results of monitoring activities regularly reviewed. Control includes:

  • event tracking and recording as specified in the "audit trail" policy;
  • monitoring and review of data as determined by the criticality of the application/system or information involved, past experience with information security incidents, and general risk assessment.

Authorities: ISO-27002:2005 10.10.2.; HIPAA 164.308(a)(1)(ii)(D);

Protection of log information • Logging facilities and log information should be appropriately protected against tampering and unauthorized access.

Authorities: ISO-27002:2005 10.10.3.

Administrator and operator logs • System administrator and system operator activities shall be appropriately logged, as part of the general audit trail process.

Authorities: ISO-27002:2005 10.10.4.

Fault logging • Faults should be appropriately logged, analyzed and actions taken.

Authorities: ISO-27002:2005 10.10.5.

Clock synchronization • The clocks of all relevant information processing systems within an organization or security domain should be appropriately synchronized with an agreed-upon time source.

Authorities: ISO-27002:2005 10.10.6.

Article By :