Security policy
- An Information Security Policy document will be available to all staff and students
- Senior management shall set a clear direction and demonstrate support for, and commitment to, information security across the University
- Information systems owners will be responsible for ensuring the design, operation and use of IT systems comply with Information Security Policies
Security organization
- Responsibility for governing and managing security of information rests with the executive management of the University
- A management framework will be established to initiate and control the implementation of information security within the University
- Information security governance must fit into and support the IT governance framework
- Responsibilities for the protection of individual assets, and for carrying out specific information security processes, rest with information systems owners
- Third parties will be provided access under formally managed conditions only
- Security requirements must be addressed as part of outsourcing contracts
Asset classification and control
- All information systems should be accounted for and have a nominated information system owner
- Classification labels must be used to indicate the need and priorities for security protection
Personnel security
- Security should be addressed at recruitment, included in relevant job descriptions and contracts, and monitored
- Users of information should be trained in security procedures and the correct use of IT facilities
- Users should be formally authorised in writing as to the scope of their access to information systems
- Incidents affecting security should be reported through approved channels as quickly as possible
- All staff, contractors and students should comply with all prevailing legal and community standards relating to data confidentiality and privacy
Physical and environmental security
- IT facilities supporting critical or sensitive business activities must be physically protected from:
+ unauthorised access, damage and interference
+ the effects of environmental events such as fire, electrical supply failure, natural disasters and terrorism
Computer and network management
- The integrity, accuracy and availability of data are to be maintained in a manner appropriate to the business requirement
- Procedures must be established for the operation and management of all computers and networks
- Controls are to be developed to reduce the risk of negligent or deliberate system misuse
Access control
- Access to computer services and data should be controlled on the basis of business requirements
- IT will provide appropriate access and security control systems
- Users should only be allowed access to the data that is necessary for them to do their job
Systems development and maintenance
- Security requirements must be identified and agreed prior to the development or procurement of IT systems
- Appropriate controls, including audit trails, should be designed into applications
- Access to project, support and development environments and associated test data should be closely controlled
Business continuity planning
- Plans must be available to protect critical business processes from the effects of major failures and disasters
Audit and compliance
- All relevant statutory and contractual requirements of information systems should be explicitly defined and documented
- The security of IT systems should be regularly and independently reviewed
- Adherence to all relevant privacy laws is compulsory
- Data will be protected against loss and unauthorised access commensurate with its value and the requirements of the regulators and legislators
- IT will monitor and report on access and security breaches, including unsuccessful attempts
Source: http://www.auckland.ac.nz/security/InformationSecurityPrinciples.htm
Sunday, September 23, 2007
Thursday, August 16, 2007
Best Practice Management Controls
Best practice controls for company data assets
Abstract
This article reviews the main areas of concern in protecting data assets from internal threats and vulnerabilities. It starts with an anecdote from an interview with a senior manager and concludes with a recommendation for implementing an approach that protects data directly, as opposed to the commonly used methods that attempt to protect the network and limit user permissions.