Information Security

  • Published : July 12, 2009
Security Policy

1.1 / 3.1  Information security policy

1.1.1 / 3.1.1  Information security policy document
    Whether there exists an information security policy, which is approved by the management, published and communicated as appropriate to all employees.
    Whether it states the management commitment and sets out the organisational approach to managing information security.

1.1.2 / 3.1.2  Review and evaluation
    Whether the security policy has an owner, who is responsible for its maintenance and review according to a defined review process.
    Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example: significant security incidents, new vulnerabilities or changes to

Organisational Security

2.1 / 4.1  Information security infrastructure

2.1.1 / 4.1.1  Management information security forum
    Whether there is a management forum to ensure there is a clear direction and visible management support for security initiatives within the organisation.

2.1.2 / 4.1.2  Information security coordination
    Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate the implementation of information security controls.

2.1.3 / 4.1.3  Allocation of information security responsibilities
    Whether responsibilities for the protection of individual assets and for carrying out specific security processes are clearly defined.

2.1.4 / 4.1.4  Authorisation process for information processing facilities
    Whether there is a management authorisation process in place for any new information processing facility. This should include all new facilities such as hardware and software.

2.1.5 / 4.1.5  Specialist information security advice
    Whether specialist information security advice is obtained where appropriate.
    A specific individual may be identified to co-ordinate in-house knowledge and experience to ensure consistency, and to provide help in security decision making.

2.1.6 / 4.1.6  Co-operation between organisations
    Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators are maintained to ensure that appropriate action can be taken quickly and advice obtained in the event of a security incident.

2.1.7 / 4.1.7  Independent review of information security
    Whether the implementation of the security policy is reviewed independently on a regular basis. This is to provide assurance that organisational practices properly reflect the policy, and that it is feasible and effective.

2.2 / 4.2  Security of third party access

2.2.1 / 4.2.1  Identification of risks from third party access
    Whether risks from third party access are identified and appropriate security controls implemented.
    Whether the types of access are identified and classified, and the reasons for access are justified.
    Whether security risks from third party contractors working onsite are identified and appropriate controls are implemented.

2.2.2 / 4.2.2  Security requirements in third party contracts
    Whether there is a formal contract containing, or referring to, all the security requirements to ensure compliance with the organisation's security policies and standards.

2.3 / 4.3  Outsourcing

2.3.1 / 4.3.1  Security requirements in outsourcing contracts
    Whether security requirements are addressed in the contract with the third party, when the organisation has outsourced the management and control of all or some of its information systems, networks and/or desktop environments.
    The contract should address how the legal requirements are to be met, how the security of the organisation's assets is maintained and tested, the right of audit, physical security issues and how the availability of the services is to be maintained in the event of a disaster.

Asset classification and control

3.1 / 5.1  Accountability of assets...