IS-3 Matrix

Minimum Network Connectivity Requirements

Controls Family | High | Medium | Low | IS-3 Reference | Required for Insurance
---|---|---|---|---|---
1. Access control measures for controlled electronic information resources | Required | Required | Required | III.C.2.b | 
2. Encrypted transmission of restricted data including passwords | Required | Required | Required | III.C.2.b.i | 
3. Software updates / patch management | Required | Required | Required | III.C.2.c.iv | 
4. Malicious software protection | Required | Required | Required | III.C.2.c.iii | 
5. Removal of unnecessary services | Required | Required | Required | IV.E | 
6. Host-based firewalls | Required | Required | Required | III.C.2.d | 
7. No unauthorized email relays | Required | Required | Required | IV.G | 
8. No unauthorized, unauthenticated proxy servers | Required | Required | Required | IV.H | 
9. Physical security and session timeout | Required | Required | Required | III.C.2.b.ii | 
Administrative Controls

Controls Family | High | Medium | Low | IS-3 Requirement | Required for Insurance
---|---|---|---|---|---
Risk assessment, asset inventory and classification; identification of systems storing and accessing data | Required | Recommended | Recommended | III.B | 
Formal proprietor authorization for sharing data | Required | Recommended | Optional | III.C, 4th paragraph | 
Procedures to inform staff of information security responsibilities | Required | Required | Required | III.C.1.a | 
Procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties | Required | Recommended | Optional | III.C.1 | 
Background checks | Required | Recommended | Optional | III.C.1.b | 
Third party agreements with data security language | Required | Recommended | Optional | III.F | 
Take appropriate personnel/disciplinary action for violations of law or policy | Required | Required | Required | III.C.1.c | 
Education and security awareness training | Required | Recommended | Recommended | III.E | 
Operational Controls

Controls Family | High | Medium | Low | IS-3 Requirement | Required for Insurance
---|---|---|---|---|---
Secure and accountable means of authorization and authentication | Required | Required | Optional | III.C.2.a | 
Prompt modification or termination of access or access levels in response to authorization changes | Required | Required | Optional | III.C.1 | 
Password guidelines and password vulnerability assessment | Required | Required | Required | III.C.2.b.i | 
Delete, redact or de-identify data whenever possible | Required | Recommended | Optional | III.C | 
Do not store data on portable devices | Required | Recommended | Optional | III.C.3.e | 
Incident response planning and notification procedures | Required | Required | Required | III.D | 
Access and activity audit and logging procedures, including access attempts and privileged access | Required | Recommended | Optional | III.C.2.b.iii | 
Application security: | Required | Required | Recommended | III.C.2.c.v | 
Authorized, documented change management procedures | Required | Recommended | Optional | III.C.2.e | 
Backup systems supporting essential activities | Required | Required | Required | III.C.2.c.ii | 
Technical Controls

Controls Family | High | Medium | Low | IS-3 Requirement | Required for Insurance
---|---|---|---|---|---
Network firewalls and IDS/IPS | Required | Recommended | Optional | III.C.2.d | 
Encryption: | Required | Recommended | Optional | III.C.2.c.ii | 
Ensure proper user authentication and authorization for users and administrators on all systems | Required | Required | Recommended | III.C.2.b | 
Centralized log management, alerting on improper activity, and log retention | Required | Recommended | Optional | III.C.2.b | 
Physical Controls

Controls Family | High | Medium | Low | IS-3 Requirement | Required for Insurance
---|---|---|---|---|---
Physical access controls; facility access controls | Required | Required | Required | III.C.3.b | 
Disposal and re-use: | Required | Required | Recommended | III.C.3.d | 
Physical security for portable devices and media | Required | Recommended | Optional | III.C.3.e | 
Track reassignment or movement of devices and stock inventories, including financial instruments such as check stock and produced checks | Required | Recommended | Optional | III.C.3.c | 
Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks | Required | Recommended | Optional | III.C.3.c | 
Disaster recovery and business continuity plan | Required | Recommended | Optional | III.C.3.a | 
ISO 27002

Security Policy

Clause | Control
---|---
5.1 | Information security policy
5.1.1 | Information security policy document
5.1.2 | Review of the information security policy

Organization of Information Security

Clause | Control
---|---
6.1 | Internal organization
6.1.1 | Management commitment to information security
6.1.2 | Information security co-ordination
6.1.3 | Allocation of information security responsibilities
6.1.4 | Authorization process for information processing facilities
6.1.5 | Confidentiality agreements
6.1.6 | Contact with authorities
6.1.7 | Contact with special interest groups
6.1.8 | Independent review of information security
6.2 | External parties
6.2.1 | Identification of risks related to external parties
6.2.2 | Addressing security when dealing with customers
6.2.3 | Addressing security in third party agreements

Asset Management

Clause | Control
---|---
7.1 | Responsibility for assets
7.1.1 | Inventory of assets
7.1.2 | Ownership of assets
7.1.3 | Acceptable use of assets
7.2 | Information classification
7.2.1 | Classification guidelines
7.2.2 | Information labelling and handling

Human Resources Security

Clause | Control
---|---
8.1 | Prior to employment
8.1.1 | Roles and responsibilities
8.1.2 | Screening
8.1.3 | Terms and conditions of employment
8.2 | During employment
8.2.1 | Management responsibilities
8.2.2 | Information security awareness, education and training
8.2.3 | Disciplinary process
8.3 | Termination or change of employment
8.3.1 | Termination responsibilities
8.3.2 | Return of assets
8.3.3 | Removal of access rights

Physical and Environmental Security

Clause | Control
---|---
9.1 | Secure areas
9.1.1 | Physical security perimeter
9.1.2 | Physical entry controls
9.1.3 | Securing offices, rooms and facilities
9.1.4 | Protecting against external and environmental threats
9.1.5 | Working in secure areas
9.1.6 | Public access, delivery and loading areas
9.2 | Equipment security
9.2.1 | Equipment siting and protection
9.2.2 | Supporting utilities
9.2.3 | Cabling security
9.2.4 | Equipment maintenance
9.2.5 | Security of equipment off-premises
9.2.6 | Secure disposal or re-use of equipment
9.2.7 | Removal of property

Communications and Operations Management

Clause | Control
---|---
10.1 | Operational procedures and responsibilities
10.1.1 | Documented operating procedures
10.1.2 | Change management
10.1.3 | Segregation of duties
10.1.4 | Separation of development and operational facilities
10.2 | Third party service delivery management
10.2.1 | Service delivery
10.2.2 | Monitoring and review of third party services
10.2.3 | Managing changes to third party services
10.3 | System planning and acceptance
10.3.1 | Capacity management
10.3.2 | System acceptance
10.4 | Protection against malicious and mobile code
10.4.1 | Controls against malicious code
10.4.2 | Controls against mobile code
10.5 | Back-up
10.5.1 | Information back-up
10.6 | Network security management
10.6.1 | Network controls
10.6.2 | Security of network services
10.7 | Media handling
10.7.1 | Management of removable media
10.7.2 | Disposal of media
10.7.3 | Information handling procedures
10.7.4 | Security of system documentation
10.8 | Exchange of information
10.8.1 | Information exchange policies and procedures
10.8.2 | Exchange agreements
10.8.3 | Physical media in transit
10.8.4 | Electronic messaging
10.8.5 | Business information systems
10.9 | Electronic commerce services
10.9.1 | Electronic commerce
10.9.2 | On-line transactions
10.9.3 | Publicly available information
10.10 | Monitoring
10.10.1 | Audit logging
10.10.2 | Monitoring system use
10.10.3 | Protection of log information
10.10.4 | Administrator and operator logs
10.10.5 | Fault logging
10.10.6 | Clock synchronization

Access Control

Clause | Control
---|---
11.1 | Business requirement for access control
11.1.1 | Access control policy
11.2 | User access management
11.2.1 | User registration
11.2.2 | Privilege management
11.2.3 | User password management
11.2.4 | Review of user access rights
11.3 | User responsibilities
11.3.1 | Password use
11.3.2 | Unattended user equipment
11.3.3 | Clear desk and clear screen policy
11.4 | Network access control
11.4.1 | Policy on use of network services
11.4.2 | User authentication for external connections
11.4.3 | Equipment identification in networks
11.4.4 | Remote diagnostic and configuration port protection
11.4.5 | Segregation in networks
11.4.6 | Network connection control
11.4.7 | Network routing control
11.5 | Operating system access control
11.5.1 | Secure log-on procedures
11.5.2 | User identification and authentication
11.5.3 | Password management system
11.5.4 | Use of system utilities
11.5.5 | Session time-out
11.5.6 | Limitation of connection time
11.6 | Application access control
11.6.1 | Information access restriction
11.6.2 | Sensitive system isolation
11.7 | Mobile computing and teleworking
11.7.1 | Mobile computing and communications
11.7.2 | Teleworking

Information Systems Acquisition, Development and Maintenance

Clause | Control
---|---
12.1 | Security requirements of information systems
12.1.1 | Security requirements analysis and specification
12.2 | Correct processing in applications
12.2.1 | Input data validation
12.2.2 | Control of internal processing
12.2.3 | Message integrity
12.2.4 | Output data validation
12.3 | Cryptographic controls
12.3.1 | Policy on the use of cryptographic controls
12.3.2 | Key management
12.4 | Security of system files
12.4.1 | Control of operational software
12.4.2 | Protection of system test data
12.4.3 | Access control to program source library
12.5 | Security in development and support processes
12.5.1 | Change control procedures
12.5.2 | Technical review of applications after operating system changes
12.5.3 | Restrictions on changes to software packages
12.5.4 | Information leakage
12.5.5 | Outsourced software development
12.6 | Technical vulnerability management
12.6.1 | Control of technical vulnerabilities

Information Security Incident Management

Clause | Control
---|---
13.1 | Reporting information security events and weaknesses
13.1.1 | Reporting information security events
13.1.2 | Reporting security weaknesses
13.2 | Management of information security incidents and improvements
13.2.1 | Responsibilities and procedures
13.2.2 | Learning from information security incidents
13.2.3 | Collection of evidence

Business Continuity Management

Clause | Control
---|---
14.1 | Information security aspects of business continuity management
14.1.1 | Including information security in the business continuity management process
14.1.2 | Business continuity and risk assessment
14.1.3 | Developing and implementing continuity plans including information security
14.1.4 | Business continuity planning framework
14.1.5 | Testing, maintaining and re-assessing business continuity plans

Compliance

Clause | Control
---|---
15.1 | Compliance with legal requirements
15.1.1 | Identification of applicable legislation
15.1.2 | Intellectual property rights (IPR)
15.1.3 | Protection of organizational records
15.1.4 | Data protection and privacy of personal information
15.1.5 | Prevention of misuse of information processing facilities
15.1.6 | Regulation of cryptographic controls
15.2 | Compliance with security policies and standards, and technical compliance
15.2.1 | Compliance with security policies and standards
15.2.2 | Technical compliance checking
15.3 | Information systems audit considerations
15.3.1 | Information systems audit controls
15.3.2 | Protection of information systems audit tools
Standard of Good Practice

Aspect | Focus | Target audience | Issues probed | Scope and coverage
---|---|---|---|---
Security Management (enterprise-wide) | Security management at enterprise level. | The target audience of the SM aspect will typically include: | The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources. | Security management arrangements within:
Critical Business Applications | A business application that is critical to the success of the enterprise. | The target audience of the CB aspect will typically include: | The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels. | Critical business applications of any:
Computer Installations | A computer installation that supports one or more business applications. | The target audience of the CI aspect will typically include: | How requirements for computer services are identified, and how the computers are set up and run in order to meet those requirements. | Computer installations:
Networks | A network that supports one or more business applications. | The target audience of the NW aspect will typically include: | How requirements for network services are identified, and how the networks are set up and run in order to meet those requirements. | Any type of communications network, including:
Systems Development | A systems development unit or department, or a particular systems development project. | The target audience of the SD aspect will typically include: | How business requirements (including information security requirements) are identified, and how systems are designed and built to meet those requirements. | Development activity of all types, including:
End User Environment | An environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes. | The target audience of the UE aspect will typically include: | The arrangements for user education and awareness; use of corporate business applications and critical workstation applications; and the protection of information associated with mobile computing. | End-user environments:
Security Management
Keeping the business risks associated with information systems under control within an organisation requires clear direction and commitment from the top, the allocation of adequate resources, effective arrangements for promoting good information security practice throughout the organisation and the establishment of a secure environment.
Area SM1 HIGH-LEVEL DIRECTION
Achieving an effective and consistent standard of good practice for information security throughout the organisation requires clear direction from the top. Accordingly, this area covers top management's direction on, and commitment to, information security. It specifies an information security policy and a set of staff agreements that should be applied to all individuals who have access to the information and systems of the organisation.
Section SM1.1 Management commitment
Principle Top management's direction on information security should be established, and commitment demonstrated.
Objective To ensure an appropriate set of security controls is implemented enterprise-wide.
Section SM1.2 Information security policy
Principle A comprehensive, documented information security policy should be produced and communicated to all individuals with access to the organisation's information and systems.
Objective To document top management's direction on and commitment to information security, and communicate it to all relevant individuals.
Section SM1.3 Staff agreements
Principle Staff agreements should be established that specify information security responsibilities, are incorporated into staff contracts, and are taken into account when screening applicants for employment.
Objective To ensure that staff behave in a manner that supports the organisation's information security policy.
Information Security Forum • Standard of Good Practice 2007 15
Security Management www.securityforum.org
Area SM2 SECURITY ORGANISATION
Safeguarding information and systems requires information security activity to be organised effectively throughout the organisation. Accordingly, this area covers the organisational arrangements for managing information security throughout the organisation, raising security awareness amongst staff and ensuring they have the skills required to run systems correctly and securely.
Section SM2.1 High-level control
Principle Control over information security should be provided by a high-level working group, committee or equivalent body, and be supported by a top-level executive.
Objective To provide a top-down management structure and a practical mechanism for co-ordinating information security activity throughout the organisation.
Section SM2.2 Information security function
Principle A specialist information security function should be established, which has responsibility for promoting information security enterprise-wide.
Objective To ensure good practice in information security is applied effectively and consistently throughout the organisation.
Section SM2.3 Local security co-ordination
Principle Arrangements should be made to co-ordinate information security activity in individual business units / departments.
Objective To ensure that security activities are carried out in a timely and accurate manner, enterprise-wide, and that security issues are resolved effectively.
Section SM2.4 Security awareness
Principle Specific activities should be undertaken, such as a security awareness programme, to promote security awareness to all individuals who have access to the information and systems of the organisation.
Objective To ensure all relevant individuals apply security controls and prevent important information used throughout the organisation from being compromised or disclosed to unauthorised individuals.
Section SM2.5 Security education / training
Principle Staff should be educated / trained in how to run systems correctly and how to develop and apply information security controls.
Objective To provide staff with the skills required to protect systems and fulfil their information security responsibilities.
Area SM3 SECURITY REQUIREMENTS
Ensuring that the safeguards applied to information and systems are proportionate to their importance to the business is a fundamental element of good practice. Accordingly, this area covers arrangements for classifying critical information and systems, assigning ownership, managing information risk analysis, undertaking information risk analysis and legal and regulatory compliance.
Section SM3.1 Information classification
Principle An information classification scheme should be established that applies throughout the organisation, based on the confidentiality of information in use.
Objective To determine the level of protection that should be applied to particular types of information, thereby preventing unauthorised disclosure.
Section SM3.2 Ownership
Principle Ownership of critical information and systems should be assigned to capable individuals, with responsibilities clearly defined and accepted.
Objective To achieve individual accountability for the protection of all critical information and systems throughout the organisation.
Section SM3.3 Managing information risk analysis
Principle Critical business applications, computer installations, networks and systems under development should be subject to information risk analysis on a regular basis.
Objective To enable individuals who are responsible for critical information and systems to identify key information risks and determine the controls required to keep those risks within acceptable limits.
Section SM3.4 Information risk analysis methodologies
Principle Information risk analysis conducted on applications, computer installations, networks and systems under development should be undertaken using structured methodologies.
Objective To ensure information risk analysis is conducted in a consistent, rigorous and reliable manner throughout the organisation.
Section SM3.5 Legal and regulatory compliance
Principle A process should be established to identify and interpret the information security implications of relevant laws and regulations.
Objective To comply with laws and regulations affecting information security.
Area SM4 SECURE ENVIRONMENT
Achieving a consistent standard of good practice in information security across an organisation is a complex undertaking. The difficulties can be eased by introducing a common framework of disciplines and by making standard arrangements at organisation level, rather than on an individual basis (eg by developing a security architecture, establishing identity and access arrangements, creating a capability for managing information security incidents, and planning business continuity for the whole organisation). Accordingly, this area covers the arrangements required to build a secure environment enterprise-wide.
Section SM4.1 Security architecture
Principle A security architecture should be established, which provides a framework for the application of standard security controls throughout the organisation.
Objective To enable system developers and administrators to implement consistent, simple-to-use security functionality across multiple computer systems throughout the organisation.
Section SM4.2 Information privacy
Principle Responsibility for managing information privacy should be established and security controls for handling personally identifiable information applied.
Objective To prevent information about individuals being used in an inappropriate manner, and ensure compliance with legal and regulatory requirements for information privacy.
Section SM4.3 Asset management
Principle Proven, reliable and approved hardware / software should be used that meet security requirements and are recorded in an inventory.
Objective To reduce the risk of information security being compromised by weaknesses in hardware / software.
Section SM4.4 Identity and access management
Principle Identity and access management arrangements should be established to provide effective and consistent user administration, identification, authentication and access mechanisms across the organisation.
Objective To restrict system access to authorised users and ensure the integrity of important user information.
Section SM4.5 Physical protection
Principle All locations that house critical IT facilities, sensitive material and other important assets should be physically protected against accident or attack.
Objective To restrict physical access to authorised individuals and ensure that critical IT facilities processing important information, sensitive material and other important assets are available when required.
Section SM4.6 Information security incident management
Principle Information security incidents should be identified, responded to, recovered from, and followed up using an information security incident management process.
Objective To identify and resolve information security incidents effectively, minimise their business impact and reduce the risk of similar incidents occurring.
Section SM4.7 Business continuity
Principle Documented standards / procedures should be established for developing business continuity plans and for maintaining business continuity arrangements enterprise-wide.
Objective To enable the organisation to withstand the prolonged unavailability of critical information and systems.
Area SM5 MALICIOUS ATTACK
Organisations are often subject to attack from malicious third parties (eg by sending malware or hacking systems). Consequently, this area covers the security controls required to protect against malware, keep applications and systems up-to-date with patches, provide intrusion detection capabilities, respond to a serious attack and manage forensic investigations.
Section SM5.1 General malware protection
Principle All individuals who have access to information and systems of the organisation should be made aware of the risks from malware, and the actions required to minimise those risks.
Objective To ensure all relevant individuals understand the key elements of malware protection, why it is needed, and help to keep the impact of malware to a minimum.
Section SM5.2 Malware protection software
Principle Effective malware protection software should be installed, configured, and maintained enterprise-wide.
Objective To protect the organisation against malware attacks and ensure malware infections can be addressed within defined timescales.
Section SM5.3 Intrusion detection
Principle Intrusion detection mechanisms should be applied to critical systems and networks.
Objective To identify suspected or actual malicious attacks and enable the organisation to respond before serious damage is done.
Section SM5.4 Emergency response
Principle An emergency response process should be established, supported by an emergency response team, which outlines actions to be taken in the event of a serious attack.
Objective To respond to serious attacks quickly and effectively, reducing any potential business impact.
Section SM5.5 Forensic investigations
Principle A process should be established for dealing with information security incidents that require forensic investigation.
Objective To identify perpetrators of malicious acts and preserve sufficient evidence to prosecute them if required.
Section SM5.6 Patch management
Principle A process should be established for the deployment of system and software patches.
Objective To address technical system and software vulnerabilities quickly and effectively in order to reduce the likelihood of a serious business impact arising.
Area SM6 SPECIAL TOPICS
The rapid pace of change in business and technology has resulted in the emergence of special topics with particular security concerns that should be dealt with enterprise-wide. Accordingly, this area covers the special security controls that apply to the use of cryptography, public key infrastructure, electronic messaging, remote working, the provision of third party access, electronic commerce and outsourcing.
Section SM6.1 Cryptographic solutions
Principle Cryptographic solutions should be approved, documented and applied enterprise-wide.
Objective To protect the confidentiality of sensitive information, preserve the integrity of critical information and confirm the identity of the originator of information.
Section SM6.2 Public key infrastructure
Principle Where a public key infrastructure (PKI) is used, it should be protected by 'hardening' the underlying operating system(s) and restricting access to Certification Authorities.
Objective To ensure that the public key infrastructure (PKI) operates as intended, is available when required and can be recovered in the event of an emergency.
Section SM6.3 E-mail
Principle E-mail systems should be protected by a combination of policy, awareness, procedural and technical security controls.
Objective To ensure that e-mail services are available when required, the confidentiality and integrity of messages is protected in transit, and the risk of misuse is minimised.
Section SM6.4 Remote working
Principle Personal computers used by staff working in remote locations should be purchased from approved suppliers, tested prior to use, supported by maintenance arrangements and protected by physical and logical controls.
Objective To ensure that computers used by staff working in remote locations operate as intended, remain available and do not compromise the security of any facilities to which they can be connected.
Section SM6.5 Third party access
Principle Connections from third parties (eg customers, clients and suppliers) should be uniquely identified, subjected to an information risk analysis, approved, and supported by contracts.
Objective To ensure that access to the organisation's information and systems is restricted to authorised third parties.
Section SM6.6 Electronic commerce
Principle A process should be established to ensure that information security requirements are taken into account in electronic commerce initiatives across the organisation.
Objective To keep the increased risks associated with the development and deployment of electronic commerce within acceptable limits.
Section SM6.7 Outsourcing
Principle A process should be established to govern the selection and management of outsource providers, supported by documented agreements that specify the security requirements to be met.
Objective To ensure that security requirements are satisfied and maintained when the running of a particular environment or service is entrusted to an outsource provider.
Section SM6.8 Instant messaging
Principle Instant messaging services should be protected by setting management policy, deploying instant messaging application controls and correctly configuring the security elements of an instant messaging infrastructure.
Objective To ensure that instant messaging services are available when required, the confidentiality and integrity of messages is protected in transit, and the risk of misuse is minimised.
Area SM7 MANAGEMENT REVIEW
An accurate understanding of the information security condition of the organisation is required in order to manage information security effectively. Accordingly, this area covers the arrangements needed to provide decision-makers with sound information on the security condition of information and systems throughout the organisation.
Section SM7.1 Security audit / review
Principle The information security status of critical IT environments should be subject to thorough, independent and regular security audits / reviews.
Objective To provide individuals who are responsible for particular IT environments, and top management, with an independent assessment of the information security condition of those environments.
Section SM7.2 Security monitoring
Principle The information security condition of the organisation should be monitored regularly and reported to top management.
Objective To provide top management with an accurate, comprehensive and coherent assessment of the security condition of the organisation.
Critical Business Applications
A critical business application requires a more stringent set of security controls than other applications. By understanding the business impact of a loss of confidentiality, integrity or availability of information, it is possible to establish the level of importance of an application. This provides a sound basis for identifying information risks and determining the level of protection required to keep information risks within acceptable limits.
Area CB1 BUSINESS REQUIREMENTS FOR SECURITY
Business applications vary enormously in their importance to the business; hence the level of protection required also varies. Accordingly, this area identifies the information security requirements of the application.
Section CB1.1 Confidentiality requirements
Principle The business impact of unauthorised disclosure of information associated with the application should be assessed.
Objective To document and agree the confidentiality requirements (the need for information to be kept secret or private within a predetermined group) of the application.
Section CB1.2 Integrity requirements
Principle The business impact of the accidental corruption or deliberate manipulation of business information stored in or processed by the application should be assessed.
Objective To document and agree the integrity requirements (the need for information to be valid, accurate and complete) of the application.
Section CB1.3 Availability requirements
Principle The business impact of business information stored in or processed by the application being unavailable for any length of time should be assessed.
Objective To document and agree the availability requirements (the need for information to be accessible when required) of the application.
Area CB2 APPLICATION MANAGEMENT
Keeping business risks within acceptable limits requires a coherent set of information security arrangements. Accordingly, this area covers the roles and responsibilities required (including business ownership), integral application controls and additional controls needed for handling or transferring sensitive information. In addition, this area covers general management controls including change management, information security incident management and business continuity.
Section CB2.1 Roles and responsibilities
Principle An owner should be identified for the application, and responsibilities for key tasks assigned to individuals who are capable of performing them.
Objective To assign ownership of the application, achieve individual accountability, provide a sound management structure for staff running or using it and give responsible individuals a vested interest in its protection.
Section CB2.2 Application controls
Principle The full range of application controls should be considered, and required controls identified.
Objective To build in the required application controls to protect information stored in or processed by the application.
Section CB2.3 Change management
Principle Changes to the application should be tested, reviewed and applied using a change management process.
Objective To ensure that changes are applied correctly and do not compromise the security of the application.
Section CB2.4 Information security incident management
Principle Information security incidents should be identified, responded to, recovered from, and followed up using an information security incident management process.
Objective To identify and resolve information security incidents effectively, minimise their business impact and reduce the risk of similar incidents occurring.
Section CB2.5 Business continuity
Principle A business continuity plan should be established, supported by contingency arrangements, and tested regularly.
Objective To enable the business processes associated with the application to continue in the event of a disaster.
Section CB2.6 Sensitive information
Principle Additional protection should be provided for applications that involve handling sensitive material or transferring sensitive information.
Objective To preserve the integrity of sensitive information and protect it from unauthorised disclosure.
Area CB3 USER ENVIRONMENT
Critical business applications can be used by internal or external business or technical users. These individuals may be sited locally or at a remote location, often with differing business and security requirements. Accordingly, this area covers the disciplines required to control access to the application, configure workstations and ensure that users are aware of information security and understand their personal responsibilities.
Section CB3.1 Access control
Principle Access to the application and associated information should be restricted to authorised individuals.
Objective To ensure that only authorised individuals are granted access to the application, and that individual accountability is assured.
Section CB3.2 Application sign-on process
Principle Users should be subject to a rigorous sign-on process before being provided with access to the application.
Objective To ensure that only authorised users can gain access to the application.
Section CB3.3 Workstation protection
Principle Workstations connected to the application should be purchased from approved suppliers, tested prior to use, supported by maintenance arrangements, and protected by physical controls.
Objective To ensure workstations operate as intended, are available when required and do not compromise the security of the application.
Section CB3.4 Security awareness
Principle Users of the application should be made aware of the key elements of information security and why it is needed, and understand their personal information security responsibilities.
Objective To ensure users of the application apply security controls and prevent important information used in the application from being compromised or disclosed to unauthorised individuals.
Area CB4 SYSTEM MANAGEMENT
To enable applications to function, they have to run on one or more computers and typically make use of one or more networks. Accordingly, this area covers service agreements, the resilience of the application, external connections and the back-up of essential information and software.
Section CB4.1 Service agreements
Principle Computer and network services required to support the application should only be obtained from service providers capable of providing required security controls, and be supported by documented contracts or service level agreements.
Objective To define the business requirements for providers of any computer or network services that support the application, including those for information security, and to ensure they are met.
Section CB4.2 Resilience
Principle The application should be run on robust, reliable hardware and software, supported by alternative or duplicate facilities.
Objective To ensure that the application is available when required.
Section CB4.3 External connections
Principle All external connections to the application should be individually identified, verified, recorded, and approved.
Objective To ensure that only authorised individuals are granted access to the application via external connections.
Section CB4.4 Back-up
Principle Back-ups of essential information and software used by the application should be performed on a regular basis, according to a defined cycle.
Objective To ensure that, in the event of an emergency, essential information or software required by the application can be restored within critical timescales.
Area CB5 LOCAL SECURITY MANAGEMENT
The security controls applied to a business application should be proportional to business risk. Accordingly, this area covers the arrangements made to identify the importance of information stored in or processed by the application, the associated business risks and the level of protection required. It also addresses local security co-ordination and the need for the application to be subject to thorough, independent and regular security audits / reviews.
Section CB5.1 Local security co-ordination
Principle An individual should be appointed to co-ordinate information security activities associated with the application.
Objective To ensure that security activities are carried out in a timely and accurate manner, and that security issues are resolved effectively.
Section CB5.2 Information classification
Principle Information stored in or processed by critical business applications should be classified according to its confidentiality, using an approved information classification scheme.
Objective To determine the level of protection that should be applied to the application, thereby preventing unauthorised disclosure.
Section CB5.3 Information risk analysis
Principle The application should be subject to an information risk analysis on a regular basis, the results of which should be documented, reviewed, and agreed.
Objective To identify key information risks associated with the application, and determine the security controls required in order to keep those risks within acceptable limits.
Section CB5.4 Security audit / review
Principle The information security status of the application should be subject to thorough, independent and regular security audits / reviews.
Objective To ensure that security controls have been implemented effectively, that information risk is being managed, and to provide the application owner and top management with an independent assessment of the information security status of the application.
Area CB6 SPECIAL TOPICS
The rapid pace of change in business and technology has resulted in the emergence of special topics with particular security concerns. Where these topics apply to a critical business application, special security arrangements are required. Accordingly, this area covers the additional security controls required by applications that provide third party access, employ cryptographic key management, use a public key infrastructure (PKI) or are based on web-enabled technology.
Section CB6.1 Third party agreements
Principle Connections from third parties (ie external organisations, such as customers, suppliers and members of the public) should be subject to an information risk analysis, approved by the application owner and agreed by both parties in a documented agreement, such as a contract.
Objective To ensure that only approved third parties are granted access to the application.
Section CB6.2 Cryptographic key management
Principle Cryptographic keys should be managed tightly, in accordance with documented standards / procedures, and protected against unauthorised access or destruction.
Objective To ensure that cryptographic keys are not compromised (eg through loss, corruption or disclosure).
Section CB6.3 Public key infrastructure
Principle Any public key infrastructure (PKI) used by the application should be protected by 'hardening' the underlying operating system(s) and restricting access to Certification Authorities.
Objective To ensure that the public key infrastructure (PKI) operates as intended, is available when required and can be recovered in the event of an emergency.
Section CB6.4 Web-enabled applications
Principle Specialised procedural and technical controls should be applied to web-enabled applications and the servers on which they run.
Objective To ensure that the increased risks associated with web-enabled applications are minimised.
Computer Installations
Computer installations typically support critical business applications and safeguarding them is, therefore, a key priority. Since the same information security principles apply to any computer installation (irrespective of its location, its scale or the types of computer involved), a common standard of good practice for information security should be applied.
Area CI1 INSTALLATION MANAGEMENT
Computer installations used for processing information need to be well managed. Accordingly, this area covers the roles and responsibilities of the staff involved in running computer installations, agreements made with business users, management of key assets (eg hardware and software) and monitoring of the systems associated with the installation.
Section CI1.1 Roles and responsibilities
Principle An owner should be identified for the computer installation, and responsibilities for key tasks assigned to individuals who are capable of performing them.
Objective To achieve individual accountability for the computer installation, provide a sound management structure for staff running the installation and give responsible individuals a vested interest in its protection.
Section CI1.2 Service agreements
Principle Users' service requirements should be classified in a way that identifies their criticality to the business, and documented in contracts or service level agreements.
Objective To define the business requirements, including information security requirements, for services provided by the computer installation.
Section CI1.3 Asset management
Principle Essential information about hardware and software (eg unique identifiers, version numbers and physical locations) should be recorded in inventories, and software licensing requirements met.
Objective To protect information stored in or processed by the computer installation and to meet legal / regulatory requirements.
Section CI1.4 System monitoring
Principle Systems associated with the computer installation should be monitored continuously, and reviewed from a business user's perspective.
Objective To assess the performance of the computer installation, reduce the likelihood of system overload and detect potential or actual malicious intrusions.
Area CI2 LIVE ENVIRONMENT
Service targets are more likely to be achieved if computer installations are designed well. Accordingly, this area covers the design of the installation, logging of key security-related events and the configuration of host systems and workstations. It also covers the resilience of the installation and its protection from physical loss or damage.
Section CI2.1 Installation design
Principle Computer installations should be designed to cope with current and predicted information processing requirements and be protected using a range of in-built security controls.
Objective To produce a computer installation that has security functionality built-in and enables additional controls to be incorporated easily.
Section CI2.2 Security event logging
Principle Important security-related events should be recorded in logs, stored centrally, protected against unauthorised change and analysed on a regular basis.
Objective To identify threats that may lead to an information security incident, and maintain the integrity of important security-related information.
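The principle above asks for logs that are stored centrally, protected against unauthorised change and analysed regularly, but does not say how tamper protection can be achieved. The following is an added example (not text or code from the ISF Standard) of one way to make a central event log tamper-evident: each record is tagged with an HMAC over its own content and the previous record's tag, so any edit, deletion or reordering breaks the chain on verification. The key, event fields and sample events are constructed for the example; the key is assumed to be held only on the central log host, not on the systems that send events.

```python
"""Tamper-evident security event log (added example illustrating CI2.2).

Each record carries an HMAC over its own canonical content plus the previous
record's tag. Verification recomputes the chain from a known anchor, so a
modified, deleted or reordered record is detected. The key and sample events
below are constructed for the example and are not real data.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumption: the key is held only on the central log host, so a compromised
# event producer cannot forge tags for records it did not write.
LOG_KEY = b"example-only-key-replace-with-a-managed-secret"

GENESIS = "0" * 64  # tag that anchors the first record of the chain


def _tag(prev_tag: str, body: Dict) -> str:
    # Canonical JSON so the same record always produces the same tag.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_tag.encode() + data, hashlib.sha256).hexdigest()


def append_event(log: List[Dict], event: Dict) -> Dict:
    """Append an event, chaining it to the previous entry's tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    entry = {"seq": len(log), "event": dict(event)}  # copy: callers may reuse dicts
    entry["tag"] = _tag(prev_tag, {"seq": entry["seq"], "event": entry["event"]})
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, otherwise (False, seq) for the
    first record whose position or tag does not verify."""
    prev_tag = GENESIS
    for expected_seq, entry in enumerate(log):
        if entry.get("seq") != expected_seq:      # a record was removed or reordered
            return False, expected_seq
        recomputed = _tag(prev_tag, {"seq": entry["seq"], "event": entry["event"]})
        if not hmac.compare_digest(recomputed, entry["tag"]):  # content was altered
            return False, expected_seq
        prev_tag = entry["tag"]
    return True, None


def failed_logons_by_user(log: List[Dict], threshold: int = 3) -> Dict[str, int]:
    """A simple regular-analysis pass: users with at least `threshold` failed logons."""
    counts: Dict[str, int] = {}
    for entry in log:
        ev = entry["event"]
        if ev.get("type") == "logon" and ev.get("result") == "failure":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample events; not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "2007-06-01T08:00:01Z", "host": "app01", "type": "logon", "user": "alice", "result": "success"},
    {"ts": "2007-06-01T08:02:11Z", "host": "app01", "type": "logon", "user": "bob", "result": "failure"},
    {"ts": "2007-06-01T08:02:19Z", "host": "app01", "type": "logon", "user": "bob", "result": "failure"},
    {"ts": "2007-06-01T08:02:27Z", "host": "app01", "type": "logon", "user": "bob", "result": "failure"},
    {"ts": "2007-06-01T08:05:00Z", "host": "db01", "type": "privilege", "user": "alice", "result": "success"},
]


def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(log, ev)
    return log


def tamper_demo() -> Tuple[bool, Optional[int]]:
    """Rewrite an already-stored record; verification flags that record."""
    log = build_sample_log()
    log[1]["event"]["result"] = "success"
    return verify_chain(log)


def deletion_demo() -> Tuple[bool, Optional[int]]:
    """Silently drop a record; the sequence gap is flagged at that position."""
    log = build_sample_log()
    del log[2]
    return verify_chain(log)


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample))
    print("after edit:", tamper_demo())
    print("after deletion:", deletion_demo())
    print("repeated failures:", failed_logons_by_user(sample))
```

A chain like this detects tampering but does not prevent it; the verified tags (or a periodic digest of the latest tag) still need to be kept somewhere the log host's administrators cannot alter, which is the reason the principle calls for central storage and regular analysis rather than either alone.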
Section CI2.3 Host system configuration
Principle Host systems should be configured to function as required, and to prevent unauthorised or incorrect updates.
Objective To ensure host systems operate as intended and do not compromise the security of the computer installation.
Section CI2.4 Workstation protection
Principle Workstations connected to systems within the computer installation should be purchased from approved suppliers, tested prior to use, supported by maintenance arrangements, and protected by physical and logical controls.
Objective To ensure workstations operate as intended and do not compromise the security of the systems to which they are connected.
Section CI2.5 Resilience
Principle The computer installation should be run on robust, reliable hardware and software, supported by alternative or duplicate facilities.
Objective To ensure that the systems supported by the computer installation are available when required.
Section CI2.6 Hazard protection
Principle Computer equipment and facilities should be protected against fire, flood, environmental and other natural hazards.
Objective To prevent services being disrupted by damage to computer equipment or facilities caused by fire, flood and other types of hazard.
Section CI2.7 Power supplies
Principle Critical computer equipment and facilities should be protected against power outages.
Objective To prevent services provided by the computer installation from being disrupted by loss of power.
Section CI2.8 Physical access
Principle Physical access to critical computer installation facilities should be restricted to authorised individuals.
Objective To prevent services being disrupted by loss of or damage to equipment or facilities.
Area CI3 SYSTEM OPERATION
Achieving service targets requires computer installations to be run in accordance with sound disciplines. Accordingly, this area covers basic controls over system operation (ie handling computer media, back-up and change management) and arrangements for identifying and resolving incidents (ie information security incident management and emergency fixes).
Section CI3.1 Handling computer media
Principle Information held on data storage media (including magnetic tapes, disks, printed results, and stationery) should be protected against corruption, loss or disclosure, and additional security controls applied to media containing sensitive information.
Objective To protect computer media in accordance with information security and regulatory requirements.
Section CI3.2 Back-up
Principle Back-ups of essential information and software used by the computer installation should be performed on a regular basis, according to a defined cycle.
Objective To ensure that, in the event of an emergency, essential information and software required by the installation can be restored within critical timescales.
Section CI3.3 Change management
Principle Changes to any part of the computer installation should be tested, reviewed and applied using a change management process.
Objective To ensure that changes are applied correctly and do not compromise the security of the installation.
Section CI3.4 Information security incident management
Principle Information security incidents should be identified, responded to, recovered from, and followed up using an information security incident management process.
Objective To identify and resolve information security incidents effectively, minimise their business impact and reduce the risk of similar incidents occurring.
Section CI3.5 Emergency fixes
Principle Emergency fixes to computer equipment, business applications, systems software and business information should be tested, reviewed and applied quickly and effectively, in accordance with documented standards / procedures.
Objective To respond to emergencies in a timely and secure manner, while reducing disruption to the organisation.
Section CI3.6 Patch management
Principle A process should be established for managing the application of system and software patches, which is supported by documented standards / procedures.
Objective To address technical system and software vulnerabilities quickly and effectively in order to reduce the likelihood of a serious business impact arising.
Area CI4 ACCESS CONTROL
Effective access control mechanisms can reduce the risk of unauthorised access to information and systems. Accordingly, this area covers the access control disciplines applied to users and the steps taken to restrict access to information and systems within the computer installation.
Section CI4.1 Access control arrangements
Principle Access control arrangements should be established to restrict access by all types of user to approved system capabilities of the computer installation.
Objective To ensure that only authorised individuals gain access to information or systems within the computer installation, and that individual accountability is assured.
Section CI4.2 User authorisation
Principle All users of the computer installation should be authorised before they are granted access privileges.
Objective To restrict access to any information or systems within the computer installation to authorised users.
Section CI4.3 Access privileges
Principle All users of the computer installation should be assigned specific privileges to allow them to access particular information or systems.
Objective To provide authorised users with access privileges which are sufficient to enable them to perform their duties but do not permit them to exceed their authority.
Section CI4.4 Sign-on process
Principle Users should follow a rigorous system sign-on process before being provided with access to target systems.
Objective To prevent unauthorised users from gaining access to any information or systems within the computer installation.
Section CI4.5 User authentication
Principle All users should be authenticated by using UserIDs and passwords or by strong authentication mechanisms (eg smartcards or biometric devices, such as fingerprint recognition) before they can gain access to target systems.
Objective To prevent unauthorised users from gaining access to any information or systems within the computer installation.
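Sections CI4.4 and CI4.5 require a rigorous sign-on process with authentication by UserID and password (or stronger mechanisms), but the page does not spell out what "rigorous" means in code. The following is an added example, not ISF text or code, of the password branch of such a process: passwords are stored as salted PBKDF2 digests, comparison is constant-time, the failure message is identical for an unknown UserID, a wrong password and a locked account (so the process reveals nothing to an attacker), and repeated failures lock the account for a period. The account store, iteration count, lockout threshold and sample user are assumptions for the example; a real installation would use its directory service and tune the work factor.

```python
"""Sign-on check (added example illustrating CI4.4 / CI4.5; not ISF code).

Demonstrates salted password hashing, constant-time comparison, a uniform
failure response and lockout after repeated failures. The in-memory store,
parameters and the sample account are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune to the host's CPU budget
MAX_FAILURES = 5             # assumption: failed attempts before lockout
LOCKOUT_SECONDS = 900        # assumption: lockout period
GENERIC_FAILURE = "Sign-on failed"  # same text for every failure cause


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(store: Dict[str, Account], user: str, password: str) -> None:
    salt = os.urandom(16)  # per-account salt defeats precomputed tables
    store[user] = Account(salt=salt, digest=_digest(password, salt))


# Used for unknown UserIDs so the response time does not reveal whether an
# account exists.
_DECOY_SALT = os.urandom(16)


def sign_on(store: Dict[str, Account], user: str, password: str, now: float) -> Tuple[bool, str]:
    """Return (ok, message). `now` is the current time in seconds, passed in
    so the behaviour is deterministic and testable."""
    acct = store.get(user)
    if acct is None:
        _digest(password, _DECOY_SALT)  # burn the same work as a real check
        return False, GENERIC_FAILURE
    if now < acct.locked_until:
        return False, GENERIC_FAILURE   # locked: do not reveal it, do not reset timer
    if hmac.compare_digest(_digest(password, acct.salt), acct.digest):
        acct.failures = 0
        return True, "Welcome"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
    return False, GENERIC_FAILURE


def lockout_demo() -> List[bool]:
    """Drive a sample account through success, repeated failure, lockout and
    recovery; returns the ok flag of each attempt."""
    store: Dict[str, Account] = {}
    create_account(store, "alice", "correct horse battery staple")  # constructed
    results = [sign_on(store, "alice", "correct horse battery staple", 0.0)[0]]
    for i in range(MAX_FAILURES):
        results.append(sign_on(store, "alice", "wrong password", 1.0 + i)[0])
    # Correct password while locked still fails; after the period it succeeds.
    results.append(sign_on(store, "alice", "correct horse battery staple", 10.0)[0])
    results.append(sign_on(store, "alice", "correct horse battery staple", 10.0 + LOCKOUT_SECONDS)[0])
    return results


def uniform_message_demo() -> List[str]:
    """Messages for unknown user, wrong password and locked account."""
    store: Dict[str, Account] = {}
    create_account(store, "bob", "hunter2")  # constructed
    msgs = [sign_on(store, "nobody", "x", 0.0)[1], sign_on(store, "bob", "wrong", 0.0)[1]]
    store["bob"].locked_until = 1000.0
    msgs.append(sign_on(store, "bob", "hunter2", 0.0)[1])
    return msgs


if __name__ == "__main__":
    print("attempt results:", lockout_demo())
    print("failure messages:", uniform_message_demo())
```

The lockout window here is a simple fixed period; in practice the threshold and period are set per the installation's access control standards, and the failed and locked events are themselves logged so they can be reviewed under CI2.2.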
Area CI5 LOCAL SECURITY MANAGEMENT
A computer installation typically supports one or more critical business applications, holds information that needs to be protected, and is an important asset in its own right. Each of these perspectives needs to be considered in order to provide appropriate protection. Accordingly, this area covers the arrangements made to identify the relative importance of the computer installation, the associated business risks and the level of protection required. It also covers the arrangements made to ensure that information security is co-ordinated locally, staff are aware of information security and understand their personal responsibilities, and the need for the installation to be subject to thorough, independent and regular security audits / reviews.
Section CI5.1 Local security co-ordination
Principle An individual should be appointed to co-ordinate the information security activities associated with the computer installation.
Objective To ensure that security activities are carried out in a timely and accurate manner, and that security issues are resolved effectively.
Section CI5.2 Security awareness
Principle Individuals running the installation should be made aware of the key elements of information security and why it is needed, and understand their personal information security responsibilities.
Objective To ensure individuals running the installation apply security controls and prevent important information stored in or processed by the installation from being compromised or disclosed to unauthorised individuals.
Section CI5.3 Information classification
Principle Information stored or processed within the computer installation should be classified according to its confidentiality, using an approved information classification scheme.
Objective To determine the level of protection that should be applied to the computer installation, thereby preventing unauthorised disclosure.
Section CI5.4 Information risk analysis
Principle The computer installation should be subject to an information risk analysis on a regular basis, the results of which should be documented, reviewed, and agreed.
Objective To identify key information risks associated with the computer installation and determine the security controls required in order to keep those risks within acceptable limits.
Section CI5.5 Security audit / review
Principle The information security status of the computer installation should be subject to thorough, independent and regular security audits / reviews.
Objective To ensure that security controls have been implemented effectively, that risk is being managed and to provide the installation owner, and top management, with an independent assessment of the security status of the installation.
Area CI6 SERVICE CONTINUITY
If there is a serious interruption to information processing (eg if a disaster occurs), the computer installation may be unavailable for a prolonged period. Considerable forethought is required to enable information processing to continue in these circumstances and to keep the business impact to a minimum. Accordingly, this area covers the development of contingency plans and arrangements, and their validation.
Section CI6.1 Contingency plans
Principle A contingency plan should be developed and documented.
Objective To provide individuals with a documented set of actions to perform in the event of a disaster, enabling information processing to be resumed within critical timescales.
Section CI6.2 Contingency arrangements
Principle Alternative processing arrangements should be established, and made available when required.
Objective To enable information processing to resume within critical timescales, using alternative facilities.
Section CI6.3 Validation and maintenance
Principle Contingency plans and arrangements should be tested on a regular basis.
Objective To ensure that information processing can resume within critical timescales, using alternative facilities.
Networks
Computer networks convey information and provide a channel of access to information systems. By their nature, they are highly vulnerable to disruption and abuse. Safeguarding business communications requires robust network design, well-defined network services, and sound disciplines to be observed in running networks and managing security. These factors apply equally to local and wide area networks, and to data and voice communications.
Area NW1 NETWORK MANAGEMENT
Computer networks are complex. They have to link different systems together, are subject to constant change and often rely on services provided by external parties. Orchestrating the technical and organisational issues involved requires sound management. Accordingly, this area covers the organisational arrangements for running a network, its design, resilience and documentation, and the management of relationships with service providers.
Section NW1.1 Roles and responsibilities
Principle An owner should be identified for the network, and responsibilities for key tasks assigned to individuals who are capable of performing them.
Objective To achieve individual accountability for the network, provide a sound management structure for staff running the network and give responsible individuals a vested interest in its protection.
Section NW1.2 Network design
Principle The network should be designed to cope with current and predicted levels of traffic and be protected using a range of in-built security controls.
Objective To produce an operational network that has security functionality built-in and enables additional controls to be incorporated easily.
Section NW1.3 Network resilience
Principle The network should be run on robust, reliable hardware and software, supported by alternative or duplicate facilities.
Objective To ensure that the network is available when required.
Section NW1.4 Network documentation
Principle Networks should be supported by accurate, up-to-date documentation.
Objective To ensure that the network is configured accurately and securely.
Section NW1.5 Service providers
Principle Network services should only be obtained from service providers capable of providing required security controls, and be supported by documented contracts or service level agreements.
Objective To define the business requirements for network service providers, including those for security, and ensure they are met.
Area NW2 TRAFFIC MANAGEMENT
Computer networks can handle many types of traffic from a wide variety of sources. To manage network traffic effectively, network devices (eg firewalls) have to be configured correctly and particular types of network traffic denied access. Accordingly, this area covers the disciplines required to ensure undesirable network traffic and unauthorised external or wireless users are prevented from gaining access to the network.
Section NW2.1 Configuring network devices
Principle Network devices (eg firewalls) should be configured to function as required, and to prevent unauthorised or incorrect updates.
Objective To ensure that the configuration of network devices is accurate and does not compromise the security of the network.
Section NW2.2 Firewalls
Principle Network traffic should be routed through a well-configured firewall, prior to being allowed access to the network, or before leaving the network.
Objective To prevent unauthorised network traffic from gaining access to the network, or leaving the network.
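Sections NW2.1 and NW2.2 call for firewalls that are "well-configured" and that screen traffic both entering and leaving the network, without saying what that looks like. The following is an added example (not text or code from the ISF Standard) of the evaluation model behind a typical rule set: rules are matched first-match in order, there is an explicit default deny in both directions, and a small check flags an "allow anything" rule that would silently override everything placed after it. The address ranges, rules and sample packets are constructed for the example and stand in for the real rule syntax of whatever firewall product is in use.

```python
"""First-match firewall policy with default deny in both directions
(added example illustrating NW2.1 / NW2.2; not ISF code).

Addresses use the RFC 5737 documentation ranges; the rules and packets are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" (entering the network) or "out" (leaving it)
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range; None = any
    comment: str = ""              # why the rule exists (NW1.4 documentation)

    def matches(self, direction: str, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.direction != direction or self.proto not in ("any", proto):
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None and not (self.dports[0] <= dport <= self.dports[1]):
            return False
        return True


DEFAULT = ("deny", "default deny: no rule matched")

# Constructed policy: 203.0.113.0/24 is the protected network.
POLICY: List[Rule] = [
    Rule("in",  "allow", "tcp", "0.0.0.0/0",      "203.0.113.0/24",   (443, 443), "public web service"),
    Rule("in",  "allow", "tcp", "192.0.2.0/24",   "203.0.113.10/32",  (22, 22),   "admin SSH from the management network only"),
    Rule("out", "allow", "udp", "203.0.113.0/24", "198.51.100.53/32", (53, 53),   "DNS to the approved resolver"),
    Rule("out", "allow", "tcp", "203.0.113.0/24", "0.0.0.0/0",        (443, 443), "outbound HTTPS for vendor updates"),
]

# The same policy with a permissive rule left at the top: a common way a
# "well-configured" firewall quietly stops being one.
BAD_POLICY: List[Rule] = [
    Rule("in", "allow", "any", "0.0.0.0/0", "0.0.0.0/0", None, "temporary troubleshooting rule")
] + POLICY


def evaluate(policy: List[Rule], direction: str, proto: str, src: str, dst: str,
             dport: int = 0) -> Tuple[str, str]:
    """First matching rule decides; anything unmatched is denied."""
    for rule in policy:
        if rule.matches(direction, proto, src, dst, dport):
            return rule.action, rule.comment
    return DEFAULT


def overbroad_rules(policy: List[Rule]) -> List[int]:
    """Indices of allow rules that permit any source to any destination on any port."""
    flagged = []
    for i, r in enumerate(policy):
        if (r.action == "allow"
                and ipaddress.ip_network(r.src).prefixlen == 0
                and ipaddress.ip_network(r.dst).prefixlen == 0
                and r.dports is None):
            flagged.append(i)
    return flagged


# Constructed sample traffic: (direction, proto, src, dst, dport)
SAMPLE_PACKETS = [
    ("in",  "tcp", "198.51.100.7", "203.0.113.10", 443),   # web client: allowed
    ("in",  "tcp", "198.51.100.7", "203.0.113.10", 22),    # SSH from the Internet: denied
    ("in",  "tcp", "192.0.2.5",    "203.0.113.10", 22),    # SSH from management net: allowed
    ("out", "tcp", "203.0.113.10", "198.51.100.9", 4444),  # unexpected egress: denied
    ("out", "udp", "203.0.113.10", "198.51.100.53", 53),   # DNS to the resolver: allowed
]


def decisions(policy: List[Rule]) -> List[str]:
    return [evaluate(policy, *pkt)[0] for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE_PACKETS, [evaluate(POLICY, *p) for p in SAMPLE_PACKETS]):
        print(pkt, "->", action, "(" + why + ")")
    print("over-broad rules in POLICY:", overbroad_rules(POLICY))
    print("over-broad rules in BAD_POLICY:", overbroad_rules(BAD_POLICY))
```

The egress rules matter as much as the ingress ones: with only inbound filtering the fourth sample packet, an outbound connection to an arbitrary high port, would pass unchallenged. Checks such as `overbroad_rules` belong in the change management step of NW3.2, run against the proposed rule set before it is applied.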
Section NW2.3 External access
Principle All external connections to the network should be individually identified, verified, recorded, and approved by the network owner.
Objective To prevent unauthorised external users from gaining access to the network.
Section NW2.4 Wireless access
Principle Wireless access should be authorised, users authenticated, and wireless traffic encrypted.
Objective To ensure that only authorised individuals gain wireless access to the network and minimise the risk of wireless transmissions being monitored, intercepted or modified.
Area NW3 NETWORK OPERATIONS
Maintaining continuity of service to users requires computer networks to be run in accordance with sound disciplines. Accordingly, this area covers the arrangements needed to monitor network performance and to manage changes and information security incidents. In addition, the area covers the arrangements required to provide physical security, perform back-ups and ensure service continuity.
Section NW3.1 Network monitoring
Principle Network activity should be monitored using a range of techniques such as capacity planning; review of network and intrusion detection logs; and examination of usage reports from service providers.
Objective To assess the performance of the network, reduce the likelihood of network overload and detect potential or actual malicious intrusions.
Section NW3.2 Change management
Principle Changes to the network should be tested, reviewed and applied using a change management process.
Objective To ensure that changes are applied correctly and do not compromise the security of the network.
Section NW3.3 Information security incident management
Principle Information security incidents should be identified, responded to, recovered from, and followed up using an information security incident management process.
Objective To identify and resolve network information security incidents effectively, minimise their business impact and reduce the risk of similar incidents occurring.
Section NW3.4 Physical security
Principle Physical access to critical network facilities should be restricted to authorised individuals.
Objective To prevent services being disrupted by loss of, or damage to, communications equipment, power or facilities.
Section NW3.5 Back-up
Principle Back-ups of essential information and software used by the network should be performed on a regular basis, according to a defined cycle.
Objective To ensure that, in the event of an emergency, essential network information or software required by the network can be restored within critical timescales.
Section NW3.6 Service continuity
Principle A service continuity plan should be established, supported by effective contingency arrangements, and tested regularly.
Objective To enable critical network services to continue in the event of a disaster.
Section NW3.7 Remote maintenance
Principle Remote maintenance of the network should be restricted to authorised individuals, confined to individual sessions, and subject to review.
Objective To prevent unauthorised access to the network through the misuse of remote maintenance facilities.
Area NW4 LOCAL SECURITY MANAGEMENT
Computer networks play an essential role in the functioning of many critical business applications. They convey information that needs to be protected, and are valuable assets in their own right. Accordingly, this area covers the arrangements made to identify the relative importance of the network, the associated business risks and the level of protection required. The area also covers the arrangements made to ensure that information security is co-ordinated locally, network staff are aware of information security and understand their personal responsibilities, and the need for the network to be subject to thorough, independent and regular security audits / reviews.
Section NW4.1 Local security co-ordination
Principle An individual should be appointed to co-ordinate the information security activities associated with the network.
Objective To ensure that security activities are carried out in a timely and accurate manner, and that security issues are resolved effectively.
Section NW4.2 Security awareness
Principle Individuals maintaining the network should be made aware of the key elements of information security and why it is needed, and understand their personal information security responsibilities.
Objective To ensure individuals maintaining the network apply security controls and prevent important information from being compromised or disclosed to unauthorised individuals.
Section NW4.3 Information classification
Principle Information transmitted over the network should be classified according to its confidentiality, using an approved information classification scheme.
Objective To determine the level of protection that should be applied to the network, thereby preventing unauthorised disclosure.
Section NW4.4 Information risk analysis
Principle The network should be subject to an information risk analysis on a regular basis, the results of which should be documented, reviewed and agreed.
Objective To identify key information risks associated with the network and determine the security controls required in order to keep those risks within acceptable limits.
Section NW4.5 Security audit / review
Principle The information security status of the network should be subject to thorough, independent and regular security audits / reviews.
Objective To ensure that security controls have been implemented effectively, that information risk is being managed and to provide the network owner, and top management, with an independent assessment of the security status of the network.
Area NW5 VOICE NETWORKS
Business processes can be disrupted if voice networks, such as telephone systems, are unavailable or overloaded. Harm can also be caused if voice networks are subject to unauthorised use by outsiders, or sensitive conversations are overheard. Accordingly, this area covers the security arrangements applied to traditional voice and Voice over IP (VoIP) networks.
Section NW5.1 Voice network documentation
Principle Voice networks should include documentation of essential components and be supported by documented standards / procedures.
Objective To provide employees with a clear statement of the security disciplines they are expected to follow in relation to voice networks.
Section NW5.2 Resilience of voice networks
Principle Voice networks should be supported by a robust and reliable set of hardware and software, and be supported by alternative facilities.
Objective To ensure that voice network facilities (eg telephone exchanges) are available when required.
Section NW5.3 Special voice network controls
Principle Voice network facilities (eg telephone exchanges) should be monitored regularly and access to them restricted.
Objective To prevent and detect unauthorised use or misuse of voice network facilities.
Section NW5.4 Voice over IP (VoIP) networks
Principle Voice over IP (VoIP) networks should be approved, and protected by a combination of general, network and VoIP-specific controls.
Objective To ensure the availability of the VoIP network, and protect the confidentiality and integrity of sensitive information (eg the content of telephone calls) in transit.
Systems Development
Building security into systems during their development is more cost-effective and secure than applying it afterwards. It requires a coherent approach to systems development as a whole, and sound disciplines to be observed throughout the development cycle. Ensuring that information security is addressed at each stage of the cycle is of key importance.
Area SD1 DEVELOPMENT MANAGEMENT
Producing robust systems, on which the organisation can depend, requires a sound approach to systems development. Accordingly, this area covers the organisation of systems development staff, the methodology used in developing systems, quality assurance and the security of development environments.
Section SD1.1 Roles and responsibilities
Principle An individual should be appointed to manage systems development activities, and responsibilities for key tasks assigned to individuals who are capable of performing them.
Objective To achieve individual accountability for systems development activities and provide a sound management structure for staff performing them.
Section SD1.2 Development methodology
Principle Development activities should be carried out in accordance with a documented system development methodology.
Objective To ensure that systems under development meet business requirements, including those for information security.
Section SD1.3 Quality assurance
Principle Quality assurance of key security activities should be performed during the system development life cycle.
Objective To provide assurance that security requirements are defined adequately, agreed security controls are developed, and security requirements are met.
Section SD1.4 Development environments
Principle System development activities should be performed in specialised development environments, which are isolated from the live and testing environments, and protected against unauthorised access.
Objective To provide a secure environment for system development activities, and avoid any disruption to mainstream business activity.
Area SD2 LOCAL SECURITY MANAGEMENT
In common with live systems, systems under development need to be supported by a sound organisational structure and run by individuals who are aware of information security and know how to apply security controls effectively. Accordingly, this area covers the arrangements made to ensure that information security is co-ordinated locally, systems development staff are aware of information security and understand their personal responsibilities, and the need for systems development activities to be subject to thorough, independent and regular security audits / reviews.
Section SD2.1 Local security co-ordination
Principle An individual should be appointed to co-ordinate information security activities associated with systems development.
Objective To ensure that security activities are carried out in a timely and accurate manner, and that information security issues are resolved effectively.
Section SD2.2 Security awareness
Principle Systems developers should be made aware of the key elements of information security and why it is needed, and understand their personal information security responsibilities.
Objective To ensure systems developers apply security controls and prevent important information from being compromised or disclosed to unauthorised individuals.
Section SD2.3 Security audit / review
Principle The information security status of systems development activity should be subject to thorough, independent and regular security audits / reviews.
Objective To ensure that security controls are designed effectively, that risk is managed, and to provide the business owner and top management with an independent assessment of the information security status of systems development activities.
Area SD3 BUSINESS REQUIREMENTS
A thorough understanding of business requirements (including those for the confidentiality, integrity and availability of information) is essential if systems are to fulfil their intended purpose. Accordingly, this area covers the arrangements made for specifying business requirements, determining security requirements and conducting information risk analyses.
Section SD3.1 Specification of requirements
Principle Business requirements (including those for information security) should be documented and agreed before detailed design commences.
Objective To ensure that information security requirements are treated as an integral part of business requirements, fully considered and approved.
Section SD3.2 Confidentiality requirements
Principle The business impact of unauthorised disclosure of business information stored in or processed by the system under development should be assessed.
Objective To document and agree the confidentiality requirements (the need for information to be kept secret or private within a predetermined group) of the system under development.
Section SD3.3 Integrity requirements
Principle The business impact of the accidental corruption or deliberate manipulation of business information stored in or processed by the system under development should be assessed.
Objective To document and agree the integrity requirements (the need for information to be valid, accurate and complete) of the system under development.
Section SD3.4 Availability requirements
Principle The business impact of business information stored in or processed by the system under development being unavailable for any length of time should be assessed.
Objective To document and agree the availability requirements (the need for information to be accessible when required) of the system under development.
Section SD3.5 Information risk analysis
Principle Systems under development should be subject to a structured information risk analysis, the results of which should be documented, reviewed and agreed.
Objective To identify key information risks associated with critical systems under development and determine the security controls required in order to keep those risks within acceptable limits.
Area SD4 DESIGN AND BUILD
Building systems that function as intended requires the use of sound disciplines throughout the design and build stage of development. Accordingly, this area covers the arrangements needed to address information security during design, acquisition and system build, and the identification of required application, general and web-specific security controls.
Section SD4.1 System design
Principle Information security requirements for the system under development should be considered when designing the system.
Objective To produce a live system based on sound design principles which has security functionality built-in and enables controls to be incorporated easily.
Section SD4.2 Application controls
Principle The full range of application controls should be considered when designing the system under development.
Objective To ensure that required application controls are built into the system under development.
Section SD4.3 General security controls
Principle The full range of general security controls should be considered when designing the system under development.
Objective To ensure that required general security controls are established to support the system under development.
Section SD4.4 Acquisition
Principle Robust, reliable hardware and software should be acquired, following consideration of security requirements and identification of any security deficiencies.
Objective To ensure that hardware and software acquired from third parties provides the required functionality and does not compromise the security of systems under development.
Section SD4.5 System build
Principle System build activities (including coding and package customisation) should be carried out in accordance with industry good practice; performed by individuals provided with adequate skills / tools; and inspected to identify unauthorised modifications or changes.
Objective To ensure that systems are built correctly, able to withstand malicious attacks, and that no security weaknesses are introduced during the build process.
Section SD4.6 Web-enabled development
Principle Specialised technical security controls should be applied to the development of web-enabled applications.
Objective To ensure that the increased risks associated with the development of web-enabled applications are minimised.
Area SD5 TESTING
Testing is a fundamental element of good practice in systems development. Planned well and performed correctly, it provides assurance that systems, including security controls, function as intended and reduces the likelihood of system malfunctions occurring. Accordingly, this area covers the arrangements needed to carry out testing thoroughly, without disrupting other activities.
Section SD5.1 Testing process
Principle All elements of a system (including application software packages, system software, hardware and services) should be tested before the system is promoted to the live environment.
Objective To ensure systems function correctly and meet security requirements.
Section SD5.2 Acceptance testing
Principle Systems under development should be subject to rigorous acceptance testing in a separate area that simulates the live environment.
Objective To ensure that newly developed systems function as intended and do not compromise information security.
Area SD6 IMPLEMENTATION
Sound disciplines are required when new systems are promoted from the development into the live environment. Accordingly, this area covers system promotion criteria, the installation of new systems in the live environment and post-implementation reviews.
Section SD6.1 System promotion criteria
Principle Rigorous criteria should be met before new systems are promoted into the live environment.
Objective To ensure that only tested and approved versions of hardware and software are promoted into the live environment.
Section SD6.2 Installation process
Principle New systems should be installed in the live environment in accordance with a documented installation process.
Objective To minimise disruption to the organisation when new systems are installed in the live environment.
Section SD6.3 Post-implementation review
Principle Post-implementation reviews should be conducted for all new systems.
Objective To check that systems and information security controls function as intended.
End User Environment
Individuals in end user environments typically have access to corporate applications that are critical to the organisation and often develop critical desktop applications using powerful spreadsheets or databases. Furthermore, sensitive information can be processed or stored on local computing devices such as personal computers, hand-held devices or portable storage devices. Protecting this information is essential, and requires a combination of enterprise-driven and local activities, such as effective local security management; controlling access to corporate business applications; identifying and protecting important desktop applications; securing computing devices and electronic communications (eg e-mail, instant messaging and Internet access); and implementing effective business continuity arrangements.
Area UE1 LOCAL SECURITY MANAGEMENT
Minimising information risks within the end user environment requires effective security management and the contribution of all individuals. Accordingly, this area covers roles and responsibilities, user awareness, and training. It also addresses local security co-ordination and information classification.
Section UE1.1 Roles and responsibilities
Principle An owner should be identified for the end user environment, and responsibilities for key tasks assigned to individuals who are capable of performing them.
Objective To assign ownership of the end user environment, provide a sound management structure for staff and give responsible individuals a vested interest in the protection of the end user environment.
Section UE1.2 Security awareness
Principle Users should be made aware of the key elements of information security and why it is needed, and understand their personal information security responsibilities.
Objective To ensure users apply security controls and prevent important information from being compromised or disclosed to unauthorised individuals.
Section UE1.3 User training
Principle Users should be trained in how to run systems correctly and how to develop and apply security controls.
Objective To provide users with the skills required to protect systems and fulfil their information security responsibilities.
Section UE1.4 Local security co-ordination
Principle An individual should be appointed to co-ordinate information security activities in the end user environment.
Objective To ensure that security activities are carried out in a timely and accurate manner, and that security issues are resolved effectively.
Section UE1.5 Information classification
Principle Information stored in or processed by applications and systems in the end user environment should be classified according to its confidentiality, using an approved information classification scheme.
Objective To determine the level of protection that should be applied to applications and systems in the end user environment, thereby preventing unauthorised disclosure.
Area UE2 CORPORATE BUSINESS APPLICATIONS
Corporate business applications accessible from the end user environment should be protected from unauthorised access and the adverse consequences of change. Accordingly, this area covers the disciplines required to restrict access to corporate business applications and to ensure that changes made do not cause adverse business impact.
Section UE2.1 Access control
Principle Access to corporate systems should be restricted to authorised individuals.
Objective To ensure that only authorised individuals are granted access to corporate systems, and that individual accountability is assured.
Section UE2.2 Application sign-on process
Principle Users should be subject to a rigorous sign-on process before they are provided with access to corporate business applications.
Objective To ensure that only authorised users are granted access to corporate business applications.
Section UE2.3 Change management
Principle Changes to corporate business applications accessible from the end user environment should be tested, reviewed and applied using a change management process.
Objective To ensure that changes are applied correctly and do not compromise security.
Area UE3 DESKTOP APPLICATIONS
Protecting critical desktop applications in the end user environment, and the accuracy of the information they store or process, requires a combination of good practice in general information security, supported by a set of technical security controls specific to desktop applications. Accordingly, this area covers the recording of critical desktop applications in an inventory, the development of critical desktop applications, and their protection.
Section UE3.1 Inventory of desktop applications
Principle Critical desktop applications used in the end user environment should be recorded in an inventory, or equivalent.
Objective To maintain an accurate and up-to-date record of critical desktop applications in the end user environment, enabling them to be protected accordingly.
Section UE3.2 Protection of spreadsheets
Principle Critical desktop applications created using spreadsheet programs should be protected by validating input, implementing access control, and restricting access to powerful functionality.
Objective To assure the accuracy of information processed by critical spreadsheets, and protect that information from disclosure to unauthorised individuals.
Section UE3.3 Protection of databases
Principle Critical desktop applications created using database programs should be protected by validating input, implementing access control, and restricting access to powerful functionality.
Objective To assure the accuracy of information processed by critical databases, and protect that information from disclosure to unauthorised individuals.
Section UE3.4 Desktop application development
Principle Development of desktop applications should be carried out in accordance with a documented development methodology.
Objective To ensure desktop applications function correctly and meet security requirements.
Area UE4 COMPUTING DEVICES
The protection of computing devices used in the end user environment (and the information they store or process) requires a combination of both physical and logical controls to be applied. Accordingly, this area covers the disciplines required to configure, maintain and protect workstations, hand-held devices and portable storage devices.
Section UE4.1 Workstation protection
Principle Workstations used in the end user environment should be purchased from approved suppliers, tested prior to use, supported by maintenance arrangements and protected by physical and logical controls.
Objective To ensure workstations operate as intended, are available when required and do not compromise the security of information stored in or processed by them.
Section UE4.2 Hand-held devices
Principle Hand-held devices (eg Personal Digital Assistants (PDAs), WAP-based mobile phones and smartphones) used in the end user environment should be approved, protected by software controls and supported by standards / procedures for acceptable use.
Objective To ensure hand-held devices operate as intended, are available when required and do not compromise the security of information stored in or processed by them.
Section UE4.3 Portable storage devices
Principle The use of portable storage devices in the end user environment should be approved, access to them restricted, and information stored on them protected.
Objective To ensure that important information stored on portable storage devices is protected from unauthorised disclosure.
Area UE5 ELECTRONIC COMMUNICATIONS
Electronic communication in the end user environment should be subject to a range of controls which preserve the accuracy and confidentiality of information whilst also protecting the organisation from unintended consequences which may result from misuse of communications facilities. Accordingly, this area covers the approved use of electronic communications, end user behaviour when using electronic communication as well as the application of specific controls relating to e-mail; instant messaging; use of the Internet; Voice over IP (VoIP) networks; and wireless access.
Section UE5.1 General controls
Principle The use of electronic communications (eg e-mail, instant messaging, Internet access, Voice over IP or wireless access) should be supported by setting policy covering the types of communication permitted, and promoting user awareness of the security issues associated with their use.
Objective To ensure that the organisation's reputation is not damaged as a result of the transmission of inappropriate information, that the content of electronic communications is accurate, and that business activity is not disrupted by the introduction of malware.
Section UE5.2 E-mail
Principle Use of e-mail systems should be approved, and protected by a combination of policy, awareness, and procedural controls.
Objective To ensure that the confidentiality and integrity of messages is protected in transit, and the risk of misuse is minimised.
Section UE5.3 Instant messaging
Principle Use of instant messaging services should be approved, and protected by setting management policy, deploying instant messaging application controls and correctly configuring the security elements of an instant messaging infrastructure.
Objective To ensure that instant messaging services are available when required, the confidentiality and integrity of messages is protected in transit, and the risk of misuse is minimised.
Section UE5.4 Internet access
Principle Use of the Internet by end users should be approved, and protected by restricting the types of use permitted, deploying approved web browsers and promoting awareness of the risks associated with Internet access.
Objective To ensure that use of the Internet is restricted to legitimate business activity and that the risks associated with malicious code are minimised.
Section UE5.5 Voice over IP (VoIP) networks
Principle Voice over IP (VoIP) networks should be approved, and protected by a combination of general network and VoIP-specific controls.
Objective To ensure the availability of the VoIP network, protect the confidentiality and integrity of sensitive information in transit, and minimise the risk of misuse.
Section UE5.6 Wireless access
Principle Wireless access should be authorised, users authenticated and wireless traffic encrypted.
Objective To ensure that only authorised individuals can gain wireless access to the network, and minimise the risk of wireless transmissions being monitored, intercepted or modified.
Area UE6 ENVIRONMENT MANAGEMENT
End user environments are important to the success of the organisation; therefore, security arrangements within the end user environment should reflect those made on an enterprise-wide basis. Accordingly, this area covers the protection of personally identifiable information; information security incident management; back-up of important information and software; physical protection of the end user environment; and business continuity.
Section UE6.1 Information privacy
Principle Approved methods for handling personally identifiable information should be established and applied.
Objective To prevent information about individuals being used in an inappropriate manner, and to ensure compliance with legal and regulatory requirements for information privacy.
Section UE6.2 Information security incident management
Principle Information security incidents should be identified, responded to, recovered from, and followed up using an information security incident management process.
Objective To identify and resolve information security incidents effectively, minimise their business impact and reduce the risk of similar information security incidents occurring.
Section UE6.3 Back-up
Principle Back-ups of essential information, applications and software used in the end user environment should be performed on a regular basis, according to a defined cycle.
Objective To ensure that, in the event of an emergency, essential information or software required in the end user environment can be restored within critical timescales.
Section UE6.4 Physical and environmental protection
Principle The end user environment (and sensitive material stored within it) should be subject to a range of physical and environmental controls.
Objective To restrict physical access to authorised individuals and ensure that IT facilities processing critical information are available when required.
Section UE6.5 Business continuity
Principle A business continuity plan should be established, supported by contingency arrangements, and tested regularly.
Objective To enable the business processes associated with the end user environment to continue in the event of a disaster.
Topics Matrix