Security Policy
The objectives of this section are to provide management direction and support for information security. A policy document should be published and communicated to all employees, including overall objectives and scope. Specific elements may include compliance with legislative and contractual requirements, access to information resources, security education, monitoring and enforcement.
Security Organization
The objectives of this section are to develop a management framework for the purpose of implementing information security in a company. Roles and responsibilities are to be assigned. Special emphasis should be placed on information assets accessed by third parties. Outsourcing arrangements should be managed according to risk and corresponding controls.
Asset Classification and Control
All major information assets should be accounted for and have an assigned owner. Information assets include databases and data files, software assets and physical hardware. Information should be classified to indicate need, priorities and degree of protection.
Personnel Security
The objectives of this section are to reduce risks of human error, theft, fraud or misuse of IT facilities. Security should be considered when recruiting new employees, included in contracts and monitored during an individual's employment.
Physical and Environmental Security
The objectives of this section are to prevent unauthorized access, damage and interference to business information, activities and premises. IT facilities should be housed in secure areas and protected by a security perimeter with entry controls.
Computer & Operations Management
The objectives of this section are to ensure the correct and secure operation of information processing facilities. Advance planning and preparation are necessary to ensure adequate capacity and resources. Preventive controls are required to protect against malicious software, including viruses and trojan horses. Network management should include controls to protect data as well as network services from unauthorized access.
Access Control
The objectives of this section are to control access to information, ensure the protection of networked services, detect unauthorized activities and provide security for remote access.
System Development and Maintenance
The objectives of this section are to ensure security is designed into information systems; to prevent loss, modification or misuse of user data in application systems; to protect the confidentiality, authenticity and integrity of information; and to maintain the security of application system software and data.
Business Continuity Planning
The objective of this section is to protect critical business processes from the effects of major failures or disasters. The capability should be developed, maintained and practiced for quick response to interruptions.
Compliance
The objectives of this section are to avoid breaches of any criminal or civil law and of statutory, regulatory or contractual obligations. Information systems must also comply with organizational security policies and standards.