| Standard | Section | Details |
|---|---|---|
| 4 | Risk Assessment and Treatment | |
| 4.1 | Assessing security risks | Whether the organisation uses a systematic approach to estimating the magnitude of risks (risk analysis) and to comparing the estimated risks against risk criteria to determine their significance (risk evaluation). |
| 4.2 | Treating security risks | Whether there is a documented risk treatment for each type of risk identified. Whether there are predefined criteria for determining whether risks should be accepted and, if not, documentation showing what controls will be put in place to mitigate the risk. |
| 5 | Security Policy | |
| 5.1 | Information Security Policy | |
| 5.1.1 | Information security policy document | Whether there exists an information security policy that is approved by management, published and communicated as appropriate to all employees. Whether it states the management commitment and sets out the organisational approach to managing information security. |
| 5.1.2 | Review of the information security policy | Whether the security policy has an owner who is responsible for its maintenance and review according to a defined review process. Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example significant security incidents, new vulnerabilities or changes to the organisational or technical infrastructure. |
| 6 | Organisation of Information Security | |
| 6.1 | Internal organization | |
| 6.1.1 | Management commitment to information security | Whether there is active management support to ensure a clear direction, demonstrated commitment, and explicit assignment and acknowledgment of information security responsibilities within the organisation. |
| 6.1.2 | Information security co-ordination | Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate the implementation of information security controls. |
| 6.1.3 | Allocation of information security responsibilities | Whether responsibilities for the protection of individual assets and for carrying out specific security processes are clearly defined. |
| 6.1.4 | Authorisation process for information processing facilities | Whether there is a management authorisation process in place for any new information processing facility. This should include all new facilities, such as hardware and software. |
| 6.1.5 | Confidentiality agreements | Whether confidentiality or non-disclosure agreements exist and whether they reflect the need for the protection of information. Whether there is any review process. |
| 6.1.6 | Contact with authorities | Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators are maintained to ensure that appropriate action can be taken quickly and advice obtained in the event of a security incident. |
| 6.1.7 | Contact with special interest groups | Whether appropriate contacts with special interest groups or other specialist security forums and professional associations are maintained. |
| 6.1.8 | Independent review of information security | Whether the implementation of the security policy is reviewed independently on a regular basis. This is to provide assurance that organisational practices properly reflect the policy, and that it is feasible and effective. |
| 6.2 | External Parties | |
| 6.2.1 | Identification of risks from third parties | Whether risks from third party access are identified and appropriate security controls implemented. Whether the types of access are identified and classified, and the reasons for access justified. Whether security risks from third party contractors working onsite are identified and appropriate controls implemented. |
| 6.2.2 | Addressing security when dealing with customers | Whether security requirements are addressed before giving customers access to information or assets. |
| 6.2.3 | Addressing security requirements in third party agreements | Whether there is a formal contract containing, or referring to, all the security requirements needed to ensure compliance with the organisation's security policies and standards. |
| 7 | Asset Management | |
| 7.1 | Responsibility for Assets | |
| 7.1.1 | Inventory of assets | Whether an inventory or register is maintained of the important assets associated with each information system. Whether each asset identified has an owner, a defined and agreed security classification, and an identified location. |
| 7.1.2 | Ownership of assets | Whether information and assets associated with information processing facilities are owned by a designated part of the organisation. |
| 7.1.3 | Acceptable use of assets | Whether rules for the acceptable use of information and assets associated with information processing are documented and implemented. |
| 7.2 | Information Classification | |
| 7.2.1 | Classification guidelines | Whether there is an information classification scheme or guideline in place that assists in determining how the information is to be handled and protected. |
| 7.2.2 | Information labelling and handling | Whether an appropriate set of procedures is defined for information labelling and handling in accordance with the classification scheme adopted by the organisation. |
| 8 | Human Resources Security | |
| 8.1 | Prior to Employment | |
| 8.1.1 | Roles and responsibilities | Whether security roles and responsibilities, as laid down in the organisation's information security policy, are documented where appropriate. This should include general responsibilities for implementing or maintaining the security policy as well as specific responsibilities for the protection of particular assets, or for the execution of particular security processes or activities. |
| 8.1.2 | Screening | Whether verification checks on permanent staff were carried out at the time of job application. This should include character references, confirmation of claimed academic and professional qualifications, and independent identity checks. |
| 8.1.3 | Terms and conditions of employment | Whether the terms and conditions of employment cover the employee's responsibility for information security. Where appropriate, these responsibilities might continue for a defined period after the end of the employment. |
| 8.2 | During Employment | |
| 8.2.1 | Management responsibilities | Whether managers are aware of their responsibilities with regard to ensuring that established policies and procedures are applied by third parties, contractors and employees. |
| 8.2.2 | Information security awareness, education and training | Whether employees, third parties and contractors receive appropriate awareness training and regular updates on organisational policies and procedures as relevant to their job function. |
| 8.2.3 | Disciplinary process | Whether a formal disciplinary process exists for employees who have committed a security breach. |
| 8.3 | Termination or Change of Employment | |
| 8.3.1 | Termination responsibilities | Whether a formal procedure exists for performing employment terminations or changes of employment, and whether responsibility for this is assigned. |
| 8.3.2 | Return of assets | Whether a formal process exists for the return of assets allocated during employment. |
| 8.3.3 | Removal of access rights | Whether procedures are clearly established for removing access rights upon termination and adjusting access rights upon change of employment. |
| 9 | Physical and Environmental Security | |
| 9.1 | Secure Areas | |
| 9.1.1 | Physical security perimeter | What physical border security facility has been implemented to protect the information processing service. Examples of such facilities are card-controlled entry gates, walls, a manned reception, etc. |
| 9.1.2 | Physical entry controls | What entry controls are in place to allow only authorised personnel into the various areas within the organisation. |
| 9.1.3 | Securing offices, rooms and facilities | Whether the rooms that house the information processing service are locked or have lockable cabinets or safes. Whether the information processing service is protected from natural and man-made disasters. Whether there is any potential threat from neighbouring premises. |
| 9.1.4 | Protecting against external and environmental threats | Whether controls were adopted to minimise the risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic radiation and flood. Whether environmental conditions that could adversely affect the information processing facilities are monitored. |
| 9.1.5 | Working in secure areas | Whether information about secure areas is available only on a need-to-know basis. Whether there exist any security controls for third parties or for personnel working in secure areas. |
| 9.1.6 | Public access, delivery and loading areas | Whether the delivery area and the information processing area are isolated from each other to avoid any unauthorised access. Whether a risk assessment was conducted to determine the security required in such areas. |
| 9.2 | Equipment Security | |
| 9.2.1 | Equipment siting and protection | Whether the equipment is located in an appropriate place to minimise unnecessary access into work areas. Whether items requiring special protection are isolated to reduce the general level of protection required. Whether controls were adopted to minimise the risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic radiation and flood. Whether there is a policy on eating, drinking and smoking in proximity to information processing services. Whether environmental conditions that could adversely affect the information processing facilities are monitored. |
| 9.2.2 | Supporting utilities | Whether the equipment is protected from power failures and other disruptions by resilient power supplies such as multiple feeds, an uninterruptible power supply (UPS), a backup generator and other supporting utilities. |
| 9.2.3 | Cabling security | Whether the power and telecommunications cables carrying data or supporting information services are protected from interception or damage. Whether there are any additional security controls in place for sensitive or critical information. |
| 9.2.4 | Equipment maintenance | Whether the equipment is maintained as per the supplier's recommended service intervals and specifications. Whether maintenance is carried out only by authorised personnel. Whether logs are maintained of all suspected or actual faults and all preventive and corrective measures. Whether appropriate controls are implemented when sending equipment off premises. If the equipment is covered by insurance, whether the insurance requirements are satisfied. |
| 9.2.5 | Securing of equipment off-premises | Whether any use of equipment outside the organisation's premises for information processing has to be authorised by management. Whether the security provided for this equipment while outside the premises is on a par with, or greater than, the security provided inside the premises. |
| 9.2.6 | Secure disposal or re-use of equipment | Whether storage devices containing sensitive information are physically destroyed or securely overwritten. |
| 9.2.7 | Removal of property | Whether equipment, information or software can be taken offsite without appropriate authorisation. Whether spot checks or regular audits are conducted to detect unauthorised removal of property. Whether individuals are aware of these spot checks or regular audits. |
| 10 | Communications and Operations Management | |
| 10.1 | Operational Procedures and Responsibilities | |
| 10.1.1 | Documented operating procedures | Whether the security policy has identified any operating procedures such as back-up, equipment maintenance, etc. Whether such procedures are documented and used, and whether audit logs are available. |
| 10.1.2 | Change management | Whether all operational programs running on systems are subject to strict change control, i.e. any change to be made to those production programs needs to go through change control authorisation. Whether audit logs are maintained for any changes made to the programs. |
| 10.1.3 | Segregation of duties | Whether duties and areas of responsibility are separated in order to reduce opportunities for unauthorised modification or misuse of information or services. |
| 10.1.4 | Separation of development and operational facilities | Whether the development and testing facilities are isolated from operational facilities. For example, development software should run on a different computer from the one running production software. Where necessary, development and production networks should be separated from each other. |
| 10.2 | Third Party Service Delivery Management | |
| 10.2.1 | Service delivery | Whether the security controls, service definitions and delivery levels included in third party service delivery agreements are implemented, operated and maintained by the third parties. Whether there is documented evidence that the above is monitored. |
| 10.2.2 | Monitoring and review of third party services | Whether third party performance is audited to ensure that it meets the specified deliverables. Whether responsibility for managing the relationship with third parties is assigned to a designated individual or service management team. |
| 10.2.3 | Managing changes to third party services | Whether changes to the provision of services by a third party are subject to a formal management process. Whether a reassessment of risk is undertaken to ensure that the new requirements are covered by existing contracts, policies, procedures and controls. |
| 10.3 | System Planning and Acceptance | |
| 10.3.1 | Capacity management | Whether the use of resources is monitored and tuned, and projections of future capacity requirements are made. This is to ensure that adequate processing power and storage are available. Example: monitoring hard disk space, RAM and CPU on critical servers. |
| 10.3.2 | System acceptance – new information systems, upgrades and new versions | Whether system acceptance criteria are established for new information systems, upgrades and new versions. Whether suitable tests were carried out prior to acceptance. |
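Control 10.3.1 asks for both monitoring and projection of capacity. The following added example (not part of the checklist, and not any particular organisation's tooling) fits a linear trend to constructed daily disk-usage readings from a hypothetical 800 GB server, projects when usage will cross a 90% threshold, and flags point-in-time CPU/RAM/disk readings that are already over their limits. The sample readings, the 800 GB capacity and the 90% limits are assumptions chosen for the illustration.

```python
from typing import Optional, Sequence

# Constructed sample: one disk-usage reading per day (GB used) from a
# hypothetical critical file server with an 800 GB volume.
CAPACITY_GB = 800.0
SAMPLES = [
    (0, 400.0), (1, 410.0), (2, 420.0), (3, 430.0),
    (4, 440.0), (5, 450.0), (6, 460.0),
]


def linear_trend(samples: Sequence[tuple[float, float]]) -> tuple[float, float]:
    """Ordinary least-squares fit of y = intercept + slope * x.

    Returns (slope, intercept); with x in days and y in GB, slope is GB/day.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    xs = [x for x, _ in samples]
    ys = [y for _, y in samples]
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("all samples share the same x; cannot fit a trend")
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def days_until_threshold(samples, capacity: float, threshold: float = 0.9) -> Optional[float]:
    """Days after the last sample until usage is projected to reach
    threshold * capacity. 0.0 if already there; None if usage is not growing."""
    limit = threshold * capacity
    last_x, last_y = samples[-1]
    if last_y >= limit:
        return 0.0
    slope, intercept = linear_trend(samples)
    if slope <= 0:
        return None  # flat or shrinking: no projected exhaustion date
    x_hit = (limit - intercept) / slope
    return max(0.0, x_hit - last_x)


def check_thresholds(metrics: dict, limits: dict) -> list[str]:
    """Names of metrics whose current value is at or above its limit, sorted."""
    return sorted(name for name, value in metrics.items()
                  if name in limits and value >= limits[name])


if __name__ == "__main__":
    slope, _ = linear_trend(SAMPLES)
    days = days_until_threshold(SAMPLES, CAPACITY_GB)
    print(f"disk growth {slope:.1f} GB/day; 90% full in {days:.0f} days")
    # Constructed point-in-time readings for the same hypothetical server.
    breaches = check_thresholds({"cpu_pct": 95.0, "ram_pct": 60.0, "disk_pct": 57.5},
                                {"cpu_pct": 90.0, "ram_pct": 90.0, "disk_pct": 90.0})
    print("over threshold now:", breaches or "none")
```

A straight-line projection is only a first approximation; real growth is often seasonal or step-shaped, so the projection should be recomputed on every review cycle rather than trusted once, and the threshold should be set below 100% to leave time to act.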
| 10.4 | Protection Against Malicious Software | |
| 10.4.1 | Control against malicious software – anti-virus protection | Whether there exist any controls against the use of malicious software. Whether the security policy addresses software licensing issues such as prohibiting the use of unauthorised software. Whether web pages are checked for malicious code. Whether there exists any procedure to verify that all warning bulletins are accurate and informative with regard to malicious software. Whether anti-virus software is installed on the computers to check for and isolate or remove any viruses from computers and media. Whether the software's signatures are updated on a regular basis to detect the latest viruses. Whether all traffic originating from untrusted networks into the organisation is checked for viruses. Example: checking for viruses in email, email attachments, web and FTP traffic. |
| 10.4.2 | Controls against mobile code | Whether there is a clearly defined security policy and configuration details for implementing the use of mobile code. |
| 10.5 | Backup | |
| 10.5.1 | Information back-up | Whether back-ups of essential business information, such as production servers, critical network components, configuration backups, etc., are taken regularly. Example: Mon–Thu incremental backup and Fri full backup. Whether the backup media, along with the procedure to restore the backup, are stored securely and well away from the actual site. Whether the backup media are regularly tested to ensure that they can be restored within the time frame allotted in the operational procedure for recovery. |
| 10.6 | Network Security Management | |
| 10.6.1 | Network controls, including management of remote network equipment and remote access with live update | Whether effective operational controls, such as separate network and system administration facilities, were established where necessary. Whether responsibilities and procedures for the management of remote equipment, including equipment in user areas, were established. Whether there exist any special controls to safeguard the confidentiality and integrity of data processed over public networks and to protect the connected systems. Example: virtual private networks, other encryption and hashing mechanisms, etc. |
| 10.6.2 | Security of network services | Whether the security features, service levels and management requirements of all network services are identified, and whether these are included in any network services agreement, in-house or outsourced. |
| 10.7 | Media Handling | |
| 10.7.1 | Management of removable computer media | Whether there exists a procedure for the management of removable computer media such as tapes, disks, cassettes, memory cards and reports. |
| 10.7.2 | Disposal of media | Whether media that are no longer required are disposed of securely and safely. Whether the disposal of sensitive items is logged where necessary in order to maintain an audit trail. |
| 10.7.3 | Information handling procedures | Whether there exists a procedure for handling the storage of information. Whether this procedure addresses issues such as protecting information from unauthorised disclosure or misuse. |
| 10.7.4 | Security of system documentation | Whether the system documentation is protected from unauthorised access. Whether the access list for the system documentation is kept to a minimum and authorised by the application owner. Example: if system documentation needs to be kept on a shared drive for specific purposes, the documents need to have access control lists enabled so that they are accessible only by a limited set of users. |
| 10.8 | Exchange of Information and Software | |
| 10.8.1 | Information exchange policies and procedures | Whether there are procedures and controls in place to protect the exchange of information. Whether there are any policies, procedures or controls in place to protect the exchange of information through the use of voice, facsimile and video communication facilities. Whether staff are reminded to maintain the confidentiality of sensitive information while using such forms of information exchange facility. |
| 10.8.2 | Exchange agreements | Whether there exists any formal or informal agreement between the organisations for the exchange of information or software. Whether the agreement addresses the security issues based on the sensitivity of the business information involved. |
| 10.8.3 | Security of media in transit | Whether the security of media while being transported is taken into account. Whether the media are well protected from unauthorised access, misuse or corruption. |
| 10.8.4 | Electronic messaging | Whether there is a policy in place for the acceptable use of email, instant messaging and EDI. Whether controls such as anti-virus checking, isolating potentially unsafe attachments, spam control, anti-relaying, etc., are put in place to reduce the risks created by electronic mail. |
| 10.8.5 | Business information systems | Whether there are any policies and procedures in place to protect information where systems are interconnected and where information is shared. Examples include mobile computing, email received on cellphones, voicemail, convergence of technologies such as printers that are also facsimiles, multimedia, etc. |
| 10.9 | Electronic Commerce Services | |
| 10.9.1 | Electronic commerce | Whether electronic commerce is well protected and controls are implemented to protect against fraudulent activity, contract dispute, and disclosure or modification of information. Whether security controls such as authentication and authorisation are considered in the e-commerce environment. Whether electronic commerce arrangements between trading partners include a documented agreement that commits both parties to the agreed terms of trading, including details of security issues. |
| 10.9.2 | On-line transactions | Whether controls exist to prevent errors such as incomplete transmission, unauthorised disclosure, unauthorised message alteration and unauthorised duplication. Whether security controls such as digital signatures, non-repudiation services and encryption are commensurate with the sensitivity of the transaction. |
| 10.9.3 | Publicly available systems including websites | Whether there is any formal authorisation process in place for information to be made publicly available, such as approval from change control that includes the business and application owners, etc. Whether there are any controls in place to protect the integrity of such publicly available information from unauthorised access. This might include controls such as firewalls, operating system hardening, and intrusion detection tools used to monitor the system, etc. |
| 10.10 | Monitoring | |
| 10.10.1 | Audit logging | Whether audit logs recording exceptions and other security-relevant events are produced and kept for an agreed period to assist in future investigations and access control monitoring. |
| 10.10.2 | Monitoring system use | Whether procedures are set up for monitoring the use of information processing facilities. The procedures should ensure that users are performing only the activities that are explicitly authorised. Whether the results of the monitoring activities are reviewed regularly. |
| 10.10.3 | Protection of log information | Whether log information and audit trails are adequately protected by security controls to prevent tampering. |
| 10.10.4 | Administrator and operator logs | Whether administrators and operations staff maintain a log of their activities, recording such details as the name of the person, errors, corrective action, etc. Whether the logs are checked on a regular basis to ensure that security controls have not been breached and for compliance with procedures. |
| 10.10.5 | Fault logging | Whether faults are reported and well managed. This includes corrective action being taken, review of the fault logs and checking of the actions taken. |
| 10.10.6 | Clock synchronisation | Where a computer or communication device has the capability of operating a real-time clock, whether it is set to an agreed standard such as Coordinated Universal Time (UTC) or local standard time. The correct setting of the computer clock is important to ensure the accuracy of the audit logs. |
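Controls 10.10.1 and 10.10.3 require that audit logs be produced and protected from tampering. The following added example (written for this page, not code from the checklist or any product) shows one technical control that makes tampering detectable: each log record carries a SHA-256 hash over its own content and the previous record's hash, so editing or deleting a stored record breaks the chain at that point. The events, timestamps and user names are constructed for the illustration; recording timestamps in UTC follows 10.10.6.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # anchor value standing in for "no previous record"


def _canonical(body: dict) -> bytes:
    # Fixed key order and separators so an identical event always hashes identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _digest(prev_hash: str, body: dict) -> str:
    return hashlib.sha256(prev_hash.encode("ascii") + _canonical(body)).hexdigest()


class AuditLog:
    """Append-only log in which every record commits to the one before it."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    def append(self, event: dict, when: Optional[datetime] = None) -> dict:
        # Timestamps are recorded in UTC (cf. 10.10.6) so records from different
        # hosts can be ordered reliably.
        ts = (when or datetime.now(timezone.utc)).isoformat()
        body = {"seq": len(self.records), "ts": ts, "event": event}
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"body": body, "prev": prev, "hash": _digest(prev, body)}
        self.records.append(record)
        return record


def verify_chain(records: list[dict]) -> tuple[bool, Optional[int]]:
    """Re-derive every hash; return (True, None) or (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["body"].get("seq") != i:
            return False, i
        if _digest(prev, rec["body"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_log() -> AuditLog:
    # Constructed events for a hypothetical application; not real log data.
    log = AuditLog()
    t0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    log.append({"user": "alice", "action": "login", "result": "ok"}, t0)
    log.append({"user": "alice", "action": "read", "object": "payroll.xlsx"}, t0)
    log.append({"user": "bob", "action": "login", "result": "failed"}, t0)
    return log


def edited_record_check() -> tuple[bool, Optional[int]]:
    """Change one field of a stored record and report what verification says."""
    records = copy.deepcopy(build_sample_log().records)
    records[1]["body"]["event"]["object"] = "lunch_menu.txt"
    return verify_chain(records)


def deleted_record_check() -> tuple[bool, Optional[int]]:
    """Drop a record from the middle of the log and report what verification says."""
    records = copy.deepcopy(build_sample_log().records)
    del records[1]
    return verify_chain(records)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_log().records))
    print("edited:", edited_record_check())
    print("deleted:", deleted_record_check())
```

A hash chain on its own only proves that the log is internally consistent: whoever can rewrite the file can recompute every hash. To satisfy 10.10.3 in practice the latest chain hash (or the records themselves) must also be forwarded to a system the log writer cannot modify, for example a separate log collector or a periodically signed checkpoint, so that a rewritten history no longer matches the copy held elsewhere. Truncation of the newest records is likewise only caught by comparing against such an external copy.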
| 11 | Access Control | |
| 11.1 | Business Requirements for Access Control | |
| 11.1.1 | Access control policy | Whether the business requirements for access control have been defined and documented. Whether the access control policy addresses the rules and rights for each user or group of users. Whether users and service providers were given a clear statement of the business requirements to be met by access controls. |
| 11.2 | User Access Management | |
| 11.2.1 | User registration and deregistration | Whether there is a formal user registration and deregistration procedure for granting access to multi-user information systems and services. |
| 11.2.2 | Privilege management | Whether the allocation and use of any privileges in a multi-user information system environment are restricted and controlled, i.e. privileges are allocated on a need-to-use basis and only after a formal authorisation process. |
| 11.2.3 | User password management | Whether the allocation and reallocation of passwords is controlled through a formal management process. Whether users are asked to sign a statement to keep their password confidential. |
| 11.2.4 | Review of user access rights | Whether there exists a process to review user access rights at regular intervals. Example: special privilege review every 3 months, normal privileges every 6 months. |
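Control 11.2.4 gives review intervals of 3 months for special privileges and 6 months for normal ones. The following added example (mine, not part of the checklist) turns that into a check an auditor or access administrator can run: given an account register with each account's privilege class and last review date, it lists the accounts whose review is overdue, treating never-reviewed accounts as due immediately. The account register, the user names and the reference date are constructed; the `Account` structure and the calendar-month arithmetic are assumptions of this example.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Review intervals from the checklist example (11.2.4), in calendar months.
REVIEW_INTERVAL_MONTHS = {"special": 3, "normal": 6}


@dataclass
class Account:
    username: str
    privilege: str               # "special" or "normal"
    last_review: Optional[date]  # None = never reviewed


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day (31 Jan + 1 month = 28/29 Feb)."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    day = min(d.day, monthrange(year, month)[1])
    return date(year, month, day)


def next_review_due(acct: Account) -> Optional[date]:
    """Date the next review falls due; None means it is due right now."""
    if acct.privilege not in REVIEW_INTERVAL_MONTHS:
        raise ValueError(f"unknown privilege class {acct.privilege!r} for {acct.username}")
    if acct.last_review is None:
        return None
    return add_months(acct.last_review, REVIEW_INTERVAL_MONTHS[acct.privilege])


def reviews_overdue(accounts, today: date) -> list[str]:
    """Usernames whose access-rights review is due on or before `today`, sorted."""
    due = []
    for acct in accounts:
        nxt = next_review_due(acct)
        if nxt is None or nxt <= today:
            due.append(acct.username)
    return sorted(due)


# Constructed sample register for a hypothetical organisation.
SAMPLE_ACCOUNTS = [
    Account("alice", "special", date(2024, 2, 15)),
    Account("bob", "normal", date(2024, 2, 15)),
    Account("carol", "special", date(2024, 4, 10)),
    Account("dave", "normal", date(2023, 11, 1)),
    Account("erin", "special", None),
]

if __name__ == "__main__":
    reference_day = date(2024, 6, 30)
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct.username:6} {acct.privilege:8} next due: {next_review_due(acct)}")
    print("overdue on", reference_day, "->", reviews_overdue(SAMPLE_ACCOUNTS, reference_day))
```

The output of such a check is evidence for the control only if the review itself is recorded (who reviewed, what was removed) and the `last_review` date is updated from that record, not from the account's last login.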
| 11.3 | User Responsibilities | |
| 11.3.1 | Password use | Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords. |
| 11.3.2 | Unattended user equipment, including logging off, screen saver timeouts, session termination after a period of inactivity, etc. | Whether users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection. Example: log off when the session is finished or set up automatic log-off, terminate sessions when finished, etc. |
| 11.3.3 | Clear desk and clear screen policy | Whether an automatic computer screen locking facility is enabled. This would lock the screen when the computer is left unattended for a period. Whether employees are advised to keep any confidential material, such as paper documents and media, locked away while unattended. |
| 11.4 | Network Access Control | |
| 11.4.1 | Policy on use and protection of network services | Whether there exists a policy that addresses concerns relating to networks and network services, such as: the parts of the network to be accessed; authorisation services to determine who is allowed to do what; procedures to protect access to network connections and network services. |
| 11.4.2 | User authentication for external connections | Whether there exists any authentication mechanism for challenging external connections. Examples: cryptography-based techniques, hardware tokens, software tokens, challenge/response protocols, etc. |
| 11.4.3 | Equipment identification in networks | Whether equipment identification (e.g. by MAC address) is enabled for remote connections. Whether the equipment is identified before a connection is allowed, if the connection is only allowable from a specific location or specific equipment. |
| 11.4.4 | Remote diagnostic and configuration port protection | Whether access (physical and logical) to diagnostic ports is securely controlled, i.e. protected by a security mechanism. |
| 11.4.5 | Segregation in networks | Whether the network (where business partners and/or third parties need access to the information system) is segregated using perimeter security mechanisms such as firewalls. |
| 11.4.6 | Network connection controls – email, web access, file transfer, etc. | Whether there exist any network connection controls for shared networks that extend beyond the organisational boundaries. Example: electronic mail, web access, file transfers, etc. |
| 11.4.7 | Network routing control | Whether there exist any network controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with non-organisation users. Whether the routing controls are based on positive source and destination identification mechanisms. Example: Network Address Translation (NAT). |
| 11.5 | Operating System Access Control | |
| 11.5.1 | Secure log-on procedures | Whether access to the information system is attainable only via a secure log-on process. Whether there is a procedure in place for logging in to an information system. This is to minimise the opportunity for unauthorised access. |
| 11.5.2 | User identification and authorisation – unique user accounts | Whether a unique identifier is provided to every user, such as operators, system administrators and all other staff including technical staff. Generic user accounts should only be supplied under exceptional circumstances where there is a clear business benefit; additional controls may be necessary to maintain accountability. Whether the authentication method used substantiates the claimed identity of the user; the commonly used method is a password that only the user knows. |
| 11.5.3 | Password management system and non-disclosure of passwords | Whether there exists a password management system that enforces various password controls, such as: individual passwords for accountability, enforced password changes, passwords stored in encrypted form, passwords not displayed on screen, etc. |
| 11.5.4 | Use of system utilities | Whether the system utilities that come with computer installations, but that may override system and application controls, are tightly controlled. |
| 11.5.5 | Session timeout | Whether inactive machines are configured to clear the screen or shut down automatically after a defined period of inactivity. |
| 11.5.6 | Limitation of connection time | Whether there exist any restrictions on connection time for high-risk applications. This type of set-up should be considered for sensitive applications for which the terminals are installed in high-risk locations. |
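Control 11.5.3 lists what a password management system must enforce: individual passwords, forced changes, no clear-text storage, no display on screen. The following added example (mine, not the checklist's or any product's code) implements those controls in a small password store: each user has their own salted verifier, passwords are stored only as a one-way PBKDF2 digest (the usual way to meet the "not stored in clear" requirement; the checklist says "encrypted form", and a non-reversible digest is the stricter reading), a password older than the maximum age is accepted only as "expired" so a change can be forced, and recently used passwords cannot be set again. The 12-character minimum, 90-day maximum age, history depth of 5 and PBKDF2 round count are assumed policy values chosen for the demonstration, as are the user names and passwords in `demo()`.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy parameters for the demonstration (not values from the checklist).
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5          # current verifier plus the previous four are checked for reuse
PBKDF2_ROUNDS = 100_000


@dataclass
class Verifier:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class UserRecord:
    current: Optional[Verifier] = None
    history: list = field(default_factory=list)  # older Verifier objects, newest first


def _derive(password: str, salt: bytes) -> bytes:
    # One-way key derivation: the password cannot be recovered from the digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _matches(password: str, v: Verifier) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, v.salt), v.digest)


class PasswordStore:
    """Per-user verifiers with reuse and maximum-age enforcement."""

    def __init__(self) -> None:
        self._users: dict = {}

    def set_password(self, user: str, password: str, now: datetime) -> None:
        if len(password) < MIN_LENGTH:
            raise ValueError("password shorter than policy minimum")
        rec = self._users.setdefault(user, UserRecord())
        previous = ([rec.current] if rec.current else []) + rec.history
        if any(_matches(password, v) for v in previous):
            raise ValueError("password was used recently; choose a new one")
        if rec.current:
            rec.history = ([rec.current] + rec.history)[:HISTORY_DEPTH - 1]
        salt = os.urandom(16)  # fresh per-user, per-password salt
        rec.current = Verifier(salt, _derive(password, salt), now)

    def authenticate(self, user: str, password: str, now: datetime) -> str:
        """Return 'ok', 'expired' (correct but a change must be forced) or 'bad'."""
        rec = self._users.get(user)
        if rec is None or rec.current is None:
            _derive(password, b"\x00" * 16)  # same cost for unknown users
            return "bad"
        if not _matches(password, rec.current):
            return "bad"
        if now - rec.current.set_at > MAX_AGE:
            return "expired"
        return "ok"


def demo() -> dict:
    """Exercise each enforced control with constructed users and passwords."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = PasswordStore()
    store.set_password("alice", "correct-horse-battery", t0)
    results = {
        "login_ok": store.authenticate("alice", "correct-horse-battery", t0 + timedelta(days=1)),
        "wrong": store.authenticate("alice", "wrong-password-1234", t0),
        "unknown_user": store.authenticate("mallory", "anything-at-all-12", t0),
        "expired": store.authenticate("alice", "correct-horse-battery", t0 + timedelta(days=91)),
    }
    try:
        store.set_password("alice", "correct-horse-battery", t0 + timedelta(days=91))
        results["reuse_blocked"] = False
    except ValueError:
        results["reuse_blocked"] = True
    store.set_password("alice", "new-and-different-pw", t0 + timedelta(days=91))
    results["after_change"] = store.authenticate("alice", "new-and-different-pw", t0 + timedelta(days=92))
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:14} {outcome}")
```

Nothing in the store ever returns or prints a password, which is the "not displayed on screen" part of the control; the caller is responsible for reading it through a masked prompt. Reuse checking has to derive the candidate against every retained verifier, so the history depth directly multiplies the cost of a password change.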
| 11.6 | Application and Information Access Control | |
| 11.6.1 | Information access restrictions | Whether access to applications by the various groups/personnel within the organisation is defined in the access control policy as per the individual business application requirements, and is consistent with the organisation's information access policy. |
| 11.6.2 | Sensitive system isolation | Whether sensitive systems are provided with an isolated computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc. |
| 11.7 | Mobile Computing and Teleworking | |
| 11.7.1 | Mobile computing and communications | Whether a formal policy is adopted that takes into account the risks of working with computing facilities such as notebooks, palmtops, etc., especially in unprotected environments. Whether training was arranged for staff using mobile computing facilities to raise their awareness of the additional risks resulting from this way of working and of the controls that need to be implemented to mitigate the risks. |
| 11.7.2 | Teleworking | Whether there is any policy, procedure and/or standard to control teleworking activities; this should be consistent with the organisation's security policy. Whether suitable protection of the teleworking site is in place against threats such as theft of equipment, unauthorised disclosure of information, etc. |
| 12 | System Development and Maintenance | |
| 12.1 | Security Requirements of Systems | |
| 12.1.1 | Security requirements analysis and specification | Whether security requirements are incorporated as part of the business requirements statement for new systems or for enhancements to existing systems. The security requirements and controls identified should reflect the business value of the information assets involved and the consequences of a failure of security. Whether risk assessments are completed prior to the commencement of system development. |
| 12.2 | Correct Processing in Applications | |
| 12.2.1 | Input data validation | Whether data input to application systems is validated to ensure that it is correct and appropriate. Whether controls such as the following are considered: checking different types of input for error messages, procedures for responding to validation errors, defining the responsibilities of all personnel involved in the data input process, etc. |
| 12.2.2 | Control of internal processing | Whether areas of risk are identified in the processing cycle and validation checks included. In some cases data that has been correctly entered can be corrupted by processing errors or through deliberate acts. Whether appropriate controls are identified for applications to mitigate the risks during internal processing. The controls will depend on the nature of the application and the business impact of any corruption of data. |
| 12.2.3 | Message integrity | Whether an assessment of security risk was carried out to determine if message authentication is required, and to identify the most appropriate method of implementation if it is necessary. Message authentication is a technique used to detect unauthorised changes to, or corruption of, the contents of a transmitted electronic message. |
| 12.2.4 | Output data validation | Whether the data output of application systems is validated to ensure that the processing of stored information is correct and appropriate to the circumstances. |
12.3 |
Cryptographic Controls |
|
12.3.1 |
Policy on use of cryptographic controls |
Whether
there is a “Policy in use of cryptographic controls for
protection of information” is in place.
Whether a
risk assessment was carried out to identify the level of
protection the information should be given.
Whether
encryption techniques were used to protect the data.
Whether
assessments were conducted to analyse the sensitivity of the
data and the level of protection needed.
Whether
Digital signatures were used to protect the authenticity and
integrity of electronic documents.
Whether
non-repudiation services were used, where it might be necessary
to resolve disputes about occurrence or non-occurrence of an
event or action.
Example:
Dispute involving use of a digital signature on an electronic
payment or contract. |
|
12.3.2 |
Key management |
Whether
there is a management system is in place to support the
organisation’s use of cryptographic techniques such as Secret
key technique and Public key technique.
Whether
the Key management system is based on agreed set of standards,
procedures and secure methods. |
|
12.4 |
Security of System Files |
|
12.4.1 |
Control of operational software |
Whether
there are any controls in place for the implementation of
software on operational systems. This is to minimise the risk
of corruption of operational systems. |
|
12.4.2 |
Protection of system test data |
Whether
system test data is protected and controlled. The use of
operational database containing personal information should be
avoided for test purposes. If such information is used, the data
should be depersonalised before use. |
|
12.4.3 |
Access control to program source library |
Whether
strict controls are in place over access to program source
libraries. This is to reduce the potential for corruption of
computer programs. |
|
12.5 |
Security in Development and Support Processes |
|
12.5.1 |
Change control procedures |
Whether
there are strict control procedures in place over implementation
of changes to the information system. This is to minimise the
corruption of information system. |
|
12.5.2 |
Technical review of applications after operating system changes |
Whether
there are process or procedure in place to ensure application
system is reviewed and tested after change in operating system.
Periodically it is necessary to upgrade operating system i.e.,
to install service packs, patches, hot fixes etc. |
|
12.5.3 |
Restrictions to changes to software packages |
Whether
there are any restrictions in place to limit changes to software
packages. As far as possible the vendor supplied software
packages should be used without modification. If changes are
deemed essential the original software should be retained and
the changes applied only to a clearly identified copy. All
changes should be clearly tested and documented, so they can be
reapplied if necessary to future software upgrades. |
|
12.5.4 |
Information
leakage |
Whether
there are controls in place to ensure that the covert channels
and Trojan codes are not introduced into new or upgraded
system.
A covert
channel can expose information by some indirect and obscure
means. Trojan code is designed to affect a system in a way that
is not authorised. |
|
12.5.5 |
Outsourced software development |
Whether
there are controls in place over outsourcing software. The
points to be noted includes: Licensing arrangements, escrow
arrangements, contractual requirement for quality assurance,
testing before installation to detect Trojan code etc. |
|
12.6 |
Technical Vulnerability
Management |
|
12.6.1 |
Control of
technical vulnerabilities |
Whether the organisation
subscribes to any alerting services or receives advisory
information about technical vulnerabilities and that technical
staff use this information to mitigate potential risks to
information systems.
Whether there is any
procedural documentation for the installation of patches and
testing regimes. |
|
13. |
Information Security Incident
Management |
|
13.1 |
Reporting Information
Security Events and Weaknesses |
|
13.1.1 |
Reporting information security events |
Whether a
formal reporting procedure exists, to report security incidents
through appropriate management channels as quickly as possible. |
|
13.1.2 |
Reporting security weaknesses |
Whether a
formal reporting procedure or guideline exists for users, to
report security weakness in, or threats to, systems or services. |
|
13.2 |
Management of Information
Security Incidents and Improvements |
|
13.2.1 |
Responsibilities
and procedures |
Whether an
Incident Management procedure exist to handle security
incidents.
Whether
the procedure addresses the incident management
responsibilities, orderly and quick response to security
incidents.
Whether
the procedure addresses different types of incidents ranging
from denial of service to breach of confidentiality etc., and
ways to handle them.
Whether
the audit trails and logs relating to the incidents are
maintained and proactive action taken in a way that the incident
doesn’t reoccur. |
|
13.2.2 |
Learning from incidents |
Whether
there are mechanisms in place to enable the types, volumes and
costs of incidents and malfunctions to be quantified and
monitored. |
|
13.2.3 |
Collection of evidence |
Whether
the process involved in collecting evidence is in accordance
with legal and industry best practice. |
|
14. |
Business Continuity Management |
|
14.1 |
Aspects of Business Continuity Management |
|
14.1.1 |
Including
information security in the business continuity management
process |
Whether
there is a managed process in place for developing and
maintaining business continuity throughout the organisation that
addresses information security requirements.
This might
include Organisation wide Business continuity plan, regular
testing and updating of the plan, formulating and documenting a
business continuity strategy etc. |
|
14.1.2 |
Business continuity and risk analysis |
Whether
events that could cause interruptions to business process were
identified example: equipment failure, flood and fire.
Whether a
risk assessment was conducted to determine impact of such
interruptions.
Whether a
strategy plan was developed based on the risk assessment results
to determine an overall approach to business continuity. |
|
14.1.3 |
Developing
and implementing business continuity plans including information
security |
Whether
plans were developed to restore business operations within the
required time frame following an interruption or failure to
business process.
Whether
the plan is regularly tested and updated. |
|
14.1.4 |
Business continuity planning framework |
Whether
there is a single framework of Business continuity plan.
Whether
this framework is maintained to ensure that all plans are
consistent and identify priorities for testing and maintenance.
Whether
this identifies conditions for activation and individuals
responsible for executing each component of the plan. |
|
14.1.5 |
Testing, maintaining and reassessing business continuity plan |
Whether
Business continuity plans are tested regularly to ensure that
they are up to date and effective.
Whether
Business continuity plans were maintained by regular reviews and
updates to ensure their continuing effectiveness.
Whether
procedures were included within the organisation’s change
management programme to ensure that Business continuity matters
are appropriately addressed. |
|
15 |
Compliance |
|
15.1 |
Compliance with Legal Requirements |
|
15.1.1 |
Identification of applicable legislation |
Whether
all relevant statutory, regulatory and contractual requirements
were explicitly defined and documented for each information
system.
Whether
specific controls and individual responsibilities to meet these
requirements were defined and documented. |
|
15.1.2 |
Intellectual property rights including copyright, design marks,
trademarks |
Whether
there exist any procedures to ensure compliance with legal
restrictions on use of material in respect of which there may be
intellectual property rights such as copyright, design rights,
trade marks.
Whether
the procedures are well implemented.
Whether
proprietary software products are supplied under a license
agreement that limits the use of the products to specified
machines. The only exception might be for making own back-up
copies of the software. |
|
15.1.3 |
Safeguarding of organisational records |
Whether
important records of the organisation is protected from loss,
destruction and falsification. |
|
15.1.4 |
Data protection and privacy of personal information |
Whether
there is a management structure and control in place to protect
data and privacy of personal information. |
|
15.1.5 |
Prevention of misuse of information processing facilities |
Whether
use of information processing facilities for any non-business or
unauthorised purpose, without management approval is treated as
improper use of the facility.
Whether at
the log-on a warning message is presented on the computer screen
indicating that the system being entered is private and that
unauthorised access is not permitted. |
|
15.1.6 |
Regulation of cryptographic controls |
Whether
the regulation of cryptographic control is as per the sector and
national agreement. |
|
15.2 |
Reviews of Security Policy and Technical Compliance |
|
15.2.1 |
Compliance with security policies and standards |
Whether
all areas within the organisation is considered for regular
review to ensure compliance with security policy, standards and
procedures. |
|
15.2.2 |
Technical compliance checking |
Whether
information systems were regularly checked for compliance with
security implementation standards.
Whether
the technical compliance check is carried out by, or under the
supervision of, competent, authorised persons. |
|
15.3 |
Information
Systems Audit Considerations |
|
15.3.1 |
Information systems audit controls |
Whether
audit requirements and activities involving checks on
operational systems should be carefully planned and agreed to
minimise the risk of disruptions to business process. |
|
15.3.2 |
Protection of system audit tools |
Whether
access to system audit tools such as software or data files are
protected to prevent any possible misuse or compromise. |