ISO 27002 Standard 6.2.2

ISO 27002 Standard 6.2.3

ISO 27002 Standard 10.2.1

ISO 27002 Standard 11.4.2

ISO 27002 Standard 11.5.2

ISO 27002 Standard 11.7.1

ISO 27002 Standard 11.7.2

SIGS Chapter 6 Contractors and Other Third

    Party Access 25-29

SIGS Chapter 9 Control of Access to

    Information Systems 15

SIGS Chapter 9 Control of Access to

    Information Systems 27

SIGS Chapter 9 Control of Access to

    Information Systems 59

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard 8.2

PCI DSS Standard 8.3

The Fake Chicken Company computer systems and networks are to be protected from unauthorised access by ensuring strict compliance to Password and Authentication policies.

ISO 27002 Standard 9.2.5

ISO 27002 Standard 10.2.1

SIGS No Match

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard No Match

Access  to   information  and  systems  is   granted  for the purposes of  undertaking  specific  functions by designated people.  All other access is unauthorised and is considered a security breach. 

       

ISO 27002 Standard 6.2.3

ISO 27002 Standard 10.4.1

ISO 27002 Standard 11.7.1

ISO 27002 Standard 11.7.2

 

SIGS Chapter 4 Control of Classified

    Information 49

SIGS Chapter 6 Contractors and other Third

    Party Access 12-17

SIGS Chapter 6 Contractors and other Third

    Party Access 22-24

SIGS Chapter 6 Contractors and other Third

    Party Access 25-27

SIGS Chapter 8 Communications and Systems

    Security Management 21-22

SIGS Chapter 8 Communications and Systems

    Security Management, Annex A 25-30

SIGS Chapter 9 Control of Access to

    Information Systems 53

SIGS Chapter 9 Control of Access to

    Information Systems 54

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard 5.1

In order to protect computer systems, information and networks from viruses, trojans, worms and bots which proliferate in the online world, anti-virus software must be implemented and run in accordance with the company Anti-Virus Policy.  

       

  ISO 27002 Standard 7.2.1

ISO 27002 Standard 7.2.2

ISO 27002 Standard 10.5.1

ISO 27002 Standard 10.7.3

ISO 27002 Standard 10.8.1

ISO 27002 Standard 10.8.4

ISO 27002 Standard 10.9.3

     ISO 27002 Standard 15.1.2

ISO 27002 Standard 15.1.4

  

 

       

 

SIGS Chapter 3 Information Classification 4

SIGS Chapter 3 Information Classification 8

SIGS Chapter 3 Information Classification

    Annex A

SIGS Chapter 3 Information Classification

    Annex B

SIGS Chapter 3 Information Classification

    Annex C

SIGS Chapter 3 Information Classification

    Annex D

SIGS Chapter 3 Information Classification

    Annex E

SIGS Chapter 3 Information Classification

    Annex F

SIGS Chapter 4 Control of Classified Material 1 

SIGS Chapter 4 Control of Classified Material 4

SIGS Chapter 4 Control of Classified Material

    47

SIGS Chapter 4 Control of Classified Material

     51-52

SIGS Chapter 4 Control of Classified Material

     53-62

SIGS Chapter 4 Control of Classified Material

     63-67

SIGS Chapter 4 Control of Classified Material

     75-78

SIGS Chapter 8 Communications and Systems

    Security Management 36

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard 2.4

PCI DSS Standard 12.8.2

The intention of this policy is to notify external users who have access to company computer systems and networks that data and information must be created, classified, accessed, stored, transmitted and archived in accordance with documented company policies and users should be aware of their obligations in this regard.

       

ISO 27002 Standard 11.5.6

SIGS Chapter 9 Control of Access to

    Information Systems 23

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard 8.5.6

Hours  of use  have  been  agreed  and  authorised  as part  of  the  Remote  Access Agreement.  Any third party associated with the Agreement connecting to the company networks and systems outside the hours agreed are operating in breach of the Agreement.

         

ISO 27002 Standard 10.2.2

ISO 27002 Standard 10.10.1

          ISO 27002 Standard 10.10.2

SIGS Chapter 8 Communications and Systems

    Security Management 12

SIGS Chapter 8 Communications and Systems

    Security Management 14-20

SIGS Chapter 8 Communications and Systems

    Security Management 23

SIGS Chapter 9 Control of Access to

    Information Systems 50

SIGS Chapter 9 Control of Access to

    Information Systems 51

SIGS Chapter 9 Control of Access to

    Information Systems 52

     BS 25999 Standard No Match

SOX Section 404 - 1.5

PCI DSS Standard 10.2.1

Authorised staff from the company or a designated agent may, from time to time, monitor remote connections and employ any tools and applications it may deem appropriate to determine that the remote access link is being operated according to prescribed policies and operating procedures and within acceptable performance parameters.  Such tools may include intrusion scanning software, Sniffer applications etc.

         

ISO 27002 Standard 9.2.5

         

SIGS Chapter 6 Contractors and Other Third

    Party Access 12-17

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard No Match

Any equipment supplied by the company as a loan is to be operated and maintained as documented in the Computer Systems and Equipment Use Policy.  A copy of the policy must be supplied to the third party requiring remote access.

             ISO 27002 Standard 6.2.2

ISO 27002 Standard 6.2.3

ISO 27002 Standard 10.9.3

SIGS Chapter 8 Communications and Systems

    Security Management 25

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard No Match

Information must not be made available unless there is a clear reason for doing so and the interests of the company are protected.  It may be for advertising, to enable customers to update information held in company databases, to provide information or an alternative channel for conducting company business.  Whatever the reason, there will be costs involved in making the information available as well as risks.  A proposal outlining the costs and the benefits of providing the service must be approved by senior management prior to the system or service being implemented and a risk analysis must be performed to highlight any potential security issues that will need to be addressed.

         

ISO 27002 Standard 6.1.4 

SIGS No Match

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard 12.10.2

External or remote user access to company computer systems and networks must have the appropriate authorisation or the application will not be processed.  As costs will be incurred by the business unit requesting the remote access, the Division Manager is required to give signed approval....

         

ISO 27002 Standard 6.2.3

                   ISO 27002 Standard 10.2.1

SIGS Chapter 6 Contractors and Other Third

    Party Access 28-29

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard No Match

All  users  connecting to company networks and computer systems must comply with the Acceptable Use Policy and all the relevant policies detailed within.  This is to protect both the users of the systems and the company.  Those connecting from a third party organisation are expected to respect their access to company systems and use it in a responsible manner....

         

          ISO 27002 Standard 9.2.4 

SIGS No Match

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard No Match

To safeguard  the company and the  third party hosting remote access communications or computer equipment only  designated authorised staff will be allowed access to the premises and systems for the purposes of support.  Although it is preferable that notice be given and the visit be organised by prior mutual agreement with a member of the third party’s staff present, in times of an emergency this may not always be possible.  

         

          ISO 27002 Standard 11.5.6

 

SIGS Chapter 9 Control of Access to

    Information Systems 23

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard No Match

The purpose of this policy is to ensure that visitors and third parties have the permission of an authorised staff member before they enter restricted areas that are usually off limits.    Randomly allowing access to such areas provides the potential for tampering with system configuration, equipment theft, compromising the integrity of data and other problems.  Employee entrances should only be accessible to staff using a badge or some other access control mechanism (swipe card, pin number etc) to open the door. 

         

ISO 27002 Standard 6.2.1

ISO 27002 Standard 11.5.6

 

 

SIGS Chapter 6 Contractors and Other Third

    Party Access 2

SIGS Chapter 9 Control of Access to

    Information Systems 23

SIGS Chapter 9 Control of Access to

    Information Systems 56

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard 8.5.6

PCI DSS Standard 12.3.9

The policy is intended to prevent well meaning staff from establishing network connections that may jeopardise the security of internal networks and connected machines.  Vendor support must be closely monitored to ensure that only valid changes are made.  Any suspicious activities should be reported to the IT Manager.

         

ISO 27002 Standard 12.3.1

SIGS Chapter 8 Communications and Systems

    Security Management 98

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard 4.1

In order to protect confidential information and at the discretion of company Management, remote access connections may be encrypted using the technologies and standards prescribed by the company.  Any requirement for additional security will be detailed and duly signed off in the Remote Access Application Form and Remote Access Agreement.  

  ISO 27002 Standard 10.6.1

      ISO 27002 Standard 11.4.1

ISO 27002 Standard 11.4.2

ISO 27002 Standard 11.4.6

ISO 27002 Standard 11.4.7

SIGS Chapter 8 Communications and Systems

    Security Management 23-24

SIGS Chapter 8 Communications and Systems

    Security Management Annex A 12-20

SIGS Chapter 9 Control of Access to 

    Information 33

SIGS Chapter 9 Control of Access to 

    Information 35-38

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard 1.1.6

PCI DSS Standard 1.1.7

PCI DSS Standard 8.3

PCI DSS Standard 12.3.2

In-bound connections to company computer systems and networks should be adequately protected by firewalls, switches or routers and should not allow telnet, ftp or nfs for transferring files.  This method of transferring data could allow a user to upload malware or any kind of executable files and to access areas of the system which they would not ordinarily have rights.

         

ISO 27002 Standard 10.2.2

ISO 27002 Standard 10.10.1

          ISO 27002 Standard 10.10.2

ISO 27002 Standard 15.2.1

ISO 27002 Standard 15.2.2

SIGS Chapter 8 Communications and Systems

    Security Management 12

SIGS Chapter 8 Communications and Systems

    Security Management 14-20

SIGS Chapter 8 Communications and Systems

    Security Management 23

SIGS Chapter 9 Control of Access to

    Information Systems 50

SIGS Chapter 9 Control of Access to

    Information Systems 51

SIGS Chapter 9 Control of Access to

    Information Systems 52

     BS 25999 Standard No Match

SOX Section 404 - 1.5

PCI DSS Standard 10.2.1

PCI DSS Standard 10.2.5

PCI DSS Standard 11.1

PCI DSS Standard 11.2

PCI DSS Standard 11.3

PCI DSS Standard 12.1.3

It will be necessary  from time  to  time to verify the hardware, software,  personnel, communications infrastructure, data, logs, applications and information to ensure that policies and procedures are being complied with and that the systems are operating within expected parameters.  The Fake Chicken Company staff or their agents do not have the right to examine systems and information that is not relevant to fulfilling the third party obligations to The Fake Chicken Company.

ISO 27002 Standard 10.2.1

ISO 27002 Standard 10.2.3

SIGS Chapter 6 Contractors and Other Third

    Party Access 25-29 

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard No Match

The Fake Chicken Company is only responsible for providing support to those systems and applications which facilitate remote access and that are listed in the Remote Access Agreement. 

         

ISO 27002 Standard 6.1.4 

SIGS Chapter 8 Communications and Systems

    Security Management 2

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard No Match

To prevent inconsistency, ensure technology standards and security requirements are maintained and due process is followed, only authorised personnel from the company or their designated agents may initiate the remote access for an external user.  This policy includes liaison with telecommunications companies and the installation of communications equipment.

       

ISO 27002 Standard 8.2.2

ISO 27002 Standard 10.2.1

ISO 27002 Standard 10.2.3

SIGS Chapter 2 Security Organisation 24-25

SIGS Chapter 6 Contractors and Other Third

    Party Access 25-29

     BS 25999 Standard No Match

SOX Section 404 No Match

PCI DSS Standard No Match

To prevent misuse (accidental or intentional) and processing errors, all remote users must complete an approved training course prior to being granted privileges to the company's information systems.