2012 Guidelines for Information Security

Warning: This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct. If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected]. Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited. This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.

Classification: Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the document from the ISF.

Ref    Control Area
       Guideline
       Purpose

SG 1   Security Governance Approach
       Guideline: Establish, maintain and monitor an information security governance framework with clear direction for information security.
       Purpose: To provide assurance that required security management activities are performed correctly and consistently by designated executive managers.

SG 2   Security Governance Components
       Guideline: Support the organisation's security governance framework by developing and maintaining an information security strategy and an information security assurance programme that are aligned with the organisation's strategic objectives and that promote a structured approach to information risk management.
       Purpose: To ensure information security initiatives contribute to the organisation's success, achieve business value and provide assurance that information risk is being addressed.

SR 1   Information Risk Assessment
       Guideline: Undertake regular information risk assessments for target environments (eg critical business environments, business processes, business applications) in a rigorous and consistent manner, using a structured methodology.
       Purpose: To enable individuals who are responsible for target environments to identify information risks, determine the risk treatment options to adopt, including where necessary the selection of controls to keep information risk within acceptable limits.

SR 2   Compliance
       Guideline: Apply an approved method for identifying and interpreting the information security implications of relevant laws and regulations, and addressing non-compliance.
       Purpose: To ensure compliance with laws and regulations affecting information security.

CF 1   Security Policy and Organisation
       Guideline: Develop and distribute a comprehensive, approved information security policy to all individuals with access to the organisation’s information and systems, and establish a specialist information security function.
       Purpose: To communicate the governing body’s direction on and commitment to information security, set expectations for the behaviour of individuals and ensure good practice for information security is applied effectively and consistently throughout the organisation.

CF 2   Human Resource Security
       Guideline: Assign ownership and responsibility for particular information and systems to designated individuals and establish an information security awareness programme, which is supported by a range of education / training activities.
       Purpose: To create a security-positive environment where individuals are accountable for protecting information and individuals are provided with the knowledge and skills required to apply security controls effectively.

CF 3   Asset Management
       Guideline: Establish an information classification scheme and a method for protecting assets and information in physical and electronic formats.
       Purpose: To ensure information and systems are protected in accordance with information security and compliance requirements.

CF 4   Business Applications
       Guideline: Apply sound information security architecture principles to business applications (including internal and external web-based applications) and protect information used by business applications throughout its lifecycle.
       Purpose: To ensure business applications incorporate consistent security functionality to protect information during creation, processing, transmission, storage and destruction.

CF 5   Customer Access
       Guideline: Protect business applications with customer access by performing information risk assessments to determine security requirements, and by applying security arrangements supported by agreed, approved contracts.
       Purpose: To ensure customers are legally and contractually bound to protect sensitive or critical information relating to either the organisation or the customer.

CF 6   Access Management
       Guideline: Establish methods of restricting access to business applications, systems, computing devices and networks by requiring users to be authorised before being granted access privileges, authenticated using access control mechanisms and subject to a rigorous sign-on process before being provided with access.
       Purpose: To ensure that only authorised users can gain access to business applications, systems, computing devices and networks, and that individual accountability is assured.

CF 7   System Management
       Guideline: Design, configure and deploy information systems in a consistent and accurate manner, and maintain supporting technical infrastructure using a rigorous change management process.
       Purpose: To ensure information systems and supporting technical infrastructure meet business and security requirements, function as required and are maintained in a managed and secure manner.

CF 8   Technical Security Infrastructure
       Guideline: Establish a sound technical security infrastructure based on an enterprise-wide security architecture, which addresses the protection of information and critical infrastructure using identity and access management, cryptographic solutions and information leakage protection.
       Purpose: To support a consistent approach organisation-wide to selecting, building and deploying technical security infrastructure components and ensure they support business activities.

CF 9   Network Management
       Guideline: Design, implement and manage physical, wireless and voice networks to be resilient, prevent unauthorised access and support current and future business activities in a secure manner.
       Purpose: To ensure business information transmitted over all types of network is protected against unauthorised disclosure, interception, interference and interruption.

CF 10  Threat and Vulnerability Management
       Guideline: Manage threats and vulnerabilities associated with information, systems and networks by maintaining up-to-date patch levels, deploying comprehensive, up-to-date malware protection and performing continuous monitoring.
       Purpose: To reduce levels of vulnerability, protect information against threats, highlight system and network errors, detect potential and actual attacks and support investigations.

CF 11  Incident Management
       Guideline: Implement a comprehensive and approved incident management process for information and systems that includes the identification, response, recovery and post-implementation review of information security incidents.
       Purpose: To resolve information security incidents of all types in a consistent, effective manner, minimise their business impact and reduce the risk of similar incidents occurring.

CF 12  Local Environments
       Guideline: Co-ordinate information security activities in individual business environments by addressing the risks associated with business users, information, technology and locations.
       Purpose: To ensure that information risks throughout the organisation are identified and understood, and security activities within local environments are carried out in a timely and accurate manner.

CF 13  Desktop Applications
       Guideline: Establish a methodology for developing and maintaining desktop applications, which includes methods for protecting them and recording them in an inventory.
       Purpose: To ensure that desktop applications are created in a secure manner, the information they process is protected, and an accurate record of each desktop application is maintained.

CF 14  Mobile Computing
       Guideline: Configure mobile devices, including portable storage devices, to function as required and protect information during all stages of the information lifecycle.
       Purpose: To ensure that information processed, stored and transmitted by mobile devices is protected against the full range of threats.

CF 15  Electronic Communications
       Guideline: Protect electronic communication systems (eg e-mail, instant messaging and VoIP) by setting policy for their use, configuring security settings, performing capacity planning and hardening the supporting technical infrastructure.
       Purpose: To preserve the integrity of important business messages, prevent unauthorised disclosure of sensitive information handled by electronic communication systems and maximise availability.

CF 16  External Supplier Management
       Guideline: Include information security requirements in documented agreements with external suppliers (including suppliers of hardware, software and services, such as outsourcing and cloud) and incorporate security requirements throughout all stages of the relationship with each supplier.
       Purpose: To ensure the organisation’s information is protected when being handled by external suppliers and that security requirements are satisfied and maintained when acquiring hardware and software from external suppliers.

CF 17  System Development Management
       Guideline: Establish a structured systems development methodology that involves isolating development environments, applying security throughout the development process and performing quality assurance.
       Purpose: To ensure business applications are developed in a secure environment and meet business and information security requirements.

CF 18  Systems Development Lifecycle
       Guideline: Implement a systems development methodology that addresses security during requirements gathering, design and build, testing and implementation.
       Purpose: To ensure business and information security requirements are met throughout the development process and at implementation.

CF 19  Physical and Environmental Security
       Guideline: Protect IT facilities and services against malicious attack, accidental damage, loss of power, natural hazards and unauthorised physical access.
       Purpose: To ensure that important IT facilities and services are available when required and to prevent unauthorised disclosure and unavailability of information.

CF 20  Business Continuity
       Guideline: Develop an organisation-wide business continuity strategy and programme that includes co-ordinating and maintaining business continuity plans and arrangements across the organisation.
       Purpose: To ensure the organisation is resilient to attack and can continue to operate effectively in the event of a disaster or crisis.

SI 1   Security Audit
       Guideline: Subject target environments to thorough, independent and regular security audits, using a repeatable and consistent process.
       Purpose: To ensure that security controls have been implemented according to identified information risks and that executive management are kept informed of the security status of target environments.

SI 2   Security Performance
       Guideline: Monitor and report to executive management on the information risks, compliance requirements and security condition of the organisation on a regular basis.
       Purpose: To provide executive management with an accurate and comprehensive overview of information risk, compliance obligations and security condition across the organisation.

Reference: ISF 12 12 01
Copyright © 2012 Information Security Forum Limited. All rights reserved. www.securityforum.org
