13 Communication Security
13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
13.2.1 Information transfer policies and procedures
Control
Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities.
Implementation guidance
The procedures and controls to be followed when using communication facilities for information transfer should consider the following items:
a) procedures designed to protect transferred information from interception, copying, modification, mis-routing and destruction;
b) procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications (see 12.2.1);
c) procedures for protecting communicated sensitive electronic information that is in the form of an attachment;
d) policy or guidelines outlining acceptable use of communication facilities (see 8.1.3);
e) personnel, external party and any other user’s responsibilities not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.;
f) use of cryptographic techniques, e.g. to protect the confidentiality, integrity and authenticity of information (see 10);
g) retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations;
h) controls and restrictions associated with using communication facilities, e.g. automatic forwarding of electronic mail to external mail addresses;
i) advising personnel to take appropriate precautions not to reveal confidential information;
j) not leaving messages containing confidential information on answering machines, since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling;
k) advising personnel about the problems of using facsimile machines or services, namely:
1) unauthorized access to built-in message stores to retrieve messages;
2) deliberate or accidental programming of machines to send messages to specific numbers;
3) sending documents and messages to the wrong number either by misdialling or using the wrong stored number.
In addition, personnel should be reminded that they should not have confidential conversations in public places or over insecure communication channels, open offices and meeting places.
Information transfer services should comply with any relevant legal requirements (see 18.1).
Other information
Information transfer may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile and video.
This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate or complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
Software transfer may occur through a number of different media, including downloading from the Internet and acquisition from vendors selling off-the-shelf products.
The business, legal and security implications associated with electronic data interchange, electronic commerce and electronic communications, and the requirements for controls, should be considered.
13.2.2 Agreements on information transfer
Control
Agreements should address the secure transfer of business information between the organization and external parties.
Implementation guidance
Information transfer agreements should incorporate the following:
a) management responsibilities for controlling and notifying transmission, dispatch and receipt;
b) procedures to ensure traceability and non-repudiation;
c) minimum technical standards for packaging and transmission;
d) escrow agreements;
e) courier identification standards;
f) responsibilities and liabilities in the event of IACS security incidents, such as loss of data, control or visualization;
g) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected (see 8.2);
h) technical standards for recording and reading information and software;
i) any special controls that are required to protect sensitive items, such as cryptography (see 10);
j) maintaining a chain of custody for information while in transit;
k) acceptable levels of access control.
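Items b), i) and j) above (traceability and non-repudiation, cryptographic protection, chain of custody) are stated as terms an agreement should contain. The Go program below is an added illustration of how such terms are commonly realized technically; it is not part of this draft or of any ISA99 work product. The sender builds a manifest of per-object SHA-256 digests, names both parties and a dispatch identifier, and signs the manifest with an Ed25519 key; the receiver verifies the signature under the sender's public key and checks every received object against the manifest before accepting the dispatch, rejecting altered, missing or unlisted objects. The party names, dispatch identifier and file contents are constructed sample data, and it is assumed that the sender's public key was exchanged out of band under the agreement.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Entry records one transferred object: its name, size and SHA-256 digest.
type Entry struct {
	Name   string `json:"name"`
	Size   int    `json:"size"`
	SHA256 string `json:"sha256"`
}

// Manifest is the record the sender signs. Naming both parties and a dispatch
// identifier ties the digests to one specific transmission under the agreement.
type Manifest struct {
	Sender     string  `json:"sender"`
	Receiver   string  `json:"receiver"`
	DispatchID string  `json:"dispatch_id"`
	Entries    []Entry `json:"entries"`
}

// BuildManifest digests each object to be sent. Entries are sorted by name so
// that the serialized manifest, and therefore the signature, is deterministic.
func BuildManifest(sender, receiver, dispatchID string, objects map[string][]byte) Manifest {
	m := Manifest{Sender: sender, Receiver: receiver, DispatchID: dispatchID}
	for name, data := range objects {
		sum := sha256.Sum256(data)
		m.Entries = append(m.Entries, Entry{Name: name, Size: len(data), SHA256: hex.EncodeToString(sum[:])})
	}
	sort.Slice(m.Entries, func(i, j int) bool { return m.Entries[i].Name < m.Entries[j].Name })
	return m
}

// Sign serializes the manifest and signs the bytes with the sender's private key.
// The receiver retains (body, sig) as the non-repudiable record of the dispatch.
func Sign(m Manifest, priv ed25519.PrivateKey) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// Verify is the receiving side's check: the signature must verify under the
// sender's public key (assumed to have been exchanged out of band), and every
// received object must match its manifest entry. Missing, extra or altered
// objects are reported rather than silently accepted.
func Verify(body, sig []byte, pub ed25519.PublicKey, received map[string][]byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("manifest signature invalid: sender and integrity cannot be established")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	listed := make(map[string]bool, len(m.Entries))
	for _, e := range m.Entries {
		data, ok := received[e.Name]
		if !ok {
			return m, fmt.Errorf("object %q listed in manifest but not received", e.Name)
		}
		sum := sha256.Sum256(data)
		if len(data) != e.Size || hex.EncodeToString(sum[:]) != e.SHA256 {
			return m, fmt.Errorf("object %q does not match its manifest digest", e.Name)
		}
		listed[e.Name] = true
	}
	for name := range received {
		if !listed[name] {
			return m, fmt.Errorf("object %q received but not listed in manifest", name)
		}
	}
	return m, nil
}

func main() {
	// Constructed sample: two objects dispatched from one party to another.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	objects := map[string][]byte{
		"plc_config.xml": []byte("<config><setpoint>42</setpoint></config>"),
		"changelog.txt":  []byte("rev 7: raised alarm threshold"),
	}
	body, sig, _ := Sign(BuildManifest("sender-org", "receiver-org", "D-0001", objects), priv)
	if _, err := Verify(body, sig, pub, objects); err != nil {
		panic(err)
	}
	fmt.Println("intact transfer verified")
	// Same manifest, but one object modified in transit: must be rejected.
	tampered := map[string][]byte{
		"plc_config.xml": []byte("<config><setpoint>99</setpoint></config>"),
		"changelog.txt":  objects["changelog.txt"],
	}
	_, err = Verify(body, sig, pub, tampered)
	fmt.Println("tampered transfer:", err)
}
```

The signed manifest gives the receiver evidence of what was sent and by whom, and gives the sender a record that the receiver cannot plausibly dispute, which is what the non-repudiation term asks for; it does not by itself provide confidentiality in transit, which still needs encryption of the channel or of the objects (item i), and the non-repudiation claim holds only as long as the sender's private key is under the sender's sole custody.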
Policies, procedures and standards should be established and maintained to protect information and physical media in transit (see 8.3.3), and should be referenced in such transfer agreements.
The information security content of any agreement should reflect the sensitivity of the business information involved.
Other information
Agreements may be electronic or manual, and may take the form of formal contracts. For confidential information, the specific mechanisms used for the transfer of such information should be consistent for all organizations and types of agreements.
13.2.3 Electronic messaging
Control
Information involved in electronic messaging should be appropriately protected.
Implementation guidance
Information security considerations for electronic messaging should include the following:
a) protecting messages from unauthorized access, modification or denial of service, commensurate with the classification scheme adopted by the organization;
b) ensuring correct addressing and transportation of the message;
c) reliability and availability of the service;
d) legal considerations, for example requirements for electronic signatures;
e) obtaining approval prior to using external public services such as instant messaging, social networking or file sharing;
f) stronger levels of authentication controlling access from publicly accessible networks.
Other information
There are many types of electronic messaging, such as email, electronic data interchange and social networking, which play a role in business communications.
13.2.4 Confidentiality or non-disclosure agreements
Control
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented.
Implementation guidance
Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organization. Elements should be selected or added in consideration of the type of the other party and its permissible access to, or handling of, confidential information. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:
a) a definition of the information to be protected (e.g. confidential information);
b) expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
c) required actions when an agreement is terminated;
d) responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
f) the permitted use of confidential information and rights of the signatory to use information;
g) the right to audit and monitor activities that involve confidential information;
h) process for notification and reporting of unauthorized disclosure or confidential information leakage;
i) terms for information to be returned or destroyed at agreement cessation;
j) expected actions to be taken in case of a breach of the agreement.
Based on an organization’s information security requirements, other elements may be needed in a confidentiality or non-disclosure agreement.
Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations for the jurisdiction to which they apply (see 18.1).
Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when changes occur that influence these requirements.
Other information
Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.
There may be a need for an organization to use different forms of confidentiality or non-disclosure agreements in different circumstances.
14 System acquisition, development and maintenance