
Objective

To document the governing body’s direction on and commitment to information security, and communicate it to all relevant individuals.

CF1.1.1

There should be a documented information security policy, ratified at board level, that applies across the organisation. There should be an individual (or a group of individuals) responsible for maintaining the policy.

CF1.1.2

The information security policy should define information security, associated responsibilities and the information security principles to be followed by all staff.

CF1.1.3

The information security policy should require that:

a) information is classified in a way that indicates its importance to the organisation

b) owners (typically the people in charge of business processes that are dependent on information and systems) are appointed for all critical information and systems

c) important information and systems be subject to an information risk assessment on a regular basis or before a major change

d) staff are made aware of information security

e) compliance with software licenses and with other legal, regulatory and contractual obligations is met

f) breaches of the information security policy and suspected information security weaknesses are reported

g) tampering with evidence in the case of information security incidents that may require forensic investigation is prohibited

h) information is protected in terms of its requirements for confidentiality, integrity and availability.

CF1.1.4

The information security policy should be:

a) aligned with other high-level policies (eg those relating to human resources, health and safety, finance and information technology)

b) communicated to all staff and external individuals (eg consultants, contractors and employees of external parties) with access to the organisation’s information or systems

c) reviewed regularly according to a defined review process

d) revised to take account of changing circumstances (eg new threats, vulnerabilities and risks, reorganisation of the organisation, changes to contractual, legal and regulatory requirements, or changes to the IT infrastructure).

CONTROL FRAMEWORK

www.securityforum.org

Copyright © 2011 Information Security Forum • 2011 Standard of Good Practice CF1.1

CF1.1 Information Security Policy (continued)

CF1.1.5

The organisation’s information security policy should be supported by detailed acceptable usage policies (AUPs) that define the way in which individuals are expected to use technology within the organisation.


An acceptable usage policy (AUP) typically defines the organisation’s rules on how an individual (eg an employee or contractor) can use technology, including software, computer equipment and connectivity.

CF1.1.6

Acceptable usage policies should clearly state:

a) the ownership and purpose of technology provided to individuals

b) expected security-related behaviour of individuals (eg using strong passwords and encrypting files)

c) unacceptable behaviour (eg sending or copying confidential information to unauthorised individuals or storing sensitive information on non-corporate devices)

d) permitted use of technology (eg Internet browsing for business purposes, VoIP, wireless networking and personal Internet browsing at predetermined times of the day)

e) prohibited use of technology (eg non-corporate web browsers, unauthorised connections to public VoIP services or connecting unapproved computers to the corporate network)

f) details of any monitoring activities to be performed (eg browsing of Internet websites or the use of VoIP) to detect malicious activity or accidental leakage of business information.

CF1.1.7

Acceptable usage policies should be:

a) documented and supported by guidelines for acceptable use, which provide additional information for users

b) approved by an appropriate business representative with authority

c) communicated to relevant individuals with access to the organisation’s information, software, equipment and connectivity

d) easily accessible by individuals (eg by locating copies on business users’ computers and displaying them on a dedicated area of the corporate intranet, portal or shared database)

e) kept up-to-date

f) signed off by executive management.

CF1.1.8

A method should be established to:

a) enable individuals to confirm their acceptance of and compliance with the information security policy and supporting policies when they are issued and updated (eg by displaying a confirmation dialogue box as part of the login process for their computer, when starting business applications and upon accessing the organisation’s intranet)

b) assess compliance with the information security policy and supporting policies on a regular basis (eg in the form of audits).

CF1.1.9

A method should be established to ensure individuals understand that disciplinary actions may be taken against them if they violate the information security policy and supporting acceptable usage policies.

Related areas / topics

CF2.2 Security Awareness Programme

CF2.3 Security Awareness Messages

CF14.5 Consumer Devices

ISF resources

Information Security Policy: Overview

Protecting Information in the End User Environment


CF1.2 Information Security Function

Principle

A specialist information security function should be established, which has responsibility for promoting information security throughout the organisation.

Objective

To ensure good practice in information security is applied effectively and consistently throughout the organisation.

CF1.2.1

The organisation should be supported by an information security function (or equivalent), which has responsibility for promoting good practice in information security throughout the organisation. The Chief Information Security Officer (or equivalent) should be dedicated to information security full-time and report to a senior member of executive management.

Ideally, the Chief Information Security Officer (CISO) should report either directly to the governing board, or via a senior member of an independent risk management function.

CF1.2.2

The information security function should support the organisation’s information security policy by:

a) assisting in the development and maintenance of an information security strategy

b) developing information security standards / procedures and guidelines

c) defining a set of security services (eg identity services, authentication services, cryptographic services), which provide a coherent range of security capabilities

d) co-ordinating information security across the organisation

e) monitoring the effectiveness of information security arrangements (eg using tools such as the ISF’s Return on Security Investment (RO$I) and Security Healthcheck)

f) overseeing the investigation of information security incidents.

CF1.2.3

The information security function should represent a ‘centre of excellence’ for information security by:

a) providing expert advice on all aspects of information security (including information risk assessment, identity and access management, protecting information in the local environment, malware protection and information security incident management)

b) running an ongoing, continuous programme of information security awareness and developing security skills for staff throughout the organisation

c) incorporating information security requirements into documented agreements (eg contracts or service level agreements)

d) providing support for protecting the information associated with the organisation’s critical infrastructure (eg equipment for operations, telecommunications, utilities and buildings)

e) evaluating the security implications of specialised business initiatives (eg outsourcing, electronic commerce initiatives and information exchange).

CF1.2.4

The information security function should provide proactive support for:

a) information risk assessment activities

b) classification of information and systems according to their importance to the organisation

c) the use of cryptography

d) important security-related projects

e) major IT projects with security requirements

f) the development of the organisation’s business continuity programme

g) security audits.


CF1.2 Information Security Function (continued)

CF1.2.5

The information security function should monitor current, new and emerging:

a) general business trends (eg prospects for growth, internationalisation, merger and acquisitions, joint ventures, divestitures, consumerisation, outsourcing and cloud computing)

b) technological developments (eg web-based technology, virtualisation, encryption standards, digital rights management (DRM) and IPv6)

c) threats (eg identity theft, spear phishing and Bluetooth attacks)

d) vulnerabilities in key operating systems, applications and other software (eg using vendor websites and mailing lists)

e) information security solutions (eg digital rights management and intrusion prevention)

f) industry / international information security-related standards (eg ISO/IEC 27001 and 27002, COBIT, NIST SP 800-53 and ITIL)

g) legislation or regulations related to information security (eg those concerning data breach notification, data privacy, digital signatures and industry-specific standards such as Basel III and the Payment Card Industry Data Security Standard (PCI DSS)).

CF1.2.6

The information security function should:

a) be adequately resourced in terms of the number of staff, their range and level of skills, and tools or techniques (eg information risk assessment methodologies, forensic investigation software and an enterprise-wide security architecture)

b) have sufficient impact on the organisation and strong support from executive management, other business managers and IT managers

c) maintain contact with counterparts in the commercial world, government and law enforcement agencies and with security experts in computer / software companies and service providers

d) be reviewed on a regular basis (eg to ensure it performs as expected).

Related areas / topics

SG1.1 Security Governance Framework

SG1.2 Security Direction

SG2.1 Information Security Strategy

ISF resources

Information Security Strategy: Workshop Report

Role of Information Security in the Enterprise (RISE): Workshop Report

ISF Digest: Managing a Security Function

Managing a Security Function Diagnostic Tool

ISF Briefing: The Insider View – the role of information security in the enterprise


CF2.4 Security Education / Training

CF2.5 Roles and Responsibilities

AREA CF2 – Human Resource Security

Outline

Related documents