information.
CF16.2.1
There should be documented standards / procedures for acquiring hardware / software, which specifies:
a) guidelines for selecting hardware / software (eg lists of approved suppliers, security considerations and contractual terms)
b) methods of identifying and addressing security weaknesses in hardware / software
c) the need to meet software licensing requirements
d) the process for reviewing and approving hardware / software.
CF16.2.2
Standards / procedures should apply to all hardware acquired throughout the organisation, including:
a) computer equipment (eg servers, computing devices, laptops and netbooks)
b) consumer devices (eg tablets and smartphones)
c) virtual systems (eg virtual servers and virtual desktops)
d) network storage systems (eg Storage Area Network (SAN) and Network-Attached Storage (NAS))
e) network equipment (eg routers, switches, wireless access points and firewalls)
f) telephony (including VoIP) and conferencing equipment
g) portable storage media (eg external hard disk drives and USB memory sticks)
h) authentication hardware (eg physical tokens, smartcards and biometric equipment)
i) office equipment (eg network printers and multifunction devices)
j) specialist equipment (eg equipment that is used to support or enable the organisation’s critical infrastructure).
CF16.2.3
Standards / procedures should apply to all software acquired throughout the organisation, including:
a) operating system and virtualisation software
b) business software (eg enterprise resource planning (ERP) and customer relationship management (CRM) applications)
c) commercial-off-the-shelf software (COTS)
d) security software (eg data leakage protection (DLP), digital rights management (DRM) and intrusion detection software (IDS)).
CF16.2.4
Hardware / software should be:
a) acquired (eg purchased or leased) from approved suppliers (ie those with a proven record of providing robust and resilient equipment)
b) tested prior to use (eg by performing penetration tests and vulnerability tests) to help identify and resolve security weaknesses
c) supported by maintenance arrangements.
CONTROL FRAMEWORK
www.securityforum.org
CF
FUNDAMENTAL
CF16.2 2011 Standard of Good Practice • Copyright © 2011 Information Security Forum
CF16.2 Hardware / Software Acquisition (continued)
CF16.2.5
When acquiring hardware / software:
a) security requirements should be considered
b) a high priority should be placed on reliability in the selection process
c) contractual terms should be agreed with suppliers.
CF16.2.6
The risk of potential security weaknesses in hardware / software should be reduced by:
a) obtaining external assessments from trusted sources (eg external auditor’s opinions and specified security criteria, such as the Information Technology Security Evaluation Criteria (ITSEC), ‘Common Criteria’ (CC) and Federal Information Processing Standards (FIPS))
b) identifying security deficiencies (eg by detailed inspection, reference to published sources, or by participating in user / discussion groups)
c) considering alternative methods of providing the required level of security (eg an alternative method of authentication or additional application and system monitoring).
CF16.2.7
Software licensing requirements should be met by obtaining adequate licenses for planned use and by providing proof of ownership of software (eg via ‘blanket’ licence agreements).
CF16.2.8
The acquisition of hardware / software should be reviewed by staff that have the necessary skills to evaluate them, and be approved by an appropriate business representative.
Related areas / topics
CF3.4 Asset Register
ISF resources
CF16.3 Outsourcing
Principle
A process should be established to govern the selection and management of outsource providers (including cloud service providers), supported by documented agreements that specify the security requirements to be met.
Objective
To ensure that security requirements are satisfied and maintained when the running of a particular environment or service is entrusted to an outsource provider.
CF16.3.1
A documented process should be established to govern the selection of outsource providers and the transfer of activity to them.
Organisations typically use a range of external suppliers to support critical business processes. The security controls outlined in this topic apply to a broad range of external suppliers that an organisation may use including outsource providers, offshore service providers and cloud service providers.
CF16.3.2
When determining the requirements for outsourcing, the organisation should:
a) evaluate information risks associated with outsourcing arrangements and the particular business functions that may be outsourced
b) determine cross-border / multi-jurisdictional legislative and regulatory requirements
c) identify particularly critical or sensitive environments
d) take into account the classification of information to be placed in the care of the outsource provider
e) assess the information security practices and standards of potential outsource providers
f) consider interdependencies between the function to be outsourced and other business functions
g) develop exit strategies from the relationship in the eventuality of an early termination of the agreement (eg due to a dispute with the outsource supplier or if the outsource supplier ceases trading).
CF16.3.3
Before the management of a particular environment is transferred, information security controls should be agreed with the outsource provider and approvals for the transfer obtained from relevant business owners.
CF16.3.4
Contracts should be established with all outsource providers (including cloud service providers), which are:
a) reviewed independently (eg by a legal representative, lawyer or equivalent)
b) approved by executive management
c) agreed and signed by both parties
d) kept up-to-date.
CF16.3.5
Contracts with outsource providers should require them to:
a) comply with good practice for information security (eg apply common security architecture principles)
b) maintain the confidentiality of information gained through the outsourcing agreement
c) protect the integrity of information used in the course of work (ie to ensure it is complete, accurate and valid)
d) ensure the availability of information and systems (eg by providing resilient equipment and guaranteeing response times)
CF16.3 Outsourcing (continued)
CF16.3.6
Contracts should require outsource providers to:
a) limit access to the assets of the organisation to authorised staff
b) protect personally identifiable information (PII)
c) meet legal and regulatory requirements (eg those relating to privacy, data protection, encryption export, data breach notification and the Payment Card Industry Data Security Standard (PCI DSS))
d) define the way in which they are permitted to further outsource to other external parties.
CF16.3.7
Contracts should specify that outsource providers are required to:
a) assure the quality and accuracy of work performed
b) follow a change management process
c) provide effective information security incident management
d) return or destroy information, software or equipment on an agreed date, or upon request
e) provide effective business continuity arrangements.
CF16.3.8
Contracts should specify:
a) details of licensing arrangements
b) the ownership of intellectual property rights and information
c) the right for the organisation to audit the outsource provider’s activities (or provide agreed alternative assurance processes where an audit is not possible).
CF16.3.9
A process should be agreed, to deal with security issues via an agreed point of contact(s) within the outsource provider, who is available at predetermined times (eg 24 hours a day, 365 days a year).
Related areas / topics
CF16.4 Cloud Computing Policy
CF16.5 Cloud Service Contracts
ISF resources
Information Risk Management in Outsourcing and Offshoring
Outsourcing and Offshoring: Managing Information Risk
Outsourcing and Third Party Risk Management – ISF deliverables
CF16.4 Cloud Computing Policy
Principle
A comprehensive, documented policy on the use of cloud services should be produced and communicated to all individuals who may purchase or use cloud services.