
Section SM3.1 Information classification

(continued)

SM3.1.5

The information classification scheme should apply to information associated with:

a) business applications
b) computer installations
c) networks
d) systems under development
e) end user environments.

SM3.1.6

There should be approved methods for labelling classified:

a) information stored in paper form (eg using rubber ink stamps, adhesive labels, hologram lamination)
b) information stored in electronic form (eg using electronic watermarking, labelling headers and footers, using filename conventions)
c) electronic communications (eg using digital signatures and clearly identifying the classification in the subject headers of e-mails).

SM3.1.7

An inventory (or equivalent) of information classification details should be maintained (eg in a database, via a specialised piece of software, or on paper).

SM3.1.8

Information classification details recorded should include:

a) the classification of the information
b) the identity of the information owner
c) a brief description of the information classified.


SM3 Security Requirements

www.securityforum.org

SM

Section SM3.2 Ownership

Principle

Ownership of critical information and systems should be assigned to capable individuals, with responsibilities clearly defined and accepted.

Objective

To achieve individual accountability for the protection of all critical information and systems throughout the organisation.

SM3.2.1

Ownership of critical information and systems should be assigned to individuals, and the responsibilities of owners documented. Responsibilities for protecting information and systems should be communicated to owners and accepted by them.

SM3.2.2

Responsibilities of owners should include:

a) determining business (including information security) requirements and signing them off
b) ensuring information and systems are protected in line with their importance to the organisation
c) defining information interchange agreements (or equivalent)
d) developing service level agreements (SLAs)
e) authorising new or significantly changed systems
f) being involved in security audits / reviews.

SM3.2.3

The responsibilities of owners should involve:

a) determining which users are authorised to access particular information and systems
b) signing off access privileges for each user or set of users
c) ensuring users are aware of their security responsibilities and are able to fulfil them.

SM3.2.4

A process should be established for:

a) providing owners with the necessary skills, tools, staff and authority to fulfil their responsibilities
b) assigning responsibilities for protecting information and systems when the owner is unavailable
c) reassigning ownership when an owner leaves or changes roles.


Section SM3.3 Managing information risk analysis

Principle

Critical business applications, computer installations, networks and systems under development should be subject to information risk analysis on a regular basis.

Objective

To enable individuals who are responsible for critical information and systems to identify key information risks and determine the controls required to keep those risks within acceptable limits.

SM3.3.1

Decision-makers (including top management; heads of business units / departments; and owners of business applications, computer installations, networks, systems under development and end user environments) should be aware of the need to apply information risk analysis to critical environments within the organisation.

SM3.3.2

There should be documented standards / procedures for performing information risk analysis, which apply across the organisation. Documented standards / procedures should require risks to be analysed for:

a) information and systems that are important to the organisation
b) systems at an early stage in their development
c) systems subject to significant change, at an early stage in the change process
d) the introduction of major new technologies (eg wireless networks, instant messaging and Voice over IP)
e) requests to permit access from external locations (eg employees’ homes, third party premises or public places)
f) requests to permit access to the organisation’s information and systems by external individuals (eg consultants, contractors and employees of third parties).

SM3.3.3

Standards / procedures should specify that information risk analysis:

a) be performed regularly
b) involve business owners, IT specialists, key user representatives and experts in information risk analysis and information security specialists.

SM3.3.4

The results from information risk analyses that are conducted across the organisation should be:

a) reported to top management
b) used to help determine programmes of work in information security (eg remedial action and new security initiatives)
c) integrated with wider risk management activities (eg managing operational risk).


Section SM3.4 Information risk analysis methodologies

Principle

Information risk analysis conducted on applications, computer installations, networks and systems under development should be undertaken using structured methodologies.

Objective

To ensure information risk analysis is conducted in a consistent, rigorous and reliable manner throughout the organisation.

SM3.4.1

Risks associated with the organisation’s information and systems should be analysed using structured information risk analysis methodologies (eg the ISF’s Information Risk Analysis Methodology (IRAM)).

SM3.4.2

Information risk analysis methodologies should be:

a) documented
b) approved by top management
c) consistent across the organisation
d) automated (eg using specialist software tools)
e) reviewed regularly to ensure that they meet business needs
f) applicable to systems of various sizes and types
g) understandable to relevant business representatives.

SM3.4.3

Information risk analysis methodologies should require all risk analyses to have a clearly defined scope.

SM3.4.4

Information risk analysis methodologies should determine risk by assessing:

a) the potential level of business impact associated with the system, network or computer installation
b) deliberate threats to the confidentiality, integrity and availability of information and systems (eg carrying out denial of service attacks, malware, installing unauthorised software, misusing systems to commit fraud)
c) accidental threats to the confidentiality, integrity and availability of information and systems (eg loss of power, system or software malfunctions)
d) vulnerabilities due to control weaknesses
e) vulnerabilities due to circumstances that increase the likelihood of a serious information security incident occurring (eg use of the Internet, permitting third party access or siting a computer installation in an area prone to earthquakes or flooding).

SM3.4.5

Information risk analysis methodologies should take into account:

a) compliance requirements (eg with legislation, regulation, contractual terms, industry standards and internal policies)
b) objectives of the organisation.

Section SM3.4 Information risk analysis methodologies

(continued)

SM3.4.6

Information risk analysis methodologies should ensure that the results of the information risk analysis are documented and include:

a) a clear identification of key risks
b) an assessment of the potential business impact of each risk
c) recommended actions to reduce risk to an acceptable level.

SM3.4.7

Information risk analysis methodologies should be used to help:

a) select security controls that will reduce the likelihood of serious information security incidents occurring
b) select security controls that will satisfy relevant compliance requirements (eg those outlined in the Sarbanes-Oxley Act 2002, the Payment Card Industry (PCI) Data Security Standard, Basel II 1998, data privacy requirements and anti-money laundering requirements)
c) evaluate the strengths and weaknesses of security controls
d) determine the costs of implementing security controls (eg costs associated with: design, purchase, implementation and monitoring of the controls; hardware and software; training; overheads, such as facilities; and consultancy fees)
e) identify specialised security controls required by particular environments (eg data encryption or strong authentication).

SM3.4.8

Information risk analysis methodologies should ensure that the results of the risk analysis (including risk treatment actions and any identified residual risk) are:

a) communicated to the relevant owner
b) signed off by the relevant owner
c) compared with information risk analyses conducted in other areas of the organisation.

Risk treatment typically involves one of four options: applying appropriate controls; accepting risks; avoiding risks; or transferring risks. Residual risk is that proportion of risk that still remains after selected controls have been implemented.
