Organizing Information Security:
Internal organization
The objective of this category is to manage information security within the organization's overall administrative structure.
Management commitment to information security
Management at all levels should actively support security within the organization with clear direction, demonstrated commitment, and explicit acknowledgement of information security responsibilities.
Control includes:
- Clear direction and visible support for information security initiatives, including providing appropriate resources for information security controls
- Coordination of information security efforts across the organization, including designation of information security officer(s) and committee(s)
- Assuring formulation, review and approval of appropriate organization-wide information security policy
- Periodic reviews of the effectiveness of information security policy, including external review as appropriate, and updating of the policy as needed
- Appropriate management controls over new information facilities, systems and capabilities
Information security coordination
Information security activities should be coordinated by representatives from different parts of the organization with relevant roles and job functions.
Control includes:
- Assessing adequacy and coordinating implementation of controls
- Ensuring that information security controls are executed in compliance with information security policy
- Proposing methodologies and processes (e.g., risk assessment) subject to management approval
- Evaluating security incident data from across the organization, and recommending appropriate action
- Identifying significant threat and vulnerability changes, and recommending appropriate action
- Promoting security awareness and training throughout the organization
Allocation of information security responsibilities
All information security responsibilities should be clearly defined.
Control includes:
- Identification and clear definition of assets and security controls for each information facility
- Identification of the individual responsible for security for each information facility
Authorization process for information processing facilities
A management authorization process for new information processing facilities and capabilities should be defined and implemented.
Control includes:
- Formal approval of purpose and use for each new system, or for existing systems that are materially changed
- Certification that the hardware and/or software used by the new (or changed) system meets organizational standards; approval of any non-standard functions, locations or users, including approval of any personal or privately owned hardware, software or facilities to be used
- Certification that the new or changed system complies with all applicable security controls
Confidentiality agreements
Requirements for confidentiality and non-disclosure agreements (NDA) should reflect the organization's needs for protection of information. Such agreements should be periodically reviewed.
This control includes specification of:
- Definition of the information, information type(s) or information system(s) to be protected
- Confidentiality requirements for that information, in clear, legally enforceable terms that accord with all relevant statutory, regulatory and private certificatory authorities
- Responsibilities of signatories, including limitations on use or disclosure of information and adherence to security controls
- Terms of ownership of information, including any trade secret or intellectual property requirements
- Expected duration of the agreement
- Required actions when the agreement is terminated, including requirements to return or destroy information
- Right to monitor compliance with the agreement
- Processes for reporting and giving notice of breaches
- Expected actions to be taken in the event of a breach
Contact with authorities
Appropriate contacts with relevant external authorities should be maintained.
Control includes:
- Development of policies, procedures and contact lists that specify when and by whom external authorities should be contacted
- Specification of the timing and manner in which breaches shall be reported, to ensure appropriate reporting
Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.
Independent review of information security
The organization's approach to managing information security and its implementation should be reviewed independently at planned intervals, and when there are significant changes to internal structure or the external environment.
External parties
This category aims to maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to or managed by external parties.
Risks to the organization's information and information processing facilities from business processes involving external parties should be identified and appropriate controls implemented before granting access.
Control includes:
- A risk assessment to identify any requirements for specific controls, taking into account characteristics of external users, their type of access, and the value and sensitivity of the information involved
- Contractual specification of the terms and conditions of access, including required security controls
- Implementation of all security controls before access is permitted
Addressing security when dealing with customers
All identified security requirements should be addressed before giving customers access to the organization's information or assets. Control considerations are similar to those for external parties.
Addressing security in third party agreements
Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities should cover all relevant security requirements.
Control includes specifying security requirements related to:
- The applicable information security policy or policies
- Necessary controls to ensure asset protection
- User and system administrator awareness and training efforts
- Responsibilities related to hardware/software selection and configuration
- A clear and specific process of change management
- Agreements for reporting, notification and investigation
- Reporting structure and reporting formats
- Levels of acceptable/unacceptable service and service continuity
- Definitions of verifiable performance criteria
- Rights to monitor and audit activities
- Problem resolution processes, including escalation steps
- Intellectual property rights and ownership of data
- Policies regarding subcontractors
- Conditions for renegotiation and/or termination
References
- ISO-27002:2005 6.1.1
- ISO-27002:2005 6.1.2
- ISO-27002:2005 6.1.3
- HIPAA 164.308(a)(2)
- ISO-27002:2005 6.1.4
- ISO-27002:2005 6.1.5
- ISO-27002:2005 6.1.6
- ISO-27002:2005 6.1.7
- ISO-27002:2005 6.1.8
- ISO-27002:2005 6.2.1
- ISO-27002:2005 6.2.2
- ISO-27002:2005 6.2.3
- HIPAA 164.308(b)(1)
See also
- ISO 17799/27002 - Code of Practice for Information Security Management