| Ref | Control Area | Guideline | Purpose |
|---|---|---|---|
| SG 1 | Security Governance Approach | Establish, maintain and monitor an information security governance framework with clear direction for information security. | |
| SG 2 | | | |
| SR 1 | Information Risk Assessment | Undertake regular information risk assessments for target environments (eg critical business environments, business processes, business applications) in a rigorous and consistent manner, using a structured methodology. | To enable individuals who are responsible for target environments to identify information risks, determine the risk treatment options to adopt, including where necessary the selection of controls to keep information risk within acceptable limits. |
| SR 2 | Compliance | Apply an approved method for identifying and interpreting the information security implications of relevant laws and regulations, and addressing non-compliance. | |
| CF 1 | | Develop and distribute a comprehensive, approved information security policy to all individuals with access to the organisation's information and systems, and establish a specialist information security function. | |
| CF 2 | Human Resource Security | Assign ownership and responsibility for particular information and systems to designated individuals and establish an information security awareness programme, which is supported by a range of education / training activities. | |
| CF 3 | Asset Management | Establish an information classification scheme and a method for protecting assets and information in physical and electronic formats. | |
| CF 4 | Business Applications | Apply sound information security architecture principles to business applications (including internal and external web-based applications) and protect information used by business applications throughout its lifecycle. | |
| CF 5 | Customer Access | Protect business applications with customer access by performing information risk assessments to determine security requirements, and by applying security arrangements supported by agreed, approved contracts. | To ensure customers are legally and contractually bound to protect sensitive or critical information relating to either the organisation or the customer. |
| CF 6 | Access Management | Establish methods of restricting access to business applications, systems, computing devices and networks by requiring users to be authorised before being granted access privileges, authenticated using access control mechanisms and subject to a rigorous sign-on process before being provided with access. | To ensure that only authorised users can gain access to business applications, systems, computing devices and networks, and that individual accountability is assured. |
| CF 7 | System Management | Design, configure and deploy information systems in a consistent and accurate manner, and maintain supporting technical infrastructure using a rigorous change management process. | |
| CF 8 | Technical Security Infrastructure | | |
| CF 9 | Network Management | Design, implement and manage physical, wireless and voice networks to be resilient, prevent unauthorised access and support current and future business activities in a secure manner. | To ensure business information transmitted over all types of network is protected against unauthorised disclosure, interception, interference and interruption. |
| CF 10 | Threat and Vulnerability Management | Manage threats and vulnerabilities associated with information, systems and networks by maintaining up-to-date patch levels, deploying comprehensive, up-to-date malware protection and performing continuous monitoring. | To reduce levels of vulnerability, protect information against threats, highlight system and network errors, detect potential and actual attacks and support investigations. |
| CF 11 | Incident Management | Implement a comprehensive and approved incident management process for information and systems that includes the identification, response, recovery and post-implementation review of information security incidents. | |
| CF 12 | Local Environments | Co-ordinate information security activities in individual business environments by addressing the risks associated with business users, information, technology and locations. | To ensure that information risks throughout the organisation are identified and understood, and security activities within local environments are carried out in a timely and accurate manner. |
| CF 13 | Desktop Applications | Establish a methodology for developing and maintaining desktop applications, which includes methods for protecting them and recording them in an inventory. | To ensure that desktop applications are created in a secure manner, the information they process is protected, and an accurate record of each desktop application is maintained. |
| CF 14 | Mobile Computing | Configure mobile devices, including portable storage devices, to function as required and protect information during all stages of the information lifecycle. | |
| CF 15 | Electronic Communications | Protect electronic communication systems (eg e-mail, instant messaging and VoIP) by setting policy for their use, configuring security settings, performing capacity planning and hardening the supporting technical infrastructure. | |
| CF 16 | External Supplier Management | | |
| CF 17 | System Development Management | | |
| CF 18 | Systems Development Lifecycle | | To ensure business and information security requirements are met throughout the development process and at implementation. |
| CF 19 | Physical and Environmental Security | Protect IT facilities and services against malicious attack, accidental damage, loss of power, natural hazards and unauthorised physical access. | To ensure that important IT facilities and services are available when required and to prevent unauthorised disclosure and unavailability of information. |
| CF 20 | Business Continuity | | To ensure the organisation is resilient to attack and can continue to operate effectively in the event of a disaster or crisis. |
| SI 1 | Security Audit | Subject target environments to thorough, independent and regular security audits, using a repeatable and consistent process. | |
| SI 2 | Security Performance | Monitor and report to executive management on the information risks, compliance requirements and security condition of the organisation on a regular basis. | |
Warning
This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct. If you are not a Member of the ISF or have received
this document in error, please destroy it or contact the ISF on info@securityforum.org. Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly
prohibited. This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.
Classification: Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the document from the ISF.
www.securityforum.org
Reference: ISF 12 12 01 Copyright 2012 Information Security Forum Limited. All rights reserved.