
2012 Guidelines for Information Security

Columns: Ref, Control Area, Guideline, Purpose

SG 1  Security Governance Approach
  Guideline: Establish, maintain and monitor an information security governance framework with clear direction for information security.
  Purpose: To provide assurance that required security management activities are performed correctly and consistently by designated executive managers.

SG 2  Security Governance Components
  Guideline: Support the organisation's security governance framework by developing and maintaining an information security strategy and an information security assurance programme that are aligned with the organisation's strategic objectives and that promote a structured approach to information risk management.
  Purpose: To ensure information security initiatives contribute to the organisation's success, achieve business value and provide assurance that information risk is being addressed.

SR 1  Information Risk Assessment
  Guideline: Undertake regular information risk assessments for target environments (eg critical business environments, business processes, business applications) in a rigorous and consistent manner, using a structured methodology.
  Purpose: To enable individuals who are responsible for target environments to identify information risks and determine the risk treatment options to adopt, including where necessary the selection of controls to keep information risk within acceptable limits.

SR 2  Compliance
  Guideline: Apply an approved method for identifying and interpreting the information security implications of relevant laws and regulations, and addressing non-compliance.
  Purpose: To ensure compliance with laws and regulations affecting information security.

CF 1  Security Policy and Organisation
  Guideline: Develop and distribute a comprehensive, approved information security policy to all individuals with access to the organisation's information and systems, and establish a specialist information security function.
  Purpose: To communicate the governing body's direction on and commitment to information security, set expectations for the behaviour of individuals and ensure good practice for information security is applied effectively and consistently throughout the organisation.

CF 2  Human Resource Security
  Guideline: Assign ownership and responsibility for particular information and systems to designated individuals and establish an information security awareness programme, which is supported by a range of education / training activities.
  Purpose: To create a security-positive environment where individuals are accountable for protecting information and individuals are provided with the knowledge and skills required to apply security controls effectively.

CF 3  Asset Management
  Guideline: Establish an information classification scheme and a method for protecting assets and information in physical and electronic formats.
  Purpose: To ensure information and systems are protected in accordance with information security and compliance requirements.

CF 4  Business Applications
  Guideline: Apply sound information security architecture principles to business applications (including internal and external web-based applications) and protect information used by business applications throughout its lifecycle.
  Purpose: To ensure business applications incorporate consistent security functionality to protect information during creation, processing, transmission, storage and destruction.

CF 5  Customer Access
  Guideline: Protect business applications with customer access by performing information risk assessments to determine security requirements, and by applying security arrangements supported by agreed, approved contracts.
  Purpose: To ensure customers are legally and contractually bound to protect sensitive or critical information relating to either the organisation or the customer.

CF 6  Access Management
  Guideline: Establish methods of restricting access to business applications, systems, computing devices and networks by requiring users to be authorised before being granted access privileges, authenticated using access control mechanisms and subject to a rigorous sign-on process before being provided with access.
  Purpose: To ensure that only authorised users can gain access to business applications, systems, computing devices and networks, and that individual accountability is assured.

CF 7  System Management
  Guideline: Design, configure and deploy information systems in a consistent and accurate manner, and maintain supporting technical infrastructure using a rigorous change management process.
  Purpose: To ensure information systems and supporting technical infrastructure meet business and security requirements, function as required and are maintained in a managed and secure manner.

CF 8  Technical Security Infrastructure
  Guideline: Establish a sound technical security infrastructure based on an enterprise-wide security architecture, which addresses the protection of information and critical infrastructure using identity and access management, cryptographic solutions and information leakage protection.
  Purpose: To support a consistent approach organisation-wide to selecting, building and deploying technical security infrastructure components and ensure they support business activities.

CF 9  Network Management
  Guideline: Design, implement and manage physical, wireless and voice networks to be resilient, prevent unauthorised access and support current and future business activities in a secure manner.
  Purpose: To ensure business information transmitted over all types of network is protected against unauthorised disclosure, interception, interference and interruption.

CF 10  Threat and Vulnerability Management
  Guideline: Manage threats and vulnerabilities associated with information, systems and networks by maintaining up-to-date patch levels, deploying comprehensive, up-to-date malware protection and performing continuous monitoring.
  Purpose: To reduce levels of vulnerability, protect information against threats, highlight system and network errors, detect potential and actual attacks and support investigations.

CF 11  Incident Management
  Guideline: Implement a comprehensive and approved incident management process for information and systems that includes the identification, response, recovery and post-implementation review of information security incidents.
  Purpose: To resolve information security incidents of all types in a consistent, effective manner, minimise their business impact and reduce the risk of similar incidents occurring.

CF 12  Local Environments
  Guideline: Co-ordinate information security activities in individual business environments by addressing the risks associated with business users, information, technology and locations.
  Purpose: To ensure that information risks throughout the organisation are identified and understood, and security activities within local environments are carried out in a timely and accurate manner.

CF 13  Desktop Applications
  Guideline: Establish a methodology for developing and maintaining desktop applications, which includes methods for protecting them and recording them in an inventory.
  Purpose: To ensure that desktop applications are created in a secure manner, the information they process is protected, and an accurate record of each desktop application is maintained.

CF 14  Mobile Computing
  Guideline: Configure mobile devices, including portable storage devices, to function as required and protect information during all stages of the information lifecycle.
  Purpose: To ensure that information processed, stored and transmitted by mobile devices is protected against the full range of threats.

CF 15  Electronic Communications
  Guideline: Protect electronic communication systems (eg e-mail, instant messaging and VoIP) by setting policy for their use, configuring security settings, performing capacity planning and hardening the supporting technical infrastructure.
  Purpose: To preserve the integrity of important business messages, prevent unauthorised disclosure of sensitive information handled by electronic communication systems and maximise availability.

CF 16  External Supplier Management
  Guideline: Include information security requirements in documented agreements with external suppliers (including suppliers of hardware, software and services, such as outsourcing and cloud) and incorporate security requirements throughout all stages of the relationship with each supplier.
  Purpose: To ensure the organisation's information is protected when being handled by external suppliers and that security requirements are satisfied and maintained when acquiring hardware and software from external suppliers.

CF 17  System Development Management
  Guideline: Establish a structured systems development methodology that involves isolating development environments, applying security throughout the development process and performing quality assurance.
  Purpose: To ensure business applications are developed in a secure environment and meet business and information security requirements.

CF 18  Systems Development Lifecycle
  Guideline: Implement a systems development methodology that addresses security during requirements gathering, design and build, testing and implementation.
  Purpose: To ensure business and information security requirements are met throughout the development process and at implementation.

CF 19  Physical and Environmental Security
  Guideline: Protect IT facilities and services against malicious attack, accidental damage, loss of power, natural hazards and unauthorised physical access.
  Purpose: To ensure that important IT facilities and services are available when required and to prevent unauthorised disclosure and unavailability of information.

CF 20  Business Continuity
  Guideline: Develop an organisation-wide business continuity strategy and programme that includes co-ordinating and maintaining business continuity plans and arrangements across the organisation.
  Purpose: To ensure the organisation is resilient to attack and can continue to operate effectively in the event of a disaster or crisis.

SI 1  Security Audit
  Guideline: Subject target environments to thorough, independent and regular security audits, using a repeatable and consistent process.
  Purpose: To ensure that security controls have been implemented according to identified information risks and that executive management are kept informed of the security status of target environments.

SI 2  Security Performance
  Guideline: Monitor and report to executive management on the information risks, compliance requirements and security condition of the organisation on a regular basis.
  Purpose: To provide executive management with an accurate and comprehensive overview of information risk, compliance obligations and security condition across the organisation.

Warning
This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct. If you are not a Member of the ISF or have received
this document in error, please destroy it or contact the ISF on info@securityforum.org. Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly
prohibited. This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.
Classification: Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the document from the ISF.

www.securityforum.org

Reference: ISF 12 12 01 Copyright 2012 Information Security Forum Limited. All rights reserved.
