Date posted: 22-Jul-2016
Uploaded by: priyank-patel
iFour Consultancy
A.6: Organization of Information Security
The administrative structure of the organization and its relationships with external parties must promote effective management of all aspects of information security.
This includes maintaining the security of the organization's information and its information processing facilities, and of any information or facilities that are accessed, processed, communicated to or managed by external parties.
A.6 Organization of Information Security
1. Internal Organization
2. Mobile Devices and Teleworking
Software Development Companies in India
A.6.1 Internal Organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
- Executive Committee (chaired by the Chief Executive Officer)
- Audit Committee (chaired by the Head of Audit)
- Security Committee (chaired by the Chief Security Officer, CSO)
  - Information Security Manager
    - Security Administration
    - Policy & Compliance
    - Risk & Contingency Management
    - Security Operations
  - Local Security Committees (one per location)
    - Information Asset Owners (IAOs)
    - Site Security Managers
    - Security Guards
    - Facilities Management
- Risk Committee (chaired by the Risk Manager)
NOTE: This is a generic structure chart. One should replace it by one describing a particular Organization’s actual management structure for information security.
A.6.1 Internal Organization (continued)
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management
A.6.1.1 Information Security Roles and Responsibilities
Control: All information security responsibilities shall be defined and allocated.
- Identification of the individual or individuals responsible for the security of each information processing facility
- Clear definition and identification of the assets and the associated security controls for each information processing facility
Note: Before defining and allocating responsibilities to individuals, the company should create an organizational chart.
A.6.1.2 Segregation of Duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
Two Primary Objectives:
1. Prevention of conflict of interest, the appearance of conflict of interest, wrongful acts, fraud, abuse and errors.
2. Detection of control failures, including security breaches, information theft and circumvention of security controls.
A.6.1.3 Contact with Authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
The following points could be included:
- Specification of the manner and timing in which breaches shall be communicated to external authorities, so as to ensure appropriate reporting
- Development of procedures, policies and contact lists that specify by whom and when external authorities should be contacted
A.6.1.4 Contact with Special Interest Groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
A.6.1.5 Information Security in Project Management
Control: Information security shall be addressed in project management, regardless of the type of the project.
- The control sets out the basics of how information security should be considered as part of the organization's overall project management framework.
- Creation of a "mini-ISMS" within the project ensures that risks are identified and managed.
A.6.2 Mobile Devices and Teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
Applicability
- Mobile phones
- Desktop computers used off-premises
- Notebook, laptop and palmtop computers
- Media and portable storage devices
A.6.2.1 Mobile Device Policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
- Regular data backups for stored sensitive data
- Physical security measures
- Secure communication methods for transmitted data, such as a Virtual Private Network (VPN)
- Updates for the operating system and other software
- Access control and appropriate user authentication (for example, biometric-based)
- Cryptographic methods for sensitive data
- Protective software such as anti-virus and others
A.6.2.2 Teleworking Policy
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
- Environmental and physical security measures
- Policies concerning the safety of private property used at the site
- Appropriate user access control and authentication
- Security measures for wireless and wired network configurations at the site
- Cryptographic techniques for communications from/to the site and for data storage
- Data backup at regular intervals and security measures for those backup copies
Management Commitments
- Visible support and clear direction for information security initiatives, including the provision of appropriate resources for information security controls
- Assurance of formulation, review and approval of an appropriate organization-wide information security policy
- Coordination of information security efforts across the organization, including committee(s) and designation of information security officer(s)
- Appropriate management controls over new information capabilities, systems and facilities, including planning for the facilities
- Reviews at regular intervals of the effectiveness of the information security policy, including updating of the policy as needed and external review as appropriate