This post continues last week's Security Baseline - Part I - ISM4Startups.
So let's continue where we left off!
Just a heads up, it is a long post this time! But remember, I only put in stuff that is relevant and will help your business.
Deliver and Support
Define and manage service levels
Define and manage security aspects of service levels
1. Ensure that management establishes security requirements and regularly reviews compliance of internal service level agreements and contracts with third-party service providers.
Manage third-party services
Manage security aspects of services.
2. Assess the professional capability of third parties and ensure they provide an adequate contact with the authority to act upon enterprise security requirements and concerns.
3. Consider the dependence on third-party suppliers for security requirements, and mitigate continuity, confidentiality and intellectual property risk by, for example, escrow, legal liabilities, penalties and rewards.
Ensure continuous service
Ensure that the enterprise is capable of carrying on its day-to-day automated business activities with minimal interruption from a security incident.
4. Identify critical business functions and information, and those resources (e.g. applications, third-party services, supplies and data files) that are critical to support them. Provide for availability of these resources in the event of a security incident to maintain continuous service. Ensure that significant incidents are identified and resolved in a timely manner.
5. Establish basic principles for safeguarding and reconstructing IT services, including alternative processing procedures, how to obtain supplies and services in an emergency, how to return to normal processing after the security incident, and how to communicate with customers and suppliers.
6. Together with key employees, define what needs to be backed up and stored offsite to support recovery of the business. Examples are critical data files, documentation and other IT resources. Also secure these appropriately and at regular intervals.
Ensure systems security
Ensure that all aspects of the enterprise's automated processing are used only by authorized persons/systems for business purposes.
7. Implement rules to control access to services based on the individual’s need to view, add, change or delete information and transactions. Especially consider access rights of service providers, suppliers and customers.
8. Ensure that responsibility is allocated to manage all user accounts and security tokens (e.g. passwords, cards and devices) to control devices, tokens and media with financial value. Periodically review/confirm the actions and authority of those managing user accounts. Ensure that these responsibilities are not assigned to the same person.
9. Detect and log important security violations (e.g. system and network access violations, viruses, misuse and illegal software). Ensure that they are reported immediately and acted upon in a timely manner.
10. To ensure that counterparties can be trusted and transactions are authentic when using electronic transaction systems, ensure that the security instructions are adequate and compliant with contractual obligations.
11. Enforce the use of virus protection software throughout the enterprise’s infrastructure and maintain up-to-date virus definitions. Use only legal software.
12. Define a policy for what information can come into and go out of the organization and configure the network security systems, e.g. firewall, accordingly. Consider how to protect physically transportable storage devices. Monitor exceptions and follow up on significant incidents.
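To make item 9 concrete, here is an added example of the "detect and log" part: a small script that scans log lines for failed-login bursts, installs of software that is not on your approved list, and anti-virus hits, and turns them into alerts you can report on. This is my own illustration for this post, not code from the original baseline or from any vendor; the log lines, the approved package list (AUTHORIZED_PACKAGES) and the thresholds are all made up.

```python
"""Added example: detect and log security violations from sample log lines.

All log lines and the approved software list below are constructed for this post.
"""
import re
from collections import Counter

# Constructed syslog-style sample lines (auth events, a sudo install, an AV hit).
SAMPLE_LOGS = [
    "Mar 01 09:00:01 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "Mar 01 09:00:03 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 5002 ssh2",
    "Mar 01 09:00:05 web1 sshd[2011]: Failed password for admin from 203.0.113.7 port 5003 ssh2",
    "Mar 01 09:00:07 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 5004 ssh2",
    "Mar 01 09:00:09 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 5005 ssh2",
    "Mar 01 09:01:00 web1 sshd[2020]: Accepted publickey for deploy from 198.51.100.4 port 6001 ssh2",
    "Mar 01 09:02:00 web1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; "
    "COMMAND=/usr/bin/apt-get install unlicensed-tool",
    "Mar 01 09:03:00 web1 clamd[300]: Virus detected: Eicar-Test-Signature in /tmp/upload.bin",
    "Mar 01 09:04:00 web1 sshd[2030]: Failed password for alice from 198.51.100.9 port 7001 ssh2",
]

# Constructed allow-list: software the business has approved and licensed (item 11/14).
AUTHORIZED_PACKAGES = {"nginx", "postgresql", "git"}

FAILED_LOGIN = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
PACKAGE_INSTALL = re.compile(r"COMMAND=\S*apt-get install (?P<pkg>\S+)")
MALWARE = re.compile(r"Virus detected: (?P<sig>\S+) in (?P<path>\S+)")


def detect_violations(lines, failed_threshold=5, authorized=AUTHORIZED_PACKAGES):
    """Return (severity, kind, detail) tuples for every violation found in lines.

    A single failed login is normal; a burst from one source is a violation,
    so failures are counted per source address and only reported at threshold.
    """
    alerts = []
    failures = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = PACKAGE_INSTALL.search(line)
        if m and m.group("pkg") not in authorized:
            alerts.append(("high", "unauthorized_software", f"{m.group('pkg')} installed"))
            continue
        m = MALWARE.search(line)
        if m:
            alerts.append(("critical", "malware", f"{m.group('sig')} in {m.group('path')}"))
    for ip, n in sorted(failures.items()):
        if n >= failed_threshold:
            alerts.append(("high", "brute_force", f"{n} failed logins from {ip}"))
    return alerts


def format_alerts(alerts):
    """Render alerts as one log line each, ready for a ticket queue or SIEM."""
    return [f"SECURITY-ALERT severity={sev} kind={kind} detail=\"{detail}\""
            for sev, kind, detail in alerts]


if __name__ == "__main__":
    for line in format_alerts(detect_violations(SAMPLE_LOGS)):
        print(line)
```

In practice you would feed this from your real auth and anti-virus logs and send the formatted alerts somewhere a named person is responsible for acting on them (item 8), because detection without a response owner does not satisfy "acted upon in a timely manner".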
Manage the configuration
Ensure that all assets are appropriately secured and security risks are minimized by maintaining the enterprise’s awareness of its related assets and licenses.
13. Ensure that there is a regularly updated and complete inventory of the (IT) hardware and software configurations.
14. Regularly review whether all installed software is authorized and licensed properly.
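Items 13 and 14 are easy to agree with and hard to keep up, so here is an added example of the review step: reconcile a hardware/software inventory against the licence register, flagging software nobody approved, licences that are over-used, and machines that have not reported an inventory recently. This is my own illustration, not code from the original baseline; the hosts, packages, seat counts and dates in INVENTORY and LICENSES are made up.

```python
"""Added example: reconcile a software inventory against a licence register.

The inventory, licence register and dates below are constructed for this post.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed inventory: host -> (date of last inventory run, {package: version}).
INVENTORY = {
    "laptop-01": (date(2024, 3, 1), {"git": "2.39", "office-suite": "2021", "design-tool": "5.0"}),
    "laptop-02": (date(2024, 3, 1), {"git": "2.39", "office-suite": "2021", "torrent-client": "1.2"}),
    "server-01": (date(2023, 11, 15), {"nginx": "1.24", "postgresql": "15"}),
}

# Constructed licence register: package -> seats purchased, None for unlimited/open source.
LICENSES = {"git": None, "office-suite": 1, "design-tool": 1, "nginx": None, "postgresql": None}


def unauthorized_software(inventory, licenses):
    """Software installed anywhere that is not in the licence register at all."""
    return sorted((host, pkg)
                  for host, (_, pkgs) in inventory.items()
                  for pkg in pkgs if pkg not in licenses)


def over_licensed(inventory, licenses):
    """Packages installed on more machines than there are seats: {pkg: (installed, seats)}."""
    counts = Counter(pkg for _, pkgs in inventory.values() for pkg in pkgs)
    return {pkg: (counts[pkg], seats)
            for pkg, seats in licenses.items()
            if seats is not None and counts[pkg] > seats}


def stale_hosts(inventory, today, max_age_days=30):
    """Hosts whose last inventory run is older than max_age_days (inventory is not 'regularly updated')."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(host for host, (seen, _) in inventory.items() if seen < cutoff)


def review(inventory=INVENTORY, licenses=LICENSES, today=date(2024, 3, 10)):
    """One report with everything a quarterly review needs to act on."""
    return {
        "unauthorized": unauthorized_software(inventory, licenses),
        "over_licensed": over_licensed(inventory, licenses),
        "stale": stale_hosts(inventory, today),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

The inventory dictionary is where your real data goes: most endpoint management or package tools can export "host, package, version" and a timestamp, which is all this needs.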
Ensure that all data remain complete, accurate and valid during input, processing, storage and distribution.
15. Subject data to a variety of controls to check for integrity (accuracy, completeness and validity) during input, processing, storage and distribution. Control transactions to ensure their authenticity and that they cannot be repudiated.
16. Distribute sensitive output only to authorized people.
17. Define retention periods, archival requirements and storage terms for input and output documents, data and software. Ensure that they comply with user and legal requirements. While in storage, check continuing integrity and ensure that data cannot be retrieved.
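The integrity checks in item 15 and the "check continuing integrity while in storage" part of item 17 (and the offsite backups from item 6) come down to the same mechanism: record a fingerprint of every file when it is stored, keep that record somewhere the data itself cannot quietly rewrite, and compare again later. Here is an added example of that, my own illustration rather than code from the original baseline; it builds its own temporary files to work on, and the archive names and retention period in the demo are made up.

```python
"""Added example: SHA-256 manifest for stored/backed-up data, plus a retention check.

The sample files, archive names and retention period below are constructed for this post.
"""
import hashlib
import json
import os
import tempfile
from datetime import date, timedelta


def sha256_of(path, chunk=65536):
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree at root against a stored manifest; all three lists empty means intact."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def past_retention(archived_on, today, retention_days):
    """Archives whose retention period has expired and should be disposed of per policy."""
    cutoff = today - timedelta(days=retention_days)
    return sorted(name for name, when in archived_on.items() if when <= cutoff)


def demo():
    """Build a manifest, then simulate silent corruption and loss, and verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "customers.csv"), "w") as f:
            f.write("id,name\n1,Example Co\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("restore procedure v1\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        # Simulate a bit of corruption in one file and the loss of another.
        with open(os.path.join(root, "db", "customers.csv"), "a") as f:
            f.write("2,Tampered\n")
        os.remove(os.path.join(root, "readme.txt"))
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("fresh backup:", json.dumps(clean))
    print("after tampering:", json.dumps(tampered))
    archives = {"ledger-2015": date(2015, 3, 1), "ledger-2023": date(2023, 3, 1)}
    print("past 7-year retention:", past_retention(archives, date(2024, 3, 1), 7 * 365))
```

Store the manifest with the offsite copy, separately from the backup media (it is small enough to keep in a ticket or a second location), and run verify_manifest on a schedule; a hash mismatch with no change in your change log is exactly the kind of significant incident item 17 wants you to catch while the data is still recoverable.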
Protect all (IT) equipment from damage.
18. Physically secure (IT) facilities and assets, especially those most at risk from a security threat, and if applicable, obtain expert advice.
19. Protect computer networking and storage equipment (particularly mobile equipment) from damage, theft, accidental loss and interception.
Next week it will be all about monitoring and evaluating. And as always, if you have any questions, suggestions or tips please don’t hesitate and just ask them!