To ensure that services and information systems remain available, the organization can build a redundant systems architecture by replicating information processing facilities and implementing procedures for activating the redundant components. Redundant components should provide the same level of security and access control as the primary ones, and procedures should ensure they can be brought into service while the primary components are under repair or being replaced. Consider contracting … [Read more...] about 8.14 Redundancy of information processing facilities
8.13 Information backup
This section discusses the need for organizations to establish an issue-specific backup policy for data security and retention. The policy should consider business requirements, security requirements, and the criticality of information when developing plans for backing up information, software, and systems. The backup plan should include procedures for producing accurate records and … [Read more...] about 8.13 Information backup
8.12 Data leakage prevention
This section covers measures that organizations can take to prevent data leakage. These include identifying and classifying sensitive information, reviewing the channels through which data leakage can occur, and preventing leaks. Data leakage prevention tools are meant to identify and monitor sensitive information, detect when information has been disclosed, and block actions that would expose sensitive data. … [Read more...] about 8.12 Data leakage prevention
8.11 Data masking
To protect sensitive data such as personally identifiable information (PII), organizations should consider data masking, pseudonymization, or anonymization. These techniques conceal sensitive data and protect privacy by breaking the link between the PII and the individual's identity. However, when using these techniques, it is important that pseudonymization or anonymization is done in a way that prevents indirect … [Read more...] about 8.11 Data masking
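The following is an added example illustrating the distinction the section draws; it is not code from the original page or from the ISO text. It shows three things a practitioner should check: a keyed pseudonym (HMAC) keeps records linkable for analysis but cannot be reversed without the key; an unkeyed hash only looks masked, because low-entropy identifiers such as e-mail addresses are recovered by a dictionary attack; and remaining quasi-identifiers (here a ZIP code) still allow indirect re-identification unless generalized so that every combination covers several people. The records, the key handling and the `PSEUDONYM_KEY` name are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not from the original page).
RECORDS = [
    {"email": "alice@example.com", "zip": "12345", "diagnosis": "flu"},
    {"email": "bob@example.com",   "zip": "12345", "diagnosis": "cold"},
    {"email": "alice@example.com", "zip": "12345", "diagnosis": "asthma"},
]

# Hypothetical key: in practice generated once, held outside the masked
# dataset (KMS/HSM) and never shipped together with the pseudonymized data.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same input always maps to the same
    token, so records stay linkable, but reversing it requires the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def naive_hash(value: str) -> str:
    """Unkeyed hash: looks masked, but is reversible by enumerating candidates."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reidentify_by_dictionary(hashed: str, candidates):
    """Indirect re-identification of an unkeyed hash from a candidate list."""
    for candidate in candidates:
        if naive_hash(candidate) == hashed:
            return candidate
    return None


def mask_email(email: str) -> str:
    """Display masking: keep the first character and the domain, hide the rest."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}{'*' * max(len(local) - 1, 1)}@{domain}"


def generalize_zip(zip_code: str) -> str:
    """Coarsen a quasi-identifier so fewer people share a unique value."""
    return zip_code[:3] + "**"


def pseudonymize_records(records, key: bytes):
    """Replace the direct identifier and generalize the quasi-identifier."""
    return [
        dict(r, email=pseudonymize(r["email"], key), zip=generalize_zip(r["zip"]))
        for r in records
    ]


def min_group_size(records, quasi_ids) -> int:
    """Smallest number of records sharing one combination of quasi-identifiers.
    A value of 1 means someone is uniquely re-identifiable from those fields."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    masked = pseudonymize_records(RECORDS, PSEUDONYM_KEY)
    for row in masked:
        print(row)
    leaked = naive_hash("alice@example.com")
    print("naive hash recovered:", reidentify_by_dictionary(leaked, ["bob@example.com", "alice@example.com"]))
    print("smallest quasi-identifier group:", min_group_size(masked, ["zip"]))
```

Whoever holds `PSEUDONYM_KEY` can re-link tokens to people, so the control only holds if the key is stored separately from the masked dataset and access to it is restricted; the `min_group_size` check is the test to run before releasing a pseudonymized extract.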
8.10 Information deletion
Organizations should not keep sensitive information longer than necessary, since doing so reduces the risk of unauthorized access. When deleting information, the organization should select an appropriate deletion method, record the results of the deletion, and obtain evidence of deletion from service providers. Organizations should also include information deletion requirements … [Read more...] about 8.10 Information deletion
8.9 Configuration management
To ensure the security of hardware, software, services, and networks, an organization should define, implement and monitor configurations, using documented procedures or tooling, and make sure the configurations remain appropriate over the asset's lifetime. The organization should establish standard templates for secure configuration, drawing on publicly available guidance and considering the organization's security … [Read more...] about 8.9 Configuration management
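An added example, not part of the original page, of the "remain appropriate over their lifetime" requirement in practice: a standard template is expressed as a baseline of expected settings, the live configuration is parsed, and any setting that deviates from, or is missing from, the baseline is reported as drift. The baseline values and the observed `sshd_config` fragment are constructed for the demonstration; the parsing convention (first token is the keyword, case-insensitive, `#` starts a comment) matches OpenSSH's own format.

```python
from typing import Dict, List, Tuple

# Constructed baseline: a hardening template for an SSH daemon.
# Keys are compared case-insensitively, as sshd itself does.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed observed configuration, as it might be read from a host.
OBSERVED_SSHD_CONFIG = """
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes          # drift: someone re-enabled it
PasswordAuthentication no
x11forwarding no             # compliant, despite different capitalisation
# MaxAuthTries is absent, so the daemon default applies
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines into a dict keyed by lower-cased keyword.
    Comments and blank lines are skipped; the first occurrence of a keyword
    wins, matching sshd's first-match semantics."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_drift(observed: Dict[str, str], baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (keyword, expected, actual) for every baseline setting that is
    missing or differs. An absent keyword is reported as '<unset>' because a
    daemon default is still a configuration the baseline did not approve."""
    findings = []
    for key, expected in baseline.items():
        actual = observed.get(key.lower(), "<unset>")
        if actual.lower() != expected.lower():
            findings.append((key, expected, actual))
    return findings


if __name__ == "__main__":
    drift = check_drift(parse_sshd_config(OBSERVED_SSHD_CONFIG), BASELINE)
    for key, expected, actual in drift:
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
    raise SystemExit(1 if drift else 0)
```

Run periodically (or from a CI job against generated config), a non-zero exit turns the template into an enforced control rather than a document; the same pattern applies to any key/value configuration once the parser is swapped.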
8.8 Management of technical vulnerabilities
To effectively manage technical vulnerabilities, an organization should keep an accurate inventory of its assets, including software vendor, product names, version numbers, and deployment state. Organizations should also define roles and responsibilities for vulnerability management, identify relevant sources of vulnerability information, require vulnerability reporting from suppliers, and use suitable … [Read more...] about 8.8 Management of technical vulnerabilities
8.7 Protection against malware
To protect against malware, a multi-layered approach is necessary, including implementing controls to prevent the use of unauthorized software and access to known malicious websites, reducing vulnerabilities, regularly scanning systems and data for malware, implementing appropriate malware detection and repair tools based on a risk assessment, isolating critical environments, and training … [Read more...] about 8.7 Protection against malware
8.6 Capacity management
Identify capacity requirements for facilities and resources, taking the criticality of each system into account. Tune and monitor systems for availability and efficiency, and stress-test them to confirm there is sufficient capacity. Future capacity needs and trends should also be considered. Managers use capacity information to identify and avoid bottlenecks and to plan ahead. To increase capacity, consider adding resources or using cloud computing. Reduce demand by deleting … [Read more...] about 8.6 Capacity management
8.5 Secure authentication
This section covers guidelines for authentication and log-on procedures that minimize the risk of unauthorized access to systems or applications. Strong authentication alternatives to passwords include digital certificates, smart cards, tokens, and biometric means; they should be used for the organization's more critical information systems. Multi-factor authentication should … [Read more...] about 8.5 Secure authentication
8.4 Access to source code
This section discusses guidelines for controlling read and write access to source code, its associated items, and development tools, to prevent unauthorized changes and protect the confidentiality of the code. Access to these items should be tightly managed, and rights to read or modify source code should be granted based on the organization's needs. Keeping source code in a controlled repository is recommended, and access to externally located code archives should … [Read more...] about 8.4 Access to source code
8.3 Information access restriction
This section describes the importance of restricting access to sensitive information and other assets. It suggests several measures for controlling access, such as restricting access through system configuration, controlling which users may access specific data, and enforcing access controls on the assets themselves. Additionally, it recommends implementing access management procedures to protect sensitive data of high value to the organization. These … [Read more...] about 8.3 Information access restriction
8.2 Privileged access rights
Privileged access rights should require an authorization process. The process includes identifying the users who need privileged access, granting specific privileges only when they are needed, using formal authorization procedures, defining requirements for the expiry or revocation of privileged access, and regularly reviewing who holds privileged access rights. Additionally, the policy should establish specific … [Read more...] about 8.2 Privileged access rights
8.1 User end point devices
Organizations should enact a policy for the secure configuration and use of endpoint devices, taking into account factors such as the type and classification level of the information handled, physical protection, software restrictions, access controls, storage device encryption, protection against malware, backups, and how the devices are used. The policy should be communicated to relevant personnel and … [Read more...] about 8.1 User end point devices
7.14 Secure disposal or re-use of equipment
Before disposal or re-use, equipment should be checked to determine whether it contains storage media. If the storage media contains confidential information or copyrighted material, the media should be physically destroyed or the data should be securely deleted, overwritten, or destroyed so that it cannot be retrieved. Guidelines for safely destroying storage media are found in section … [Read more...] about 7.14 Secure disposal or re-use of equipment
7.13 Equipment maintenance
Maintaining equipment involves several guidelines: follow suppliers' recommendations, enact a maintenance program, use authorized personnel for repairs, keep maintenance records, restrict access through remote maintenance, secure assets that are off-premises, comply with insurance maintenance requirements, inspect the equipment after maintenance, and either dispose of or keep using the … [Read more...] about 7.13 Equipment maintenance
7.12 Cabling security
For cabling security, organizations should protect the power and telecommunications cables that serve information processing facilities by separating power lines from communications lines, particularly for important or vulnerable systems. These controls may include installing armored conduits, using electromagnetic shielding, and controlling access to patch panels and cable rooms. Cables should also be labeled with details for … [Read more...] about 7.12 Cabling security
7.11 Supporting utilities
Information processing facilities depend on supporting utilities such as electricity, water, gas, and others. To ensure their proper functioning and minimize risks, the organization should maintain and inspect the utility equipment regularly, assess its capacity periodically, and detect malfunctions. Emergency lighting, communications, and cutoff … [Read more...] about 7.11 Supporting utilities
7.10 Storage media
The guidelines for managing removable storage media include establishing a policy for their use, keeping records of their removal, storing them in a secure environment, using cryptographic tools to safeguard the data, transferring data to new media before the old media degrades, and securely disposing of them. When transporting physical storage media, organizations should use … [Read more...] about 7.10 Storage media
7.9 Security of assets off-premises
Management should authorize devices used outside the organization's premises, such as mobile devices or personally-owned devices used for work, and require that they be protected. Guidelines for protecting such devices include not leaving them unattended in public places, following the manufacturers' instructions for protection, logging the chain of custody when equipment is transferred, using … [Read more...] about 7.9 Security of assets off-premises