To protect equipment, organizations should consider guidelines such as carefully siting equipment that processes sensitive data, applying controls that reduce physical and environmental risks, monitoring environmental conditions, applying lightning protection, and protecting equipment that handles confidential information. Additionally, organizations should establish rules for eating … [Read more...] about 7.8 Equipment siting and protection
7.7 Clear desk and clear screen
Organizations should establish a clear desk and clear screen policy and communicate it to all relevant personnel. The policy should include guidelines such as securing sensitive information when workers are not using it, locking unattended user devices, and configuring computers to log off or lock automatically after a period of inactivity. Printers should require authentication at the device so that only the originator can retrieve printouts. …
7.6 Working in secure areas
Organizations should apply security measures to all people and activities in secure areas. The guidelines to follow include: informing personnel of the existence of a secure area and the activities within it only on a need-to-know basis, preventing unsupervised work in secure areas, physically locking and periodically inspecting vacant secure areas, not allowing unauthorized recording equipment, …
7.5 Protecting against physical and environmental threats
Organizations should perform risk assessments of the possible effects of physical and environmental threats, implement the necessary safeguards, and monitor events and threats regularly. They should obtain specialist advice on managing risks from such threats. Organizations should also consider the local topography and urban threats when choosing the location and construction …
7.4 Physical security monitoring
This passage describes guidelines for continuously monitoring physical premises to detect unauthorized entry or unusual behavior. It recommends installing surveillance equipment such as video monitoring, intruder alarms, and physical security management software, and using contact detectors, motion detectors, and glass-break sensors to trigger …
7.3 Securing offices, rooms and facilities
This passage discusses guidelines for securing offices, rooms, and facilities where confidential information is processed or stored. These include siting critical facilities to avoid public access, designing facilities so that confidential information or activities cannot be seen or overheard from outside, and keeping their location out of directories, telephone books, or online maps …
7.2 Physical entry
Organizations should control and isolate access points, including delivery and loading areas, from information processing facilities to prevent unauthorized access. Access to physical areas should be restricted to authorized personnel only, and a process for managing physical access rights should be established. Physical access should be monitored and logged, and authentication …
7.1 Physical security perimeters
The following should be considered and implemented for physical security perimeters: defining the security perimeters and their strength according to the information security requirements of the assets inside, ensuring physically sound perimeters with no gaps or easy break-in points, using solid construction for walls, floors, and ceilings, protecting external doors with controls such as locks and alarms, locking windows and …
6.8 Information security event reporting
Examples of information security events that should be reported include ineffective controls, breaches of confidentiality or integrity, human errors, non-compliance with the information security policy, topic-specific policies or applicable standards, physical security breaches, system changes made outside the regular change process, malfunctions or other unexpected hardware or software behavior, unauthorized …
6.7 Remote working
A remote working policy should consider the physical security of the remote work site, the security of remote access to the organization's systems, the security controls applied to that remote access, and any information that must not be accessed or processed remotely. The guidelines should include providing suitable equipment and storage, defining the authorized work and the systems that may be accessed, training for remote …
6.6 Confidentiality or non-disclosure agreements
Confidentiality agreements or NDAs should be put in place to safeguard critical information, in line with legal requirements. These agreements apply to personnel and to other interested parties of the organization, and their terms should be based on the information security requirements, considering the type of information, its classification, its permitted use, and the access granted to the other party. …
6.5 Responsibilities after termination or change of employment
Managing termination or changes of employment should cover the information security responsibilities and duties that remain valid after employment ends or a role changes, including confidentiality, intellectual property, and similar agreements. These information security responsibilities should be set out in the individual's employment agreement or contract and in any other contracts that continue after employment. …
6.4 Disciplinary process
Disciplinary action should only be started after verifying that a violation of the information security policy has occurred. The disciplinary response should be proportionate and consider factors such as the nature and severity of the breach, whether it was intentional or accidental, whether it is a first or repeat offense, and whether the employee was properly trained. …
6.3 Information security awareness, education and training
The organization should establish a program for information security awareness, education, and training. This program should take into account the information to be protected and the security controls implemented. The program should be delivered periodically, and initially to new employees and to those moving into roles with different security requirements. Personnel knowledge should be tested after each activity to …
6.2 Terms and conditions of employment
Personnel's contractual obligations should include the legal aspects of confidentiality agreements or NDAs. This includes, but is not limited to, considerations around copyright law, data protection law, information classification, handling information received from stakeholders, and the consequences of not adhering to the organization's security requirements. …
6.1 Screening
The screening process should adhere to all applicable privacy regulations, personally identifiable information (PII) protection laws, and employment legislation. Where permissible, the verification should include the following elements: obtaining reliable references, both business and personal; checking the applicant's résumé for completeness and accuracy; verifying their …
5.37 Documented operating procedures
The organization should have a process in place for conducting periodic independent reviews of their information security approach and implementation. These reviews should be conducted by individuals independent of the area under review and with appropriate competence. The results of the reviews should be reported to management and if necessary, top management. If the reviews …
5.36 Compliance with policies, rules and standards for information security
Managers and information owners should ensure that information security requirements are met, with regular reviews and remedial action where needed. Review results should be recorded and reported to the independent reviewers. Corrective actions should be completed promptly and, if still open, revisited at the next review. …
5.35 Independent review of information security
Organizations should have a process for conducting regular independent reviews of their information security approach and implementation. These reviews should be conducted by personnel with the necessary competence who are outside the area being reviewed. The review results should be reported to management and, if necessary, to top management. If the reviews identify any inadequacies, …
5.34 Privacy and protection of personal identifiable information (PII)
Organizations should establish a topic-specific policy on privacy and protection of personally identifiable information (PII) and communicate it to the relevant parties. Procedures for preserving privacy and protecting PII should be developed and communicated to everyone involved in processing that information. Handling of PII should follow applicable laws and regulations, and applicable technical and …