The organization should implement guidelines for preventing changing records and requiring alignment with the organization's requirements for managing records. A retention schedule should be created to define the length of time records should be kept, taking into account relevant laws and regulations and societal expectations. The system of storage and handling should permit … [Read more...] about 5.33 Protection of records

Safeguarding intellectual property can include but is not limited to copyrighted information, patents, domain names, database rights, etc. Best practices in this area include only acquiring software from trusted and reliable sources to prevent copyright infringement, maintaining an accurate asset register with appropriate labels, conducting regular reviews of authorized or … [Read more...] about 5.32 Intellectual property rights

Organizations should assess all relevant laws and regulations that impact their operations. This includes considering compliance in any foreign countries where the organization's business activities occur, utilizing products or services provided by other nations, or transferring data across borders. Regular reviews should be conducted to stay informed of changes or new … [Read more...] about 5.31 Legal, statutory, regulatory and contractual requirements

An effective organizational structure should include personnel with the appropriate responsibilities, authority, and expertise to anticipate, manage, and reduce disruptions. ICT continuity actions, including "respond and recover" instructions, should be continually reviewed through exercises and tests and approved. Examples of procedures to prepare for ICT readiness include … [Read more...] about 5.30 ICT readiness for business continuity

Examples of disruptions include fires, earthquakes, ransomware attacks, and other interruptions. To secure vital business assets in the event of a breach or breakdown, it's crucial to create, implement, test, assess, and revise plans for maintaining or restoring information security. The information security should be re-established to the necessary level within the specified … [Read more...] about 5.29 Information security during disruption

Develop and follow internal procedures for evidence management involving InfoSec events for corrective or legal actions. Admissible evidence should be collected according to which storage media and device types are involved. Seek certification or similar ways to qualify and improve the worth of preserved evidence. Consider jurisdictional requirements for admission of evidence … [Read more...] about 5.28 Collection of evidence

The organization should have protocols to measure and track InfoSec incidents and use the data to improve incident management, identify causes, and update the risk assessment. The data can also be used to improve a user's awareness and training. … [Read more...] about 5.27 Learning from information security incidents

The organization must have established protocols for responding to InfoSec incidents, which include containing, collecting evidence, escalating, logging, communicating, coordinating, closing, analyzing, and managing vulnerabilities. Designated employees or teams should respond to these incidents and should have the needed competencies. … [Read more...] about 5.26 Response to information security incidents

Agree on incident categorization and prioritization scheme, including criteria, assess events using scheme, personnel make decisions, record assessment results for future reference. … [Read more...] about 5.25 Assessment and decision on information security events

Establish management protocols for incidents, determine roles and obligations, agree on objectives and priorities, develop procedures for evaluation, monitoring, detection, classification, analysis, and reporting of incidents, manage incidents to a conclusion, coordinate with interested parties, log activities, handle evidence, identify lessons learned, and report incidents in … [Read more...] about 5.24 Information security incident management planning and preparation

Establish policy on using cloud services, define security requirements, roles, and responsibilities, manage controls and changes, handle incidents, monitor and review risk, review agreements, identify and accept residual risks, ensure the protection of data and service availability, require advance notification of changes, maintain contact with providers for mutual exchange of … [Read more...] about 5.23 Information security for use of cloud services

Designated workers or teams should be tasked with overseeing supplier relationships. Complying with the agreement should involve adequate technical abilities and resources, particularly regarding information security. If any shortcomings in service delivery are noticed, take prompt corrective measures. … [Read more...] about 5.22 Monitoring, review and change management of supplier services

Topics to include in protecting InfoSec within ICT supply chain management include requirements that affect acquiring ICT products or services, how ICT product suppliers apply requirements to various stages in supply chains, the monitoring procedures for validating ICT products and services, and requirements for identifying critical product or service components that need extra … [Read more...] about 5.21 Managing information security in the information and communication technology (ICT) supply chain

Organizations should draft and record supplier agreements to clearly define the expectations and responsibilities of organizations and suppliers about meeting the necessary information security standards. Agreements can include requirements related to what information is available for access, how the information should be classified, and the different classifications among the … [Read more...] about 5.20 Addressing information security within supplier agreements

Organizations should identify the kinds of suppliers (ICT, utilities, logistics, financial services, etc.) that can influence the confidentiality and accessibility of certain information. Organizations should evaluate suppliers with appropriate controls and security for information such as market research, customer information, document reviews, assessments, etc. … [Read more...] about 5.19 Information security in supplier relationships

Authorize access, consider business requirements and policies, remove unnecessary access, give temporary access for limited time, verify access level, activate only after authorization, maintain record of access, review access regularly, consider privileged access, review and adjust access before termination or change based on risk factors. … [Read more...] about 5.18 Access rights

Allocate secure authentication info, verify user identity, transmit info securely, change default authentication info, keep records confidential, advise users to keep passwords confidential, select strong passwords, use unique passwords across services, use a password management system with strong enforcement and protection measures. … [Read more...] about 5.17 Authentication information

Identity management processes should ensure:na) one identity per person for accountability;nb) identities shared between users are approved and documented;nc) non-human activities have independent oversight;nd) timely removal of unnecessary identities;ne) no duplicate identities within a domain;nf) documents recording identity events are kept.nChanges to user identities should … [Read more...] about 5.16 Identity management

Owners should implement InfoSec requirements to control access. A topic-particular standard should be identified and presented to any relevant party. Considerations include identifying the entities that need access, physical and application security, authorization levels, and logging. Access control rules should be implemented by mapping appropriate access rights and … [Read more...] about 5.15 Access control

Create and make known the policy about transfers of information to any relevant individual or organization. Rules, protocols, and agreements should secure data when transferred and reflect its classification. Transfer agreements with third parties should be created to protect all forms of information in transit. Controls should prevent interception, unauthorized access, … [Read more...] about 5.14 Information transfer