IS-01 Cyber security policy

A documented Cyber Security Policy (or set of policies) MUST be in place and approved by senior management. [P1]

An information security policy is the foundation of an Organisation’s security programme. It sets out how the Organisation protects information assets, considering:
- Confidentiality: the protection of information from unauthorised access;
- Integrity: ensuring that information is complete and accurate and hasn’t been tampered with, altered or damaged in an unauthorised way;
- Availability: information is available to the right people when it is needed.

The policy to be approved and signed off by senior management to demonstrate their commitment to the Organisation’s security programme.

Cyber security policies MUST be kept up to date and effectively communicated to all relevant personnel. [P1]

Policies to be reviewed regularly to make sure that they are suitable, adequate and effective for the Organisation. Policies to be communicated regularly to everyone that needs to see them, in a way that is relevant and understandable to the intended reader, and easy to access.

IS-02 Effective cyber security organisation

All cyber security roles and responsibilities SHOULD be assigned and communicated to relevant personnel. [P2]

Cyber security roles and responsibilities to be assigned in line with the cyber security policy.

There MUST be a named Chief Information Security Officer (CISO) or appointed person who has overall responsibility for cyber security within the organisation. [P1]

The CISO or appointed person to be of sufficient seniority within the Organisation and have relevant expertise and experience to be able to carry out the role effectively.

account security, legal and regulatory (e.g. GDPR).

OS. Operational Security

OS-01 Technical security analysis

Regular technical security analysis such as penetration or vulnerability testing of the product or service MUST be performed. [P1]

Vulnerability scans are automated tests that identify vulnerabilities in a system or application. Penetration testing is more in-depth than a vulnerability scan and can be used to identify weaknesses as well as exploit them. System components, processes and software to be tested frequently to ensure that the security of Customer information is maintained. This is especially important when significant changes are made to infrastructure or internet-facing services.

OS-02 Vulnerability management

A vulnerability management process MUST be in place to keep track of identified vulnerabilities and the patches that can fix them. [P1]

A vulnerability management process to be in place that demonstrates to customers how frequently vulnerability testing is carried out and how patching is managed and implemented to fix any identified weaknesses. The process to ensure that potential vulnerabilities within the Product stack are identified (e.g., if running an Oracle DB, then Oracle security bulletins to be subscribed to) and a release process to be in place to patch security issues for Customers in line with this.

There SHOULD be a vulnerability disclosure policy or process in place for the responsible reporting of vulnerabilities. [P2]

Having a vulnerability disclosure policy/process helps to reduce the risk of an incident occurring. It allows a reasonable time for a Vendor to provide a vulnerability patch before it is publicly disclosed.
REGULATION (EU) 2023/956 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 10 May 2023 establishing a carbon border adjustment mechanism (Text with EEA relevance). As stated in Article 2 of the Treaty on European Union (TEU), the Union is founded on the values of respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights set out in the Charter of Fundamental Rights of the European Union (the "Charter"). Alongside the fundamental values that inspired its own creation, respect for the universality and indivisibility of human rights and for the principles of the United Nations (UN) Charter and international law should guide the Union's action on the international stage. That action includes promoting the sustainable economic, social and environmental development of developing countries. Global value chains, and in particular critical raw material value chains, are affected by the harmful effects of natural or man-made hazards. Risk to critical value chains ...