
ISO 27001

ISO 27001 Annex : A.8.2.2 Labeling of Information & A.8.2.3 Handling of Assets

This article explains two controls from ISO 27001 Annex A, A.8.2.2 Labeling of Information and A.8.2.3 Handling of Assets, following the implementation guidance given in ISO/IEC 27002.

A.8.2.2 Labeling of Information

Control- An appropriate set of procedures for labeling information should be developed and implemented in accordance with the information classification scheme adopted by the organization.

Implementation Guidance- Procedures for labeling information need to cover information and its related assets in both physical and electronic formats. The labeling should reflect the classification scheme established under A.8.2.1. Labels should be easily recognizable. The procedures should give guidance on where and how labels are attached, taking into account how the information is accessed or how the assets are handled depending on the type of media. The procedures can define cases where labeling is omitted, e.g. labeling of non-confidential information to reduce workload. Employees and contractors should be made aware of the labeling procedures.
Output from systems containing information that is classified as sensitive or critical should carry an appropriate classification label.

Other Information- Labeling of classified information is a key requirement for information sharing arrangements. Physical labels and metadata are the most common forms of labeling.
Labeling of information and related assets can sometimes have negative effects: classified assets are easier to identify and, accordingly, easier for insiders or external attackers to steal.

At Infosavvy our trainers are skilled and well-trained in various courses in the field of information security, and we are also qualified for one of the most important certifications in the area of information security, i.e. IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Our trainers can help you label information better by providing in-depth information and numerous examples, helping the applicant improve their skills and do well. Through a combination of tutorials, syndicate exercises and role-play, you will learn everything you need to know about how an ISMS audit should be run, including conducting second- and third-party audits.


A.8.2.3 Handling of Assets

Control- Procedures for handling assets should be developed and implemented in accordance with the organization's information classification scheme.

Implementation Guidance- Procedures should be drawn up for handling, processing, storing and communicating information consistent with its classification.

The following points should be taken into consideration:-

 Access restrictions supporting the protection requirements for each level of classification;

 Maintenance of a formal record of the authorized recipients of assets;

 Protection of temporary or permanent copies of information to a level consistent with the protection of the original information;

 Storage of IT assets in accordance with the manufacturers' specifications;

 Clear marking of all copies of media for the attention of the authorized recipient.

The classification scheme used within the organization may not be equivalent to the schemes used by other organizations, even if the names of the classification levels are similar; in addition, information moving between organizations can vary in classification according to its context in each organization, even if their classification schemes are identical.
Agreements with other organizations that include information sharing should include procedures to identify the classification of that information and to interpret the classification labels of the other organizations.



Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ

ISO 27001

ISO 27001 Annex : A.8.2 Information Classification

The objective of ISO 27001 Annex A.8.2 Information Classification is to ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of Information

Control- Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

Implementation Guidance- Classifications and the associated protective controls for information should take account of business needs for sharing or restricting information, as well as legal requirements. Assets other than information can also be classified in conformance with the classification of the information that is stored in, processed by or otherwise handled or protected by the asset. Owners of information assets should be accountable for their classification.

The classification scheme should include conventions for classification and criteria for reviewing the classification over time. The level of protection in the scheme should be assessed by analysing confidentiality, integrity and availability and any other requirements that apply to the information considered.

The scheme should be aligned with the access control policy. Each level should be given a name that makes sense in the context of the classification scheme's application. The scheme should be consistent across the whole organization so that everyone classifies information and related assets in the same way, has a common understanding of the protection requirements and applies the appropriate protection.


Classification should be included in the organization's processes and be consistent and coherent across the organization. The results of classification should indicate the value of assets depending on their sensitivity and criticality to the organization, e.g. in terms of confidentiality, integrity and availability. The results of classification should be updated in accordance with changes in the value, sensitivity and criticality of the information through its life-cycle.

Other Information- Classification gives the people who deal with information a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.

Information can cease to be sensitive or critical after a certain period of time, for example when the information has been made public. These aspects should be taken into account, as over-classification can lead to the implementation of unnecessary controls and additional expense, while under-classification can endanger the achievement of business objectives.

At Infosavvy our trainers, our own most valuable assets, are skilled and well-trained in various courses in the field of information security, and we are also qualified for one of the most important certifications in the area of information security, i.e. IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Our trainers can help you manage assets better by providing in-depth information and numerous examples, helping the applicant improve their skills and do well.


An example of an information confidentiality classification scheme could be based on four levels, as follows:-

  1. Disclosure causes no harm;
  2. Disclosure causes minor embarrassment or minor operational inconvenience;
  3. Disclosure has a significant short-term impact on operations or tactical objectives;
  4. Disclosure has a serious impact on long-term strategic objectives or puts the survival of the organization at risk.
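As an added worked example (not code from this article or from ISO/IEC 27002), the following Python sketch ties the four-level scheme above to the labeling and handling controls described in A.8.2.2 and A.8.2.3: a label is carried as metadata, system output above the lowest level is visibly marked, copies inherit the label, release to a recipient is checked against per-level handling rules and written to a recipients register, and a partner organization's labels are translated into the organization's own scheme as an information-sharing agreement would require. The level names, the handling rules, the `x-classification` metadata key and the partner label map are all assumptions chosen for illustration.

```python
"""Classification labels carried as metadata, with per-level handling rules.

Added example, not code from the article or from ISO/IEC 27002. The level
names, handling rules, metadata key and partner label map are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed scheme, least to most sensitive, mirroring the four harm levels above.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "STRICTLY_CONFIDENTIAL"]

# Assumed handling rules per level (A.8.2.3): roles allowed to receive the
# information (None = anyone), whether a formal record of recipients is kept,
# and whether copies in transit must be protected like the original.
HANDLING = {
    "PUBLIC":                {"roles": None,          "record": False, "encrypt": False},
    "INTERNAL":              {"roles": {"staff"},     "record": False, "encrypt": False},
    "CONFIDENTIAL":          {"roles": {"staff"},     "record": True,  "encrypt": True},
    "STRICTLY_CONFIDENTIAL": {"roles": {"executive"}, "record": True,  "encrypt": True},
}

LABEL_KEY = "x-classification"  # assumed metadata key

# Assumed translation table from a partner's labels to ours, as an
# information-sharing agreement would define. Unknown labels are treated
# as the highest level rather than silently downgraded.
PARTNER_LABELS = {"Open": "PUBLIC", "Restricted": "CONFIDENTIAL", "Secret": "STRICTLY_CONFIDENTIAL"}


@dataclass
class Document:
    body: str
    metadata: dict = field(default_factory=dict)

    @property
    def label(self) -> str | None:
        return self.metadata.get(LABEL_KEY)


@dataclass
class RecipientRegister:
    """Formal record of the authorized recipients of classified information."""
    entries: list[dict] = field(default_factory=list)


def classify(doc: Document, level: str) -> Document:
    """Attach a label from the scheme as metadata (A.8.2.2)."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level}")
    doc.metadata[LABEL_KEY] = level
    return doc


def import_partner_document(body: str, partner_label: str) -> Document:
    """Re-label information received from another organization in our scheme."""
    return classify(Document(body), PARTNER_LABELS.get(partner_label, LEVELS[-1]))


def copy_document(doc: Document) -> Document:
    """Copies keep the original's label; unlabeled information is not copied."""
    if doc.label is None:
        raise ValueError("refusing to copy unlabeled information")
    return Document(doc.body, dict(doc.metadata))


def render_output(doc: Document) -> str:
    """System output carries a visible label for anything above PUBLIC."""
    if doc.label is None:
        raise ValueError("unlabeled document cannot be output")
    if doc.label == "PUBLIC":
        return doc.body
    return f"[{doc.label}]\n{doc.body}\n[{doc.label}]"


def release(doc: Document, recipient: str, recipient_roles: set[str],
            register: RecipientRegister, channel_encrypted: bool) -> str:
    """Enforce the handling rules for doc.label before it leaves the system.

    Returns "allow"; raises PermissionError with the reason otherwise.
    """
    if doc.label is None:
        raise PermissionError("unlabeled information: classify before release")
    rules = HANDLING[doc.label]
    if rules["roles"] is not None and not (rules["roles"] & recipient_roles):
        raise PermissionError(f"{recipient} has no role permitted for {doc.label}")
    if rules["encrypt"] and not channel_encrypted:
        raise PermissionError(f"{doc.label} information needs an encrypted channel")
    if rules["record"]:
        register.entries.append({"label": doc.label, "recipient": recipient})
    return "allow"


if __name__ == "__main__":
    forecast = classify(Document("Q3 revenue forecast"), "CONFIDENTIAL")
    register = RecipientRegister()
    print(release(forecast, "alice", {"staff"}, register, channel_encrypted=True))
    print(render_output(copy_document(forecast)))
    print(register.entries)
```

The point of the `release()` gate is that the label, not the sender's judgement, drives the decision: an unlabeled document is refused outright rather than treated as public, and the recipients register is only written for the levels whose handling rules require a formal record.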

Read More : https://www.info-savvy.com/iso-27001-annex-a-8-2-information-classification/



ISO 27001

ISO 27001 Annex : A.8 Asset Management

A.8.1 Responsibility for Assets

The objective of ISO 27001 Annex A.8.1 Responsibility for Assets is to identify the organization's assets and define appropriate protection responsibilities for them.

A.8.1.1 Inventory of Assets

Control- Assets associated with information and information processing facilities should be identified, and an inventory of these assets should be drawn up and maintained.

Implementation Guidance- An organization should identify the assets that are relevant in the life-cycle of information and document their importance. The life-cycle of information should include creation, processing, storage, transmission, deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate.

The asset inventory should be accurate, up to date, consistent and aligned with other inventories. For each of the identified assets, ownership of the asset should be assigned (see A.8.1.2) and its classification should be identified (see A.8.2).


Other Information- Inventories of assets help to ensure that effective protection takes place, and may also be required for other purposes, such as health and safety, insurance or financial (asset management) reasons.

Just as life is a person's greatest asset, an organization has its own assets. When you keep yourself safe and healthy you live longer; in the same way, if a company keeps its assets protected, its reputation and success in the market last longer.

For a healthy business, identifying the assets, making an inventory of them and assigning an owner to each is important. The guidelines for and the implementation of these asset management controls are provided in Annex A.8. At Infosavvy our trainers, our own most valuable assets, are skilled and well-trained in various courses in the field of information security, and we are also qualified for one of the most important certifications in the area of information security, i.e. IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Our trainers can help you manage assets better by providing in-depth information and numerous examples, helping the applicant improve their skills and do well.

ISO/IEC 27005 gives examples of assets that an organization may need to consider. Compiling an inventory of assets is an important prerequisite of risk management (see also ISO/IEC 27000 and ISO/IEC 27005).

A.8.1.2 Ownership of Assets

Control- Assets maintained in the inventory should be owned (assigned an asset owner).

Implementation Guidance- Individuals, as well as other entities, that have approved management responsibility for the asset life-cycle qualify to be assigned as asset owners.

A process to ensure timely assignment of asset ownership is usually implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. The asset owner should be responsible for the proper management of the asset over its whole life-cycle.

The asset owner should:-

 Ensure that assets are inventoried;

 Ensure that assets are appropriately classified and protected;

 Define and periodically review access restrictions and classifications for important assets, taking into account the applicable access control policies;

 Ensure proper handling when the asset is deleted or destroyed.

Other Information- The identified owner can be either an individual or an entity that has approved management responsibility for controlling the whole life-cycle of an asset. The identified owner does not necessarily have any property rights to the asset.


Routine tasks may be delegated, e.g. to a custodian who looks after the assets on a daily basis, but the responsibility remains with the owner.

In complex information systems it may be useful to designate groups of assets that act together to provide a particular service. In this case the owner of the service is accountable for the delivery of the service, including the operation of its assets.
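As an added example (not code from this article or from ISO/IEC 27002), the following Python script performs the checks that A.8.1.1 and A.8.1.2 imply for an asset register: every asset must have an owner (assigned directly, or inherited from the service it helps deliver, as in the previous paragraph), a classification from the organization's scheme and a review date within policy, and the register is reconciled against a second inventory, e.g. a network discovery export, so that unregistered assets and registered-but-missing assets both surface. The CSV register, the service table, the discovery set, the level names and the one-year review interval are all constructed sample data and assumed policy values.

```python
"""Asset register consistency checks (A.8.1.1 inventory, A.8.1.2 ownership).

Added example, not code from the article or from ISO/IEC 27002. The register,
the service table and the discovery feed below are constructed sample data.
"""
from __future__ import annotations

import csv
import io
import json
from datetime import date

# Constructed asset register, as a CMDB export might look. An empty owner
# means the asset inherits its owner from the service it helps deliver.
REGISTER_CSV = """\
asset_id,name,type,owner,custodian,service,classification,last_review
A-001,hr-db-01,database,,dba-team,hr-payroll,CONFIDENTIAL,2024-01-15
A-002,web-01,server,ops@example.com,ops-team,,INTERNAL,2023-02-01
A-003,laptop-0042,endpoint,,,,,2024-03-10
A-004,backup-tape-7,media,,vault-team,hr-payroll,STRICTLY_CONFIDENTIAL,2024-02-20
"""

# Constructed service table: the service owner is accountable for every asset
# that delivers the service, even where a custodian runs it day to day.
SERVICES = {"hr-payroll": {"owner": "hr-director@example.com"}}

# Constructed second inventory, e.g. hostnames seen by a network scan or MDM.
DISCOVERED = {"hr-db-01", "web-01", "laptop-0042", "dev-box-99"}

# Assumed classification scheme and review interval (policy values).
VALID_LEVELS = {"PUBLIC", "INTERNAL", "CONFIDENTIAL", "STRICTLY_CONFIDENTIAL"}
REVIEW_INTERVAL_DAYS = 365


def load_register(text: str) -> list[dict]:
    """Parse the CSV register into one dict per asset."""
    return list(csv.DictReader(io.StringIO(text)))


def effective_owner(asset: dict) -> str | None:
    """Owner assigned directly, otherwise inherited from the owning service."""
    if asset["owner"]:
        return asset["owner"]
    service = SERVICES.get(asset["service"])
    return service["owner"] if service else None


def check_register(register: list[dict], discovered: set[str], today: str) -> dict[str, list[str]]:
    """Return the asset ids failing each check; empty lists mean the register is clean."""
    today_d = date.fromisoformat(today)
    findings: dict[str, list[str]] = {
        "unowned": [], "unclassified": [], "stale_review": [], "not_discovered": [],
    }
    names = set()
    for a in register:
        names.add(a["name"])
        if effective_owner(a) is None:
            findings["unowned"].append(a["asset_id"])
        if a["classification"] not in VALID_LEVELS:
            findings["unclassified"].append(a["asset_id"])
        if (today_d - date.fromisoformat(a["last_review"])).days > REVIEW_INTERVAL_DAYS:
            findings["stale_review"].append(a["asset_id"])
        # Removable media is not network-discoverable, so only compare live assets.
        if a["type"] != "media" and a["name"] not in discovered:
            findings["not_discovered"].append(a["asset_id"])
    # Anything discovered but not registered is an unmanaged (shadow) asset.
    findings["not_in_register"] = sorted(discovered - names)
    return findings


if __name__ == "__main__":
    report = check_register(load_register(REGISTER_CSV), DISCOVERED, "2024-06-01")
    print(json.dumps(report, indent=2))
```

Run against the sample data on 2024-06-01, the laptop with neither an owner nor a service nor a classification is flagged on two counts, the web server whose classification was last reviewed in early 2023 is flagged as stale, the two payroll assets pass because they inherit the payroll service owner, and `dev-box-99`, present in the discovery feed but absent from the register, is reported as unregistered.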

Read More : https://www.info-savvy.com/iso-27001-annex-a-8-asset-management/



ISO 27001

ISO 27001 Annex : A.7.3 Termination and Change of Employment

The objective of ISO 27001 Annex A.7.3 Termination and Change of Employment is to protect the organization's interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of Employment Responsibilities

Control- Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor, and enforced.

Implementation Guidance- The communication of termination responsibilities should include ongoing information security requirements and legal responsibilities and, where appropriate, the responsibilities contained in any confidentiality agreement and in the terms and conditions of employment that continue for a defined period after the end of the employee's or contractor's employment.

Responsibilities and duties that remain valid after termination of employment should be contained in the employee's or contractor's terms and conditions of employment.

Changes of responsibility or employment should be managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment.


Clause 7.3 of ISO 27002 addresses the activities involved in termination or change of employment. At Infosavvy, we have skilled trainers who can help you improve your information security skills and gain in-depth knowledge of the ISO standards. We also qualify for one of the highest information security certifications, IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification); this certification helps you develop the expertise needed to carry out an ISMS audit by applying widely recognized auditing principles, practices and techniques.


Other Information- The human resource function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving to manage the information security aspects of the relevant procedures. In the case of a contractor provided through an external party, the termination process is carried out by the external party in accordance with the contract between the organization and the external party. It may be necessary to inform employees, customers or contractors of changes to personnel and operating arrangements.

Read More : https://www.info-savvy.com/iso-27001-annex-a-7-3-termination-and-change-of-employment/



ISO 27001

ISO 27001 Annex : A.7.2 During Employment

The objective of ISO 27001 Annex A.7.2 During Employment is to ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management Responsibilities

Control- Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Implementation Guidance- Management responsibilities should include ensuring that employees and contractors:

  1. Are properly briefed on their information security roles and responsibilities before being granted access to confidential information or information systems;
  2. Are provided with guidelines stating the information security expectations of their role within the organization;
  3. Are motivated to fulfil the information security policies of the organization;
  4. Achieve a level of awareness of information security relevant to their roles and responsibilities within the organization;
  5. Conform to the terms and conditions of employment, which include the organization's information security policy and appropriate methods of working;
  6. Continue to have the appropriate skills and qualifications and are educated on a regular basis;
  7. Are provided with an anonymous reporting channel to report violations of information security policies or procedures ("whistleblowing").

Management should demonstrate support for information security policies, procedures and controls, and act as a role model.

Other Information- If employees and contractors are not made aware of their information security responsibilities, they can cause considerable damage to the organization. Motivated personnel are likely to be more reliable and to cause fewer information security incidents.

Poor management may cause personnel to feel undervalued, resulting in a negative information security impact on the organization. For example, poor management may lead to information security being neglected or to potential misuse of the organization's assets.

"To win in the market place you must first win in the workplace."
– Doug Conant

This well-known saying addresses employees' positive attitude towards their work and the organization. Addressing information security during employment raises awareness, in every organization, of the roles and responsibilities for preserving and protecting the confidentiality of the organization's assets.

Annex A.7.2 of ISO 27001 addresses information security responsibilities during employment and the consequences of breaching them. At Infosavvy, we have experienced trainers who can give you better insight into information security in business and help you learn about the safeguards that protect it. We qualify for one of the highest information security certifications, IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification).

A.7.2.2 Information Security Awareness, Education and Training

Control- All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates on organizational policies and procedures, as relevant to their job function.

Implementation Guidance- An information security awareness programme should aim to make employees and, where relevant, contractors aware of their responsibilities for information security and of the means by which those responsibilities are discharged.

An information security awareness programme should be established in line with the organization's information security policies and related procedures, taking into account the organization's information to be protected and the controls implemented to protect it. The awareness programme should include a range of awareness-raising activities, such as campaigns and the issuing of booklets or newsletters.


The awareness programme should be planned taking into account the employees' roles in the organization and, where relevant, the organization's expectations of contractors' awareness. The activities in the programme should be scheduled over time, ideally annually, so that they are repeated and cover new employees and contractors. The programme should also be updated regularly so that it stays in line with organizational policies and procedures, and should build on lessons learnt from information security incidents.

Awareness training should be performed as required by the organization's information security awareness programme. Awareness training can use different delivery media, including classroom-based, distance learning, web-based, self-paced and others.

Information security education and training should also cover general aspects such as:

– A statement of management's commitment to information security throughout the organization;

– The need to become familiar with and comply with applicable information security rules and obligations, as defined in policies, standards, laws, regulations, contracts and agreements;

– Personal accountability for one's own actions and inactions, and general responsibilities towards securing or protecting information belonging to the organization and to external parties;

– Basic procedures (e.g. information security incident reporting) and baseline controls (e.g. password security, malware controls and clear desks);

– Contact points and resources for additional information and advice on information security matters, including further information security awareness and training materials.

Information security education and training should take place periodically. Initial education and training applies not only to new starters but also to those who transfer to new positions or roles with substantially different information security requirements, and should take place before the role becomes active.


In order to conduct education and training effectively, the organization should develop an education and training programme. The programme should be in line with the organization's information security policies and related procedures, taking into account the information to be protected and the controls implemented to protect it. The programme should consider different forms of education and training, e.g. lectures or self-study.

Other Information- When composing an awareness programme, it is important to focus not only on the 'what' and 'how' but also on the 'why'. It is important that employees understand the aim of information security and the potential impact, positive and negative, of their own behaviour on the organization.

Awareness, education and training can be part of, or conducted in collaboration with, other training activities, for example general IT or general security training. Awareness, education and training activities should be suitable and relevant to the individual's roles, responsibilities and skills.

An assessment of employees' understanding can be carried out at the end of an awareness, education and training course to test knowledge transfer.

Read More : https://www.info-savvy.com/iso-27001-annex-a-7-2-during-employment/



ISO 27001

ISO 27001 Annex : A.7 Human Resource Security

A.7.1  Prior to Employment

The objective of ISO 27001 Annex A.7.1 Prior to Employment is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1  Screening

Control- Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Implementation Guidance- Verification should take into account all relevant privacy, personally identifiable information protection and employment-based legislation, and should, where permitted, include the following:

  • Availability of satisfactory character references, e.g. one business and one personal;
  • A verification (for completeness and accuracy) of the applicant's curriculum vitae;
  • Confirmation of claimed academic and professional qualifications;
  • Independent identity verification (passport or similar document);
  • More detailed verification, such as a credit review or a review of criminal records.


When an individual is hired for a specific information security role, the organization should make sure that the candidate:-

  • Has the necessary competence to perform the security role;
  • Can be trusted to take on the role, especially if the role is critical for the organization.

Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and in particular if these handle confidential information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed verification.

"No matter how good or successful you are or how clever or crafty, your business and its future are in the hands of people you hire."
– Akio Morita

Procedures should define the criteria and limitations for verification reviews, e.g. who is eligible to screen people, and how, when and why verification reviews are carried out.

A screening process should also be ensured for contractors. In these cases, the agreement between the organization and the contractor should specify the responsibilities for conducting the screening and the notification procedures to be followed if the screening has not been completed or if the results give cause for doubt or concern.

Information on all candidates being considered for positions within the organization should be collected and handled in accordance with the legislation applicable in the relevant jurisdiction. Depending on the applicable legislation, candidates should be informed beforehand about the screening activities.

This is where Human Resources plays a crucial role in the organization, beginning with selecting the right people and making them aware of their roles and responsibilities; the HR role therefore carries great responsibility for the security of the organization. Training sessions at Infosavvy give you in-depth knowledge of the security measures HR needs to take while hiring a candidate; the guidelines for this security role are covered in IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy coaches help you develop your abilities and learn to recruit people who are qualified or have the expertise for a specific role, and we provide many examples to make your learning more interactive and efficient.

A.7.1.2  Terms and Conditions of Employment

Control- The contractual agreements with employees and contractors should state their responsibilities, and the organization's responsibilities, for information security.

Implementation Guidance- The contractual obligations of employees or contractors should reflect the organization's information security policies, in addition to clarifying and stating the following points:-

  • That all employees and contractors who are given access to confidential information should sign a confidentiality or non-disclosure agreement before being given access to information processing facilities;
  • The employee's or contractor's legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation;
  • Responsibilities for the classification of information and the management of organizational assets associated with information, information processing facilities and information services handled by the employee or contractor;
  • Responsibilities of the employee or contractor for the handling of information received from other companies or external parties;
  • Actions to be taken if the employee or contractor disregards the organization's security requirements.

Information security roles and responsibilities should be communicated to job candidates during the pre-employment process.

The organization should ensure that employees and contractors agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization's assets associated with information systems and services.

Where appropriate, responsibilities contained in the terms and conditions of employment should continue for a defined period after the end of the employment.

Read More : https://www.info-savvy.com/iso-27001-annex-a-7-human-resource-security/



ISO 27001

ISO 27001 Annex : A.6.2 Mobile Devices and Teleworking

The objective of ISO 27001 Annex A.6.2 Mobile Devices and Teleworking is to ensure the security of teleworking and of the use of mobile devices.

A.6.2.1  Mobile Device Policy

Control- A policy and supporting security measures should be adopted to manage the risks introduced by the use of mobile devices.

Implementation Guidance- When using mobile devices, special care should be taken to ensure that business information is not compromised. The mobile device policy should take into account the risks of working with mobile devices in unprotected environments.


The mobile device policy should consider:-

  1. Registration of mobile devices;
  2. Requirements for physical protection;
  3. Restriction of software installation;
  4. Requirements for mobile device software versions and for applying patches;
  5. Restriction of connection to information services;
  6. Access controls;
  7. Cryptographic techniques;
  8. Malware protection;
  9. Remote disabling, erasure or lockout;
  10. Backups;
  11. Usage of web services and web apps.

Care should be taken when using mobile devices in public places, meeting rooms and other unprotected areas. Protection should be in place to avoid unauthorized access to, or disclosure of, the information stored and processed by these devices, e.g. using cryptographic techniques and enforcing the use of secret authentication information.

Mobile devices should also be physically protected against theft, especially when left, for example, in cars and other forms of transport, hotel rooms, conference centres and meeting places. A specific procedure, taking into account the legal, insurance and other security requirements of the organization, should be established for cases of theft or loss of mobile devices. Devices carrying important, sensitive or confidential business information should not be left unattended and, where possible, should be physically locked away, or special locks should be used to secure the devices.

Training should be arranged for personnel using mobile devices to raise their awareness of the additional risks resulting from this way of working and of the controls that should be implemented. Where the mobile device policy allows the use of privately owned mobile devices, the policy and related security measures should also consider:-

  1. Separation of private and business use of the devices, including using software to support such separation and to protect business data on a private device;
  2. Providing access to business information only after users have signed an end user agreement acknowledging their duties (physical protection, software updating, etc.), waiving ownership of business data, and allowing remote wiping of data by the organization in case of theft or loss of the device or when the user is no longer authorized to use the service. This policy needs to take account of privacy legislation.

Other Information- Wireless networks for mobile devices are similar to other network connections but have significant variations to be taken into account in the detection of controls. Those significant variations are as follows:-

  1. Some wireless security protocols are immature and have known weaknesses;
  2. Information stored on mobile devices may not be backed up because of limited network bandwidth, and even when backups are scheduled the devices may not be connected at that time.

Mobile devices generally share common functions, e.g. networking, internet access, e-mail, and file handling, with fixed-use devices. Information security controls for mobile devices typically consist of those adopted for fixed-use systems and those that counter the risks raised by their use outside the organization’s premises.

A.6.2.2 Teleworking

Control- A policy and supporting security measures should be implemented to protect information accessed, processed, or stored at teleworking sites.

Implementation Guidance- Organizations that allow teleworking should issue a policy defining the conditions and restrictions for using teleworking. The following points should be considered where deemed applicable and allowed by law:

  1. The existing physical security of the teleworking site, taking into account the physical security of the building and the local environment;
  2. The proposed physical teleworking environment;
  3. Communications security requirements, taking into account the need for remote access to the organization’s internal networks, the sensitivity of the information that will be accessed and transmitted over the communication link and, thus, the vulnerability of the internal system;
  4. Provision of virtual desktop access that prevents processing and storage of information on privately owned equipment;
  5. The risk of unauthorized access to information or resources from other persons using the accommodation, e.g. family and friends;
  6. The use of home networks, and requirements or restrictions on the configuration of wireless network services;
  7. Policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment;
  8. Access to privately owned equipment (to verify the security of the machine or during an investigation), which may be prevented by legislation;
  9. Software licensing agreements, under which the organization may become liable for licensing client software on workstations privately owned by staff or external parties;
  10. Requirements for malware protection and firewalls.


The guidelines and arrangements to be considered should include:

  • The provision of suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment not under the organization’s control is not permitted;
  • A definition of the work permitted, the hours of work, the classification of the information that may be held, and the internal systems and services that the teleworker is authorized to access;
  • The provision of suitable communication equipment, including methods for securing remote access;
  • Physical security, provision of insurance, and requirements for hardware and software support and maintenance;
  • Rules and guidance on family and visitor access to equipment and information;
  • Audit and security monitoring;
  • Backup and business continuity planning;
  • Revocation of authority and access rights, and the return of equipment when the teleworking activities are terminated.

Read More : https://www.info-savvy.com/iso-27001-annex-a-6-2-mobile-devices-and-teleworking/


Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ


ISO 27001 Annex : A.6 Organization of Information Security

6.1 Internal Organization

ISO 27001 Annex : A.6 Organization of Information Security: its objective is to establish a management framework for initiating and controlling the implementation and operation of information security within the organization.

6.1.1 Information Security Roles and Responsibilities

Control- All responsibilities related to information security should be well defined and assigned.

Implementation Guidance- Allocation of information security responsibilities should be carried out in accordance with the information security policies (refer to A.5.1.1). Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and, in particular, for the acceptance of residual risks should be defined. Where necessary, these responsibilities should be supplemented with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined. Individuals with assigned information security responsibilities may delegate security tasks to others, but they remain accountable and should verify that any delegated tasks have been performed correctly.


Areas for which individuals are responsible should be stated. In particular, the following should take place:
1. The assets and information security processes should be identified and defined;
2. An individual should be assigned responsibility for each asset and each information security process, and the details of this responsibility should be documented;
3. Authorization levels should be defined and documented;
4. The appointed persons should be competent in the area and be given opportunities to keep up to date with developments, in order to be able to fulfil their information security responsibilities;
5. Coordination and oversight of the information security aspects of supplier relationships should be identified and documented.

Other Information- Many organizations appoint an information security officer to take overall responsibility for the development and implementation of information security and to support the identification of controls. However, responsibility for resourcing and implementing the controls will often remain with individual managers. It is common practice to appoint an owner for each asset, who then becomes responsible for its day-to-day protection.

6.1.2 Segregation of Duties

Control- Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Implementation Guidance- Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered when designing the controls. Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is practicable and feasible. Whenever segregation is difficult, other controls such as monitoring of activities, audit trails and management supervision should be considered.

Other Information- Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of the organization’s assets.
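The following is an added illustration of the two ideas in this control, not code from the standard or from this article: a preventive maker-checker rule (the person who initiates a change cannot be the one who authorizes it) and, for organizations that cannot enforce segregation up front, the compensating detective control of scanning an audit trail for self-approvals. All names, roles, request ids and the asset name are constructed for the example.

```python
"""Maker-checker enforcement with an audit trail.

Added example illustrating segregation of duties; it is not code from the
ISO standard or the article. Names, roles, request ids and the asset
"payroll-export-job" are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class SegregationViolation(Exception):
    """One person attempted to both initiate and authorize the same change."""


@dataclass
class ChangeRequest:
    request_id: str
    asset: str
    initiator: str
    approver: Optional[str] = None
    status: str = "pending"


@dataclass
class AuditEvent:
    request_id: str
    actor: str
    action: str   # "initiate" or "approve"
    outcome: str  # "ok" or a denial reason


class ChangeControl:
    """Enforces that initiation and authorization come from different people."""

    def __init__(self, approvers: Set[str]) -> None:
        self.approvers = approvers          # constructed approver role membership
        self.requests: Dict[str, ChangeRequest] = {}
        self.audit_trail: List[AuditEvent] = []

    def initiate(self, request_id: str, asset: str, initiator: str) -> ChangeRequest:
        req = ChangeRequest(request_id, asset, initiator)
        self.requests[request_id] = req
        self.audit_trail.append(AuditEvent(request_id, initiator, "initiate", "ok"))
        return req

    def approve(self, request_id: str, approver: str) -> ChangeRequest:
        req = self.requests[request_id]
        if approver not in self.approvers:
            self.audit_trail.append(AuditEvent(request_id, approver, "approve", "denied: not an approver"))
            raise PermissionError(f"{approver} holds no approver role")
        if approver == req.initiator:
            # Preventive control: the initiator may never authorize their own change.
            self.audit_trail.append(AuditEvent(request_id, approver, "approve", "denied: self-approval"))
            raise SegregationViolation(f"{approver} initiated {request_id} and cannot approve it")
        req.approver = approver
        req.status = "approved"
        self.audit_trail.append(AuditEvent(request_id, approver, "approve", "ok"))
        return req


def find_self_approvals(trail: List[AuditEvent]) -> List[str]:
    """Detective control: list requests where one actor both initiated and approved.

    Useful where a system cannot block self-approval and management relies on
    audit-trail review instead.
    """
    initiators: Dict[str, str] = {}
    flagged: List[str] = []
    for ev in trail:
        if ev.action == "initiate" and ev.outcome == "ok":
            initiators[ev.request_id] = ev.actor
        elif ev.action == "approve" and ev.outcome == "ok":
            if initiators.get(ev.request_id) == ev.actor and ev.request_id not in flagged:
                flagged.append(ev.request_id)
    return flagged


def demo():
    cc = ChangeControl(approvers={"alice", "bob"})
    cc.initiate("CR-1", "payroll-export-job", initiator="alice")
    try:
        cc.approve("CR-1", "alice")  # blocked: alice initiated it
    except SegregationViolation:
        pass
    approved = cc.approve("CR-1", "bob")

    # Constructed trail from a system with no preventive check, for the detective scan.
    legacy_trail = [
        AuditEvent("CR-7", "carol", "initiate", "ok"),
        AuditEvent("CR-7", "carol", "approve", "ok"),
        AuditEvent("CR-8", "carol", "initiate", "ok"),
        AuditEvent("CR-8", "dave", "approve", "ok"),
    ]
    return approved.status, cc.audit_trail, find_self_approvals(legacy_trail)


if __name__ == "__main__":
    status, trail, flagged = demo()
    print(status, [(e.actor, e.action, e.outcome) for e in trail], flagged)
```

Every denied attempt is written to the audit trail before the exception is raised, so the record of an attempted self-approval survives even when the preventive check blocks it; that is what gives management supervision something to review.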

6.1.3 Contact with Authorities

Control- It is necessary to maintain proper communications with the relevant authorities.

Implementation Guidance- Organizations should have procedures in place that specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted, and how identified information security incidents should be reported in a timely manner (e.g. if it is suspected that laws have been broken).

Other Information- Organizations under attack from the Internet may need authorities to take action against the source of the attack. Maintaining such contacts may also be a requirement to support information security incident management or business continuity and contingency planning processes. Contacts with regulatory bodies are also useful for anticipating and preparing for upcoming changes in the laws or regulations the organization has to comply with. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety bodies, e.g. fire departments, telecommunication providers (line routing and availability), and water suppliers (equipment cooling).

6.1.4 Contact with Special Interest Groups

Control- Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.

Implementation Guidance

  •  Membership of special interest groups or forums should be considered as a means to:
    1. Improve knowledge about best practices and stay up to date with relevant security information;
    2. Ensure an up-to-date and complete understanding of the information security environment;
    3. Receive early warnings of alerts, advisories and patches relating to attacks and vulnerabilities;
    4. Gain access to specialist information security advice;
    5. Share and exchange information about new technologies, products, threats or vulnerabilities;
    6. Provide suitable liaison points when dealing with information security incidents.

Read More : https://www.info-savvy.com/iso-27001-annex-a-6-organization-of-information-security/




ISO 27001 Annex : A.5 Information Security Policies

5.1 Management direction for information security

ISO 27001 Annex : A.5 Information Security Policies: its objective is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

5.1.1 Policies for Information Security

Control- A set of information security policies should be defined, approved by management, published and communicated to employees and relevant external parties.

Implementation Guidance- At the very least, companies need to define a management-approved “information security strategy” that outlines the organization’s approach to managing its information security objectives.

Information security policies should address requirements created by:

  1. Business strategy;
  2. Regulations, legislation and contracts;
  3. The current and projected information security threat environment.


The information security policy should contain statements concerning:

  1. Information security concept, goals and principles that guide all information security activities;
  2. Assigning general and specific responsibilities of information security management to defined roles;
  3. Deviation and exception handling processes.

At the very least, the information security policy should be supported by topic-specific policies that further mandate the implementation of information security controls; these are typically structured to address the needs of certain target groups within the organization or to cover certain topics. Examples of policy topics are access control (Clause 9), cryptographic controls (Clause 10), physical and environmental security (Clause ), etc.

At Info-savvy, we guide you with proper knowledge of information security and how to make it meet the business requirements. We give a flood of practical examples and customize our teaching style, making learning an easy and enjoyable experience for the participants so that they can excel in managing an ISMS. This material is covered in our training sessions for IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (training certified by TÜV SÜD).

Other information

The need for internal information security policies varies across organizations. Internal policies are particularly useful in larger and more complex organizations where those defining and approving the expected levels of control are separated from those implementing the controls or in situations where the policy applies to a number of different people or functions within the organization. Information security policies are often issued in the context of a single “information security policy” document or as a group of individual but related documents.

If any of the information security policies are distributed outside the organization, care should be taken not to disclose confidential details. Some companies use other terms for such policy documents, such as “standards,” “directives” or “regulations.”

5.1.2 Review of the policies for information security

Control- The information security policies should be reviewed at planned intervals or when significant changes occur, to ensure that they remain suitable, adequate, and effective.

Implementation Guidance- Each policy should have an owner with approved management responsibility for developing, reviewing and evaluating the policy. The review should include assessing opportunities to improve the organization’s policies and practices, and managing information security in response to changes in the business environment, regulatory requirements or technical environment.

Read More : https://www.info-savvy.com/iso-27001-annex-a-5-information-security-policies/


Enterprise Information Security Architecture

Information Security Architecture

Enterprise Information Security Architecture is a set of requirements, processes, principles, and models that determine the current and/or future structure and behavior of an organization’s security processes, information security systems, personnel, and organizational sub-units. It ensures that the security architecture and controls are in alignment with the organization’s core goals and strategic direction. Though Enterprise Information Security Architecture deals with information security, it relates more broadly to the security practice of business optimization. Thus, it also addresses business security architecture, performance management and security process architecture. The main objective of implementing EISA is to make sure that IT security is aligned with business strategy.

Enterprises nowadays struggle to balance implementing security controls with allowing employees to increase their productivity and share information easily. Enterprise security is not only about protecting the infrastructure of the enterprise, but also the sensitive data flowing through the organization. Enterprise security is generally addressed in three ways [1, 2]:

Prevention – This involves protecting the networks from intruders and preventing security breaches. It is normally done by implementing firewalls.
Detection – This process focuses on detecting the attacks and breaches that occur over the network.
Recovery – Once an attack occurs, recovery is essential to restore the information assets of the enterprise that may have been damaged by the attack. For this, enterprises employ various recovery mechanisms. To date, most research and work has been done in the areas of attack prevention and detection.

Enterprise Information Security Architecture (EISA) is a key component of an information security program. The primary function of EISA is to document and communicate the artifacts of the security program in a consistent manner. As such, the primary deliverable of EISA is a set of documents connecting business drivers with technical implementation guidance. These documents are developed iteratively through multiple levels of abstraction.


Motives behind enterprise security

Enterprise security is getting more difficult primarily for the following reasons:

A. Increasing threats – Enterprise organizations are continuously attacked by newer threats with the aim of stealing confidential information. Cyber criminals and hackers are growing in number. It has been reported that in recent years malware has been worse than in previous attacks, and crime is getting more sophisticated. All these factors need to be managed.

B. Technology complexity – Security experts are dealing with threats while also keeping up with the effects of new technologies such as cloud computing, mobile computing, the Internet of Things and virtualization. These new technologies create gaps within the system which need to be addressed.

C. Legacy security procedures and techniques – Over time, many security techniques have been used in enterprises, from firewalls and Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS), to host security software (e.g. antivirus software), to security monitoring and compliance tools (e.g. SIEM, log management, etc.). These procedures on their own are incapable of dealing with multidimensional threats.


Multiple security standards exist for securing and protecting the assets of enterprises. Some organizations use published security standards, while others implement their own security architecture depending on their requirements. There is no single uniform standard that can be applied to all enterprises. By incorporating the recommended policies and programs, an effective and consistent security architecture can be developed.

Trends in enterprise security

Due to the adoption of cloud and mobile applications, the security needed by the enterprise has increased considerably. The attacks are changing day by day, and this necessitates a more secure information environment. These trends suggest that further improvement is needed in the security architectures of enterprises. Notable trends include:

  • Encrypted data
  • DDoS (Distributed Denial of Service) attacks
  • Managed security services
  • Single platforms for security
  • Increased customer expectations
  • Data collection and processing
  • Malware analytics
  • Intelligent algorithms

Read More : https://www.info-savvy.com/information-security-incidents/
