(5) Risk Treatment Ch1

1. Organization of information security

1.1 Internal organization and information security policies

1.1.1 Information security in project management

A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.

Define an “information security policy” which is approved by management and which sets out the organization’s approach to managing its information security objectives.
Make sure that the information security policy contains the definition of information security, objectives and principles to guide all activities relating to information security. Furthermore, the policy should assign general and specific responsibilities for information security management to defined roles.
The information security policy should be supported by topic-specific policies (e.g. access control, backup, communications security, etc.) which further mandate the implementation of information security controls.
Review the policies for information security at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

1.1.2 Information security roles and responsibilities

All information security responsibilities should be defined and allocated.

Define responsibilities for information security risk management activities and for acceptance of residual risks.
Identify responsibilities for the protection of individual assets and for carrying out specific information security processes.
If relevant, appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.
Individuals with allocated information security responsibilities may delegate security tasks to others, but they remain accountable and should determine that any delegated tasks have been correctly performed.

1.1.3 Segregation of duties

Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Make sure that no single person can access, modify or use assets without authorization or detection.
Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, consider other controls such as monitoring of activities, audit trails and management supervision.

1.1.4 Contact with authorities

Appropriate contacts with relevant authorities should be maintained.

Implement procedures that specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner.
Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in laws or regulations, which have to be implemented by the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety, e.g. fire departments, telecommunication providers and water suppliers.

1.1.5 Contact with special interest groups

Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.

Consider membership in special interest groups or forums as a means to improve knowledge about best practices; receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities; and exchange information about new technologies, products, threats or vulnerabilities.
If necessary, establish information sharing agreements to improve cooperation and coordination of security issues. Such agreements should identify requirements for the protection of confidential information.

1.1.6 Information security in project management

Information security should be addressed in project management, regardless of the type of the project.

Integrate information security into the organization’s project management method(s) to ensure that information security risks are identified and addressed as part of a project.
Require that information security objectives are included in project objectives; an information security risk assessment is conducted at an early stage of the project to identify necessary controls; and information security is part of all phases of the applied project methodology.
Address and review information security implications regularly in all projects.
Define and allocate responsibilities for information security in the project management methods to specified roles.

1.2 Mobile devices and teleworking

1.2.1 Mobile device policy

A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.

Develop a mobile device policy that includes requirements for physical protection, restriction of software installation and requirements for applying patches, access controls, cryptographic techniques, malware protection, remote disabling, erasure or lockout and backups.
The policy should define rules for using mobile devices in public places and unprotected areas. Mobile devices carrying important, sensitive or critical business information should not be left unattended and, where possible, should be physically locked away. Protection should be in place to avoid the unauthorized access to or disclosure of the information stored and processed by these devices.
Where applicable, the mobile device policy should define the separation of private and business use of the devices, including using software to support such separation and protect business data on a private device.

See also CISControl 4 Secure Configuration of Enterprise Assets and Software.

1.2.2 Teleworking

A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites.

Develop a teleworking policy that defines the conditions and restrictions for using teleworking. The following matters should be considered:
a) the existing physical security of the teleworking site;
b) the communications security requirements;
c) the provision of virtual desktop access that prevents processing and storage of information on privately owned equipment;
d) the threat of unauthorized access to information or resources from other persons using the site, e.g. family and friends;
e) the use of home networks and requirements or restrictions on the configuration of wireless network services;
f) malware protection and firewall requirements.
The arrangements to be considered:
a) the provision of suitable equipment and storage furniture for the teleworking activities;
b) a definition of the work permitted, the classification of information that may be held and the internal systems and services that the teleworker is authorized to access; c) the provision of suitable communication equipment, including methods for securing remote access;
d) the provision of hardware and software support and maintenance;
e) the procedures for backup and business continuity.