isf_the 2013 standard of good practice for information security_report_pdf format.pdf

June 2013 Comprehensive coverage of: ISO/IEC 27002 COBIT 5 CESG 10 Steps SANS 20 CSC DSD Top 35 PAS 555 The Standard of Good Practice for Information Security

Upload: debanjan-dey

Post on 16-Aug-2015



The Information Security Forum (ISF) has developed a security model to support organisations in designing their approach to addressing information security and to give them a basis for identifying the key aspects of an information security programme. The ISF provides insights, best practice standards and tools which address each aspect of the model to aid organisations in enhancing their information security arrangements. Within the ISF Security Model, The Standard of Good Practice for Information Security forms part of the Tools and Methods service. Using a rating from very high to very low, the way in which this report aligns with the ISF Security Model is shown below.

The ISF Security Model

A copy of the ISF Security Model can be downloaded by Members from ISF Live (the ISF Member-only website). The Security Model can be a useful aid in describing to others the scope of ISF activities to help Members improve information security.

[Figure: the ISF Security Model, rating this report against the six aspects below on a five-point scale (Very high, High, Medium, Low, Very low). The ratings themselves are not recoverable from the text; the definitions are.]

Governance: The framework by which policy and direction is set, providing senior management with assurance that security management activities are being performed correctly and consistently.

Risk: The potential business impact and likelihood of particular threats occurring and the application of controls to mitigate risk to acceptable levels.

Compliance: The policy, statutory and contractual obligations relevant to information security which must be met to operate in today's business world to avoid civil or criminal penalties and mitigate risk.

People: The executives, staff and external suppliers with access to information, who need to be aware of their information security responsibilities and requirements and whose access to systems and data need to be managed.

Process: Business processes, applications and data that support operations and decision making.

Technology: The physical and technical infrastructure, including networks and end points, required to support the successful deployment of secure processes.

Knowledge Exchange: The ISF brings Members together to share and discuss information security issues, experiences and practical solutions in an environment of total trust and confidentiality. Our programme of workshops, meetings and forums is held across the world from Scandinavia through the Americas to the Middle East, India, Africa, Australia and the Pacific Rim, and addresses both regional and international issues.

Research & Reports: ISF Members have unlimited access to an extensive library of reports that provide practical guidance and solutions to information security challenges. Our research and reports material incorporates an unmatched degree of thought leadership in information security, information risk management and related topics.

Tools & Methods: The ISF offers Members a unique set of practical tools and methodologies to manage and control information risk throughout the enterprise. Designed to be as straightforward to implement as possible, these offer Members an out of the box approach for addressing a wide range of challenges whether they be strategic, compliance-driven or process-related.

Contents

Topics in the Standard of Good Practice ... 2
About the 2013 Standard ... 4
Using the Standard to manage risk ... 5
NEW! The Standard as an enabler to compliance ... 8
  Enabling compliance with the ISO/IEC 27000 suite of standards ... 8
  Enabling compliance with COBIT 5 for Information Security ... 9
  Complying with other standards: SANS 20, DSD Top 35, UK Top 10, PAS 555 ... 9
Key features and structure ... 10
  Fundamental and Specialised controls ... 10
  Structure ... 10
  Topic layout ... 11
The 2013 Standard
  SECURITY GOVERNANCE ... 13
  SECURITY REQUIREMENTS ... 25
  CONTROL FRAMEWORK ... 45
  SECURITY MONITORING AND IMPROVEMENT ... 241
Appendix A: The ISF Business Impact Reference Table ... 258
Appendix B: The ISF Threat List ... 259
Appendix C: Guidelines for information security ... 263
Appendix D: Other information security standards referenced ... 265
Appendix E: Templates ... 266
Index ... 273

Topics in the Standard of Good Practice

[The table of topics is not reproduced in the text; only its key survives.]

Key. Type: F = Fundamental topic; S = Specialised topic. A marker identifies topics that have been subject to significant change since the 2012 Standard of Good Practice.

About the 2013 Standard

The ISF's Standard of Good Practice is the Standard for information security. The Standard is the most comprehensive and current source of information security controls available, enabling organisations to adopt good practice in response to evolving threats and changing business requirements. Updated annually to reflect the latest findings from our research programme, input from our global Member organisations, trends from the ISF Benchmark and major external developments including new legislation and other requirements, the Standard is used by many organisations as their primary reference for information security. The Standard incorporates the most up-to-date thinking and practices in managing information risk.
It does this by: reflecting actual practice in leading global organisations; responding to the requirements of data protection and privacy regulation from around the world; and remaining aligned with the structure of other information security-related standards. Consequently, the Standard is the most complete, authoritative and current international reference on information security controls.

Implementing the Standard helps organisations to:
- be agile and exploit new opportunities while ensuring that associated information risks are managed to acceptable levels by applying good practice
- respond to rapidly evolving threats, using current information to increase cyber resilience
- identify how regulatory and compliance requirements can be best met.

Each section of the Standard also references ISF reports to assist implementation and achieve intended outcomes.

No organisation should expect to implement the Standard in its entirety. They should apply a risk-based approach (as described in the next section, Using the Standard to manage risk) to select and implement those controls required to manage information risk within acceptable limits. In this context, the Standard is the authority on controls relevant to managing all information security risks.

The sources used in developing this update of the Standard are:

ISF research: An extensive research programme into hot topics in information security. Latest research reports include:
- Threat Horizon 2015: More danger from known threats (January 2013)
- Managing BYOD Risk: Staying ahead of your mobile workforce (July 2013)
- Securing the Supply Chain: Preventing your suppliers' vulnerabilities from becoming your own (February 2013)
- Data Privacy in the Cloud: Enabling business agility by managing risk (February 2013)
- Engaging with the Board
- The Modern CISO: Managing Risk and Delivering Value (Briefing Paper)
- Data Analytics for Information Security: From hindsight to insight (May 2012)
- You Could Be Next: Learning from incidents to improve resilience (August 2012)

Member input: Input from ISF Members, including workshops, online collaboration in ISF Live, face-to-face meetings, interviews and academy sessions at the ISF's 2012 Congress in Chicago.

Benchmark results: The results of the ISF's Benchmark, which provide valuable insights into how information security is applied 'on the ground' in Member organisations.

External developments: Analysis and coverage of information security-related standards (eg ISO/IEC 27001/2 and COBIT 5 for Information Security), and legal and regulatory requirements (eg Basel III, and the EU Directive on Data Protection). Examples: ISO/IEC 27001/2; DSD Top 35; PAS 555; regulatory developments from around the world.

[The source page also reproduces the covers of the reports listed above and an extract from the ISF Briefing Paper "The Modern CISO: Managing Risk and Delivering Value"; the extract is truncated in the text and is not reproduced here.]

Using the Standard to manage risk

Managing information risk is critical for all organisations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organisation to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events.

As a result, an organisation's risk management activities, whether coordinated as an enterprise-wide programme or at functional levels, must include assessment of risks to information that could compromise success. Risk assessment should be directed from the top down (responding to external developments and strategic change) as well as bottom up for critical business applications and processes. The ISF provides Members with a number of methods (such as IRAM), tools (such as the Benchmark) and reports (such as the Threat Horizon series) to enable good risk assessment.

An organisation's management cycle will typically consist of: Defining objectives and strategy; Implementing operational plans; Evaluating ongoing progress; and identifying changes to Enhance performance and respond to new internal and external factors, although different models and terms may be used to describe this cycle.
The management cycle depicted below emphasises how the Standard and related ISF tools and services can assist Members to manage information risk as part of enterprise risk management or as a stand-alone activity.

How the Standard and other ISF tools improve information security

1 DEFINE: Establishing the tone from the top and commitment to sound information security governance, assessing the organisation's risk appetite, aligning security strategy with the organisation's strategy and developing appropriate information security policy. The Standard offers comprehensive material on which information security governance and information security policy can be based. The Standard covers the requirements of other significant information security standards and regulations (ie ISO, COBIT) and so can be used where these apply. Many Members have adopted the Standard as is as the core of their information security policy.

2 IMPLEMENT: Implementing policy, assessing risk, and applying controls consistent with risk appetite. The ISF's Information Risk Analysis Methodology (IRAM) is designed to assess risks at application, business process or business unit level and select appropriate controls to mitigate risk consistent with risk appetite. Once risk is assessed and security requirements identified using IRAM, the Standard can be used to select appropriate controls.

3 EVALUATE: Assessing how effectively controls implemented deliver policy, meet regulatory requirements and respond to risk. The ISF's Benchmark enables Members to assess the extent to which controls are implemented. It also allows areas of control weakness / gaps (and strengths) to be identified and provides comparisons to peers. The Benchmark enables assessment using a high level Security Healthcheck, and more detailed assessments at the level of the Standard for those high risk or critical areas requiring closer examination. The Benchmark also reports results in ISO and COBIT formats, and so can be used to assess controls and gaps against those standards.

4 ENHANCE: Enhancing controls and activities where alignment of risk, policy and implementation needs to respond to new technologies, new ways of doing business and new threats. Where the ISF Benchmark has highlighted weaknesses/gaps in controls, Members can use the Standard and other ISF reports to identify and select controls to better align arrangements. Reports on new and emerging topics enable Members to respond to changes in threats and business activities.

[The figure also shows the covers of Information Security Governance: Raising the game (September 2011) and of the 2013 Standard.]

As information security activities should always contribute to the organisation's goals and support compliance with regulation, the Standard and other ISF tools should be applied in the context of the organisation's strategy. These risks can also be compounded by political, regulatory and socio-cultural developments.

In addition to helping Members identify controls relevant to managing information risk, the Standard is also designed to help meet the requirements of other common information security-related standards, such as those published by ISO (ISO/IEC 27001 and 27002) and ISACA (COBIT 5 for Information Security). The Standard enables Members to build an Information Security Management System (ISMS) as described in ISO/IEC 27001, perform information risk assessments consistent with ISO/IEC 27005 and implement relevant security controls.
Importantly, while other standards such as ISO/IEC 27002 do not address recent developments/topics such as cloud computing, cybercrime attacks and consumer devices, the Standard does provide coverage of these important developments. The Standard is therefore a more comprehensive resource than other standards in enabling ISO/IEC 27001 certification and managing risk.

The ISF provides Members with a highly integrated set of tools and services to manage information risk. These are founded on the Standard, the Information Risk Analysis Methodology (IRAM) and the Benchmark. When applied as part of a business cycle for improvement, these tools and services support an effective approach to information risk management. An overview of these tools and services is provided below, along with a description of ISF Live, which offers Members direct access to implementation support for all of the ISF's tools, services and research.

Information Risk Analysis Methodology (IRAM)

IRAM provides an approach to identify, analyse and assess information risk in all types of system or process. IRAM can be used to: assess the business impact of potential security breaches; assess threats and vulnerabilities; determine information risks; and identify controls that can be implemented to mitigate those risks.

Benchmark

The Benchmark is a service that enables Members to assess the extent to which controls are implemented in key processes and activities. It helps identify areas of control weakness / gaps (and strengths) and provides comparisons to peers.

The Benchmark enables assessment at two levels:
- At a high level, using the Healthcheck for establishing an overall picture of information security performance for an environment, or high-level risk assessments / gap analyses
- In detail, for closer examination of high risk or critical areas.

Member-defined and standard templates are available to enable assessments in accordance with the Member organisation's own preferences. The Benchmark can also present results in ISO/IEC 27002 and COBIT 5 for Information Security formats, and can be used to assess performance and gaps against those standards. Additionally, the Benchmark enables organisations to answer the "How do we compare with..." question by comparing levels of control with peer organisations (eg in the same industry sector or region).

Implementation Support via ISF Live

ISF Live offers a vibrant environment for Member collaboration. ISF Live enables Members to share information and learn about how others implement the Standard, IRAM and the Benchmark, and provides implementation support in the form of additional guidance, scenarios, case studies and discussions between Members and with the ISF Global Team. ISF Live is also where Special Interest Groups convene on emerging hot topics and where research progress and findings are shared and debated.

Target audience

The Standard is primarily developed for organisations, national and international, that recognise information security as a key business enabler. Its effective implementation depends on strong risk assessment, so that controls described in the Standard are applied in line with risk.
Good practice described in the Standard will typically be incorporated into an organisation's information security policy, business processes, environments and applications, and should be of interest and relevance to a range of individuals and external stakeholders, including:
- Chief Information Security Officers (or equivalent), responsible for developing policy, and implementing sound Information Security Governance and Information Security Assurance
- Information Security Managers (as well as local security co-ordinators and information protection champions), responsible for promoting or implementing information security and assurance programmes
- Business managers responsible for ensuring that critical business applications, processes and local environments on which their organisation's success depends are risk managed and effectively controlled
- IT managers and technical staff responsible for designing, planning, developing, deploying and maintaining key business applications, information systems or facilities
- Internal and external auditors responsible for conducting security audits
- IT service providers responsible for managing critical facilities (eg computer installations and networks) on behalf of the organisation
- Procurement and Vendor Management teams responsible for defining appropriate information security requirements in contracts.

The Standard as an enabler to compliance

The Standard uses clear and practical statements to describe the complete spectrum of security arrangements that should be considered to manage risks to information within acceptable limits. It is updated annually to reflect and address the rapid pace at which threats and risks evolve. As a result, not only does it enable comprehensive information risk management, it can also enable information security compliance.

Most organisations need to be able to demonstrate compliance with policy, defined standards and legislation. Amongst ISF Membership, the most prevalent standards used are the Standard, ISO/IEC 27001/2 and COBIT 5 for Information Security. The role of the Standard to enable compliance is therefore a major consideration in annual updates.

It should be noted that while information security compliance in itself can be a sound business objective, a purely compliance-driven approach may expose an organisation to threats that are not yet addressed by ISO/IEC 27001/2, COBIT 5 for Information Security or legislation. For this reason the Standard also reflects good practice in emerging areas of information risk.

Enabling compliance with the ISO/IEC 27000 suite of standards

The Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO/IEC 27001 and provides comprehensive coverage of ISO/IEC 27002 controls topics. Additionally the Standard contains good practice to implement ISO/IEC 27014 (Security Governance); ISO/IEC 27005 (risk-based specification of requirements for information security); and ISO/IEC 27036 (Controls relating to third party relationships and supply chain management).

The Standard extends well beyond the topics defined in ISO/IEC 27002, to cover topics such as cybercrime attacks, consumer devices and the use of big data analytics.
Control topics covered in the Standard that are not covered in ISO/IEC 27002 are shown below.

Comparison of topics covered in ISO/IEC 27002 and the Standard

[Figure: the ISO/IEC 27002 topics shown as a subset of the topics in the 2013 Standard.] The 2013 Standard of Good Practice covers ALL ISO/IEC 27002 topics plus:
- Cloud computing, including privacy in the cloud
- Supply chain
- Consumer devices and Bring Your Own Device (BYOD)
- Cybercrime attacks
- Critical infrastructure
- ...and many more.

By using the Standard as the basis for control assessment (for example, using the Benchmark), organisations can not only assess the extent to which they have applied and complied with the controls set out in ISO/IEC 27002, but also obtain a wider view of adherence to emerging and recently-established good practice. Consequently, using the Standard in this manner enables not only ISO/IEC 27002 compliance to be assessed, but also a wider view of adherence to emerging and recently-established good practice.

Enabling compliance with COBIT 5 for Information Security

COBIT 5 for Information Security (COBIT 5) has been widely recognised since its introduction in 2012. The Standard provides full coverage of COBIT 5. Control topics covered in the Standard that are not addressed in COBIT 5 are shown below.

Extent of alignment between COBIT 5 and the Standard

[Figure: the COBIT 5 for Information Security topics shown as a subset of the topics in the 2013 Standard.] The 2013 Standard of Good Practice covers ALL COBIT 5 for Information Security topics plus:
- Cloud computing, including privacy in the cloud
- Consumer devices and Bring Your Own Device (BYOD)
- Cybercrime attacks
- Information privacy
- Desktop application development
- ...and many more.

By using the Standard as the basis for control assessment (for example, using the ISF Benchmark), organisations can assess the extent to which they have applied (and complied with) the controls set out in COBIT 5.

Complying with other standards: SANS 20, DSD Top 35, UK Top 10, PAS 555

While the Standard, the ISO/IEC 27000 suite of standards and COBIT 5 are the most popular standards used by ISF Members, there are many others that are applied or referenced to varying degrees. This update of the Standard also provides comprehensive coverage of controls included in:
- 10 Steps to Cyber Security (UK Government)
- 20 Critical Security Controls (SANS Institute)
- Strategies to Mitigate Targeted Cyber Intrusions (Australian Government Defence Signals Directorate)
- PAS 555:2013 Cyber security risk. Governance and management. Specification (British Standards Institution).

Key features and structure

Fundamental and Specialised controls

The Standard makes a distinction between those topics that are considered Fundamental and those that are considered Specialised. This classification makes it easier to identify essential security arrangements likely to be relevant for most organisations, distinguishing them from those that depend on other factors that are not universal.

FUNDAMENTAL topics are the information security arrangements that are generally applied by Members to form the foundation of their information security programme.

SPECIALISED topics are those that depend on subjective factors such as the business environment and technology deployed and are unlikely to apply universally. Examples include Server Virtualisation and Cloud Computing.

A clear indicator at the top of each topic page in the Standard shows whether the controls presented in that topic are Fundamental or Specialised.

Structure

The overall structure of the Standard is illustrated below.

4 Categories                          26 Areas    118 Topics
SECURITY GOVERNANCE                    2 Areas      5 Topics
SECURITY REQUIREMENTS                  2 Areas      8 Topics
CONTROL FRAMEWORK                     20 Areas     97 Topics
SECURITY MONITORING AND IMPROVEMENT    2 Areas      8 Topics

The Standard is also consistent with the structure and flow of the ISO/IEC 27000 suite of standards, and is appropriate for those organisations that wish to use the Standard as an enabler to ISO compliance or certification, or to implement one or more Information Security Management Systems (ISMS).

The Standard sets out statements of good practice as a series of 118 topics or business activities, which are grouped into 26 higher level areas and the 4 categories above. Each of the 118 topics contains all good practice controls relevant to that particular activity from an information security perspective. The structure of the Standard enables organisations to dip into specific areas of interest/concern (such as Information Classification or Office Equipment) as they wish. To facilitate assessment against the Standard, the ISF's Benchmark provides questionnaires that reflect the structure shown above.

Topic layout

Each of the 118 topics is structured as below.
Example of how each topic in the Standard is presented

CONTROL FRAMEWORK (CF), topic CF13.2, page 171. Type: SPECIALISED

CF13.2 Protection of Spreadsheets

Principle: Critical desktop applications created using spreadsheet programs should be protected by validating input, implementing access control and restricting access to powerful functionality.

Objective: To assure the accuracy of information processed by critical spreadsheets, and protect that information from disclosure to unauthorised individuals.

CF13.2.1 Critical spreadsheets should be supported by documented standards / procedures, which cover:
a) training of individuals who use spreadsheets
b) validation of information input into spreadsheets
c) protection of spreadsheets and the information they contain.

Critical spreadsheets are often developed using spreadsheet programs (eg Microsoft Excel or OpenOffice Calc). Often, macros (which are small, user defined routines or pieces of code) are developed within the spreadsheet to automate functions like routine tasks, importing data, performing calculations and creating new menus and shortcuts.

CF13.2.2 Individuals who use and develop critical spreadsheets should be trained in how to:
a) use them effectively
b) protect the information they store and process
c) develop security-related functionality (eg when writing macros, conducting error checking and performing calculations in cells).

CF13.2.3 Information input into critical spreadsheets should be subject to integrity checks using validation routines, which:
a) require particular spreadsheet cells to contain a non-null value (ie the cell contains a value of some type, and is not empty)
b) restrict the type of information entered (eg requiring entered information to be in the format of date, currency, number or text)
c) use range checks to ensure information entered into the spreadsheet is within a predefined range (eg checking that a number that should be positive is not negative)
d) generate hash totals, to allow the integrity of information to be checked at various stages of being processed
e) perform consistency checks (eg on a formula that is repeated throughout a spreadsheet).

CF13.2.4 The risk of inaccurate entry of information should be reduced by the use of:
a) default values (eg pre-agreed values that will automatically be entered when a new record is added)
b) drop-down lists consisting of predefined values (eg to help users of spreadsheets select the correct information)
c) error messages (eg error codes and descriptive text provided to inform users when a mistake may have occurred)
d) special coding routines to check input values (eg macros and automated error checking routines).

Related content: CF4 Business Applications
ISF resources: Protecting Information in the End User Environment

The call-outs on the example page identify the elements of a topic:

Principle: A summary of the main set of security controls required (ie what controls need to be applied).
Objective: The purpose for applying a particular set of security controls (ie why controls need to be applied).
Statement numbering: A numbering system to allow easy reference for particular security controls.
Topic number: Provides quick access to the required topic of the Standard.
Topic heading: Indicates the particular topic covered within the section.
Category tab: Provides the reader with quick access to the category they need.
Explanatory text: Provides additional information about a particular term used in a statement.
Statement of Good Practice: Individually numbered statements that define the security controls to be applied in order to protect information and systems.
ISF resources: References to ISF reports or tools that offer additional detail or provide a practical means of implementation.
Related content: Refers to other areas, topics or appendices that relate to the described topic (topics within the same Area are not necessarily shown).
Type: Indicates whether this topic is Fundamental or Specialised.

SECURITY GOVERNANCE

Contents

SG1 Security Governance Approach
  SG1.1 Security Governance Framework
  SG1.2 Security Direction
SG2 Security Governance Components
  SG2.1 Information Security Strategy
  SG2.2 Stakeholder Value Delivery
  SG2.3 Information Security Assurance Programme

AREA SG1 Security Governance Approach

List of Topics: SG1.1 Security Governance Framework; SG1.2 Security Direction

SG1.1 Security Governance Framework (SPECIALISED)

Principle: A framework for information security governance should be established, and commitment demonstrated by the organisation's governing body.

Objective: To ensure that the organisation's overall approach to information security supports high standards of governance.

SG1.1.1 The organisation's governing body (eg members of the board or equivalent) should establish, direct, monitor and communicate an information security governance framework.

The governing body of an organisation is typically the group of individuals that is responsible for running that organisation (eg members of the board or equivalent).
It is typically supported by executive management, which is made up of senior individuals responsible for running operational business units (eg a trading floor, sales order processing function, manufacturing plant, call centre, large department or retail outlet) or specialist functions (eg major IT functions, information security, operational risk, internal audit, finance, legal or human resources).

SG1.1.2 The governing body should:
a) treat information security as a critical business issue
b) appoint a board-level executive or equivalent to take overall responsibility for the information security governance framework
c) ensure that the information security governance framework is supported by an information security strategy and an information security assurance programme.

SG1.1.3 The governing body should define the objectives of the information security governance framework, which include:
a) aligning the information security strategy and policy with the business strategy
b) delivering value to stakeholders (eg reduced cost, enhanced reputation and improved management of risk)
c) providing assurance that information risks are being adequately addressed.

SG1.1 Security Governance Framework (continued)

SG1.1.4 The information security governance framework should address the need to:
a) co-ordinate information security activities throughout the organisation
b) make investment decisions about information security that reflect business objectives
c) ensure that decisions about information security activities are based on risk, reflect the organisation's overall risk appetite and are made in a timely manner
d) promote a security-positive environment
e) support compliance with applicable legislation and regulation
f) measure its success in terms of contribution to the objectives of the organisation.

SG1.1.5 The information security governance framework should include a process that requires the governing body to:
a) evaluate the extent to which the information security strategy is meeting the needs of the business, and respond accordingly
b) direct information security activity overall by determining the organisation's overall risk appetite, endorsing the information security strategy and policy, and allocating sufficient resources
c) monitor the success of information security management arrangements, the extent of overall compliance with information security-related legislation and regulation, and overall implications of the changing threat landscape
d) communicate the status of high-level information security-related activity to external stakeholders, and inform information security management where corrective action is required.

An organisation's information risk appetite may be subject to frequent change, often as a result of:
- developments in the enterprise's business strategy
- changes in stakeholder expectations
- growth, mergers and acquisitions
- increased competition or difficult economic circumstances
- evolving threats to information
- major incidents experienced
- new product or service development.

SG1.1.6 The information security governance framework should require the governing body to monitor and review the organisation's information risk appetite on a regular basis.

SG1.1.7 The governing body should demonstrate their commitment by signing off the:
a) overall approach to information security governance
b) strategy for information security
c) information security assurance programme
d) information security policy
e) security architecture for the organisation.

Related content: SG2 Security Governance Components
ISF resources: ISF Briefing: Information Security Governance; Information Security Governance: Raising the game

SG1.2 Security Direction (FUNDAMENTAL)

Principle: Control over information security should be provided by a high-level working group, committee or equivalent body, and managed by a senior executive.
Objective
To provide a top-down management structure and mechanism for co-ordinating security activity (eg an information security programme) and supporting the information security governance approach.

SG1.2.1 A full-time Chief Information Security Officer (or equivalent) should be appointed at executive management level, with overall responsibility for the organisation's information security programme.

Ideally, the Chief Information Security Officer (CISO) should report either directly to the governing body, or via a senior member of an independent risk management function.

SG1.2.2 The Chief Information Security Officer should implement the organisation's overall approach to information security by:
a) developing and maintaining an information security strategy and policy that supports the security governance framework
b) focusing on information, business and compliance risks
c) concentrating on the protection of critical business processes and applications
d) protecting sensitive information from disclosure to unauthorised individuals
e) taking responsibility for developing and maintaining an information security architecture that provides a framework for the application of standard security controls throughout the organisation
f) ensuring that new information systems are developed securely.

SG1.2.3 The Chief Information Security Officer should adopt a business-focused approach to information security throughout the organisation by:
a) establishing a rapport with business and technical communities throughout the organisation to promote the value and importance of information security
b) organising the delivery of risk-based security solutions that address people, process and technology
c) developing information security staff to be advisors who have expertise in delivering security solutions in a business context
d) delivering solutions to be implemented and owned by relevant business and IT functions.

SG1.2.4 A high-level working group, committee or equivalent body should be established, which:
a) co-ordinates information security activity across the organisation
b) is chaired by a member of the governing body (ie a board-level executive or equivalent)
c) meets on a regular basis (eg three or more times a year) and documents actions agreed at those meetings.

SG1.2.5 Membership of the high-level working group should include:
a) the Chief Information Security Officer
b) one or more business owners (ie heads of business units / departments or people in charge of particular business applications or processes)
c) representatives of specialist functions (eg legal, operational risk, internal audit, human resources and physical security)
d) the head of IT (or equivalent).

SG1.2.6 The high-level working group should support the Chief Information Security Officer (or equivalent) in establishing the organisation's overall approach to information security by:
a) adopting an agile, business-oriented perspective (ie forward-looking, dynamic, and flexible enough to scale in size and respond to business demands and challenges)
b) reviewing the overall information security strategy, policy and architecture prior to sign-off by the governing body
c) promoting continuous improvement in information security throughout the organisation
d) emphasising the importance of information security to the organisation
e) ensuring information security is addressed in the organisation's business planning processes
f) embedding information security in the organisation's system development methodology.

SG1.2.7 The high-level working group should ensure the ongoing effectiveness and efficiency of information security arrangements by:
a) approving key decisions affecting the information security status of the organisation
b) reviewing threat intelligence and making recommendations to the governing body (where appropriate) on how to respond to new and changing threats
c) promoting timely decision-making about information risk by monitoring the organisation's exposure to current and emerging information security threats (eg those associated with the cyber environment, cloud adoption, external suppliers and Bring Your Own Device (BYOD))
d) approving new information security policies, standards and procedures
e) monitoring security performance using information that is timely and accurate
f) promoting resilience against the potential and actual high business impacts of major incidents, such as those typically associated with targeted cyber attacks
g) reporting to stakeholders (eg about risks identified and progress of information security-related projects and initiatives).

Related content
CF1.2 Information Security Function
SI2.1 Security Monitoring

ISF resources
Engaging with the Board: Balancing cyber risk and reward
ISF Briefing: The Modern CISO - Managing Risk and Delivering Value
ISF Briefing: Information Security Governance
Role of Information Security in the Enterprise (RISE): Workshop Report
Information Security Governance: Raising the game
Cyber Security Strategies: Achieving cyber resilience

AREA SG2 Security Governance Components
List of Topics
SG2.1 Information Security Strategy
SG2.2 Stakeholder Value Delivery
SG2.3 Information Security Assurance Programme

SG2.1 Information Security Strategy (SPECIALISED)

Principle
All information security projects and initiatives should be demonstrably aligned with the organisation's strategic objectives.

Objective
To ensure that the information security programme contributes to the organisation's success.

SG2.1.1 Information security governance should be supported by a documented information security strategy that states how information security activity will be aligned with the organisation's overall objectives.

SG2.1.2 The information security strategy should support the organisation's overall objectives by outlining:
a) how information security will add value to the organisation (eg in terms of reduced cost and enhanced reputation) and protect the interests of stakeholders
b) the role of individual information security projects in enabling specific strategic initiatives
c) the importance of information security in addressing market and regulation-related risks; legal and compliance-related risks; and technology-related risks
d) a balanced approach to information security that takes into account the need to manage information risk (eg according to the organisation's risk appetite) and meet legal and regulatory compliance requirements
e) how information security activity will help establish resilience against high-impact incidents and ensure the continuity of business operations.

SG2.1.3 The information security strategy should help defend the organisation against threats by:
a) outlining how the information security programme will enable the organisation to maintain its strategic direction (eg by responding to the evolving threat landscape)
b) describing how individual information security projects will protect the organisation against the possible adverse business impact associated with specific strategic initiatives (such as new business ventures involving external parties via the Internet, or cross-border business relationships)
c) incorporating information security incident management as a key element of the strategy.

SG2.1.4 The information security strategy should describe how the value of the information security function, and therefore its profile in the organisation, will be raised over time.

SG2.1.5 The high-level working group or committee responsible for co-ordinating information security activity overall should:
a) review the information security strategy on a regular basis to ensure it continues to support delivery of the organisation's objectives
b) approve changes to the information security strategy where appropriate
c) ensure the current version of the information security strategy is disseminated throughout the organisation.

Related content
SG1.2 Security Direction
CF20.1 Business Continuity Strategy
SI2.1 Security Monitoring
Appendix A: The ISF Business Impact Reference Table
Appendix B: The ISF Threat List

ISF resources
Information Security Strategy: Workshop Report
ISF Digest: Managing a Security Function
ISF Briefing: Information Security Governance
Information Security Governance: Raising the game

SG2.2 Stakeholder Value Delivery (SPECIALISED)

Principle
The organisation should implement processes to measure the value delivered by information security initiatives and report the results to all stakeholders.

Objective
To ensure that the information security programme delivers value to stakeholders.

SG2.2.1 The governing body (eg members of the board or equivalent) should identify and record the requirements of stakeholders (such as shareholders, regulators, auditors and customers) for protecting their interests and delivering value through information security activity, and set direction accordingly.

SG2.2.2 The role of information security in enhancing the agility of the organisation should be promoted by the governing body, for example by enabling initiatives that deliver value.

Information security can play an enabling role in removing barriers to added-value activities or services. Examples of information security as an enabler include:
- two-factor authentication providing a foundation for secure online banking services to be delivered
- public key infrastructure helping establish trust between organisations trading over the Internet
- virtualisation, Mobile Device Management (MDM) and VPN technology supporting initiatives such as Bring Your Own Device (BYOD).

SG2.2.3 The value delivered to stakeholders by key information security initiatives should be optimised by calculating return on security investment (ROSI) using recognised techniques that:
a) measure the likely financial return from the investment, taking into account financial benefits and the cost of security (typically the cost of controls in addition to the cost of incidents)
b) estimate the likely non-financial benefits resulting from the initiative, such as brand protection, favourable media coverage and increased customer satisfaction.

SG2.2.4 The value actually delivered to stakeholders by key information security initiatives should be:
a) recorded in a way that can be clearly understood by those without a detailed knowledge of information security, for example in a business-focused case study or financial benefits statement
b) reported to executive management.

SG2.2.5 To facilitate the most efficient use of existing information security-related assets throughout the organisation, an inventory of resources that can be used to reduce cost and add value should be maintained. These resources include:
a) information security specialists / staff, whose knowledge can be leveraged across different parts of the organisation
b) sources of information security knowledge available throughout the organisation
c) information security-related products and services (that have been purchased externally or developed internally).

SG2.2.6 Information security-related initiatives (including recruitment and / or procurement) should be supported by a business case that:
a) clearly states how the initiative (or project) contributes to achieving the organisation's strategic objectives, and delivering the information security strategy
b) includes details regarding the need to recruit additional information security staff or purchase new information security-related products or services
c) is signed off by a business manager
d) provides an indication of the return on investment expected (ie the value expected to be delivered), in both tangible (financial) and intangible (non-financial) terms.

SG2.2.7 Business cases for information security-related initiatives (including recruitment and / or procurement) should:
a) indicate how the initiative will make the best possible use of the information security resources available
b) explain why existing resources are insufficient.

SG2.2.8 Information security-related initiatives should be supported by a business case that is subject to an escalation procedure where:
a) alignment between the initiative and business objectives is not apparent
b) effective use of existing information security resources is not apparent.

Related content
SI2.1 Security Monitoring

ISF resources
ROSI Return on Security Investment: Workshop Report
RO$I Return on Security Investment Tool
Role of Information Security in the Enterprise (RISE): Workshop Report
Information Security Governance: Raising the game

SG2.3 Information Security Assurance Programme (FUNDAMENTAL)

Principle
The organisation should adopt a consistent and structured approach to information risk management.

Objective
To provide assurance that information risk is being adequately addressed.

SG2.3.1 The risk appetite of the organisation should be determined at governing body level using a structured technique, for example using a Business Impact Reference Table approach. Where the organisation has a devolved structure, or comprises highly independent business units, risk appetite should also be determined at business unit level.

An organisation's risk appetite relates to the maximum level of risk or harm that the organisation is prepared to accept in any given situation. It should be used to inform any decisions about information risk throughout the organisation. Risk appetite can be assessed using a tool such as the ISF's Business Impact Reference Table (BIRT), where ratings associated with possible operational, financial, customer-related and employee-related impacts can be identified (see Appendix A).
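The ROSI calculation that SG2.2.3 a) calls for, and the tangible / intangible return that a business case must indicate under SG2.2.6 d), can be illustrated with a small model. The Python below is an added example, not the Standard's text and not the ISF's RO$I tool: it uses the common annualised-loss-expectancy approach, in which the financial return is the incident cost avoided minus the cost of security (control cost plus the incident cost that remains), and the ROSI ratio divides that return by the control cost. The formula choice, the scenario figures and the initiative names are all constructed assumptions.

```python
"""Added example: annualised-loss ROSI comparison for competing security initiatives."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IncidentScenario:
    """An incident type that an initiative is meant to reduce (constructed figures)."""
    name: str
    single_loss_expectancy: float  # cost of one occurrence, in currency units
    annual_rate: float             # expected occurrences per year

    def ale(self) -> float:
        """Annualised loss expectancy: expected incident cost if nothing changes."""
        return self.single_loss_expectancy * self.annual_rate


@dataclass
class SecurityInitiative:
    """A candidate investment and the fraction of each scenario's loss it removes."""
    name: str
    annual_control_cost: float
    mitigation: Dict[str, float]  # scenario name -> fraction of ALE removed (0..1)
    non_financial_benefits: List[str] = field(default_factory=list)  # SG2.2.3 b)


def baseline_incident_cost(scenarios: List[IncidentScenario]) -> float:
    """Cost of incidents per year with no new investment."""
    return sum(s.ale() for s in scenarios)


def residual_incident_cost(scenarios: List[IncidentScenario],
                           initiative: SecurityInitiative) -> float:
    """Expected incident cost that remains once the initiative is in place."""
    total = 0.0
    for s in scenarios:
        ratio = initiative.mitigation.get(s.name, 0.0)
        if not 0.0 <= ratio <= 1.0:
            raise ValueError(f"mitigation ratio for {s.name!r} must be within 0..1")
        total += s.ale() * (1.0 - ratio)
    return total


def rosi(scenarios: List[IncidentScenario],
         initiative: SecurityInitiative) -> Tuple[float, float]:
    """Return (annual financial return, ROSI ratio).

    Financial return = incident cost avoided - control cost, which is the same as
    baseline incident cost - (control cost + residual incident cost), ie the
    "cost of controls in addition to the cost of incidents" of SG2.2.3 a).
    ROSI ratio = financial return / control cost (assumed definition).
    """
    if initiative.annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided = baseline_incident_cost(scenarios) - residual_incident_cost(scenarios, initiative)
    financial_return = avoided - initiative.annual_control_cost
    return financial_return, financial_return / initiative.annual_control_cost


def business_case_summary(scenarios: List[IncidentScenario],
                          initiatives: List[SecurityInitiative]) -> List[dict]:
    """Rank initiatives by ROSI and report tangible and intangible value (SG2.2.6 d))."""
    rows = []
    for ini in initiatives:
        ret, ratio = rosi(scenarios, ini)
        rows.append({
            "initiative": ini.name,
            "annual_control_cost": ini.annual_control_cost,
            "expected_annual_return": round(ret, 2),
            "rosi_ratio": round(ratio, 2),
            "worth_funding": ret > 0,
            "intangible_benefits": list(ini.non_financial_benefits),
        })
    rows.sort(key=lambda r: r["rosi_ratio"], reverse=True)
    return rows


# Constructed sample data: two incident scenarios and two competing initiatives.
SCENARIOS = [
    IncidentScenario("customer account takeover via phished passwords", 50_000.0, 2.0),
    IncidentScenario("loss of laptop holding unencrypted customer data", 80_000.0, 0.5),
]

INITIATIVES = [
    SecurityInitiative(
        "two-factor authentication for online banking", 30_000.0,
        {"customer account takeover via phished passwords": 0.8},
        ["enables secure online banking services", "favourable media coverage"],
    ),
    SecurityInitiative(
        "full-disk encryption with MDM for laptops", 25_000.0,
        {"loss of laptop holding unencrypted customer data": 0.9},
        ["supports the BYOD initiative", "reduced regulatory exposure"],
    ),
]

if __name__ == "__main__":
    for row in business_case_summary(SCENARIOS, INITIATIVES):
        print(row)
```

Both initiatives show a positive return on the constructed figures, but ranking by ratio makes the two-factor authentication project the stronger case; the intangible benefits travel with each row so that the business case can present them alongside the financial figure, as SG2.2.4 a) asks.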
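As an added worked example (not from the Standard and not the ISF's IRAM or BIRT tools), the following Python shows how a risk appetite expressed as a rating on the BIRT scale can be compared with a risk assessed the way the Security Requirements area below describes: impact across the four BIRT categories of SG2.3.1 and SR1.3 (financial, operational, customer-related, employee-related), likelihood derived from threat and vulnerability ratings as in SR1.2.4 to SR1.2.6, and the documented result with treatment options required by SR1.2.10. The five-point scale, the worst-case and averaging rules used to combine ratings, the impact-times-likelihood thresholds and the sample payroll environment are all assumptions made for the example.

```python
"""Added example: rating a target environment's risk against the organisation's risk appetite."""
import math
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Rating(IntEnum):
    """Five-point scale assumed for impact, threat, vulnerability, likelihood and risk."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


# The four impact categories of the Business Impact Reference Table (SG2.3.1, SR1.3.2 to SR1.3.5)
IMPACT_CATEGORIES = ("financial", "operational", "customer_related", "employee_related")


@dataclass
class TargetEnvironment:
    name: str
    impact: Dict[str, Rating]           # per-category impact should information be compromised
    threats: Dict[str, Rating]          # threat description -> rating (SR1.2.5)
    vulnerabilities: Dict[str, Rating]  # analysis finding -> rating (SR1.2.6)


def overall_impact(impact: Dict[str, Rating]) -> Rating:
    """Worst-case rule (assumption): the highest category rating drives the impact."""
    missing = [c for c in IMPACT_CATEGORIES if c not in impact]
    if missing:
        raise ValueError(f"impact not rated for categories: {missing}")
    return Rating(max(impact[c] for c in IMPACT_CATEGORIES))


def likelihood(threats: Dict[str, Rating], vulnerabilities: Dict[str, Rating]) -> Rating:
    """Likelihood from the strongest threat and the worst vulnerability (SR1.2.4 b); assumed rule)."""
    if not threats or not vulnerabilities:
        raise ValueError("at least one threat and one vulnerability must be rated")
    t = max(threats.values())
    v = max(vulnerabilities.values())
    return Rating(math.ceil((int(t) + int(v)) / 2))


def risk_level(impact: Rating, likelihood_rating: Rating) -> Rating:
    """Impact x likelihood mapped back onto the five-point scale (assumed thresholds)."""
    score = int(impact) * int(likelihood_rating)
    if score >= 16:
        return Rating.VERY_HIGH
    if score >= 10:
        return Rating.HIGH
    if score >= 5:
        return Rating.MEDIUM
    if score >= 3:
        return Rating.LOW
    return Rating.VERY_LOW


def treatment_options(risk: Rating, appetite: Rating) -> List[str]:
    """Treatment options per SR1.2.10 c): accepting is offered only within appetite."""
    if risk <= appetite:
        return ["accept (within risk appetite; owner signs off the residual risk)"]
    return [
        "mitigate (apply security controls and reassess)",
        "transfer (eg insurance or contractual allocation to a supplier)",
        "avoid (do not proceed with the activity)",
    ]


def assess(env: TargetEnvironment, appetite: Rating) -> dict:
    """Produce the documented result SR1.2.10 asks for: key risks, impact, likelihood, options."""
    imp = overall_impact(env.impact)
    lik = likelihood(env.threats, env.vulnerabilities)
    risk = risk_level(imp, lik)
    return {
        "target_environment": env.name,
        "impact": imp.name,
        "likelihood": lik.name,
        "risk": risk.name,
        "within_appetite": risk <= appetite,
        "key_risks": [t for t, r in env.threats.items() if r >= Rating.HIGH],
        "treatment_options": treatment_options(risk, appetite),
    }


# Constructed sample: a payroll application holding employee PII.
PAYROLL = TargetEnvironment(
    name="payroll application",
    impact={"financial": Rating.HIGH, "operational": Rating.MEDIUM,
            "customer_related": Rating.LOW, "employee_related": Rating.HIGH},
    threats={"deliberate disclosure of employee data by an insider for financial gain": Rating.HIGH,
             "unintentional leakage when emailing payroll reports": Rating.MEDIUM,
             "loss of power to the data centre": Rating.LOW},
    vulnerabilities={"control analysis: no information classification scheme": Rating.HIGH,
                     "technical analysis: unpatched operating system": Rating.MEDIUM,
                     "system analysis: Internet-facing self-service portal": Rating.HIGH},
)

if __name__ == "__main__":
    print(assess(PAYROLL, appetite=Rating.HIGH))
```

With a governing-body appetite of HIGH the payroll assessment comes out VERY_HIGH and is flagged as outside appetite, so the owner is offered mitigate, transfer or avoid rather than accept; raising the appetite to VERY_HIGH flips the result to within appetite, which is the decision SG2.3.2 expects owners to be able to make consciously.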
Executive management are typically involved in risk-based decisions to ensure the organisation's risk appetite is taken into consideration.

SG2.3.2 The risk appetite should be communicated to, and understood by, all individuals throughout the organisation who are responsible for making decisions about treating information risk.

SG2.3.3 An information security assurance programme should be established which states that:
a) security requirements are identified based on an information risk assessment and compliance requirements (legal / regulatory / contractual)
b) identified risks are treated in accordance with business requirements, and any accepted risks subjected to sign-off by the business
c) a suitable control framework is implemented
d) the effectiveness and efficiency of security arrangements is monitored and reported to the governing body.

SG2.3.4 The information security assurance programme should:
a) reflect the organisation's risk appetite
b) be consistent with the management and reporting of other types of risk in the organisation (for example, operational, financial, market)
c) be applied consistently throughout the organisation.

SG2.3.5 An enterprise-wide approach for monitoring the performance of the information security assurance programme should be agreed by executive management, which includes:
a) monitoring the security condition of the organisation based on quantitative techniques (eg using recognised performance indicators supported by information security metrics)
b) presentation of results against key performance indicators (KPIs) that can be clearly understood by those without a detailed knowledge of information security
c) details of any areas of major concern (eg key risks) that remain unaddressed
d) the requirement for exception reporting to the governing body and stakeholders, for example where the organisation experiences a major information security-related incident.

SG2.3.6 The high-level working group or committee responsible for co-ordinating information security activity overall should review the effectiveness of performance monitoring techniques on a regular basis and make adjustments when and where necessary.

Related content
SR1 Information Risk Assessment
SR2 Compliance
SI2 Security Performance
Appendix A: The ISF Business Impact Reference Table

ISF resources
ISF Briefing: Information Security Governance
Information Security Assurance: An overview for implementing an information security assurance programme
ISF Briefing: Key Performance Indicators for Information Security
Information Risk Analysis Methodology (IRAM) Business Impact Reference Table (BIRT)
Information Security Governance: Raising the game

SECURITY REQUIREMENTS (SR)

Contents
SR1 Information Risk Assessment
SR1.1 Managing Information Risk Assessment
SR1.2 Information Risk Assessment Methodologies
SR1.3 Confidentiality Requirements
SR1.4 Integrity Requirements
SR1.5 Availability Requirements
SR1.6 Information Risk Treatment
SR2 Compliance
SR2.1 Legal and Regulatory Compliance
SR2.2 Information Privacy

AREA SR1 Information Risk Assessment
List of Topics
SR1.1 Managing Information Risk Assessment
SR1.2 Information Risk Assessment Methodologies
SR1.3 Confidentiality Requirements
SR1.4 Integrity Requirements
SR1.5 Availability Requirements
SR1.6 Information Risk Treatment

SR1.1 Managing Information Risk Assessment (FUNDAMENTAL)

Principle
Information risk assessments should be performed for target environments (eg critical business environments, business processes, business applications (including those under development), information systems and networks) on a regular basis.

Objective
To enable individuals who are responsible for target environments to identify key information risks and determine the controls required to keep those risks within acceptable limits.

SR1.1.1 There should be formal, documented standards / procedures for performing information risk assessments, which apply across the organisation. Standards / procedures should cover the:
a) need for information risk assessments to be performed
b) types of target environment that should be assessed for information risks (including internal business processes or processes in the supply chain)
c) circumstances in which information risk assessments should be performed
d) individuals who need to be involved, and their specific responsibilities
e) method of managing and responding to the results of information risk assessments.

Information risk assessment (sometimes referred to as information risk analysis) is the identification, measurement and prioritisation of risk associated with information.

SR1.1.2 Information risk assessments should be performed for target environments, including:
a) business environments (eg business administration offices, trading floors, call centres, warehouses and retail environments)
b) business processes (eg processing high value transactions, manufacturing goods, handling medical records)
c) business applications (including those under development)
d) information systems and networks that support critical business processes
e) specialist systems that are important to the organisation (eg systems that support or enable critical infrastructure, such as embedded systems and industrial control systems (including SCADA systems, process control PCs and programmable logic controllers)).

SR1.1.3 Decision-makers (including: executive management; heads of business units / departments; and owners of business applications, information systems, networks and systems under development) should be aware of the need to carry out information risk assessments for target environments within the organisation.

Traditional information risk assessment has typically focused on business applications and information systems. However, in recent years some organisations have expanded the target of risk assessments to encompass environments such as business processes (eg processing high value transactions, manufacturing goods, handling medical records) or even business environments (eg business administration offices, trading floors, call centres, warehouses and retail environments). Accordingly, the term target environments has been used to refer to those business environments, business processes, business applications (including those under development), information systems and networks that are critical to the organisation.

SR1.1.4 Target environments should be subject to an information risk assessment:
a) at an early stage in their development (including design stage)
b) prior to significant change (at an early stage in the change management process)
c) when considering if they should be outsourced to an external party, such as a managed security service provider (eg through the cloud).

SR1.1.5 Information risk assessments should be performed regularly and prior to:
a) introducing major new technologies and initiatives (eg mobile applications, HTML5, Bring Your Own Device (BYOD), RFID, virtualisation and IPv6 networking)
b) using the services of external service providers (eg when outsourcing, offshoring or using cloud service providers)
c) permitting access to the organisation's critical systems (including those under development) by external individuals (eg consultants, contractors and employees of external parties)
d) granting access from external locations (eg employees' homes, external party premises or public places).

SR1.1.6 Information risk assessments should involve:
a) business owners (eg owners of business applications and business environments)
b) experts in risk assessment (eg a member of staff or an external specialist who has significant experience as an information risk assessment practitioner)
c) IT specialists
d) key user representatives
e) information security specialists (eg a member of staff or an external specialist who has significant experience as an information security practitioner).

SR1.1.7 Information risk assessments should be supported by reviewing intelligence information about:
a) emerging and changing threats (eg cybercrime, identity theft, spear phishing, watering holes and cyber-espionage attacks)
b) known vulnerabilities and exploits associated with key operating systems, applications and other software (eg by monitoring security vendor websites, tracking CERT advisories, subscribing to vulnerability notification services and using intelligence service providers)
c) information security incidents affecting major organisations (including type of incidents, frequency of occurrence and preceding events)
d) impacts being experienced by major organisations (eg including those associated with brand, reputational, legal, operational and financial impact).

SR1.1.8 Results from information risk assessments conducted across the organisation should be:
a) reported to owners of business environments and executive management (or equivalent)
b) used to help determine programmes of work in information security (eg developing an information security management system (ISMS), performing remedial actions and establishing new security initiatives)
c) integrated with wider risk management activities (eg managing operational risk).

Related content
SR1.6 Information Risk Treatment
SI2.2 Information Risk Reporting
Appendix A: The ISF Business Impact Reference Table
Appendix B: The ISF Threat List

ISF resources
Risk Convergence: Implications for Information Risk Management
Reporting Information Risk
IRAM Risk Analyst Workbench (RAW)
ISF Briefing: Insider threats
Cyber Security Strategies: Achieving cyber resilience

SR1.2 Information Risk Assessment Methodologies (FUNDAMENTAL)

Principle
Information risk assessments should be undertaken
using structured methodologies.ObjectiveTomakeinformaonriskassessmentsconsistentthroughouttheorganisaon,eecve,easyto conduct, and produce a clear picture of key informaon risks.SR1.2.1Informaonrisksassociatedwithtargetenvironments(egcricalbusinessenvironments,businessprocesses, business applicaons (including those under development), informaon systems and networks) should be assessed using structured informaon risk assessment methodologies (eg the ISFs Informaon Risk Analysis Methodology (IRAM)).SR1.2.2Informaon risk assessment methodologies should be:a)documented, and approved by execuve managementb)aligned with the organisaons approach to enterprise risk management (eg managed as part of operaonal risk management and using similar terminology, techniques and reporng)c)performed consistently across the organisaond)automated(egusingspecialistsowaretoolsthatcovertheassessmentofbusinessimpact,threatand vulnerability and support risk treatment)e)reviewed regularly to ensure that they meet business needsf)applicable to business environments, business processes and informaon systems of various sizes and typesg)easy to understand by non-security specialists (eg business representaves).SR1.2.3Informaon risk assessment methodologies should require all risk assessments to have a clearly dened scope and address all types of crical and sensive informaon, including:a)commercial informaon (eg order quanes, orders and invoices, prices and quotes)b)intellectual property (IP) (eg advice, drawings, product formulae and specicaons)c)legal, regulatory and privileged informaon (LRP) (eg contracts, legal advice and negoaons)d)logiscal informaon (eg delivery schedules, shipping requirements and stock reports)e)management informaon (eg nancial reports, process performance and warehousing and stock turnover)f)personally idenable informaon (PII), such as consumer details, employee data and payroll data.SR1.2.4Informaon risk assessments should determine risk by 
assessing:a)thepotenallevelofbusinessimpactassociatedwiththebusinessenvironment,businessprocess,business informaon and systems, should business informaon be compromisedb)thelikelihoodofbusinessinformaonbeingcompromised(iebyassessinglevelsofboththreatsand vulnerabilies).SECURITY REQUIREMENTSwww.securityforum.orgFUNDAMENTALSR30SR1.22013 Standard of Good PracticeInformation Security ForumSR1.2Information Risk Assessment Methodologies (continued)SR1.2.5The likelihood of business informaon being compromised should be assessed by evaluang a full range of threats to the condenality, integrity and availability of crical informaon systems, including:a)deliberatethreats(egcarryingoutdenialofserviceaacks,distribungmalware,installingunauthorised soware, intenonally disclosing sensive informaon to unauthorised individuals or organisaons for nancial gain and misusing systems to commit fraud)b)unintenonalthreats(eginformaonleakagewhensendingemails,exchangingelectronicdocumentsand sharingpaper-baseddocuments,makingmistakesindatainput,inadvertentlydelengdatabaserecordsand failing to backup informaon)c)threats posed by internal sta (ie the insider threat)d)threats posed by external pares / individuals (eg customers, clients, business partners and suppliers)e)man-made disasters (eg loss of power, system or soware malfuncons, re or explosions)f)natural disasters (eg hurricane, storm or ood damage).SR1.2.6Vulnerabiliesthatincreasethelikelihoodofbusinessinformaonbeingcompromisedshouldbeassessedby performing:a)a control analysis (ie an analysis of an assessment of the weaknesses of exisng controls in an informaon system, suchaslackofinformaonclassicaon,poorlyprotectedportablestoragedevicesorunprotectedcrical desktop applicaons)b)anenvironmentanalysis(ieananalysisoftheexternalmacro-environmentinwhichaninformaonsystem operates(egusingthePLESTmodelcoveringpolical,legalandregulatory,economic,socio-culturaland technological factors))c)a system analysis (ie an analysis of the key characteriscs 
of an informaon system (eg Internet connecvity, scale and complexity of system, number of transacons))d)technicalanalysis(ieananalysisofthetechnicalweaknessesinherentinaninformaonsystem,suchas conguraon errors, operang system weaknesses and known soware bugs).SR1.2.7Vulnerabilies should be assessed for each stage of the informaon lifecycle, including:a)creaon (eg lack of security requirements, classicaons and centralised control)b)processing (eg excessive privileges, user inexperience and unapproved use of equipment)c)transmission (eg lack of encrypon or restricons on the distribuon of informaon, such as email)d)storage (eg storing sensive les on mobile devices, consumer devices and unencrypted external hard disk drives)e)destrucon (eg poor disposal pracces or accidental destrucon of crical informaon).SR1.2.8Informaonriskassessmentsshouldtakeintoaccountfactorsthatmayinuencethelikelihoodofthreats materialising, including:a)service level agreements (SLAs) associated with business applicaons, informaon systems and networksb)thedierentformatsofinformaon(includingpaperdocuments,electronicles,verbalcommunicaonsand physical objects)c)informaon classicaon requirementsd)previous risk assessments conducted on the informaon or system being assessede)incidents previously experienced (including frequency and magnitude)f)supporngtechnologythatusesmakes/modelsofhardwareandsowarethatareproprietary,obsoleteor unsupported.SECURITY REQUIREMENTSwww.securityforum.orgFUNDAMENTALSRInformation Security Forum2013 Standard of Good PracticeSR1.231 SR1.2Information Risk Assessment Methodologies (continued)SR1.2.9Informaon risk assessments should take into account factors related to business operaons, including:a)compliancerequirements(egwithlegislaon,regulaon,contractualterms,industrystandardsandinternal policies)b)objecves of the organisaon (eg those idened in the organisaons business and security strategies)c)characteriscs of the operang environment of informaon and systems being assessed 
(eg number and diversity of users, their level of access to informaon, their a tude to handling business informaon, resistance to control and inuence by the organisaon)d)the physical locaons associated with the target environments (eg convenonal o ces within the organisaon, remote parts of the organisaon such as satellite o ces, industrial environments and customer facing locaons such as retail stores and airports)e)the organisaons presence in and dependence on cyberspace (eg brand, reputaon and market share).SR1.2.10Informaon risk assessments should ensure that the results of assessments are documented and include:a)a clear idencaon of key risksb)an assessment of the level of potenal business impact and likelihood of threats materialisingc)a list of risk treatment opons (eg accepng risks, avoiding risks, transferring risks or migang risks by applying security controls).SR1.2.11The results of informaon risk assessments (including risk treatment opons and any idened residual risk) should be:a)communicated to the relevant ownerb)signed o by the relevant ownerc)compared with informaon risk assessments conducted in other areas of the organisaond)presented in a format that is clear and understandable to the business (ie wrien in business language).Related contentSR1.6 Informaon Risk TreatmentSI2.2 Informaon Risk ReporngAppendix A: The ISF Business Impact Reference TableAppendix B: The ISF Threat ListISF resourcesRisk Convergence: Implicaons for Informaon Risk ManagementReporng Informaon RiskIRAM Risk Analyst Workbench (RAW)Cyber Security Strategies: Achieving cyber resilienceSECURITY REQUIREMENTSwww.securityforum.orgFUNDAMENTALSR32SR1.32013 Standard of Good PracticeInformation Security ForumSR1.3Condentiality RequirementsPrincipleThebusinessimpactofunauthoriseddisclosureofsensivebusinessinformaonassociatedwith target environments should be assessed.ObjectiveTodocumentandagreethecondenalityrequirements(theneedforinformaontobekept secret or private within a predetermined 
group) for information associated with target environments (eg critical business environments, business processes, business applications (including those under development) and information systems).

SR1.3.1 Business requirements should take account of the need to protect the confidentiality of information.

SR1.3.2 The analysis of confidentiality requirements should determine how the unauthorised disclosure of sensitive information could have a financial impact on the organisation in terms of:
a) loss of sales, orders or contracts (eg sales opportunities missed, orders not taken or contracts not signed)
b) loss of tangible assets (eg through fraud, theft of money or lost interest)
c) penalties / legal liabilities (eg through breach of legal, regulatory or contractual obligations)
d) unforeseen costs (eg recovery costs, uninsured losses or increased insurance)
e) depressed share price (eg sudden or prolonged loss of share value, or random share value fluctuation).

SR1.3.3 The analysis of confidentiality requirements should determine how the unauthorised disclosure of sensitive information could have an operational impact on the organisation in terms of:
a) loss of management control (eg impaired decision-making, inability to monitor financial positions, or process management failure)
b) loss of competitiveness (eg repetitive production line failures, degraded customer service or introduction of new pricing policies)
c) new ventures held up (eg delayed new products, delayed entry into new markets or delayed mergers / acquisitions)
d) breach of operating standards (eg contravention of regulatory, quality or safety standards).

SR1.3.4 The analysis of confidentiality requirements should determine how the unauthorised disclosure of sensitive information could have a customer-related impact on the organisation in terms of:
a) delayed deliveries to customers or clients (eg failure to meet product delivery deadlines or failure to complete contracts on time)
b) loss of customers or clients (eg customer / client defection to competitors or withdrawal of preferred supplier status by customer / client)
c) loss of confidence by key institutions (eg
adverse criticism by investors, regulators, customers or suppliers)
d) damage to reputation (eg confidential financial information published in media or compromising internal memos broadcast by media).

SR1.3.5 The analysis of confidentiality requirements should determine how the unauthorised disclosure of sensitive information could have an employee-related impact on the organisation in terms of:
a) reduction in staff morale / productivity (eg reduced efficiency, lost time or job losses)
b) injury or death.

Related content
SR1.6 Information Risk Treatment
SI2.2 Information Risk Reporting
Appendix A: The ISF Business Impact Reference Table

ISF resources
Practical Approaches to Information Classification: Workshop Report
Information Risk Analysis Methodology (IRAM) - Business Impact Assessment

SR1.4 Integrity Requirements

Principle
The business impact of the accidental corruption or deliberate manipulation of critical business information associated with target environments should be assessed.

Objective
To document and agree the integrity requirements (the need for information to be valid, accurate and complete) for information associated with target environments (eg critical business environments, business processes, business applications (including those under development) or information systems).

SR1.4.1 Business requirements should take account of the need to protect the integrity of information.

SR1.4.2 The analysis of integrity requirements should determine how the accidental corruption or deliberate manipulation of information could have a financial impact on the organisation in terms of:
a) loss of sales, orders or contracts (eg sales opportunities missed, orders not taken or contracts not signed)
b) loss of tangible assets (eg through fraud, theft of money or lost interest)
c) penalties / legal liabilities (eg through breach of
legal, regulatory or contractual obligations)
d) unforeseen costs (eg recovery costs, uninsured losses or increased insurance)
e) depressed share price (eg sudden or prolonged loss of share value, or random share value fluctuation).

SR1.4.3 The analysis of integrity requirements should determine how the accidental corruption or deliberate manipulation of information could have an operational impact on the organisation in terms of:
a) loss of management control (eg impaired decision-making, inability to monitor financial positions, or process management failure)
b) loss of competitiveness (eg repetitive production line failures, degraded customer service or introduction of new pricing policies)
c) new ventures held up (eg delayed new products, delayed entry into new markets or delayed mergers / acquisitions)
d) breach of operating standards (eg contravention of regulatory, quality or safety standards).

SR1.4.4 The analysis of integrity requirements should determine how the accidental corruption or deliberate manipulation of information could have a customer-related impact on the organisation in terms of:
a) delayed deliveries to customers or clients (eg failure to meet product delivery deadlines or failure to complete contracts on time)
b) loss of customers or clients (eg customer / client defection to competitors or withdrawal of preferred supplier status by customer / client)
c) loss of confidence by key institutions (eg adverse criticism by investors, regulators, customers or suppliers)
d) damage to reputation (eg confidential financial information published in media or compromising internal memos broadcast by media).

SR1.4.5 The analysis of integrity requirements should determine how the accidental corruption or deliberate manipulation of information could have an employee-related impact on the organisation in terms of:
a) reduction in staff morale / productivity (eg reduced efficiency, lost time or job losses)
b) injury or death.
Related content
SR1.6 Information Risk Treatment
SI2.2 Information Risk Reporting
Appendix A: The ISF Business Impact Reference Table

ISF resources
Information Risk Analysis Methodology (IRAM) - Business Impact Assessment

SR1.5 Availability Requirements

Principle
The business impact of critical business information associated with target environments being unavailable for any length of time should be assessed.

Objective
To document and agree the availability requirements (the need for information to be accessible when required) for information associated with target environments (eg critical business environments, business processes, business applications (including those under development) or information systems).

SR1.5.1 Business requirements should take account of the need to protect the availability of information.

SR1.5.2 The analysis of availability requirements should determine how a loss of availability of information could have a financial impact on the organisation in terms of:
a) loss of sales, orders or contracts (eg sales opportunities missed, orders not taken or contracts not signed)
b) loss of tangible assets (eg through fraud, theft of money or lost interest)
c) penalties / legal liabilities (eg through breach of legal, regulatory or contractual obligations)
d) unforeseen costs (eg recovery costs, uninsured losses or increased insurance)
e) depressed share price (eg sudden or prolonged loss of share value, or random share value fluctuation).

SR1.5.3 The analysis of availability requirements should determine how a loss of availability of information could have an operational impact on the organisation in terms of:
a) loss of management control (eg impaired decision-making, inability to monitor financial positions, or process management failure)
b) loss of competitiveness (eg repetitive production line failures, degraded customer service or introduction of new pricing policies)
c) new ventures held up (eg delayed new products, delayed entry into new markets or delayed mergers /
acquisitions)
d) breach of operating standards (eg contravention of regulatory, quality or safety standards).

SR1.5.4 The analysis of availability requirements should determine how a loss of availability of information could have a customer-related impact on the organisation in terms of:
a) delayed deliveries to customers or clients (eg failure to meet product delivery deadlines or failure to complete contracts on time)
b) loss of customers or clients (eg customer / client defection to competitors or withdrawal of preferred supplier status by customer / client)
c) loss of confidence by key institutions (eg adverse criticism by investors, regulators, customers or suppliers)
d) damage to reputation (eg confidential financial information published in media or compromising internal memos broadcast by media).

SR1.5.5 The analysis of availability requirements should determine how a loss of availability of information could have an employee-related impact on the organisation in terms of:
a) reduction in staff morale / productivity (eg reduced efficiency, lost time or job losses)
b) injury or death.

SR1.5.6 Business requirements should take into account the critical timescale of the application (ie the timescale beyond which a loss of service would be unacceptable to the organisation).

Related content
SR1.6 Information Risk Treatment
SI2.2 Information Risk Reporting
Appendix A: The ISF Business Impact Reference Table

ISF resources
Information Risk Analysis Methodology (IRAM) - Business Impact Assessment

SR1.6 Information Risk Treatment

Principle
Information risks should be treated in accordance with business requirements and the approach taken approved by executive management.

Objective
To help ensure information risks are treated (eg accepted, avoided, transferred or mitigated) in a suitable
manner.

SR1.6.1 Risks identified as part of an information risk assessment should be treated according to the organisation's risk appetite and security requirements, taking into account business circumstances and level of threat, and treatment approved by executive management.

SR1.6.2 Options to treat information risk (ie risk treatment) should include:
a) accepting all or part of the risk (eg business owners take responsibility for accepting the business consequences and signing off the risk)
b) avoiding all or part of the risk (eg by cancelling a high risk project or deciding not to pursue a particular business initiative)
c) transferring all or part of the risk (eg by sharing the risk with an external party or by taking out insurance)
d) mitigating all or part of the risk, typically by applying appropriate security controls (eg malware protection, digital rights management or data loss prevention (DLP)).

SR1.6.3 Accepting information risks (ie the business owner takes responsibility for accepting the business consequences) should include:
a) consideration of predefined limits for levels of risk (eg quantitative values such as financial thresholds or qualitative values such as a ratings scale of very low to very high)
b) approval and sign-off by a senior individual with authority, such as a representative of executive management (eg senior executive or equivalent)
c) acknowledging that risk is still present (ie residual risk) and management will accept the consequences if incidents occur
d) recording them in a central register (where they can be reviewed and compared with other risks and related treatment decisions).

SR1.6.4 Avoiding information risks should involve a decision by a senior individual to cancel or postpone a particular project or initiative that introduces the risk (eg adopting a particular technology, allowing external access, offering products in a new market (or jurisdiction) or providing a new service to customers).

SR1.6.5 Transferring information risks should involve:
a) sharing the risks with external parties such as joint venture partners, outsource providers or cloud service providers (eg sharing financial investment and
resources)
b) obtaining insurance against particular types of incident occurring for high risk activities.

SR1.6.6 Applying security controls to mitigate information risk should include:
a) applying (or mapping to) a reputable security control framework (eg ISO/IEC 27002, COBIT, NIST SP 800-53 or ITIL)
b) evaluating the strengths and weaknesses of security controls
c) selecting security controls that will reduce the likelihood of serious information security incidents occurring and reduce their impact if they do occur
d) selecting security controls that will satisfy relevant compliance requirements (eg those outlined in the Sarbanes-Oxley Act, legislation associated with EU Directives 2006/43/EC and 2006/46/EC, the Payment Card Industry Data Security Standard (PCI DSS), Basel III, data privacy requirements and anti-money laundering requirements)
e) assessing the costs of implementing security controls (eg costs associated with: design, purchase, implementation and monitoring of the controls; hardware and software; training; overheads, such as facilities; and consultancy fees)
f) identifying specialised security controls required by particular business environments (eg application whitelisting, digital rights management (DRM) or strong authentication)
g) identifying and obtaining sign-off for any residual risk (ie the proportion of risk that still remains after selected controls have been implemented).

Related content
SR1.1 Managing Information Risk Assessment
SR1.2 Information Risk Assessment Methodologies
SI2.2 Information Risk Reporting

ISF resources
Reporting Information Risk
Information Security Assurance: An overview for implementing an information security assurance programme
Information Risk Analysis Methodology (IRAM) - Control Selection

Application whitelisting is a technique used to prevent unauthorised applications from running on computing
devices, by only allowing predetermined, approved applications (ie those in the whitelist) to run. This technique is considered to be a major factor in reducing the volume and impact of deliberate attacks on computing devices. However, despite the level of protection provided by application whitelisting, it can introduce an additional burden for organisations or be considered impractical. Applications are subject to continual change (often due to patching and configuration), which can result in the whitelist becoming out-of-date quickly. As a result, application whitelisting typically requires significant attention, and subsequently resource, in order to avoid business interruption when legitimate applications are prevented from running.

SR1.6.7 Information risk treatment actions (together with residual risk) should be detailed in a risk treatment plan, which is:
a) communicated to the relevant business owner
b) signed off by the relevant owner and at least one representative of executive management (eg senior executive, head of business unit / department or equivalent)
c) compared with information risk assessments conducted in other areas of the organisation.

SR2.1 Legal and Regulatory Compliance

Principle
A process should be established to identify and interpret the information security implications of relevant laws and regulations.

Objective
To comply with laws and regulations affecting information security.

SR2.1.1 Legal and regulatory requirements affecting information security should be recognised by:
a) executive management
b) business owners
c) the head of information security (Chief Information Security Officer or equivalent)
d) representatives of other security-related functions (eg legal, operational risk, internal audit, insurance, human resources, and physical security).

SR2.1.2 A process should be established for ensuring compliance with relevant legal and regulatory requirements affecting information security across the organisation, which covers:
a) information security-specific legislation (eg computer crimes, encryption export, data breach notification and
e-discovery)
b) general legislation which has security implications (eg data privacy, investigatory powers, intellectual property and human rights)
c) regulation (eg financial regulation, anti-money laundering, corporate governance, healthcare and industry-specific regulations such as the Payment Card Industry Data Security Standard (PCI DSS)).

SR2.1.3 The compliance process should enable decision-makers to:
a) discover laws and regulations that affect information security (eg by using the services of law firms and industry watchdog groups that provide updates on new regulations, changes to existing regulations and results of litigation (case law or precedent))
b) interpret the information security implications of discovered laws and regulations
c) identify potential legal / regulatory non-compliance (eg performing a risk assessment of compliance with laws and regulations)
d) address areas of potential legal / regulatory non-compliance.

SR2.1.4 The compliance process should be documented, signed off by executive management, and kept up-to-date.

AREA SR2 Compliance
List of Topics
SR2.1 Legal and Regulatory Compliance
SR2.2 Information Privacy

SR2.1.5 A review of compliance with legal and regulatory requirements that affect information security should:
a) be performed regularly or when new legislation or regulatory requirements come into effect
b) involve representatives from key areas of the organisation (eg executive management, business owners, legal department, IT management, and the information security function)
c) result in the update of information security standards / procedures to accommodate any necessary changes.

Related content
SI2.3 Monitoring Information Security Compliance

ISF resources
Monitoring Compliance: Workshop Report

SR2.2 Information
Privacy

Principle
Responsibility for managing information privacy should be established and security controls for handling personally identifiable information (ie information that can be used to identify an individual person) applied.

Objective
To prevent information about individuals being used in an inappropriate manner, and ensure compliance with legal and regulatory requirements for information privacy.

SR2.2.1 A high-level working group, committee or equivalent body should be established to be responsible for managing information privacy issues, and an individual appointed to co-ordinate information privacy activity (eg a Chief Privacy Officer, Data Protection Manager or equivalent).

SR2.2.2 The high-level working group should be aware of:
a) privacy-related legislation and regulation with which the organisation needs to comply
b) the location(s) of personally identifiable information held about individuals (eg application and database servers, computer devices, consumer devices and portable storage devices)
c) how and when personally identifiable information (ie information that can be used to identify an individual person) is used.

SR2.2.3 An information privacy programme should be established which includes:
a) identifying individuals (or a group of individuals) within the organisation who are responsible for implementing the programme
b) establishing an awareness programme to make staff and external parties (eg customers, clients and suppliers) aware of the importance of information privacy (or integrating the topic into existing awareness campaigns)
c) performing privacy assessments against critical business processes and critical business applications across the organisation to identify privacy-related risks
d) undertaking privacy audits to determine the level of compliance with relevant legislation, regulation and internal policies.

SR2.2.4 There should be a documented information privacy policy that covers the:
a) acceptable use of personally identifiable information (ie information that can be used to identify an individual person)
b) rights of individuals about whom personally identifiable information is held
c) legal and regulatory requirements for
privacy
d) need for privacy assessments, awareness and compliance programmes
e) technical controls (including privacy enhancing technologies (PETs)).

SR2.2.5 The information privacy policy should require that where personally identifiable information is stored, processed or transmitted, there should be a process to ensure that it is:
a) classified and labelled (eg as personal or personally identifiable information (PII))
b) adequate, relevant and not excessive for the purposes for which it is collected
c) accurate (ie recorded correctly and kept up-to-date)
d) kept confidential (ie protected against unauthorised disclosure)
e) processed fairly and legally, and used only for specified, explicit and legitimate purposes
f) held in a format that permits identification of individuals for no longer than is necessary
g) only provided to external parties that can demonstrate compliance with legal and regulatory requirements for handling personally identifiable information
h) retrievable in the event of a legitimate request for access (eg a subject access request under UK Data Protection law or under the EU Directive for Data Protection).

SR2.2.6 The information privacy policy should be aligned with other information security-related policies, such as those covering document retention and cloud computing (eg as part of an information security policy framework).

SR2.2.7 Individuals about whom personally identifiable information is held (eg the data subject according to the EU Directive for Data Protection) should:
a) have their approval sought before this information is collected, stored, processed or disclosed to external parties
b) be informed of who is collecting this information, how this information will be used, allowed to check its accuracy and be able to have their records corrected or removed
c) have the ability to opt-out of the collection and disclosure of this information (eg to external parties)
d) have a method available to them to hold the organisation
accountable for following information privacy principles (ie those common to the majority of privacy-related legislation).

SR2.2.8 Personally identifiable information should be:
a) handled in accordance with relevant legislation (eg the EU Directive for Data Protection and the US Health Insurance Portability and Accountability Act (HIPAA))
b) protected throughout its lifecycle (ie through creation, processing, storage, transmission and destruction).

SR2.2.9 Technical controls (often referred to as privacy enhancing technologies (PETs)) should be used to help protect privacy-related information, including:
a) encryption (to prevent unauthorised disclosure during storage and transmission) and effective encryption key management (eg when handling, storing and archiving keys)
b) data masking (also known as data obfuscation, data de-identification, data depersonalisation, data scrubbing, and data scrambling), which involves concealing parts of information (eg names, addresses, social security numbers and credit card numbers) when being stored or transmitted
c) tokenisation, which substitutes valid information (eg database fields, records) with random information and provides authorised access to this information via the use of tokens
d) protecting privacy-related metadata (eg document attributes or descriptive information that may contain personal information such as the name of the person who last updated a file).

SR2.2.10 A method of dealing with data privacy breaches should be established, which includes:
a) identifying when a data privacy breach occurs (typically by monitoring event logs or using intrusion detection and information leakage protection tools)
b) responding to a data privacy breach (typically as part of the organisation's information security incident management process)
c) notifying