27002 - Code Of Practice Information Security Controls

Determining controls is dependent on the organization's decisions following a risk assessment, with a clearly defined scope. Decisions related to identified risks should be based on the criteria for risk acceptance, risk treatment options and the risk management approach applied by the organization.

Control determination also depends on the manner in which controls interact with one another to provide defence in depth.

There should be a balance between the resources deployed for implementing controls and the potential resulting business impact from security incidents in the absence of those controls. The results of a risk assessment should help guide and determine the appropriate management action.

Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

At a lower level, the information security policy should be supported by topic-specific policies as needed, to further mandate the implementation of information security controls. Topic-specific policies are typically structured to address the needs of certain target groups within an organization or to cover certain security areas. Topic-specific policies should be aligned with and complementary to the information security policy of the organization.

At the highest level, the organization should define an “information security policy” which is approved by top management and which sets out the organization's approach to managing its information security.

The information security policy and topic-specific policies should be communicated to relevant personnel and interested parties in a form that is relevant, accessible and understandable to the intended reader. Recipients of the policies should be required to acknowledge they understand and agree to comply with the policies where applicable.

Information security roles and responsibilities should be defined and allocated according to the organization needs.

Individuals who take on a specific information security role should be competent in the knowledge and skills required by the role and should be supported to keep up to date with developments related to the role and required in order to fulfil the responsibilities of the role.

Conflicting duties and conflicting areas of responsibility should be segregated.

The purpose of this segregation is to reduce the risk of fraud, error and bypassing of information security controls.

Defining and allocating roles in this way establishes a defined, approved and understood structure for the implementation, operation and management of information security within the organization.

Whenever it is difficult to segregate, other controls should be considered, such as monitoring of activities, audit trails and management supervision.

When there is a large number of roles, the organization should consider using automated tools to identify conflicts and facilitate their removal. Roles should be carefully defined and provisioned to minimize access problems if a role is removed or reassigned.

Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

The purpose is to ensure that management understand their role in information security and take action to ensure that all personnel are aware of and fulfil their information security responsibilities.

The organization should establish and maintain contact with relevant authorities.

The organization should specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner.

The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.

Membership of special interest groups or forums should be considered as a means to:

(1) improve knowledge about best practices and stay up to date with relevant security information.

(2) receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities.

Information relating to information security threats should be collected and analysed to produce threat intelligence.

Information about existing or emerging threats is collected and analysed in order to:

(1) facilitate informed actions to prevent the threats from causing harm to the organization.

(2) reduce the impact of such threats.

Information security should be integrated into project management.

Information security should be integrated into project management to ensure information security risks are addressed as part of the project management.

An inventory of information and other associated assets, including owners, should be developed and maintained.

The organization should identify its information and other associated assets and determine their importance in terms of information security.

The inventory of information and other associated assets should be accurate, up to date, consistent and aligned with other inventories.

The location of an asset should be included in the inventory as appropriate.

The asset owner should be responsible for the proper management of an asset over the whole asset life cycle, ensuring that:

(1) information and other associated assets are appropriately classified and protected.

(2) information and other associated assets, when deleted or disposed, are handled in a secure manner and removed from the inventory.

(3) they are involved in the identification and management of risks associated with their asset(s).

(4) they support personnel who have the roles and responsibilities of managing their information.

Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

Personnel and other interested parties as appropriate should return all the organization's assets in their possession upon change or termination of their employment, contract or agreement.

Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.

An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.

Digital information should utilize metadata in order to identify, manage and control information, especially with regard to confidentiality. Metadata should also enable efficient and correct searching for information. Metadata should facilitate systems to interact and make decisions based on the associated classification labels.

Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.

Rules, procedures and agreements to protect information in transit should reflect the classification of the information involved. Where information is transferred between the organization and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit.

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

An entity can represent a human user as well as a technical or logical item (e.g. a machine, device or a service).

Access control rules should be implemented by defining and mapping appropriate access rights and restrictions to the relevant entities.

There are often overarching principles used in the context of access control. Two of the most frequently used principles are:

(1) need-to-know: an entity is only granted access to the information which that entity requires in order to perform its tasks (different tasks or roles mean different need-to-know information and hence different access profiles).

(2) need-to-use: an entity is only assigned access to information technology infrastructure where a clear need is present.

There are several ways to implement access control, such as MAC (mandatory access control), DAC (discretionary access control), RBAC (role-based access control) and ABAC (attribute-based access control).

Access control rules can be implemented at different levels of granularity, ranging from whole networks or systems down to specific data fields, and can also take into account properties such as the user's location or the type of network connection used for access.
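The following is an added example, not text or code from the page or from ISO/IEC 27002, showing how the principles above combine in one policy decision: RBAC maps roles to permitted actions (need-to-use), a per-role field list enforces need-to-know at data-field granularity, and an ABAC-style rule on the entity's network attribute withholds sensitive fields from untrusted connections. The roles, resources, field names and network labels are all constructed for the demonstration.

```python
"""Added example (not from the page or ISO/IEC 27002): a small access-control
evaluator combining RBAC, field-level need-to-know and an ABAC context rule."""
from dataclasses import dataclass, field

# Constructed RBAC table: role -> {resource: set(actions)}
ROLE_PERMISSIONS = {
    "hr_clerk": {"employee_record": {"read"}},
    "hr_manager": {"employee_record": {"read", "update"}},
    "payroll": {"employee_record": {"read"}},
}
# Constructed need-to-know table: which fields of employee_record each role may see
FIELD_VISIBILITY = {
    "hr_clerk": {"name", "department"},
    "hr_manager": {"name", "department", "salary", "national_id"},
    "payroll": {"name", "salary"},
}
# ABAC-style context rule: sensitive fields are only released over trusted networks
SENSITIVE_FIELDS = {"salary", "national_id"}
TRUSTED_NETWORKS = {"corporate_lan", "vpn"}


@dataclass
class Entity:
    """A human user or a technical entity (service, device) requesting access."""
    name: str
    roles: set
    network: str  # attribute consumed by the ABAC rule


@dataclass
class Decision:
    allowed: bool
    fields: set = field(default_factory=set)  # fields actually released
    reason: str = ""


def evaluate(entity, resource, action, requested_fields):
    """Return a Decision for entity performing action on resource."""
    allowed_actions = set()
    visible = set()
    # RBAC: union of what every role held by the entity grants
    for role in entity.roles:
        allowed_actions |= ROLE_PERMISSIONS.get(role, {}).get(resource, set())
        visible |= FIELD_VISIBILITY.get(role, set())
    if action not in allowed_actions:
        return Decision(False, reason="no role grants %s on %s" % (action, resource))
    # Need-to-know at field granularity: silently drop fields the roles may not see
    granted = set(requested_fields) & visible
    # ABAC: context (network attribute) further restricts sensitive fields
    if entity.network not in TRUSTED_NETWORKS:
        granted -= SENSITIVE_FIELDS
    if not granted:
        return Decision(False, reason="no requested field is permitted in this context")
    return Decision(True, granted, "ok")


if __name__ == "__main__":
    mgr = Entity("alice", {"hr_manager"}, "public_wifi")
    print(evaluate(mgr, "employee_record", "read", {"name", "salary"}))
```

Note that the decision is made per request, so the same role yields different field sets depending on where the request comes from; that is the property the passage describes when it mentions location and connection type as inputs to the rule.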

The full life cycle of identities should be managed.

Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.

Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.

Consideration should be given to establishing user access roles based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews of access rights are more easily managed at the level of such roles than at the level of individual rights.

Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier's products or services.

Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization's information security requirements.

The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

The organization should assess information security events and decide if they are to be categorized as information security incidents.

Information security incidents should be responded to in accordance with the documented procedures.

Knowledge gained from information security incidents should be used to strengthen and improve the information security controls.

The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

In general, these procedures for the management of evidence should provide instructions for the identification, collection, acquisition and preservation of evidence in accordance with different types of storage media, devices and status of devices (i.e. powered on or off). Evidence typically needs to be collected in a manner that is admissible in the appropriate national courts of law or another disciplinary forum.

The organization should plan how to maintain information security at an appropriate level during disruption.

ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

The ICT continuity requirements are the outcome of the business impact analysis (BIA). The BIA process should use impact types and criteria to assess the impacts over time resulting from the disruption of business activities that deliver products and services. The magnitude and duration of the resulting impact should be used to identify prioritized activities which should be assigned a recovery time objective (RTO). The BIA should then determine which resources are needed to support prioritized activities.

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements should be identified, documented and kept up to date.

The organization should implement appropriate procedures to protect intellectual property rights.

Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

The organization's approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur.

Compliance with the organization's information security policy, topic-specific policies, rules and standards should be regularly reviewed.

Operating procedures for information processing facilities should be documented and made available to personnel who need them.

Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

The employment contractual agreements should state the personnel's and the organization's responsibilities for information security.

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.

A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.

Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises.

The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Security perimeters should be defined and used to protect areas that contain information and other associated assets.

Secure areas should be protected by appropriate entry controls and access points.

Physical security for offices, rooms and facilities should be designed and implemented.

Premises should be continuously monitored for unauthorized physical access.

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented.

Security measures for working in secure areas should be designed and implemented.

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.

Equipment should be sited securely and protected.

Off-site assets should be protected.

Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements.

Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities.

Cables carrying power, data or supporting information services should be protected from interception, interference or damage.

Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.

Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or reuse.

Information stored on, processed by or accessible via user endpoint devices should be protected.

The allocation and use of privileged access rights should be restricted and managed.

Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.

Read and write access to source code, development tools and software libraries should be appropriately managed.

Access to source code and associated items (such as designs, specifications, verification plans and validation plans) and development tools (e.g. compilers, builders, integration tools, test platforms and environments) should be strictly controlled.

Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control.

Using a combination of multiple authentication factors, such as what you know, what you have and what you are, reduces the possibilities for unauthorized accesses. Multi-factor authentication can be combined with other techniques to require additional factors under specific circumstances, based on predefined rules and patterns, such as access from an unusual location, from an unusual device or at an unusual time.

The use of resources should be monitored and adjusted in line with current and expected capacity requirements.

Protection against malware should be implemented and supported by appropriate user awareness.

Protection against malware should be based on malware detection and repair software, information security awareness, appropriate system access and change management controls. Use of malware detection and repair software alone is not usually adequate.

Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

Configurations should be monitored with a comprehensive set of system management tools (e.g. maintenance utilities, remote support, enterprise management tools, backup and restore software) and should be reviewed on a regular basis to verify configuration settings, evaluate password strengths and assess activities performed. Actual configurations can be compared with the defined target templates.

Information stored in information systems, devices or in any other storage media should be deleted when no longer required.

Data masking should be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

Data masking is a set of techniques to conceal, substitute or obfuscate sensitive data items.

Data masking can be static (when data items are masked in the original database), dynamic (using automation and rules to secure data in real-time) or on-the-fly (with data masked in an application's memory).
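As an added example (not code from the page or from ISO/IEC 27002), the block below implements the three technique families named above, conceal, substitute and obfuscate, as per-field rules and then applies them in the static mode (a masked copy of a data set for non-production use) and the dynamic mode (masking decided at query time from the caller's role, with the source records left untouched in memory). The field names, sample records, role name and the key used for the substitution pseudonym are constructed assumptions.

```python
"""Added example (not from the page or ISO/IEC 27002): conceal / substitute /
obfuscate masking rules applied statically and dynamically."""
import hashlib
import hmac

# Assumption: a secret key so substituted values are consistent but not reversible
# without the key (constructed demo value; in practice this lives in a key store).
MASK_KEY = b"constructed-demo-masking-key"


def conceal(value):
    """Conceal: the data item is removed entirely."""
    return "[REDACTED]"


def substitute(value):
    """Substitute: replace with a consistent pseudonym (keyed hash, truncated)."""
    digest = hmac.new(MASK_KEY, str(value).encode(), hashlib.sha256).hexdigest()
    return "P-" + digest[:8]


def obfuscate(value, keep=4):
    """Obfuscate: partially mask, keeping only the last `keep` characters."""
    value = str(value)
    return "*" * max(len(value) - keep, 0) + value[-keep:]


# Constructed per-field masking policy
MASKING_RULES = {
    "national_id": obfuscate,
    "email": substitute,
    "salary": conceal,
}


def mask_record(record, rules=MASKING_RULES):
    """Return a new dict with the rules applied; the input is not modified."""
    return {k: (rules[k](v) if k in rules else v) for k, v in record.items()}


def static_mask(records):
    """Static masking: produce a masked copy of a whole data set (e.g. for a test DB)."""
    return [mask_record(r) for r in records]


# Constructed: roles allowed to query unmasked data
ROLES_SEEING_RAW = {"hr_manager"}


def dynamic_query(records, role):
    """Dynamic masking: the decision is made at query time from the caller's role."""
    if role in ROLES_SEEING_RAW:
        return records
    return [mask_record(r) for r in records]


# Constructed sample records (not real people)
SAMPLE_RECORDS = [
    {"name": "A. Example", "national_id": "123456789", "email": "a@example.test", "salary": 50000},
    {"name": "B. Example", "national_id": "987654321", "email": "b@example.test", "salary": 61000},
]

if __name__ == "__main__":
    for row in dynamic_query(SAMPLE_RECORDS, "analyst"):
        print(row)
```

The substitution rule uses a keyed hash rather than a plain hash so that the same input always maps to the same pseudonym (useful for joins in a test data set) while an attacker holding only the masked copy cannot brute-force the mapping without the key.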

Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

Users, including those with privileged access rights, should not have permission to delete or de-activate logs of their own activities. They can potentially manipulate the logs on information processing facilities under their direct control. Therefore, it is necessary to protect and review the logs to maintain accountability for the privileged users.

A SIEM tool or equivalent service can be used to store, correlate, normalize and analyse log information and to generate alerts. SIEMs tend to require careful configuration to optimize their benefits. Configurations to consider include identification and selection of appropriate log sources, tuning and testing of rules and development of use cases.

Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

Continuous monitoring via a monitoring tool should be used. Monitoring should be done in real time or in periodic intervals, subject to organizational need and capabilities. Monitoring tools should include the ability to handle large amounts of data, adapt to a constantly changing threat landscape, and allow for real-time notification. The tools should also be able to recognize specific signatures and data or network or application behaviour patterns.
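The following added example (not from the page or from ISO/IEC 27002) shows the normalize-then-correlate pipeline the two passages above describe, run over a handful of constructed sshd-style log lines: each line is parsed into a common event schema, then two use-case rules are evaluated, a behaviour pattern (several failed logins from one source followed by a success within a window) and a context anomaly (a successful login outside working hours). The log format, hostnames, usernames, addresses, thresholds and working-hours window are all assumptions made for the demonstration.

```python
"""Added example (not from the page or ISO/IEC 27002): minimal SIEM-style
normalization and correlation over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data)
SAMPLE_LOGS = """\
2024-05-01T02:03:10Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T02:03:15Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T02:03:21Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T02:03:30Z host1 sshd: Accepted password for alice from 203.0.113.5
2024-05-01T09:15:00Z host2 sshd: Accepted publickey for bob from 192.0.2.7
2024-05-01T23:40:00Z host2 sshd: Accepted password for carol from 192.0.2.9
"""

# Assumed line format: "<iso-timestamp> <host> sshd: <Failed|Accepted> <method> for <user> from <src>"
LINE_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) \S+ for (\S+) from (\S+)$")


def normalize(line):
    """Parse one raw line into a common event dict; return None for unknown formats."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, outcome, user, src = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "outcome": outcome.lower(),
        "user": user,
        "src": src,
    }


def correlate(raw_logs, threshold=3, window=timedelta(minutes=5), work_hours=(8, 19)):
    """Evaluate two use-case rules and return a list of (rule, user, src) alerts."""
    events = [e for e in (normalize(l) for l in raw_logs.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # (user, src) -> timestamps of failed attempts
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        if e["outcome"] == "failed":
            failures[key].append(e["ts"])
            continue
        # Rule 1: behaviour pattern, >= threshold failures then success within the window
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append(("brute_force_then_success", e["user"], e["src"]))
        # Rule 2: context anomaly, successful login outside the assumed working hours
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            alerts.append(("login_outside_hours", e["user"], e["src"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The two rules are the "tuning and testing" surface the passage mentions: the threshold, window and working-hours values are what an operator adjusts per log source to keep the false-positive rate acceptable, and each rule corresponds to one documented use case.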

The clocks of information processing systems used by the organization should be synchronized to approved time sources.

The use of utility programs that are capable of overriding system and application controls should be restricted and tightly controlled.

Procedures and measures should be implemented to securely manage software installation on operational systems.

Networks and network devices should be secured, managed and controlled to protect information in systems and applications.

Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored.

Groups of information services, users and information systems should be segregated in the organization's networks.

The organization should consider managing the security of large networks by dividing them into separate network domains and separating them from the public network (i.e. internet). The domains can be chosen based on levels of trust, criticality and sensitivity (e.g. public access domain, desktop domain, server domain, low- and high-risk systems), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks.

Access to external websites should be managed to reduce exposure to malicious content.

Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.

Rules for the secure development of software and systems should be established and applied.

Information security requirements should be identified, specified and approved when developing or acquiring applications.

Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities.

Secure coding principles should be applied to software development.

Security testing processes should be defined and implemented in the development life cycle.

The organization should direct, monitor and review the activities related to outsourced system development.

Development, testing and production environments should be separated and secured.

Changes to information processing facilities and information systems should be subject to change management procedures.

Test information should be appropriately selected, protected and managed.

Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.