
# A: AUDIT FRAMEWORK UNDER INFORMATION SYSTEM AND CYBER SECURITY REGULATIONS

## Domain Mapping with IS

Columns: serial number, the information security domain the control is mapped to, and the corresponding section of the IRDAI Framework Document. Cells that are blank in the source are left blank.

| S. No. | Domain Mapping with IS | Framework Document of IRDAI |
|---|---|---|
| 1 | Information security policy | 5.1 |
| 2 | Information security policy | 5.2 |
| 3 | Information security policy | 5.4 |
| 4 | Information security policy | 6.2 |
| 5 | | |
| 6 | | |
| 7 | | |
| 8 | | |
| 9 | | |
| 10 | Information security policy | 16.5 |
| 11 | Information security policy | 9.2, 8.2 |
| 12 | Information security policy | 15.1 |
| 13 | Information security policy | 12 |
| 14 | Information security policy | 18.5 |
| 15 | Information security policy | 5.6 |
| 16 | Information security policy | 5.13, 5.14.4 |
| 17 | Information security policy | 8 |
| 18 | Information security policy | 6.2, 7.1 |
| 19 | Information security policy | 7.1 |
| 20 | Information security policy | 11 |
| 21 | Information security policy | 14 |
| 22 | Information security policy | 5.6 |
| 23 | Information security policy | 5.24 |
| 24 | Organization of information security | 5.13, 5.14 |
| 25 | Organization of information security | 11 |
| 26 | Organization of information security | 17.2 |
| 27 | Organization of information security | 5.21 |
| 28 | Organization of information security | 5.19, 5.14 |
| 29 | Organization of information security | 5.4 |
| 30 | Organization of information security | 8.1, 11, 13.1 |
| 31 | Organization of information security | 5.21 |
| 32 | Organization of information security | 17.1 |
| 33 | Organization of information security | 5.23 |
| 34 | Organization of information security | 17.1 |
| 35 | Organization of information security | 5.25 |
| 36 | Organization of information security | 5.21, 5.23 |
| 37 | Organization of information security | 5.21 |
| 38 | Organization of information security | 5.26 |
| 39 | Organization of information security | 5.21 |
| 40 | Organization of information security | 18 |
| 41 | Organization of information security | 18.1 |
| 42 | Organization of information security | 18.1 |
| 43 | Organization of information security | 18.1 |
| 44 | Organization of information security | 18.3 |
| 45 | Organization of information security | 18.3, 18.4 |
| 46 | Organization of information security | 18.5 |
| 47 | Organization of information security | 18.5 |
| 48 | Organization of information security | 18.5 |
| 49 | Organization of information security | 18.6 |
| 50 | Organization of information security | 18.4 |
| 51 | Human resource security | 5.23 |
| 52 | Human resource security | 5.23 |
| 53 | Human resource security | 5.23 |
| 54 | Human resource security | 5.24 |
| 55 | Human resource security | 5.24 |
| 56 | Human resource security | 9.4 |
| 57 | Human resource security | 5.24 |
| 58 | Human resource security | 5.25 |
| 59 | Human resource security | 5.25 |
| 60 | | 5.25 |
| 61 | Human resource security | 5.25 |
| 62 | | 5.25 |
| 63 | Human resource security | 5.25 |
| 64 | Human resource security | 5.25 |
| 65 | Asset Management | 7.1 |
| 66 | Asset Management | 15.2 |
| 67 | Asset Management | 15.2 |
| 68 | Asset Management | 15.2 |
| 69 | Asset Management | 5.25 |
| 70 | Asset Management | 5.11 |
| 71 | Asset Management | 6.2 |
| 72 | | 6.2 |
| 73 | Asset Management | 7.1 |
| 74 | Asset Management | 10.1 |
| 75 | Asset Management | 7.1 |
| 76 | Asset Management | 17.3 |
| 77 | Asset Management | 17.3 |
| 78 | Asset Management | 7.1 |
| 79 | Asset Management | 7.1 |
| 80 | Asset Management | 7.1 |
| 81 | Asset Management | 8.4 |
| 82 | Asset Management | 7.1 |
| 83 | Asset Management | 7.1 |
| 84 | Access Control | 16.1, 17.2, 9.4, 15.3 |
| 85 | Access Control | 16.1, 17.2, 9.11, 15.3 |
| 86 | Access Control | 5.11 |
| 87 | Access Control | 5.17 |
| 88 | Access Control | 5.17 |
| 89 | Access Control | 5.17 |
| 90 | Access Control | 5.18 |
| 91 | Access Control | 8.4 |
| 92 | Access Control | 5.17 |
| 93 | Access Control | 5.17 |
| 94 | Access Control | 5.18 |
| 95 | Access Control | 5.17 |
| 96 | Access Control | 5.17 |
| 97 | Access Control | 8.4 |
| 98 | Access Control | 8.1 |
| 99 | Access Control | 5.17 |
| 100 | Access Control | 8.8 |
| 101 | | 8.8 |
| 102 | Access Control | 6.2 |
| 103 | Access Control | 6.2 |
| 104 | Access Control | 5.17 |
| 105 | Access Control | 18 |
| 106 | Access Control | 18 |
| 107 | Access Control | 18.4 |
| 108 | Access Control | 18.4 |
| 109 | Cryptography | 12 |
| 110 | | 12 |
| 111 | | 12 |
| 112 | | 12 |
| 113 | | 12 |
| 114 | | 12 |
| 115 | | 12 |
| 116 | Communication Security | 11 |
| 117 | Communication Security | 11 |
| 118 | Communication Security | 11 |
| 119 | Communication Security | 11 |
| 120 | Communication Security | 11 |
| 121 | Communication Security | 11 |
| 122 | Communication Security | 11 |
| 123 | Communication Security | 11 |
| 124 | Communication Security | 11 |
| 125 | Communication Security | 11 |
| 126 | Communication Security | 11 |
| 127 | Communication Security | 11 |
| 128 | Communication Security | 11 |
| 129 | Communication Security | 11 |
| 130 | | 11 |
| 131 | Communication Security | 11 |
| 132 | Communication Security | 11 |
| 133 | Communication Security | 11 |
| 134 | Communication Security | 11 |
| 135 | Communication Security | 11 |
| 136 | | 11 |
| 137 | Communication Security | 11 |
| 138 | Communication Security | 11 |
| 139 | | 11 |
| 140 | Communication Security | 11 |
| 141 | Communication Security | 11 |
| 142 | System acquisition, development and maintenance | 8 |
| 143 | System acquisition, development and maintenance | 8 |
| 144 | System acquisition, development and maintenance | 8 |
| 145 | System acquisition, development and maintenance | 8 |
| 146 | System acquisition, development and maintenance | 8 |
| 147 | System acquisition, development and maintenance | 8 |
| 148 | System acquisition, development and maintenance | 8 |
| 149 | System acquisition, development and maintenance | 8 |
| 150 | System acquisition, development and maintenance | 8 |
| 151 | System acquisition, development and maintenance | 8 |
| 152 | System acquisition, development and maintenance | 8 |
| 153 | System acquisition, development and maintenance | 8 |
| 154 | System acquisition, development and maintenance | 8 |
| 155 | System acquisition, development and maintenance | 8 |
| 156 | System acquisition, development and maintenance | 8 |
| 157 | System acquisition, development and maintenance | 8 |
| 158 | | 8 |
| 159 | System acquisition, development and maintenance | 8 |
| 160 | | 8 |
| 161 | | 8 |
| 162 | System acquisition, development and maintenance | 8 |
| 163 | System acquisition, development and maintenance | 8 |
| 164 | System acquisition, development and maintenance | 8 |
| 165 | System acquisition, development and maintenance | 8 |
| 166 | | 8 |
| 167 | | 8 |
| 168 | | 8 |
| 169 | | 8 |
| 170 | | 8 |
| 171 | System acquisition, development and maintenance | 8 |
| 172 | System acquisition, development and maintenance | 8 |
| 173 | System acquisition, development and maintenance | 8 |
| 174 | System acquisition, development and maintenance | 8 |
| 175 | System acquisition, development and maintenance | 8 |
| 176 | System acquisition, development and maintenance | 8 |
| 177 | System acquisition, development and maintenance | 8 |
| 178 | Information security in supplier relationships | 5.21 |
| 179 | Information security in supplier relationships | 5.21 |
| 180 | | 5.21 |
| 181 | Information security in supplier relationships | 5.21 |
| 182 | Information security in supplier relationships | 5.21 |
| 183 | Information security in supplier relationships | 5.21 |
| 184 | Information security in supplier relationships | 5.21 |
| 185 | Information security in supplier relationships | 5.21 |
| 186 | Information security in supplier relationships | 5.21 |
| 187 | | 5.21 |
| 188 | | 5.21 |
| 189 | | 5.21 |
| 190 | | 5.21 |
| 191 | | 5.21 |
| 192 | | 5.21 |
| 193 | | 5.21 |
| 194 | | 5.21 |
| 195 | Information security incident management | 14 |
| 196 | Information security incident management | 14 |
| 197 | Information security incident management | 14 |
| 198 | Information security incident management | 14 |
| 199 | Information security incident management | 14 |
| 200 | Information security incident management | 14 |
| 201 | Information security incident management | 14 |
| 202 | | 14 |
| 203 | | 14 |
| 204 | | 14 |
| 205 | Information security incident management | 14 |
| 206 | | 14 |
| 207 | | 14 |
| 208 | | 14 |
| 209 | | 14 |
| 210 | | 14 |
| 211 | | 14 |
| 212 | | 14 |
| 213 | | 14 |
| 214 | | 14 |
| 215 | Information security incident management | 14 |
| 216 | Information security incident management | 14 |
| 217 | Information security incident management | 14 |
| 218 | Information security incident management | 14 |
| 219 | | 14 |
| 220 | Information security incident management | 14 |
| 221 | Information security incident management | 14 |
| 222 | Information security incident management | 14 |
| 223 | Compliance with legal requirements | 20 |
| 224 | | 20 |
| 225 | | 20 |
| 226 | | 20 |
| 227 | | 20 |
| 228 | | 20 |
| 229 | | 20 |
| 230 | | 20 |
| 231 | Compliance with legal requirements | 20 |
| 232 | Compliance with legal requirements | 20 |
| 233 | Compliance with legal requirements | 20 |
| 234 | Compliance with legal requirements | 20 |
| 235 | Compliance with legal requirements | 20 |
| 236 | | 20 |
| 237 | Compliance with legal requirements | 20 |
| 238 | Compliance with legal requirements | 20 |
| 239 | Compliance with legal requirements | 20 |
| 240 | Compliance with legal requirements | 20 |
| 241 | Compliance with legal requirements | 20 |
| 242 | Compliance with legal requirements | 20 |
| 243 | Compliance with legal requirements | 20 |
| 244 | Compliance with legal requirements | 12 |
| 245 | Information security incident management | 12 |
| 246 | Information security incident management | 14 |
| 247 | Information security incident management | 14 |
| 248 | Business Continuity Management | 6.3 |
| 249 | Business Continuity Management | 6.3 |
| 250 | Business Continuity Management | 6.3 |
| 251 | Business Continuity Management | 6.3 |
| 252 | Business Continuity Management | 6.3 |
| 253 | Business Continuity Management | 6.3 |
| 254 | Business Continuity Management | 6.3 |
| 255 | Business Continuity Management | 6.3 |
| 256 | Business Continuity Management | 6.3 |
| 257 | Business Continuity Management | 6.3 |
| 258 | Business Continuity Management | 6.3 |
| 259 | Business Continuity Management | 6.3 |
| 260 | Business Continuity Management | 6.3 |
| 261 | Compliance | 5 |
| 262 | Compliance | 5 |
| 263 | Compliance | 5 |
| 264 | Compliance | 5 |
| 265 | Compliance | 5 |
| 266 | Compliance | 5 |
| 267 | Compliance | 5 |
| 268 | Compliance | 5 |
| 269 | Compliance | 5 |
| 270 | Compliance | 5 |
| 271 | Compliance | 5 |
| 272 | Compliance | 5 |
| 273 | Compliance | 5 |
| 274 | Compliance | 5 |
| 275 | Compliance | 5 |
| 276 | Compliance | 5 |
| 277 | Compliance | 5 |
| 278 | Compliance | 5 |
| 279 | Compliance | 5 |
| 280 | Compliance with legal requirements | 20 |
| 281 | Compliance with legal requirements | 20 |
| 282 | Cloud Security | 17 |
| 283 | Cloud Security | 17 |
| 284 | Cloud Security | 17 |
## Control Checkpoints

The checkpoint text below is cut off at the right-hand edge in the source; "[…]" marks where text is missing.
- Is the information security policy defined, published, approved by management and communicated to employees and relevan […]
- Does it state the management commitment and set out the organizational approach to managing information security?
- Has the role of Information Security Officer, with responsibility for implementation of the security policy, been assigned?
- Does the information security policy include end-user oriented topics such as:
  1) acceptable use of assets
  2) clear desk and clear screen
  3) information transfer
  4) mobile devices and teleworking
  5) restrictions on software installation and use
- Does the information security policy include backup requirements?
- Does the information security policy include protection from malware?
- Does the information security policy include management of technical vulnerabilities?
- Does the information security policy include cryptographic control requirements?
- Does the information security policy include privacy and protection of personally identifiable information?
- Is the information security policy reviewed at planned intervals by management?
- Does the information security policy contain responsibilities for information security management?
- Does the information security policy contain application security controls to ensure access to programs that can bypass the secu […] system?
- Are the information (data) classification criteria identified?
- Has the information (data) been classified accordingly?
- Are network security controls documented in the information security policy?
- Is there a documented policy for information security incident management?
- Is there a process to approve exceptions to the defined information security policy?
- Is the information security policy communicated to part-time users, contractors and temporary workers?
- Are the key roles and responsibilities identified in the information security process for everyone in the organization/BU/Territory/Con […]
- Is an information security incident procedure documented, and are information security incidents reported in a time […]
- Does the organization/BU/Territory/Concept receive early warnings of alerts, advisories and patches pertaining to attacks and v […]

- Is a risk assessment performed on third parties/vendors involved in providing various services to the organization/BU/T […]
- Are third-party audits conducted regularly within the organization?
- Is a process in place for notification and reporting of unauthorized disclosure or confidential information breaches?
- Is any authorization required for an individual to access, modify or use <<Org Name>> information assets?
- Is the person's activity monitored, or are audit trails or logs maintained, while accessing <<Org Name>> information assets?
- Is change management defined and followed for any changes in third-party contracts?
- Are privacy requirements mentioned in the third-party agreement?
- Do the third-party agreements include dispute resolution?
- Are the data ownership criteria mentioned in third-party agreements?
- Is ownership of intellectual property addressed in the third-party agreements?
- Is a sub-contracting clause included for projects which are subcontracted?
- Does the third-party agreement include a termination/exit clause and a right-to-audit clause?
- Is there any contingency plan in case either party wishes to terminate the relationship before the end of the agreement?
- Are the information security requirements assessed before and during project execution?
- Are any mobile computing devices (notebooks, PDAs, smart cards, etc.) used for accessing/processing/storing any busine […]
- Are mobile devices registered and approved by <<Org Name>> management before use?
- Are mobile devices restricted from software installation?
- Are mobile devices compliant with software versions and patches?
- Are mobile devices restricted from connection to information services?
- Is access control defined for the usage of mobile devices?
- Are cryptographic techniques used to protect data stored on mobile devices?
- Is anti-malware software installed to protect from malware?
- Are remote disabling, erasure or lockout features configured for mobile devices?
- Is critical data backed up regularly from mobile devices?
- Is there an access restriction on visitor/employee personal devices to <<Org Name>> assets or network?
- Are security roles and responsibilities of users defined and documented in accordance with the organization's information s […]

- Were the roles and responsibilities defined and clearly communicated to job candidates during the pre-employment process […]
- Whether employees, contractors and third-party users are asked to sign a confidentiality or non-disclosure agreement as a par […] terms and conditions of the employment contract? If yes, does it include: Acceptable Use, Code of Conduct/Ethics, Non-D […] Agreement, Confidentiality Agreement?
- Whether the above-mentioned agreement covers the information security responsibility of the organization and the employe […] and contractors.
- Whether management requires employees, contractors and third-party users to apply security in accordance with the es […] and procedures of the organization.
- Whether all employees in the organization and, where relevant, contractors and third-party users receive appropriate security awa […] regular updates on organizational policies and procedures as they pertain to their job function.
- Whether there is a formal disciplinary process for employees who have committed a security breach.
- Is there an employee termination or change-of-status process?
- Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigne […]
- Does HR notify security/access administration of employee termination/change of status, for access rights removal?
- Whether there is a process in place that ensures all employees, contractors and third-party users surrender all of the organi […] in their possession upon termination of their employment, contract or agreement. Also, are employees required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, p […] documentation) upon termination/change of status?
- Whether access rights of all employees, contractors and third-party users to information and information processing facilitie […] termination of their employment, contract or agreement, or are adjusted upon change.
- Are information security responsibilities and duties that remain valid after termination or change of employment defined […] the employee or contractor and enforced?
- Are IT assets disposed of/destroyed as per the organization's destruction policy?
- Is there an acceptable usage policy?
- Is sign-off obtained from employees, contractors and third-party users for the acceptable usage policy?
- Are there measures to enforce the acceptable usage policy?
- Is there any procedure in place to ensure the return of <<Org Name>> information assets such as laptops, portable devices etc. u […] termination or retirement?
- Has the information been classified as per legal requirements, value, criticality and sensitivity of the asset by the owner of the information, as […] on confidentiality, integrity and availability?
- Are IT assets appropriately labelled (bar code)/tagged?
- Is there any procedure for information labelling and its related assets in physical and electronic format?
- Is the protection of temporary or permanent copies of information consistent with the protection of the original information?
- Are IT assets stored in accordance with manufacturers' specifications (if required)?
- Is there any process to make the contents of re-usable media unrecoverable if no longer required by the organization?
- Are user machines encrypted wherever required, based on the criticality of the data?
- Is the data on removable media encrypted wherever required, based on the criticality of the data? (Mention encryption techniq […]

- Are multiple copies of confidential data stored on separate media?
- Is the transfer of information to and from removable media monitored?
- Are external parties involved in the disposal of media?
- Are audit trails maintained for the disposal of sensitive items?
- Is offsite media movement taking place?
- Is the transportation used for physical media transfer reliable and approved by management?
- Whether an access control policy is developed and reviewed based on the business and security requirements.
- Whether both logical and physical access control are taken into consideration in the policy.
- Whether users and service providers are given access as per the access control matrix, if any, approved by the business.
- Whether there is a formal user registration and de-registration procedure for granting access to all information systems an […]
- Is authorization from the information owner obtained before assigning user access to the information system?
- Whether the allocation and use of any privileges in the information system environment are restricted and controlled, i.e. privile […] on a need-to-use basis, and privileges are allocated only after a formal authorization process.
- Are unique user IDs used for access to information systems such as servers, desktops, network devices etc.?
- Are logon banners with a warning configured for all system access? Also, is access to the operating system controlled b […] procedure?
- Whether there are any security practices in place to guide users in selecting and maintaining secure passwords.
- Whether there exists a process to review user access rights at regular intervals. Example: special privilege review every 3 m […] privileges every 6 months.
- Is there a process to review access rights with the information owner, especially during promotion or movement to a lateral tea […] of an employee?
- Whether a unique identifier (user ID) is provided to every user, such as operators, system administrators and all other staff inc […]
- Whether generic user accounts are supplied only under exceptional circumstances where there is a clear business benefit […] may be necessary to maintain accountability.
- Upon logon failure, does the error message describe the cause of the failure to the user (invalid password, invalid user ID, e […]
- Upon successful logon, does a message indicate the time of the last successful logon?
- Do inactive workstations lock within 15 minutes?
- Whether inactive sessions are disconnected after a defined period of inactivity. (A limited form of timeout can be provided for some systems, which clears the screen and prevents unauthorized access b […] down the application or network sessions.)
- Whether the organization has adopted a clear desk policy with regard to papers and removable storage media.
- Whether the organization has adopted a clear screen policy with regard to information processing facilities.
- Whether access to information and application system functions by users and support personnel is restricted in accordance […] access control policy.
- Whether a formal policy is in place, and appropriate security measures are adopted, to protect against the risk of using mob […] communication facilities.
- Whether risks such as working in an unprotected environment are taken into account by the mobile computing policy.
- Whether policy, operational plans and procedures are developed and implemented for teleworking activities.
- Whether teleworking activity is authorized and controlled by management, and whether it ensures that suitable arrangements are […] way of working.
- Are the keys managed using the following controls?
  - key distribution;
  - changing or updating keys, including rules on when keys should be changed;
  - revoking keys, including how keys should be withdrawn or deactivated;
  - recovering keys that are lost or corrupted;
  - backing up or archiving keys;
  - destroying keys.
- Are appropriate network controls implemented for the security of information and of information in transit?
- Whether controls were implemented to ensure the security of information in networks, and the protection of the connect […] threats, such as unauthorized access.
- Are security mechanisms, service levels and management requirements of all network services identified and included in n […] agreements?
- Are security mechanisms, service levels and management requirements of all network services provided in-house or outso […]
- Whether the ability of the network service provider to manage agreed services in a secure way is determined and regularly […] the right to audit is agreed upon.
- Is an Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) implemented? Does it cover all external co […]
- Are the responsibilities and procedures defined for managing networking equipment?
- Are firewalls in use for both internal and external connections? Is every connection to an external network terminated at a fi […] firewalls used to segment internal networks based on asset risk level?
- Is every connection to an external network terminated at a firewall?
- Are firewalls used to segment internal networks based on asset risk level?
- Do the firewalls have any rules that permit 'any' network, sub-network, host, protocol or port on any of the firewalls (internal […]
- Is the firewall rule base treated as sensitive information, and is knowledge of it restricted to only authorized offici […] computer operations department?
- Whether there is a formal transfer (exchange) policy, procedure and controls in place to ensure the protection of information.
- Is there a policy or guideline available outlining acceptable use of communication facilities?
- Is there a procedure and control covering the use of electronic communication facilities for information exchange (viz. IDF rooms, D […]
- Are there any procedures designed to protect transferred information from interception, copying, modification, misrouting an […]
- Are cryptographic techniques used to protect the confidentiality, integrity and authenticity of information, e.g. VPN, Link […] and outside the organization network?
- Whether agreements are established concerning exchange of information and software between the organization and exter […]
- Whether the security content of the agreement reflects the sensitivity of the business information involved.
- Whether media containing information is protected against unauthorized access, misuse or corruption during transportation […] organization's physical boundary.
- Whether the information involved in electronic messaging is well protected. (Electronic messaging includes but is not restricted to email, Electronic Data Interchange and instant messaging.)
- Whether policies and procedures are developed and enforced to protect information associated with the interconnection of […] information systems.
- Is there a process to ensure that confidentiality and non-disclosure agreements comply with all applicable laws and regulat […]
- Is there a process to review requirements for confidentiality and non-disclosure agreements periodically and when changes […]
- Whether information involved in application services and transactions is protected. Whether prevention of incomplete transm […] misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay is hand […]
- Is information involved in application services passing over public networks protected from fraudulent activity, contra […] unauthorized disclosure and modification, e.g. by authentication, cryptographic controls etc.?
- Whether security requirements for new information systems and enhancements to existing information systems specify the re […] of implementation/design for security controls.
- Whether the security requirements and controls identified reflect the business value of the information assets involved and the […] from failure of security.
- Whether system requirements for information security and processes for implementing security are integrated in the early sta […] system projects.
- Whether data input to application systems is validated to ensure that it is correct and appropriate.
- Whether controls such as different types of inputs to check for error messages, procedures for responding to validation […] responsibilities of all personnel involved in the data input process etc. are considered.
- Whether validation checks are incorporated into applications to detect any corruption of information through processing erro […] acts.
- Whether the design and implementation of applications ensure that the risks of processing failures leading to a loss of integ […]
- Whether requirements for ensuring and protecting message integrity in applications are identified, and appropriate controls […] implemented.
- Whether a security risk assessment was carried out to determine if message integrity is required, and to identify the most a […] of implementation.
- Whether the data output of application systems is validated to ensure that the processing of stored information is correct and […] circumstances.
- Is there a formal Software Development Life Cycle (SDLC) process? Does it include peer code review, integration testing, a […] testing?
- Is a change management process followed for application changes, and are the change records maintained?
- Are secure system engineering principles followed for the development and implementation of software applications, such as new technology being analyzed for security risks and the design reviewed against known attack patterns?
- Are separate source code repositories maintained for production and non-production environments?
- Are access control procedures the same for both the test and production environments?
- Whether modifications to software packages are discouraged and/or limited to necessary changes.
- Are application development third-party/outsourced developers onshore or offshore?
- Are there access controls to protect source code and test data? Does the version management system provide segregation […] environments?
- Do changes to applications or application code go through a risk assessment including application testing?
- Are production systems and data ever used in the test, development or QA environments? If yes:
  - Is authorization required when production data is copied to the test environment?
  - Is test data destroyed following the testing phase?
  - Is test data masked or obfuscated (i.e. source or machine code that is difficult for humans to understand) during the testi […]
  - Is copying to the test environment logged?
- Whether rules for the development of software and systems are established and applied to developments within the organ […]
- Whether changes to systems within the development lifecycle are controlled by the use of formal change control procedure […]
- When operating platforms are changed, whether business-critical applications are reviewed and tested to ensure there is no […] organizational operations or security.
- Whether the organization has established and appropriately protected secure development environments for system develop […] integration efforts that cover the entire system development lifecycle.
- Whether the organization supervises and monitors the activity of outsourced system development.
- Whether testing of security functionality is carried out during development.
- Whether acceptance testing programs and related criteria are established for new information systems, upgrades and new […]
- Are third-party alert services used to keep up to date with the latest vulnerabilities?
- Is there a policy available to address information security requirements for mitigating risks associated with suppliers? (i.e. whether measures are taken to ensure that the security controls, service definitions and delivery levels included in the […] delivery agreement are implemented, operated and maintained by the third party)
- Are processes and procedures established for information security requirements for each type of supplier and type of […] the organization's business needs and the risk profile?
- Do the supplier agreements include legal and regulatory requirements, data protection, intellectual property rights and co […] description of how it will be ensured that they are met?
- Do the supplier agreements include the organization's security requirements throughout the supply chain, if suppliers subcontra […] information and communication technology?
- Whether the services, reports and records provided by the third party are regularly monitored and reviewed.
- Whether audits are conducted on the above third-party services, reports and records at regular intervals.
- Whether changes to the provision of services, including maintaining and improving existing information security policies, proced […] are managed, such as changes in supplier services to implement:
  1) changes and enhancements to networks;
  2) use of new technologies;
  3) adoption of new products or newer versions/releases;
  4) new development tools and environments;
  5) changes to the physical location of service facilities;
  6) change of suppliers;
  7) sub-contracting to another supplier.
- Does it take into account the criticality of the business systems and processes involved and re-assessment of risks?
Is there an Incident Management program?
Is there a documented policy for incident management that has been approved by management, communicated to appropri
and an owner to maintain and review the policy?
Whether information security events are reported through appropriate management channels as quickly as possible.
Whether formal information security event reporting procedure, Incident response and escalation procedure is developed an

Whether there exists a procedure that ensures all employees of information systems and services are required to note and
observed or suspected security weakness in the system or services.
Is there a formal Incident Response Plan ? If yes, does it include:
- An Incident / Event Response team with defined roles and response related qualifications available 24x7x365.
- Procedures to collect and maintain a chain of custody for evidence during incident investigation.
- Feedback process to ensure that the person reporting information security events are notified of the results after the issue
with and closed. Does it consider incidents when running from DR facilities
Is there an identification of incident process? If yes, does it include:
- Unauthorized physical access.
- Information system failure or loss of service.
- Malware activity (anti-virus, worms, Trojans).
- Denial of service.
- Errors resulting from incomplete or inaccurate business data.
- Breach or loss of confidentiality.
- System exploit.
- Unauthorized logical access or use of system resources.
- Feedback and lessons learned.
Whether management responsibilities and procedures are established to ensure quick, effective and orderly response to inf
incidents.
Whether monitoring of systems, alerts and vulnerabilities are used to detect information security incidents.
Whether the objective of information security incident management is agreed with the management.

Are the Information security events assessed and decided if they are to be classified as information security incidents?
Are appropriate incident response defined to resume ‘normal security level’ and then initiate the necessary recovery?
Whether there is a mechanism in place to identify and quantify the type, volume and costs of information security incidents.
Whether the information gained from the evaluation of past information security incidents is used to identify recurring o
incidents.
Are processes and procedures for identification, collection, acquisition and preservation of evidence defined, including:
a) chain of custody;
b) safety of evidence;
c) safety of personnel;
d) roles and responsibilities of personnel involved;
e) competency of personnel;
f) documentation;
g) briefing.
Are audits performed to ensure compliance with any legal, regulatory or industry requirements?
Are there procedures to ensure compliance with legislative, regulatory, and contractual requirements on the use of material
property rights may be applied and on the use of proprietary software products?
Whether the above procedures are well implemented.
Whether controls such as: publishing intellectual property rights compliance policy, procedures for acquiring software, policy
maintaining proof of ownership, complying with software terms and conditions are considered.
Is there a records retention policy covering paper and electronic records, including email, in support of applicable regulations,
contractual requirements?
Whether data storage systems were chosen so that required data can be retrieved in an acceptable timeframe and format,
requirements to be fulfilled (viz. data retention time frame basis as per local legal requirement).
Whether important records of the organization are protected from loss, destruction and falsification, in accordance with statuto
contractual and business requirement.
Whether consideration is given to the possibility of deterioration of the media used for storage of records.
Whether data storage systems were chosen so that required data can be retrieved in an acceptable timeframe and format,
requirements to be fulfilled.
Whether data protection and privacy is ensured as per relevant legislation, regulations and if applicable as per the contractu

Whether use of information processing facilities for any non-business or unauthorized purpose, without management appro
improper use of the facility.
Whether a log-on warning message is presented on the computer screen prior to log-on. Whether the user has to acknow
and react appropriately to the message on the screen to continue with the log-on process.
Whether legal advice is taken before implementing any monitoring procedures.
Are encryption tools managed and maintained for the information stored?
Whether the cryptographic (encryption) controls are used in compliance with all relevant agreements, laws, and regulations
Whether follow-up action against a person or organization after an information security incident involves legal action (either

Whether evidence relating to the incident is collected, retained and presented to conform to the rules for evidence laid dow
jurisdiction(s).
Whether internal procedures are developed and followed when collecting and presenting evidence for the purpose of discip
the organization
Is there an IT Disaster Recovery Management (IT DR) framework to improve the resiliency of the organization and ensure a
systems supporting the business operations?
Are there any processes, procedures and controls in place to ensure the required level of continuity for critical services and
a disaster / disruptive events?
Are a Business Impact Analysis and a Business Continuity Risk Assessment done for the BU / Department / Concept / Corporate
with RTO & RPO?
Whether Business continuity plans are tested regularly to ensure that they are up to date and effective.
Whether Business continuity plans were maintained by regular reviews and updates to ensure their continuing effectivene
Has any third party evaluated DR Program in the past 12 months?
Is there a DR test plan?
Has an annual management review of the DR program for adequacy of resources (people, technology, facilities, and funding) c
Is the disaster recovery site located in a different geographical location?
Are the incident response personnel identified with the necessary responsibility, authority & competence to manage an incident &
communicated to the concerned personnel?
Are there detailed recovery procedures (applications, Infrastructure components) documented for an effective recovery of th
applications?
Whether there are plans in place that address the return to normal operations and original business locations once the situa
resolved and permanent facilities are again available?
Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resoluti
regulatory issues?
Are audits performed to ensure compliance with any legal, regulatory or industry requirements?
Are there procedures to ensure compliance with legislative, regulatory, and contractual requirements on the use of material
property rights may be applied and on the use of proprietary software products?
Is there a records retention policy covering paper and electronic records, including email, in support of applicable regulation
contractual requirements?
Are there regulations for encryption tools which are being used, managed and maintained?
Whether managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve
security policies and standards.
Do managers regularly review the compliance of information processing facilities within their area of responsibility for complia
appropriate security policy and procedure
Whether information systems are regularly checked for compliance with security implementation standards.
Whether the technical compliance check is carried out by, or under the supervision of, competent, authorized personnel.
Is there an independent audit function within the organization?
Whether audit requirements and activities involving checks on operational systems are carefully planned and agreed
risk of disruptions to business processes.
Whether the audit requirements and scope are agreed with appropriate management.
Are any information systems audit tools (e.g., software or data files) accessible to any users in any unprotected area?
Whether access to information system audit tools such as software or data files is protected to prevent any possible misus

Whether information system audit tools are separated from development and operational systems, unless given an appropr
additional protection.
Is there a policy for privacy and protection of personally identifiable information developed and implemented?
communicated to all persons involved in the processing of personally identifiable information?
Is there a review of information security conducted independently at planned intervals or when significant changes occur?
Is a regular compliance review of any system, service, or infrastructure, or any physical location and procedures within their a
responsibility with the appropriate security policies, standards and any other security requirements done? Has a review of s
standards, procedures, and/or guidelines been performed within the last 12 months?
Are Information systems regularly reviewed for compliance with the organization’s information security policies and standard
penetration test been conducted within the last 12 months?
Whether all relevant statutory, regulatory, contractual requirements and organizational approach to meet the requirements w
defined and documented for each information system and organization.
Whether specific controls and individual responsibilities to meet these requirements were defined and documented.
Does the cloud hosting policy ensure that critical business records are maintained within India?
Does the policy cover security requirements for data and systems hosted on cloud services?
Do changes to cloud-based systems follow the change management policy?
