
Access Control
  Business requirement for access control
    Access control policy
  User access management
    User registration
    Privilege management
    User password management
    Review of user access rights
  User responsibilities
    Password use
    Unattended user equipment
  Network access control
    Policy on use of network services
    Enforced path
    User authentication for external connections
    Node authentication
    Remote diagnostic port protection
    Segregation in networks
    Network connection control
    Network routing control
    Security of network services
  Operating system access control
    Automatic terminal identification
    Terminal log-on procedures
    User identification and authentication
    Password management system
    Use of system utilities
    Duress alarm to safeguard users
    Terminal time-out
    Limitation of connection time
  Application access control
    Information access restriction
    Sensitive system isolation
  Monitoring system access and use
    Event logging
    Monitoring system use
    Clock synchronisation
  Mobile computing and teleworking
    Mobile computing
    Teleworking

System Development and Maintenance
  Security requirements of systems
    Security requirements analysis and specification
  Security in application systems
    Input data validation
    Control of internal processing
    Message authentication
    Output data validation
  Cryptographic controls
    Policy on use of cryptographic controls
    Encryption
    Digital signatures
    Non-repudiation services
    Key management
  Security of system files
    Control of operational software
    Protection of system test data
    Access control to program source library
  Security in development and support processes
    Change control procedures
    Technical review of operating system changes
    Covert channels and Trojan code
    Outsourced software development

Business Continuity Management
  Aspects of business continuity management
    Business continuity management process
    Business continuity and impact analysis
    Writing and implementing continuity plans
    Business continuity planning framework
    Testing, maintaining and re-assessing business continuity plans

Communications and Operations Management
  Operational procedures and responsibilities
    Documented operating procedures
    Operational change control
    Incident management procedures
    Segregation of duties
    Separation of development and operational facilities
    External facilities management
  System planning and acceptance
    Capacity planning
    System acceptance
  Protection against malicious software
    Controls against malicious software
  Housekeeping
    Information back-up
    Operator logs
    Fault logging
  Network management
    Network controls
  Media handling and security
    Management of removable computer media
    Disposal of media
    Information handling procedures
    Security of system documentation
  Exchange of information and software
    Information and software exchange agreements
    Security of media in transit
    Electronic commerce security
    Security of electronic mail
    Security of electronic office systems
    Publicly available systems
    Other forms of information exchange

Asset Classification and Control
  Accountability for assets
    Inventory of assets
  Information classification
    Classification guidelines
    Information labelling and handling

Compliance
  Compliance with legal requirements
    Identification of applicable legislation
    Intellectual property rights (IPR)
    Safeguarding of organisational records
    Data protection and privacy of personal information
    Prevention of misuse of information processing facilities
    Regulation of cryptographic controls
    Collection of evidence
  Reviews of security policy and technical compliance
    Compliance with security policy
    Technical compliance checking
  System audit considerations
    System audit controls
    Protection of system audit tools

Security Policy
  Information security policy
    Information security policy document
    Review and evaluation

Physical and Environmental Security
  Secure areas
    Physical security perimeter
    Physical entry controls
    Securing offices, rooms and facilities
    Working in secure areas
    Isolated delivery and loading areas
  Equipment security
    Equipment siting and protection
    Power supplies
    Cabling security
    Equipment maintenance
    Security of equipment off-premises
    Secure disposal or re-use of equipment
  General controls
    Clear desk and clear screen policy
    Removal of property

Organisational Security
  Information security infrastructure
    Management information security forum
    Information security coordination
    Allocation of information security responsibilities
    Authorisation process for information processing facilities
    Specialist information security advice
    Co-operation between organisations
    Independent review of information security
  Security of third party access
    Identification of risks from third party access
    Security requirements in third party contracts
  Outsourcing
    Security requirements in outsourcing contracts

Personnel Security
  Security in job definition and resourcing
    Including security in job responsibilities
    Personnel screening and policy
    Confidentiality agreements
    Terms and conditions of employment
  User training
    Information security education and training
  Responding to security incidents and malfunctions
    Reporting security incidents
    Reporting security weaknesses
    Reporting software malfunctions
    Learning from incidents
    Disciplinary process

IT Infrastructure
  Software and hardware purchases
  Programming and script writing
  Pricing plan setup and configuration
  Operating system and database security
  Computers, switches and routers
  Application software inventory
  Plans, policies and procedures
  Existence of basic application security
  IT security policy
  Procedure for assessing IT service delivery
  Internet and email usage policy
  Existence of and compliance with SLAs by vendors
  Existence of and compliance with SLAs by internal customers
  IT organizational structure
  IT governance, strategic plans and budgeting
  Incident management and reporting
  IT inventory controls
  Procedure for IT asset movement
  IS security awareness
  Information dissemination
  Procedure for IT purchases
  User profiles and privileges in all applications
  Physical and environmental IT controls
  Logical access controls to all applications and software
  Backup and recovery policies and procedures
  IT contingency and business continuity plan
  Access to LAN and WAN, and security administration
  Procedure for protecting and monitoring the network against unauthorized access
  Procedure for modifying or making changes to system applications/parameters
  Review of system administration controls

Overview of domains

Group 1
  1. Security Policy
  2. Organisational Security
  3. Personnel Security
  4. Physical and Environmental Security
  5. Compliance

Group 2
  1. Access Control
  2. Asset Classification and Control
  3. IT Infrastructure

Group 3
  1. Communications and Operations Management
  2. Business Continuity Management
  3. System Development and Maintenance
