The 2011 Standard of Good Practice for Information Security. June 2011


Published by Information Security Forum Limited
Tel: +44 (0)
Fax: +44 (0)
Web:

Principal authors: Mark Chaplin, Jason Creasey
Contributors: Adrian Davis, Nick Frost, Simon Rycroft
Technical review: Miles Clement, Gary Wood
Supplementary content: Christopher Petch, Matias Lopez-Portillo
Review and quality assurance: Steve Thorne
Design: Louise Liu, Snehal Rabadia

Acknowledgements
The Information Security Forum would like to extend its special thanks to those Member organisations who volunteered to provide case study information for this report.

Warning
This document is confidential and purely for the attention of and use by Member organisations of the Information Security Forum (ISF), including Academic and Supply Chain Members. If you are not a Member of the ISF, or have received this document in error, please destroy it or contact the ISF on info@securityforum.org. Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.

This document has been produced with care and to the best of our ability. However, neither the Information Security Forum nor Information Security Forum Limited accepts any responsibility for problems or incidents arising from its use (other than responsibility for personal injury or physical damage to property). Furthermore, neither the Information Security Forum nor Information Security Forum Limited makes any representation or gives any warranty of any kind as to the accuracy, completeness or current applicability of the information provided.

Classification: Restricted to ISF Members and ISF Service Providers

Standard of Good Practice Copyright 2011 Information Security Forum

The ISF 2011 Standard of Good Practice

The 2011 Standard of Good Practice for Information Security (the 2011 Standard) has been produced by the Information Security Forum (ISF) for its Members. This version contains the latest thinking, combining developments and enhancements from previous editions with facts and insights from the many authoritative projects run by the ISF over the last 20 years, to produce the international reference source for information security.

The 2011 Standard is core to the ISF's Membership offerings, forming the centre-piece of its tools and techniques. For example, the 2011 Standard is tightly integrated with the ISF's Information Risk Analysis Methodology (IRAM), and with the Benchmark, which enables Members to gain a clear picture of their organisation's performance across all aspects of information security, and to compare it with other leading organisations.

The 2011 Standard will be updated annually, reflecting the rapid pace of change and organisations' greater need for information security. In this way it will keep the ISF and its Members ahead of the curve in delivering up-to-date good practice in information security.

Building and maintaining strong security arrangements throughout your supply chain

ISF reports are normally for the exclusive use of its Members. However, the ISF has created an external supplier version of the 2011 Standard that may be shared with organisations that supply goods and services to Members. This approach enables Members to ensure that:
- Consistently strong practices are established, assessed and maintained throughout their supply chain
- Organisations supplying goods and services to a Member are able to meet the Member's expectations
- All parties provide feedback to the ISF in its ongoing effort to ensure the Standard maintains its leading position as the reference which is practical, focused on the right areas, and effective in managing information risk.

Members may download the special edition of the 2011 Standard for organisations in Member supply chains from the ISF's Member Exchange (MX) system and share it amongst their suppliers. The investment committed to developing the 2011 Standard and future annual updates, and its significant value, has led the ISF Member Council to agree that the 2011 Standard will not be freely available in the public domain. Non-Members who are not in Member supply chains may purchase a copy of the 2011 Standard on the ISF public website.

For more information please contact Mark Chaplin on +44 (0) or mark.chaplin@securityforum.org

We take great care to minimise the impact on the environment in the paper we use. The paper we have used in this document is FSC* certified and manufactured at an ISO14001** accredited mill.
*FSC: Forest Stewardship Council. This ensures there is an audited chain of custody from the tree in the well managed forest through to the finished document in the printing factory.
**ISO14001: A pattern of control for an environmental management system against which an organisation can be accredited by a third party.

The ISF Security Model

The ISF has developed a security model to support organisations in designing their approach to addressing information security and to give them a basis for identifying the key aspects of an information security programme. The ISF provides insights, best practice standards and tools which address each aspect of the model to aid organisations in enhancing their information security environment.

Within the ISF Security Model, The 2011 Standard of Good Practice for Information Security forms part of the Research and Reports service. Using a rating from very high to very low, the way in which this report aligns with the ISF Security Model is shown below.

(ISF Security Model diagram: the ISF services Knowledge Exchange, Research & Reports and Tools & Methods rated against the six aspects of the model, Governance, Risk, Compliance, People, Process and Technology. Key: Very high, High, Medium, Low, Very low.)

Governance: The framework by which policy and direction is set, providing executive management with assurance that security management activities are being performed correctly and consistently.
Risk: The potential business impact and likelihood of particular threats materialising and the application of controls to mitigate risks to acceptable levels.
Compliance: The policy, statutory and contractual obligations relevant to information security which must be met to operate in today's business world, to avoid civil or criminal penalties and mitigate risk.
People: The executives, staff and external parties with access to information, who need to be aware of their information security responsibilities and requirements and whose access to systems and data needs to be managed.
Process: Business processes, applications and data that support the operations and decision making.
Technology: The physical and technical infrastructure, including networks and end points, required to support the successful deployment of secure processes.

A pdf copy of the ISF Security Model, which can be used to clearly describe to your team and others (management, potential Supply Chain or other Membership prospects) the key aspects of the information security environment within your organisation, can be downloaded from the ISF's Member Exchange (MX) system.

Contents

Introduction to the 2011 Standard
  About the 2011 Standard of Good Practice 1
  Basis for the 2011 Standard 1
  Target audience 2
How the 2011 Standard can help you
  Using the 2011 Standard 3
  Enable compliance with ISO and support compliance with other recognised standards 3
  Validate information security arrangements in external suppliers 4
  Provide a foundation for your information risk assessment 5
  Form a basis for policies, standards and procedures 6
  Raise information security awareness 6
  Form the basis of a detailed or high-level information security assessment 7
  Develop or improve specific information security arrangements 7
Features of the 2011 Standard
  New and updated content 8
  Modular and Aspect-based formats 8
  Relationship between the 2011 Standard and other major information security standards 10
  Fundamental and specialised controls 11
  Comparing this 2011 Standard with previous versions 11
Structure and layout
  Overview 12
  Topic layout 13
  About the Index 14
The 2011 Standard
  SECURITY GOVERNANCE
  SECURITY REQUIREMENTS
  CONTROL FRAMEWORK
  SECURITY MONITORING AND IMPROVEMENT
Appendix A: Categories and topics 252
Appendix B: Sources used in developing the 2011 Standard 254
Appendix C: Threat types 255
Appendix D: The 2011 Standard in Aspect format 258
Index 268

Introduction to the 2011 Standard

The ISF Information Risk Management Business Cycle

The ISF provides a highly integrated set of tools and services to help Members manage information risk. These are founded on The 2011 Standard of Good Practice for Information Security, the Information Risk Analysis Methodology (IRAM) and the Benchmark. When applied as part of an Information Risk Management Business Cycle, as described below, these tools and services support the business process to manage information risk.

(Diagram: How the 2011 Standard and other ISF tools improve information security. The four-stage cycle 1 DEFINE, 2 IMPLEMENT, 3 EVALUATE and 4 ENHANCE is shown around the SoGP.)

1 DEFINE
Establishing the tone from the top and commitment towards sound information security governance, assessing the organisation's risk appetite, aligning security strategy with the organisation's strategy and developing information security policy accordingly.
The 2011 Standard offers comprehensive material on which information security governance and information security policy can be based. The 2011 Standard covers the requirements of other significant information security standards and regulations (ie ISO, COBIT, PCI DSS) and so can be used where these apply. Many Members have adopted the Standard as is as the detailed part of their information security policy.

2 IMPLEMENT
Defining the means by which the policy will be implemented, how risk will be assessed, and implementing controls consistent with risk appetite.
The ISF's Information Risk Analysis Methodology (IRAM) is designed to assess risks at application, business process or business unit level and select appropriate controls to mitigate risk consistent with risk appetite. The 2011 Standard defines potential information security controls. Once risk and security requirements are identified using IRAM, the Control Framework in the 2011 Standard can be used to select appropriate controls.

3 EVALUATE
Assessing the effectiveness of controls implemented against policy and regulatory requirements.
The ISF's Benchmark is a powerful service that enables Members to assess the extent to which controls are implemented. It also allows areas of control weakness / gaps (and strengths) to be identified and provides comparisons to peers. The Benchmark enables assessment using a high level Security Healthcheck for lower risk activities, and more detailed assessments at the level of the 2011 Standard for higher risk areas and critical business applications. The Benchmark reports results in many formats, including ISO, COBIT and PCI DSS formats, and so can also be used to assess performance and gaps against those standards.

4 ENHANCE
Enhancing controls and activities where alignment of risk, policy and implementation requires improvement.
Where the ISF Benchmark has highlighted weaknesses / gaps in controls, Members can use the 2011 Standard and other ISF reports to identify and select controls to better align arrangements.

The above Business Cycle describes how Members may use a highly integrated and consistent set of tools and services to ensure that controls respond to risk and regulation to support enterprise success. Most importantly, these tools and services can be used to assess compliance against other standards commonly used by Members.

About the 2011 Standard of Good Practice

The 2011 Standard of Good Practice for Information Security (the 2011 Standard) is the most practical source of information security and information risk-related guidance available worldwide. Significantly updated for 2011, the 2011 Standard addresses information security from a business perspective and provides an ideal basis for assessing and improving an organisation's information security arrangements. A full list of topics can be found in Appendix A: Categories and topics.

The 2011 Standard covers the complete spectrum of security arrangements that need to be made to keep business risks associated with information systems within acceptable limits, and presents good practice in practical, clear statements. As a result, not only does it contribute towards improving the quality and efficiency of information security arrangements applied by an organisation, it also acts as a powerful aid towards information security compliance.

As the 2011 Standard is mapped fully to the content of ISO 27001*, ISO 27002*, ISO 27005* and COBIT version 4, using the 2011 Standard to comply with these standards can greatly reduce the complexity of potentially onerous compliance (and certification) activities. Further, as the 2011 Standard is aligned closely with other regulatory requirements and guidance such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes Oxley Act, Basel III Accord and Cloud Security Alliance (CSA) Controls Matrix, it can make a significant contribution to harmonising information security compliance activities across the board.

* Full titles and descriptions of the relevant standards in the ISO suite are provided on page 10.

Basis for the 2011 Standard

The 2011 Standard is based on analysis of a wide range of material, in-depth research, and the extensive knowledge and practical experience of ISF Members worldwide. It is updated every year in order to:
- meet the needs of leading international organisations
- define new areas of good practice and enhance existing ones
- promote the most up-to-date thinking in information risk management
- remain tightly aligned with other information security-related standards
- cover the latest hot topics, such as cloud security, consumerisation and cybercrime.

The main inputs to development of the 2011 Standard are illustrated in Figure 1 below.

Figure 1: Inputs to development of the 2011 Standard
- An extensive work programme involving the expertise of a full-time ISF Global Team, which performs research into hot topics in information security, produces reports, tools and methodologies, and maintains strategic initiatives such as the ISF's Information Risk Analysis Methodology (IRAM).
- Analysis and integration of information security-related standards (eg ISO and COBIT v4.1), and legal and regulatory requirements (eg Sarbanes-Oxley Act, Payment Card Industry Data Security Standard (PCI DSS), Basel III, and the EU Directive on Data Protection). A full list of standards reviewed can be found in Appendix B: Sources used in developing the 2011 Standard.
- The involvement of ISF Members using techniques such as workshops, face-to-face meetings and interviews, and the results of the ISF's Benchmark.

Target audience

The 2011 Standard is aimed at major national and international enterprises that recognise that information security is a key business issue. However, the 2011 Standard will also be of real, practical use to any type of organisation, such as a small- to medium-sized enterprise, as it presents good practice as discrete topics that are described in clear, accessible language.

Good practice detailed in the 2011 Standard will typically be incorporated into an organisation's information security policy and other arrangements by a range of key individuals or external parties, including:
- Chief Information Security Officers (or equivalent), responsible for developing policy and implementing a sound organisation-wide approach to Information Security Governance and Information Security Assurance
- Information Security Managers (or equivalent), responsible for promoting or implementing an information security assurance programme
- Business managers responsible for ensuring that critical business applications, processes and local environments on which their organisation's success depends are well controlled
- IT managers and technical staff responsible for planning, developing, deploying and maintaining key information systems or facilities
- Internal and external auditors responsible for conducting security audits
- IT service providers responsible for managing critical facilities (eg computer installations and networks) on behalf of the organisation
- Organisations in your information processing supply chain that should understand and comply with your information security policy to protect your business interests.

How the 2011 Standard can help you

Using the 2011 Standard

The 2011 Standard of Good Practice for Information Security can be used in a range of circumstances, depending on the requirements and priorities of your organisation. To illustrate the versatility and practical nature of the 2011 Standard, this section describes seven of the most common ways in which the 2011 Standard can be applied in an organisation, together with the associated business benefits. These are summarised in Figure 2 and described in more detail below.

Figure 2: How Members can benefit from the 2011 Standard (diagram: the seven uses below arranged around the cycle 1 DEFINE, 2 IMPLEMENT, 3 EVALUATE, 4 ENHANCE, captioned "How the 2011 Standard and other ISF tools improve information security")
1. Enable compliance with ISO and support compliance with other recognised standards
2. Validate information security arrangements in external suppliers
3. Provide a foundation for your information risk assessment
4. Form a basis for policies, standards and procedures
5. Raise information security awareness
6. Form the basis of a detailed or high-level information security assessment
7. Develop or improve specific information security arrangements

1 Enable compliance with ISO and support compliance with other recognised standards

The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO and provides a wider and deeper coverage of ISO controls topics. In particular, it covers many hot topics not addressed by ISO 27002, such as cloud computing, information leakage, consumer devices and security governance. The 2011 Standard is therefore an ideal tool to enable ISO certification. Further, as the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes Oxley Act, implementing the 2011 Standard will enable compliance with these too. This enabling role is shown in Figure 3 overleaf.

Figure 3: How the 2011 Standard supports compliance
Enables compliance / implementation, as fully aligned:
- ISO/IEC (Security Governance)
- ISO/IEC (Requirements of an ISMS)
- ISO/IEC (risk-based specification of requirements for information security)
- ISO/IEC (Control framework required to implement an ISMS)
- ISO/IEC (Controls relating to third party relationship and supply chain management)
Supports compliance:
- COBIT version 4
- Other major recognised standards / requirements such as PCI DSS, Sarbanes Oxley Act

Whatever information security standard or requirement organisations are obliged to comply with, the 2011 Standard provides the practical means by which certification or compliance can be achieved.

Business benefits provided by use of the 2011 Standard:
- Efficiency: enabling compliance / certification / alignment with other relevant standards and regulations to meet business needs
- Simplification: harmonising information security compliance activity throughout the organisation, delivering cost and efficiency benefits
- Trust: increasing external confidence that information risks are being managed effectively, enhancing reputation and potentially market value.

2 Validate information security arrangements in external suppliers

The 2011 Standard is a valuable resource for helping organisations to address the need for strong information security in external supplier relationships. Firstly, the 16 External Supplier Management area of the 2011 Standard will help organisations to ensure that information security requirements become embedded in arrangements for working with external parties. Secondly, the 2011 Standard can be used in its entirety as the basis for understanding or assessing the information security of external suppliers. This can be particularly powerful when applied with the ISF's Benchmark or Third Party Security Assessment Tool (TPSAT).

Business benefits provided by use of the 2011 Standard:
- Trust: providing an assurance that your supply chain is subject to a uniform level of information security, whether in-house or outsourced
- Simplification: when issued with the Benchmark or TPSAT tool, it provides assurance that is aligned with the forthcoming ISO (draft standard covering external suppliers) and the Cloud Security Alliance's (CSA) Controls Matrix
- Effectiveness: reducing reputational damage or loss of customer support caused by information security lapses in an external supplier organisation
- Rigour: using the Benchmark offers a well proven solution to external supplier security assessment.

3 Provide a foundation for your information risk assessment

Information risk assessment helps organisations reduce the frequency and impact of information security incidents and improve information security arrangements. The 2011 Standard has been developed with this in mind, and will support any information risk assessment, but in particular a risk assessment using the ISF's Information Risk Analysis Methodology (IRAM). It is designed to address the ISF Threat List referenced in IRAM. The way in which IRAM and the 2011 Standard can be used as part of an information risk assessment process is shown in Figure 4 below.

Figure 4: How IRAM and the 2011 Standard support an Information Risk Assessment (diagram: Phase 1 Business Impact Assessment, drawing on the 2011 Standard's Security requirements; Phase 2 Threat and Vulnerability Assessment; Phase 3 Control Selection, drawing on the 2011 Standard's Control framework)

The 2011 Standard is consistent with the risk assessment approaches defined in ISO and ISO 27005, and other relevant authorities including ISACA and NIST, and covers the important topic of information risk treatment. The ISF Threat List, embedded in IRAM and Benchmark, is available as Appendix C: Threat types.

Business benefits provided by use of the 2011 Standard:
- Rigour: identifying key risks and potential business impact
- Efficiency: avoiding the need to purchase an additional repository of potential controls
- Integration: as the 2011 Standard is completely aligned with IRAM's 50 threat types
- Quality: providing a trusted, standard set of controls for risk assessment across the organisation and enabling control selection and implementation that is commensurate with risk profile and appetite
- Integration: meeting ISO requirements for risk assessment.

4 Form a basis for policies, standards and procedures

The 2011 Standard can be used as the basis for an organisation's overall information security policy, and a significant number of ISF Members use it in this way. In addition, it is an effective tool for identifying gaps in existing policies, standards and procedures and for developing new ones. For example, where deficiencies in policies and procedures for activities such as mobile device configuration, outsourcing or information leakage protection are identified, the 2011 Standard will be effective in filling those gaps. The 2011 Standard can also be used as the basis for entirely new policies or procedures where they don't yet exist. Where an organisation has many different departments or business units that have developed their own policies and procedures over time, the 2011 Standard can also provide a sound basis for harmonisation.

Business benefits provided by use of the 2011 Standard:
- Efficiency: providing a ready-made control framework out of the box upon which policies and procedures can be based, reducing the resources required to produce policies / procedures from scratch
- Practical: providing policies / standards that are pragmatic and based on real world good practice
- Simplification: harmonising policies throughout the organisation, reducing duplication of effort and delivering a consistent level of protection
- Relevance: highlighting genuine good practice that is applied by real global organisations, as it incorporates the experiences of major organisations around the world.

5 Raise information security awareness

The 2011 Standard includes content aimed at improving security awareness, but can also be used in its entirety to support security awareness activities. The 2011 Standard also addresses how information security should be applied in local environments, largely an awareness-driven activity.

Business benefits provided by use of the 2011 Standard:
- Efficiency: reducing the need to purchase a specific security awareness solution, and contributing to reducing costly damage to an organisation's reputation
- Credibility: this authoritative 2011 Standard raises understanding across the organisation of the importance of information security and what it includes to a consistent level, and delivers heightened levels of protection overall.

6 Form the basis of a detailed or high-level information security assessment

The 2011 Standard is integrated tightly with the ISF's Benchmark, which enables detailed or higher level assessments of the strength of information security across the enterprise (or locally), an activity that is important to sound Security Assurance. Additionally, Members using the Benchmark can draw meaningful comparisons with the status of information security in other like organisations (eg in the same sector).

Business benefits provided by use of the 2011 Standard:
- Rigour: underpins (with the Benchmark) an organisation's Security Assurance programme and supports both internal and external audits of key information assets
- Efficiency: provides the foundation for a comprehensive programme of context-rich security assessments without incurring any additional external cost, as ISF full Membership already includes free access to the widely used Benchmark service
- Trust: providing higher levels of confidence from executive management and stakeholders, as the organisation is able to provide accurate, quantitative reporting on the true security maturity level of the organisation in a way that is objective and transparent.

7 Develop or improve specific information security arrangements

Where an organisation needs to develop new (or improve existing) information security arrangements to react to a specific circumstance, the 2011 Standard is an ideal reference. For example, an organisation may use the 2011 Standard to address the use of consumer-focused devices (such as tablets) in the workplace. Equally, it might be used as a key input to a systems development project or when defining policy for new ventures or external supply arrangements (eg through the use of cloud computing). As the 2011 Standard is separated into intuitive topics, extracting relevant good practice to form the basis of a new information security procedure is straightforward.

Once new information security arrangements have been introduced, or existing ones improved, their effectiveness should be assessed and reported. As the Benchmark is founded on the 2011 Standard, including topics covering security audit, security monitoring and information risk reporting, it provides a sound basis for this activity.

Business benefits provided by use of the 2011 Standard:
- Trusted: it provides rigorously developed controls information to solve new challenges, such as the need to secure cloud computing and address consumer devices (such as tablets or smartphones) in the workplace
- Effectiveness: reducing the frequency and magnitude of potentially costly incidents in terms of impact on cost and reputation
- Efficiency: producing cost savings, as the need to develop controls from the ground up is eliminated
- Responsiveness: providing a platform to rapidly secure new initiatives and offerings that rely on sound information security.

Features of the 2011 Standard

New and updated content

Prior to 2011, the Standard was normally updated every two years. From 2011, to ensure that the Standard addresses the latest hot topics and challenges, it will be updated annually. As each annual iteration of the Standard incorporates the results of the ISF's latest research work, this approach ensures that the ISF and its Members are kept ahead of the curve in delivering comprehensive, up-to-date good practice. The annual update approach also ensures that the Standard reflects the latest emerging threats highlighted in the ISF's annual Threat Horizon report. A list of new topics in the 2011 Standard is shown in the table below, along with a summary of the degree of content change compared with the 2007 version.

Summary of new topics

SECURITY GOVERNANCE
- Security Governance Framework
- Security Direction
- Information Security Strategy
- Stakeholder Value Delivery
- Information Security Assurance Programme

SECURITY REQUIREMENTS
- Information Risk Treatment

CONTROL FRAMEWORK
- Security Awareness Messages
- Document Management
- Information Validation
- Customer Access Arrangements
- Customer Contracts
- Customer Connections
- Access Control Mechanisms: Password
- Access Control Mechanisms: Token
- Access Control Mechanisms: Biometric
- Virtual Servers
- Network Storage Systems
- Critical Infrastructure
- Information Leakage Protection
- Digital Rights Management
- Cybercrime Attacks
- Local Environment Profile
- Office Equipment
- Mobile Device Connectivity
- Consumer Devices
- External Supplier Management Process
- Cloud Computing Policy
- Cloud Service Contracts
- Business Continuity Programme

SECURITY MONITORING AND IMPROVEMENT
- Security Audit Process: Planning
- Security Audit Process: Fieldwork
- Security Audit Process: Reporting
- Security Audit Process: Monitoring
- Information Risk Reporting
- Monitoring Information Security Compliance

Degree of change (number of topics):
- New: 35*
- Extensive: 24
- Moderate: 14
- Minimal: 45
* In addition to new topics, seven topics from the 2007 Standard have been broken down into separate topics as a result of being updated.

A full list of topics can be found in Appendix A: Categories and topics.

Modular and Aspect-based formats

The default format for the 2011 Standard, as presented in this publication, is Modular. However, the 2011 Standard is also available in its previous Aspect-based format if required. The two approaches to structure are explained below.

Modular format

The Modular format structure sets out statements of good practice as a series of 118 topics or business activities, which are grouped into 26 higher level areas and then 4 high level categories. Each topic is designed to stand alone and addresses that particular aspect of business activity from an information security perspective. This approach is summarised in Figure 5 on page 9. The categories reflect the typical approach taken to Security Governance (shown in blue) and Security Assurance (shown in green) in many organisations.

Figure 5: Overview of the Modular structure of the 2011 Standard

Category                               Areas   Topics
SECURITY GOVERNANCE                    2       5
SECURITY REQUIREMENTS                  2       8
CONTROL FRAMEWORK                      20      97
SECURITY MONITORING AND IMPROVEMENT    2       8
(Total: 26 areas, 118 topics)

The Modular format is suited to most organisations and supports improving information security arrangements across the board or in a particular business unit or initiative (such as an online banking or a sales order processing application). It is also the most suitable format for those organisations that wish to dip into the Standard to address specific areas of concern (such as Information Classification or Office Equipment).

The Modular format is also consistent with the structure and flow of the ISO/IEC 27000 suite of standards, and is appropriate for those organisations that wish to use the Standard as an enabler to ISO compliance or certification, or to implement one or more Information Security Management Systems (ISMS). The structure of the ISF's Benchmark is tightly aligned to the 2011 Standard in Modular format, so this format is likely to be well suited to organisations that aim to use the 2011 Standard to underpin an evaluation of the strength of information security controls. The 2011 Standard also lends itself well to customisation, for example as a basis for topic-specific checklists.

Aspect-based format

The Aspect-based format was the default format for previous versions of the Standard of Good Practice (2007 and earlier). It evolved from the ISF's original Survey (the predecessor to the ISF's current Benchmark) and groups statements of good practice by IT subject or environment (eg networks, critical business applications, computer installations) rather than by information security topic. This Aspect approach is shown in Figure 6.

While the Aspect-based format may be very effective when reviewing controls relating to specific types of technical or business function, it includes a substantial amount of duplication for many topics (eg change management and access control) across the Aspects. This duplication can make the format complex to use when taking a more holistic approach to information security across an entire organisation or business unit.

Figure 6: Overview of the Aspect-based Standard

The Aspect-based format is suitable for those organisations that have used the Standard over a number of years and have a strong desire for comparability. It may also be useful for organisations wishing to apply the Standard to only a single computer installation, network or business application. The topics relating to each of the six Aspects are presented in Appendix D: The 2011 Standard in Aspect format.

Relationship between the 2011 Standard and other major information security standards

The 2011 Standard is closely aligned with the ISO/IEC 27000 suite of information security-related standards. As such, the 2011 Standard is a powerful tool to support ISO compliance and certification activities. The relationship between the 2011 Standard and the relevant ISO information security-related standards is shown in Figure 7, with an explanation of the purpose of each ISO standard below.

Figure 7: How the 2011 Standard is aligned with the ISO suite of standards (the four categories of the 2011 Standard, Security Governance, Security Requirements, Control Framework and Security Monitoring and Improvement, mapped against the ISO standards listed below, with the ISMS standard spanning all four)

Standard: ISO/IEC 27001 - Information technology - Security techniques - Information security management systems - Requirements
Description: A normative standard providing a mandatory set of steps as part of an Information Security Management System (ISMS), against which an organisation can certify its security arrangements (eg Define target environment, Assess risks and Select appropriate controls).

Standard: ISO/IEC 27002 - Information technology - Security techniques - Code of practice for information security management
Description: An informative standard providing a framework of security controls which can be used to help select the controls required within an ISMS.

Standard: ISO/IEC 27005 - Information technology - Security techniques - Information security risk management
Description: A normative standard detailing the mandatory steps required to perform an information security risk assessment, as part of an ISMS (eg Identify possible business impact, Evaluate threats and vulnerabilities, and Create a risk treatment plan).

Standard: ISO/IEC 27014* - Information technology - Security techniques - Governance of information security
Description: An informative standard that defines the governance of information security, explains the relationship with other types of governance (and with an ISMS) and details how information security governance can be applied in practice.

Standard: ISO/IEC 27036* - Information technology - Security techniques - Information security for supplier relationships
Description: An informative standard that outlines information security for external parties, for both the acquirer and the supplier. It supports organisations in implementing information security controls related to supplier relationships.

* In draft

The ISF has Liaison status (category C) with the ISO SC27 steering group, which is responsible for overseeing development of the ISO suite of information security-related standards. This enables the ISF to represent Member needs and to influence enhancement of existing, and development of new, ISO standards. It also ensures that the ISF's 2011 Standard accurately reflects both the latest and up-and-coming international standards.

The 2011 Standard also provides coverage of COBIT version 4 (and an early draft of COBIT version 5), and will be a useful aid to organisations implementing this framework.

While the 2011 Standard is not mapped to the full content of other recognised information security-related standards, directives or legislation (such as PCI DSS, the Sarbanes-Oxley Act, NIST SP, Basel III and HIPAA), there is a high degree of correlation between their information security-related elements and the 2011 Standard, and thus the content in the 2011 Standard will be a useful resource to support compliance or certification.

Fundamental and Specialised controls

For the first time, the 2011 Standard makes a distinction between those topics that are Fundamental and those that are Specialised. This classification is used to make it easier to identify essential security arrangements for all organisations, separate from those that depend on other factors that are not universal.

FUNDAMENTAL topics are the information security arrangements that are generally applied by Members to form the foundation of their information security programme.

SPECIALISED topics are those that depend on how the business operates and are not typically relevant to every organisation, or topics that do not apply to all environments, such as Server Virtualisation or Cloud Computing.

A clear indicator at the top of each topic page in the 2011 Standard shows whether the controls presented in that topic are Fundamental or Specialised.

Important note: The extent to which an organisation applies Specialised controls in addition to those classified as Fundamental will depend on a variety of organisational factors. However, as an indication, the results of a risk assessment are likely to be helpful in determining higher-risk systems that should be subjected to Specialised controls.

Comparing the 2011 Standard with previous versions

The 2011 Standard represents a very significant update, with revisions made from the ground up in terms of structure and content. The table below highlights the main differences between the 2011 Standard and previous versions.

Characteristic: Default format
  2007 Standard and previous: Aspect-based
  2011 Standard (and beyond): Modular

Characteristic: Default structure
  2007 Standard and previous: Mapped to six distinct types of environment (Aspects)
  2011 Standard (and beyond): Presented as standalone topics mapped to a typical security assurance approach

Characteristic: Update frequency
  2007 Standard and previous: Every 2 years
  2011 Standard (and beyond): Annual (planned)

Characteristic: Duplication of topics
  2007 Standard and previous: Yes, by design
  2011 Standard (and beyond): No

Characteristic: Aligned with ISO/IEC 27001 (ISMS)
  2007 Standard and previous: No
  2011 Standard (and beyond): Yes

Characteristic: Mapped to ISO/IEC 27002 and COBIT
  2007 Standard and previous: Yes
  2011 Standard (and beyond): Yes

Characteristic: Mapped directly to ISF Benchmark
  2007 Standard and previous: Yes
  2011 Standard (and beyond): Yes, but also enables easier tailoring of results

Characteristic: Highlights Fundamental and Specialised controls
  2007 Standard and previous: No
  2011 Standard (and beyond): Yes

Characteristic: Provides pointers to related ISF reports and tools
  2007 Standard and previous: No
  2011 Standard (and beyond): Yes

18 CONTROL FRAMEWORK CONTROL FRAMEWORK CONTROL FRAMEWORK SG1.1 Security Governance Framework SG1.2 Security Direction SG2.1 Information Security Strategy SG2.2 Stakeholder Value Delivery SG2.3 Information Security Assurance Programme 12.1 Local Environment Profile 12.3 Office Equipment 12.2 Local Security Co-ordination 12.1 Local Environment Profile 12.3 Office Equipment 12.2 Local Security Co-ordination 12.1 Local Environment Profile 12.3 Office Equipment 12.2 Local Security Co-ordination A security profile for each local environment should be documented and maintained, which contains important business and security details about business users, information, technology and locations. A security profile for each local environment should be documented and maintained, which contains important business and security details about business users, information, technology To provide a high-level picture of the type and importance of business conducted in the local and locations. environment, A which security helps profile support for security each local decisions environment about activities should relating be documented to the local environment. and maintained, which contains important business and security details about business users, information, technology To provide a high-level picture of the type and importance of business conducted in the local and locations. environment, which helps support security decisions about activities relating to the local environment. A security profile for each local To provide environment a high-level should picture be documented of the type and and maintained, importance providing of business an overall conducted picture in the local of the environment, which environment, helps support which risk-based helps support decisions security and information decisions about security-related activities relating activities to the at local both environment. a corporate A security and local profile level. 
for each local environment should be documented and maintained, providing an overall picture of the environment, which helps support risk-based decisions and information security-related activities at both a corporate A security and profile local level. for each local environment should be documented and maintained, providing an overall picture The security of profile the environment, should help which to identify helps potential support risk-based business impacts, decisions threats and information and vulnerabilities security-related by including activities at both important details a corporate about: and local level. The security profile should help to identify potential business impacts, threats and vulnerabilities by including a) individuals operating in the local environment important details about: b) business processes and information associated with the local environment c) technology The used security the profile local environment should help to identify potential business impacts, threats and vulnerabilities by including a) individuals operating in the local environment important details about: d) the b) location business of the processes local environment. and information associated with the local environment c) technology a) individuals used operating the local in environment the local environment d) the b) location business of processes the local environment. and information associated with the local environment The security c) profile technology should used contain in the important local environment details about individuals in the local environment (eg staff and contractors), d) including: the location of the local environment. 
The security profile should contain important details about individuals in the local environment (eg staff and a) main business contact(s) contractors), including: b) individuals with information security responsibilities (including local security co-ordinators and information protection The a) main champions) security profile should contain important details about individuals in the local environment (eg staff and business contact(s) contractors), including: c) types b) of individuals with operating information the security local environment responsibilities (eg (including regular users, local operational security co-ordinators staff, individuals and information with special protection privileges, a) main champions) business external parties contact(s) such as contractors) d) use c) of types consumer b) individuals of devices with such operating information as tablets the and security local smartphones environment responsibilities (and(eg other (including regular gadgets users, local including operational security media co-ordinators staff, players, individuals e-book and information with readers, special cameras) protection privileges, champions) external parties such as contractors) e) level d) of use security c) of types consumer awareness of individual devices (ie such operating the extent as tablets in to the and which local smartphones individuals environment (and understand (eg other regular gadgets the users, importance including operational media of information staff, players, individuals e-book with security, readers, the special level cameras) of privileges, security required external by parties the organisation such as contractors) and their individual security responsibilities) f) degree e) level of d) responsibility of use security of consumer awareness for, and devices level (ie of such the access as extent tablets to, information to and which smartphones individuals (eg from (and basic understand other access gadgets to the high importance 
including security clearance) media of information players, e-book g) those who security, have readers, the not level been cameras) of subject security to required standard by / the central organisation vetting procedures, and their individual so that background security responsibilities) checks can be performed. f) degree e) level of responsibility of security awareness for, and level (ie of the access extent to, to information which individuals (eg from basic understand access to the high importance security clearance) of information g) those security, who have the not level been of security subject to required standard by / the central organisation vetting procedures, and their individual so that background security responsibilities) checks can be performed. f) degree of responsibility for, and level of access to, information (eg from basic access to high security clearance) g) those who have not been subject to standard / central vetting procedures, so that background checks can be performed. SR1.1 Managing Information Risk Assessment SR1.2 Information Risk Assessment Methodologies SR1.3 Confidentiality Requirements SR1.4 Integrity Requirements SR1.5 Availability Requirements SR1.6 Information Risk Treatment SR2.1 Legal and Regulatory Compliance SR2.2 Information Privacy CONTROL FRAMEWORK CONTROL FRAMEWORK CONTROL FRAMEWORK 13.1 Inventory of Desktop Applications 13.2 Protection of Spreadsheets 13.1 Inventory of Desktop Applications 13.2 Protection of Spreadsheets 13.1 Inventory of Desktop Applications 13.2 Protection of Spreadsheets Critical desktop applications (eg those developed using spreadsheet and database programs) should be recorded in an inventory, or equivalent. Critical desktop applications (eg those developed using spreadsheet and database programs) To maintain an accurate and up-to-date record of critical desktop applications, enabling them to should be recorded in an inventory, or equivalent. be protected accordingly. 
Critical desktop applications (eg those developed using spreadsheet and database programs) To maintain an accurate and up-to-date record of critical desktop applications, enabling them to should be recorded in an inventory, or equivalent. be protected accordingly. Details of critical desktop To applications maintain an (eg accurate those developed and up-to-date using record spreadsheet of critical and desktop database applications, programs enabling that them to are used to support critical be business protected processes accordingly. such as processing high-value transactions, handling sensitive information Details and of managing critical desktop a production applications line) should (eg those be recorded developed in an using inventory, spreadsheet or equivalent. and database programs that are used to support critical business processes such as processing high-value transactions, handling sensitive information Desktop applications Details and of critical managing are typically desktop a production developed applications line) should using (eg those be recorded spreadsheet developed in an programs, using inventory, spreadsheet or equivalent. such as Microsoft and database Excel, programs that OpenOffice are Calc used or to IBM support Lotus 1-2-3; critical database business programs, processes such such as as Microsoft processing Access, high-value OpenOffice transactions, Base or IBM handling sensitive Lotus Approach; information or similar. and managing a production line) should be recorded in an inventory, or equivalent. Desktop applications are typically developed using spreadsheet programs, such as Microsoft Excel, OpenOffice Calc or IBM Lotus 1-2-3; database programs, such as Microsoft Access, OpenOffice Base or IBM Lotus Desktop Approach; applications or similar. 
are typically developed using spreadsheet programs, such as Microsoft Excel, OpenOffice Calc or IBM Lotus 1-2-3; database programs, such as Microsoft Access, OpenOffice Base or IBM Lotus Approach; or similar. Details recorded in the inventory should include: a) a description of each critical desktop application Details recorded in the inventory should include: b) the identity of the individual with primary responsibility for designing and maintaining each critical desktop application a) a description of each critical desktop application c) the individuals Details that recorded use each in the critical inventory desktop should application include: b) the identity of the individual with primary responsibility for designing and maintaining each critical desktop d) the intended application a) a description purpose of of each each critical critical desktop application(eg processing of: operational information, such as tracking c) the b) individuals and the identity monitoring that of use the operational each individual critical workflow; with desktop primary analytical application responsibility / management for designing information and maintaining to support decisionmaking; d) the or intended financial application purpose information of each such critical as balances desktop populated application in a general (eg processing ledger) of: operational information, such each critical desktop e) the type as c) tracking of information the individuals and monitoring processed that use operational by each each critical critical workflow; desktop desktop application analytical / management (eg customer information details, product to support data decisionmaking; transaction d) the or intended financial information) purpose information of each such critical as balances desktop populated application in a general (eg processing ledger) of: operational information, such or financial f) the e) department the type as tracking of / individual information and responsible monitoring 
processed for operational by the each development critical workflow; desktop of each analytical application critical / management desktop (eg customer application information details, (eg individuals product to support data decisionmaking; transaction environment or financial information) an information IT function such that as specialises balances in populated spreadsheet in a and general database ledger) programs) or in the financial end user g) any f) changes the e) department the made type to of each / individual information critical responsible desktop processed application. for by the each development critical desktop of each application critical desktop (eg customer application details, (eg individuals product data or in the financial end user transaction environment information) an IT function that specialises in spreadsheet and database programs) g) any f) changes the department made to / each individual critical responsible desktop application. for the development of each critical desktop application (eg individuals The inventory should in the end include user details environment about the or an level IT of function complexity that specialises of each critical in spreadsheet desktop application, and database such programs) as: g) any changes made to each critical desktop application. a) low (eg desktop applications that are used to maintain basic lists) The inventory should include details about the level of complexity of each critical desktop application, such as: b) moderate (eg desktop applications that perform simple calculations or provide information for analytical review) a) low (eg desktop applications that are used to maintain basic lists) c) high b) (eg moderate desktop The inventory (eg applications should desktop that include applications support details complex about the that perform calculations, level of complexity simple calculations valuations of and each or modelling critical desktop provide information tools). 
application, such as: for analytical review) a) low (eg desktop applications that are used to maintain basic lists) c) high b) (eg moderate desktop (eg applications desktop applications that support that complex perform calculations, simple calculations valuations and or provide modelling information tools). for analytical review) c) high (eg desktop applications that support complex calculations, valuations and modelling tools) Business Continuity Strategy 16.1 External Supplier Management Process 20.2 Business Continuity Programme 16.2 Hardware / Software Acquisition 20.3 Resilience 16.3 Outsourcing 20.4 Crisis Management 16.4 Cloud Computing Policy 11.1 Information Security 20.5 Incident Business Management Continuity Planning 8.1 Security Architecture 16.5 Cloud Service Contracts 11.2 Cybercrime Attacks20.6 Business Continuity Arrangements 8.2 Identity and Access Management 11.3 Emergency Fixes 20.7 Business Continuity Testing 11.4 Forensic Investigations 12.1 Local Environment Profile 12.2 Local Security Co-ordination 12.3 Office Equipment 13.1 Inventory of Desktop Applications 13.2 Protection of Spreadsheets 5.1 Customer Access Arrangements 13.3 Protection of Databases 1.1 Information Security Policy 5.2 Customer Contracts 13.4 Desktop Application Development 1.2 Information Security Function 5.3 Customer Connections 14.1 Remote Environments 2.1 Staff Agreements 6.1 Access Control 14.2 Mobile Device Configuration 2.2 Security Awareness Programme 6.2 User Authorisation 14.3 Mobile Device Connectivity 2.3 Security Awareness Messages 6.3 Access Control Mechanisms 14.4 Portable Storage Devices 2.4 Security Education / Training 6.4 Access Control Mechanisms Password 14.5 Consumer Devices 2.5 Roles and Responsibilities 6.5 Access Control Mechanisms Token 10.1 Patch Management 19.1 Physical Protection 6.6 Access Control Mechanisms 19.2 Power Supplies Biometric 10.2 Malware Awareness 6.7 Sign-on Process 10.3 Malware Protection19.3 Software Hazard Protection 
Information Classification 10.4 Security Event Logging 15.2 Instant Messaging 3.2 Document Management 10.5 System / Network Monitoring 3.3 Sensitive Physical Information 7.1 Computer and Network Installations 10.6 Intrusion Detection 3.4 Asset Register 7.2 Server Configuration 7.3 Virtual Servers 7.4 Network Storage Systems 4.1 Application Protection 7.5 Back-up 4.2 Browser-based Application Protection 7.6 Change Management 4.3 Information Validation 7.7 Service Level Agreements 13.3 Protection of Databases 13.4 Desktop Application Development 13.3 Protection of Databases 13.4 Desktop Application Development 13.3 Protection of Databases 13.4 Desktop Application Development CONTROL FRAMEWORK CONTROL FRAMEWORK SI1.1 Security Audit Management SI1.2 Security Audit Process Planning SI1.3 Security Audit Process Fieldwork SI1.4 Security Audit Process Reporting SI1.5 Security Audit Process Monitoring SI2.1 Security Monitoring SI2.2 Information Risk Reporting SI2.3 Monitoring Information Security Compliance CONTROL FRAMEWORK 14.1 Remote Environments 14.4 Portable Storage Devices 14.2 Mobile Device Configuration 14.5 Consumer Devices Mobile Remote Device Environments Connectivity 14.4 Portable Storage Devices 14.2 Mobile Device Configuration 14.5 Consumer Devices Mobile Remote Device Environments Connectivity 14.4 Portable Storage Devices 14.2 Mobile Device Configuration 14.5 Consumer Devices 14.3 Mobile Device Connectivity Devices used by staff working in remote environments (eg in locations other than the organisation s premises) should be purchased from approved suppliers, tested prior to use, supported by maintenance Devices arrangements used by staff working and protected in remote by environments physical and logical (eg in locations controls. 
other than the organisation s premises) should be purchased from approved suppliers, tested prior to use, supported by To ensure that devices used by staff working in remote environments operate as intended, remain maintenance available, do Devices arrangements not compromise used by staff the working and protected security in of remote by the corporate environments physical and logical network (eg to in which locations controls. they other connect. than the organisation s premises) should be purchased from approved suppliers, tested prior to use, supported by To ensure that devices used by staff working in remote environments operate as intended, remain maintenance arrangements and protected by physical and logical controls. available, do not compromise the security of the corporate network to which they connect. Remote working should be To supported ensure that by devices documented used by standards staff working / procedures, in remote which environments cover: operate as intended, remain available, do not compromise the security of the corporate network to which they connect. 
a) authorisation by an appropriate business representative for staff to work remotely Remote working should be supported by documented standards / procedures, which cover: b) security requirements associated with remote working c) the a) types authorisation of device that by an can appropriate be used by business staff working representative in remote for environments staff to work (eg remotely desktop computers, laptop computers, Remote consumer working devices should such be supported tablets and by smartphones, documented standards and printers) / procedures, which cover: b) security requirements associated with remote working d) implementation c) the a) types authorisation of and device maintenance that by an can appropriate of be devices used by business located staff working representative remote in remote environments for environments staff to work (eg remotely desktop computers, laptop e) software computers, b) configuration security consumer requirements (eg employing devices associated such standard tablets with builds remote and and smartphones, working relevant web and browser printers) settings) f) provision d) implementation c) of the software types of to and device protect maintenance that devices can be (eg of used devices system by located management staff working remote in tools, remote environments access environments control mechanisms, (eg desktop malware computers, laptop protection e) software software computers, configuration and consumer encryption (eg employing devices capabilities) such standard as tablets builds and and smartphones, relevant web and browser printers) settings) g) protection f) provision d) against implementation of software loss or theft. 
to and protect maintenance devices of (eg devices system located management in remote tools, environments access control mechanisms, malware protection e) software software configuration and encryption (eg employing capabilities) standard builds and relevant web browser settings) g) protection f) provision against of software loss or theft. to protect devices (eg system management tools, access control mechanisms, malware Staff that work protection in remote software environments, and encryption including capabilities) public areas (eg hotels, trains, airports and Internet cafes) or from home, g) should protection be: against loss or theft. Staff that work in remote environments, including public areas (eg hotels, trains, airports and Internet cafes) or a) authorised to work only in specified locations and informed of locations not approved for remote working (eg from home, should be: bars, public transportation) b) equipped Staff a) authorised with that the work to necessary in remote work only skills in specified to environments, perform locations required including and security public informed tasks areas of locations (eg (eg restricting hotels, not approved access, trains, airports performing and remote working backups and bars, encrypting public transportation) key files) Internet cafes) or (eg from home, should be: c) made b) aware equipped a) authorised of the with additional the to necessary work risks only associated skills in specified to perform with locations remote required and working security informed (including tasks of locations (eg the restricting increased not approved access, likelihood performing remote of theft working backups and bars, or encrypting disclosure public transportation) key of confidential files) information) (eg of equipment d) provided c) made b) with equipped aware adequate of the with technical additional the necessary support risks associated skills (eg via to a perform helpdesk) with remote required working security 
(including tasks (eg the restricting increased access, likelihood performing of theft backups with and legal or encrypting disclosure and regulatory key of files) confidential requirements information) (eg health and safety laws, and data privacy regulations) e) in compliance of equipment f) provided d) provided c) with made alternative with aware adequate of working the technical additional arrangements support risks associated (eg in case via a of with helpdesk) emergency. remote working (including the increased likelihood of theft e) in compliance of equipment with legal or disclosure and regulatory of confidential requirements information) (eg health and safety laws, and data privacy regulations) f) provided d) provided with alternative with adequate working technical arrangements support (eg in case via a of helpdesk) emergency. Staff that work e) in in compliance remote environments with legal and should regulatory be supplied requirements with devices (eg health that are: and safety laws, and data privacy regulations) f) provided with alternative working arrangements in case of emergency. a) purchased from approved suppliers (eg those with a proven record of providing robust and resilient equipment) Staff that work in remote environments should be supplied with devices that are: b) tested prior to use c) supported a) purchased by maintenance from approved arrangements. suppliers (eg those with a proven record of providing robust and resilient equipment) Staff that work in remote environments should be supplied with devices that are: b) tested prior to use c) supported a) purchased by maintenance from approved arrangements. suppliers (eg those with a proven record of providing robust and resilient equipment) b) tested prior to use c) supported by maintenance arrangements. 
Structure and layout

Overview

The information security good practice presented in the 2011 Standard is divided into four categories:
Security Governance
Security Requirements
Control Framework
Security Monitoring and Improvement.

Each category is composed of a number of areas, each covering an information security-related subject. An area is broken down further into topics, each of which contains a set of statements. The overall structure of each category in the 2011 Standard is illustrated in Figure 8, using the Control Framework category as an example.

[Figure 8: Structure of the 2011 Standard. The figure shows three Control Framework areas side by side (AREA 12 Local Environments, AREA 13 Desktop Applications, AREA 14 Mobile Computing), each with a List of Topics opening with its first topic (12.1 Local Environment Profile, 13.1 Inventory of Desktop Applications, 14.1 Remote Environments); each topic is marked Specialised and carries a Principle and an Objective.]

Topic layout

Each of the 118 topics in the 2011 Standard is set out as shown in Figure 9. The callouts in the figure identify the elements of a topic:

Category tab: Provides the reader with quick access to the category they need.
Topic number: Provides quick access to the required topic of the Standard.
Topic heading: Indicates the particular topic covered within the section.
Type: Indicates whether this topic is Fundamental or Specialised.
Principle: A summary of the main set of security controls required (ie what controls need to be applied).
Objective: The purpose for applying a particular set of security controls (ie why controls need to be applied).
Statement of Good Practice: Individually numbered statements that define the security controls to be applied in order to protect information and systems.
Statement numbering: A numbering system to allow easy reference for particular security controls.
Explanatory text: Provides additional information about a particular term used in a statement.
Related areas / topics: Refers to other areas or topics that relate to the described topic (topics within the same Area are not shown).
ISF resources: References to ISF reports or tools that offer additional detail or provide a practical means of implementation.

The topic reproduced in Figure 9 is 13.2 Protection of Spreadsheets (Control Framework; type: Specialised):

Principle: Critical desktop applications created using spreadsheet programs should be protected by validating input, implementing access control and restricting access to powerful functionality.

Objective: To assure the accuracy of information processed by critical spreadsheets, and protect that information from disclosure to unauthorised individuals.

Critical spreadsheets should be supported by documented standards / procedures, which cover:
a) training of individuals that use spreadsheets
b) validation of information input into spreadsheets
c) protection of spreadsheets and the information they contain.

Critical spreadsheets are often developed using spreadsheet programs (eg Microsoft Excel, OpenOffice Calc or IBM Lotus 1-2-3). Often, macros (which are small, user-defined routines or pieces of code) are developed within the spreadsheet to automate functions like routine tasks, importing data, performing calculations and creating new menus and shortcuts.

Individuals that use and develop critical spreadsheets should be trained in how to:
a) use them effectively
b) protect the information they store and process
c) develop security-related functionality (eg when writing macros, conducting error checking and performing calculations in cells).

Information input into critical spreadsheets should be subject to integrity checks using validation routines, which:
a) require particular spreadsheet cells to contain a non-null value (ie the cell contains a value of some type, and is not empty)
b) restrict the type of information entered (eg requiring entered information to be in the format of date, currency, number or text)
c) use range checks to ensure information entered into the spreadsheet is within a predefined range (eg checking that a number that should be positive is not negative)
d) generate hash totals, to allow the integrity of information to be checked at various stages of being processed
e) perform consistency checks (eg on a formula that is repeated throughout a spreadsheet).

The risk of inaccurate entry of information should be reduced by the use of:
a) default values (eg pre-agreed values that will automatically be entered when a new record is added)
b) drop-down lists consisting of predefined values (eg to help users of spreadsheets select the correct information)
c) error messages (eg error codes and descriptive text provided to inform users when a mistake may have occurred)
d) special coding routines to check input values (eg macros and automated error checking routines).

Related areas / topics: 4 Business Applications
ISF resources: Protecting Information in the End User Environment

Figure 9: Example of how each topic in the 2011 Standard is presented
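The validation routines and the hash total called for in the 13.2 statements above, as an added worked example that is not part of the Standard and not ISF code. It treats the critical spreadsheet as a CSV export and runs the checks in Python rather than as macros inside the workbook. The sheet layout and column names, the allowed-currency list (the values a drop-down would offer), the amount ceiling, and the form of the hash total (record count, control total of the amount column and a SHA-256 digest over the key cells of every row) are assumptions made for the illustration, and the sample rows are constructed so that row 1 is clean and rows 2 to 5 each break exactly one rule.

```python
import csv
import hashlib
import io
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample export of a "supplier payments" sheet (not real data).
# Row 1 is clean; rows 2-5 each violate one of the 13.2 validation rules.
SAMPLE_CSV = """row,supplier_id,invoice_date,amount,currency,vat_rate,vat_amount
1,S-1001,2011-06-01,1200.00,GBP,0.20,240.00
2,S-1002,2011-06-03,-50.00,GBP,0.20,-10.00
3,,2011-06-05,300.00,GBP,0.20,60.00
4,S-1003,05/06/2011,80.00,GBP,0.20,16.00
5,S-1004,2011-06-07,500.00,GBP,0.20,90.00
"""

REQUIRED = ("supplier_id", "invoice_date", "amount", "currency")
ALLOWED_CURRENCIES = {"GBP", "EUR", "USD"}   # the drop-down list values (assumed)
MAX_AMOUNT = Decimal("100000.00")            # upper bound of the range check (assumed)
HASHED_COLUMNS = ("supplier_id", "amount", "currency")


def parse_rows(text):
    """Read the exported sheet into a list of {column: cell-text} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_row(row):
    """Run checks a) non-null, b) type, c) range and e) consistency on one row.
    Returns a list of (rule, message); an empty list means the row passes."""
    findings = []

    # a) required cells must hold a value
    for col in REQUIRED:
        if not row.get(col, "").strip():
            findings.append(("non-null", f"{col} is empty"))

    # b) type restriction: invoice_date must be an ISO date
    try:
        date.fromisoformat(row["invoice_date"])
    except ValueError:
        findings.append(("type", f"invoice_date {row['invoice_date']!r} is not an ISO date"))

    # b) type restriction: amount must be a currency value (a number with <= 2 decimals)
    amount = None
    try:
        amount = Decimal(row["amount"])
    except InvalidOperation:
        findings.append(("type", f"amount {row['amount']!r} is not a number"))
    else:
        if amount.as_tuple().exponent < -2:
            findings.append(("type", "amount has more than two decimal places"))

    # c) range check: a payment must be positive and below the agreed ceiling
    if amount is not None and not (Decimal("0") < amount <= MAX_AMOUNT):
        findings.append(("range", f"amount {amount} is outside (0, {MAX_AMOUNT}]"))

    # b) type restriction via a predefined list (what the drop-down would enforce)
    if row["currency"] not in ALLOWED_CURRENCIES:
        findings.append(("type", f"currency {row['currency']!r} is not in the allowed list"))

    # e) consistency: the VAT formula repeated down the sheet must hold on every row
    try:
        expected = (Decimal(row["amount"]) * Decimal(row["vat_rate"])).quantize(Decimal("0.01"))
        if Decimal(row["vat_amount"]) != expected:
            findings.append(("consistency", f"vat_amount {row['vat_amount']} != amount*vat_rate ({expected})"))
    except InvalidOperation:
        findings.append(("consistency", "VAT cells are not numeric"))

    return findings


def validate_sheet(rows):
    """Map each row number to its findings."""
    return {row["row"]: validate_row(row) for row in rows}


def hash_total(rows):
    """d) Hash total: a control value recorded when the sheet leaves one processing
    stage and recomputed at the next.  Returns (record count, control total of
    amounts, SHA-256 over the key cells of every row); an edit to those cells, or
    a dropped or inserted row, changes at least one of the three."""
    digest = hashlib.sha256()
    total = Decimal("0")
    for row in rows:
        digest.update("|".join(row[c] for c in HASHED_COLUMNS).encode("utf-8") + b"\n")
        try:
            total += Decimal(row["amount"])
        except InvalidOperation:
            pass   # already reported by validate_row as a type failure
    return len(rows), total, digest.hexdigest()


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for number, findings in validate_sheet(rows).items():
        for rule, message in findings:
            print(f"row {number}: {rule}: {message}")
    count, total, digest = hash_total(rows)
    print(f"hash total: {count} rows, amount total {total}, digest {digest[:16]}...")
```

Run on the sample, the report names one failing rule per row (range, non-null, type, consistency) and the hash total comes out as 5 rows and 2030.00; changing any hashed cell between two processing stages, or altering the amount column, changes the digest or the control total, which is the check statement d) asks for. The Decimal type is used deliberately: binary floating point would make the repeated VAT formula disagree with the sheet by rounding alone.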

About the Index

The Index presents an extensive alphabetical list of information security-related terms, concepts and topics, and provides a reference to relevant topics in which they are covered in the 2011 Standard (as shown in Figure 10).

Main heading: Presents the key information security-related term, concept or topic covered in the Standard. The corresponding reference(s) indicate each statement of good practice in the Standard where the term can be found.
Subheading: Indicates a prefix, suffix or associated term that relates to the main heading.

[Figure 10: Example of the Index. The figure reproduces a page of index entries; the fragments that survive extraction show the reference format, eg the subheadings Appetite SG1.1, SG2.1, SG2.3, SR1.6, 20.1, SI2.1, SI2.2; Residual SR1.2, SR1.6, SI1.5; Tolerance 20.1; Environments 14.1; Working 14.1; Maintenance / Support 7.2, 9.1, 9.5, 14.2; and cross-references such as "See Information risk assessment" and "See Storage Area Network (SAN)". References prefixed SG, SR and SI point to topics in the Security Governance, Security Requirements and Security Monitoring and Improvement categories; unprefixed numbers such as 14.1 are Control Framework topics.]


More information

ESM Management Comments on Board of Auditors Annual Report to the Board of Governors for the period ended 31 December 2014

ESM Management Comments on Board of Auditors Annual Report to the Board of Governors for the period ended 31 December 2014 ESM Management Comments on Board of Auditors Annual Report to the Board of Governors for the period ended 31 December 2014 Dear Chairperson, I would like to thank you for the opportunity to provide management

More information

Ensuring Cloud Security Using Cloud Control Matrix

Ensuring Cloud Security Using Cloud Control Matrix International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 9 (2013), pp. 933-938 International Research Publications House http://www. irphouse.com /ijict.htm Ensuring

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

IT Insights. Managing Third Party Technology Risk

IT Insights. Managing Third Party Technology Risk IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate

More information

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security, Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security, streamline compliance reporting, and reduce the overall

More information

8 Key Requirements of an IT Governance, Risk and Compliance Solution

8 Key Requirements of an IT Governance, Risk and Compliance Solution 8 Key Requirements of an IT Governance, Risk and Compliance Solution White Paper: IT Compliance 8 Key Requirements of an IT Governance, Risk and Compliance Solution Contents Introduction............................................................................................

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

Information Management Advice 39 Developing an Information Asset Register

Information Management Advice 39 Developing an Information Asset Register Information Management Advice 39 Developing an Information Asset Register Introduction The amount of information agencies create is continually increasing, and whether your agency is large or small, if

More information

Western Australian Auditor General s Report. Information Systems Audit Report

Western Australian Auditor General s Report. Information Systems Audit Report Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises

More information

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

IBM Rational AppScan: enhancing Web application security and regulatory compliance. Strategic protection for Web applications To support your business objectives IBM Rational AppScan: enhancing Web application security and regulatory compliance. Are untested Web applications putting your

More information

Sector Development Ageing, Disability and Home Care Department of Family and Community Services (02) 8270 2218

Sector Development Ageing, Disability and Home Care Department of Family and Community Services (02) 8270 2218 Copyright in the material is owned by the State of New South Wales. Apart from any use as permitted under the Copyright Act 1968 and/or as explicitly permitted below, all other rights are reserved. You

More information

Information Security Management System Information Security Policy

Information Security Management System Information Security Policy Management System Policy Version: 3.4 Issued Document Name: Owner: P079A - ISMS Security Policy Classification: Public Security Policies, Standards and Procedures emanate from the Policy which has been

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

A Guide to Corporate Governance for QFC Authorised Firms

A Guide to Corporate Governance for QFC Authorised Firms A Guide to Corporate Governance for QFC Authorised Firms January 2012 Disclaimer The goal of the Qatar Financial Centre Regulatory Authority ( Regulatory Authority ) in producing this document is to provide

More information

IT Governance Regulatory. P.K.Patel AGM, MoF

IT Governance Regulatory. P.K.Patel AGM, MoF IT Governance Regulatory Perspective P.K.Patel AGM, MoF Agenda What is IT Governance? Aspects of IT Governance What banks should consider before implementing these aspects? What banks should do for implementation

More information

Governance and Management of Information Security

Governance and Management of Information Security Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information

More information

Guideline. Records Management Strategy. Public Record Office Victoria PROS 10/10 Strategic Management. Version Number: 1.0. Issue Date: 19/07/2010

Guideline. Records Management Strategy. Public Record Office Victoria PROS 10/10 Strategic Management. Version Number: 1.0. Issue Date: 19/07/2010 Public Record Office Victoria PROS 10/10 Strategic Management Guideline 5 Records Management Strategy Version Number: 1.0 Issue Date: 19/07/2010 Expiry Date: 19/07/2015 State of Victoria 2010 Version 1.0

More information

Compliance, Audits and Fire Drills: In the Way of Real Security?

Compliance, Audits and Fire Drills: In the Way of Real Security? Compliance, Audits and Fire Drills: In the Way of Real Security? Mark Estberg and John Howie Microsoft Corporation Session ID: SP01-203 Session Classification: Intermediate Introduction Microsoft s Global

More information

-Blue Print- The Quality Approach towards IT Service Management

-Blue Print- The Quality Approach towards IT Service Management -Blue Print- The Quality Approach towards IT Service Management The Qualification and Certification Program in IT Service Management according to ISO/IEC 20000 TÜV SÜD Akademie GmbH Certification Body

More information

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take

More information

Internal Audit Division

Internal Audit Division Internal Audit Division at the Financial Conduct Authority Information Pack April 2013 Contents of Information Pack A. Introduction B. Internal Audit Terms of Reference C. Organisation D. Skills and Competencies

More information