11. ISO:IEC 27001 2005 Control The information security policy is being reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. Review of the information security policy A.5.1.2 Control An information security policy document has been approved by management, and published and communicated to all employees and relevant external parties. The latest version of this document is available for all employees on the ABC Company’s internal network. Information security policy document A.5.1.1 A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. A.5 Security policy
12. ISO:IEC 27001 2005 Control Rules for the acceptable use of information and assets associated with information processing facilities are identified, documented, and implemented. Acceptable use of assets A.7.1.3 Control All information and assets associated with information processing facilities are ‘owned’ by a designated part of the organization. Ownership of assets A.7.1.2 Control All assets are clearly identified and an inventory of all-important assets drawn up and maintained. The Classification of Assets is as per the guidelines laid out in Procedure on Risk Assessment. Rules of classification take asset value and importance into account. A list of assets including the owner and relevant details is kept with the respective functional departments. Additional asset details are maintained by the Admin Department for the purposes of audit and keeping track of assets. Inventory of assets A.7.1.1 A.7.1 Responsibility for assets Objective: To achieve and maintain appropriate protection of organizational assets. A.7 Asset management
16. ISO:IEC 27001 2005 Control Equipment are correctly maintained to ensure its continued availability and integrity. Equipment maintenance A.9.2.4 Control Power and telecommunications cabling carrying data or supporting information services are protected from interception or damage. Cabling security A.9.2.3 Control Security features, service levels, and management requirements of all network services are identified and included in any network services agreement, whether these services are provided in-house or outsourced. Security of network services A.10.6.2 Control Networks are adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. Network controls A.10.6.1 A.10.6 Network security management Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
17. Routing controls are implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. Network routing control A.11.4.7 For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications Network connection control A.11.4.6 Groups of information services, users, and information systems are segregated on networks. Segregation in networks A.11.4.5 Physical and logical access to diagnostic and configuration ports shall be controlled. Remote diagnostic and configuration port protection A.11.4.4 Automatic equipment identification is considered as a means to authenticate connections from specific locations and equipment. Equipment identification in the network A.11.4.3 Appropriate authentication methods shall be used to control access by remote users. User authentication for external connections A.11.4.2 Users shall only be provided with access to the services that they have been specifically authorized to use. Policy on use of network services A.11.4.1 A.11.4 Network access control Objective: To prevent unauthorized access to networked services.
Interception- The data that are transmitted over the network pass through some medium. These data could be intercepted and subject to disclosure. Availability - As networks proliferate, more and more users are remote and access their applications over the network. If network connectivity fails there would be serious interruption to business and consequent damages. Access - Network provides the feasibility for access to the system from anywhere. A single weak point in the network can make all the information assets in the network vulnerable to intruders.