5. Security Domain

Security Management Component

The Security Management Component is based on specifically three of the British Standard (BS7799) Control Areas as well as the management aspects of the other seven. The four BS7799 control areas are: security policy; security organization; and, Compliance.

Systems Access Control

Systems Access Control consists of those areas of access control necessary for: control access to business information; prevention of unauthorized computer access; prevention of unauthorized access to information held in computer systems; detection of unauthorized activities; and, protection of networked services. Systems Access Control is made up of the following subcomponents: Identification and Authentication Subcomponent; Access Control Subcomponent Availability Subcomponent; Confidentiality Subcomponent; Data Integrity Subcomponent; and Non-Repudiation Subcomponent.

Personnel and Site Security	Personnel and Site Security controls consist of both physical or environmental security and personnel or individual staff security controls. Personnel and Site Security Controls are made up of the following subcomponents Physical Security Personnel Security
Communications and Operations Management Component	To ensure the correct and secure operation of information processing facilities. Component is made up of the following subcomponents Operational Procedures and Responsibilities Subcomponent Systems Planning and Acceptance Subcomponent Protection Against Malicious Software Subcomponent Housekeeping Subcomponent Network Management Subcomponent Media Handling Security Subcomponent Exchange of Information and Software Security Subcomponent
Systems Development	To ensure that security is considered and built into all the organization's information systems. Component is made up of the following subcomponents Security Requirements in Systems Subcomponent Security in Application Systems Subcomponent Cryptographic Controls Subcomponent Security of System Files Subcomponent Security in Development and Support Processes Subcomponent
Business Continuity	To ensure the correct and secure operation of information processing facilities after a major disruption in service. Included in this component is a requirement for developing and testing a comprehensive recovery plan.
Asset Classification and Control	To maintain appropriate protection of he organization assets.

	The organization will protect its information assets from loss and unauthorized access, use, modification, destruction and disclosure.
	The Information Security Office is responsible for the organization's Information Security Program, which includes development and maintenance of: Enterprise Information Security policy(s) and direction, an Information Security Awareness program, and the organization’s Risk Management Program.
	Technology implementers (ITB and DIT) are responsible for implementing technology in accordance with the organization’s Information Security Program.
	Security (including information) is the responsibility of every employee. Trained and knowledgeable staff can prevent security incidents from happening, and detect and mitigate such incidents when they do occur.
	Managers specify and monitor the integrity and security of information assets and the use of those assets within their areas of program responsibility. Also, they ensure that program staff and other users of the information are informed of and carry out information security responsibilities.

	Management must provide and direct security focus and support. Rationale: Employees are provided enterprise security direction
	Ensure that the organization's security policies are written and universally applied and enforced across the enterprise. Rationale: Security awareness reduces security risk.
	Utilize a widely accepted standard as the basis for this Domain. Rationale: Reduces time to develop the standard. Standard is broadly accepted.
	Based on risk management, protect information assets to the proper level for the risk. Rationale: Total security is more expensive than desirable. Security is granular to the level required.
	Security audits should not be obtrusive or perceived as adversarial but as a planned part of business. Rationale: Ensure enterprise wide application of security.
	Manage IT security centrally within the enterprise. Rationale: Ensure all access can be audited. Ensure enterprise wide application of security.
	Support a tested Business Continuity Plan that allows resumption of critical processes while protecting critical business processes from the effects of major failures or disasters. Rationale: Enables the Department to continue doing its job. Make participants more aware of potential problems. Works out many resumption problems ahead of need. Provide business continuity.
	Utilize security solutions consistently across the enterprise. Rationale: Eliminates the need for application unique security solutions. Reduces the number of security solutions. Allows progress toward a single sign-on.
	Protect the privacy and confidentiality of our customers and partners data, as required. Rationale: Conform to the legal requirements for personal and business information.
	Provide secure transmission of confidential and sensitive information. Rationale: Allows access to confidential and private data. Enables the organization to do E-commerce to exchange data with customers.
	Promote a high level of security awareness to employees and partners, ensuring that users are aware of information security threats, concerns, consequences and are equipped to support organizational security policy in the course of their normal work. Rationale: Make all employees aware of adverse consequences of not following good practices. Reduce number and severity of security incidents.
	Maintain the security of organizational information processing facilities and information assets accessed by third parties or outsourced. Rationale: Work is done by third parties as required by the organization. Contractual obligations are met.
	Reduce or eliminate the risks of human error, theft, fraud or misuse of facilities. Rationale: Less opportunity for accidental or intentional damage to information assets.
	Minimize the damage from security incidents, monitor and learn from such incidents. Rationale: Learn from mistakes.
	Prevent unauthorized access, theft, damage and interference to business processes, policies and information assets to prevent loss, damage or compromise of assets and interruption to business activities while ensuring the correct and secure operation of information processing facilities, minimizing the risk of systems failures and protecting the integrity of software and information (including hardware, software and data in any form). Rationale: Ensure business continuity. Prevent unauthorized use of information assets. Protect information assets.
	Maintain the integrity and availability of information processing and communication services while protecting the supporting infrastructure.. Rationale: Meet the customer's processing need. Continued processing is possible.
	Minimize loss, modification or misuse of information exchanged. Rationale: The organization depends on accurate information.
	Detect unauthorized activities. Rationale: Determines who is accessing data inappropriately.
	Protect the organization's information assets regardless of location (i.e. teleworking) by making teleworkers and mobile computer users aware of the vulnerabilities of theft, loss, misuse or physical damage. Rationale: Organization assets need protection regardless of locations. Staff is aware of consequences of working "offsite".
	Ensure that security is designed and built into information systems at the early stages of development. Rationale: Security requirements are less expensive and more comprehensive if designed early in the life cycle.
	Prevent loss, modification or misuse of information assets while protecting the confidentiality and authenticity and integrity of the information. Rationale: Data is an enterprise resource required for on-going business.
	Ensure compliance with organizational security policies and standards. Rationale: Assures that staff will follow the rules.

2. Security Management Component

	Management must set a clear policy direction and demonstrate support for, and commitment to, information security through the issuance and maintenance of an information security policy for the enterprise.
	A management framework must be established to initiate and control the implementation of information security within the organization.
	Suitable management, with management leadership must be established to approve the information security policy, assign security roles and coordinate the implementation of security across the organization.
	Contacts with external security specialists must be developed to keep up with industrial trends, monitor standards and assessment methods and provide suitable liaison points when dealing with security incidents.
	A multi-disciplinary approach to information security must be encouraged; e.g., involving the cooperation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance and risk management
	Access to the organization's information processing facilities by (non-organizational) third parties must be controlled.
	Where there is a business need for third party access, a risk assessment must be carried out to determine security implications and control requirements
	Controls must be agreed to and defined in a contract with the third party. Contracts conferring third party access must include allowance for designation of other eligible participants and conditions for their access.
	Arrangements must address the risks, security controls and procedures for information systems (and associated data), networks and/or desk top environments in the contract between the parties.
	The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements.
	Advice on specific legal requirements must be sought from the organization's legal advisers, or suitably qualified legal practitioners.
	The security of information systems must be regularly reviewed and audited for compliance with security implementation standards against the appropriate security policies, the technical platforms, and the information systems while safeguarding operational systems and audit tools during system audits.
	Protection is also required to safeguard the integrity and prevent misuse of audit tools.
	The compliance process must be implemented to ensure compliance with organization security.
	The security of IT systems and IT system development efforts must be reviewed and approved by appropriate management and disciplines, such as audit.
	Noncompliance with security policies and standards will incur adverse consequences.
	When incidents are identified and reported, an appropriate evidence trail will be secured and retained.
	IT system development and maintenance must incorporate processes to ensure compliance to security policies , as well as audibility.

Component	Description	Standard
Security Management	Compliance - Legal Requirements	The specific controls and individual responsibilities to meet relevant statutory, regulatory and contractual requirements will be explicitly defined and documented for each information system.
		Appropriate procedures will be implemented to ensure compliance with legal restrictions on the use of material such as proprietary software products, copyright, and design rights or trade marks.
	Compliance - Organizational Records	Records of an organization will be protected from loss, destruction and falsification.
		Data storage systems will accommodate, where necessary, required data retrieval formats that are acceptable to a court of law.
		Procedures will ensure data protection and privacy of personal information.
		Any use of information processing facilities for non-business or unauthorized purposes, without management approval, will be regarded as improper use of the facilities.
		If improper use of the facilities is identified, it will be brought to the attention of the manager for appropriate disciplinary action.
	Compliance - Cryptographic Controls	When applicable, legal advice will be sought to ensure compliance with cryptographic law.
	Compliance - Evidence Collection	Evidential material must be secured, maintained and retained according to the published standard or code of practice for the production, availability, and integrity of admissible evidence.
		Records of whom found eveidence, where it was found, when it was found and who witnessed the discovery will be documented and non-tampered originals will be ensured.
	Compliance	Managers and staff will ensure that all security procedures within their area of responsibility are carried out correctly.
		Audit requirements and operational systems review activities will be adequately authorized and, to minimize disruptions to business processes, carefully planned as follows. Appropriate management will authorize audit requirements. The audit scope will be authorized and controlled. Audits will be limited to read-only access to software and data except for isolated copies of system files, which will be erased when the audit is completed. IT resources required for performing the audits will be identified and made available. Requirements for special or additional audit steps will be identified and authorized. All access will be monitored and logged to produce a reference trail. All procedures, requirements and responsibilities will be documented.
	As part of the system development life cycle, audibility and compliance will be considered.	System audit will be proactively considered during system development.
	Security Policies	Enterprise information security policies will be issued across the organization.
		Coordinate information security measures through a cross-functional forum.
		The risks associated with access to organizational IT facilities by third parties must be assessed and appropriate security controls implemented.
		Contracts with third parties involving access to organizational IT facilities must specify security conditions.
		A written policy document must be available to all employees responsible for information security.
	Management Framework	A management framework will be established to initiate and control the implementation of information security within the organization.
		Responsibilities and procedures for the management and operation of all computers and networks must be established.
	Information Owner	Designate an owner and custodian for all information assets (SAM 4841.2 requires a data owner and custodian for all data files and databases).
	Information Custodian	Designate a custodian for all information assets (SAM 4841.2 requires a custodian for all data files and databases).
	Security Classification (refer to Asset Classification and Control Component)	Information owners define access, security and integrity controls based on security classification and risk assessment.
		Designated owner classifies information in accordance with law and administrative policy (SAM 4841.3).
		Designated owner classifies information in accordance with the need to control access to information, security and integrity (SAM 4841.5).
		Designated owner classifies information as described in the Organization's External Customer Access Policy.
	Employee/User	Security must be addressed during an employee's entire employment period, or contractor's engagement.
		Responsibilities for the protection of individual assets and for carrying out specific security processes must be explicitly defined.
		Users must be trained in security procedures and the correct use of IT facilities.
		Users should be formally authorized in writing about the scope of their access rights and restrictions.
		Use information assets only for State approved purposes.
		Comply with applicable laws and with Administrative, Departmental and Program policies, procedures, and standards.
	Security Incidents	Incidents affecting security must be reported immediately upon detection to management and to the ISO.
		IT assets will be monitored for potential or actual security incidents or breaches.
		When security incidents or breaches occur, appropriate/corrective actions will be taken as soon as possible.
	Monitoring, Logging and Audit Mechanism:	The security of IT systems must be regularly audited.
		IT systems must have controls to safeguard operational systems and audit trails to assist during system audits.
		Monitoring, logging and auditing must be accounted for in the design stages of the system.
		Appropriate log archives as identified in the security requirements must be collected and maintained for a period of time consistent with the legal and business needs of the organization.
		Monitor logs and alerts regularly for deviations from the norm and take appropriate action.
		To detect unauthorized activities, systems must be monitored to ensure conformity to access policy.

	Ensure that "Password" rules are sufficiently strong and enforced to protect the information and system.
	Ensure that the authentication mechanisms are properly administered.
	Restrict and control the use of special privileges.
	Prevent proliferation of User IDs and passwords.
	Control and secure the allocation of user passwords.
	Enforce the users follow good security practices in the selection and use of passwords.
	Ensure management processes for network computers that span organizational boundaries are addressed.
	There will be a formal user registration and de-registration procedure for access to all multi-user IT services.
	Connections by remote users via public (or non-organization) to the enterprise networks will be authenticated.

	Ensure the safeguarding of information in networks and protection of the supporting infrastructure.
	Secure all enterprise IT resources and data through access controls.
	Define and maintain employee access controls for each job function.
	Trace computer activities to individuals.
	Access to computer services and data are controlled on the basis of business requirements.
	Access to computer facilities is controlled.
	Systems are monitored to ensure conformity to access policy and standards.
	Access to IT services must be via an effective, secure logon process.

	Control and physically protect computer media.
	Perform risk assessment and identify the critical processes
	Connections to networked services are monitored.
	Administer internal networks with security policies designed for the information they carry.
	Protect internal networks so they may not create exposure to other networks that might have different needs.
	Limit the number of public accessible servers, placing them in an independent network.
	Ensure that alternative processing facilities are available to handle situations requiring the activation of the enterprise’s business continuity plans.
	Control connections to the organization's computing and network services.

	Use logical access controls to control access to application systems and data.
	Develop procedures for the allocation of access rights to IT services.
	Safeguard all private data and data communications.

	Ensure special measures are in place to protect sensitive information over the public networks
	Record and change data only under business application control.
	Manage all enterprise data for back-up and fast recovery.

Non-repudiation services must be used where it might be necessary to resolve disputes about occurrence or non-occurrence of an event or action; e.g., a dispute involving use of a digital signature on an electronic contract or payment.

Sub-component	Description	Standard
Identification & Authentication -Internal Customer	User IDs	No shared accounts
		No guest accounts
		The user should have the same User ID for all systems. The systems administrators will resolve conflicts.
		Disable the User ID after failed (enter number) logon attempts.
		User IDs will: - be up to 8 characters long - in the format of first initial, last name with a numeric qualifier to make the User ID unique in the eighth position if necessary.
		User IDs will be based on (from high to low desirability) enterprise NT User ID, EMC2 ID and Office Vision (PROFS) ID.
		Revoke/cancel User IDs and collect ID cards, keys and electronic access devices when an employee leaves their cost center on their last working day.
		Service account User IDs are prefixed with #
		Training account User IDs are prefixed with !
		Special User IDs will have limited authorized accesses.
	Passwords	Strong Passwords are required: Keep password confidential - do not loan, share or borrow passwords. Do not write down your password. Change compromised passwords immediately. Do not include passwords in any programmed logon process (e.g. stored in a macro or function key, etc.). Passwords not changed after 90 days will be disabled. Passwords must a combination of alphabetic and numeric or special characters. Passwords must be six (6) characters minimum Passwords will be disabled after 45 days of inactivity. New passwords must be different than the prior six passwords.
		Temporary passwords are good only for one use.
		Allow password changes no more than once daily.
		Do not display passwords.
		Encrypt stored passwords and password files.
		Enforce password standards for remote access devices.
		A trusted third party authentication infrastructure with strictly enforced password rules must be provided for users who typically require access to more than one system for "normal" business activities.
		Verify the identity of staff before resetting or providing a temporary password.
	Access requestor	Verify the identity and authority of the requester before granting new or revoking existing access.
	Logoff	Terminate active sessions when leaving your work area or when finished unless an appropriate lock (i.e. screen saver password) or time-out features can secure the session.
	Audit trails	System must be set to log all denied access attempts.
		Track up to six passwords not allowing use of any of the prior five.
	Administration	It is the manager's responsibility to ensure the user has a Confidentiality Statement (DE7410) on file before granting access to information classified as confidential or sensitive.
	Authentication	Applications that do not access sensitive or confidential information do not require authentication.
		Logging on to a network will require, at a minimum, a user ID and password combination.
		Connections by remote computer systems will be authenticated.
Identification & Authentication -External Customer	Security requirements from the organization's External Customer Access Policy:
	Public Information	Identification and Authentication are not required for access to public information.
	Sensitive Information	Access to "sensitive" information is not allowed.
	Confidential Information	The system must uniquely identify the requester and the establish authority to grant access.
		The system must provide a method for the verification of the individual accessing the system by using a Personal Identification Number (PIN), smart card or biometrics.
	Identification Standards	Ensure a unique identifier is used for each constituent group and no duplicate identifier exists between any two groups. (?How does this reconcile with the first standard?) Question for ITDQC

Subcomponent	Description	Standard
Access Control	Firewalls	Mechanisms such as firewalls must be used for all external connections to/from the organization and the Internet, to/from systems belonging to other organizations and on both sides of any Web Servers that are connected to both the organization's network and the Internet
		Implement necessary services on the firewall.
		Firewalls will be used to protect the intranet from the Internet and access from other non-the organization organizations.
		All unnecessary network services will be disabled e.g. FTP or News.
		All security related TCP/IP stack patches will be installed upon identification and testing of those patches.
		Firewall must not allow IP address spoofing, i.e. faking the sending address of a transmission in order to gain illegal entry into a secure system.
		Firewall must log all relevant data.
		Firewall must generate an alert if there is a sign of a security breach or an attempted breach.
		Limit and monitor the amount and type of traffic passing through the firewall in either direction.
	Firewall Policy	A network protection policy (i.e. firewall policy) must be defined and periodically reviewed.
		Audit firewall against firewall policy.
		The firewall policy must cause the check for: List of permitted services Configuration of firewall with list of services All security patches have been applied and unnecessary services disabled Scan of firewalls for active services Probe of the host that should be protected by the firewall Check of maintenance procedures and who checks the daily logs
		Firewalls and possibly physical separation must be used to segregate the organization's internal networks into subnets that can be administered with security policies designed for the information they carry without exposing other domains that might have different needs.
		Limit the number of public accessible servers, placing them in an independent network subnet.
		TCP/IP hosts will be protected on isolated sub nets.
		Any network traffic that is not specifically allowed, is forbidden
		Where appropriate, separate services on different computers or in a DMZ so that a successful attack on a service will not result in total access.
	Subnets	Network domains containing confidential organization information must be isolated from all inbound traffic initiated from other network domains.
	Access	Access to computer services and data must be controlled on the basis of business requirements.
		Access control mechanisms must default to disallow all unauthorized users from any access rights to organization information.
		A logon banner must exist to warn the user that the system is for official use only and an unauthorized user may be subject to prosecution.
	Remote Access	Remote access is restricted to approved access paths only (i.e. RAS, through the Internet, or WAN).
		All external connections to/from the organization are untrusted and must be allowed only through approved the organization controls.
		Untrusted internal network domains must be isolated from the organization's trusted internal network domains using approved the organization controls.
	Physical location	IT resources (systems, network components, peripheral devices and media) supporting the organization's confidential business information must be housed in secure areas with access limited to authorized personnel.
		No workstation or multi-user system must allow access to its information by any unauthorized person.
		The use of special privileges must be restricted and controlled.
		Business requirements for access control will be defined and documented.
		The route from the user terminal to the computer service needs to be controlled (access closets).
	Other	Access to diagnostic ports will be securely controlled.
		Shared networks require individual network routing and access controls.
		Inactive terminals in high risk locations, or serving high risk systems, will be set to time out, to prevent access by unauthorized users.
		Restrictions on access or connection times are required to limit access of hackers.
		Access to system utilities will be securely controlled and will not be accessible by the general staff.
		Access to all libraries will be restricted to a need for access.
		Sensitive systems and data require a dedicated (isolated) computing environment.
		All security related releases of network operating systems will be kept up-to-date to insure that all the latest security issues have been addressed.
	Electronic Commerce	Controls for electronic commerce must be applied to protect the access and interchange of information between business partners, customers, and other enterprise users to protect from unauthorized access, disclosure or modification of information.
	Assigning access rights	Establish formal procedures to control allocation of access rights to systems and data through all stages in the life cycle.
	Mobile Computing	When using mobile computing or teleworking, special precautions must be taken to minimize the risk of unauthorized access and use.
		Dial up users will be subject to strong password use.
		Sensitive local data on the hard drive will be protected in a manner that if the computer is stolen, the information is useless to the thief.
		The designated owner authorizes access to the organization’s informational resources based on information classification and business need (SAM 4841.5) .
		Phone numbers and procedures for mobile computing access must be treated as sensitive.

Subcomponent	Description	Standard
Availability	Data	Enterprise data must be recoverable within the timeframes set by Service Level Agreements (SLAs) and the procedures established in the Business Continuity Plan.
		Enterprise critical or confidential data must be stored on a production environment network server.
		Backup of essential business data and software must be taken regularly.
		Recovery must be tested regularly.
		If a production system or software version installation fails, the appropriate data for the prior version must be available.
	Planning	Business continuity plans must be available to protect critical business processes from the effects of major failures or disasters.
		The business continuity plan and processes in place will be regularly tested and updated where appropriate.
		New versions of software, must have a complete, tested, back-out recovery plan prior to installation
	Equipment	All equipment components of the physical system must consider the availability and confidentiality of the data and visibility of failure (degree of risk) during systems design.
	Network	Large networks must be divided into separate sub networks or segments to insure controllability, security and recoverability.
		Highly critical circuits must have a degree of redundancy that is in accordance with the criticality of the data carried on that circuit.
		The risks associated with the use of network services will be established.
	Software	Software versions must be recoverable, e.g., if a version of software installed in production fails, the prior version must be recoverable.
		Software fixes, both off the shelf and operating system must be installed expeditiously.
		Software must be fully operational before being implemented (i.e., tested),

Subcomponent	Description	Standard
Confidentiality	Data Storage	Confidential the organization data stored on media in an area which is not trusted must be encrypted based on the risk management plan (i.e. data stored on laptops, back-up files stored at disaster recovery sites, etc.).
		Enterprise critical or confidential data must be stored in a secure production environment.
		Computers containing sensitive or confidential information must not be accessible to unauthorized people, applications and systems.
	Data Transmission	Movement of confidential the organization data on a public network must be protected by encryption mechanisms.
	Data Destruction	Sensitive or confidential data must be destroyed in a timely and appropriate manner. This includes data stored on hard drives, tapes, floppy disks, CD-ROMs, and hardcopy printouts.
		Within a "trusted" environment, movement of confidential the organization data must be protected by appropriate access control mechanisms.
	Transit Points	Telephone and data closets must not be accessible to other than authorized staff or contractors.
	Computers	Access to network enabled computers will require proper identification and authorization.

Subcomponent	Description	Standard
Data Integrity	Data	Data defined as enterprise data will be backed-up on a regular basis.
		Data integrity should be checked using concepts such as checksums.
		A plan to backup and recover data must be developed and tested for all critical data.
		Enterprise data is always stored on a network server.
		Data will be stored "off-site" for those systems deemed critical.
		Off-site storage will be in a secure area.
		Recovery of data must be tested.
		Limit the number of access paths (ports) to data and monitor those access ports.
		Implement controls to prevent and detect introduction of unauthorized and malicious software.
		Only authorized modifications may be made to systems, public or private.
		Special care should be taken on publicly available systems to ensure the integrity of electronic information to prevent unauthorized modification that may harm the reputation of the organization.
		Update virus definitions monthly across all platforms or more often as needed from a reliable source.
		Virus attacks will be reported upon detection to the Information Security Office (ISO).
		Detection of hacking attempts will be reported immediately to the ISO.
		Take immediate action to notify, contain, cleanse and protect affected and at risk computing platforms and data.

Component	Description	Standard
Non-Repudiation	Recipient	Ensure the authenticity and integrity of the electronically sent document; i.e., the ability to verify the identity of the sender, as well as the ability to verify that a document has not been altered since it was sent by using PKI.
		Control interactive access to the electronic sending system via a user authentication process.
		Generate a positive acknowledgment to the sender indicating that the document has been received.
		Employ cryptographic techniques to generate unique electronic or digital signatures that can be decrypted to prove the origin of a message.
	Sender	If appropriate, ensure that digital signatures are appended to messages received from another party, whether requests or responses.
		Submit in a designated electronic file format and retain in the electronic format in which submitted.
		Include the identity of the receiver, date and time of the document's receipt (as part of the positive acknowledgment) and an assign a document reference number.
		For applications requiring non-repudiation, digital signature will be used. Encryption methodology and key management will depend on the hardware and software solution selected.
	Digital Signatures - California Code of Regulations	Digital Signatures are acceptable for the organization's purposes as per California Code of Regulations §22001 through §22003.
		Uniform Electronic Transactions Act (effective Jan1, 2000).
		The signer of electronic messages must protect their private key form compromise.
		Upon separation from the organization the private key must be revoked.
		The Certificate Authority (CA) must revoke a certificate and place on a Certification Revocation List (CRL) upon notification of a compromised certificate.
		Reliant parties must actually verify the digital signature and check its validity against the current CRL maintained by the online repository.

2. Personnel and Site Security Component

	Security incidents will be reported to management on a periodic basis.
	Management will participate in the resolution of security incident patterns.

	Management will ensure that equipment is secured.
	Sensitive and confidential documents will be safeguarded.
	Management will ensure that staff is apprised of current physical security policies.
	Management will ensure that staff is apprised of changes to existing physical security policies in a timely fashion.
	Secure facility areas will have controlled access.

	Recruitment announcements and contract Requests for Proposals will be security informative, and references will be checked.
	Employees will be familiarized with security requirements.
	Users must be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.
	All employees and contractors will be made aware of the procedures for reporting the different types of incident (security breach, threat, weakness or malfunction) that might have an impact on the security of organizational assets.
	All employees and contractors will be required to report any observed or suspected incidents as quickly as possible to the designated point of contact.
	All employees will be expected to participate in initial, and ongoing, security programs.
	All employees and contractors will comply with security-related laws, policies and guidelines.
	Managers and supervisors will address reported incidents.
	There will be established, well communicated, disciplinary processes for dealing with security breaches will be referred to HRSD.
	Instances of security breaches will be dealt with by established, well communicated, disciplinary processes.

Sub-component	Description	Standard
Physical Security	Equipment	Equipment will be physically protected from security threats and environmental hazards.
		IT infrastructure supporting critical or sensitive business activities will be housed in a secure area and manner.
		Secure areas will be protected by appropriate entry controls.
		Critical systems will be designed to survive power interruptions and failures.
		the organization utilized power and telecommunication cabling will be protected from interception or damage.
		Data will be permanently erased from equipment prior to disposal.
		the organization’s equipment will be secured when it is outside the work site.
	Clear Desk Policy	Confidential and sensitive information will be secured when unattended.
	Facilities	IT facilities supporting critical or sensitive business activities must be housed in secure areas.

Sub-component	Description	Standard
Personnel Security	Recruitment	Job descriptions and/or Requests for Proposal (RFP) will define security roles and responsibilities.
		Applications for employment will be screened if the job involves access to the organization's sensitive information To the extent possible as allowed by the organizations human resources organization and regulations.
	Workforce	the organization staff will sign a confidentiality agreement.
		Staff will be trained in security procedures and the correct use of the organization IT systems and facilities.
		Staff will be trained in information security threats and the consequences for not following policy or procedure.
		Staff and contractors will be trained in security procedures and the correct use of the organization IT systems and facilities.
		Staff will be given adequate security education and technical training.
	Reporting (Incidents)	Incidents affecting security will be reported through management channels as quickly as possible.
		Security incidents will be investigated and, if possible, responsibility localized.
		Suspected security weaknesses will be reported.
		Security failures will be investigated as a top priority.
	Enforcement	An established, well communicated, disciplinary process will be implemented for dealing with security breaches.
		Staff responsible for security breaches, will be disciplined.

2. Communications and Operations Management Component

	Responsibilities and procedures for the management and operation of all information processing facilities must be established including the development of appropriate operating instructions and incident response procedures.
	Segregation of duties must be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

	Advance planning and preparation are required to ensure the availability of adequate computing and storage capacity and resources.
	Projections of future capacity requirements must be made, to reduce the risk of system overload and potential failure.
	The operational requirements of new systems must be established, documented and tested prior to their acceptance and use.

	Software should be from a trusted source.
	Software should be tested for validity periodically to prevent unauthorized modification of that software.

Routine procedures must be established for carrying out the agreed back-up strategy taking back-up copies of data and rehearsing their timely restoration, logging events and faults and, where appropriate, monitoring the equipment environment.

	Additional controls are required to protect sensitive data passing over public networks.
	Network access points (remote access or dialup) will have access controls to the same level as a person who is accessing the computer from within the network boundaries.
	Firewalls will be used to detect and report unauthorized intruders on the network.

Appropriate operating procedures must be established to protect documents, computer media (tapes, disks, cassettes), input/output data and system documentation from damage, theft and unauthorized access.

	Exchanges of information and software between organizations must be controlled, and must be compliant with any relevant legislation, state policy and regulations.
	Procedures and standards to protect information and media in transit must be established.
	The business and security implications associated with electronic data interchange, electronic commerce and electronic mail and the requirements for controls must be ensured.
	Exchanges must be carried out on the basis of formal written agreements.

Sub-component	Description	Standard
Operational procedures and responsibilities	General	The operating procedures identified by the security policy must be documented and maintained. Operating procedures must be treated as formal documents and changes authorized by management. The procedures must specify the instructions for the detailed execution of each job. Documented procedures must also be prepared for system housekeeping activities associated with information processing and communication facilities, such as computer start-up and shutdown procedures, back up, equipment maintenance, computer room and mail handling management and safety.
	Operational change control	Changes to information processing facilities and systems must be controlled. Formal management responsibilities and procedures must be in place to ensure satisfactory control of all changes to equipment, software or procedures. Operational programs must be subject to strict change control.
	Operational change control (continued)	When programs are changed, an audit log containing all relevant information must be retained. Changes to the operational environment has impacts on applications. Wherever practicable, operational and application change control procedures must be integrated.
	Incident management procedures	Incident management responsibilities and procedures must be established to ensure a quick, effective and orderly response to security incidents. Procedures must be established to cover all potential types of security incident. Audit trails and similar evidence must be collected and secured, as appropriate. Action to recover from security breaches and correct system failures must be carefully and formally controlled.
	Segregation of duties	Separate the management or execution of certain duties or areas of responsibility, in order to reduce opportunities for unauthorized modification or misuse of information or services. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision will be considered. Security audit will remain independent. Ensure that no single person can perpetrate fraud in areas of single responsibility without being detected. The initiation of an event must be separated from its authorization.
	Separation of development and operational facilities	Separating development, test and operational facilities is required to achieve segregation of the roles involved. Rules for the transfer of software from development to operational status must be defined and documented.
	Separation of development and operational facilities (continued)	All code will be tested prior to implementation. Development and testing activities will be separated from the production environment Only authorized staff has access to testing, development and production environments. Development and operational software will run on different computer processors, or in different domains or directories. Development and testing activities must be separated. Compilers, editors and other system utilities must not be accessible from operational systems. Different log-on procedures must be used for operational and test systems. Development staff must only have access to operational passwords where controls are in place for issuing passwords for the support of operational systems.
		Controls must ensure that such passwords are changed after use.
	External facilities management	Risks associated with the use of an external contractor must be identified in advance, and appropriate controls agreed with the contractor and incorporated into the contract.

Sub-component	Description	Standard
System planning and acceptance	General	All new systems will be monitored during startup.
		All critical systems will be monitored on a ongoing basis and will be subject to a SLA.
		All network devices, circuits and segments will be monitored.
		All new systems will be monitored during acceptance test to establish system-wide operational requirements.
	Capacity planning	Capacity demands must be monitored and projections of future capacity requirements made. Mainframe services must monitored the utilization of key system resources, including processors, main storage, file storage, printers and other output devices, and communications systems identifying identify trends in usage. Capacity information will be used to identity and avoid potential bottlenecks that might present a threat to system security or user services. Plan appropriate remedial action to resolve capacity issues.
	System acceptance	Acceptance criteria for new information systems, upgrades and new versions must be established and suitable tests of the system carried out prior to acceptance. Requirements and criteria for acceptance of new systems will be clearly defined, agreed, documented and tested. The operations organization and users must be consulted at all stages in the development process to ensure the operational efficiency of the proposed system design Appropriate tests must be carried out to confirm that all acceptance criteria are fully satisfied.

Subcomponent	Description	Standard
Protection against malicious software	Controls against malicious software	Implement detection and prevention controls to protect against malicious software. Implement appropriate user awareness procedures regarding malicious software. Base protection against malicious software on security awareness, appropriate system access and change management controls. Comply with software licenses and prohibit the use of unauthorized software. determine what protective measures must be taken for software from non-traditional sources. Install and regularly update of anti-virus detection and repair software to scan computers and media on a routine basis. Conduct reviews of the software and data content of systems supporting critical business processes for unauthorized changes. Report and formally investigate any unapproved files or unauthorized amendments as a security incident. Check any files on electronic media of uncertain or unauthorized origin, or files received over untrusted networks, for viruses before use Check any electronic mail attachments and downloads for malicious software before use.
Protection against malicious software	Controls against malicious software (continued)	Develop management procedures and responsibilities to deal with the virus protection on systems, training in their use, reporting and recovering from virus attacks. Develop appropriate business continuity plans for recovering from virus attacks, including all necessary data and software back-up and recovery arrangements. Develop procedures to verify all information relating to malicious software, and ensure that warning bulletins are accurate and informative. Ensure that qualified sources; e.g., reputable journals, reliable Internet sites or anti-virus software suppliers, are used to differentiate between hoaxes and what to do on receipt of them and real viruses. Staff must be made aware of the problem of hoaxes. Staff must be made aware of virus infection and remediation as early as possible.
"		Virus software must be upgraded as new viruses appear.
"		Virus must be reported upon detection.
"		Periodic virus updates from a reliable source must be done.

Subcomponent	Description	Standard
Housekeeping	Information back-up	Back-up copies of essential business information and software must be taken regularly. Adequate back-up facilities must be provided to ensure that all essential business information and software can be recovered following a disaster or media failure. Back-up arrangements for individual systems must be regularly tested to ensure that they meet the requirements of business continuity plans A minimum level of back-up information, together with accurate and complete records of the back-up copies and documented restoration procedures, must be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. Maintain at least three generations or cycles of back-up information for important business applications.
	Information back-up (continued)	Back-up information must be given an appropriate level of physical and environmental protection consistent with the standards applied at the main site. The security controls applied to media at the main site must be extended to cover the back-up site. Back-up media must be regularly tested, where practicable, to ensure that they can be relied upon for emergency use when necessary. Restoration procedures must be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery. The retention period for essential business information, and also any requirement for archive copies to be permanently retained, must be determined.
	Operator logs	Operational staff must maintain a log of their activities. Logs must include, as a minimum: system starting and finishing times; system errors and corrective action taken; confirmation of the correct handling of data files and computer output; the name of the person making the log entry. Operator logs must be subject to regular, independent checks against operating procedures.
	Fault logging	Faults must be reported and corrective action taken. Faults reported by users regarding problems with information processing or communications systems must be logged. There must be clear rules for handling reported faults.

Subcomponent	Description	Standard
Network controls		Network managers must implement controls to ensure the security of data in networks, and the protection of connected services from unauthorized access. Operational responsibility for networks must be separated from computer operations where appropriate. Responsibilities and procedures for the management of remote equipment, including equipment in user areas, must be established. Controls must be established to safeguard the confidentiality and integrity of data passing over public networks, and to protect the connected systems. Special controls will also be required to maintain the availability of the network services and computers connected to the network. Ensure that controls are consistently applied across the information-processing infrastructure to optimize the service to the business.
		Controls to access points of the network must be established and enforced.
		All network devices connected to the infrastructure must be fully tested prior to implementation on the production network.
	Public Accessible Servers	Public accessible servers must be carefully monitored and controlled to ensure their content is appropriate and authorized.
		Public access server data content will be separated from operation data content.
		Protect all data on the private network from public access.

Subcomponent	Description	Standard
Media handling and security	Management of removable computer media	Establish procedures for the management of removable computer media, such as tapes, disks, cassettes and printed reports. The previous contents of any reusable media that are to be removed from the organization must be erased. Authorization must be required for all media removed from the organization and a record of all such removals to maintain an audit trail must be kept. All media must be stored in a safe, secure environment, in accordance with manufacturers' specifications.
		All procedures and authorization levels must be clearly documented.
	Disposal of media	Dispose of media securely and safely when no longer required. Media must be emptied of data before use by another application within the organization. Establish formal procedures for the secure disposal of media to minimize the risk of misuse of sensitive information. Media containing sensitive information must be stored and disposed of securely and safely; e.g., by incineration or shredding, or A contractor offering collection and disposal services must have adequate controls and experience. Disposal of sensitive items must be logged in order to maintain an audit trail. Dispose of media often, a large quantity of unclassified information contains sensitive information, often more than a small quantity of classified information.
	Information handling procedures	Establish procedures for the handling and storage of information in order to protect such information from unauthorized disclosure or misuse. Develop procedures for handling information consistent with its classification in documents, computing systems, networks, mobile computing, mobile communications, mail, voice mail, voice communications in general, multimedia, postal services/facilities, use of fax machines and any other sensitive items; e.g., blank checks, invoices.
	Security of system	System documentation must be stored securely. The access list for system documentation must be kept to a minimum and authorized by the application owner. System documentation held on a public network, or supplied via a public network, must be appropriately protected.
"		Computer media should be controlled and physically protected.

Subcomponent	Description	Standard
Exchanges of information and software	Information and software exchange agreements	Develop formal software escrow agreements when appropriate. Establish formal agreements for the exchange of information and software (whether electronic or manual) between organizations. Agreements must reflect the sensitivity of the business information involved
	Security of media in transit	Use reliable transport. Develop a list of authorized couriers. Develop a procedure to check the identification of couriers implemented. Packaging must be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with manufacturers' specifications. Special controls must be adopted, where necessary, to protect sensitive information from unauthorized disclosure or modification.
	Electronic commerce security -	Develop electronic commerce agreements between trading partners which commits both parties to the agreed terms of trading, including details of authorization, authentication and non-repudiation.
	Security of electronic mail Security risks	Develop controls to reduce security risks created by electronic mail.
	Policy on electronic mail	Organizations must draw up a clear policy regarding the use of electronic mail.
	Security of electronic office systems	Develop and implement policies and guidelines to control the business and security risks associated with electronic office.
	Publicly available systems	Develop processes and procedures to protect the integrity of electronically published information. preventing unauthorized modification that could harm the reputation of the publishing organization. Comply with laws, rules and regulations in the jurisdiction in which the system is located or where trade is taking place. Have a formal authorization process before information is made publicly available. Protect by appropriate mechanisms, software, data and other information requiring a high level of integrity, and/or made available on a publicly available system. Electronic publishing systems, especially those that permit feedback and direct entering of information, must be carefully controlled.
	Other forms of information exchange	Develop and implement a policy statement of the procedures staff are expected to follow in using voice, facsimile and video communications.
		Develop and implement security controls and policies the staff will be expected to follow prior to the public dissemination of any information.

	Application and network systems include all infrastructure, business applications and user-developed applications required to operate that system.
	All security requirements, including the need for fallback arrangements, must be identified at the requirements phase of a project and justified, agreed to, and documented as part of the overall business case for an information system.
	The design and implementation of the business processes supporting the application or service can be crucial for security.
	Security requirements must be identified and agreed to prior to the development of information systems.
	The design and implementation of security administration processes are crucial to ensuring application security.
	Any security requirement for new login processes must be integrated into existing processes.

	Appropriate controls and audit trails or activity logs must be designed into application systems, including user written applications.
	Include the validation of input data, internal processing and output data to insure data integrity.
	Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical organizational assets, based on risk to those assets.
	Controls must be determined on the basis of security requirements and risk assessment.

	Cryptographic systems and techniques must be used for the protection of information that is considered at risk and for which no other controls would provide adequate protection.
	Cryptographic controls must be applied for sensitive and personal data transferred through the Internet.
	Cryptographic data storage should be used for the most sensitive data, such as storage of individuals personal identifiers (PINs).

	Access to system files must be controlled.
	Maintaining system integrity must be the responsibility of the business owner or development group to whom the application system or software belongs.

	Project and support environments must be strictly controlled.
	Managers responsible for application systems must also be responsible for the security of the project or support environment. Ensuring that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.

Subcomponent	Description	Standard
Application Systems Security	Input data validation	Check input to detect the following errors: out-of-range values; invalid characters in data fields; missing or incomplete data; exceeding upper and lower data value and volume limits; unauthorized or inconsistent control data. wrong input data file utilized. Review the content of key fields or data files to confirm their validity and integrity. Inspect hardcopy input documents for any unauthorized changes to input data (all changes to input documents should be authorized). Establish procedures for responding to validation errors. Establish procedures for testing the plausibility of the input data. Test all procedures using mockup data, prior to testing with real data. Define the responsibilities of all personnel involved in the data input process.
	Control of internal processing	Establish session or batch controls to reconcile data file balances alter transaction updates. Use balancing controls to check opening balances against previous closing balances, namely: run-to-run controls; file update totals; program-to-program controls. Validate the integrity of data or software downloaded, or uploaded, between central and remote computers. Create and use hash totals of records and files, as appropriate. Validate that application programs are run at the correct time and in the correct order using correct files. Insure processing is halted if programs terminate En case of a failure, until the problem is resolved.
	Output data validation	Output validation includes: plausibility checks to test whether the output data is reasonable; reconciliation control counts to ensure processing of all data; providing sufficient information for a reader or subsequent processing system to determine the accuracy, completeness, precision and classification of the information; procedures for responding to output validation tests; defining the responsibilities of all personnel involved in the data output process. arrival of key information from different processes.

Subcomponent	Description	Standard
Cryptographic Controls	Policy on the use of cryptographic controls	Develop a policy on the use of cryptographic controls for protection of its information. The cryptographic control policy must consider: the management approach towards the use of cryptographic controls across the organization, including the general principles under which business information should be protected; the approach to management of keys, including methods to deal with the recovery of encrypted information in the case of lost, compromised or damaged keys; roles and responsibilities; e.g., who is responsible for: the implementation of the policy; the management of keys; how the appropriate level of cryptographic protection is to be determined; the standards to be adopted for the effective implementation throughout the organization (which solution is used for which business processes).
	Encryption	Identify the required level of protection, taking into account the type and quality of the encryption algorithm used and the length of cryptographic keys to be used.
	Digital signatures	Protect the confidentiality of private keys. Provide public key security by the use of a public key certificate. Cryptographic keys used for digital signatures must be different from those used for encryption. Designers must be knowledgeable about legislation that describes the conditions under which a digital signature is legally binding. It may be necessary to have binding contracts or other agreements to support the use of digital signatures. Legal advice should be sought regarding the laws and regulations that might apply to the organization's intended use of digital signatures.
	Non-repudiation services	Non-repudiation services must be used where it might be necessary to resolve disputes about occurrence or non-occurrence of an event or action; e.g., a dispute involving use of a digital signature on an electronic contract or payment.
	Protection of cryptographic keys	All keys should be protected against modification and destruction. Secret and private keys need protection against unauthorized disclosure. Physical protection should be used to protect equipment used to generate, store and archive keys.
	Key Management	Base the key management system on an agreed set of standards, procedures and secure methods for: generating keys for different cryptographic systems and different applications; generating and obtaining public key certificates; distributing keys to intended users, including how keys should be activated when received; storing keys, including how authorized users obtain access to keys; changing or updating keys including rules on when keys should be changed and how this will be done; dealing with compromised keys; revoking keys including how keys should be withdrawn or deactivated; e.g., when keys have been compromised or when a user leaves an organization (in which case keys should also be archived); recovering keys that are lost or corrupted as part of business continuity management; e.g., for recovery of encrypted information; archiving keys; e.g., for information archived or backed up; destroying keys; logging and auditing of key management related activities.
	Standards, procedures and methods	Keys must have defined activation and deactivation dates so they can only be used for a limited period of time. Procedures need to be considered for handling legal requests for access to cryptographic keys; e.g., the encrypted information may need to be made available in an unencrypted form as evidence in a court case. Public keys must be protected by the use of a public key certificate. Use certificates that uniquely binds information related to the owner of the public/private key pair to the public key. The contents of service level agreements or contracts with external suppliers of cryptographic services; e.g., with a certification authority, will cover issues of liability, reliability of services and response times for the provision of services.

Subcomponent	Description	Standard
Systems Files Security	Control of operational software	The updating of the operational program libraries must only be performed by the nominated librarian upon appropriate management authorization. Operational systems must only hold executable code. Executable code must not be implemented on an operational system until evidence of successful testing and user acceptance is obtained, and the corresponding program source libraries have been updated. An audit log must be maintained of all updates to operational program libraries. Previous versions of software must be retained as a contingency measure. Vendor supplied software used in operational systems must be maintained at a level supported by the supplier. Any decision to upgrade to a new release should take into account the security of the release; i.e., the introduction of new security functionality or the number and severity of security problems affecting this version. Software patches must be applied when they can help to remove or reduce security weaknesses. Physical or logical access will be given to suppliers for support purposes when necessary, and with management approval. Supplier's activities should be monitored.
	Protection of system test data	Test data will be protected and controlled. The use of operational databases containing personal information should be avoided as test data. Depersonalize test data before use. The following controls should be applied to protect operational data, when used for testing purposes. The access control procedures, which apply to operational application systems, will also apply to test application systems. There will be separate authorization each time operational information is copied to a test application system. Operational information will be erased from a test application system immediately after the testing is complete. The copying and use of operational information will be logged to provide an audit trail.
	Access control to program source library	Program source libraries will not be held in operational systems, but in secure libraries which protect that code. A program librarian will be appointed or each application. IT support staff will not have unrestricted access to program source libraries. Programs under development or maintenance will not be held in operational program source libraries. The updating of program source libraries and the issuing of program sources to programmers will only be performed by the librarian upon authorization from the IT support manager for the application. Program listings will be treated as containing sensitive information. An audit log will be maintained of all accesses to program source libraries. Old versions of source programs will be archived, with a clear indication of the precise dates and times when they were operational, together with all supporting software, job control, data definitions and procedures. Maintenance and copying of program source libraries will be subject to strict change control procedures.

Subcomponent	Description	Standard
Development and Support Processes	Change control procedures	Maintain a record of agreed authorization levels. Ensure changes are submitted by authorized users. Review controls and integrity procedures to ensure that they will not be compromised by the changes. Identify all computer software, information, database entities and hardware that require amendment. Obtain formal approval for detailed proposals before work commences. Ensure that the authorized user accepts changes prior to any implementation. Ensure that implementation is carried out to minimize business disruption. Ensure that the system documentation set is updated on the completion of each change and that old documentation is archived. Maintain a version control for all software updates. Maintain an audit trail of all change requests. Ensure that operating documentation (and user procedures are changed as necessary to be appropriate. Ensure that the implementation of changes takes place at the right time and is not disturbing the business processes involved. Maintain an environment in which users test new software , segregated from development and production environments.
	Technical review of operating system changes	Review application control and integrity procedures to ensure that they have not been compromised by the operating system changes. The annual support plan and budget will cover reviews and system testing resulting from operating system changes. Allow time for appropriate reviews to take place before implementation. Changes are made to the business continuity plan as needed on a timely basis.
	Restrictions on changes to vendor software packages	The original software must be retained and the changes applied to a clearly identified copy. All changes must be fully tested and documented, so that they can be reapplied if necessary to future software upgrades.
	Prevention of Covert channels and Trojan code	Buy programs only from a reputable source. Buy programs in source code so the code may be verified. Use evaluated products. Inspect all source code before operational use. Control access to, and modification of, code once installed. Use staff of proven trust to work on key systems.
	Outsourced software development	Contract only with a reputable source. Source code must be furnished so the code may be verified. Use highly recommended vendors. Inspect all source code before operational use. Control access to, and modification of, code once installed. Verify references of any vendor.
	Systems Development	Security requirements (including security controls and audit trails) must be identified and agreed to during systems requirements development.
		Designers for applications must include the appropriate level of security as defined by the security requirements of the system.
		Access to system test files, project and control environments, must be designed into the system requirements.
		The design, operation and use of IT systems (both internal and external) and data is subject to statutory and contractual security requirements.
		Project and support environments must be strictly controlled.

	A business continuity management process must be implemented to reduce the disruption caused by disasters and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.
	Plans must be maintained and practiced to become an integral part of all other management processes.
	The consequences of disasters, security failures and loss of service must be analyzed.
	Business continuity management must include controls to identity and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.
	Contingency plans must be developed, implemented, and tested to ensure that business processes can be restored within the required time-scales.

Component	Description	Standard
Business Continuity		the organization's Business Continuity Plan will be based n a 72-hour recovery period. Implement a business continuity management process. Analyze the consequences of disasters, security failures and loss of service. Develop and implement contingency plans. Plans will be maintained and practiced. Plans will include: Controls to identity and reduce risks, Limit the consequences of damaging incidents, ensure the timely resumption of essential operations.
	Business continuity management process	There will be a managed process in place for developing and maintaining business continuity. Responsibility for coordinating the plan will be assigned at an appropriate level within the organization.
	Business continuity and impact analysis	The plan will Identify events that can cause interruptions to business processes. Determine the impact of those interruptions in terms of damage scale and recovery period Involve owners of business resources and processes. Assess all business processes (not limited to the information processing facilities). Be developed to determine the overall approach to business continuity. Will be endorsed by management.
	Writing and implementing continuity plans	Develop plans to maintain or restore business operations in the required time scales following interruption to, or failure of, critical business processes. The planning process will focus on the required business objectives; e.g., restoring of specific services to customers in an acceptable amount of time. The services and resources that will enable this to occur will be considered, including staffing, non-information processing resources, as well as fallback arrangements for information processing facilities
	Business continuity planning framework	A single framework of business continuity plans will be maintained to ensure that all plans are consistent, and to identity priorities for testing and maintenance. Each business continuity plan will specify clearly the conditions for its activation, as well as the individuals responsible for executing each component of the plan. When new requirements are identified, established emergency procedures; e.g., evacuation plans or any existing failback (or fallback) arrangements, will be amended as appropriate. Each plan will have a specific owner. Emergency procedures, manual fallback plans and resumption plans will be within the responsibility of the owners of the appropriate business resources or processes involved. Fallback arrangements for alternative technical services, such as information processing and communications facilities, will usually be the responsibility of the service providers.
	Testing, maintaining business continuity plans -	Business continuity plans will be tested regularly to ensure that they are up to date and effective. Schedule the frequency depending on the success of the prior tests. Never exceed a 12-month period between tests. Tests will also ensure that all members of the recovery team and other relevant staff are aware of the plans. The test schedule for business continuity plan(s) will indicate how and when each element of the plan will be tested. Test the individual components of the plan(s) frequently.
	Maintaining and re-assessing the plans	Business continuity plans will be maintained by regular reviews and updates to ensure their continuing effectiveness. Procedures will be included within the organization's change management program to ensure that business continuity matters are appropriately addressed. Responsibility will be assigned for regular reviews of each business continuity plan; the identification of changes in business arrangements not yet reflected in the business continuity plans will be followed by an appropriate update of the plan. This formal change control process will ensure that the updated plans are distributed and reinforced by regular reviews of the complete plan.
		Business continuity plans must be developed via a managed process to insure operation and recovery of critical business processes from the effects of major failures or disasters.
		Fully implement the Department's mission and DOIT Mission Critical definitions. Reference Department of Information Technology memorandum Dated June 11, 1999 Subject: Definition of Mission Critical
		Enterprise prioritization of critical business processes must be included in the recovery plan.

	The State’s automated files and databases are an essential public resource that must be given appropriate protection from loss, inappropriate disclosure, and unauthorized modification (SAM 4841.3).
	All information does not require the same level of protection.
	Al information has a designated owner.
	Enterprise information remains the property of the enterprise even if it has been distributed to other individuals or organizations.

the organization information regardless of form, should be inventoried.

	the organization information regardless of form, should be classified into at least three categories defined in the the organization External Customer Access Policy: public information, sensitive information, and confidential information.
	Information classification is an element of risk assessments.
	Collections of information are a greater security risk than single instances.

Staff handling information should be aware of the classification of that information.

Subcomponent	Description	Standard
Inventory of information	Ownership	Each asset must be clearly identified. Designate an owner for each information asset. Each asset's current location (important when attempting to recover from loss or damage) must be determined.
	Types	Assets must include: Information assets: databases and data files, system documentation, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements, archived information; Software assets: application software, system software, development tools and utilities; Physical assets: computer equipment (processors, monitors, laptops, modems), communications equipment (routers, PABXs, fax machines, answering machines), magnetic media (tapes and disks), other technical equipment power supplies, air conditioning units), furniture, accommodation; services: computing and communications services, general utilities; e.g., heating, lighting, power, air-conditioning.

the organization Classification	Tier	Classification	Example	Complexity and cost
Public	1	Public Information.	Information found in the lobby of an enterprise office, pregnancy duration and qualifications.	Negligible.
Sensitive	2	Sensitive information.	Policies and procedures.	Control by hand
Confidential	3	Confidential Information to a person about themselves.	When their check was mailed.	Simple
Confidential	4	Confidential record about a person.	The employment history for the individual.	Simple
Confidential	5	Confidential record about a person, for update.	The employment history for the individual.	Complex
Confidential	6	A group of confidential records.	The employment history files for one organization	Highly Complex
Confidential	7	A group of confidential records to be updated	The employment history file for multiple organizations	Highly Complex
Confidential	8	A group of files containing confidential information.	The personnel system	Very Highly complex

Subcomponent	Description	Standard
Information Classification	Labeling of assets	Classifications and associated protective controls for information will take account of business needs for sharing or restricting information, and the business impacts associated with such needs. Information and outputs from systems handling classified data will be labeled in terms of its value and sensitivity to the organization. Label information in terms of how critical it is to the organization.
	Asset Security Life	Information made public is no longer classified Classification guidelines will anticipate and allow for the fact that the classification of any given item of information is not necessarily fixed for all time, and may change in accordance with some predetermined policy.
	Responsibility	Classification categories will be limited in number. Overly complex schemes become cumbersome and uneconomic to use or prove impractical. Care will be taken in interpreting classification labels on documents from other organizations that may have different definitions for the same or similarly named labels. The responsibility for defining the classification of an item of information; e.g., for a document, data record, data file or diskette, and for periodically reviewing that classification, will remain with the originator or nominated owner of the information
	Information Owner	Designate an owner and custodian for all information assets (SAM 4841.2 requires a data owner and custodian for all data files and databases).
	Information Custodian	Designate a custodian for all information assets (SAM 4841.2 requires a custodian for all data files and databases).
	Security Classification	Information owners define access, security and integrity controls based on security classification and risk assessment.
		Designated owner classifies information in accordance with law and administrative policy (SAM 4841.3).
		Designated owner classifies information in accordance with the need to control access to information, security and integrity (SAM 4841.5).
		Designated owner classifies information as described in the the organization External Customer Access Policy.

Subcomponent	Description	Standard
Labeling and Handling		Output from systems containing information that is classified as being sensitive or confidential will carry an appropriate classification label (in the output). The labeling will reflect the classification according to the rules established in the the organization External Customer Access Policy. Physical labels will be used if appropriate. Information assets, documents in electronic form, will use a electronic means of labeling.