12.1 COMPLY WITH LEGAL REQUIREMENTS

Make sure that your information systems comply
with all relevant statutory security requirements.

Make sure that your information systems comply
with all relevant regulatory security requirements.

Make sure that your information systems comply
with all relevant contractual security requirements.

Make sure that your information systems comply with
all relevant international legal security requirements.

Consult with legal experts in order to ensure that your
information systems comply with all relevant national
and international legal security requirements.

12.1.1 IDENTIFY ALL RELEVANT LEGAL REQUIREMENTS

Identify and document all relevant statutory requirements
for each one of your organization’s information systems.

Identify and document all relevant regulatory requirements
for each one of your organization’s information systems.

Identify and document all relevant contractual requirements
for each one of your organization’s information systems.

Identify and document the controls that you need
in order to comply with statutory requirements.

Identify and document the controls that you need
in order to comply with regulatory requirements.

Identify and document the controls that you need
in order to comply with contractual requirements.

Identify and document the individual responsibilities
that must be met in order to comply with all relevant
statutory requirements.

Identify and document the individual responsibilities
that must be met in order to comply with all relevant
regulatory requirements.

Identify and document the individual responsibilities
that must be met in order to comply with all relevant
contractual requirements.

12.1.2 RESPECT INTELLECTUAL PROPERTY RIGHTS

12.1.2.1 CREATE INTELLECTUAL PROPERTY PROCEDURES

Establish procedures to ensure that your organization
complies with intellectual property rights and restrictions.

Make sure that your intellectual property procedures
ensure that your organization respects the legal rights
and restrictions that are imposed on the use of
intellectual property.

Make sure that your intellectual property procedures
ensure that your organization respects all copyrights.

Make sure that your intellectual property procedures
ensure that your organization respects restrictions on
the copying of proprietary material.

Make sure that your intellectual property procedures
ensure that your organization respects all design rights.

Make sure that your intellectual property procedures
ensure that your organization respects all trade marks.

Make sure that your intellectual property procedures
ensure that your organization respects all licenses.

12.1.2.2 COMPLY WITH ALL SOFTWARE COPYRIGHTS

Develop a software copyright compliance policy.

Make sure that your copyright compliance policy explains
that copyright laws and license agreements control the
use of proprietary software and information products.

Make sure that your copyright compliance policy explains
the difference between the legal use of software and
information products and their illegal use.

Develop policies and standards to control the purchase of software.

Make personnel aware of software compliance and purchasing policies.

Make it clear that your organization will take disciplinary action whenever
staff members violate your software compliance and purchasing policies.

Maintain a register of all proprietary software and information assets.

Make sure that you can prove that you own all your software
licenses, master disks, manuals, and other information assets.

Establish controls to ensure that you do not exceed the maximum
allowable number of users for each proprietary software product.

Perform checks to ensure that only licensed and
legally authorized software products are being used.

Develop a policy to control the maintenance
of software licenses and licensing conditions.

Develop a policy to control the disposal or transfer
of proprietary software products to others.

Ensure that appropriate tools are used to audit
the use of proprietary software products.

Ensure that you comply with the legal terms and
conditions that govern the use of software and
information obtained from public networks.

12.1.3 SAFEGUARD YOUR ORGANIZATION’S RECORDS

Protect your organization’s important records.

Protect your important records from loss.

Implement controls to protect your important
and essential records and information from loss.

Protect your important records from destruction.

Implement controls to protect your important and
essential records and information from destruction.

Protect your important records from falsification.

Implement controls to protect your important and
essential records and information from falsification.

Make sure that records are securely retained whenever
statutory or regulatory requirements expect you to do so.

Make sure that records are securely retained whenever
essential business functions must be supported.

Store cryptographic keys in a secure manner.

Make sure that your records can prove that your organization
complies with all statutory and regulatory requirements.

Make sure that your records can provide the evidence needed to
defend your organization against possible civil or criminal actions.

Make sure that your records allow you to retrieve information in a
format and time frame that would be acceptable to a court of law.

Make sure that your records can provide the evidence needed to
confirm the financial status and performance of your organization.

Make sure that the information content and structure of your
records complies with all relevant national laws and regulations.

Make sure that your record retention time periods comply
with the appropriate national laws and regulations.

Categorize your records into different types
in order to be able to manage them differently.

Make sure that your organization has established
an official retention time period for each type of record.

Make sure that you establish a record retention schedule that
specifies how long each type of record must be retained.

Establish procedures to ensure that electronic records
will be accessible throughout the retention period even
though future technologies may change.

Specify what type of storage media
should be used by each type of record.

Protect your records against the possible
degradation of storage media.

Make sure that your storage media are handled in accordance
with manufacturers’ recommendations and specifications.

Make sure that your storage and handling system
ensures that records are clearly identified and labeled.

Make sure that your storage and handling system ensures
that record retention periods are clearly specified.

Make sure that your storage and handling system allows you to destroy
records that are no longer needed once the retention period is over.

Establish guidelines to control the storage,
retention, handling, and disposal of your records.

Maintain an inventory that lists your organization’s key
information including the sources of that information.

12.1.4 PROTECT THE PRIVACY OF PERSONAL INFORMATION

Protect the privacy of personal information when that
information can be used to identify specific people.

Make sure that your organization complies with all relevant
legislation that governs and controls the collecting, processing,
transmission, and dissemination of personal data.

Make sure that your organization complies with all relevant legislation
that governs and controls the transfer of information between countries.

Set up management structures and controls to ensure that your
organization complies with relevant personal data protection legislation.

Appoint a data protection officer to provide guidance
and advice on personal data protection issues.

Make sure that your personal data protection officer helps
users, managers, and service providers to protect the
privacy of your organization’s personal information.

Make sure that your personal data protection officer
explains the data protection responsibilities that users,
managers, and service providers have.

Make sure that your personal data protection officer
explains the data protection procedures that users,
managers, and service providers must follow.

Make data owners responsible for telling your data
protection officer about any personal information
that is being kept in a structured file.

Make data owners responsible for making sure that
personnel understand all relevant personal data
protection principles and procedures.

12.1.5 PREVENT MISUSE OF DATA PROCESSING FACILITIES

Ensure that your information processing facilities are not
used for unauthorized personal or non‑business purposes.

Monitor the use of your information processing facilities
in order to detect unauthorized personal use.

Get legal advice before you start monitoring the
personal use of your information processing facilities.

Make sure that your monitoring of information processing
facility usage complies with all relevant legal requirements.

Ensure that unauthorized personal or non-business use of
information processing facilities is reported to management.

Make sure that your managers take disciplinary action
whenever personnel make unauthorized personal use
of your information processing facilities.

Ensure that computer user access rights and
practices comply with all relevant criminal laws.

Ensure that all users are aware of the precise legal limits that are imposed
on their use of your organization’s information processing facilities.

Ensure that users receive written authorization to access
information processing facilities before they get access.

Ensure that your employees understand that they must
receive written authorization before they are allowed to
access your information processing facilities.

Ensure that third party users understand that they must
receive written authorization before they are allowed to
access your information processing facilities.

Use on‑screen warning messages to tell users
when they log on that your computer system is private
and that only authorized users are allowed access.

Expect users to acknowledge on‑screen warnings
and to respond appropriately before they are allowed
to continue with the log‑on process.

12.1.6 CONTROL THE USE OF CRYPTOGRAPHIC CONTROLS

Ensure that access to or use of cryptographic controls
complies with all relevant laws, regulations, and agreements.

Get legal advice to ensure that your access to or use
of cryptographic controls complies with all relevant
laws, regulations, and agreements.

Get legal advice before you decide to transfer
encrypted information to another country.

Get legal advice before you decide to transfer
cryptographic controls to another country.

Get legal advice before you decide to import computer
hardware that is used to perform cryptographic functions.

Get legal advice before you decide to export computer
hardware that is used to perform cryptographic functions.

Get legal advice before you decide to import computer
software that is used to perform cryptographic functions.

Get legal advice before you decide to export computer
software that is used to perform cryptographic functions.

Get legal advice before you decide to import computer hardware that
has been designed to allow someone to add cryptographic functions.

Get legal advice before you decide to export computer hardware that
has been designed to allow someone to add cryptographic functions.

Get legal advice before you decide to import computer software that
has been designed to allow someone to add cryptographic functions.

Get legal advice before you decide to export computer software that
has been designed to allow someone to add cryptographic functions.

Get legal advice whenever countries wish to have access to
information that has been encrypted by hardware or software.

12.1.7 COLLECT EVIDENCE TO SUPPORT YOUR ACTIONS

12.1.7.1 COMPLY WITH APPROPRIATE RULES OF EVIDENCE

Make sure that you collect evidence to support actions that
you may need to take against a person or organization.

Make sure that you collect evidence to support potential
internal disciplinary actions that you may need to take
against one of your own people.

Develop internal procedures that specify what kind of evidence is needed
in order to support your organization’s internal disciplinary actions.

Make sure that you collect evidence to support potential civil or criminal
actions that may need to be taken against a person or organization.

Make sure that your evidence will comply with the rules of evidence
established by the laws and courts that effect your organization.

Make sure that your evidence will be admissible
and can be formally used in a court of law.

Safeguard the quality and completeness of your
evidence in order to ensure that the weight of
evidence will support your legal position.

Make sure that you can prove that your process controls are working
correctly and consistently and are able to protect the quality of the
evidence that is being processed and stored in your information systems.

12.1.7.2 GATHER EVIDENCE THAT IS ADMISSIBLE IN COURT

Identify a published standard or code of practice that you
can use to ensure that your information systems are able
to produce evidence that is admissible in a court of law.

Make sure that your information systems comply
with this evidentiary standard or code of practice.

12.1.7.3 PROTECT THE QUALITY OF YOUR EVIDENCE

Establish a strong trail of evidence whenever an
incident occurs that could result in legal action.

Establish a strong trail of evidence whenever an incident
occurs by safeguarding original paper documents.

Establish a strong trail of evidence whenever an incident
occurs by recording who found related paper documents
and when and where they were found.

Establish a strong trail of evidence whenever
an incident occurs by recording who witnessed
the discovery of related paper documents.

Establish a strong trail of evidence whenever an incident
occurs by ensuring that original paper documents are not
tampered with during an investigation.

Establish a strong trail of evidence whenever an incident occurs
by safeguarding related information available on computer media.

Establish a strong trail of evidence whenever an incident occurs
by taking copies of related removable media in order to ensure
that your evidence is available when you need it.

Establish a strong trail of evidence whenever an incident occurs
by taking copies of related information on hard disks or memory
to ensure that evidence is available when needed.

Establish a strong trail of evidence whenever an incident occurs
by keeping a log of all steps taken during the copying process
and by making sure that this process is witnessed.

Establish a strong trail of evidence whenever an incident
occurs by ensuring that a copy of your log is securely stored.

Establish a strong trail of evidence whenever an incident occurs
by ensuring that a copy of any related media is securely stored.

Involve a lawyer or the police as early as possible whenever you believe
that a serious incident has occurred that could result in legal action.

12.2 PERFORM SECURITY COMPLIANCE REVIEWS

Review regularly the security of your information systems.

Review the security of your information systems by examining
how well they comply with your security policies.

Review the security of your information systems by examining
how well they comply with security standards.

12.2.1 REVIEW COMPLIANCE WITH SECURITY POLICY

Review regularly how well your organization
complies with its own security policies.

Review regularly how well your organization
complies with official security standards.

Review regularly how well your organization
follows its own security procedures.

Review regularly how well your information systems
comply with security policies and standards.

Review regularly how well systems providers
comply with security policies and standards.

Review regularly how well owners of information
assets comply with security policies and standards.

Review regularly how well users comply
with security policies and standards.

Review regularly how well your management
complies with security policies and standards.

Make sure that owners of information systems
actively support regular compliance reviews.

12.2.2 REVIEW TECHNICAL SECURITY COMPLIANCE

Check regularly your information systems to ensure
that they comply with technical security standards.

Examine your operational systems to ensure that
hardware controls have been correctly implemented.

Examine your operational systems to ensure that
software controls have been correctly implemented.

Make sure that all technical compliance checks are
carried out or supervised by authorized technical experts.

Use technical security specialists to help you
carry out technical security compliance reviews.

Use technical security specialists to help you to interpret
security reports generated by software packages.

Use experienced system engineers to
perform manual security compliance reviews.

Carry out penetration tests in order to detect
security vulnerabilities in your information systems.

Carry out penetration tests in order to check
whether your controls can prevent unauthorized
access to your information systems.

Ensure that your penetration tests do not
compromise the security of your systems.

12.3 CARRY OUT OPERATIONAL SYSTEM AUDITS

Perform audits of your operational systems.

Establish controls to safeguard operational
systems while system audits are being performed.

Establish controls to safeguard audit software and
data files while system audits are being performed.

Establish controls to safeguard the integrity
of audit software and data files (i.e.,  tools).

Establish controls to prevent the misuse
of audit software and data files (i.e.,  tools).

12.3.1 PLAN THE AUDIT OF OPERATIONAL SYSTEMS

Plan your operational audit activities and requirements in order to
minimize the chances that your business processes will be disrupted.

Control your operational audit activities and requirements in order to
minimize the chances that your business processes will be disrupted.

Make sure that your audit activities and requirements are approved by
management before you carry out your audit of operational systems.

Make sure that agreement is reached on the scope of your audit
checks before you carry out your audit of operational systems.

Make sure that audit checks are limited to read‑only
access to operational system data and software.

Make sure that only isolated copies of operational
system files are used to perform your audit checks.

Make sure that isolated copies of operational system files
are erased once audit checks have been completed.

Make sure that IT resources needed to perform audit
checks are identified before you carry out your audit
of operational systems.

Make sure that needed IT resources are made available
when you need them to perform audit checks.

Make sure that any special requirements for additional
processing are identified and approved before you carry
out your audit of operational systems.

Monitor and log all access to operational
systems in order to produce a reference trail.

Document all audit procedures.

Document all audit requirements.

Document all audit responsibilities.

12.3.2 PROTECT YOUR SYSTEM  TOOLS

Protect your system audit tools in order to prevent any
possible compromise or misuse of these audit tools.

Protect your system audit software in order to
prevent any compromise or misuse of this software.

Protect your system audit data files in order to
prevent any compromise or misuse of these files.

Segregate your system audit tools from
your operational and development systems.

Provide special security protection for audit tools
that are held in user areas or tape libraries.