8.1 ESTABLISH OPERATIONAL PROCEDURES

Establish procedures to manage your
information processing facilities.

Assign responsibilities that govern the management
of your organization’s information processing facilities.

Establish procedures to operate your
organization’s information processing facilities.

Assign responsibilities that govern the operation of
your organization’s information processing facilities.

8.1.1 DOCUMENT YOUR OPERATING PROCEDURES

Develop operating procedures that
comply with your security policy.

Document your operating procedures.

Control your operating procedure documents.

Make sure that all changes to your operating procedure
documents are authorized and controlled by management.

Make sure that operating procedures explain
how each job or task should be performed.

Make sure that your operating procedures
explain how information should be processed.

Make sure that your operating procedures
explain how information should be handled.

Make sure that operating procedures explain
how job scheduling should be performed.

Make sure that your operating procedures expect
your schedules to specify start and finish dates.

Make sure that operating procedures describe the systemic
interdependencies that influence how jobs are done.

Make sure that your operating procedures explain
how job performance errors should be handled.

Make sure that your operating procedures explain how
restrictions on the use of system utilities should be handled.

Make sure that your operating procedures identify
people who can be contacted when operational
or technical problems occur.

Make sure that your operating procedures
explain how output should be handled.

Make sure that your operating procedures explain
how confidential output should be handled.

Make sure that your operating procedures explain
how output from failed jobs should be disposed of.

Make sure that operating procedures explain
how system failures should be handled.

Make sure that operating procedures
explain how to restart your systems.

Make sure that operating procedures
describe system recovery procedures.

Develop operational housekeeping procedures
for your information processing facilities.

Develop operational housekeeping
procedures for communication facilities.

Develop computer startup and shutdown procedures.

Develop computer backup procedures.

Develop equipment maintenance procedures.

Develop computer room procedures.

Develop mail handling management procedures.

Develop mail handling safety procedures.

8.1.2 CONTROL CHANGES TO FACILITIES AND SYSTEMS

Control changes to information processing facilities.

Control changes to your information systems.

Assign management responsibility
for the control of changes to equipment.

Assign management responsibility
for the control of changes to software.

Assign management responsibility
for the control of changes to procedures.

Develop procedures to control changes to equipment.

Develop procedures to control changes to software.

Develop procedures to control changes to procedures.

Control all changes to operational programs.

Use audit logs to track changes to programs.

Identify all significant changes to your organization’s
information processing facilities and systems.

Record all significant changes to your organization’s
information processing facilities and systems.

Assess the potential impact before you make changes
to your information processing facilities and systems.

Use a formal procedure to authorize proposed
changes to your facilities and systems.

Ensure that the details of all changes to facilities and
systems are communicated to all relevant persons.

Use a procedure to control how unsuccessful
changes should be aborted and resolved.

8.1.3 ESTABLISH INCIDENT MANAGEMENT PROCEDURES

Establish procedures that must be used to
manage and respond to all security incidents.

Assign incident management responsibilities.

Develop procedures to handle all types of security incidents.

Develop procedures to handle information system failures.

Develop procedures to handle the loss of service.

Develop procedures to handle the denial of service.

Develop procedures to handle incomplete data.

Develop procedures to handle inaccurate data.

Develop procedures to handle confidentiality breakdowns.

Make sure that your procedures expect people to identify
and analyze the causes of your security incidents.

Make sure that your procedures expect people to figure
out how to prevent a recurrence of your security incidents.

Make sure that procedures expect people to communicate
with those who are affected by security incidents.

Make sure that your procedures expect people to report the
security incident and response to the appropriate authority.

Make sure that your procedures expect people to study 
trails and collect evidence about your security incidents.

Use evidence to analyze your security incidents.

Collect evidence for breach of contract purposes.

Collect evidence to address regulatory violations.

Collect evidence to support legal proceedings.

Collect evidence to support your requests for
compensation from software and service suppliers.

Develop procedures to control how you
correct and recover from security failures.

Make sure that your recovery procedures ensure
that only authorized persons are allowed access
to live systems and data.

Make sure that your recovery procedures
expect people to document all the actions
that were taken during the emergency.

Make sure that your recovery procedures expect
people to report emergency actions to management.

Make sure that your recovery procedures expect management
to carry out an orderly review of emergency actions taken.

Make sure that your recovery procedures ensure that the
integrity of all vulnerable business systems is verified.

Make sure that your recovery procedures ensure
that all relevant business controls are still effective.

8.1.4 SEGREGATE CONTROL OVER KEY RESPONSIBILITIES

Make it difficult to modify information or services without
authorization by ensuring that associated duties and
responsibilities are not controlled by a single person.

Make it difficult to misuse information or services by
ensuring that associated duties and responsibilities
are not entirely controlled by a single person.

Reduce the chances that people will accidentally or intentionally modify or
misuse information or services by separating duties and responsibilities.

Ensure that responsibility for initiating and authorizing
actions are not controlled by the same person.

Reduce the chances that fraud will be perpetrated
by reducing the opportunity for collusion.

Reduce the opportunity for collusion by ensuring that
sensitive work is not carried out by a single person.

Take steps to ensure that fraud can be detected
whenever key areas are controlled by a single person.

Supervise work activities more closely whenever the security
of information and services cannot be controlled through the
separation of duties and responsibilities.

Use audit trails whenever the security of your information
and services cannot be adequately controlled through
the separation of duties and responsibilities.

8.1.5 SEPARATE SYSTEMS DEVELOPMENT AND OPERATIONS

Separate the responsibility for software
development, testing, and operational facilities.

Separate development and testing activities.

Develop and document rules to control the transfer of software
from the development and testing phase to operational facilities.

Run developmental software and operational
software on different computer processors.

Run developmental software and operational
software in different directories or domains.

Prevent unauthorized access to editors, compilers, and
other system utilities from your operational systems.

Make sure that test systems and operational
systems use different log‑on procedures.

Expect users to use different passwords
for test systems and operational systems.

Make sure that it is easy for users to distinguish between
test system menus and operational system menus.

Control how operational system passwords are
issued to system development and testing staff.

8.1.6 CONTROL THE MANAGEMENT OF EXTERNAL FACILITIES

Make sure that external contractors have
done everything necessary to protect your
information and secure their sites.

Make sure that your contracts specify the
controls that external contractors must
use in order to protect your information.

Make sure that your contracts specify
the business continuity requirements
that must be met by external contractors.

Make sure that your contracts specify the security
standards that external contractors must comply with.

Make sure that your contracts specify how compliance
with security standards should be measured.

Make sure that your contracts allocate specific
security monitoring responsibilities to contractors.

Make sure that your contracts identify the
procedures that should be used to monitor
how well security measures are applied.

Make sure that your contracts allocate the responsibility
for reporting security incidents to the contractor.

Make sure that your contracts define the procedures that
should be used to handle and report all security incidents.

Keep your most sensitive applications in‑house.

8.2 DEVELOP PLANS TO PROVIDE FUTURE CAPACITY

Develop plans to ensure that adequate information processing
capacity and resources will be available in the future.

Project what your information processing capacity
and resource requirements will be in the future.

Establish the operational requirements of new
systems prior to their acceptance and use.

Document the operational requirements of new
systems prior to their acceptance and use.

Test the operational requirements of new
systems prior to their acceptance and use.

8.2.1 MONITOR USAGE AND MEET FUTURE REQUIREMENTS

Monitor the demands that are being placed on your
current information storage and processing resources.

Figure out what your future information storage
and processing capacity requirements will be.

Develop plans to ensure that future storage
and processing power needs will be met.

Make sure that your plans consider the burden
that new business will place on your existing
storage and processing resources.

Make sure that your plans respect
current information processing trends.

Figure out what your mainframe computing capacity
requirements will probably be in the future.

Monitor mainframe computer processor usage.

Monitor mainframe computer storage usage.

Monitor mainframe computer output device usage.

Monitor mainframe communication system usage.

Identify trends in mainframe computer usage.

Make sure that managers use trend information to identify
potential bottlenecks that could undermine your security.

Make sure that managers use trend
information to avoid bottlenecks.

Make sure that managers use trend
information to plan remedial action.

8.2.2 USE ACCEPTANCE CRITERIA TO TEST SYSTEMS

Use acceptance criteria to test new information
systems before they are accepted for actual use.

Use acceptance criteria to test information system
upgrades before they are accepted for actual use.

Use acceptance criteria to test new versions of
information systems before they are accepted for use.

Make sure that managers ensure that new information
system acceptance criteria are clearly defined.

Make sure that managers ensure that new information
system acceptance criteria are documented.

Make sure that managers ensure that new information
system acceptance criteria are tested prior to use.

Make sure that your acceptance criteria consider
the computer capacity and performance requirements
that new systems must meet.

Make sure that your acceptance criteria consider
the need for new systems to facilitate error recovery.

Make sure that your acceptance criteria consider
the need for new systems to have restart procedures.

Make sure that acceptance criteria consider the need to
have contingency plans to deal with potential system failures.

Make sure that acceptance criteria consider the need to
test new system operating procedures against standards.

Make sure that your acceptance criteria consider the
security controls that new information systems must have.

Make sure that your acceptance criteria consider the need
for new systems to have effective manual procedures.

Make sure that acceptance criteria consider the need to
have business continuity arrangements to deal with disasters.

Make sure that your acceptance criteria consider the need
to prove that new systems will not harm existing systems.

Make sure that your acceptance criteria consider the need
to prove that new systems will not undermine your security.

Make sure that acceptance criteria consider the need to prove
that new systems will meet user needs and expectations.

Make sure that your acceptance criteria consider the need
to teach people how to use and operate new systems.

Perform tests to verify that all acceptance criteria
are fully satisfied before new systems are accepted.

8.3 PROTECT AGAINST MALICIOUS SOFTWARE

Make sure that your managers have taken steps
to detect the introduction of malicious software.

Make sure that your managers have taken steps
to prevent the introduction of malicious software.

Make users aware of the damage
that malicious software can cause.

Detect personal computer viruses.

Prevent personal computer viruses.

8.3.1 DETECT AND PREVENT MALICIOUS SOFTWARE

Implement controls to protect your
systems against malicious software.

Implement controls to detect the
introduction of malicious software.

Implement controls to prevent the
introduction of malicious software.

Develop procedures to make users aware of what
they can do to protect against malicious software.

Develop a formal policy that prohibits your
users from using unauthorized software.

Develop a formal policy that requires your
users to comply with software licenses.

Develop a formal policy that controls the use of
files and software obtained from external sources.

Make sure that your organization requires the
use of anti‑virus detection and repair software.

Make sure that you conduct regular security reviews of the
software and data that supports critical business systems.

Make sure that your security reviews look for unapproved
files or unauthorized changes to your data or software.

Investigate the presence of unapproved files or
unauthorized changes to your data or software.

Check suspicious files for viruses before use.

Check email attachments for malicious software.

Check all downloads for malicious software.

Make managers responsible for virus protection.

Make managers responsible for reporting viruses.

Make managers responsible for recovering from virus attacks.

Make managers responsible for teaching their staff about viruses.

Develop procedures that must be used
to protect systems against virus attacks.

Develop business continuity plans that
you can use to recover from virus attacks.

Develop procedures to ensure that all virus bulletins
and warnings are accurate and informative.

Make sure that warning procedures ensure that staff are
able to distinguish between hoaxes and real virus attacks.

8.4 ESTABLISH HOUSEKEEPING PROCEDURES

Develop procedures to control data back‑ups.

Develop procedures to control data restoration.

Develop procedures to control how information
processing events and faults should be logged.

Develop procedures to control how your
equipment environment should be monitored.

8.4.1 BACK‑UP YOUR INFORMATION AND SOFTWARE

Make regular back‑ups of essential information.

Make regular back‑ups of essential software.

Make sure that you can restore all
essential information when necessary.

Make sure that you can restore all
essential software when necessary.

Test your back‑up procedures in order to ensure
that they comply with your business continuity plans.

Retain at least three back‑up generations or cycles.

Ensure that your back‑up information and
software is safely stored in a remote location.

Ensure that an accurate and complete record of
your back‑ups is safely stored in a remote location.

Ensure that all documented restoration procedures
are safely stored in a remote location.

Make sure that your remote storage location is far enough
away from the main site to escape damage at the main site.

Make sure that your remote back‑up site is given as much
physical and environmental protection as your main site.

Make sure that the controls at your back‑up site
are the same as the controls at your main site.

Test the reliability of back‑up media on a regular basis.

Check and test the efficiency and effectiveness
of your restoration procedures on a regular basis.

Establish how long you need to retain essential information.

Figure out what needs to be retained as a permanent archive.

8.4.2 MAINTAIN A LOG OF OPERATOR ACTIVITIES

Make sure that operators maintain a log of their activities.

Keep a record of system start and finish times.

Keep a record of all information system errors.

Keep a record of all corrective actions taken.

Keep a record of exactly who made log entries.

Make sure that your records can confirm
that data files are handled correctly.

Make sure that your records can confirm
that output is handled properly.

Check your operator logs on a regular basis.

Make sure that log checks are performed
by an independent person.

Make sure that logs are checked
against your operating procedures.

8.4.3 REPORT AND LOG SYSTEM FAULTS

Make sure that users report all system faults.

Make sure that you log all user reports of system faults.

Make sure that you log communication system faults reported by users.

Make sure that you log information processing faults reported by users.

Establish rules for handling reported faults.

Make sure that fault handling rules ensure that fault logs are reviewed.

Make sure that fault handling rules ensure that faults are resolved.

Make sure that corrective actions are taken to resolve system faults.

Make sure that your fault handling rules ensure that corrective
actions are reviewed by an independent person.

Make sure that your corrective action reviews check to
ensure that your controls have not been compromised.

Make sure that your corrective action reviews check to
ensure that all corrective actions are in fact authorized.

8.5 SAFEGUARD YOUR COMPUTER NETWORKS

Take steps to protect information in networks.

Take steps to protect network infrastructure.

Take steps to protect data on public networks.

8.5.1 ESTABLISH NETWORK SECURITY CONTROLS

Make sure that your network managers establish controls
to secure the information in their computer networks.

Make sure that your network managers establish controls
to protect connected services from unauthorized access.

Reduce the chances that people will accidentally
or intentionally modify or misuse information by
separating operational responsibilities and
computer operations.

Establish procedures to manage remote equipment.

Assign responsibilities for the management of remote equipment.

Establish special controls to protect the confidentiality
and integrity of your data on public networks.

Establish special controls to protect the systems
that are connected to public networks.

Establish special controls to ensure the availability
of public networks and related computers.

Ensure that managers apply network controls consistently
across your information processing infrastructure.

8.6 PROTECT AND CONTROL COMPUTER MEDIA

Establish operating procedures to protect
and control your computer media.

Establish operating procedures to
protect and control your documents.

Establish operating procedures to protect
and control system documentation.

Establish operating procedures to protect
and control input and output data.

Make sure that your operating procedures
protect your computer media from damage.

Make sure that your operating procedures
protect your computer media from theft.

Make sure that your operating procedures protect
your computer media from unauthorized access.

8.6.1 MANAGE REMOVABLE COMPUTER MEDIA

Establish procedures to manage and
control your removable computer media.

Document your removable media
management and control procedures.

Make sure that your procedures expect
people to erase unneeded media before
they are removed from your organization.

Make sure that your procedures expect
people to get authorization before they
remove media from your organization.

Make sure that your procedures ensure that
accurate records of all media removals are kept.

Make sure that your procedures ensure that all
media is stored in a safe and secure environment.

Make sure that your procedures tell people to follow
your manufacturers’ media storage specifications.

8.6.2 CONTROL THE DISPOSAL OF YOUR MEDIA

Establish formal procedures to control the secure
disposal of media that are no longer required.

Make sure that media disposal procedures ensure that
all unneeded media are safely and securely disposed of.

Make sure that your procedures ensure that all unneeded
paper documents are safely and securely disposed of.

Make sure that your procedures ensure that all unneeded
system documentation is safely and securely disposed of.

Make sure that procedures ensure that all unneeded
output reports are safely and securely disposed of.

Make sure that procedures ensure that all unneeded program
listings are safely and securely disposed of.

Make sure that procedures ensure that all unneeded
test data are safely and securely disposed of.

Make sure that procedures ensure that all carbon
paper is safely and securely disposed of.

Make sure that procedures ensure that all one‑time‑use
printer ribbons are safely and securely disposed of.

Make sure that procedures ensure that all unneeded
recordings are safely and securely disposed of.

Make sure that procedures ensure that all unneeded
magnetic tapes are safely and securely disposed of.

Make sure that procedures ensure that all unneeded
removable disks are safely and securely disposed of.

Make sure that procedures ensure that all unneeded
cassettes are safely and securely disposed of.

Make sure that your procedures ensure that all unneeded
optical storage media are safely and securely disposed of.

Make sure that contractors hired to dispose of
your media apply appropriate security controls.

Make sure that your disposal contractors
have suitable security experience.

Log the disposal of all sensitive or critical items.

8.6.3 CONTROL INFORMATION HANDLING AND STORAGE

Establish procedures to control information handling and storage.

Make sure that information handling and storage procedures
ensure that information is protected from misuse.

Make sure that information handling and storage procedures ensure
that information is protected from unauthorized disclosure.

Develop a procedure to control how documents should be handled.

Make sure that document control procedure ensures that every document
is handled and stored in accordance with its security classification.

Develop a procedure to control how faxes should be handled and stored.

Make sure that your information control procedure ensures that every
fax is handled and stored in accordance with its security classification.

Develop a procedure to control how
sensitive forms should be handled and stored.

Make sure that your information control procedure
ensures that every sensitive form is handled and
stored in accordance with its security classification.

Develop a procedure to control how your computing
system information should be handled and stored.

Make sure that your information control procedure ensures
that computing system information is handled and stored
in accordance with its security classification.

Developed a procedure to control how network
information should be handled and stored.

Make sure that your information control procedure
ensures that network information is handled and
stored in accordance with its security classification.

Develop a procedure to control how mobile computing
information should be handled and stored.

Make sure that your information control procedure
ensures that mobile computing information is handled
and stored in accordance with its security classification.

Develop a procedure to control how mobile communications
information should be handled and stored.

Make sure that your information control procedure ensures
that mobile communications information is handled and
stored in accordance with its security classification.

Develop a procedure to control how conventional
mail should be handled and stored.

Make sure that your information control procedure
ensures that conventional mail is handled and stored
in accordance with its security classification.

Develop a procedure to control how all voice
communications should be handled and stored.

Make sure that your information control procedure
ensures that voice communications are handled and
stored in accordance with their security classification.

Develop a procedure to control how voice
mail should be handled and stored.

Make sure that your information control procedure ensures
that voice mail is handled and stored in accordance with its
security classification.

Develop a procedure to control how your
multimedia should be handled and stored.

Make sure that your information control procedure
ensures that multimedia is handled and stored in
accordance with its security classification.

Make sure that your procedures ensure
that media are handled properly.

Make sure that your procedures ensure
that media are labeled properly.

Make sure that your procedures ensure that media access
restrictions are used to identify unauthorized personnel.

Make sure that your procedures ensure that you maintain
a record that shows who is authorized to receive data.

Make sure that your procedures ensure that
all input data is complete before it is processed.

Make sure that your procedures ensure that
all data processing is completed properly.

Make sure that your procedures ensure that
output validation is properly applied.

Make sure that procedures ensure that your spooled data
is protected in accordance with its security classification.

Make sure that your procedures ensure that all media is
stored in accordance with manufacturers’ specifications.

Make sure that procedures ensure that the distribution
of data is controlled and kept to a minimum.

Make sure that procedures ensure that all copies of data
are clearly marked for the attention of authorized recipients.

Make sure that your procedures ensure that
data distribution lists are reviewed regularly.

Make sure that your procedures ensure that lists of
authorized data recipients are re‑evaluated regularly.

8.6.4 PROTECT YOUR SYSTEM DOCUMENTATION

Develop controls to protect your system
documentation from unauthorized access.

Ensure that your system documentation is securely stored.

Make sure that all access to system documentation
is controlled by application owners.

Make sure that access to system
documentation is kept to a minimum.

Make sure that that system documentation
available on public networks is suitably protected.

8.7 CONTROL INTERORGANIZATIONAL EXCHANGES

Make sure that you control the exchange of information
between your organization and other external organizations.

Make sure that you control the exchange of software
between your organization and other external organizations.

Make sure that you comply with all relevant legislation that governs
the interorganizational exchange of information and software.

Make sure that interorganizational exchanges of information
and software are governed by formal agreements.

Establish procedures to protect information and
media that is transmitted between organizations.

Establish standards to protect information and
media that is transmitted between organizations.

8.7.1 DEVELOP INFORMATION EXCHANGE AGREEMENTS

Establish security agreements to control the exchange of
information between your organization and other organizations.

Establish security agreements to control the exchange of
software between your organization and other organizations.

Make sure that the amount of protection specified by your
security agreements is commensurate with the sensitivity
of the information you’re trying to protect.

Make sure that your security agreements ensure that management
is responsible for controlling how notifications are performed.

Make sure that your security agreements ensure that management
is responsible for controlling the transmission of information.

Make sure that your security agreements ensure that management
is responsible for controlling physical delivery of information.

Make sure that your security agreements ensure that
management is responsible for the receipt of information.

Make sure that security agreements ensure that procedures
are established to control how notifications are performed.

Make sure that security agreements ensure that procedures
are established to control the transmission of information.

Make sure that security agreements ensure that procedures
are established to control the physical delivery of information.

Make sure that security agreements ensure that procedures
are established to control the receipt of information.

Make sure that security agreements ensure that minimum
technical standards for packaging are established.

Make sure that security agreements ensure that minimum
technical standards for transmission are established.

Make sure that security agreements ensure that
courier identification standards are established.

Make sure that security agreements
allocate responsibility for data loss.

Make sure that security agreements
define data loss liabilities.

Make sure that your security agreements require the use
of labels to clearly identify sensitive or critical information.

Make sure that your security agreements ensure that information
that is labeled as sensitive or critical gets suitable protection.

Make sure that your security agreements
define data protection responsibilities.

Make sure that your security agreements
define copyright compliance requirements.

Make sure that security agreements clarify information
and software ownership rights and requirements.

Make sure that your security agreements ensure
that technical standards for recording and reading
information are established.

8.7.2 SAFEGUARD THE TRANSPORTATION OF COMPUTER MEDIA

Establish controls to safeguard the physical transportation
of computer media from one physical site to another.

Establish controls to protect computer media while it is being mailed.

Establish controls to protect computer media while it is being couriered.

Establish a list of authorized couriers.

Establish a procedure to verify courier identity.

Make sure that packaging protects contents from physical damage.

Make sure that packaging complies with manufacturers’ specifications.

Develop special controls to protect sensitive information
from unauthorized disclosure during transit.

Develop special controls to protect sensitive information
from unauthorized modification during transit.

Use locked containers to protect information from
unauthorized disclosure or modification during transit.

Use hand delivery to protect your information from
unauthorized disclosure or modification during transit.

Use tamper‑evident packaging to protect information from
unauthorized disclosure or modification during transit.

Split critical deliveries into more than one package and more
than one route in order to protect information from
unauthorized disclosure or modification during transit.

Use digital signatures to protect information from
unauthorized disclosure or modification during transit.

Use encryption to protect your information from
unauthorized disclosure or modification during transit.

8.7.3 CREATE CONTROLS TO PROTECT ECOMMERCE

Establish controls to protect your ecommerce activities.

Establish controls to protect electronic
data interchange (EDI) activities.

Establish controls to protect email.

Establish controls to protect your online transactions.

Make sure that your ecommerce controls
protect you against fraudulent activities.

Make sure that your ecommerce controls
protect you against contract disputes.

Make sure that your ecommerce controls protect you
against the unauthorized disclosure of information.

Make sure that your ecommerce controls protect you
against the unauthorized modification of information.

Make sure that your ecommerce controls ensure that the
identity of commercial participants is properly authenticated.

Make sure that your ecommerce controls ensure that only
authorized people are allowed to make ecommerce decisions.

Make sure that your ecommerce controls ensure that participants
comply with all contractual requirements and obligations.

Make sure that your ecommerce controls ensure that your
tendering processes comply with all requirements and obligations.

Make sure that your ecommerce controls ensure that all
pricing and discount information is accurate and up‑to‑date.

Make sure that your ecommerce controls ensure that the confidentiality
and integrity of all commercial transactions is protected.

Make sure that your ecommerce controls ensure that the
payment information provided by customers is accurate.

Make sure that your ecommerce controls
protect you against fraudulent transactions.

Make sure that controls ensure that the confidentiality
and integrity of your order information is protected.

Make sure that your ecommerce controls
ensure that commercial transactions are
protected against duplication or loss.

Use cryptographic techniques to protect
your ecommerce activities.

Use agreements to document the terms that
both buyers and sellers must comply with.

Use agreements to document the terms that
your organization and its ecommerce service
providers must comply with.

Make sure that your ecommerce hosting service providers
taken steps to reduce their vulnerability to network attacks.

8.7.4 ESTABLISH CONTROLS TO PROTECT EMAIL

8.7.4.1 CONTROL THE USE OF EMAIL

Establish controls to protect email.

Establish controls to make email messages
less vulnerable to unauthorized access.

Establish controls to make email messages less
vulnerable to unauthorized modification or tampering.

Establish controls to make email less
vulnerable to denial of service attacks.

Establish controls to make
email less vulnerable to error.

Establish controls to increase the reliability
and availability of your email services.

Establish controls to prevent the incorrect
addressing or misdirection of email.

Take steps to ensure that email can be
used to perform official legal functions.

Take steps to ensure that email can
be used to establish proof of origin.

Take steps to ensure that email can
be used to establish proof of dispatch.

Take steps to ensure that email can
be used to establish proof of delivery.

Take steps to ensure that email can be
used to establish proof of acceptance.

Take steps to reduce the security risk that
comes with publishing your email addresses.

Take steps to control the access that
remote users have to email accounts.

8.7.4.2 DEVELOP AN EMAIL POLICY

Develop a policy to control the use of email.

Make sure that your email policy explains how
email attacks should be prevented and handled.

Make sure that your email policy explains how
email viruses should be prevented and handled.

Make sure that your email policy explains how
email interceptions should be handled.

Make sure that your email policy explains
how email attachments should be handled.

Make sure that email policy explains
when email should not be used.

Make sure that your email policy states that email should
not be used to harm the reputation of your organization.

Make sure that your email policy makes it clear
that email should not be used to defame others.

Make sure that your email policy makes it clear
that email should not be used to harass others.

Make sure that your email policy makes it clear that email
should not be used to make unauthorized purchases.

Make sure that email policy explains when cryptographic
techniques should be used to protect email messages.

Make sure that email policy explains what should be done
when incoming email messages cannot be authenticated.

Make sure that your email policy
establishes email retention rules.

8.7.5 PROTECT YOUR ELECTRONIC OFFICE SYSTEMS

Establish policies to protect your
electronic office systems and facilities.

Establish guidelines to protect your
electronic office systems and facilities.

Reduce the vulnerability of information
in your electronic office systems.

Protect electronic office records of
telephone and conference calls.

Protect the storage of electronic office faxes.

Control the opening and distribution
of mail within electronic office systems.

Control information sharing within and
between your electronic office systems.

Control information sharing through the
use of corporate electronic bulletin boards.

Establish a policy to manage information sharing
within and between electronic office systems.

Protect your most sensitive information by excluding
it from electronic office systems that are unable to
provide the necessary level of security.

Restrict access to personnel diary information that
is sensitive or critical to the success of your organization.

Ensure that your electronic office systems can
support your various business applications.

Identify categories of staff members that are officially
allowed to access your electronic office systems.

Identify the locations from which staff members are
allowed to access your electronic office systems.

Identify categories of contractors that are officially
allowed to access your electronic office systems.

Identify the locations from which contractors are
allowed to access your electronic office systems.

Identify categories of business partners that are
allowed to access your electronic office systems.

Identify the locations from which your business partners
are allowed to access your electronic office systems.

Select those electronic office facilities that should
be restricted to specific categories of user.

Ensure that electronic office system users have a way of
establishing the official identity and status of other users.

Ensure that your organization’s electronic
office information is routinely backed up.

Define your information retention policy.

Make arrangements that allow you to continue
operating when your electronic office systems fail.

8.7.6 CONTROL YOUR PUBLIC INFORMATION SYSTEMS

Protect the integrity of information
that is published electronically.

Prevent the unauthorized modification
of electronically published information.

Establish a process to authorize the
publication of electronic documents.

Establish a process to control how electronic input
or feedback from the public should be handled.

Ensure that your electronic input or feedback
systems comply with data protection laws.

Ensure that information received from the public
is processed accurately and completely.

Protect sensitive information received from
the public by electronic input systems.

Ensure that information received by electronic
input systems is processed without delay.

Ensure that people who are given access to your
public information systems do not unintentionally
also get access to your private information systems.

8.7.7 REGULATE EXTERNAL COMMUNICATIONS

Establish procedures to protect and
control your voice communications.

Establish procedures to protect and
control mobile phone communications.

Establish procedures to protect and control
access to dial‑in voice‑mail systems.

Establish procedures to protect and
control answering machine messages.

Establish procedures to protect and
control your fax communications.

Establish procedures to protect and
control your video communications.

Establish a policy that tells people how to handle
their voice, fax, and video communications.

Make sure that your communications policy tells people
to ensure that their telephone conversations are not being
overheard by people in their immediate vicinity.

Make sure that your communications policy tells people
to ensure that their telephone conversations are not being
overheard at the receiving end of the conversation.

Make sure that your communications policy tells people
to ensure that their telephone conversations are
not being intercepted.

Make sure that your communications policy expects people
to protect themselves against telephone wiretaps and other
forms of clandestine eavesdropping.

Make sure that your communications policy expects people to protect
themselves against the use of scanning receivers to monitor
analogue mobile phone communications.

Make sure that your communications policy warns people
not to have confidential conversations in public places.

Make sure that your communications policy warns people
not to have confidential conversations in open offices.

Make sure that communications policy warns people not
to have confidential conversations in rooms with thin walls.

Make sure that your communications policy warns people
not to leave confidential messages on answering machines.

Make sure that your communications policy warns people
about how fax communications can be compromised.

Make sure that your communications policy explains that
messages can be accidentally faxed to the wrong people
and that special care must be taken to avoid this possibility.

Make sure that your communications policy
explains that intruders could gain unauthorized
access to stored fax messages.

Make sure that your communications policy
explains that fax machines can be programmed
to send messages to the wrong destination.