9.1 CONTROL ACCESS TO INFORMATION

Make sure that your information access
controls meet your business requirements.

Make sure that your information access
controls meet your security requirements.

Make sure that your information access controls
comply with your information dissemination policies.

Make sure that your information access controls
comply with your information authorization policies.

9.1.1 DEVELOP A POLICY AND RULES TO CONTROL ACCESS

9.1.1.1 DEVELOP A POLICY TO CONTROL INFORMATION ACCESS

Define and document the business requirements
that your access controls must meet.

Make sure that your users understand the business
requirements that access controls are supposed to meet.

Make sure that your service providers understand the
business requirements that access controls must meet.

Develop a policy to control information access.

Make sure that your access control policy
meets your business requirements.

Make sure that your access control policy defines the rules
and rights that each of your user groups must comply with.

Make sure that access control policy defines the security
requirements that individual applications must meet.

Make sure that access control policy defines how information
dissemination and authorization should be controlled.

Make sure that your access control policy complies
with all relevant data access laws and regulations.

Make sure that your access control policy meets all
contractual obligations to protect access to data or services.

Make sure that access control policy allows the use of
standard user access profiles for common job categories.

Make sure that your access control policy supports
the management of access rights in a distributed
and networked environment.

Make sure that your access control policy recognizes
all the types of connections that are possible within
a distributed and networked environment.

Make sure that your information access control policy
is consistent with your information classification policies.

9.1.1.2 DEVELOP INFORMATION ACCESS CONTROL RULES

Develop rules to control access to information.

Make sure that your access control rules specify
which rules must always be enforced and which
ones are conditional or optional.

Make sure that access control rules forbid access except
for those who have been officially allowed to have access.

Make sure that access control rules distinguish between
information labels that are generated automatically and 
those that can be generated by users.

Make sure that access control rules distinguish between
user permissions that are generated automatically and
those that are initiated by an administrator.

Make sure that you distinguish between user access
rules that must be formally approved by administrators
or managers, and those rules that can be enacted
without formal approval.

9.2 MANAGE THE ALLOCATION OF ACCESS RIGHTS

Establish a procedure to control the allocation of
rights to access information systems and services.

Ensure that your access rights allocation procedure controls
all stages from initial user registration to de-registration.

Ensure that your access rights allocation procedure pays
particular attention to the allocation of special rights and
privileges that allow users to override normal system controls.

9.2.1 ESTABLISH A USER REGISTRATION PROCEDURE

Develop a formal procedure to control the registration
and de‑registration of users who want access to multi‑user
information systems and services.

Make sure that your user registration procedure
assigns a unique user ID to each individual user.

Make sure that your user registration
procedure limits the use of group IDs.

Make sure that your user registration procedure ensures that
system owners authorize access before user access is granted.

Make sure that your user registration procedure specifies when
management authorization is required before user access is granted.

Make sure that your user registration procedure ensures that the
level of access granted is determined by business requirements.

Make sure that your user registration procedure ensures that
the level of access granted is consistent with your security policy.

Make sure that your user registration procedure ensures that the
level of access granted does not create an opportunity for collusion.

Make sure that your user registration procedure ensures that users
are given a written statement of their access rights and responsibilities.

Make sure that your registration procedure ensures that all users
are asked to sign statements that confirm that they understand what
their access rights and responsibilities are.

Make sure that your user registration procedure ensures that
service providers do not provide access until all formal authorization
steps have been taken.

Make sure that your user registration procedure ensures
that a formal record of all registered users is maintained.

Make sure that your user registration procedure ensures
that access rights are immediately cancelled whenever
users change jobs or leave your organization.

Make sure that your user registration procedure ensures
that someone periodically checks your records to make
sure that only legitimate users continue to have access.

Make sure that your user registration procedure ensures
that old or redundant IDs are not issued to new users.

Make sure that your employment contracts specify the
sanctions that will be applied if employees attempt to gain
access to information without authorization.

Make sure that your service contracts specify the sanctions
that will be applied if service agents attempt to gain access to
information without authorization.

9.2.2 CONTROL THE AUTHORIZATION OF SYSTEM PRIVILEGES

Establish a formal authorization process that must be used
to restrict and control the allocation of special privileges that
allow users to override normal system controls.

Specify exactly what the special privileges should
be for each category of software product.

Specify which staff members should have which
privileges for each category of software product.

Grant system privileges only when they are needed.

Make sure that your authorization process ensures that system privileges
are not granted until all formal authorization steps have been completed.

Maintain a record of all privilege allocations.

Reduce the need to grant privileges by promoting
the development and use of system routines.

Ensure that the same user identity is not used to grant
both privileged access and normal business access.

9.2.3 ESTABLISH A PROCESS TO MANAGE PASSWORDS

Establish a formal process to manage and control
the allocation of your organization’s passwords.

Make sure that your password management process ensures
that all users are asked to sign statements that promise to
protect the confidentiality of their personal passwords.

Make sure that your password management process ensures that
all work groups are asked to sign statements that promise to protect
the confidentiality of their work group passwords.

Make sure that your password management process ensures
that secure temporary passwords are supplied only after the
user has been properly identified.

Make sure that your password management process ensures
that a secure process is used to supply temporary passwords.

Make sure that your password management process ensures
that users are forced immediately to change secure temporary
passwords into secure permanent passwords.

Make sure that your password management process ensures
that users acknowledge the receipt of their passwords.

Store passwords on a secure computer system.

9.2.4 REVIEW USER ACCESS RIGHTS AND PRIVILEGES

Make sure that managers review user access rights and privileges.

Make sure that user access rights are reviewed on a regular basis.

Make sure that access rights are reviewed whenever changes occur.

Make sure that access privileges are reviewed more often than rights.

Make sure that access privileges are reviewed on a regular basis.

Make sure that access privileges are reviewed in order to
ensure that unauthorized privileges have not been granted.

9.3 ENCOURAGE RESPONSIBLE ACCESS PRACTICES

Ask authorized users to help you control access to
your organization’s information systems and services.

Make authorized users responsible for helping you
to control access to information systems and services.

Make users aware of what they must do to control access.

Make users aware of what they must do to protect passwords.

Make users aware of what they must do to protect equipment.

9.3.1 ENCOURAGE USERS TO PROTECT PASSWORDS

Make sure that your users follow best information
security practices when they select their passwords.

Make sure that your users select passwords
that are six or more characters in length.

Make sure that users select passwords
that are easy to remember.

Make sure that users select passwords
that are difficult for others to guess based
on what they already know about the user.

Make sure that users avoid selecting passwords
that have identical consecutive characters or have
groups of alphabetic or numeric characters.

Make sure that your users follow best information
security practices when they use their passwords.

Make sure that users protect the
confidentiality of their passwords.

Make sure that your users ensure that all written
records of passwords are safely and securely stored.

Make sure that users change passwords whenever the security
of passwords or systems appears to have been compromised.

Make sure that users change passwords on a regular basis.

Make sure that users avoid using previously used passwords.

Make sure that users change passwords more often for
privileged access accounts than for normal access accounts.

Make sure that your users change
temporary passwords immediately.

Make sure that your users ensure that passwords are not
used and automatically stored during automated log‑ons.

Make sure that users avoid sharing passwords with others.

Make sure that users are formally authorized to use a single password
to access multiple systems or services only if multiple access is a job
requirement and the password is of high quality.

9.3.2 ENCOURAGE USERS TO PROTECT EQUIPMENT

Make sure that users know how to protect unattended equipment.

Make sure that users understand the security requirements
that must be met when equipment is left unattended.

Make sure that users understand the security procedures
that must be followed to protect unattended equipment.

Make sure that your users understand what their
specific equipment protection responsibilities are.

Make sure that your users protect their
equipment when it has been left unattended.

Make sure that your contractors know
how to protect unattended equipment.

Make sure that contractors understand
the security requirements that must be
met when equipment is left unattended.

Make sure that your contractors understand
the security procedures that must be followed
to protect unattended equipment.

Make sure that your contractors know what their
specific equipment protection responsibilities are.

Make sure that your contractors protect
equipment when it has been left unattended.

Make sure that users are told to secure their equipment or 
to terminate active sessions when their work is finished.

Make sure that users are told to log‑off mainframe
computers when their work session is finished.

Make sure that users are told to protect terminals or PCs
against unauthorized access when they’re not using them.

Make sure that workstations and file servers are given special
protection from unauthorized access when they are located
in users areas and left unattended for long periods.

9.4 CONTROL ACCESS TO COMPUTER NETWORKS

Control access to internal networked services.

Control access to external networked services.

Control access by using the appropriate interfaces between
your network and networks owned by other organizations.

Control access by using the appropriate interfaces
between your network and public networks.

Control access to networks by using the appropriate
authentication mechanisms for users and equipment.

Control user access to information services.

9.4.1 FORMULATE A NETWORK USE POLICY

Establish a policy to control the use of networks and network services.

Make sure that your network use policy ensures that users are
not allowed access to a particular network unless they have
been formally authorized to use that network.

Make sure that your network use policy ensures that users are
not allowed access to sensitive or critical business applications
unless access has been formally authorized.

Make sure that your network use policy ensures that users are
not allowed access to high‑risk areas or locations unless access
has been formally authorized.

Make sure that your network use policy identifies the networks
and network services that users may access and those that
users may access only if they have special authorization.

Make sure that your network use policy establishes procedures that
must be used to determine who is allowed to have access to networks
and network services and which ones may not be accessed.

Make sure that your network use policy establishes management
controls and procedures to protect access to network connections.

Make sure that your network use policy establishes management
controls and procedures to protect access to network services.

Make sure that your network use policy is consistent
with your organization’s business access control policy.

9.4.2 USE ENFORCED PATHS TO CONTROL ACCESS

Reduce the opportunity for unauthorized access to business applications
by controlling the path from the user terminal to the computer service.

Reduce the opportunity for unauthorized use of information facilities
by controlling the path from the user terminal to the computer service.

Establish controls to restrict the route between user terminals
and the computer services that users are authorized to access.

Make sure that your path controls prevent users from
selecting unauthorized routes by limiting the routing
options available to the user at each point in the network.

Limit the users routing options by allocating
dedicated lines or telephone numbers.

Limit the users routing options by automatically
connecting ports to designated application systems.

Limit the users routing options by limiting
the menu options available to specific users.

Limit the users routing options by
preventing unlimited network roaming.

Limit the users routing options by making sure
that users access only authorized applications.

Limit the users routing options by controlling
communications between source and destination.

Use security gateways to limit routing options.

Use firewalls to limit routing options.

Limit external network users’ routing options by
forcing them to use specified security gateways.

Restrict network access by setting
up separate logical domains.

Restrict network access by setting
up virtual private networks for staff.

Make sure that your enforced path controls are
consistent with your business access control policy.

9.4.3 AUTHENTICATE REMOTE USER CONNECTIONS

Use authentication methods to prevent remote users
from accessing information without authorization.

Carry out risk assessments to determine what
level of protection is required and therefore what
type of authentication method should be used.

Use cryptographic methods to authenticate
remote users when strong protection is needed.

Use hardware tokens to authenticate remote users
before they are given access to your networks.

Use challenge‑and‑response protocols to authenticate remote users.

Use dedicated private lines to authenticate remote users.

Use user address checking techniques to authenticate remote users.

Use a dial‑back procedure to prevent remote users from
accessing your networks without authorization.

Make sure that your dial‑back procedure ensures that an
actual disconnection occurs at your organization’s end
before the dial‑back authentication is performed.

Test your dial‑back procedure to ensure that an actual
disconnection occurs at your organization’s end.

Disable the use of call‑forwarding features whenever
you use dial‑back procedures to control remote access.

9.4.4 USE NODE AUTHENTICATION TO CONTROL REMOTE USERS

Use node authentication methods to authenticate remote
users who wish to access remote computer systems.

Use node authentication methods to prevent
unauthorized access to your business applications.

9.4.5 CONTROL REMOTE ACCESS TO DIAGNOSTIC PORTS

Control access to the diagnostic ports found
in your computers and communications systems.

Make sure that your control of diagnostic ports prevents unauthorized
access to your computers and communications systems.

Use procedures and key locks to control access to your diagnostic ports.

Make sure that your port control procedure ensures that authorization
is granted by the manager of computer services before maintenance
engineers are allowed to access your diagnostic ports.

9.4.6 SEGREGATE INTERNAL AND EXTERNAL NETWORKS

Establish controls to segregate your internal networks
from your business partners’ external networks.

Make sure that your network controls prevent external partners
from gaining unauthorized access to your internal information
processing and networking facilities.

Make sure that your network controls prevent unauthorized external
partner access to sensitive or critical information systems.

Make sure that your external network controls segregate
groups of users, information systems, and services.

Divide your networks into separate
internal and external network domains.

Establish secure perimeters between internal
network domains and external network domains.

Establish secure gateways to control user access
and the flow of information between internal network
domains and external network domains.

Configure your gateways to filter traffic between internal
network domains and external network domains.

Configure your gateways to block unauthorized access
to your organization’s internal network domains.

Make sure that your gateways have been configured in
accordance with your organization’s access control policy.

Make sure that your network segregation practices
comply with your network access requirements.

9.4.7 RESTRICT CONNECTION TO SHARED NETWORKS

Establish controls to restrict the users'
ability to connect to shared networks.

Establish controls to restrict the users' ability to connect
to networks that are shared between organizations.

Use network gateways to filter traffic
using pre‑defined tables or rules.

Make sure that your shared network connection restrictions
are consistent with your organization's network access policy.

Make sure that your shared network connection restrictions
meet your organization's business application requirements.

Review and update your shared network
connection restrictions on a regular basis.

Apply network connection restrictions to your email communications.

Apply network connection restrictions to one‑way file transfers.

Apply network connection restrictions to both‑ways file transfers.

Apply network connection restrictions to interactive access.

Apply network connection restrictions by limiting
network access to a date or time of day.

9.4.8 ESTABLISH SHARED NETWORK ROUTING CONTROLS

Establish network routing controls to ensure that information
flows and computer connections within shared networks
comply with your access control policy.

Make sure that your network routing controls are
based on positive source and destination address
checking techniques.

Use network address translation techniques
to isolate shared networks and prevent routes
from propagating from one network to another.

9.4.9 VERIFY THE SECURITY OF NETWORK SERVICES

Use public or private network services.

Make sure that you have a clear description of the
security features that each network service uses.

Verify the security features of all the network
services that are used by your organization.

9.5 RESTRICT ACCESS AT OPERATING SYSTEM LEVEL

Develop methods at the operating system level
to restrict access to your computer resources.

Make sure that you can verify the identity of each authorized user.

Make sure that you can identify and verify the
terminal or location of each authorized user.

Maintain a record of successful and unsuccessful access attempts.

Use appropriate methods to authenticate users.

Make sure that good quality passwords are used to authenticate users.

Regulate how long users can be connected.

Use challenge‑response methods to control access.

9.5.1 USE AUTOMATIC TERMINAL IDENTIFICATION TECHNIQUES

Use automatic terminal identification techniques
to authenticate connections to specific locations.

Use automatic terminal identification techniques to
authenticate connections to specific portable equipment.

Use automatic terminal identification techniques when
you need to ensure that a session can only be initiated
from a particular location or terminal.

Install or attach identifiers to terminals in order to be
able to determine whether a particular terminal can
initiate or receive transactions.

Take steps to secure terminal identifiers.

9.5.2 ESTABLISH TERMINAL LOG-ON PROCEDURES

Establish terminal log‑on procedures to
control access to your information services.

Make sure that your log‑on procedures minimize the opportunity
for unauthorized access to information services.

Make sure that your log‑on procedures make it difficult for unauthorized
users to learn about your system by disclosing only the bare minimum
of information about the system.

Make sure that your log‑on procedures ensure that application
or system identifiers are hidden until the log‑on procedure has 
been completed successfully.

Make sure that your log‑on procedures warn users that the
computer system may only be accessed by authorized users.

Make sure that your log‑on procedures make
it difficult for unauthorized users to log‑on by
not providing any help messages.

Make sure that your log‑on procedures ensure
that log‑on information is not validated until
all information has been entered.

Make sure that your log‑on procedures handle
log‑on error conditions by not telling the user
exactly which input data is incorrect.

Make sure that your log‑on procedures limit the number
of unsuccessful log‑on attempts that are allowed.

Make sure that log‑on procedures limit the number of unsuccessful
log‑on attempts by disconnecting data link connections.

Make sure that log‑on procedures limit unsuccessful log‑on attempts by
rejecting any additional attempts to log‑on without special authorization.

Make sure that your log‑on procedures force a time delay
before the user is allowed to attempt another log‑on.

Make sure that log‑on procedures limit the minimum and
maximum time allowed to log‑on to information services.

Make sure that log‑on procedures ensure that unsuccessful
log‑on attempts are recorded and that records are kept.

Make sure that log‑on procedures ensure that the date
and time of the previous successful log‑on is displayed.

Make sure that log‑on procedures ensure that the details
of previous unsuccessful log‑on attempts are displayed.

9.5.3 IDENTIFY AND AUTHENTICATE ALL USERS

Assign a unique identifier (ID) to each user.

Make sure that personal identifiers conceal the user's
privilege level and his managerial or professional status.

Make it clear that personal identifiers are for personal
use only and must not be shared with others.

Make sure that personal identifiers can be used to
trace work back to the person who performed it
thereby establishing accountability.

Establish controls to regulate and limit the assignment
of IDs to groups of users or to specific jobs.

Make sure that the assignment of group IDs or job specific
IDs requires management approval and documentation.

Make sure that accountability is still maintained
even though group or job IDs have been granted.

Establish authentication procedures to 
verify the claimed identity of all users.

Use passwords to identify and authenticate users.

Use cryptographic methods and authentication
protocols to identify and authenticate users.

Use objects such as smart cards or memory
tokens to identify and authenticate users.

Use biometric authentication technologies
to identify and authenticate users.

9.5.4 SET UP A GOOD PASSWORD MANAGEMENT SYSTEM

Make sure that your password management system
ensures that good quality passwords are selected.

Make sure that password management system ensures
accountability through the use of individual passwords.

Make sure that your password management system
allows users to select and modify their own passwords.

Make sure that your password management system includes
a confirmation procedure to handle input errors.

Make sure that your password management
system ensures that passwords are not
displayed while they are being entered.

Make sure that your password management
system forces new users to change temporary
passwords when they log‑on for the first time.

Make sure that your password management system
forces users to change their passwords periodically.

Make sure that your password management system
keeps a complete record of previously used passwords.

Make sure that your password management
system prevents the re‑use of old passwords.

Make sure that your password management system
ensures that password files are stored separately
from application system data.

Make sure that your password management system
ensures that passwords are encrypted and stored
using a one‑way encryption algorithm.

Make sure that your password management system ensures
that default vendor passwords are changed once you've
installed the vendor's software.

9.5.5 CONTROL THE USE OF ALL SYSTEM UTILITIES

Restrict and control the use of any utilities that could be
used to override your application and system controls.

Use authentication procedures to restrict
and control the use of your system utilities.

Define and document authorization levels that are
used to restrict and control system utility usage.

Ensure that only a few trustworthy persons are
formally authorized to use your system utilities.

Authorize and control ad hoc system utility usage.

Limit the availability and use of all system utilities.

Maintain a complete log of system utility usage.

Keep application software separate from utilities.

Remove all unnecessary software utilities.

Remove all unnecessary system software.

9.5.6 PROVIDE DURESS ALARMS TO PROTECT USERS

Provide duress alarm systems to users who
could be the target of coercion or violence.

Carry out a risk assessment to determine
who should receive duress alarm systems.

Developed procedure that describe how
people should respond to duress alarms.

Define responsibilities that describe how
people should respond to duress alarms.

9.5.7 USE TIME-OUTS TO PROTECT INACTIVE TERMINALS

Prevent unauthorized access to inactive terminals by ensuring that they
automatically time‑out and shutdown after a specified period of inactivity.

Make sure that terminals in high risk areas and locations automatically
time‑out and shutdown after a specified period of inactivity.

Make sure that your time‑out feature ensures that terminal
screens are cleared after a specified period of inactivity.

Make sure that your time‑out feature ensures that application
and network sessions are closed after a period of inactivity.

Prevent unauthorized access to inactive PCs in lower risk areas
by ensuring that screens are cleared without closing down the
application or network session.

9.5.8 RESTRICT TERMINAL CONNECTION TIMES

Reduce the opportunity for unauthorized access to terminals
in high‑risk locations by limiting connection times.

Reduce the opportunity for unauthorized access to sensitive
applications by limiting terminal connection times.

Reduce the opportunity for unauthorized access to terminals by
establishing predetermined time slots for all batch file transmissions.

Reduce the opportunity for unauthorized access to terminals
by establishing short regular interactive sessions.

Reduce the opportunity for unauthorized access to terminals
by restricting connection times to normal business hours.

9.6 MANAGE ACCESS TO APPLICATION SYSTEMS

Ensure that only authorized users are
allowed to access your application systems.

Ensure that only authorized users are allowed
to access information held in application systems.

Make sure that access to your application systems
and information is regulated by a formal business
access control policy.

Make sure that your application systems control
user access to application system functions.

Make sure that your application systems control user
access to information held within application systems.

Make sure that application systems are protected
from unauthorized access by operating system
software and utilities.

Ensure that your application systems do not compromise
the security of other interrelated application systems.

Ensure that your application systems restrict access to the
owner of the system and to authorized users of the system.

9.6.1 REGULATE ACCESS TO APPLICATIONS AND INFORMATION

Make sure that access to application system
functions and information is controlled by a
well defined access control policy.

Make sure that your business application
requirements determine the types of access
restrictions that are placed on users.

Use menus to regulate and control access to 
application system functions and information.

Edit your application system documentation in 
order to limit the knowledge users can acquire
about application system functions and information.

Use formal access rights to restrict access to 
application system functions and information.

Make sure that sensitive application outputs are reviewed
to ensure that no unnecessary information is revealed and
that only information needed to do the job is included.

Make sure that sensitive application outputs are
sent only to authorized terminals and locations.

9.6.2 ISOLATE SENSITIVE APPLICATION SYSTEMS

Isolate your sensitive application systems.

Use dedicated computers to run your
most sensitive application systems.

Make sure that sensitive application systems share
resources with only trusted application systems.

Make sure that all trusted application systems
are identified before they are allowed to share
resources with sensitive application systems.

Make sure that application owners have documented
the sensitivity of their application systems.

Make sure that owners of sensitive application
systems control whether or not they will share
resources with other application systems.

9.7 MONITOR SYSTEM ACCESS AND USE

Monitor your information systems in order to verify
that they comply with your access control policy.

Monitor your information systems in order to
detect deviations from your access control policy.

Monitor information systems in order to evaluate
the effectiveness of your security controls.

Record deviations from your access control policy.

Make sure that your records can prove
that security incidents have occurred.

9.7.1 ESTABLISH AND MAINTAIN SYSTEM  LOGS

Establish information system audit logs that 
record security related exceptions and events.

Make sure that audit logs are used
to monitor system access and use.

Make sure that your audit logs record user IDs.

Make sure that your audit logs record terminal identities.

Make sure that your audit logs record terminal locations.

Make sure that your audit logs
record successful access attempts.

Make sure that your audit logs
record rejected access attempts.

Make sure that your audit logs record
log‑on and log‑off dates and times.

Make sure that your audit logs are
kept for an extended period of time.

Make sure that your audit logs comply
with your record retention policy.

Make sure that your audit logs support
the need to collect evidence.

Make sure that audit logs can be used
to support security investigations.

Make sure that you archive audit logs in order
to meet all legal record retention requirements.

9.7.2 MONITOR INFORMATION PROCESSING FACILITIES

9.7.2.1 ESTABLISH PROCEDURES TO MONITOR FACILITIES

Establish procedures to monitor the use
of your information processing facilities.

Make sure that your usage monitoring procedures are designed to
ensure that users are only performing authorized activities.

Carry out a risk assessment for each facility in order
to determine what level of monitoring is necessary.

Monitor authorized access to your
information processing facilities.

Monitor authorized access by tracking user IDs.

Monitor authorized access by tracking the
date and time of all key events and activities.

Monitor authorized access by tracking
the types of events that occur.

Monitor authorized access by tracking
the files that are accessed.

Monitor authorized access by tracking
the programs and utilities that are used.

Monitor privileged operations and activities.

Monitor privileged operations and activities
by tracking the use of all supervisor accounts.

Monitor privileged operations and activities
by tracking all system start‑ups and stops.

Monitor privileged operations and activities by
tracking I/O device attachments and detachments.

Monitor unauthorized access to your information processing facilities.

Monitor unauthorized access by tracking failed access attempts.

Monitor unauthorized access by tracking access policy violations.

Monitor unauthorized access by tracking
notifications for network gateways and firewalls.

Monitor unauthorized access by tracking alerts
announced by proprietary intrusion detection systems.

Monitor information system alerts and failures.

Monitor console alerts and messages.

Monitor network management alarms.

Monitor system log exceptions.

9.7.2.2 REVIEW THE RESULTS OF MONITORING ACTIVITIES

Review regularly the results of your monitoring activities.

Review the results that monitor high risk information processing
facilities more often than low risk information processing facilities.

Review the results that monitor the most critical application
processes more often than less critical application processes.

Review results that monitor the use of valuable information.

Review results that monitor the use of sensitive information.

Review results that monitor the use of critical information.

Review results that monitor areas that have
experienced previous system infiltrations.

Review results that monitor areas that have
experienced previous system misuse.

Review results that monitor systems that are
highly interconnected with other systems.

Review results that monitor systems that
are interconnected with public networks.

9.7.2.3 STUDY LOGS TO IDENTIFY SECURITY EVENTS

Review logs on a regular basis in order to
identify possible security threats and incidents.

Allocate the responsibility for regular log reviews.

Ensure that log reviewers are independent of 
the people, activities, and logs being reviewed.

Establish methods that you can use to study large
log files and to pinpoint significant security events.

Use system utilities or audit tools to interrogate large
log files and to pinpoint significant security events.

Take steps to secure your logging facilities.

Establish controls to prevent operational
problems with logging facilities.

Establish controls to ensure that log file media
does not become exhausted or damaged.

Establish controls to prevent log
recording failures and deficiencies.

Establish controls to prevent unauthorized
changes to your logging facilities.

Establish controls to prevent changes to the
general types of messages being logged.

Establish controls to prevent log files from being edited.

Establish controls to prevent log files from being deleted.

Establish controls to prevent the de‑activation of your logging facilities.

9.7.3 PROTECT LOGS BY SYNCHRONIZING CLOCKS

Protect the credibility of your logs by ensuring
that computer clocks are always accurate.

Make sure that your clocks are set
to an international time standard.

Establish a procedure to check computer
clocks and correct significant time variations.

9.8 PROTECT MOBILE AND TELEWORKING ASSETS

Protect your mobile computing equipment.

Make sure that your security initiatives address the
risks that your mobile computing activities cause.

Make sure that mobile security initiatives address
the risks associated with having to work in an
unprotected environment.

Take steps to protect your teleworking equipment.

Take steps to protect your teleworking sites.

Make sure that your security initiatives address the
risks that your teleworking equipment and sites create.

9.8.1 PROTECT MOBILE EQUIPMENT AND INFORMATION

Protect the information processed by mobile computing equipment.

Protect the information processed by notebooks.

Protect the information processed by palmtops.

Protect the information processed by laptops.

Protect the information processed by mobile phones.

Establish a policy to address the risks associated with using
mobile computing equipment in unprotected environments.

Make sure that your mobile equipment security policy instructs
users to be careful about using mobile computing equipment in
unprotected areas outside of the organization's premises.

Make sure that your mobile equipment security policy instructs
users to be careful about allowing unauthorized persons to view
confidential information.

Make sure that your mobile equipment security policy provides
guidance on how to protect information and equipment while
working in public places.

Make sure that your mobile equipment security policy addresses
the need to provide physical protection for your equipment.

Make sure that your mobile equipment security policy
addresses the need to provide access control.

Make sure that your mobile equipment security policy ensures
that unauthorized access to information is prevented.

Make sure that your mobile equipment security policy
addresses the need to provide cryptographic protection.

Make sure that your mobile equipment security policy ensures
that unauthorized disclosure of information is prevented.

Make sure that your mobile equipment security policy
addresses the need to provide virus protection.

Develop mobile equipment security
procedures to deal with malicious software.

Make sure that your mobile equipment security policy
addresses the need to provide suitable backup capabilities.

Provide equipment to enable your mobile
equipment users to backup their information.

Make sure that mobile equipment backups
are protected from theft or loss of information.

Make sure that your mobile equipment security
policy addresses the need to be able to connect
mobile equipment to networks.

Protect your mobile equipment
while it is connected to networks.

Use access control mechanisms to regulate
the use of mobile computer equipment and
public networks to access business information.

Make sure that your mobile access control mechanisms
ensure that users are properly identified and authenticated
before they are given access to business information.

Protect your mobile equipment against theft.

Protect all mobile equipment that handles
important or sensitive information.

Make sure that mobile equipment that handles important
or sensitive information is never left unattended.

Provide mobile computer security training
and awareness programs to your staff.

Make sure that your mobile computer training
and awareness programs discuss the additional
risks that mobile computing presents.

Make sure that mobile computer training and awareness
programs explain the security controls that should be used.

9.8.2 PROTECT TELEWORKING EQUIPMENT AND INFORMATION

Secure your remote teleworking sites.

Develop a policy to control teleworking.

Develop procedures to control teleworking.

Develop standards to control teleworking.

Prevent the theft of equipment used by
workers located outside your organization.

Prevent the theft of information available to
workers located outside your organization.

Prevent the unauthorized disclosure of information
available to workers located outside your organization.

Prevent unauthorized remote access
to your organization's internal systems.

Prevent remote workers from misusing
your organization's information facilities.

Make suitable arrangements to support your
organization's teleworking initiatives and activities.

Make sure that all teleworking activities and arrangements
are controlled by your organization's management.

Make sure that all teleworking activities and arrangements
have been formally authorized by your management.

Make sure that all teleworking security controls
and arrangements comply with your security policy.

Make sure that all necessary security controls and
arrangements are in place before teleworking activities
are authorized by your organization's management.

Make sure that teleworking sites are physically
secure before teleworking activities are authorized.

Make sure that teleworking buildings are secure
before teleworking sites are placed in those buildings.

Make sure that the local environment is secure before
teleworking sites are placed in that environment.

Make sure that communications between teleworking
sites and your internal systems will be secure before
teleworking sites are authorized.

Make sure that your teleworking security controls consider the
sensitivity and importance of the information that will be communicated
between your organization and its remote teleworking sites.

Prevent unauthorized access to your information
resources from remote teleworking sites.

Provide suitable teleworking
equipment and storage furniture.

Make sure that teleworkers know what type of
telework is permitted and what type is prohibited.

Make sure that teleworkers know the hours
and days during which telework is permitted.

Make sure that teleworkers know what
type of information may be accessed.

Make sure that teleworkers know what kinds of
internal systems and services may be accessed.

Make sure that the communications equipment given to
teleworkers is appropriate to the work they must perform.

Establish methods for securing remote access to
your organization’s information resources and services.

Establish physical security for your teleworking sites.

Establish rules that prevent family members and
personal visitors from using your organization's
teleworking equipment and accessing your data.

Make sure that teleworkers receive suitable software
and hardware maintenance and support services.

Establish teleworking back‑up procedures.

Establish business continuity
procedures for teleworking sites.

Establish audit and security monitoring methods
and techniques for your teleworking sites.

Establish procedures to control how teleworking
sites can be discontinued or shutdown.

Establish procedures to control how authorization
to perform telework can be revoked or cancelled.

Establish procedures to control how your
teleworking access rights can be withdrawn.

Establish procedures to control how your
teleworking equipment should be returned.

MAIN MENU

TO SECTION 10