Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate of complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
18.1.1 Identification of applicable legislation and contractual requirements 4240
Control 4241
All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach 4242
to meet these requirements shall be explicitly identified, documented and kept up to date for each 4243
information system and the organization. 4244
Implementation guidance 4245
The specific controls and individual responsibilities to meet these requirements should also be defined 4246
and documented. 4247
Managers should identify all legislation applicable to their organization in order to meet the 4248
requirements for their type of business. If the organization conducts business in other countries, 4249
managers should consider compliance in all relevant countries. 4250
18.1.2 Intellectual property rights
4251
Control 4252
Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and 4253
contractual requirements related to intellectual property rights and use of proprietary software products. 4254
Implementation guidance 4255
The following guidelines should be considered to protect any material that may be considered 4256
intellectual property: 4257
a) publishing an intellectual property rights compliance policy which defines the legal use of the 4258
IACS; 4259
b) acquiring software only through known and reputable sources, to ensure that copyright is not 4260
violated; 4261
c) maintaining awareness of policies to protect intellectual property rights and giving notice of the 4262
intent to take disciplinary action against personnel breaching them; 4263
d) maintaining appropriate asset registers and identifying all assets with requirements to protect 4264
intellectual property rights; 4265
e) maintaining proof and evidence of ownership of licenses, master disks, manuals, etc.; 4266
f) implementing controls to ensure that any maximum number of users permitted within the license 4267
is not exceeded; 4268
g) carrying out reviews that only authorized software and licensed products are installed; 4269
h) providing a policy for maintaining appropriate license conditions; 4270
i) providing a policy for disposing of or transferring software to others; 4271
j) complying with terms and conditions for software and information obtained from public 4272
networks; 4273
k) not duplicating, converting to another format or extracting from commercial recordings (film, 4274
audio) other than permitted by copyright law; 4275
l) not copying in full or in part, books, articles, reports or other documents, other than 4276
permitted by copyright law. 4277
Other information 4278
Intellectual property rights include software or document copyright, design rights, trademarks, patents 4279
and source code licenses. 4280 This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate of complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
Proprietary software products are usually supplied under a license agreement that specifies license 4281
terms and conditions, for example, limiting the use of the products to specified machines or limiting 4282
copying to the creation of backup copies only. The importance and awareness of intellectual property 4283
rights should be communicated to staff for software developed by the organization. 4284
Legislative, regulatory and contractual requirements may place restrictions on the copying of 4285
proprietary material. In particular, they may require that only material that is developed by the 4286
organization or that is licensed or provided by the developer to the organization, can be used. 4287
Copyright infringement can lead to legal action, which may involve fines and criminal proceedings. 4288
18.1.3 Protection of records
4289
Control 4290
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized 4291
release, in accordance with legilated, regulatory, contractual and business requirements. 4292
Implementation guidance 4293
When deciding upon protection of specific organizational records, their corresponding classification 4294
based on the organization’s classification scheme, should be considered. I A C S r ecords o r 4295
c l a s s i f i e d i n f o r m a t i o n should be categorized into record types, e.g. critical and/or 4296
classified records,accounting records, database records, transaction logs, audit logs and 4297
operational procedures, each with details of retention periods and type of allowable storage 4298
media, e.g. paper, microfiche, magnetic, optical. Any related cryptographic keys and programs 4299
associated with encrypted archives or digital signatures (see 10), should also be stored to enable 4300
decryption of the records for the length of time the records are retained. 4301
Consideration should be given to the possibility of deterioration of media used for storage of records. 4302
Storage and handling procedures should be implemented in accordance with manufacturer’s 4303
recommendations. 4304
Where electronic storage media are chosen, procedures to ensure the ability to access data 4305
(both media and format readability) throughout the retention period should be established to safeguard 4306
against loss due to future technology change. 4307
Data storage systems should be chosen such that required data can be retrieved in an acceptable 4308
timeframe and format, depending on the requirements to be fulfilled. 4309
The system of storage and handling should ensure identification of records and of their retention 4310
period as defined by national or regional legislation or regulations, if applicable. This system should 4311
permit appropriate destruction of records after that period if they are not needed by the organization. 4312
To meet these record safeguarding objectives, the following steps should be taken within an 4313
organization: 4314
a) guidelines should be issued on the retention, storage, handling and disposal of records and 4315
information; 4316
b) a retention schedule should be drawn up based on the type of record and/or information and 4317
the period of time for which they should be retained; 4318
c) an inventory of these records and/or information should be maintained. 4319
Other information 4320
Some records may need to be securely retained to meet statutory, regulatory or contractual 4321
requirements, as well as to support essential business activities. Examples include records that may 4322
be required as evidence that an organization operates within statutory or regulatory rules, to ensure 4323
defense against potential civil or criminal action or to confirm the financial status of an organization 4324 This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate of complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
to shareholders, external parties and auditors. National law or regulation may set the time period and 4325
data content for information retention. 4326
Further information about managing organizational records can be found in ISO 15489-1. 4327
18.1.4 Privacy and protection of personally identifiable information
4328
Control 4329
Privacy and protection of personally identifiable information should be ensured as required in relevant 4330
legislation and regulation where applicable. 4331
Implementation guidance 4332
An organization’s data policy for privacy and protection of personally identifiable information should be 4333
developed and implemented. This policy should be communicated to all persons involved in the 4334
processing of personally identifiable information. 4335
Compliance with this policy and all relevant legislation and regulations concerning the protection of 4336
the privacy of people and the protection of personally identifiable information requires appropriate 4337
management structure and control. Often this is best achieved by the appointment of a person 4338
responsible, such as a privacy officer, who should provide guidance to managers, users and service 4339
providers on their individual responsibilities and the specific procedures that should be followed. 4340
Responsibility for handling personally identifiable information and ensuring awareness of the privacy 4341
principles should be dealt with in accordance with relevant legislation and regulations. Appropriate 4342
technical and organizational measures to protect personally identifiable information should be 4343
implemented. 4344
Other information 4345
ISO/IEC 29100 provides a high-level framework for the protection of personally identifiable information 4346
within information and communication technology systems. A number of countries have introduced 4347
legislation placing controls on the collection, processing and transmission of personally identifiable 4348
information (generally information on living individuals who can be identified from that information). 4349
Depending on the respective national legislation, such controls may impose duties on those collecting, 4350
processing and disseminating personally identifiable information, and may also restrict the ability to 4351
transfer personally identifiable information to other countries. 4352
18.1.5 Regulation of cryptographic controls
4353
Control 4354
Cryptographic controls should be used in compliance with all relevant agreements, legislation and 4355
regulations. 4356
Implementation guidance 4357
The following items should be considered for compliance with the relevant agreements, laws and 4358
regulations: 4359
a) restrictions on import or export of computer hardware and software for performing cryptographic 4360
functions; 4361
b) restrictions on import or export of computer hardware and software which is designed to have 4362
cryptographic functions added to it; 4363
c) restrictions on the usage of encryption; 4364
d) mandatory or discretionary methods of access by the countries’ authorities to information 4365
encrypted by hardware or software to provide confidentiality of content. 4366 This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate of complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
Legal advice should be sought to ensure compliance with relevant legislation and regulations. Before 4367
encrypted information or cryptographic controls are moved across jurisdictional borders, legal advice 4368
should also be taken. 4369
18.2 Information security review