and protect sensitive information from unauthorised disclosure.
CF3.2.1
Documents should be managed throughout the document lifecycle (ie creation, categorisation, storage, retrieval, modification and destruction).
CF3.2.2
The management of documents should be supported by a:
a) document retention policy
b) retention schedule
c) document management process.
CF3.2.3
A document retention policy should be developed, which:
a) is supported by executive management
b) specifies employee obligations for document management and the consequences of non-compliance
c) covers the different formats of information that are subject to the policy (including paper-based and electronic documents)
d) defines important terms (eg what constitutes a document and a record, and their respective lifecycles)
e) explains how to back-up and archive information.
In many organisations documents that have been officially assessed by the organisation to have a significant business value (eg a set of company board minutes or product designs), or are within the scope of specific laws or regulations (eg financial files, trade secrets or medical documents), are often categorised as records and subject to more rigorous record management.
CF3.2.4
A document retention policy should detail requirements for legal and regulatory compliance, including:
a) any relevant standards relating to retention that are to be used
b) mechanisms for handling conflicting requirements (eg retention periods in different jurisdictions)
c) a process for dealing with legal discovery (eg requests for information held in a document management system).
CF3.2.5
A document retention policy should be supported by a comprehensive document retention schedule, which contains the retention period for each type of document used by the organisation (eg payroll records, legal correspondence, insurance policies, financial statements or tax returns).
CONTROL FRAMEWORK
www.securityforum.org
CF
Copyright © 2011 Information Security Forum • 2011 Standard of Good Practice CF3.2
SPECIALISED
CF3.2 Document Management (continued)
CF3.2.6
There should be a process in place for managing the organisation's documents throughout the complete document lifecycle, including:
a) creation (eg by a business user or by an automated business process)
b) categorisation of important documents as records
c) storage (eg locally on a business user's mobile device or centrally on a network folder)
d) retrieval (by one or more business users)
e) modification (eg adding to, changing or deleting content)
f) destruction (eg securely destroying documents when no longer required).
CF3.2.7
Records should be subjected to a more rigorous management process to meet business, legal and regulatory requirements. This process should include:
a) storing only one instance of each record (ie all other originals or copies are destroyed)
b) monitoring each record to ensure it complies with the organisation's document retention policy and schedule (eg providing a notification when the retention period has ended)
c) providing a copy of a record when retrieved (ie the original record remains in the document management system)
d) ensuring secure destruction of the original and all copies of a record (eg when the retention period has ended).
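The monitoring step in CF3.2.7 b) and the single-instance rule in CF3.2.7 a) can be checked mechanically against the retention schedule called for in CF3.2.5. The following is an added example, not the ISF's own tooling: it holds a constructed retention schedule and a constructed set of records, and reports which records have more than one instance, which have passed their retention period while still being held, and which fall due within an assumed 30-day notification window. The document types, retention periods, record identifiers and review date are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example schedule: retention period in years per document type.
# The figures are illustrative and are not the ISF's or any regulator's values.
RETENTION_SCHEDULE_YEARS = {
    "payroll record": 7,
    "legal correspondence": 10,
    "insurance policy": 6,
    "tax return": 7,
}

# Assumed lead time for the end-of-retention notification (CF3.2.7 b).
NOTICE_WINDOW = timedelta(days=30)


@dataclass
class Record:
    record_id: str
    doc_type: str
    created: date
    instances: int          # instances held; CF3.2.7 a) expects exactly one
    destroyed: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 Feb start is clamped to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: Record, schedule=RETENTION_SCHEDULE_YEARS) -> date:
    """Date on which the record's retention period ends."""
    return add_years(record.created, schedule[record.doc_type])


def review_records(records, today: date, schedule=RETENTION_SCHEDULE_YEARS) -> dict:
    """Return {record_id: [findings]} for every record needing attention.

    Findings:
      'multiple-instances'     more than one instance is held (CF3.2.7 a)
      'not-in-schedule'        the type has no retention period (CF3.2.5)
      'retention-ended'        period over, record still held (CF3.2.7 b, d)
      'retention-ending-soon'  notification due within NOTICE_WINDOW (CF3.2.7 b)
    """
    findings = {}
    for r in records:
        issues = []
        if r.instances != 1:
            issues.append("multiple-instances")
        if r.doc_type not in schedule:
            issues.append("not-in-schedule")
        elif not r.destroyed:
            end = retention_end(r, schedule)
            if today >= end:
                issues.append("retention-ended")
            elif end - today <= NOTICE_WINDOW:
                issues.append("retention-ending-soon")
        if issues:
            findings[r.record_id] = issues
    return findings


# Constructed sample records and a constructed review date.
SAMPLE_RECORDS = [
    Record("REC-001", "payroll record", date(2003, 4, 1), instances=1),
    Record("REC-002", "tax return", date(2004, 3, 20), instances=2),
    Record("REC-003", "insurance policy", date(2005, 6, 1), instances=1),
    Record("REC-004", "board minutes", date(2010, 1, 1), instances=1),
    Record("REC-005", "legal correspondence", date(2000, 2, 29), instances=1, destroyed=True),
]
TODAY = date(2011, 3, 1)

if __name__ == "__main__":
    for record_id, issues in sorted(review_records(SAMPLE_RECORDS, TODAY).items()):
        print(record_id, ", ".join(issues))
```

Records already marked as destroyed are skipped, so the check does not raise a destruction prompt twice; a type missing from the schedule is reported rather than silently given no retention period, which is the gap CF3.2.5 is meant to close.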
CF3.2.8
The document management process should be supported by an automated document management system (or equivalent) to:
a) improve the management of documents (eg by storing documents centrally and prompting users to classify and label them)
b) maintain the confidentiality, integrity and availability of each document during its lifecycle (eg by automatically encrypting, digitally signing, time-stamping or backing up documents).
Related areas / topics
CF3.1 Information Classification
ISF resources
Practical Approaches to Information Classification: Workshop Report
ISF Digest: Documentation Retention and Record Management
The Information Lifecycle: A New Way of Looking at Information Risk
FUNDAMENTAL
CF3.3 Sensitive Physical Information
Principle
Sensitive information held in physical form (sensitive physical information) should be protected against corruption, loss or disclosure.
Objective
To protect sensitive physical information in accordance with information security and regulatory requirements, preserve the integrity of sensitive physical information and protect it from unauthorised disclosure.
CF3.3.1
There should be documented standards / procedures for the protection of sensitive physical information (eg blank cheques, bonds or print-outs of documents such as personal information, financial projections, business plans or product designs), which cover:
a) identification and labelling of sensitive physical information
b) storage of sensitive physical information
c) protection against unauthorised disclosure of sensitive physical information
d) secure transportation of sensitive physical information
e) handling and disposing of sensitive physical information.
CF3.3.2
Sensitive physical information should be:
a) identified and documented
b) classified according to the organisation's information classification scheme (eg top secret, company-in-confidence or sensitive)
c) stored in a physically secure location (eg a locked, document fire-proof safe or container)
d) monitored by recording its issue, use and return.
CF3.3.3
Important papers and portable storage devices (eg USB memory sticks, CDs and DVDs) should be protected against theft or copying by:
a) storing sensitive physical material in locked cabinets (or similar) when not in use (eg by enforcing a ‘clear desk’ policy)
b) restricting physical access to important post / facsimile points, office equipment (eg photocopiers, network printers, facsimile machines and multifunction devices) and local environments
c) locating equipment used for sensitive printed material in secure physical areas.
CF3.3.4
Sensitive physical information should be protected from unauthorised disclosure (eg by concealing classified documents in sealed folders or keeping relevant printers / photocopiers in locked areas).
CF3.3.5
Sensitive physical information should be protected in transit by:
a) minimising distribution
b) using double-packaging (ie one package inside another)
c) recording authorised recipients
d) clearly marking all packaging with the identity of the authorised recipient
e) confirming receipt of transmitted information (eg documents via post or courier)
f) reviewing records of authorised recipients regularly.
CF3.3.6
Sensitive physical information should be destroyed using a secure means of disposal (eg incineration or cross-cut shredding) when no longer required.
CF3.3.7
A method should be established for verifying the secure destruction of sensitive physical information, which includes:
a) approval of the destruction by the business owner
b) observation of the destruction by a business representative, ensuring all items have been destroyed and in an effective manner
c) recording details of the destruction and sign-off by the business representative.
Double-packaging is a technique often used to conceal the level of sensitivity and classification of information when using postal or courier services. The labelling is only applied to the inner package, thereby concealing it from individuals that handle the outer package, which only contains the details of the recipient.
CF3.3 Sensitive Physical Information (continued)
Related areas / topics
CF16.2 Hardware / Software Acquisition
CF19.1 Physical Protection
ISF resources
FUNDAMENTAL
CF3.4 Asset Register
Principle
All hardware / software should be recorded in an accurate and up-to-date asset register.
Objective
To help support risk-based decisions regarding hardware / software, reduce the risk of information security being compromised by weaknesses in hardware / software, protect assets against loss, support development of contracts and meet compliance requirements for licensing.
CF3.4.1
There should be documented standards / procedures for asset management, which cover:
a) recording of hardware / software in an asset register (or equivalent)
b) protecting the asset register and keeping it up-to-date
c) maintaining the accuracy of details in the register.
CF3.4.2
Types of hardware to be recorded in an asset register should include:
a) computer equipment (including servers, mobile devices, laptops and netbooks)
b) consumer devices (including tablets and smartphones)
c) virtual systems (eg virtual servers and virtual desktops)
d) network storage systems (including Storage Area Network (SAN) and Network-Attached Storage (NAS))
e) network equipment (eg routers, switches, wireless access points and firewalls)
f) telephony (including VoIP) and conferencing equipment
g) portable storage media (eg external hard disk drives and USB memory sticks)
h) authentication hardware (eg physical tokens, smartcards and biometric equipment)
i) office equipment (eg network printers and multifunction devices)
j) specialist equipment (eg equipment that is used to support or enable the organisation’s critical infrastructure).
CF3.4.3
Types of software (including licensing details) to be recorded in an asset register should include:
a) operating system and virtualisation software
b) business software (eg enterprise resource planning (ERP) and customer relationship management (CRM) applications)
c) commercial-off-the-shelf software (COTS)
d) security software (eg data leakage protection (DLP), digital rights management (DRM) and intrusion detection software (IDS)).
CF3.4.4
Asset registers should specify important information about each asset, including:
a) a unique description of hardware and software in use
b) versions of hardware and software in use
c) the location of hardware and software in use
d) licensing details (eg license keys and proof of ownership).
CF3.4.5
The asset register should be checked regularly to identify any discrepancy with physical assets or software licenses. Any discrepancies identified (eg unlicensed software, unused mobile devices or missing portable storage media) should be investigated and resolved (eg by purchasing new licenses, removing unlicensed software, locating missing hardware or securely destroying equipment).
CF3.4 Asset Register
(continued)
CF3.4.6
The accuracy of details about hardware / software recorded in the asset register should be supported by the use of automated discovery / mapping tools to:
a) identify discrepancies in the register
b) detect the illegal use of software (eg no license)
c) highlight the possible theft of equipment (eg hard disk drives or computer memory).
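The three checks in CF3.4.6 amount to a reconciliation between what the register says and what a discovery tool has actually seen. The following is an added example, not the ISF's or any vendor's tool: it loads a constructed register export and a constructed discovery export (both small CSV strings), matches devices by MAC address, and reports registered network devices the scan did not find (register stale, or equipment possibly missing: CF3.4.6 a and c), devices found on the network that are absent from the register (CF3.4.6 a), and software installed on a registered device that is not among the licences recorded for it (CF3.4.6 b). Column names, asset identifiers, MAC addresses and product names are all constructed; the assumption that portable media cannot be seen by a network scan is marked in the code.

```python
import csv
import io

# Constructed asset-register export (the column layout is an assumption for the example).
REGISTER_CSV = """asset_id,hostname,mac,type,location,licensed_software
A-0001,srv-fin-01,00:16:3e:aa:01:01,server,DC1-rack3,"os-server;erp"
A-0002,lt-hr-07,00:16:3e:aa:02:02,laptop,HQ-floor2,"os-desktop;office"
A-0003,prn-mkt-02,00:16:3e:aa:03:03,printer,HQ-floor3,
A-0004,usb-0042,,portable-media,HQ-safe,
"""

# Constructed discovery-tool export: one row per device seen on the network.
DISCOVERY_CSV = """hostname,mac,installed_software
srv-fin-01,00:16:3e:aa:01:01,"os-server;erp"
lt-hr-07,00:16:3e:aa:02:02,"os-desktop;office;cad-tool"
wap-unknown-9,00:16:3e:bb:09:09,"firmware"
"""

# Assumed: asset types a network discovery tool cannot observe, so their absence
# from a scan is not a finding (they are reconciled by physical check instead).
NOT_NETWORK_DISCOVERABLE = {"portable-media"}


def _software(field: str) -> set:
    """Split a ';'-separated product list into a set of product names."""
    return {s.strip() for s in field.split(";") if s.strip()}


def reconcile(register_csv: str, discovery_csv: str) -> dict:
    """Compare the register with discovery output; return sorted discrepancy lists."""
    register = list(csv.DictReader(io.StringIO(register_csv)))
    discovered = {row["mac"].lower(): row
                  for row in csv.DictReader(io.StringIO(discovery_csv))}
    by_mac = {row["mac"].lower(): row for row in register if row["mac"]}

    findings = {"not_found": [], "unregistered": [], "unlicensed_software": []}

    # CF3.4.6 a/c: registered and network-discoverable, but not seen by the scan.
    for row in register:
        if row["type"] in NOT_NETWORK_DISCOVERABLE:
            continue
        if row["mac"].lower() not in discovered:
            findings["not_found"].append(row["asset_id"])

    # CF3.4.6 a: seen on the network but absent from the register.
    for mac in discovered:
        if mac not in by_mac:
            findings["unregistered"].append(mac)

    # CF3.4.6 b: installed software not covered by the licences recorded for that asset.
    for mac, seen in discovered.items():
        reg = by_mac.get(mac)
        if reg is None:
            continue  # already reported as unregistered; no licence record to compare
        extra = _software(seen["installed_software"]) - _software(reg["licensed_software"])
        for product in sorted(extra):
            findings["unlicensed_software"].append((reg["asset_id"], product))

    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(REGISTER_CSV, DISCOVERY_CSV).items():
        print(kind, items)
```

Matching on MAC rather than hostname is a deliberate choice: a hostname can be renamed or reused, whereas a MAC change on a registered asset is itself worth investigating. A scan only covers the network segments it was pointed at, so a `not_found` result should trigger the investigation CF3.4.5 asks for, not an automatic write-off of the asset.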
CF3.4.7
Asset registers should be:
a) signed off by an appropriate business representative
b) protected against unauthorised change
c) kept up-to-date
d) reviewed independently.
Related areas / topics
CF10.1 Patch Management
CF16.2 Hardware / Software Acquisition
ISF resources
SPECIALISED
CF4.3 Information Validation