Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.
11.2.1 Equipment siting and protection
Control
Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
The organization shall employ and maintain fire suppression and detection devices/systems that can be activated in the event of a fire.
(1) The organization employs fire detection devices/systems that activate automatically and notify the organization and emergency responders in the event of a fire.
(2) The organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders.
(3) The organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.
The organization shall regularly maintain, within acceptable levels, and monitor the temperature and humidity within the facility where the IACS resides.
The organization shall protect the IACS from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
(1) The organization employs mechanisms that, without the need for manual intervention, protect the IACS from water damage in the event of a significant water leak.
This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate or complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
Implementation guidance
The following guidelines should be considered to protect equipment:
a) equipment should be sited to minimize unnecessary access into work areas;
b) information processing facilities handling sensitive data should be positioned carefully to reduce the risk of information being viewed by unauthorized persons during their use;
c) storage facilities should be secured to avoid unauthorized access;
d) items requiring special protection should be safeguarded to reduce the general level of protection required;
e) controls should be adopted to minimize the risk of potential physical and environmental threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation and vandalism;
f) guidelines for eating, drinking and smoking in proximity to information processing facilities should be established;
g) environmental conditions, such as temperature and humidity, should be monitored and alarmed for conditions which could adversely affect the operation of information processing facilities;
h) lightning protection should be applied to all buildings and lightning protection filters should be fitted to all incoming power and communications lines;
i) the use of special protection methods, such as keyboard membranes, should be considered for equipment in industrial environments;
j) equipment processing confidential information should be protected to minimize the risk of information leakage due to electromagnetic emanation.
Fire suppression and detection devices/systems include, but are not limited to, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.
11.2.2 Supporting utilities
Control
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
The organization shall identify primary and alternate telecommunications services to support the IACS and initiate necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.
(1) The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
(2) The organization obtains alternate telecommunications services that do not share a single point of failure with primary telecommunications services.
(3) The organization obtains alternate telecommunications service providers that are sufficiently separated from primary service providers so as not to be susceptible to the same hazards.
(4) The organization requires primary and alternate telecommunications service providers to have adequate contingency plans.
The organization shall provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the IACS in the event of a primary power source loss.
(1) The organization provides a long-term alternate power supply for the IACS that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
(2) The organization provides a long-term alternate power supply for the IACS that is self-contained and not reliant on external power generation.
The organization shall employ and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes.
Implementation guidance
Supporting utilities (e.g., electricity, telecommunications, water supply, gas, sewage, ventilation and air conditioning) should:
a) conform to equipment manufacturer's specifications and local legal requirements;
b) be appraised regularly for their capacity to meet business growth and interactions with other supporting utilities;
c) be inspected and tested regularly to ensure their proper functioning;
d) if necessary, be alarmed to detect malfunctions;
e) if necessary, have multiple feeds with diverse physical routing.
Emergency lighting and communications should be provided. Emergency switches and valves to cut off power, water, gas or other utilities should be located near emergency exits or equipment rooms.
In the event that the primary and/or alternate telecommunications services are provided by a common carrier, the organization requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness (see http://tsp.ncs.gov for a full explanation of the TSP program).
Other information
Additional redundancy for network connectivity can be obtained by means of multiple routes from more than one utility provider.
11.2.3 Cabling security
Control
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
Additional redundancy for network connectivity can be obtained by means of multiple routes from more than one utility provider.
The organization shall protect power equipment and power cabling for the IACS from damage and destruction.
(1) The organization employs redundant and parallel power cabling paths.
Implementation guidance
The following guidelines for cabling security should be considered:
a) power and telecommunications lines into information processing facilities should be underground, where possible, or subject to adequate alternative protection;
b) power cables should be segregated from communications cables to prevent interference;
c) for sensitive or critical systems further controls to consider include:
1) installation of armored conduit and locked rooms or boxes at inspection and termination points;
2) use of electromagnetic shielding to protect the cables;
3) initiation of technical sweeps and physical inspections for unauthorized devices being attached to the cables;
4) controlled access to patch panels and cable rooms.
Physical protections applied to IACS distribution and communication lines help prevent accidental damage, disruption, and physical tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in-transit modification of unencrypted communications. Protective measures to control physical access to IACS distribution and communication lines include: (i) keeping endpoints and any access points in locked wiring closets; (ii) disconnecting or locking spare jacks; and/or (iii) protecting cabling with conduit or cable trays.
11.2.4 Equipment maintenance
Control
Equipment shall be correctly maintained to ensure its continued availability and integrity.
Implementation guidance
The following guidelines for equipment maintenance should be considered:
a) equipment should be maintained in accordance with the supplier’s recommended service intervals and specifications;
b) only authorized maintenance personnel should carry out repairs and service equipment;
c) records should be kept of all suspected or actual faults, and of all preventive and corrective maintenance;
d) appropriate controls should be implemented when equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on site or external to the organization; where necessary, confidential information should be cleared from the equipment or the maintenance personnel should be sufficiently cleared;
e) all maintenance requirements imposed by insurance policies should be complied with;
f) before putting equipment back into operation after its maintenance, it should be inspected to ensure that the equipment has not been tampered with and does not malfunction.
11.2.5 Removal of assets
Control
Equipment, information or software should not be taken off-site without prior authorization.
Implementation guidance
The following guidelines should be considered:
a) employees and external party users who have authority to permit off-site removal of assets should be identified;
b) time limits for asset removal should be set and returns verified for compliance;
c) where necessary and appropriate, assets should be recorded as being removed off-site and recorded when returned;
d) the identity, role and affiliation of anyone who handles or uses assets should be documented and this documentation returned with the equipment, information or software.
Other information
Spot checks, undertaken to detect unauthorized removal of assets, can also be performed to detect unauthorized recording devices, weapons, etc., and to prevent their entry into and exit from, the site. Such spot checks should be carried out in accordance with relevant legislation and regulations. Individuals should be made aware that spot checks are carried out, and the verifications should only be performed with authorization appropriate for the legal and regulatory requirements.
11.2.6 Security of equipment and assets off premises
Control
Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.
Implementation guidance
The use of any information storing and processing equipment outside the organization’s premises should be authorized by management. This applies to equipment owned by the organization and to equipment owned privately and used on behalf of the organization.
The following guidelines should be considered for the protection of off-site equipment:
a) equipment and media taken off premises should not be left unattended in public places;
b) manufacturers’ instructions for protecting equipment should be observed at all times, e.g. protection against exposure to strong electromagnetic fields;
c) controls for off-premises locations, such as home-working, teleworking and temporary sites, should be determined by a risk assessment and suitable controls applied as appropriate, e.g. lockable filing cabinets, clear desk policy, access controls for computers and secure communication with the office (see also ISO/IEC 27033 Network Security);
d) when off-premises equipment is transferred among different individuals or external parties, a log should be maintained that defines the chain of custody for the equipment including at least names and organizations of those who are responsible for the equipment.
Risks, e.g. of damage, theft or eavesdropping, may vary considerably between locations and should be taken into account in determining the most appropriate controls.
Other information
Information storing and processing equipment includes all forms of personal computers, organizers, mobile phones, smart cards, paper or other form, which is held for home working or being transported away from the normal work location.
More information about other aspects of protecting mobile equipment can be found in 6.2.
It may be appropriate to avoid the risk by discouraging certain employees from working off-site or by restricting their use of portable IT equipment.
11.2.7 Secure disposal or reuse of equipment
Control
All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Implementation guidance
Procedures should be established and audited with respect to the addition, removal and disposal of all assets; and equipment should be checked to determine whether or not it contains storage media prior to disposal or re-use.
Storage media containing confidential or copyrighted information should be physically destroyed or the information should be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.
Other information
Damaged equipment containing storage media may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded. Information can be compromised through careless disposal or re-use of equipment.
In addition to secure disk erasure, whole-disk encryption reduces the risk of disclosure of confidential information when equipment is disposed of or redeployed, provided that:
a) the encryption process is sufficiently strong and covers the entire disk (including slack space, swap files etc.);
b) the encryption keys are long enough to resist brute force attacks;
c) the encryption keys are themselves kept confidential (e.g. never stored on the same disk).
For further advice on encryption, see 10.
Techniques for securely overwriting storage media differ according to the storage media technology. Overwriting tools should be reviewed to make sure that they are applicable to the technology of the storage media.
11.2.8 Unattended user equipment
Control
Users shall ensure that unattended equipment has appropriate protection.
Implementation guidance
All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Users should be advised to:
a) terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password protected screen saver;
b) log-off from applications or network services when no longer needed;
c) secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.
11.2.9 Clear desk and clear screen policy
Control
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
Implementation guidance
The clear desk and clear screen policy should take into account the information classifications (see 8.2), legal and contractual requirements (see 18.1) and the corresponding risks and cultural aspects of the organization. The following guidelines should be considered:
a) sensitive or critical business information, e.g. on paper or on electronic storage media, should be locked away (ideally in a safe or cabinet or other forms of security furniture) when not required, especially when the office is vacated;
b) computers and terminals should be left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism when unattended and should be protected by key locks, passwords or other controls when not in use;
c) unauthorized use of photocopiers and other reproduction technology (e.g., scanners, digital cameras) should be prevented;
d) media containing sensitive or classified information should be removed from printers immediately.
Other information
A clear desk/clear screen policy reduces the risks of unauthorized access, loss of and damage to information during and outside normal working hours. Safes or other forms of secure storage facilities might also protect information stored therein against disasters such as a fire, earthquake, flood or explosion.
Consider the use of printers with PIN code function, so the originators are the only ones who can get their print-outs and only when standing next to the printer.
12 Operations security