Solid Digital

A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

Information involved in electronic messaging shall be appropriately protected.

Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

The allocation and use of privileged access rights shall be restricted and controlled.

Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

Assets maintained in the inventory shall be owned.

All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

Equipment, information or software shall not be taken off-site without prior authorization.

Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.

All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Users shall ensure that unattended equipment has appropriate protection.

Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and use of proprietary software products.

Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Procedures shall be implemented to control the installation of software on operational systems.

Access to program source code shall be restricted.

Rules for the development of software and systems shall be established and applied to developments within the organization.

Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

Test data shall be selected carefully, protected and controlled.

Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Access to information and application system functions shall be restricted in accordance with the access control policy.

Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

Media shall be disposed of securely when no longer required, using formal procedures.

Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

Agreements shall address the secure transfer of business information between the organization and external parties.

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual, and business requirements.

Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.