ISO IEC 17799 2000

TRANSLATED INTO PLAIN ENGLISH

Section 6: Personnel Security


ISO 17799 2000 is now OBSOLETE. Please see ISO IEC 17799 2005 (27002)!

ISO17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD

6.1 CONTROL PERSONNEL RECRUITMENT PROCESS

Prevent personnel from misusing your information processing facilities.

Protect information processing facilities by reducing the risk of human error.

Protect your information processing facilities by reducing the risk of theft.

Protect your information processing facilities by reducing the risk of fraud.

Address information security issues during the recruitment process.

Make sure that your employment contracts include security provisions.

Monitor how well personnel comply with contractual security provisions.

Make sure that all new users of information processing facilities are subjected to a rigorous security screening.

Make sure that all new users of information processing facilities are asked to sign confidentiality agreements.

Make sure that new third party users of information processing facilities are asked to sign confidentiality agreements.

6.1.1 INCLUDE SECURITY IN YOUR JOB DESCRIPTIONS

Make sure that job descriptions assign the responsibility for implementing your information security policy.

Make sure that job descriptions assign the responsibility for maintaining your information security policy.

Make sure that job descriptions assign the responsibility for protecting specific information assets.

Make sure that job descriptions assign the responsibility for performing specific security processes or activities.

6.1.2 CHECK THE BACKGROUNDS OF JOB APPLICANTS

Verify the backgrounds of people who apply for permanent employment with your organization.

Check out the character references provided by people who apply for permanent employment.

Verify the professional and academic qualifications of the people who apply for permanent employment.

Confirm the personal identity of people who apply for permanent employment.

Perform credit checks for all personnel who will have access to information processing facilities.

Perform periodic credit checks for all personnel who will have access to information processing facilities and have considerable authority.

Verify the backgrounds of all contractors who will have access to your information processing facilities.

Verify the backgrounds of all temporary employees who will have access to information processing facilities.

Make sure that contracts with personnel recruitment agencies specify the personnel screening requirements that must be met.

Make sure that your contracts with personnel recruitment agencies specify the reporting procedures that should be followed whenever background checks reveal a problem.

Make sure that new and inexperienced staff, who have access to information processing facilities, are supervised.

Make sure that your managers evaluate the supervision of all new and inexperienced staff.

Make sure that managers review the work of all staff who have access to information processing facilities.

Make sure that managers monitor how personal problems can influence the work of staff members.

Make sure that managers monitor how personal financial problems can influence the work of their staff members.

Make sure that managers monitor how personal lifestyle problems can influence the work of their staff members.

Make sure that your managers monitor how personal psychological problems can influence the work of staff.

Make sure that your managers comply with the legal rules and regulations that govern the collection and use of personal information.

6.1.3 USE CONFIDENTIALITY OR NON‑DISCLOSURE AGREEMENTS

Make sure that all new employees sign confidentiality or non‑disclosure agreements before they are given access to information processing facilities.

Make sure that confidentiality and non‑disclosure agreements are reviewed whenever the terms of employment change.

6.1.4 USE EMPLOYMENT CONTRACTS TO PROTECT INFORMATION

Make sure that your employment contracts define your employees’ information security responsibilities.

Make sure that your employment contracts specify the actions that you will take if employees disregard your information security requirements.

Make sure that your employment contracts clarify all copyrights and responsibilities.

Make sure that your employment contracts clarify all data protection rights and responsibilities.

Make sure that employment contracts define employees’ information management responsibilities.

Make sure that your employment contracts define your employees’ information classification responsibilities.

Make sure that your employment contracts make it clear that the employees’ information security responsibilities also apply outside of normal working hours.

Make sure that your employment contracts make it clear that the employees’ information security responsibilities also apply outside of your organization’s work premises.

Make sure that your employment contracts make it clear that employees’ information security responsibilities will continue for a specified time period after the employee leaves your organization.

6.2 PROVIDE INFORMATION SECURITY TRAINING

Make sure that your users are aware of information security threats and concerns.

Make sure that users are capable of applying your information security policy.

Make sure that you teach users how to apply your security procedures.

Make sure that you teach your users how to use your information processing services and facilities.

Make sure that you teach your users how to minimize possible information security risks.

6.2.1 CONTROL YOUR INFORMATION SECURITY TRAINING

Teach employees and other users about your security requirements before you allow them to have access to your organization’s information and services.

Teach employees and other users about their legal responsibilities before you allow them to have access to your organization’s information and services.

Teach employees and other users about your business controls before you allow them to have access to your organization’s information and services.

Teach employees and other users how to use your information processing services and facilities before you allow them to have access to those facilities and services.

6.3 RESPOND TO INFORMATION SECURITY INCIDENTS

Make sure that your organization tries to minimize the damage caused by information security incidents.

Make sure that people are required to report all security incidents.

Make sure that people know how to report security incidents.

Make sure that people know how to use reporting procedures.

Make sure that people report information security incidents.

Monitor your information security incidents.

Make sure that your organization learns from its information security incidents.

Set up an official disciplinary process that you can use to deal with people who commit security breaches.

6.3.1 REPORT INFORMATION SECURITY INCIDENTS

Make sure that security incidents are reported to management.

Develop a formal incident reporting procedure.

Make people aware of your reporting procedure.

Set up a feedback mechanism to ensure that incident reporters learn about how an incident was handled.

Make sure that you use reported incidents to teach people about security incidents and how they should be handled.

Develop a formal incident response procedure.

6.3.2 REPORT SECURITY THREATS AND WEAKNESSES

Make sure that people are required to report all suspected threats to the security of information services and systems.

Make sure that people report all information security threats.

Make sure that people are required to report all observed weaknesses in the security of your information services and systems.

Make sure that people report all information security weaknesses.

Make sure that people have been told not to try to prove or test weaknesses in the security of your information services and systems.

6.3.3 CONTROL YOUR SOFTWARE MALFUNCTIONS

Develop a procedure for reporting software malfunctions.

Make sure that your malfunction reporting procedure expects people to document the problem and to record screen messages.

Make sure that your software malfunction reporting procedure expects people to report malfunctions without delay.

Make sure that your reporting procedure ensures that the malfunction is reported to the information security manager.

Develop a procedure for responding to software malfunctions.

Make sure that your software malfunction response procedure ensures that the malfunctioning computer is isolated.

Make sure that your response procedure ensures that use of the malfunctioning computer will stop immediately.

Make sure that your software malfunction response procedure ensures that the malfunctioning computer’s diskettes will not be transferred to other computers.

Make sure that your software malfunction response procedure ensures that only authorized experts are allowed to remove suspect software.

Make sure that your malfunction response procedure ensures that only authorized experts are allowed to carry out the recovery process.

6.3.4 LEARN FROM YOUR SECURITY INCIDENTS

Develop mechanisms that you can use to learn about your information security incidents.

Monitor and quantify the types of security incidents.

Monitor and quantify the costs of security incidents.

Make sure that you can identify recurring security incidents.

Make sure that you can identify high impact security incidents.

Make sure that you use what you learn about your security incidents to improve your information security.

Make sure that you use what you learn about security incidents to improve your information security policy.

6.3.5 DEVELOP A DISCIPLINARY PROCESS

Develop a formal process that you can use to discipline people who have violated your information security policies and procedures.

Make sure that your disciplinary process ensures that people who are suspected of committing serious security breaches are treated fairly and correctly.

Ensure that your disciplinary process acts as a deterrent.

CONTACT INFORMATION

Praxiom Research Group Limited
9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada
Phone: (780)461-4514
Fax: (780)463-6034
info@praxiom.com

Copyright © 2005 - 2007 by Praxiom Research Group Limited. All Rights Reserved.

This web page was updated on October 2, 2007

On the Web since May 25, 1997