Guideline 34. Security in ICT operations

The institution establishes mechanisms to enforce security policies in ICT operations.

This includes software and patch management, protection against computer viruses and malicious code, administration of operating systems, and backups.

Guideline code
ICT_04300
Mechanism
  • In elaborating and implementing security measures for ICT operations, the ICT unit should:
    • Implement measures covering administration of operating systems; procedures for backup management, software and information exchange, physical media transportation, removable media management, and information and storage handling; and protection against computer viruses and malicious code (see below);
    • Establish specific measures related to software and patch installation and updates, focusing on permanent protection against reported risks as well as on the authenticity of software installed;
    • Establish specific protection against viruses and malicious code on all local area network servers and personal computers, taking into account computers that connect to the internal network via remote access channels and wireless networks;
    • Establish security measures related to operating system operations, especially concerning remote access services, system account privileges and password management;
    • Implement specific and comprehensive backup and recovery measures, addressing not only information recovery but also the protection of backup media against unauthorized access, misuse or corruption during transportation.
Structure
  • The ICT unit should design and implement comprehensive security measures for ICT operations.
  • The management, based on the information security management structure, should define duties and responsibilities for the enforcement of security policies in ICT operations.
  • Internal policies and procedures on security in ICT operations should be based on the institutional information security management framework, the international standard ISO/IEC 27002:2005 Information technology – Security techniques, and recommendations issued by the National Institute of Standards and Technology (NIST).