
ABOUT THE STANDARD

About the Standard

Part 1 Introducing the Standard                                   Page
    About The Standard of Good Practice                             1
    Improvements incorporated in this version                       1
    Target audience                                                 2

Part 2 Setting the Standard
    Drivers for the Standard                                        3
    Basis for the Standard                                          4
    Design and development criteria                                 5
    Setting an effective standard                                   6

Part 3 Benefits of using the Standard
    Establishing a well-managed business environment                7
    Getting the best out of the Standard                            8
    Measuring performance against the Standard                      9

Part 4 Applying the Standard
    The five aspects of information security                        10
    Structure of the Standard                                       12
    Understanding the layout of the Standard                        13
    The Standard in practice                                        13

Appendix A Version control - update January 2005
    Why has The Standard of Good Practice been updated?             14
    What has been updated?                                          14

Version 4.1 – Copyright © January 2005


Information for Non-ISF Members

The Standard of Good Practice for Information Security (the Standard) has been
produced by the Information Security Forum (ISF), an international association of
over 260 leading organisations which fund and co-operate in the development of a
practical research programme in information security. During the last 16 years the ISF
has spent more than US$75 million providing authoritative material to its Members.
The ISF’s work probably represents the most comprehensive and integrated set of
material anywhere in the world in the area of information risk management.

The Standard of Good Practice is a key deliverable from the ISF’s extensive work
programme. It has been developed and enhanced over a number of years and has
benefited from the results of the many projects run by the ISF.

As the ISF is a membership organisation, ISF reports are normally for the exclusive
use of ISF Members. However, the ISF has agreed to make The Standard of Good
Practice available to non-Members with the objectives of:

• promoting good practice in information security in all organisations worldwide
• helping organisations which are not Members of the ISF to improve their level of
  security and to reduce their information risk to an acceptable level
• assisting in the development of standards that are practical, focused on the right
  areas, and effective in reducing information risk.

The Standard has been developed using a proven methodology to produce the
international benchmark for information security. The Standard is updated regularly,
refining proven practices and addressing ‘hot topics’.

The ISF runs a comprehensive Information Security Status Survey that enables
Members to gain a clear picture of their organisation’s performance across all aspects
of information security. The Survey provides a practical, automated tool with which a
Member organisation can measure the effectiveness of their information security
arrangements, compare them with those of other leading organisations, and assess
how well they are performing against The Standard of Good Practice.

For information about the ISF please e-mail us at isfinfo@securityforum.org or visit
our web site at www.securityforum.org

This document has been produced with care and to the best of our ability.
However, the Information Security Forum accepts no responsibility for any problems
or incidents arising from its use.


INTRODUCING THE STANDARD

Part 1 Introducing the Standard


About The Standard of Good Practice

This part of the document provides a detailed description of The Standard of
Good Practice (the Standard).

The Standard addresses information security from a business perspective,
providing a practical basis for assessing an organisation’s information security
arrangements. It focuses on the arrangements that should be made by leading
organisations to keep the business risks associated with critical information
systems under control in today’s dynamic and competitive environment.

The Standard is designed to present organisations with a challenging but
achievable target against which they can measure their performance.

The Standard is based on a wealth of material, in-depth research and the
extensive knowledge and practical experience of ISF Members. It is updated
at least every two years in order to:

• respond to the needs of leading international organisations
• refine areas of best practice
• reflect the most up-to-date thinking in information security
• include the latest ‘hot topics’.

Improvements incorporated in this version

This version of the Standard (Version 4.0 - March 2003, updated to version
4.1 - January 2005) provides improvements that include the following:

A - Additional sections on key topics covering:

• patch management - reflecting the increased importance of patch
  management disciplines
• instant messaging - incorporating guidance on this maturing technology.

B - Significant amendments to:

• information risk analysis - updated in accordance with extensive research
• outsourcing - revised following a Member project and report.

C - Updates to important topics including:

• virus protection - reflecting research initiatives
• web server security - incorporating reviews of more recent operating
  systems, such as Microsoft IIS Version 6 and Apache.

In order to maintain consistency with previous versions, the look and feel of
the document has been retained. Furthermore, the vast majority of the text
remains unchanged.


Target audience

The Standard is aimed at major national and international organisations that
recognise that information security is a key business issue. However, the
Standard will also be of real, practical use to any type of organisation, such as
a small- to medium-sized enterprise.

The Standard can add value to any organisation irrespective of market sector,
size or structure.

Good practice detailed in the Standard will typically be incorporated into
an organisation’s information security arrangements by a range of key
individuals including:

• Information security managers or equivalent, responsible for promoting
  or implementing information security.
• Business managers responsible for running critical business applications.
• IT managers responsible for planning, developing, installing, running or
  maintaining key information systems or facilities.
• IT audit managers responsible for conducting security audits of
  particular environments.


SETTING THE STANDARD

Part 2 Setting the Standard


Drivers for the Standard

In a major survey, ISF Members were asked to identify the drivers for a
security management standard: that is, what their main reasons were for
wanting a security management standard. The results are shown in Table 1
below, in priority sequence.

Table 1: How ISF Members rated drivers for a security management standard

Major drivers
    1  Implement best practice
    2  Evaluate the status of controls
    3  Set targets for information security
    4  Reduce frequency/impact of major incidents
    5  Comply with internal policy

Important drivers
    6  Integrate into a risk management programme
    7  Meet industry regulatory requirements
    8  Maximise existing investment
    9  Gain competitive advantage

Other drivers
    10 Meet military or government requirements
    11 Respond to pressure from third parties
    12 Achieve cost savings

When looking at the ‘high’ and ‘very high’ ratings made in the
survey, the ‘major drivers’ received significant support from
Members. The ‘important’ and ‘other’ categories – while rated
slightly lower – also received significant support.


Basis for the Standard

The ISF Standard was first released in 1996. It has been developed and
enhanced every two years, using a proven methodology, to produce the
international standard for information security. It is based on the extensive
knowledge of ISF Members and on the expertise of a full-time ISF
Management Team. Other international and national standards (such as
ISO 17799) and the results of earlier ISF Information Security Status Surveys
were also used as sources of information.

These sources are highlighted in Figure 1 below:

[Figure 1: Basis for the ISF Standard. Sources shown: ISF projects; practical
experience of ISF Members; the ISF Management Team; international and
national standards; status survey results analysis.]

The Standard is based on the ISF’s extensive work programme
conducted over 16 years, comprising over 115 research projects and
200 reports.


Design and development criteria

The Standard has been tested to ensure that it conforms with ten
design and development criteria which should apply to any security
management standard.

These criteria, along with a brief assessment of how the Standard meets
them, are set out in Table 2 below.

Table 2: How the Standard conforms with design and development criteria

1  Covers all key issues
   Addresses all security matters in five self-contained aspects.
2  Is complete
   Exhaustive in its coverage of the topic of information security and is
   consistent and even in the level of detail it offers.
3  Includes latest developments and ‘hot topics’
   Brought fully up-to-date every two years; this version addressing topics
   such as broadband and wireless communications, PDAs, intrusion
   detection and forensics.
4  Has an easy-to-understand structure and layout
   Laid out in a clear tabular manner, supported by a topics matrix
   (cross-reference) and an index.
5  Is clear and unambiguous
   Uses only simple words and accepted technical terms, and is reviewed by
   ISF Members who do not have English as their first language.
6  Provides sufficient detail to be practical
   Provides a consistent level of detail that forms the basis for easy and
   straightforward application.
7  Is applicable to any organisation
   Designed with large organisations in mind, but is equally applicable to
   individual business units as well as small- to medium-sized enterprises.
8  Is achievable in practice
   Sets a proven achievable target which every organisation should be
   capable of reaching.
9  Forms the basis for the measurement of performance
   Expressed in a way which makes measurement simple and straightforward.
10 Is easy-to-use
   Designed and laid out in a format – using a simple numbering system –
   which security professionals of any level of experience can apply easily in
   practice.

The role of risk analysis

Several ISF Members have commented that the Standard should be
applied as a matter of course unless there is a reason for non-compliance
that has been documented and approved.

A risk analysis would typically be used to identify the need for additional
controls in particular areas, over and above those specified in the Standard.


Setting an effective standard

The design and development criteria – along with the drivers outlined
earlier in this part – underpinned the process used for producing the
Standard. The Standard of Good Practice is therefore driven by a set of
real-world principles which focus on meeting commercial needs in order to
produce accurate and clear statements of good practice.

Many information security professionals have found the Standard to be
an extremely valuable tool and have applied it throughout organisations
worldwide.


BENEFITS OF USING THE STANDARD

Part 3 Benefits of using the Standard


Establishing a well-managed business environment

The establishment of a well-managed business environment where risks are
kept under control requires:

• information security to be addressed in a well-informed manner
• good practice to be observed in planning, developing, installing,
  running, using and maintaining information systems.

Results from the ISF’s Survey show that failure to manage information risks
leads to incidents that erode the ‘bottom line’, depress the value of the
business and compromise future earnings.

However, this is a complex and demanding task made all the more
challenging because of the many issues facing organisations in today’s
dynamic business environment, including:

• the pressures faced by businesses due to the difficult world economic
  situation
• an ever-increasing reliance on IT-based information systems
• the significant threats to computers and networks, which are in turn
  based on rapidly changing technology
• businesses’ requirements for systems and staff to “do more,
  faster, cheaper”
• a general lack of key skills, expertise and other resources in many
  important areas.

Organisations therefore need a clear definition of what constitutes good
practice in information security through a standard that they can apply with
confidence – The Standard of Good Practice.

How implementing the Standard can help

ISF Members agree that, in general, implementing the Standard helps
organisations to:

• move towards international best practice
• manage the breadth and depth of information risk
• build confidence in third parties that information security is being
  addressed in a professional manner
• reduce the likelihood of disruption from major incidents
• fight the growing threats of cybercrime
• comply with legal and regulatory requirements
• maintain business integrity.


Getting the best out of the Standard

The main sections of The Standard of Good Practice provide a set of
high-level principles and objectives for information security together with
associated statements of good practice. They can be used to improve the level
of security in an organisation in a number of ways. For example, an
organisation can use the Standard to:

• replace or augment their own standard for information security (many
  ISF Members use the Standard in this way)
• integrate parts of the Standard into their organisation to complement
  and strengthen existing business processes
• assess their performance in information security (eg to verify that
  their current information security arrangements are complete and
  up-to-date)
• support security audits/reviews
• enhance security awareness programmes
• check compliance with industry standards
• provide authoritative reference material for particular initiatives.

Technical standards/procedures

In some areas organisations will wish to draw up more detailed standards/
procedures to support the Standard. These are often of a technical nature,
covering topics such as:

• Windows 2003
• Virus protection
• Instant Messaging
• Patch Management
• Web server security.

The Standard can be used for guidance or as reference material in the
preparation of these more detailed standards/procedures.


Measuring performance against the Standard

Although The Standard of Good Practice specifies what should be done,
organisations will often want to know how well they are performing against
the Standard. Through their membership, ISF Members can take advantage
of the ISF’s Information Security Status Survey, which allows an organisation
to make a quantitative and comprehensive assessment of how well they
conform with the Standard.

The Survey provides a practical, automated process with which an
organisation can measure the effectiveness of its information security
arrangements, compare them with those of other leading organisations, and
assess how well they are performing against the Standard.

This process is outlined in Figure 2 below.

[Figure 2: Measuring performance against the ISF’s Standard. Your
organisation can use The Survey to measure your level of performance
with The Standard of Good Practice for Information Security.]

For information about the Survey or the ISF, please contact the ISF
Management Team on standard@securityforum.org


APPLYING THE STANDARD

Part 4 Applying the Standard


The five aspects of information security

The Standard of Good Practice is split into five distinct aspects, each of which
covers a particular type of environment.

The Standard focuses on how information security supports an organisation’s
key business processes. These processes increasingly depend on IT-based
business applications, many of which are critical to their success. Thus the
aspect of security concerned with Critical Business Applications is central to
the design of the Standard, as shown in Figure 3 below.

[Figure 3: How aspects of the Standard interrelate. Critical Business
Applications sit at the centre; around them are Security Management,
Systems Development and the IT Facilities (Computer Installations and
Networks).]

Computer Installations and Networks provide the underlying infrastructure
on which the Critical Business Applications run. Systems Development deals
with how new applications are created and Security Management addresses
high-level direction and control.

A brief summary of each aspect can be found in Table 3 opposite.


Table 3: Summary of The Standard of Good Practice

Security Management (enterprise-wide)
  Focus: Security management at enterprise level.
  Issues probed: The commitment provided by top management to promoting
  good information security practices across the enterprise, along with the
  allocation of appropriate resources.
  Scope and coverage: The status of security management within:
    • a group of companies (or equivalent)
    • part of a group (eg subsidiary company or a business unit)
    • an individual organisation (eg a company or a government department).

Critical Business Applications
  Focus: A business application that is critical to the success of the
  enterprise.
  Issues probed: The security requirements of the application and the
  arrangements made for identifying risks and keeping them within
  acceptable levels.
  Scope and coverage: The status of critical business applications of any:
    • type (including transaction processing, process control, funds transfer,
      customer service and desktop applications)
    • size (eg applications supporting thousands of users or just a few).

Computer Installations (‘Information Processing’ in previous versions)
  Focus: A computer installation that supports one or more business
  applications.
  Issues probed: How requirements for computer services are identified and
  how the computers are set up and run in order to meet those requirements.
  Scope and coverage: The status of computer installations:
    • of all sizes (including the largest mainframe, server-based systems and
      groups of PCs)
    • running in specialised environments (eg a purpose-built data centre) or
      in ordinary working environments (eg offices, factories and warehouses)
    • driven by any kind of operating system (eg IBM MVS, Digital VMS,
      Windows 2000 or UNIX).

Networks (‘Communications Networks’ in previous versions)
  Focus: A network that supports one or more business applications.
  Issues probed: How requirements for network services are identified and
  how the networks are set up and run in order to meet those requirements.
  Scope and coverage: Any type of communications network including:
    • wide area networks (WAN) or local area networks (LAN)
    • large scale (eg enterprise-wide) or small scale (eg an individual
      department or business unit)
    • those based on Internet technology such as intranets or extranets
    • voice, data or integrated.

Systems Development
  Focus: A systems development unit/department or a particular systems
  development project.
  Issues probed: How business requirements (including information security
  requirements) are identified and how systems are designed and built to
  meet those requirements.
  Scope and coverage: The status of developments of all types, including:
    • projects of all sizes (ranging from many man-years to a few man-days)
    • those conducted by any type of developer (eg specialist unit/departments,
      outsourced or business users)
    • those based on tailor-made software or application packages.


Structure of the Standard

The five aspects within the standard are composed of a number of areas,
each covering a specific topic. An area is broken down further into a set
of sections.

The overall structure is illustrated in Figure 4 below.

[Figure 4: Structure of the Standard. An aspect (eg a Critical Business
Application) is divided into areas (Area 1, Area 2, Area 3); each area is
divided into sections (Section 1.1, 1.2, 1.3; Section 2.1; Section 3.1, 3.2);
each section consists of statements of good practice.]

Topics matrix

Some sections within the Standard (eg change management and risk
analysis) appear more than once, as each aspect is designed to be complete
‘in its own right’ and must therefore cover certain essential factors.

Consequently, a ‘topics matrix’ has been produced to group individual
sections of the Standard under similar topic headings. For example,
sections that have been categorised under the topic of physical protection
include SM4.4 Physical protection, CI2.8 Physical access and NW3.4
Physical security.


Understanding the layout of the Standard

For each aspect and area presented in the main sections of this document, a
brief introduction is provided which encapsulates their importance and the
main issues involved.

Each of the sections is then set out as shown in Figure 5 below.

[Figure 5: Layout of each section within The Standard of Good Practice.
The callouts identify the four elements of every section:
• A summary of the main set of security controls required (ie what
  controls need to be applied).
• The purpose for applying a particular set of security controls (ie why
  controls need to be applied).
• A numbering system to allow easy reference for particular security
  controls, thus aiding implementation.
• A set of individual statements that define the security controls to be
  applied in order to protect information and systems.]

The Standard in practice

An examination of the main sections of The Standard of Good Practice will
show that it covers the entire spectrum of arrangements that need to be
made to keep the business risks associated with information systems within
acceptable limits. It is a major tool in improving the quality and efficiency of
security controls applied by an organisation.

The Standard provides organisations with an authoritative statement of what
should be done to protect their information – a vital asset for every
organisation in the information age.



UPDATE JANUARY 2005

Appendix A Version control - update January 2005


Why has the Standard of Good Practice been updated?

The Standard of Good Practice is updated at least every two years, to reflect
the extensive research carried out by the ISF and to ensure coverage of
‘hot topics’.

What has been updated?

Much of the Standard produced in version 4.0 in March 2003 is still
appropriate and valid, so much of it remains unchanged. The areas that have
been updated are those that have been the subject of additional research and
investigation, or reflect good practices employed by ISF Members for
key topics.

Significant ISF research initiatives since the last update of the
Standard include:

• Information Risk Management in Corporate Governance
• Virus Protection in Practice
• Securing Instant Messaging
• Managing Privacy
• Information Risk Analysis Methodologies
• Patch Management
• Managing the Information Risks from Outsourcing
• Web Server Security
• Disappearance of the network boundary.

The key findings from this research form the main basis for updates.
Additionally, feedback from the results of the ISF’s Information Security
Status Survey has been incorporated. Where possible, single word changes
that have been requested for typographical reasons have been avoided, unless
they change the meaning of a sentence. A summary of the changes can be
found on the following pages.

Only pages that have changed have been reissued. Old pages should
be removed and new pages inserted in the appropriate section.


Security Management (enterprise-wide)

Section | Change description | Significance

SM1 High level direction
SM1.1 Management commitment | Replaced the word ‘directors’ with ‘executives’. | Very low
SM1.2 Security policy | Removed reference to religion. Clarified that high-level policies other than information security may be relevant. | Very low
SM1.3 Staff agreements | Clarified references to contracts. | Very low

SM2 Security organisation
SM2.1 High level control | Replaced the word ‘directors’ with ‘executives’. | Very low
SM2.2 Information security function | None.
SM2.3 Local security coordination | None.
SM2.4 Security awareness | None.
SM2.5 Security education | None.

SM3 Security requirements
SM3.1 Security classification | Modified ratings of systems in accordance with Information Risk Management review. | Low
SM3.2 Ownership | None.
SM3.3 Information risk analysis | Modified to reflect findings of the Information Risk Management review. The term ‘Risk Analysis’ has been changed to read ‘Information Risk Analysis’. | High

SM4 Secure environment
SM4.1 Security architecture | None.
SM4.2 Information privacy | Added statement regarding the legal requirement to be able to retrieve personal data. Added example of Chief Privacy Officer. | Low
SM4.3 Asset management | None.
SM4.4 Physical protection | Added more guidance on portable storage devices. | Low
SM4.5 Business continuity | None.

SM5 Malicious attack
SM5.1 Virus protection | Added statements relating to emergency procedures and third party responsibilities in accordance with an ISF research project on virus protection. | Medium
SM5.2 Malicious mobile code protection | None.
SM5.3 Intrusion detection | None.
SM5.4 Emergency response | None.
SM5.5 Forensic investigations | None.
SM5.6 Patch management | Added new section based on ISF Special Interest Group. | New

SM6 Special topics
SM6.1 Use of cryptography | None.
SM6.2 Public key infrastructure | None.
SM6.3 Email | None.
SM6.4 Remote working | None.
SM6.5 Third party access | None.
SM6.6 Electronic commerce | None.
SM6.7 Outsourcing | Standardised on term Outsource Provider. Reviewed in context of ‘Managing Information Risks from Outsourcing’ report. Added the requirement to evaluate information risks associated with outsourcing arrangements generally and the particular business function that may be outsourced. Added statements related to exit strategy and contingency. Added requirement to understand outsource provider outsourcing to other parties. | Medium
SM6.8 Instant messaging | Added new section based on ISF research project on Instant Messaging covering instant messaging services, applications and the underlying infrastructure. | New

SM7 Management review
SM7.1 Security audit/review | None.
SM7.2 Security monitoring | None.


Critical Business Applications

Section | Change description | Significance

CB1 Business requirements for security
CB1.1 Confidentiality requirements | Made significant changes to reflect findings of the Information Risk Management review. Business impact now assesses financial, operational, customer-related and employee-related impacts. | High
CB1.2 Integrity requirements | Made significant changes to reflect findings of the Information Risk Management review. Business impact now assesses financial, operational, customer-related and employee-related impacts. | High
CB1.3 Availability requirements | Made significant changes to reflect findings of the Information Risk Management review. Business impact now assesses financial, operational, customer-related and employee-related impacts. | High

CB2 Application management
CB2.1 Roles and responsibilities | None.
CB2.2 Application controls | None.
CB2.3 Change management | None.
CB2.4 Incident management | None.
CB2.5 Business continuity | None.
CB2.6 Sensitive information | None.

CB3 User environment
CB3.1 Access control | None.
CB3.2 Application sign-on process | None.
CB3.3 Workstation configuration | None.
CB3.4 Security awareness | Removed reference to religion. | Very low

CB4 System management
CB4.1 Service agreements | None.
CB4.2 Resilience | None.
CB4.3 External connections | None.
CB4.4 Backup | None.

CB5 Local security management
CB5.1 Local security coordination | None.
CB5.2 Security classification | Modified ratings of systems in accordance with Information Risk Management review. | Low
CB5.3 Information risk analysis | Made changes to reflect findings of the Information Risk Management review. The term ‘Risk Analysis’ has been changed to ‘Information Risk Analysis’. | Medium
CB5.4 Security audit/review | None.

CB6 Special topics
CB6.1 Third party agreements | None.
CB6.2 Cryptographic key management | None.
CB6.3 Public key infrastructure | None.
CB6.4 Web enabled applications | Added statements related to removing unnecessary software, logging and protecting files. | Medium


Computer Installations

Section | Change description | Significance

CI1 Installation management
CI1.1 Roles and responsibilities | None.
CI1.2 Service agreement | None.
CI1.3 Asset management | None.
CI1.4 Systems monitoring | None.

CI2 Live environment
CI2.1 Installation design | None.
CI2.2 Event logging | None.
CI2.3 Host system configuration | None.
CI2.4 Workstation configuration | None.
CI2.5 Resilience | None.
CI2.6 Hazard protection | None.
CI2.7 Power supplies | None.
CI2.8 Physical access | None.

CI3 System operation
CI3.1 Handling computer media | None.
CI3.2 Backup | None.
CI3.3 Change management | None.
CI3.4 Incident management | None.
CI3.5 Emergency fixes | None.
CI3.6 Patch management | Added new section based on ISF Special Interest Group on Patch Management, including patch management strategy, framework and process. | New

CI4 Access control
CI4.1 Access control arrangements | None.
CI4.2 User authorisation | None.
CI4.3 Access privileges | None.
CI4.4 Sign-on process | None.
CI4.5 User authentication | None.

CI5 Local security management
CI5.1 Local security coordination | None.
CI5.2 Security awareness | Removed reference to religion. | Very low
CI5.3 Security classification | Modified ratings of systems in accordance with Information Risk Management review. | Low
CI5.4 Information risk analysis | Made changes to reflect findings of the Information Risk Management review. The term ‘Risk Analysis’ has been changed to ‘Information Risk Analysis’. | High

CI6 Service continuity
CI6.1 Contingency plan | None.
CI6.2 Contingency arrangements | None.
CI6.3 Validation and maintenance | None.


Networks

Section | Change description | Significance

NW1 Network management | None.
NW1.1 Roles and responsibilities | None.
NW1.2 Network design | Included requirement to prevent unauthorised devices from connecting to the network. | Low
NW1.3 Network resilience | None.
NW1.4 Network documentation | None.
NW1.5 Service providers | None.

NW2 Traffic management
NW2.1 Configuring network devices | None.
NW2.2 Firewalls | None.
NW2.3 External access | None.
NW2.4 Wireless access | Added statements relating to detection of unauthorised access points. Added requirement to prevent client computers acting as access points. | Low

NW3 Network operations
NW3.1 Network monitoring | None.
NW3.2 Change management | None.
NW3.3 Incident management | None.
NW3.4 Physical security | None.
NW3.5 Back-up | None.
NW3.6 Service continuity | None.
NW3.7 Remote maintenance | None.

NW4 Local security management
NW4.1 Local security coordination | None.
NW4.2 Security awareness | Removed reference to religion. | Very low
NW4.3 Security classification | Modified ratings of systems in accordance with Information Risk Management review. | Low
NW4.4 Information risk analysis | Made changes to reflect findings of the Information Risk Management review. The term ‘Risk Analysis’ has been changed to ‘Information Risk Analysis’. | High
NW4.5 Security audit/review | None.

NW5 Voice networks
NW5.1 Voice network documentation | None.
NW5.2 Resilience of voice networks | None.
NW5.3 Special voice network controls | None.


Systems Development

Section | Change description | Significance

SD1 Development management | None.
SD1.1 Roles and responsibilities | None.
SD1.2 Development methodology | None.
SD1.3 Quality assurance | None.
SD1.4 Development environments | None.

SD2 Local security management
SD2.1 Local security coordination | None.
SD2.2 Security awareness | Removed reference to religion. | Very low
SD2.3 Security audit/review | None.

SD3 Business requirements
SD3.1 Specification of requirements | None.
SD3.2 Confidentiality requirements | Made significant changes to reflect findings of the Information Risk Management review. Business impact now assesses financial, operational, customer-related and employee-related impacts. | High
SD3.3 Integrity requirements | Made significant changes to reflect findings of the Information Risk Management review. Business impact now assesses financial, operational, customer-related and employee-related impacts. | High
SD3.4 Availability requirements | Made significant changes to reflect findings of the Information Risk Management review. Business impact now assesses financial, operational, customer-related and employee-related impacts. | High
SD3.5 Information risk analysis | Made changes to reflect findings of the Information Risk Management review. The term ‘Risk Assessment’ has been changed to ‘Information Risk Analysis’. | High

SD4 Design and build
SD4.1 Systems design | Added item to ensure client validation is repeated at the server, to mitigate against ‘man in the middle’ attacks. | Low
SD4.2 Application controls | None.
SD4.3 General security controls | None.
SD4.4 Acquisition | None.
SD4.5 System build | None.
SD4.6 Web enabled development | Added statements related to removing unnecessary software, logging and protecting files. | Medium

SD5 Testing
SD5.1 Testing process | None.
SD5.2 Acceptance testing | None.

SD6 Implementation
SD6.1 System promotion criteria | None.
SD6.2 Installation process | None.
SD6.3 Post implementation review | None.
