iFour Consultancy ISMS Framework: Clause 6 – Organization of Information Security

Upload: pooja-soni

Post on 18-Jan-2017


Page 1: ISO 27001 Management Clause - 6

iFour Consultancy

ISMS Framework: Clause 6 – Organization of Information Security

Page 2

Organization of Information Security – ISMS Requirements

ISO 27001:2013 has classified the Organization of Information Security into:

• Clause A.6.1: Internal Organization
• Clause A.6.2: Mobile Devices and Teleworking

ISO for Software Outsourcing Companies in India

Page 3

Clause A.6.1: Internal Organization

Objective

To establish a management framework to initiate and control the implementation and operation of information security within the organization.

• A.6.1.1 Information security roles and responsibilities
• A.6.1.2 Segregation of duties
• A.6.1.3 Contact with authorities
• A.6.1.4 Contact with special interest groups
• A.6.1.5 Information security in project management

Page 4

A.6.1.1 Information Security Roles and Responsibilities

Control
• All information security responsibilities shall be defined and allocated.

• Identification of the individual or individuals responsible for the security of each information facility
• Clear definition and identification of assets and associated security controls for each information facility

Page 5

A.6.1.2 Segregation of Duties

Control
• Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Segregation of duties serves two purposes. The first is the prevention of conflict of interest, the appearance of conflict of interest, wrongful acts, fraud, abuse and errors. The second is the detection of control failures, including security breaches, information theft, and circumvention of security controls.

Page 6

A.6.1.3 Contact with Authorities

Control
• Appropriate contacts with relevant authorities shall be maintained.

• Specification of the manner and timing in which breaches shall be communicated to external authorities so as to ensure appropriate reporting
• Development of procedures, policies and contact lists that specify by whom and when external authorities should be contacted

Page 7

A.6.1.4 Contact with Special Interest Groups

Control
• Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Page 8

A.6.1.5 Information Security in Project Management

Control
• Information security shall be addressed in project management, regardless of the type of the project.

• Sets out the basics of how information security should be considered as part of the organization’s overall project management framework
• Creation of a “mini-ISMS” within the project to ensure that risks are identified and managed

Page 9

A.6.2 Mobile Devices and Teleworking

Objective

To ensure the security of teleworking and use of mobile devices.

• A.6.2.1 Mobile Device Policy
• A.6.2.2 Teleworking Policy

Page 10

A.6.2.1 Mobile Device Policy

• Regular data backups for stored sensitive data
• Physical security measures
• Secure communication methods for transmitted data, such as a Virtual Private Network
• Updates for the operating system and other software
• Access control and appropriate user authentication (biometric-based)
• Cryptographic methods for sensitive data
• Protective software such as anti-virus and others

Page 11

A.6.2.2 Teleworking Policy

• Environmental and physical security measures
• Policies concerning safety of private property used at the site
• Appropriate user access control and authentication
• Security measures for wireless and wired network configurations at the site
• Cryptographic techniques for communications from/to the site and for data storage
• Data backup at regular intervals and security measures for those backup copies

Page 13

Visit our websites:

http://www.ifour-consultancy.com
http://www.ifourtechnolab.com

For more details:

ISO for Software Outsourcing Companies in India

Page 14

THANK YOU