Information security is one of the pressing concerns of anyone who owns important information and data, in every facility or institution, whether that information belongs to the organization itself or to its customers. The same applies to institutions, government agencies and ministries, and extends to matters of national concern and global policy.
Specialists agree, as does the ISO organization, which sets this out in detail in the Annex to the ISO 27001 information security management standard, that an information security system rests on several axes (control domains) which must be established, documented, implemented and maintained by every facility that wants to operate a sound, integrated system for its information security. Among these axes:
Information Security Policy: The company or facility must have an information security policy that is approved by management, documented, and made available to all employees responsible for the information security system, as well as to the external parties associated with the company. The security policy should be reviewed at planned intervals according to a documented review procedure, or whenever significant changes occur, to ensure that it remains suitable, consistent, compliant and effective.
Organization of Information Security: both within the organization and with respect to external parties. This covers top management's commitment to securing information, coordination of information security, allocation of responsibilities, the authorization process for information processing facilities, confidentiality agreements, and communication and cooperation with authorities and external parties.
Asset Management: to achieve and maintain appropriate protection of the organization's assets. This includes maintaining an inventory of assets, assigning ownership of those assets, defining their acceptable use, and classifying, labelling and handling information.
Human Resources Security: to ensure that employees, contractors and third-party users understand their responsibilities and are suitable for their roles, and to reduce the risk of theft, fraud and misuse of resources and facilities. It must also cover screening and terms and conditions of employment, information security training, and procedures for termination of employment, among other matters.
Physical and Environmental Security: securing areas and environmental conditions, with the aim of preventing unauthorized physical access to, damage to, and interference with the buildings that house the institution's information centres. Areas must be secured and access to them controlled; offices, rooms and equipment must be secured and protected against external and environmental threats. It also covers working in secure areas, public access areas, delivery and loading areas, security of equipment, siting and protection of equipment, securing cabling, maintenance of equipment, secure disposal or reuse of equipment, and removal of property.
Communications and Operations Management: to ensure the correct and secure operation of information processing facilities. This includes documented operating procedures, change management, segregation of duties, separation of development and operational facilities, management of third-party service delivery, monitoring and review of third-party services, system planning and acceptance, controls against malicious and mobile code, information backups, network security, security of system documentation, and information exchange policies and procedures.
Access Control: to control access to information. This covers how users are approved and registered, management of privileges and passwords, review of user access rights and responsibilities, network and application access control, remote working arrangements, and more.
Information Systems Acquisition, Development and Maintenance: with the aim of ensuring that security requirements are an integral part of information systems. This includes analysing and specifying security requirements, ensuring correct processing in applications to prevent errors, loss and unauthorized modification, cryptographic controls, and control of technical vulnerabilities.
Information Security Incident Management: to ensure that information security events and weaknesses associated with information systems are communicated in a manner that allows corrective action to be taken in a timely manner.
Business Continuity Management: with the aim of counteracting interruptions to business activities and protecting critical business processes from the effects of disasters or major failures of information systems, and ensuring their timely resumption.
Compliance with Laws and Regulations: to avoid breaching criminal and civil law, statutory and regulatory obligations, and contractual commitments that carry security requirements. This includes identifying applicable legislation, intellectual property rights, and more.