SECURITY BY DESIGN

Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

Information security roles and responsibilities should be defined and allocated according to the organization needs.

Conflicting duties and conflicting areas of responsibility should be segregated.

Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies, and procedures of the organization.

The organization should establish and maintain contact with relevant authorities.

Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis, taking into consideration applicable laws, regulations, and ethics, and be proportional to business requirements, the classification of the information to be accessed, and the perceived risks.

The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education, and training, and regular updates of the organization’s information security policy, topic-specific policies, and procedures, as relevant for their job function.

A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced, and communicated to relevant personnel and other interested parties.

Security perimeters should be defined and used to protect areas that contain information and other associated assets.

Secure areas should be protected by appropriate entry controls and access points.

Physical security for offices, rooms, and facilities should be designed and implemented.

Premises should be continuously monitored for unauthorized physical access.

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, should be designed and implemented.

Information stored on, processed by, or accessible via user endpoint devices should be protected.

The allocation and use of privileged access rights should be restricted and managed.

Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.

Read and write access to source code, development tools, and software libraries should be appropriately managed.

Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control.