Information Security Policy and Standard

Every Organization should have an overarching Information Security Policy addressing the below areas (mainly taken from the Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines (TRMG) and the ISO\IEC27001:2005 and ISF Standard of Good Practice:

Acceptable Use

  • User Responsibilities
  • Passwords
  • PIN
  • Email
  • Instant Messaging
  • Internet Use
  • Social Networking
  • Personal Use of Company Systems
  • Information Classification
  • Incident Reporting
  • Personally-Owned Technology Devices
  • Software Installation

Oversight of Technology Risks by Board of Directors and Senior Management

  • Roles and Responsibilities
  • IT Policies, Standards and Procedures
  • People Selection Process
  • Joiners, Movers and Leavers
  • IT Security Awareness & Training

Asset Management

  • Responsibility for Assets
  • Information and Asset Classification
  • Information and Asset Handling
  • Loss of Assets
  • Return of Assets
  • Secure Transportation of Assets
  • Secure Disposal of Assets

Technology Risk Management Framework

  • Risk Identification
  • Risk Assessment
  • Risk Treatment
  • Risk Monitoring and Reporting

Management of IT Outsourcing Risks

  • Ownership
  • Due Diligence
  • Cloud Computing

Acquisition and Development of Information Systems

  • IT Project Management
  • Security Requirements and Testing
  • Segregation of Duties
  • Source Code Review
  • End User Development

IT Service Management

  • Change Management
  • Program Migration
  • Incident Management
  • Problem Management
  • Capacity Management

System Reliability, Availability and Recoverability

  • System Availability
  • Disaster Recovery Plan
  • Disaster Recovery Testing
  • Data Backup Management

Operational Infrastructure Security Management

  • Data Loss Prevention
  • Technology Refresh Management
  • Networks and Security Configuration Management
  • Vulnerability Assessment and Penetration Testing
  • Patch Management
  • Security Logging and Monitoring

Physical and Environmental Security

  • Data Center – Threat and Vulnerability Risk Assessment
  • Data Center – Resiliency
  • Physical Access Security to Company Premises
  • Physical Security of Technology Assets

Access Control

  • User Access Management
  • Privileged Access Management

Online Financial Services Controls

  • Online Systems Security
  • Mobile Online Services and Payments Security

Payment Card Security (Automated Teller Machines, Credit and Debit Cards)

  • Payment Card Fraud
  • ATMs and Payment Kiosks Security

IT Audit

  • Audit Planning and Remediation Tracking

Based on the above overarching Information Security Policy, individual Security Standards should be developed for the detailed implementation of each Policy section.  Strategic Tools and Processes should be defined/built/acquired to support each of the individual Security Standards.  Any exception to the use of Strategic Tools and Processes should be captured via the Risk Acceptance and Signoff Process.

The Risks identified under a particular Department Domain should be aggregated and reported to the Department Management, as their KRI (Key Risk Indicator).  Analysis of comparison of Departmental KRI with the overall Aggregated Risk Levels for all Departments should be made available as well.

Information Security Policy and Standard