ISO/IEC 27001

HIPAA Password Security Policy Templates

Download free HIPAA, PCI DSS and ISO 27001 Password Security Policy Templates. These templates cover basic password security policy rules such as:
- To keep passwords confidential, which means never giving them to a third party, whatever the ostensible reason.

- To avoid keeping any paper or electronic record of passwords (unless this can be securely stored – which means encryption and strong, two-factor access control protection).

Program Change Program Development Audit Program

1. Systems Maintenance
Objective: Determine that all maintenance activity is performed and documented according to installation standards and procedures by reviewing documentation related to systems maintenance.

Audit steps
a. Determine whether standards have been established for the documentation of systems maintenance
b. Evaluate existing standards to determine whether they are comprehensive enough and cover issues such as compliance with International Standards Organization (ISO) 17799
c. Review a sample of existing documentation to determine whether it complies with installation standards
d. Ascertain whether systems maintenance documentation is maintained in a secure environment and protected against tampering

ISO 27002 Access Control Policy Rules

Different business applications have different security requirements. These are determined by identifying all the information that the business systems carry and through the individual risk assessments carried out for each critical business system; these risk assessments identify who should, and should not, be allowed access to the system.

Some information required for particular business applications may be processed by people who do not need access to the application itself (the ‘need-to-know’ principle in action). An example might be in an office workflow system, where the person who inputs a supplier delivery note to a purchase and payments application does not need access to the actual accounting or payment functions of the system. Such a person would need different access rights from those required by a person who triggers actual vendor payments.

IT Security Masterplan Checklist

To build a sound IT Security Masterplan that is easy to get accepted, every IT area should be covered. Here is a simple checklist for building one:

IT Policies

• Education and awareness programs.
• Badge wearing.
• Clean desk policy.
• Visitor and contractor controls.
• Employee involvement and responsibilities.
• When and how to have armed off-duty police officers onsite.

IT Investigations

• Use of hidden cameras along with determining who should be involved in the decision to use them.
• Use of a polygraph for interrogations.
• Whether or not to prosecute employees or others when a crime has been committed (even a minor crime).

Technology

• What technologies might be utilized in the future, and when, where, and why.

Information Request Checklist for IT Security Master Plan

• General background information on the company.
• An organizational chart for the management of the facility.
• A copy of the post orders.
• A copy of the site security manual.
• Blueprints of the facilities to be reviewed.
• Copies of any security-related procedures or practices, including information protection.
• Copies of incident reports for the past two years.
• Copies of any incident summary or analysis data.
• Copies of any crime statistic data on hand.
• A copy of the contract guard contract, if applicable.
• A copy of any other security-related contracts, such as confidential destruction.

Source: Timothy D Giles, IT Security Master Plan
