Control objective: to avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements
15.1 Compliance With Legal Requirements
15.1.1 Identification of applicable legislation
All relevant statutory, regulatory and contractual requirements and the Organization approach to meet these requirements have been explicitly defined, documented and are kept up to date for
each information system and the Organization
15.1.1.1 All contractual, statutory and regulatory requirements that apply to individual information assets are identified by the asset Owners (see sub section 7.1.2 ) and listed alongside the asset itself, in the asset inventory defined in accordance with sub section 7.1.1 above.
15.1.1.2 The Information Security Manager is responsible for creating and maintaining the schedule of the Organization statutory and regulatory information/data and computer-related compliance requirements. The controls and responsibilities necessary to meet these compliance requirements are also identified in this schedule.
15.1.2 Intellectual property rights
Appropriate procedures have been implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.
15.1.3 Safeguarding of organizational records
The Organization procedure, set out in DOC 15.2 protects important records from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements
15.1.4 Data protection and privacy of personal information
Data protection and privacy are ensured as required and, where applicable, contractual clauses
15.1.4.1 The Organization Data Protection and Privacy policy is set out in DOC 15.6.
15.1.4.2 The Organization has appointed an Information Security Manager who is responsible for ensuring that the procedures set out in sub sections 15.4 and 15.5 are implemented.
15.1.4.3 The Organization has implemented specific technical measures to protect personal information.
15.1.5 Prevention of misuse of information processing facilities
Users are be deterred from using information processing facilities for unauthorized purposes.
15.1.5.1 Users are only allowed to access Organizational information facilities after they have signed a User Agreement (as required in DOC 11.2 ), in which they accept that disciplinary action may be commenced against anyone who abuses access rights or contravenes the Internet Acceptable Use Policy (DOC 7.2 ), the e-mail rules (DOC 7.3 ) or any other part of the ISMS. A warning about unauthorized access is also displayed at logon, as set out in DOC 11.9 .
15.1.5.2 The Organization monitors compliance with these requirements, as described in DOC 7.4 and DOC 10.18 .
15.1.6 Regulation of cryptographic controls
Cryptographic controls are used in compliance with all relevant agreements, laws and regulations, as set out in DOC 12.2 .
15.2 Compliance With Security Policies & Standards
Control objective: to ensure compliance of systems with organizational security policies and standards
15.2.1 Compliance with security policy and standards
Managers ensure that all documented security procedures and work instructions within their area of responsibility are carried out correctly to achieve compliance with security policies and standards
15.2.1.1 Managers are required, under their job descriptions, to carry out monthly checks to ensure that all security procedures and work instructions within their area of responsibility are being carried out, to identify shortfalls and to take action to ensure that shortfalls are immediately corrected. This action should involve identification of the causes of the non-compliance, an evaluation of the need for action to ensure non-recurrence of the shortfall, a determination of the appropriate action, followed by a review of the action to ensure that it has achieved its objectives. This follows the Organization PDCA approach.
15.2.1.2 Managers are required to document these reviews in accordance with DOC 15.4 as well as the actions required, and responsibilities and timeframes, in the case of shortfalls.
15.2.1.3 These management reviews and any actions arising must be reported in accordance with DOC 15.4 to the independent reviewers (see DOC 6.7 )
15.2.2 Technical compliance checking
Information systems are regularly checked for compliance with security implementation standards, and the Organization procedures for managing technical compliance checking are set out in DOC 15.4
15.3 Information Systems Audit Considerations
Control objective: to maximize the effectiveness of and to minimize interference to/from the information systems audit process
15.3.1 Information systems audit controls
Audit requirements and activities involving checks on operational systems are carefully planned as set out in DOC 15.5 and agreed with appropriate management to minimize the risk of disruptions to business processes.
15.3.2 Protection of information systems audit tools
Access to information systems audit tools are protected as required in DOC 15.5 to prevent any possible misuse or compromise
15.4 Compliance & Compliance Checking Procedure
The Organization’s entire ISMS is within the scope of this procedure.
Responsibilities
All personnel connected with the Trust Centre are responsible for ensuring and checking for procedural compliance.
The Information Security Manager is responsible for planning and commissioning technical compliance checking.
Procedure
Management review [ISO 17799 clause 15.2.1]
15.4.3.1 On a monthly basis, the Information Security Manager will review operational conformance with those Organizational policies and procedures that apply to the information assets for which they are responsible/whose Owners report to them. Managers are not responsible for performing or commissioning technical compliance checking.
15.4.3.2 The review must be reported/recorded on the Monthly Trust Centre Operational Report.
15.4.3.3 Where a non-conformance is identified, the manager must determine the cause of the non-conformance, evaluate what action is required to ensure that the non-conformance does not re-occur, determine necessary corrective action (including obtaining any required authorizations) and take the identified action
15.4.3.4 The details of the corrective actions, and confirmation of their successful implementation, should also be recorded in the [review report].
15.4.3.5 Review reports are made available to independent reviewers carrying out independent reviews in line with DOC 6.7 .
15.4.3.6 Managers are also responsible for identifying non-conformances in the ordinary course of business and taking appropriate corrective action appropriately.
Technical Compliance Checking [ISO 17799 clause 15.2.2]
15.4.4.1 The Information Security Manager has a schedule of the Organization’s information assets (gathered under DOC 7.1 ) and these are prioritized by their value to the Organization.
15.4.4.2 All assets that are Risk Level 2 or above are checked for technical compliance with their documented configuration requirements as part of the monthly audit carried out by the Information Security Manager.
ISO 27001 Auditor
15.4.4.3 The Organization requires that any person/organization who carries out technical compliance checking has been either certified as an ISO 27001 Auditor or is an accredited WebTrust Compliance Auditor.
15.4.4.4 The Information Security Manager approves the technical checking plan put forward by the ISO 27001 Auditor or WebTrust Compliance Auditor and authorizes commencement of the check plan only when satisfied that the testing will not compromise the asset or system being checked.
15.4.4.5 Non conformances are identified and dealt with as described in Section 3, above.
15.4.4.6 New weaknesses or vulnerabilities uncovered as a result of the technical compliance checking are reported in line with DOC 13.1 and dealt with in line with DOC 13.2 .
Systems Auditing Procedure
The Organization’s information assets and whole ISMS are within the scope of this procedure.
Responsibilities
The Information Security Manager is responsible for planning systems audit activities. The Information Security Manager is responsible for authorizing audit activity to occur.
Procedure [ISO 17799 clause 15.3.1]
Audit controls
The audit regime and the specific audit requirements will be documented and identified as part of the initial internal audit and will be identified and documented here, once completed. You should refer to the guidance of ISO 17799 clause 15.3.1 in drafting your procedure for this activity.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue