The following new security policies, each listed with its reference number in the ISO 17799 outline used by the product, have been added to Information Security Policies Made Easy Version 10.

Policy Number    Policy Title

3.01.01.12   "Policy-Driven Information Systems Security Architecture"

4.01.03.09   "Systems Administrators Don't Handle Security Administration"

4.01.03.14   "Authorization To Review Any Information System"

4.01.03.27   "Information Access Delegation Path"

4.01.03.28   "Information Security Is A Management Responsibility"

4.01.03.29   "Clear Assignment Of Internal Controls Accountability"

4.01.03.30   "Board Of Directors Audit Committee"

4.02.01.11   "Publicly Posting Only Generic Information"

4.02.01.15   "Annual Evaluation Of Information Security Operations Outsourcing"

4.02.01.16   "Outsourcing Information Security Requires A Risk Assessment"

4.02.02.19   "Software Vendors Must Perform Security Tests"

4.02.02.20   "Software Vendors Must Submit Third Party Testing Documentation"

4.02.02.21   "Operating Systems Must Be Evaluated And Deemed Trustworthy"

4.03.01.03   "Third Party Software Developers Access To Source Code"

4.03.01.13   "Sensitive Business Activities Performed In Foreign Countries"

4.03.01.14   "Remote Alarms Indicate Equipment Area Is Being Accessed"

4.03.01.15   "Outsourced Security Must Be At Least As Robust As In-House Security"

5.02.01.03   "Internet Domain Name And Host Name Approval Process"

5.02.02.16   "Labeling Unbound Hardcopy Material"

6.01.02.11   "Worker History Of Computer Crime Or Abuse"

6.01.02.22   "Annual Personal Financial Disclosure For Trusted Workers"

6.01.04.02   "Ownership Of Employees' Ideas"

6.02.01.07   "Specification Of Minimum Information Security Training"

6.02.01.18   "Technical Training And Apprenticeship"

6.02.01.19   "Training In Software Defect Testing & Correction"

6.02.01.21   "Accepting Security Assistance From Outsiders"

6.03.01.20   "Reporting Suspected Security Breaches To Third Parties"

6.03.01.21   "Initial Response To Report Of Identity Theft"

6.03.01.24   "Reporting Unexpected Requests For Log-In Information"

6.03.01.27   "Requests To Cooperate In Investigations"

6.03.02.06   "Schedule For Responses To Reported Security Problems"

7.01.02.20   "Repair People Who Show Up Without Being Called"

7.01.02.48   "Return Of Badges By Terminated Workers"

7.01.04.04   "Work With Sensitive Materials In Public Areas"

7.01.04.06   "Third Party Service Providers Work During Office Hours"

7.02.01.17   "Wireless Access Points Need Strong Physical Security"

7.02.06.03   "Approval For Removal Of Any Equipment"

8.01.01.14   "Reconciling Statistics From Service Providers"

8.01.02.07   "Only Widely-Deployed Information Systems Technology"

8.03.01.08   "Virus Disclaimer For Downloaded Files"

8.03.01.22   "Portable Computers Issued With Standard Configuration"

8.04.01.17   "All Electronic Communications Are Recorded And Archived"

8.05.01.11   "Security For Domain Name Registrations"

8.05.01.12   "Monitoring Shadow Internet Domain Names"

8.05.01.13   "Central Registration Of Company X Web And Commerce Sites"

8.05.01.14   "Legal Audit For Web And Commerce Sites"

8.05.01.24   "Firewall Policy Defining Denied And Permitted Services"

8.05.01.25   "Firewall Policy Rule Testing"

8.05.01.26   "Immediate Local Backup Of Firewalls After Deployment"

8.05.01.27   "Remote Access To Firewalls"

8.05.01.38   "Terminating Communications Lines As Soon As Possible"

8.05.01.55   "Wireless Access Points Disabled Unless Approved"

8.05.01.59   "War Driving To Discover Unauthorized Wireless Access Points"

8.05.01.60   "Production Wireless Systems And Fail-Over Alternative Networks"

8.06.02.06   "Trash Container Contents Review"

8.06.02.07   "Destroying Documents Relevant To Litigation"

8.06.02.08   "Secondary Review For Materials Slated For Destruction"

8.06.02.13   "Physically Securing Trash Dumpsters"

8.06.03.13   "Protecting Outbound Secret Computerized Information"

8.07.03.10   "Scripted Response To Detected Intrusions On Commerce Systems"

8.07.03.20   "No Storage Of Credit Card Information"

8.07.03.21   "Credit Card Fraud Detection And Mitigation System"

8.07.03.22   "Signature Required For Delivery Of Internet Orders"

8.07.03.25   "Web-Based Secure Channel For Electronic Mail Communications"

8.07.03.28   "Individuals Involved With Fraud"

8.07.04.07   "Automatic Forwarding Of Electronic Mail Externally"

8.07.04.13   "Electronic Mail Message Storage Schedule And Allotment"

8.07.04.22   "Centralized Control Over Electronic Mail Systems"

8.07.04.29   "Outbound Electronic Mail Footer Approval"

8.07.04.36   "Blocking To Field On Systems Containing Private Information"

8.07.04.42   "Permissible Uses Of Instant Messaging Facilities"

8.07.04.43   "Instant Messaging Without Installed Auditing Tool"

8.07.04.44   "All Mail Servers Must Run Approved Spam-Filtering Software"

8.07.04.45   "All Outbound Electronic Mail Is Automatically Scanned"

8.07.04.46   "Anti-Spam Notices Embedded In Electronic Mail Marketing Messages"

8.07.04.47   "Consequences Of Sending Spam Messages"

8.07.05.61   "Typing Passwords When Others Are Watching"

8.07.06.40   "Web Pages Expressing Views Of Author Only"

8.07.06.41   "Disclaimer For Information Posted On Web Site"

8.07.07.06   "Fair Disclosure Of Material Financial Information"

8.07.07.28   "Logically Separate Voice And Data On IP Networks"

8.07.07.29   "VOIP Remote Management Or Auditing Requires Encrypted Channel"

8.07.07.30   "Critical Telephone Services Must Not Be Supported Via VOIP"

8.07.07.31   "Use Of Softphones That Support VOIP On Personal Computers"

9.01.01.07   "Role-Based Access Control Privileges"

9.01.01.10   "Every User ID Reflected In Centralized Access Database"

9.02.01.15   "Third Party Agreements And User ID Establishment"

9.02.01.18   "Project Manager Notification Regarding Third Party Access"

9.02.01.23   "Opening Accounts With Discrepancies In Customer Information"

9.02.01.24   "Special Procedures For Opening Accounts With A Fraud Alert"

9.02.01.25   "Thumbprints Required To Open A New Account"

9.02.01.26   "Reuse Of Authentication Credentials On Public Web Sites"

9.02.02.09   "Two Person Integrity Rule For Sensitive Information Access"

9.02.03.02   "Passwords Set To Expired After Intrusion"

9.02.03.12   "Password Changes Performed By Involved User"

9.03.01.16   "Password Disclosure Terminates Relationship"

9.03.01.23   "Script Files On Portable Computers, PDAs, And Smart Phones"

9.03.01.24   "Disclosure Of Sensitive Information Via Web Sites"

9.04.02.03   "Machines Connected Only To Internal LAN Or Intranet"

9.04.07.05   "Powering Down Network-Connected Workstations At Night"

9.05.04.05   "Null Passwords Always Prohibited"

9.05.04.19   "User Notification Of Changed Password"

9.07.02.15   "Honeypots And Intrusion Detection Systems"

9.07.02.24   "Unusual Transaction Activity Detects Identity Theft"

9.07.03.25   "Real-Time Monitoring Of Spam To Detect Phishing"

9.08.01.03   "Single Vendor Of Personal Digital Assistants"

9.08.01.07   "Poison Pills For Portable Computers With Secret Information"

9.08.01.15   "Boot And Utilities CD-ROM For Mobile Computers"

9.08.01.16   "Storage Of Remote Access Information In Portable Computers"

9.08.01.17   "Remote Client Machines Automatically Disabled If Lost/Stolen"

9.08.01.18   "Downloaded Software On PDAs & Smart Phones"

9.08.01.19   "Storage Of Company X Information On PDAs & Smart Phones"

9.08.01.20   "Portable Computers, PDAs, And Smart Phones Out Of Sight"

10.01.01.03   "Renewal Of Information Technology Project Funding"

10.02.02.04   "Announcing System Unavailability To Users"

10.03.02.03   "Encryption Usage Aside From That In Browsers"

10.03.02.07   "Vendor's Willingness To Reveal Source Code"

10.03.02.12   "Encryption Keys Not Resident In Main Memory"

10.03.05.12   "Systems Design Encryption Key Length"

10.03.05.15   "Two Of Four People With Access To Master Keys"

10.03.05.16   "At Least Two People With Access To Master Keys"

10.04.01.03   "Peer-To-Peer File-Sharing Software Prohibited"

10.04.01.04   "Conditions For Use Of Open Source Software"

10.04.01.05   "Security Testing Process For Open Source Software"

10.04.01.06   "Availability Of Consulting For Open Source Software"

10.04.01.07   "Derivative Versions Of Open Source Software"

10.05.01.02   "Use Of Automated Software Testing Routines"

10.05.01.03   "Web Code Review Tools"

10.05.01.15   "Change Log On Every Server"

10.05.01.21   "Systems Administrators Install/Update Server Software"

10.05.02.03   "Digital Signature And Source Approval For Patches"

10.05.02.04   "Frequency Of Installing Non-Emergency Patches, Fixes, And Upgrades"

10.05.02.05   "Documenting Reasons Why Patches And Fixes Were Not Installed"

10.05.02.06   "Development Testing For Software Patches, Fixes, And Updates"

11.01.01.03   "Vendors Providing Mission Critical Hardware & Software"

11.01.01.04   "Plan For Every Critical Application And Infrastructure Component"

11.01.01.05   "Mission Critical Systems And Refurbished/Reconfigured Equipment"

11.01.03.03   "Crisis Management Plan"

11.01.04.03   "Work At Home Requirements For Staff Performing Critical Tasks"

12.01.02.15   "Redistribution Of Information Posted On-Line"

12.01.03.07   "Vital Paper Records Captured In Electronic Imaging Form"

12.01.04.05   "Written Privacy Consent Needed For Provision Of Services"

12.01.04.06   "Retroactive Consent For Private Information Usage"

12.01.04.13   "Full And Accurate Description Of Private Data Collection"

12.01.04.14   "Routine Disclosure Of Full Private Record"

12.01.04.16   "Notice Of Privacy Practices Provided Before Consent Received"

12.01.04.18   "Place No Software Or Information On User's Machine"

12.01.04.19   "No Undisclosed Tracking Or Identification Software"

12.01.04.21   "Parental Access To Information Collected From Children"

12.01.04.24   "Centralization Or Synchronization Of Customer Databases"

12.01.04.27   "De-Identification Of Private Information"

12.01.04.48   "Private Information Shared When Recipient Has Comparable Policy"

12.01.04.55   "Only Privacy Policy Text Is Binding"

12.01.04.80   "Social Security Numbers Shown On Statements"

12.01.04.85   "Opt-In For Sensitive Data And Opt-Out For Other Types"

12.01.04.89   "Revoking Previously-Granted Consent To Disclose Private Data"

12.01.04.92   "Deleting Voluntarily Provided Personal Information"

12.01.04.95   "Private Data Movement To Third Party Custodians"

12.01.04.108   "Minimum Contents Of Posted Privacy Policy"

12.01.04.110   "Privacy Policy And Internet Personal Data Gathering Points"

12.01.04.111   "Opt Out From New Privacy Policy Provisions"

12.01.05.05   "Prohibition Against All Forms Of Adult Content"

12.01.05.08   "After Hours Web Shopping And Auction Business"

12.01.05.20   "Financial Transaction Accounts Reconciled Monthly"

12.02.01.07   "Privacy Policy And Practices Annual Audit"

12.02.02.04   "Scanning Network Exposed Systems Components"