
AS/NZS 4444.1:1999

Superseded

A superseded Standard is one which has been fully replaced by another Standard that is a new edition of the same Standard.

Information security management - Code of practice for information security management

Available format(s)

Hardcopy , PDF 1 User , PDF 3 Users , PDF 5 Users , PDF 9 Users

Superseded date

27-05-2024

Language(s)

English

Published date

05-12-1999

Preview

1 - AS/NZS 4444.1:1999 INFORMATION SECURITY MANAGEMENT - CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT
5 - Preface
7 - Contents
9 - Introduction
9 - What is information security?
9 - Why information security is needed
10 - How to establish security requirements
10 - Assessing security risks
11 - Selecting controls
11 - Information security starting point
12 - Critical success factors
12 - Developing your own guidelines
13 - 1 Scope
14 - 2 Terms and definitions
14 - 2.1 Information security
14 - 2.2 Risk assessment
14 - 2.3 Risk management
15 - 3 Security policy
15 - 3.1 Information security policy
15 - 3.1.1 Information security policy document
16 - 3.1.2 Review and evaluation
17 - 4 Security organization
17 - 4.1 Information security infrastructure
17 - 4.1.1 Management information security forum
18 - 4.1.2 Information security co-ordination
18 - 4.1.3 Allocation of information security responsibilities
19 - 4.1.4 Authorization process for information processing facilities
19 - 4.1.5 Specialist information security advice
20 - 4.1.6 Co-operation between organizations
20 - 4.1.7 Independent review of information security
20 - 4.2 Security of third party access
20 - 4.2.1 Identification of risks from third party access
21 - 4.2.2 Security requirements in third party contracts
23 - 4.3 Outsourcing
23 - 4.3.1 Security requirements in outsourcing contracts
24 - 5 Asset classification and control
24 - 5.1 Accountability for assets
24 - 5.1.1 Inventory of assets
25 - 5.2 Information classification
25 - 5.2.1 Classification guidelines
25 - 5.2.2 Information labelling and handling
27 - 6 Personnel security
27 - 6.1 Security in job definition and resourcing
27 - 6.1.1 Including security in job responsibilities
27 - 6.1.2 Personnel screening and policy
28 - 6.1.3 Confidentiality agreements
28 - 6.1.4 Terms and conditions of employment
29 - 6.2 User training
29 - 6.2.1 Information security education and training
29 - 6.3 Responding to security incidents and malfunctions
29 - 6.3.1 Reporting security incidents
30 - 6.3.2 Reporting security weaknesses
30 - 6.3.3 Reporting software malfunctions
30 - 6.3.4 Learning from incidents
30 - 6.3.5 Disciplinary process
31 - 7 Physical and environmental security
31 - 7.1 Secure areas
31 - 7.1.1 Physical security perimeter
32 - 7.1.2 Physical entry controls
32 - 7.1.3 Securing offices, rooms and facilities
33 - 7.1.4 Working in secure areas
33 - 7.1.5 Isolated delivery and loading areas
34 - 7.2 Equipment security
34 - 7.2.1 Equipment siting and protection
35 - 7.2.2 Power supplies
35 - 7.2.3 Cabling security
36 - 7.2.4 Equipment maintenance
36 - 7.2.5 Security of equipment off-premises
36 - 7.2.6 Secure disposal or re-use of equipment
37 - 7.3 General controls
37 - 7.3.1 Clear desk and clear screen policy
37 - 7.3.2 Removal of property
38 - 8 Communications and operations management
38 - 8.1 Operational procedures and responsibilities
38 - 8.1.1 Documented operating procedures
39 - 8.1.2 Operational change control
39 - 8.1.3 Incident management procedures
40 - 8.1.4 Segregation of duties
40 - 8.1.5 Separation of development and operational facilities
41 - 8.1.6 External facilities management
42 - 8.2 System planning and acceptance
42 - 8.2.1 Capacity planning
42 - 8.2.2 System acceptance
43 - 8.3 Protection against malicious software
43 - 8.3.1 Controls against malicious software
44 - 8.4 Housekeeping
44 - 8.4.1 Information back-up
44 - 8.4.2 Operator logs
45 - 8.4.3 Fault logging
45 - 8.5 Network management
45 - 8.5.1 Network controls
46 - 8.6 Media handling and security
46 - 8.6.1 Management of removable computer media
46 - 8.6.2 Disposal of media
47 - 8.6.3 Information handling procedures
47 - 8.6.4 Security of system documentation
48 - 8.7 Exchanges of information and software
48 - 8.7.1 Information and software exchange agreements
48 - 8.7.2 Security of media in transit
49 - 8.7.3 Electronic commerce security
50 - 8.7.4 Security of electronic mail
50 - 8.7.5 Security of electronic office systems
51 - 8.7.6 Publicly available systems
52 - 8.7.7 Other forms of information exchange
53 - 9 Access control
53 - 9.1 Business requirement for access control
53 - 9.1.1 Access control policy
54 - 9.2 User access management
54 - 9.2.1 User registration
55 - 9.2.2 Privilege management
55 - 9.2.3 User password management
56 - 9.2.4 Review of user access rights
56 - 9.3 User responsibilities
56 - 9.3.1 Password use
57 - 9.3.2 Unattended user equipment
57 - 9.4 Network access control
57 - 9.4.1 Policy on use of network services
58 - 9.4.2 Enforced path
58 - 9.4.3 User authentication for external connections
59 - 9.4.4 Node authentication
59 - 9.4.5 Remote diagnostic port protection
59 - 9.4.6 Segregation in networks
60 - 9.4.7 Network connection control
60 - 9.4.8 Network routing control
60 - 9.4.9 Security of network services
61 - 9.5 Operating system access control
61 - 9.5.1 Automatic terminal identification
61 - 9.5.2 Terminal log-on procedures
62 - 9.5.3 User identification and authentication
62 - 9.5.4 Password management system
63 - 9.5.5 Use of system utilities
63 - 9.5.6 Duress alarm to safeguard users
63 - 9.5.7 Terminal time-out
63 - 9.5.8 Limitation of connection time
64 - 9.6 Application access control
64 - 9.6.1 Information access restriction
64 - 9.6.2 Sensitive system isolation
65 - 9.7 Monitoring system access and use
65 - 9.7.1 Event logging
65 - 9.7.2 Monitoring system use
66 - 9.7.3 Clock synchronization
67 - 9.8 Mobile computing and teleworking
67 - 9.8.1 Mobile computing
68 - 9.8.2 Teleworking
69 - 10 Systems development and maintenance
69 - 10.1 Security requirements of systems
69 - 10.1.1 Security requirements analysis and specification
70 - 10.2 Security in application systems
70 - 10.2.1 Input data validation
70 - 10.2.2 Control of internal processing
71 - 10.2.3 Message authentication
71 - 10.2.4 Output data validation
72 - 10.3 Cryptographic controls
72 - 10.3.1 Policy on the use of cryptographic controls
72 - 10.3.2 Encryption
73 - 10.3.3 Digital signatures
73 - 10.3.4 Non-repudiation services
73 - 10.3.5 Key management
75 - 10.4 Security of system files
75 - 10.4.1 Control of operational software
75 - 10.4.2 Protection of system test data
76 - 10.4.3 Access control to program source library
77 - 10.5 Security in development and support processes
77 - 10.5.1 Change control procedures
78 - 10.5.2 Technical review of operating system changes
78 - 10.5.3 Restrictions on changes to software packages
78 - 10.5.4 Covert channels and Trojan code
79 - 10.5.5 Outsourced software development
80 - 11 Business continuity management
80 - 11.1 Aspects of business continuity management
80 - 11.1.1 Business continuity management process
81 - 11.1.2 Business continuity and impact analysis
81 - 11.1.3 Writing and implementing continuity plans
81 - 11.1.4 Business continuity planning framework
82 - 11.1.5 Testing, maintaining and re-assessing business continuity plans
84 - 12 Compliance
84 - 12.1 Compliance with legal requirements
84 - 12.1.1 Identification of applicable legislation
84 - 12.1.2 Intellectual property rights (IPR)
85 - 12.1.3 Safeguarding of organizational records
86 - 12.1.4 Data protection and privacy of personal information
86 - 12.1.5 Prevention of misuse of information processing facilities
87 - 12.1.6 Regulation of cryptographic controls
87 - 12.1.7 Collection of evidence
88 - 12.2 Reviews of security policy and technical compliance
88 - 12.2.1 Compliance with security policy
88 - 12.2.2 Technical compliance checking
89 - 12.3 System audit considerations
89 - 12.3.1 System audit controls
89 - 12.3.2 Protection of system audit tools
90 - Appendix A - OECD information security principles
90 - Security Objective
92 - Appendix B - Australia's information privacy principles
94 - Appendix C - New Zealand's information privacy principles
94 - PRIVACY ACT (1993)
99 - NEW ZEALAND'S COPYRIGHT ACT (1994)
100 - OTHER NEW ZEALAND LEGISLATION
101 - Index

Gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organizational security standards and effective security management practice, and to provide confidence in inter-organizational dealings. This Standard is identical to BS 7799-1:1999.

Committee
IT-012
DocumentType
Standard
ISBN
0 7337 3050 7
Pages
91
PublisherName
Standards Australia
Status
Superseded

Standards Relationship
BS 7799-1:1999 Identical

Under revision; see DR 00408 CP. First published as AS/NZS 4444:1996. Revised and redesignated as AS/NZS 4444.1:1999.

CSA ISO/IEC TR 14516 : 2004 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - GUIDELINES FOR THE USE AND MANAGEMENT OF TRUSTED THIRD PARTY SERVICES
CAN/CSA-ISO/IEC TR 14516-04 (R2017) Information Technology - Security Techniques - Guidelines for the use and Management of Trusted Third Party Services (Adopted ISO/IEC TR 14516:2002, first edition, 2002-06-15)
CSA ISO/IEC TR 14516 : 2004 : R2012 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - GUIDELINES FOR THE USE AND MANAGEMENT OF TRUSTED THIRD PARTY SERVICES
ISO/IEC TR 14516:2002 Information technology Security techniques Guidelines for the use and management of Trusted Third Party services
BS ISO/IEC TR 14516:2002 Information technology. Security techniques. Guidelines for the use and management of trusted third party services

HB 248-2001 Organisational experiences in implementing information security management systems
HB 231:2000 Information security risk management guidelines

$262.48
Including GST where applicable
