Tag Archives: Cultural

The Last Post

Well, I will say that this is the last post for the site SPA Paperless Office Project. The reason is that times have changed: the site will have a new name and a new look, complete with a totally new area devoted to the paperless office. It will still have its roots in the S.P.A Foundation and still be built around what I believe is one of the fundamentals of achieving a paperless environment.

What will the new site have? A purpose-built Management Efficacy SPA Template Tool and an Efficacy SPA Paperless Template Tool, plus a few others.

How will the site be designed? It will have a new, reader-friendly screen layout and a new external-link-friendly system, plus all the usual posts connected to the paperless environment, for the person who wants to understand the subject and read thoughtful and interesting posts about it.

The site design will constantly be updated to improve the reader’s experience.

What will the site be called? To keep in line with the original thinking behind the first web site, the name Paperless Endeavour is meant to reflect an ever-lasting and ever-changing environment that, to a certain degree, will always try to keep up with the technological advances and breakthroughs that are always trying to improve the world we live in, whether in the office or in the associated technologies.

The new site will be launched in January next year, so I hope to see you then. Otherwise, have a wonderful Christmas holiday and a Happy New Year.

Martin Smith


Paperless and ISO 17799 (27001) (27002)

These standards are, very broadly, all to do with information security (see earlier posts for a more detailed description), and they apply to any organization that handles and depends on information.

How can a paperless system assist compliance with these standards?

I think we have to look at the wider picture and understand why we use a paperless system in order to find an answer for this area.

It is certainly not a case of having to design a special area within a paperless system for these standards to apply, as nearly all companies are connected to them in some way: we must handle people’s information just to employ them, and of course some companies will require a more complex system if their business depends on people’s information.

So do we design a paperless system to accommodate these standards, or do we try to place their requirements into an existing paperless system, better known as a Document Management System, with added security because of the possible sensitivity of the information?

Some of the companies who have installed a respectable Document Management System will be happy with the outcome, and to a certain degree this is more than acceptable for a normal company, depending on the type of information and the type of company that has to apply these regulations to a great degree; these two statements go without saying and are pretty common.

But could we say that a defined set of actions and processes within a system is the best answer? I think it is more a case of having to use what is available to us at the time of installation and what has already been designed and accepted.

It is obvious that security has to play a big part if we intend to use the computer as an office or to assist a paperless system; that is the main point of these standards, to protect people’s information.

One of the better aspects of these standards is that ISO/IEC 27002 is a code of practice/guideline rather than a certification standard: organizations are free to select and implement other controls, or indeed adopt alternative complete suites of information security controls, as they see fit. Certification, where an organization wants it, is against ISO/IEC 27001, which covers the management system around those controls rather than the controls themselves.

We can all agree that technology will grow and improve over time, so could you say that this will always be open to debate in the areas of acceptability and how it applies to a paperless system?

We could say that this will always be the case, simply because technology will always grow, but we do have to find the middle ground where a practical solution is available to provide a practical answer.


E Paper and a “Pretentious Stigma”

[Image via Wikipedia: Fish and chips traditionally wrapped in white ...]

If you have been following any of my posts you will have noticed that I encourage technological advances, but with a realistic and practical approach that can assist paperless systems and the concept of the paperless office.

I do believe that there is still an aristocratic or pretentious stigma surrounding certain technological products at the moment, mainly the development of E paper, but also the other technological developments meant to support the development of any paperless product.

We all understand that the progressive growth of the paperless office started very simply when software programmes became available for the PC. Over the years this has encouraged people to use standard computers to assist the development of the paperless office.

We all know now that E paper is the next big thing in the development of a paperless society, a substitute for or even a replacement of paper. Well, that’s what I think! Whatever was produced on traditional paper is now being replaced by e paper, or by a device that wants to replace paper.

I have often wondered whether we have really thought about or considered what we used paper for. I don’t mean the everyday items like toilet paper or wrapping up your fish and chips (the English way of eating them), but paper that is used as a communication tool.

Communicating in the work environment and also in social activities. I say social activities, but what did we use paper for as a social activity? Reading books, magazines and newspapers. I think these are the areas that will come to everyone’s mind, and I am sure there are a few others that you will think of in time.

One of my points is: why are the developers solely marketing the social side of these products? The Skiff reader was designed for newspapers and magazines, and most of the tablets on the market have an underlying approach aimed at social activities.

I honestly believe that we are scared to say that if we design an e paper product like the Skiff reader, the Sony e paper etc. that actually replaces paper, the user will turn around and state “is that all it does?” But really, that’s all we want it to do: replace the paper that we use as a communication tool.

The next big question is: can e paper work alongside the computer?


E Paper (Technical basics)

[Image via Wikipedia: Electronic paper (Side view of Electrophoretic...]

Electronic paper was first developed in the 1970s by Nick Sheridon at Xerox’s Palo Alto Research Center. The first electronic paper, called Gyricon, consisted of polyethylene spheres between 75 and 106 micrometres across.

Each sphere is a Janus particle composed of negatively charged black plastic on one side and positively charged white plastic on the other (each bead is thus a dipole). The spheres are embedded in a transparent silicone sheet, with each sphere suspended in a bubble of oil so that it can rotate freely.

The polarity of the voltage applied to each pair of electrodes then determines whether the white or black side is face-up, thus giving the pixel a white or black appearance. At the FPD 2008 exhibition, the Japanese company Soken demonstrated a wall with electronic wallpaper using this technology.

In the simplest implementation of an electrophoretic display, titanium dioxide particles approximately one micrometer in diameter are dispersed in a hydrocarbon oil. A dark-colored dye is also added to the oil, along with surfactants and charging agents that cause the particles to take on an electric charge. This mixture is placed between two parallel, conductive plates separated by a gap of 10 to 100 micrometres.

When a voltage is applied across the two plates, the particles will migrate electrophoretically to the plate bearing the opposite charge from that on the particles. When the particles are located at the front (viewing) side of the display, it appears white, because light is scattered back to the viewer by the high-index titania particles.

When the particles are located at the rear side of the display, it appears dark, because the incident light is absorbed by the colored dye. If the rear electrode is divided into a number of small picture elements (pixels), then an image can be formed by applying the appropriate voltage to each region of the display to create a pattern of reflecting and absorbing regions.

Electrophoretic displays are considered prime examples of the electronic paper category, because of their paper-like appearance and low power consumption.

Examples of commercial electrophoretic displays include the high-resolution active matrix displays used in the Amazon Kindle, Barnes & Noble Nook, Sony Librie, Sony Reader, and iRex iLiad e-readers.

These displays are constructed from an electrophoretic imaging film manufactured by E Ink Corporation. Similar technology has also been developed by SiPix (Microcup) and Bridgestone (Quick Response Liquid Powder Display, QR-LPD). The Motorola MOTOFONE F3 was the first mobile phone to use the technology, in an effort to eliminate glare from direct sunlight during outdoor use.

Electrophoretic displays can be manufactured using the Electronics on Plastic by Laser Release (EPLaR) process developed by Philips Research to enable existing AM-LCD manufacturing plants to create flexible plastic displays.


E Paper History

[Image: 1974-gyricon-material]

There have been various reports that the history of E paper began in the late 60s and early 70s at Xerox PARC, which was developing the Alto personal computer and attempting to get Xerox management to appreciate it; they never did.

It was the world’s first office and word-processing computer, but this remarkable machine had one serious drawback: the cathode ray tube display it used was not the best; it was not bright enough, and the contrast was not great.

A major improvement to address this problem was the introduction of Gyricon; this used a rotating ball and was based on a physical phenomenon called “electrocapillarity.” The electrocapillarity display worked by moving coloured liquids against a white background. As you can appreciate, this was back in the 60s and 70s, and it was really a very basic spin-off of what we see on screens today.

As time passed the concept of E paper slowly declined and the computer era was born, and that is history. It is not really until the birth of the e reader that we see the development of E paper in its present form, which we owe to the potential growth of the electronic reader.

Since then there has always been background research and development of e paper from all the usual companies, and various reports have been published indicating that this development was, and still is, a thing of the future.

Two articles were published, “E Is for E-Paper: An Electronic Paper Primer for the Graphic Communications Industry” and “E-Paper Technologies and Opportunities in Publishing, Communications and the Graphic Arts”; these examined the two major product releases (the iRex iLiad and the Sony Reader) and also looked at the other potential devices waiting in the wings.

In 2006/2007 Sony started to develop a so-called Sony Style e-store from which the e reader could download various books to read. We have to be very careful here, for most of the reports and articles state that the e books have electronic paper. Could that be a misleading phrase? The device they were reading from was meant to replace books, so it was common sense to think that the e books have e paper, but the question of what you would class as e paper really has to spring to mind. We have seen this before with the concept of the paperless office, where terminology has been placed into a category and in time the design process has lost its true meaning.

If we look at the years from 2008 to the present and break it down by utilization, then electronic paper is the way out for people who read a lot off their screen. But there are also big expectations in the field of replacing printed newspapers, school books and manuals.

Advantages of the eBook reader are, besides its handy, light size, the large storage capacity and the fast and easy adaptation of the content. An additional advantage is that some models have the option to make notes that can be transformed into printed text.

A promising development of electronic paper is flexible e-paper. The Philips spin-off Polymer Vision presented in 2007 a first commercial utilization of flexible electronic paper in the form of the Readius, a smartphone with a foldable screen. This makes it possible to equip a small device with a relatively large screen.

This has mostly been carried forward and developed commercially with the introduction of the Skiff, a flexible sheet that can be used to read newspapers, with more of a sheet design for reading rather than the traditional book design.

Although the Skiff was never a commercial success, this was not due to the material design of the product but rather a commercial failure in how to market the product as a multi-functional reading tool and in acquiring the appropriate networking solutions to capture a new type of reader. Some reports state that it was ahead of its time; I must disagree with this. It is only a question of time before a design concept will look and feel like, and be the same size as, the piece of paper we are all used to, rather than a small computer device replacing the book.

Vizplex is another development with regard to eInk displays: displays equipped with this technology have greater contrast and can switch pages faster. Vizplex is also more suitable for larger screens and therefore for an A4-size piece of paper.

One of the problems in trying to trace this history is that E paper has really come from how the product developed within existing technology. It is hard to state that e paper was developed in the 60s and 70s when it was the development of the computer screen that started it. Can you class e paper as a computer screen? Once again, the major leaps and bounds of this product have come from the mobile phone industry with the foldable screen.

I think that in the early days it should have been called an e display (which it was), and that this has changed and developed into a piece of e paper.

So trying to track down a precise date has become difficult, and I think it is still fair to say that this is an ongoing development. Has the e display finally turned into a piece of paper? I do believe that it will, but it will certainly take more time and a lot more research before we can clearly and confidently state this.

[Image: sony electronic paper]


Paperless and the Civil Evidence Act 1995

We can all agree that the concept of the paperless office is becoming a reality as more systems and programs are designed, but do we have to consider the legal and compliance requirements when preparing for a paperless system?

The answer is yes we do, but unfortunately there is no simple yes-or-no answer to how you design for this, as companies and organizations will have different systems and processes. The self-employed person with a small company will not have to worry much about this area; the main concern is the items we would recommend not copying or transferring into an electronic document.

If we look at the Civil Evidence Act 1995, you could be right in assuming that this is really for the law, the courts and the solicitors’ profession, and in most cases this will be the case.

How can this Act assist the paperless system? The main point is that if you want to introduce a paperless system, transferring paper into electronic documents may have to follow certain guidelines. The problem is not that you cannot copy paper documents into electronic documents, but the issue of integrity and authenticity, i.e. proof that the document has not been tampered with and that it still retains its integrity as an original record. In practice that means being able to show, for each scanned image, when and by whom it was captured and that the bytes held today are the same ones that were captured.

We must also remember that there are so many ISO and BSI rules and guidelines that certain areas cross over between them, so compliance can be covered from one guideline to another.

Most of the information will tell you that the guidelines are set out in BSI DISC PD 0008 (see older post), the British Standard code of practice relating to the legal admissibility and evidential weight of information stored electronically. It provides a framework and guidelines that identify key areas of good practice.

So in real terms, what are the guidelines? Audit data requirements, access control considerations, interface requirements and backup obligations.

In plain English it is the Big Brother of the office: all documents are traced and tracked, so if any printing, scanning or copying happens to a document it can be traced and audited.

So how is this connected to the paperless system and how does it assist the concept? The main question you have to answer is: what is the original document in the first place? Is it an electronic transaction or a paper document that will have to be scanned?

To place this Act in any category within the paperless system there are many areas to take into account, and audit trails are one of them. So if the answer is that the original document is presented in electronic form, then it has crossed over to what you could call the start of the paperless system; to what degree you conduct this audit is really dependent on the type of business you run.

I do believe that every small business should have a basic audit program. We are not talking about expensive and complicated bespoke systems, but having a simple system within your structure is good housekeeping practice.

I have placed a few links below showing basic systems designed for the smaller organization; Equitrac is probably a system used by the bigger and more professional organizations.
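As an added example of what such a basic audit program has to do for the integrity and authenticity point above (this code is not from the Act, from PD 0008, or from any of the products linked below), here is a small hash-chained audit ledger in Python. Every event on a document (scan, print, copy) is appended with the SHA-256 of the document bytes and a hash of the previous entry, so that editing the stored image or rewriting the history is detectable. The document id, the user names, the event names and the “scanned” bytes are all constructed for the example.

```python
"""Tamper-evident audit trail for a document store (added example).

Each event (scan, print, copy, ...) is appended to a hash-chained ledger
together with the SHA-256 of the document bytes involved, so that later
modification of either the document or the history can be detected.
The document store, the event names and the sample 'scan' are constructed
for illustration and are not taken from any real DMS product.
"""
import hashlib
import json
import time
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditLedger:
    """Append-only list of events; each entry commits to the previous one."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, doc_id: str, action: str, actor: str,
               content: bytes, when: Optional[float] = None) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": when if when is not None else time.time(),
            "doc_id": doc_id,
            "action": action,          # e.g. scan, view, print, copy
            "actor": actor,
            "content_sha256": sha256_hex(content),
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _hash_entry(entry: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

    def verify_chain(self) -> Optional[int]:
        """Return the seq of the first inconsistent entry, or None if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return i
            if self._hash_entry(e) != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        return None

    def verify_document(self, doc_id: str, content: bytes) -> bool:
        """Does the stored content still match the hash recorded at scan time?"""
        for e in self.entries:
            if e["doc_id"] == doc_id and e["action"] == "scan":
                return e["content_sha256"] == sha256_hex(content)
        return False


def demo() -> dict:
    """Walk through scan/print/copy events, then two tampering attempts."""
    ledger = AuditLedger()
    scanned = b"%PDF-1.4 constructed sample scan of invoice 1042"  # constructed, not a real file
    store = {"INV-1042": scanned}

    ledger.append("INV-1042", "scan", "m.smith", store["INV-1042"], when=1_300_000_000)
    ledger.append("INV-1042", "print", "a.jones", store["INV-1042"], when=1_300_000_060)
    ledger.append("INV-1042", "copy", "a.jones", store["INV-1042"], when=1_300_000_120)

    results = {"chain_ok_initially": ledger.verify_chain() is None,
               "doc_ok_initially": ledger.verify_document("INV-1042", store["INV-1042"])}

    # Tampering 1: the stored image is edited after the fact.
    store["INV-1042"] = scanned.replace(b"1042", b"1043")
    results["doc_ok_after_edit"] = ledger.verify_document("INV-1042", store["INV-1042"])

    # Tampering 2: someone rewrites history to hide who printed the document.
    ledger.entries[1]["actor"] = "nobody"
    results["first_bad_entry"] = ledger.verify_chain()
    return results


if __name__ == "__main__":
    print(demo())
```

The chain on its own only proves that history was not changed by someone who could not also recompute every later entry. To make it evidential, the latest entry hash has to be anchored somewhere the ledger writer cannot reach (WORM media, a signed timestamp, or a copy held by a separate party); that anchoring, and the written procedure around it, is what the audit data requirements are really asking for.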

http://www.q-pulse.com/audit-management-system.asp?gclid=COXJ0YmEsKQCFYn-2AodEDtQzw

http://www.bitrixsoft.com/products/intranet/features/files.php?r1=enadwords&r2=doc&gclid=CKrLub6EsKQCFZL92AodAmdczw

http://www.eqmltd.co.uk/dolphin_software.htm

http://www.equitrac.com

We must still remember that the audit trail is only a small part of the Act, and all other sections must be taken into account.

The other areas will be posted later in the same category.


ISO 27002

ISO 27002 Code of Practice

Like governance, information security is a broad topic with ramifications in all parts of the modern organization.  Information security, and hence ISO/IEC 27002, is relevant to all types of organization including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government departments and quasi-autonomous bodies – in fact any organization that handles and depends on information. The specific information security requirements may be different in each case but the whole point of ISO27k is that there is a lot of common ground.

The standard is explicitly concerned with information security, meaning the security of information assets, and not just IT/systems security per se.  The IT Department is merely the custodian of a good proportion of the organization’s information assets and is commonly charged with securing them by the information asset owners – the business managers who are accountable for the assets.  However a large proportion of written and intangible information (e.g. the knowledge and experience of non-IT workers) is nothing to do with IT.

Relationship to ISO/IEC 27001

ISO/IEC 27001 formally defines the mandatory requirements for an Information Security Management System (ISMS).  It uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS, but since ISO/IEC 27002 is merely a code of practice/guideline rather than a certification standard, organizations are free to select and implement other controls, or indeed adopt alternative complete suites of information security controls, as they see fit.  ISO/IEC 27001 incorporates a summary (little more than the section titles, in fact) of controls from ISO/IEC 27002 under its Annex A.  In practice, organizations that adopt ISO/IEC 27001 also substantially adopt ISO/IEC 27002.

Structure and format of ISO/IEC 27002

ISO/IEC 27002 is a code of practice – a generic, advisory document, not truly a standard or formal specification such as ISO/IEC 27001. It lays out a reasonably well structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects. Organizations that adopt ISO/IEC 27002 must assess their own information security risks and apply suitable controls, using the standard for guidance. Strictly speaking, none of the controls are mandatory but if an organization chooses not to adopt something as common as, say, antivirus controls, they should certainly be prepared to demonstrate that this decision was reached through a rational risk management decision process, not just an oversight, if they anticipate being certified compliant to ISO/IEC 27001.

After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC 27002 specifies some 39 control objectives to protect information assets against threats to their confidentiality, integrity and availability.  These control objectives in effect comprise a generic functional requirements specification for an organization’s information security management controls architecture.

There is one control objective for each second level heading in sections 6 through 15 of the standard (e.g. 8.2), or for the main sections that have just a single second level heading (i.e. sections 5 and 14).

Few people would quarrel with most of the control objectives, or, to put that another way, it would be difficult to argue that the organization should not conform with the stated objectives in general.  However, some are not applicable in every case and the generic wording of the standard is unlikely to reflect each organization’s precise requirements.

In our experience, the control objectives make an excellent starting point to define a comprehensive set of “axioms” or high level principles for information security policies with only slight re-wording.

Not mandating specific controls is a master stroke that makes the standard broadly applicable even as the technology and security risks change, and gives users tremendous flexibility in the implementation.  Unfortunately, it also makes it difficult for the certification bodies to assess whether an organization is fully compliant with the standard, hence there are no formal compliance certificates against ISO/IEC 27002 itself.  Organizations may instead get their information security governance/management processes, meaning the Information Security Management System as a whole, certified against ISO/IEC 27001 which describes the process for assessing risks and selecting, implementing and managing specific security controls from ISO/IEC 27002 or indeed other sources.

Section 0: Introduction

Starting from ‘What is information security?’, the introduction explains how to make use of the standard.

Section 1: Scope

The standard gives information security management recommendations for those who are responsible for initiating, implementing or maintaining security.

Section 2: Terms and definitions

“Information security” is explicitly defined as the “preservation of confidentiality, integrity and availability of information”.  These and other related terms are further defined.  [In due course when ISO/IEC 27002 is revised, this section will presumably reference definitions in ISO/IEC 27000.]

Section 3: Structure of this standard

This page simply explains that the guts of the standard contain control objectives, suggested controls and implementation guidance.

Section 4: Risk assessment and treatment

ISO/IEC 27002 covers the topic of risk management in just a page and a half, woefully inadequate coverage for such a complex and central element of information security.  [When ISO/IEC 27002 is revised, it will probably reference ISO/IEC 27005 here although it has been suggested that the risk management section might be dropped entirely from ’27002 and moved to ’27001.  In keeping with the style of ’27002, ’27005 gives general guidance on selecting and using appropriate methods to analyze information security risk – it does not mandate a specific method since ‘appropriate’ depends on context.]

Section 5: Security policy

Management should define a policy to clarify their direction of, and support for, information security, meaning a short, high-level information security policy statement laying down the key information security directives and mandates for the entire organization.  This is normally supported by a comprehensive suite of more detailed corporate information security policies, typically in the form of an information security policy manual.  The policy manual in turn is supported by a set of information security standards, procedures and guidelines.

Although the standards are somewhat ambiguous on this point, the information security policy noted in ISO/IEC 27002 is generally understood to be separate and different from the ISMS policy required by ISO/IEC 27001.  The ISMS policy is seen by some as a strategy or governance paper laying out management’s support for the ISMS as a whole; in fact it may be as short as a statement by the CEO.

Section 6: Organization of information security

A suitable information security governance structure should be designed and implemented.

6.1 Internal organization

The organization should have a management framework for information security. Senior management should provide direction and commit their support, for example by approving information security policies. Roles and responsibilities should be defined for the information security function. Other relevant functions should cooperate and coordinate their activities.  IT facilities should be authorized.  Confidentiality agreements should reflect the organization’s needs.  Contacts should be established with relevant authorities (e.g. law enforcement) and special interest groups.  Information security should be independently reviewed.

6.2 External parties

Information security should not be compromised by the introduction of third party products or services.  Risks should be assessed and mitigated when dealing with customers and in third party agreements.

Section 7: Asset management

The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.

7.1 Responsibility for assets

All [information] assets should be accounted for and have a nominated owner.  An inventory of information assets (IT hardware, software, data, system documentation, storage media, supporting assets such as computer room air conditioners and UPSs, and ICT services) should be maintained. The inventory should record ownership and location of the assets, and owners should identify acceptable uses.

7.2 Information classification

Information should be classified according to its need for security protection and labeled accordingly.  [While this is clearly most relevant to military and government organizations handling ‘protectively marked information’ (Top Secret etc.), the concept of identifying important assets, classifying/grouping them, and applying controls that are judged suitable for assets of that nature, is broadly applicable.]

Section 8: Human resources security

The organization should manage system access rights etc. for ‘joiners, movers and leavers’, and should undertake suitable security awareness, training and educational activities.

8.1 Prior to employment

Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff (e.g. through adequate job descriptions, pre-employment screening) and included in contracts (e.g. terms and conditions of employment and other signed agreements on security roles and responsibilities).

8.2 During employment

Management responsibilities regarding information security should be defined.  Employees and (if relevant) third party IT users should be made aware, educated and trained in security procedures.  A formal disciplinary process is necessary to handle security breaches.

8.3 Termination or change of employment

Security aspects of a person’s exit from the organization (e.g. the return of corporate assets and removal of access rights) or change of responsibilities should be managed.

Section 9: Physical and environmental security

Valuable IT equipment should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc.

9.1 Secure areas

This section describes the need for concentric layers of physical controls to protect sensitive IT facilities from unauthorized access.

9.2 Equipment security

Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft etc., both on- and off-site. Power supplies and cabling should be secured. IT equipment should be maintained properly and disposed of securely.

Section 10: Communications and operations management

This lengthy, detailed section of the standard describes security controls for systems and network management.

10.1 Operational procedures and responsibilities

IT operating responsibilities and procedures should be documented. Changes to IT facilities and systems should be controlled. Duties should be segregated between different people where relevant (e.g. access to development and operational systems should be segregated).

10.2 Third party service delivery management

Security requirements should be taken into account in third party service delivery (e.g. IT facilities management or outsourcing), from contractual terms to ongoing monitoring and change management.  Do you have suitable security clauses in the contract with your ISP?

10.3 System planning and acceptance

Covers IT capacity planning and production acceptance processes.

10.4 Protection against malicious and mobile code

Describes the need for anti-malware controls, including user awareness.  Security controls for mobile code ‘associated with a number of middleware services’ are also outlined.

10.5 Back-up

Covers routine data backups and rehearsed restoration.

10.6 Network security management

Outlines secure network management, network security monitoring and other controls.  Also covers security of commercial network services such as private networks and managed firewalls etc.

10.7 Media handling

Operating procedures should be defined to protect documents and computer media containing data, system information etc. Disposal of backup media, documents, voice and other recordings, test data etc. should be logged and controlled. Procedures should be defined for securely handling, transporting and storing backup media and system documentation.

10.8 Exchange of information

Information exchanges between organizations should be controlled, for example through policies and procedures, and legal agreements. Information exchanges should also comply with applicable legislation. Security procedures and standards should be in place to protect information and physical media in transit, including electronic messaging (email, EDI and IM) and business information systems.

10.9 Electronic commerce services

The security implications of eCommerce (online transaction systems) should be evaluated and suitable controls implemented.  The integrity and availability of information published online (e.g. on websites) should also be protected.

10.10 Monitoring

Covers security event/audit/fault logging and system alarm/alert monitoring to detect unauthorized use.  Also covers the need to secure logs and synchronize system clocks.
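To make the monitoring control concrete, here is an added example (not from the original page) in Python that runs two simple detections over constructed sshd-style log lines: a sliding-window count of failed logons per user and source, and a check for events whose timestamp goes backwards for the same host, which is the symptom of unsynchronised clocks that the clause warns about. The log format, hosts, users and addresses are all invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (invented for this example, not from any real host).
# Note the last line: host2 reports a time earlier than its previous event.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:03Z host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:04Z host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:06Z host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:07Z host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:09Z host1 sshd: Accepted password for alice from 10.0.0.5
2024-05-01T09:15:00Z host2 sshd: Failed password for bob from 10.0.0.9
2024-05-01T08:59:30Z host2 sshd: Accepted password for carol from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one event; returns None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_failed_logins(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert when one (user, source) pair accumulates >= threshold failures
    inside a sliding time window; one alert per burst."""
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"], "host": ev["host"],
                           "at": ev["ts"], "count": len(q)})
            q.clear()
    return alerts


def detect_time_regression(log_text, tolerance=timedelta(seconds=5)):
    """Flag events stamped earlier than the latest event already seen from the
    same host: a sign of an unsynchronised clock (or of tampering with the log)."""
    latest = {}
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        prev = latest.get(ev["host"])
        if prev is not None and prev - ev["ts"] > tolerance:
            findings.append((ev["host"], prev - ev["ts"]))
        latest[ev["host"]] = ev["ts"] if prev is None else max(prev, ev["ts"])
    return findings


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOG):
        print("ALERT repeated failed logons:", alert)
    for host, gap in detect_time_regression(SAMPLE_LOG):
        print(f"WARN clock regression on {host}: {gap}")
```

Both detections depend on trustworthy timestamps, which is why the clause couples logging with clock synchronisation: with skewed clocks the sliding window either misses a burst or fires on unrelated events, and correlating across hosts during an investigation becomes guesswork.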

Section 11: Access control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use.  This is another lengthy and detailed section.

11.1 Business requirement for access control

The organization’s requirements to control access to information assets should be clearly documented in an access control policy, including for example job-related access profiles (role based access control).  [This is an important obligation for information asset owners.]

11.2 User access management

The allocation of access rights to users should be formally controlled through user registration and administration procedures (from initial user registration through to removal of access rights when no longer required), including special restrictions over the allocation of privileges and management of passwords, and regular access rights reviews.
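The "regular access rights reviews" in this clause are easy to describe and easy to skip. As an added example (not from the original page or any named product), the Python below joins a constructed HR roster with a constructed directory export and produces the findings a reviewer would action: leavers whose accounts still exist, accounts with no HR record, privileged group membership the person's role does not entitle them to, and dormant accounts. The roster, accounts, group names and role entitlements are all invented for the example.

```python
from datetime import date

# Constructed sample exports (invented for this example): an HR roster and a
# directory dump. A real review would read these from the HR and identity systems.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "leaver", "role": "it"},
    "carol": {"status": "active", "role": "it"},
}
ACCOUNTS = [
    {"user": "alice",      "groups": ["finance-users", "domain-admins"], "last_logon": date(2024, 4, 28)},
    {"user": "bob",        "groups": ["domain-admins"],                  "last_logon": date(2024, 4, 30)},
    {"user": "carol",      "groups": ["domain-admins", "it-users"],      "last_logon": date(2024, 1, 2)},
    {"user": "svc_backup", "groups": ["backup-operators"],               "last_logon": date(2024, 4, 30)},
    {"user": "mallory",    "groups": ["it-users"],                       "last_logon": date(2024, 4, 29)},
]
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}
# Privileged groups each job role is entitled to under the (assumed) access control policy.
ROLE_ENTITLEMENTS = {"it": {"domain-admins"}, "finance": set()}
APPROVED_SERVICE_ACCOUNTS = {"svc_backup"}


def review_access(accounts, roster, today, dormant_days=90):
    """Return (user, finding, detail) tuples for the reviewer to action."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        privileged = PRIVILEGED_GROUPS & set(acct["groups"])
        person = roster.get(user)
        if person is None:
            if user not in APPROVED_SERVICE_ACCOUNTS:
                findings.append((user, "orphaned", "no HR record and not an approved service account"))
            continue
        if person["status"] == "leaver":
            findings.append((user, "leaver-active", "account still present after leaving; remove"))
            continue  # nothing else matters once the account is to be removed
        excess = privileged - ROLE_ENTITLEMENTS.get(person["role"], set())
        if excess:
            findings.append((user, "excess-privilege", "not entitled to: " + ", ".join(sorted(excess))))
        idle = (today - acct["last_logon"]).days
        if idle > dormant_days:
            findings.append((user, "dormant", f"no logon for {idle} days; disable"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_access(ACCOUNTS, HR_ROSTER, date(2024, 5, 1)):
        print(f"{kind:17} {user:12} {detail}")
```

The review is driven by the HR roster rather than by the directory, which is the point of the clause: the system that knows who should have access (HR and the access control policy) is compared against the system that knows who does, and every difference becomes a ticket.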

11.3 User responsibilities

Users should be made aware of their responsibilities towards maintaining effective access controls e.g. choosing strong passwords and keeping them confidential. Systems and information should be secured when left unattended (e.g. clear desk and clear screen policies).

11.4 Network access control

Access to network services should be controlled, both within the organization and between organizations. Policy should be defined and remote users (and possibly equipment) should be suitably authenticated.  Remote diagnostic ports should be securely controlled. Information services, users and systems should be segregated into separate logical network domains.  Network connections and routing should be controlled where necessary.

11.5 Operating system access control

Operating system access control facilities and utilities (such as user authentication with unique user IDs and managed passwords, recording use of privileges and system security alarms) should be used. Access to powerful system utilities should be controlled and inactivity timeouts should be applied.

11.6 Application and information access control

Access to and within application systems should be controlled in accordance with a defined access control policy. Particularly sensitive applications may require dedicated (isolated) platforms, and/or additional controls if run on shared platforms.

11.7 Mobile computing and teleworking

There should be formal policies covering the secure use of portable PCs, PDAs, cellphones etc., and secure teleworking (“working from home”, “road warriors” and other forms of mobile or remote working).

Section 12: Information systems acquisition, development and maintenance

Information security must be taken into account in the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.

12.1 Security requirements of information systems

Automated and manual security control requirements should be analyzed and fully identified during the requirements stage of the systems development or acquisition process, and incorporated into business cases.  Purchased software should be formally tested for security, and any issues risk-assessed.

12.2 Correct processing in application systems

Data entry, processing and output validation controls and message authentication should be provided to mitigate the associated integrity risks.

12.3 Cryptographic controls

A cryptography policy should be defined, covering roles and responsibilities, digital signatures, non-repudiation, management of keys and digital certificates etc.
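Clauses 12.2 and 12.3 meet in practice when a message crossing a trust boundary has to be both authenticated and validated. The following is an added example (not code from the original page) in Python for an assumed payment-transfer record: input validation of each field, an HMAC-SHA256 over a canonical serialisation, a constant-time comparison on verification, and a key ring with key identifiers so that a retired key can still verify older traffic while only the active key signs new messages. The record format, field rules and the placeholder key values are assumptions made for the example.

```python
import hashlib
import hmac
import json
from decimal import Decimal, InvalidOperation

# Constructed key ring (placeholder secrets, not real keys). Under a cryptography
# policy the keys would be issued and rotated by a key management process; the
# key_id carried with each message lets a retired key still verify old traffic.
KEYRING = {
    "k2024-05": b"placeholder-signing-key-2024-05",
    "k2024-01": b"placeholder-signing-key-2024-01",
}
ACTIVE_KEY_ID = "k2024-05"          # only this key is used to sign new messages
SUPPORTED_CURRENCIES = {"GBP", "EUR", "USD"}
MAX_AMOUNT = Decimal("1000000")


def validate_transfer(rec):
    """Data entry validation for the assumed transfer record; returns a list of errors."""
    errors = []
    required = {"from_acct", "to_acct", "amount", "currency"}
    missing = required - set(rec)
    if missing:
        return ["missing fields: " + ", ".join(sorted(missing))]
    for field in ("from_acct", "to_acct"):
        value = rec[field]
        if not (isinstance(value, str) and value.isdigit() and len(value) == 8):
            errors.append(f"{field} must be exactly 8 digits")
    try:
        amount = Decimal(str(rec["amount"]))
        if not (0 < amount <= MAX_AMOUNT) or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount out of range or not a 2-decimal value")
    except InvalidOperation:
        errors.append("amount is not numeric")
    if rec["currency"] not in SUPPORTED_CURRENCIES:
        errors.append("unsupported currency")
    return errors


def canonical(rec):
    """Deterministic serialisation so sender and receiver MAC identical bytes."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


def sign(rec, key_id=ACTIVE_KEY_ID):
    """Message authentication: HMAC-SHA256 tagged with the id of the key used."""
    mac = hmac.new(KEYRING[key_id], canonical(rec), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "mac": mac}


def verify(rec, sig):
    key = KEYRING.get(sig.get("key_id"))
    if key is None:
        return False                     # unknown or withdrawn key
    expected = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.get("mac", ""))   # constant-time compare


def accept_transfer(rec, sig):
    """Authenticate first, then validate content; returns (accepted, errors)."""
    if not verify(rec, sig):
        return False, ["message authentication failed"]
    errors = validate_transfer(rec)
    return not errors, errors


if __name__ == "__main__":
    record = {"from_acct": "12345678", "to_acct": "87654321", "amount": "250.00", "currency": "GBP"}
    signature = sign(record)
    print("genuine:", accept_transfer(record, signature))
    print("tampered:", accept_transfer(dict(record, amount="2500.00"), signature))
```

Authentication runs before validation so that a forged or altered message is rejected without its content ever being interpreted; validation then catches well-formed but wrong input (negative or over-precise amounts, malformed account numbers) that the MAC, by design, says nothing about.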

12.4 Security of system files

Access to system files (both executable programs and source code) and test data should be controlled.

12.5 Security in development and support processes

Application system managers should be responsible for controlling access to [development] project and support environments.  Formal change control processes should be applied, including technical reviews.  Packaged applications should ideally not be modified. Checks should be made for information leakage for example via covert channels and Trojans if these are a concern. A number of supervisory and monitoring controls are outlined for outsourced development.

12.6 Technical vulnerability management

Technical vulnerabilities in systems and applications should be controlled by monitoring for the announcement of relevant security vulnerabilities, and risk-assessing and applying relevant security patches promptly.
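The three steps in this clause (monitor announcements, risk-assess, patch promptly) can be expressed as a small pipeline. The following is an added example (not from the original page) in Python that matches a constructed package inventory against a constructed advisory feed, decides which advisories actually apply by comparing versions numerically, and orders the resulting patch list by a risk score with a deadline that tightens when exploitation is known. The package versions, advisory identifiers, severities and SLA figures are all invented for the example.

```python
import re

# Constructed inventory and advisory feed (invented identifiers and versions,
# not real advisories). A real process reads the inventory from the package
# manager and the advisories from vendor or CERT feeds.
INSTALLED = {"openssl": "3.0.8", "nginx": "1.24.0", "libxml2": "2.10.3", "curl": "8.4.0"}
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "openssl",    "fixed_in": "3.0.10", "severity": "high",     "exploited": True},
    {"id": "ADV-EXAMPLE-2", "package": "libxml2",    "fixed_in": "2.11.0", "severity": "medium",   "exploited": False},
    {"id": "ADV-EXAMPLE-3", "package": "curl",       "fixed_in": "8.4.0",  "severity": "critical", "exploited": False},
    {"id": "ADV-EXAMPLE-4", "package": "postgresql", "fixed_in": "15.4",   "severity": "high",     "exploited": False},
]
# Assumed patching deadlines by severity (days); halved when exploitation is known.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(text):
    """'3.0.10' -> (3, 0, 10). Tuples compare numerically; the strings would not
    ('3.0.8' < '3.0.10' is False as a string comparison)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_affected(installed_version, fixed_in):
    return parse_version(installed_version) < parse_version(fixed_in)


def risk_score(adv):
    return SEVERITY_WEIGHT[adv["severity"]] * (2 if adv["exploited"] else 1)


def patch_plan(installed, advisories):
    """Risk-assessed list of the advisories that actually apply, most urgent first."""
    plan = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is None or not is_affected(current, adv["fixed_in"]):
            continue   # not installed, or already at or beyond the fixed version
        deadline = SLA_DAYS[adv["severity"]] // (2 if adv["exploited"] else 1)
        plan.append({"id": adv["id"], "package": adv["package"], "installed": current,
                     "fixed_in": adv["fixed_in"], "score": risk_score(adv),
                     "deadline_days": deadline})
    plan.sort(key=lambda item: (-item["score"], item["deadline_days"]))
    return plan


if __name__ == "__main__":
    for item in patch_plan(INSTALLED, ADVISORIES):
        print(f"{item['id']}: {item['package']} {item['installed']} -> {item['fixed_in']} "
              f"(score {item['score']}, patch within {item['deadline_days']} days)")
```

The version comparison is the part that most often goes wrong in home-grown scripts: comparing version strings lexically reports 3.0.8 as newer than 3.0.10 and silently drops the advisory. Distribution-specific version schemes (epochs, release suffixes) need the package manager's own comparison routine rather than this simplified one.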

Section 13: Information security incident management

Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.

13.1 Reporting of information security events and weaknesses

An incident reporting/alarm procedure is required, plus the associated response and escalation procedures.  There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities.

13.2 Management of information security incidents and improvements

Responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence.

Section 14: Business continuity management

This section describes the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans.  These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 15: Compliance

15.1 Compliance with legal requirements

The organization must comply with applicable legislation such as copyright, data protection, protection of financial data and other vital records, cryptography restrictions, rules of evidence etc.

15.2 Compliance with security policies and standards, and technical compliance

Managers and system owners must ensure compliance with security policies and standards, for example through regular platform security reviews, penetration tests etc. undertaken by competent testers.

15.3 Information systems audit considerations

Audits should be carefully planned to minimize disruption to operational systems. Powerful audit tools/facilities must also be protected against unauthorized use.