This section provides guidelines on the use of the template; it should be removed from the completed document. These guidelines are intended to help anyone using this template and to allow for consistent completion across projects.

- Refer to existing – Where possible, use and make reference to existing policies, processes and solutions within Scottish Government, such as "Saltire", "Scottish Government security policy", "eRDM", "HR policies", "HR procedures" and "Business impact assessment tool".
- Reference 3rd party use – Utilisation of 3rd parties to deliver services is expected for all projects; even another team within the organisation could be considered a 3rd party to the project. Reference must therefore be made to the expectation that these suppliers will properly manage the areas in the baseline control set, and to how the associated risks are mitigated through controls such as functional/non-functional requirements in procurement mechanisms, contracts with service levels, monitoring of the 3rd party's activities, and recording of the residual risk of a supplier not managing these areas of security properly.
- Do not omit – Where a project has not followed best practice, it is important that this is documented here and not omitted. Justification for this type of deviation can be given by registering the residual risk in the project risk register, along with any mitigating controls in place and, ultimately, the informed acceptance of the risk by the information asset owner.
- All controls – Document all controls, not just technical ones: processes and procedures are just as important, sometimes more so, in maintaining security.
- Living document – During the development of this document there will be a number of unanswered questions; feel free to use markdown bolding to mark these questions in the document so readers understand where the gaps still are.
- Operating procedures – This document is not expected to hold all the detail of how security is implemented and should make reference to more detailed documents such as operating procedures.
## Revision History

| Version | Issued | Comments |
|---------|--------|----------|
| 0.1 | dd-MM-yyyy | … |
## Distribution List

| Role | RACI |
|------|------|
| … | … |
## Review

| Review frequency | Next review due |
|------------------|-----------------|
| ? | ? |
## Executive Summary

<Summarise the document in 1 or 2 paragraphs.>
## Glossary

| Term | Description |
|------|-------------|
| … | … |
## Security Policy (ISO-27001:2005, §5)

### Information security policy

#### Information security policy

#### Review of information security policy
## Organisation of Information Security (ISO-27001:2005, §6)

### Internal organisation

#### Management commitment to information security

#### Information security coordination

#### Allocation of information security responsibilities

#### Authorisation process for information processing facilities

#### Confidentiality agreements

#### Contact with authorities

#### Contact with special interest groups

#### Independent review of information security

### External parties

#### Identification of risks related to external parties

#### Addressing security when dealing with customers

#### Addressing security in third party agreements
## Asset Management (ISO-27001:2005, §7)

### Responsibility for assets

#### Inventory of assets

#### Ownership of assets

#### Acceptable use of assets

### Information classification
## Human Resources Security (ISO-27001:2005, §8)

### Prior to employment

#### Roles and responsibilities

#### Screening

#### Terms and conditions of employment

### During employment

#### Management responsibilities

#### Information security awareness, education and training

#### Disciplinary process

### Termination or change of employment

#### Termination responsibilities

#### Return of assets

#### Removal of access rights
## Physical and Environmental Security (ISO-27001:2005, §9)

### Secure areas

#### Physical security perimeter

#### Physical entry controls

#### Securing offices, rooms and facilities

#### Protecting against external and environmental threats

#### Working in secure areas

#### Public access, delivery and loading areas

### Equipment security

#### Equipment siting and protection

#### Supporting utilities

#### Cabling security

#### Equipment maintenance

#### Security of equipment off-premises

#### Secure disposal or re-use of equipment

#### Removal of property
## Communications and Operations Management (ISO-27001:2005, §10)

### Operational procedures and responsibilities

#### Documented operating procedures

#### Change management

#### Segregation of duties

#### Separation of development, test and operational facilities

### Third party service delivery management

#### Service delivery

#### Monitoring and review of third party services

#### Managing changes to third party services

### System planning and acceptance

#### Capacity management

#### System acceptance

### Controls against malicious code

### Controls against mobile code

### Backup

#### Information backup

### Network security management

#### Network controls

#### Security of network services

### Media handling

#### Management of removable media

#### Disposal of media

#### Information handling procedures

#### Security of system documentation

### Exchange of information

#### Information exchange policies and procedures

#### Exchange agreements

#### Physical media in transit

#### Electronic messaging

#### Business information systems

### Electronic commerce services

### Monitoring

#### Audit logging

#### Monitoring system use

#### Protection of log information

#### Administrator and operator logs

#### Fault logging

#### Clock synchronisation
## Access Control (ISO-27001:2005, §11)

### Business requirement for access control

#### Access control policy

### User access management

#### User registration

#### Privilege management

#### User password management

#### Review of user access rights

### User responsibilities

#### Password use

#### Unattended user equipment

#### Clear desk and clear screen policy

### Network access control

#### Policy on use of network services

#### User authentication for external connections

#### Equipment identification in networks

#### Remote diagnostic and configuration port protection

#### Segregation in networks

#### Network connection control

#### Network routing control

### Operating system access control

#### Secure log-on procedures

#### User identification and authentication

#### Password management system

#### Use of system utilities

#### Session time-out

#### Limitation of connection time

### Application and information access control

#### Information access restriction

#### Sensitive system isolation

### Mobile computing and teleworking

#### Mobile computing

#### Teleworking
## Information Systems Acquisition, Development and Maintenance (ISO-27001:2005, §12)

### Security requirements of information systems

#### Security requirements analysis and specification

### Correct processing in applications

#### Input data validation

#### Control of internal processing

#### Output data validation

### Cryptographic controls

#### Policy on the use of cryptographic controls

#### Key management

### Security of system files

#### Control of operational software

#### Protection of system test data

#### Access control to program source

### Security in development and support processes

#### Change control procedures

#### Technical review of applications after operating system changes

#### Restrictions on changes to software packages

#### Information leakage

#### Outsourced software development

### Technical vulnerability management

#### Control of technical vulnerabilities
## Information Security Incident Management (ISO-27001:2005, §13)

### Reporting information security events and weaknesses

#### Reporting information security events

#### Reporting security weaknesses

### Management of information security incidents and improvements

#### Responsibilities and procedures

#### Learning from information security incidents

#### Collection of evidence
## Business Continuity Management (ISO-27001:2005, §14)

### Information security aspects of business continuity management

#### Including information security in the business continuity management process

#### Business continuity and risk assessment

#### Developing and implementing continuity plans including information security

#### Business continuity planning framework

#### Testing, maintaining and re-assessing business continuity plans
## Compliance (ISO-27001:2005, §15)

### Compliance with legal requirements

#### Identification of applicable legislation

#### Intellectual property rights (IPR)

#### Protection of organisational records

#### Data protection and privacy of personal information

#### Prevention of misuse of information processing facilities

#### Regulation of cryptographic controls

### Compliance with security policies and standards, and technical compliance