Identificativo | 5.1.1 Information Security Policy Document | |||
---|---|---|---|---|
Descrizione | An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 5.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 5.1.2 Review of the Information Security Policy | |||
---|---|---|---|---|
Descrizione | The information security policy should be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 5.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 6.1.1 Management Commitment to Information Security | |||
---|---|---|---|---|
Descrizione | Management should actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 5.0 | 5.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 6.1.2 Information Security Co-ordination | |||
---|---|---|---|---|
Descrizione | Information security activities should be co-ordinated by representatives from different parts of the organization with relevant roles and job functions. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 5.0 | 5.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 6.1.3 Allocation of Information Security Responsibilities | |||
---|---|---|---|---|
Descrizione | All information security responsibilities should be clearly defined. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 5.0 | 5.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 6.1.4 Authorization Process for Information Processing Facilities | |||
---|---|---|---|---|
Descrizione | A management authorization process for new information processing facilities should be defined and implemented. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 5.0 | 5.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 6.1.5 Confidentiality Agreements | |||
---|---|---|---|---|
Descrizione | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified and regularly reviewed. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 0.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 6.1.6 Contact with Authorities | |||
---|---|---|---|---|
Descrizione | Appropriate contact with relevant authorities should be maintained. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 5.0 | 0.0 |
Rid. Probabilitą | 0.0 | 0.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 6.1.7 Contact with Special Interest Groups | |||
---|---|---|---|---|
Descrizione | Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 5.0 | 5.0 |
Rid. Probabilitą | 3.0 | 3.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 6.1.8 Independent Review of Information Security | |||
---|---|---|---|---|
Descrizione | The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) should be reviewed independently at planned intervals, or when significant changes to the security implementation occur. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 5.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 6.2.1 Identification of Risks Related to External Parties | |||
---|---|---|---|---|
Descrizione | The risks to the organization's information and information processing facilities from business processes involving external parties should be identified and appropriate controls implemented before granting access. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 5.0 | 5.0 | 5.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 6.2.2 Addressing Security When Dealing with Customers | |||
---|---|---|---|---|
Descrizione | All identified security requirements should be addressed before giving customers access to the organization's information or assets. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 5.0 | 5.0 | 5.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 6.2.3 Addressing Security in Third Party Agreements | |||
---|---|---|---|---|
Descrizione | Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products and services to information processing facilities should cover all relevant security requirements. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 5.0 | 5.0 | 5.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 7.1.1 Inventory of Assets | |||
---|---|---|---|---|
Descrizione | All assets should be clearly identified and an inventory of all important assets drawn up and maintained. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 5.0 | 0.0 |
Rid. Probabilitą | 3.0 | 3.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 7.1.2 Ownership of Assets | |||
---|---|---|---|---|
Descrizione | All information and assets associated with information processing facilities should be owned by a designated part of the organization. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 5.0 | 5.0 | 0.0 |
Rid. Probabilitą | 0.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 7.1.3 Acceptable Use of Assets | |||
---|---|---|---|---|
Descrizione | Rules for the acceptable use of information and assets associated with information processing facilities should be identified, documented, and implemented. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 7.2.1 Classification Guidelines | |||
---|---|---|---|---|
Descrizione | Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 7.2.2 Information Labeling and Handling | |||
---|---|---|---|---|
Descrizione | An appropriate set of procedures for information labeling and handling should be developed and implemented in accordance with the classification scheme adopted by the organization. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 8.1.1 Roles and Responsibilities | |||
---|---|---|---|---|
Descrizione | Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization's information security policy. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 8.1.2 Screening | |||
---|---|---|---|---|
Descrizione | Background verification checks on all candidates for employment, contractors, and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 8.1.3 Terms and Conditions of Employment | |||
---|---|---|---|---|
Descrizione | As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization's responsibilities for information security. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 8.2.1 Management Responsibilities | |||
---|---|---|---|---|
Descrizione | Management should require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 8.2.2 Information Security Awareness, Education, and Training | |||
---|---|---|---|---|
Descrizione | All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 8.2.3 Disciplinary Process | |||
---|---|---|---|---|
Descrizione | There should be a formal disciplinary process for employees who have committed a security breach. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 8.3.1 Termination Responsibilities | |||
---|---|---|---|---|
Descrizione | Responsibilities for performing employment termination or change of employment should be clearly defined and assigned. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 0.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 8.3.2 Return of Assets | |||
---|---|---|---|---|
Descrizione | All employees, contractors and third party users should return all of the organization's assets in their possession upon termination of their employment, contract or agreement. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 5.0 | 0.0 |
Rid. Probabilitą | 5.0 | 0.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 8.3.3 Removal of Access Rights | |||
---|---|---|---|---|
Descrizione | The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 9.1.1 Physical Security Perimeter | |||
---|---|---|---|---|
Descrizione | Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) should be used to protect areas that contain information and information processing facilities. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 5.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 9.1.2 Physical Entry Controls | |||
---|---|---|---|---|
Descrizione | Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 9.1.3 Securing Offices, Rooms, and Facilities | |||
---|---|---|---|---|
Descrizione | Physical security for offices, rooms, and facilities should be designed and applied. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 9.1.4 Protecting Against External and Environmental Threats | |||
---|---|---|---|---|
Descrizione | Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster should be designed and applied. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 3.0 | 5.0 | 1.0 |
Rid. Probabilitą | 0.0 | 3.0 | 3.0 | 0.0 |
Controlli |
|
Identificativo | 9.1.5 Working in Secure Areas | |||
---|---|---|---|---|
Descrizione | Physical protection and guidelines for working in secure areas should be designed and applied. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 3.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 9.1.6 Public Access, Delivery, and Loading Access | |||
---|---|---|---|---|
Descrizione | Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 5.0 | 0.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 9.2.1 Equipment Siting and Protection | |||
---|---|---|---|---|
Descrizione | Equipment should be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 9.2.2 Supporting Utilities | |||
---|---|---|---|---|
Descrizione | Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 3.0 | 3.0 | 0.0 |
Rid. Probabilitą | 0.0 | 3.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 9.2.3 Cabling Security | |||
---|---|---|---|---|
Descrizione | Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 3.0 | 3.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 9.2.4 Equipment Maintenance | |||
---|---|---|---|---|
Descrizione | Equipment should be correctly maintained to ensure its continued availability and integrity. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 0.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 9.2.5 Security of Equipment Off-Premises | |||
---|---|---|---|---|
Descrizione | Security should be applied to off-site equipment taking into account the different risks of working outside the organization's premises. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 5.0 | 3.0 |
Rid. Probabilitą | 5.0 | 0.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 9.2.6 Secure Disposal or Re-Use of Equipment | |||
---|---|---|---|---|
Descrizione | All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 5.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 0.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 9.2.7 Removal of Property | |||
---|---|---|---|---|
Descrizione | Equipment, information or software should not be taken off-site without prior authorization. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 3.0 | 3.0 | 0.0 |
Controlli |
|
Identificativo | 10.1.1 Documented Operating Procedures | |||
---|---|---|---|---|
Descrizione | Operating procedures should be documented, maintained, and made available to all users who need them. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 10.1.2 Change Management | |||
---|---|---|---|---|
Descrizione | Changes to information processing facilities and systems should be controlled. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 5.0 | 5.0 | 3.0 |
Rid. Probabilitą | 3.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 10.1.3 Segregation of Duties | |||
---|---|---|---|---|
Descrizione | Duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 10.1.4 Separation of Development, Test, and Operational Facilities | |||
---|---|---|---|---|
Descrizione | Development, test, and operational facilities should be separated to reduce the risks of unauthorised access or changes to the operational system. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 10.10.1 Audit Logging | |||
---|---|---|---|---|
Descrizione | Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 3.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 10.10.2 Monitoring System Use | |||
---|---|---|---|---|
Descrizione | Procedures for monitoring use of information processing facilities should be established and the results of the monitoring activities reviewed regularly. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 10.10.3 Protection of Log Information | |||
---|---|---|---|---|
Descrizione | Logging facilities and log information should be protected against tampering and unauthorized access. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 10.10.4 Administrator and Operator Logs | |||
---|---|---|---|---|
Descrizione | System administrator and system operator activities should be logged. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 5.0 |
Controlli |
|
Identificativo | 10.10.5 Fault Logging | |||
---|---|---|---|---|
Descrizione | Faults should be logged, analysed, and appropriate action taken. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 10.10.6 Clock Synchronization | |||
---|---|---|---|---|
Descrizione | The clocks of all relevant information processing systems within an organization or security domain should be synchronized with an agreed accurate time source. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 3.0 | 0.0 | 0.0 |
Rid. Probabilitą | 0.0 | 5.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 10.2.1 Service Delivery | |||
---|---|---|---|---|
Descrizione | It should be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 3.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 10.2.2 Monitoring and Review of Third Party Services | |||
---|---|---|---|---|
Descrizione | The services, reports and records provided by the third party should be regularly monitored and reviewed, and audits should be carried out regularly. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 10.2.3 Managing Changes to Third Party Services | |||
---|---|---|---|---|
Descrizione | Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 3.0 | 3.0 | 0.0 |
Rid. Probabilitą | 0.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 10.3.1 Capacity Management | |||
---|---|---|---|---|
Descrizione | The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 5.0 | 5.0 | 0.0 |
Rid. Probabilitą | 0.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 10.3.2 System Acceptance | |||
---|---|---|---|---|
Descrizione | Acceptance criteria for new information systems, upgrades, and new versions should be established and suitable tests of the system(s) carried out during development and prior to acceptance. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 3.0 | 3.0 | 0.0 |
Rid. Probabilitą | 3.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 10.4.1 Controls Against Malicious Code | |||
---|---|---|---|---|
Descrizione | Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 10.4.2 Controls Against Mobile Code | |||
---|---|---|---|---|
Descrizione | Where the use of mobile code is authorized, the configuration should ensure that the authorised mobile code operates according to a clearly defined security policy, and unauthorized mobile code should be prevented from executing. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 10.5.1 Information Back-Up | |||
---|---|---|---|---|
Descrizione | Back-up copies of information and software should be taken and tested regularly in accordance with the agreed backup policy. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 5.0 | 5.0 | 0.0 |
Rid. Probabilitą | 0.0 | 0.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 10.6.1 Network Controls | |||
---|---|---|---|---|
Descrizione | Networks should be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 10.6.2 Security of Network Services | |||
---|---|---|---|---|
Descrizione | Security features, service levels, and management requirements of all network services should be identified and included in any network services agreement, whether these services are provided in-house or outsourced. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 0.0 |
Controlli |
|
Identificativo | 10.7.1 Management of Removable Media | |||
---|---|---|---|---|
Descrizione | There should be procedures in place for the management of removable media. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 5.0 | 5.0 | 5.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 10.7.2 Disposal of Media | |||
---|---|---|---|---|
Descrizione | Media should be disposed of securely and safely when no longer required, using formal procedures. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 5.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 0.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 10.7.3 Information Handling Procedures | |||
---|---|---|---|---|
Descrizione | Procedures for the handling and storage of information should be established to protect this information from unauthorized disclosure or misuse. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 10.7.4 Security of System Documentation | |||
---|---|---|---|---|
Descrizione | System documentation should be protected against unauthorized access. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 3.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 10.8.1 Information Exchange Policies and Procedures | |||
---|---|---|---|---|
Descrizione | Formal exchange policies, procedures, and controls should be in place to protect the exchange of information through the use of all types of communication facilities. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 10.8.2 Exchange Agreements | |||
---|---|---|---|---|
Descrizione | Agreements should be established for the exchange of information and software between the organization and external parties. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 10.8.3 Physical Media in Transit | |||
---|---|---|---|---|
Descrizione | Media containing information should be protected against unauthorized access, misuse or corruption during transportation beyond an organization's physical boundaries. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 10.8.4 Electronic Messaging | |||
---|---|---|---|---|
Descrizione | Information involved in electronic messaging should be appropriately protected. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 10.8.5 Business Information Systems | |||
---|---|---|---|---|
Descrizione | Policies and procedures should be developed and implemented to protect information associated with the interconnection of business information systems. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 0.0 |
Controlli |
|
Identificativo | 10.9.1 Electronic Commerce | |||
---|---|---|---|---|
Descrizione | Information involved in electronic commerce passing over public networks should be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 10.9.2 On-Line Transactions | |||
---|---|---|---|---|
Descrizione | Information involved in on-line transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 10.9.3 Publicly Available Information | |||
---|---|---|---|---|
Descrizione | The integrity of information being made available on a publicly available system should be protected to prevent unauthorized modification. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 0.0 | 5.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 11.1.1 Access Control Policy | |||
---|---|---|---|---|
Descrizione | An access control policy should be established, documented, and reviewed based on business and security requirements for access. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 11.2.1 User Registration | |||
---|---|---|---|---|
Descrizione | There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 11.2.2 Privilege Management | |||
---|---|---|---|---|
Descrizione | The allocation and use of privileges should be restricted and controlled. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 11.2.3 User Password Management | |||
---|---|---|---|---|
Descrizione | The allocation of passwords should be controlled through a formal management process. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 11.2.4 Review of User Access Rights | |||
---|---|---|---|---|
Descrizione | Management should review users' access rights at regular intervals using a formal process. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 11.3.1 Password Use | |||
---|---|---|---|---|
Descrizione | Users should be required to follow good security practices in the selection and use of passwords. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 11.3.2 Unattended User Equipment | |||
---|---|---|---|---|
Descrizione | Users should ensure that unattended equipment has appropriate protection. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 11.3.3 Clear Desk and Clear Screen Policy | |||
---|---|---|---|---|
Descrizione | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 11.4.1 Policy on Use of Network Services | |||
---|---|---|---|---|
Descrizione | Users should only be provided with access to the services that they have been specifically authorized to use. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 11.4.2 User Authentication for External Connections | |||
---|---|---|---|---|
Descrizione | Appropriate authentication methods should be used to control access by remote users. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 11.4.3 Equipment Identification in Networks | |||
---|---|---|---|---|
Descrizione | Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 11.4.4 Remote Diagnostic and Configuration Port Protection | |||
---|---|---|---|---|
Descrizione | Physical and logical access to diagnostic and configuration ports should be controlled. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 11.4.5 Segregation in Networks | |||
---|---|---|---|---|
Descrizione | Groups of information services, users, and information systems should be segregated on networks. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5 | 0 | 5 | 0 |
Controlli |
|
Identificativo | 11.4.6 Network Connection Control | |||
---|---|---|---|---|
Descrizione | For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network should be restricted, in line with the access control policy and requirements of the business applications (see 11.1). | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 5.0 | 5.0 | 5.0 | 3.0 |
Rid. Probabilitą | 5.0 | 3.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 11.4.7 Network Routing Control | |||
---|---|---|---|---|
Descrizione | Routing controls should be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 11.5.1 Secure Log-On Procedures | |||
---|---|---|---|---|
Descrizione | Access to operating systems should be controlled by a secure log-on procedure. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 11.5.2 User Identification and Authentication | |||
---|---|---|---|---|
Descrizione | All users should have a unique identifier (user ID) for their personal use only, and a suitable authentication technique should be chosen to substantiate the claimed identity of a user. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 11.5.3 Password Management System | |||
---|---|---|---|---|
Descrizione | Systems for managing passwords should be interactive and should ensure quality passwords. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 11.5.4 Use of System Utilities | |||
---|---|---|---|---|
Descrizione | The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 11.5.5 Session Time-Out | |||
---|---|---|---|---|
Descrizione | Inactive sessions should shut down after a defined period of inactivity. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 11.5.6 Limitation of Connection Time | |||
---|---|---|---|---|
Descrizione | Restrictions on connection times should be used to provide additional security for high-risk applications. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 3.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 3.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 11.6.1 Information Access Restriction | |||
---|---|---|---|---|
Descrizione | Access to information and application system functions by users and support personnel should be restricted in accordance with the defined access control policy. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 11.6.2 Sensitive System Isolation | |||
---|---|---|---|---|
Descrizione | Sensitive systems should have a dedicated (isolated) computing environment. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 11.7.1 Mobile Computing and Communications | |||
---|---|---|---|---|
Descrizione | A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 5.0 | 3.0 |
Rid. Probabilitą | 5.0 | 3.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 11.7.2 Teleworking | |||
---|---|---|---|---|
Descrizione | A policy, operational plans and procedures should be developed and implemented for teleworking activities. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 12.1.1 Security Requirements Analysis and Specification | |||
---|---|---|---|---|
Descrizione | Statements of business requirements for new information systems, or enhancements to existing information systems should specify the requirements for security controls. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 12.2.1 Input Data Validation | |||
---|---|---|---|---|
Descrizione | Data input to applications should be validated to ensure that this data is correct and appropriate. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 0.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 12.2.2 Control of Internal Processing | |||
---|---|---|---|---|
Descrizione | Validation checks should be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 5.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 12.2.3 Message Integrity | |||
---|---|---|---|---|
Descrizione | Requirements for ensuring authenticity and protecting message integrity in applications should be identified, and appropriate controls identified and implemented. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 0.0 | 5.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 12.2.4 Output Data Validation | |||
---|---|---|---|---|
Descrizione | Data output from an application should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 0.0 | 3.0 |
Rid. Probabilitą | 0.0 | 5.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 12.3.1 Policy on the Use of Cryptographic Controls | |||
---|---|---|---|---|
Descrizione | A policy on the use of cryptographic controls for protection of information should be developed and implemented. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 12.3.2 Key Management | |||
---|---|---|---|---|
Descrizione | Key management should be in place to support the organization's use of cryptographic techniques. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 12.4.1 Control of Operational Software | |||
---|---|---|---|---|
Descrizione | There should be procedures in place to control the installation of software on operational systems. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 0.0 |
Controlli |
|
Identificativo | 12.4.2 Protection of System Test Data | |||
---|---|---|---|---|
Descrizione | Test data should be selected carefully, and protected and controlled. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 12.4.3 Access Control to Program Source Code | |||
---|---|---|---|---|
Descrizione | Access to program source code should be restricted. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 3.0 | 3.0 |
Controlli |
|
Identificativo | 12.5.1 Change Control Procedures | |||
---|---|---|---|---|
Descrizione | The implementation of changes should be controlled by the use of formal change control procedures. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 3.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 12.5.2 Technical Review of Applications after Operating System Changes | |||
---|---|---|---|---|
Descrizione | When operating systems are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 3.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 12.5.3 Restrictions on Changes to Software Packages | |||
---|---|---|---|---|
Descrizione | Modifications to software packages should be discouraged, limited to necessary changes, and all changes should be strictly controlled. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 3.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 12.5.4 Information Leakage | |||
---|---|---|---|---|
Descrizione | Opportunities for information leakage should be prevented. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 0.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 12.5.5 Outsourced Software Development | |||
---|---|---|---|---|
Descrizione | Outsourced software development should be supervised and monitored by the organization. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 12.6.1 Control of Technical Vulnerabilities | |||
---|---|---|---|---|
Descrizione | Timely information about technical vulnerabilities of information systems being used should be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 13.1.1 Reporting Information Security Events | |||
---|---|---|---|---|
Descrizione | Information security events should be reported through appropriate management channels as quickly as possible. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 13.1.2 Reporting Security Weaknesses | |||
---|---|---|---|---|
Descrizione | All employees, contractors and third party users of information systems and services should be required to note and report any observed or suspected security weaknesses in systems or services. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 13.2.1 Responsibilities and Procedures | |||
---|---|---|---|---|
Descrizione | Management responsibilities and procedures should be established to ensure a quick, effective, and orderly response to information security incidents. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 13.2.2 Learning from Information Security Incidents | |||
---|---|---|---|---|
Descrizione | There should be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 13.2.3 Collection of Evidence | |||
---|---|---|---|---|
Descrizione | Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence should be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 14.1.1 Including Information Security in the Business Continuity Management Process | |||
---|---|---|---|---|
Descrizione | A managed process should be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 5.0 | 5.0 | 5.0 | 5.0 |
Rid. Probabilitą | 0.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 14.1.2 Business Continuity and Risk Assessment | |||
---|---|---|---|---|
Descrizione | Events that can cause interruptions to business processes should be identified, along with the probability and impact of such interruptions and their consequences for information security. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 5.0 | 0.0 |
Rid. Probabilitą | 0.0 | 5.0 | 5.0 | 0.0 |
Controlli |
|
Identificativo | 14.1.3 Developing and Implementing Continuity Plans Including Information Security | |||
---|---|---|---|---|
Descrizione | Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 5.0 | 0.0 |
Rid. Probabilitą | 0.0 | 0.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 14.1.4 Business Continuity Planning Framework | |||
---|---|---|---|---|
Descrizione | A single framework of business continuity plans should be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 5.0 | 3.0 | 5.0 | 3.0 |
Rid. Probabilitą | 0.0 | 0.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 14.1.5 Testing, Maintaining and Re-Assessing Business Continuity Plans | |||
---|---|---|---|---|
Descrizione | Business continuity plans should be tested and updated regularly to ensure that they are up to date and effective. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 5.0 | 0.0 |
Rid. Probabilitą | 0.0 | 3.0 | 0.0 | 0.0 |
Controlli |
|
Identificativo | 15.1.1 Identification of Applicable Legislation | |||
---|---|---|---|---|
Descrizione | All relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements should be explicitly defined, documented, and kept up to date for each information system and the organization. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 0.0 | 0.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 15.1.2 Intellectual Property Rights (IPR) | |||
---|---|---|---|---|
Descrizione | Appropriate procedures should be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 0.0 |
Rid. Probabilitą | 0.0 | 0.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 15.1.3 Protection of Organizational Records | |||
---|---|---|---|---|
Descrizione | Important records should be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 5.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 15.1.4 Data Protection and Privacy of Personal Information | |||
---|---|---|---|---|
Descrizione | Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 3.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 0.0 | 0.0 | 3.0 |
Controlli |
|
Identificativo | 15.1.5 Prevention of Misuse of Information Processing Facilities | |||
---|---|---|---|---|
Descrizione | Users should be deterred from using information processing facilities for unauthorized purposes. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 0.0 | 5.0 |
Controlli |
|
Identificativo | 15.1.6 Regulation of Cryptographic Controls | |||
---|---|---|---|---|
Descrizione | Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5 | 5 | 0 | 5 |
Controlli |
|
Identificativo | 15.2.1 Compliance with Security Policies and Standards | |||
---|---|---|---|---|
Descrizione | Managers should ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 3.0 | 3.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 15.2.2 Technical Compliance Checking | |||
---|---|---|---|---|
Descrizione | Information systems should be regularly checked for compliance with security implementation standards. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 3.0 |
Controlli |
|
Identificativo | 15.3.1 Information Systems Audit Controls | |||
---|---|---|---|---|
Descrizione | Audit requirements and activities involving checks on operational systems should be carefully planned and agreed to minimize the risk of disruptions to business processes. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 3.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|
Identificativo | 15.3.2 Protection of Information Systems Audit Tools | |||
---|---|---|---|---|
Descrizione | Access to information systems audit tools should be protected to prevent any possible misuse or compromise. | |||
Efficace per : | Riservatezza | Integritą | Disponibilitą | Conformitą |
Rid. impatto | 0.0 | 0.0 | 0.0 | 5.0 |
Rid. Probabilitą | 5.0 | 5.0 | 5.0 | 5.0 |
Controlli |
|