Below is the list of ISO/IEC 27001 controls (Annex A, 2005 numbering), each with its effectiveness against the criteria of confidentiality, integrity, availability and compliance identified when drafting a Pattern (see Chapter 3 of this document). For each control, "impact reduction" and "likelihood reduction" are scored per criterion on a 0.0 to 5.0 scale, and the "Controls" list gives the individual checks the control is decomposed into:

5 Security Policy

5.1.1 Information Security Policy Document

Identifier: 5.1.1 Information Security Policy Document
Description: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        5.0           5.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 5.1.1-1 The enterprise information security policy has been approved by management.
  • 5.1.1-2 The enterprise information security policy defines roles and responsibilities for information security.
  • 5.1.1-3 The enterprise information security policy defines security education, training, and awareness requirements.
  • 5.1.1-4 The enterprise information security policy addresses both data and physical assets.
  • 5.1.1-5 The enterprise information security policy describes management's intent for information security within the context of the organization.
  • 5.1.1-6 The enterprise information security policy states consequences for policy violations.
  • 5.1.1-7 The enterprise information security policy has been communicated to stakeholders, employees and relevant third parties.
  • 5.1.1-8 The enterprise information security policy has been translated into derivative operational plans, procedures, standards and guidelines and is made available to relevant personnel.

5.1.2 Review of the Information Security Policy

Identifier: 5.1.2 Review of the Information Security Policy
Description: The information security policy should be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        5.0           5.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 5.1.2-1 The policy is reviewed upon significant changes to the environment's scope.
  • 5.1.2-2 Input to the review of the information security policy includes changes that could affect the organization's approach to managing information security, including changes to the organizational environment, business circumstances, resource availability, contractual, regulatory, and legal conditions, or to the technical environment.
  • 5.1.2-3 The policy is reviewed at least every two years.
  • 5.1.2-4 The adequacy of internal controls is considered.
  • 5.1.2-5 The policy is reviewed regularly.
  • 5.1.2-6 Input to the review of the information security policy includes trends related to threats and vulnerabilities.
  • 5.1.2-7 The continuing suitability of internal controls is considered.
  • 5.1.2-8 The effectiveness of internal controls is considered.
  • 5.1.2-9 The policy is reviewed at least annually.
  • 5.1.2-10 A specific owner has been assigned the responsibilities of establishing, documenting, distributing, reviewing, and updating information security policies and procedures.


6 Organization of Information Security

6.1.1 Management Commitment to Information Security

Identifier: 6.1.1 Management Commitment to Information Security
Description: Management should actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              5.0        5.0           5.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 6.1.1-1 A group (committee, forum, etc.) is established to determine prioritization of information security initiatives across the enterprise.
  • 6.1.1-2 The enterprise information security policy describes management's intent for information security within the context of the organization.
  • 6.1.1-3 Management has initiated and maintains an information security awareness program.
  • 6.1.1-4 The enterprise information security policy has been approved by management.

6.1.2 Information Security Co-ordination

Identifier: 6.1.2 Information Security Co-ordination
Description: Information security activities should be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              5.0        5.0           5.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 6.1.2-1 The team comprises representatives from legal, human resources, insurance, enterprise risk management, relevant users, administrators, auditors, application designers, security personnel and so on.
  • 6.1.2-2 The team includes representatives from physical security management.
  • 6.1.2-3 A group (committee, forum, etc.) is established to advise on information security implementation and to ensure compliance and business objectives are considered.

6.1.3 Allocation of Information Security Responsibilities

Identifier: 6.1.3 Allocation of Information Security Responsibilities
Description: All information security responsibilities should be clearly defined.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              5.0        5.0           5.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 6.1.3-1 Information security roles and responsibilities are allocated according to the information security policy.
  • 6.1.3-2 Employee and contractor information security responsibilities are defined in policy.
  • 6.1.3-3 Overall information security responsibility has been assigned to an individual (e.g. CISO).

6.1.4 Authorization Process for Information Processing Facilities

Identifier: 6.1.4 Authorization Process for Information Processing Facilities
Description: A management authorization process for new information processing facilities should be defined and implemented.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              5.0        5.0           0.0
Likelihood reduction  5.0              5.0        3.0           3.0
Controls
  • 6.1.4-1 Internet-facing devices are explicitly authorized prior to deployment.
  • 6.1.4-2 The authorization applies to wireless devices.
  • 6.1.4-3 Management explicitly and formally grants authorization to implement information systems and network connections.
  • 6.1.4-4 Authorization is granted for a specified information classification and sensitivity.
  • 6.1.4-5 The authorization process applies to end-user devices (modems, wireless, etc.).
  • 6.1.4-6 The authorization process ensures relevant security requirements are met.
  • 6.1.4-7 System component compatibility is checked prior to authorization.
  • 6.1.4-8 The authorization process applies to remote network access methods.

6.1.5 Confidentiality Agreements

Identifier: 6.1.5 Confidentiality Agreements
Description: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified and regularly reviewed.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        0.0           0.0
Likelihood reduction  5.0              0.0        0.0           0.0
Controls
  • 6.1.5-1 Requirements are identified and developed for confidentiality and non-disclosure agreements.
  • 6.1.5-2 Requirements for confidentiality and non-disclosure agreements include the expected duration of the agreement, including cases where confidentiality might need to be maintained indefinitely.
  • 6.1.5-3 The requirements for confidentiality and non-disclosure agreements are reviewed periodically and when changes occur that influence these requirements.

6.1.6 Contact with Authorities

Identifier: 6.1.6 Contact with Authorities
Description: Appropriate contact with relevant authorities should be maintained.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        5.0           0.0
Likelihood reduction  0.0              0.0        5.0           5.0
Controls
  • 6.1.6-1 Procedures are in place that specify when and by whom authorities (e.g., law enforcement, fire and rescue, supervisory authorities, and so on) are to be contacted.

6.1.7 Contact with Special Interest Groups

Identifier: 6.1.7 Contact with Special Interest Groups
Description: Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        5.0           5.0
Likelihood reduction  3.0              3.0        3.0           3.0
Controls
  • 6.1.7-1 Early warnings are obtained of alerts, advisories, and patches pertaining to attacks and vulnerabilities.
  • 6.1.7-2 The organization maintains access to specialist information security advice.
  • 6.1.7-3 Up-to-date information security knowledge is maintained through memberships in special interest groups or forums.

6.1.8 Independent Review of Information Security

Identifier: 6.1.8 Independent Review of Information Security
Description: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) should be reviewed independently at planned intervals, or when significant changes to the security implementation occur.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        5.0           5.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 6.1.8-1 Independent information security reviews are carried out by individuals independent of the area under review (e.g., the internal audit function, an independent manager, or a third party organization).
  • 6.1.8-2 Independent information security reviews include assessing opportunities for improvement and the need for changes to the approach to security, including the policy and control objectives.
  • 6.1.8-3 Management evaluates corrective actions following an independent information security review that results in findings of inadequacy or non-compliance.
  • 6.1.8-4 Management initiates independent reviews of information security.

6.2.1 Identification of Risks Related to External Parties

Identifier: 6.2.1 Identification of Risks Related to External Parties
Description: The risks to the organization's information and information processing facilities from business processes involving external parties should be identified and appropriate controls implemented before granting access.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      5.0              5.0        5.0           5.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 6.2.1-1 The legal and regulatory requirements and other contractual obligations relevant to the business partner are considered during the risk assessment.
  • 6.2.1-2 The means and controls employed by the business partner when storing, processing, communicating, sharing, and exchanging information are considered during the business partner risk assessment.
  • 6.2.1-3 Security requirements resulting from work with business partners are reflected in the business partner agreements.
  • 6.2.1-4 A risk assessment is conducted for each business partner that may be granted access to the organization's information or information systems.

6.2.2 Addressing Security When Dealing with Customers

Identifier: 6.2.2 Addressing Security When Dealing with Customers
Description: All identified security requirements should be addressed before giving customers access to the organization's information or assets.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      5.0              5.0        5.0           5.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 6.2.2-1 An access control policy is developed prior to giving customers access to any of the organization's assets.

6.2.3 Addressing Security in Third Party Agreements

Identifier: 6.2.3 Addressing Security in Third Party Agreements
Description: Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products and services to information processing facilities, should cover all relevant security requirements.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      5.0              5.0        5.0           5.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 6.2.3-1 Agreements with third parties include the arrangements for reporting, notification, and investigation of information security incidents and security breaches, as well as violations of the requirements stated in the agreement.
  • 6.2.3-2 Agreements with third parties include the service continuity requirements, including measures for availability and reliability, in accordance with the organization's business priorities.
  • 6.2.3-3 Agreements with service providers include the service provider's acknowledgement of responsibility for the security of cardholder data in its possession.
  • 6.2.3-4 Agreements with third parties include requirements for user and administrator training in methods, procedures, and security.
  • 6.2.3-5 Agreements with third parties include the responsibilities with respect to legal matters and how it is ensured that the legal requirements are met.
  • 6.2.3-6 Legal counsel reviews third party agreements and changes to those agreements.
  • 6.2.3-7 Agreements with third parties include the right to audit responsibilities defined in the agreement, to have those audits carried out by a third party, and to enumerate the statutory rights of the auditors.
  • 6.2.3-8 Agreements with third parties include the conditions for renegotiation and termination of agreements and include a contingency plan, changes in security requirements, and current documentation of asset lists, licenses, agreements, or rights relating to the agreement.
  • 6.2.3-9 Agreements with third parties include a clear and specified process of change management.
  • 6.2.3-10 Agreements with third parties include provisions for the transfer of personnel, where appropriate.
  • 6.2.3-11 Agreements with third parties include adherence to applicable legal, regulatory or contractual requirements.
  • 6.2.3-12 Agreements with third parties include the access control policy covering access justification, permitted access methods, access and privilege authorization, authorized user maintenance, a default-deny statement, and access revocation.
  • 6.2.3-13 Agreements with third parties include the right to monitor and revoke any activity related to the organization's assets.
  • 6.2.3-14 Third party agreements include a description of users and personnel authorized to handle data or use software.
  • 6.2.3-15 A procedure is implemented for establishing, modifying, and terminating third party agreements.
  • 6.2.3-16 The organization satisfies itself as to the indemnity of the third party as part of establishing an agreement with the third party.
  • 6.2.3-17 Agreements with third parties include requirements for user awareness of security responsibilities and issues.
  • 6.2.3-18 Agreements with third parties include the target level of service and unacceptable levels of service.
  • 6.2.3-19 Agreements with third parties include a definition of verifiable performance criteria, along with their monitoring and reporting.
  • 6.2.3-20 Agreements with third parties include the respective liabilities of the parties to the agreement.
  • 6.2.3-21 Agreements with third parties include the intellectual property right and copyright assignment and protection of any collaborative work.
  • 6.2.3-22 Agreements with third parties include involvement of the third party with subcontractors, and the security controls these subcontractors need to implement.
  • 6.2.3-23 Agreements with third parties include relevant portions of the information security policy.
  • 6.2.3-24 Agreements with third parties include controls to ensure asset protection such as protecting the organization's hardware and software, physical protection controls, malicious software protections, and procedures to determine whether assets have been compromised.


7 Asset Management

7.1.1 Inventory of Assets

Identifier: 7.1.1 Inventory of Assets
Description: All assets should be clearly identified and an inventory of all important assets drawn up and maintained.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        5.0           0.0
Likelihood reduction  3.0              3.0        5.0           0.0
Controls
  • 7.1.1-1 A process is established to identify assets and to document the importance of these assets.
  • 7.1.1-2 The asset inventory includes the information necessary in order to recover from a disaster, including the type of asset, its format, location, backup information, license information, and its business value.
  • 7.1.1-3 The asset inventory includes remote access servers and devices.

7.1.2 Ownership of Assets

Identifier: 7.1.2 Ownership of Assets
Description: All information and assets associated with information processing facilities should be owned by a designated part of the organization.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              5.0        5.0           0.0
Likelihood reduction  0.0              5.0        5.0           0.0
Controls
  • 7.1.2-1 The asset owner is responsible for defining and periodically reviewing access restrictions and classifications, taking into account applicable access control policies.
  • 7.1.2-2 Each asset is assigned an owner.

7.1.3 Acceptable Use of Assets

Identifier: 7.1.3 Acceptable Use of Assets
Description: Rules for the acceptable use of information and assets associated with information processing facilities should be identified, documented, and implemented.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      3.0              3.0        3.0           3.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 7.1.3-1 Management provides specific rules or guidance pertaining to the acceptable use of business information and assets.
  • 7.1.3-2 Acceptable use rules include which technologies may be used for business purposes.
  • 7.1.3-3 Acceptable use rules include connecting non-corporate devices to the corporate network.
  • 7.1.3-4 Acceptable use policies are implemented for employee-facing technologies such as modems and wireless.
  • 7.1.3-5 Acceptable use policies are implemented for use of corporate Internet connections.
  • 7.1.3-6 Acceptable use rules address the use of instant messaging, file sharing technologies, and electronic data interchange.

7.2.1 Classification Guidelines

Identifier: 7.2.1 Classification Guidelines
Description: Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        0.0           0.0
Likelihood reduction  5.0              5.0        5.0           0.0
Controls
  • 7.2.1-1 Information classifications include definitions of security levels and protective controls.
  • 7.2.1-2 The asset owner is responsible for defining the classification of an asset, for periodic review of it, and to ensure it is kept up to date and at the appropriate level.
  • 7.2.1-3 Information classifications include data retention and destruction requirements.
  • 7.2.1-4 Information classifications include criticality and sensitivity.
  • 7.2.1-5 Information classifications are used as the basis for applying controls.

7.2.2 Information Labeling and Handling

Identifier: 7.2.2 Information Labeling and Handling
Description: An appropriate set of procedures for information labeling and handling should be developed and implemented in accordance with the classification scheme adopted by the organization.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        0.0           0.0
Likelihood reduction  5.0              5.0        5.0           0.0
Controls
  • 7.2.2-1 Unencrypted PANs (Primary Account Numbers) are not sent via instant messaging, chat, or other direct end-user communication technologies.
  • 7.2.2-2 For each information classification level, handling procedures are defined that include secure processing, storage, transmission, declassification, destruction, chain of custody procedures, and the logging of security relevant events.
  • 7.2.2-3 Unencrypted PANs (Primary Account Numbers) are not sent by email.
  • 7.2.2-4 Media is labeled.
  • 7.2.2-5 Information is labeled according to its classification.
  • 7.2.2-6 Agreements with other organizations that include information sharing include procedures to identify the classification of that information and to interpret the classification labels of other organizations.
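Items 7.2.2-1 and 7.2.2-3 (no unencrypted PANs over e-mail, chat or instant messaging) are the one place in this list that states a concretely checkable condition, so here is the check a practitioner would put behind it. This is an added example, not code from the original document or from any product: it applies the usual DLP test for a candidate PAN to the subject and body of a message, namely a run of 13 to 19 digits, optionally separated by single spaces or dashes, whose first digit belongs to a major card brand and which passes the Luhn check. The sample messages are constructed for the example and use the public brand test numbers; the set of accepted leading digits is an assumption to tune to the card ranges your organization actually handles.

```python
import re
from typing import Dict, List

# Runs of two or more digits joined by optional single spaces or dashes,
# e.g. "4111 1111 1111 1111" or "5500-0000-0000-0004".
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")

# Leading digits of the major card brands (3 = Amex/Diners/JCB, 4 = Visa,
# 5 = Mastercard, 6 = Discover/UnionPay). Assumption made for this example;
# tune it to the card ranges your organization handles.
BRAND_PREFIXES = "3456"


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check as used for card numbers: every second digit from
    the right is doubled, the digits of products above 9 are summed, and the
    total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the normalized (separator-free) PANs found in text."""
    found = []
    for match in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        # A maximal digit run is judged as a whole: phone numbers, order ids
        # and two PANs run together fall outside 13-19 digits and are not
        # split further, which keeps false positives low.
        if not 13 <= len(digits) <= 19:
            continue
        if digits[0] not in BRAND_PREFIXES:
            continue
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS masking
    rule), so the findings log itself never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_message(message: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan the subject and body of one e-mail or chat message; each finding
    records the field it was found in and the masked PAN."""
    findings = []
    for field in ("subject", "body"):
        for pan in find_pans(message.get(field, "")):
            findings.append({"field": field, "pan": mask_pan(pan)})
    return findings


def audit(messages: List[Dict[str, str]]) -> List[List[Dict[str, str]]]:
    """Per-message findings; an empty list means the message is clean."""
    return [scan_message(m) for m in messages]


# Constructed sample traffic for the example; the card numbers are the
# public brand test numbers, not real accounts.
SAMPLE_MESSAGES = [
    {"subject": "Order 1234567890123 shipped", "body": "Call me on 555-123-4567."},
    {"subject": "Refund", "body": "Please charge 4111 1111 1111 1111, exp 12/27."},
    {"subject": "Card: 5500-0000-0000-0004", "body": "Ticket 4111111111111112 is closed."},
]


if __name__ == "__main__":
    for msg, hits in zip(SAMPLE_MESSAGES, audit(SAMPLE_MESSAGES)):
        print(msg["subject"], "->", hits or "clean")
```

The first message is clean (a 13-digit order number with a non-brand leading digit, and a phone number too short to qualify), the second is flagged on the body, and the third is flagged on the subject only, because the 16-digit string in its body fails the Luhn check. Only masked PANs ever reach the output, so the detector's own log does not become a new place where cardholder data is stored in the clear.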


8 Human Resources Security

8.1.1 Roles and Responsibilities

Identifier: 8.1.1 Roles and Responsibilities
Description: Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization's information security policy.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        0.0           0.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 8.1.1-1 Personnel are required to implement and act in accordance with the organization's information security policies.

8.1.2 Screening

Identifier: 8.1.2 Screening
Description: Background verification checks on all candidates for employment, contractors, and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        0.0           3.0
Likelihood reduction  5.0              5.0        0.0           3.0
Controls
  • 8.1.2-1 Third party agreements clearly specify all responsibilities and notification procedures for personnel screening.
  • 8.1.2-2 The depth of background checks is based on the position's sensitivity and/or criticality.
  • 8.1.2-3 Contractors and third party users are subjected to background verification checks.
  • 8.1.2-4 Screening procedures define criteria and limitation for verification checks such as who is eligible to screen people, and how, when, and why verification checks are carried out.
  • 8.1.2-5 Background verification checks include an independent identity check via a passport or similar document.
  • 8.1.2-6 Background verification checks include more detailed checks, such as credit checks or checks of criminal records.
  • 8.1.2-7 Background checks are performed in accordance with local laws, regulations and ethics.

8.1.3 Terms and Conditions of Employment

Identifier: 8.1.3 Terms and Conditions of Employment
Description: As part of their contractual obligation, employees, contractors and third party users should agree to and sign the terms and conditions of their employment contract, which should state their and the organization's responsibilities for information security.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        0.0           0.0
Likelihood reduction  5.0              5.0        0.0           0.0
Controls
  • 8.1.3-1 Acceptable use rules include a description of the disciplinary actions to which users may be subject if found in violation of the rules.
  • 8.1.3-2 The terms and conditions of employment require personnel to sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities.
  • 8.1.3-3 Personnel agree to the relevant terms and conditions concerning information security by signing an acceptance statement.
  • 8.1.3-4 The terms and conditions of employment clarify the individual's legal responsibilities and rights and include responsibilities regarding copyright laws or data protection legislation.

8.2.1 Management Responsibilities

Identifier: 8.2.1 Management Responsibilities
Description: Management should require employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        0.0           3.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 8.2.1-1 Management ensures that personnel are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems.
  • 8.2.1-2 Password procedures and policies have been communicated to users with access to cardholder data.

8.2.2 Information Security Awareness, Education, and Training

Identifier: 8.2.2 Information Security Awareness, Education, and Training
Description: All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates on organizational policies and procedures, as relevant for their job function.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      3.0              3.0        3.0           3.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 8.2.2-1 Ongoing security awareness training includes security requirements, legal responsibilities and business controls, training in the correct use of information processing facilities, use of software packages, information handling, and information on the disciplinary process.
  • 8.2.2-2 Initial security awareness training is given to employees, contractors, and third party users to introduce the organization's security policies and expectations before access to information or services is granted.
  • 8.2.2-3 Ongoing security awareness training is conducted at least annually.

8.2.3 Disciplinary Process

Identifier: 8.2.3 Disciplinary Process
Description: There should be a formal disciplinary process for employees who have committed a security breach.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        0.0           0.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 8.2.3-1 The formal disciplinary process provides for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether or not this is a first or repeat offence, whether or not the violator
  • 8.2.3-2 The formal disciplinary process ensures correct and fair treatment for employees who are suspected of committing breaches of security.
  • 8.2.3-3 The disciplinary process is not commenced without prior verification that a security breach has occurred.

8.3.1 Termination Responsibilities

Identifier: 8.3.1 Termination Responsibilities
Description: Responsibilities for performing employment termination or change of employment should be clearly defined and assigned.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      3.0              3.0        0.0           3.0
Likelihood reduction  5.0              0.0        0.0           3.0
Controls
  • 8.3.1-1 Changes of responsibility or employment are managed as the termination of the respective responsibility or employment.
  • 8.3.1-2 Responsibilities for performing employment termination or change of employment are defined and assigned.
  • 8.3.1-3 The termination and change of employment process applies to employees, contractors and third-parties.
  • 8.3.1-4 Formal termination and position change procedures are defined and documented.

8.3.2 Return of Assets

Identifier: 8.3.2 Return of Assets
Description: All employees, contractors and third party users should return all of the organization's assets in their possession upon termination of their employment, contract or agreement.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      0.0              0.0        5.0           0.0
Likelihood reduction  5.0              0.0        0.0           0.0
Controls
  • 8.3.2-1 In cases where an individual purchases the organization's equipment or uses their own personal equipment, procedures are followed to ensure that all relevant information is transferred to the organization and securely erased
  • 8.3.2-2 The termination process is formalized to include the return of all previously issued software, corporate documents, and equipment.
  • 8.3.2-3 Organizational assets such as mobile computing devices, credit cards, access cards, software, manuals, and information stored on electronic media are returned upon termination.

8.3.3 Removal of Access Rights

Identifier: 8.3.3 Removal of Access Rights
Description: The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      3.0              3.0        0.0           3.0
Likelihood reduction  5.0              5.0        0.0           3.0
Controls
  • 8.3.3-1 Access rights are reduced or removed before the employment terminates or changes in cases of highly sensitive or critical positions.
  • 8.3.3-2 Changes of an employment are reflected in removal of all access rights that were not approved for the new employment.
  • 8.3.3-3 Access rights are reduced or removed before the employment terminates or changes in cases where the terminated individual has access to high-value assets.
  • 8.3.3-4 The access rights of the terminated individual that are removed or adapted include physical and logical access, keys, identification cards, information processing facilities, subscriptions, and removal from any documentation that identifies them as a current member of the organization.
  • 8.3.3-5 Access rights are reduced or removed before the employment terminates or changes in cases where damage or a security breach may occur.
  • 8.3.3-6 Passwords for accounts remaining active, and to which the terminated individual had access, are changed upon termination or job change.
  • 8.3.3-7 The access rights of an individual to assets associated with information systems and services are reconsidered upon termination to determine whether it is necessary to remove access rights.


9 Physical and Environmental Security

9.1.1 Physical Security Perimeter

Identifier: 9.1.1 Physical Security Perimeter
Description: Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) should be used to protect areas that contain information and information processing facilities.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      3.0              3.0        5.0           3.0
Likelihood reduction  5.0              5.0        5.0           3.0
Controls
  • 9.1.1-1 Perimeter intrusion detection systems are tested at least every three months.
  • 9.1.1-2 Perimeter intruder detection systems are installed and regularly tested.
  • 9.1.1-3 Security perimeters are clearly defined.
  • 9.1.1-4 All windows on the physical perimeter have been equipped with locks.
  • 9.1.1-5 Glass break sensors have been employed on perimeter windows.
  • 9.1.1-6 The perimeters of buildings and sites containing information processing facilities are physically sound and external doors are suitably protected against unauthorized access.
  • 9.1.1-7 All doors on the physical perimeter have been equipped with locks.
  • 9.1.1-8 Physical access controls restrict access to only authorized personnel.

9.1.2 Physical Entry Controls

Identifier: 9.1.2 Physical Entry Controls
Description: Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Effective for:        Confidentiality  Integrity  Availability  Compliance
Impact reduction      3.0              3.0        0.0           3.0
Likelihood reduction  5.0              5.0        5.0           5.0
Controls
  • 9.1.2-1 The date and time of entry and departure of visitors is recorded.
  • 9.1.2-2 Visitors are supervised unless otherwise approved.
  • 9.1.2-3 Access to areas where sensitive information is processed or stored is controlled and restricted to authorized persons only.
  • 9.1.2-4 Employees, contractors, third party users, and visitors are required to notify security personnel if they encounter unescorted visitors and anyone not wearing visible identification.
  • 9.1.2-5 Third party support service personnel are granted restricted access to secure areas or sensitive information processing facilities only when required and this access is authorized and monitored.
  • 9.1.2-6 Visitors are granted access only for specific and authorized purposes.
  • 9.1.2-7 Employees, contractors, third party users, and visitors are required to wear visible identification that clearly identifies their affiliation with the organization and their authorized access.
  • 9.1.2-8 Access rights to secure areas are regularly reviewed and updated, and revoked when necessary.

9.1.3 Securing Offices, Rooms, and Facilities

Identifier: 9.1.3 Securing Offices, Rooms, and Facilities
Description: Physical security for offices, rooms, and facilities should be designed and applied.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        5.0           3.0
Controls
  • 9.1.3-1 Health and safety regulations and standards are considered when securing offices, rooms, and facilities.

9.1.4 Protecting Against External and Environmental Threats

Identifier: 9.1.4 Protecting Against External and Environmental Threats
Description: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster should be designed and applied.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              3.0        5.0           1.0
Probability reduction   0.0              3.0        3.0           0.0
Controls
  • 9.1.4-1 Security threats presented by neighboring premises are considered when selecting physical protection controls, such as fire, water leaks, street explosions, and so on.
  • 9.1.4-2 Appropriate fire fighting equipment is provided and suitably placed.

9.1.5 Working in Secure Areas

Identifier: 9.1.5 Working in Secure Areas
Description: Physical protection and guidelines for working in secure areas should be designed and applied.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        3.0           0.0
Probability reduction   5.0              5.0        5.0           0.0
Controls
  • 9.1.5-1 The arrangements for working in secure areas include controls for the employees, contractors, and third party users working in the secure area, as well as other third party activities taking place there.
  • 9.1.5-2 Personnel are aware of the existence of, or activities within, a secure area only on a need to know basis.

9.1.6 Public Access, Delivery, and Loading Access

Identifier: 9.1.6 Public Access, Delivery, and Loading Access
Description: Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        5.0              0.0        3.0           3.0
Probability reduction   5.0              5.0        5.0           0.0
Controls
  • 9.1.6-1 Access to delivery and loading areas from outside the building is restricted to identified and authorized personnel.
  • 9.1.6-2 Delivery and loading areas are designed so that supplies can be unloaded without delivery personnel gaining access to other parts of the building.

9.2.1 Equipment Siting and Protection

Identifier: 9.2.1 Equipment Siting and Protection
Description: Equipment should be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           0.0
Probability reduction   5.0              5.0        5.0           0.0
Controls
  • 9.2.1-1 Equipment is sited to minimize unnecessary access into work areas.
  • 9.2.1-2 Equipment is housed in racks or similar housings that provide protection from environmental hazards and inadvertent damage.
  • 9.2.1-3 Items requiring special protection are isolated to reduce the general level of protection required.
  • 9.2.1-4 An HVAC system operates to maintain appropriate operating temperatures.
  • 9.2.1-5 Lightning protection is applied to all buildings and lightning protection filters are fitted to all incoming power and communications lines.
  • 9.2.1-6 Environmental conditions, such as temperature and humidity, are monitored for conditions that could adversely affect the operation of information processing facilities.
  • 9.2.1-7 Information processing facilities handling sensitive data are positioned and the viewing angle restricted to reduce the risk of information being viewed by unauthorized persons during their use.
  • 9.2.1-8 Controls are adopted to minimize the risk of potential physical threats, e.g., theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic emissions, and so on.

9.2.2 Supporting Utilities

Identifier: 9.2.2 Supporting Utilities
Description: Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              3.0        3.0           0.0
Probability reduction   0.0              3.0        5.0           0.0
Controls
  • 9.2.2-1 Uninterruptible power supplies (UPS) are used to support orderly close down or continuous running for equipment supporting critical business operations.
  • 9.2.2-2 Uninterruptible power supply equipment and generators are regularly checked to ensure they have adequate capacity and are tested in accordance with the manufacturer's recommendations.
  • 9.2.2-3 A back-up generator is considered in order to continue processing in case of a prolonged power failure.
  • 9.2.2-4 Consideration is given to using multiple power sources or, if the site is large, a separate power substation.
  • 9.2.2-5 An alarm is generated in the event of power failure.

9.2.3 Cabling Security

Identifier: 9.2.3 Cabling Security
Description: Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           0.0
Probability reduction   3.0              3.0        5.0           0.0
Controls
  • 9.2.3-1 Cabling controls for sensitive or critical systems are appropriate based on associated risk factors.
  • 9.2.3-2 Clearly identifiable cable and equipment markings are used to minimize handling errors, such as accidental patching of wrong network cables.
  • 9.2.3-3 Network cabling is protected from unauthorized interception or damage, for example by using a conduit or by avoiding routes through public areas.
  • 9.2.3-4 A documented cable patch list is used to reduce the possibility of errors.
  • 9.2.3-5 Power cables are segregated from communications cables to prevent interference.

9.2.4 Equipment Maintenance

Identifier: 9.2.4 Equipment Maintenance
Description: Equipment should be correctly maintained to ensure its continued availability and integrity.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           0.0
Probability reduction   0.0              5.0        5.0           0.0
Controls
  • 9.2.4-1 Records are kept of all suspected or actual faults, and all preventive and corrective maintenance.
  • 9.2.4-2 Equipment is maintained in accordance with the supplier's recommended service intervals and specifications.

9.2.5 Security of Equipment Off-Premises

Identifier: 9.2.5 Security of Equipment Off-Premises
Description: Security should be applied to off-site equipment taking into account the different risks of working outside the organization's premises.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        5.0           3.0
Probability reduction   5.0              0.0        3.0           3.0
Controls
  • 9.2.5-1 Equipment and media taken off the premises are not left unattended in public places.
  • 9.2.5-2 The use of any information processing equipment outside the organization's premises is authorized by management.
  • 9.2.5-3 The use of all off-site devices that record or report sensitive data is authorized.
  • 9.2.5-4 Various security risks, e.g., of damage, theft or eavesdropping, are taken into account in determining the most appropriate controls per location.

9.2.6 Secure Disposal or Re-Use of Equipment

Identifier: 9.2.6 Secure Disposal or Re-Use of Equipment
Description: All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        5.0              0.0        0.0           0.0
Probability reduction   5.0              0.0        0.0           0.0
Controls
  • 9.2.6-1 Devices and media containing sensitive information are physically destroyed or the information contained within is destroyed, deleted or overwritten using techniques to make the original information non-retrievable.

9.2.7 Removal of Property

Identifier: 9.2.7 Removal of Property
Description: Equipment, information or software should not be taken off-site without prior authorization.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           0.0
Probability reduction   5.0              3.0        3.0           0.0
Controls
  • 9.2.7-1 Employees, contractors and third party users who have authority to permit off-site removal of assets are clearly identified.
  • 9.2.7-2 Equipment returns are recorded.
  • 9.2.7-3 Equipment, information and software are not taken off-site without prior authorization.
  • 9.2.7-4 Equipment is recorded as being removed off-site.


10 Communications and Operations Management

10.1.1 Documented Operating Procedures

Identifier: 10.1.1 Documented Operating Procedures
Description: Operating procedures should be documented, maintained, and made available to all users who need them.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        5.0           3.0
Controls
  • 10.1.1-1 Changes to operating procedures are authorized by management.
  • 10.1.1-2 Documented procedures are prepared for system activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, backup, equipment maintenance, media handling, computer room and mail handling, user account maintenance, log reviews, and so on.
  • 10.1.1-3 Operating procedures, and the documented procedures for system activities, are treated as formal documents and kept current.

10.1.2 Change Management

Identifier: 10.1.2 Change Management
Description: Changes to information processing facilities and systems should be controlled.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              5.0        5.0           3.0
Probability reduction   3.0              5.0        5.0           3.0
Controls
  • 10.1.2-1 The organization's change management process includes the identification and recording of significant changes.
  • 10.1.2-2 An audit log containing all relevant information regarding changes is retained.
  • 10.1.2-3 The organization's change management process includes the planning and testing of changes.
  • 10.1.2-4 The organization's change management process includes the communication of change details to all relevant persons.
  • 10.1.2-5 System and software configuration changes are tested.
  • 10.1.2-6 Systems are tested following the application of security patches.
  • 10.1.2-7 The organization's change management process includes the formal approval procedure for proposed changes.
  • 10.1.2-8 The organization's change management process includes the assessment of the potential impacts, including security impacts, of such changes.

10.1.3 Segregation of Duties

Identifier: 10.1.3 Segregation of Duties
Description: Duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        3.0           3.0
Controls
  • 10.1.3-1 At least two parties are required to complete security-sensitive tasks.
  • 10.1.3-2 Authorization controls are designed to minimize the possibility of collusion.

10.1.4 Separation of Development, Test, and Operational Facilities

Identifier: 10.1.4 Separation of Development, Test, and Operational Facilities
Description: Development, test, and operational facilities should be separated to reduce the risks of unauthorized access or changes to the operational system.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        5.0           3.0
Controls
  • 10.1.4-1 Development, test, and operational software run on different systems or computer processors and in different domains or directories.
  • 10.1.4-2 Rules for the transfer of software from development to operational status are defined and documented.

10.10.1 Audit Logging

Identifier: 10.10.1 Audit Logging
Description: Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              3.0        0.0           3.0
Probability reduction   5.0              5.0        0.0           5.0
Controls
  • 10.10.1-1 Audit logs include records of successful and rejected system access attempts.
  • 10.10.1-2 Audit logs include the files accessed and the kind of access.
  • 10.10.1-3 Audit logs include alarms raised by the access control system.
  • 10.10.1-4 Audit logs include dates, times, and details of key events, e.g., logon and logoff.
  • 10.10.1-5 Audit logs include records of successful and rejected data and other resource access attempts.
  • 10.10.1-6 Audit logs include user IDs.
  • 10.10.1-7 Audit logs include the terminal identity, location, or origination of the event.
  • 10.10.1-8 Audit logs include the use of privileges.

10.10.2 Monitoring System Use

Identifier: 10.10.2 Monitoring System Use
Description: Procedures for monitoring use of information processing facilities should be established and the results of the monitoring activities reviewed regularly.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        5.0           0.0
Controls
  • 10.10.2-1 Monitoring activities include all privileged operations, such as the use of privileged accounts, system start-up and stop, and I/O device attachment/detachment.
  • 10.10.2-2 Logs are reviewed on a regular basis and results are documented.
  • 10.10.2-3 Logs are reviewed at least weekly.
  • 10.10.2-4 Monitoring activities include unauthorized access attempts such as failed or rejected user actions, failed or rejected actions involving data and other resources, access policy violations and notifications for network gateways and firewalls, and alerts from proprietary intrusion detection systems.
  • 10.10.2-5 Logs are reviewed at least daily.
  • 10.10.2-6 Logs are reviewed at least every ninety days.
  • 10.10.2-7 The level of monitoring required for individual facilities is determined by a risk assessment.
  • 10.10.2-8 Monitoring activities include authorized access, including detail such as the user ID, the date and time of key events, the types of events, the files accessed, and the program/utilities used.
  • 10.10.2-9 Monitoring activities include changes to, or attempts to change, system security settings and controls.
  • 10.10.2-10 Monitoring activities include system alerts or failures such as console alerts or messages, system log exceptions, network management alarms, and alarms raised by the access control system.

10.10.3 Protection of Log Information

Identifier: 10.10.3 Protection of Log Information
Description: Logging facilities and log information should be protected against tampering and unauthorized access.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        0.0           5.0
Controls
  • 10.10.3-1 Appropriate controls exist to prevent log files from being edited or deleted.
  • 10.10.3-2 File integrity or change monitoring software is used to detect unauthorized alterations to critical system components or sensitive information.
  • 10.10.3-3 File integrity is checked on a periodic basis.
  • 10.10.3-4 File integrity is checked weekly.
  • 10.10.3-5 Appropriate controls exist to prevent alterations to the message types that are recorded.

10.10.4 Administrator and Operator Logs

Identifier: 10.10.4 Administrator and Operator Logs
Description: System administrator and system operator activities should be logged.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           5.0
Probability reduction   5.0              5.0        3.0           5.0
Controls
  • 10.10.4-1 System administrator and operator logs include the time at which an event (success or failure) occurred.
  • 10.10.4-2 System administrator and operator logs are reviewed on a regular basis.
  • 10.10.4-3 System administrator and operator logs include information about the event (e.g., files handled) or failure (e.g., error occurred and corrective action taken).
  • 10.10.4-4 System administrator and operator logs include which account and which administrator or operator was involved.

10.10.5 Fault Logging

Identifier: 10.10.5 Fault Logging
Description: Faults should be logged, analysed, and appropriate action taken.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        5.0           0.0
Controls
  • 10.10.5-1 Error logging is enabled when the system function is available.
  • 10.10.5-2 Corrective measures are reviewed to ensure that controls have not been compromised, and that the action taken is fully authorized.

10.10.6 Clock Synchronization

Identifier: 10.10.6 Clock Synchronization
Description: The clocks of all relevant information processing systems within an organization or security domain should be synchronized with an agreed accurate time source.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              3.0        0.0           0.0
Probability reduction   0.0              5.0        0.0           0.0
Controls
  • 10.10.6-1 A procedure exists that checks for and corrects any significant variation in clock synchronization.

10.2.1 Service Delivery

Identifier: 10.2.1 Service Delivery
Description: It should be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        3.0           0.0
Probability reduction   5.0              5.0        5.0           3.0
Controls
  • 10.2.1-1 Service delivery by a third party includes the agreed security arrangements, service definitions, and aspects of service management.
  • 10.2.1-2 The organization ensures that the third party maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster.

10.2.2 Monitoring and Review of Third Party Services

Identifier: 10.2.2 Monitoring and Review of Third Party Services
Description: The services, reports and records provided by the third party should be regularly monitored and reviewed, and audits should be carried out regularly.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           0.0
Probability reduction   5.0              5.0        5.0           3.0
Controls
  • 10.2.2-1 Monitoring and review of third party services ensures that the information security terms and conditions of the agreements are being adhered to, and that information security incidents and problems are managed properly.
  • 10.2.2-2 The organization monitors third party service performance levels to check adherence to the agreements and that the performance is competitive with the alternative suppliers.
  • 10.2.2-3 The organization maintains overall control and visibility into all security aspects for sensitive or critical information or information processing facilities accessed, processed or managed by a third party.
  • 10.2.2-4 The responsibility for managing the relationship with a third party is assigned to a designated individual or service management team.
  • 10.2.2-5 The organization ensures that the third party assigns responsibilities for checking for compliance and enforcing the requirements of the agreements.
  • 10.2.2-6 The third party provides information about information security incidents and this information is reviewed by the third party and the organization as required by the agreements and any supporting guidelines and procedures.

10.2.3 Managing Changes to Third Party Services

Identifier: 10.2.3 Managing Changes to Third Party Services
Description: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              3.0        3.0           0.0
Probability reduction   0.0              5.0        5.0           0.0
Controls
  • 10.2.3-1 The process of managing changes to a third party service takes account of changes in third party services to implement changes and enhancement to networks, the use of new technologies, the adoption of new products or newer versions/releases and new business developments.
  • 10.2.3-2 The process of managing changes to a third party service takes account of changes made by the organization to implement enhancements to the current services offered, development of any new applications and systems, and modifications or updates.

10.3.1 Capacity Management

Identifier: 10.3.1 Capacity Management
Description: The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              5.0        5.0           0.0
Probability reduction   0.0              5.0        5.0           0.0
Controls
  • 10.3.1-1 System usage trends are used to identify and avoid potential bottlenecks, unnecessary dependence on key personnel, and other threats to system performance.

10.3.2 System Acceptance

Identifier: 10.3.2 System Acceptance
Description: Acceptance criteria for new information systems, upgrades, and new versions should be established and suitable tests of the system(s) carried out during development and prior to acceptance.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              3.0        3.0           0.0
Probability reduction   3.0              5.0        5.0           0.0
Controls
  • 10.3.2-1 Appropriate tests are carried out to confirm that all acceptance criteria have been fully satisfied.

10.4.1 Controls Against Malicious Code

Identifier: 10.4.1 Controls Against Malicious Code
Description: Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           0.0
Probability reduction   5.0              5.0        5.0           3.0
Controls
  • 10.4.1-1 A formal policy is established to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures must be taken.
  • 10.4.1-2 Procedures are implemented to regularly collect malicious code information, such as subscribing to mailing lists and/or checking web sites giving information about new malicious code.
  • 10.4.1-3 Regular reviews are conducted of the software and data content of systems supporting critical business processes.
  • 10.4.1-4 A formal policy is established prohibiting the use of unauthorized software.
  • 10.4.1-5 Malicious code detection and repair software has been installed and configured to scan computers and media as a precautionary control or on a routine basis.
  • 10.4.1-6 Management procedures and responsibilities are defined to deal with malicious code protection on systems, training in their use, reporting and recovering from malicious code attacks.

10.4.2 Controls Against Mobile Code

Identifier: 10.4.2 Controls Against Mobile Code
Description: Where the use of mobile code is authorized, the configuration should ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code should be prevented from executing.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           0.0
Probability reduction   5.0              5.0        3.0           3.0
Controls
  • 10.4.2-1 Cryptographic controls are used to uniquely authenticate mobile code.
  • 10.4.2-2 Mobile code is executed only in a logically isolated environment.

10.5.1 Information Back-Up

Identifier: 10.5.1 Information Back-Up
Description: Back-up copies of information and software should be taken and tested regularly in accordance with the agreed backup policy.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              5.0        5.0           0.0
Probability reduction   0.0              0.0        0.0           0.0
Controls
  • 10.5.1-1 Back-up information is given an appropriate level of physical and environmental protection consistent with the standards applied at the main site.
  • 10.5.1-2 Systems are restorable within two hours of going off-line.
  • 10.5.1-3 Back-up arrangements for individual systems are regularly tested to ensure that they meet the requirements of business continuity plans.
  • 10.5.1-4 Restoration procedures are regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery.
  • 10.5.1-5 Back-ups containing confidential information are protected by means of encryption.
  • 10.5.1-6 Back-up media is regularly tested to ensure that it can be relied upon for emergency use when necessary.
  • 10.5.1-7 Trial restorations from backup media are performed at least every six months.
  • 10.5.1-8 Trial restorations from backup media are performed at least annually.
  • 10.5.1-9 Adequate back-up facilities are provided to ensure that all essential information and software can be recovered following a disaster or media failure.
  • 10.5.1-10 Back-ups are stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site.
  • 10.5.1-11 The necessary level of back-up information is defined.
  • 10.5.1-12 For critical systems, the backup arrangements cover all systems information, applications, and data necessary to recover the complete system in the event of a disaster.
  • 10.5.1-13 Controls applied to media at the main site are extended to cover the back-up site.

10.6.1 Network Controls

Identifier: 10.6.1 Network Controls
Description: Networks should be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        5.0           3.0
Controls
  • 10.6.1-1 Operational responsibilities for networks are segregated from those for information systems.
  • 10.6.1-2 Special controls are established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks.

10.6.2 Security of Network Services

Identifier: 10.6.2 Security of Network Services
Description: Security features, service levels, and management requirements of all network services should be identified and included in any network services agreement, whether these services are provided in-house or outsourced.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           0.0
Probability reduction   5.0              5.0        3.0           0.0
Controls
  • 10.6.2-1 Security arrangements are identified for particular services, such as security features, service levels, and management requirements.
  • 10.6.2-2 The ability of the network service provider to manage agreed services in a secure way is determined and regularly monitored, and the right to audit is agreed.

10.7.1 Management of Removable Media

Identifier: 10.7.1 Management of Removable Media
Description: There should be procedures in place for the management of removable media.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        5.0              5.0        5.0           0.0
Probability reduction   5.0              5.0        5.0           0.0
Controls
  • 10.7.1-1 Media is stored in accordance with manufacturers' specifications.
  • 10.7.1-2 All media is stored in a safe, secure environment, in accordance with manufacturers' specifications.
  • 10.7.1-3 Authorization is required for media removed from the organization and a record of such removals is kept in order to maintain an audit trail.

10.7.2 Disposal of Media

Identifier: 10.7.2 Disposal of Media
Description: Media should be disposed of securely and safely when no longer required, using formal procedures.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        5.0              0.0        0.0           0.0
Probability reduction   5.0              0.0        0.0           0.0
Controls
  • 10.7.2-1 Media containing sensitive information is stored and disposed of securely and safely, e.g., by incineration, shredding, or pulping of hardcopy materials, or by erasure of data before re-use by another application within the organization.

10.7.3 Information Handling Procedures

Identifier: 10.7.3 Information Handling Procedures
Description: Procedures for the handling and storage of information should be established to protect this information from unauthorized disclosure or misuse.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        5.0           0.0
Controls
  • 10.7.3-1 Information access restrictions are established to prevent access from unauthorized personnel.
  • 10.7.3-2 Information is handled such that a formal record is maintained of the authorized recipients of data.
  • 10.7.3-3 Data distribution is kept to a minimum.
  • 10.7.3-4 Copies of media are clearly marked for the attention of the authorized recipient.
  • 10.7.3-5 Procedures have been established for handling and labeling of all media to its indicated classification level.
  • 10.7.3-6 Distribution lists and lists of authorized recipients are reviewed at regular intervals.

10.7.4 Security of System Documentation

Identifier: 10.7.4 Security of System Documentation
Description: System documentation should be protected against unauthorized access.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              3.0        3.0           3.0
Controls
  • 10.7.4-1 System documentation is stored securely.

10.8.1 Information Exchange Policies and Procedures

Identifier: 10.8.1 Information Exchange Policies and Procedures
Description: Formal exchange policies, procedures, and controls should be in place to protect the exchange of information through the use of all types of communication facilities.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        0.0           3.0
Controls
  • 10.8.1-1 Information exchange requirements include not leaving sensitive or critical information on printing facilities, e.g., copiers, printers, and facsimile machines, as these may be accessed by unauthorized personnel.
  • 10.8.1-2 Procedures and controls are designed to protect exchanged information from interception, copying, modification, mis-routing, and destruction.

10.8.2 Exchange Agreements

Identifier: 10.8.2 Exchange Agreements
Description: Agreements should be established for the exchange of information and software between the organization and external parties.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        0.0           3.0
Controls
  • 10.8.2-1 Information exchange agreements include procedures for notifying the sender of transmission, dispatch, and receipt.
  • 10.8.2-2 Information exchange agreements include minimum technical standards for packaging and transmission.
  • 10.8.2-3 Information exchange agreements include courier identification standards.
  • 10.8.2-4 Information exchange agreements include ownership and responsibilities for data protection, copyright, software license compliance and similar considerations.
  • 10.8.2-5 Information exchange agreements include procedures to ensure traceability and non-repudiation.

10.8.3 Physical Media in Transit

Identifier: 10.8.3 Physical Media in Transit
Description: Media containing information should be protected against unauthorized access, misuse or corruption during transportation beyond an organization's physical boundaries.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 3.0 3.0 3.0 3.0
Probability reduction 5.0 5.0 5.0 0.0
Controls
  • 10.8.3-1 Reliable transport or couriers are used for transporting information.

10.8.4 Electronic Messaging

Identifier: 10.8.4 Electronic Messaging
Description: Information involved in electronic messaging should be appropriately protected.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 0.0
Probability reduction 5.0 5.0 0.0 3.0
Controls
  • 10.8.4-1 Approval is obtained prior to using external public services such as instant messaging or file sharing.
  • 10.8.4-2 General reliability and availability of electronic messaging services are evaluated.

10.8.5 Business Information Systems

Identifier: 10.8.5 Business Information Systems
Description: Policies and procedures should be developed and implemented to protect information associated with the interconnection of business information systems.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 0.0
Probability reduction 5.0 5.0 3.0 0.0
Controls
  • 10.8.5-1 Categories of sensitive business information and classified documents are excluded from information sharing amongst business information systems if the system does not provide an appropriate level of protection.
  • 10.8.5-2 Policy and appropriate controls are established to manage information sharing across interconnected business information systems.

10.9.1 Electronic Commerce

Identifier: 10.9.1 Electronic Commerce
Description: Information involved in electronic commerce passing over public networks should be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 5.0
Controls
  • 10.9.1-1 Consideration is given to the resilience to attack of the host(s) used for electronic commerce, and the security implications of any network interconnection required for the implementation of electronic commerce services.
  • 10.9.1-2 Electronic commerce controls include the liability associated with any fraudulent transactions.
  • 10.9.1-3 Electronic commerce controls include the degree of verification appropriate to check payment information supplied by a customer.
  • 10.9.1-4 Electronic commerce controls include the level of protection required to maintain the confidentiality and integrity of order information.

10.9.2 On-Line Transactions

Identifier: 10.9.2 On-Line Transactions
Description: Information involved in on-line transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 0.0
Probability reduction 5.0 5.0 0.0 5.0
Controls
  • 10.9.2-1 On-line transactions are protected by ensuring that the communications path between all involved parties is encrypted.
  • 10.9.2-2 On-line transactions are protected by the use of electronic signatures by each of the parties involved in the transaction.
  • 10.9.2-3 On-line transactions are protected by using secured protocols to communicate between all involved parties.

10.9.3 Publicly Available Information

Identifier: 10.9.3 Publicly Available Information
Description: The integrity of information being made available on a publicly available system should be protected to prevent unauthorized modification.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 0.0
Probability reduction 0.0 5.0 0.0 0.0
Controls
  • 10.9.3-1 Sensitive publicly available information is protected during collection, processing, and storage.
  • 10.9.3-2 Publicly available information is obtained in compliance with any data protection legislation.
  • 10.9.3-3 Publicly accessible systems are tested against weaknesses and failures prior to information being made available.


11 Access Control

11.1.1 Access Control Policy

Identifier: 11.1.1 Access Control Policy
Description: An access control policy should be established, documented, and reviewed based on business and security requirements for access.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 3.0 3.0 3.0 3.0
Probability reduction 5.0 5.0 5.0 3.0
Controls
  • 11.1.1-1 The access control policy addresses identification of all information related to the business applications and the risks the information is facing.
  • 11.1.1-2 The access control policy addresses segregation of access control roles, e.g., access request, access authorization, and access administration.
  • 11.1.1-3 The access control policy addresses relevant legislation and any contractual obligations regarding protection of access to data or services.
  • 11.1.1-4 The access control policy addresses policies for information dissemination and authorization, e.g., the need to know principle and security levels and classification of information.
  • 11.1.1-5 The access control policy addresses management of access rights in a distributed and networked environment which recognizes all types of connections available.
  • 11.1.1-6 The access control policy addresses removal of access rights.
  • 11.1.1-7 Both logical and physical access controls are covered by access control requirements.
  • 11.1.1-8 The access control policy addresses requirements for formal authorization of access requests.
  • 11.1.1-9 The access control policy addresses requirements for periodic review of access controls.
  • 11.1.1-10 The access control policy addresses security requirements of individual business applications.
  • 11.1.1-11 The access control policy addresses consistency between the access control and information classification policies of different systems and networks.

11.2.1 User Registration

Identifier: 11.2.1 User Registration
Description: There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 5.0
Controls
  • 11.2.1-1 The access control procedure for user registration and de-registration includes checking that the level of access granted is appropriate to the business purpose and is consistent with organizational security policy, e.g., it does not compromise segregation of duties.
  • 11.2.1-2 User accounts are reviewed at least every 60 days.
  • 11.2.1-3 User accounts are reviewed at least annually.
  • 11.2.1-4 The access control procedure for user registration and de-registration includes using unique user IDs to enable users to be linked to and held responsible for their actions.
  • 11.2.1-5 The access control procedure for user registration and de-registration includes maintaining a formal record of all persons registered to use the service.
  • 11.2.1-6 The access control procedure for user registration and de-registration includes periodically checking for, and removing or blocking, redundant user IDs and accounts.
  • 11.2.1-7 The access control procedure for user registration and de-registration includes requiring users to sign statements indicating that they understand the conditions of access.
  • 11.2.1-8 The access control procedure for user registration and de-registration includes checking that the user has authorization from the system owner for the use of the information system or service.
  • 11.2.1-9 The use of group IDs is only permitted where they are necessary for business or operational reasons, and are approved and documented.

11.2.2 Privilege Management

Identifier: 11.2.2 Privilege Management
Description: The allocation and use of privileges should be restricted and controlled.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 3.0 3.0
Controls
  • 11.2.2-1 Privileges are allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy, i.e., the minimum requirement for their functional role only when needed.
  • 11.2.2-2 Users are unprivileged by default.
  • 11.2.2-3 VPN users are unprivileged by default.
  • 11.2.2-4 Multi-user systems that require protection against unauthorized access have the allocation of privileges controlled through a formal authorization process.
  • 11.2.2-5 An authorization process and a record of all privileges allocated is maintained, and privileges are not granted until the authorization process is complete.

11.2.3 User Password Management

Identifier: 11.2.3 User Password Management
Description: The allocation of passwords should be controlled through a formal management process.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 3.0 3.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 3.0
Controls
  • 11.2.3-1 Passwords are not stored on computer systems in an unprotected form.
  • 11.2.3-2 Passwords are stored in an encrypted format.
  • 11.2.3-3 Procedures are established to verify the identity of a user prior to providing a new, replacement or temporary password.
  • 11.2.3-4 Wireless network default settings such as WEP/WPA keys, SSID, user and administrator passwords, and SNMP community strings are changed prior to use.
  • 11.2.3-5 Temporary passwords are unique to an individual and are designed not to be guessable.
  • 11.2.3-6 Temporary passwords are given to users in a secure manner.
  • 11.2.3-7 Default vendor passwords are altered following installation of systems or software.
  • 11.2.3-8 When users are required to maintain their own passwords, they are provided initially with a secure temporary password, which they are forced to change immediately.

11.2.4 Review of User Access Rights

Identifier: 11.2.4 Review of User Access Rights
Description: Management should review users' access rights at regular intervals using a formal process.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 5.0
Probability reduction 5.0 5.0 3.0 3.0
Controls
  • 11.2.4-1 Users' access rights are reviewed at regular intervals, e.g., a period of 6 months, and after any changes, such as promotion, demotion, or termination of employment.
  • 11.2.4-2 Allocated privileges are checked at least annually.
  • 11.2.4-3 Allocated privileges are checked at least every 60 days.
  • 11.2.4-4 Authorizations for special privileged access rights are reviewed at frequent intervals, e.g., at a period of 3 months.
  • 11.2.4-5 Privilege allocations are checked at regular intervals to ensure that unauthorized privileges have not been obtained.

11.3.1 Password Use

Identifier: 11.3.1 Password Use
Description: Users should be required to follow good security practices in the selection and use of passwords.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 3.0 3.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 3.0
Controls
  • 11.3.1-1 Users are advised to change passwords at regular intervals or based on the number of accesses, and to avoid re-using or recycling old passwords.
  • 11.3.1-2 Users are advised to not share individual user passwords.
  • 11.3.1-3 Users are advised to keep passwords confidential.
  • 11.3.1-4 Passwords must be at least seven characters long.
  • 11.3.1-5 Passwords must contain both lower- and upper-case alphabetic characters.
  • 11.3.1-6 Passwords expire at least every 120 days.
  • 11.3.1-7 Users are not permitted to reuse any of the previous four passwords.
  • 11.3.1-8 Users are advised to avoid keeping a record (e.g., paper, software file or hand-held device) of passwords, unless this can be stored securely and the method of storing has been approved.
  • 11.3.1-9 Passwords must contain numeric characters.
  • 11.3.1-10 Desktop passwords must be at least four characters long.
  • 11.3.1-11 Password complexity requirements are defined.
  • 11.3.1-12 Users are advised to not use the same password for business and non-business purposes.
  • 11.3.1-13 Passwords expire and must be changed after a predetermined period of time.
  • 11.3.1-14 Users are advised to select quality passwords with sufficient minimum length that are easy to remember, not based on anything somebody else could easily guess or obtain using person-related information, not vulnerable to dictionary attacks, and free of common words.
  • 11.3.1-15 Passwords must be at least six characters long.
  • 11.3.1-16 Passwords expire at least annually.
  • 11.3.1-17 Users are advised to change passwords whenever there is any indication of possible system or password compromise.
  • 11.3.1-18 Users are not permitted to reuse any of the previous five passwords.
  • 11.3.1-19 Passwords must contain alphabetic characters.
  • 11.3.1-20 Passwords must contain symbols or special characters.
  • 11.3.1-21 Passwords should not contain recognizable words, names, or number sequences.

11.3.2 Unattended User Equipment

Identifier: 11.3.2 Unattended User Equipment
Description: Users should ensure that unattended equipment has appropriate protection.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 0.0
Probability reduction 5.0 5.0 5.0 0.0
Controls
  • 11.3.2-1 Users are advised to secure PCs or terminals from unauthorized use by a key lock or an equivalent control, e.g., password access, when not in use.
  • 11.3.2-2 Users are advised to terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g., a password protected screen saver.

11.3.3 Clear Desk and Clear Screen Policy

Identifier: 11.3.3 Clear Desk and Clear Screen Policy
Description: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 0.0
Controls
  • 11.3.3-1 Computers and terminals are left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism when unattended and are protected by key locks, passwords or other controls when not in use.

11.4.1 Policy on Use of Network Services

Identifier: 11.4.1 Policy on Use of Network Services
Description: Users should only be provided with access to the services that they have been specifically authorized to use.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 3.0 3.0
Controls
  • 11.4.1-1 The network use policy addresses the networks and network services that are allowed to be accessed (e.g. for VPNs, dial-up, Internet and so on).
  • 11.4.1-2 The network use policy addresses the means used to access networks and network services (e.g., the conditions for allowing dial-up access to an Internet service provider or remote system).

11.4.2 User Authentication for External Connections

Identifier: 11.4.2 User Authentication for External Connections
Description: Appropriate authentication methods should be used to control access by remote users.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 3.0
Controls
  • 11.4.2-1 Authentication of remote users can be achieved using, for example, a cryptographic based technique, hardware tokens, a challenge/response protocol or biometrics.

11.4.3 Equipment Identification in Networks

Identifier: 11.4.3 Equipment Identification in Networks
Description: Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 3.0 3.0 3.0 3.0
Probability reduction 5.0 5.0 5.0 3.0
Controls
  • 11.4.3-1 An identifier in or attached to equipment is used to indicate whether this equipment is permitted to connect to the network.

11.4.4 Remote Diagnostic and Configuration Port Protection

Identifier: 11.4.4 Remote Diagnostic and Configuration Port Protection
Description: Physical and logical access to diagnostic and configuration ports should be controlled.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 3.0 3.0 3.0 3.0
Probability reduction 5.0 5.0 5.0 0.0
Controls
  • 11.4.4-1 Ports, services, and similar facilities installed on a computer or network facility, which are not specifically required for business functionality, are disabled or removed.
  • 11.4.4-2 Remote management services (such as SNMP, RMON, etc.) are logically protected.

11.4.5 Segregation in Networks

Identifier: 11.4.5 Segregation in Networks
Description: Groups of information services, users, and information systems should be segregated on networks.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 0.0
Probability reduction 5.0 0.0 5.0 0.0
Controls
  • 11.4.5-1 Segregation of networks is based on the value and classification of information stored or processed in the network, levels of trust, or lines of business, in order to reduce the total impact of a service disruption.
  • 11.4.5-2 Network perimeters are implemented by installing a secure gateway between the interconnected networks to control access and information flow between the two domains.
  • 11.4.5-3 Networks are segregated using the network device functionality, e.g., IP switching.
  • 11.4.5-4 Each entity has access to only its own environment in multi-entity environments (e.g. hosting providers).

11.4.6 Network Connection Control

Identifier: 11.4.6 Network Connection Control
Description: For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network should be restricted, in line with the access control policy and requirements of the business applications (see 11.1).
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 5.0 5.0 5.0 3.0
Probability reduction 5.0 3.0 5.0 3.0
Controls
  • 11.4.6-1 A gateway that filters traffic by means of pre-defined tables or rules is used to restrict the connection capability of users.
  • 11.4.6-2 Only necessary traffic is permitted into and out of the network.
  • 11.4.6-3 A firewall controls network communications between DMZ and internal networks.
  • 11.4.6-4 The network access rights of users are maintained and updated as required by the access control policy.
  • 11.4.6-5 A "default deny" approach is used to construct firewall rule sets.
  • 11.4.6-6 Source-routed traffic is denied.
  • 11.4.6-7 Traffic with corporate source addresses is not permitted into the network.
  • 11.4.6-8 Traffic with RFC 1918 IP source addresses is not permitted into the network.
  • 11.4.6-9 Internal addresses are translated to external addresses using NAT, PAT, or similar techniques.
  • 11.4.6-10 Only traffic destined for the controlled network is permitted.
  • 11.4.6-11 Network trust relationships are explicitly stated.
  • 11.4.6-12 A firewall controls network communications between the Internet and internal networks.

11.4.7 Network Routing Control

Identifier: 11.4.7 Network Routing Control
Description: Routing controls should be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 0.0
Probability reduction 5.0 5.0 5.0 3.0
Controls
  • 11.4.7-1 Start-up router configurations are synchronized with running configurations.
  • 11.4.7-2 Propagation of network routes across network boundaries is controlled so as to not reveal information regarding the internal corporate network.
  • 11.4.7-3 Routing controls are based on positive source and destination address checking mechanisms.
  • 11.4.7-4 Routing tables are regularly reviewed for appropriateness.

11.5.1 Secure Log-On Procedures

Identifier: 11.5.1 Secure Log-On Procedures
Description: Access to operating systems should be controlled by a secure log-on procedure.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 3.0
Controls
  • 11.5.1-1 Logon procedures validate the logon information only on completion of all input data, and the system does not indicate which part of the data is correct or incorrect.
  • 11.5.1-2 Logon procedures do not transmit passwords in clear text over a network.
  • 11.5.1-3 Logon procedures limit the maximum and minimum time allowed for the logon procedure and, if exceeded, the system terminates the logon.
  • 11.5.1-4 Logon procedures limit the number of unsuccessful logon attempts allowed, e.g., to three attempts, and include recording unsuccessful and successful attempts, forcing a time delay before further logon attempts are allowed or rejecting any further attempts.
  • 11.5.1-5 Locked user IDs must be manually unlocked by an administrator.
  • 11.5.1-6 The logon procedure discloses minimum information about the system in order to avoid providing an unauthorized user with any unnecessary assistance.
  • 11.5.1-7 The user ID is locked after not more than six failed access attempts.
  • 11.5.1-8 Locked user IDs are automatically unlocked after 30 minutes.
  • 11.5.1-9 Logon procedures display on completion of a successful logon the date and time of the previous successful logon, and details of any unsuccessful logon attempts since the last successful logon.
  • 11.5.1-10 Logon procedures display a general notice warning that the computer may be accessed only by authorized users.

11.5.2 User Identification and Authentication

Identifier: 11.5.2 User Identification and Authentication
Description: All users should have a unique identifier (user ID) for their personal use only, and a suitable authentication technique should be chosen to substantiate the claimed identity of a user.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 3.0
Controls
  • 11.5.2-1 All user types use a unique user ID, including technical support personnel, operators, network administrators, system programmers, database administrators, and so on.
  • 11.5.2-2 User IDs are used to trace activities to the responsible individual.
  • 11.5.2-3 Where strong authentication and identity verification is required, authentication methods alternative to passwords, such as cryptographic means, smart cards, tokens or biometric means, are used.

11.5.3 Password Management System

Identifier: 11.5.3 Password Management System
Description: Systems for managing passwords should be interactive and should ensure quality passwords.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 3.0 3.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 3.0
Controls
  • 11.5.3-1 The password management system enforces password changes.
  • 11.5.3-2 Passwords must be changed at least every 90 days.
  • 11.5.3-3 Passwords must be changed at least every 120 days.

11.5.4 Use of System Utilities

Identifier: 11.5.4 Use of System Utilities
Description: The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 0.0
Probability reduction 5.0 5.0 5.0 0.0
Controls
  • 11.5.4-1 Unnecessary software based utilities and system software are disabled or removed.

11.5.5 Session Time-Out

Identifier: 11.5.5 Session Time-Out
Description: Inactive sessions should shut down after a defined period of inactivity.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 0.0
Probability reduction 5.0 5.0 0.0 5.0
Controls
  • 11.5.5-1 Application and terminal sessions are automatically disconnected after 30 minutes of inactivity.
  • 11.5.5-2 Idle sessions must be re-authenticated after 15 minutes.
  • 11.5.5-3 A time-out facility clears the session screen and also, possibly later, closes both application and network sessions after a defined period of inactivity.
  • 11.5.5-4 Modems are automatically disconnected after a defined period of inactivity.
  • 11.5.5-5 Idle sessions must be re-authenticated after a specified period of inactivity.
  • 11.5.5-6 A locking screen saver is activated within 15 minutes of inactivity.
  • 11.5.5-7 Idle sessions must be re-authenticated after 30 minutes.

11.5.6 Limitation of Connection Time

Identifier: 11.5.6 Limitation of Connection Time
Description: Restrictions on connection times should be used to provide additional security for high-risk applications.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 3.0 0.0 3.0
Probability reduction 5.0 3.0 3.0 3.0
Controls
  • 11.5.6-1 Modems are only activated for vendors when needed, and are immediately deactivated after use.
  • 11.5.6-2 Accounts used by vendors for remote maintenance are only enabled during the needed time period.

11.6.1 Information Access Restriction

Identifier: 11.6.1 Information Access Restriction
Description: Access to information and application system functions by users and support personnel should be restricted in accordance with the defined access control policy.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 3.0
Controls
  • 11.6.1-1 Information access is denied unless explicitly granted.
  • 11.6.1-2 Application access restriction requirements include controlling the access rights of users, e.g., read, write, delete, and execute.
  • 11.6.1-3 Application access restriction requirements include controlling access rights of other applications.

11.6.2 Sensitive System Isolation

Identifier: 11.6.2 Sensitive System Isolation
Description: Sensitive systems should have a dedicated (isolated) computing environment.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 3.0
Controls
  • 11.6.2-1 Applications of different sensitivities do not run on the same systems without appropriate mitigating controls.
  • 11.6.2-2 The sensitivity of an application system is explicitly identified and documented by the application owner.

11.7.1 Mobile Computing and Communications

Identifier: 11.7.1 Mobile Computing and Communications
Description: A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 3.0 3.0 5.0 3.0
Probability reduction 5.0 3.0 5.0 3.0
Controls
  • 11.7.1-1 Mobile computing facilities are physically protected against theft especially when left, for example, in cars and other forms of transport, hotel rooms, conference centers, and meeting places.
  • 11.7.1-2 Mobile devices require a boot-time password.
  • 11.7.1-3 Procedures against malicious software affecting mobile computers are in place and are kept up to date.
  • 11.7.1-4 Disks on mobile devices are encrypted.
  • 11.7.1-5 Back-ups of critical business information on mobile computing facilities are taken regularly and receive security protections commensurate with their criticalities.
  • 11.7.1-6 Protection is in place to avoid the unauthorized access to or disclosure of the information stored and processed by mobile computing facilities, e.g., using cryptographic techniques.
  • 11.7.1-7 The mobile computing policy includes rules and advice on connecting mobile facilities to networks and guidance on the use of these facilities in public places.
  • 11.7.1-8 The mobile computing policy includes the requirements for physical protection, access controls, cryptographic techniques, back-ups, and virus protection.

11.7.2 Teleworking

Identifier: 11.7.2 Teleworking
Description: A policy, operational plans and procedures should be developed and implemented for teleworking activities.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 5.0 5.0 0.0 3.0
Controls
  • 11.7.2-1 Teleworking activities are both authorized and controlled by management, and it is ensured that suitable arrangements are in place for this way of working.
  • 11.7.2-2 Security arrangements for teleworking activities include the communications security requirements, taking into account the need for remote access to the organization's internal systems and the sensitivity of the information that will be accessed and will pass over public networks.
  • 11.7.2-3 Teleworking guidelines include a definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the teleworker is authorized to access.
  • 11.7.2-4 Teleworking guidelines include physical security.


12 Information Systems Acquisition, Development and Maintenance

12.1.1 Security Requirements Analysis and Specification

Identifier: 12.1.1 Security Requirements Analysis and Specification
Description: Statements of business requirements for new information systems, or enhancements to existing information systems, should specify the requirements for security controls.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 3.0 3.0 3.0 3.0
Probability reduction 5.0 5.0 5.0 5.0
Controls
  • 12.1.1-1 Security requirements and controls reflect the business value of the information assets involved, and the potential business damage that may result from a failure or absence of security.
  • 12.1.1-2 Security control requirements for information systems are specified.
  • 12.1.1-3 A formal testing and acquisition process is followed for purchased products.
  • 12.1.1-4 System requirements for information security and processes for implementing security are integrated in the early stages of information system projects.

12.2.1 Input Data Validation

Identifier: 12.2.1 Input Data Validation
Description: Data input to applications should be validated to ensure that this data is correct and appropriate.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 0.0 0.0 0.0 3.0
Probability reduction 0.0 5.0 0.0 3.0
Controls
  • 12.2.1-1 Input validation includes dual input or other input checks, such as boundary checking or limiting fields to specific ranges of input data, to detect out-of-range values, invalid characters in data fields, missing or incomplete data, and exceeding upper and lower boundaries.
  • 12.2.1-2 Applications do not accept characters that are known to cause problems such as ASCII control characters, back quotes, HTML-encoded strings, special query-language characters, and so on.
  • 12.2.1-3 Input validation includes creating a log of the activities involved in the data input process.
  • 12.2.1-4 Applications decode input, potentially doubly or triply as needed, prior to filtering.
  • 12.2.1-5 Applications filter input using a "default-deny" approach.

12.2.2 Control of Internal Processing

Identifier: 12.2.2 Control of Internal Processing
Description: Validation checks should be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
Effective for: Confidentiality Integrity Availability Compliance
Impact reduction 3.0 3.0 5.0 3.0
Probability reduction 5.0 5.0 5.0 3.0
Controls
  • 12.2.2-1 Internal processing validation checks include protection against attacks using buffer overruns/overflows.

12.2.3 Message Integrity

Identifier: 12.2.3 Message Integrity
Description: Requirements for ensuring authenticity and protecting message integrity in applications should be identified, and appropriate controls identified and implemented.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   0.0              5.0        0.0           5.0
Controls
  • 12.2.3-1 An assessment of security risks is carried out to determine if message integrity is required and to identify the most appropriate method of implementation.
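
One shape the "most appropriate method of implementation" can take once the assessment concludes that both authenticity and integrity are needed, as an added Python example that is not from the original document: an HMAC-SHA256 tag appended to each message and checked with a constant-time comparison. For contrast it also carries the weaker option of an unkeyed checksum, which detects accidental corruption but not a deliberate act. The key, the sample message and the function names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message. Only a holder of `key` can compute or check
    it, so a valid tag proves integrity and origin (authenticity) at once."""
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: message followed by its tag."""
    return message + make_tag(key, message)


def verify(key: bytes, blob: bytes) -> Optional[bytes]:
    """Receiver side: the message if the tag is valid, otherwise None.
    compare_digest runs in constant time, so an attacker cannot learn byte by
    byte how much of a guessed tag is correct."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(make_tag(key, message), tag):
        return None
    return message


# The weaker alternative: an unkeyed checksum. It catches a flipped bit in
# transit but not tampering, because whoever can rewrite the message can
# recompute the checksum as well.
def protect_checksum_only(message: bytes) -> bytes:
    return message + hashlib.sha256(message).digest()


def verify_checksum_only(blob: bytes) -> Optional[bytes]:
    if len(blob) < TAG_LEN:
        return None
    message, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return message if hashlib.sha256(message).digest() == digest else None


def forge_checksum_only(new_message: bytes) -> bytes:
    """What an attacker does to a checksum-only message: no secret is needed."""
    return protect_checksum_only(new_message)


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate corruption or tampering of one byte in transit."""
    altered = bytearray(blob)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    key = os.urandom(32)   # in production the key comes from the key management process (12.3.2)
    order = b'{"account":"42","amount":100}'        # constructed sample message
    blob = protect(key, order)
    print("untouched      :", verify(key, blob))
    print("amount altered :", verify(key, flip_bit(blob, 25)))     # None
    print("wrong key      :", verify(os.urandom(32), blob))        # None
    weak = protect_checksum_only(order)
    forged = forge_checksum_only(b'{"account":"42","amount":999}')
    print("checksum forged:", verify_checksum_only(forged))         # accepted, which is the problem
```

The tag is computed over the exact bytes that are sent; if the receiver re-serializes the message (whitespace, key order) before verifying, every check will fail, so keep the protected bytes opaque until the tag has been checked.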

12.2.4 Output Data Validation

Identifier: 12.2.4 Output Data Validation
Description: Data output from an application should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        0.0           3.0
Probability reduction   0.0              5.0        0.0           0.0
Controls
  • 12.2.4-1 Output data validation checks include plausibility checks to test whether the output data is reasonable.
  • 12.2.4-2 Output data validation checks include creating a log of activities in the data output validation process.

12.3.1 Policy on the Use of Cryptographic Controls

Identifier: 12.3.1 Policy on the Use of Cryptographic Controls
Description: A policy on the use of cryptographic controls for protection of information should be developed and implemented.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        0.0           3.0
Controls
  • 12.3.1-1 When implementing the organization's cryptographic policy, consideration is given to the regulations and national restrictions that might apply to the use of cryptographic techniques in different parts of the world and to the issues of trans-border flow.
  • 12.3.1-2 The cryptographic controls policy includes the approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys.
  • 12.3.1-3 The cryptographic controls policy includes the roles and responsibilities, e.g., who is responsible for the implementation of the policy and key management, including key generation.
  • 12.3.1-4 Data transmitted over wireless networks is protected using encryption technologies such as SSL, WPA/WPA2, or IPSEC VPN.
  • 12.3.1-5 Non-console administrative access is encrypted.
  • 12.3.1-6 Sensitive data stored in cookies is encrypted.
  • 12.3.1-7 Sensitive data is transmitted in encrypted form.
  • 12.3.1-8 The cryptographic controls policy is based on a risk assessment, and the required level of protection is identified taking into account the type, strength, and quality of the encryption algorithm required.
  • 12.3.1-9 The cryptographic controls policy includes the use of encryption for protection of sensitive information transported by mobile or removable media or devices, or across communication lines.

12.3.2 Key Management

Identifier: 12.3.2 Key Management
Description: Key management should be in place to support the organization's use of cryptographic techniques.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        0.0           3.0
Controls
  • 12.3.2-1 The cryptographic key management system includes generating and obtaining public key certificates.
  • 12.3.2-2 The cryptographic key management system includes archiving keys, e.g., for information archived or backed up.
  • 12.3.2-3 Users obtain and store digital certificates using secure means.
  • 12.3.2-4 The cryptographic key management system includes changing or updating keys, including rules on when keys are to be changed and how this will be done.
  • 12.3.2-5 The cryptographic key management system includes revoking keys, including how keys are to be withdrawn or deactivated, e.g., when keys have been compromised or when a user leaves an organization.
  • 12.3.2-6 The cryptographic key management system includes as part of business continuity management recovering keys that are lost or corrupted, e.g., for recovery of encrypted information.
  • 12.3.2-7 Digital certificates are appropriately distributed to intended users.
  • 12.3.2-8 Encryption keys for wireless networks are changed at least annually.
  • 12.3.2-9 The cryptographic key management system includes dealing with compromised keys.
  • 12.3.2-10 The cryptographic key management system includes generating keys for different cryptographic systems and different applications.
  • 12.3.2-11 The cryptographic key management system includes storing keys, including how authorized users obtain access to keys.
  • 12.3.2-12 Digital certificates are appropriately revoked.
  • 12.3.2-13 The cryptographic key management system includes distributing keys to intended users, including how keys are to be activated when received.
  • 12.3.2-14 The cryptographic key management system includes destroying keys.

12.4.1 Control of Operational Software

Identifier: 12.4.1 Control of Operational Software
Description: There should be procedures in place to control the installation of software on operational systems.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        3.0           0.0
Controls
  • 12.4.1-1 A configuration control system is used to keep control of all implemented software, as well as the system documentation.
  • 12.4.1-2 Operational systems hold only approved executable code, and not development code or compilers.
  • 12.4.1-3 Vendor-supplied software used in operational systems is maintained at a level supported by the supplier.

12.4.2 Protection of System Test Data

Identifier: 12.4.2 Protection of System Test Data
Description: Test data should be selected carefully, and protected and controlled.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        0.0           3.0
Probability reduction   5.0              5.0        0.0           3.0
Controls
  • 12.4.2-1 Live PANs are not used for testing or development.
  • 12.4.2-2 The use for testing purposes of operational databases containing personal information or any other sensitive information is avoided or the data is removed or modified beyond recognition before use.
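
An added Python example, not part of the original document, of the "modified beyond recognition" step applied to card data before a production extract is handed to a test environment: each live PAN is replaced by a synthetic number of the same length that still passes the Luhn check (so application validation keeps working) and is derived with a keyed HMAC, so the same live PAN maps to the same synthetic PAN in every table and the mapping cannot be reversed without the key. Free-text fields are scanned for card-length digit runs as well, and the display form is masked to first six and last four. The test prefix, key, record layout and sample values are constructed for the example.

```python
import hashlib
import hmac
import re

# Assumed test prefix for the example: every synthetic PAN starts with it so that
# the output can never be mistaken for, or collide with, a live card number.
TEST_PREFIX = "411111"

PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")   # digit runs of card-number length


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check that every PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The digit that makes partial + digit pass luhn_valid()."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these are the doubled positions once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def mask_pan(digits: str) -> str:
    """Display form: first six and last four digits, the usual masking convention."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pseudonymize_pan(pan: str, key: bytes) -> str:
    """Replace a live PAN by a synthetic one of the same length that passes Luhn.
    The body comes from a keyed HMAC, so the mapping is stable across tables
    (joins still work) but cannot be recomputed or inverted without the key."""
    digits = re.sub(r"\D", "", pan)                       # tolerate "1234 5678 ..." input
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a PAN")
    mac = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    body_len = len(digits) - len(TEST_PREFIX) - 1         # room for prefix and check digit
    body = str(int(mac, 16) % 10 ** body_len).zfill(body_len)
    partial = TEST_PREFIX + body
    return partial + luhn_check_digit(partial)


def scrub_text(text: str, key: bytes) -> str:
    """Notes and log fields carry PANs too: replace every card-length digit run
    that passes Luhn, leave other numbers (order ids, references) alone."""
    def repl(match):
        run = match.group(0)
        return pseudonymize_pan(run, key) if luhn_valid(run) else run
    return PAN_CANDIDATE.sub(repl, text)


def scrub_record(record: dict, key: bytes) -> dict:
    """One row of a production extract -> its test-safe copy (constructed schema)."""
    clean = dict(record)
    clean["pan"] = pseudonymize_pan(record["pan"], key)
    clean["pan_display"] = mask_pan(clean["pan"])
    clean["notes"] = scrub_text(record.get("notes", ""), key)
    return clean


if __name__ == "__main__":
    key = b"extract-scrubbing-key"   # constructed; in practice held by the team that runs the extract
    row = {"id": 7, "pan": "5555 5555 5555 4444",          # constructed sample row
           "notes": "retry of 5555555555554444, ref 1234567890123"}
    print(scrub_record(row, key))
```

Because the synthetic PAN is deterministic per key, the scrubbing key itself must be protected and never shipped with the test data; with it, anyone could confirm a guessed live PAN by recomputing its pseudonym.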

12.4.3 Access Control to Program Source Code

Identifier: 12.4.3 Access Control to Program Source Code
Description: Access to program source code should be restricted.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        3.0           3.0
Controls
  • 12.4.3-1 Access to program source code and associated items (such as designs, specifications, verification plans and validation plans) is strictly controlled to prevent the introduction of unauthorized functionality and to avoid unintentional changes.
  • 12.4.3-2 Program listings are held in a secure environment.

12.5.1 Change Control Procedures

Identifier: 12.5.1 Change Control Procedures
Description: The implementation of changes should be controlled by the use of formal change control procedures.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   3.0              5.0        5.0           0.0
Controls
  • 12.5.1-1 Change control procedures include maintaining version control for all software updates.
  • 12.5.1-2 The change control process ensures that formal agreement and approval for any change is obtained.
  • 12.5.1-3 Introduction of new systems and major changes to existing systems follow a formal process of documentation, specification, testing, quality control, and managed implementation.
  • 12.5.1-4 Change control procedures include ensuring changes are submitted by authorized users.
  • 12.5.1-5 Change control procedures include obtaining formal approval for detailed proposals before work commences.
  • 12.5.1-6 Change control procedures include maintaining an audit trail of all change requests.
  • 12.5.1-7 The change control process ensures that existing security and control procedures are not compromised.
  • 12.5.1-8 Change control procedures include ensuring authorized users accept changes prior to implementation.
  • 12.5.1-9 Change control procedures include reviewing controls and integrity procedures to ensure that they will not be compromised by the changes.
  • 12.5.1-10 Formal change control procedures are documented and enforced in order to minimize the corruption of information systems.
  • 12.5.1-11 The change control process includes a risk assessment, analysis of the impacts of changes, and specification of security controls needed.

12.5.2 Technical Review of Applications after Operating System Changes

Identifier: 12.5.2 Technical Review of Applications after Operating System Changes
Description: When operating systems are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   3.0              5.0        5.0           0.0
Controls
  • 12.5.2-1 A specific group or individual is given responsibility for monitoring vulnerabilities and vendors' releases of patches and fixes.
  • 12.5.2-2 Technical reviews of applications following operating system changes include a review of application control and integrity procedures to ensure that they have not been compromised.

12.5.3 Restrictions on Changes to Software Packages

Identifier: 12.5.3 Restrictions on Changes to Software Packages
Description: Modifications to software packages should be discouraged, limited to necessary changes, and all changes should be strictly controlled.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           0.0
Probability reduction   3.0              5.0        5.0           0.0
Controls
  • 12.5.3-1 A software update management process is implemented to ensure the most up-to-date approved patches and application updates are installed for all authorized software.
  • 12.5.3-2 All modifications to software packages are fully tested and documented, so that they can be reapplied if necessary to future software upgrades.

12.5.4 Information Leakage

Identifier: 12.5.4 Information Leakage
Description: Opportunities for information leakage should be prevented.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              0.0        0.0           3.0
Probability reduction   5.0              0.0        0.0           5.0
Controls
  • 12.5.4-1 Information leakage risk is reduced through monitoring resource usage in computer systems.
  • 12.5.4-2 Information leakage risk is reduced through making use of systems and software that are considered to be of high integrity, e.g., using evaluated products.

12.5.5 Outsourced Software Development

Identifier: 12.5.5 Outsourced Software Development
Description: Outsourced software development should be supervised and monitored by the organization.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        5.0           3.0
Controls
  • 12.5.5-1 Outsourced software development includes contractual requirements for quality and security functionality of code.
  • 12.5.5-2 Outsourced software development includes testing before installation to detect malicious and Trojan code.
  • 12.5.5-3 Outsourced software development includes licensing arrangements, code ownership, and intellectual property rights.
  • 12.5.5-4 Outsourced software development includes certification of the quality and accuracy of the work carried out.

12.6.1 Control of Technical Vulnerabilities

Identifier: 12.6.1 Control of Technical Vulnerabilities
Description: Timely information about technical vulnerabilities of information systems being used should be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        5.0           3.0
Controls
  • 12.6.1-1 The latest security patches are applied.
  • 12.6.1-2 The risks associated with installing patches are assessed.
  • 12.6.1-3 Resources are maintained that provide information regarding technical vulnerabilities pertaining to software and other technology used within the organization.
  • 12.6.1-4 Security patches are installed within one month of release.
  • 12.6.1-5 The organization identifies the associated risks and the actions taken in response to identified potential technical vulnerabilities, such as patching vulnerable systems and/or applying other controls.
  • 12.6.1-6 The organization responds to identified potential technical vulnerabilities in a timely manner.
  • 12.6.1-7 Patches are tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated.


13 Information Security Incident Management

13.1.1 Reporting Information Security Events

Identifier: 13.1.1 Reporting Information Security Events
Description: Information security events should be reported through appropriate management channels as quickly as possible.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        5.0           5.0
Controls
  • 13.1.1-1 A formal information security event reporting procedure is established, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event.
  • 13.1.1-2 A point of contact is established for the reporting of information security events.
  • 13.1.1-3 All employees, contractors and third party users are aware of their responsibility to report any information security events as quickly as possible.
  • 13.1.1-4 Security event reporting procedures include the correct behavior to be undertaken in case of an information security event, such as noting all important details immediately, and not carrying out any personal action but immediately reporting to the point of contact.
  • 13.1.1-5 Security event reporting procedures include reference to an established formal disciplinary process for dealing with employees, contractors or third party users who commit security breaches.

13.1.2 Reporting Security Weaknesses

Identifier: 13.1.2 Reporting Security Weaknesses
Description: All employees, contractors and third party users of information systems and services should be required to note and report any observed or suspected security weaknesses in systems or services.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           5.0
Probability reduction   5.0              5.0        5.0           5.0
Controls
  • 13.1.2-1 All employees, contractors and third party users are directed to report suspected security events either to their management or directly to their service provider as quickly as possible in order to prevent information security incidents.

13.2.1 Responsibilities and Procedures

Identifier: 13.2.1 Responsibilities and Procedures
Description: Management responsibilities and procedures should be established to ensure a quick, effective, and orderly response to information security incidents.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        5.0           5.0
Controls
  • 13.2.1-1 System alerts and vulnerability monitoring are used to detect information security incidents.
  • 13.2.1-2 Procedures are established to handle different types of information security incidents, including information system failures and loss of service, malicious code, denial of service, errors resulting from incomplete or inaccurate business data, breaches of data, etc.
  • 13.2.1-3 Security incident management procedures cover analysis and identification of the cause of the incident, containment, planning and implementation of corrective action to prevent recurrence, communication with those affected by or involved with recovery activities.

13.2.2 Learning from Information Security Incidents

Identifier: 13.2.2 Learning from Information Security Incidents
Description: There should be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           0.0
Probability reduction   5.0              5.0        5.0           0.0
Controls
  • 13.2.2-1 Incident data is analyzed to identify high-impact or recurring incidents.

13.2.3 Collection of Evidence

Identifier: 13.2.3 Collection of Evidence
Description: Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence should be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        5.0           5.0
Controls
  • 13.2.3-1 Internal procedures are developed and followed when collecting and presenting evidence for the purposes of disciplinary action handled within an organization.


14 Business Continuity Management

14.1.1 Including Information Security in the Business Continuity Management Process

Identifier: 14.1.1 Including Information Security in the Business Continuity Management Process
Description: A managed process should be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        5.0              5.0        5.0           5.0
Probability reduction   0.0              5.0        5.0           0.0
Controls
  • 14.1.1-1 The business continuity management process includes understanding the impact that interruptions caused by information security incidents are likely to have on the business.
  • 14.1.1-2 The business continuity management process includes regular testing and updating of the plans and processes put in place.
  • 14.1.1-3 The business continuity management process includes understanding the risks the organization is facing in terms of likelihood and impact in time, including an identification and prioritization of critical business processes.
  • 14.1.1-4 The business continuity management process includes identifying all the assets involved in critical business processes.

14.1.2 Business Continuity and Risk Assessment

Identifier: 14.1.2 Business Continuity and Risk Assessment
Description: Events that can cause interruptions to business processes should be identified, along with the probability and impact of such interruptions and their consequences for information security.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        5.0           0.0
Probability reduction   0.0              5.0        5.0           0.0
Controls
  • 14.1.2-1 Business continuity risk and criticality assessments are performed at least annually.
  • 14.1.2-2 A business continuity risk assessment is conducted to determine the probability and impact of interruptions, in terms of time, damage scale and recovery period.
  • 14.1.2-3 The business continuity risk assessment identifies, quantifies, and prioritizes risks against criteria and objectives relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities.

14.1.3 Developing and Implementing Continuity Plans Including Information Security

Identifier: 14.1.3 Developing and Implementing Continuity Plans Including Information Security
Description: Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        5.0           0.0
Probability reduction   0.0              0.0        0.0           0.0
Controls
  • 14.1.3-1 The business continuity planning process includes identification and agreement of all responsibilities and business continuity procedures.
  • 14.1.3-2 The business continuity planning process includes appropriate education of staff in the agreed procedures and processes, including crisis management.
  • 14.1.3-3 The business continuity planning process includes documentation of agreed procedures and processes.
  • 14.1.3-4 The business continuity planning process includes testing and updating of the plans.
  • 14.1.3-5 A usable copy of critical software is stored safely and securely.
  • 14.1.3-6 The level of implemented security controls at alternate locations of business continuity plans is equivalent to the main site.
  • 14.1.3-7 Other material necessary to execute the continuity plans is also stored at the remote location.

14.1.4 Business Continuity Planning Framework

Identifier: 14.1.4 Business Continuity Planning Framework
Description: A single framework of business continuity plans should be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        5.0              3.0        5.0           3.0
Probability reduction   0.0              0.0        0.0           0.0
Controls
  • 14.1.4-1 The business continuity planning framework includes awareness, education, and training activities which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective.
  • 14.1.4-2 The business continuity planning framework includes the responsibilities of the individuals, describing who is responsible for executing which component of the plan. Alternatives are nominated as required.
  • 14.1.4-3 The business continuity planning framework includes resumption procedures which describe the actions to be taken to return to normal business operations.
  • 14.1.4-4 The business continuity planning framework includes temporary operational procedures to follow pending completion of recovery and restoration.
  • 14.1.4-5 The business continuity planning framework includes a maintenance schedule which specifies how and when the plan will be tested, and the process for maintaining the plan.
  • 14.1.4-6 The business continuity planning framework includes emergency procedures, which describe the actions to be taken following an incident that jeopardizes business operations.
  • 14.1.4-7 The business continuity planning framework includes the conditions for activating the plans which describe the process to be followed before each plan is activated.

14.1.5 Testing, Maintaining and Re-Assessing Business Continuity Plans

Identifier: 14.1.5 Testing, Maintaining and Re-Assessing Business Continuity Plans
Description: Business continuity plans should be tested and updated regularly to ensure that they are up to date and effective.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        5.0           0.0
Probability reduction   0.0              3.0        0.0           0.0
Controls
  • 14.1.5-1 The business continuity plan is tested at least annually.
  • 14.1.5-2 The test schedule for business continuity plan(s) indicates how frequently and when each element of the plan will be tested.
  • 14.1.5-3 The results of business continuity tests are recorded and actions taken to improve the plans.


15 Compliance

15.1.1 Identification of Applicable Legislation

Identifier: 15.1.1 Identification of Applicable Legislation
Description: All relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements should be explicitly defined, documented, and kept up to date for each information system and the organization.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   0.0              0.0        0.0           5.0
Controls
  • 15.1.1-1 An occupancy permit is available for each physical facility.
  • 15.1.1-2 The specific controls and individual responsibilities to meet relevant statutory, regulatory, and contractual requirements are defined and documented.
  • 15.1.1-3 The requirements of the HIPAA security rule are addressed.
  • 15.1.1-4 The requirements of NERC CIP 002-009 are addressed.
  • 15.1.1-5 The requirements of PCI are addressed.
  • 15.1.1-6 Data retention requirements have been identified and policies have been developed to meet these requirements.

15.1.2 Intellectual Property Rights (IPR)

Identifier: 15.1.2 Intellectual Property Rights (IPR)
Description: Appropriate procedures should be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           0.0
Probability reduction   0.0              0.0        0.0           5.0
Controls
  • 15.1.2-1 Intellectual property protections include maintaining awareness of policies to protect intellectual property rights, and giving notice of the intent to take disciplinary action against personnel breaching them.
  • 15.1.2-2 Intellectual property protections include maintaining appropriate asset registers, and identifying all assets with requirements to protect intellectual property rights.
  • 15.1.2-3 Intellectual property protections include publishing an intellectual property rights compliance policy that defines the legal use of software and information products.
  • 15.1.2-4 Intellectual property protections include acquiring software only through known and reputable sources, to ensure that copyright is not violated.

15.1.3 Protection of Organizational Records

Identifier: 15.1.3 Protection of Organizational Records
Description: Important records should be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              5.0        0.0           3.0
Probability reduction   5.0              5.0        0.0           5.0
Controls
  • 15.1.3-1 Controls are in place to prevent or respond to the deterioration of media used for the storage of organizational records.
  • 15.1.3-2 Appropriate controls are implemented to protect organizational records and information from loss, destruction, and falsification.

15.1.4 Data Protection and Privacy of Personal Information

Identifier: 15.1.4 Data Protection and Privacy of Personal Information
Description: Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        3.0              0.0        0.0           3.0
Probability reduction   5.0              0.0        0.0           3.0
Controls
  • 15.1.4-1 An organizational data protection and privacy policy is developed and implemented.
  • 15.1.4-2 Appropriate technical and organizational measures are implemented to protect personal information.

15.1.5 Prevention of Misuse of Information Processing Facilities

Identifier: 15.1.5 Prevention of Misuse of Information Processing Facilities
Description: Users should be deterred from using information processing facilities for unauthorized purposes.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        0.0           5.0
Controls
  • 15.1.5-1 At logon, a warning message is presented to indicate that the information processing facility being entered is owned by the organization and that unauthorized access is not permitted.
  • 15.1.5-2 Users acknowledge and react appropriately to the logon warning message on the screen to continue with the logon process.
  • 15.1.5-3 Users are made aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use for the purposes of protecting sensitive and personal data.

15.1.6 Regulation of Cryptographic Controls

Identifier: 15.1.6 Regulation of Cryptographic Controls
Description: Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        0.0           5.0
Controls
  • 15.1.6-1 Before encrypted information or cryptographic controls are moved to another country, legal requirements are considered pertaining to the import, export, and use of cryptographic controls for each jurisdiction.

15.2.1 Compliance with Security Policies and Standards

Identifier: 15.2.1 Compliance with Security Policies and Standards
Description: Managers should ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              3.0        3.0           3.0
Probability reduction   5.0              5.0        5.0           5.0
Controls
  • 15.2.1-1 The organization determines and implements appropriate corrective action to become compliant with relevant requirements.
  • 15.2.1-2 Managers regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements.
  • 15.2.1-3 The organization evaluates the need for actions to ensure that non-compliance does not recur.
  • 15.2.1-4 Results of compliance reviews and corrective actions carried out by managers are recorded and these records are maintained.

15.2.2 Technical Compliance Checking

Identifier: 15.2.2 Technical Compliance Checking
Description: Information systems should be regularly checked for compliance with security implementation standards.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        5.0           3.0
Controls
  • 15.2.2-1 Vulnerability and penetration tests are planned, documented, repeatable, and conducted with caution to potential negative effects to information systems.
  • 15.2.2-2 Technical compliance checking is performed either manually by an experienced system engineer, or with the assistance of automated tools that generate a technical report for subsequent interpretation by a technical specialist.

15.3.1 Information Systems Audit Controls

Identifier: 15.3.1 Information Systems Audit Controls
Description: Audit requirements and activities involving checks on operational systems should be carefully planned and agreed to minimize the risk of disruptions to business processes.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           3.0
Probability reduction   5.0              5.0        5.0           5.0
Controls
  • 15.3.1-1 Resources for performing the checks are explicitly identified and made available.
  • 15.3.1-2 The scope of information system audit checks is agreed and controlled.

15.3.2 Protection of Information Systems Audit Tools

Identifier: 15.3.2 Protection of Information Systems Audit Tools
Description: Access to information systems audit tools should be protected to prevent any possible misuse or compromise.
Effective for:          Confidentiality  Integrity  Availability  Compliance
Impact reduction        0.0              0.0        0.0           5.0
Probability reduction   5.0              5.0        5.0           5.0
Controls
  • 15.3.2-1 Information systems audit tools are separated from development and operational systems and not held in tape libraries or user areas, unless given an appropriate level of additional protection.