-The entity shall develop policies and procedures to protect information transferred across business information systems
-Log on, log off procedures-The entity shall control access to systems and applications using a secure log on and log off procedure.
-Procedure for publishing of public information-The entity shall develop and formalize procedures for the publishing of public information to ensure nonpublic information is not exposed
-Where shall we include 'fault logging' and 'clock synchronization': in the Logging and Monitoring policy or in the procedure? And what information related to 'fault logging' and 'clock synchronization' shall be captured?
-Also, for clock synchronization, what is recommended? NTP, or another algorithm?
Answer: In fact, you have to mention 'fault logging' and 'clock synchronization' in both documents, but considering different points of view.
Policies refer to high level intentions and behaviours an organization expects its users to follow and main guidance about the infrastructure, while procedures describe details on how to perform and record required actions.
Considering that, in the Logging and Monitoring policy you should state something like "both relevant successful and unsuccessful attempts to perform actions in the information systems must be recorded and periodically reviewed", and that "all systems must operate under the same time reference".
Regarding the Logging and Monitoring procedure, you must detail the previous information something like this:
- The following successful/unsuccessful attempts to perform actions in the information systems must be recorded: login attempts, deletion attempts, attempts to disable security functions, date and time of the activity, originating IP address, etc.
Observation: These examples are the most common information gathered by log systems, but you can add more information if your risk assessment identifies such a need.
- All information systems must be synchronized according to the XXXX time zone, using as reference the time server at this address:
>Thanks a lot for the support. I read it, but it doesn't have an answer to points 1 to 3. Request you to help me with the first 3 points mentioned in my questions.
>I would like to know what I should keep in the content of these? Or share samples if possible.
Answer: The content of policies and procedures related to information transfer, log on and log off, and publication of public information depends on the relevant risks identified in your risk assessment and the legal requirements applicable to your organization, so there isn't a definitive answer to your question.
ISO 27002, a supporting standard for the implementation of ISO 27001 Annex A controls, can provide you with a comprehensive set of guidance and recommendations that you can use to tailor your documents. You should consider at least these controls:
- 9.1.1 Access control policy
- 9.4.2 Secure log-on procedures
- 13.2.1 Information transfer policies and procedures
- 13.2.2 Agreements on information transfer
- 13.2.4 Confidentiality or non-disclosure agreements