Question about IT Security Policy
2. In relation to the same document and even the same section, I would also like to understand the reason why the use of cryptographic tools is prohibited, which has been the point before the one I asked you first in this same mail thread.
Greetings and thanks in advance, I look forward to both feedbacks. Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1. A small query, the "A.8.2_Politica_de_seguridad_de_TI_Premium_ES" mentions as prohibited activity the one that I highlight in red below, however, it is not entirely clear to me what it refers to, please clarify?
The original text from the English version is “to download program code from external media”, which means employees cannot use media not controlled by the organization, such as personal pen drives or third-party CDs/DVDs, to install any kind of software. This is so to avoid introduction in an organization’s environment of malware, or software that can violate intellectual property rights.
2. In relation to the same document and even the same section, I would also like to understand the reason why the use of cryptographic tools is prohibited, which has been the point before the one I asked you first in this same mail thread.
Greetings and thanks in advance, I look forward to both feedbacks.
Please note that this point refers to not use cryptographic solutions in situations not defined in the Information Classification Policy. This is so because the use of cryptographic solutions in not defined situations poses a risk that information can be unavailable when needed (e.g., if an employee encrypts their computer in a non-defined situation and go on vacation, loses the encryption key, or leaves the organization, and the IT team does know about this encrypted computer, the information in the local computer cannot be accessed).
For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Thank you very much for the clarification Rhand, after turning the points so much I realized that they are problems in the Spanish translation.
In my case and as a contribution to you, I finally translated them as follows:
Utilizar herramientas criptográficas (encriptado) sobre ordenadores locales sin la correspondiente autorización de Tecnologías de Información (TI).
Descargar e instalar programas, aplicaciones y/o software desde dispositivos de almacenamiento externos personales o no suministrados por Tecnologías de Información (TI).
Comment as guest or Sign in
Jun 18, 2021