Over the next few weeks we will be showing simple steps for the transition. Here is information about the mandatory policies:
- Information Security Policy – sets out the policy of the company and covers C.I.A (confidentiality, integrity and availability)
- Mobile Device Policy – sets out the protections and controls for mobile devices, which include tablets, laptops/notebooks and smart phones.
- Termination of Employment Policy – sets out the controls and actions to be taken when an employment ends; resignation, dismissal and redundancy are all covered.
- Teleworking Policy – sets the information security controls required for off-site workers.
- Acceptable Use of Assets Policy – sets out the policy on use of equipment and also the uses which are not permitted.
- Cryptographic Policy – sets out the controls on the use of cryptography necessary to maximise the benefits and minimise the risks of using cryptographic techniques and to avoid inappropriate or incorrect use.
- Cryptographic Keys Lifetime Protection Policy – sets out the controls for the issue, protection, storage and actions for retiring keys.
- Security for Assets while Off Site Policy – sets out the controls to protect equipment and data when outside the protection of the organisation.
- Unattended Equipment Policy – sets out the controls to protect unattended equipment on site.
- Clear Desk Policy – sets out the controls to protect sensitive documents or data on desks.
- Clear Screen Policy – sets out the controls for screens to be protected from being viewed by unauthorised people.
- Formal Information Transfer Policy – sets out the controls and protocols for the transfer of data. This includes the methods of transfer and the requirement for cryptographic controls where necessary.
This is an important stage in the transition to the new standard.