Confidentiality
Security in projects and changes
Description Planned changes are evaluated for potential security impact. The classification of all processes and systems involved in the change is reviewed and adjusted where necessary. In projects, sufficient resources...
Emergency updates
Emergency changes requiring immediate implementation are properly handled to ensure minimal impact on systems and IT applications. The emergency change is registered, evaluated and tested after implementation and approved by...
Patch management
Available patches and/or security fixes are installed in compliance with set and approved policies (including those for operating systems, databases and installed applications) and recommendations of CERT and/or suppliers.
Detection of assets
Description Organisations actively and passively detect assets that may not be registered in the CMDB, both within the network and outside. Discrepancies in CMDB and detected assets are resolved.
Asset registration
The assets making up a system that are under control of the organisation are registered and tracked in the CMDB. System owners periodically check that the information in the CMDB...
Asset inventory
Organisations maintain an accurate and up-to-date registry of organisational hardware and software assets in a Configuration Management Database (CMDB).
Governance of Processes and Systems
The Information Systems and Processes are identified and registered. Each System and Process has an owner within the organisation. The owner is responsible for compliance with the organisational information security...
Acceptable use policy
End users are actively informed on the organisational policies regarding acceptable use of assets. Organisationally offered IT assets and services must be used for professional purposes, the usage of free/private...