Thursday 14 April 2016

Organization of Information Security Part 2

Allocation of responsibilities

Information security responsibilities should be defined clearly. The following points could be included:

  • Identification of the individual or individuals responsible for the security of each information processing facility
  • Clear definition and identification of the assets, and the security controls associated with them, for each information processing facility

Coordination of efforts

All information security activities should be coordinated by representatives from different parts of the organization with appropriate security job functions and roles. The following points could be included:

  • Coordinated efforts to assess the adequacy and effectiveness of already implemented controls and to recommend additional measures based on those assessments
  • Ensuring that all information security controls are executed in compliance with the organization's information security and privacy policies
  • Identifying significant changes in threats and vulnerabilities, both external and internal, and recommending appropriate action to deal with them
  • Proposing refinements to assessment processes and methodologies (e.g., risk assessment), subject to approval by management
  • Promoting training and security awareness programs for all persons affiliated with the organization
  • Evaluating information security incident data from across the organization, reporting these data to appropriate management personnel, and recommending appropriate action based on them

Authorization processes

A management authorization process for new information processing capabilities and facilities, and for significant changes to existing capabilities and facilities, should be defined and implemented. The following points could be included:

  • Certification that software/hardware used by the new or changed existing system meets standards of the organization
  • Formal approval of use and purpose for each new system, or for existing systems that are changed materially
  • Approval of any non-standard users, functions or locations, including approval of any personal, extra-organizational or privately-owned software/hardware/facilities to be used
  • Certification that the new or changed existing system complies with all applicable and relevant security controls mandated by the security policy of the organization

Confidentiality and non-disclosure agreements

Requirements for confidentiality and non-disclosure agreements should reflect the organization's needs for the protection of information. These agreements should be reviewed periodically. The following points could be included:

  • Responsibilities of signatories, including adherence to security controls and limitations on disclosure or use of information
  • Definition of the information, information system(s) or information type(s) that are to be protected
  • Actions required when the agreement is terminated, including requirements to destroy or return information
  • Processes for notice and reporting of breaches
  • Rendering of the agreement in clear, legally enforceable terms that accord with all relevant statutory, regulatory and private certificatory requirements
  • Expected duration of the agreement
  • Right to monitor compliance with the agreement
  • Terms of ownership of information, including both intellectual property and trade secret requirements
  • Expected actions to be taken in the event of a breach

Contacts with authorities

Appropriate contacts should be maintained with external authorities. The following points could be included:

  • Specification of the manner and timing in which breaches shall be communicated to external authorities so as to ensure appropriate reporting
  • Development of procedures, policies and contact lists that specify by whom and when external authorities should be contacted

Contacts with special interest groups

Appropriate contacts should be maintained with special interest groups or other professional associations and specialist security forums.

Contracts and contacts with external parties

Agreements with third parties that involve processing, accessing, managing or communicating the organization's information or information processing facilities should cover all relevant security requirements. Such agreements could include the following content:

  • Requirements for system administrator and user training and awareness efforts
  • The applicable information security policy or policies of all contracting organizations
  • A specific and clear change management process
  • Appropriate definitions of verifiable performance criteria
  • Reporting formats, report contents and frequency, and the overall reporting structure
  • Essential controls to ensure compliance with the security policies
  • Responsibilities related to software/hardware selection and configuration
  • A specific and clear incident management process, including requirements for notification, reporting and investigation
  • Ownership of data and intellectual property rights
  • Problem resolution processes, including escalation steps
  • Conditions for termination or renegotiation of the agreement
  • Rights to audit and monitor activities
  • Levels of service continuity and acceptable/unacceptable service
  • Policies regarding subcontractors

Contacts and contracts with customers

Before giving customers access to the organization's information or assets, the identified security requirements should be addressed. The control considerations are similar to those for other external parties mentioned above.

Independent review of information security

The organization's approach to managing information security and its implementation should be reviewed independently at planned and regular intervals as well as when there are significant changes to the external environment or the internal structure.
