Principles of Information Assurance
THE ORGANIZATIONAL/POLICY DOMAIN
Principle One: Organizational Security Policy
The organization will establish an inclusive set of
rational and systematic policies for information assurance. These
will be derived from a commonly accepted model of expert best
practice. They will serve to ensure the protection and management
control of the complete set of identified information and IT assets.
This array of policies will be implemented through a strategic
planning process. It will accurately reflect the long-term
protection needs of each component of the information and IT
resource base. It will ensure full and ongoing protection of all
information assets. It will be continuously audited and enforced by
the business.
Principle Two: Defined and Documented Security Infrastructure
The organization will design, implement and enforce
a logical and consistent information assurance infrastructure. The
infrastructure will be operated and maintained systematically and
immediately responsive to the protection needs of the information
and IT resource base. The architecture of this framework will embody
procedures tailored to the particular organizational instance. These
procedures will be based on, and will substantiate, the explicit best
practice control objectives identified during the policy formulation
process. The control objectives that the design process identifies
as appropriate will be audited for conformance.
Principle Three: Education
A proactive program will be established and
maintained to ensure that the human resources of the organization
are fully and continuously aware of security requirements and
procedures relevant to their work. In addition, the organization will
develop a comprehensive plan to ensure that staff security
capability will be maintained at acceptable levels, based on defined
criteria. Finally, the organization will develop managerial capacity
both with respect to security strategic planning and also with
respect to supervision and control of the information
resource.
Principle Four: Asset Management
The organization will establish an identification
process and a baseline control scheme for the purpose of specific
asset accounting for security control. The baseline will document
and maintain a specific record of the status of each instance of an
information resource element. Every item in the baseline will be
identified, given a unique identifying label and will be maintained
as an entry within an asset accounting repository. A designated
decision maker will authorize material changes to the form of any
entry in the repository. Upon completion, the change must be verified
as correct before being recorded as the current version in the
repository.
Principle Five: Business Continuity
The organization will establish and maintain a
comprehensive action plan and defined practices to ensure that
business processes will not be disrupted if the information base is
illegally accessed or harmed. That includes procedural mechanisms
for the preservation and recovery of information that might have
been lost. Additionally, it will involve the implementation and
documentation of a consistent mechanism for the safe backup and
storage of all information assets at a prescribed point in time. It
will further include technical processes for ensuring the
continuous operation of the information processing and storage
function should harm occur.
Principle Six: Regulatory Compliance
The organization will establish comprehensive
control procedures to identify and ensure the compliance of the
information processing function and the information and IT asset
base with all stipulations of contracts, regulations and laws. This
will include the definition of an oversight and accountability
scheme to ensure that due diligence will be continuously
practiced.
THE MANAGERIAL/ADMINISTRATIVE DOMAIN
Principle Seven: Development Process Security
The organization will establish a defined and repeatable process
that will ensure that a complete and correct set of information
security functional and non-functional requirements is specified and
implemented as integral elements in all software and system
development projects and project work. All development lifecycle
process work will be dictated by, and performed based on, these
requirements.
Principle Eight: Personnel Security
The organization will establish, document and make
public a comprehensive set of formal procedures for assurance of
worker compliance with security policy. This will include the
provision of training sufficient for individual workers to
understand all security policies. This will also involve the
explicit assignment of worker accountability for identified
information and IT assets as well as the definition of procedures to
monitor worker compliance. All workers will be adequately screened
to ensure that they comply with the security requirements of their
particular role in the organization. Workers will not be entitled to
retrieve or possess information that they have not been properly
qualified to access by their designated organizational role.
Principle Nine: Physical Security
The security of physical assets and space will be
assured by explicit policies and procedures, which will be
systematically audited for compliance. These will be expressly
designed to ensure that the integrity of all workspaces and physical
resources will be maintained as specified. This will include a
complete set of rational physical asset inventory controls as well
as actions to reliably define and establish a secure perimeter. In
addition, the organization will develop, document and make public a
coherent set of control procedures to assure that the physical space
within that boundary is secure.
THE OPERATIONAL/TECHNICAL DOMAIN
Principle Ten: Access Control
The organization will establish a complete set of
procedures to fully monitor and control access, both electronic and
physical, to information and IT resources. Specifically, this will
include the design and implementation of a comprehensive and
rational set of procedures and system utilities to ensure that all
identified information and IT assets are protected from unauthorized
access and/or harm from either internal or external sources.
Principle Eleven: Operations Security
The organization will ensure that staff will only
be involved in work that is appropriate to their role and as defined
by policy and procedure. That includes measures to protect the
organization from harm incurred as a result of the day-to-day course
of doing business.
Principle Twelve: Network Security
The organization will establish comprehensive
mechanisms to shield processes related to the everyday generation,
manipulation, or transmission of information from unauthorized
access or harm. That includes the identification and adoption
of electronic and organizational means to ensure that transmissions
of information along public and private networks will fulfill all
availability, integrity and confidentiality requirements. That
includes measures to protect from direct attacks as well as denial
of service and repudiation incidents.
Principle Thirteen: Application and System Software Security
The organization will establish procedures to
ensure the physical and operational integrity of all application and
system software. This will include mechanisms for timely reporting
and effective response to incidents involving these assets. This
also involves the definition and refinement of software controls to
ensure protection. Utilities will be installed to ensure that all
system and application software will be protected from malicious
code. Additionally, the organization will identify and install
mechanisms to ensure fault tolerance in released versions of all
application and system software.
Principle Fourteen: Risk Assessment and Control
The organization will define explicit and valid
standard operating procedures for the ongoing, business-wide
assessment and control of operational security risks. All current
operations and prospective projects will be systematically evaluated
using this procedure in order to identify any potential threats,
vulnerabilities and weaknesses that might be associated with the
work. Risk assessment will be scheduled and performed on an ongoing
basis as a fundamental element of proper management practice and the
results will be documented and reported to the appropriate
decision-makers for corrective action.
THE COMMUNITY/CONTEXTUAL DOMAIN
Principle Fifteen: Ethics
The organization will delineate, adopt and maintain
a comprehensive code of defined ethical practices with respect to
security. This code will accurately reflect community norms with
respect to ethical behavior. It will underwrite and be directly
referenced to the purpose and goals of the business. The staff will
be explicitly trained with respect to their individual
responsibilities relating to this code and its ramifications. This
code will be rigorously enforced as part of integral organizational
practice. All members of the organization will be held responsible
for violations.
COMMON CRITERIA FOR JUDGING EFFECTIVE PRACTICE
Principles must meet the following common criteria to be
effectively practiced.
Establishment - The organization must document
its commitment to each principle. Criteria for judging this include:
1) The explicit and formally established designation of a manager
responsible for monitoring and controlling ongoing operation, 2) The
placement of the manager in a position of authority sufficient to
enforce decisions, and 3) The continuous maintenance of that
position in the organizational decision-making structure.
Means - The organization must provide qualified
employees sufficient to ensure that each individual principle will
be effectively carried out. Criteria for judging this include: 1)
The necessary staff and resources to perform the actions embodied in
these principles are identifiably designated and deployed, 2) It is
possible to document, through formal training or recruitment
actions, that staff are competent to perform their assigned roles
and 3) The deployment of staff resources is explicitly demonstrable
and traceable to individual principles.
Oversight - The organization must develop an
objective mechanism to monitor the fulfillment of the purposes of
each principle. Criteria for judging this include: 1) The
development and use of formal measures of performance, 2) Use of
analytic methods to support decision making and 3) The designation
and adherence to formal reporting lines and follow-up
procedures.
Enforcement - The organization must put into
practice and document actions to reliably assure that each principle
is adhered to. Criteria for judging this include: 1) Designation and
empowerment of a person accountable for enforcement, 2) Regularly
scheduled internal audit, or review of the actions embodied in the
principle for compliance and 3) Formally defined procedures for
corrective action.