M1.2.2 - SUPPORTING POLICIES FOR INFORMATION SECURITY Implementation Guidance
The entity shall establish and communicate a set of supporting policies for information security.
The information security policy (refer to M1.2.1 - INFORMATION SECURITY POLICY Implementation Guidance) should be supported by a set of supporting policies that address specific information security topics. Examples of topics to be addressed are:
- A. Logical access control
- B. Information classification and handling
- C. Physical security
- D. End user oriented topics such as:
  - Acceptable use of assets
  - Clear desk and clear screen
  - Email and Internet
  - Mobile devices
  - Restrictions on software installations and use
  - Media security
- E. Backup & recovery
- F. Information exchange/sharing and transfer
- G. Malware protection
- H. Patch management
- I. Cryptographic controls
- J. Supplier relationships
These policies should be communicated to users in a form that is relevant, accessible and understandable to the intended reader. Sufficient training and awareness activities should be put in place to ensure that all users of these policies have understood and are aware of their content. It is also recommended to include acceptance of compliance with all applicable policies and procedures in the induction process.