T4.2.5 - BUSINESS INFORMATION SYSTEMS Implementation Guidance
The entity shall develop policies and procedures to protect information transferred across business information systems.
Consideration given to the security and business implications of interconnecting such systems should include:
- A. Known vulnerabilities in the administrative and accounting systems where information is shared between different parts of the entity
- B. Vulnerabilities of information in business communication systems, e.g. recording phone calls or conference calls, confidentiality of calls, storage of facsimiles, opening mail, distribution of mail
- C. Policy and appropriate controls to manage information sharing
- D. Excluding categories of sensitive business information and classified documents if the system does not provide an appropriate level of protection
- E. Restricting access to diary information relating to selected individuals, e.g. personnel working on sensitive projects
- F. Categories of personnel, contractors or business partners allowed to use the system and the locations from which it may be accessed
- G. Restricting selected systems to specific categories of user
- H. Identifying the status of users, e.g. employees of the entity or contractors, in directories for the benefit of other users
- I. Retention and backup of information held on the system
- J. Fallback requirements and arrangements