T4.2.1 - INFORMATION TRANSFER PROCEDURES Implementation Guidance
The entity shall develop formal transfer procedures, and controls shall be in place to protect the exchange of information.
Critical entities shall also take into account any other relevant NESA issuances, guidance and activities in this regard.
The procedures and controls to be followed when using communication systems for information transfer should consider the following items:
- A. Procedures designed to protect transferred information from interception, copying, modification, mis-routing and destruction
- B. Procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications
- C. Procedures for protecting communicated sensitive or confidential electronic information that is in the form of an attachment
- D. Policy or guidelines outlining acceptable use of communication systems
- E. Responsibilities of personnel, external parties and any other users not to compromise the entity, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.
- F. Use of cryptographic techniques e.g. to protect the confidentiality, integrity and authenticity of information
- G. Retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations
- H. Controls and restrictions associated with using communication systems, e.g. automatic forwarding of electronic mail to external mail addresses
- I. Advise personnel to take appropriate precautions not to reveal sensitive or confidential information
- J. Not leaving messages containing sensitive or confidential information on answering machines since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialing
- K. Advise personnel about the problems of using facsimile machines, namely
1- Unauthorized access to built-in message stores to retrieve messages
2- Deliberate or accidental programming of machines to send messages to specific numbers
3- Sending documents and messages to the wrong number either by misdialing or using the wrong stored number
In addition, personnel should be reminded not to hold confidential conversations in public places, open offices and meeting places, or over insecure communication channels. Information transfer services should comply with any relevant legal requirements.
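Item H names automatic forwarding of electronic mail to external addresses as a control to restrict. The following is an added example, not part of the NESA guidance, showing how such a restriction can be enforced and evidenced in Exchange Online. It assumes the ExchangeOnlineManagement PowerShell module and an account with Exchange administrator rights; the variable names and the decision to treat any domain outside the tenant's accepted domains as external are this example's own choices.

```powershell
# Added example (not part of the NESA guidance): restrict and audit external
# auto-forwarding in Exchange Online, as per item H. Assumes the
# ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# 1. Tenant-level controls: disable auto-forwarding for all remote domains and
#    in the outbound spam filter policy (the setting that stops forwarded mail
#    from leaving the tenant even when a user creates a forwarding rule).
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Evidence that the controls are in place (for audit records).
Get-RemoteDomain | Select-Object DomainName, AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# 3. Find forwarding that users configured themselves.
#    Domains the entity owns; anything else is treated as external here.
$internal  = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Mailbox-level forwarding (ForwardingSmtpAddress) to an address outside the
# accepted domains. The value is stored as "smtp:user@domain", so strip the prefix.
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress) {
        $target = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '').ToLower()
        $domain = $target.Split('@')[-1]
        if ($internal -notcontains $domain) {
            [PSCustomObject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Type     = 'MailboxForwarding'
                Target   = $target
                KeepCopy = $mbx.DeliverToMailboxAndForward
            }
        }
    }
}

# Inbox rules that forward or redirect mail. The rule output shows the target,
# so an administrator can judge whether it is external and disable the rule
# with Disable-InboxRule.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

The tenant-wide settings in step 1 are what prevent data leaving the entity; the enumeration in step 3 produces the evidence and exception list an auditor will ask for, and should be re-run on a schedule because users can create new rules at any time. Entities on other mail platforms need the equivalent server-side setting; a client-side policy alone does not satisfy item H.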