Definitions of Terms Specific to This Standard:
Password Management: The best security against a password incident is simple. Follow a sound password construction strategy based on industry-standard best-practice guidelines on password construction:
Examples of Confidential Data: The following list is not intended to be exhaustive but should provide the Organization with guidelines on what type of information is typically considered confidential. Confidential data can include:
Use of Confidential Data: A successful confidential data policy depends on users knowing and adhering to the Organization’s standards for the treatment of confidential data within approved business purposes.
Data Security: When a mobile device is lost or stolen, the data security controls that were implemented on the device are the last line of defense for protecting Organization data. Encrypt mobile devices whenever possible.
Reasons for Data Retention: Some reasons for data retention include:
Network Access and Authentication Policy
Access Control Account Set Up: Potential personnel are to be screened prior to hire, appropriate to the position, with more in-depth background checks required for personnel with greater responsibilities or access to confidential information. During initial account setup, certain checks shall be performed in order to ensure the integrity of the process. The following policies apply to account setup:
Types of Incidents: A security incident is defined as any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information; or any unauthorized attempted or successful interference with system operations. A security incident can take one of two forms:
Confidentiality: All information related to an electronic or physical security incident shall be treated as confidential information until the incident is fully contained and investigated. This will serve both to protect employees' reputations (if an incident is due to an error, negligence, or carelessness), and to control the release of information to the media and/or customers until the scope and damage of the incident can be assessed.
Security Configuration
Configuration: The following statements apply to the Organization’s implementation of firewall technology:
Network Servers: Servers typically accept connections from a number of sources, both internal and external; access should be determined based on business need and use case.
Encryption Key Management: Key management systems or vaults should be used to secure and manage encryption keys.