Documented operating procedures

Procedures should be documented (where appropriate) and made available through awareness training. This should cover, at a minimum, those activities which affect the operation of information processing activities and those which protect them.

This should include the verification, installation, configuration and management of systems and applications; the processing and handling of information; backup management, including the testing and verification of backups; and operational scheduling, should some processes require start and end times.

In line with the requirements of the ISO 27001 standard, the procedures should cover the handling of errors and exceptional conditions, which may be defined as security incidents or form part of one.

Further items to document are special media handling instructions for confidential information, including secure disposal; system recovery and restart; management of logging and audit trail items; and network and asset monitoring procedures.

Change Management

Changes to business processes, information processing facilities and systems should be controlled. Risk assessments should be completed with formal authorisation. Planning and testing should be conducted, and the change communicated to all involved. An audit log should provide confidence that the change was handled in a controlled manner.

Capacity Management

Capacity is a contributing factor to availability. Monitoring should be undertaken, with particular care taken over potential bottlenecks that have long lead times, where capacity is likely to reach or breach a point at which processing would be affected. Consider optimising DB queries, running batch processes out of hours, deleting or archiving old data, and throttling bandwidth for non-critical access.

Separation of development, testing and operational environments

Development sandboxes should be segregated from operational systems. Users should have separate IDs for operational and testing environments. Test data should not be a copy of live data unless a similar level of security has been applied to the test environment. Developers are in a position where they could introduce untested or malicious code, and care should be taken to prevent this. Particular consideration should be given to the migration of code to the operating environment, with planned beta testing and known stable environments available if errors are encountered.