BSI BIP 0008-2:2014

DOCUMENT INFORMATION

Title: Evidential Weight and Legal Admissibility of Information Transferred Electronically
Authors: Peter Howes, Alan Shipman
Type: Code of Practice
Year of publication: 2014
Pages: 104
Size: 1.78 MB

Contents

Evidential weight and legal admissibility of information transferred electronically

Peter Howes and Alan Shipman

BSI Standards Limited
389 Chiswick High Road
London W4 4AL

© The British Standards Institution 2014

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

While every effort has been made to trace all copyright holders, anyone claiming copyright should get in touch with the BSI at the above address.

BSI has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this book, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

The rights of Peter Howes and Alan Shipman to be identified as the authors of this Work have been asserted by them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Great Britain by Letterpart Limited, www.letterpart.com
Printed in Great Britain by Berforts Group, www.berforts.co.uk

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

ISBN 9 805 08 6 78

7.2 Preventive and corrective actions 74

Evidential weight and legal admissibility of information transferred electronically – Code of practice for the implementation of BS 10008 (referred to in this document as 'the Code') is primarily concerned with the authenticity, integrity and availability of electronically transferred information, to the demonstrable levels of certainty required by an organization. It is particularly applicable where this transferred information may be used as evidence in disputes inside and outside the legal system.

This is the fifth edition of the Code, which was first published in 1998 as PD 5000. This edition is an editorial revision of the fourth edition (BIP 0008-2 (2008)). It is technically similar, with an extension of its scope to include the transfer of information stored in databases and other electronic systems. It has also been restructured in recognition of the publication of BS 10008:2014, Evidential weight and legal admissibility of electronic information – Specification, and can be considered to be a guide to the implementation of the British Standard in relation to information transferred electronically.

Users of the previous editions should consider the advantages of assessing their information management systems in the light of this new edition, and amend their systems and/or documentation where appropriate.

This publication is the second part of BIP 0008, which is made up of the following:

• BIP 0008-1 (2014), Evidential weight and legal admissibility of information stored electronically – Code of practice for the implementation of BS 10008;

• BIP 0008-3 (2014), Evidential weight and legal admissibility of linking electronic identity to information – Code of practice for the implementation of BS 10008.

The Code is published by BSI in recognition of the large number of implementations of electronic information management systems, and of the continuing uncertainty about the legal acceptability of information that has been transferred electronically. It provides good practice guidance for the trustworthy electronic transfer of information.

The Editors would especially like to thank the BSI Legal Admissibility Editorial Board and Panel and committees IDT/1, Document management applications and IDT/1/-/5, Revisions of BS 10008 for their contributions to the current and previous editions of this publication, in particular for their business foresight and tireless reading of the manuscript. Their suggestions for improvement added value to the final publications.

The members of IDT/1 are Martin Bailey, Ian Currington, Aandi Inston, Marc Fresko, Peter Howes, Philip Jones, Andrew Kenny, Bill Mayon-White, Roger S Poole, Nick Pope, Ian Walden, Leonie Watson, Andrew Pibworth, Neil Pitman, Alan Shipman and Tom Wilson.

The members of IDT/1/-/5 are Elisabeth Belisle, Bernie Dyer, Peter Howes, Richard Jeffrey-Cook, Bill Mayon-White, Roger S Poole, Alan Shipman, Rob Stone and Tom Wilson.

In particular, we would like to thank Jennifer Carruth from BSI for her excellent advice and copy-editing work on BS 10008:2014.

Peter Howes

Alan Shipman

(Editor)

Group 5 Training Limited

The Editors would also like to thank the following organizations for reviewing the previous editions of this publication:

Association of Chief Police Officers (ACPO);

Association for Payment Clearing Services (APACS);

British Computer Society (BCS) – Information Risk Management & Audit (IRMA) specialist group;

National Audit Office (NAO);

Police Information Technology Organisation (PITO);

The National Archives (TNA).

The first edition of PD 5000, published in 1998, was sponsored by Group 5, in association with the Electronic Original Initiative.

BSI would also like to thank the following who reviewed the fifth edition of this book:

John Avellanet, Managing Director & Principal, Cerulean Associates LLC;

Diane Shillito, Quality Systems Manager, CDS;

Neil Maude, General Manager, Arena Group;

Elisabeth Belisle, Managing Director, Scandox.

Information transfer

Electronic information and documents that were created on electronic systems will frequently be sent under manual or automatic control to other electronic systems. Electronic transfer systems (see note) that send data (which itself is stored in compliance with BIP 0008-1) from one location to another need to be configured and operated in such a manner that the authenticity of the electronic information is not compromised. Many existing electronic information and document transfer systems are insecure, with the possibility of content being intercepted and amended during the transfer process without the knowledge of the sender or the recipient.

NOTE: In previous editions of this Code of Practice, the phrase 'electronic communications' was used. During the drafting of BS 10008, the term 'electronic transfer' was introduced. This update has been reflected in all three parts of BIP 0008 (2014). It should be noted that 'electronic transfer' includes all forms of electronic communications as discussed in earlier editions of the Code of Practice.

The Code seeks to define operational procedures that conform to 'good practice' in the field of electronic transfer. Following its recommendations ensures that the organization implements well controlled and structured systems, with minimum risk of authenticity being challenged, and with minimum risk of security breaches.

Compliance with the Code does not guarantee legal admissibility. It also does not follow that electronic information that is transferred by systems not in conformance to the Code is not legally admissible, but it may be more difficult to prove its integrity in court.

In some cases, where two parties reach prior agreement on a joint transfer policy, information and documents exchanged electronically within this agreement should be acceptable in court or other dispute resolution environments. In this case, legal advice needs to be sought on the wording of the agreement to ensure that the technical details are appropriate. Such agreements may not require conformance to the Code, but to do so would improve their acceptability to a court.

In order to provide widely applicable guidance, the Code does not specify system hardware or software configurations, and thus is technology independent.

Details of the content of transferred information are not relevant to the Code. Thus, the Code is equally applicable to simple 'message' documents, to complex multi-sectioned (compound) documents and to information taken from and transferred to a structured database. In the Code, all such information is included under the term 'electronic transfers'.

Electronic mail (email), instant messaging (IM), web services, web forms, Extensible Markup Language (XML), mobile messaging (Short Message Service – SMS) and electronic data interchange (EDI) are increasingly being used for business communications. Many of these are 'free format' and give great flexibility of content. A later chapter of the Code gives guidelines for the development of an organizational policy for the creation, transmission and receipt of these unstructured forms of electronically transferred documents. Annex A gives further details of procedures that are applicable to unstructured messaging systems.

Purpose of the Code

Users of electronic transfer systems are being asked by their companies, government departments and other employers to review the legal issues relevant to their use. The application of these systems is changing the way in which many aspects of business and organizational life are operated, as electronic communications are increasingly replacing the more traditional paper-based methods. Different electronic transfer systems and devices have their own inherent advantages and limitations, and existing systems will, at some later stage, be replaced or become obsolete. The purpose of the Code is to assist organizations in dealing with the implications, specifically concerning evidential and legal issues, of this technological evolution.

The Code provides a framework and guidelines, based on the provisions of BS 10008, which identify key areas of good practice for the implementation and operation of such electronic transfer systems, whether or not any such information is ever required as evidence in the event of a dispute. As such, compliance with the Code (and therefore with BS 10008) should be regarded as a demonstration of responsible business management.

Management framework

Chapters 4–7 of the Code are structured along the lines of the standardized structure of ISO Management System Standards, such that its implementation can be synchronized with other management systems such as BS ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements where appropriate.

The Code describes procedures and processes for transferring electronic information from one computer system to another where the issues of authenticity, integrity and availability, as required by the legal admissibility and evidential weight of the sent and/or received information, are important, typically where two organizations are involved. Whilst specific systems are not addressed by the Code, the requirements of the system (both system and procedural) are included.

DEFINITIONS

Authenticity – trustworthiness of origin and evidential content

Integrity – retention of the evidential content of the information

Availability – accessibility of the information as required

Electronic document transfers are being used increasingly for electronic trading, where a 'document' is often described as a 'transaction' or a 'message' (e.g. in e-commerce applications). Such systems can be operated under the recommendations of the Code.

The sender and/or recipient of a data file may be a person, an organization, an application, an electronic system or a device. In many instances there will be a 1:1 relationship between the sender and the recipient; the Code applies to these and to situations where there are many recipients and a single sender.

The Code is for use with any type of computer file using a wide range of transfer infrastructures. Data files may contain binary data, text, images, computer-aided design (CAD) data, moving or still video images, audio or any combination of these or similar data types, or may be computer software files (or any combination of these).

Applicability

The Code is applicable to transfer systems that use computer networks or that use remote data file transmission systems via an electronic communications carrier. It also addresses circuit switched or electronic communications switched systems. The data file transmission may be by telephone circuit, cable, radio or satellite communications technology (or any combination of these).

As such it can be applied to message-based systems where a complete transaction is built up and sent as a whole to another user (e.g. fax, email, EDI using a value-added network (VAN), or e-business using the Internet). It may also be applied where a user is communicating interactively with a remote system and building up a transaction as a set of parts (e.g. web forms).

The users

The Code is intended for:

• end user organizations that wish to ensure that information transferred electronically may be used with confidence as evidence in any dispute, within or outside a court of law; and

• integrators and developers of information transfer systems that provide facilities to meet user requirements.

The objectives of the Code are to:

• improve reliability of, and confidence in, transferred information;

• maximize the evidential weight that a court or other body may assign to presented information;

• provide confidence in inter-company trading; and

• provide confidence to external inspectors (for example, regulators and auditors) that the organization's information and business communications practices are robust and reliable.

The Code may be used as a common reference for business activities within and between organizations and for subcontracting or procurement of IT services or products.

Compliance

Each chapter of the Code contains a general description of the issues being addressed, followed by a list of 'key issues'. These indicate the critical compliance points that need to be taken into consideration, and acted upon where appropriate, before compliance with the recommendations of the Code (and with BS 10008) can be claimed. Compliance is claimed on a voluntary basis, by self-certification.

A compliance workbook (BIP 0009 (2014)) has been published to enable an assessment of compliance with BS 10008 to be completed. Where critical compliance points from the Code are not specifically included in the British Standard, these points are included as an optional component in the compliance workbook.

Typical compliance statements are shown in 6.3.4. See also 6.3 for further information on compliance audit.

Key requirements

Included in the controls for this part of the Code are a number of underlying criteria that, when complied with, provide assurance that electronic transfers have been sent and received in a controlled and understandable manner. As such they are applicable to both sender and recipient of the electronic transfer.

The transferred information should be stored in accordance with BIP 0008-1. The key requirements for maximizing the evidential weight of electronic messages are as stated in Table 1.

Table 1 – Key requirements

Sender authentication: proving the sender identity (see BIP 0008-3)

Integrity: ensuring the content of the electronic transfer is what it purports to be

Date and time of transfer: identifying the time of transfer

Date and time of receipt: identifying the time of delivery and/or collection

Recipient authentication: proving the recipient identity (see BIP 0008-3)

Trusted third-party services

Many current electronic transfer systems may fail to provide adequate assurances concerning electronic transfer delivery. Delivery of an electronic transfer by a trusted third-party service provider can, in normal circumstances, provide strong independent evidence of the key recommendations detailed in 2.2.3.8. As such, use of these facilities can provide equal or greater evidential weight compared with that provided by an electronic transfer not using this facility.

EXAMPLE

Email has become an essential business tool, but it must be used with care if the sender or recipient is to rely upon email in the event of a dispute. It is not technically difficult to make an email appear to come from someone other than the real sender. This ID 'spoofing' is used extensively by spammers (see 5.7.3) to mask their identities. Even though the technologies used by internet email are powerful and interoperable, there is still no guarantee of immediate delivery, or in fact of delivery at any time. A sender simply requesting an email delivery receipt is not a totally reliable method for determining delivery as many systems are configured to withhold them; this is frequently to prevent spammers from using the delivery receipt request to validate email address details.

If you need to rely on sender identity or proof of delivery then additional safeguards need to be taken.

Where the trusted third-party service is retaining an archive copy of the message, this should be retained in accordance with BIP 0008-1.

Recipient's perspective

From the recipient's perspective, the main areas of challenge are:

• the sender is not who he or she purports to be;

• the electronic transfer was not received, or was received multiple times; and

• the information content of the electronic transfer has been changed in some way in transit.

EXAMPLE

An email may not be delivered at all, or it may be delivered multiple times. For many electronic transfers, repeated delivery is merely an inconvenience.

For many other electronic transactions, however, it is potentially dangerous:

• Would you really want to have duplicate payments appearing on your credit card statement?

• Does a business want to stop selling a particular product because it believes it is sold out, only to find that one of the apparent sales was, in fact, just a duplicate of a real order?

Such transactions need solid proof of delivery, so that a duplicate transfer is rejected and, if a receipt is not received within a predefined time, the message is re-sent.

Such proof of delivery is normally a fundamental component of the message queuing technologies that underpin web services and service-oriented architectures.

Electronic transfers made in compliance with the terms of the Code will allow the recipient to check sender authentication and electronic transfer identity and integrity.

Where a received electronic transfer is questionable, procedures that verify its origin and integrity need to be used. Such procedures may include sending the electronic transfer back to the supposed sender, with a request for a confirmation of receipt and integrity.
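The five requirements of Table 1 and the lost-or-duplicated delivery problem in the example above, as an added example that is not part of the Code and not the Code's own method: a Python sketch, standard library only, of a transfer envelope carrying the sender's name, a content hash and a send time under an HMAC; a MACed receipt from the recipient carrying the receive time; a re-send timer on the sender for transfers with no valid receipt; and a duplicate filter keyed on the transfer id, so a re-sent transfer is acknowledged again but never processed twice. The party names ("acme", "globex"), the pre-shared key and the order body are constructed for the example.

```python
"""Transfer envelope, MACed receipt and duplicate suppression (constructed example)."""
import hashlib
import hmac
import json
import secrets

# Constructed pre-shared keys, one per (sender, recipient) pair. The party names
# and key bytes are assumptions made for this example; a real deployment would
# bind keys to identities as described in BIP 0008-3.
SHARED_KEYS = {
    ("acme", "globex"): b"constructed-demo-key-acme-to-globex",
}


def _canonical(fields):
    """Stable byte encoding so both parties MAC exactly the same fields."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, fields):
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def _pair_key(sender, recipient):
    return SHARED_KEYS.get((sender, recipient))


class TransferSender:
    """Builds envelopes and keeps each one pending until a valid receipt arrives."""

    def __init__(self, name, receipt_timeout):
        self.name = name
        self.receipt_timeout = receipt_timeout  # seconds to wait before re-sending
        self.pending = {}                       # transfer_id -> (envelope, body, sent_at)

    def build(self, recipient, body, now):
        key = _pair_key(self.name, recipient)
        if key is None:
            raise ValueError("no shared key for recipient %r" % recipient)
        envelope = {
            "transfer_id": secrets.token_hex(8),  # unique id so the recipient can spot replays
            "sender": self.name,                  # sender authentication (Table 1)
            "recipient": recipient,
            "sent_at": now,                       # date and time of transfer (Table 1)
            "body_sha256": hashlib.sha256(body).hexdigest(),  # integrity (Table 1)
        }
        envelope["mac"] = _mac(key, envelope)     # covers every field above
        self.pending[envelope["transfer_id"]] = (envelope, body, now)
        return envelope

    def on_receipt(self, receipt):
        """Clear a pending transfer only if the receipt is MACed by the recipient and matches it."""
        entry = self.pending.get(receipt.get("transfer_id"))
        if entry is None:
            return False
        envelope, _, _ = entry
        key = _pair_key(self.name, envelope["recipient"])
        unsigned = {k: v for k, v in receipt.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, unsigned), receipt.get("mac", "")):
            return False
        if unsigned.get("recipient") != envelope["recipient"]:
            return False
        if unsigned.get("body_sha256") != envelope["body_sha256"]:
            return False
        del self.pending[envelope["transfer_id"]]
        return True

    def overdue(self, now):
        """Ids still without a valid receipt after the timeout; re-send the stored envelope unchanged."""
        return [tid for tid, (_, _, sent_at) in self.pending.items()
                if now - sent_at > self.receipt_timeout]


class TransferReceiver:
    """Verifies origin and integrity, issues receipts, and processes each transfer once."""

    def __init__(self, name):
        self.name = name
        self.receipts = {}   # transfer_id -> receipt already issued (the duplicate filter)
        self.processed = []  # bodies handed on to the business process, once each

    def accept(self, envelope, body, now):
        """Return (status, receipt); only 'accepted' passes the body onward."""
        key = _pair_key(envelope.get("sender"), self.name)
        if key is None or envelope.get("recipient") != self.name:
            return "unknown-sender", None
        unsigned = {k: v for k, v in envelope.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, unsigned), envelope.get("mac", "")):
            return "bad-mac", None       # forged sender name or altered envelope fields
        if hashlib.sha256(body).hexdigest() != unsigned.get("body_sha256"):
            return "body-altered", None  # content changed in transit
        transfer_id = unsigned["transfer_id"]
        if transfer_id in self.receipts:
            # Re-issue the original receipt so the sender stops retrying, but do not
            # process the body again: this is what prevents the duplicate payment.
            return "duplicate", self.receipts[transfer_id]
        receipt = {
            "transfer_id": transfer_id,
            "recipient": self.name,                  # recipient authentication (Table 1)
            "received_at": now,                      # date and time of receipt (Table 1)
            "body_sha256": unsigned["body_sha256"],  # receipt is bound to the exact content
        }
        receipt["mac"] = _mac(key, receipt)
        self.receipts[transfer_id] = receipt
        self.processed.append(body)
        return "accepted", receipt
```

The sender calls `build`, delivers the envelope and body by whatever channel policy allows, and periodically re-sends anything returned by `overdue`; the recipient calls `accept` and returns the receipt. One caveat a practitioner should weigh: a MAC under a shared key proves origin only between the two parties, since either of them could have computed it, so it does not give a court the non-repudiation that a digital signature under a key bound to the sender's identity (the subject of BIP 0008-3) would provide.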

1.1 General

This section of the Code relates to Clause 4 of BS 10008, 'Context of the organization'.

Increasingly, electronic information is being sent from one electronic system to another, either within an organization or between organizations. The manner in which this movement of information occurs may determine the success or failure of the organization. Thus, transfer systems need to be secure, structured and auditable.

Electronic transfer systems need to be classified, structured and validated by the organization. Where information is received electronically from another organization, knowledge of the processes used to transfer the information is key to a successful, legally admissible electronic transfer system.

When defining a transfer policy, the relative importance of speed of delivery, both to the recipient organization and to the recipient in that organization, may be significant. Taking two extremes, direct transfer to a PC across the internet or via a carrier usually results in almost instantaneous transfer, whereas transfer by post may be measured in days.

BIP 0008-1 recommends the classification of all information used by an organization into 'information types'. This classification leads to the creation of a 'policy document' which should be extended to accommodate the transferred information covered in this part of the Code.

1.2 Issues

The organization needs to determine the external and internal issues that are relevant to its purpose and that may affect the authenticity and integrity of the information that it transfers.

Typical issues that may be relevant include:

• the size and complexity of the organization;

• the level of business risk attached to being unable to demonstrate authenticity and integrity of transferred information;

• drivers for business efficiency improvements;

• specific stakeholder requirements; and

• the existing technology and infrastructure systems.

Policy statements as described in 2.2 should take into account those issues that are agreed to be relevant to the ability to demonstrate authenticity and integrity of information stored electronically.

When reviewing the relevant issues, a risk management process is the most appropriate to use when deciding upon actions to be undertaken. BS ISO 31000:2009, Risk management – Principles and guidelines provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. Using BS ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.

1.3 Requirements

When establishing or reviewing the systems and/or processes that manage the evidential weight of information transferred electronically, the organization needs to determine:

• stakeholders that are relevant to the authenticity and integrity of information;

• the requirements of these stakeholders relevant to that information; and

• the requirements for information stewardship within the organization.

NOTE: The requirements of stakeholders may include legal and regulatory requirements and contractual obligations.

Typical stakeholders may include:

• owners, managers and staff of the organization;

• third parties with contracts or similar agreements with the organization;

• clients and customers in receipt of services provided by the organization;

• the public where public services are involved.

Information stewardship should be managed by the identification of Information Asset Owners (IAOs) who will typically be those responsible for the processes that receive the information asset in question.

1.4 Boundaries and applicability

The organization needs to determine the boundaries and applicability of the authenticity and integrity of the information it transfers in order to establish its scope.

When determining this scope, the organization needs to consider:

• the external and internal issues referred to in 1.2;

• the requirements referred to in 1.3; and

• interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope needs to be available as part of the policy document.

In many organizations, the authenticity and integrity of information will only be of importance to part of the overall information asset. As part of a project to implement BS 10008 and the Code, individual information assets need to be identified and a decision taken as to whether each should be included within the scope of the related policy statement.

2.1 Leadership and commitment

This section of the Code relates to Clause 5 of BS 10008, 'Leadership'.

Top management needs to demonstrate leadership and commitment with respect to the management of information authenticity and integrity by:

a) ensuring the information transfer policies and objectives are established and are compatible with the strategic direction of the organization;

b) ensuring the integration of the information transfer system requirements into the organization's processes;

c) ensuring that the resources needed for the information transfer system are available;

d) communicating the importance of effective information transfer and of conforming to the information transfer system requirements;

e) ensuring that the information transfer system achieves its intended outcome(s);

f) directing and supporting persons to contribute to the effectiveness of the information transfer system;

g) promoting continual improvement; and

h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

2.2 Policy statements

2.2.1 General

The British Standard specifies the contents of an electronic transfer policy statement, which covers the scope of the policy, requirements for procedures and technology and the responsibilities of the management of the systems. The British Standard also specifies the requirement for the top management team to set a clear policy direction and demonstrate support for, and commitment to, the management of the electronic information through the issue and maintenance of an information transfer policy.

The British Standard also specifies the contents of an information security policy within which the information transfer policy operates.

Policy documentation needs to be retained in compliance with the retention schedule.

KEY ISSUE

> Retain approved policy documents in line with the retention schedule.

2.2.2 Information transfer policy statement

2.2.2.1 Roles and responsibilities

The policy statement should include a statement, for each information type being transferred, of the party responsible for the information.

This party may be a person or a job function.

KEY ISSUES

> Identify individual responsibilities for information being transferred.

> Detail these in the policy statement.

2.2.2.2 Structure

Different types of information may be transferred within an organization, or between organizations, using different data file transmission systems. To enable implementation of such systems, the organization needs a policy statement that can be used to guide implementers, and to demonstrate to other parties that the systems used were in line with policy.

To implement the Code, the policy statement produced in compliance with BIP 0008-1 should be extended to include policy on electronic transfer.

The policy statement should be approved by the top management of the organization, and should be reviewed for relevance and content at regular intervals. The frequency of review should be appropriate to the application.

This period will typically be the same as the normal procedural audit cycle within the organization (e.g. annual or in the event of major changes to the system).

There will frequently be more than one type of data transmission system in use within an organization. The transfer requirements for each information type need to be reviewed, based on timeliness and service levels. Cost may also be a consideration.

In order to align transfer requirements with specific electronic information, an information 'type' designation should be allocated. These types may be described by application (e.g. financial reports or stock lists) or by information content (e.g. an invoice or an order).

Annex B includes an example electronic transfer policy statement, which may be used during the drafting of an organization's policy statement. It contains some 'typical' statements that may be appropriate in many policy statements.

The policy should set out guidelines for the appropriate transfer channels for each information type.

EXAMPLE

For some electronic transactions, multiple different transfer channels will be offered. These may have different characteristics, each variant of which needs to be considered.

For example, a single transaction could be sent by email, voice message, SMS or IM depending on sender or recipient preferences. Similarly, a website could offer a web form to complete or a downloadable form to be completed and emailed or faxed.

The policy statement should address, as a minimum, the requirements set out in Table 2. Other sections may be added where appropriate.

Table 2 – Information transfer policy statement

Topic: Content (Section of BIP 0008-2)

Roles and responsibilities: Define responsibilities for information transfer (2.3)

Transfer: Set guidelines for the transfer of specific electronic documents (2.2.2.3)

Compression: Set guidelines for the use of data compression (2.2.2.4)

Procedures: Set guidelines for procedures to be followed by workers when using transfer facilities to send electronic documents (2.2.2.5)

Delivery/receipt: Set policy for procedures to be followed on delivery or receipt of a transferred file (2.2.2.6)

Consultations: Consult with relevant bodies to ensure the legality of electronic transfer (2.2.2.7)

COMMENT – Transfer system requirements

A single message may have a different value to the sender and to the recipient. Transfer system requirements may thus vary depending upon individual requirements, or a combination of requirements.

EXAMPLE

Any electronic transaction involves two or more parties, and it is quite usual for its significance to be completely different for the different parties. It is, as a result, quite common for the controls and guidelines for a transaction (and its storage under the controls of BIP 0008-1) to be different for the different parties involved, even when they are within the same organization.

For example, an electronic expenses claim may involve an individual worker, his or her authorizing manager and the department responsible for payroll. The payroll department may have no first-hand knowledge of the worker or the manager and would, therefore, need independent evidence as to their identities, as linked to the claim (unlike the worker, who knows his or her manager). Both worker and manager are less concerned over authenticating the identity of the payroll department; they would realize that something was amiss when the expenses were not reimbursed with the pay.

KEY ISSUE

> Develop, and have approved by top management, an information transfer policy.

2.2.2.3 Transfer

There are many forms of technologies and procedures that can be used for electronic transfer. The organization's policy statement should set guidelines for the appropriate systems to be used for all corporate electronic transfers.

In particular, the use of structured and unstructured forms of electronic transfer should be included. Where unstructured electronic transfers are involved, corporate guidelines on message structures should be included within the policy statement, or referenced by it.

KEY ISSUE

> The policy statement should give guidance on the type of transfer technology to use in particular circumstances, and on the content and layout of unstructured transfers.

2.2.2.4 Compression

Some electronic transfers will need to be compressed before being transferred. This may be due to:

• a large file size (a smaller, compressed file will require less transmission time);

• a large number of individual files (these can be compressed into a single file); or

• the application of a compression key to improve electronic document security.

Note that the password protection offered by common archive formats (for example the legacy ZIP 'ZipCrypto' scheme) is cryptographically weak; compression should be treated as a size reduction measure, with any confidentiality requirement met under the encryption policy in 2.2.2.8.

The policy statement should give guidance on when compression is to be used, and how to formulate

2.2.2.5 Procedures

The policy statement should provide guidelines on the requirement for appropriate procedures to be followed when electronic transfers are being undertaken. Details of these procedures can be found in Chapter 5. These procedures may need to link to the organization's information security policy as detailed in 2.2.3.

KEY ISSUE

> The policy document should give guidelines on the procedures necessary to use the organization's electronic transfer systems.

2.2.2.6 Delivery/receipt

In relation to the Code, the critical procedural issues are related to the delivery and the receipt of electronic transfers. Thus, the policy statement should give guidelines on how these procedures are to be developed, and to what standards. These procedures include:

• the avoidance of messages with illegal content;

• the avoidance of copyright issues;

• protection against malicious software;

• appropriate security procedures;

• the application of the organization's retention policies; and

• the avoidance of spam and similar messages (incoming and outgoing).

KEY ISSUE

> The policy statement should give guidelines on the procedures required to protect the organization where electronic transfers are sent and/or received.

2.2.2.7 Consultations

There may be international, national and/or regional laws and/or regulations covering the transfer of information within, across, into or out of a country. It is thus essential to consult with relevant bodies to ensure the legality of transfer systems implemented.

In some countries, it is illegal to transfer particular types of electronic documents. Organizational policies need to identify such documents and ensure that they are not transferred. Examples of such documents are those that contain obscenities or libellous statements or are encrypted to levels beyond those allowed.

The results of all consultations should be documented and retained in accordance with BIP 0008-1.

KEY ISSUES

> Relevant bodies should be consulted to ensure the legality of transfer systems implemented.

> The legality of transfer (including compression and encryption techniques) of particular types of electronic documents should be determined, and any requirements adhered to.

2.2.2.8 Encryption

Encryption can be used to improve the security of electronic transfers, by the use of cryptographic techniques. Access to the unencrypted content of encrypted electronic information can be achieved by the application of the appropriate decryption algorithm and key.

The policy statement should state the organization's policy on when encryption is to be used, and how to formulate and manage encryption and decryption keys. It should also include policy on the security and access arrangements appropriate to encryption and decryption keys.

Typically, email messages may be encrypted at the organization's email gateway or at the sender's email client. The encryption can often be based on rules to enforce encryption to specified individuals and organizations, or based on classification and content criteria. Care should be exercised when encrypted email is sent or received as to whether or not the message is in decrypted form within the organization; if it is not clear then this may render the message private to the sender and recipient rather than available as a discoverable asset to the organizations involved.

This message encryption should not be confused with encryption of the channel over which the email may traverse the network using SSL/TLS. Channel encryption protects a message only while it travels between two mail servers; the message is in clear at each relay and at rest, so it gives no assurance of origin or integrity once the message has been stored.

COMMENT – Encryption

Encryption of transfer messages may be to preserve confidentiality whilst in transit over the internet and/or within the sending (or receiving) organization.

If the internet is the concern, then encryption of email is an option worth considering. Messages are encrypted at an organizational level (e.g. mail server or mail relay) rather than at the level of the individual end user.

This will generally mean that there are fewer encryption keys to manage, but the message will be in an intelligible form within the organization.

KEY ISSUE

> The policy statement should give guidance on the use of encryption technology.

2.2.3 Information security management

2.2.3.1 Management overview

It is essential that an organization is aware of the value of the information that is transferred within the organization, or with its trading partners. This awareness includes an understanding of ‘duty of care’ principles.

The implications of an insecure electronic transfer system may be far reaching, and potentially damaging to an organization. In order to ensure the integrity of electronic information prior to, or after, transfer, it needs to be stored under the controls in BIP 0008-1. If, however, electronic information stored in compliance with BIP 0008-1 is transferred by a system not in conformance to the Code, its legal admissibility may be compromised.

Suitable guidelines, which specify system security requirements, may already exist in organizational policies or working practices. There may also be sector-specific guidance (e.g. financial or pharmaceutical), national or international standards, or legal requirements. Where these do not exist, suitable guidelines need to be developed, approved and implemented.

2.2.3.2 Information security principles

2.2.3.2.1 General

BS ISO/IEC 27002 is the UK reference document for information security management. Proof of compliance with the recommendations of this code of practice, when implemented within the boundaries covered by the Code, may provide helpful support in evidence in court. It will indicate that the organization has exercised its duty of care, and it will assist the court in assessing the authenticity and integrity of the information.

BS ISO/IEC 27001 is an auditable specification for use in the certification of an information security management system against the standard.

Compliance with the recommendations of BS ISO/IEC 27002 or certification against BS ISO/IEC 27001 should not be regarded as an alternative to compliance with the recommendations of the Code.

BS ISO/IEC 27001 includes details of an information security model, classifying information security into three areas (the ‘CIA’ principle):

• Confidentiality;

• Integrity;

• Availability.

The relevance of all three of these principles should be reviewed and suitable procedures and processes implemented.

KEY ISSUE

> Information security standards provide auditable systems that enable organizations to demonstrate a duty of care in relation to stored information.

2.2.3.2.2 Confidentiality

Where appropriate, data being transferred should be protected from unauthorized access.

COMMENT – Information security

Confidentiality is about protecting data from unauthorized access. Formerly, information security used to focus primarily on confidentiality (rather than confidentiality, integrity and availability), ensuring that information is not available outside the intended authorized group. Whilst this is important and in some cases critical to the organization, it is not the most important security issue relevant to demonstration of strong evidential weight and, consequently, to this part of the Code.

KEY ISSUE

> Ensuring confidentiality in electronic transfer should be as appropriate to business needs. Confidentiality is not an important requirement of the Code.

2.2.3.2.3 Integrity and authenticity

Integrity is about ensuring that the content of a data file is unchanged; authenticity is about ensuring that it is what it purports to be.

Thus, both integrity and authenticity are key to the achievement of strong evidential weight and legal admissibility, ensuring data accuracy and completeness. When considering security, it is necessary to assess the risk of integrity or authenticity being compromised and to compare that with the cost of protection against such compromise. Security measures may include the application of cryptographic technology to detect changes to information. Note that encryption on its own protects confidentiality: an altered ciphertext will generally still decrypt to something, so detecting change requires a message authentication code, a digital signature, or an authenticated encryption mode that combines the two.

Procedures and processes should be implemented to ensure the integrity of electronic information during transfer. Some systems use filenames linked to message authentication codes (MACs) or digital signatures for this purpose (see 5.7.8).
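
Added example (not part of the Code, and not the mechanism of any particular product): a Python sketch of the ‘filename linked to a MAC’ approach using HMAC-SHA256 from the standard library. The sender ships a manifest of per-file MACs with the batch; the receiver recomputes them and reports each file as intact, modified, missing or unexpected. The shared key and the two sample files are constructed for the example. A MAC proves integrity and origin only to holders of the shared key, so where a third party or a court must be able to verify authenticity independently, a digital signature over the same manifest would be needed instead.

```python
import hashlib
import hmac

# Constructed example key. In practice this is a secret agreed out of band
# between sender and receiver; anyone holding it can produce valid MACs.
SHARED_KEY = b"example-transfer-key-do-not-reuse"


def transfer_mac(key: bytes, filename: str, content: bytes) -> str:
    """HMAC-SHA256 bound to both the filename and the file content.

    Length-prefixing the filename keeps (name, content) unambiguous, so a
    renamed or substituted file cannot carry over a MAC computed for another.
    """
    name = filename.encode("utf-8")
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(len(name).to_bytes(4, "big"))
    h.update(name)
    h.update(content)
    return h.hexdigest()


def build_manifest(key: bytes, files: dict[str, bytes]) -> dict[str, str]:
    """Sender side: one MAC per file, shipped alongside the batch."""
    return {name: transfer_mac(key, name, data) for name, data in files.items()}


def verify_transfer(key: bytes, manifest: dict[str, str],
                    received: dict[str, bytes]) -> dict[str, str]:
    """Receiver side: classify every expected and every received file.

    Status per filename is "ok", "modified", "missing" or "unexpected".
    hmac.compare_digest is used so the comparison does not leak the MAC
    through timing differences.
    """
    report: dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in received:
            report[name] = "missing"
        elif hmac.compare_digest(transfer_mac(key, name, received[name]), expected):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in received:
        if name not in manifest:
            report[name] = "unexpected"
    return report


# Constructed sample batch (not real documents).
SENT = {
    "invoice-1001.pdf": b"%PDF-1.4 invoice total 1,250.00 GBP",
    "remittance.csv": b"ref,amount\n1001,1250.00\n",
}

if __name__ == "__main__":
    manifest = build_manifest(SHARED_KEY, SENT)
    # Faithful copy: every file verifies.
    print(verify_transfer(SHARED_KEY, manifest, dict(SENT)))
    # One digit altered in transit and one file renamed: both are reported.
    tampered = dict(SENT)
    tampered["invoice-1001.pdf"] = b"%PDF-1.4 invoice total 9,250.00 GBP"
    tampered["remittance-final.csv"] = tampered.pop("remittance.csv")
    print(verify_transfer(SHARED_KEY, manifest, tampered))
```

The manifest itself must travel with, or ahead of, the batch over a path the receiver trusts, and the receiver should retain both the manifest and the verification report with the transferred files so that the check can later be re-run as evidence.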

Data recovery procedures, to be implemented in the case of failure of the electronic information transfer system, should be such as to maintain the integrity of the relevant data.

KEY ISSUE

> Ensuring integrity and authenticity are the key issues to trustworthy information transfer. Processes and procedures should be adopted in relation to the value to the organization of the information being transferred.

Availability is about ensuring that the information is available when it is required by an authorized user. Loss of information could be interpreted as being just as significant as fraudulent modification. It may be necessary to demonstrate that specific information is still available for a legally stipulated time after transfer. In this area, topics such as regular backup and business continuity planning are critical. These topics are dealt with in BIP 0008-1.

Procedures and processes should be implemented that ensure that the electronic information is available as required. This is best implemented by storing electronically transferred information in compliance with BIP 0008-1.

KEY ISSUE

> Ensuring that information is available when required is a key requirement.

2.2.3.3 Security management guidance

Publications are available that provide advice in devising comprehensive sets of information security guidelines to meet the organization's needs. These guidelines should be included in the organization's review process. For some applications, the adoption of externally accredited security schemes as additional confirmation of compliance to their security policy may be appropriate.

There are a number of national and international standards that, if implemented, should support the organization's demonstration of duty of care (see next ‘Comment’ box). Standards that cover information security and service quality issues are particularly appropriate.

COMMENT – Information security management standards

The internationally accepted information security management standards are:

• BS ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements;

• BS ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information security management.

There are other publications in the ISO/IEC 27000 series that may also be applicable in specific applications.

Information is the life blood of all organizations and can exist in many forms. It can be stored electronically and transmitted by mail or by electronic means. In the competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental or malicious.

These information security management standards address these issues and have thus been implemented in many major organizations. They are referenced in many places and are becoming the common benchmark against which information security is measured.

Within the UK, there is a formal certification scheme against the requirements of BS ISO/IEC 27001. A number of UK and overseas organizations have seen the benefit of compliance, particularly where they offer IT services to other organizations. Other organizations have used the two documents to assess their information security management systems, as part of their risk assessment processes.

It is important that any decisions made concerning certification or compliance with these standards are recorded by the organization.

KEY ISSUE

> Where an appropriate national or international standard is implemented, electronic transfer systems should be included within the scope of compliance with the standard.

2.2.3.4 Scope

To fulfil the duty of care objective, the organization needs to action the following:

Topic                                   Action                                                                   BIP 0008-2
Information security policy             Implement an information security policy                                 2.2.3.5
Risk assessment                         Carry out a risk assessment and implement appropriate recommendations    2.2.3.6
Information security infrastructure     Develop, implement and test an information security management system    2.2.3.7
Third-parties                           Develop policies and procedures for working with third-parties           2.2.3.8

All information that is in the process of electronic transfer is vulnerable to loss or change, whether accidental or malicious. To protect such information, appropriate security measures need to be implemented to reduce the risk of a successful challenge to its authenticity.

Information security, whether in the area of confidentiality, integrity or availability (see 2.2.3.2), is not simply a constraint to be placed upon computer systems. Security and access to the physical environment (e.g. buildings and networks) and the implementation of policies and procedures by all staff are key elements.

The organization should adopt an information security policy for electronic transfer (sending and/or receiving as appropriate).

Where the organization has an information security policy for other processes (for example, storage), then it should be extended to incorporate the requirements of the electronic transfer systems within its scope.

The information security policy document should contain (for the electronic transfer systems), as a minimum:

• the scope of the information security policy;

• a statement of the management objectives regarding information security for electronic transfer (sending and/or receiving as appropriate);

• specific policy statements;

• requirements for different information classification categories;

• definition and allocation of electronic transfer responsibilities;

• electronic transfer training and awareness requirements;

• policy for dealing with potential or actual compromise of electronic transfer systems;

• policy regarding compliance with appropriate standards; and

• approval and review process.

The information security policy should be approved by the organization's top management. The organization should then agree and document appropriate levels of security for managing its information transfer systems, in compliance with its stated information security policy.

KEY ISSUE

> Develop, authorize and implement an information security policy.

> Ensure that the policy's scope includes the information transfer systems.

2.2.3.6 Risk assessment

Information security measures are often applied piecemeal, reacting to security incidents or to available computer software tools. This type of approach can fail to recognize the value of the information asset and the risks to the organization from security compromise during electronic transfer. This may leave gaps in security, which may be filled only at some later date after a security breach.

A more structured approach is to review the information assets and assign risk factors (based on asset value, system vulnerability and likelihood of attack). The security policy can then be produced and approved against the value model.

The organization should undertake an information security risk assessment aligned to the electronic transfer systems, and record the results. BS ISO 31000 provides principles and generic guidelines on risk management. It can be used by any public, private or community enterprise, association, group or individual. It can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. It can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

Existing security measures should be reviewed for effectiveness. Factors such as the balance between the cost of implementation and the security achieved should be taken into consideration during the review process.

Where different types of electronic transfer system can be used, their individual impact on the risk assessment results should be reviewed.

KEY ISSUE

> Perform a risk assessment of existing security measures, and implement cost-effective technology and/or procedures to fill any gaps found.

2.2.3.7 Information security infrastructure

In order to control and manage security issues with electronic transfer systems, a management infrastructure needs to be implemented, including relevant electronic transfer systems within its scope. The infrastructure should have as its objectives:

• approval and review of the information security policy;

• monitoring of threats to information security;

• monitoring and review of security breaches; and

• approval of major initiatives to enhance information security.

KEY ISSUE

> Plan and implement an information security framework.

2.2.3.8 Third-parties

All information that is being transferred via a third-party is potentially vulnerable to loss or change, whether accidental or malicious. To protect such information, appropriate security measures need to be implemented to minimize the risk of such a loss or change, and thus a successful challenge to its authenticity.

Where the third-party is retaining transferred information for a period, however short, it should have adopted an information security policy in relation to this information. This policy may need to be incorporated within, or referred to by, the organization's own information security policy; this means the third-party will be formally ‘trusted’.

Where the trusted third-party (TTP) has an information security policy for other processes (for example, storage), the use of electronic transfer should be incorporated within its scope.

INFORMATION

SSL/TLS are used to encrypt internet traffic; a similar cryptographic approach is used to authenticate another system or database connection, known as Secure Shell (SSH).

SSH is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, file transfer and other secure network services between two systems via a secure channel over an insecure network.

SSH frequently uses public/private key pairs and, as with other cryptographic techniques, key management can become an onerous task, but it is one that cannot be ignored, as inappropriate access to a private key can cause major compromise to information availability, authenticity or integrity. The protection runs in both directions: the server proves its identity to the client with its host key, so a client that accepts an unknown or changed host key without checking it against a known value loses the assurance that it is talking to the intended system.

The standards for SSH are documented in Internet Engineering Task Force Requests for Comments (IETF RFCs), principally RFC 4250 to RFC 4254, which are listed at http://datatracker.ietf.org/wg/secsh/documents; there is also useful information at OpenSSH, www.openssh.com.

EXAMPLE

One area that TTPs will frequently have covered in their security policy is that electronic transfer with them should be over secure, encrypted channels. This will prevent eavesdropping on the message and will allow them to authenticate the identity of the person or system accessing their systems. This will frequently use either SSL or TLS (see below).

Such use of a secure channel is also often used for secure mail applications or access to webmail services. A number of secure email services are based on the approach of sending links to messages held on secure web servers, using normal email services. Recipients follow the links using their browser and will only be able to access the confidential messages over an SSL or TLS protected channel, which will only be opened up to them when they have successfully identified themselves as the intended recipient. Note though that such secure channels may mean that information may not be checked by the organization's boundary defences intended to prevent access to inappropriate or dangerous material.

DEFINITIONS – SSL and TLS

SSL is short for ‘Secure Sockets Layer’, a protocol for confidential transmission across the internet. The server's public/private key pair is used during the initial handshake to authenticate the server and to agree a fresh session key; the data transferred over the SSL connection are then encrypted with that symmetric session key, not with the private key itself. Most browsers support SSL and many websites use the protocol to obtain confidential user information, such as credit card numbers. Normally, URLs that require an SSL connection start with https: instead of http:.

SSL creates a secure channel connection between a client and a server, over which any amount of data can be sent securely. SSL itself originated at Netscape; the Internet Engineering Task Force (IETF) published SSL 3.0 only as a historical record (RFC 6101) and standardized its successor, TLS.

SSL is being superseded by TLS (Transport Layer Security), which is an extension of SSL. TLS is a newer protocol for privacy and data integrity between client and server applications communicating over the internet.

The TLS protocol is made up of two layers:

1 the TLS Record Protocol – it ensures that the connection is private by using symmetric data encryption, and it ensures that the connection is reliable. The TLS Record Protocol is also used for encapsulation of higher level protocols, such as the TLS Handshake Protocol;

2 the TLS Handshake Protocol – it allows authentication between the server and the client and the negotiation of an encryption algorithm and cryptographic keys before the application protocol transmits or receives any data.

TLS and SSL are not interoperable.

Whilst SSL continues to be referred to and used, it should be noted that TLS offers enhanced security over SSL. Frequently where TLS is actually in use it is often referred to, somewhat erroneously, as SSL. SSL 2.0 has since been prohibited (RFC 6176) and SSL 3.0 deprecated (RFC 7568), with TLS 1.0 and TLS 1.1 deprecated in turn (RFC 8996); a transfer system described as using a ‘secure channel’ should therefore be checked to confirm that it negotiates TLS 1.2 or later and verifies the certificate of the party it connects to.
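
Added example, not from the Code: because ‘SSL’ is used so loosely, a practitioner reviewing a transfer system wants a concrete check of what a client will actually negotiate. This uses the Python standard library ssl module. The hardened context is what a ‘secure, encrypted channel’ should mean in practice (TLS 1.2 or later, certificate chain verified, host name checked); the weak context shows the settings that silently remove that protection; and audit_client_context lists the findings. No network connection is made, and the function and finding names are this example's own.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that speaks only TLS 1.2 or later, verifies the server
    certificate chain against the platform trust store, and checks that the
    certificate matches the server_hostname given to wrap_socket()."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of context that makes 'encrypted transfer' meaningless: any
    protocol version the library still supports, no certificate verification
    and no host name check, so anyone on the path can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the settings a reviewer would reject; an empty list means clean."""
    findings: list[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("permits protocol versions older than TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate host name is not checked")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        print(label, audit_client_context(ctx) or ["no findings"])
```

The same three questions apply to any product that claims an SSL/TLS channel: which versions it will accept, whether it verifies the peer certificate, and whether it ties that certificate to the name it intended to reach. Evidence of those settings belongs with the system description documentation the Code calls for.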

Where a third-party provides transfer services (for example, where a service provider manages an EDI system), such services should be included within the scope of compliance with the Code. Services should include appropriate recovery and disaster recovery processes.

The provider of third-party services needs to be aware of the value of the service that it provides, and needs to execute its responsibility under the ‘duty of care’ principle.

To fulfil this objective, the provider of third-party services should ensure that it:

• is aware of legislation and regulatory bodies pertinent to itself and to its clients' industry sector;

• is aware of legislation pertinent to countries (or other geographical areas) where its services are delivered;

• establishes a chain of accountability and assigns responsibility for activities involving transfer services at all levels;

• keeps abreast of developments by keeping in contact with the appropriate bodies and organizations; and

• is aware of any legislative or regulatory control of trusted third-party services.

Similarly, and reciprocally, the organization should ensure that the third-party:

• is aware of legislation and regulatory bodies pertinent to the trusted third-party's industry;

• is aware of legislation pertinent to countries (or other geographical areas) where its services are delivered;

• establishes a chain of accountability and assigns responsibility for activities involving transfer services at all levels;

• keeps abreast of developments by keeping in contact with the appropriate bodies and organizations; and

• is aware of any legislative or regulatory control of trusted third-party services.

Where appropriate, organizations should request documentation that demonstrates the third-party's duty of care, as part of the agreed contract.

KEY ISSUE

> When transfer systems use third-party resources, the third-party should only be considered to be ‘trusted’ where it has an appropriate information security policy.

> Where a third-party provides transfer services, such services should be included in the organization's information security policy.

2.3 Roles and responsibilities of workers

It is important when developing policies and procedures to ensure that:

• information related to the policies and procedures is made available to those who are or may be affected by them;

• there is a mechanism for feedback from the implementers of the policies and procedures;

• there is a mechanism for reviewing risks related to the policies and procedures;

• details of any challenges to the authenticity and/or integrity of stored information are fed back to those responsible for compliance with the Code; and

• key individuals within the organization responsible for managing such communications are identified.

KEY ISSUE

> Ensure that a reporting and communications mechanism is in place, to ensure that new or updated policies and procedures are implemented by all appropriate staff.

2.4 Legal and regulatory environment

3.1 Actions to address risks and opportunities

3.1.1 General

This section of the Code relates to Clause 6 of BS 10008, ‘Planning’.

When planning for the management of the authenticity and integrity of information during transfer, the organization needs to consider the issues referred to in 1.2 and the requirements referred to in 1.3, and determine the risks and opportunities that need to be addressed to:

a) ensure the information transfer system can achieve its intended outcome(s);

b) prevent, or reduce, undesired effects; and

c) achieve continual improvement.

Information transfer procedures are often developed in an unstructured way, by reacting to user requirements, security incidents and/or to available computer software tools. This approach on its own can easily leave gaps in information transfer, which are only filled at some later date, typically after a security breach. A more structured approach is to review the information assets of the organization and assign risk factors (based on asset value, potential threats, system vulnerability and likelihood of attack), on the basis of which appropriate, cost-effective information transfer procedures can be identified. An essential part of information transfer is the implementation of an appropriate security policy, which should be produced and approved based on the risk assessment, and against which security measures can be developed and implemented.

NOTE: A review of this type generally requires security expertise and a range of appropriate technical skills.

The organization should undertake an information security risk assessment along these lines, and document the results obtained. Of particular importance are the security measures implemented to control the information transfer. The risk analysis needs to include vulnerability risk factors consistent with the type of transfer protocol used.

On the basis of the results of the risk assessment, existing security measures should be reviewed for effectiveness. Factors such as the balance between the cost of implementation and the security achieved need to be taken into consideration during the review process. Where the review indicates that changes to security measures are appropriate, an action plan should be drawn up with new or amended security measures prioritized for implementation.

KEY ISSUE

> Perform a risk assessment of existing security measures, and implement cost-effective technology and/or procedures to fill any gaps found.

The risk assessment will lead to the acquisition of information and the creation of risk reports. These reports, backed up by the information used to develop the conclusions and recommendations in the reports, may provide useful evidence in relation to information transfer decisions made by the business. It is thus important to retain information related to risk assessments in line with an information retention schedule.

KEY ISSUE

> Retain records of risk assessment methods and results in line with the retention schedule.

3.1.3 Risk treatment

The results of the risk assessment should be used to guide and determine the appropriate management action and priorities for managing information risk and implementing controls in order to protect against these risks.

ISO/IEC 27005 provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review. ISO/IEC 27005 describes the input to a risk treatment process as a list of identified risks, prioritized according to the organization's risk evaluation criteria. Risk treatment includes the identification and implementation of controls to reduce, retain, avoid or share the identified risks.

Risk treatment can be implemented by one or more of the following non-exclusive processes:

• risk modification;

• risk retention;

• risk avoidance;

• risk sharing.

Risk modification involves the addition, removal or modification of existing controls so that the residual risks can be re-evaluated.

Risk retention is the process of retaining an identified risk without further action. This is acceptable when the identified risk is within the agreed risk criteria.

Risk avoidance involves the removal of processes related to the risk, so that the risk is no longer present. This may be used when other forms of risk treatment are too costly to implement.

Risk sharing involves the sharing of the identified risks with other parties, such as by insurance or by subcontracting particular processes.

3.2 Objectives and achievements

The organization needs to establish information transfer objectives at relevant functions and levels. The information transfer objectives need to:

• be consistent with the information transfer policy;

• be measurable (if practicable);

• take into account applicable information transfer requirements, and results from risk assessment and risk treatment;

• be communicated; and

• be updated as appropriate.

When planning how to achieve its information transfer objectives, the organization needs to determine:

• what will be done;

• what resources will be required;

• who will be responsible;

• when it will be completed; and

• how the results will be evaluated.

4.1 Resources

This section of the Code relates to Clause 7 of BS 10008, ‘Support’.

The organization needs to determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information transfer system.

4.2 Competence

The organization needs to:

• determine the necessary competence of person(s) doing work under its control that affects its information transfer performance;

• ensure that these persons are competent on the basis of appropriate education, training, or experience;

• where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and

• retain appropriate documented information as evidence of competence.

NOTE: Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current workers; or the hiring or contracting of competent persons.

4.3 Awareness

Workers doing work under the organization's control shall be aware of:

• the information transfer policy;

• their contribution to the effectiveness of the information transfer system, including the benefits of improved information transfer performance; and

• the implications of not conforming with the information transfer system requirements.

4.4 Reporting and communications

It is important when developing policies and procedures to ensure that:

• information related to the policies and procedures is made available to those that are or may be affected by them;

• there is a mechanism for feedback from the implementers of the policies and procedures;

• there is a mechanism for reviewing risks related to the policies and procedures;

• details of any challenges to the authenticity and/or integrity of transferred information are fed back to those responsible for compliance with the Code; and

• the methods used for these communications are regularly assessed for effectiveness, and updated where necessary.

KEY ISSUE

> Ensure that a reporting and communications mechanism is in place, to ensure that new or updated policies and procedures are implemented by all appropriate workers.

> This documentation should be retained in compliance with the retention schedule.

Documented information (also known as records) related to the process of managing information transferred electronically needs to be created and retained for as long as is necessary. Section 4.5.2 details procedural documentation that needs to be created and retained. This section also includes information related to the management of this information, including the requirement for version control and appropriate retention periods.

4.5.2 Procedural documentation

4.5.2.1 General

Compliance with the Code requires the availability and use of specified documentation. This documentation consists of the:

• information transfer policy statement (see 2.2.2);

• information security policy document (see 2.2.3);

• procedures manual (see 4.5.2.3); and

• system description manual (see 4.5.2.4).

The availability of these documents, and demonstrable adherence to the procedures described therein, should, if effectively constructed, provide the audit trail that may be used to demonstrate the authenticity of transferred information, and thus enhance its evidential weight.

Note that each of the documents mentioned above may actually be maintained as multiple documents, or may be combined. The key recommendation is that the documentation exists, is maintained, and is readily accessible to those authorized within the organization to access it and to any authorized third-party who may require access. It may also be appropriate to use the documents created in accordance with BIP 0008-1, and extend them to cover the recommendations of this part of the Code.

All documentation needs to be maintained in line with existing working practices, and thus should be maintained under a version control system (see 5.3).

Additional documentation may be required to support the daily operation of the system, for example:

• a system maintenance log (see 5.14);

• an audit trail (see 4.5.3); and

• compliance statements (see 6.3.4).

The contents of the documentation described above can easily become unreliable where there are no procedures in place to ensure that they keep pace with both organizational and system changes. Unreliable documentation may adversely affect legal arguments relating to the correct operation of an information transfer system. It is, therefore, important to ensure that the definitive versions of system documents are brought under configuration management control, and are firmly linked to the organization's change management procedures.

Where compliance with the Code is claimed over a period of time during which different editions of the above documentation were appropriate, then all editions of this documentation should be kept, in
