General security guidelines for staff

Critical
High
Normal
Low

Personnel must have security guidelines that deal with e.g. the following topics:

  • Using and updating mobile devices
  • Storing and backing up data
  • Privacy
  • Using email
  • Handling of printouts, papers and files
  • Reporting incidents
  • Scam prevention
Connected other frameworks and requirements:
T11: Turvallisuuskoulutus ja -tietoisuus
2 luku, 4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
29. Processing under the authority of the controller or processor
GDPR
9.4.4: Use of privileged utility programs
ISO 27001
11.2.7: Secure disposal or re-use of equipment
ISO 27001

Limitation of privileged utility programs

Critical
High
Normal
Low

Privileged utility programs are applications that require system or administrative privilege to do their jobs. Different kinds of utilities can include system utilities (e.g. malware protection), storage utilities (e.g. backup), file management utilities (e.g. encryption) or others (e.g. patching).

If use of privileged utility programs is permitted, the organisation should identify all privileged utility programs, also ones that are used in its cloud computing environment.

Organisation should ensure utility programs don’t interfere with controls of data systems hosted in any way (on-premises or cloud).

Connected other frameworks and requirements:
9.4.4: Use of privileged utility programs
ISO 27001
8.18: Use of privileged utility programs
ISO 27001

Minimization of information outside data systems

Critical
High
Normal
Low

A large amount of valuable information in an organization has often accumulated over time into hard-to-find and manageable unstructured data — excels, text documents, intranet pages, or emails.

Once this information has been identified, a determined effort can be made to minimize its amount.Important data outside data systems is subject to one of the following decisions:

  • move into a data system
  • get rid of (when the information is old, no longer necessary or otherwise irrelevant)
  • is kept in use and a responsible person is appointed to manage the risks
Connected other frameworks and requirements:
32. Security of processing
GDPR
8.1.3: Acceptable use of assets
ISO 27001
8.3.1: Management of removable media
ISO 27001
9.4.4: Use of privileged utility programs
ISO 27001
A.11.2: Restriction of the creation of hardcopy material
ISO 27018
No items found.