6 People controls
6.6 Confidentiality or non-disclosure agreements
Control type: #Preventive
Information security properties: #Confidentiality
Cybersecurity concepts: #Protect
Operational capabilities: #Human_resource_security, #Information_protection, #Supplier_relationships
Security domains: #Governance_and_Ecosystem
Control
Confidentiality or non-disclosure agreements reflecting the organization’s needs for the
protection of information should be identified, documented, regularly reviewed and signed by
personnel and other relevant interested parties.
Purpose
To maintain confidentiality of information accessible by personnel or external parties.
Guidance
Confidentiality or non-disclosure agreements should address the requirement to protect
confidential information using legally enforceable terms. Confidentiality or non-disclosure
agreements are applicable to interested parties and personnel of the organization. Based on an
organization’s information security requirements, the terms in the agreements should be
determined by taking into consideration the type of information that will be handled, its
classification level, its use and the permissible access by the other party. To identify
requirements for confidentiality or non-disclosure agreements, the following elements should
be considered:
a) a definition of the information to be protected (e.g. confidential information);
b) the expected duration of an agreement, including cases where it can be necessary to
maintain confidentiality indefinitely or until the information becomes publicly available;
c) the required actions when an agreement is terminated;
d) the responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) the ownership of information, trade secrets and intellectual property, and how this relates
to the protection of confidential information;
f) the permitted use of confidential information and rights of the signatory to use the
information;
g) the right to audit and monitor activities that involve confidential information for highly
sensitive circumstances;
h) the process for notification and reporting of unauthorized disclosure or confidential
information leakage;
i) the terms for information to be returned or destroyed at agreement termination;
j) the expected actions to be taken in the case of non-compliance with the agreement.
The organization should take into consideration the compliance with confidentiality and non-disclosure agreements for the jurisdiction to which they apply (see 5.31, 5.32, 5.33, 5.34).
Requirements for confidentiality and non-disclosure agreements should be reviewed
periodically and when changes occur that influence these requirements.
Other information
Confidentiality and non-disclosure agreements protect the organization's information and
inform signatories of their responsibility to protect, use and disclose information in a
responsible and authorized manner.
6.7 Remote working
Control type: #Preventive
Information security properties: #Confidentiality, #Integrity, #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Asset_management, #Information_protection, #Physical_security, #System_and_network_security
Security domains: #Protection
Control
Security measures should be implemented when personnel are working remotely to protect
information accessed, processed or stored outside the organization’s premises.
Purpose
To ensure the security of information when personnel are working remotely.
Guidance
Remote working occurs whenever personnel of the organization work from a location outside of
the organization’s premises, accessing information whether in hardcopy or electronically via ICT
equipment. Remote working environments include those referred to as “teleworking”,
“telecommuting”, “flexible workplace”, “virtual work environments" and “remote maintenance”.
NOTE It is possible that not all the recommendations in this guidance can be applied due to local
legislation and regulations in different jurisdictions.
Organizations allowing remote working activities should issue a topic-specific policy on remote
working that defines the relevant conditions and restrictions. Where deemed applicable, the
following matters should be considered:
a) the existing or proposed physical security of the remote working site, taking into account
the physical security of the location and the local environment, including the different
jurisdictions where personnel are located;
b) rules and security mechanisms for the remote physical environment such as lockable filing
cabinets, secure transportation between locations and rules for remote access, clear desk,
printing and disposal of information and other associated assets, and information security
event reporting (see 6.8);
c) the expected physical remote working environments;
d) the communications security requirements, taking into account the need for remote access
to the organization’s systems, the sensitivity of the information to be accessed and passed
over the communication link and the sensitivity of the systems and applications;
e) the use of remote access such as virtual desktop access that supports processing and
storage of information on privately owned equipment;
f) the threat of unauthorized access to information or resources from other persons at the
remote working site (e.g. family and friends);
g) the threat of unauthorized access to information or resources from other persons in public
places;
h) the use of home networks and public networks, and requirements or restrictions on the
configuration of wireless network services;
i) use of security measures, such as firewalls and protection against malware;
j) secure mechanisms for deploying and initializing systems remotely;
k) secure mechanisms for authentication and enablement of access privileges taking into
consideration the vulnerability of single-factor authentication mechanisms where remote
access to the organization’s network is allowed.
The guidelines and measures to be considered should include:
a) the provision of suitable equipment and storage furniture for the remote working activities,
where the use of privately-owned equipment that is not under the control of the
organization is not allowed;
b) a definition of the work permitted, the classification of information that can be held and the
internal systems and services that the remote worker is authorized to access;
c) the provision of training for those working remotely and those providing support. This
should include how to conduct business in a secure manner while working remotely;
d) the provision of suitable communication equipment, including methods for securing remote
access, such as requirements on device screen locks and inactivity timers; the enabling of
device location tracking; installation of remote wipe capabilities;
e) physical security;
f) rules and guidance on family and visitor access to equipment and information;
g) the provision of hardware and software support and maintenance;
h) the provision of insurance;
i) the procedures for backup and business continuity;
j) audit and security monitoring;
k) revocation of authority and access rights and the return of equipment when the remote
working activities are terminated.
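The following is an added example, not text or code from ISO/IEC 27002, showing how several of the conditions listed above for a topic-specific remote working policy (no single-factor authentication for remote access, device screen lock and inactivity timer, firewall and malware protection, remote wipe on organization-issued equipment, and virtual desktop access only for privately owned equipment) can be expressed as an executable access decision rather than left as policy prose. The field names, the 15-minute inactivity threshold, the classification scale and the rule that privately owned devices may not touch confidential information are assumptions made for the illustration; the three device records are constructed.

```python
"""Remote-access posture check (added example; not part of ISO/IEC 27002).

Field names, the idle-timer threshold and the classification ceiling for
privately owned devices are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_IDLE_MINUTES = 15                      # assumed policy threshold for inactivity timers
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2}
MAX_CLASS_ON_PRIVATE_DEVICE = "internal"   # assumed ceiling for non-managed devices


@dataclass
class DevicePosture:
    """What the endpoint reports about itself (constructed field set)."""
    owner: str                       # "organization" or "private"
    screen_lock: bool
    idle_timeout_min: Optional[int]  # None means no inactivity timer is configured
    remote_wipe: bool
    malware_protection: bool
    host_firewall: bool


@dataclass
class AccessRequest:
    device: DevicePosture
    auth_factors: int                # distinct authentication factors presented
    access_mode: str                 # "virtual_desktop" or "direct"
    classification: str              # highest classification the session will touch


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Return an allow/deny decision listing every condition that failed."""
    d = req.device
    reasons: List[str] = []

    # k) single-factor authentication is not accepted for remote network access
    if req.auth_factors < 2:
        reasons.append("single-factor authentication")

    # d) screen lock and inactivity timer on the device
    if not d.screen_lock:
        reasons.append("screen lock disabled")
    if d.idle_timeout_min is None or d.idle_timeout_min > MAX_IDLE_MINUTES:
        reasons.append(f"inactivity timer missing or longer than {MAX_IDLE_MINUTES} min")

    # i) firewall and protection against malware
    if not d.host_firewall:
        reasons.append("host firewall off")
    if not d.malware_protection:
        reasons.append("no malware protection")

    # e) privately owned equipment: virtual desktop only, so nothing is stored
    #    locally, and (assumed rule) no confidential information at all
    if d.owner == "private":
        if req.access_mode != "virtual_desktop":
            reasons.append("privately owned device must use virtual desktop access")
        if CLASSIFICATION_RANK[req.classification] > CLASSIFICATION_RANK[MAX_CLASS_ON_PRIVATE_DEVICE]:
            reasons.append(f"{req.classification} information not permitted on privately owned device")
    else:
        # d) organization-issued equipment that can hold information must be remotely wipeable
        if not d.remote_wipe:
            reasons.append("remote wipe capability not installed")

    return Decision(allowed=not reasons, reasons=reasons)


def sample_decisions() -> dict:
    """Evaluate three constructed requests; returns name -> Decision."""
    managed = DevicePosture("organization", True, 10, True, True, True)
    private_ok = DevicePosture("private", True, 5, False, True, True)
    private_bad = DevicePosture("private", False, None, False, False, True)
    return {
        "managed_mfa_direct": evaluate(AccessRequest(managed, 2, "direct", "confidential")),
        "private_vdi_internal": evaluate(AccessRequest(private_ok, 2, "virtual_desktop", "internal")),
        "private_direct_single_factor": evaluate(AccessRequest(private_bad, 1, "direct", "confidential")),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name}: {verdict} {'; '.join(decision.reasons)}")
```

Returning every failed condition rather than stopping at the first one matters in practice: the reasons are what the support staff mentioned in item c) need in order to tell the remote worker what to fix, and they are what a monitoring pipeline under item j) would record.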
Other information
No other information.
6.8 Information security event reporting
Control type: #Detective
Information security properties: #Confidentiality, #Integrity, #Availability
Cybersecurity concepts: #Detect
Operational capabilities: #Information_security_event_management
Security domains: #Defence
Control
The organization should provide a mechanism for personnel to report observed or suspected
information security events through appropriate channels in a timely manner.
Purpose
To support timely, consistent and effective reporting of information security events that can be
identified by personnel.
Guidance
All personnel and users should be made aware of their responsibility to report information
security events as quickly as possible in order to prevent or minimize the effect of information
security incidents.
They should also be aware of the procedure for reporting information security events and the
point of contact to which the events should be reported. The reporting mechanism should be as
easy, accessible and available as possible. Information security events include incidents,
breaches and vulnerabilities.
Situations to be considered for information security event reporting include:
a) ineffective information security controls;
b) breach of information confidentiality, integrity or availability expectations;
c) human errors;
d) non-compliance with the information security policy, topic-specific policies or applicable
standards;
e) breaches of physical security measures;
f) system changes that have not gone through the change management process;
g) malfunctions or other anomalous system behaviour of software or hardware;
h) access violations;
i) vulnerabilities;
j) suspected malware infection.
Personnel and users should be advised not to attempt to prove suspected information security
vulnerabilities. Testing vulnerabilities can be interpreted as a potential misuse of the system
and can also cause damage to the information system or service, and it can corrupt or obscure
digital evidence. Ultimately, this can result in legal liability for the individual performing the
testing.
Other information
See the ISO/IEC 27035 series for additional information.