Information Security Policy

This essay discusses information security policy, focusing on information control and dissemination, for automated information systems (AISs). Most organizations have some sort of high-level information policy that addresses how and what information is to be handled by the organization. AISs have changed how information can be used. A further refinement of the high-level information policy is necessary to deal with this automation and establish what is considered acceptable behavior with respect to the information. This refinement process involves determining the appropriate set of policy-oriented limitations. It can take place at many levels, from a top-level corporate decision to a hardware implementation choice. An information security policy addresses many issues such as the following: disclosure, integrity, and availability concerns; who may access what information in what manner; the basis on which the access decision is made (for example, a user characteristic such as nationality or group affinity, or some external condition such as time or status); maximized sharing versus least privilege; separation of duties; who controls and who owns the information; and authority issues. In the past, R&D has focused primarily on DoD policies based on user clearances and data classification, but many other access control policies are in use in the manual world, in other government agencies, and in the private sector. Policies such as a press release policy (sensitive until released at <time, date>), access based on roles (only vice presidents and above have access), and many others are real and useful policies with special characteristics not easily handled by most current systems. This essay discusses some of the aspects that must be considered when developing an information security policy for a given organization.

- Meet quarterly, or more often if deemed necessary;
- Ensure that information security goals are identified, meet UMS requirements, and are integrated in relevant processes;
- Formulate, review, and approve information security policy change requests as needed for submission to the Board of Trustees for adoption;
- Formulate, review, and approve information security standards in support of this information security policy;
- Review the effectiveness of the implementation of the information security program, and take action to improve effectiveness where needed;
- Provide clear direction and visible management support for security initiatives;
- Review and advocate for resources needed for information security;
- Approve assignment of specific roles and responsibilities for information security across UMS;
- Initiate plans and programs to maintain information security awareness;
- Establish their own process and procedures for ensuring that information security needs are addressed without delay;
- Periodically report to the Board of Trustees as requested.

Allocation of information security responsibilities
Information security responsibilities shall be clearly defined for all employees, and all authorized users of UMS information assets.
Allocation of information security responsibilities shall be done in accordance with this information security policy. Responsibilities for the protection of individual assets and for carrying out specific security processes shall be clearly identified.
Individuals with allocated security responsibilities may delegate security tasks to others. Nevertheless they remain responsible and shall determine that any delegated tasks have been correctly performed.
Management shall support the information security policy, assign security roles and coordinate and review the implementation of security across UMS.
A source of specialist information security advice shall be established and made available within UMS. Contacts with external security specialists or groups, including relevant authorities, shall be developed to keep up with industrial trends, monitor standards and assessment methods and provide suitable liaison points when handling information security incidents.
2.1.4 Authorization process for information processing facilities
A management authorization process for new information processing facilities shall be defined and implemented.

Confidentiality agreements
Requirements for confidentiality or non-disclosure agreements reflecting UMS' needs for the protection of information shall be identified and regularly reviewed.

Contact with authorities
Appropriate contacts with relevant authorities shall be maintained.

Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Independent review of information security
UMS' approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

EXTERNAL PARTIES
The security of UMS' information and information processing facilities shall not be reduced by the introduction of external party products or services.
Any access to UMS' information processing facilities and processing and communication of information by external parties shall be controlled.
Where there is a business need for working with external parties that may require access to UMS' information and information processing facilities, or in obtaining or providing a product and service from or to an external party, a risk assessment shall be carried out to determine security implications and control requirements. Controls shall be agreed and defined in an agreement with the external party.
2.2.1 Identification of risks related to external parties
The risks to UMS' information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

Addressing security when dealing with customers
All identified security requirements shall be addressed before giving customers access to UMS' information or assets.

Addressing security in third party agreements
Agreements with third parties involving accessing, processing, communicating or managing UMS' information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.

ASSESSING SECURITY RISKS
Risk assessments shall identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to UMS.
The results shall guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.
The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of UMS or individual information systems.

TREATING SECURITY RISKS
For each of the risks identified following the risk assessment a risk treatment decision shall be made. Possible options for risk treatment include:
- Applying appropriate controls to reduce the risks;
- Knowingly and objectively accepting risks, providing they clearly satisfy UMS' policy and criteria for risk acceptance;
- Avoiding risks by not allowing actions that would cause the risks to occur;
- Transferring the associated risks to other parties, e.g. insurers or suppliers.

RESPONSIBILITY FOR ASSETS
All assets shall be accounted for and have a nominated owner.
Owners shall be identified for all assets and the responsibility for the maintenance of appropriate controls shall be assigned. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains responsible for the proper protection of the assets.

4.1.1 Inventory of assets
All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.

Ownership of assets
All information and assets associated with information processing facilities shall be owned by a designated part of UMS.

Acceptable use of assets
Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.

INFORMATION CLASSIFICATION
Information shall be classified to indicate the need, priorities, and expected degree of protection when handling the information.
Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification scheme shall be used to define an appropriate set of protection levels and communicate the need for special handling measures.

Classification guidelines
Information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to UMS.

Information labeling and handling
An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by UMS.

PRIOR TO EMPLOYMENT
Security responsibilities shall be addressed prior to employment in adequate job descriptions and in terms and conditions of employment.
All candidates for employment, contractors and third party users shall be adequately screened, commensurate with the sensitivity of their jobs.
Employees, contractors and third party users of information processing facilities shall sign an agreement on their security roles and responsibilities prior to beginning work.

Roles and responsibilities
Security roles and responsibilities of employees, contractors, and third party users shall be defined and documented in accordance with this information security policy and job requirements.

Screening
Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

Terms and conditions of employment
As part of their contractual obligation, employees, contractors and third party users shall agree and sign a statement of their and UMS' responsibilities for information security.

DURING EMPLOYMENT
Management responsibilities shall be defined to ensure that appropriate security practices are observed throughout an individual's employment within UMS.
An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities shall be provided to all employees, contractors, and third party users prior to being given access to minimize possible security risks.

Management responsibilities
Management shall require employees, contractors, and third party users to apply security practices in accordance with established policies and procedures of UMS.

5.2.2 Information security awareness, education, and training
All employees of UMS and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in UMS policies and procedures, as relevant for their job function.

Disciplinary process
There shall be a formal disciplinary process for employees who have committed a security breach.

TERMINATION OR CHANGE OF EMPLOYMENT
Responsibilities shall be in place to ensure an employee's, contractor's or third party user's exit from UMS is managed, and that the return of all equipment and the removal of all access rights are completed in a timely manner.
Change of responsibilities and employments within UMS shall be managed as the termination of the respective responsibility or employment in line with this section, and any new employments shall be managed as described in section 5.1.

Termination responsibilities
Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.

Return of assets
All employees, contractors and third party users shall return all of UMS' assets in their possession upon termination of their employment, contract or agreement.

Removal of access rights
The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed immediately upon termination of their employment, contract or agreement, or adjusted upon change.

SECURE AREAS
Critical or sensitive information processing facilities shall be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They shall be physically protected from unauthorized access, damage, and interference.
The protection provided shall be commensurate with the identified risks.

6.1.1 Physical security perimeter
Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities.

Physical entry controls
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

Securing offices, rooms, and facilities
Physical security for offices, rooms, and facilities shall be designed and applied.

6.1.4 Protecting against external and environmental threats
Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.

Working in secure areas
Physical protection and guidelines for working in secure areas shall be designed and applied.

6.1.6 Public access, delivery, and loading areas
Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

EQUIPMENT SECURITY
Equipment shall be protected from physical and environmental threats.
Protection of equipment (including that used off-site, and the removal of property) is necessary to reduce the risk of unauthorized access to information and to protect against loss or damage. This shall also consider equipment siting and disposal. Special controls may be required to protect against physical threats, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure.

6.2.1 Equipment siting and protection
Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

Supporting utilities
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

Cabling security
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.

Equipment maintenance
Equipment shall be correctly maintained to ensure its continued availability and integrity.

6.2.5 Security of equipment off-premises
Security shall be applied to off-site equipment taking into account the different risks of working outside UMS' premises.

6.2.6 Secure disposal or re-use of equipment
All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

6.2.7 Removal of property
Equipment, information or software shall not be taken off-site without prior authorization.

OPERATIONAL PROCEDURES AND RESPONSIBILITIES
Responsibilities and procedures for the management and operation of all information processing facilities shall be established. This includes the development of appropriate operating procedures.
Segregation of duties shall be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

Documented operating procedures
Operating procedures shall be documented, maintained, and made available to all users who need them.

Change management
Changes to information processing facilities and systems shall be controlled.

Segregation of duties
Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of UMS' assets.

It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.

Monitoring and review of third party services
The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.

Managing changes to third party services
Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.

SYSTEM PLANNING AND ACCEPTANCE
Advance planning and preparation are required to ensure the availability of adequate capacity and resources to deliver the required system performance.
Projections of future capacity requirements shall be made, to reduce the risk of system overload. The operational requirements of new systems shall be established, documented, and tested prior to their acceptance and use.

Capacity management
The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

System acceptance
Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance.

PROTECTION AGAINST MALICIOUS AND MOBILE CODE
Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code.
Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs. Users shall be made aware of the dangers of malicious code. Managers shall, where appropriate, introduce controls to prevent, detect, and remove malicious code and control mobile code.

7.4.1 Controls against malicious code
Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.

Controls against mobile code
Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security standard, and unauthorized mobile code shall be prevented from executing.

7.5 BACK-UP
Routine procedures shall be established to implement the agreed back-up standard and strategy for taking back-up copies of data and rehearsing their timely restoration.

Information back-up
Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup standard.

NETWORK SECURITY MANAGEMENT
The secure management of networks, which may span organizational boundaries, requires careful consideration to dataflow, legal implications, monitoring, and protection.
Additional controls may also be required to protect sensitive information passing over public networks.

7.6.1 Network controls
Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

7.6.2 Security of network services
Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

7.7 MEDIA HANDLING
Media shall be controlled and physically protected.
Appropriate operating procedures shall be established to protect documents, computer media (e.g. tapes, disks), input/output data and system documentation from unauthorized disclosure, modification, removal, and destruction. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond UMS' physical boundaries.

Electronic messaging
Information involved in electronic messaging shall be appropriately protected.

Business information systems
Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.

ELECTRONIC COMMERCE SERVICES
The security implications associated with using electronic commerce services, including on-line transactions, and the requirements for controls, shall be considered. The integrity and availability of information electronically published through publicly available systems shall also be considered.

7.9.1 Electronic commerce
Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

On-Line Transactions
Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Publicly available information
The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification.

7.10 MONITORING
Systems shall be monitored and information security events shall be recorded. Operator logs and fault logging shall be used to ensure information system problems are identified. UMS shall comply with all relevant legal requirements applicable to its monitoring and logging activities.
System monitoring shall be used to check the effectiveness of controls adopted and to verify conformity to an access policy model.

7.10.1 Audit logging
Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

Monitoring system use
Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.

Protection of log information
Logging facilities and log information shall be protected against tampering and unauthorized access.

7.10.4 Administrator and operator logs
System administrator and system operator activities shall be logged.

Fault logging
Faults shall be logged, analyzed, and appropriate action taken.

Clock synchronization
The clocks of all relevant information processing systems within UMS shall be synchronized with an agreed accurate time source.

BUSINESS REQUIREMENT FOR ACCESS CONTROL
Access to information, information processing facilities, and business processes shall be controlled on the basis of business and security requirements.
Access control rules shall take account of policies for information dissemination and authorization.

Access control policy
An access control standard shall be established, documented, and reviewed based on business and security requirements for access.

USER ACCESS MANAGEMENT
Formal procedures shall be in place to control the allocation of access rights to information systems and services.
The procedures shall cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention shall be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

User registration
There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

Privilege management
The allocation and use of privileges shall be restricted and controlled.

User password management
The allocation of passwords shall be controlled through a formal management process.

Review of user access rights
Management shall review users' access rights at regular intervals using a formal process.

USER RESPONSIBILITIES
The cooperation of authorized users is essential for effective security.
Users shall be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.
A clear desk and clear screen policy shall be implemented to reduce the risk of unauthorized access or damage to papers, media, and information processing facilities.

Password use
Users shall be required to follow good security practices in the selection and use of passwords.

Unattended user equipment
Users shall ensure that unattended equipment has appropriate protection.

Clear desk and clear screen policy
A clear desk standard for papers and removable storage media and a clear screen standard for information processing facilities shall be adopted.

NETWORK ACCESS CONTROL
Access to both internal and external networked services shall be controlled.
User access to networks and network services shall not compromise the security of the network services. This shall be ensured by:
a) Appropriate interfaces being in place between UMS' network and networks owned by other organizations, and public networks;
b) Appropriate authentication mechanisms being applied for users and equipment;
c) Control of user access to information services being enforced.

Policy on use of network services
Users shall only be provided with access to the services that they have been specifically authorized to use.

User authentication for external connections
Appropriate authentication methods shall be used to control access by remote users.

Equipment identification in networks
Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment.

Remote diagnostic and configuration port protection
Physical and logical access to diagnostic and configuration ports shall be controlled.

Segregation in networks
Groups of information services, users, and information systems shall be segregated on networks.

Network connection control
For shared networks, especially those extending across UMS' boundaries, the capability of users to connect to the network shall be restricted, in line with the access control standard and requirements of the business applications (see 8.1).

8.4.7 Network routing control
Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control standard of the business applications.

OPERATING SYSTEM ACCESS CONTROL
Security facilities shall be used to restrict access to operating systems to authorized users. The facilities shall be capable of the following:
a) Authenticating authorized users, in accordance with a defined access control policy;
b) Recording successful and failed system authentication attempts;
c) Recording the use of special system privileges;
d) Issuing alarms when system security policies are breached;
e) Providing appropriate means for authentication;
f) Where appropriate, restricting the connection time of users.

8.5.1 Secure log-on procedures
Access to operating systems shall be controlled by a secure log-on procedure.

User identification and authentication
All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.

Password management system
Systems for managing passwords shall be interactive and shall ensure quality passwords.

Use of system utilities
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

Inactive sessions shall shut down after a defined period of inactivity.

Limitation of connection time
Restrictions on connection times shall be used to provide additional security for high-risk applications.

APPLICATION AND INFORMATION ACCESS CONTROL
Security facilities shall be used to restrict access to and within application systems.
Logical access to application software and information shall be restricted to authorized users. Application systems shall:
a) Control user access to information and application system functions, in accordance with a defined access control policy;
b) Provide protection from unauthorized access by any utility, operating system software, and malicious software that is capable of overriding or bypassing system or application controls;
c) Not compromise other systems with which information resources are shared.

8.6.1 Information access restriction
Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control standard.

8.6.2 Sensitive system isolation
Sensitive systems shall have a dedicated (isolated) computing environment.

MOBILE COMPUTING AND TELEWORKING
The protection required shall be commensurate with the risks these specific ways of working cause. When using mobile computing the risks of working in an unprotected environment shall be considered and appropriate protection applied. In the case of teleworking UMS shall apply protection to the teleworking site and ensure that suitable arrangements are in place for this way of working.

Mobile computing and communications
A formal standard shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication facilities.

Teleworking
A standard, operational plans and procedures shall be developed and implemented for teleworking activities.

SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
Information systems include operating systems, infrastructure, business applications, off-the-shelf products, services, and user-developed applications. The design and implementation of the information system supporting the business process can be crucial for security. Security requirements shall be identified and agreed prior to the development and/or implementation of information systems.
All security requirements shall be identified at the requirements phase of a project and justified, agreed, and documented as part of the overall business case for an information system.

Security requirements analysis and specification
Statements of business requirements for new information systems, or enhancements to existing information systems shall specify the requirements for security controls.

CORRECT PROCESSING IN APPLICATIONS
Appropriate controls shall be designed into applications, including user developed applications to ensure correct processing. These controls shall include the validation of input data, internal processing and output data.
Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical information. Such controls shall be determined on the basis of security requirements and risk assessment.

Input data validation
Data input to applications shall be validated to ensure that this data is correct and appropriate.

Control of internal processing
Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

Message integrity
Requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and appropriate controls identified and implemented.

Output data validation
Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

CRYPTOGRAPHIC CONTROLS
A standard shall be developed on the use of cryptographic controls. Key management shall be in place to support the use of cryptographic techniques.

9.3.1 Policy on the use of cryptographic controls
A standard on the use of cryptographic controls for protection of information shall be developed and implemented.

Key management
Key management shall be in place to support UMS' use of cryptographic techniques.

9.4 SECURITY OF SYSTEM FILES
Access to system files and program source code shall be controlled, and IT projects and support activities conducted in a secure manner. Care shall be taken to avoid exposure of sensitive data in test environments.

9.4.1 Control of operational software
There shall be procedures in place to control the installation of software on operational systems.

Protection of system test data
Test data shall be selected carefully, and protected and controlled.

9.4.3 Access control to program source code
Access to program source code shall be restricted.

SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
Project and support environments shall be strictly controlled.
Managers responsible for application systems shall also be responsible for the security of the project or support environment. They shall ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.

Change control procedures
The implementation of changes shall be controlled by the use of formal change control procedures.

9.5.2 Technical review of applications after operating system changes
When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

9.5.3 Restrictions on changes to software packages
Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

Information leakage
Opportunities for information leakage shall be prevented.

9.5.5 Outsourced software development
Outsourced software development shall be supervised and monitored by UMS.

9.6 TECHNICAL VULNERABILITY MANAGEMENT
Technical vulnerability management shall be implemented in an effective, systematic, and repeatable way, with measurements taken to confirm its effectiveness. These considerations shall include operating systems and any other applications in use.

9.6.1 Control of technical vulnerabilities
Timely information about technical vulnerabilities of information systems being used shall be obtained, UMS' exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
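The technical vulnerability management requirement has three parts: obtain advisory information, evaluate UMS' exposure, and measure whether remediation is effective. The following added example (not part of the UMS policy or any UMS tooling) shows the evaluation and measurement steps over a constructed software inventory and constructed advisories; the advisory identifiers, packages, versions, remediation windows and dates are all placeholders chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    ident: str        # constructed placeholder identifier, not a real advisory
    package: str
    fixed_in: str     # first version that contains the fix
    severity: str     # "critical", "high", "medium" or "low"
    published: date


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed remediation windows (days after publication) per severity.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a tuple, so '3.0.9' < '3.0.11' compares correctly."""
    return tuple(int(part) for part in v.split("."))


def is_affected(installed: str, adv: Advisory) -> bool:
    """A host is exposed when its installed version predates the fixed version."""
    return parse_version(installed) < parse_version(adv.fixed_in)


def evaluate_exposure(inventory: dict, advisories: list) -> list:
    """Match every (host, package, version) against the advisory list.
    Returns findings ordered by severity, then host name."""
    findings = []
    for host, packages in inventory.items():
        for pkg, ver in packages.items():
            for adv in advisories:
                if adv.package == pkg and is_affected(ver, adv):
                    findings.append({
                        "host": host, "package": pkg, "installed": ver,
                        "advisory": adv.ident, "severity": adv.severity,
                        "fixed_in": adv.fixed_in, "published": adv.published,
                    })
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"]))


def measure(findings: list, inventory: dict, as_of: date) -> dict:
    """Effectiveness measurements: share of hosts exposed, findings per
    severity, and findings still open past their remediation window."""
    exposed_hosts = {f["host"] for f in findings}
    by_severity = {}
    overdue = []
    for f in findings:
        by_severity[f["severity"]] = by_severity.get(f["severity"], 0) + 1
        age_days = (as_of - f["published"]).days
        if age_days > REMEDIATION_DAYS[f["severity"]]:
            overdue.append({**f, "age_days": age_days})
    return {
        "hosts_total": len(inventory),
        "hosts_exposed": len(exposed_hosts),
        "by_severity": by_severity,
        "overdue": overdue,
    }


# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "web-01": {"openssl": "3.0.9", "nginx": "1.24.0"},
    "web-02": {"openssl": "3.0.12", "nginx": "1.22.1"},
    "db-01": {"postgresql": "15.3"},
    "mail-01": {"postfix": "3.8.1"},
}

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "openssl", "3.0.11", "critical", date(2024, 1, 10)),
    Advisory("ADV-PLACEHOLDER-002", "nginx", "1.24.0", "medium", date(2024, 2, 1)),
    Advisory("ADV-PLACEHOLDER-003", "postgresql", "15.4", "high", date(2024, 3, 5)),
]

if __name__ == "__main__":
    found = evaluate_exposure(INVENTORY, ADVISORIES)
    for f in found:
        print(f"{f['severity']:8} {f['host']:8} {f['package']} {f['installed']} -> fix in {f['fixed_in']}")
    report = measure(found, INVENTORY, as_of=date(2024, 3, 20))
    print(report["hosts_exposed"], "of", report["hosts_total"], "hosts exposed;",
          len(report["overdue"]), "finding(s) past the remediation window")
```

Version comparison is the part most often done wrong in ad hoc scripts (string comparison puts "3.0.9" after "3.0.11"); the tuple comparison here is correct for purely numeric dotted versions, and a production tool would need a parser for the version scheme of each package ecosystem in use.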

REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES
Formal event reporting and escalation procedures shall be in place. All employees, contractors and third party users shall be made aware of the procedures for reporting the different types of events and weaknesses that might have an impact on the security of UMS assets. They shall be required to report any information security events and weaknesses as quickly as possible to the designated point of contact.

Reporting information security events
Information security events shall be reported through appropriate management channels as quickly as possible.

Reporting security weaknesses
All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.

MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS
Responsibilities and procedures shall be in place to handle information security events and weaknesses effectively once they have been reported. A process of continual improvement shall be applied to the response to, monitoring of, evaluation of, and overall management of information security incidents.
Where evidence is required, it shall be collected to ensure compliance with legal requirements.

Responsibilities and procedures
Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.

Learning from information security incidents
There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.

Collection of evidence
Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
A business continuity management process shall be implemented to minimize the impact on UMS and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and recovery controls. This process shall identify the critical business processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities.
The consequences of disasters, security failures, loss of service, and service availability shall be subject to a business impact analysis. Business continuity plans shall be developed and implemented to ensure timely resumption of essential operations. Information security shall be an integral part of the overall business continuity process, and other management processes within UMS.
Business continuity management shall include controls to identify and reduce risks, in addition to the general risk assessment process, limit the consequences of damaging incidents, and ensure that information required for business processes is readily available.

11.1.1 Including information security in the business continuity management process
A managed process shall be developed and maintained for business continuity throughout UMS that addresses the information security requirements needed for UMS' business continuity.

11.1.2 Business continuity and risk assessment
Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security.

11.1.3 Developing and implementing continuity plans including information security
Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.

11.1.4 Business continuity planning framework
A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance.

11.1.5 Testing, maintaining and re-assessing business continuity plans
Business continuity plans shall be tested and updated regularly to ensure that they are up to date and effective.

COMPLIANCE WITH LEGAL REQUIREMENTS
The design, operation, use, and management of information systems may be subject to statutory, regulatory, and contractual security requirements.
Advice on specific legal requirements shall be sought from UMS' legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to another country (i.e. trans-border data flow).

Identification of applicable legislation
All relevant statutory, regulatory, and contractual requirements and UMS' approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and UMS.

Intellectual property rights (IPR)
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.