|5 Information security policies|
|5.1 Management direction for information security|
|Objective: To provide ACI Global Management direction and support for information security in accordance with business requirements and relevant laws and regulations.|
|5.1.1||Policies for information security||Control
A set of policies for information security have been defined, approved by ACI Global management, published and communicated to employees and relevant external parties.
|5.1.2||Review of the policies for information security||Control
The policies for information security are reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
|6 Organisation of information security|
|6.1 Internal organisation|
|Objective: To establish a management framework to initiate and control the implementation and operation of information security within the business operations of ACI Global.|
|6.1.1||Information security roles and responsibilities||Control
All information security responsibilities have been defined and allocated.
|6.1.2||Segregation of duties||Control
Conflicting duties and areas of responsibility have been segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets.
|6.1.3||Contact with authorities||Control
Appropriate contacts with ACI Global’s Collaborative Business Partners are being maintained.
|6.1.4||Contact with special interest groups||Control
Appropriate contacts with special interest groups or other specialist security forums and professional associations are being maintained by the SER.
|6.1.5||Information security in project management||Control
Information security through collaborative business relationship management is being addressed in project management, regardless of the type of the project by ACI Global.
|6.2 Mobile devices and teleworking|
|Objective: To ensure the security of teleworking and use of mobile devices|
|6.2.1||Mobile device policy||Control
ACI Global has a policy and supporting security measures in place to manage the risks introduced by using mobile devices.
ACI Global has a policy and supporting security measures implemented and maintained to protect information accessed, processed or stored at teleworking sites.
|7 Human resource security|
|7.1 Prior to employment|
|Objective: ACI Global endeavours to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.|
ACI Global performs background verification checks on all candidates for employment in accordance with relevant laws, regulations and ethics and proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
|7.1.2||Terms and conditions of employment||Control
ACI Global has contractual agreements with employees and contractors which state their and the organisation’s responsibilities for information security.
|7.2 During employment|
|Objective: ACI Global endeavours to ensure that employees and contractors are aware of and fulfil their information security responsibilities.|
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organisation.
|7.2.2||Information security awareness, education and training||Control
All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organisational policies and procedures, as relevant for their job function.
There is a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
|7.3 Termination and change of employment|
|Objective: ACI Global endeavours to protect the organisation’s interests as part of the process of changing or terminating employment.|
|7.3.1||Termination or change of employment responsibilities||Control
Information security responsibilities and duties that remain valid after termination or change of employment are defined, communicated to the employee or contractor and enforced.
|8 Asset management|
|8.1 Responsibility for assets|
|Objective: To identify ACI Global’s organisational assets and define appropriate protection responsibilities.|
|8.1.1||Inventory of assets||Control
Assets associated with information and information processing facilities are identified and an inventory of these assets shall be drawn up and maintained.
|8.1.2||Ownership of assets||Control
Assets maintained in the inventory shall be owned.
|8.1.3||Acceptable use of assets||Control
Rules for the acceptable use of information and of assets associated with information and information processing facilities for ACI Global are identified, documented and implemented.
|8.1.4||Return of assets||Control
All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
|8.2 Information classification|
|Objective: ACI Global endeavours to ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.|
|8.2.1||Classification of information||Control
Information is classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
|8.2.2||Labelling of information||Control
An appropriate set of procedures for information labelling have been developed and implemented in accordance with the information classification scheme adopted by the ACI Global.
|8.2.3||Handling of assets||Control
Procedures for handling assets have been developed and implemented in accordance with the information classification scheme adopted by the ACI Global.
|8.3 Media handling|
|Objective: ACI Global endeavours to prevent unauthorised disclosure, modification, removal or destruction of information stored on media.|
|8.3.1||Management of removable media||Control
Procedures have been beenimplemented for the management of removable media in accordance with the classification scheme adopted by the organization.
|8.3.2||Disposal of media||Control
Media shall be disposed of securely when no longer required, using formal procedures.
|8.3.3||Physical media transfer||Control
Media containing information is protected against unauthorized access, misuse or corruption during transportation.
|9 Access control|
|9.1 Business requirements of access control|
|Objective: ACI Global endeavours to limit access to information and information processing facilities.|
|9.1.1||Access control policy||Control
An access control policy has been established, documented and reviewed based on business and information security requirements.
|9.1.2||Access to networks and network services||Control
Users are only provided with access to the network and network services that they have been specifically authorised to use.
|9.2 User access management|
|Objective: ACI Global provides authorised user access only and has controls in place to prevent unauthorised access to systems and services.|
|9.2.1||User registration and deregistration||Control
A formal user registration and de-registration process has been implemented to enable assignment of access rights.
|9.2.2||User access provisioning||Control
A formal user access provisioning process has been implemented to assign or revoke access rights for all user types to all systems and services.
|9.2.3||Management of privileged access rights||Control
The allocation and use of privileged access rights shall be restricted and controlled by ACI Global.
|9.2.4||Management of secret authentication information of users||Control
The allocation of secret authentication information is controlled through a formal management process.
|9.2.5||Review of user access rights||Control
Asset owners shall review users’ access rights at regular intervals.
|9.2.6||Removal or adjustment of access rights||Control
The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
|9.3 User responsibilities|
|Objective: ACI Global endeavours to all users are aware they are accountable for safeguarding their authentication information.|
|9.3.1||Use of secret authentication information||Control
Users are required to follow the organisation’s practices in the use of secret authentication information.
|9.4 System and application access control|
|Objective: ACI Global endeavours to prevent unauthorised access to systems and applications.|
|9.4.1||Information access restriction||Control
Access to information and application system functions is restricted in accordance with the access control policy.
|9.4.2||Secure log-on procedures||Control
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
|9.4.3||Password management system||Control
Password management systems shall be interactive and shall ensure quality passwords.
|9.4.4||Use of privileged utility programs||Control
The use of utility programs that might be capable of overriding system and application controls are restricted and tightly controlled.
|9.4.5||Access control to program source code||Control
Access to program source code shall be restricted.
|10.1 Cryptographic controls|
|Objective: ACI Global endeavours to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.|
|10.1.1||Policy on the use of cryptographic controls||Control
A policy on the use, protection and lifetime of cryptographic keys has been developed and implemented through their whole lifecycle.
Users are only provided with access to the network and network services that they have been specifically authorised to use.
|11 Physical and environmental security|
|11.1 Secure areas|
|Objective: ACI Global endeavours to prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities.|
|11.1.1||Physical security perimeter||Control
Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
|11.1.2||Physical entry controls||Control
Secure areas shall be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.
|11.1.3||Securing offices, rooms and facilities||Control
Physical security for offices, rooms and facilities shall be designed and applied.
|11.1.4||Protecting against external and environmental threats||Control
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
|11.1.5||Working in secure areas||Control
Procedures for working in secure areas shall be designed and applied.
|11.1.6||Delivery and loading areas||Control
Access points such as delivery and loading areas and other points where unauthorised persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access.
|Objective: ACI Global endeavours to prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.|
|11.2.1||Equipment siting and protection||Control
Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
Equipment shall be correctly maintained to ensure its continued availability and integrity.
|11.2.5||Removal of assets||Control
Equipment, information or software shall not be taken off-site without prior authorisation.
|11.2.6||Security of equipment and assets off-premises||Control
Security shall be applied to off-site assets taking into account the different risks of working outside the organisation’s premises.
|11.2.7||Secure disposal or re- use of equipment||Control
All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
|11.2.8||Unattended user equipment||Control
Users shall ensure that unattended equipment has appropriate protection.
|11.2.9||Clear desk and clear screen policy||Control
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
|13 Communications security|
|13.1 Network security management|
|Objective: ACI Global endeavours to ensure the protection of information in networks and its supporting information pro- cessing facilities.|
Networks are managed and controlled to protect information in systems and applications.
|13.1.2||Security of network services||Control
Security mechanisms, service levels and management requirements of all network services have been identified and included in network services agreements, whether these services are provided in-house or outsourced.
|13.1.3||Segregation in networks||Control
Groups of information services, users and information systems shall be segregated on networks.
|13.2 Information transfer|
|Objective: ACI Global endeavours to maintain the security of information transferred within the organisation and with any external entity.|
|13.2.1||Information transfer policies and procedures||Control
Formal transfer policies, procedures and controls are in place to protect the transfer of information through the use of all types of communication facilities.
|13.2.2||Agreements on information transfer||Control
Agreements endeavour to address the secure transfer of business information between the organisation and external parties.
Information involved in electronic messaging is appropriately protected.
|13.2.4||Confidentiality or non-disclosure agreements||Control
Requirements for confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information have been identified, and are regularly reviewed and documented.
|14 System acquisition, development and maintenance|
|14.1 Security requirements of information systems|
|Objective: ACI Global endeavours to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.|
|14.1.1||Information security requirements analysis and specification||Control
The information security related requirements are included in the requirements for new information systems or enhancements to existing information systems.
|14.1.2||Securing application services on public networks||Control
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
|14.1.3||Information security requirements analysis and specification||Control
Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorized disclosure, unauthorized message duplication or replay.
|14.2 Security in development and support processes|
|Objective: ACI Global endeavours to ensure that information security is designed and implemented within the development lifecycle of information systems.|
|14.2.1||Secure development policy||Control
Rules for the development of software and systems have been established and applied to developments within the organisation.
|14.2.2||System change control procedures||Control
Changes to systems within the development lifecycle shall be con- trolled by the use of formal change control procedures.
|14.2.3||Technical review of applications after operating platform changes||Control
When operating platforms are changed, business critical applications are reviewed and tested to ensure there is no adverse impact on organisational operations or security.
|14.2.4||Restrictions on changes to software packages||Control
Modifications to software packages are discouraged but, limited to necessary changes and all changes are strictly controlled.
|14.2.5||Secure system engineering principles||Control
Principles for engineering secure systems have been established, documented, maintained and are applied to any information system implementation efforts.
|14.4.6||Secure development environment||Control
ACI Global has endeavoured to establish and appropriately protect secure development environments for system development and integration efforts that cover the its entire system development lifecycle.
ACI Global endeavours to supervise if demmed necessary and plans to monitor the activity of out sourced system development.
|14.4.8||System security testing||Control
Testing of security functionality is carried out during development.
|14.4.9||System acceptance testing||Control
Acceptance testing programs and related criteria have been established for new information systems, upgrades and new versions.
|14.3 Test Data|
|Objective: ACI Global endeavours to ensure the the protection of data used for testing.|
|14.3.1||Protection of test data||Control
Test data when applied is selected carefully, protected and controlled.
|15 Supplier relationships|
|15.1 Information security in supplier relationships|
|Objective: ACI Global endeavours to ensure protection of the organisation’s assets that are accessible by suppliers.|
|15.1.1||Information security policy for supplier relationships||Control
Information security requirements for mitigating the risks associated with supplier’s access to the organisation’s assets have been agreed with the supplier and documented.
|15.1.2||Addressing security within supplier agreements||Control
All relevant information security requirements have been established and agreed with each supplier that may have access, process, store, communicate, or provide IT infrastructure components for, the organisation’s information.
|15.1.3||Information and communication technology supply chain||Control
Agreements with suppliers include requirements to address the information security risks associated with information and communications technology services and product supply chain.
|15.2 Supplier service delivery management|
|Objective: ACI Global endeavours to ensure it maintains an agreed level of information security and service delivery in line with supplier agreements.|
|15.2.1||Monitoring and review of supplier services||Control
ACI Global endeavours to regularly monitor, review and audit supplier service delivery.
|15.2.2||Managing changes to supplier services||Control|
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, is managed, taking account of the Criticality of the business information, systems and processes involved and re-assessment of risks.
|16 Information security incident management|
|16.1 Management of information security incidents and improvements|
|Objective: ACI Global endeavours to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.|
|16.1.1||Responsibilities and procedures||Control
Management responsibilities and procedures have been established to ensure a quick, effective and orderly response to information security incidents.
|16.1.2||Reporting information security events||Control
Information security events are reported through appropriate management channels as quickly as possible.
|16.1.3||Reporting information security weaknesses||Control
Employees and contractors using the organiation’s information systems and services are required to note and report any observed or suspected information security weaknesses in systems or services.
|16.1.4||Assessment of and decision on information security events||Control
Information security events are assessed and if it is decided they are to be classified as information security incidents, they are to be actioned according to the documented procedures.
|16.1.5||Response to information security incidents||Control
Information security incidents shall be responded to in accordance with the documented procedures.
|16.1.6||Learning from information security incidents||Control
Knowledge gained from analysing and resolving information security incidents is used to reduce the likelihood or impact of future incidents.
|16.1.7||Collection of evidence||Control
ACI Global has in place processes to define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
|17 Information security aspects of business continuity management|
|17.1 Information security continuity|
|Objective: ACI Global's Information security continuity is embedded in the organisation’s business continuity management systems.|
|17.1.1||Planning information security continuity||Control
ACI Global has determined its requirements for information security and the continuity of information security management to cater for adverse situations, e.g. during a crisis or disaster.
|17.1.2||Implementing information security continuity||Control
ACI Global has established, documented, implemented and maintained processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
|17.1.3||Verify, review and evaluate information security continuity||Control
ACI Global has processes in place to verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
|Objective: ACI Global endeavours to ensure it has in place the availability of information processing facilities.|
|17.2.1||Availability of information processing facilities||Control
Information processing facilities have been implemented with redundancy sufficient to meet availability requirements.
|18.1 Compliance with legal and contractual requirements|
|Objective: ACI Global endeavours to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.|
|18.1.1||Identification of applicable legislation and contractual requirements||Control
All relevant legislative statutory, regulatory, contractual requirements and ACI Global's approach to meet these requirements is explicitly identified, documented and kept up to date for each information system and the organisation.
|18.1.2||Intellectual property rights||Control
Appropriate procedures have been implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
|18.1.3||Protection of records||Control
Records are protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements.
|18.1.4||Privacy and protection of personally identifiable information||Control
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
|18.1.5||Regulation of crypto- graphic controls||Control
Cryptographic controls are used in compliance with all relevant agreements, legislation and regulations.
|18.2 Information security reviews|
|Objective: ACI Global endeavours to ensure that information security is implemented and operated in accordance with ACI Global's organisational policies and procedures.|
|18.2.1||Independent review of information security||Control
ACI Global's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) is reviewed independently at planned intervals or when significant changes occur.
|18.2.2||Compliance with security policies and standards||Control
Directors regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
|18.2.3||Technical compliance review||Control
Information systems are regularly reviewed for compliance with the organisation’s information security policies and standards.