CPA3.4 Technical Resilience - Security

Purpose

The objective of security technical resilience is to ensure that data, and in particular confidential data, is handled in a safe and trustworthy manner by the organisation and its staff.

CC3.4: Capability completeness of Technical Resilience - Security

  1. Initial: There is some awareness of the need for security resilience, but this is not fully described or communicated. There is an intent to meet the specific objectives but there is no evidence of a procedure in place to do so.
  2. Partial: There is at least one required activity that is not present or not at a repeatable level. There is evidence that the direction the organisation is taking will lead to a complete capability in this area.
  3. Complete: All required activities are shown to be present in the organisation and at least at a defined level.

 

SO3.4.1: Description of IT Security Systems

The organisation maintains a description of its IT security infrastructure that includes planning and procedures to mitigate security issues, concerns and incidents.

RA3.4.1.1: Policy and security planning documentation

Policy and security planning documentation is maintained by a responsible role and is communicated throughout the organisation. Information about current or imminent security threats and issues is regularly circulated throughout the organisation.

(0) Not defined:

There is no evidence of a security policy or planning document, or there is little awareness of the requirement for one.

(1) Initial:

There are some elements of a security policy within other policy documentation. There is no formal security planning or procedural documentation and all incidents are handled reactively when necessary. There are occasional security bulletins circulated. Not all staff are aware of the security.

(2) Repeated/partial:

There is a security policy document. There is little or no formally written security planning or procedural documentation. Procedures come from repeated practice.

(3) Defined:

Policy, security planning and security procedures documentation is maintained by a responsible role. It is communicated throughout the organisation. Security bulletins are circulated regularly and all staff are aware of the security procedures relevant to their role and function.

(4) Managed:

Policy, planning and security procedures are monitored and records of incidents are maintained.

(5) Optimised:

At regular intervals the security policy, planning and procedures are reviewed and altered as required. Changes are communicated to all relevant stakeholders.

SO3.4.2: Staff Roles and Responsibilities Related to Security

The organisation ensures that all staff understand and comply with security requirements that are part of their roles and responsibilities.

RA3.4.2.1: Staff awareness of security

A role has been assigned to manage security documentation, issues, concerns and incidents. All staff are aware of their individual responsibilities for ensuring that the safety of the technical infrastructure is maintained.

(0) Not defined:

There is no role assigned to take care of security, or this is not applicable.

(1) Initial:

An individual takes care of security matters, but a role has not been tasked with responsibility; this may be inadequate. Some of the staff are aware of their responsibilities regarding security and safety of the technical infrastructure.

(2) Repeated/partial:

A role has been assigned to manage security matters and documentation and there are adequate staff to perform this role. Most of the staff are aware of their responsibilities regarding security and safety of the technical infrastructure and the repository.

(3) Defined:

A role has been assigned to manage security matters and documentation and there are adequate staff to perform this role, including the communication of security issues and incidents. All staff are trained in security matters relevant to their work and are kept up to date on current issues and threats.

(4) Managed:

The staff level required to adequately perform the security tasks and documentation is monitored and adjusted accordingly. Training of staff is monitored. Security incidents and threats are recorded.

(5) Optimised:

At regular intervals staff awareness of security is assessed and training is reviewed.

 

SO3.4.3: Viruses and Malware in Digital Objects

The organisation monitors and scans all deposited digital objects to ensure that they are not infected with software viruses or malware, so that viruses are not retransmitted to data users.

RA3.4.3.1: Scanning, quarantining and disinfection of digital objects

The organisation scans for infection with software viruses and malware on all new digital objects that are deposited (and all existing digital objects held by the repository) and if an issue is found then a quarantine or disinfection procedure is followed.

(0) Not defined:

There is no scanning or monitoring for virus or malware infections in deposited digital objects, there is no awareness of the topic, or this is not applicable.

(1) Initial:

There is monitoring of the situation for all new deposits of digital objects, but there is no standard procedure for quarantining the infected digital objects, their removal, or disinfection of the virus or malware.

(2) Repeated/partial:

There is regular monitoring and scanning of the situation for all new deposits of digital objects. Procedures for handling an infection have grown out of repeated practice, but there is no documented procedure for quarantining the infected digital objects, their removal, or disinfection of the virus or malware.

(3) Defined:

There is regular monitoring and scanning of the situation for all new and existing deposits of digital objects. Procedures for handling instances of infection are documented and are in accordance with other service policies and service level agreements. The depositor is informed of the infection.

(4) Managed:

Monitoring of the level of infections detected and containment procedures are undertaken. All incidents are recorded. A communication plan is used to communicate to all relevant stakeholders.

(5) Optimised:

At regular intervals the procedures for managing infections of viruses and malware are reviewed. If adjustments are required to be made in the policy or procedure then these are communicated to all relevant stakeholders in accordance with the communication plan.

 

SO3.4.4: Decommissioning of Data Storage Hardware

The organisation ensures that no data, and in particular no confidential data, remains accessible on decommissioned data storage hardware.

RA3.4.4.1: Decommissioning procedure for Data Storage Hardware

A policy and procedure for the safe and trustworthy destruction of data from (or decommissioning of) data storage media are implemented for all computer hardware decommissioned at the end of its useful life.

(0) Not defined:

There is no evidence that data is destroyed during the decommissioning of storage media, or this is not applicable.

(1) Initial:

Individuals involved in the decommissioning of computers may consider the overwriting of data for deletion, but to no particular standard.

(2) Repeated/partial:

Data is destroyed during decommissioning using a method suitable for the media, but this comes through repeated practice.

(3) Defined:

There is a policy and clear set of procedures followed for the safe and trustworthy destruction of data from data storage media.

(4) Managed:

Implementation of the procedures for destruction of data during decommissioning of data storage media is monitored for quality.

(5) Optimised:

At regular intervals the procedures for data destruction are reviewed, and if necessary updated.