IT security requirements

2009.11.23

The IT security certification procedure of an electronic sales services provider covers the following six fields:

1. Organization of information security, Management Responsibilities.
2. Data asset classification.
3. Security requirements of applications.
4. Physical and environmental security.
5. Control of technical vulnerabilities.
6. Business continuity management.

The system of criteria of the certification is based on the following domestic and international standards and recommendations:

COBIT 4.1.
Control Objectives for Information and related Technology

MSZ ISO/IEC 27001:2006
IT Security Management System

ISO/IEC 20000:2008
IT Service Management System. (ITILv3)

Requirements:

1. Organization of information security, Management Responsibilities.
The Organisational and Operating Rules must clearly define and separate the tasks, responsibilities and competences of the individual organisational units and personnel, so that organisational objectives are achieved effectively, overlapping responsibilities are minimised and, not least, the persons in charge can be held accountable.

2. Data asset classification.
All important digital data assets must be inventoried.
Every digital data asset must have an identified owner, who designates the data managers (persons and posts) that handle and process it.
Before the security grades of the IT systems are defined, the types of damage listed in the manual must be taken into account: they are aggregated, irrelevant types are omitted and others are expanded on as necessary.

3. Security requirements of applications.
Areas examined during certification:

· Transaction management
· Access management
· Configuration management
· Change management
· Incident management

The controls over the above areas must be proportionate to the size of the organisation.

4. Physical and environmental security.
Business data processing equipment must be used and located in secure zones.
Where reasonable, dedicated security zones must be established and protected by appropriate security measures (reception service, night patrol, alarm system, etc.).

5. Control of technical vulnerabilities.
The audit will primarily cover the effectiveness of the anti-virus (malware) defence and of the network perimeter defence.

6. Business continuity management.
Even the most sophisticated security measures cannot guarantee the uninterrupted provision of an organisation's IT services. The organisation must therefore be able to keep its IT services running and to restore them after a disaster, so that its core activities are maintained and its digital assets can be recovered.