Indicator: General
Risk description: Unauthorised access to, and/or intrusion into, the economic operator's computer systems and/or programs.
Possible solutions:
- IT security policy, procedures and standards should be in place and available to staff; an ISO 27001 certificate demonstrates a high standard of IT security.
- An information security policy and a designated information security officer.
- Procedures for granting access rights to authorised persons; access rights are to be withdrawn immediately on transfer of duty or termination of employment.
- Access to data on a need-to-know basis.
- Use of encryption software where appropriate; firewalls; anti-virus protection.
- Password protection on all PC workstations and, where appropriate, on important programmes. When employees leave their workplace the computer should always be locked and protected by a password.
- Passwords should be at least eight characters long and mix two or more of: upper-case letters, lower-case letters, numbers and other characters. The longer the password, the stronger it is. Usernames and passwords should never be shared.
- Testing against unauthorised access; limit access to server rooms to authorised persons; perform intrusion tests at regular intervals and record the results.
- Implement procedures for dealing with incidents.
References: SAQ 3.7; ISO 27001:2013

Indicator: General
Risk description: Deliberate destruction or loss of relevant information.
Possible solutions:
- Contingency plan for loss of data.
- Back-up routines for system disruption/failure.
- Procedures for removing access rights.
- Restrict the use of the internet to sites appropriate to business activities.
References: ISO 28001:2007, section A 3; ISO 27001:2013