10.8.5 Business Information systems

[heidarka]

hi,

I am sitting at my desk and having a brain melt down

this control 10.8.5 - can someone give me a example of a policy that could cover this one or just help me out with it.

thanks,

Heidar

[nanda245]

Control
Policies and procedures should be developed and implemented to protect information associated with
the interconnection of business information systems.
Implementation guidance
Consideration given to the security and business implications of interconnecting such facilities should
include:
a) known vulnerabilities in the administrative and accounting systems where information is
shared between different parts of the organization;
b) vulnerabilities of information in business communication systems, e.g. recording phone
calls or conference calls, confidentiality of calls, storage of facsimiles, opening mail,
distribution of mail;
c) policy and appropriate controls to manage information sharing;
d) excluding categories of sensitive business information and classified documents if the
system does not provide an appropriate level of protection
e) restricting access to diary information relating to selected individuals, e.g. personnel
working on sensitive projects;
f) categories of personnel, contractors or business partners allowed to use the system and the
locations from which it may be accessed
g) restricting selected facilities to specific categories of user;
h) identifying the status of users, e.g. employees of the organization or contractors in
directories for the benefit of other users;
i) retention and back-up of information held on the system
j) fallback requirements and arrangements

Office information systems are opportunities for faster dissemination and sharing of business
information using a combination of: documents, computers, mobile computing, mobile
communications, mail, voice mail, voice communications in general, multimedia, postal
services/facilities and facsimile machines.
Other Information

Hope this helps you

Nanda