1051 NW 14th St., Suite 165
(UM mail routing R-26)
Miami, FL 33136
Receptionist: 305-243-6475
Hours: 8:30am - 5:00pm, M-F
Help Desk: 305-243-5999
Hours: 24/7
General fax: 305-243-6417
Admin. fax: 305-243-2622
Recommended Data Practices
The Recommended Data Practices (RDP) are based on the ISO 27001/27002 standards. They are offered for educational purposes only, as a guide to possible components of information security policies and procedures. For additional information see the Frequently Asked Questions (FAQ) section. Word and PDF versions are available.
• FAQ about the RDPs
--What are these, and where do they come from?
--Are these intended as organizational policies?
--Are these a guide to personal data security practices?
--What are the conditions of use?
--What if I have questions?
RDP Index
• Organization of Information Security
--Objective
--Management commitment
--Allocation of responsibilities
--Coordination of efforts
--Authorization processes
--Confidentiality and non-disclosure agreements
--Contacts with authorities
--Contacts with special interest groups
--Contacts and contracts with external parties
--Contacts and contracts with customers
--Independent review of information security
• Privacy and security policies
--Objective
--Scope
--Approval
--Documentation
--Communication, training and awareness
--Periodic review
--Coordination with other policies
• Risk assessment and treatment
--Objective
--Risk assessment
--Risk treatment
--Risk documentation
• Human resources security
--Objective
--Scope
--Roles and responsibilities
--Pre-employment screening
--Terms and conditions of employment
--Additional pre-employment agreements
--Management responsibilities
--Information security awareness, education and training
--Disciplinary process
--Termination responsibilities
--Return of assets
--Removal of access rights
• Physical and environmental security
--Objective
--Physical security perimeter
--Physical entry control
--Protection against external and environmental threats
--Working in sensitive areas
--Public access, delivery and loading access
--Equipment siting and protection
--Supporting utilities
--Cabling security
--Equipment maintenance
--Removal of property to off-premises locations
--Security of property off-premises
--Secure disposal or re-use of property
• Asset management
--Objective
--Inventory of assets
--Types of assets
--Ownership (control) of assets
--Classification of assets
--Labeling and handling
--Acceptable use of assets
• Asset acquisition, development and maintenance
--Objective
--Requirements analysis and specification
--Correct processing in applications
--Use of cryptographic controls
--Cryptographic key management
--Security of operational software
--Security of software code and test data
--Controls against malicious code
--Change control procedures
--Outsourced software development
--Information leakage
--Control of technical vulnerabilities
• Authentication and access control
--Objective
--Access control policy
--Access control policy content
--User access management policy
--User registration
--Privilege management
--User password management
--User access token management
--Review of user access rights
--Policy on use of network services
--User authentication for remote connections
--Equipment/location identification in networks
--Remote diagnostic and configuration port protection
--Segregation in networks
--Network connection control
--Network routing control
--Control of use of systems
--Secure log-on procedures
--User identification and authentication
--Password management system
--Access token management system
--Biometric access management system
--Use of system utilities that override controls
--Session time-out
--Limitation of connection time and location
--Information access restriction
--Sensitive system isolation
• Mobile computing and tele-working
--Objective
--Mobile computing and tele-working controls
--Applicability
--Portable devices and media controls
--Controls against malicious mobile code
--Tele-working controls
• Operations management
--Objective
--Documented operating procedures
--Segregation of duties
--Separation of development, test and operational facilities
--Controls for centralized resources
--Security of centralized resources
--Network controls
--Security of network services
--Client device controls
--Security of client devices
--Inter-connected information systems
--Internet and electronic messaging
--Electronic commerce
--On-line transactions
--Publicly available information
--Change and project management
--System acceptance criteria
--Incident and problem management
--Configuration management
--Service level and capacity management
--Third-party service contracts
--Monitoring and review of third-party services
--Managing changes to third-party services
• Data lifecycle management
--Objective
--Sensitivity level
--Retention period
--Information handling
--Information back-up
--Management of storage media
--Physical media in transit
--Electronic data transfers
--Disposal of media
--Security of system documentation
--Information exchange policies and procedures
--Exchange agreements
• Monitoring and audit logging
--Objective
--Monitoring
--Audit logging
--Protection of log information
--Retention of log information
--Administrator and operator logs
--Fault logging
--Clock synchronization
• Information security incident management
--Objective
--Reporting information security events
--Reporting information security weaknesses
--Responsibilities and procedures for security incident response
--Investigation of incidents
--Collection of evidence
--Learning from information security incidents
• Business continuity (disaster recovery) management
--Objective
--Information security in the business continuity management process
--Business continuity and risk assessment
--Developing and implementing continuity plans
--Business continuity planning framework
--Testing, maintaining and re-assessing plans
• Compliance with external and internal requirements
--Objective
--Identification of external and internal requirements
--Documentation
--Communication, training and awareness
--Periodic review
• Data retention classification
--Objective
--Applicability
--Retention criteria
--Retention classification level
--Mixed collections of data
--Retention "freezes"
--Retention classification responsibilities
--Retention classification review
--Documentation and historical record
• Data sensitivity classification
--Objective
--Applicability
--Sensitivity criteria
--Sensitivity classification level
--Sensitivity classification responsibilities
--Sensitivity classification review
--Documentation and historical record
--Data sensitivity classification matrix
• Terms and definitions
--Asset
--Authority
--Capability
--Control
--Countermeasure
--Guideline
--Data controller
--Data owner
--Data subject
--Data system
--Identified/identifiable data
--Incident
--Include(s)
--Information processing facilities
--Information security
--Information security event
--Information security incident
--Mobile computing
--Personal data
--Policy
--Procedure
--Risk
--Risk analysis
--Risk assessment
--Risk evaluation
--Risk management
--Risk treatment
--Safeguard
--Standard
--Tele-working
--Third party
--Threat
--Vulnerability
More information
ISO 17799/27001 Community Portal
Web portal for the 27001/27002 user group
ISO 27001 and ISO 27002 Directory
Tracks progress of the 27000 standards