Overview
Documented operating procedures are essential for ensuring the secure and consistent operation of information processing facilities. These procedures provide a clear framework for handling tasks, safeguarding organisational assets, and mitigating risks, all while supporting confidentiality, integrity, and availability of information.
Purpose
The primary purpose of documented operating procedures is to ensure that operational activities are performed correctly and securely. This control supports consistent practices across the organisation and reduces the likelihood of errors or mismanagement, particularly in critical or complex tasks.
Guidance
Preparing Documented Procedures
Operating procedures should be prepared for operational activities associated with information security and made available to the personnel who need them. Documentation is particularly important when:
The activity needs to be performed uniformly by multiple individuals.
The activity is performed infrequently, increasing the likelihood of procedural steps being forgotten.
The activity is new and presents risks if not executed correctly.
Responsibility for the activity is being handed over to new personnel.
Key Elements of Operating Procedures
Documented operating procedures should include the following:
Responsible Individuals: Clearly identify the personnel responsible for each activity or task.
Secure Installation and Configuration: Provide detailed instructions for the secure installation and configuration of systems.
Processing and Handling of Information: Include guidelines for both automated and manual processes.
Backup and Resilience: Specify backup schedules, processes, and recovery plans (refer to 8.13).
Scheduling Requirements: Outline dependencies with other systems and timing requirements.
Error Handling: Define instructions for managing errors or other exceptional conditions that can arise while the task is being performed, including any restrictions on the use of utility programs (see 8.18).
Support and Escalation Contacts: Include internal and external support contacts for operational or technical difficulties.
Storage Media Handling: Provide instructions for handling storage media (refer to 7.10 and 7.14).
System Restart and Recovery: Detail procedures for restarting and recovering systems after failure.
Audit Trails and Logs: Specify requirements for managing audit trails, system logs (refer to 8.15 and 8.17), and video monitoring systems (refer to 7.4).
Monitoring Procedures: Include monitoring guidelines for capacity, performance, and security (refer to 8.6 and 8.16).
Maintenance Instructions: Provide detailed maintenance steps to ensure systems remain secure and operational.
Reviewing and Updating Procedures
Documented procedures should be reviewed at a defined interval and updated whenever the systems or activities they describe change. Changes to a procedure must be authorised before they take effect and communicated to the personnel who rely on it. Where feasible, systems should be managed consistently using standardised procedures, tools, and utilities.
Importance of Documentation
Properly documented procedures enhance operational efficiency, reduce errors, and provide clear guidance during routine and exceptional situations. They also help ensure:
Continuity of operations despite personnel changes.
Faster recovery in case of incidents.
Consistency in system and information management.
Conclusion
Documented operating procedures are a cornerstone of an effective information security management framework. By providing clear, comprehensive, and regularly updated guidance, organisations can ensure that information processing facilities operate securely and efficiently, supporting their overall security objectives and reducing risks to their assets.