Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of information processing facilities

Responsibilities and procedures for the management of all computers, networks and information processing facilities should be established.

Documented operating procedures

The operating procedures identified by the Information Security Policy relating to all information processing should be documented and maintained under formal change control.

Change management

All changes to operational information processing facilities and systems should be controlled.

Segregation of duties

Segregation of duties should be considered to minimise the risk of negligent or deliberate system misuse.

Separation of development, test and operational facilities

Development and testing facilities should be isolated from operational systems. Rules for the promotion of software to operational status should be defined and documented.