3.2.4 Cyber Security Review
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force
Principle
The cyber security status of the Member Organization’s information assets should be subject to periodic cyber security review.
Objective
To ascertain whether the cyber security controls are securely designed and implemented, and the effectiveness of these controls is being monitored.
Control considerations
1. Cyber security reviews should be periodically performed for critical information assets.
2. Customer and internet facing services should be subject to annual review and penetration tests.
3. Details of cyber security review performed should be recorded, including the results of review, issues identified and recommended actions.
4. The results of cyber security review should be reported to business owner.
5. Cyber security review should be subject to follow-up reviews to check that:
   a. all identified issues have been addressed;
   b. critical risks have been treated effectively;
   c. all agreed actions are being managed on an ongoing basis.