Minimum security controls
The type and complexity of security controls, and the extent to which they are deployed, will be dictated by various factors. These include:
- the method of processing and sharing
- the sensitivity of information
- the amount of information involved
It is necessary to set out minimum security controls to protect information. This:
- promotes a consistent approach
- helps support service areas to perform their business activity in a safe and secure manner
To ensure the standards are communicated to and agreed by third parties, they must be formalised. This can be within an information sharing agreement or written contract, depending on the nature of the third-party relationship.
Any deficiencies in controls must be subject to a documented risk management process. Where appropriate, a remedial action plan must be implemented with the aim of reducing those deficiencies where possible.