5.2.2 Implemented controls to adequately address each of the defined security risks

From aptrust
Status: Ready for review
Compliance Rating: Fully compliant
Responsible: APTrust Staff

The repository shall have implemented controls to adequately address each of the defined security risks.

Supporting Text

This is necessary in order to ensure that controls are in place to meet the security needs of the repository.

Examples for Meeting the Requirement

Repository employs the codes of practice found in the ISO 27000 series of standards; maintains a system control list; performs risk, threat, or control analyses; and adds controls based on ongoing risk detection and assessment. Repository maintains ISO 17799 certification. (ISO/IEC 17799 has since been renumbered as ISO/IEC 27002, the code of practice; formal certification of an information security management system is against ISO/IEC 27001.)

Discussion

The repository should show how it has dealt with its security requirements. If some types of material are more likely to be attacked, for instance, the repository will need to provide more protection for them. Repositories that have experienced incidents could record such instances, including the times when systems or content were affected, and describe the procedures that have been put in place to prevent similar occurrences in the future. Repositories may also conduct a variety of disaster drills, which may involve their parent organization or the community at large. Contingency plans are especially important and need to be tested, updated, and revised on a regular basis.

Evidence Provided

Threat model and mitigations are documented here: Risk Management, Threats, and Mitigations