5.2.2 Implemented controls to adequately address each of the defined security risks
|Status|Ready for review|
|Compliance Rating|Fully compliant|
The repository shall have implemented controls to adequately address each of the defined security risks.
This is necessary in order to ensure that controls are in place to meet the security needs of the repository.
Examples for Meeting the Requirement
Repository employs the codes of practice found in the ISO 27000 series of standards; a system control list; risk, threat, or control analyses; and the addition of controls based on ongoing risk detection and assessment. Repository maintains ISO 17799 (since renumbered ISO/IEC 27002) certification.
The repository should show how it has dealt with its security requirements. For instance, if some types of material are more likely to be attacked, the repository will need to provide more protection for them. Repositories that have experienced incidents could record such instances, including the times when systems or content were affected, and describe the procedures that have since been put in place to prevent similar occurrences. Repositories may also conduct a variety of disaster drills, which may involve their parent organization or the community at large. Contingency plans are especially important and need to be tested, updated, and revised on a regular basis.
The threat model and mitigations are documented here: Risk Management, Threats, and Mitigations