1 · Purpose
This policy establishes the requirements for operations security policy within the CAO-400 Cybersecurity. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.
2 · Scope
This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.
3 · Policy statements
3.x · CAO-450 Policy Controls
The organisation shall establish, implement and maintain a coherent and effective approach to operations security, giving effect to the organisational control objectives set out below.
3.1 · CAO-451 Operating Procedures
The organisation shall establish, implement and maintain effective Operating Procedures, giving effect to the organisational controls set out below.
3.1.x · CAO-451 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.2 · CAO-452 Threat Intelligence
The organisation shall establish, implement and maintain effective Threat Intelligence, giving effect to the organisational controls set out below.
3.2.x · CAO-452 Organisational Controls
3.3 · CAO-453 Endpoint Protection
The organisation shall establish, implement and maintain effective Endpoint Protection, giving effect to the organisational controls set out below.
3.3.x · CAO-453 Organisational Controls
3.4 · CAO-454 Logging
The organisation shall establish, implement and maintain effective Logging, giving effect to the organisational controls set out below.
3.4.x · CAO-454 Organisational Controls
3.5 · CAO-455 Security Monitoring and Detection
The organisation shall establish, implement and maintain effective Security Monitoring and Detection, giving effect to the organisational controls set out below.
3.5.x · CAO-455 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.6 · CAO-456 Clock Synchronisation
The organisation shall establish, implement and maintain effective Clock Synchronisation, giving effect to the organisational controls set out below.
3.6.x · CAO-456 Organisational Controls
4 · Roles & responsibilities
- Governing body — approves this policy and oversees its effectiveness.
- Executive management — allocates resources and assigns control ownership.
- Control owners — implement, operate and evidence the controls in their area.
- All personnel & third parties — comply with this policy within their role.
5 · Compliance, monitoring & review
Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.
