A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.
Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.
The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
Security perimeters should be defined and used to protect areas that contain information and other associated assets.
Secure areas should be protected by appropriate entry controls and access points.
Physical security for offices, rooms and facilities should be designed and implemented.
Premises should be continuously monitored for unauthorized physical access.
Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, should be designed and implemented.