Information Systems Security

Physical Control

  • control and monitor the physical access to areas housing the computer resources
  • shield computer systems and communication links for particularly sensitive installations
  • provide uninterrupted power supply and air conditioning for computer equipment
  • install devices or take precaution to protect computer systems against disasters

Technical Control

Access Control
  • define levels of access rights
  • avoid shared accounts
  • remind staff to keep their passwords strictly confidential and change the passwords periodically
  • protect access to terminals
  • restrict execution of sensitive applications at designated terminals
Data Control
  • classify data into different security levels
  • encrypt confidential data
  • shred confidential documents, format storage media before disposal
  • keep up-to-date data backup
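The Access Control item "define levels of access rights" and the Data Control item "classify data into different security levels" fit together as a lattice check: each user holds a clearance, each object carries a classification, and the need-to-know principle is expressed as compartments. The following is an added example (not code from the original page); the level names, compartment names and sample subjects and objects are constructed for illustration.

```python
"""Access decision on ordered security levels plus need-to-know compartments.

Added illustration; not code from the original page. LEVELS, the compartment
names and the sample labels below are constructed for this example.
"""
from dataclasses import dataclass, field

# Ordered classification levels; a higher index is more sensitive.
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass(frozen=True)
class Label:
    """Security label: a level plus the compartments (need-to-know areas)."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` on the level
        scale and covers every compartment `other` carries."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """'No read up': the subject's clearance must dominate the object's
    classification, including its need-to-know compartments."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """'No write down': a subject may only write to objects whose label
    dominates its own, so confidential content cannot flow to a lower level."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, action: str) -> bool:
    """Access decision for one request; unknown actions are refused loudly."""
    if action == "read":
        return can_read(subject, obj)
    if action == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown action {action!r}")


# Constructed sample labels for the demonstration.
ANALYST = Label("confidential", frozenset({"payroll"}))
CLERK = Label("internal")
PAYROLL_FILE = Label("confidential", frozenset({"payroll"}))
HR_FILE = Label("confidential", frozenset({"hr"}))
NOTICE = Label("public")

if __name__ == "__main__":
    requests = [
        ("analyst", ANALYST, "payroll file", PAYROLL_FILE, "read"),   # allowed
        ("analyst", ANALYST, "HR file", HR_FILE, "read"),             # denied: no 'hr' compartment
        ("clerk", CLERK, "payroll file", PAYROLL_FILE, "read"),       # denied: level too low
        ("analyst", ANALYST, "public notice", NOTICE, "write"),       # denied: write down
    ]
    for who, subj, what, obj, act in requests:
        verdict = "allow" if decide(subj, obj, act) else "deny"
        print(f"{who} {act} {what}: {verdict}")
```

The two rules together mean a user with the right level but the wrong compartment is still refused, which is what "need-to-know" adds on top of plain levels.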
Network Control
  • install firewalls
  • install intrusion detection systems
  • install monitoring systems
  • separate particularly sensitive applications from routine ones
Application Control
  • input control: check that data is valid, accurate, complete and in the correct format at the time of input
  • processing control: ensure the consistency and integrity of the processed/master data
  • output control: ensure that reports and other outputs generated from the system are distributed to authorized users only
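The three Application Control items above map onto three checks in code: field validation at input, a reconciliation of the processed batch against the control figures declared with it, and a recipient check before a report leaves the system. The following is an added example (not code from the original page); the record layout, field rules, batch header and recipient list are constructed for illustration.

```python
"""Input, processing and output controls on a constructed batch of payments.

Added illustration; not code from the original page. The field rules,
sample records, batch header figures and recipient list are constructed.
"""
import re
from datetime import date

# Input control: presence, format and range rules for one record.
ACCOUNT_RE = re.compile(r"^\d{8}$")
REQUIRED = ("account", "amount", "date", "payee")


def validate_record(rec: dict) -> list:
    """Return the problems found in one input record (empty list = valid)."""
    problems = [f"missing {f}" for f in REQUIRED if not rec.get(f)]
    if problems:
        return problems                       # completeness before anything else
    if not ACCOUNT_RE.match(rec["account"]):
        problems.append("account must be 8 digits")
    try:
        amount = float(rec["amount"])
        if not 0 < amount <= 1_000_000:
            problems.append("amount out of range")
    except ValueError:
        problems.append("amount not numeric")
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        problems.append("date not ISO format YYYY-MM-DD")
    return problems


def accept_batch(records: list) -> tuple:
    """Input control over a batch: (accepted, rejected), where each rejected
    item pairs the record with its list of problems for correction."""
    accepted, rejected = [], []
    for rec in records:
        problems = validate_record(rec)
        if problems:
            rejected.append((rec, problems))
        else:
            accepted.append(rec)
    return accepted, rejected


def reconcile(accepted: list, expected_count: int, expected_total: float) -> bool:
    """Processing control: the processed batch must agree with the record
    count and control total declared when the batch was submitted."""
    total = round(sum(float(r["amount"]) for r in accepted), 2)
    return len(accepted) == expected_count and total == round(expected_total, 2)


# Output control: which users may receive which report (constructed).
AUTHORIZED_RECIPIENTS = {"payments-report": {"alice", "bob"}}


def distribute(report_name: str, recipients: list) -> tuple:
    """Return (sent, blocked): only recipients authorized for this report
    are delivered to; everyone else is held back for review."""
    allowed = AUTHORIZED_RECIPIENTS.get(report_name, set())
    sent = [r for r in recipients if r in allowed]
    blocked = [r for r in recipients if r not in allowed]
    return sent, blocked


# Constructed sample batch: one good record and three with typical defects.
BATCH = [
    {"account": "12345678", "amount": "250.00", "date": "2024-03-01", "payee": "ACME Ltd"},
    {"account": "1234", "amount": "40.00", "date": "2024-03-01", "payee": "Short Acct"},
    {"account": "87654321", "amount": "abc", "date": "2024-13-01", "payee": "Bad Fields"},
    {"account": "11112222", "amount": "100.50", "date": "2024-03-02", "payee": ""},
]
BATCH_HEADER = {"count": 4, "total": 390.50}   # figures declared with the batch

if __name__ == "__main__":
    accepted, rejected = accept_batch(BATCH)
    for rec, problems in rejected:
        print("rejected", rec["account"], problems)
    # The batch does not balance until the rejected records are resolved.
    print("balanced:", reconcile(accepted, BATCH_HEADER["count"], BATCH_HEADER["total"]))
    print("delivery:", distribute("payments-report", ["alice", "mallory"]))
```

The reconciliation failing after rejections is the intended behaviour: it forces the rejected records to be corrected and resubmitted rather than silently dropped.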
Audit Trail
  • subject audit trail records to random checks
  • retain audit trail logs for a specified period
  • prohibit any alterations to audit trail logs
  • make the audit trail accessible to authorized persons only
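"Prohibit any alterations" is easier to enforce when the log itself reveals alteration: if each entry carries a hash over its predecessor's hash and its own content, editing, inserting or deleting an entry after the fact breaks the chain at the next verification, and the "random checks" item becomes a sampled verification of that chain. The following is an added example (not code from the original page); the record fields and sample events are constructed for illustration.

```python
"""Tamper-evident audit trail built as a hash chain.

Added illustration of the Audit Trail items above (random checks, no
alterations); not code from the original page. The record fields and the
sample events are constructed for this example.
"""
import hashlib
import json
import random

GENESIS = "0" * 64  # predecessor hash used for the very first entry


def _digest(seq: int, prev: str, record: dict) -> str:
    """SHA-256 over the entry's position, its predecessor's hash and its
    content, serialised as canonical JSON so key order cannot alter it."""
    payload = json.dumps({"seq": seq, "prev": prev, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log: list, record: dict) -> dict:
    """Append one audit record; appending is the only legitimate change."""
    seq = len(log)
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": _digest(seq, prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Exhaustive walk. Returns (True, None) if every entry is intact,
    otherwise (False, seq) for the first entry that does not fit."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != _digest(i, prev, entry["record"])):
            return False, i
        prev = entry["hash"]
    return True, None


def spot_check(log: list, sample_size: int, seed=None) -> list:
    """Random check: each sampled entry must match its own hash and be
    referenced correctly by its successor. Returns failing seq numbers.
    Only verify_chain() is exhaustive; a sample can miss an alteration."""
    rng = random.Random(seed)
    picked = rng.sample(range(len(log)), min(sample_size, len(log)))
    bad = []
    for i in picked:
        e = log[i]
        ok = e["hash"] == _digest(i, e["prev"], e["record"])
        if ok and i + 1 < len(log):
            ok = log[i + 1]["prev"] == e["hash"]
        if not ok:
            bad.append(i)
    return sorted(bad)


def build_sample_log() -> list:
    """Constructed events for the demonstration."""
    log = []
    append_entry(log, {"user": "alice", "action": "login", "ok": True})
    append_entry(log, {"user": "alice", "action": "read", "obj": "payroll.db"})
    append_entry(log, {"user": "bob", "action": "login", "ok": False})
    return log


def tampered_log() -> list:
    """The same log after entry 1 is edited and only its own hash recomputed;
    entry 2 still points at the old hash, so the chain breaks there."""
    log = build_sample_log()
    log[1]["record"]["obj"] = "public-notice.txt"
    log[1]["hash"] = _digest(1, log[1]["prev"], log[1]["record"])
    return log


if __name__ == "__main__":
    print(verify_chain(build_sample_log()))   # (True, None)
    print(verify_chain(tampered_log()))       # (False, 2)
```

A hash chain makes alteration detectable, not impossible: someone who can rewrite the whole file can recompute every hash, so the tail hash should be copied periodically to a place the log writer cannot reach (a separate host, a signed checkpoint, write-once media), which is also what the "retain logs for a specified period" item relies on.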
Virus Attack Protection
  • install memory-resident anti-virus software, keep it up-to-date
  • perform virus scan on all external files and electronic mail attachments
  • scan external disks with anti-virus software before use
  • remove unnecessary floppy disk and compact disk drives from workstations to prevent accidental or intentional system booting with an infected disk
Disaster Recovery Planning
  • devise a disaster recovery plan
  • maintain up-to-date backup of data, programs, documentation and other system utilities
  • establish a fully-functional stand-by recovery site

Management Control

Security Policies
  • formulate a computer security policy and lay down guidelines for practices
  • define the classification of computer resources and the corresponding security levels
  • define responsibilities and accountabilities of staff given access rights
  • define access control based on the principles of "Need-to-know, Need-to-do, Need-to-use"
  • establish a “clear-desk” policy to ensure that confidential documents and storage media are locked away when not in use
  • prohibit the use of pirated software and the processing of personal files or data on the system
Personnel Security
  • establish policies and procedures for recruitment screening, job rotation, and disciplinary actions
  • include staff's responsibilities for protecting information security in their job descriptions
  • establish a mechanism to ensure access rights of dismissed, resigned or transferred employees are immediately revoked
Education and Training
  • provide security education and technical training for the staff concerned
  • circulate reminders to staff on a regular basis
Supervision
  • regularly conduct supervisory checks
Segregation of Duties
  • segregate duties to ensure that no single person has full control of the entire process

Security Audits

  • conduct reviews on the control regularly, preferably by an independent party
