
Egyptian Code for Information Security V1.0.

0. Terms and definitions

The following terms and definitions apply to this document.

Agency
Any organization, department, agency, or establishment concerned with this code.

Asset
Anything that has value to the Agency.

Controls
Means of managing risk, including policies, procedures, guidelines, practices or
organizational structures, which can be of administrative, technical, management, or legal
nature. NOTE: Control is also used as a synonym for safeguard or countermeasure.

Guideline
A description that clarifies what should be done and how, to achieve the objectives set out in
policies.

Information Processing Facilities
Any information processing system, service or infrastructure, or the physical locations housing them.

Information Security
Preservation of confidentiality, integrity and availability of information; in addition, other
properties, such as authenticity, accountability, non-repudiation, and reliability can also be
involved.

Information Security Event
An identified occurrence of a system, service or network state indicating a possible breach of
information security policy or failure of safeguards, or a previously unknown situation that may
be security relevant.

Information Security Incident (Incident)
A single or a series of unwanted or unexpected information security events that have a
significant probability of compromising business operations and threatening information
security.

Policy
Overall intention and direction as formally expressed by management.

ISP
Information security policy.

PropertyofMSADTopConfidential Page1


Risk
A combination of the probability of an event and its consequence.

Risk Analysis
Systematic use of information to identify sources and to estimate the risk.

Risk Assessment
Overall process of risk analysis and risk evaluation.

Risk Evaluation
Process of comparing the estimated risk against given risk criteria to determine the significance of
the risk.

Risk Management
Coordinated activities to direct and control an organization with regard to risk. Risk
management typically includes risk assessment, risk treatment, risk acceptance and risk
communication.

Risk Treatment
Process of selection and implementation of measures to modify the risk in question.

Third party
A person or body that is recognized as being independent of the parties involved as concerns
the issue in question.

Threat
A potential cause of an unwanted incident, which may result in harm to a system or organization.

Vulnerability
A weakness of an asset or a group of assets that can be exploited by one or more threats.


1. Scope
This code of information security defines the guidelines to be followed by any
governmental agency in the process of implementing its information security policy. It is
detailed to the extent that it forms the minimum requirement and compact enough to
allow any agency to tailor its policy according to the nature of its operation. This code
would form the base for security policy assessment at the minimal requirement level.

It is not meant to be implemented by itself but rather to form a clear, comprehensive
guideline for designing an integrated Information Security Policy for the agency.

This Code is applicable to:

1. All governmental agencies and organizations that:
a. Have network connections with other agencies
b. Have remote connections to remote offices
c. Provide services over a public data network whatsoever
d. Deal with third parties for information or information asset services
e. Utilize information service outsourcing
2. Any third party nongovernmental organization that provides information and/or
information related services.


2. Introduction
It is a new world. It is the world of information and information technology. It is the world of
knowledge. It is the communication world. It is the cyber world. Whatever it is, and whatever
we call it, there is one fact: it is a world that depends thoroughly on information and information
systems. The strength and stability of establishments, organizations, agencies, persons and
governments are very much affected by two points:
a. How much information they possess, and
b. How competent they are in processing this information to transform it into knowledge
when it is needed.

This led the world to another definition, "The world of cyber crime". Nowadays, the cyber criminal
does not have to come through physical doors or windows. He does not have to carry his
theft or load it in a car or truck. He can simply let it fly through cyberspace part of the time, and
destroy it in place most of the time. In the field of information technology, crime can start at one
end by invading the information system to get a glance at some of the available information,
through changing part or all of the information content while leaving it in its place as if
untouched, up to what is called denial of use of this part of the information or information systems.
The effect of any of these actions can vary from simply putting a funny face on a friend's web site
up to the complete destruction of a nation's defense system and the destruction of economies.
The defense against such actions is what is called "Information Security", and the collection of
actions and routines to be implemented is called the "Information Security Plan".
Accordingly, Information Security is concerned with securing the following three aspects,
irrespective of who designs it, who applies it and where:
a. Confidentiality: Ensuring that information and information processing systems are only
accessible by authorized parties and within the limits of their authorization.
b. Integrity: Safeguarding the accuracy and completeness of the information and of the processing
systems and methods.
c. Availability: Ensuring that authorized users have access to information and assets when
required.

The weight placed on each aspect may vary according to the nature of the activity of the
organization and its sensitivity.

Is it a Choice, Requirement or Mandatory?

Up till very recently, for a person to commit a crime in Bombay he had to travel physically to
Bombay. Similarly, a crime committed in London stayed in London. These days, a person can
commit a crime in Cairo while he is actually in Los Angeles and vice versa. A crime committed in
Paris can spread to affect the whole world in a matter of seconds, as in the very well known
case of injecting a virus onto the Internet and distributing it through email. This is one of the
interpretations of the famous statement "The World Is Becoming a Small Village".
For this specific reason, the utilization of an information technology policy is becoming a joint
commitment of the whole information technology world, not only those in one organization or
country but the whole world. In addition, organizations are not only committed to applying a clear
information security policy, but all others who connect to the information processing
system of the organization also have to accept this policy. Otherwise, this organization, agency,
establishment or country will be disconnected and isolated.
Out of the above concept came the idea of preparing this "Egyptian Code of Information
Security" to create a joint way of thinking towards the subject of information technology
security for the whole nation and guarantee a minimum level of adequacy in securing the nation's
assets. This code was built on the same bases as the international standards for information
technology, especially ISO 27001. It is the second version of the Egyptian Code of Practice in
information technology issued by the Egyptian government.

Whose responsibility?
For a long time, the responsibility of protecting the organization's assets was carried by book
keepers and store keepers. Now, it is a little different. It is the responsibility of TOP
MANAGEMENT, carried out by a team of IT specialists. The reason for this change is that
information security is a matter of joint responsibility between all members of the organization,
affiliated entities, third parties, contractors, temporary employees and guests.

Where to Start?
The best starting point is always to form the Information Security Committee. This
committee includes all persons in the organization with authorization power in the area of
information processing and is headed by a top management person. It may, at certain points in
time, utilize external expert advice or consultancy.
The first task of the committee is to evaluate the IT security requirements of the organization. It is
essential that an organization identifies its security requirements. There are three main sources:
1. The first source is derived from assessing risks to the organization. Through risk
assessment, threats to assets are identified, vulnerability to them and likelihood of occurrence are
evaluated, and potential impact is estimated. This is detailed in chapter four of this
document.
2. The second source is the legal, statutory, regulatory and contractual requirements that an
organization, its trading partners, contractors and service providers have to satisfy.
3. The third source is the particular set of principles, objectives and requirements for
information processing that an organization has developed to support its operations.



Critical Success Factors
Experience has shown that TOP MANAGEMENT COMMITMENT is the most critical success
factor. In addition, the following factors are often critical to the successful implementation of
information security within an organization:
a) Security policy, objectives and activities that reflect business objectives;
b) An approach to implementing security that is consistent with the organizational
culture;
c) Visible support and commitment from management;
d) A good understanding of the security requirements, risk assessment and risk
management;
e) Effective marketing of security to all managers and employees;
f) Distribution of guidance on information security policy and standards to all employees
and contractors;
g) Providing appropriate training and education;
h) A comprehensive and balanced system of measurement which is used to evaluate
performance in information security management and feedback suggestions for
improvements.

Document Presentation and Usage

This document comes in two formats. A summarized format, which provides the suggested
actions and controls and is indicated by Vx.x S. The second is a more detailed format that includes in
addition the principles, objectives, requirements, risks, controls and implementation guidance for
each task and is indicated by Vx.x D. It is divided into 15 chapters, each handling a separate
aspect of security.
This code may be regarded as a starting point for developing organization specific guidance. In
some situations, not all of the guidance and controls in this code of practice will be applicable.
On the other hand, where it is applicable it forms the minimum requirements, and additional
controls not included in this document may be required. When this happens it may be useful to
retain cross-references which will facilitate compliance checking by auditors and business
partners.


3. Structure of the document

This document is divided into 15 different sections. Each contains several sub-sections. It
is built in exactly the same way as the ISO 27001 international standard for Information
Technology. It was built this way in order to facilitate its understanding and
implementation, especially by specialists who are familiar with the
international code and by foreign IT technologists and experts who are serving in Egypt.
Each section and sub-section is divided according to the following scheme:

i) Principle: Main idea behind this section (reason for inclusion).
ii) Objective: What will be achieved.
iii) Context:
(1) Scope: What this section covers.
(2) Requirements: What needs to be done to achieve the above objectives.
iv) Control(s): Actions to be taken to satisfy objectives.
v) Rationale: Basic steps required to achieve objectives.
vi) Implementation Guide: Minimum steps required to implement controls to achieve
objectives.

Some of these points may be omitted based on the clarity and nature of the subject. At
certain points a statement clarifying the possible risk is also added.


4. Controls

Risk Assessment and Treatment

1. Each and every organization should maintain and continuously develop a formal Risk
Management Process to identify, quantify/qualify, monitor and mitigate business and
technical risks affecting its objectives. Risk can be defined as the combination of the
probability of an event and its consequences.

2. This process should at least cover:

a. Determining the scope and depth of the review of information security risks.
b. Identification, classification and listing of all the risks, vulnerabilities or threats
that may affect information assets.
c. Risks shall be profiled in regard to likelihood and consequences, and subsequently
their level shall be evaluated.
d. Estimated levels of risk should be evaluated against the pre-established criteria,
accepted and residual risks determined, and priorities set based on
threat/opportunity criteria.
e. A reporting and review structure should be in place to ensure that risks are
effectively identified and assessed and that appropriate controls and responses are
in place.
f. Consultation and communication should be a continued process involving the
project, business or function owner in all stages of risk management planning; all
actions should be comprehensively documented.
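As an added illustration of the process in item 2 (not part of the code itself), the following Python sketch scores a constructed risk register using the code's definition of risk as the combination of likelihood and consequence, evaluates each entry against pre-established criteria, computes the residual risk left after treatment and sets priorities. The rating scales, level bands, acceptance criterion, register entries and owners are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Ordinal rating scales for profiling a risk (constructed 5-point scales; the
# code requires only that likelihood and consequence be rated).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Pre-established evaluation criteria (constructed): minimum score for each level.
LEVEL_BANDS = [(15, "high"), (8, "medium"), (1, "low")]
# Risk acceptance criterion (constructed): only residual risk rated "low" is accepted.
ACCEPTED_LEVELS = {"low"}


@dataclass
class Control:
    """A treatment measure and the scale steps it removes from each factor."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    """One register entry: a threat exploiting a vulnerability of an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    consequence: str
    owner: str                                   # function owner consulted at every stage
    controls: List[Control] = field(default_factory=list)


def score(likelihood: int, consequence: int) -> int:
    """Risk as the combination of the probability of an event and its consequence."""
    return likelihood * consequence


def level(value: int) -> str:
    """Map a score onto the pre-established criteria."""
    for threshold, name in LEVEL_BANDS:
        if value >= threshold:
            return name
    return "low"


def inherent(risk: Risk) -> int:
    """Score before any treatment."""
    return score(LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence])


def residual(risk: Risk) -> int:
    """Score after the listed controls; a control never drives a factor below 1."""
    lik = LIKELIHOOD[risk.likelihood] - sum(c.likelihood_reduction for c in risk.controls)
    con = CONSEQUENCE[risk.consequence] - sum(c.consequence_reduction for c in risk.controls)
    return score(max(1, lik), max(1, con))


def is_accepted(risk: Risk) -> bool:
    """Risk acceptance decision against the constructed criterion."""
    return level(residual(risk)) in ACCEPTED_LEVELS


def prioritise(register: List[Risk]) -> List[Risk]:
    """Risks still needing treatment first, highest residual score first."""
    return sorted(register, key=lambda r: (is_accepted(r), -residual(r), r.asset))


def treatment_report(register: List[Risk]) -> List[dict]:
    """Documented outcome of one assessment cycle, one row per risk."""
    return [
        {"asset": r.asset, "owner": r.owner,
         "inherent": f"{inherent(r)} ({level(inherent(r))})",
         "residual": f"{residual(r)} ({level(residual(r))})",
         "status": "accepted" if is_accepted(r) else "treat",
         "controls": [c.name for c in r.controls]}
        for r in prioritise(register)
    ]


# Constructed sample register (hypothetical assets, owners and controls).
REGISTER = [
    Risk("citizen records database", "unauthorized access by a third party",
         "no periodic review of access rights", "likely", "severe", "records dept.",
         [Control("formal user registration and access review", likelihood_reduction=2)]),
    Risk("link to remote office", "interception of data in transit",
         "unencrypted line", "possible", "major", "network team",
         [Control("encrypt the link", likelihood_reduction=2, consequence_reduction=1)]),
    Risk("server room", "fire", "no detection or suppression", "unlikely", "severe",
         "facilities",
         [Control("fire detection and suppression", consequence_reduction=2),
          Control("tested off-site backups", consequence_reduction=1)]),
    Risk("public web portal", "defacement", "outdated web software", "likely", "moderate",
         "web team"),
]

if __name__ == "__main__":
    for row in treatment_report(REGISTER):
        print(row)
```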

3. Each and every agency should develop an Information Security Policy (ISP) that
provides a definitive and clear view of management direction and support for
information security. An ISP should describe the IT
security policies, standards and responsibilities of an agency and set minimum
requirements, which will then feed into the development of risk management plans. It
should also clearly indicate management support and backing of the plan.

4. An agency that does not have an ISP will not be granted a risk assessment clearance certificate
and may be considered a security threat and excluded from connecting to and/or providing
services to other agencies.

Information Security Policy

5. An ISP should at least consider:
a. the policy objectives
b. how the policy objectives will be achieved
c. the guidelines and legal framework under which the policy will operate
d. the stakeholders
e. what resourcing will be supplied to support the implementation of the policy
f. what performance measures will be established to ensure the policy is being
implemented effectively
g. an independent review to assure the quality and completeness of the ISP and the
implementation of controls.

Organization of Information Security

6. All governmental agencies, and agencies that are connected with governmental agencies,
should form an Information Management Committee that:
a. Has one manager, the Information Security Manager (ISM), who is
responsible for all security related activities.
b. Has the ISM as a member of the top management team.
c. Reflects the real status and positioning within the agency.
d. Has in place a clear and timely escalation procedure.

7. The Information Management Committee undertakes the following:

a. Establishing, reviewing and approving information security policy and overall
responsibilities;
b. Monitoring significant changes in the exposure of information assets to major
threats;
c. Reviewing and monitoring information security incidents; and
d. Approving major initiatives to enhance information security.

8. Each agency should put in place a clear and committed responsibility scheme within the
security management committee and across the agency, including an authorization
management system with a fallback plan for information processing facilities. This scheme
should be documented, accepted and declared beyond any doubt by and to the security
committee.

9. With respect to associated parties (those who may willingly receive a temporary
authorization for usage of and/or permit to access the agency's information and/or
information system), a clear system with a fallback plan for handling authorizations with
associated parties should be in place, declared and accepted by them. This system should
clarify responsibilities and consequences and at least cover:

a. Design and implementation of an information protection plan to be used in such
cases.
b. Implementation of the system.
c. Definition of the exact authorization and backup plan.
d. Definition of the actions to be taken in case of a security breach and how it will be
handled.
e. A system to inform the associated party of this policy without disclosing the whole of the
agency's ISP.



10. Access to the organization's information processing facilities by third parties should be
controlled. Where there is a business need for such third party access, a risk assessment
should be carried out to determine security implications and control requirements.
Controls should be agreed upon and defined in the contract. In this context:

a. Define and document the risk from third party access to the information system.
b. Address all security requirements before allowing customer access to the agency's
information or assets.
c. A comprehensive, clear-term contract with well-defined security related clauses
should be in place before allowing any access to information and information
systems.

11. Outsourcing arrangements should address the risks, security controls and procedures for
information systems, networks and/or desktop environments in the contract between the
parties and document the risk from access to the information system.

Assets Management
12. With respect to agency assets, each and every agency should:

a. Identify, compile, and maintain an inventory of all important assets.
b. Ensure that all information and assets associated with information processing facilities
are owned by a designated part of the organization.
c. Identify, document, and implement rules for the acceptable use of information and assets
associated with information processing facilities.
d. Classify information in terms of its value, legal requirements,
sensitivity, and criticality to the organization.
e. Develop and implement an appropriate set of procedures for information labelling and
handling in accordance with the classification scheme adopted by the organization.

13. An organization should follow the following guidelines to establish acceptable use rules
for information and assets:

a. The organization's managers should provide specific acceptable use guidance and
advice.
b. All employees, contractors, and third parties should be aware of the organization's
acceptable use rules, guidelines, and limits.
c. All employees, contractors, and third parties should follow the acceptable use
rules.
d. Everyone should follow the rules that define how electronic mail should be used.
e. Everyone should follow the rules that define how the Internet should be used.
f. Everyone should follow the rules that define how mobile devices should be used.
g. Everyone should follow the rules that define how mobile devices should be used
outside of the organization's premises.
h. All employees, contractors, and third parties should be responsible for their use of
the organization's information processing resources, and for any such use carried
out under their responsibility.
14. Information should be classified in terms of its value, legal requirements, sensitivity, and
criticality to the organization. An appropriate set of procedures for information labeling
and handling should be developed and implemented in accordance with the classification
scheme adopted by the organization.

Human Resources Security

15. Each agency should have a documented set of procedures for employees, contractors and
third party users addressing the periods prior to employment, during employment and after
termination of employment, covering:
a. Prior to employment:
i. Job description with reference to security policy, screening procedures and
terms and conditions (including managers' responsibilities, NDAs and
confidentiality agreements).
ii. Security roles and responsibilities of employees, contractors and third
party users in accordance with the organization's information security
policy.
iii. Background verification checks on all candidates for employment,
contractors, and third party users in accordance with relevant laws,
regulations and ethics, and proportional to the business requirements, the
classification of the information to be accessed, and the perceived risks.
iv. As part of their contractual obligation, employees, contractors and third
party users should agree to and sign the terms and conditions of their
employment contract, which should state their and the organization's
responsibilities for information security.
b. During employment:
i. Managers' responsibilities, personnel awareness, education and training
requirements and disciplinary procedures.
ii. Requirement for employees, contractors and third party users to apply
security in accordance with established policies and procedures of the
organization.
iii. Providing appropriate awareness training and regular updates on
organizational policies and procedures, as relevant for the job function.
iv. Procedures for employees who have access to sensitive or critical
information or systems to have a security clearance identification (SCID)
indicating level of clearance and expiry date.
v. A formal disciplinary process for employees who have committed a
security breach.
c. Termination or change of employment:
i. Responsibilities and procedures for performing termination or change of
employment.
ii. Return of all of the organization's assets in the possession of employees
upon termination of their employment, contract or agreement.
iii. Removal (or adjustment) of the access rights of all employees, contractors and
third party users to information and information processing facilities upon
termination (or change) of their employment, contract or agreement.

Physical and Environmental Security

16. Governmental agencies and other entities dealing with them shall ensure that physical
security requirements for ICT systems are considered and documented in their
Information Security Management System (ISMS) manual. In this manual, agencies must also
specify the physical security requirements for each system in its associated ISMS and
standards/procedures for the provision of physical protections in areas housing critical
ICT facilities. Precautions may include at least:
a. security keys and containers to protect classified information;
b. access control measures;
c. security alarm systems to detect unauthorized access and alert a response;
d. physical barriers to deter, detect and delay unauthorized entry.

17. All high risk and secure areas and buildings throughout the agency that house critical ICT
facilities processing classified information should be physically protected against
unauthorized physical access, attack or accident. There should be documented
standards/procedures for the provision of physical protections in such areas.
18. Secure areas should be protected by appropriate entry controls to ensure that only
authorized personnel are allowed access.
19. Physical security for offices, rooms, and facilities should be designed and applied.

20. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest,
and other forms of natural or man-made disaster should be designed and applied.

21. Physical protection and guidelines for working in secure areas should be designed and
applied.

22. Access points such as delivery and loading areas and other points where unauthorized
persons may enter the premises should be controlled and, if possible, isolated from
information processing facilities to avoid unauthorized access.



23. Critical equipment and facilities of the organization should be protected to ensure security
of information and service continuity.

24. Equipment should be sited or protected to reduce the risks from environmental threats and
hazards, and opportunities for unauthorized access.

25. Physical access to critical computer installation facilities should be restricted to authorized
individuals to prevent services being disrupted by loss of or damage to equipment or
facilities.
26. Documented procedures to ensure the above protection measures, including equipment
movement and disposal, will enhance the potential for physical security certification.
27. Equipment should be protected from power failures and other disruptions caused by
failures in supporting utilities.

28. Power and telecommunications cabling carrying data or supporting information services
should be protected from interception or damage.

29. Equipment should be correctly maintained to ensure its continued availability and
integrity.

30. Security should be applied to off-site equipment, taking into account the different risks of
working outside the organization's premises.

31. All items of equipment containing storage media should be checked to ensure that any
sensitive data and licensed software has been removed or securely overwritten prior to
disposal.

32. Equipment, information or software should not be taken off-site without prior authorization.

Communication and Operation Management

33. The organization is required to document, maintain and make available to all users the
operating procedures that are identified as necessary in the security policy. The following areas
should be considered:
a. Operating procedures documentation.
b. Change management.
c. Segregation of duties and areas of responsibility.
d. Separation of development, test and operational facilities.



34. Changes to operational systems should only be made when there is a valid business reason
to do so, such as an increase in the risk to the system, and should be strictly controlled.
35. When an outsourcing contract is concluded, the transfer of information should be planned in
detail and adequately resourced to preserve security. In this context:
a. The organization should ensure that all the security controls, service definitions
and delivery levels identified in the third-party service contract are carried out.
b. The services, reports and records provided by the third party shall be regularly
monitored and reviewed, and audits shall be carried out regularly.
c. Changes to the provision of services, including maintaining and improving
existing information security policies, procedures and controls, should be
managed, taking account of the criticality of the business systems and processes
involved and re-assessment of risks.
36. In order to safeguard information systems and applications from system failure and the
consequent security threats, accurate capacity planning and system and software
acceptance should be carried out. To achieve this:
a. The use of resources shall be monitored and tuned, and projections made of future
capacity requirements to ensure the required system performance.
b. Particular attention needs to be paid to any resources with long procurement lead
times or high costs.
c. Acceptance criteria for new information systems, upgrades, and new versions
shall be established and suitable tests of the system(s) carried out during
development and prior to acceptance.
37. Each and every agency should implement detection and prevention controls against
malicious software and mobile code and ensure that appropriate user awareness
procedures have been implemented.
38. Where the use of mobile code is authorized, the configuration shall ensure that the
authorized mobile code operates according to a clearly defined security policy, and
unauthorized mobile code shall be prevented from executing.

39. Back-up copies of information and software shall be taken and tested regularly in
accordance with the agreed backup policy.

40. Networks shall be adequately managed and controlled, in order to be protected from
threats, and to maintain security for the systems and applications using the network,
including information in transit.

41. Security features, service levels, and management requirements of all network services
shall be identified and included in any network.

42. There shall be procedures in place for the management of removable media.



43. Media shall be disposed of securely and safely when no longer required, using formal
documented and approved procedures.

44. Procedures for the handling and storage of information shall be established to protect this
information from unauthorized disclosure or misuse.

45. System documentation shall be protected against unauthorized access.

46. Formal exchange policies, procedures, and controls shall be in place to protect the
exchange of information through the use of all types of communication facilities, including
information and software exchanged within an organization and with any external entity.
These should also address loss, modification or misuse of information exchanged either
within or between organizations.

47. Information involved in electronic messaging shall be appropriately protected.

48. Policies and procedures shall be developed and implemented to protect information
associated with the interconnection of business information systems.

49. Information involved in electronic commerce passing over public networks shall be
protected from fraudulent activity, contract dispute, and unauthorized disclosure and
modification.
50. Information involved in on-line transactions shall be protected to prevent incomplete
transmission, misrouting, unauthorized message alteration, unauthorized disclosure,
unauthorized message duplication or replay.
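As an added example (not part of the code), the following Python sketch shows a receiver-side check for an on-line transaction frame in which each rejection reason corresponds to one failure mode named in item 50: an HMAC over the addressing, sequence and body fields detects alteration and truncation, the recipient field detects misrouting, and a record of accepted (sender, sequence) pairs detects duplication or replay. The frame format, the shared key and the agency names are constructed assumptions; protection against unauthorized disclosure (encryption of the body) is outside what this sketch shows.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the demo only; an agency pair would agree a real
# key through its own key management procedures.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 64  # length of a hex-encoded HMAC-SHA256 tag


def build_frame(sender: str, recipient: str, seq: int, body: str,
                key: bytes = SHARED_KEY) -> bytes:
    """Frame one transaction: addressing and sequence fields bound to the body by an HMAC tag."""
    payload = json.dumps(
        {"from": sender, "to": recipient, "seq": seq, "body": body}, sort_keys=True
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


class Receiver:
    """Receiving side; each rejection reason names one failure mode from item 50."""

    def __init__(self, name: str, key: bytes = SHARED_KEY):
        self.name = name
        self.key = key
        self.seen = set()  # (sender, seq) pairs already accepted

    def accept(self, frame: bytes):
        """Return (accepted, reason) for one received frame."""
        payload, sep, tag = frame.rpartition(b"|")
        if not sep or len(tag) != TAG_LEN:
            # Tag missing or cut short: the frame did not arrive whole.
            return False, "incomplete transmission"
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            # Any change to header or body after framing breaks the tag.
            return False, "unauthorized message alteration"
        msg = json.loads(payload)
        if msg["to"] != self.name:
            # Authentic frame, but addressed to a different party.
            return False, "misrouting"
        ident = (msg["from"], msg["seq"])
        if ident in self.seen:
            # Same authentic frame presented a second time.
            return False, "unauthorized message duplication or replay"
        self.seen.add(ident)
        return True, "accepted"


if __name__ == "__main__":
    # Constructed exchange between two hypothetical agencies.
    rx = Receiver("agency-b")
    frame = build_frame("agency-a", "agency-b", 1, "transfer 100")
    print(rx.accept(frame))                                   # accepted
    print(rx.accept(frame))                                   # replay
    print(rx.accept(frame.replace(b"transfer 100", b"transfer 900")))  # alteration
    print(Receiver("agency-c").accept(frame))                 # misrouting
    print(rx.accept(frame[:-10]))                             # incomplete
```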

51. The integrity of information being made available on a publicly available system shall be
protected to prevent unauthorized modification.

52. To detect unauthorized information processing activities, a monitoring system should be
installed covering:
a. Audit logs recording user activities, exceptions, and information security events
shall be produced and kept for an agreed period to assist in future investigations
and access control monitoring.
b. Procedures for monitoring use of information processing facilities shall be
established and the results of the monitoring activities reviewed regularly.
c. Logging facilities and log information shall be protected against tampering and
unauthorized access.
d. System administrator and system operator activities shall be logged.
e. Faults shall be logged, analyzed, and appropriate action taken.
f. The clocks of all relevant information processing systems within an organization
or security domain shall be synchronized with an agreed accurate time source.

Access Control



53. Agencies must specify in the Information Security Policy any access requirements,
security clearances and briefings necessary for system access. In this context, an access
control policy should be established, documented, and reviewed based on business and
security requirements for access that takes account of:
a. Policies for information dissemination and authorization.
b. Restrictions on access to information and application system functions by users
and support personnel in accordance with the defined access control policy.
c. A dedicated (isolated) computing environment for sensitive systems.
d. Appropriate security measures that facilitate remote working and mobile
computing with protection against the associated risks.

54. There should be a formal procedure in place to control the allocation of access rights to
information systems and services including:
a. A formal user registration and de-registration procedure for granting and revoking
access to all information systems and services.
b. Prevention of unauthorized access.
c. Restrictions and controls on the allocation and use of privileges.
d. A secure log-on procedure for access to operating systems.
e. A formal management process for allocation of passwords.
f. Interactive systems for managing passwords that ensure their quality.
g. Restrictions on connection time.
h. Restriction and tight control of any utility program that is capable of overriding
system and application controls.
i. A system to shut down inactive sessions after a defined period of inactivity.
j. A formal process for management to review users' access rights at regular
intervals.

55. There should be formal instructions to users addressing their responsibilities for passwords,
terminals and desk security, including:
a. The user's obligation to follow good security practices in the selection and use of
passwords.
b. The user's responsibility to ensure that unattended equipment has appropriate protection.
c. A clear desk policy for papers and removable storage media and a clear screen
policy for information processing facilities.

56. There should be documented and agreed rules and procedures specifying the
requirements for access to networks. These rules should ensure that:
a. Users are only provided with access to the services that they have been
specifically authorized to use.
b. Appropriate authentication methods are used to control access by remote users.
c. Automatic equipment identification is considered as a means to
authenticate connections from specific locations and equipment.
d. Physical and logical access to diagnostic and configuration ports is controlled.

e. Groups of information services, users, and information systems are segregated on
networks.
f. For shared networks, especially those extending across the organization's
boundaries, the capability of users to connect to the network is restricted and in
line with the access control policy and requirements of the business applications.
g. Routing controls are implemented for networks to ensure that computer
connections and information flows do not breach the access control policy of the
business applications.

Information Systems Acquisition, Development and Maintenance


57. Statements of business requirements for new information systems, or enhancements to
existing information systems, should specify the requirements for security controls and
audit trails designed into applications, including user-developed ones, to prevent errors,
loss, unauthorized modification or misuse of information in applications. This includes:
a. Validation checks against information corruption through processing errors and
deliberate acts.
b. Controls that ensure the authenticity and integrity of messages.
c. Validation of output data to ensure the correctness of stored information.
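Item 50 above (protection of on-line transactions against unauthorized alteration, duplication and replay) and item 57b (controls that ensure the authenticity and integrity of messages) describe the same mechanism from two sides: the sender attaches a unique message identifier, a timestamp and a message authentication code, and the receiver checks all three before acting. The following is an added example written for this edition, not code from the Egyptian Code or any agency; the shared key, the 300-second freshness window, the message fields and the sample transactions are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared key; in a real deployment each peer pair receives its own
# key (or a signature key pair) provisioned out of band.
SHARED_KEY = b"constructed-transaction-mac-key"
MAX_SKEW_SECONDS = 300  # tolerated clock difference between sender and receiver


def _canonical(obj: dict) -> bytes:
    # Deterministic serialization so both sides MAC identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, payload: dict, now=None, msg_id=None) -> dict:
    """Sender side: attach a unique id, a timestamp and an HMAC over all of them."""
    body = {
        "id": msg_id or secrets.token_hex(16),
        "ts": int(time.time() if now is None else now),
        "payload": payload,
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Receiver side: verify integrity, then freshness, then uniqueness."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # message id -> timestamp, for replay detection

    def accept(self, msg: dict, now=None) -> str:
        now = int(time.time() if now is None else now)
        # 1. Authenticity and integrity: recompute the MAC over everything but the MAC.
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "reject: bad_mac"
        # 2. Freshness: outside the window means a delayed copy or a badly skewed clock.
        if abs(now - msg["ts"]) > self.max_skew:
            return "reject: stale"
        # 3. Uniqueness: forget ids older than the window (such messages would be
        #    rejected as stale anyway), then refuse any id already processed.
        self.seen = {i: t for i, t in self.seen.items() if now - t <= self.max_skew}
        if msg["id"] in self.seen:
            return "reject: replay"
        self.seen[msg["id"]] = msg["ts"]
        return "accept"


def demo() -> list:
    """Constructed exchange: one genuine transfer, then the abuses item 50 names."""
    t0 = 1_700_000_000
    rx = Receiver(SHARED_KEY)
    genuine = build_message(SHARED_KEY, {"from": "ACC-1", "to": "ACC-2", "amount": 100},
                            now=t0, msg_id="tx-0001")
    results = [rx.accept(genuine, now=t0 + 1)]
    # Duplication / replay: the same captured message is sent again.
    results.append(rx.accept(dict(genuine), now=t0 + 2))
    # Alteration: the amount is changed, but the attacker cannot recompute the MAC.
    altered = json.loads(json.dumps(genuine))
    altered["payload"]["amount"] = 100_000
    results.append(rx.accept(altered, now=t0 + 3))
    # A delayed or misrouted copy arriving after the freshness window.
    late = build_message(SHARED_KEY, {"from": "ACC-1", "to": "ACC-3", "amount": 5},
                         now=t0, msg_id="tx-0002")
    results.append(rx.accept(late, now=t0 + MAX_SKEW_SECONDS + 1))
    return results


if __name__ == "__main__":
    print(demo())  # ['accept', 'reject: replay', 'reject: bad_mac', 'reject: stale']
```

Two points a practitioner should carry over from this sketch. First, the seen-id cache must survive restarts and be shared by every receiver replica (a unique constraint on the message id in the transaction database is the usual way), otherwise a replay after a restart or against a second node is accepted. Second, a MAC gives authenticity and integrity only; the unauthorized disclosure and misrouting that item 50 also lists require an encrypted, authenticated transport such as TLS, and the freshness check depends on the clock synchronization that item 52f requires.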
58. The ISP should clearly indicate management policy and principles for using encryption, including:
a. Applicable legislation;
b. Responsibilities;
c. Key management and distribution;
d. Digital signatures and similar methods of data protection.
59. ISP should have and implement security controls for system files including:
a. Software in operational systems;
b. Test data;
c. Source codes;
d. All systems connected, used or accessed through networks including restrictions
on access to system except through specific ports.
60. Strict control procedures should be defined and implemented over system changes at all
stages (before, during, and after the change). Changes and modifications should be kept to
the least possible frequency and discouraged unless absolutely necessary.
61. Strict measures should be in place to prevent information leakage. Special attention should
be given to outsourced software.
62. Timely information about technical vulnerabilities of information systems being used
shall be obtained, the organization's exposure to such vulnerabilities evaluated, and
appropriate measures taken to address the associated risk.

Information Security Incident Management


63. Agencies should have a security event management system that allows incidents to be
recorded, reviewed, reported, and resolved properly and in the shortest time. This system
should be capable of:
a. Monitoring for incidents.
b. Planning/ preparation for incident management.

c. Identification of incidents.
d. Incident containment.
e. Communication with involved entities.
f. Incident eradication.
g. System recovery.
h. Corrective and preventive actions.

Business Continuity Management


64. Agencies should have a business continuity management process that is updated regularly
to reduce the disruption caused by disasters and security failures (which may be the result
of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to
an acceptable level through a combination of preventative and recovery controls.

Compliance
65. It is the agency's responsibility to explicitly define, document and keep up to date all
relevant statutory, regulatory, and contractual requirements, and the organization's approach
to meeting these requirements, for each information system and for the agency as a whole. The agency should:
a. Design, implement, publish and raise awareness of procedures to ensure
compliance with legislative, regulatory, and contractual requirements of
Intellectual property rights (IPR).
b. Clearly identify the elements, systems and products subject to IPR.
c. Protect records from loss, deterioration, destruction and falsification.
d. Implement appropriate technical and organizational measures to protect personal
information.
e. Inform all who have access to its information systems that unauthorized use of
the information processing facilities is not allowed and will have consequences for
the user.
f. Take all required steps to prevent and control misuse including monitoring both
the users and used systems.
g. Obtain expert legal advice before deploying encryption systems, especially where
cryptography is used over public data networks.
h. Verify that all cryptographic systems in use satisfy all import, export and
IPR regulations.
i. Regularly review the security of information systems against the security policy,
which in turn should be reviewed against security standards.
j. Carefully plan and agree with the auditor on audit requirements and activities
involving checks on operational systems, to minimize the risk of disruption to
system operation or violation of system security.
k. Control access to audit tools to prevent any misuse or compromise.
