Information Security Policy

Security and Privacy Domains

What are the Security and Privacy domains?

The Security and Privacy (S&P) domains are listed below.

1. Organization & Management of Security Risks

This domain covers the S&P Governance Model that defines the S&P roles and responsibilities at NOS, as well as methodologies for managing and assessing security risks related to third-party management, in accordance with business requirements, applicable laws and regulations. It also contains the specific components for management of S&P Processes and S&P Certifications.

Some of the ISP documents that fall within this domain are:

  • General Policy for Information Security
  • S&P Governance Model and S&P Processes (S&P Coordination)
  • ISMS Manual – Information Security Management System (ISO 27001 Certification Management)

2. Security of Human Resources

This domain covers security management aspects that specifically concern human resources, namely control objectives on changes in employee roles and on security training and awareness.

Some of the ISP documents that fall within this domain are:

  • Manual of Security Rules for Users
  • Quick Guide to Security and Privacy Rules
  • Security Training Procedures

3. Security & Operation of Systems & Facilities

This domain covers the logical and physical security objectives to be applied to systems and facilities throughout their development, management and operation life cycle. It also focuses on specific roles pertaining to the management of logical and physical access to these resources.

This domain is especially relevant to technological areas, which must implement and monitor the security measures and the technological, physical or procedural controls that fall under their purview.

Some of the ISP documents that fall within this domain are:

  • Security standard for application environments and infrastructures
  • Security standard for the development of applications and services
  • Security standard for access management

4. Data & Communication Management

This domain encompasses security objectives pertaining to the classification and management of information assets, to the operational management and safe use of the ICT assets that support end users, and to the adequate protection of information in specific communication and transfer processes, both inside and outside the organisation.

Some of the ISP documents that fall within this domain are:

  • Standard for the classification and management of information
  • Quick guide to information classification
  • Standard for the acquisition, use and management of equipment

5. Incident Management

This domain covers security objectives related to S&P incident management processes (including detection, response, reporting and communication of incidents).

Some of the ISP documents that fall within this domain are:

  • Standard for the management of security incidents
  • Procedure for handling security and privacy incidents related with users
  • Guidelines for safeguarding evidence in security incidents
  • Incident reporting form

6. Business Continuity Management

This domain covers security objectives pertaining to the continuity strategy and to continuity and crisis management plans, with the goal of mitigating failures with significant impact on the organisation, whether caused by technical-operational risks (e.g. faults in networks and services) or catastrophic risks (e.g. natural disasters).

Some of the ISP documents that fall within this domain are:

  • Business Continuity Management Policy and Methodology
  • NOS Mission Critical Activities
  • NOS Crisis Management Plan

7. Monitoring & Auditing

This domain covers security objectives related to the processes of logging, monitoring and security auditing of the Company’s networks, information systems and facilities.

Some of the ISP documents that fall within this domain are:

  • Standard for log management
  • Internal Audit Process (ISO 27001 Audits)

8. Privacy of Personal Data

This domain covers security objectives pertaining to the protection of personal data, in particular the data of Customers, Employees and other data subjects. It also defines the technical security measures and the specific organisational privacy measures that must be applied to the processes and systems that handle personal data.

Some of the ISP documents that fall within this domain are:

  • Employee Privacy Policy
  • Customer Privacy Policy
  • Rules for Customer Marketing Communications