Information Security. Manual Guideline. Version 3


Information Security Manual Guideline, Version 3. Group Risk

TABLE OF CONTENTS
Document Control and Revisions Logs
Purpose
Scope
Policy Statement
Terms and definitions
Security Policy
Organization of information security
  Internal organization
  External parties
Asset management
  Responsibility for assets
Human resources security
  Prior to employment
  During employment
  Termination or change of employment
Physical and environmental security
  Secure areas
  Equipment security
Communications and operations management
  Operational procedures and responsibilities
  Third party service delivery management
  System planning and acceptance
  Protection against malicious and mobile code
  Back-up
  Network security management
  Media handling
  Exchange of information
  Electronic commerce services
  10.10 Monitoring
Access Control
  Business requirement for access control
  User access management
  User responsibilities
  Network access control
  Operating system access control
  Application and information access control
  Mobile Computing and Teleworking
Information systems acquisition, development and maintenance
  Security requirements of information systems
  Correct processing in applications
  Cryptographic controls
  Security of system files
  Security in development and support processes
  Technical Vulnerability Management
Information security incident management
  Reporting information security events and weaknesses
  Management of information security incidents and improvements
Business continuity management
  Information security aspects of business continuity management
Compliance
  Compliance with legal requirements
  Compliance with security policies, standards and technical compliance
  Information systems audit considerations
Document control

Document Control and Revisions Logs

Document Properties
Document Title: Zain Information Security Manual Guidelines
Author: Zain Group Risk Information Security
Creation Date: 02-February-2009
Last Updated: 15 May
Last Version: 3.0

Change Record (Date / Version / Author / Designation / Change Reference)
01/10/ - Ali Fayad, Zain Group IS Specialist - Finalize the document design
13/05/ - Ali Fayad, Zain Group IS Specialist - Added Specific Policy

Reviewers (Name / Designation / Version / Date)
Abdul-Ghaffar Setareh, Zain Group Risk Director - /05/2012
Ali Fayad, Zain Group IS Specialist - /05/2012

Approvals (Name / Designation / Version / Date)
Abdul-Ghaffar Setareh, Zain Group Risk Director - May-2012

Endorsements (Name / Designation / Version / Date)

Distribution (Name / Department / Version / Date)

1 Purpose
Zain management has approved and published this policy to set a clear corporate direction and to demonstrate support for, and commitment to, information security throughout Zain Operation. Risk Management within Zain has been established to ensure that the goals and principles of information security are properly followed. This includes responsibility for establishing, implementing, and monitoring the policies within this document.

2 Scope
This policy applies to all employees, subsidiary staff, contractors, consultants, temporaries and those people affiliated with third parties who access Zain information or computer networks, such as system vendors and staff from outsourcing companies. This policy also applies to all information, computer, and data communication systems owned, licensed and/or administered by Zain, and covers other manifestations of Zain information such as voice and data.

3 Policy Statement
Zain is committed to maintaining and improving information security within accepted best practice and to minimizing its exposure to risk in order to protect Zain assets across all Zain operations. Zain will:
- Consistently meet and exceed customers' expectations.
- Empower Zain employees through training and development.
- Comply with the applicable Information Security International Standards.
- Apply effective risk management to identify and treat current and expected risks attached to our business.
- Protect Zain stakeholders, information and assets from threats that could potentially disrupt business.
- Apply efficient business continuity and disaster recovery management.
- Ensure compliance with all applicable regulatory and other legal requirements to protect the Company's financial health and to preserve Zain's brand image and reputation.

Zain management and employees are responsible for implementing and maintaining this policy throughout Zain. This Information Security Policy falls under the responsibility of Zain's Risk Management Steering Committee, chaired by the Group Chief Financial Officer, with the Group Risk Department supervising its design, implementation and enforcement. Zain is committed to providing all the means and resources necessary to reach the level of performance that will ensure that Zain can face any information-security-impacting event.

4 Terms and definitions

Computer Facility Rooms: Facility rooms are used to house mission-critical computer systems and associated components. They generally include environmental controls (air conditioning, fire suppression, etc.), redundant/backup power supplies, and high security.

Confidential Information: Any Zain information that is not publicly known, including tangible and intangible information in all forms, such as information that is observed or orally delivered, or is in electronic form, or is written or in other tangible form. Confidential Information may include, but is not limited to, source code, product designs and plans, beta and benchmarking results, patent applications, production methods, product roadmaps, customer lists and information, prospect lists and information, promotional plans, competitive information, names, salaries, skills, positions, pre-public financial results, product costs and pricing, and employee information and lists including organizational charts. Confidential Information also includes any confidential information received by Zain from a third party under a non-disclosure agreement.

Corporate Governance structure: Zain is committed to managing information security as part of the Corporate Governance process. Information Security Governance (ISG) is a subset of Corporate Governance dealing with the policies and internal controls related to information resources and their security.

Policy Statement: A high-level statement of enterprise goals and objectives, accompanied by references to all relevant policies that provide the detailed direction for compliance.

Information Security Policies: Mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction that they require to be meaningful and effective.

Procedures: The step-by-step process required for the implementation of the requirements set by policies.

Data Files: Any electronic file(s) that contain Zain information, including information you type, edit, view, or save. A data file may be a business report, a picture, or a letter, and is stored as a file on a disk.

Information Availability: Ensuring that authorized users have access to information and associated assets whenever it is required.

Information Custodian: An Information Custodian is the person responsible for overseeing and implementing the necessary safeguards to protect the information assets, at the level classified by the Information Owner.

Information Integrity: Safeguarding the accuracy and completeness of information and processing methods.

Information Security: Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or electronic means, shown on films, or spoken in conversation and meetings. Whatever form Zain information takes, and whatever means it is shared or stored by, it must always be appropriately protected.

Mobile Code: Mobile code is software obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Some examples are browser hijackers, spyware, adware, etc.

Zain Work Areas: Zain Work Areas are those where access is restricted to authorized personnel only. For example, at any Zain Branch, the area behind the customer service counter is considered a work area, since only authorized branch personnel can gain access to it.

Non Disclosure Agreement (NDA): A contract through which the parties agree not to disclose information covered by the agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information.

Portable Device: Portable devices include laptop computers, PDAs, smart phones, etc.

Production System: A computer system is called a production system when it is in live, day-to-day operation and processes information.

Proprietary: A party, or proprietor, exercises private ownership, control or use over an item of property (e.g. a creative literary work, or software), usually to the exclusion of other parties.

Security Administrator: A Security Administrator supervises and/or participates in the installation, configuration, modification, maintenance, and monitoring of network security hardware and software, including but not limited to firewalls, Virtual Private Networks (VPN), content filtering technologies, and intrusion detection devices.

Security Procedures: The security procedures are the set of actions that must be followed in order to comply with the information security policy.

Staff / Employee: Any individual who has been hired directly by Zain.

System Administrator: A system administrator is a person who is responsible for managing a multi-user computing environment, such as a local area network (LAN). The responsibilities of the system administrator typically include: installing and configuring system hardware and software; establishing and managing user accounts; upgrading software; and backup and recovery tasks.

System Owner: The system owner is the person with the responsibility and authority to designate, allow or use special access account privileges.

Telecommuting: Telecommuting, also known as Teleworking, is the act of working from a remote location, usually one's home. This is made simple with the use of various telecommunications technologies such as a telephone, fax machine and the internet.

Third Party: Any non-employee of Zain who is contractually bound to provide some form of service to Zain.

User: Any Zain employee or third party who has been authorized to access any Zain information resource.

Workers: Workers are any consultants, contractors, temporaries, etc., working at Zain besides employees.

Risk Management Steering Committee (RM-SC): The Risk Management Steering Committee (RM-SC) provides management direction and a sounding board for Zain Risk Management efforts, to ensure that the risks are realistic given Zain's business objectives, and that the efforts are appropriately prioritized, efficiently supported by the organization, and adequately funded.

Risk Management: The Risk Management Department is charged with identifying, assessing, and appropriately managing risks to Zain Operations and its information systems.

Policy Audience
The general readership of this document is all employees in Zain. Labels on the right of each policy title identify primary responsibility, as follows:
- Everyone
- RM-SC: Risk Management Steering Committee
- Department Managers
- IT & Networks
- RM: Risk Management
- LG: Legal
- HR: Human Resources
- BE: Business Excellence
- IA: Internal Audit
- PS: Physical Security

5 Security Policy

Policy Approval [RM-SC]: An information security policy must be approved by executive management.

Policy Publishing [RM]: The information security policy must be formally published.

Policy Endorsement: The information security policy must be formally and publicly endorsed by executive management.

Information and Policy: All access to, use of, and processing of Zain information must be consistent with Zain information systems related policies and standards.

Policy Communication Audience [RM]: The information security policy must be communicated to all employees, contractors, and temporary employees.

Legal Framework Conflicts [LG]: The Information Security Department Manager must be promptly informed of any Zain information security policy that is believed to be in conflict with existing laws or regulations.

Standards and Procedures Policy Linkage [RM BE]: When a standard or procedure is intended to become an extension of the policy document, the document must include these words: "This standard or procedure has been created by the authority described in Zain Information Security Policy, and must be complied with as though it was part of the Policy document."

Acceptable Use: The information technology services of Zain must only be used for conducting Zain business or other purposes expressly authorized by Zain management.

Policy Non-Enforcement: Management's non-enforcement of any policy requirement does not constitute its consent.

Information is a Zain Asset: Information is an important Zain asset which must be properly handled and controlled.

Protection of Information: Information must be protected in a manner commensurate with its sensitivity, value, and criticality.

Policy Review [RM]: The Information Security Policy must be reviewed annually. The reviews must take into account the security incidents that have occurred since the last review, and the impact of changes in technology.

Standards and Procedures: The Risk Management Department, in coordination with the concerned business unit, must be authorized to create, and periodically modify, both technical standards and standard operating procedures that support this information security policy document.

Enforceable Security Measures [RM]: All information systems security controls must be enforceable prior to being adopted as a part of standard operating procedure.

6 Organization of information security

6.1 Internal organization

Implementation of Security: Management must establish and maintain sufficient preventive and detective security measures to ensure that Zain information is free from significant risk of undetected alteration.

Top Management Security Communications to Staff [RM-SC]: The senior management of Zain will lead by example by ensuring that Information Security is given a high priority in all current and future activities and initiatives.

Information Security Management Committee [RM-SC]: An information security management committee must be composed of senior managers from each of Zain's major groups.

Information Security Management Committee - Policy Review [RM-SC]: The information security management committee must review and approve all evaluations against Zain information security policy.

Information Security Management Committee - Incident Review [RM-SC]: The information security management committee must actively monitor the information security incidents that occur at Zain and its subsidiaries.

Information Security Management Committee - Initiative Approval [RM-SC]: The information security management committee must review and approve all initiatives designed to enhance information security at Zain.

Information Security Management Committee - Resources [RM-SC]: The information security management committee must be allotted sufficient resources for continual and effective oversight of information security activities within Zain.

Information Security Management Committee Review - Security Policies [RM-SC]: The information security management committee must review and approve new or modified information security policies.

Information Security Controls Implementation [RM-SC]: The information security management committee must bring together the implementation of all information security controls for new systems or services across Zain business departments.

Information Security Visibility [RM-SC]: The information security management committee must ensure that business support for information security is visible throughout the organization.

Information Security Department Responsibility [RM]: The Risk Management Department is responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures.

Centralized Responsibility for Information Security: Guidance, direction, and authority for information security activities must be centralized for the entire organization in the Risk Management Department.

Information Security Department Direction [RM]: The Risk Management Department must provide the direction and technical expertise to ensure that Zain's information is properly protected.

Information Security Liaison: Every department manager must designate an information security liaison, and give this liaison sufficient training, supporting materials, and other resources to properly perform his or her job.

Information Security Planning Process [RM]: The Risk Management Department must annually prepare plans for the improvement of information security on all major Zain information systems.

Management Approach to Security: Management must ensure that information security within their departments is treated as a regular business problem to be faced and solved, like any other normal and continuing business activity.

Security Administration - Systems Administrators [RM]: In accordance with the segregation of duties principle, Systems Administrators must not be responsible for information systems security administration for any Zain production systems.

Information Ownership: The Information Technology Department and Networks Department must not be the owner of any information except operational computer and network information and equipment.

Asset Manager Assignment [RM-SC]: The responsibility and accountability for each Zain asset must be formally assigned to the owner.

New Hardware: All purchases of new Zain systems hardware or new components for existing systems must be made in accordance with the Information Security Policy and other Zain Policies, as well as technical standards. Such requests for purchase must be based upon a user requirements specification and consider longer-term business needs.

Functional Needs: Except for minor purchases, hardware must be purchased through a structured evaluation process that must include the development of a detailed Request for Proposal (RFP) document. Information Security features and requirements must be identified in the RFP.

Installation: All new hardware installations are to be planned formally and notified to all interested parties prior to the proposed installation date. Information Security requirements for new installations must be circulated for comment to all interested parties, well in advance of installation.

Software User Requirements: All requests for new applications, systems, or software enhancements must be presented to senior management with a Business Case that includes business requirements presented in a User Requirements Specification document.

Selecting Software Packages: Zain should generally avoid the selection of business-critical software which, in the opinion of management, has not been adequately proven by the early adopters of the system. The selection process for all new business software must additionally incorporate the criteria upon which the selection will be made. Such criteria must receive the approval of Zain senior management and include security criteria.

Selecting Office Software: All office software packages must be compatible with Zain's preferred and approved computer operating system(s) and platform(s).

New System Development Justification: The development of bespoke software is only to be considered if warranted by a strong Business Case and supported by management, including adequate resources, over the projected lifetime of the project.

New Technology Control: In every instance where new technology is used in a Zain production information system, the operations and security controls associated with that new technology must be particularly stringent until the new technology has been shown to be reliable, readily controllable, and truly supportive of business activities.

Speaking to the Media: Only authorized personnel may speak to the media (newspapers, television, radio, magazines, etc.) about matters relating to Zain.

Speaking to Customers: Information regarding Zain's customers or other people dealing with Zain is to be kept confidential at all times. The information should only be released by authorized and trained persons.

Non Disclosure Agreements: Non-disclosure agreements must be used in all situations where the confidentiality, sensitivity, or value of the information being disclosed is classified as private (or higher).

Independent Review [RM IA]: An independent and externally-provided review of information system controls must be obtained annually to determine both the adequacy of, and compliance with, controls.

Policy Complete Review [RM IA]: The implementation of and compliance with Zain information security policy, standards, and procedures must be audited annually by an independent party, within or external to Zain.

6.2 External parties

Third Party Access to Information: Third parties may be given access to Zain internal information only when a demonstrable need to know exists, and when such a disclosure has been expressly authorized by Zain management.

Third Party Contracts - Security Requirements [LG]: All contracts with third parties must include an explicit description of the security requirements resulting from third-party access or internal controls.

Third Party Non-Disclosure Agreements: Prior to sending any secret, confidential, or private information to a third party for copying, printing, formatting, or other handling, the third party must sign and submit the Zain non-disclosure agreement.

Third Party Access Authorization [LG]: Zain Management must ensure that a contract and/or the non-disclosure agreement (NDA) that defines the information security terms and conditions required by Zain has been signed before permitting access to any facility, computer system or information.

Software Support: All application software must be provided with the appropriate level of technical support, ensuring that any software problems are handled efficiently within an acceptable timescale so that Zain is not compromised.

Vendor Software: Vendor-developed software must meet the User Requirements Specification and offer appropriate product support.

Verifying Financial Claims and Invoices: All claims for payment must be properly verified for correctness before payment is effected.

External Service Providers for e-commerce: Where third parties are involved in e-commerce systems and delivery channels, it is essential that they are able to meet the resilience and Information Security objectives of Zain.

Compliance with Information Security Requirements: External consultants, contractors, and temporaries working in the Zain environment must be subject to the same information security requirements, and have the same information security responsibilities, as Zain employees.

7 Asset management

7.1 Responsibility for assets

Information Asset Inventory: A formal inventory of all information assets must be maintained and kept up-to-date at all times, including hardware, software, data files, asset location, user manuals, training material, operational procedures and recovery procedures.

Documenting: All new and enhanced systems must be fully supported at all times by comprehensive and up-to-date documentation. New systems or upgraded systems should not be introduced to the live environment unless supporting documentation is available.

Ownership: All information, data, or documents are to be the responsibility of a designated information owner.

Using Encryption: Where appropriate, sensitive or confidential information or data should always be transmitted in encrypted form. Prior to transmission, consideration must always be given to the procedures to be used between the sending and recipient parties and to any possible legal issues arising from the use of encryption techniques.

Sharing Information [HR]: Human Resources Management is to ensure that all employees are fully aware of their legal and corporate duties and responsibilities concerning the inappropriate sharing and releasing of information, both internally within the organization and to external parties.

Information Classification Labeling: All information must be labeled based on its criticality to Zain.

Information Classification Impacts: When classifying information, asset owners must consider the impact on Zain if the information is lost, damaged, disclosed, or stolen.

Four Category Data Classification Scheme: Data must be broken into four sensitivity classifications with separate handling requirements: SECRET, CONFIDENTIAL, PRIVATE, and UNCLASSIFIED.

SECRET Information: This classification applies to the most sensitive business information, which is intended strictly for use within Zain, and which if disclosed could seriously and adversely impact Zain, its stockholders, its business partners, and/or its customers.

CONFIDENTIAL Information: This classification applies to less sensitive business information, which is nonetheless intended for use within Zain, and which if disclosed could adversely impact Zain, its stockholders, its business partners, and/or its customers.

PRIVATE Information: This classification applies to personal information, which is intended for use within Zain, and which if disclosed could seriously and adversely impact Zain and/or its employees.

UNCLASSIFIED Information: This classification applies to all other information, which cannot be classified as SECRET, CONFIDENTIAL or PRIVATE, and which if disclosed is not expected to seriously or adversely impact Zain, its employees, its stockholders, its business partners, and/or its customers.

Information Security Policies and Procedures Classification: Unless the Risk Management Department has first approved their release in writing, all Zain information security policies and procedures are classified as confidential.

Classifying New Production Information: All workers who create, compile, alter, maintain, or procure any type of production information must assign a classification which is consistent with prior designations made by the relevant information owners.

Default Classification: All information is confidential until it is classified by its owner.

Labeling Classified Information: All information, data, and documents are to be clearly labeled so that all users are aware of the ownership and classification of the information.

Availability of ZA Assets: Ensuring that authorized users have access to information and associated assets whenever it is required.

8 Human resources security

8.1 Prior to employment

Security Roles and Responsibilities Documentation [HR]: Security roles and responsibilities must be documented and incorporated into each job description at Zain.

Data Confidentiality Protection: All employees are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after contractual relations with Zain.

Background Checks for New Staff [HR]: New employees must first pass a background check, and must undertake to abide by the Zain Information Security policy.

Staff References: Only authorized personnel may give employee references.

Staff Security Clearance [HR]: All staff must have previous employment and other references carefully checked.

Background Checks for Positions of Trust [HR]: All workers to be placed in positions of trust must first pass a background check.

Qualifications for Working on Sensitive Projects [HR]: Only trusted employees with good to excellent performance reviews may work on new product development and other major Zain projects.

Preparing Terms and Conditions [HR]: The Terms and Conditions of Employment of Zain are to include requirements for compliance with Information Security.

Employment Terms - Disciplinary Action [HR]: The terms and conditions of employment that are signed by every Zain employee must state clearly the disciplinary action to be taken if the employee violates any information security policies, standards, or procedures.

8.2 During employment

Information Security Awareness Training [HR RM]: Every worker must attend information security awareness training within one month of the date when they began employment with Zain.

Security Awareness [HR]: The Human Resources Department is to ensure that all employees are fully aware of their legal and Information Security responsibilities, which are to be included within key staff documentation (e.g., Terms and Conditions of Employment and the Zain Code of Conduct).

Information Security Policies and Procedures Awareness: Every worker must understand and comply with Zain's policies and procedures about information security.

Information Security Training [HR]: All Department Managers must be provided with sufficient training and supporting reference materials related to their jobs to allow them to properly protect Zain information resources.

Security Training on New Systems [HR]: Zain management is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise Information Security.

Protection of Badges: When off Zain premises, workers must protect their identification badges with the same level of protection as their wallets and credit cards.

Second Job Disclosure: Workers who have part-time jobs at the time when they are interviewed for a position with Zain, or after they are hired by Zain, must inform their manager prior to taking on an additional job.

Security Violations Requiring Instant Termination [LG HR]: All workers who have acted with insubordination, been convicted of a felony, or committed a major security violation must be terminated immediately.

8.3 Termination or change of employment

Procedures for Staff Leaving Employment [HR]: Termination procedures must be followed with extreme conscientiousness, particularly in regard to the termination of access privileges.

Staff Resignations [HR]: Upon notification of staff resignations, Human Resources management must consider, with the Information Security Manager, whether the member of staff's continued system access rights constitute an unacceptable risk to the organization and, if so, revoke all access rights.

Information Handling at Contract Termination [LG]: If Zain terminates its contract with any third-party organization that is handling Zain private information, this third-party organization must immediately thereafter destroy or return all Zain private data in its possession.

Return of ZA Property: At the time that every employee, consultant, and contractor terminates his or her relationship with Zain, all Zain property must be returned.

Return of Information: Upon the termination or expiration of their contract, all contractors, consultants, and temporaries must hand over to their project manager all copies of Zain information received or created during the performance of the contract.

Escorting Workers Who Are Involuntarily Terminated [PS HR]: In every case where workers are involuntarily terminated by Zain, the termination must take place in the presence of security personnel, who will escort them to the door after collecting their personal belongings.

Non-compete Agreements: At the time they join Zain, all employees must sign an agreement not to compete for six (6) months after their separation from Zain.

9 Physical and environmental security

9.1 Secure areas

- Security Perimeter - Authorized Personnel (PS): Access to all Zain work areas must be limited to those employees and partners whose jobs require entrance to those areas.
- Security Perimeter - Access Control (PS): Every access point to Zain work areas must be controlled by a manned reception area or another equally effective control method.
- Physical Intrusion Alarms (PS): All Zain work areas must be equipped with physical intrusion alarm systems that automatically alert those who can take immediate action.
- Fire Alarms (PS): All Zain work areas must be equipped with fire alarm systems that automatically alert those who can take immediate action.
- Computer Room Doors Secure (PS): All computer facility rooms must be equipped with riot doors that are resistant to fire and forcible entry.
- Computer Room Doors Alarmed (PS): All computer facility rooms must be equipped with doors that set off an audible alarm when they have been kept open beyond a certain period of time.
- Physical Access (PS): Physical access to Zain's highly secured areas is to be controlled with strong identification and authentication techniques. Staff authorized to enter such areas are to be given information security awareness on the potential security risks involved.
- Physical Access Tailgating: Workers must not permit unknown or unauthorized persons to pass through doors, gates, and other entrances to restricted areas at the same time as authorized persons go through these entrances.
- Challenging Strangers: All employees are to be aware of the need to challenge strangers in Zain's work areas.

- Wearing Access Badges: Whenever in Zain buildings or facilities, all persons must wear their Zain identification badge on their outer garments so that both the picture and the information on the badge are clearly visible.
- Individuals without Identification Badges: Individuals without a proper Zain identification badge in a clearly visible place must be immediately questioned about their badge.
- Physical Access Audit Trail (PS): All access to every Zain secure area must be recorded in a secure log.
- Access Outside Normal Business Hours (PS): All visitors to Zain premises outside normal business hours must be escorted by an employee with prior authorization from a department manager.
- Visitor Identification Process (PS): All visitors must provide official photo identification prior to gaining access to restricted Zain work areas.
- Physical Access Reporting: Department heads must promptly report to the Physical Security Department all enabled badges for their contractors which are no longer authorized.
- Physical Security System Testing (PS): The operation of all physical access control systems must be tested semi-annually.
- Lockable Cupboards: Sensitive or valuable Zain documents or equipment must be stored securely and according to the classification status of the information being stored. The cupboards must be fire resistant.
- Secure Areas Confidentiality: Employees and partners who are authorized to access secure areas must not discuss the operations that occur within any secure area with any non-authorized person.
- Secure Areas - Third Party Monitoring (PS): Third-party support services personnel must be accompanied and monitored by a Zain employee when accessing any Zain secure area.

- Sensitive Information - Third Party Monitoring: All access to Zain sensitive information by third-party support services personnel must be logged.
- Cameras, Audio or Video Recording Equipment: Within Zain secure areas, personally owned cameras and audio or video recording equipment are prohibited.
- Delivery Areas Access (PS): Access to every Zain loading and delivery area must be limited to those employees, partners, and delivery personnel who have a legitimate business need to be there.
- Delivery Areas - Security Requirements (PS): The installation of all security mechanisms and processes to control access to any Zain loading or delivery area must be commensurate with the current level of risk in the area.
- Cabling Shafts Security (PS): Access to all cabling shafts at Zain premises must be secured using lockable doors, and access to them must be restricted to authorized personnel only. Storage of any type of equipment or material in the cabling shafts is prohibited.
- Base Stations Security (PS): Access to all Zain base stations must be controlled with strong identification and authentication techniques and should be restricted to authorized personnel only. All Zain base stations must be equipped with fire and intrusion alarms connected to the Zain central alarm system.

9.2 Equipment security

- Fire Risks: All data and information must be protected against the risk of fire damage at all times. The level of such protection must always reflect the risk of fire and the value and classification of the information being safeguarded.
- Preparing Premises to Site Elements: The sites chosen to locate network elements and computers and to store data must be suitably protected from physical intrusion, theft, fire, flood, and other hazards.
- Electronic Eavesdropping: Electronic eavesdropping should be guarded against by using suitable detection mechanisms, which are to be deployed if and when justified by Zain's periodic risk assessments.
- Data Centers: Local management must provide and adequately maintain humidity control systems, air conditioning systems, fire detection/suppression, smoke detection devices, water damage alarms, power conditioning systems, and equipment to monitor all environmental conditions that could adversely affect the equipment.
- Smoking, Eating and Drinking in the Equipment Room: Workers and visitors must not smoke, eat, or drink in the raised floor area of any Zain equipment room.
- Continuous Power: An Uninterruptible Power Supply must be installed in all Zain equipment rooms to ensure the continuity of services during power outages.
- Backup Power (PS): Secondary and backup power generators are to be employed where necessary to ensure the continuity of services that support critical Zain business during power outages.
- Equipment Power - Power Supply Testing & Certification: All backup and secondary power units that protect critical Zain business functions and processes must be thoroughly tested and certified on a quarterly basis to confirm that the units have sufficient capacity to ensure that the supported equipment is adequately protected.
- Cabling Installation (PS): Power and telecommunications cabling should be installed and maintained by qualified technical personnel to ensure the integrity of both the cabling and the wall-mounted sockets. Any unused network wall sockets should be sealed off and their status formally noted. A network diagram shall always be kept updated and made available to the Risk Management Department.

- Insurance: All critical equipment that supports critical Zain business must be insured against theft, damage, or loss.
- Support: All equipment (on-site or off-site) owned, leased, or licensed by Zain must be supported from appropriate maintenance facilities by qualified engineers.
- Equipment Damage: Deliberate or accidental damage to Zain equipment must be reported to the Risk Management Department as soon as it is noticed.
- Information Systems Equipment Maintenance: All information systems equipment used for production processing must be maintained in accordance with the supplier's recommended service intervals and specifications.
- Preventive Maintenance: Preventive maintenance must be performed semi-annually on all computer and communications systems to minimize the risk of errors.
- Maintenance Records Routine: A record of every instance of preventive or corrective maintenance to Zain equipment must be maintained and audited.
- Using Portable Devices: Zain personnel who are issued portable computer devices must be aware of the information security issues relating to these devices and implement the appropriate safeguards to minimize security risks.
- Off-site Equipment Unattended: Zain equipment that is taken off site must never be left unattended.
- Release of Used Equipment and Media: Before information systems equipment or storage media that has been used for Zain business is provided to any third party, the equipment or media must first be inspected by the Risk Management Department to determine that all sensitive information has been removed.
- Property Pass (RM, PS): Computer peripherals, portable computers, modems, and related information systems equipment must be accompanied by an approved property pass and must be inspected by security personnel prior to leaving Zain premises. Property pass logs must include the dates that the item was removed from and returned to Zain.

10 Communications and operations management

10.1 Operational procedures and responsibilities

- Operating Procedures Documentation: All operating procedures that govern the processes within any Zain information processing facility must be authorized and documented.
- Operating Procedures Maintenance: All Zain information processing facility operating procedures must be validated or revised on an annual basis.
- Operating Procedures Changes: All changes to the operating procedures that govern the processes within any Zain information processing facility must be authorized by the applicable operations manager.
- Operating Procedures - Job Execution: Operating procedures that govern the processes within any Zain information processing facility must include detailed instructions for:
  - Execution, scheduling and interdependencies of every production job.
  - Handling of output.
  - Startup and shutdown of every computer system and application system.
  - Backup of every computer system and application system.
  - Periodic maintenance of every computer and communication system component.
- Operating System Changes: Changes to routine systems operations are to be fully tested, approved and documented prior to implementation.
- Change Control Equipment: Documented procedures must be established to control all changes to Zain information processing equipment.
- Equipment Change Authorization: All changes to Zain information processing equipment must be authorized by the concerned operations manager.
- Production Operating Systems Change Review (RM, IA): Annual reviews of production computer operating systems must be conducted to ensure that only authorized changes have been made.

- Back-off Procedures: Adequate "back off" procedures must be developed for all changes to production systems software and production application software.
- Software - Change Log: The details of all changes to Zain information processing software must be logged and communicated to all with a need to know.
- Separation of Duties: Whenever a Zain computer-based process involves sensitive, valuable, or critical information, the system must include controls involving a separation of duties or other compensating control measures, ensuring that no one individual has exclusive control over these types of Zain information assets.
- Security Audit Independence (RM, IA): The security audit of all Zain information processing facilities must be completed by resources independent of those who manage and control the facilities.
- Separation between Production and Development: Business application software in development must be kept strictly separate from production application software.
- Unnecessary Software: Unnecessary software and utilities must be removed from all Zain production systems.
- System Developers and Formal Testing: Workers who have been involved in the development of specific business application software must not be involved in the formal testing or day-to-day production operation of such software.

10.2 Third party service delivery management

- Contracts Approval (LG): All information-systems-related third-party contracts must be reviewed and approved by the Risk Management Department.
- Third-Party Services Security Responsibilities: The responsible manager must ensure that third-party services sufficiently implement, operate and maintain information security controls consistent with Zain information security policies and standards, and must re-assess risks when any changes occur in the third-party service.
- Third-Party Management Security: All Zain security policies, standards, and procedures must be followed by any third party that manages a Zain information processing facility.
- Third-Party Management - Security Responsibilities & Reporting: Any third party that manages a Zain information processing facility must identify sufficient resources to maintain and monitor all security activities and provide monthly status reports to the Zain Risk Management Department.
- Third-Party Management - Reporting Security Incidents: Every security incident that occurs in a Zain information asset that is managed by a third party must be reported immediately to the Risk Management Department.
- Third-Party Management - Security Audits (RM, IA): A security audit must be performed every six months at every Zain information processing facility that is managed by a third party.

10.3 System planning and acceptance

- Capacity Planning: New systems must undergo capacity, peak-load and stress testing. They must demonstrate a level of performance and resilience which meets or exceeds the technical and business needs and Zain's requirements.
- Capacity Projection: Every Zain manager must submit a detailed annual projection of the following year's information processing capacity requirements necessary to support his or her area.
- Databases: Databases must be fully tested for both business logic and processing prior to operational use. Where databases contain personal information, procedures and access controls must ensure compliance with the necessary legislation (e.g., Data Protection).
- Capacity Monitoring: A weekly review of information processing hardware capacity and utilization must be completed and reported to the operations manager.
- Vendor Recommended Upgrades: The decision whether to upgrade software is only to be taken after consideration of the associated risks of the upgrade, weighing these against the anticipated benefits and the necessity for such a change.
- Test and Live Environments: Formal change control procedures must be employed for all amendments to systems. All changes to programs must be properly tested in a test environment before moving to the live environment.
- Parallel Running: Normal system testing procedures will incorporate a period of parallel running prior to the new or amended system being accepted for use in the live environment.
- New Technology Evaluation: Any new technology or information system that will be used in Zain production application software, hardware systems or networks must be evaluated and approved by Zain Management prior to its adoption at Zain.

10.4 Protection against malicious and mobile code

- Malicious Attacks: Zain system hardware, operating systems, application software, networks, and communication systems must be adequately configured and safeguarded against both physical attack and unauthorized network intrusion.
- Emergency Data Amendment: Emergency data amendments may only be used in extreme circumstances and only in accordance with emergency amendment procedures.
- Anti-Virus Software: Anti-virus software is to be deployed across all of Zain, with regular virus definition updates and scanning across servers, PCs, laptops and other mobile computers.
- Mobile Code Execution: Users must not engage in Internet processes that permit mobile code to be placed or executed on their machines.
- Attempting to Eradicate a Computer Virus: Users must not attempt to eradicate a computer virus without expert assistance.
- User Installation of Software: Users must not install any software on their computers, network servers, or other machines.

10.5 Back-up

- Restarting or Recovering: Information system owners must ensure that adequate back-up and system recovery procedures are in place.
- Back-up and Recovery Procedures: Back-up of Zain's data files and the ability to recover such data is a top priority. Operations managers are responsible for ensuring that the frequency of back-up operations and the procedures for recovery meet Zain business needs.
- Archiving: The storage media used for the archiving of information must be appropriate to the expected longevity. The format in which the data is stored must be carefully considered, especially where proprietary formats are involved.

10.6 Network security management

- Network Management: Suitably qualified staff will manage Zain's information network and preserve its integrity in collaboration with the nominated individual system owner.
- Inbound and Outbound Network Connections: The establishment of a direct connection between Zain systems and computers at external organizations via a public network is prohibited unless the connection has first been approved by the Risk Management Department. All connections to Zain internal networks and/or computer systems must pass through an additional, Risk Management Department approved, access control point (such as a firewall) before users reach a log-in banner.
- Inventory of Network Connections: All concerned departments must maintain a current inventory of all connections to external networks, including telephone networks, EDI networks, extranets and the Internet.
- Administrative Security Management: Configurations and set-up parameters on all hosts attached to the Zain network must comply with in-house security management policies and standards.
- Centralization of Critical Networking Devices (PS): All business-critical devices supporting the Zain telephone system, intranet, local area networks, and the wide area network must be centralized in dedicated rooms with physical access controls, closed circuit TV, environmental monitoring systems, and other security measures indicated by the Risk Management Department.
- Integrity Assessment Tools: All network-connected systems used for production purposes must employ integrity assessment tools that detect, reconcile and report changes on a daily basis.
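The "Integrity Assessment Tools" control above, together with the change-authorization review under 10.1, amounts to a daily baseline comparison in which every detected change is reconciled against the approved change log. The following is an added example of that daily check and is not Zain's tooling; the baseline structure, the approved-change record format (path, action, ticket) and the sample file tree are constructed here for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_changes(baseline: dict, current: dict) -> dict:
    """Detect: classify every difference between the baseline and the current state."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def reconcile(changes: dict, approved: dict) -> dict:
    """Reconcile: a change is authorized only if an approved record exists for the
    same path AND the same action; anything else is reported as unauthorized.
    approved format (constructed): {"etc/app.conf": {"action": "modified", "ticket": "CHG-0001"}}"""
    authorized, unauthorized = [], []
    for action, paths in changes.items():
        for path in paths:
            record = approved.get(path)
            if record and record.get("action") == action:
                authorized.append((action, path, record["ticket"]))
            else:
                unauthorized.append((action, path))
    return {"authorized": authorized, "unauthorized": unauthorized}


def daily_report(root: Path, baseline: dict, approved: dict) -> dict:
    """Report: one run of the daily integrity check, returning detected and reconciled changes."""
    changes = detect_changes(baseline, build_baseline(root))
    result = reconcile(changes, approved)
    result["changes"] = changes
    return result


def format_report(result: dict) -> list:
    """Human-readable lines; unauthorized items come first so they are not missed."""
    lines = [f"UNAUTHORIZED {action} {path}" for action, path in result["unauthorized"]]
    lines += [f"authorized   {action} {path} ({ticket})" for action, path, ticket in result["authorized"]]
    return lines or ["no changes since baseline"]


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then apply one change covered by an
    approved ticket and three that are not, and run the daily check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "etc" / "old.conf").write_text("legacy\n")
        (root / "bin" / "service").write_bytes(b"constructed-binary-v1")
        baseline = build_baseline(root)

        # Authorized: config edited under a change ticket (constructed).
        (root / "etc" / "app.conf").write_text("listen=8443\n")
        # Unauthorized: production binary replaced, a file deleted, a file added.
        (root / "bin" / "service").write_bytes(b"constructed-binary-v2")
        (root / "etc" / "old.conf").unlink()
        (root / "bin" / "helper").write_text("#!/bin/sh\n")

        approved = {"etc/app.conf": {"action": "modified", "ticket": "CHG-0001"}}
        return daily_report(root, baseline, approved)


if __name__ == "__main__":
    for line in format_report(demo()):
        print(line)
```

In production the baseline itself must be stored where the monitored host cannot rewrite it, otherwise an unauthorized change can simply re-baseline itself.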


More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004L Payment Card Industry (PCI) Physical Security (proposed) 01.1 Purpose The purpose

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

BERKELEY COLLEGE DATA SECURITY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014 The Practice of Internal Controls Cornell Municipal Clerks School July 16, 2014 Page 1 July 18, 2014 Cash Receipts (Collection procedures) Centralize cash collections within a department or for the local

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

ISO IEC 27002 2005 (17799 2005) INFORMATION SECURITY AUDIT TOOL

ISO IEC 27002 2005 (17799 2005) INFORMATION SECURITY AUDIT TOOL 9.1 USE SECURITY AREAS TO PROTECT FACILITIES 1 GOAL Do you use physical methods to prevent unauthorized access to your organization s information and premises? 2 GOAL Do you use physical methods to prevent

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

ARTICLE 10. INFORMATION TECHNOLOGY

ARTICLE 10. INFORMATION TECHNOLOGY ARTICLE 10. INFORMATION TECHNOLOGY I. Virtual Private Network (VPN) The purpose of this policy is to provide guidelines for Virtual Private Network (VPN) connections to Education Division s resources.

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

Course: Information Security Management in e-governance

Course: Information Security Management in e-governance Course: Information Security Management in e-governance Day 2 Session 2: Security in end user environment Agenda Introduction to IT Infrastructure elements in end user environment Information security

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Technical Standards for Information Security Measures for the Central Government Computer Systems

Technical Standards for Information Security Measures for the Central Government Computer Systems Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...

More information

Aproved by: doron berger Data Security Manager - National Security unit

Aproved by: doron berger Data Security Manager - National Security unit Israel Electric Corporation National Security unit Data Security Security of critical project performed by vendor abroad Aproved by: doron berger Data Security Manager - National Security unit Project

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy. Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,

More information

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution. Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

SECURITY ORGANISATION Security Awareness and the Five Aspects of Security

SECURITY ORGANISATION Security Awareness and the Five Aspects of Security SECURITY ORGANISATION Security Awareness and the Five Aspects of Security Shift Security simply used to protect information vs. Enabling business initiatives with security Bolt-on/add-on structure to business

More information

Risk Assessment Guide

Risk Assessment Guide KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 AUDIENCE... 4 COMPLIANCE & ENFORCEMENT... 4 POLICY STATEMENTS... 5 1. General... 5 2. Authorized Users... 5 3. Loss and Theft... 5 4. Illegal

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011 CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information