SOA ISO Statement of Applicability

Transcription

1 SOA ISO Statement of Applicability A.5 Security A.5.1 Information Security A A Information security policy document Review of the information security policy A.6 Organisation of Information Security Security has been approved by the Data Centre manager. The Security is reviewed for continuing applicability at intervals not exceeding 12 months. Security AGS Review of Information Security A.6.1 Internal Organization A Management Commitment to Information Security Management have demonstrated their commitment to information security by the allocation of resources and investment in their people. Management commitment A Information Security Co-ordination Within the data centre, all information security activities Information Security Reference: ISO27001:2005 1

2 A A Allocation of Information Security Responsibilities Authorisation Process for Information Processing Facilities are co-ordinated. All Staff need to fully understand their responsibilities and procedures related to information security. A change request is required for any new processing facilities A Confidentiality Agreements Confidentiality Agreements for the protection of information are identified and regularly reviewed A Contact with Authorities N Unnecessary owing to scope of registration N/A A Contact with special interest groups N Unnecessary owing to scope of registration ( rely on automatic update for security and anti-virus protection ) A Independent review of information security This is conducted at least once a year by an internal/ external independent body. Forum Roles And Responsibilities Change Request and Procedure Confidentially Agreement N/A Audit Procedure A.6.2 External Parties A A Identification of Risks related to external Parties Addressing security when dealing with customers External parties have access to the data centre. Security in Third Party Agreements Customers have access to the data centre. Dealing with Customer Access A Addressing security in third party agreements Third party controls employed. Security in Third Party Agreements Reference: ISO27001:2005 2

3 A.7 Asset Management A.7.1 Responsibility for Assets A Inventory of assets A record of all information assets are kept on-site Risk Assessment Report And Asset Register A Ownership of assets All assets in the scope of this registration are owned by the Technical Director. A Acceptable use of assets Acceptable use of assets is laid down in the policies & procedures of the system. Risk Assessment Report And Asset Register Acceptable Use of Assets A.7.2 Information Classification A Classification guidelines All data is held electronically and is application specific Information Handling A Information labelling and handling Impractical and unnecessary Information Handling Reference: ISO27001:2005 3

4 A.8 Human Resources Security A.8.1 Prior to employment A Roles and responsibilities All employees have job descriptions defining their roles and responsibilities. Roles responsibilities A Screening Data centre standards require independent references be sought prior to commencement of employment. Verification of the accuracy of CVs is also undertaken and identity checks. A Terms and conditions of employment All employees have Job security responsibilities included in their terms and conditions of employment Screening. Terms And Conditions. A.8.2 During employment A Management responsibilities All applicable personal made aware of their responsibilities with regard to security A Information security awareness, education and training All staff receive on-site security training with regards to ISO27001 where needed A Disciplinary process All staff have been made fully aware of their responsibilities regarding information security Roles and responsibilities Roles and Responsibilities Disciplinary Process Reference: ISO27001:2005 4

5 A.8.3 Termination or change of employment A Termination responsibilities To prevent unauthorized access following termination of employment contract. Termination Of Employment. A Return of assets To ensure return of all company assets Return of Assets A Removal of access rights To ensure no unauthorized access following termination of employment contract. User Access Management A.9 Physical and environmental security A.9.1 Secure areas A Physical Security Perimeter The building is situated in a business park and perimeter controls are in place. Physical Secure Perimeter A Physical Entry Controls Controlled access to all areas is necessary Securing Offices Rooms and Facilities A Securing Offices & Rooms and facilities To prevent unauthorised access to sensitive equipment Securing Offices Rooms and Facilities A Protecting against external and environmental threats To ensure continuity of service Business Continuity Plan A Working in Secure Areas Protection of both staff and equipment Working in Secure Areas A Public access, delivery and loading areas Deliveries are made to the data centre. Delivery and Loading Areas Reference: ISO27001:2005 5

6 A.9.2 Equipment Security A Equipment siting and protection To protect against environmental and physical threats Equipment Siting And Protection Cabling security policy A Supporting utilities Equipment running twenty four hours seven days a week Supporting Utilities A Cabling security False floors to carry IT cabling Cabling Security A Equipment maintenance Data centre requirement Equipment needs to be maintained to ensure continued availability. Maintenance schedules And Logs A Security Of equipment off premises Home working by some staff. Mobile Computing A Secure disposal or re-use of equipment All client data held electronically needs to be disposed of securely. Secure Disposal Reuse of Equipment A Removal of property Authorised staff have removable IT equipment. Removal of Information/Property Reference: ISO27001:2005 6

7 A.10 Communications and operations management A.10.1 Operational procedures and responsibilities A Documented operating procedures AGS employees will follow appropriate operating instructions Various Procedures/Polices as required by standard A Change management Adopted as best practice. Change control procedure A Segregation of duties To prevent unauthorised modification of IT systems or abuse of position A Separation of development, test and operational facilities N No development done at/by the Data Centre. Segregation of Duties A.10.2 Third party service delivery management A Service delivery 3 rd party services are used Contracts/SLA with providers A Monitoring and review of third party services Monitoring & review take place to ensure continuity of service Security in Third Party Agreements A Managing changes to third party services Managing changes to ensure continuity of service. Security in Third Party Agreements Reference: ISO27001:2005 7

8 A.10.3 System planning and acceptance A Capacity management Growth is core to the business. Capacity management A System acceptance To ensure all systems are acceptable prior to installation Change control policy A.10.4 Protection against malicious and mobile code A Controls against malicious code Protection against malicious code Malicious Code Protection A Controls against mobile code System administrators has access to DMZ zones DMZ zone A.10.5 Back- up A Information back-up To prevent the permanent loss of important information assets Back-up A.10.6 Network security management A Network controls Safeguarding of information in networks Network Usage A Security of network services N Do not provide any network services Reference: ISO27001:2005 8

9 A.10.7 Media Handling A Management of Removable Media There are times when information is stored temporary on removal media such as Laptops. A Disposal of Media Need to make sure that no confidential information is leaked. Management Of Removal Media Disposal of media policy A Information Handling Procedures To ensure business continuity and prevent disruption Information Handling A Security of System Documentation Documentation held in both hard and electronic format Security of System Documentation A.10.8 Exchange of information A Information exchange policies and procedures Contracts requirement Information Exchange Policies and Procedures A Exchange agreements Contracts requirement Information Exchange Policies and Procedures A Physical media in transit y Tape backup transported to AGS Fire Safe Backup policy A Electronic messaging All staff have access to a company account Security in documents policy A Business information systems N No interconnected business systems N/A Reference: ISO27001:2005 9

10 A.10.9 Electronic commerce services A Electronic Commerce N No E-commerce facilities used in ISMS A On-line transactions N No E-commerce facilities used in ISMS A Publicly available information All information has a security classification Information Handling A Monitoring A Audit logging User activities, exceptions, and information security events are recorded and kept for an agreed period to assist in future investigations and access control monitoring. Event Logging and Monitoring System Use. A Monitoring system use Procedures have been developed for monitoring system use. A Protection of log information Generated log information are well protected against tampering and unauthorized access A Administrator and operator logs System/Database Administrator activities are monitored and logged Event Logging and Monitoring System Use Event Logging and Monitoring System Use Event Logging and Monitoring System Use A Fault logging A log of all faults is kept in the IT department Reporting Faults A Clock synchronization All clocks are synchronised to GMT AGS Clock Synchronisation Reference: ISO27001:

11 A.11 Access control A.11.1 Business requirement for access control A Access control policy For the protection of sensitive data and systems. Access control A.11.2 User access management A User registration To prevent unauthorised access to information systems User Registration A Privilege management Certain positions carry privileges Privilege Management A User password management All applications need password protection Password Management A Review of user access rights Required to be reviewed periodically User Access Management, Access Control A.11.3 User responsibilities A Password use To ensure availability of systems Password Management A Unattended user equipment By User Equipment we mean the administrators workstations. Clear Desk and Screening policy A Clear desk and clear screen policy Although assets are sited in a secure area, information Clear Desk and Reference: ISO27001:

12 displayed on screen (or on paper) may be confidential. Screening policy A.11.4 Network access control A on use of network services Networked services available to authorised personnel Network Usage A User authentication for external connections Home workers use Dial in services for remote access Network Usage A Equipment identification in networks Automatic identification is used for servers and networks Dell open managed A Remote diagnostic and configuration port protection Remote diagnostic and configuration access, via Dell open managed A Segregation in networks Networks segregated for the control of unauthorised access A Network connection control To control access in accordance with the access control policy Dell open managed Network Usage Network Usage A Network routing control To prevent unauthorised access in shared networks Network Usage A.11.5 Operating system access control A Secure log on procedures To control and manage user access Password Management A User identification and authentication To maintain records and monitor unauthorised activities Password Management A Password management system N To control and manage user passwords N/A A Use of system utilities N No utility programs are allowed to run on application N/A Reference: ISO27001:

13 servers A Session time out N Only administrators can access the operating systems of the servers via their desk tops. The Desktop are sited in a secure environment with controlled access. Hence having a session time-out policy is not deemed necessary at this time. A Limitation of connection time N Only administrators can access the operating systems of the servers via their desk tops. The Desktop are sited in a secure environment with controlled access. Hence having a connection time limit is not deemed necessary at this time. N/A N/A A.11.6 Application and information access control A Information access restriction A need to know policy is employed Information Handling A Sensitive system isolation All systems are treated as sensitive Access Control A.11.7 Mobile Computing and teleworking A Mobile Computing and communications Used by system administrators to identify system failures and restart essential services after failure A Teleworking N AGS staff do not do teleworking. N/A Mobile Computing Reference: ISO27001:

14 A.12 Information systems acquisition, development and maintenance A.12.1 Security requirements of information systems A Security Requirements Analysis and Specification Data centre does not do any development maintenance or support of application system software. However any enhancements to hardware (i.e. extra disks, etc) require a change request. Change Request A.12.2 correct processing in applications A Input Data Validation N Data centre does not do any development maintenance or support of application system software A Control of Internal Processing N Data centre does not do any development maintenance or support of application system software A Message integrity N Data centre does not do any development maintenance or support of application system software A Output Data Validation N Data centre does not do any development maintenance or support of application system software A.12.3 Cryptographic controls A on the Use of Cryptographic Controls N Cryptographic Controls are application specific and not supported by AGS A Key Management N Cryptographic Controls are application specific and not supported by AGS Reference: ISO27001:

15 A.12.4 Security of system files A Control of Operational Software To prevent unauthorised change control Change control policy A Protection of System Test Data N Data centre does not do any development maintenance or support of application system software A Access Control to Program Source code Source code held as back up only. Backup Procedure A.12.5 Security in development and support processes A Change Control Procedures Any data centre asset change requires a change request. Change control policy A A Technical Review of applications after Operating System Changes Restrictions on Changes to Software Packages Not in remit of data centre but do inform owners of applications of when operating systems changes have been made. N Software packages are not used by AGS. ( Application software controlled by change control procedure ) A Information leakage Opportunities for information leakage need to be prevented A Outsourced Software Development N Software development is not done by AGS. N/a Maintenance schedules And Logs Access control policy A.12.6 Technical vulnerability management A Control of technical vulnerabilities Technical vulnerabilities need to be managed Risk Assessment Reference: ISO27001:

16 A.13 Information security incident management A.13.1 Reporting information security events and weaknesses A Reporting information security events All security problems are notified to the Data Centre Manager. A Reporting security weaknesses All security problems are notified to the Data Centre Manager. Reporting Security Incidents Procedure Reporting Security Incidents Procedure A.13.2 Management of information security incidents and improvements A Responsibilities and procedures Responsibilities and procedures need to be clearly defined Roles and Responsibilities Reporting Security Incidents Procedure A Learning from information security incidents Lessons learned need evaluating to prevent further incidents Learning from Security Incidents A Collection of evidence Collection of evidence is required Learning from Security Incidents Reference: ISO27001:

17 A.14 Business Continuity Management A.14.1 Information security aspects of business continuity management A Including information security in the business continuity management process To counteract major failures or Catastrophes Business Continuity Plans A Business continuity and risk assessment To know that the strategy adopted is feasible, planned and effective A Developing and implementing continuity plans including information security To ensure a structured and managed approach to restoring business functionality A Business continuity planning framework N Single BCP in place at Aimes Grid Services (CIC) A Testing, maintaining and re-assessing business continuity plans For on-going verification and validation of an effective approach to BCP Risk Assessment Procedure Business Continuity Plans Business Continuity Plan Test A.15 Compliance A.15.1 Compliance with legal requirements A Identification of applicable legislation Legal/Mandatory requirement Compliance with Legal Requirements A Intellectual property rights (IPR) ISMS only uses legal / licensed software Compliance with Legal Requirements A Protection of organizational records ISMS complies with industry, legal and contract Compliance with Legal Reference: ISO27001:

18 A A Data protection and privacy of personal information Prevention of misuse of information processing facilities requirements ISMS is legally required to register all personnel records under the data protection act 1998 To ensure that all employees are aware of the policy on the use of company information processing facilities A Regulation of cryptographic controls N Cryptography not used N/a Requirements Compliance with Legal Requirements Compliance with Legal Requirements A.15.2 Compliance with security policies and standards, and technical compliance A Compliance with security policies and standards Management ensure all security procedures are carried out to correctly to achieve compliance with security policies and standards A Technical compliance checking Conducted by an Audit specialists to ensure compliance with security policies and standards Audit procedure Audit Compliance A.15.3 Information systems audit considerations A Information systems audit controls Internal audit team conduct regular audits of all policies and procedures adopted by the company to ensure effective implementation A Protection of information system audit tools Controlled by IT manager to prevent misuse or compromise Reference: ISO27001: