DVLA ELISE GSi Closed User Group Code of Connection

Transcription

1 DVLA ELISE GSi Closed User Group Code of Connection Security Warning Notice The following handling instructions apply to this document: - Handle, use and transmit with care - Take basic precautions against accidental compromise, opportunist or deliberate attack - Dispose of sensibly by destroying in a manner to make reconstruction unlikely Author: Dave Betts, DVLA IT Security Version: 7.0 Date: November 2010 Status: Final

2 DVLA ELISE GSi Closed User Group Code of Connection Contact Details - DVLA Connection Information Organisation Name Driver and Vehicle Licensing Agency (DVLA) Information Security Manager Details IT/System Manager Name Mark Lees Leigh Allen Address DVLA, C2 East DVLA, C2 East Longview Road, Morriston, Swansea Longview Road, Morriston, Swansea SA6 7JL SA6 7JL Telephone Number mark.lees@dvla.gsi.gov.uk leigh.allen@dvla.gsi.gov.uk Accreditor Details Name Company (if applicable) Address David Pope DVLA DVLA, C1 East Longview Road, Morriston, Swansea SA6 7JL Telephone Number david.pope@dvla.gsi.gov.uk DVLA Contact Details (Enquiries relating to the completion of Code of Connection) - dave.betts@dvla.gsi.gov.uk Phone Fax Job Title - DVLA IT Security Assurance Manager Address - DVLA C2 East Longview Road Morriston

3 DVLA ELISE GSi Closed User Group Code of Connection Contact Details - Organisation Connection Information Organisation Name [Insert Name of Organisation] IT Security Officer Details IT/System Manager Name [See FAQs] [See FAQs] Address Telephone Number Accreditor Details (where relevant) Name [See FAQs] Company Address Telephone Number Alternate Contact Details (See FAQs) - Phone - Fax - Address -

4 Annex A - Common Terms Risk Owner Risk Manager The Risk Owner accepts responsibility for ensuring that Information Systems (IS) risk within the organisation is managed appropriately. The Risk Owner should hold a position at Board level and understand how the strategic business goals of the connecting organisation may be impacted by IS failures, including the compromise of data provided to the organisation by DVLA. Within UK Government this role is undertaken by a Senior Information Risk Owner (SIRO). The Risk Manager is responsible for the day to day evaluation of the organisation's exposure to risk and controlling these exposures through such means as mitigation, avoidance, management or transference. This role is usually held by an Information Security Manager or Departmental Security Officer. Each control in Annex B uses the following terms for each requirement. This word means that the control is an absolute requirement. SHOULD This word means that there may be valid reasons not to implement the control and therefore implementation of that control is optional. The valid reasons should be documented within Annex B. Each control in Annex B applies to a particular part of the organisation or network. A collection of hosts together with the network through which they can exchange data. Server A network entity that provides a service to other network entities. Host(s) A computer that is attached to a communication sub-network or inter-network and can use services provided by the network to exchange data with other attached systems. This includes both clients and servers. Host A computer or server that is directly attached to or provides services by proxy to the DVLA CUG. User(s) A person, organisation, or automated process that has direct or proxy access to the DVLA.

5 DVLA - ELISE Closed User Group - Control Table No. Subject Control Requirement Applies to Reference Sources Comply (Yes, No or Partial) Comments (Please give details of implementation e.g. products, if practical timescales) 1.0 Physical Security All hosts and network equipment providing connectivity to the DVLA ELISE GSI CUG be located in secure accommodation compliant with industry best practice, e.g. ISO27001 and ISO27002., Server ; 9.1.2; 9.1.3; 9.14 FAQ Question User Education All employees of the Organisation and where relevant contractors and third party users SHOULD receive appropriate awareness training and awareness updates in organisational policies and procedures as relevant for their job function. 2.1 User Education An acceptable usage policy SHOULD be in place. 3.0 Incident Response 3.1 Incident Response 3.2 Incident Response Information Security events relating to the DVLA ELISE GSI CUG or any DVLA services being used via the CUG be reported through appropriate management channels as quickly as possible. Management responsibilities be established to ensure quick, effective and orderly response to Information Security incidents relevant to the DVLA ELISE GSI CUG or any DVLA services being used via the CUG. The organisation report Information Security incidents to the DVLA Information Security Manager (contact shown on Contact Details - DVLA tab). 4.0 Clearance Levels All privileged users (e.g. System Administrators and Information Security Managers) SHOULD have been subjected to detailed background personnel checks (e.g. Criminal Record Check, Credit Worthiness Check). SHOULD Users SHOULD Users ; , Users,, Users,, Users, SHOULD Users FAQ Question Clearance Levels Details of the Security Clearance Processes in place which have been applied to all users of the DVLA ELISE GSI CUG within your organisation be provided to the DVLA Information Security Manager upon request. Users Schematic The connecting organisation submit a network schematic that details the networks that will utilise the DVLA ELISE GSI CUG connection. This schematic document any onward connections and remote access. 6.0 IP Addressing Servers have static IP addresses (even if DHCP is used). 7.0 Firewalls An assured (EAL) firewall be installed between the organisation and the DVLA ELISE GSI CUG. 7.1 Firewalls An assured (EAL) firewall be installed between the organisation and any third party networks it connects to. 7.2 Firewalls Firewalls be configured to limit communication to that required between connecting hosts and DVLA ELISE hosts providing the same proxy service. e.g. local HTTP proxies ONLY communicate with DVLA ELISE HTTP Proxies. 8.0 Proxies All communication utilising the DVLA ELISE GSI CUG SHOULD pass through a proxy service. and Servers and FAQ Question SHOULD Servers Page 1 of 2

6 DVLA - ELISE Closed User Group - Control Table 8.1 Proxies Where used, proxy servers ensure users are authenticated. 8.2 Proxies Where used, proxy servers authenticate the hosts with which they communicate. Servers Servers Proxies Where used, proxy servers perform protocol checking to prevent buffer overflows and other vulnerability exploitation. Servers 8.4 Proxies Where used, proxies implement controls against malicious content e.g. Anti Virus. 9.0 Protective Monitoring 9.1 Protective Monitoring Organisations carry out Protective Monitoring and have the ability to identify and investigate suspicious activity. Servers All audit logs relating to the use of the DVLA ELISE CUG be retained for a minimum of six months. Organisations also be aware of any additional legislation that may require them to hold logs for longer periods Protective Monitoring Organisations be prepared to provide logs to the DVLA IT Security Officer on request Configuration run a file system supporting access controls that limit access to only the required operations and data Configuration All connecting hosts and infrastructure elements be configured in accordance with current best practice and vendor recommendations for secure operation. Where possible relevant resources should be assessed and applied where effective technical operation is not impeded. e.g. NSA or CIS guides Configuration Organisations take steps to adequately disinfect any device that has been infected by malicious software Configuration Organisations SHOULD check configurations at least once during any period of 12 months. SHOULD 10.4 Configuration Countermeasures be provided to prevent the execution of software not authorised by the administrator on IT devices, particularly desktops Configuration All hosts be maintained at the most current patch level or as recommended by the vendor. Vendors' web sites, be monitored and relevant software and service packs be applied where practicable Configuration Unpatchable or unsupported software not be used Vulnerability Scanning 11.1 Vulnerability Scanning SHOULD be scanned for the presence of security vulnerabilities at least annually. The vulnerability scanner SHOULD not be run from the host being scanned. SHOULD SHOULD 11.2 Content Analysis SHOULD at least SHOULD identify viruses, macros, dangerous file-types (e.g. executable), mobile code and spyware. Content analysis of all incoming and outgoing data SHOULD be performed at the organisation's gateway and hosts ; Page 2 of 2

7 Annex C - Organisational Commitment Statement I confirm, on behalf of the organisation listed below, that my organisation will endeavour to uphold the Confidentiality, Integrity, Availability and reputation of the DVLA in compliance with the requirements of the DVLA ELISE GSI CUG Code of Connection. I will ensure that my organisation complies with all relevant legal requirements, including those of the Data Protection Act 1998, Freedom of Information Act 2000, Police and Criminal Evidence Act 1984, Computer Misuse Act 1990 and Regulation of Investigatory Powers Act 2000; and I will make all reasonable efforts to inform potential users of the system, including users not directly employed, that communications transmitted across the DVLA ELISE GSI CUG are logged and that their content may be monitored and/or recorded in accordance with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations These purposes include, but are not limited to: Preventing or detecting crime; The interests of national security; Investigating or detecting the unauthorised use of the DVLA ELISE GSI CUG including other connected systems; and in order to secure, or as an inherent part of, the effective operation of the system. I confirm that my organisation briefs, trains or otherwise formally disseminates information to staff about their secure use of the DVLA Service across the DVLA ELISE GSI CUG as laid down in the CoCo, contractual documentation and other materials as may be made available by DVLA. This includes either a personal commitment statement, user acceptance policy or equivalent in which the user agrees to comply with the security rules of the organisation as well as those within the DVLA ELISE GSI CUG CoCo and relevant Annexes. I confirm that my organisation maintains accurate records of who has access to the DVLA ELISE GSI CUG and that all such personnel signed the appropriate Personal Commitment Statement, or have otherwise positively confirmed their acceptance in a similar way. I confirm that my organisation regularly reviews DVLA access lists (at least bi-annually) to ensure that only users with a legitimate business need have access to DVLA data. I confirm that the Control Table and a description of the network(s) and physical infrastructure of this organisation are accurately completed and returned to DVLA. My organisation agrees to assist DVLA in conducting audits and investigation that pertain to this CoCo or the organisation s connection to the DVLA ELISE GSI CUG. I confirm that all reasonable efforts have been made to inform all users that their communications on the DVLA ELISE GSI CUG may be monitored and/or recorded for lawful purposes and that this may take place without the organisation s prior knowledge or consent. Name : Signature : Position : Printed Name : Date : Date : Please Note : DVLA will only accept physical signatures on this document. The documents should be either 1) signed, scanned and ed to DVLA 2) Faxed to DVLA 3) Posted to DVLA.

8 Frequently Asked Questions 1. Why is the Code of Connection necessary? We've signed a contract and the transaction is over a secure line. The Code of Connection gives DVLA assurance that connecting organisations have implemented best practice information assurance standards. DVLA has a responsibility to ensure the data it is responsible for is handled appropriately by data partners and customers. The Code of Connection is part of the governance and assurance DVLA has in place to ensure data handling meets minimum acceptable standards. 2. I'm not sure what you mean by an IT Security Officer or IT/System Manager, can you elaborate? (Contact Details tab) Job titles will undoubtedly vary from organisation to organisation. The IT Security Officer (also known as the Information Security Manager) would be the person within a connecting organisation most likely to complete the Code of Connection and would have an understanding of IT and Information Security within the organisation. An IT or System Manager would be the person with overall responsibility for IT or a subsystem within an organisation. The IT/System Manager would be likely to be consulted for completion of the Code of Connection. DVLA requires the contact details of these people within your organisation so that they can be reached in the event of any information security incidents as they should be best placed to manage such incidents. 3. What do you mean by an Accreditor? (Contact Details tab) UK Government uses system accreditation to ensure systems meet appropriate Information Assurance (IA) standards or are deployed within tolerable levels of risk. Each Department or Agency has at least one Accreditor with this responsibility. If your organisation has someone with an overall responsibility for ensuring that your network(s) and systems meet defined standards you should complete this section. 4. Whose details should I put in the Alternate Contacts Details? (Contact Details tab) You should only complete this if there is a different person other than those named already could be contacted to discuss any issues relating to the Code of Connection or in the case of information security incidents. 5. My organisation doesn't have ISO27001 certification, does this mean we cannot connect to DVLA? (Annex B Control 1.0) Not necessarily, not all organisations can afford to pursue full certification. However, DVLA expects connecting organisations to meet industry best practice in terms of its datacentres and network configurations and should be as near as possible compliant (but not necessarily certified) to ISO Our System Administrator(s) and Information Security Manager(s) have been with the organisation for a number of years and have earned a high level of trust. Are these additional checks necessary for such people? (Annex B Control 4.0) DVLA cannot mandate such checks, however it is best practice to carry out additional checks on staff with privileged levels of access to networks or systems. If your organisation is content with the level of trust earned over time this would be sufficient. 7. Our network diagrams are confidential and we are not comfortable with sharing them with DVLA. Can we ignore this control? (Annex B Control 5.0) No, however we require a high-level diagram/schematic rather than a detailed one. It is not DVLA's intention to contravene the confidentiality of connecting organisations' network designs, however we do need to see how you propose to connect to us. 8. My organisation doesn't use proxy services/proxy services aren't appropriate to the service my organisation is consuming, do we need to complete controls 8.0 to 8.4? No, in such cases this control is Not Applicable (N/A). 9. Who should sign the Organisational Commitment Statement (Annex C)? The statement should be signed by the Risk Owner (see Annex A) or equivalent.