(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

Transcription

1 (NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) 1. Approval and Authorisation Completion of the following signature blocks signifies the review and approval of this Process (signed copy held in safe) Name Job Title Signature Date Authored by:- <Name> Approved by:- <Name> Authorised by:- <Name> Information Security Consultant Information Security Officer Director of Finance & IT 2. Change History Version Date Reason Draft 1.0 Draft 1.1 Version 1.0 First draft for comments Second draft to incorporate font changes First Version Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 1 of 14

2 3. Contents 1. Approval and Authorisation 2. Change History 3. Contents 4. Abbreviations Used in this Report 5. Introduction 6. Internal Audit Policy Statement 7. Audit Process Appendix 1 - Three Year Audit Strategy Appendix 2 Example of the Calendar of Events Appendix 3 Example of the Record of Events Appendix 4 Example of an Information Security Audit Checklist 4. Abbreviations Used in this Report ISMS - Information Security Management System BSi - British Standards Institution TRUST - xxxxx NHS Trust Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 2 of 14

3 5. Introduction Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimise business damage and maximise return on investments and opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films or spoken in conversation. Whatever form it takes, or means by which it is shared or stored, it must always be appropriately protected. Information security is characterised as the preservation of confidentiality (information is only available to authorised persons), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets as and when required). Information security is achieved by implementing a suitable set of controls (following industry best practise), which will be policies, practices, procedures, organisational structures and software functions. In addition to the external audits undertaken by xxx, the Trust s Information Security Officer will also conduct (internal) audits. The approach is to audit each site at least once within a 12 month period (see Appendix 1). Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 3 of 14

4 6. Internal Audit Policy Statement It is the policy of the Trust that all aspects of the NHS TRUST Information Security Management System (ISMS) at all sites, be subject to an internal audit at least once every 12 months. This will help ensure that not only policies and procedures are being applied but that new best practice can be gathered and applied. 7. Audit Process 7.1 Overview The audit process involves the Auditor(s), in discussion with staff members in the area under review, identifying whether existing procedures are complied with and at the same time identifying whether the procedures are adequate. This will involve observing work in progress as well as sampling previous records. The auditor(s) will also gauge overall security awareness of the staff members interviewed. Audit Checklists, generated by the Trust s Information Security Officer will be used, an example is shown in Appendix 4. These documents are used for guidance only and will not limit the enquiries of an auditor who is following the audit trail. In addition the Audit Checklists may be used to record relevant information during the course of the audit. At the end of the audit, a short closing meeting will be held between the auditor(s) and auditee(s) to review the findings and issues identified. A senior member of line management (i.e. departmental manager or above) may be invited to participate, if appropriate. The audit frequency strategy is shown in Appendix 1. An Audit Checklist example is shown in Appendix 4. An example of the Calendar of Events is shown in Appendix 2. Please note, as well as IT Information Security audits, the calendar will show audits that cover certain areas of Information Security that are conducted by other functions (eg ISO9000 audits). Appendix 3 is an example of the Record of Events that have taken place. Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 4 of 14

5 7.2 Reporting Audit Findings Audit results and the areas/personnel/documentation covered are recorded during the audit. Observations will be recorded and subsequently will be classified by the auditor, as either a recommendation or as an observation. The Auditor will ensure that each recommendation has a unique identification number (the audit number followed by a second sequential number). This information will be added to the Internal Audit log. The Department Manager will sign to accept the recommendation. At the end of the audit the Auditor will generate an Audit Report. This Report will consist of any Audit Checklists and notes, copies of any observations, copies of any recommendations, if applicable, a summary of the audit findings and a front page. The front page will detail the Area/Function audited, the unique audit number, the date and time the audit was carried out, the auditor(s), auditee(s) and a list of attachments. An urgent Recommendation indicates that an aspect of the ISMS is either not defined or not being adhered to in any way and hence a risk to the business. Such a recommendation would need to be addressed as a matter of urgency in the case of an external audit being conducted, and a BS7799 certificate being held, the registration body would consider withdrawing the certificate if corrective action was not undertaken within strictly agreed timescales. The Auditor may also see fit to raise an Observation which is not a firm recommendation but rather a suggestion for improvement. Upon the next visit, the Auditor will expect the observation to have been taken on board (if appropriate) thus signifying ongoing improvement to the ISMS. Any non-site specific observations will be shared with other sites. 7.3 Following Up Corrective Actions Once the Information Security Officer has received the completed non-conformities the Audit Schedule is then updated to show when a Verification Audit is required. All points subject to recommendation are re-audited. The purpose of this verification (follow up) audit is to ensure that the defined corrective actions have been successfully implemented and are effective. The auditor who raised the original recommendation normally conducts this audit. Once objective evidence has been found confirming the successful implementation and effectiveness of the actions, the recommendation will be closed and signed off by the auditor and the department representative. The Information Security Officer will review the recommendation and authorise its closure. Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 5 of 14

6 Appendix 1 Three Year Audit Strategy BS7799 Clause Jan,02 Dec,02 Jan,03 Dec,03 Jan,04 Dec,04 Jan,05 Dec, General 3.2 Establishing a Management Framework 3.3 Implementation 3.4 Documentation 3.5 Document Control 3.6 Records 4.1 Security Policy 4.2 Security Organisation 4.3 Asset Classification & Control 4.4 Personnel Security 4.5 Physical & Environmental Security 4.6 Comms & Ops. Management 4.7 Access Control 4.8 Systems Development & Maintenance 4.9 Business Continuity Management 4.10 Compliance V= BSi Audit X = Internal Audit Site 1 Site 2 Site 3 Site 4 Site 1 Site 2 Site 3 Site 4 Site 1 Site 2 Site 3 Site 4 Site 1 Site 2 Site 3 Site 4 Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 6 of 14

7 Appendix 2 - Example of the Calendar of Events Date of Review/Audit Type of Review/Audit Reviewer Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 7 of 14

8 Appendix 3 - Example of the Record of Events Date of Review Type of Review/Review Details Reviewer(s) Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 8 of 14

9 Appendix 4 - Example of an Information Security Audit Checklist Site Site 1 NHS TRUST Information Security Audit Date of Audit Ref. Audit Detail Response Yes No N/A Procedure/ Guideline/ Policy Level of Understanding 1 (low) - 5 (high) Evidence Gathered Is the Information Security policy approved, published and communicated to all members of staff? Have all members of staff got copies of the NHS TRUST Information Security A Guide for Staff? (BS7799:2 3.1) Is the management framework established to initiate and control the implementation and ongoing effectiveness of Information Security at this specific location? (BS7799:2 3.2) Have all members of staff read and signed the Information Security policy? (BS7799:2 4.1) Is there an appropriate authorisation process for information processing facilities? (BS7799:2 4.2) Are controls for the Security of Third Party Access developed? (BS7799:2 4.2) Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 9 of 14

10 Ref. Audit Detail Response Yes No N/A Procedure/ Guideline/ Policy Level of Understanding 1 (low) - 5 (high) Evidence Gathered With respect to third party access, have the risks been identified and are the security controls and procedures for the outsourcing of information systems, Networks and/or desk top environments, in the contract between the parties? (BS7799:2 4.2) Are all major information assets accounted for and have a nominated owner? (BS7799:2 4.3) Are Information assets classified to indicate the need, priority and degree of protective controls, have these been agreed and documented and are these maintained on a regular basis? (BS7799:2 4.3) Are Security requirements clearly defined and responsibilities addressed at the recruitment stage and are they included in contracts and monitored during an individual s employment? (BS7799:2 4.4) Are users trained in security procedures and the correct use of information processing facilities? (BS7799:2 4.4) Are Incidents affecting security reported through appropriate channels as quickly as possible? (BS7799:2 4.4) Are critical or sensitive business Information Processing facilities housed in Secure Areas, protected by defined Security perimeter with appropriate security barriers and entry controls. Are they physically protected from unauthorised access, damage and interference. (BS7799:2 4.5) Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 10 of 14

11 Ref. Audit Detail Response Yes No N/A Procedure/ Guideline/ Policy Level of Understanding 1 (low) - 5 (high) Evidence Gathered Is equipment physically protected from security threats and environmental hazards by the use of secured rooms/offices, locked cabinets and authorised access control? (Do effective policies exist for portable equipment?) (BS7799:2 4.5) Are power and comms cabling suitably protected from physical damage and interception? (BS7799:2 4.5) Are alternative cabling/telephone exchange routes and backup power supplies available? (BS7799:2 4.5) Are responsibilities and procedures for the management and operation of all information processing facilities established? Do they include the development of appropriate operating instructions and incident response procedures? Are segregation of duties implemented where appropriate? Are there effective incident and incident management procedures in place? Is advance planning and preparation undertaken to ensure the availability of adequate capacity and resources? Are projections of future capacity made (to reduce the risk of system overload)? Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 11 of 14

12 Ref. Audit Detail Response Yes No N/A Procedure/ Guideline/ Policy Level of Understanding 1 (low) - 5 (high) Evidence Gathered Software and information processing facilities are vulnerable to the introduction of malicious software such as viruses, network worms, Trojan horses and logic bombs. Are there formal precautions in place to provide the required level of protection? Are routine procedures established for carrying out the agreed backup strategy, taking backup copies of data and rehearsing their timely restoration, logging events and faults and, where appropriate, monitoring the equipment environment? Are there controls in place to achieve and maintain security in computer networks which span organisational boundaries? Is Media controlled, physically protected and securely disposed of when no longer required? Are appropriate procedures in place for the secure handling of information (in whatever form)? Is access to information and Business Processes controlled on the basis of Business and security requirements? Does this take into account policies for information dissemination and authorisation? Are formal procedures in place to control the allocation of access rights to information systems and services? (BS7799:2 4.7) Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 12 of 14

13 Ref. Audit Detail Response Yes No N/A Procedure/ Guideline/ Policy Level of Understanding 1 (low) - 5 (high) Evidence Gathered Are users made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment? (BS7799:2 4.7) Is access to both internal and external networked services controlled? (BS7799:2 4.7) Are security facilities at the operating system level used to restrict access to computer resources? (BS7799:2 4.7) Are security facilities used to restrict access within application systems? Is logical access to software and information restricted to authorised users only? (BS7799:2 4.7) Are systems monitored to detect deviation from the Access Control Policy? Are monitorable events recorded to provide evidence in case of security incidents? (BS7799:2 4.7) Is appropriate additional protection applied when using mobile computing? (BS7799:2 4.7) Is a business continuity management process implemented (after undertaking appropriate risk analyses)? (to reduce the disruption caused by disasters and security failures to an acceptable level through a combination of preventative and recovery controls). (BS7799:2 4.9) Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 13 of 14

14 Ref. Audit Detail Response Yes No N/A Procedure/ Guideline/ Policy Level of Understanding 1 (low) - 5 (high) Evidence Gathered Are Site Emergency and IT Disaster Recovery plans maintained, up to date and tested on a regular basis? (BS7799:2 4.9) Do the Site Emergency and IT Disaster Recovery plans cross-refer and are of a similar style and format? (BS7799:2 4.9) Has applicable legislation been identified and are there controls and measures in place to ensure compliance? (BS7799:2 4.10) Does the Data Protection Act apply and are there controls and measures in place to ensure compliance? (BS7799:2 4.10) Are there controls and measures in place to ensure that information processing facilities are not misused? (BS7799:2 4.10) BS7799-2:1999 Information Security Management Controls 3.1 General 4.1 Security Policy 4.6 Communications and operations management 3.2 Establishing a management framework 4.2 Security organisation 4.7 Access control 3.3 Implementation 4.3 Assets classification & control 4.8 Systems development and maintenance 3.4 Documentation 4.4 Personnel security 4.9 Business continuity management 3.5 Document Control 4.5 Physical and environmental security 4.10 Compliance 3.6 Records Exemplar_ISMS Audit Process V1.0.rtf <Date> Page 14 of 14