PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1


PUBLIC POWER CORPORATION S.A.
INFORMATION TECHNOLOGY DIVISION
CENTRAL SYSTEMS SUPPORT SECTION
IT SYSTEMS SECURITY SUBSECTION

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1

Version: 1.0
Date of Version: 20/09/2006

Security Risk Management IT Systems

HISTORY OF CHANGES

Date      | In charge of Changes | Changes / Additions (reference of specific unit) | Approval   | Version Number | Date of Application
20/9/2006 | B. Kolias            | Initial Version                                   | IT Manager | 1.0            | 1/1/2007

Version 1.0  Page 2 of 46  20/9/2006

TABLE OF CONTENTS

HISTORY OF CHANGES
1. INTRODUCTION
2. GENERAL OVERVIEW OF SECURITY RISK MANAGEMENT PROCEDURE FOR IT SYSTEMS
3. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE - SUMMARY TABLE
4. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE - DETAILED DESCRIPTION
  4.1 PREPARATION PHASE
      Determination of Scope of Operational Risk Management Areas
      Selection of Measurement Methods
  4.2 RISK ASSESSMENT
      Identifying and Assessing Composite IT Assets
        Identifying Composite IT Assets
        IT Assets Assessment
          Impact Identification and Assessment
      Identifying and Assessing Risks
        Classification of Threats
        Identifying and Assessing Physical Threats
        Identification and Assessment of Threats from Human Intervention
        Making Detailed Threat Table
      Identifying and Assessing Vulnerabilities
        Preparation of Detailed Vulnerability Table
      Assessment of Risk Exposure Level
        Correlation of Threats and Vulnerabilities for each Composite IT Asset
        Preparation of Detailed Risk Table

  4.3 RISK REDUCTION
      Risk Tolerance Level Assessment
      Comparison of Risk Exposure Levels with Risk Tolerance Levels
      Selection of Additional Protection Measures
      Assessment and Acceptance of Residual Risk
  MONITORING THE SYSTEM AND ITS ENVIRONMENT FOR CHANGES
      Identifying Endogenous Changes
        Monitoring IT Assets
        Monitoring IT Asset Vulnerabilities
        Monitoring Operational / Organizational Changes
      Identifying Exogenous Changes
        Monitoring the Threat Environment
        Monitoring the Legal Environment
      Management of Changes
ANNEX A: INDICATIVE THREAT LIST
ANNEX B: INDICATIVE VULNERABILITY LIST
ANNEX C: INDICATIVE CONTROLS LIST
ANNEX D: INDICATIVE ELECTRONIC SOURCES OF INFORMATION RELATING TO SECURITY THREATS AND VULNERABILITY ISSUES

1. INTRODUCTION

In the contemporary business environment, information is one of the most valuable assets of an enterprise, and the protection of the integrity, confidentiality and accessibility of IT assets is a necessary condition for the smooth and unhindered achievement of business goals.

The Public Power Corporation S.A. (hereinafter referred to as PPC or the Corporation), as an organization that relies on IT systems for the processing and management of operational information to support its business activity, has implemented a security framework for IT systems for the effective protection of its IT assets. IT Systems Security Risk Management (ITSSRM) is one of the components of this framework and includes the methodological approach required for the identification and effective management of the risks associated with the security of PPC IT assets.

The ITSSRM procedure, which is based on the internationally recognized BS ISO/IEC standards, is an integrated approach, supported by the PPC IT systems security policy, and includes the following stages:

- Recording and evaluating PPC IT assets.
- Identifying and assessing the security threats and vulnerabilities of IT assets and the existing protection measures.
- Assessment of the security risks arising from the exploitation of the vulnerabilities of IT assets by the recognized threats.
- Reduction of risks through the implementation of suitable controls.
- Assessment and acceptance of residual risk after the implementation of the protective measures.
- Continuous monitoring of systems and environment for changes, and repetition of the procedure if significant changes are detected.

The most important advantage of this approach is that it handles the security risks of information systems as issues concerning the entire Corporation, by examining the cost of implementing protective measures in correlation with the benefits resulting from the reduction of risks. The benefits of the implementation of this procedure are summarized as follows:

- The implementation of the procedure allows PPC to focus on the achievement of its operational goals by ensuring an acceptable level of risk.
- It provides the Corporation with the opportunity to evaluate its IT assets, by identifying threats and vulnerabilities, assessing the respective risks and selecting, through a cost-benefit analysis, the protection methods for limiting them.
- It leads to the creation of an organized and controlled environment through which the Corporation can collect, process, transfer and store information in a secure way.

In the following sections, the ITSSRM procedure is presented in detail, together with the detailed individual guidelines for its implementation.

2. GENERAL OVERVIEW OF THE SECURITY RISK MANAGEMENT PROCEDURE FOR IT SYSTEMS

The following flow chart presents the steps to be followed in the execution of the ITSSRM procedure. The chart graphically presents the successive stages of the approach, as well as the conditions that govern their relationship.

Flow chart (rendered here as a step list):

1. Determination of the Scope of the Operational Risk Management Area
2. Selection of Measurement Methods
3. Identification and Assessment of IT Assets
4. Identification and Assessment of Risks
5. Identification and Assessment of Vulnerabilities
6. Identification and Assessment of Risk Exposure
7. Determination of Risk Tolerance Level
8. Does exposure to risk lie inside the Risk Tolerance Levels?
   NO  -> Selection and implementation of additional protection measures, then return to step 8
   YES -> Risk Acceptance
9. Monitoring the system and its environment for changes
10. Important changes to the IT system and/or its environment detected?
   NO  -> Management of protective measures (controls), continue monitoring
   YES -> Repetition of the Risk Assessment Procedure

3. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE - SUMMARY TABLE

The following table summarizes the basic stages that must be followed for the implementation and completion of the PPC ITSSRM procedure.

ITSSRM procedure

Preparation Phase                                           | Risk Assessment                               | Risk Reduction                                                   | Monitoring the Environment for Changes
Determination of Scope of Operational Risk Management Area | Identifying and Assessing Composite IT Assets | Determination of Risk Tolerance Levels                           | Identifying Endogenous Changes
Selection of Measurement Methods                            | Identifying and Assessing Risks               | Comparison of Risk Exposure Levels with Risk Tolerance Levels    | Identifying Exogenous Changes
                                                            | Identifying and Assessing Vulnerabilities     | Selection of Additional Protection Measures                      | Management of Changes
                                                            | Assessment of Risk Exposure Level             | Assessment and Acceptance of Residual Risk                       |

4. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE - DETAILED DESCRIPTION

4.1 Preparation Phase

This phase is necessary to complete the appropriate preparation required before starting the ITSSRM procedure. The tasks to be undertaken in this phase are analyzed in the following paragraphs.

Determination of Scope of Operational Risk Management Area

Before the commencement of the risk management procedure, the scope and extent of the operational risk management area must be accurately determined, in order to facilitate the prompt recognition of the critical IT assets which must be examined during the procedure. Within the scope of the PPC ITSSRM procedure, four levels of study are determined: the Computer System Level, the IT System Level, the Operating Unit Level and the Overall Corporation Level.

Computer System Level: At this level, an integrated and complete risk management study is implemented for the selected computer system. A computer system is the IT system with the following elements removed: human resources and procedures. The software, hardware (e.g. servers, workstations, data transfer networks, etc.) and data of the Payroll application, the e-mail system or the internet access infrastructure are examples of computer systems where the ITSSRM procedure can be implemented. Therefore, at this level we focus mainly on the security risks related to the PPC technical IT infrastructure.

IT System Level: At this level, the risk management study must be implemented for all the elements of the computer system, as described above (see Computer System Level). Furthermore, the risks must be analyzed for security issues related both to the personnel who operate and manage the computer system in question and to the procedures they carry out. This analysis may be carried out through interviews (e.g. with the use of questionnaires and checklists derived from international standards, such as ISO/IEC 17799) or with the use of adapted control programs or other special analysis tools. At this level we focus on the security risks related both to the PPC technical infrastructure and to the procedures and people who operate and support this infrastructure.

Operating Unit Level: At this level, the IT systems security risk management procedure must be implemented for all IT systems supporting the operating unit under examination (e.g. General Division, Division, Subdivision, Section, Department, etc.).

Overall Corporation Level: At this level the ITSSRM procedure is implemented for the entire Corporation, and all IT systems used by PPC must be identified as fully as possible.

Selection of Measurement Methods

The selection of the measurement methods for the individual components of the risk (i.e. the asset value, threat and vulnerability), and especially the determination of their correlation, is a prerequisite for the execution of the risk assessment procedure. For the combination of a series of different variables to be feasible during the calculation of the individual and final figures, a measurable rating for each variable under examination must be established. The variables used in the assessment of risk exposure are the value rating of IT assets, the threat assessment rating, the vulnerability assessment rating and the risk assessment rating. For the purposes of the security risk management procedure, a scale is established for measuring the relative importance of each variable, as presented in the following tables:

IT Assets Assessment Rating Scale

Value | Description
1     | Negligible / Very Low
2     | Low
3     | Medium
4     | High
5     | Very High

Threat Assessment Rating Scale

Value | Description
1     | Low
2     | Medium
3     | High

Vulnerability Assessment Rating Scale

Value | Description
1     | Low
2     | Medium
3     | High

IT Systems Security Risk Assessment Rating Scale

Minimum Risk  |---- Low ----|---- Medium ----|---- High ----|  Maximum Risk

It is noted that the risk is the outcome derived from the three variables (value of IT asset, threat, vulnerability) and, for the purposes of this ITSSRM procedure, it is assessed using a measurement scale with values ranging between 0 (negligible / minimum risk) and 8 (maximum risk).

4.2 Risk Assessment

The effective management of PPC IT systems security risks requires the identification and assessment of the risks which threaten its IT assets. In this context, an analytical and detailed risk assessment approach is established, which is described in the following paragraphs and consists of the following steps:

- Identifying and evaluating IT assets
- Identifying and assessing threats
- Identifying and assessing vulnerabilities
- Assessment of the risk exposure level

In order to understand the procedure in more depth, the definitions of the basic terms of the risk assessment procedure are presented below:

Vulnerability: The weak spot or susceptibility of an IT asset or a group of IT assets which may be utilized / exploited by a threat. It is the condition that allows a threat to have impact at greater frequency, with greater consequences, or both.

Threat: An activity or event which may have an undesirable result; an incident or action which may have undesirable results if it occurs.

Information Systems Security Risk: The potential of a specific threat to exploit one or more vulnerabilities of an IT asset (or a group of IT assets), leading to loss of or damage to this asset.

Impact: The damage or downgrading of operational value (money, reputation, trust, etc.) or any other loss which could be the consequence of a potential violation of the security of PPC systems.

Identifying and Assessing Composite IT Assets

It should be stressed that this phase is very important and critical to the successful completion of the entire ITSSRM procedure, because all subsequent phases are based on the initial identification and evaluation of PPC IT assets. Additionally, for the better and more efficient execution of this phase, and by extension of the ITSSRM procedure, PPC IT assets are grouped based on their physical nature, and in this context they are called composite IT assets. More specifically, in the context of an IT system, one or more composite IT assets, each composed of a number of individual IT assets, are identified and examined. It is noted that in the context of this ITSSRM program, the analysis and assessment of risks is carried out based solely on the identification of IT systems and the composite IT assets they contain, without further analysis at the level of individual IT assets.

Identifying Composite IT Assets

At this stage, all composite IT assets falling within the defined scope of the operational risk management area (Computer System Level, IT System Level, Operating Unit Level, PPC Level) must be identified and recorded. For their more effective identification, the following types of composite IT assets are determined, and their definitions are presented in the following table:

Composite IT Assets Table

Composite IT Asset     | Description
Servers                | Risk assessment must cover any physically separate server or mainframe as a composite IT asset. The server includes the hardware, software and the information stored in the server.
Network                | Risk assessment must cover any physically separate component of the network as a different system component. The group of network components includes routers, hubs, switches, cabling, etc. Risk assessment here must ignore risks created by network servers. For each component, the hardware, software and transmitted information must be taken into account.
Clients / Workstations | Workstations include the hardware, software and the information stored in the equipment.
Miscellaneous          | Storage devices, ATMs, printers, fax machines, PBX / call center, etc.

IT Assets Assessment

Impact Identification and Assessment

The valuation of IT assets is carried out based on the assessment of the impact for each IT asset identified. Therefore, the impact of a violation of the security of an IT asset indicates its value to the Corporation. The following two parameters are considered fundamental to the effective identification of the impact:

- Impact factors / basic security principles: Confidentiality, Integrity and Accessibility.
- Main impact areas: the critical areas where the violation of one of the basic security principles has serious consequences.

All IT assets identified are assigned values ranging between 1 and 5 for each of the critical impact areas, in case of violation of each of the basic security principles (confidentiality / integrity / accessibility). A detailed description of the scale of the degree of impact is presented in the following table.

IT Assets Assessment Rating Scale

Value | Description           | Interpretation
1     | Negligible / Very Low | The violation of one of the security principles (confidentiality / integrity / accessibility) has a negligible or very low impact on the operation of the system and the Corporation.
2     | Low                   | The violation of one of the security principles (confidentiality / integrity / accessibility) may cause loss or damage of minimum importance.
3     | Medium                | The violation of one of the security principles (confidentiality / integrity / accessibility) may cause significant loss or damage, which could have adverse effects on the operational procedure.
4     | High                  | The violation of one of the security principles (confidentiality / integrity / accessibility) may cause extensive damage or loss with significant adverse effects on the operation of the system and PPC.
5     | Very High             | The violation of one of the security principles (confidentiality / integrity / accessibility) has an extremely significant impact on the operation of the system and the Corporation.

The assessment rating of IT assets is then calculated, based on the above scale, with the help of the following table.

Impact Identification and Assessment for each IT Resource

Main impact areas \ Impact factors (basic security principles) | Confidentiality | Integrity | Accessibility
Personal safety                                  |   |   |
Personal information                             |   |   |
Legal and regulatory obligations                 |   |   |
Commercial and economic interests                |   |   |
Financial loss                                   |   |   |
Disruption of activities                         |   |   |
Public order                                     |   |   |
Compliance with business policies and standards  |   |   |
Public image and PPC brand reputation            |   |   |
Business performance                             |   |   |
Environmental safety                             |   |   |

Note: The values in the table are indicative.

In this context, an impact rating of 3 in the personal safety area, in the event of violation of the accessibility of the IT asset under examination, implies that loss of accessibility to this asset may contribute to the loss of human life.

The total impact rating for each basic security principle is the maximum of the individual values assessed for each main impact area. The total impact rating for the IT asset under examination is the maximum of the three values estimated for each basic security principle.

Identifying and Assessing Risks

The identification and assessment of the risks to IT assets is achieved through the identification of security threats and their properties and features, in order to facilitate effective and detailed risk assessment for each PPC composite IT asset.

Classification of Threats

The first step in specifying threats is distinguishing between threats caused by human intervention and physical threats. The further analysis and classification of threats arising from human intervention uses the following features:

- Threat Intent: deliberate (D) or random (R)
- Threat Origin: internal (Int), external associates (X) or external (Ex)

By combining the above features, we can form the following threat categories arising from human intervention:

- Internal and Deliberate (IntD)
- Internal and Random (IntR)
- External Associates and Deliberate (XD)

- External Associates and Random (XR)
- External and Deliberate (ExD)
- External and Random (ExR)

Physical threats (e.g. fires, floods, earthquakes, etc.) belong to the ExR category (external random threats).

The above threat classification contributes to the risk assessment procedure in the following ways:

- It assists PPC personnel in the identification of threats.
- It contributes to the risk assessment evaluation. For example, an internal deliberate threat has a greater probability of occurring, given that the threat agent has the required knowledge and resources available, though there is reduced motivation, since the agent is aware of the higher risk of being caught.
- It contributes to the selection of suitable protection measures to reduce risk.

Identifying and Assessing Physical Threats

Physical threats are assessed separately, because their features differ from those of human intervention threats. Physical threats are easier to determine and have a general impact, and therefore their assessment must be carried out according to the different locations of the PPC composite IT assets. The ITSSRM group must prepare tables of the composite IT assets of the Corporation classified by location, according to the example shown in the following table (the location of each composite IT asset is entered under the building in which it is found).

Composite IT Assets by Location - Computer System 1

Composite IT Asset   | Building A | Building B | Building C | Building D | Building E
Composite IT Asset 1 | Office 3C

Composite IT Asset 2 | Network equipment storage area, Secure area A1
Composite IT Asset 3 | Offices, 3rd floor
Composite IT Asset 4 | Kitchen
Composite IT Asset 5 | Corridor, 3rd floor

Subsequently, based on historical data and with the assistance of specialized personnel, an assessment of the probability or frequency of the threats arising at each location must be carried out. With the use of the Threat Assessment Rating Scale (High / Medium / Low), as presented in the following table, an assessment rating for the threats may be specified. It is noted that if a physical threat is not related to a specific location, no assessment grade will be specified, since it does not need to be included in the risk assessment.

Composite IT Asset Physical Threat Assessment Table - Computer System 1

Composite IT Asset   | Physical Threat   | Physical Threat Assessment Rating
Composite IT Asset 1 | Physical Threat 1 | H
                     | Physical Threat 2 | L
                     | Physical Threat 3 | M
                     | Physical Threat 4 | M

                     | Physical Threat 5 | L
Composite IT Asset 2 | Physical Threat 1 | H
                     | Physical Threat 2 | L
                     | Physical Threat 3 | M
                     | Physical Threat 4 | M
                     | Physical Threat 5 | L
Composite IT Asset x | Physical Threat 1 | H

It should be stressed that the above table must be completed for each composite IT asset and for all physical threats identified.

Identification and Assessment of Threats from Human Intervention

Threats from human intervention are characterized by a different group of features. These threats must be identified and assessed for each composite PPC IT asset and cannot be grouped according to location. The first step in the assessment of threats from human intervention is the identification of the variables and the use of a single scale for measuring these threats. As already specified (start of paragraph 4.2), a threat is an activity or event which may give rise to undesirable results. Based on this definition, we can distinguish two factors which may be used to measure the relative importance of threats: the agent of the threat, i.e. the agent whose actions may create this threat, and the probability of the threat, i.e. how probable it is that the threat will arise. For the assessment of the two factors (agent and probability of occurrence of the threat) we can use the following variables:

- Capability: The volume of information available to the threat agent (knowledge, education, technological specialization, etc.) and the availability of the required resources.
- Motivation: The perception of the threat agent with regard to the interest value of PPC IT assets, in relation to the risk of being identified and caught, and the motivation to violate PPC security policy, standards and procedures in general.

The following table may be used as an example for the calculation of the threat assessment rating. Each threat must be assessed with the use of the recognized threat features described above (capability, motivation and probability), and the threat assessment rating must be specified using the Threat Assessment Rating Scale (paragraph 4.1.2).

Threat Assessment Table from Human Intervention - Computer System 1

Composite IT Asset   | Threat from Human Intervention | Type of Threat | Capability | Motivation | Threat Assessment Rating
Composite IT Asset 1 | Threat 1 | ExR  | L | L | L
                     | Threat 2 | ExD  | L | M | L or M
                     | Threat 3 | ExD  | M | M | M
                     | Threat 4 | IntD | H | H | H
                     | Threat 5 | IntD | H | L | L or M
Composite IT Asset 2 | Threat 1 | ExR  | H | H | H
                     | Threat 2 | ExD  | H | L | L or M
                     | Threat 3 | ExD  | M | H | L or M

                     | Threat 4 | IntD | M | L | M or L
                     | Threat 5 | IntD | L | L | L
Composite IT Asset x | Threat 1 | ExR  | H | H | H

Preparation of Detailed Threat Table

At this point, a detailed threat table should be prepared for each IT system, which presents the recognized threats (from human intervention and physical threats), their classification and the assessment rating of each threat.

Detailed Threat Table - Computer System 1

Composite IT Asset   | Threat   | Type of Threat | Threat Assessment Rating
Composite IT Asset 1 | Threat 1 | ExR  | H
                     | Threat 2 | IntD | L
                     | Threat 3 | ExD  | M
                     | Threat 4 | ExR  | M
                     | Threat 5 | ExR  | L
Composite IT Asset 2 | Threat 1 | IntD | H
                     | Threat 2 | IntD | L

                     | Threat 3 | ExD  | M
                     | Threat 4 | ExR  | M
                     | Threat 5 | ExR  | L
Composite IT Asset x | Threat 1 | IntD | H

Identifying and Assessing Vulnerabilities

The purpose of vulnerability identification and assessment is to identify and distinguish between security vulnerabilities and subsequently to assess the vulnerabilities as a whole. It should be noted that the terms related to security risk and vulnerability assessment frequently acquire a different meaning depending on the context in which they are used. For the purpose of the ITSSRM procedure, the term security vulnerability refers to a feature of the system whose security may be violated in order to gain access to it and allow the use of its resources for purposes other than the original ones. Furthermore, vulnerabilities are the weak spots or susceptibilities, as well as the inadequate security or the disadvantages associated with the implementation of a system, which are likely to be affected by a threat. Additionally, it should be emphasized that the existence of vulnerabilities does not depend on the actual realization of any threat or attack.

During the performance of the vulnerability assessment tasks, various methods and techniques may be used to identify and assess the risks related to PPC IT assets. These include the following:

- Vulnerability scanning: With the use of automated software tools, the ITSSRM group periodically scans IT assets for vulnerabilities.
- Attack and penetration testing in the PPC network: The ITSSRM team periodically coordinates the performance of such activities, in order to identify unknown vulnerabilities, not only from external but also from internal points of access to PPC IT assets.
- Vulnerability updates: The ITSSRM team is responsible for maintaining contact with the appropriate suppliers or organizations, in order to remain up to date at all times regarding the appearance of new vulnerabilities related to PPC IT assets.
- Technical security architecture assessment: The ITSSRM team periodically coordinates the execution of such assessments, in order to identify any vulnerability in the PPC technical security architecture.
- Security configuration assessment: The ITSSRM team periodically carries out security configuration assessments of specific systems, in accordance with internationally recognized security practices and configuration standards.

The calculation of the assessment rating for each vulnerability identified is subsequently based on the following features:

- Severity: The severity of the impact in case of exploitation of the specific vulnerability. This includes the range of the impact and the probability of escalation (i.e. where the utilization / exploitation of the specific vulnerability might lead).
- Exposure: The ease of exploitation of the specific vulnerability via physical or electronic means (required expertise, required resources).

Preparation of the Detailed Vulnerability Table

At this point a detailed vulnerability table should be prepared for each IT system, which includes the respective vulnerabilities and their assessment ratings, following the example of the following table:

Vulnerability Table - Computer System 1

Composite IT Asset   | Vulnerability   | Severity | Exposure | Vulnerability Assessment Rating
Composite IT Asset 1 | Vulnerability 1 | H | H | H
                     | Vulnerability 2 | M | L | M or L
                     | Vulnerability 3 | L | L | L
                     | Vulnerability 4 | H | M | M
Composite IT Asset 2 | Vulnerability 1 | H | H | H
                     | Vulnerability 2 | M | L | M or L
                     | Vulnerability 3 | L | L | L
                     | Vulnerability 4 | H | M | M
                     | Vulnerability 5 | H | L | M
Composite IT Asset x | Vulnerability 1 | H | H | H

Specifically with regard to security vulnerabilities related to computer system configuration issues (e.g. a missing service pack, security fixes, upgrades, etc.), carrying out the respective adjustments and installing the improved versions is recommended directly after the discovery of the vulnerability in question.

Assessment of Risk Exposure Level

Correlation of Threats and Vulnerabilities for each Composite IT Asset

By definition, a risk is the capacity of a given threat to exploit a vulnerability, leading to loss or destruction of an IT asset or a group of IT assets. Consequently, it is necessary to establish the correlation between the threats and vulnerabilities identified for each composite IT asset. The possible combinations of threats and vulnerabilities for each IT system must be systematized and recorded in a Risk Determination Table, as presented in the table below. It is noted that the examples of threats and vulnerabilities presented in the table are indicative, and their correlation is random.

Risk Determination Table - Computer System 1

Composite IT Asset   | Risk     | Threat   | Vulnerability
Composite IT Asset 1 | Risk 1.1 | Threat 1 | Vulnerability 3
                     | Risk 1.2 | Threat 1 | Vulnerability 5
                     | Risk 1.3 | Threat 2 | Vulnerability 3
                     | Risk 1.4 | Threat 4 | Vulnerability 3
                     | Risk 1.5 | Threat 5 | Vulnerability 2
Composite IT Asset 2 | Risk 2.1 | Threat 3 | Vulnerability 1
                     | Risk 2.2 | Threat 2 | Vulnerability 6
                     | Risk 2.3 | Threat 3 | Vulnerability 3
                     | Risk 2.4 | Threat 4 | Vulnerability 3
                     | Risk 2.5 | Threat 6 | Vulnerability 5

Composite IT Asset x | Risk x.1 | Threat 3 | Vulnerability

Preparation of Detailed Risk Table

For each identified risk, the Risk Assessment Rating must be calculated; it depends on the IT Asset Value Rating, the Vulnerability Assessment Rating and the Threat Assessment Rating. The combination of these elements may be achieved with the help of the following table:

Risk Assessment Table

Threat                 | Low                  | Medium               | High
Vulnerability          | Low | Medium | High  | Low | Medium | High  | Low | Medium | High
IT Asset Value (1 - 5) |     |        |       |     |        |       |     |        |

Finally, with the use of the above table, a Detailed Risk Table must be prepared for each IT system, which shows the calculated risk assessment rating, based on the individual value ratings of composite IT assets, vulnerabilities and threats, according to the example of the following table:

Detailed Risks Table - Computer System 1

Risk                    Impact Assessment Rating   Vulnerability Assessment Rating   Threat Assessment Rating   Risk Assessment Rating
Composite IT Asset 1
  Risk 1.1
  Risk 1.2
  Risk 1.3
  Risk 1.4
  Risk 1.5
Composite IT Asset 2
  Risk 2.1
  Risk 2.2
  Risk 2.3
  Risk 2.4
  Risk 2.5
Composite IT Asset x
  Risk x.1

4.3 Risk Reduction

Risk Tolerance Level Assessment

One of the most important tasks of the ITSSRM procedure is the assessment of risk tolerance levels. Risk tolerance levels (RTL) set the security level for IT systems which PPC has decided upon and is prepared to accept. The RTL must be specified for each composite IT asset, and the person responsible for its specification is the Supervisor of the IT asset in question. However, it is also important for the IT Systems Security Supervisor to participate in the specification of these levels, through the assessment of the respective risks and the potential damage which the IT asset may suffer if these risks materialize. It is noted that the RTLs specified by agreement between the IT Asset Supervisor and the IT Systems Security Supervisor must be inspected and approved by the IT Director.

During the determination of the risk tolerance levels (RTL) for each IT asset, particular attention must be paid to the following issues:

- RTLs cannot be calculated in absolute numbers, as there is no commonly accepted practice for their calculation. Their specification is an administrative decision and can be made only in the context of the risk assessment results.
- It is recommended that the decision specifying the limit between acceptable and unacceptable risks is made through an analysis of the available resources, the nature and extent of the risks identified and the nature of the operational procedure supported by the IT asset.
- A more practical way to specify and interpret the RTLs is the classification of risks on a "High - Medium - Low" scale (see Risk Measurement Scale) and the correlation between the risk category and the urgency of the need to address these risks. Indicatively, the following table may be used.

Risk Level

Risk Level 1 (e.g. risk exposure assessment High, risk rating 6-8):
  An issue of high importance requiring the direct attention of the Management Board and corrective actions of immediate priority.

Risk Level 2 (e.g. risk exposure assessment Medium, risk rating 3-5):
  An important issue requiring the immediate attention of the IT Division and an agreed program of corrective actions within a relatively short space of time.

Risk Level 3 (e.g. risk exposure assessment Low, risk rating 0-2):
  An issue that does not require immediate attention, but for which resolution at some time in the future is advisable, unless this risk is acceptable to the Management Board.

Comparison between Risk Exposure Levels and Risk Tolerance Levels

Following the establishment of the correlation between risk exposure levels (REL) and PPC IT assets carried out at the previous stage (paragraph 4.2.4), these levels must be compared to the specific RTLs of each composite IT asset. This comparison results in one of the following three cases, for each of which a corresponding course of action must be specified. Specifically:

- If the RELs are higher than the RTLs, the possibility of implementing further protective measures must be examined.
- If the RELs are lower than the corresponding RTLs, then the respective IT asset is adequately protected. Nevertheless, in this case the risk management team must examine the possibility that these IT assets are excessively protected, i.e. that the security protection measures implemented exceed requirements. In this case, it is suggested that the possibility of removing unnecessary protection measures be examined. However, this must be carried out via a detailed evaluation of the risks associated with the removal of protective measures.
- If the RELs are the same as the respective RTLs, then the ITSSRM procedure must proceed to the next stage of acceptance of residual risk and the monitoring of changes.
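The rating calculation and the REL/RTL comparison described above, as an added worked example that is not part of the PPC procedure. The cell values of the Risk Assessment Table did not survive transcription, so the additive rule used here (IT Asset Value Rating 0-4 plus Threat 0-2 plus Vulnerability 0-2, which yields the 0-8 range of the Risk Level table) is an assumption of this example, as are the sample asset, its RTL and the ratings; the same comparison is re-run on the residual risk after protective measures lower a vulnerability rating.

```python
from dataclasses import dataclass, field, replace

# Threat and vulnerability assessment ratings on the procedure's Low/Medium/High scale.
# The numeric weights are an assumption of this example, not the procedure's table.
LEVEL = {"Low": 0, "Medium": 1, "High": 2}

# The three outcomes of the REL/RTL comparison in section 4.3.
ACTIONS = {
    "above": "examine implementation of further protective measures",
    "below": "adequately protected; check for excessive protection before removing any measure",
    "equal": "proceed to acceptance of residual risk and monitoring of changes",
}


@dataclass
class Risk:
    risk_id: str          # row of the Risk Determination Table, e.g. "1.1"
    threat: str           # entry from the detailed threat table (names from Annex A)
    vulnerability: str    # entry from the detailed vulnerability table (names from Annex B)
    threat_rating: str    # Threat Assessment Rating: Low / Medium / High
    vuln_rating: str      # Vulnerability Assessment Rating: Low / Medium / High


@dataclass
class CompositeAsset:
    name: str
    asset_value: int      # IT Asset Value Rating, 0-4 (assumed scale)
    rtl: int              # Risk Tolerance Level agreed for this asset, 0-8
    risks: list = field(default_factory=list)


def risk_rating(asset_value: int, threat_rating: str, vuln_rating: str) -> int:
    """Risk Assessment Rating = asset value + threat + vulnerability (assumed additive rule, 0-8)."""
    if not 0 <= asset_value <= 4:
        raise ValueError("IT Asset Value Rating must be 0-4")
    return asset_value + LEVEL[threat_rating] + LEVEL[vuln_rating]


def risk_level(rating: int):
    """Classify a 0-8 rating according to the procedure's Risk Level table."""
    if 6 <= rating <= 8:
        return 1, "High"
    if 3 <= rating <= 5:
        return 2, "Medium"
    if 0 <= rating <= 2:
        return 3, "Low"
    raise ValueError("risk rating out of range 0-8")


def detailed_risk_table(asset: CompositeAsset) -> list:
    """Rows of the Detailed Risks Table for one composite IT asset."""
    rows = []
    for r in asset.risks:
        rating = risk_rating(asset.asset_value, r.threat_rating, r.vuln_rating)
        rows.append({"risk": f"Risk {r.risk_id}", "impact": asset.asset_value,
                     "vulnerability": LEVEL[r.vuln_rating], "threat": LEVEL[r.threat_rating],
                     "rating": rating, "level": risk_level(rating)})
    return rows


def compare_with_rtl(asset: CompositeAsset) -> dict:
    """Compare each risk's exposure rating (REL) with the asset's RTL: {risk: (rating, case, action)}."""
    result = {}
    for row in detailed_risk_table(asset):
        case = "above" if row["rating"] > asset.rtl else "below" if row["rating"] < asset.rtl else "equal"
        result[row["risk"]] = (row["rating"], case, ACTIONS[case])
    return result


def reassess(asset: CompositeAsset, new_vuln_ratings: dict) -> dict:
    """Residual risk: re-run the comparison after protective measures lowered some vulnerability ratings."""
    revised = [replace(r, vuln_rating=new_vuln_ratings.get(r.risk_id, r.vuln_rating)) for r in asset.risks]
    return compare_with_rtl(replace(asset, risks=revised))


# Constructed sample data for Computer System 1, Composite IT Asset 1 (not the procedure's figures).
EXAMPLE_ASSET = CompositeAsset("Composite IT Asset 1", asset_value=3, rtl=4, risks=[
    Risk("1.1", "Power outage", "Non-existent or inadequate operational continuity plans", "Medium", "High"),
    Risk("1.2", "Malicious software", "Inadequate user management procedures", "High", "Medium"),
    Risk("1.3", "User errors", "Inadequate testing", "Low", "Low"),
    Risk("1.4", "Theft", "Lack of documentation", "Low", "Medium"),
])

if __name__ == "__main__":
    for row in detailed_risk_table(EXAMPLE_ASSET):
        print(row)
    for risk, (rating, case, action) in compare_with_rtl(EXAMPLE_ASSET).items():
        print(f"{risk}: REL {rating} is {case} RTL {EXAMPLE_ASSET.rtl} -> {action}")
    # Residual risk after an operational continuity plan and user management procedures are in place:
    for risk, (rating, case, action) in reassess(EXAMPLE_ASSET, {"1.1": "Low", "1.2": "Low"}).items():
        print(f"residual {risk}: {rating} is {case} RTL {EXAMPLE_ASSET.rtl}")
```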

Selection of Additional Protective Measures

If the existing or scheduled protective measures cannot reduce risk exposure to acceptable levels, then additional measures must be introduced. Protective measures which may be implemented fall into five categories, depending on the specific operations they perform in protection of IT assets. It should be noted that many protective measures operate over multiple categories, and these are usually preferable.

Preventive controls: These aim to avoid the occurrence of problems, errors, omissions or malicious actions. These controls monitor the operation of the systems and attempt to predict potential problems before they arise and to make adjustments. Examples of preventive controls are policies, standards and procedures, physical and logical access control systems, etc.

Detective controls: These detect and report errors, omissions or malicious actions. Intrusion detection systems and monitoring and logging actions are typical examples of detective controls.

Deterrent controls: These are the protection measures intended to impede a potential threat agent. Control, monitoring and awareness of the clear intent to pursue criminal prosecution to the fullest extent against violators are controls that fall under this category. These increase the probability of creating concern and potentially reduce the threat agent's motivation to act.

Corrective controls: These aim at correcting defects identified in systems, procedures and control actions, in order to minimize the probability of their reappearance.

Containment & Recovery controls: These refer to protective measures which minimize the impact of successfully executed threats and provide the capacity for direct recovery of IT systems operation after damage or destruction.

The selection of additional controls for each IT asset must be carried out as required and will be determined on the basis of the Risk Assessment Table of each IT asset. The ITSSRM team will identify, analyze and select the protection measures required to handle the risks identified in the Risk Assessment Table. The selection of the controls will be based on the following factors:

- The nature of the protection measure (preventive, detective, corrective, etc.)
- The respective efficiency of the protective measure (e.g. effective handling of risks as appropriate)
- The expected impact on daily operations
- Their transparency and comprehension by the user
- The assistance available to the user when carrying out control and protection operations
- The direct and indirect financial cost of implementation of the protective measure

Assessment and Acceptance of Residual Risk

Following improvement of existing measures or the implementation of new ones, the risks identified must be re-evaluated, in order to determine the level of coverage provided and therefore to assess the risk remaining after the implementation of protective measures (residual risk). When the residual risk has been assessed, it must then be compared to the RTLs:

- If the residual risk is smaller than the RTLs, then new protective measures must be implemented in order to adequately limit the identified risk to acceptable levels.
- If the residual risk is higher than the established RTLs, then part of the risk identified has not been fully mitigated and an operational decision must be made to accept or reject the residual risk. If the Management Board decides against accepting the risk, then additional protective measures must be designed and implemented to limit the residual risk to the specified RTLs.

4.4 Monitoring the System and its Environment for Changes

Given that IT systems are dynamic by nature, the management of the risks associated with the security of IT systems is a dynamic process. Therefore, when the risk management tasks are completed following risk assessment and the implementation of the additional protective measures, the IT Systems Security Supervisor, in cooperation with the IT Asset Supervisors and members of the IT Division, is responsible for monitoring the PPC operational environment and the IT environment in order to detect significant changes. These changes may have a significant impact on the security risks related to PPC IT assets and include endogenous changes of IT systems (basic system changes, personnel changes, operational changes, significant changes to IT asset value, etc.) as well as exogenous changes (new legal and regulatory requirements, significant changes in the threat environment, etc.). The following paragraphs describe the variables of the operational environment which must be monitored in order to allow for on-going updates in accordance with such changes, and consequently the appropriate adaptation and improvement of the ITSSRM.

Identifying Endogenous Changes

Monitoring IT assets

Protected PPC IT assets and their value are key factors taken into account within the risk assessment procedure. Initially, the risk assessment procedure is based on the identified IT assets, their value and the threats and vulnerabilities which create risks. After the initial assessment, the IT assets must be monitored for any changes to their status or their value:

- Important changes to the status of PPC IT assets include modifications to systems; modifications to the procedures for development, operation and maintenance of the IT systems; the implementation of new systems and new features; upgrades; changes in equipment; changes in the configuration of systems and networks; addition of network connections; etc.
- Important changes to IT asset values may change the risk status of IT assets, given that the value of IT assets is the primary variable for specifying risk. A significant increase in the value of an IT system will increase the risks related to it, and therefore its security requirements.

Monitoring IT asset vulnerabilities

The vulnerabilities of IT assets must also be monitored for any modifications which might change the outcomes of risk assessments, either through the appearance of new risks or the growth or reduction of existing risks. The reasons for which identified vulnerabilities of IT systems may be modified include the following:

- Implementation of new system or application software (e.g. installation of a new operating system).
- Upgrade of hardware or software (e.g. installation of new operating system versions).
- Changes to data processing methods (e.g. new application algorithms correlating data from multiple sources, which allow access from one source to another).

Monitoring operational / organizational changes

Changes to the operational and organizational environment may affect the risks related to PPC IT systems. Examples of such changes are the following:

- Changes to the organizational structure of PPC (e.g. new security requirements arising from new operational departments and/or roles).
- Changes implemented in operational procedures, for example new procedures requiring the creation of new restricted reference documents, as well as the participation of new roles involving new risks.
- New services, for example the settlement of customer bills through the Internet, will fully change the risks related to PPC IT assets, through the increase of interconnections and the provision of external access to specific IT assets.

Identifying Exogenous Changes

Monitoring the threat environment

The threats related to the security of PPC IT assets must be constantly monitored so that the assessed risks to IT systems security remain current. The threat assessment rating initially calculated is constantly subject to change as information technologies advance rapidly, providing threat agents with increased capabilities via the use of new, modern and specialized tools, as well as increased motivation to act, given that the value of PPC information is constantly increasing. Changes to be monitored include the following:

- New tools and techniques available to potential intruders (e.g. new techniques to bypass or reduce the effectiveness of biometric access control systems through use of state-of-the-art technology).
- Changes to PPC operational installations (e.g. transfer of equipment from the data center, or transfer of other processing equipment to a new location, etc.).
- Implementation of new IT systems and/or data networks.

Monitoring of the legal environment

In the context of the ITSSRM procedure, the respective legal and/or regulatory requirements of the specific sector (energy) must be taken into account, as well as any changes to them. These requirements may arise from changes to the legal frameworks of the countries where the Corporation is active, or from regulations and directives that may be imposed by other central authorities (e.g. Ministries, the Hellenic Capital Market Commission, the Hellenic Data Protection Authority, etc.). The areas normally affected by the legal and regulatory environment include the retention period for financial and customer data, personal data protection, operational continuity planning and environmental protection. Additionally, the regulations and directives of central authorities may recommend specific measures which must be in place to ensure the smooth operation of PPC IT systems.

Management of Changes

When changes in PPC IT systems are identified, the ITSSRM team is responsible for assessing the changes and deciding whether new risk assessments are necessary. Depending on the importance of the changes, the head of the team has the following options:

- For small changes, whose effect is identifiable and measurable, a risk assessment limited to the extent of the changes must be carried out, focusing on the IT systems affected by the change. This analysis must include all new risks created by the respective change, which must be assessed and respectively reduced, or accepted if they are within risk tolerance levels.
- In the event of significant changes with multiple impacts on many IT systems, the risk management procedure should be repeated, in order to ensure appropriate management of the new risk environment.

ANNEX A: INDICATIVE THREAT LIST (1)

Risk List

1. Dust
2. Problem in cooling system
3. Bomb attack
4. Breach of communications
5. Destruction of communication lines / cables
6. Wear and tear of storage media
7. Earthquake
8. Environmental pollution
9. Extreme temperature and humidity levels
10. Interruption of communications
11. Failure in parts of the network
12. Power outage
13. Water outage
14. Fire
15. Flood
16. Equipment damage
17. Illegal software use
18. Lightning
19. Maintenance error
20. Malicious software, e.g. viruses, worms, Trojans
21. User identity impersonation
22. Error or repetition of message transmission
23. Improper use of resources
24. Access to network by unauthorized persons
25. Errors by support personnel
26. Large voltage fluctuations
27. Software error
28. Personnel shortage
29. Theft
30. Overload of systems or network
31. Transmission errors
32. Unauthorized software use
33. Unauthorized use of storage media
34. Inappropriate network use
35. Use of software by unauthorized users
36. Inappropriate software use
37. User errors
38. Intentional destruction

It is noted that the above list is an indicative rather than exhaustive reference to security threats in IT systems.

(1) Source: British Standards Institution, Guide to BS 7799 Risk Assessment and Risk Management, 1998

ANNEX B: INDICATIVE VULNERABILITY LIST (2)

Vulnerability List

IT Systems Security Management Procedure

1. IT systems architecture which does not meet IT systems security requirements
2. Organization and information flows within the Corporation which do not meet IT systems security requirements
3. Non-existent or inadequate classification of information
4. IT systems procurement procedures which do not meet IT systems security requirements
5. Service provision agreements by third parties which do not meet IT systems security requirements
6. Contractors representing third party products which may not handle the issues of accessibility / operational continuity in an adequate manner
7. IT systems development procedures which do not meet IT systems security requirements
8. Inadequate procedures for change management
9. Lack of documentation
10. Inadequate testing
11. Inadequate segregation of duties
12. Non-existent or inadequate documentation of roles and competences
13. Inadequate or non-existent allocation of responsibility for IT assets
14. Inadequate or non-existent procedures
15. Inadequate or non-existent security policies and standards
16. Inadequate user management procedures
17. Absence of confidentiality agreements with users and contractors
18. Inadequate support by management on issues regarding the security of IT systems
19. Non-existent or inadequate security incident management procedures
20. Non-existent or inadequate backup copy procedures
21. Non-existent or inadequate operational continuity plans
22. Absent or inadequate procedures for updating and training users in IT systems security issues
23. Non-existent or inadequate personnel selection procedures
24. Non-existent or inadequate paper copy management procedures
25. Non-existent or inadequate systems monitoring and control procedures
26. Non-existent or inadequate control procedures relating to proper implementation of security policies, standards and relevant laws and regulations
27. Non-existent or inadequate IT systems security control procedures

It is noted that the above list is an indicative rather than exhaustive reference to security vulnerabilities in IT systems.

(2) Source: Government of New South Wales, Office of Information Technology, Information Security Guideline Part 2, Issue No: 2.0 (June 2002)

ANNEX C: INDICATIVE LIST OF PROTECTIVE MEASURES (3)

The following table presents certain protective measures classified under four broad areas: Organizational and Management Controls, Physical and Environmental Controls, Operational Controls and Technical Controls. It is also noted that the following list is an indicative rather than exhaustive reference to protective measures against security threats in IT systems.

Controls

Organizational and management controls
- IT systems security policy
- IT systems security infrastructure
- Development / Management / Support of IT systems by third parties
- Classification and information control
  - Recording and handling information
  - Information storage
  - Information transmission
  - Information destruction
- Compliance with security standards and policies
- Updates and training in IT Systems Security issues
- Personnel security
  - Recruitment and selection of personnel
  - Confidentiality agreement
  - Employment terms and conditions
  - Job descriptions
  - Segregation of duties
- Management of operational continuity
  - Operational continuity plan
  - Disaster recovery plan
  - Protection from natural disasters
  - Procedures for storage and maintenance of backup copies
- System controls
- Compliance with laws and regulations
  - Protection of company files
  - Protection of data and secrecy of personal information

Physical and Environmental Protection Measures
- Security zones
  - Entry control
  - Site inspection
- Intrusion testing
- Equipment security
  - Equipment protection
  - Electricity supply
  - Equipment maintenance
- Clean desk and clean screen policy
- Removal of IT assets

Operating Controls
- Documentation
- Change management
- Management of security incidents
- Backup copies
- Software integrity control
- Maintenance of log files
- Data entry control
- E-commerce security
  - Commercial transactions through the internet
- Software development and testing environment security

Technical Controls
- Identification and certification elements
  - Password
  - Biometric devices
- Controls for logical access
  - Operating system
  - Database
  - Applications
  - Network control devices, e.g. firewall, Air Gap devices
- Network management
  - Network monitoring tools
  - Network division into separate sections
  - Intrusion detection
  - Network connection policies
- Access
  - Revision of user access rights
  - Control of data log files
- Virus protection software
- Integrity control software
- Encryption
- Evaluation
  - Procedures
  - Applications
  - Network
  - Operating system
- Intrusion testing

(3) Sources: Government of New South Wales, Office of Information Technology, Information Security Guideline Part 3, Issue No: 2.0 (June 2002) and British Standards Institution, Guide to BS 7799 Risk Assessment and Risk Management, 1998

ANNEX D: INDICATIVE ELECTRONIC SOURCES OF INFORMATION RELATING TO SECURITY THREATS AND VULNERABILITY ISSUES

SANS Institute Top 20 Vulnerabilities: A list of security vulnerabilities in Windows 2000/NT and Unix operating systems, classified according to frequency of occurrence.
CERT Vulnerabilities, Incidents and Fixes: An extensive database of IT systems security incidents and vulnerabilities.
Linux Vulnerabilities:
NIST ICAT Metabase:
Security Focus: com/
Common Vulnerabilities and Exposures: mitre.org/

PUBLIC POWER CORPORATION S.A.
INFORMATION TECHNOLOGY DIVISION
CENTRAL SYSTEMS SUPPORT SECTION
IT SYSTEMS SECURITY SUBSECTION

USER MANAGEMENT PROCEDURES FOR PPC SA INFORMATION TECHNOLOGY SYSTEMS DA-2

Version: 3.0
Date of Issue: 1/9/2009

IT Systems User Management

HISTORY OF CHANGES

Date        In charge of Changes   Changes / Additions (specific unit reference)                                                      Approval     Version Number   Date of Application
1/3/2007    V.Kolias               Initial Version                                                                                    IT Manager                    /3/2007
1/10/2008   V.Kolias               Paragraph 5 (addition of new applications, merger of applications, materials storage).             IT Manager   2.0              1/10/2008
1/9/2009    V.Kolias               Paragraph 5 (addition of new and modification of old applications). Amendment of paragraph 4.1.    IT Manager   3.0              1/9/2009

Version 3.0 Page 2 of 11 22/7/2009

TABLE OF CONTENTS

HISTORY OF CHANGES
1. INTRODUCTION
2. BASIC CONCEPTS - DEFINITIONS
2.1 APPLICATIONS USERS
2.2 MINIMUM PRIVILEGES PRINCIPLE
2.3 NEED-TO-KNOW PRINCIPLE
2.4 APPLICATION MANAGER (AM)
2.5 USER MANAGER (UM)
3. USER MANAGEMENT PROCEDURE
4. SPECIAL CASES
4.1 USER ACCOUNT REVOCATION
4.2 TRANSFER OF USER TO A DIFFERENT JOB POSITION
5. PPC SA OPERATIONAL APPLICATIONS ... 7

1. INTRODUCTION

The User Management procedure covers the methodological approach required for access of PPC S.A. employees to operational applications. The benefits of the implementation of this procedure can be summarized as follows:

- Only authorized users can access operational applications.
- PPC S.A. is given a complete picture of the users with access to operational applications and can manage the licenses for the software it uses in the most cost-effective way.
- The manner in which a user can ask for access to an operational application is clarified.

2. BASIC CONCEPTS - DEFINITIONS

2.1 APPLICATIONS USERS

Any person with authorized access to PPC S.A. applications. All company employees may be users of operational applications, but the extent and purpose of the access may differ. Third entities and outside associates are also considered users.

2.2 MINIMUM PRIVILEGES PRINCIPLE

Based on the security policies, the principle of minimum privileges must be observed, under which the privileges of users must be restricted to only those necessary for the performance of their work.

2.3 NEED-TO-KNOW PRINCIPLE

Based on the security policies, the need-to-know principle must be observed, under which user rights must be restricted according to the requirements of their work in each case, in order to protect the confidentiality of company data.

2.4 APPLICATION MANAGER (AM)

In order to establish a central point for granting access rights to users and to manage the operating requirements of operational applications uniformly, a respective Application Manager (Application Owner) is appointed for each of them. The Application Manager is defined as the service unit which is responsible for the application data and its security. Specifically, the AM:

- Records user requirements and determines the operating requirements of the application.
- Classifies information depending on protection requirements.
- Determines user roles and competences.
- Allocates access rights to users (inclusion, deletion, change of competences) according to the operational requirements, the need-to-know principle and the minimum privileges principle, as necessary in each case for the execution of the tasks in question.
- Establishes the procedure for submission and approval of user access requests.

2.5 USER MANAGER (UM)

The User Manager implements the user access requests approved by the competent AMs. More specifically, the User Manager enters and deletes users and also changes their competences in the application or applications for which the UM has been made responsible. In specific operational applications the User Manager may also act as Application Manager.

3. USER MANAGEMENT PROCEDURE

The user management procedure for operational applications includes the following steps:

Step 1: For each user to be entered, deleted or subjected to changes of rights in a PPC S.A. application, a written request is submitted to the competent Application Manager by the staff team to which the user belongs. A special access application form is provided for each PPC S.A. operational application, which contains the details necessary for access to be granted. All applications must be given a reference code and, according to the access level requested, be signed by the respective member of the staff team responsible for this. Specifically in the case of internet and , the access request must be signed by the competent General Manager, and for the Basic Organizational Level Unit (BOK) Managing Director by the head of the Managing Director's office.

Step 2: The Application Manager to whom the application is sent will accept or reject its activation and determine the access rights. The request for activation will then be forwarded to the User Manager.

Step 3: The application request is executed at this phase by the User Manager, who will notify the user regarding the method of access.

4. SPECIAL CASES

4.1 USER ACCOUNT REVOCATION

All user profiles and access codes linked to employees who are removed from the payroll shall be immediately revoked, and the head of the service unit must inform the managers of the applications to which the person had access with a request for deletion therefrom.

4.2 TRANSFER OF USER TO A DIFFERENT JOB POSITION

In the case of transfer to a different service unit or change of the job position of the user, the head of the service unit must notify the managers of the applications to which the user has access with a request for deletion from the applications.

5. PPC SA OPERATIONAL APPLICATIONS

The applications supported by the IT Division of PPC S.A. are presented below, with details of the corresponding Application Manager (AM) and User Manager (UM).

1. ERP FINANCIAL - General Accounting, Receivables, Payables, PPC Standing charges, PPC Projects, Purchasing offices (only for equipment purchase orders).
   AM: Planning & Performance Department / IT Applications Section (PPD/ITPS) - Contact: Mr. Voutsinos H., tel
   UM: IT Division / (ITD/CSSS)

2. ERP CONTRACTORS STORAGE
   AM: Network Division / Contracts Sector (ND/CS) - Contact: Mr. Tassoulas I., tel
   UM: IT Division / (ITD/CSSS)

3. ERP MATERIALS, STORAGE, PURCHASING OFFICES (material purchase orders)
   AM: Material Purchasing Transportation Department / Material Purchasing Section & Unified Purchasing Program (MP-TD/MP&UPS) - Contact: Mr. Dotsias K., tel
   UM: IT Division / (ITD/CSSS)

4. ERP HR (Personnel Matters)
   AM: HR Division / IT Systems Section (HR/ITSS) - Contact: Mr. Zografos, tel
   UM: IT Division / (ITD/CSSS)

5. GORDIOS CONTRACTORS CERTIFICATION
   AM: Network Division / Contracts Section (ND/CS) - Contact: Mr. Tassoulas I., tel
   UM: Network Division / Contracts Section (ND/CS)

6. FINANCIAL - Cash assets, old central contracts, historical financial information.
   AM: Planning & Performance Division / IT Applications Section (PPD/ITPS) - Contact: Mr. Voutsinos H., tel
   UM: IT Division / (ITD/CSSS)

7. PAYROLL
   AM: Financial Operations Division / Payroll and Insurance Organizations Section (FOD/PIOS) - Contact: Mr. Nikolopoulos F., tel ; Mr. Kolovos N., tel
   UM: IT Division / (ITD/CSSS)

8. PAYROLL EMPLOYMENT STATISTICS
   AM: IT Division (ITD) - Contact: B. Kolias
   UM: IT Division / (ITD/CSSS)

9. PROMETHEUS EMPLOYMENT
   AM: HR Division / IT Systems Section (HR/ITSS) - Contact: Mr. Zografos, tel
   UM: IT Division / (ITD/CSSS)

10. INTERNET,
   AM: IT Division (ITD) - Contact: Mr. Symeonidis I., tel
   UM: IT Division / Office Systems Sector (ITD/OSS)

11. MEASUREMENT
   AM: IT Division / Office Systems Section (ITD/OSS) - Contact: Mr. Symeonidis I., tel
   UM: IT Division / Office Systems Section (ITD/OSS)

12. POINT OF SALES SYSTEM
   AM: IT Division / Office Systems Section (ITD/OSS) - Contact: Mr. Symeonidis I., tel
   UM: IT Division / Office Systems Section (ITD/OSS)

13. ERMIS
   AM: For General Commercial Division users: Sales Division / Accounting Management Section (SD/AMS) - Contact: Mr. Larentzakis D., tel
       For General Distribution Division users: Network Division / User Connections Section (ND/UCS) - Contact: Ms. Kagaraki E., tel
   UM: Sales Division (SD)

14. ARTEMIS
   AM: Major Customers Division / Accounting Management Section (MCD/AMS) - Contact: Ms. Christia A., tel
   UM: Major Customers Division / Accounting Management Section (MCD/AMS)

15. OPERATIONAL COOPERATION PORTAL
   AM: Communications Division / Internal Communications Section (CD/ICS) - Contact: Ms. Apostolopoulou R., tel
   UM: IT Division / Office Systems Section (ITD/OSS)

16. ARTEMIS FOR LOW VOLTAGE CUSTOMERS
   AM: Sales Division (SD) - Contact: Mr. Karakatsanis E., tel
   UM: IT Division / Distribution Relations Section (ITD/DRS)

17. FINANCIAL BUSINESS OBJECTS
   AM: Planning & Performance Division / IT Applications Section (PPD/ITPS) - Contact: Mr. Voutsinos H., tel
   UM: IT Division / (ITD/CSSS)

18. BUSINESS OBJECTS EMPLOYMENT
   AM: HR Division / IT Systems Section (HR/ITSS) - Contact: Mr. Zografos D., tel
   UM: IT Division / (ITD/CSSS)

19. OCCUPATIONAL DOCTORS
   AM: Occupational Health and Safety Division (OHSD) / Occupational Medicine Section (OMS) - Contact: Mr. Alexopoulos H., tel
   UM: Occupational Health and Safety Division (OHSD) / Occupational Medicine Section (OMS)

20. MINE PRODUCTION STATISTICS
   AM: Mines Planning and Performance Department (MPPD) - Contact: Mr. Antzoulatos B., tel
   UM: Mines Planning and Performance Department (MPPD)

21. ZEUS
   AM: Macedonia Thrace Region Department (MTRD) - Contact: Mr. Mizamidis A., tel
   UM: Macedonia Thrace Region Department (MTRD) - Contact: Kalomenidis S., tel ; Lialios I., tel ; Karapiperis H., tel

22. DAILY WORK SHEET FOR OPERATIONAL DISTRIBUTION PROGRAMS
   AM: Distribution Planning and Performance Department (DPRD) - Contact: Ms. Pantazopoulou E., tel
   UM: IT Division / (ITD/CSSS)

23. ERMIS CUTOFFS
   AM: Sales Division (SD) - Contact: Mr. Ilias A., tel
   UM: Sales Division (SD)

24. ERP SUPPLY CHAIN PURCHASING PROGRAM
   AM: Material Purchasing Transportation Department / Material Purchasing Section & Unified Purchasing Section (MP-TD/MP&UPS) - Contact: Mr. Dotsias K., tel
   UM: IT Division / (ITD/CSSS)

25. PPC CUSTOMER INDICATION ACCEPTANCE SYSTEM
   AM: Network Division / User Connections Section (ND/UCS) - Contact: Ms. Kagaraki E., tel
   UM: Network Division / User Connections Section (ND/UCS)

PUBLIC POWER CORPORATION S.A.
INFORMATION TECHNOLOGY DIVISION

SECURITY FRAMEWORK FOR PPC SA IT SYSTEMS
DIRECTIVE No 1

Version: 1.0

HISTORY OF CHANGES

Date: 4/4/2007
In charge of Changes: K. Gialelis
Changes / Additions (reference of specific unit): Initial Version
Approval: Gen. Director of Financial Services
Version Number: 1.0
Date of Application: /4/2007

ITD Directive No1 PPC S.A. Information Technology Systems Security Framework

TABLE OF CONTENTS

A. GENERAL
   1. Scope of the Directive
   2. Purpose of the Directive
   3. Basic concepts - Definitions

B. IT SYSTEMS SECURITY POLICIES
   1. Organization of IT Systems Operational Security
   2. Classification of IT assets
   3. Security pertaining to personnel matters
   4. Physical and environmental security
   5. Management of IT systems communications and operations
   6. Access control
   7. Development and maintenance of IT systems
   8. Management of operational continuity
   9. Compliance

C. ROLES AND COMPETENCES OF IT SYSTEMS SECURITY MANAGEMENT
   The roles of the application manager and the user manager
   Competences in IT Systems Security issues
      Management Board
      IT Division
      Financial and Administrative Control Division
      Legal Services Department
      Human Resources Division and Human Resources Departments
      Head of Service Units
      PPC Personnel
      PPC External Associates

A. GENERAL

1. Scope of the Directive

Information technology systems are important assets of the Public Power Corporation S.A. (hereinafter referred to as PPC or the Corporation) and therefore must be suitably protected and safeguarded. One of the most basic measures of protection is the existence of a complete and integrated system of security policies, which is the foundation for the implementation of an integrated security framework for IT systems.

This Directive stipulates:
1.1. The security policies for PPC IT systems (unit B), based on the international BS ISO/IEC 17799:2000 standard.
1.2. The roles and competences for security management of PPC IT systems (unit C).

2. Purpose of the Directive

The purpose of this Directive is to ensure that the required protection is provided to PPC operational information, and specifically:
2.1. Protection of the confidentiality, integrity and accessibility of operational information.
2.2. Ensuring unhindered operation of IT systems and recovery of critical information in case of their loss or destruction.
2.3. Ensuring the capacity to control the existing level of security for IT systems.
2.4. Maintenance of a consistent and integrated approach by the Corporation for issues pertaining to IT systems security.

3. Basic concepts - Definitions

For the requirements of this Directive:

3.1 IT System is a system that consists of hardware, software, processes, human resources and data which are stored, processed, retrieved and transmitted via the above.

3.2 IT Assets are computers, data network and communications devices, data, information, IT systems, documentation material or any other IT resource, in physical or electronic format. Specifically, IT products may be categorized as follows:
- Hardware (PCs, workstations, servers, routers, printers, hubs/modems, cabling, etc.)
- Software (operating systems, ready-made software packages, software applications developed internally or externally, etc.)
- Information in physical or electronic format
- Main IT services (intranet, ftp, , file share, print outs, internet access, data and communications network management, access to and from the PPC data and communications network via telephone, etc.)
- Operations / Support services (personnel services, legal and financial services, Control, Operations Continuity Planning, etc.)
- External data and access to it (if the PPC uses data which is provided by external associates).

3.3 IT Systems Security Policies are the basic framework of Operational regulations on which the development and operation of the Operational security architecture will be based. They describe the sum total of principles governing the security of specific thematic areas and specify the way in which the Corporation protects its IT assets.

3.4 IT Systems Security Standards are the individual rules and principles which ensure a consistent and integrated interpretation of the significance and goals of security policies.

3.5 Integrity is that feature of the information which allows it to remain accurate and complete, as well as the capacity to maintain that accuracy and completeness.

3.6 Confidentiality characterizes information for which disclosure is only permitted to authorized persons, entities and procedures which are granted the right to access it, at the time and in the manner required.

3.7 Accessibility is that feature of information and IT systems which permits access and use by authorized persons, entities and procedures, at the time and in the manner required.

3.8 IT System Security is protection of the confidentiality, integrity and accessibility of the assets of an information system.

3.9 Protection Requirements are a group of control mechanisms which are required to be implemented for a specific category of IT assets for ameliorating or reducing risks to the accepted minimum level.

3.10 Minimum Privileges Principle is the principle based on which privileges of users must be restricted to those necessary for the performance of their stated duties only.

3.11 Need to Know Principle is the principle based on which user access rights must be restricted according to the requirements for performance of their stated duties in each case, in order to protect the confidentiality of company data.

3.12 IT Systems Security Incident is any event (e.g. unauthorized access attempts, system infection by virus software, network intrusion attempts, theft, or sudden operating shutdowns of the Corporation's systems) which threatens the confidentiality, integrity and accessibility of PPC systems, data or resources, and/or infringes on the security policies for IT systems.

3.13 IT Assets User is any person with authorized access to IT assets or IT systems. All PPC employees are considered users of information, even though the range and purpose of their access may differ. Third party entities, temporary employees and external associates are also considered users.

3.14 Service Unit Head is the Head of the Unit which carries out independent productive activity according to the applicable regulations, using specific Corporation installations and is at least at the Basic Organizational Level Unit (BOK) Section Head level.

3.15 Designated Location of a Service Unit is considered to be all facilities and buildings utilized in fulfilling tasks within the framework of its competences.

B. IT SYSTEMS SECURITY POLICIES

IT Systems Security Policies cover the following general categories, described in the following chapters:
- Organization of IT systems operational security
- Classification of IT assets
- Security in matters pertaining to personnel
- Physical and environmental security
- Management of IT systems communications and operations
- Access control
- IT systems development and maintenance
- Operational continuity management
- Compliance with obligations arising from the regulatory legislative environment.

A policy is determined for each general category, in which the following information is provided:

Purpose of Policy: Specifies the purpose of the specific IT systems security policy.

Scope of Policy: Specifies the IT assets and personnel and/or external associates covered by this policy.

Policy Statements: Consisting of the description of the specific policy through which Corporation Management roles are defined and described with regard to the subject addressed by this policy.

Any violations of security policies will result in the implementation of corrective and/or disciplinary actions by the Corporation Management. These actions must be consistent with the severity of the incident, which will be ascertained after the respective investigation, and shall comply with the applicable policies and procedures of the Corporation pertaining to personnel management issues.

1. Organization of IT Systems Operational Security

1.1 Purpose of Policy

The purpose of this policy is to provide an integrated framework for the effective and comprehensive organization and management of IT systems operational security.

1.2 Scope of Policy

This policy covers all personnel / external associates and all IT assets of the Corporation.

1.3 Policy Statements

IT systems security operation
- Establishes a framework of roles and competences for the management of PPC IT systems security, as described in unit C.
- The PPC Management Board is responsible for the general supervision of the IT systems security framework.
- The IT Division is responsible for the management of the security of the Corporation's IT systems.
- The role of the Application Manager is defined. A Manager is appointed for each IT Operational Application, who shall have primary responsibility for the classification of application information, the determination of roles and competences, the allocation of access rights to users, as well as establishing operational requirements.
- Security competences of IT systems are allocated to the Heads of the PPC Service Units, to ensure the effective implementation of security across the entire Corporation.

- If specialized advice is required regarding the security of IT systems, this is given by external and/or internal expert security consultants.
- Suitable contacts and cooperation are established with police and judicial authorities, regulatory and legislative organizations, as well as public or private organizations providing information and telecommunications services.
- Independent inspections and internal and/or external audits are regularly carried out for IT systems security policies and their implementation within the Corporation.

Security pertaining to access of external associates and third party entities
- Where there is an operational need for the access of third party entities to Corporation IT systems, the risks related to this access are identified and the relevant PPC security requirements are determined.
- Arrangements related to access of third party organizations to the IT centers and facilities of the Corporation are to be accompanied by a formal agreement/contract, whose terms shall include issues pertaining to IT systems security and ensure compliance with PPC security policies and standards.

Security for outsourcing services
- If part or all of the management and/or control of all or some of the IT systems, company network or other PPC equipment and operations is outsourced to external associates, a suitable formal contract is to be drawn up, the terms of which shall cover the Corporation's security requirements.

2. Classification of IT Assets

2.1 Purpose of Policy

The purpose of this policy is the determination of the classification and protection requirements for PPC IT assets, as well as allocation of the suitable security level to all Corporation IT assets.

2.2 Scope of Policy

This policy covers all personnel and all IT assets of the Corporation.

2.3 Policy Statements

Identifying and recording IT assets
- All critical PPC IT assets are identified and recorded.
- Each service unit is responsible for the creation and maintenance of an updated log file for all IT assets it uses or manages, which is subject to periodic updates.

Classification of information
- All the information stored on the computers or physical files of the Corporation is considered to be an asset of the PPC.
- A person is appointed responsible for each IT asset (IT Asset Supervisor).
- All Corporation information is classified according to protection requirements. The information classification procedure, as well as the respective measures taken for its suitable protection, is carried out according to PPC operational needs and the designated access level which Corporation personnel must have in order to access this information.

- A framework of procedures is laid down and followed for the labelling and management of information, which are compatible with the level of classification of the information in question.

3. Security pertaining to Personnel matters

3.1 Purpose of Policy

This policy aims to minimize risks originating from human error, theft, fraud or abuse of operational systems, installations and equipment. At the same time, it has the purpose of ensuring that PPC personnel are aware of the threats and general issues related to the security of IT assets and are in a position to implement the Corporation's security policies effectively. Lastly, it aims at minimizing the risk or loss from potential security-related incidents.

3.2 Scope of Policy

This policy covers all personnel / third party entities which use and/or manage Corporation IT assets.

3.3 Policy Statements

Security of IT assets
- All PPC personnel shall be informed of and sign a confidentiality agreement (non-disclosure agreement), as part of their contractual obligations to the Corporation. Personnel must read and sign this agreement before being granted any form of access to PPC IT assets. Third party entities (contractors, contracted employees, external associates, etc.) are also obligated to sign this confidentiality agreement.
- The general terms of the employment contract must mention employee liability with respect to IT systems security issues.

Training and education of personnel
- All PPC employees, as well as its external associates, shall receive appropriate information and training with regard to security policies, standards and procedures for Corporation IT systems as required.

Reporting security incidents and malfunctions
- A security incident is any event which violates the Corporation's security policies and may put it at risk, either from the point of view of damages or loss of assets, or injury to its good public image, or threats by personnel, etc. (e.g. abuse, theft, disclosure of passwords, PPC network intrusions, or infection from viruses).
- Any security incidents or software malfunctions which may occur shall be reported to the competent staff as soon as possible after their identification, via suitable well-established reporting procedures.
- IT systems users must immediately report any vulnerability or security threat in the Corporation's IT systems which they identify or suspect.
- Special methods / procedures are established and used for the quantification and monitoring of the type, size and cost of IT systems security incidents and malfunctions.
- The violation of security policies, standards and procedures of PPC IT systems by its employees must be addressed via the formal procedure for imposing disciplinary or other measures, which shall be compatible and compliant with the Corporation's respective existing procedures.

4. Physical and Environmental Security

4.1 Purpose of Policy

This policy aims to ensure the effective protection of PPC equipment, facilities and IT assets from unauthorized access, damage, loss or any destructive consequence.

4.2 Scope of Policy

This policy covers all personnel and all IT assets of the Corporation.

4.3 Policy Statements

Security of buildings and secure areas
- Physical Security Perimeters are specified for the effective protection of the buildings and areas where IT assets are installed.
- PPC areas or installations requiring special protection are to be identified and recorded, including IT centers, air-conditioning and power supply installations, etc. These areas are characterized as Secure Areas and entry to them is appropriately protected by special access control measures, in order to ensure that only authorized personnel can access them.
- Work within the Secure Areas is further safeguarded by the implementation of additional protection measures and security procedures.

IT equipment security
- IT equipment is installed in appropriate locations, in such a way as to ensure effective protection from physical threats and general physical security risks to IT systems.

- IT equipment is given appropriate protection from power supply problems which may potentially cause malfunctions or damage.
- The cabling of PPC data, telecommunications and power supply networks is given appropriate protection from risks of destruction, unauthorized physical access and data theft.
- The Corporation's IT equipment is to be repaired and regularly maintained, in order to ensure its accessibility and integrity.
- Removal of PPC IT assets and equipment for their use outside Corporation buildings and facilities is to be carried out according to the respective procedures.
- Electronic data files shall be deleted from storage media before the latter are reused or destroyed, in such a way that recovery of deleted data with advanced hardware and software tools will be prevented.

General physical security measures
- All PPC critical information and IT systems must be protected from unauthorized physical access when they are not in use.
- Printed information shall be secured in locked cabinets, while sensitive operational documents and other information must not be left / placed on desktops after normal business hours and days, unless they are being processed by authorized personnel ("clean desktop" policy).
- The removal or destruction / disposal of IT equipment, data and software under ownership of the PPC is to be carried out according to the respective procedures.

5. Management of IT systems communications and operations

5.1 Purpose of Policy

The purpose of this policy is to ensure the proper and safe operation of PPC IT assets. Additionally, this policy aims at safeguarding PPC's data networks in order to protect the Corporation's sensitive information during transmission via these networks in an appropriate manner.

5.2 Scope of Policy

This policy covers all personnel / external associates and all IT assets of the Corporation. Furthermore, this policy refers to all data networks in operation within the PPC, as well as network connections to external associates / suppliers. The term data networks includes local area networks, metropolitan area networks, wide area networks, value added networks, intranets and extranets.

5.3 Policy Statements

Operating procedures and competences in IT systems
- Operating procedures of IT systems are documented and periodically updated.
- Changes carried out within the PPC IT facilities and infrastructures are subject to suitable controls. Furthermore, competences and procedures for management of changes are established, in order to ensure the satisfactory control of all changes in equipment, software or procedures.
- Procedures and competences are established for the management of IT systems security incidents, in order to ensure the direct and effective handling of potential security incidents and to collect data related to security incidents.

- Duties and competences related to the development, operation, management, security and control of IT systems are fully segregated in order to reduce risks of unauthorized modification or malicious use of PPC IT systems.
- The development and testing environment is fully segregated from systems production environments. The transfer of programs from the development and testing environment is carried out according to a specific documented procedure.
- For the outsourcing of PPC IT infrastructure management services to an external associate, the risks hidden in such a decision shall be identified and appropriate terms to protect the PPC from such risks shall be jointly determined with the contractor for inclusion in the respective contract between the PPC and the contractor.

Design and acceptance of systems
- The requirements of systems capacity and computing power are systematically monitored and predictions of potential future requirements are to be made, in order to ensure the continuing adequacy of IT system capacity and computing power.
- Criteria for the acceptance of new IT systems should be established and the systems must be suitably tested before their acceptance.

Protection from malicious software
- To effectively protect PPC IT systems from any type of malware, identification and preventive protection measures are implemented. Within the scope of effective protection, the relevant procedures are developed for training of PPC personnel in malware protection issues.

General issues of proper management and operation
- Backup copies are to be made of critical operational information and PPC software programs, and are to be tested regularly.
- Personnel performing IT systems operations tasks keep a special log of these tasks, which is examined by their supervisors and the Corporation's internal inspectors at regular intervals.
- Any errors during works of development, operation and management of IT systems are reported immediately and the necessary corrective measures are taken.

Data network management
- Special protection measures are implemented in order to secure PPC's data networks and their points of interface with external networks (e.g. Internet, external associates/supplier networks, etc.).

Management and security of computer systems storage media
- The use of removable storage media on computer systems, such as tapes, disks, cassettes, CDs, printouts, is suitably monitored and controlled.
- The PPC information and the media on which it is stored are kept at suitably protected Corporation locations and facilities.
- When these media are no longer required, they are discarded or destroyed in such a way as to ensure that any sensitive Corporation data stored thereon cannot be retrieved or accessed.
- Procedures are specified for the management and storage of PPC information, with the purpose of protecting it from unauthorized access or malicious use.

- Systems documentation is to be suitably protected from unauthorized access.

Exchange and transfer of information and software
- Formal agreements are to be concluded for the exchange of information and software between PPC and other organizations or companies.
- The media or information transferred or forwarded is protected from unauthorized access, amendment, malicious use or loss.
- The dispatch and receipt of is protected with the implementation of suitable protection measures and established procedures for the use of
- A formal approval procedure is followed for the public distribution of PPC information. Also, the integrity of this information is protected, in order to deter any unauthorized amendment.

6. Access Control

6.1 Purpose of Policy

The objective of this policy is to ensure authorized access to PPC IT systems and deter access to and modification of critical information by unauthorized users or intruders.

6.2 Scope of Policy

This policy covers all personnel / external associates and all IT assets of the Corporation.

6.3 Policy Statements

Operational requirements with regard to access control
- Access to information and operational procedures is controlled on the basis of operational needs and security requirements.
- Access to IT systems is limited to those persons requiring the specific information for carrying out their operational tasks in each case.
- PPC operational requirements regarding access control are specified and documented. Access rights are assigned according to these requirements.

User access management
- The registration and deletion of users from PPC systems and applications is carried out according to an established standard procedure.
- The specification of user access rights to PPC's IT assets is based on the minimum privilege principle, based on which user privileges must be restricted only to those necessary for the performance of their determined duties, and the need to know principle.

- User access to PPC IT infrastructure, as well as the allocation of access rights, is appropriately restricted and controlled.
- The specification of user access rights is made by Application Managers.
- Passwords are determined through a standard procedure.
- User passwords must remain confidential and must not be communicated or disclosed in any way.
- A formal procedure is followed for the review and/or revision of user access rights at regular intervals, in order to ensure that only the required rights and privileges have been allocated.

User competences
- Users should follow optimum security policies when selecting and setting their passwords.
- Users must take care to ensure the suitable protection of their workstations when they are not using them or when they are not under their supervision (e.g. screen locking with password, "clean screen" policy).

Access control to data network
- The option of user connection to the PPC data network is suitably restricted, depending on each user's operational needs.
- Users have access only to systems and operations for which they have the respective authorization.

- Remote access to PPC systems is granted only after obtaining the respective approval and in such a way as to ensure the protection of PPC information and infrastructure.
- Special care is taken to separate individual PPC networks, depending on the services they provide and/or the user groups that utilize them and/or the classification of information distributed and stored and/or their specific security requirements.
- The features and security requirements for all network services and network infrastructure used are fully documented and described.

Access control to operating systems and IT applications
- Access to operating systems, IT applications and their data is restricted on the basis of PPC access control requirements.
- Systems responsible for managing and processing sensitive data must operate in isolated logical or physical environments.

Monitoring use and access to systems
- Actions carried out or incidents related to the security of IT systems are recorded in special audit logs, which are kept for a specified time for use in potential future investigation and effective access control.
- Procedures are established for monitoring the use of IT systems and the results of the monitoring actions are to be examined regularly.

Work on portable computer systems and teleworking
- Standards are established and special measures are adopted for protection from risks associated with the use of portable IT infrastructure, in particular in inadequately protected environments.
- Standards and procedures are established for the effective monitoring and control of teleworking activities.

7. Development and maintenance of IT systems

7.1 Purpose of Policy

This policy aims to ensure the effective integration of security specifications during the development of PPC IT systems, the protection of the Corporation's applications from loss, unauthorized modification or use, as well as protection of the confidentiality, integrity and accessibility of PPC IT assets.

7.2 Scope of Policy

This policy covers all personnel / external associates and all IT assets of the Corporation.

7.3 Policy Statements

Analysis of system security requirements
- The specification and analysis of requirements during the development / procurement of new systems or during the upgrade / maintenance of existing systems must include the security requirements of these systems.

IT application security
- The data entered in PPC IT applications is examined and verified appropriately, in order to ensure its correctness and compatibility.
- Special control and data verification processes are integrated into Corporation systems, to allow for identification of any corruption or errors in the data being processed.
- The data exported from PPC applications is examined and verified, in order to ensure that it has undergone appropriate and proper processing.

Encryption of information
- Sensitive or critical information shall be encrypted, in order to ensure its confidentiality.
- Standards and procedures must be established and followed for the use of encryption methods and systems.
- Digital signatures are used, wherever possible, to safeguard the authenticity and integrity of PPC information.
- During downloading or sending of extremely sensitive data from and to external associates or other third party entities, non-repudiation services are used. These services allow for the effective handling of potential disputes regarding whether or not messages were dispatched.
- Encryption keys are subject to appropriate management based on an agreed framework of standards, procedures and methods, in order to ensure the effective use of encryption methods and systems.

Protection of system files
- Procedures are established and followed for the control of the installation of new software in the systems.
- The data and results of the tests carried out on new or existing systems are appropriately protected and examined.
- Access to source code libraries is subject to strict limitations and controls.

Security in development and maintenance procedures
- The realization of changes in the IT applications is strictly controlled through the use of standard procedures for management of changes.
- In cases of changes made to existing PPC IT applications, these changes must be tested before their final implementation.

- The purchase, use and modification of software is subject to strict control in order to ensure that it does not contain any type of dangerous code (Trojan horses, covert channels).
- Special protection measures are taken for effective protection in software development by third party entities or external associates.

8. Management of Operational Continuity

8.1 Purpose of Policy

The purpose of this policy is to establish immediate response handling for potential interruptions / disruptions to the smooth operation of the main operational activities and the protection of critical operations from the consequences of potentially destructive or other unforeseen events.

8.2 Scope of Policy

This policy covers the personnel and IT resources of the Corporation directly related to the development, implementation and maintenance of Operational Continuity Plans.

8.3 Policy Statements

Management of operational continuity
- A procedure for the management of operational continuity is developed and implemented, with the aim of reducing the impact of catastrophic events or extended failures of measures for the protection of IT systems (e.g. natural disasters, accidents, equipment failure, malicious actions, electronic attacks, etc.) to an acceptable level, using a combination of preventive and corrective measures.
- The maintenance of continuity in critical operations is the responsibility of the Service Units. Alternative methods of operation for the execution of critical operations should be foreseen and planned.
- The maintenance of continuity or prompt recovery of data and information processing services is the responsibility of the providers of these services.
- Operational Continuity Plans must be developed, documented and implemented (crisis management, emergency event handling, recovery of IT infrastructure, recovery of operational units, etc.), with the purpose of preserving the operational continuity or the recovery of critical operations within the required time, in the case of any potential disaster or unforeseen event with extensive economic or operational impact.

- Operational Continuity Plans must be regularly tested in order to ensure that they are always kept fully updated, and their effectiveness must be monitored. Furthermore, these tests have the purpose of providing familiarization and training for recovery groups and personnel generally involved in the implementation of the Plans.
- A standard procedure for control of changes and maintenance of Operational Continuity Plans should be developed and implemented, in order to ensure their reliability and effectiveness.
- All associates, suppliers or service providers of the PPC who are involved in critical Corporation activities in any way must have an integrated, documented, updated and tested Operational Continuity Plan.

9. Compliance

9.1 Purpose of Policy

This policy specifies PPC requirements for compliance with national legislative and regulatory frameworks, international standards, as well as the Corporation's policies and procedures.

9.2 Scope of Policy

This policy covers all personnel and all IT assets of the Corporation.

9.3 Policy Statements

Compliance with legislative and regulatory framework

- During the use of any materials, including software products belonging to the PPC, appropriate procedures are to be followed to ensure compliance with applicable provisions and legislative / regulatory regulations concerned with issues of protection of intellectual rights and property.
- Documented standard compliance procedures and monitoring of compliance must be carried out within the legal framework governing protection of individuals in the processing of personal data (Law 2472/1997).
- Important PPC files or registers that are considered essential or critical to compliance with legislative or regulatory provisions, as well as any related information, must be appropriately protected from loss, destruction or manipulation.
- Suitable protection measures must be adopted in order to ensure PPC compliance with all relevant national, legislative and regulatory provisions regarding access to or use of processing methods and systems.
- In case of lawsuits or criminal prosecution of the PPC pursued against a natural or legal entity, the evidence presented shall comply with the rules stipulated by the court responsible for trying the case. In addition, it must comply with any standards or regulations governing the collection and submission of evidence.

Revision of security policies and compliance with technical security standards

- The PPC Service Unit Heads must ensure compliance with PPC policies, standards and security procedures for the areas under their jurisdiction. Additionally, all Service Units of the Corporation are subject to regular overviews, in order to ensure their compliance with the policies and PPC IT systems security standards.
- PPC IT systems are inspected regularly, in order to ensure their compliance with technical security standards.

System control issues

- System controls are carefully scheduled and planned, such that their performance does not disrupt PPC operations.
- Access to system control tools is suitably protected in order to deter unauthorized access and use.

C. ROLES AND COMPETENCES OF IT SYSTEMS SECURITY MANAGEMENT

The following sections describe the competences and responsibilities allocated to Management, individual PPC Divisions (due to their direct connection with IT systems security issues), the Heads of the PPC Service Units, as well as all Corporation personnel and external associates, with regard to IT systems security issues.

1. The Roles of the Application Manager and the User Manager

1.1 Application Manager

In order to establish a central point for allocating access rights to users and to ensure uniform management of the operating requirements of IT Operational Applications, an Application Manager (Application Owner) is appointed for each of these. The service unit which includes the application data and its security under its competences is defined as the Application Manager. Specifically, the Application Manager:

- Records user requirements and specifies the operating requirements of the application.
- Classifies information depending on protection requirements.
- Specifies user roles and competences.
- Allocates access rights to users (entry, deletion, change of competences) according to operational requirements, the need-to-know principle and the minimum privileges principle, in each case as required for the completion of their work.
- Establishes the procedure for submission and approval of user access requests.

1.2 User Manager

The User Manager implements the user access requests approved by the competent Application Managers. More specifically, the User Manager enters and deletes users and also changes their competences in the application or applications for which he is responsible. In certain operational applications the User Manager may also be the Application Manager.

2. Competences in IT Systems Security Issues

PPC Management has the general responsibility for protecting the Corporation's IT assets and supports the implementation of the security framework. However, the implementation of protection measures derived from Corporation IT systems security policies is a responsibility borne by all users of PPC IT systems. The competences of Management, of PPC's individual Divisions directly or indirectly related to IT systems security issues and of the Heads of the Service Units, as well as the obligations of all Corporation Personnel and external associates, are presented below.

2.1 Management Board

The PPC Management Board has responsibility for the general supervision of the IT systems security framework. The competences of the Management Board with regard to IT systems security issues include:

- Approval of the IT Systems Security Strategy and monitoring of its implementation.
- Approval of Security Policies and monitoring of their implementation within the Corporation when new policies are determined or existing ones are altered.
- Supervision of the implementation of the IT systems security framework and monitoring / evaluation of its implementation.

2.2 IT Division

The IT Division has the following competences in IT systems security issues:

- Informing PPC Management regarding critical IT systems security issues which concern the Corporation.
- Introducing subjects for discussion related to IT systems security to the Management Board (security risks, incidents, strategy, etc.).

- Preparing status reports on IT systems security for the Management Board (e.g. regarding security incidents, user authorizations, control techniques, etc.).
- Carrying out discussions with Heads of Corporation Service Units regarding the security issues which concern them and the security of their Units.
- Developing, documenting, maintaining and promoting IT systems security policies, standards and procedures.
- Approving and communicating Corporation IT systems security procedures whenever new standards and/or new procedures are established or existing ones are changed.
- Developing, documenting and maintaining security configurations and minimum security baselines for Corporation IT systems, in cooperation with the competent Departments.
- Managing the security measures required for the implementation of IT systems security policies and standards.
- Developing and implementing a security incident management program (e.g. formation of an appropriately trained group to handle such risks, as well as developing reporting, escalation and security incident management procedures).
- Approving and communicating procedures for the identification and management of IT systems security incidents.
- Carrying out assessments of security risks, in order to specify security requirements for Corporation IT systems. Developing plans for reducing risks, establishing standards and taking protective control measures, where necessary.
- Specifying security requirements for IT assets during the development or procurement of new systems and operational applications, in cooperation with IT Assets Managers.
- Continually evaluating and managing user access rights according to current needs, based on the need-to-know and minimum privileges principles.
- Remaining aware of and monitoring developments related to IT systems security issues. It should also monitor and be in direct contact with organizations or services which monitor, research and announce new vulnerabilities and security threats related to various operating systems or applications, and propose methods for their handling.

- Carrying out periodic vulnerability identification, assessment and management tasks for IT systems.
- Systematic monitoring of IT systems operations to detect intrusions, periodically examining the content of log files of critical systems as well as intrusion detection system reports.
- Systematic monitoring of the operation of IT security systems (e.g. IDS, firewalls, etc.) and networks to identify violations of security policies.
- Carrying out controls for system security and ensuring compliance with Corporation policies, standards and security procedures.
- Developing and implementing a program for information and training of Corporation personnel regarding IT systems security issues.
- Controlling all requests by third party entities for connection to the PPC network and IT systems, with the purpose of ensuring that such forms of connection do not expose the Corporation's IT assets to security threats, and that they fully comply with PPC security policies. In general, ensuring that the access of associates and third party entities conforms to PPC security policies and IT systems security standards.
- Specifying IT systems security configurations and monitoring their implementation.
- Developing and/or procuring IT systems and security software whenever it deems that such a need has arisen. It is also responsible for ensuring that IT systems security specifications are upheld during the procurement and development of IT systems / security software.
- Determining and monitoring the installation of security upgrades and updates of software, and ensuring that Corporation software programs are promptly and correctly updated according to the latest security upgrades.

2.3 Financial and Administrative Control Division

The Financial and Administrative Control Division, in the framework of IT systems security management, has the following competences:

- Control of compliance with policies, standards and security procedures.
- Control of adequacy of existing policies, standards and security procedures.
- Determination of areas for improvement and provision of corresponding suggestions.
- Participation in Operational Continuity Plan testing.

2.4 Legal Services Department

The role of the Legal Services Department during implementation and operation of the IT systems security framework includes the following:

- Supply of information regarding the laws and regulations related to the operation of Corporation IT systems.
- Participation in the specification and implementation of protection measures related to legal and regulatory Corporation obligations.
- Participation in the analysis, design and implementation process for issues related to the protection of personal data.
- Participation in the IT systems security incident management procedure.
- Monitoring of contracts and agreements between the Corporation and third party entities related to the use of IT systems, with regard to compliance with security policies in each case.
- Development, in cooperation with the IT Division, of agreements related to security issues (e.g. confidentiality agreements).

2.5 Human Resources Division and Human Resources Departments

The competences of the Human Resources Division and Human Resources Departments with regard to IT systems security issues include:

- Procedures related to security issues when recruiting new employees (e.g. information on security policies and procedures, signing of confidential information agreements, etc.).
- Cooperation with the person responsible in the individual Divisions / Units / Sections on removal or transfer of an employee to a new unit, related to the implementation of the provisions of the corresponding security policies.

2.6 Heads of Service Units

The Heads of Service Units have the following additional competences in IT systems security issues:

- They appoint persons responsible for IT assets, in cooperation with the IT Division.
- They ensure that their personnel are aware of IT systems security policies, standards and procedures, of the manner in which these are implemented within the IT systems they use or have access to, and of their obligation to protect all Corporation information.
- They ensure that their personnel and any external associates / consultants comply with security policies, standards and procedures.
- They report events and incidents related to the violation of IT systems security to the IT Division and offer the required assistance to handle them.
- They periodically reexamine the degree of sensitivity of the various job positions and inform the persons responsible regarding requirements for carrying out appropriate checks of candidates during the recruitment procedure.
- They inform the Application Managers and the IT Division regarding any changes of personnel (transfer, retirement, change of competences) which affect access rights to IT systems.

- They ensure the availability of adequate means and procedures for the storage and destruction of sensitive Corporation IT assets.
- They develop, document and implement Operational Continuity Plans (crisis management, emergency event handling, recovery of IT infrastructure, recovery of operational units, etc.) in cooperation with the IT Division, with the purpose of preserving the operational continuity or the recovery of critical operations within the required time, to cover any potential disaster or unforeseen event with extensive economic or operational impact.
- They create teams with specific competences and roles to secure recovery following disastrous events within the scope of Operational Continuity Plans.
- They assign competences for all actions provided for by the Operational Continuity Plans.
- They ensure that all personnel involved in Operational Continuity Plans are informed of their competences, giving priority to the preparation of a corresponding training program.
- They ensure that Operational Continuity Plans are tested regularly.

2.7 PPC Personnel

All PPC personnel (full-time, part-time or temporary employees) have the following additional obligations:

- To take all necessary measures for the protection of the confidentiality, integrity and accessibility of operational information and systems to which they have been granted access permission or rights of use.
- To comply with IT systems security policies and the respective procedures and standards.
- To report events and incidents related to IT systems security, and violations thereof, to their superior immediately, and to provide the necessary assistance to IT systems security personnel to address such incidents.
- To take all necessary measures for the physical protection of IT operational assets and systems which are under their control.

- To inform their superiors when there is any change in information or systems access requirements (e.g. when access is required to more systems or applications, when access is no longer required at all, or when a higher / lower level of access is required).
- To be aware of the content of Operational Continuity Plans and of the duties they have been assigned.

2.8 PPC External Associates

All PPC external associates have the following obligations with regard to the security of the Corporation's IT systems:

- To take all necessary measures for the protection of the confidentiality, integrity and accessibility of operational information and systems to which they have been granted access permission or rights of use.
- To comply with IT systems security policies and the relevant procedures and standards.
- To report immediately events and incidents related to the security of IT systems, as well as any related violations by PPC employees with whom they directly collaborate.
- To take all necessary measures for the physical protection of IT operational assets and systems to which they have been granted access permission or rights of use.
- To inform the PPC staff with whom they collaborate directly whenever there is any change in information or systems access requirements (e.g. when access is required to more systems or applications, when access is no longer required at all, or when a higher / lower level of access is required).

PUBLIC POWER CORPORATION S.A.
INFORMATION TECHNOLOGY DIVISION
CENTRAL SYSTEMS SUPPORT SECTION
IT SYSTEMS SECURITY SUBSECTION

SECURITY STANDARD FOR PPC S.A. INFORMATION TECHNOLOGY APPLICATIONS PA-2

Version: 1.0
DATE OF ISSUE: 7/12/2005

Security Standard for PPC SA IT Applications

HISTORY OF CHANGES

Date | In charge of Changes | Changes / Additions (reference of specific unit) | Approval | Version Number | Date of Application
7/12/2005 | B. Kolias | Initial Version | IT Manager | 1.0 | 1/1/2006

SECURITY STANDARD FOR IT APPLICATIONS

1. GENERAL

In order to introduce any application into operation within the PPC production environment, it is necessary to integrate a minimum number of security specifications within it, with the purpose of protecting Corporation applications from loss, unauthorized modification or use, as well as ensuring protection of the confidentiality, integrity and accessibility of PPC IT data.

2. PURPOSE

The purpose of this text is:

- To establish security regulations which must be observed in order for an application to be introduced into active operation in the PPC environment.
- To form an integral part of any tenders related to the development or procurement of applications for the PPC from third parties.

3. DESCRIPTION

3.1 Application security as the primary objective of design

The design of all applications, in particular those with high sensitivity and high levels of access requirements, must include security among its primary objectives.

3.2 User credentials

User credentials for access to applications consist of a user ID and a password, or any other element (digital certificates, tokens, etc.), which shall be unique to each user.

3.3 Composition of user ID

The user ID must consist of at least seven (7) alphanumeric characters, while its maximum length must not exceed the restrictions set by the IT system in each case.

3.4 Passwords

There must be full compliance with the PPC S.A. Password Standards (Standard Code PA-1).

3.5 Authentication of all user credentials

All user IDs and passwords must be authenticated in their entirety. Failure to authenticate shall result in an error message to the user which shall not indicate exactly which element is incorrect (e.g. "Incorrect login details" and not "Incorrect password").

3.6 Maintaining user information

The application must maintain the following information for each end user:

1. PPC Registration Number
2. User ID
3. Password. The password must always be encrypted.
4. User's last name
5. User's first name
6. Work Address
7. Contact number
8. Access rights
9. Date of last password change
10. Date of last login of user
11. Date of user deletion: For security purposes, the deletion of a user is logical and not physical. If the user has not been deleted, this field shall be empty.

12. Computer name: The name of the workstation where the user will be employed, which must be stated on his application for entry to the application.

Fields 1, 4, 5, 6, 7 and 12 are mandatory when entering a new user.

3.7 Protection of application security data

All security data (e.g. lists of users, authorization lists) must be isolated from the other parts of the application and protected from unauthorized access, and all interactions of these elements with other parts of the system must be clearly documented. Thus, in the case that the application is based on a relational database, the above information shall belong to a separate user schema under the title secuser.

3.8 Activation of options based on user roles

The appearance of options on the menu of each application, or of processing options for which the user does not have the appropriate execution authorization, must be restricted through programming techniques.

3.9 The role of the user manager

A separate role must be foreseen for the user manager. The user manager must have the following powers:

- Entry / Deletion / Change of user information.
- Granting and changing access rights according to the approved procedure.
- The option to confirm access rights (through screen and printing) for all users entered.

The above procedures shall be implemented via a specific option on the application menu.

3.10 The role of the application manager

A separate role must be foreseen for the application manager. This role includes responsibility for configuration of the application.

3.11 Deactivation of idle user accounts

The application must provide the option of deactivating users that have not used the application for a period of more than 60 days.

3.12 Data verification

Verification of data entered in the application

A number of controls / protection measures must be used during entry of operational data in PPC IT applications. Specifically:

- Specific controls during data entry which will identify the following indicative errors:
  - Entering of values outside the correct range
  - Entering of invalid characters in special fields
  - Incomplete data
- Periodic examination of the content of main fields or data files in the application, to determine their validity and integrity.
- Development of procedures to address cases of invalid data entry.

Internal data processing assurance

The selection of suitable protection and control measures for internal data processing assurance shall be based on the nature of each application and the operational impact of data alteration. Specifically, the following protection measures are provided for:
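The rules of 3.3, 3.5, 3.6 and 3.11 translate directly into code. The following Python sketch is an added example, not code from PA-2 or from PPC: it validates the user ID format, stores the password as a salted PBKDF2 hash (the standard only says "encrypted"; a one-way hash is the usual way to satisfy that), returns the same "Incorrect login details" message whether the user ID, the password or the account state is the problem, deletes users logically by setting the deletion date, and deactivates accounts idle for more than 60 days. The 30-character maximum ID length, the PBKDF2 work factor, the fixed clock and the two sample users are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed values, not taken from PA-2: the system's maximum user-ID
# length, the PBKDF2 work factor and a fixed clock for the demo data.
USER_ID_MAX_LEN = 30
PBKDF2_ITERATIONS = 100_000
NOW = datetime(2024, 3, 1, 9, 0)
IDLE_LIMIT = timedelta(days=60)           # PA-2 3.11
LOGIN_FAILED = "Incorrect login details"  # PA-2 3.5: one message for every failure

_USER_ID_RE = re.compile(r"^[A-Za-z0-9]{7,}$")  # PA-2 3.3: seven or more alphanumerics


def user_id_is_valid(user_id: str) -> bool:
    """At least seven alphanumeric characters and within the system's maximum length."""
    return bool(_USER_ID_RE.match(user_id)) and len(user_id) <= USER_ID_MAX_LEN


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 stored as 'salt$digest' (hex); satisfies 3.6 field 3."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def password_matches(password: str, stored: str) -> bool:
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


@dataclass
class User:
    """The record of PA-2 3.6; the numbers in the comments are that list's field numbers."""
    registration_no: str                                     # 1 PPC Registration Number
    user_id: str                                             # 2
    password_hash: str                                       # 3, never the clear text
    last_name: str                                           # 4
    first_name: str                                          # 5
    work_address: str                                        # 6
    contact_number: str                                      # 7
    access_rights: List[str] = field(default_factory=list)   # 8
    last_password_change: Optional[date] = None              # 9
    last_login: Optional[datetime] = None                    # 10
    deleted_on: Optional[date] = None                        # 11, logical deletion only
    computer_name: str = ""                                  # 12
    active: bool = True                                      # cleared by 3.11 deactivation


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def add(self, user: User) -> None:
        if not user_id_is_valid(user.user_id):
            raise ValueError("user ID must be 7+ alphanumeric characters")
        self.users[user.user_id] = user

    def delete(self, user_id: str, today: date) -> None:
        """Logical deletion (3.6 field 11): the record stays, the deletion date is set."""
        self.users[user_id].deleted_on = today

    def authenticate(self, user_id: str, password: str, now: datetime) -> Tuple[bool, str]:
        """Returns (ok, message). Unknown, deleted, deactivated and wrong-password
        cases all produce the same message, as 3.5 requires."""
        user = self.users.get(user_id)
        if user is None or user.deleted_on is not None or not user.active:
            hash_password(password)  # same work as a real check, so timing reveals nothing
            return False, LOGIN_FAILED
        if not password_matches(password, user.password_hash):
            return False, LOGIN_FAILED
        user.last_login = now  # 3.6 field 10
        return True, "OK"

    def deactivate_idle(self, now: datetime) -> List[str]:
        """3.11: deactivate live accounts unused for more than 60 days; returns their IDs."""
        idle = []
        for u in self.users.values():
            if (u.active and u.deleted_on is None and u.last_login is not None
                    and now - u.last_login > IDLE_LIMIT):
                u.active = False
                idle.append(u.user_id)
        return idle


def make_demo_store() -> UserStore:
    """Two constructed users: one seen today, one last seen 90 days ago."""
    store = UserStore()
    store.add(User("PPC00001", "kpapadop1", hash_password("Str0ng-Pass!"), "Papadopoulos", "K.",
                   "Athens HQ", "210-0000000", ["read"], NOW.date(), NOW, None, "WS-0042"))
    store.add(User("PPC00002", "mnikolaou", hash_password("Other-Pass1"), "Nikolaou", "M.",
                   "Athens HQ", "210-0000001", ["read", "write"], NOW.date(),
                   NOW - timedelta(days=90), None, "WS-0043"))
    return store


if __name__ == "__main__":
    s = make_demo_store()
    print(s.authenticate("kpapadop1", "wrong", NOW))   # (False, 'Incorrect login details')
    print(s.authenticate("nosuchuser", "wrong", NOW))  # same message for an unknown ID
    print(s.deactivate_idle(NOW))                      # ['mnikolaou']
```

The uniform message alone does not fully meet the intent of 3.5 if an unknown ID returns instantly while a wrong password costs a full hash computation, so the unknown-ID branch deliberately does the same work. Deactivated and logically deleted records are kept in the table, which is what lets the deletion date of field 11 and later audits work.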

- Control and congruity of data files before they are entered and processed, with the use of special automatic processes (batch controls).
- Verification of data created by the system.
- Controls to ensure the integrity of data exchanged between central and remote systems.
- Creation and inspection of hash totals of files.
- Error report procedures.
- Error correction procedures.
- Data re-entry procedures.
- Control and repeat operations procedures.
- Procedures for identification of incomplete or non-updated processing.
- Automatic controls which guarantee the accuracy and effectiveness of the information.

Verification of data exported from the application

A number of controls / protection measures shall be used to ensure the validity of operational data exported from PPC IT applications. Specifically:

- Special correctness checks to verify that exported data are reasonable.
- Congruity of quantity totals before and after processing.
- Provision of suitable information to data recipients or the subsequent processing system to determine the accuracy and completeness of the data.
- Reports verifying the proper operation of the application.
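As an added example (not from PA-2) of the batch controls, hash totals and quantity-total congruity listed under 3.12, and of the entry checks under "Verification of data entered", the following Python code validates a constructed batch of meter readings (complete fields, digit-only meter numbers, kWh within an assumed range) and then computes the control trailer a sending system would transmit with the file: record count, kWh quantity total, a classic hash total (the arithmetic sum of the meter numbers, a field with no business meaning) and a SHA-256 digest of the file as sent. The receiving side recomputes the same controls and reports every discrepancy. The file layout, the range limit and the sample rows are assumptions.

```python
import csv
import hashlib
import io
import re
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import List

# Constructed sample batch, not data from the standard: meter readings sent from a
# remote unit to the central system. Layout (assumed): header line, then meter_no,kwh.
SAMPLE_BATCH = (
    "meter_no,kwh\n"
    "10000123,152.40\n"
    "10000124,87.00\n"
    "10000131,1020.75\n"
)

METER_NO_RE = re.compile(r"^\d{8}$")             # assumed field format: exactly 8 digits
KWH_RANGE = (Decimal("0"), Decimal("100000"))    # assumed plausible range per reading


def validate_rows(batch_text: str) -> List[str]:
    """Entry checks of 'Verification of data entered': incomplete records,
    invalid characters in a special field, values outside the correct range."""
    errors = []
    for n, row in enumerate(csv.DictReader(io.StringIO(batch_text)), start=1):
        meter, kwh = row.get("meter_no") or "", row.get("kwh") or ""
        if not meter or not kwh:
            errors.append(f"row {n}: incomplete record")
            continue
        if not METER_NO_RE.match(meter):
            errors.append(f"row {n}: invalid characters in meter_no")
        try:
            value = Decimal(kwh)
        except InvalidOperation:
            errors.append(f"row {n}: kwh is not numeric")
            continue
        if not KWH_RANGE[0] <= value <= KWH_RANGE[1]:
            errors.append(f"row {n}: kwh outside range")
    return errors


@dataclass(frozen=True)
class BatchControls:
    """Control trailer the sender computes and transmits alongside the file."""
    record_count: int
    kwh_total: Decimal      # quantity total: must agree before and after processing
    meter_hash_total: int   # classic hash total: sum of a field with no business meaning
    sha256: str             # digest of the file bytes exactly as transmitted


def compute_controls(batch_text: str) -> BatchControls:
    """Run only on a batch that passed validate_rows(); invalid rows would not parse."""
    rows = list(csv.DictReader(io.StringIO(batch_text)))
    return BatchControls(
        record_count=len(rows),
        kwh_total=sum((Decimal(r["kwh"]) for r in rows), Decimal("0")),
        meter_hash_total=sum(int(r["meter_no"]) for r in rows),
        sha256=hashlib.sha256(batch_text.encode("utf-8")).hexdigest(),
    )


def verify_batch(received_text: str, trailer: BatchControls) -> List[str]:
    """Receiver side: recompute the controls and report every discrepancy."""
    got = compute_controls(received_text)
    problems = []
    if got.sha256 != trailer.sha256:
        problems.append("file digest mismatch")
    if got.record_count != trailer.record_count:
        problems.append(f"record count {got.record_count} != {trailer.record_count}")
    if got.kwh_total != trailer.kwh_total:
        problems.append(f"kWh total {got.kwh_total} != {trailer.kwh_total}")
    if got.meter_hash_total != trailer.meter_hash_total:
        problems.append("meter-number hash total mismatch")
    return problems


if __name__ == "__main__":
    trailer = compute_controls(SAMPLE_BATCH)
    print(validate_rows(SAMPLE_BATCH))                    # []
    print(verify_batch(SAMPLE_BATCH, trailer))            # []
    truncated = SAMPLE_BATCH.rsplit("\n", 2)[0] + "\n"    # last record lost in transfer
    print(verify_batch(truncated, trailer))               # four discrepancies
```

The arithmetic totals catch a lost or altered record but not two records swapped or a value moved from one meter to another with the total unchanged; the digest catches those. None of the four controls stops a deliberate change by someone who can also rewrite the trailer, so where the exchange crosses a trust boundary the trailer itself needs a keyed MAC or a signature, which is outside what the standard's list asks for.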

3.13 Error recording

Application errors must be cumulatively stored in a special file.

3.14 Control and recording of changes in log files

The design team must take the integration of recording and monitoring of changes (logging) into account. Examples of such logs are the recording of important transactions as well as the connection and disconnection dates and times of end users. At the design stage, the desired level of action recording is to be determined, based on the degree of sensitivity and criticality of the information stored or processed by the system.

3.15 Generated printouts

All printouts generated must contain:

- Suitable titles
- Processing program name
- Date and time of generation

3.16 Documentation

All applications must be accompanied by the necessary documentation, which must consist of:

- Application documentation
- Operator Manuals
- User Manuals

Documentation can be considered fully comprehensive when a third party, apart from the persons composing and maintaining it, can operate the application simply by reading it.

Application documentation

Contains all necessary information for full understanding of the application logic. Necessary for analysts and programmers for controlling changes and revisions to programs. It should include:

- Description of the purpose of the application.
- Description of tools used.
- Logical diagrams and decision tables.
- Program code.
- The form and documentation of databases (if any).
- Check points.
- The formats for input and output files.
- Valid copies of authorizations through which changes are made to the program.

Operator manual

Contains advice for operators regarding the execution of the specific application. Helps in understanding their duties and determines the individual steps. It should include:

- Description of the purpose of the application.
- Description of input and output information.
- Instructions for the first set-up.
- Instructions to operators regarding the order of execution of the programs.
- Instructions for uploading and downloading the application.
- Instructions to operators regarding the generated messages and scheduled breaks.
- Instructions regarding further use of the input and availability of the generated output.
- Possible control procedures that operators must follow.
- Instructions for dealing with emergency technical problems.
- The normal execution time provided for.
- Instructions for dealing with emergencies.

User manual

Contains all necessary information allowing each user to acquire understanding of the system / application. It should include:

- Complete description of everything used by the user to execute the application.
- The individual and overall checks that users must carry out.
- The steps of the entire procedure that the user must follow.
- The procedures for disconnection and termination of the application.
- Complete description of generated messages and printed statements.
- The response in case of problems.
- What a user must avoid during use of the application.

Documentation security

Every category of documentation must be saved and completed as necessary. A librarian must be responsible for the control, guarding, maintenance and distribution of written documentation. Only authorized persons must have access, and only to specific types of documentation. The documentation of programs must be specially protected. Simple advice for the security of documentation is as follows:

- Written documentation is to be stored in a fireproof area with restricted access.
- A second copy of all types of documentation must be stored in a different building.
- Each employee must have access only to the type of documentation required and to no other.
- No documentation may be deleted and/or added without making a note in the respective log.

- There must be strict control when making photocopies of documentation.
- Documentation can be successfully used only when it is always kept fully updated.

3.17 Definition and responsibilities of the competent Basic Organizational Level Unit (BOK)

For every central application the competent Basic Organizational Level Unit is determined, which:

- Issues the operating specifications both before and after the application begins active operation.
- Before starting active operation, must approve:
  - The classification of information depending on sensitivity and criticality (e.g. confidential, restricted access, etc.)
  - The levels (roles) of users, depending on the operational needs and work duties
  - Access rights (competences) for each role
  - The application form for access of end users
  - The procedure for the management and approval of end user access

The procedure for the management and approval of end user access, together with the relevant application form, must be sent to the Units before the procedure of entering end users in the system.

3.18 Backup procedure

Before starting the active operation of the application, the backup / restore / recovery procedures must be determined.

3.19 Conditions for starting the active operation of the application

A condition for starting the active operation of an application is to maintain and implement all previous paragraphs.

3.20 Knowledge of requirements by external associates

All the above paragraphs also concern applications that are procured from external associates.

3.21 Deviations

Deviations from the provisions of previous paragraphs are permitted in exceptional cases. In any such case the reasons for the deviation must be fully documented.

4. REFERENCES

PPC S.A. Password Standards (PA-1), Version 1.0, 27/01/

PUBLIC POWER CORPORATION S.A.
INFORMATION TECHNOLOGY DIVISION
CENTRAL SYSTEMS SUPPORT SECTOR
IT SYSTEMS SECURITY SUBSECTOR

OPERATING STANDARD FOR PPC S.A. INFORMATION TECHNOLOGY SYSTEMS PA-3

Version: 1.0
DATE OF ISSUE: 15/5/2008

Information Technology Division, Central Systems Support Sector, IT Systems Security Subsector
OPERATING STANDARD FOR PPC S.A. INFORMATION TECHNOLOGY SYSTEMS

HISTORY OF CHANGES

Date | In charge of Changes | Changes / Additions (reference of specific unit) | Approval | Version Number | Date of Application
15/5/2008 | B. Kolias | Initial Version | IT Manager | 1.0 | 1/6/2008

1. GENERAL

Specific procedures must be adhered to for all information technology systems operating in the PPC production environment, which ensure their protection from unauthorized use and protect the confidentiality, integrity and accessibility of the PPC's IT data.

2. PURPOSE

The purpose of this text is to establish the security and operating rules that must be upheld for all information systems put into production operation within the PPC environment.

3. DESCRIPTION

3.1 Documented operating procedures

A prerequisite for the productive operation of an application is the observance and implementation of the PPC S.A. Security Standard for IT Applications (PA-2).

Operating procedures

The operating procedures of IT systems must be fully documented and kept updated at all times. They must include clear instructions for the detailed execution of any task, such as:

- Data processing and management.
- Scheduling of tasks, taking into account interactions with other systems and the earliest start time and maximum completion time of tasks.
- Instructions for correcting errors or other exceptions that may arise during the execution of a task, including limitations to the system usage.

- Contacts for obtaining support in case of unexpected operating or technical difficulties.
- Special instructions for the documentation and management of task results/outcomes, such as the use of special stationery or the handling of products of a confidential nature.
- System restart and data recovery processes for use in case of disruption of system operation.
- Procedures for the management of system operating parameters.
- Procedures for deterring the installation and use of unauthorized software, as well as of software without appropriate licenses.
- Procedures for managing the capacity, load and performance of systems and networks.
- Constant monitoring of the availability of systems and networks.
- System start-up and shut-down procedures.
- Adequate maintenance and technical support of systems based on their specifications and needs.
- Keeping complete and updated documentation for all systems, including the official manuals of the companies supplying system hardware and software.
- Storage and maintenance of backup copies.
- Computer center management and protection.

Recording hardware and software. Details of the computer hardware (central systems, servers, personal computers, peripherals, networks and telecommunications), the architectural design and the software used, as well as the history of versions, updates and licenses, must be fully recorded.

Scheduling of tasks. The scheduling of the tasks to be performed, the problems arising and the actions that must be taken in cases of emergency must be recorded in writing. The successful or unsuccessful execution of scheduled and emergency tasks must be recorded in a special log, which shall be signed by the personnel executing them. Emergency tasks shall be executed only with special authorization.

Data monitoring. Data must be monitored to ensure accuracy, integrity and confidentiality at all stages of data processing. Any type of incongruity must be identified and addressed on the basis of established procedures.

Event log. Procedures must be in place for the detailed recording of unavailability events (affected systems, duration of unavailability, cause of the problem, resolution method and time), and the Security Manager must be informed immediately.

End user support. Support must take into account the user types and the nature of the problem. The number and type of problems must be recorded and statistically analyzed.

Output files. There must be a list of the output files generated by each application in production, which includes information on the confidentiality level of the information they contain. For each of the above output files, and depending on the degree of confidentiality, there is a list of the respective recipients. An archive must be kept of the media on which sensitive Corporation data is stored and distributed (cartridges, tapes, disks, CDs, printouts, microfiche, etc.). The log files must be updated in case of changes.

3.2 Segregation of environments
The system production environment is fully segregated from the development and testing environments.

Program transfer. The transfer of programs and data from the production environment to the development and testing environments, and vice versa, is carried out by authorized persons according to a specified and documented procedure.

Use of production data copies during testing. System testing must be carried out with copies of production data from which any sensitive information has been removed. Parallel testing or acceptance testing shall be examined in cooperation with the persons currently in charge of IT output.

Controlled access to test results. Access to testing results must be controlled if such results are not for public use.

3.3 Segregation of duties
During the assignment of duties related to critical business operations, the principle of segregation of duties is applied.

Competencies must be segregated to an extent which minimizes the possibilities of unauthorized use or abuse of system capabilities. For example, an operator may not also be an application or system programmer. Also, system operators should not be business application users. Table 1.1 contains detailed instructions on the allocation of tasks based on the principle of segregation of duties, in accordance with the standards of the international organization Information Systems Audit and Control Association (ISACA).

Table 1.1. Duty segregation control grid
Roles (both rows and columns): System Analyst, Application programmer, System Operator, Database Manager, Security Manager, System Manager.
System Analyst:         X X X
Application programmer: X X X X
System Operator:        X X X X X
Database Manager:       X X X
Security Manager:       X X X X
System Manager:         X X X X X
X: marks competencies not assigned to the same person. [The column position of each mark is not preserved in this copy; only the marks per row survive.]

3.4 Management of changes
In order to minimize the risk of irregular operation of IT systems, there should be strict control over the implementation of any changes. The security and control procedures for changes should be formal and should ensure that access to IT systems is granted solely to the persons determined by the company's security policies. As software changes may affect the business operating environment, the control procedures for these changes should include the following:
- Maintaining a record of agreed access levels.
- Ensuring that changes are made only by authorized users.

- Review of control and integrity checking procedures, in order to ensure that they are not violated by the impending changes.
- Identification of the computer software, information, databases and hardware requiring modification.
- Obtaining formal approval for impending changes before they are made.
- Acceptance of changes by users before they are implemented.
- Ensuring that all IT systems documentation is updated on implementation of each change, and that older documentation is either archived or destroyed.
- Maintaining a record of changes for all software version updates.
- Keeping a record of all requested changes.
- Ensuring that user manuals and the procedures determining work methods are updated to reflect the new changes.
- Ensuring that changes are implemented at the right time and do not affect the smooth operation of the business.

3.5 Management of backup copies
Storage and maintenance of backup copies. Backup copies must be made and maintained for the critical systems and IT applications according to clear and documented procedures. Depending on the criticality of the application, backup copies must be made in duplicate, with each copy stored at a different location.

Making backup copies before upgrades / maintenance. Backup copies should be made of all application software and system software that might be affected by an upgrade or by maintenance.

Six-monthly inspections of backup copies stored outside the main location. Inspections must be carried out at regular intervals (at least every six months) of all backup copies stored on tape or other media away from the main location.

3.6 Management and security of storage media
Obtaining authorization for removal of storage media. The removal of storage media (tapes, tape drives, cartridges, hard disks, etc.) from the IT center area requires the respective approval.

Security of storage media. Storage media containing data or software (disks, tapes, CDs, etc.) shall be stored in a secure location which unauthorized persons are not allowed to access.

Data deletion from electronic or physical storage media. Electronic data files shall be deleted from storage media before the media are sold, given away or discarded, in a way that prevents recovery of the deleted data even with advanced hardware and software tools. Furthermore, physical records, files and documents containing sensitive information and data shall be destroyed in a way that prevents recovery of such information.

Protection of sensitive information during IT equipment decommissioning. Data may be exposed by careless disposal of IT equipment. Before disposal or destruction, all machinery containing storage media (e.g. hard disks) shall be inspected to ensure that any sensitive information or software it held has been deleted or uninstalled.

Necessity of authorization for movement of Corporation computers and hardware. Unauthorized movement of PPC computers or other hardware shall be considered theft. Computers, with the exception of laptops, may be moved for business purposes only after the respective authorization has been obtained.

4. REFERENCES
PPC S.A. Security Standard for IT Applications (PA-2), Version 1.0, 7/12/

PUBLIC POWER CORPORATION S.A.
INFORMATION TECHNOLOGY DIVISION
CENTRAL SYSTEMS SUPPORT SECTOR
IT SYSTEMS SECURITY SUBSECTOR

PASSWORD STANDARDS FOR PPC SA
PA-1
Version: 1.0
DATE OF ISSUE: 27/01/2005

Information Technology Division
CENTRAL SYSTEMS SUPPORT SECTOR
IT SYSTEMS SECURITY SUBSECTOR
PASSWORD STANDARDS FOR PPC SA PA-1

HISTORY OF CHANGES
Date | In charge of Changes | Changes / Additions (reference of specific unit) | Approval | Version Number | Date of Application
2/5

PASSWORD STANDARDS

1. GENERAL
Passwords are the second component of user credentials (user id, password), their combination being unique for each user. They are a significant aspect of IT system security and the main line of protection for access to PPC S.A. IT systems and applications.

2. PURPOSE
The purpose of this text is to establish the security and operating rules that must be upheld when creating passwords, and the measures that must be taken by PPC S.A. IT system users and administrators for their protection.

3. DESCRIPTION
3.1 Passwords shall consist of at least six (6) letters, numerals and symbols.
3.2 All user passwords must be replaced with new ones every six months at the latest. Passwords of users with increased rights (e.g. system administrators, database administrators, network administrators) must be changed every four months at the latest. In general, the reuse of old passwords must be avoided.
3.3 The password given to each user by the system administrator shall be changed during the user's first access to the system.

3.4 Users shall be given the option by each application or operating system to change their password whenever they consider it necessary (but always after completing the system's authentication procedure).
3.5 Three successive failed access attempts shall result in locking of the user's account. In this case the user will be unable to gain access until the account is reactivated and a new password is issued.
3.6 User passwords shall not be included in batch logon sequences. If the use of such passwords is required, the system administrator in charge of these procedures shall change the encrypted password at regular intervals (e.g. at least every two (2) months). Under no circumstances should user passwords be embedded in application code.
3.7 Files containing passwords shall be protected and encrypted. Irreversible encoding techniques shall be used.
3.8 Passwords shall be entered in fields where the typed characters are not displayed.
3.9 Default passwords associated with specific applications or operating systems, or created in general during software installation, should be changed before first use, in accordance with applicable standards.
3.10 User passwords shall be given to users in a secure fashion. Dispatch of passwords in easily readable ways (e.g. open mail or without the use of encryption) is not permitted.
3.11 User passwords are strictly personal and confidential and may not be communicated or disclosed in any way to any person (even a superior), recorded anywhere, or stored without encryption.
3.12 Passwords should not be easily predictable (e.g. the first name of the spouse, favorite football team, etc.). Accordingly, it is recommended that passwords do not include data such as:

- Months of the year, days of the week or any other date element.
- Words of any language.
- Family names, initials, license plate registration numbers, birthdays or other personal data such as addresses or telephone numbers.
- User id, user name, user group identity or other similar system identifiers.
- More than two successive identical characters.
- Only letters or only numerals.
- Any of the above in reverse order.
- Any of the above, preceded or followed by a digit (e.g. Costas1).
- Characters next to each other on the keyboard.
3.13 When there is suspicion that a password has been revealed, the event should be reported and the password changed immediately.
3.14 A change of password requested by a user may be carried out by the competent department only after user id verification.
3.15 During the development or procurement of new applications, there must be compliance with the above password standards.

4. REFERENCES
BS ISO/IEC 17799:2000 "Information Technology - Code of practice for information security management".
Information Security Forum "The Standard of Good Practice for Information Security", March


How To Ensure The C.E.A.S.A

How To Ensure The C.E.A.S.A APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT TUGeneral TUSecurity TURequirements TUDesign TUIntegration

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH Information Security Policies and Procedures Development Framework for Government Agencies First Edition - 1432 AH 6 Contents Chapter 1 Information Security Policies and Procedures Development Framework

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

UF Risk IT Assessment Guidelines

UF Risk IT Assessment Guidelines Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an

More information

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN FEBRUARY 2011 TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 INTRODUCTION... 4 SECTION 1: IT Security Policy... 5 SECTION 2: Risk Management

More information

How To Audit The Mint'S Information Technology

How To Audit The Mint'S Information Technology Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

INFORMATION SECURITY Humboldt State University

INFORMATION SECURITY Humboldt State University CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY Humboldt State University Audit Report 14-50 October 30, 2014 EXECUTIVE SUMMARY OBJECTIVE The objectives of

More information

Information Security Awareness Training

Information Security Awareness Training Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Operational Risk Management Policy

Operational Risk Management Policy Operational Risk Management Policy Operational Risk Definition A bank, including a development bank, is influenced by the developments of the external environment in which it is called to operate, as well

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Security Risk Management - Approaches and Methodology

Security Risk Management - Approaches and Methodology 228 Informatica Economică vol. 15, no. 1/2011 Security Risk Management - Approaches and Methodology Elena Ramona STROIE, Alina Cristina RUSU Academy of Economic Studies, Bucharest, Romania [email protected],

More information

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: ([email protected]), 2: ([email protected]) ABSTRACT

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

Information Security Incident Management Guidelines. e-governance

Information Security Incident Management Guidelines. e-governance Information Security Incident Management Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

Acceptable Use Policy

Acceptable Use Policy 1. Overview The Information Technology (IT) department s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Quincy College s established culture of openness,

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Data Loss Prevention Program

Data Loss Prevention Program Data Loss Prevention Program Safeguarding Intellectual Property Author: Powell Hamilton Senior Managing Consultant Foundstone Professional Services One of the major challenges for today s IT security professional

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

T141 Computer Systems Technician MTCU Code 50505 Program Learning Outcomes

T141 Computer Systems Technician MTCU Code 50505 Program Learning Outcomes T141 Computer Systems Technician MTCU Code 50505 Program Learning Outcomes Synopsis of the Vocational Learning Outcomes * The graduate has reliably demonstrated the ability to 1. analyze and resolve information

More information

Practical Guidance for Auditing IT General Controls. September 2, 2009

Practical Guidance for Auditing IT General Controls. September 2, 2009 Practical Guidance for Auditing IT General Controls Chase Whitaker, CPA, CIA September 2, 2009 About Hospital Corporation of America $28B annual revenue $24B total assets $4.6B EBDITA $673M Net Income

More information

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe 2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information

More information

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Guidance on Risk Analysis Requirements under the HIPAA Security Rule Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.

More information