Information Security. Manual Guideline. Version 3




Information Security Manual Guideline Version 3 Group Risk

TABLE OF CONTENTS

Document Control and Revisions Logs ... 4
1 Purpose ... 5
2 Scope ... 5
3 Policy Statement ... 6
4 Terms and definitions ... 7
5 Security Policy ... 11
6 Organization of information security ... 13
6.1 Internal organization ... 13
6.2 External parties ... 17
7 Asset management ... 18
7.1 Responsibility for assets ... 18
8 Human resources security ... 20
8.1 Prior to employment ... 20
8.2 During employment ... 21
8.3 Termination or change of employment ... 22
9 Physical and environmental security ... 23
9.1 Secure areas ... 23
9.2 Equipment security ... 26
10 Communications and operations management ... 28
10.1 Operational procedures and responsibilities ... 28
10.2 Third party service delivery management ... 30
10.3 System planning and acceptance ... 31
10.4 Protection against malicious and mobile code ... 32
10.5 Back-up ... 33
10.6 Network security management ... 34
10.7 Media handling ... 35
10.8 Exchange of information ... 36
10.9 Electronic commerce services ... 37
10.10 Monitoring ... 38
11 Access Control ... 40
11.1 Business requirement for access control ... 40
11.2 User access management ... 41
11.3 User responsibilities ... 43
11.4 Network access control ... 44
11.5 Operating system access control ... 46
11.6 Application and information access control ... 48
11.7 Mobile Computing and Teleworking ... 49
12 Information systems acquisition, development and maintenance ... 50
12.1 Security requirements of information systems ... 50
12.2 Correct processing in applications ... 51
12.3 Cryptographic controls ... 52
12.4 Security of system files ... 53
12.5 Security in development and support processes ... 54
12.6 Technical Vulnerability Management ... 55
13 Information security incident management ... 56
13.1 Reporting information security events and weaknesses ... 56
13.2 Management of information security incidents and improvements ... 57
14 Business continuity management ... 58
14.1 Information security aspects of business continuity management ... 58
15 Compliance ... 60
15.1 Compliance with legal requirements ... 60
15.2 Compliance with security policies, standards and technical compliance ... 62
15.3 Information systems audit considerations ... 63
16 Document control ... 64

Document Control and Revisions Logs

Document Properties
Document Title: Zain Information Security Manual Guidelines
Author: Zain Group Risk Information Security
Creation Date: 02-February-2009
Last Updated: 15-May-2012
Last Version: 3.0

Change Record
Date | Version | Author | Designation | Change Reference
01/10/2011 | 2.0 | Ali Fayad | Zain Group IS Specialist | Finalize the document design
13/05/2012 | 2.1 | Ali Fayad | Zain Group IS Specialist | Added specific policy

Reviewers
Name | Designation | Version | Date
Abdul-Ghaffar Setareh | Zain Group Risk Director | 2.1 | 13/05/2012
Ali Fayad | Zain Group IS Specialist | 2.1 | 14/05/2012

Approvals
Name | Designation | Version | Date
Abdul-Ghaffar Setareh | Zain Group Risk Director | 3.0 | 15-May-2012

Endorsements
Name | Designation | Version | Date

Distribution
Name | Department | Version | Date

1 Purpose

Zain management has approved and published this policy to set a clear corporate direction and to demonstrate support for, and commitment to, information security throughout Zain operations. Risk Management within Zain has been established to ensure that the goals and principles of information security are properly followed. This includes responsibility for establishing, implementing, and monitoring the policies within this document.

2 Scope

This policy applies to all employees, subsidiary staff, contractors, consultants, temporaries and those people affiliated with third parties who access Zain information or computer networks, such as system vendors and staff from outsourcing companies. This policy also applies to all information, computer, and data communication systems owned, licensed and/or administered by Zain, and covers other manifestations of Zain information such as voice and data.

3 Policy Statement

Zain is committed to maintaining and improving information security within accepted best practice and to minimizing its exposure to risk, in order to protect Zain assets across all of Zain's operations. Zain will:
- Consistently meet and exceed customers' expectations.
- Empower Zain employees through training and development.
- Comply with the applicable international information security standards.
- Apply effective risk management to identify and treat current and expected risks attached to our business.
- Protect Zain stakeholders, information and assets from threats that could potentially disrupt business.
- Apply efficient business continuity and disaster recovery management.
- Ensure compliance with all applicable regulatory and other legal requirements, to protect the Company's financial health and to preserve Zain's brand image and reputation.

Zain management and employees are responsible for implementing and maintaining this policy throughout Zain. This Information Security Policy falls under the responsibility of Zain's Risk Management Steering Committee, chaired by the Group Chief Financial Officer, with the Group Risk Department supervising its design, implementation and enforcement. Zain is committed to providing all the means and resources necessary to reach the level of performance that will ensure that Zain can face any event impacting information security.

4 Terms and definitions

Computer Facility Rooms
Facility rooms are used to house mission-critical computer systems and associated components. They generally include environmental controls (air conditioning, fire suppression, etc.), redundant/backup power supplies, and high security.

Confidential Information
Any Zain information that is not publicly known. It includes tangible and intangible information in all forms, such as information that is observed or orally delivered, is in electronic form, or is written or in other tangible form. Confidential Information may include, but is not limited to, source code, product designs and plans, beta and benchmarking results, patent applications, production methods, product roadmaps, customer lists and information, prospect lists and information, promotional plans, competitive information, names, salaries, skills, positions, pre-public financial results, product costs and pricing, and employee information and lists including organizational charts. Confidential Information also includes any confidential information received by Zain from a third party under a non-disclosure agreement.

Corporate Governance Structure
Zain is committed to managing information security as part of the Corporate Governance process. Information Security Governance (ISG) is a subset of Corporate Governance dealing with the policies and internal controls related to information resources and their security.

Policy Statement
A high-level statement of enterprise goals and objectives, accompanied by references to all relevant policies that provide the detailed direction for compliance.

Information Security Policies
Mandatory activities, actions, rules, or regulations designed to give policies the support structure and specific direction they require to be meaningful and effective.

Procedures
The step-by-step process required for the implementation of the requirements set by policies.

Data Files
Any electronic file(s) that contain Zain information, including information you type, edit, view, or save. A data file may be a business report, a picture, or a letter, and is stored as a file on a disk.

Information Availability
Ensuring that authorized users have access to information and associated assets whenever it is required.

Information Custodian
An Information Custodian is the person responsible for overseeing and implementing the safeguards necessary to protect information assets, at the level classified by the Information Owner.

Information Integrity
Safeguarding the accuracy and completeness of information and processing methods.

Information Security
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or electronic means, shown on films, or spoken in conversation and meetings. Whatever form Zain information takes, and whatever means by which it is shared or stored, it must always be appropriately protected.

Mobile Code
Mobile code is software obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples include JavaScript, Java applets, ActiveX controls and document macros; when malicious, mobile code is a common delivery route for browser hijackers, spyware, adware, etc.

Zain Work Areas
Zain Work Areas are those where access is restricted to authorized personnel only. For example, at any Zain branch, the area behind the customer service counter is considered a work area, since only authorized branch personnel can gain access to it.

Non Disclosure Agreement (NDA)
A contract through which the parties agree not to disclose information covered by the agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information.

Portable Device
Portable devices include laptop computers, PDAs, smart phones, etc.

Production System
A computer system is called a production system when it is in live, day-to-day operation and processing information.

Proprietary
A party, or proprietor, exercises private ownership, control or use over an item of property (e.g. a creative literary work, or software), usually to the exclusion of other parties.

Security Administrator
A Security Administrator supervises and/or participates in the installation, configuration, modification, maintenance, and monitoring of network security hardware and software, including but not limited to firewalls, Virtual Private Networks (VPN), content filtering technologies, and intrusion detection devices.

Security Procedures
The security procedures are the set of actions that must be followed in order to comply with the information security policy.

Staff / Employee
Any individual who has been hired directly by Zain.

System Administrator
A system administrator is a person who is responsible for managing a multi-user computing environment, such as a local area network (LAN). The responsibilities of the system administrator typically include installing and configuring system hardware and software; establishing and managing user accounts; upgrading software; and backup and recovery tasks.

System Owner
The system owner is the person with the responsibility and authority to designate, allow or use special-access account privileges.

Telecommuting
Telecommuting, also known as teleworking, is the act of working from a remote location, usually one's home, using telecommunications technologies such as the telephone, fax and the Internet.

Third Party
Any non-employee of Zain who is contractually bound to provide some form of service to Zain.

User
Any Zain employee or third party who has been authorized to access any Zain information resource.

Workers
Workers are any consultants, contractors, temporaries, etc., working at Zain alongside employees.

Risk Management Steering Committee (RM-SC)
The Risk Management Steering Committee (RM-SC) provides management direction and a sounding board for Zain Risk Management efforts, to ensure that the risks are realistic given Zain's business objectives, and that the efforts are appropriately prioritized, efficiently supported by the organization, and adequately funded.

Risk Management
The Risk Management Department is charged with identifying, assessing, and appropriately managing risks to Zain operations and its information systems.

Policy Audience
The general readership of this document is all employees of Zain. Labels to the right of a policy title identify primary responsibility, as follows:
Everyone
RM-SC  Risk Management Steering Committee
Department Managers
IT & Networks
RM  Risk Management
LG  Legal
HR  Human Resources
BE  Business Excellence
IA  Internal Audit
PS  Physical Security

5 Security Policy

Policy Approval (RM-SC)
An information security policy must be approved by executive management.

Policy Publishing (RM)
The information security policy must be formally published.

Policy Endorsement
The information security policy must be formally and publicly endorsed by executive management.

Information and Policy
All access to, use of, and processing of Zain information must be consistent with Zain information systems policies and standards.

Policy Communication Audience (RM)
The information security policy must be communicated to all employees, contractors, and temporary employees.

Legal Framework Conflicts (LG)
The Information Security Department Manager must be promptly informed of any Zain information security policy that is believed to be in conflict with existing laws or regulations.

Standards and Procedures Policy Linkage (RM, BE)
When a standard or procedure is intended to become an extension of the policy document, the document must include these words: "This standard or procedure has been created by the authority described in Zain Information Security Policy, and must be complied with as though it was part of the Policy document."

Acceptable Use
The information technology services of Zain must only be used for conducting Zain business or for other purposes expressly authorized by Zain management.

Policy Non-Enforcement
Management's non-enforcement of any policy requirement does not constitute its consent.

Information is a Zain Asset
Information is an important Zain asset which must be properly handled and controlled.

Protection of Information
Information must be protected in a manner commensurate with its sensitivity, value, and criticality.

Policy Review (RM)
The Information Security Policy must be reviewed annually. The reviews must take into account the security incidents that have occurred since the last review, and the impact of changes in technology.

Standards and Procedures
The Risk Management Department, in coordination with the concerned business unit, must be authorized to create, and periodically modify, both technical standards and standard operating procedures that support this information security policy document.

Enforceable Security Measures (RM)
All information systems security controls must be enforceable prior to being adopted as part of standard operating procedure.

6 Organization of information security

6.1 Internal organization

Implementation of Security
Management must establish and maintain sufficient preventive and detective security measures to ensure that Zain information is free from significant risk of undetected alteration.

Top Management Security Communications to Staff (RM-SC)
The senior management of Zain will lead by example by ensuring that information security is given a high priority in all current and future activities and initiatives.

Information Security Management Committee (RM-SC)
An information security management committee must be composed of senior managers from each of Zain's major groups.

Information Security Management Committee - Policy Review (RM-SC)
The information security management committee must review and approve all evaluations against Zain information security policy.

Information Security Management Committee - Incident Review (RM-SC)
The information security management committee must actively monitor the information security incidents that occur at Zain and its subsidiaries.

Information Security Management Committee - Initiative Approval (RM-SC)
The information security management committee must review and approve all initiatives designed to enhance information security at Zain.

Information Security Management Committee - Resources (RM-SC)
The information security management committee must be allotted sufficient resources for continual and effective oversight of information security activities within Zain.

Information Security Management Committee - Review of Security Policies (RM-SC)
The information security management committee must review and approve new or modified information security policies.

Information Security Controls Implementation (RM-SC)
The information security management committee must coordinate the implementation of all information security controls for new systems or services across Zain business departments.

Information Security Visibility (RM-SC)
The information security management committee must ensure that business support for information security is visible throughout the organization.

Information Security Department Responsibility (RM)
The Risk Management Department is responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures.

Centralized Responsibility for Information Security
Guidance, direction, and authority for information security activities must be centralized for the entire organization in the Risk Management Department.

Information Security Department Direction (RM)
The Risk Management Department must provide the direction and technical expertise to ensure that Zain's information is properly protected.

Information Security Liaison
Every department manager must designate an information security liaison, and give this liaison sufficient training, supporting materials, and other resources to properly perform his or her job.

Information Security Planning Process (RM)
The Risk Management Department must annually prepare plans for the improvement of information security on all major Zain information systems.

Management Approach to Security
Management must ensure that information security within their departments is treated as a regular business problem to be faced and solved, like any other normal and continuing business activity.

Security Administration - Systems Administrators (RM)
In keeping with the segregation-of-duties principle, systems administrators must not be responsible for information systems security administration for any Zain production system.

Information Ownership
The Information Technology Department and the Networks Department must not be the owner of any information other than operational computer and network information and equipment.

Asset Manager Assignment (RM-SC)
The responsibility and accountability for each Zain asset must be formally assigned to its owner.

New Hardware
All purchases of new Zain systems hardware or new components for existing systems must be made in accordance with the Information Security Policy and other Zain policies, as well as technical standards. Such purchase requests must be based upon a user requirements specification and consider longer-term business needs.

Functional Needs
Except for minor purchases, hardware must be purchased through a structured evaluation process that includes the development of a detailed Request for Proposal (RFP) document. Information security features and requirements must be identified in the RFP.

Installation
All new hardware installations are to be planned formally and notified to all interested parties prior to the proposed installation date. Information security requirements for new installations must be circulated for comment to all interested parties well in advance of installation.

Software User Requirements
All requests for new applications, systems, or software enhancements must be presented to senior management with a Business Case that includes business requirements presented in a User Requirements Specification document.

Selecting Software Packages
Zain should generally avoid the selection of business-critical software which, in the opinion of management, has not been adequately proven by early adopters. The selection process for all new business software must additionally incorporate the criteria upon which the selection will be made. Such criteria must receive the approval of Zain senior management and must include security criteria.

Selecting Office Software
All office software packages must be compatible with Zain's preferred and approved computer operating system(s) and platform(s).

New System Development Justification
The development of bespoke software is only to be considered if warranted by a strong Business Case and supported by management, including adequate resources, over the projected lifetime of the project.

New Technology Control
In every instance where new technology is used in a Zain production information system, the operations and security controls associated with that technology must be particularly stringent until the technology has been shown to be reliable, readily controllable, and truly supportive of business activities.

Speaking to the Media
Only authorized personnel may speak to the media (newspapers, television, radio, magazines, etc.) about matters relating to Zain.

Speaking to Customers
Information regarding Zain's customers or other people dealing with Zain is to be kept confidential at all times. Such information should only be released by authorized and trained persons.

Non Disclosure Agreements
Non-disclosure agreements must be used in all situations where the confidentiality, sensitivity, or value of the information being disclosed is classified as PRIVATE (or higher).

Independent Review (RM, IA)
An independent, externally provided review of information system controls must be obtained annually to determine both the adequacy of, and compliance with, controls.

Policy Complete Review (RM, IA)
The implementation of and compliance with Zain information security policy, standards, and procedures must be audited annually by an independent party, internal or external to Zain.

6.2 External parties

Third Party Access to Information
Third parties may be given access to Zain internal information only when a demonstrable need to know exists, and when such disclosure has been expressly authorized by Zain management.

Third Party Contracts - Security Requirements (LG)
All contracts with third parties must include an explicit description of the security requirements resulting from third-party access or internal controls.

Third Party Non-Disclosure Agreements
Prior to sending any SECRET, CONFIDENTIAL, or PRIVATE information to a third party for copying, printing, formatting, or other handling, the third party must sign and return Zain's non-disclosure agreement.

Third Party Access Authorization (LG)
Zain management must ensure that a contract and/or non-disclosure agreement (NDA) defining the information security terms and conditions required by Zain has been signed before permitting access to any facility, computer system or information.

Software Support
All application software must be provided with an appropriate level of technical support, to ensure that Zain is not compromised and that any software problems are handled efficiently within an acceptable timescale.

Vendor Software
Vendor-developed software must meet the User Requirements Specification and offer appropriate product support.

Verifying Financial Claims and Invoices
All claims for payment must be properly verified for correctness before payment is effected.

External Service Providers for e-commerce
Where third parties are involved in e-commerce systems and delivery channels, they must be able to meet the resilience and information security objectives of Zain.

Compliance with Information Security Requirements
External consultants, contractors, and temporaries working in the Zain environment must be subject to the same information security requirements, and have the same information security responsibilities, as Zain employees.

7 Asset management 7.1 Responsibility for assets Information asset Inventory A formal inventory of all information assets must be maintained and kept up-to-date at all times including hardware, software, data files, asset location, user manuals, training material, operational procedures and recovery procedures. Documenting All new and enhanced systems must be fully supported at all times by comprehensive and upto-date documentation. New systems or upgraded systems should not be introduced to the live environment unless supporting documentation is available. Ownership All information, data, or documents are to be the responsibility of a designated information owner. Using Encryption Where appropriate, sensitive or confidential information or data should always be transmitted in encrypted form. Prior to transmission, consideration must always be given to the procedures to be used between the sending and recipient parties and any possible legal issues from using encryption techniques. Sharing Information HR Human Resources Management are to ensure that all employees are fully aware of their legal and corporate duties and responsibilities concerning the inappropriate sharing and releasing of information, both internally within the organization and to external parties. Information Classification Labeling All information must be labeled based on its criticality to Zain. Information Classification Impacts When classifying information, asset owners must consider the impact on Zain if the information is lost, damaged, disclosed, or stolen. Four Category Data Classification Scheme Data must be broken into four sensitivity classifications with separate handling requirements: SECRET, CONFIDENTIAL, PRIVATE, and UNCLASSIFIED Group Risk 18

SECRET Information
This classification applies to the most sensitive business information, which is intended strictly for use within Zain, and which, if disclosed, could seriously and adversely impact Zain, its stockholders, its business partners, and/or its customers.

CONFIDENTIAL Information
This classification applies to less sensitive business information, which is nonetheless intended for use within Zain, and which, if disclosed, could adversely impact Zain, its stockholders, its business partners, and/or its customers.

PRIVATE Information
This classification applies to personal information, which is intended for use within Zain, and which, if disclosed, could seriously and adversely impact Zain and/or its employees.

UNCLASSIFIED Information
This classification applies to all other information, which cannot be classified as SECRET, CONFIDENTIAL or PRIVATE, and whose disclosure is not expected to seriously or adversely impact Zain, its employees, its stockholders, its business partners, and/or its customers.

Information Security Policies and Procedures Classification
Unless the Risk Management Department has first approved their release in writing, all Zain information security policies and procedures are classified as confidential.

Classifying New Production Information
All workers who create, compile, alter, maintain, or procure any type of production information must assign a classification which is consistent with prior designations made by the relevant information owners.

Default Classification
All information is confidential until it is classified by its owner.

Labeling Classified Information
All information, data, and documents are to be clearly labeled so that all users are aware of the ownership and classification of the information.

Availability Of ZA Assets
Ensuring that authorized users have access to information and associated assets whenever it is required.

8 Human resources security

8.1 Prior to employment

Security Roles and Responsibilities Documentation (HR)
Security roles and responsibilities must be documented and incorporated into each job description at Zain.

Data Confidentiality Protection
All employees are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after contractual relations with Zain.

Background Checks for New Staff (HR)
New employees must first pass a background check, and must undertake to abide by the Zain Information Security policy.

Staff References
Only authorized personnel may give employee references.

Staff Security Clearance (HR)
All staff must have previous employment and other references carefully checked.

Background Checks for Positions of Trust (HR)
All workers to be placed in positions of trust must first pass a background check.

Qualifications for Working on Sensitive Projects (HR)
Only trusted employees with good to excellent performance reviews may work on new product development and other major Zain projects.

Preparing Terms and Conditions (HR)
The Terms and Conditions of Employment of Zain are to include requirements for compliance with Information Security.

Employment Terms - Disciplinary Action (HR)
The terms and conditions of employment that are signed by every Zain employee must state clearly the disciplinary action to be taken if the employee violates any information security policies, standards, or procedures.

8.2 During employment

Information Security Awareness Training (HR, RM)
Every worker must attend information security awareness training within one month of the date on which they began employment with Zain.

Security Awareness (HR)
The Human Resources Department is to ensure that all employees are fully aware of their legal and Information Security responsibilities, which are to be included within key staff documentation (e.g., Terms and Conditions of Employment and the Zain Code of Conduct).

Information Security Policies and Procedures Awareness
Every worker must understand and comply with Zain's policies and procedures about information security.

Information Security Training (HR)
All department managers must be provided with sufficient training and supporting reference materials related to their jobs to allow them to properly protect Zain information resources.

Security Training on New Systems (HR)
Zain management is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise Information Security.

Protection of Badges
When off Zain premises, workers must protect their identification badges with the same level of protection as their wallets and credit cards.

Second Job Disclosure
Workers who have part-time jobs at the time they are interviewed for a position with Zain, or after they are hired by Zain, must inform their manager prior to taking on an additional job.

Security Violations Requiring Instant Termination (LG, HR)
All workers who have acted with insubordination, been convicted of a felony, or committed a major security violation must be terminated immediately.

8.3 Termination or change of employment

Procedures for Staff Leaving Employment (HR)
Termination procedures must be followed with extreme conscientiousness, particularly in regard to the termination of access privileges.

Staff Resignations (HR)
Upon notification of a staff resignation, Human Resources management must consider, with the Information Security Manager, whether the member of staff's continued system access rights constitute an unacceptable risk to the organization and, if so, revoke all access rights.

Information Handling At Contract Termination (LG)
If Zain terminates its contract with any third-party organization that is handling Zain private information, that third-party organization must immediately thereafter destroy or return all Zain private data in its possession.

Return of ZA Property
At the time that any employee, consultant, or contractor terminates his or her relationship with Zain, all Zain property must be returned.

Return of Information
Upon the termination or expiration of their contract, all contractors, consultants, and temporaries must hand over to their project manager all copies of Zain information received or created during the performance of the contract.

Escorting Workers Who Are Involuntarily Terminated (PS, HR)
In every case where workers are involuntarily terminated by Zain, the termination must take place in the presence of security personnel, who will escort them to the door after collecting their personal belongings.

Non-compete Agreements
At the time they join Zain, all employees must sign an agreement not to compete for six (6) months after their separation from Zain.

9 Physical and environmental security

9.1 Secure areas

Security Perimeter - Authorized Personnel (PS)
Access to all Zain work areas must be limited to those employees and partners whose jobs require entrance to those areas.

Security Perimeter - Access Control (PS)
Every access point to Zain work areas must be controlled by a manned reception area or other equally effective control method.

Physical Intrusion Alarms (PS)
All Zain work areas must be equipped with physical intrusion alarm systems that automatically alert those who can take immediate action.

Fire Alarms (PS)
All Zain work areas must be equipped with fire alarm systems that automatically alert those who can take immediate action.

Computer Room Doors Secure (PS)
All computer facility rooms must be equipped with riot doors that are resistant to fire and forcible entry.

Computer Room Doors Alarmed (PS)
All computer facility rooms must be equipped with doors that set off an audible alarm when they have been kept open beyond a certain period of time.

Physical Access (PS)
Physical access to Zain's highly secured areas is to be controlled with strong identification and authentication techniques. Staff authorized to enter such areas are to be provided with information security awareness on the potential security risks involved.

Physical Access Tailgating
Workers must not permit unknown or unauthorized persons to pass through doors, gates, and other entrances to restricted areas at the same time as authorized persons go through these entrances.

Challenging Strangers
All employees are to be aware of the need to challenge strangers in Zain's work areas.

Wearing Access Badges
Whenever in Zain buildings or facilities, all persons must wear a Zain identification badge on their outer garments so that both the picture and the information on the badge are clearly visible.

Individuals Without Identification Badges
Individuals without a proper Zain identification badge in a clearly visible place must be immediately questioned about their badge.

Physical Access Audit Trail (PS)
All access to every Zain secure area must be recorded in a secure log.

Access Outside Normal Business Hours (PS)
All visitors to Zain premises outside normal business hours must be escorted by an employee, with prior authorization by a department manager.

Visitor Identification Process (PS)
All visitors must provide official photo identification prior to gaining access to restricted Zain work areas.

Physical Access Reporting
Department heads must promptly report to the Physical Security Department any enabled badges issued to their contractors which are no longer authorized.

Physical Security System Testing (PS)
The operation of all physical access control systems must be tested semi-annually.

Lockable Cupboards
Sensitive or valuable Zain documents or equipment must be stored securely and according to the classification status of the information being stored. The cupboards must be fire resistant.

Secure Areas Confidentiality
Employees and partners who are authorized to access secure areas must not discuss the operations that occur within any secure area with any non-authorized person.

Secure Areas - Third Party Monitoring (PS)
Third-party service support personnel must be accompanied and monitored by a Zain employee when accessing any Zain secure area.

Sensitive Information - Third Party Monitoring
All accesses to Zain sensitive information by third-party support service personnel must be logged.

Cameras, Audio or Video Recording Equipment
Within Zain secure areas, personally owned cameras and audio or video recording equipment are prohibited.

Delivery Areas Access (PS)
Access to every Zain loading and delivery area must be limited to those employees, partners, and delivery personnel who have a legitimate business need to be there.

Delivery Areas - Security Requirements (PS)
The installation of all security mechanisms and processes to control access to any Zain loading or delivery area must be commensurate with the current level of risk in the area.

Cabling Shafts Security (PS)
Access to all cabling shafts at Zain premises must be secured using lockable doors, and access to them must be restricted to authorized personnel only. Storage of any type of equipment or material in the cabling shafts is prohibited.

Base Stations Security (PS)
Access to all Zain base stations must be controlled with strong identification and authentication techniques and should be restricted to authorized personnel only. All Zain base stations must be equipped with fire and intrusion alarms which are connected to the Zain central alarm system.

9.2 Equipment security

Fire Risks
All data and information must be protected against the risk of fire damage at all times. The level of such protection must always reflect the risk of fire and the value and classification of the information being safeguarded.

Preparing Premises to Site Elements
The sites chosen to locate network elements and computers and to store data must be suitably protected from physical intrusion, theft, fire, flood, and other hazards.

Electronic Eavesdropping
Electronic eavesdropping should be guarded against by using suitable detection mechanisms, which are to be deployed if and when justified by Zain's periodic risk assessments.

Data Centers
Local management must provide and adequately maintain humidity control systems, air conditioning systems, fire detection/suppression, smoke detection devices, water damage alarms, power conditioning systems, and equipment to monitor all environmental conditions that could adversely affect the equipment.

Smoking, Eating and Drinking in the Equipment Room
Workers and visitors must not smoke, eat, or drink in the raised floor area of any Zain equipment room.

Continuous Power
An Uninterruptible Power Supply must be installed in all Zain equipment rooms to ensure the continuity of services during power outages.

Backup Power (PS)
Secondary and backup power generators are to be employed where necessary to ensure the continuity of services that support critical Zain business during power outages.

Equipment Power - Power Supply Testing & Certification
All backup and secondary power units that protect critical Zain business functions and processes must be thoroughly tested and certified on a quarterly basis to confirm that the units have sufficient capacity to ensure that the supported equipment is adequately protected.

Cabling Installation (PS)
Power and telecommunications cabling should be installed and maintained by qualified technical personnel to ensure the integrity of both the cabling and the wall-mounted sockets. Any unused network wall sockets should be sealed off and their status formally noted. A network diagram shall always be kept updated and made available to the Risk Management Department.

Insurance
All critical equipment that supports critical Zain business must be insured against theft, damage, or loss.

Support
All equipment (on-site or off-site) owned, leased, or licensed by Zain must be supported from appropriate maintenance facilities by qualified engineers.

Equipment Damage
Deliberate or accidental damage to Zain equipment must be reported to the Risk Management Department as soon as it is noticed.

Information Systems Equipment Maintenance
All information systems equipment used for production processing must be maintained in accordance with the supplier's recommended service intervals and specifications.

Preventive Maintenance
Preventive maintenance must be performed semi-annually on all computer and communications systems to minimize the risk of errors.

Maintenance Records
A record of every instance of preventive or corrective maintenance to Zain equipment must be maintained and audited.

Using Portable Devices
Zain personnel who are issued portable computer devices must be aware of the information security issues relating to these devices and implement the appropriate safeguards to minimize security risks.

Off-site Equipment Unattended
Zain equipment that is taken off site must never be left unattended.

Release of Used Equipment and Media
Before information systems equipment or storage media that has been used for Zain business is provided to any third party, the equipment or media must first be inspected by the Risk Management Department to determine that all sensitive information has been removed.

Property Pass (RM, PS)
Computer peripherals, portable computers, modems, and related information systems equipment must be accompanied by an approved property pass and must be inspected by security personnel prior to leaving Zain premises. Property pass logs must include the dates on which the item was removed from and returned to Zain.

10 Communications and operations management

10.1 Operational procedures and responsibilities

Operating Procedures Documentation
All operating procedures that govern the processes within any Zain information processing facility must be authorized and documented.

Operating Procedures Maintenance
All Zain information processing facility operating procedures must be validated or revised on an annual basis.

Operating Procedures Changes
All changes to the operating procedures that govern the processes within any Zain information processing facility must be authorized by the applicable operations manager.

Operating Procedures - Job Execution
Operating procedures that govern the processes within any Zain information processing facility must include detailed instructions for:
- Execution, scheduling and interdependencies of every production job.
- Handling of output.
- Startup and shutdown of every computer system and application system.
- Backup of every computer system and application system.
- Periodic maintenance of every computer and communication system component.

Operating System Changes
Changes to routine systems operations are to be fully tested, approved and documented prior to implementation.

Change Control Equipment
Documented procedures must be established to control all changes to Zain information processing equipment.

Equipment Change Authorization
All changes to Zain information processing equipment must be authorized by the concerned operations manager.

Production Operating Systems Change Review (RM, IA)
Annual reviews of production computer operating systems must be conducted to ensure that only authorized changes have been made.

Back-off Procedures
Adequate "back off" procedures must be developed for all changes to production systems software and production application software.

Software - Change Log
The details of all changes to Zain information processing software must be logged and communicated to all with a need to know.

Separation of Duties
Whenever a Zain computer-based process involves sensitive, valuable, or critical information, the system must include controls involving a separation of duties or other compensating control measures, ensuring that no one individual has exclusive control over these types of Zain information assets.

Security Audit Independence (RM, IA)
The security audit of all Zain information processing facilities must be completed by resources independent of those who manage and control the facilities.

Separation between Production and Development
Business application software in development must be kept strictly separate from production application software.

Unnecessary Software
Unnecessary software and utilities must be removed from all Zain production systems.

System Developers and Formal Testing
Workers who have been involved in the development of specific business application software must not be involved in the formal testing or day-to-day production operation of such software.

10.2 Third party service delivery management

Contracts Approval (LG)
All information-systems-related third-party contracts must be reviewed and approved by the Risk Management Department.

Third-Party Services Security Responsibilities
The responsible manager must ensure that third-party services sufficiently implement, operate and maintain information security controls consistent with Zain information security policies and standards, and must re-assess risks when any changes occur in the third-party service.

Third-Party Management Security
All Zain security policies, standards, and procedures must be followed by any third party that manages a Zain information processing facility.

Third-Party Management - Security Responsibilities & Reporting
Any third party that manages a Zain information processing facility must identify sufficient resources to maintain and monitor all security activities and provide monthly status reports to the Zain Risk Management Department.

Third-Party Management - Reporting Security Incidents
Every security incident that occurs in a Zain information asset that is managed by a third party must be reported immediately to the Risk Management Department.

Third-Party Management - Security Audits (RM, IA)
A security audit must be performed every six months at every Zain information processing facility that is managed by a third party.

10.3 System planning and acceptance

Capacity Planning
New systems must be tested for capacity, peak loading and stress. They must demonstrate a level of performance and resilience which meets or exceeds the technical and business needs and Zain's requirements.

Capacity Projection
Every Zain manager must submit a detailed annual projection of the following year's information processing capacity requirements necessary to support his or her area.

Databases
Databases must be fully tested for both business logic and processing prior to operational use. Where databases contain personal information, procedures and access controls must ensure compliance with the necessary legislation (e.g., Data Protection).

Capacity Monitoring
A weekly review of information processing hardware capacity and utilization must be completed and reported to the operations manager.

Vendor Recommended Upgrades
The decision whether to upgrade software is only to be taken after consideration of the associated risks of the upgrade, weighing these against the anticipated benefits and the necessity for such a change.

Test and Live Environments
Formal change control procedures must be employed for all amendments to systems. All changes to programs must be properly tested in a test environment before moving to the live environment.

Parallel Running
Normal system testing procedures will incorporate a period of parallel running prior to the new or amended system being accepted for use in the live environment.

New Technology Evaluation
Any new technology or information system that will be used in Zain production application software, hardware systems or networks must be evaluated and approved by Zain Management prior to its adoption at Zain.

10.4 Protection against malicious and mobile code

Malicious Attacks
Zain system hardware, operating systems, application software, networks, and communication systems must be adequately configured and safeguarded against both physical attack and unauthorized network intrusion.

Emergency Data Amendment
Emergency data amendments may only be used in extreme circumstances and only in accordance with emergency amendment procedures.

Anti-Virus Software
Anti-virus software is to be deployed across all of Zain, with regular virus definition updates and scanning across servers, PCs, laptops and other mobile computers.

Mobile Code Execution
Users must not enter into Internet processes that permit mobile code to be placed or executed on their machines.

Attempting to Eradicate a Computer Virus
Users must not attempt to eradicate a computer virus without expert assistance.

User Installation of Software
Users must not install any software on their computers, network servers, or other machines.

10.5 Back-up

Restarting or Recovering
Information system owners must ensure that adequate back-up and system recovery procedures are in place.

Back-up and Recovery Procedures
Back-up of Zain's data files and the ability to recover such data is a top priority. Operations managers are responsible for ensuring that the frequency of back-up operations and the procedures for recovery meet Zain business needs.

Archiving
The storage media used for the archiving of information must be appropriate to the expected longevity. The format in which the data is stored must be carefully considered, especially where proprietary formats are involved.

10.6 Network security management

Network Management
Suitably qualified staff will manage Zain's information network and preserve its integrity in collaboration with the nominated individual system owner.

Inbound and Outbound Network Connections
The establishment of a direct connection between Zain systems and computers at external organizations via a public network is prohibited unless the connection has first been approved by the Risk Management Department. All connections to Zain internal networks and/or computer systems must pass through an additional, Risk Management Department approved, access control point (such as a firewall) before users reach a log-in banner.

Inventory of Network Connections
All concerned departments must maintain a current inventory of all connections to external networks, including telephone networks, EDI networks, extranets and the Internet.

Administrative Security Management
Configurations and set-up parameters on all hosts attached to the Zain network must comply with in-house security management policies and standards.

Centralization of Critical Networking Devices (PS)
All business-critical devices supporting the Zain telephone system, intranet, local area networks, and the wide area network must be centralized in dedicated rooms with physical access controls, closed circuit TV, environmental monitoring systems, and other security measures indicated by the Risk Management Department.

Integrity Assessment Tools
All network-connected systems used for production purposes must employ integrity assessment tools that detect, reconcile and report changes on a daily basis.

10.7 Media handling

Media Storage Procedures
Procedures for the handling of all media in media storage areas must be completely documented.

Media Storage Security
The security and environmental protection of all media storage areas must meet or exceed the standards required for all Zain secure areas.

Sensitive Information Destruction Procedures
Once it is no longer needed, all sensitive or valuable Zain information must be securely destroyed using procedures approved by the Risk Management Department.

Information Handling
Information owners must take steps to ensure that appropriate controls are utilized in the handling of information.

Data Storage
Day-to-day data storage must ensure that current data is readily available to authorized users and that archives are both created and accessible if needed.

Good Document Management Practice
All users of information systems must manage the creation, storage, amendment, copying, and deletion/destruction of data files in a manner which safeguards and protects the confidentiality, integrity, and availability of such files. The degree to which software techniques and disciplined user procedures are necessary will be applied by management and determined by the classification of the information/data in question.

Storing Classified Information
All information, data, and documents must be processed and stored strictly in accordance with the classification levels assigned to the information.

Physical Security or Encryption Required for All Sensitive Information
All information storage containing sensitive information must be physically secured when not in use, unless this information is protected via an encryption system approved by the Risk Management Department.

System Documentation (BE)
System documentation is required for all Zain information systems. This documentation must be kept up-to-date and available to authorized personnel, and appropriately protected against unauthorized access or modification.

10.8 Exchange of information

Information Exchanges with Third Parties - Handling
Exchanges of in-house software or internal information between Zain and any third party may not proceed unless a written agreement has first been signed that specifies the ways in which the software or information is to be handled.

Agreements with Third Parties - Audits
All agreements dealing with the handling of Zain information by third parties must include a clause that permits Zain to audit the controls used for these information handling activities.

Transporting Sensitive Documents
The confidentiality and integrity of Zain Secret, Confidential and Private information in any form must be protected during transportation/transmission. Hard copy documents of such classification must be transported externally in an unmarked, sealed envelope or container. Electronic documents of such classification must be encrypted if sent electronically across the Internet in e-mail or any other form. Prior to transmission, consideration must always be given to the procedures to be used between the sending and recipient parties and to any possible legal issues arising from the use of encryption techniques.

E-mail Security
Users of Zain e-mail systems must not open e-mail attachments coming from an unknown source, and must not create or forward chain letters.

Customer Payment Details
Customer credit card details or other payment information entrusted to Zain must be afforded a combination of security measures (technological and procedural) which, in combination, prevent all recognized possibilities of the information being accessed, stolen, modified or in any other way divulged to unauthorized persons.

External Service Providers for e-business
Where third parties are involved in e-commerce systems and delivery channels, it is essential that they are able to meet the resilience and Information Security objectives of Zain.

Payment Information Storage
All payment information, such as checking account numbers and credit card numbers, must be encrypted when stored on any Zain computer.

Digital Certificates and Encryption
All e-business servers must employ unique digital certificates and must use encryption to transfer information in and out of these servers.

Information Owner Digital Signatures (LG)
All information owners who post the information for which they are responsible on the Zain intranet must generate digital signatures, which are posted along with the pages, indicating their approval of the final versions of the applicable pages.

10.9 Electronic commerce services

Web Sites
Due to the significant risk of malicious intrusion by unauthorized external persons, external web sites (sites that can be reached from outside Zain networks) may only be developed and maintained by properly qualified and authorized personnel.

Securing E-Commerce Networks
E-commerce related web site(s) and their associated systems are to be secured using a combination of technology to prevent and detect intrusion, together with robust procedures using dual control where manual interaction is required.

Structuring
E-commerce processing systems, including the e-commerce web site(s), are to be designed with protection from malicious attack given the highest priority.

10.10 Monitoring

Computer System Logs Activation
All core Zain computer systems must be configured with active and continuous logging of computer security relevant events and system errors.

Computer System Logs Content
Logs of computer security relevant events must provide sufficient data to support comprehensive audits of the effectiveness of, and compliance with, security measures.

Systems Architecture for Logging
Application and/or database management system (DBMS) software must keep logs of user activities, and statistics related to these activities, that allow suspicious business events to be spotted and alarmed.

Log Rotation and Archiving
A formal log rotation and archival process must be employed for all network periphery security systems (such as firewalls) and all multi-user production servers.

Log Retention
Computerized logs containing security relevant events must be retained according to local laws and regulations.

Error Logs (IA)
Error logs must be properly reviewed and managed.

Recording Incidents
All employees are to be aware that evidence of Information Security incidents must be formally recorded, retained and passed to the Risk Management Department.

Privileged System Commands
All privileged commands issued by computer system operators must be traceable to specific individuals via the use of comprehensive logs.

Log Tampering Controls
All Zain production computer system logs must be protected by a tamper-control solution that detects, reconciles and reports unauthorized modification.

Log Access Authorization
Access to critical system and application logs must be authorized in writing by the Risk Management Department.

Log Monitoring
All Zain production computer system logs must be automatically monitored to ensure that sudden decreases in size, failures of digital signatures, and/or gaps in log entry sequence numbers immediately trigger an alarm.

System Clock Synchronization
To ensure the accuracy of logs, all computer system clocks must be synchronized to an agreed accurate time source.
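The Log Monitoring requirement names three signals that must raise an alarm: a sudden decrease in log size, a signature failure, and a gap in entry sequence numbers. The checker below is an added illustration, not part of the Zain manual or of any Zain tooling. It assumes a constructed log format (one JSON object per line carrying a sequence number, a message and a per-entry authenticator) in which each entry is chained to the previous one with HMAC-SHA256; the HMAC stands in for the "digital signatures" the control refers to, and the key name, log lines and function names are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key belongs to the log source
# or a write-once log collector, not to the account that reads the logs.
LOG_KEY = b"constructed-demo-key-not-for-production"


def sign_entry(seq: int, prev_sig: str, message: str, key: bytes = LOG_KEY) -> str:
    """HMAC-SHA256 over the sequence number, the previous entry's authenticator and
    the message. Including prev_sig chains the entries, so deleting or reordering
    one entry breaks the verification of the entry that follows it."""
    data = f"{seq}|{prev_sig}|{message}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_log(messages, start_seq: int = 1):
    """Produce a correctly chained log (constructed sample data, one JSON line per entry)."""
    lines, prev_sig = [], ""
    for seq, msg in enumerate(messages, start=start_seq):
        sig = sign_entry(seq, prev_sig, msg)
        lines.append(json.dumps({"seq": seq, "msg": msg, "sig": sig}))
        prev_sig = sig
    return lines


def check_log(lines, key: bytes = LOG_KEY, prev_sig: str = "", expected_seq: int = 1):
    """Return alarm strings for sequence gaps (or repeats) and authenticator failures.
    prev_sig/expected_seq let a monitor resume from the last entry it verified."""
    alarms = []
    for raw in lines:
        entry = json.loads(raw)
        seq = entry["seq"]
        if seq != expected_seq:
            alarms.append(f"sequence gap: expected {expected_seq}, got {seq}")
        expected_sig = sign_entry(seq, prev_sig, entry["msg"], key)
        # compare_digest avoids leaking timing information about the expected value
        if not hmac.compare_digest(expected_sig, entry["sig"]):
            alarms.append(f"signature failure at seq {seq}")
        prev_sig = entry["sig"]
        expected_seq = seq + 1
    return alarms


def check_size(previous_size: int, current_size: int):
    """Alarm when a log shrinks between two observations: a rotated log grows or is
    replaced by a new one, so a decrease points at truncation or deletion."""
    if current_size < previous_size:
        return [f"log shrank from {previous_size} to {current_size} bytes"]
    return []


def demo():
    """Verify an intact constructed log, then a copy with one entry removed and one altered."""
    log = build_log(["user alice login", "sudo by bob", "config change", "user alice logout"])
    intact_alarms = check_log(log)
    altered_last = json.loads(log[3])
    altered_last["msg"] = "user alice LOGIN"  # message changed, authenticator left as-is
    tampered = [log[0], log[2], json.dumps(altered_last)]  # entry seq 2 dropped
    return intact_alarms, check_log(tampered)


if __name__ == "__main__":
    ok, bad = demo()
    print("intact log alarms:", ok)
    print("tampered log alarms:", bad)
    print("size check:", check_size(4096, 1024))
```

Dropping entry 2 produces two alarms on the entry that follows it (a sequence gap and an authenticator failure, because its chain input no longer matches), and editing the last message produces a third; an unmodified log yields none. A production monitor would persist the last verified sequence number and authenticator so that each run only checks new entries, and would send the alarms to the incident process the Recording Incidents control describes rather than printing them.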

11 Access Control
11.1 Business requirement for access control
Access Control Standards: Access control standards for Information Security must be established by the responsible manager (information owner) and should balance restrictions that prevent unauthorized access against the need to provide unhindered access to meet business needs.
Access to Zain Information - Need to Know: Access to Zain information must be limited on a need-to-know basis.
Security Setting: The security setting of the access control system must be set at a level commensurate with the value of the information residing on the system, or on any system to which a direct network connection is present.
Centralized Access Control Database: Unambiguous, organized, and current records of all production information system access privileges must be maintained in a centralized database.
Default Permissions: Access control permissions for all Zain networked systems must be set to a default which blocks access by unauthorized users.

11.2 User access management
Access to Zain Information Approval: Access to Zain information must always be authorized by a designated owner of such information.
Unique User-ID and Password: Every user who needs to access Zain multi-user systems or networks must have a single, unique user-id and a personal secret password.
Non-employee User-ID Expiration: Every user-id established for a non-employee must have a specified expiration date not to exceed sixty (60) days from the establishment date.
Changes in User Duties: The concerned manager must promptly report all significant changes in end-user duties and/or employment status to the Risk Management Department.
Information Access Privileges at Termination or Transfer: All Zain information systems access privileges must be promptly terminated at the time a worker ceases to work for Zain or is transferred to another business unit.
Privileged User-IDs: The number of administrator-IDs must be strictly limited to those individuals who absolutely must have such privileges for authorized business purposes.
Information System Privilege Default: Every information system privilege that has not been specifically permitted by the Risk Management Department must not be employed for any Zain business purpose until approved in writing.
Advanced Privilege Assignment: System privileges beyond the capabilities routinely granted to general users must be approved in advance by the Risk Management Department.

Information Systems Logs - Privilege Management: All information systems running Zain production application systems must include logs that record additions and changes to the privileges of users.
User-ID and Privilege Records: Records reflecting all the information systems on which users have user-ids must be kept current.
Positive Identification: New employees must show up in person to be granted a multi-user system password for the first time.
Initial Password Expiration: Initial passwords must be valid only for the involved user's first on-line session.
Fixed Password Changes Follow-up: All fixed password resets or changes must be promptly confirmed by regular mail so that the authorized user can readily detect and report any abusive behavior.
Incorporation of Passwords into Software: Passwords must never be hard-coded (incorporated) into software developed or modified by Zain workers.
Periodic Review of User Access Privileges: The system privileges granted to every user must be re-evaluated by the user's immediate manager every three (3) months.

11.3 User responsibilities
Password Management: The selection of passwords, their use and management as a primary means to control access to Zain systems must strictly adhere to Zain password procedures.
Written Passwords: Passwords must not be written down and left in a place where unauthorized persons might discover them.
Auto Logon Procedures: Users must not employ any procedure which automatically logs them onto Zain systems and thereby circumvents manual entry of a user-id and password.
Password Escrow: Passwords must not be stored in readable form in any physical or logical location where unauthorized persons might discover or use them.
Password Sharing: Regardless of the circumstances, passwords must never be shared or revealed to anyone other than the authorized user.
Suspected Password Disclosure: Each user must immediately change his or her password if the password is suspected of being disclosed, or known to have been disclosed, to an unauthorized party.
Password Complexity: All passwords assigned to Zain system users must not be trivial or predictable, and must:
- Be at least 8 characters in length.
- Contain a mix of alphabetic and non-alphabetic characters (numbers, punctuation or special characters), or a mix of at least two types of non-alphabetic characters.
- Not contain the user-id as part of the password.
Securing Unattended Equipment: Zain equipment shall always be appropriately safeguarded, especially when left unattended.
Leaving Sensitive Systems: Workstations and/or terminals must not be left unlocked when not attended by their assigned users.
Clear Desk Policy: Zain expects all employees to operate a clear desk policy.
Removing Printouts: When printing Zain Confidential or Secret information, it must be protected against theft and unauthorized viewing. If no secure printing is available, printouts must be removed from the printer/fax device within 30 minutes.

11.4 Network access control
Configuring Networks: The Zain information network must be designed and configured to deliver the high performance and reliability the business demands while providing a high degree of access control and a range of privilege restrictions (e.g. controlled path, node authentication, network connection control, network routing control).
Remote User Access: Remote access control procedures must provide adequate safeguards through robust identification, authentication, and encryption techniques.
Remote Network Access: Remote access to Zain's network and resources will only be permitted provided that authorized users are authenticated, data is encrypted across the network, and privileges are restricted.
Remote Administration: Remote administration of all Zain multi-user computer systems is prohibited unless equipment identification (e.g. remote administration is possible only from a specific IP address) and two-factor user authentication are employed over an encrypted link approved by the Risk Management Department.
Accepting In-Coming Dial-Up Calls: Zain workers must not establish any communications systems which accept in-coming dial-up calls unless these systems have first been approved by the Risk Management Department.
Diagnostic Port Access: Access to all diagnostic ports must be securely controlled with the use of a key lock and effective procedures unless otherwise approved by the Risk Management Department.
Guest Network Connections: In every instance where Zain provides walk-up network access for visitors to connect back to their home networks, a separate subnet that has no connection to the Zain internal network must be employed.
Dedicated Computers and Networks: All high-security and high-reliability systems managed or owned by Zain must have their own dedicated computers and networks.

Network Security Zones: All Zain internal data networks must be divided into security zones.
Network Ports in Vacant Offices: All network ports in vacant offices and meeting rooms must be promptly disconnected at the wiring closet or at another centralized location.
Unattended Active Network Ports: Unattended active network ports which connect to the Zain internal computer network must not be permitted in public areas, including building lobbies, company cafeterias, and conference rooms readily available to outsiders.

11.5 Operating system access control
Operating System Access Control: All users must have their identity verified with a user-id and a secret password, or by authentication techniques which provide equal or greater security, prior to being permitted to use Zain computers.
Advanced Authentication: Advanced user authentication mechanisms must be employed on all operating systems that process critical Zain information.
Shared User IDs - Business Case: User IDs must not be issued for use by multiple users unless an approved exception request that details the business case for this exception has been received by the Risk Management Department.
Vendor Default Passwords: All vendor-supplied default passwords must be changed before any computer or communications system is used for Zain business.
Operating System Access Control System: All Zain information systems must employ an access control system that:
- Permits users to select their own passwords.
- Permits users to change their own passwords.
- Requires every user to change their password every three months.
- Enforces the selection of quality passwords, as defined in the Password Complexity section.
- Does not display the password on the screen when it is being entered.
Additionally, all multi-user Zain computer systems must employ an access control system that:
- Does not display system or application identifiers until the log-on process has been successfully completed.
- Limits the number of unsuccessful log-on attempts to three, records unsuccessful and successful attempts, and disconnects data link connections if the maximum number of log-on attempts is reached.
- Stores and transmits passwords in protected (encrypted or hashed) form.
Systems Software Utilities: Access to systems software utilities must be restricted to trusted and authorized administrators.
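The Password Complexity rules of 11.3 and the access control system requirements of 11.5 (quality passwords enforced, three-attempt limit, attempts recorded, passwords stored hashed, three-month change) are concrete enough to implement and test. The following is an added example and not Zain's code; the 90-day reading of "three months", the PBKDF2 work factor and the case-insensitive user-id check are assumptions made here.

```python
import hashlib
import hmac
import os
import string
import time

MIN_LENGTH = 8           # 11.3: at least 8 characters
MAX_FAILED_LOGONS = 3    # 11.5: three unsuccessful attempts, then disconnect
PASSWORD_AGE_DAYS = 90   # 11.5: change every three months (assumed 90 days)
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored hash


def nonalpha_classes(password: str) -> set:
    """Kinds of non-alphabetic characters present: digit, punctuation, special."""
    classes = set()
    for ch in password:
        if ch.isalpha():
            continue
        if ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punctuation")
        else:
            classes.add("special")  # spaces, currency signs, non-ASCII symbols
    return classes


def complexity_failures(password: str, user_id: str) -> list:
    """Return the 11.3 Password Complexity rules the password violates (empty list = acceptable)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 8 characters")
    has_alpha = any(ch.isalpha() for ch in password)
    classes = nonalpha_classes(password)
    # Either alphabetic plus one non-alphabetic class, or two non-alphabetic classes.
    if not ((has_alpha and classes) or len(classes) >= 2):
        failures.append("insufficient character mix")
    # Assumption: the user-id comparison is case-insensitive.
    if user_id and user_id.lower() in password.lower():
        failures.append("contains the user-id")
    return failures


class AccountStore:
    """Toy access-control back end for the 11.5 requirements: quality passwords
    enforced, passwords stored only as salted hashes, every log-on attempt
    recorded, and the account disconnected after three failures."""

    def __init__(self, clock=time.time):
        self._accounts = {}
        self._clock = clock          # injectable so the 90-day rule can be tested
        self.audit = []              # (timestamp, user_id, outcome)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, user_id: str, password: str) -> None:
        failures = complexity_failures(password, user_id)
        if failures:
            raise ValueError("password rejected: " + "; ".join(failures))
        salt = os.urandom(16)
        self._accounts[user_id] = {"salt": salt, "hash": self._hash(password, salt),
                                   "failed": 0, "locked": False, "changed": self._clock()}

    def password_expired(self, user_id: str) -> bool:
        """True once the password is older than the three-month limit."""
        age = self._clock() - self._accounts[user_id]["changed"]
        return age > PASSWORD_AGE_DAYS * 86400

    def logon(self, user_id: str, password: str) -> str:
        """Return 'success', 'failure' or 'locked'; every outcome is recorded."""
        acct = self._accounts.get(user_id)
        if acct is None:
            outcome = "failure"      # unknown user-id; no detail leaked to the caller
        elif acct["locked"]:
            outcome = "locked"
        elif hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"])):
            acct["failed"] = 0
            outcome = "success"
        else:
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED_LOGONS:
                acct["locked"] = True  # policy: disconnect the data link at this point
            outcome = "failure"
        self.audit.append((self._clock(), user_id, outcome))
        return outcome


if __name__ == "__main__":
    store = AccountStore()
    store.set_password("alice", "Tr0ub4dor&3")
    for attempt in ("guess1!!", "guess2!!", "guess3!!", "Tr0ub4dor&3"):
        print(attempt, "->", store.logon("alice", attempt))
    print(complexity_failures("alice2024", "alice"))
```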

System Utility Usage: The ad hoc usage of any system utility must be authorized by the concerned operations manager.
Systems Software Utility Logging: All usage of systems software utilities must be logged and promptly reviewed thereafter by the computer operations manager.
Control Override Facilities Usage: The operations manager must establish override procedures to be used in those exceptional circumstances where controls must be compromised to maintain on-going business operations.
Security Tools Screening: Every multi-user system must include sufficient automated tools to assist the security administrator in verifying and, if necessary, correcting the security status of the computer.
Systems Utilities: Disks and other on-line storage facilities used on production computer systems must not contain compilers, assemblers, text editors, word processors, or other general purpose utilities which may be used to compromise the security of the system.
Automatic Logoff: Users must be automatically logged off after fifteen minutes of inactivity.
Session Time-out Process - Sensitive Information: All sessions that process sensitive information must time out due to inactivity, and the application and network sessions must be closed.
Terminal Time-out Limit - Sensitive Information: The time-out delay of the session time-out facility for all terminals with access to Zain information must be set to no more than 15 minutes.
Time Dependency: All multi-user computer systems must restrict user activities by time of day and day of the week.
User Continuous Connect Time: Users must not be continuously connected to a critical system or application.
User Daily Connect Time: Users must not be authorized to connect to any system or application outside of their normal working hours without prior approval from the concerned operations manager.

11.6 Application and information access control
Restricting Access: Access controls are to be set at an appropriate level to minimize information security risks while allowing Zain's business activities to be performed without undue hindrance.
Defending Against Internal Attacks: In order to reduce the incidence and possibility of internal attacks, access control procedures and data classification procedures are to be reviewed annually and maintained at all times.
Access Control Systems Software: All software installed on Zain multi-user systems must be regulated by approved access control systems software.
Secret User IDs: Developers must not build or deploy secret user-ids or passwords which have special privileges and which are not clearly covered in the system documentation.
Access to Customers' Information: All sensitive information about customers, such as credit card numbers, credit references, and local call traces, must be accessible only to those Zain personnel who need such access in order to perform their jobs.
Production Application Access Control: All production business applications supporting multiple users must be secured by an access control system approved by the Risk Management Department.
Critical Application Servers: Critical production servers must be dedicated-purpose machines, running only a single application and hosted in a dedicated network segment.

11.7 Mobile Computing and Teleworking
Issuing Portable Devices: Management must authorize the issue of portable computer devices. Usage is restricted to business purposes, and end users must be aware of, and accept, the terms and conditions of use, especially responsibility for the security of information held on such devices.
Using Portable Devices: Zain personnel who are issued portable computer devices (e.g., laptop computers, PDAs, or similar devices) and who intend to travel for business purposes must be aware of the information security risks relating to these devices and implement the appropriate safeguards to minimize those risks, as follows:
- Activate a power-on password.
- Activate disk or file system encryption where available.
- Keep the device with them at all times if possible.
- Make backup copies of any vital information.
- Make sure that laptop computers run up-to-date antivirus and firewall software if connected to any external networks (e.g. the Internet).
- Make sure that the current security fixes are applied.
Portable Computer Inspection: All portables, laptops, notebooks, and other transportable computers can be inspected and audited at any time by the Zain Risk Management Department.
Teleworking: Off-site computer usage, whether at home or at other locations, is permitted only with authorization from management. Usage is restricted to business purposes, and users must be aware of and accept the terms and conditions of use, which must include the adoption of adequate and appropriate information security measures.
Structured Working Environments: All telecommuters must structure their remote working environment so that it is in compliance with Zain policies and standards.
Telecommuting Inspections: Zain maintains the right to conduct inspections of telecommuter offices with one or more days' advance notice.

12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
Control of Software Development: Software development and/or acquisition by Zain must follow a formalized process that addresses user specifications, user acceptance, security implementation and standard project management practices and methods.
Formal Specifications: All software developed by in-house staff and intended to process sensitive, valuable, or critical information must have a written formal specification that is part of an agreement between the involved information owner(s) and the system developer(s).
Security in the Systems Development Life Cycle (SDLC): For all business application systems, security must be considered by systems designers and developers from the beginning of the systems design process through conversion to a production system.
Modifications to Critical Systems: All major enhancements, upgrades, conversions, and related changes associated with critical systems or applications must be preceded by an information security risk assessment.

12.2 Correct processing in applications
Input Data Edits: All transactions to be input to a multi-user system must first be subjected to total validation checks.
Input Transaction Authorization: Methods must be in place to ensure that any input to production computer systems that has been submitted for processing has been properly authorized.
Changes to Information: Transactions affecting sensitive, critical, or valuable information must only be processed if the originating individual or system has been shown to be authorized to submit such transactions.
Message Integrity Confirmation: Appropriate file checksum and processing controls must be established to ensure that attention is given to the confirmation of message integrity and authenticity prior to critical information processing.
Transaction / Processing Reports: Transaction and processing reports should be regularly reviewed by properly trained and qualified staff.
Correctness of Information: Zain values the integrity and correctness of all its business and related information and requires management to develop and adopt the appropriate procedures to safeguard this valuable asset.
Output Data Controls: Controls and procedures must be established to validate all sensitive or critical output data processed by Zain application systems.

12.3 Cryptographic controls
Electronic Keys: The management of electronic keys used to control both encryption and decryption of sensitive messages must be performed under dual control, with duties being rotated between staff.
Encryption Usage Training: Users must be properly trained, and their systems must be configured by authorized personnel, before they utilize encryption, digital signatures, or digital certificates for any Zain business activity.
Encryption Process Approval: Encryption processes must not be used for Zain information unless the processes are first approved by the Risk Management Department.
Encryption Initialization: Whenever an encryption system to be used for Zain production information systems is initialized, installed, enabled, or reset, the Risk Management Department must be present to document and witness the process.
Key Management Delegation: Key management responsibility must only be delegated to a party who has passed a background check, passed an operational security audit, and signed a confidentiality agreement.

12.4 Security of system files
Operational Program Libraries: Only designated Zain staff may access operational program libraries. Amendments may only be made using a combination of technical access controls and robust procedures operated under dual control.
Software Patches: All software patches affecting the security of computer systems must be applied to all Zain systems in a timely fashion.
Business Application System Testing: All application systems developed in-house must go through multiple cycles of testing, in which all errors are discovered and corrected, before being placed into production operation.
Using Live Data: The use of live data for testing a new system or system changes may only be permitted where adequate controls for the security of the data are in place.
Program Source Libraries: Only designated Zain staff may access program source libraries. Amendments may only be made using a combination of technical access controls and robust procedures operated under dual control.
Program Listings: Program listings must be controlled and kept fully up-to-date at all times.
Controlling Program Source Libraries: Formal change control procedures with comprehensive audit trails are to be used to control program source libraries.

12.5 Security in development and support processes
Change Control for Operational Software: Prior to being installed, new or different versions of the operating system and related systems software for multi-user production computers must go through the established change control process.
Emergency Amendments: Emergency amendments to software are to be discouraged, except in circumstances previously designated by management as critical. Any such amendments must strictly follow agreed change control procedures.
Formal Change Control Procedure: All systems used for production processing at Zain must employ a formal change control procedure that ensures only authorized changes are made and that they are documented in a timely manner.
Software Change Review: Fully-tested software modules must be reviewed and recompiled before being moved to production libraries.
Production System Changes Security: Prior to installation, every non-emergency change to production systems must be shown to be consistent with the information security architecture.
Software Integrity Statements: If procurement of third-party software is being considered, management must obtain a written integrity statement from the involved vendor that provides assurances that the software does not contain undocumented features, does not contain hidden mechanisms that could be used to compromise the software's security, and will not require the modification or abandonment of controls found in the affected operating system.
Third-Party Software Development: Third parties who develop software for Zain must be bound by a contract that includes, but is not limited to, a clear and distinct definition of licensing arrangements, quality and accuracy expectations, escrow arrangements, auditing procedures, and testing requirements.

12.6 Technical Vulnerability Management
Monitoring Information Security Vulnerability Advisories: On a weekly or more frequent basis, systems administration staff must review all information security vulnerability advisories issued by trusted organizations.
Vulnerability Evaluation: The Risk Management Department must perform a technical vulnerability scan before approving any computer, communications system or software for use in the production environment.
Production Information Systems Risk Assessments: All production computer information systems must be evaluated annually by the Risk Management Department to determine the security controls required to reduce risk to an acceptable level.

13 Information security incident management
13.1 Reporting information security events and weaknesses
Recording Incidents: All workers are to be aware that evidence of Information Security incidents must be formally recorded, retained and passed to the Risk Management Department.
Reporting: All suspected Information Security incidents must be reported promptly to the appointed Information Security Manager.
Outside Authorities: Information Security incidents must be reported to outside authorities whenever this is required to comply with legal requirements or regulations. This may only be done by authorized persons.
Security Breaches: Any Information Security breaches must be reported without delay to the appointed Information Security Manager to speed the identification of any damage caused, all restoration and required repairs, and the gathering of any associated evidence.
Witnessing Security Breach: Persons witnessing Information Security incidents or breaches should report them to the Information Security Manager (ISM) without delay.
Security Weaknesses and Vulnerability Discussion: Workers who discover a weakness or vulnerability in the information security measures used by Zain must not discuss these matters with anyone other than Information Security management.
Retaliation: Any form of retaliation against an individual reporting or investigating information security problems or violations is prohibited.
Violation and Problem Reporting Identity: Workers who report a security problem, vulnerability, or an unethical condition within Zain to the Risk Management Department may, at their sole discretion, have their identity held in strict confidence.

13.2 Management of information security incidents and improvements
Information Security Alerts: The Risk Management Department must establish, maintain, and annually test a communications system allowing workers to promptly report suspected information security problems.
Incident Response Procedure: All computer operations staff must have an up-to-date documented procedure which clearly specifies how information security incidents will be handled. These staff members must also be trained annually in the use of these same procedures.
Emergency Response Team (ERT): Management must organize and maintain an in-house Emergency Response Team (ERT) that will provide accelerated problem notification, damage control, and problem correction services in the event of emergencies.
Security Incidents - Awareness Training: User awareness training must include coverage of security incident response, using the Zain database of security incidents as a tool for illustration.
Security Incidents - Information Archive: A database of Zain security incidents must be maintained that includes a description of each incident, the appropriate response, and, if available, measures to avoid future occurrences.
Security Incidents Investigation: Whenever evidence clearly shows that Zain has been victimized by a computer or communications crime, a thorough investigation must be performed.

14 Business continuity management
14.1 Information security aspects of business continuity management
Initiate BCP: Management is required to initiate a Business Continuity Plan.
Compliance with Standards: All divisions, departments, and other Zain organizational units must implement hardware, software, policies, and related procedures consistent with Zain standards in order to be supported on a priority basis in the event of an emergency or a disaster.
Manual Procedures: If Zain critical business activities could reasonably be performed (even for a short while) with manual procedures rather than computers, a manual computer contingency plan must be developed and annually tested and reviewed.
Application Criticality Rating: In conjunction with relevant information owners, the disaster recovery team must annually prepare or revise an assessment of the degree of criticality of all production multi-user computer applications.
Minimizing Impact: Plans are to be prepared, maintained, and tested annually to ensure that damage done by possible external cyber crime attacks can be minimized and that restoration takes place as quickly as possible.
Assessing the BCP: Management is to undertake a formal risk assessment in order to determine the requirements for a Business Continuity Plan.
Business Impact Analysis (BIA): After the annual organization-wide risk assessment has been completed, the Risk Management Department or its designee must perform a business impact analysis.
Developing the BCP: Management is to develop a Business Continuity Plan which covers all essential and critical business activities.

Disaster Recovery Plan (DRP): Owners of Zain's information systems must ensure that disaster recovery plans for their systems are developed, implemented, and annually tested and reviewed.
Business Continuity Plan (BCP) Documentation: A standard organization-wide process for developing and maintaining both business contingency plans and computer contingency plans must be documented.
Prioritizing Information Resources: Computer Operations management must establish and use a logical framework for segmenting required resources by recovery priority.
Departmental BCP Framework: All departments must use the logical framework for segmenting required resources by recovery priority established by the Computer Operations department when preparing information systems contingency plans.
Testing the BCP: The Business Continuity Plan is to be tested annually to ensure that management and staff understand how it is to be executed.
Training and Awareness: All staff must be trained and made aware of the Business Continuity Plan and their own respective roles.
Maintaining the BCP: The Business Continuity Plan is to be kept up-to-date and reviewed annually or when changes to business processes occur.
Contingency Planning and Systems Recovery Roles: The roles and responsibilities for both information systems contingency planning and information systems recovery must be reviewed and updated annually by the Risk Management Department.
Emergency Support Levels: User department management and Information Technology Department management must annually agree, document and obtain Information Security Management Committee approval for the support levels that will be provided in the event of a disaster and/or emergency.

15 Compliance
15.1 Compliance with legal requirements
Regulations and Requirements: All relevant statutory, regulatory, and contractual requirements must be defined and documented for each Zain information system.
Awareness: Human Resources Management is to ensure that all employees are fully aware of their legal responsibilities with respect to their use of computer-based information systems and data. Such responsibilities are to be included within key staff documentation (e.g., Terms and Conditions of Employment and the Zain Code of Conduct).
Copyright and Software Licensing: Human Resources Management is to prepare guidelines to ensure that all employees and third parties are aware of the key aspects of software copyright, intellectual property rights and licensing legislation, in so far as these requirements impact on their duties.
Domain Name Licenses: Registered domain names, whether or not actually used for Zain's Web sites, are to be protected and secured in a similar manner to any other valuable asset of Zain.
Unauthorized Copyrighted Information Removal: Systems administrators must remove all unauthorized copyrighted information and software stored on Zain systems or networks.
Intellectual Property Review: The Legal Department, working in conjunction with the Risk Management Department, must annually perform an intellectual property and information protection law review.
Information Retaining: Data retention periods for Zain information must be established to meet legal and business requirements and must be adhered to by all staff.
Archiving Documents: The archiving of documents must take place with due consideration for legal, regulatory, and business issues, with liaison between technical and business staff.
Information Retention: The information created and stored by Zain's information systems must be retained for a minimum period that meets both legal and business requirements.
Insuring Risks: A re-assessment of the threats and risks relating to Zain's business activities must take place annually to ensure Zain is adequately insured at all times.

Information Destruction: All Zain information must be destroyed or disposed of when no longer needed.
Data Protection: Zain intends to fully comply with the requirements of data protection legislation in so far as it directly affects Zain's business activities.
Data Confidentiality Protection: All employees are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after contractual relations with Zain.
Workplace Privacy: Notwithstanding Zain's respect for employees' privacy in the workplace, it reserves the right to have access to all information created and stored on Zain's systems.
Confidential Employee Information: All employee data is to be treated as strictly confidential and made available only to properly authorized persons.
Customers' Personal Information Procedures: Documented procedures for handling customers' personal information must be established, consistently followed, and reviewed annually.
Privacy Policy Applicability: The Zain privacy policy must pertain to all interactions with customers.
Gaining Unauthorized Access: Workers using Zain information systems are prohibited from gaining unauthorized access to any other information systems, or in any way damaging, altering, or disrupting the operations of these systems, or capturing or otherwise obtaining passwords, encryption keys, or any other access control mechanism which could permit unauthorized access.
Hacking Tools: Zain workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security.
Using Encryption: Where appropriate, sensitive or confidential information or data should always be transmitted in encrypted form. Prior to transmission, consideration must always be given to the procedures to be used between the sending and receiving parties and to any possible legal issues arising from the use of encryption techniques.
Information Technology - Regulatory Requirements: The Legal Department must advise the Chief Information Officer of all new or modified regulatory requirements with which the Information Technology Department must comply.

15.2 Compliance with security policies, standards and technical compliance

Policy Compliance: All employees are required to fully comply with Zain's Information Security Policy. The monitoring of such compliance is the responsibility of management.

Complying with Information Security Policy: All employees must comply with the Information Security Policy of Zain. Any information security incidents resulting from non-compliance will result in immediate disciplinary action.

Divisional Information Security Plans: Management within each Zain division must prepare an annual plan for bringing its computer and communications systems into compliance with published policies and standards.

Security Compliance - Information Systems: All information systems must be reviewed annually for their compliance with security policies and standards.

Security Compliance - Systems Providers: All systems providers must be reviewed annually for their compliance with security policies and standards.

Security Compliance Review - Owners: Internal audit must include an annual review of information asset owners for compliance with their security responsibilities.

Security Compliance Review - Users: All managers must review their subordinates' compliance with their security responsibilities for inclusion in the annual performance reviews.

Security Compliance Review - Management: Internal audit must include an annual review of management for compliance with their security responsibilities.

Information Security Risk Assessment: The Risk Management Department must conduct (or manage an independent party who conducts) an organization-wide risk assessment on an annual basis.

Information Security Compliance Checking: The Internal Audit Department must annually perform compliance checking related to information security policies, standards, and procedures.

Review of Information System Controls: The Internal Audit Department must annually review the adequacy of information system controls as well as compliance with such controls.

15.3 Information systems audit considerations

Audit Verification Timing: All audit verifications that must be performed on operational versions of production information must be executed during non-business hours.

Audit Verification Disruptions: All audit verifications that must be performed on operational versions of production information must be executed when the processing is least likely to disrupt any operation of Zain's business.

Audit Charter: A formal document that defines the responsibility, authority, and accountability of the internal audit department must be established.

System Audit Tools Access: Any areas that contain or store system audit tools must be equipped with sufficient access controls to ensure that the tools are not accessible to anyone without a need to know.

16 Document control

ADMINISTRATION: This policy must be communicated to all employees through appropriate channels to make them aware of the commitment to particular aims and targets. The policy might require changes to established ways of thinking or working, so it must be introduced in a suitable way.

OWNER: The owner of this policy is the Zain Group Risk Department.

INTERPRETATION: Questions pertaining to the interpretation of this policy may be referred to the Zain Group Risk Department.

COMPLIANCE: Annual and ad-hoc reporting on the monitoring activities that support this policy must be implemented.

VIOLATIONS: Any violation of this policy may result in disciplinary action, up to and including termination of employment. Zain reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Zain does not consider conduct in violation of this policy to be within an employee's or third party's course and scope of employment, or the direct consequence of the discharge of the employee's or third party's duties. Accordingly, to the extent permitted by law, Zain reserves the right not to defend or pay any damages awarded against employees or third parties that result from violation of this policy. Any employee or third party who is requested to undertake an activity which he or she believes is in violation of this policy should submit a written or verbal complaint to his or her manager, any other manager, or the Risk Management Department as soon as possible.

NOTE: Within the constraints of applicable law, Zain reserves the right to modify or terminate this policy at any time, with or without notice. Any exception to this policy must be approved in advance by the Risk Management Department. This document shall in no way be construed to represent a contract of employment between Zain and any employee or third party.

ENFORCEMENT: Any violations of the policy must be reported to the Group Risk Department, which determines the appropriate corrective and disciplinary action only after comprehensive analysis.

REFERENCES: This Information Security Manual Guidelines document is created according to the ISO 27001:2005 Information Security Management Standard.

Issue Specific Policies: Issue Specific Policies are directed policies created specifically to address day-to-day Zain activities and, in particular, to guide line employees and workers on how to securely deal with Zain information, resources and properties. The following Issue Specific Policies (among others) are currently available for implementation:

- Zain Password Policy
- Zain Email Use Policy
- Zain Wireless Communication Policy
- Zain Virtual Private Network Policy
- Zain Internet Use Policy
- Zain Clean Desk and Clear Screen Policy
- Network Access and Authentication Policy
- Security and Safety Guidelines
- Firewall Configuration Policy
- Zain Web Development Baseline