External Supplier Control Requirements

Similar documents
External Supplier Control Requirements

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Enterprise Computing Solutions

05.0 Application Development

Passing PCI Compliance How to Address the Application Security Mandates

8070.S000 Application Security

Cybersecurity and internal audit. August 15, 2014

Reducing the Cyber Risk in 10 Critical Areas

MS Information Security (MSIS)

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

Secure Code Development

Lot 1 Service Specification MANAGED SECURITY SERVICES

Protecting Your Organisation from Targeted Cyber Intrusion

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

G-Cloud Definition of Services Security Penetration Testing

93% of large organisations and 76% of small businesses

CompTIA Security+ (Exam SY0-410)

INFORMATION TECHNOLOGY SECURITY STANDARDS

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

CESG Certification of Cyber Security Training Courses

Attachment A. Identification of Risks/Cybersecurity Governance

The Protection Mission a constant endeavor

Introduction to Cyber Security / Information Security

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

Managing internet security

Where every interaction matters.

Critical Controls for Cyber Security.

Procuring Penetration Testing Services

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Defending Against Data Beaches: Internal Controls for Cybersecurity

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

INCIDENT RESPONSE CHECKLIST

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

DISTRIBUTED SYSTEMS SECURITY

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Technology Risk Management

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

NOS for IT User and Application Specialist. IT Security (ESKITU04) November 2014 V1.0

The Education Fellowship Finance Centralisation IT Security Strategy

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Reducing Application Vulnerabilities by Security Engineering

Ovation Security Center Data Sheet

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Working Practices for Protecting Electronic Information

Data Security Concerns for the Electric Grid

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Policy Title: HIPAA Security Awareness and Training

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Privacy + Security + Integrity

2015 Vulnerability Statistics Report

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Information security controls. Briefing for clients on Experian information security controls

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Web App Security Audit Services

Qualification Specification. Level 4 Certificate in Cyber Security and Intrusion For Business

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Data Security Incident Response Plan. [Insert Organization Name]

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Global Partner Management Notice

ABB s approach concerning IS Security for Automation Systems

Critical Security Controls

Patch and Vulnerability Management Program

IT Security Testing Services

Ovation Security Center Data Sheet

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

PENETRATION TESTING GUIDE. 1

INFORMATION SECURITY TESTING

Secure Web Applications. The front line defense

LogRhythm and NERC CIP Compliance

Goals. Understanding security testing

Cyber Attacks. Protecting National Infrastructure Student Edition. Edward G. Amoroso

Cyber Essentials Scheme

How To Protect Decd Information From Harm

Cyber security standard

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

ICANWK406A Install, configure and test network security

Managing IT Security with Penetration Testing

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Data Access Request Service

Supplier Security Assessment Questionnaire

Incident Response. Proactive Incident Management. Sean Curran Director

OCIE CYBERSECURITY INITIATIVE

Developing Secure Software in the Age of Advanced Persistent Threats

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

SUPPLIER SECURITY STANDARD

Transcription:

External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk

1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must be protected against physical tampering, loss, damage or seizure and inappropriate configuration or changes. If this principle is not implemented inappropriately protected Barclays Data could be compromised, which may result in legal and regulatory sanction, or reputational damage. Also services may be vulnerable to security issues which could compromise Barclays Data, cause loss of service or enable other malicious activity. 2. Change and Patch Management Barclays Data and all the systems used storing or processing it must be protected against inappropriate changes which could compromise availability or integrity. If this principle is not implemented, services may be vulnerable to security issues which could compromise consumer data, cause loss of service or enable other malicious activity. 3. Cloud / Internet Computing Barclays Data stored in the cloud private or on a public facing internet connection must be adequately protected via appropriate controls to prevent data leakage. If this principle is not implemented, inappropriately protected Barclays Data could be compromised which may result in legal and regulatory sanction, or reputational damage. 4. Cyber Security Risk Management Barclays Data and critical infrastructure must be adequately protected via appropriate people, processes and technology controls to prevent disruption of service or loss of data following cyber attacks. If this principle is not implemented, then sensitive information may be disclosed and / or there may be loss of service leading to legal and regulatory sanction, or reputational damage. Cyber risk assessment: The cyber security risk profile to the organisational operations, assets, and individuals must be understood by Assessing asset vulnerabilities Identifying both internal and external threats; and Assessing potential business impacts Risks and threats must be identified, prioritised and action taken accordingly to mitigate.

4. Cyber Security Risk Management (cont d ) Cyber security governance: Appropriate cyber security governance must be in place by ensuring that: A specialist Information / cyber security function which has responsibility for integrating information security consistently into the Supplier s business is in place The policies, procedures, and processes to manage and monitor the supplier s regulatory, legal, cyber risk, environmental, and operational requirements are understood, documented and in place and approved by Senior Management on an annual basis Incident response: Security incidents and data breaches must be responded to and reported to Barclays. An incident response process for timely handling and reporting of intrusions involving Barclays Data and/or services used by Barclays must be established. This must also include an appropriate approach to forensic investigations. 5. Malware Protection Anti-malware controls and tools must be in place to adequately protect against malicious software such as viruses and other forms of malware. If this principle is not implemented, then sensitive information may be disclosed leading to legal and regulatory sanction, or reputational damage. 6. Network Security All external and internal networks as part of the service must be identified and have appropriate protections to defend against attacks through them. If this principle is not implemented, external or internal networks could be subverted by attackers in order to gain access to the service or data within it. External connections: All external connections to the network must be documented, routed through a firewall and verified and approved prior to the connections being established to prevent data security breaches

6. Network Security (cont d) Wireless access: All wireless access to the network must be subject to authorisation, authentication, segregation and encryption protocols to prevent security breaches and agreed with Barclays Intrusion detection /prevention: Intrusion detection and prevention tools and systems must be deployed at all appropriate locations on the network and output monitored accordingly to detect for cyber security breaches including Advanced Persistent Threats (APTs). Distributed Denial of Service (DDoS): A defence in depth approach must be implemented in the network and key systems to protect at all times against service interruption via Cyber Attacks. This includes Denial of Service (DoS) and Distributed Denial of Services (DDoS) attacks. 7. Secure Development Services and systems including mobile applications must be designed and developed to mitigate and protect against vulnerabilities and threats to their security. If this principle is not implemented, services may be vulnerable to security issues which could compromise consumer data, cause loss of service or enable other malicious activity. Secure development methodology: All development must be undertaken in line with an approved documented Systems Development Methodology at all times to prevent security vulnerabilities and remediate the vulnerabilities. Environment segregation: All systems development/build must be undertaken in a non-production environment and segregation of duty enforced at all times to prevent data leakage and accidental data modification/deletion. There must be no live data in test unless agreed in advance by Barclays.

Why is this important 7. Secure Development (cont d) Quality assurance: The quality assurance function must check that all the key security activities have been incorporated into the system development process to prevent service interruptions and security vulnerabilities. 8. Security Assessment Software, IT Systems and services must be independently and rigorously tested for vulnerabilities. If this principle is not implemented, then sensitive information may be disclosed and / or loss of service may occur leading to legal and regulatory sanction, or reputational damage. 8. Security Assessment (cont d) Penetration test The Supplier shall engage an independent IT security assessment / penetration test of the IT infrastructure including disaster recovery sites. This must be undertaken at least annually to identify vulnerabilities that could be exploited to breach the privacy of Barclays Data through cyber attacks. All vulnerabilities must be prioritised and tracked to resolution. The test must be undertaken in line with Good Industry Practice and by a recognised Security Assessment Vendor.

Security Assessment means tests performed on the Supplier Systems in order to: a) identify design and/or functionality issues in applications or infrastructure; b) probe for weaknesses in applications, network perimeters or other infrastructure elements as well as weaknesses in process or technical countermeasures; c) identify potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws including, but not limited to, the following examples for infrastructure and application testing which could expose the Supplier and Barclays to risks from malicious activities; i. invalidated or un-sanitised input; ii. broken access control; iii. broken authentication and session management; iv. cross-site scripting (XSS) flaws; v. buffer overflows; vi. injection flaws; vii. improper error handling; viii. insecure storage; ix. denial of service; x. insecure configuration management; xi. proper use of SSL/TLS; xii. proper use of encryption; and xiii. anti-virus reliability and testing, This assessment will typically incorporate activities also commonly referred to as penetration testing. Security Assessment Vendor means a suitably qualified Third Party employed to perform a Security Assessment. IT Security 9. Systems Monitoring Monitoring and auditing and logging of systems must be in place to detect inappropriate or malicious activity. If this principle is not implemented, suppliers will not be able to detect and respond to inappropriate or malicious use of their service or data within reasonable timescales.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information