EUROPEAN COMMISSION
EUROSTAT

Directorate B: Methodology; Corporate statistical and IT services

Contact: Eurostat LISO

Guidelines for the implementation of the ESS Core IT Security Framework

Commission européenne, 2920 Luxembourg, LUXEMBOURG
Office: BECH

http://ec.europa.eu/eurostat

Index

1. INTRODUCTION
1.1. Objective
1.2. Scope

2. SECURITY POLICY MANAGEMENT
2.1. Management direction for information security

3. ORGANIZATION OF INFORMATION SECURITY
3.1. Internal organization

4. HUMAN RESOURCE SECURITY
4.1. Prior to employment
4.2. During employment

5. ASSET MANAGEMENT
5.1. Responsibility for assets
5.2. Information classification
5.3. Media handling

6. ACCESS CONTROL
6.1. Business requirements of access control
6.2. User access management
6.3. User responsibilities
6.4. System and application access control

7. CRYPTOGRAPHY
7.1. Cryptography controls

8. PHYSICAL AND ENVIRONMENTAL SECURITY
8.1. Secure areas
8.2. Equipment

9. OPERATIONS SECURITY
9.1. Operational procedures and responsibilities
9.2. Protection from malware
9.3. Backup
9.4. Logging and monitoring
9.5. Control of operational software
9.6. Technical vulnerability management

10. COMMUNICATIONS SECURITY
10.1. Network security management
10.2. Information transfer

11. SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
11.1. Security requirements of information systems
11.2. Security in development and support processes

12. SUPPLIER RELATIONSHIPS
12.1. Information security in supplier relationships

13. INFORMATION SECURITY INCIDENT MANAGEMENT
13.1. Management of information security incidents and improvements

14. INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
14.1. Information security continuity

15. COMPLIANCE
15.1. Compliance with legal and contractual requirements

1. INTRODUCTION

1.1. Objective

The objective of this document is to provide a common framework, applicable to all ESS members and between them, for the security measures to be put in place in order to build common and mutual trust.

Its purpose is to provide the basic guidelines covering the entry-pack level of security controls to be implemented by the organizations and information systems supporting the ESS.

The framework and related guidelines have been developed to achieve more secure information systems and effective risk management within the ESS by:

Facilitating a more consistent, comparable and repeatable approach for selecting and specifying security controls for information systems and organizations;

Providing a stable list of security controls that meets current information protection needs and the demands of future protection needs arising from changing threats, requirements and technologies;

Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness;

Facilitating communication and information exchange among ESS members regarding IT security.

1.2. Scope

The scope of the security framework is "management and exchange of microdata between member states". This "ESS Core IT Security Framework Guidelines" document, prepared by the ESS expert group, focuses only on this defined scope and covers entry-pack level controls.

2. SECURITY POLICY MANAGEMENT

2.1. Management direction for information security

Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

2.1.1. Policies for information security (5.1.1)

Control

A set of policies approved by the top management should be defined, published and communicated to all employees, external contractors and relevant parties.

Guidelines

A general corporate information security policy statement should be prepared. This statement should clarify the information security objectives and how the threats in the security environment (current and projected) are to be treated.

A high-level presentation of the scope of the information security policy should be provided, including:

a) Strategic business needs and requirements
b) The organization's legal requirements
   o Regulatory requirements
   o Legislative requirements
   o Contractual requirements

The core of the information security policy should include:

a) The definition, objectives and principles of information security, with basic principles to guide information security activities
b) Information security management responsibilities, assigning general and specific responsibilities to defined roles
c) Processes for handling deviations and exceptions

The information security statement should be supported by concrete, lower-level policies that further mandate the implementation of information security controls. These are usually structured to address the needs of specific groups within the organization (e.g. teleworkers) or to cover certain topics (e.g. statistical confidentiality and statistical disclosure control, SDC).

Examples of such policy topics include:

a) access control
b) information classification (and handling)
c) physical and environmental security
d) end-user oriented topics such as:
   1. acceptable use of assets
   2. clear desk and clear screen
   3. information transfer
   4. mobile devices and teleworking
   5. restrictions on software installation and use
e) backup
f) information transfer
g) protection from malware
h) management of technical vulnerabilities
i) cryptographic controls
j) communications security
k) privacy and protection of personally identifiable information
l) supplier relationships

Through an information security awareness, education and training programme (4.2.2), these policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to all stakeholders.

Evidences

The latest version of the general policy statement, as well as the topic-specific policies, should be provided. These documents should be available in English and published on the NSI's website.

2.1.2. Review of the policies for information security (5.1.2)

Control

Information security policies should be reviewed at regular intervals, or whenever significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.

Guidelines

Each information security policy approved by top-level management should have an owner responsible for its development, review and evaluation.

The review of the policies for information security should include:

a) Assessing opportunities for improvement
b) Responding to changes in the organizational environment, business circumstances, legal conditions or technical environment

Evidences

An adequate frequency for the information security policy review should be defined; the interval between two reviews should not exceed one year.

Management may approve the review periodicity. Finally, each policy document should contain a document history and/or revision history with at least the document version, date and approver name, to demonstrate that the document is reviewed within the planned intervals.

3. ORGANIZATION OF INFORMATION SECURITY

3.1. Internal organization

A management framework should be established to initiate and control the implementation of information security within the organization. Management should approve the information security policy, assign security roles and co-ordinate and review the implementation of security across the organization. If necessary, a source of specialist information security advice should be established and made available within the organization. Contacts with external security specialists or groups, including relevant authorities, should be developed to keep up with industry trends, monitor standards and assessment methods and provide suitable liaison points when handling information security incidents. A multi-disciplinary approach to information security should be encouraged.

3.1.1. Information security roles and responsibilities (6.1.1)

Control

All information security roles and responsibilities within the organization should be defined and allocated.

Guidelines

Security policies should assign information security responsibilities within the organization, and the organization should act in accordance with them. Responsibility for the protection of individual assets may be identified under these information security responsibilities. They also cover risk management activities, including the acceptance of residual risk. Assets and information security processes should be identified and defined, an entity made responsible for each, and the details of that responsibility documented.

Security tasks may be delegated by the responsible person to others, but the responsible person remains accountable for all delegated tasks and should ensure that they have been performed correctly.

Authorization levels should be defined, ensuring that the individuals appointed to information security responsibilities meet a minimum level of competence.

Evidences

An organizational chart should be provided, highlighting the security roles and providing job descriptions for them. Background references for security positions should be provided in order to assess the minimum required qualifications.

3.1.2. Segregation of duties (6.1.2)

Control

Conflicting duties and areas of responsibility should be segregated to reduce the opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Guidelines

Controls should be designed and implemented so that no single person can access, modify or use assets outside their area of responsibility without authorization or detection. In particular, the initiation of an event should be separated from its authorization: the person who requests an action (e.g. a microdata transfer) should not be the one who approves it.

Evidences

Provide proof of the controls in place (e.g. screenshots, configurations) that enforce the segregation of duties, and the list of users and their roles under a role-based access control (RBAC) approach.
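One way to check segregation of duties mechanically rather than by inspecting screenshots, as an added example that is not part of these guidelines: a static separation-of-duty check over an RBAC role assignment. The roles, permissions, conflict pairs and the sample assignment are hypothetical, modelled on a microdata request / approve / export workflow; the point is that the check runs over effective permissions, so a conflict that only appears when two otherwise harmless roles are combined is caught.

```python
"""Static separation-of-duty (SoD) check over an RBAC role assignment.

Added example, not part of the ESS guidelines. Roles, permissions, conflict
pairs and the sample assignment are hypothetical, modelled on a microdata
request / approve / export workflow.
"""

# Hypothetical role -> permission mapping (the RBAC part of the control).
ROLE_PERMISSIONS = {
    "requester": {"microdata.request"},
    "approver": {"microdata.approve"},
    "custodian": {"microdata.read", "microdata.export"},
    "auditor": {"auditlog.read"},
    "admin": {"account.manage"},
}

# Conflicting duties: no single person may hold both permissions of a pair,
# whichever roles grant them. Initiating a request is separated from
# authorizing it, authorizing from releasing the data, and administering
# accounts from reviewing the audit log.
CONFLICTS = [
    ("microdata.request", "microdata.approve"),
    ("microdata.approve", "microdata.export"),
    ("account.manage", "auditlog.read"),
]


def effective_permissions(roles):
    """Union of the permissions granted by a set of roles; unknown roles are an error."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(assignments):
    """List every (user, perm_a, perm_b) where one user holds a conflicting pair.

    `assignments` maps user -> set of roles. The check runs over effective
    permissions, so a conflict that only arises from combining two roles
    (rather than from a single over-broad role) is caught as well.
    """
    found = []
    for user in sorted(assignments):
        perms = effective_permissions(assignments[user])
        for a, b in CONFLICTS:
            if a in perms and b in perms:
                found.append((user, a, b))
    return found


def can_grant(assignments, user, new_role):
    """Pre-assignment check: True if adding `new_role` to `user` keeps SoD intact."""
    proposed = dict(assignments)
    proposed[user] = set(assignments.get(user, ())) | {new_role}
    return not any(v[0] == user for v in sod_violations(proposed))


# Constructed sample assignment: "bob" both requests and approves, which
# breaks the first conflict rule; everyone else is clean.
SAMPLE_ASSIGNMENTS = {
    "alice": {"requester"},
    "bob": {"requester", "approver"},
    "carol": {"custodian"},
    "dave": {"auditor"},
}


if __name__ == "__main__":
    for user, a, b in sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    print("carol may become approver:", can_grant(SAMPLE_ASSIGNMENTS, "carol", "approver"))
```

Running `sod_violations` over the exported user/role list of the real system, and `can_grant` before every role change, turns the evidence requested above into a repeatable check rather than a one-off review. The conflict list is the part that needs the organization's own judgement; the mechanics do not change.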

3.1.3. Information security in project management (6.1.5)

Control

Information security should be part of the process in every project undertaken by the organization.

Guidelines

In order to cover all the information security risks that may exist in a project, information security should be integrated into the project management process. Information security objectives should be added to the project objectives, making information security part of every project phase and defining the information security responsibilities.

An information security risk assessment should be carried out at the beginning of each project to ensure that the needed controls are identified.

Finally, regular reviews should be carried out for each project, addressing all possible information security issues and implications.

Evidences

Provide the organization's project management process showing that security is part of it, and proof that security requirements have been communicated for a specific internal project.

4. HUMAN RESOURCE SECURITY

4.1. Prior to employment

Security responsibilities should be addressed prior to employment, in adequate job descriptions and in the terms and conditions of employment. All candidates for employment, contractors and third-party users should be adequately screened, especially for sensitive jobs. Employees, contractors and third-party users of information processing facilities should sign an agreement on their security roles and responsibilities.

4.1.1. Terms and conditions of employment (7.1.2)

Control

The contractual terms and conditions for employees, contractors and third parties should state their information security responsibilities.

Guidelines

The contractual obligations of employees and contractors should reflect the following points related to the information security policies:

a) Signing a confidentiality or non-disclosure agreement (10.2.4) if access to confidential information is needed
b) Legal responsibilities and rights (e.g. copyright law, data protection legislation (15.1.3))
c) Responsibilities for the classification of information and the management of corporate assets (Clause 5)
d) Handling of information received from other companies or third parties
e) Actions to be taken if the organization's security requirements are disregarded

The information security terms and conditions should be accepted before employees and contractors are given access to the organization's assets associated with information systems and services.

Evidences

Provide a sample contract for employees and contractors, signed by all stakeholders, in which all of the above points are reflected.

4.2. During employment

Management responsibilities should be defined to ensure that security is applied throughout an individual's employment within the organization. An adequate level of awareness, education and training in security procedures and in the correct use of information processing facilities should be provided to all employees, contractors and third-party users to minimize possible security risks. A formal disciplinary process for handling security breaches should be established.

4.2.1. Management responsibilities (7.2.1)

Control

Management should require all employees and contractors to apply the organization's information security policies and procedures.

Guidelines

Management should act as information security role models, supporting the organization's policies, procedures and controls, enforcing them and motivating employees and contractors.

At the same time, management should make people aware of their responsibilities, clarifying the information security responsibilities of each job and expecting people to reach a defined level of security awareness. Management should enforce the terms and conditions on employees and contractors using appropriate working methods.

All personnel should meet the minimum qualifications needed to be competent in their daily tasks; management should ensure that the right skills and qualifications are in place and that people's knowledge is kept up to date. Management should set up a confidential channel for reporting violations of security policies and procedures.

Evidences

Provide a sample of internal communication signed by management supporting the information security policies. Provide proof of the corporate channel created for reporting violations of security policies and procedures, as well as an inventory of the incidents reported by users as proof of employees' awareness.

4.2.2. Information security awareness, education and training (7.2.2)

Control

All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training, and regular updates on the organization's security policies and procedures and on recent changes, as relevant to their job responsibilities.

Guidelines

The information security awareness programme should be aligned with the organization's security policies and procedures, providing employees and contractors with the information appropriate to their roles.

The awareness programme should cover all information relevant to employees and contractors, such as their specific security obligations, the information that should be protected and the controls to be adopted.

The information security awareness programme may be delivered through different means, such as:

a) Booklets and newsletters to raise awareness
b) Campaigns to raise security awareness
c) Classroom-based teaching methods
d) Web-based teaching methods
e) Self-paced learning methods
f) Distance learning methods

Awareness activities should be scheduled at a defined regular interval for current employees, and on arrival for new employees or on change of role. The activities should cover the importance of complying with policies, legislation, regulations, agreements, standards and contracts, and the organization's information security expectations and responsibilities. Acceptable use policies (e.g. the clear desk and clear screen policy) may be included in the training. Users should be given points of contact in the security department for additional information, further training material or training resources.

At the end of the information security awareness programme, users should be assessed to check that they understand and comply with the organization's policies, procedures and security measures, and as proof of attendance. The awareness programme may be updated based on lessons learnt from security incidents.

Evidences

A sample of the training presentation should be provided, complemented by the list of attendees with their signatures. The training date should be included in the attendance list in order to prove the frequency of the sessions. Training evaluations (questionnaire and marks) should be provided, together with the internal communications of security awareness campaigns. Internal channels, websites or web-based courses, if any, should also be demonstrated (e.g. using screenshots).

5. ASSET MANAGEMENT

5.1. Responsibility for assets

All assets should be accounted for and have a nominated owner. Owners should be identified for all assets and the responsibility for maintaining appropriate controls should be assigned. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains responsible for the proper protection of the assets.

5.1.1. Inventory of assets (8.1.1)

Control

Corporate assets associated with information and information processing facilities should be identified, and an inventory of all of them compiled and maintained.

Guidelines

In order to protect the corporate assets associated with information, the organization should:

a) Identify assets throughout the information lifecycle
b) Document the importance of each asset, aligned with the business objectives
c) Include in the information lifecycle the creation, processing, storage, transmission, deletion and destruction of information
d) Maintain the documentation in dedicated or existing repositories that are adequately protected (Clause 7)
e) Assign ownership for each identified asset and identify its information classification

Evidences

Provide the asset inventory with the owner of each asset and all the information needed to identify each asset.

5.1.2. Acceptable use of assets (8.1.3)

Control

Rules for the acceptable use of assets associated with information and information processing facilities should be defined, documented and implemented.

Guidelines

All employees working in the corporate facilities, as well as third parties, should:

a) Be aware of the organization's information security requirements related to information, information processing facilities and resources
b) Be responsible for their use of any information processing resources

Evidences

Provide a sample of the acceptable use policy for corporate assets and the internal communication sent to all users to make them aware of this policy.

5.1.3. Return of assets (8.1.7)

Control

All employees, contractors and external parties should return the corporate assets associated with information processing facilities in their possession when their employment or contract ends.

Guidelines

A process should be in place to ensure that employees formally return physical and electronic assets when their employment or contract ends. Valuable knowledge held by departing personnel should be preserved, documented and transferred before they leave the organization. Unauthorized copying of company information during the notice period of termination should be controlled and prevented.

Evidences

Provide a sample of the security process for the return of assets by employees and show how it is integrated into the corporate processes.

5.2. Information classification

Information should be classified to indicate the need, priorities and expected degree of protection when handling it. Information has varying degrees of sensitivity and criticality; some items may require an additional level of protection or special handling. An information classification scheme should be used to define an appropriate set of protection levels and communicate the need for special handling measures.

5.2.1. Classification of information (8.2.1)

Control

A corporate information classification scheme should be adopted in order to comply with the applicable legal requirements, prevent the unauthorized disclosure or modification of sensitive information and classify information according to its criticality for the corporate business.

Guidelines

The information classification scheme should meet the applicable legal requirements, follow the access control policy and address the business needs. The scheme should allow both information sharing and access restriction. Asset owners should be accountable for the applicable classification, ensuring consistency and a common understanding. The classification levels should have intuitive names so that all employees classify information in the same way. It should be ensured that the security measures protecting confidential information are widely understood, and that the confidentiality, integrity and availability requirements are covered and understood.

The information classification scheme should be integrated into the corporate processes in order to ensure that valuable, sensitive and critical information is protected. A lifecycle for the classification of information should be in place and aligned with organizational changes. The classification should be reviewed to reflect changes in requirements (e.g. confidentiality, availability, integrity) and changes in the information itself (e.g. its value, criticality or sensitivity).

Evidences

Provide a sample of each type of document as classified under the information classification scheme, and show how the scheme is integrated into the corporate processes.

5.2.2. Labelling of information (8.2.2)

Control

Procedures for labelling information should be developed and implemented in accordance with the information classification scheme (5.2.1).

Guidelines

The procedures for labelling information should cover the following points:

a) Labelling reflects the information classification scheme
b) Labels are easily recognized by employees
c) The procedure gives guidance on where and how labels are attached, based on how the information is accessed

Evidences

A sample (e.g. screenshot, picture) of a document with the corresponding label should be provided, together with the procedures for labelling information.

5.2.3. Handling of assets (8.2.3)

Control

Procedures for handling the assets associated with information and information processing facilities should be developed and implemented in accordance with the information classification scheme (5.2.1).

Guidelines

Procedures for handling, processing, storing and communicating information should cover the following:

a) Protection requirements restricting access for each level of classification
b) Keeping a record of the authorized recipients of assets
c) Ensuring that copies of information are protected in the same way as the original information
d) Following the manufacturer's specifications for the storage of IT assets

It should be taken into account that, depending on business objectives, the classification may vary when information moves between organizations:

e) Agreements with other organizations should be in place that include procedures for identifying information and interpreting labels

Evidences

Provide a sample of the procedure for handling assets and the protection controls (e.g. configuration files, screenshots) that restrict access to the assets. Provide the record of authorized recipients, the records of the copies of information made and the agreements signed with other organizations.

5.3. Media handling

Information stored on media should be protected against unauthorized access to prevent its disclosure, modification, removal or destruction. The protection measures should be set in accordance with the classification scheme adopted by the organization.

5.3.1. Management of removable media (8.3.1)

Control

Procedures for managing removable media should be established, ensuring that the media management procedures are aligned with the information classification scheme.

Guidelines

The removable media management procedures should control the appropriate use of media, reducing the risk of data loss, enabling media drives only where there is a business justification and monitoring data transfers. Protection measures should include cryptographic techniques, transferring data to fresh media before it degrades, and making content unrecoverable when it is no longer needed (e.g. by destroying the key used to encrypt the media, or by secure erasure).

Methods to control storage on removable media should be in place, storing valuable data on separate media and protecting removable media against multiple copying. Removable media should be stored in a safe, secure environment in accordance with the manufacturer's specifications.

A system of authorization to control the removal of media should be established, with the authorization levels defined and documented. Records should be kept so as to maintain an audit trail.

Evidences

Provide a sample of the procedure for managing removable media. The document defining the authorization levels should be provided, complemented by the records kept for audit purposes.
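The authorization levels and audit trail asked for above can be kept in a form that is checkable later rather than as a spreadsheet anyone can edit. The following is an added example, not part of these guidelines: each media-removal request is decided against an approver level, and every decision (approved or refused) is appended to a hash-chained trail in which each entry commits to the previous one, so a modified, deleted or reordered record is detectable. The classification tiers, approver roles, media identifiers and record fields are hypothetical, and the sample trail is constructed.

```python
"""Authorization levels and a hash-chained audit trail for media removals.

Added example, not part of the ESS guidelines. The classification tiers,
approver roles, media identifiers and record fields are hypothetical.
"""
import hashlib
import json

# Hypothetical tiers: the minimum approver level needed to authorize the
# removal of media holding information at each classification level.
REQUIRED_LEVEL = {"public": 0, "internal": 1, "confidential": 2}
APPROVER_LEVEL = {"staff": 0, "line_manager": 1, "security_officer": 2}

GENESIS_HASH = "0" * 64  # previous-hash value of the first record


def authorize_removal(classification, approver_role):
    """True if the approver's level covers the media's classification level.

    An unknown classification raises KeyError; an unknown approver role is refused.
    """
    needed = REQUIRED_LEVEL[classification]
    return APPROVER_LEVEL.get(approver_role, -1) >= needed


def _entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # produces the same hash; the previous entry's hash is chained in.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(trail, record):
    """Append a record to the trail, linking it to the previous entry."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS_HASH
    entry = {"record": record, "prev": prev_hash,
             "hash": _entry_hash(prev_hash, record)}
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return the index of the first broken entry, or -1 if the chain is intact.

    A modified, deleted or reordered entry breaks the chain at that point.
    """
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(trail):
        if entry["prev"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return -1


def record_removal(trail, timestamp, media_id, classification, requester, approver, approver_role):
    """Decide on a media-removal request and record the decision either way."""
    decision = "approved" if authorize_removal(classification, approver_role) else "refused"
    append_record(trail, {
        "timestamp": timestamp,
        "media_id": media_id,
        "classification": classification,
        "requester": requester,
        "approver": approver,
        "approver_role": approver_role,
        "decision": decision,
    })
    return decision


def build_sample_trail():
    """Constructed sample: two requests to take the same USB stick off site."""
    trail = []
    record_removal(trail, "2024-01-10T09:00:00Z", "USB-0042", "confidential",
                   "alice", "bob", "line_manager")        # refused: level 1 < 2
    record_removal(trail, "2024-01-10T10:30:00Z", "USB-0042", "confidential",
                   "alice", "carol", "security_officer")  # approved
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print([e["record"]["decision"] for e in trail],
          "intact" if verify_trail(trail) == -1 else "broken")
```

The chain on its own only proves internal consistency: whoever can rewrite the whole trail can re-chain it. It becomes evidence when the latest hash is regularly anchored somewhere the trail's writers cannot alter (a write-once store, a signed daily digest, or a copy held by the security officer), which is what the auditor should ask for alongside the records.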

5.3.2. Disposal of media (8.3.2)

Control

Formal procedures, covering all employees, should be established for the secure disposal of storage media that is no longer required.

Guidelines

A formal procedure for the secure disposal of media should be established, identifying the confidential items to which it applies, so as to reduce the risk of damaging leaks. Data that may become sensitive should be carefully identified, considering the “aggregation effect”.

Procedures should control how information is destroyed, considering incineration, shredding and erasure. Procedures might also cover the selection of disposal companies, based on suitable experience and adequate controls.

Procedures to control media disposal records should be developed, maintaining an audit trail in line with applicable legal requirements.

Evidences

Provide a sample procedure for the disposal of media, and proof that the organization provides employees with the means to destroy or deposit confidential information securely (e.g. shredders, special bins for confidential papers).

5.3.3. Physical media transfer (8.3.3)

Control

Physical media containing information that requires protection should be protected during transport, preventing unauthorized access, corruption or misuse of the media.

Guidelines

Procedures to verify the identity of couriers should be developed, ensuring that reliable methods are used and establishing a list of authorized couriers approved by management.

Adequate packaging to protect media during transit should be used, following manufacturer specifications and protecting the content from physical damage. Exposure to environmental hazards and threats (e.g. electromagnetic fields, heat, moisture) should be prevented.

Logs or records of media transfers should be kept, in compliance with applicable legal requirements, identifying the information transferred, the methods used, and the dates and times of dispatch and arrival.

Evidences

Provide a sample procedure for physical media transfer, proof that transferred media complies with the required controls (e.g. a picture), and the document containing the transfer logs or records.

6. ACCESS CONTROL

6.1. Business requirements of access control

Access to information, information processing facilities, and business processes should be controlled on the basis of business and security requirements. Access control rules should take account of policies for information dissemination and authorization.

6.1.1. Access control policy (9.1.1)

Control

A policy to control access to information should be established, documented and aligned with the organization's business requirements.

Guidelines

The policy should clarify access rules, rights and restrictions. It should state the business requirements for controlling access to corporate applications and the importance of the access control policy, including compliance with applicable legal requirements. Requirements for keeping and archiving access records should be established.

Authorization and dissemination policies should be developed on the need-to-know principle. The policy should also be aligned with the information classification scheme (8.2), clarifying security levels and ensuring that classification and access policies are consistent. Access control roles should be defined, segregating the roles that request, authorize and administer access, and ensuring that requests are formally authorized.

The policy should be implemented according to the following parameters:

a) Asset owners should be involved in the implementation of the access control policy:
   1. Access controls should be applied across systems and networks
   2. Access controls should be applied consistently
b) Asset owners should check that the policy is applied by each user group and role
c) Access rules, rights and restrictions should be clarified by asset owners
d) A security risk assessment should be performed to establish access controls
e) Logical and physical measures should be considered when applying access control

Evidences

Provide a sample access control policy, proof (e.g. screenshot) that the policy is available to all users, and the internal communication sent to make all users aware of it. Provide the list of logical and physical security controls in place to control access to the organization (e.g. configuration files, screenshots, pictures). A sample document, created by an asset owner, controlling access to the assets under their responsibility should be provided.

6.1.2. Access to networks and network services (9.1.2)

Control

Users should be granted access only to the corporate network and network services that they have been specifically authorized to use.

Guidelines

A policy to control the use of corporate networks and network services should be established, covering:

a) Identification of the networks and network services that users may access
b) Authorization procedures to control which users may have access
c) Management controls and procedures to protect access

The methods that may be used to gain access, such as VPN or wireless networks, should be specified in the policy. Authentication requirements for each network service should be clarified, and monitoring controls added for each of them in accordance with the information classification scheme. The network use policy and the access control policy should be kept consistent with each other.

Evidences

Provide a sample policy for the use of the corporate network, proof (e.g. screenshot) that the policy is available to all users, and the internal communication sent to make all users aware of it. A network diagram identifying the different zones, with the IP ranges and services of each zone, should be provided. Provide proof of the remote access measures in place (e.g. configuration files, screenshots).

6.2. User access management

Formal procedures should be in place to control the allocation of access rights to information systems and services. The procedures should cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention should be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

6.2.1. User registration and de-registration (9.2.1)

Control

A formal user registration and de-registration process should be established and implemented to enable the assignment of access rights.

Guidelines

A formal user management process should be developed and documented, assigning a unique ID to each individual user and linking actions to that user ID so that users can be held accountable. Shared IDs should be granted only where there is a business justification and through a formal approval process.

The process should include clear procedures to disable or remove IDs immediately when users leave the organization, and the periodic identification and removal or disabling of redundant or duplicated user IDs.

Evidences

Provide the process for user access management. Configuration files for Active Directory, or any other database used to control user registration, should be provided, together with the internal communication between organizational units (e.g. HR) used to centrally manage user registration and de-registration.

6.2.2. User access provisioning (9.2.2)

Control

A formal user access provisioning process should be established and implemented, ensuring that access for all types of user to all types of systems and services is covered, and that access is assigned or revoked according to job functions.

Guidelines

The user access provisioning process should include communication with the owners of systems and services in order to authorize and update access. Management approval might be included in the process. Access granted should be checked against segregation of duties requirements (3.1.2) and security policies.

A central record of the access rights granted to user IDs should be maintained for a defined period of time, in compliance with applicable legal requirements. Asset owners should be asked to review access rights periodically.

Evidences

Provide the process document and a sample of the internal communication used to grant a user access to specific systems, including management approval in the communication flow. Provide a copy of the records kept, in accordance with applicable laws.

6.2.3. Management of privileged access rights (9.2.3)

Control

Allocation and usage of privileged access rights should be controlled and restricted.

Guidelines

An authorization process should be developed to manage the granting and use of privileged access rights, ensuring that it complies with the corporate access control policy (6.1.1). User identification and authorization should follow the need-to-use principle, assigning the minimum rights required for the user's specific job. An expiration period should be assigned to each allocation.

Generic administrative user IDs should be forbidden; administrative IDs should be easily recognizable and constructed differently from regular user IDs, and procedures should be established to control their use. The sharing of administrators' secret authentication information should be controlled, preserving the confidentiality of authentication information. Passwords should be changed in accordance with the corporate password policy.

A record of privileged access authorizations should be kept, recording who received the rights, who authorized them and which access rights were granted. The process should be reviewed periodically, in line with the information security policy review, verifying the list of users and their competence to perform their duties.

Evidences

Provide the authorization process for privileged access rights. Provide the documented record, which should contain the user ID (not a generic account), the expiration time of the granted privileges, the business justification and the management approval.

6.2.4. Management of secret authentication information of users (9.2.4)

Control

A formal process should manage users' secret authentication information, controlling the allocation of this sensitive information.

Guidelines

Users should be made responsible for the secret authentication information allocated to them, and accountable for it by signing an agreement.

Procedures should be established to verify a user's identity before secret authentication information is assigned. Users should acknowledge receipt of authentication data. The use of default secret authentication information, including defaults supplied by software vendors, should be prevented.

Evidences

Provide the process and procedures for the management of secret authentication information.

6.2.5. Review of user access rights (9.2.5)

Control

Access rights to corporate assets should be reviewed by asset owners on a regular basis.

Guidelines

Access rights reviews should be performed as follows:

a) User access rights should be reviewed at least every 6 months or after any internal change in the organization
b) Privileged access rights authorizations should be reviewed on a regular basis
c) Changes to privileged accounts should be logged

Evidences

Provide the process specifying how internal access rights reviews are performed, and the management approval of that process.
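
The review described in 6.2.3 and 6.2.5 can be supported by a script run over the organization's access register. The following is an added example and not part of the ESS guideline: it walks a constructed register of access grants and reports what an asset owner would look for, i.e. privileged grants past their expiry date or without a recorded authorizer or expiry, generic administrative IDs, and grants not reviewed within the six-month cadence. The record layout, the field names, the 182-day cut-off and the list of generic IDs are assumptions made for this example.

```python
"""Access-rights review helper.

Added example, not part of the ESS guideline: it walks a constructed register
of access grants and reports what an asset owner reviewing under 6.2.3 and
6.2.5 would look for. The record layout, field names and the list of generic
administrative IDs are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# 6.2.5 a): reviews at least every 6 months (182 days assumed as the cut-off).
REVIEW_INTERVAL = timedelta(days=182)
# 6.2.3: generic administrative IDs are forbidden; this list is an assumption.
GENERIC_ADMIN_IDS = {"admin", "administrator", "root", "sysadmin"}


@dataclass
class AccessGrant:
    user_id: str
    asset: str
    rights: str                 # e.g. "read", "read/write", "admin"
    privileged: bool            # privileged access right (6.2.3)
    granted_by: Optional[str]   # who authorized the grant; None if unrecorded
    expires: Optional[date]     # expiry assigned to a privileged allocation
    last_reviewed: date         # date of the last asset-owner review


@dataclass
class Finding:
    user_id: str
    asset: str
    issue: str


def review_grants(grants: List[AccessGrant], today: date) -> List[Finding]:
    """Return one Finding per deviation from the 6.2.3 / 6.2.5 requirements."""
    findings: List[Finding] = []
    for g in grants:
        if g.user_id.lower() in GENERIC_ADMIN_IDS:
            findings.append(Finding(g.user_id, g.asset, "generic administrative ID"))
        if g.privileged:
            if g.granted_by is None:
                findings.append(Finding(g.user_id, g.asset,
                                        "privileged grant without recorded authorizer"))
            if g.expires is None:
                findings.append(Finding(g.user_id, g.asset,
                                        "privileged grant without expiry"))
            elif g.expires < today:
                findings.append(Finding(g.user_id, g.asset,
                                        f"privileged grant expired on {g.expires.isoformat()}"))
        # Exactly REVIEW_INTERVAL days old is still within the cadence.
        if today - g.last_reviewed > REVIEW_INTERVAL:
            findings.append(Finding(g.user_id, g.asset, "not reviewed within 6 months"))
    return findings


# Constructed sample register; none of these users, assets or dates are real.
SAMPLE_GRANTS = [
    AccessGrant("jdoe", "hr-db", "read", False, "hr-owner", None, date(2024, 3, 1)),
    AccessGrant("asmith-adm", "hr-db", "admin", True, "hr-owner", date(2024, 5, 31), date(2024, 3, 1)),
    AccessGrant("admin", "file-server", "admin", True, None, None, date(2023, 11, 1)),
    AccessGrant("mlee", "finance-app", "read/write", False, "fin-owner", None, date(2023, 12, 15)),
]


def sample_review(today: date = date(2024, 6, 30)) -> List[Finding]:
    """Run the review over the constructed register as of a fixed date."""
    return review_grants(SAMPLE_GRANTS, today)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.user_id:12} {f.asset:12} {f.issue}")
```

The output of `sample_review()` is the list an asset owner would sign off on; in practice the register would be exported from the directory or application and the findings attached to the review record requested under the Evidences above.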

6.2.6. Removal or adjustment of access rights (9.2.6)

Control

User access rights to information and information processing facilities should be removed or adjusted whenever the user's contractual relationship with the organization is terminated or modified.

Guidelines

A risk assessment should be performed whenever users change jobs or leave, considering the reasons for the change, their current responsibilities and the criticality of the assets involved.

Whenever there is an employment change, user access rights, both physical and logical, should be modified or adjusted, removing, revoking or replacing keys and identification cards for access to facilities and subscriptions. Access rights should be reviewed against the new job functions and those no longer needed removed. Passwords should be changed whenever there is a job change or departure, and all documents that identify user access rights should be updated.

Evidences

Provide the risk assessment performed and the procedure for managing an employee's change of job function, including the reassessment of access rights.

6.3. User responsibilities

The co-operation of authorized users is essential for effective security. Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment. A clear desk and clear screen policy should be implemented to reduce the risk of unauthorized access or damage to papers, media, and information processing facilities.

6.3.1. Use of secret authentication information (9.3.1)

Control

The management of secret authentication information should be clarified and specified to users, following best practices, making sure that users understand how the information should be safeguarded and that the organization's requirements are complied with.

Guidelines

User awareness should cover safeguarding secret authentication information and not sharing it with others. Users should store secret information only using officially approved storage methods and should not keep informal records of it. Users should be advised to change their secret authentication information whenever it is compromised.

A password policy should be implemented, requiring users to meet a minimum password quality and to protect the confidentiality of their passwords. Enforcement measures should ensure that default passwords are changed after the first log-on.

Evidences

Provide the internal communication sent to users to raise awareness about secret authentication information. Provide the password policy.

6.4. System and application access control

Access to information and application system functions should be restricted in accordance with the access control policy to prevent unauthorized access.

6.4.1. Information access restriction (9.4.1)

Control

Access control policy (6.1.1) should be applied to restrict access to information and application system functions.

Guidelines

Security measures should be developed to restrict access to information and applications, aligned with the access control policy and based on business requirements. The following points should be considered:

a) Providing menus to control access to application system functions;
b) Controlling which data can be accessed by a particular user;
c) Controlling the access rights of users, e.g. read, write, delete and execute;
d) Controlling the access rights of other applications;
e) Limiting the information contained in outputs;
f) Providing physical or logical access controls for the isolation of sensitive applications, application data, or systems.

Evidences

Provide all available proofs (e.g. screenshots, configuration files) showing that access to information and applications is restricted and aligned with the access control policy. The policy should be provided as well.

6.4.2. Secure log-on procedures (9.4.2)

Control

Where required by the access control policy, a secure log-on procedure to control access to systems and applications should be developed.

Guidelines

Authentication measures to verify identities should be in place, using strong passwords. Where access to confidential information is required, strong authentication should be used, considering cryptographic, token-based, smart card or biometric authentication methods.

Log-on procedures for systems and applications should be developed, displaying a warning message that access to corporate computers is allowed only to authorized users. The information available to unauthorized users should be limited: the system should not display help messages that could assist an unauthorized user, passwords should be hidden or masked while being entered, the procedure should protect against brute force attacks, passwords should not be transmitted in clear text, and the opportunities available to unauthorized users should be limited.

A security event should be reported whenever log-on controls are breached, and both successful and unsuccessful log-on attempts should be logged.

Evidences

Provide all available proofs (e.g. screenshots, configuration files) showing how log-on is performed on each system, the additional measures for log-on to systems containing confidential information, and the warning message shown to users. The procedure should be provided, together with the record of security issues reported by users and the channel through which they are reported.
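
The requirement above to log every successful and unsuccessful log-on attempt and to report a security event when log-on controls are breached is only useful if someone reads the log. The following is an added example, not part of the ESS guideline: it parses a handful of constructed log-on records and raises the two events 6.4.2 is concerned with, a burst of unsuccessful attempts from one user and source (the signature of a brute force attempt) and a successful log-on that follows such a burst. The record format, the 5-minute window and the 5-attempt threshold are assumptions made for this example; a real deployment would take them from the log-on procedure.

```python
"""Log-on event review.

Added example, not part of the ESS guideline: it parses constructed log-on
records and flags the conditions 6.4.2 asks the log-on procedure to detect,
bursts of unsuccessful attempts (brute force) and a successful log-on that
follows such a burst. The log format, window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

# Assumed record format: "<ISO timestamp>Z login user=<id> src=<ip> result=SUCCESS|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)
WINDOW = timedelta(minutes=5)   # assumption: failures are counted within 5 minutes
THRESHOLD = 5                   # assumption: 5 failures in the window raise an event

Alert = Tuple[str, str, str, str]  # (kind, user, source, timestamp)


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; malformed lines return None and are skipped."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "user": m["user"], "src": m["src"], "result": m["result"],
    }


def detect_logon_abuse(lines: List[str]) -> List[Alert]:
    """Raise 'repeated_failures' once per burst, and 'success_after_failures'
    when a burst is followed by a successful log-on from the same user/source."""
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    already_raised: Set[Tuple[str, str]] = set()
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        recent = failures[key]
        # Drop failures that have fallen out of the sliding window.
        while recent and ev["ts"] - recent[0] > WINDOW:
            recent.popleft()
        stamp = ev["ts"].isoformat()
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            if len(recent) >= THRESHOLD and key not in already_raised:
                alerts.append(("repeated_failures", key[0], key[1], stamp))
                already_raised.add(key)
        else:
            if len(recent) >= THRESHOLD:
                alerts.append(("success_after_failures", key[0], key[1], stamp))
            # A successful log-on closes the burst; a new one may be raised later.
            recent.clear()
            already_raised.discard(key)
    return alerts


# Constructed sample records; the users and addresses are invented.
SAMPLE_LOG = [
    "2024-06-01T08:00:01Z login user=jdoe src=10.0.0.5 result=FAIL",
    "2024-06-01T08:00:12Z login user=jdoe src=10.0.0.5 result=FAIL",
    "2024-06-01T08:00:20Z login user=mlee src=10.0.0.9 result=FAIL",
    "2024-06-01T08:00:25Z login user=jdoe src=10.0.0.5 result=FAIL",
    "2024-06-01T08:00:31Z login user=mlee src=10.0.0.9 result=SUCCESS",
    "2024-06-01T08:00:36Z login user=jdoe src=10.0.0.5 result=FAIL",
    "this line is not a log-on record",
    "2024-06-01T08:00:45Z login user=jdoe src=10.0.0.5 result=FAIL",
    "2024-06-01T08:01:00Z login user=jdoe src=10.0.0.5 result=SUCCESS",
    "2024-06-01T08:10:00Z login user=asmith src=10.0.0.7 result=FAIL",
    "2024-06-01T08:20:00Z login user=asmith src=10.0.0.7 result=FAIL",
]


def sample_alerts() -> List[Alert]:
    """Run the detector over the constructed records."""
    return detect_logon_abuse(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, user, src, ts in sample_alerts():
        print(f"{ts} {kind:24} user={user} src={src}")
```

Of the sample records, only the jdoe burst crosses the threshold (five failures in 44 seconds, then a success), while mlee's single failure and asmith's two failures ten minutes apart stay below it. The `success_after_failures` event is the one worth escalating as a security event in the sense of 6.4.2, since it indicates that the repeated attempts may have succeeded.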

6.4.3. Password management system (9.4.3)

Control

Password management systems should be used to improve corporate access control, ensuring that passwords are set interactively and are of good quality.

Guidelines

The password management system should:

a) Enforce individual user IDs to assign accountability
b) Allow users to change their own password
c) Enforce a minimum password quality, as follows:
   - At least 10 characters
   - Do not choose obvious names, dates of birth, dictionary words or default passwords
   - Use at least 3 of the following 4 classes of characters: uppercase, lowercase, numeric, punctuation characters
d) Enforce password change after first log-on
e) Change password with a specific frequency (at least every 90 days)
f) Prevent password re-use by maintaining a record of previous passwords (at least the last 6 passwords)
g) Hide the password on the screen when it is being entered
h) Save the password file encrypted, in a different location than application system data
i) Store and transmit passwords in a protected form

Evidences

Provide the password policy and the mechanisms that enforce it for users (e.g. screenshots, configuration files).
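
Rules c) to f) above are concrete enough to be enforced in code, and the mechanism that enforces them is exactly what the Evidences ask for. The following is an added example, not part of the ESS guideline: a small password management component that checks the minimum quality (length, 3 of 4 character classes, no obvious or dictionary words, no user ID in the password), forces a change after the first log-on, expires passwords after 90 days and refuses re-use of the last 6 passwords. The history is kept as salted PBKDF2 hashes rather than clear text, in the spirit of rule h). The blocked-word list, the iteration count and the sample user are assumptions made for this example.

```python
"""Password quality and lifecycle enforcement.

Added example, not part of the ESS guideline: it implements the checks a
password management system needs for rules c) to f) of 6.4.3. The history is
stored as salted PBKDF2 hashes rather than clear text. The blocked-word list
and the iteration count are assumptions for this example.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 10                    # c) at least 10 characters
MIN_CLASSES = 3                    # c) at least 3 of the 4 character classes
HISTORY_SIZE = 6                   # f) remember at least the last 6 passwords
MAX_AGE = timedelta(days=90)       # e) change at least every 90 days
PBKDF2_ITERATIONS = 100_000        # assumption; tune to the deployment
# c) obvious / dictionary / default words; a real deployment loads a larger list.
BLOCKED_WORDS = {"password", "welcome", "qwerty", "changeme", "default"}


def character_classes(password: str) -> int:
    """Count how many of the upper, lower, digit and punctuation classes are used."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_quality(password: str, user_id: str) -> List[str]:
    """Return the list of rule-c) violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character classes")
    lowered = password.lower()
    if any(word in lowered for word in BLOCKED_WORDS):
        problems.append("contains an obvious, dictionary or default word")
    if user_id.lower() in lowered:
        problems.append("contains the user ID")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordRecord:
    """Per-user state a password management system keeps for rules d) to f)."""

    def __init__(self, user_id: str):
        self.user_id = user_id
        self.history: List[Tuple[bytes, bytes]] = []   # newest last, salted hashes only
        self.changed_on: Optional[date] = None
        self.must_change = True                         # d) initial password must be replaced

    def in_history(self, password: str) -> bool:
        """Re-derive with each stored salt and compare in constant time."""
        return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
                   for salt, digest in self.history)

    def set_password(self, password: str, today: date) -> List[str]:
        """Apply the new password if it passes every rule; otherwise return the violations."""
        problems = check_quality(password, self.user_id)
        if self.in_history(password):
            problems.append(f"re-uses one of the last {HISTORY_SIZE} passwords")
        if problems:
            return problems
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_SIZE:]
        self.changed_on = today
        self.must_change = False
        return []

    def change_required(self, today: date) -> bool:
        """True after first log-on (d) or once the password is older than 90 days (e)."""
        if self.must_change or self.changed_on is None:
            return True
        return today - self.changed_on > MAX_AGE
```

`check_quality` returns every violation at once so the user is told all the reasons a password was rejected, and `in_history` compares against each stored hash with its own salt, so the clear-text history that rule f) would otherwise tempt an implementer to keep is never stored.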

6.4.4. Use of privileged utility programs (9.4.4)

Control

The use of privileged utility programs should be restricted and tightly controlled to prevent the overriding of system and application controls.

Guidelines

The following guidelines should be implemented to prevent the overriding of system and application controls:

a) Identification, authentication and authorization procedures for utility programs
b) Segregate utility programs from application software
c) Keep a log of the use of utility programs
d) Define and document authorization levels
e) Remove or disable unnecessary utility programs
f) Separate utility programs when segregation of duties is required

Evidences

Provide the documented guidelines restricting privileged utility programs, as well as the measures in place to enforce them (e.g. screenshots, configuration files).

7. CRYPTOGRAPHY

7.1. Cryptography controls

To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

7.1.1. Policy on the use of cryptographic controls (10.1.1)

Control

A policy on the use of cryptographic controls should be developed and implemented, applying the controls needed to protect information.

Guidelines

A policy on the use of cryptographic controls should be prepared, reflecting the management approach and clarifying the corporate information security principles. Based on risk assessments, the controls to be used should be identified, determining the level of protection needed and the type of encryption to be applied.

Information should be protected at all times, encrypting information at rest and information in transit (mobile devices, removable media and communication lines). Roles and responsibilities should be defined for the implementation of the policy and for the generation and management of keys.

Cryptographic controls should meet the corporate security objectives and the information security principles (confidentiality, integrity, authentication and non-repudiation), taking into account national and cross-border legal restrictions on cryptography.

Evidences

Provide the cryptographic policy and proof of the controls in place (e.g. screenshots, configuration files) showing that information at rest and in transit is protected. Provide the document listing the applicable legal requirements.

7.1.2. Key management (10.1.2)

Control

The management of cryptographic keys should be governed by a policy covering the use, protection and management of keys throughout their lifecycle.

Guidelines

The cryptographic key management policy should cover the whole key lifecycle: generation, usage, storage, archiving, retrieval, distribution, retirement, protection and destruction.

A key management system should be established based on standards and best practices. Secure methods and procedures for managing keys should be established, protecting keys from loss or modification. These procedures should cover key distribution, including delivery to the intended entities, and key activation.

Procedures should be in place for key generation, for handling compromised keys and for recovering lost or corrupted keys. Key modification and deactivation should also be covered.

The procedure documentation should include audit methods specifying how key management activities are audited, in compliance with applicable regulations.

Cryptographic service agreements should be established with suppliers, addressing service reliability and liability, including service responsiveness and response times.

Evidences

Provide the key management policy, procedures, agreements with suppliers and audit methods in place, as well as the measures taken to comply with the policy (e.g. screenshots), showing that it complies with all applicable regulations and business objectives.

8. PHYSICAL AND ENVIRONMENTAL SECURITY

8.1. Secure areas

Critical or sensitive information processing facilities should be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They should be physically protected from unauthorized access, damage, and interference. The protection provided should be commensurate with the identified risks.

8.1.1. Physical security perimeter (11.1.1)

Control

Corporate physical security perimeters should be defined to protect important business areas, in particular those containing sensitive or critical information and information processing facilities.

Guidelines

A security risk assessment should be performed to identify the groups of assets to be protected and to define the physical security areas. Information processing facilities should have a defined security perimeter. To secure areas where break-ins might occur, walls and roofs should be of solid construction, external doors should prevent unauthorized access using control mechanisms such as bars, alarms or locks, and windows should be locked and protected.

Physical access to sites and buildings should be controlled, allowing access only to authorized personnel. Physical barriers should protect the outside of the building from unauthorized access and environmental contamination. The site should be safeguarded against fire damage, installing fire alarms and testing fire doors. Standards providing a suitable level of protection should be applied, following local, regional, national and international codes.

Evidences

Provide the physical security risk assessment performed and proof of the measures in place (e.g. pictures) to protect business assets.

8.1.2. Protecting against external and environmental threats (11.1.4)

Control

Physical protection should be designed and implemented to protect information and facilities against natural disasters, malicious attacks and accidents.

Guidelines

Specialist advice should be obtained on protecting the organization's facilities against:

a) Fire
b) Flood
c) Earthquake
d) Explosion
e) Civil unrest
f) Other forms of natural or man-made disaster

Evidences

Provide proof of the measures in place to protect against external and environmental threats (e.g. pictures).

8.1.3. Working in secure areas (11.1.5)

Control

Procedures should be designed and implemented to regulate work in secure areas.

Guidelines

Activity in secure areas should be controlled, restricting access to them and sharing information on a need-to-know basis. Secure areas should be kept locked, with an approval process for granting access to external parties. The use of recording devices such as video, audio and photographic equipment in secure areas should be forbidden.

Evidences

Provide proof that dedicated secure working areas exist (e.g. pictures), the procedures in place to control their use, the approval process for access to these areas, and records of who accessed them, who approved the access, the date and the business justification.

8.1.4. Delivery and loading areas (11.1.6)

Control

Access to corporate premises and processing facilities should be controlled and unauthorized persons kept out, isolating public access points from information processing facilities.

Guidelines

Only identified and authorized people should gain access to delivery and loading areas. External doors should be secured while internal doors are open. Shipments and incoming supplies and materials should be inspected for explosives, chemicals and other hazardous items.

Evidences

Provide proof of the measures in place to prevent unauthorized access to corporate delivery and loading areas (e.g. pictures).

8.2. Equipment

To prevent loss, damage, theft or compromise of equipment and the operational interruptions that can result.

8.2.1. Equipment siting and protection (11.2.1)

Control

Equipment should be adequately sited to reduce the risks from environmental threats and hazards and to prevent unauthorized access to equipment and other assets.

Guidelines

The following guidelines should be implemented to protect equipment:

a) Carefully position equipment that handles confidential information to reduce the risk of it being viewed by unauthorized persons
b) Use secure storage facilities to avoid unauthorized access
c) Adopt the necessary controls to protect equipment against physical and environmental risks (e.g. theft, fire, explosives, smoke, water, etc.)
d) Establish an acceptable use policy for eating, drinking and smoking in corporate areas, especially in the proximity of information processing facilities
e) Monitor environmental conditions (e.g. humidity, temperature) in information processing facilities
f) Consider protection against electromagnetic emanation for equipment processing confidential information

Evidences

Provide the acceptable use policy governing behaviour in information processing facilities, the monitoring tools in use (e.g. screenshot, picture) and the security measures in place to protect assets and equipment (e.g. pictures).

8.2.2. Cabling security (11.2.3)

Control

Power and telecommunication cables that carry data or support information services should be protected against deterioration, damage, interception or interference.

Guidelines

The following guidelines should be followed for cabling security:

a) Cables should be protected, by running them underground or using any other required protection, to avoid manipulation
b) Communication and power cables should be separated to avoid interference
c) For telecommunication cabling carrying confidential data:
   - Locked rooms or boxes to secure the equipment
   - Shielding or fibre optic cable

Evidences

Provide evidence of the security measures in place to protect cabling (e.g. pictures).

8.2.3. Equipment maintenance (11.2.4)

Control

Equipment should be maintained so that it meets availability requirements and its integrity is protected, with maintenance activities reviewed.

Guidelines

The following guidelines should be implemented:

a) Manufacturer-recommended service intervals and specifications should be followed
b) Equipment maintenance should be done only by authorized personnel

Evidences

Provide the procedure for equipment maintenance and the record of maintenance operations performed, which should contain at least the operator's name, the company name and the actions performed.

8.2.4. Secure disposal or re-use of equipment (11.2.7)

Control

Equipment that is going to be re-used should be checked to verify that all sensitive data and licensed software have been removed.

Guidelines

Specific techniques should be used to destroy, delete or overwrite confidential data and copyrighted information on storage media so that it cannot be retrieved.

Evidences

Provide the procedures in place to remove information from equipment that is to be re-used.

8.2.5. Clear desk and clear screen policy (11.2.9)

Control

A clear desk and clear screen policy should be adopted to protect corporate information contained on paper, removable storage media or information processing facilities.

Guidelines

Both policies should be defined in accordance with the information classification scheme (5.2.1), legal and contractual requirements (15.1) and the applicable risks, aligned with the organization's objectives:

a) Sensitive information (e.g. on paper, electronic storage media) should be locked away
b) When computers are not in use they should be locked and protected by an authentication mechanism (e.g. password, token)
c) Reproduction technologies (e.g. photocopiers, scanners) should be monitored and controlled to prevent copies of sensitive information being made by unauthorized persons
d) Classified information must not be left on printers, and should be removed immediately

Evidences

Provide the clear desk and clear screen policy and the measures in place to comply with it (e.g. screenshots, pictures). Provide as well evidence of how the policy is made accessible to all employees, contractors and third parties, and of the internal communication carried out regarding this policy.

9. OPERATIONS SECURITY

9.1. Operational procedures and responsibilities

Responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating procedures. Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

9.1.1. Documented operating procedures (12.1.1)

Control

Operating procedures related to information security activities should be documented and made available to all employees, contractors and third parties who need them.

Guidelines

Operational activities associated with information processing and communication facilities should be documented in corporate procedures. These procedures should cover at least:

a) Installation and configuration of systems
b) Processing and handling of information
c) Error handling or other exceptional conditions during job execution
d) Support and escalation contacts, including external support, for unexpected events or technical difficulties
e) System restart and recovery procedures for use in the event of system failure
f) Audit-trail and system log information management
g) Monitoring procedures

Procedures should be treated as formal corporate documents; they, and any changes to them, should be approved by management.

Evidences

Provide the procedures for operational activities related to information security, showing management approval.

9.1.2. Change management (12.1.2)

Control

Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.

Guidelines

To provide an appropriate level of security over corporate changes, the way in which changes are identified, recorded, planned, tested and assessed should be controlled, in particular through security impact assessments. A formal approval process should be in place for all changes, and the verification that security requirements have been applied should be reviewed.

Communication of change details and their implementation should be covered, and a fall-back procedure established to manage unsuccessful changes. Emergency changes should be taken into account by developing a process that allows them to be implemented quickly while remaining controlled.

Responsibility for all changes to corporate processes, systems and facilities should be allocated, with audit logs providing a detailed record of every change.

Evidences

Provide the change management procedure, which should include the internal approval process. Provide a record of changes carried out in the organization, showing the affected system, approver name, date and business justification.

9.1.3. Capacity management (12.1.3)

Control

The use of resources should be monitored and tuned, and projections of future capacity requirements made, to ensure that business objectives are achieved.

Guidelines

Resource usage should be controlled to achieve business objectives. The following points should be considered:

a) The business criticality of the systems should be considered when planning capacity management
b) The availability and efficiency of the systems should be tuned and monitored
c) Resources with long procurement lead times, high cost or key importance to the system should be specially monitored, in alignment with business objectives
d) Information should be reported to management in time to avoid bottlenecks and dependencies that could pose a threat to system security or services
e) Sufficient capacity should be achieved by increasing capacity or reducing demand (e.g. deletion of obsolete data, decommissioning of applications or systems, optimising batch processes, denying or restricting bandwidth for resource-hungry services when they are not critical)

All the above points should be reflected in a documented capacity management plan.

Evidences

Provide the capacity management process, aligned with business objectives and applicable legal requirements.

9.1.4. Separation of development, testing and operational environments (12.1.4)

Control

Development, testing and operational environments should be separated in order to reduce the risk of unauthorized changes to, and unauthorized access to, the operational environment.

Guidelines

The degree of separation between environments should be based on a risk assessment. Rules for the transfer of software from development to operational status should be defined and documented.

Development and operational software should be kept separate, running on different systems or in different directories. Where a test environment is provided, it should be completely isolated, ensuring that tests are never run on operational systems.

Access to development tools and system utilities should be controlled, with different user profiles for each environment.

Evidences

Provide the corporate network topology showing the logical separation of environments, and the approval process describing how an application is promoted from one environment to another.

9.2. Protection from malware

Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness to ensure that information and information processing facilities are protected against malware.

9.2.1. Controls against malware (12.2.1)

Control

Controls to detect, prevent and recover from malware should be established and implemented.

Guidelines

Policies should be developed to protect information and facilities against malware. These policies should cover at least:

a) Installation of unauthorized software should be forbidden and prevented by technical controls

b) Use of external software and files, and the protective measures that should be taken

To protect information and facilities against malware, procedures should be established and implemented to inform users of their specific responsibilities regarding malware, explaining how to protect systems, how to recover them from malware and how to report it. The procedures should also cover subscription to mailing lists that provide malware information, so that all relevant information about new malware is collected; such information should be verified against reliable sources. Protection against malware should be covered in the education and awareness programme.

A business continuity plan covering recovery from malware attacks should be in place, as well as a vulnerability management process (9.6).

Specific anti-malware software should be used to protect information and facilities. It should be able to scan files for malicious code before they are used. Files received over the network, e-mail messages and attachments, and other sources such as computers, web pages and storage media should all be scanned for possible malware.

Evidences

Provide the corporate malware policies. For large organizations (more than 200 employees), a central console for managing anti-malware protection across the organization should be in place. Provide screenshots and configuration files of the anti-malware software in use, and a list of the reliable sources used to obtain malware information (including any information exchange arrangements).

9.3. Backup

Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy and in compliance with applicable laws to protect against loss of data.

9.3.1. Information backup (12.3.1)

Control

A backup policy should be established and implemented specifying how backups of information, software and system images are handled, in accordance with corporate requirements and applicable legal requirements.

Guidelines

The backup policy should define retention and protection requirements, identifying the systems to be backed up through a risk assessment. Backup methods should match business requirements, reflecting the criticality of the information and using encryption to protect confidential information.

Backup frequency and retention period should be based on business requirements and comply with applicable legal requirements. Backups should be stored in a remote location away from the main site, with physical and environmental protection applied at both sites, in accordance with the corporate business continuity and disaster recovery plans. Backups should be tested regularly by performing restorations, as an untested backup does not demonstrate that the data can be recovered.

Evidences

Provide the backup policy with the corresponding retention periods and the technical procedure used to configure organization backups. Provide as well evidence of the backup configuration at the remote location (e.g. documentation, processes, procedures).

9.4. Logging and monitoring

Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are identified. An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities. System monitoring should be used to check the effectiveness of controls adopted and to verify conformity to an access policy model.

9.4.1. Event logging (12.4.1)

Control

Event logs recording user activities, exceptions, faults and information security events should be produced, kept, monitored and retained.

Guidelines

The information to be logged should be determined through a risk assessment. Logs should contain at least:

a) User IDs
b) Key user events:
   1. User system logons
   2. User system logouts
c) Dates and times
d) System activity
e) Device identity
f) Access attempts, both successful data accesses and rejected access attempts
g) Protection system activities, such as activation of protection systems, intrusion detection systems or anti-virus systems, as well as de-activation of protection systems

Automated monitoring systems may be used to generate system security alerts and periodic reports, so that user activity can be reviewed centrally.
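As an added example (not part of the ESS guidelines), the check below validates constructed log records against the minimum fields listed above (user ID, event type including logon/logoff, date and time, device identity, outcome of access attempts, protection-system activation and de-activation) and raises the two alerts an automated monitoring system would typically generate from them. The key=value record format and the sample lines are constructed for illustration; the framework prescribes no particular format.

```python
"""Validate event log records against the 9.4.1 minimum fields and derive
alerts. Added example; record format and sample lines are constructed."""
from collections import Counter
from datetime import datetime

REQUIRED = ("ts", "user", "event", "device", "outcome")
KNOWN_EVENTS = {"logon", "logoff", "data_access", "protection_on", "protection_off"}

# constructed sample log: one record per line, space-separated key=value pairs
SAMPLE_LOG = """\
ts=2024-03-04T08:02:11Z user=jdoe event=logon device=ws-0412 outcome=success
ts=2024-03-04T08:02:40Z user=jdoe event=data_access device=ws-0412 outcome=success object=/stats/hh2023
ts=2024-03-04T08:05:03Z user=mroe event=data_access device=ws-0777 outcome=rejected object=/stats/payroll
ts=2024-03-04T08:05:09Z user=mroe event=data_access device=ws-0777 outcome=rejected object=/stats/payroll
ts=2024-03-04T08:05:15Z user=mroe event=data_access device=ws-0777 outcome=rejected object=/stats/payroll
ts=2024-03-04T08:06:00Z user=root event=protection_off device=srv-db01 outcome=success component=antivirus
ts=2024-03-04T08:07:22Z user=jdoe event=logoff outcome=success
2024-03-04 08:08:00 some free-text line without fields
"""


def parse_record(line: str):
    """Return a dict of fields, or None if the line is not key=value records."""
    fields = {}
    for tok in line.split():
        if "=" not in tok:
            return None
        k, v = tok.split("=", 1)
        fields[k] = v
    return fields


def validate(lines):
    """Return (valid_records, problems). A record is valid only if every
    required field is present, the timestamp parses and the event is known."""
    valid, problems = [], []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        if rec is None:
            problems.append((n, "unparseable record"))
            continue
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            problems.append((n, "missing " + ",".join(missing)))
            continue
        try:
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append((n, "bad timestamp"))
            continue
        if rec["event"] not in KNOWN_EVENTS:
            problems.append((n, "unknown event " + rec["event"]))
            continue
        valid.append(rec)
    return valid, problems


def alerts(records, max_rejected: int = 3):
    """Alert on repeated rejected access attempts per user and on any
    de-activation of a protection system (item g)."""
    out = []
    rejected = Counter(r["user"] for r in records if r["outcome"] == "rejected")
    for user, n in rejected.items():
        if n >= max_rejected:
            out.append(f"{n} rejected access attempts by {user}")
    for r in records:
        if r["event"] == "protection_off":
            out.append(f"protection system disabled on {r['device']} by {r['user']}")
    return out


def run(log_text: str = SAMPLE_LOG) -> dict:
    valid, problems = validate(log_text.splitlines())
    return {"valid": len(valid), "problems": problems, "alerts": alerts(valid)}
```

Records that fail validation are reported rather than silently dropped: a logoff without a device identity, or a free-text line, is exactly the kind of gap an auditor will look for when the log file is provided as evidence.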

Evidences

Provide the risk assessment and a log file containing all the required information from at least one high-risk corporate system.

9.4.2. Protection of log information (12.4.2)

Control

Logging facilities and log information should be protected against tampering and unauthorized access.

Guidelines

Controls should be established and implemented to prevent operational problems with the logging facility (e.g. exhaustion of log storage capacity) and unauthorized changes to logs, such as altering the recorded messages, editing or deleting log files, or disabling logging. Log files should be retained in accordance with the corporate record retention policy and the need to preserve evidence.

Evidences

Provide proof of the controls in place to protect log information (e.g. screenshots, configuration files).

9.4.3. Administrator and operator logs (12.4.3)

Control

System administrator and operator activities should be logged and protected.

Guidelines

Since privileged users may be able to manipulate logs on systems under their direct control, all administrator and operator activity should be recorded and the logs protected, e.g. by forwarding them in real time to a separate system outside the administrator's control.
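The following added example (not part of the ESS guidelines) serves both 9.4.2 and 9.4.3: it shows one way a central log collector can make administrator logs tamper-evident. Each record carries a keyed hash over the previous record's tag and the record itself, with the key held only by the collector, so an administrator who can edit the files on the source host can neither alter nor silently drop an entry. The key and the administrator records are constructed.

```python
"""Tamper-evident log chain (HMAC over previous tag + record). Added example;
key and records are constructed, not values from the ESS framework."""
import hashlib
import hmac

GENESIS = "0" * 64          # tag assumed for the (non-existent) record before the first


def append(chain: list, key: bytes, record: str) -> list:
    """Append `record` with a tag binding it to the previous entry."""
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(key, (prev + "\n" + record).encode(), hashlib.sha256).hexdigest()
    chain.append({"record": record, "tag": tag})
    return chain


def verify(chain: list, key: bytes):
    """Return (True, None) if every entry chains correctly, else
    (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, (prev + "\n" + entry["record"]).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def demo() -> dict:
    key = b"collector-secret-not-present-on-the-monitored-host"   # constructed
    chain = []
    for rec in ("2024-03-04T09:00:01Z admin=root sudo cmd='useradd svc-etl'",
                "2024-03-04T09:00:30Z admin=root sudo cmd='visudo'",
                "2024-03-04T09:01:02Z admin=root sudo cmd='systemctl stop auditd'"):
        append(chain, key, rec)
    intact = verify(chain, key)
    # an administrator rewrites the entry showing auditd being stopped ...
    tampered = [dict(e) for e in chain]
    tampered[2]["record"] = "2024-03-04T09:01:02Z admin=root sudo cmd='systemctl status auditd'"
    # ... and another simply deletes the visudo entry
    deleted = [chain[0], chain[2]]
    return {"intact": intact, "tampered": verify(tampered, key), "deleted": verify(deleted, key)}
```

The chain only helps if the key is not available on the host being monitored and the collector's copy is the one reviewed; a chain verified with a key the administrator also holds proves nothing, because the tags could simply be recomputed.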

Evidences

Provide a log file showing administrator and operator activities recorded.

9.4.4. Clock synchronization (12.4.4)

Control

The clocks of all relevant information processing systems within the organization or security domain should be synchronized to a single reference time source.

Guidelines

External and internal requirements for time representation, synchronization and accuracy should be defined; these may be imposed by legal, regulatory or contractual requirements or by external standards. The approach to clock synchronization should be documented, making all stakeholders accountable for the process and taking into account the reliability of the synchronization. A standard reference time from an external trusted source should be used.

Evidences

Provide the time synchronization (e.g. NTP) configuration used for internal systems and proof that the same configuration is applied on the main systems (e.g. screenshots).

9.5. Control of operational software

Access to system files and program source code should be controlled, and IT projects and support activities conducted in a secure manner. Care should be taken to avoid exposure of sensitive data in test environments.

9.5.1. Installation of software on operational systems (12.5.1)

Control

Procedures should be developed and implemented to control the installation of software on operational systems.

Guidelines

To control software changes on operational systems, procedures covering the following should be implemented:

a) Updates to operational software should be performed only by trained staff with the required skills, upon appropriate management authorization

b) Operational systems should hold only approved executable code, not development code or compilers

c) Operating system and application software should be tested before installation on operational systems. Tests should cover:
   1. Usability
   2. Security
   3. Effects on other systems
   4. User-friendliness

d) Rollback procedures should be in place before changes are implemented, and previous versions kept as a contingency measure

Upgrades to new releases should be justified by business requirements and follow the corporate change management process (9.1.2). Software patches should be applied when required to remove or reduce security weaknesses (9.6).

Evidences

Provide the software management procedure, integrated in the change management process, and a record of previous changes made to operational systems. The corporate patch management procedure should be provided as well.

9.6. Technical vulnerability management

Technical vulnerability management should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. These considerations should include operating systems, and any other applications in use.

9.6.1. Management of technical vulnerabilities (12.6.1)

Control

Information about technical vulnerabilities of the information systems in use should be obtained in a timely manner, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

Guidelines

A vulnerability management programme should address potential technical vulnerabilities in a timely manner, following the guidelines below:

a) The vulnerability management programme should take the asset inventory (5.1.1) as its reference
b) A timeline for reacting to notifications of relevant vulnerabilities should be defined
c) The risks and the actions to be taken should be associated with each identified vulnerability
d) An audit log should be kept of all procedures undertaken
e) The technical vulnerability management programme should be evaluated regularly to improve its effectiveness and efficiency
f) Systems at high risk should be addressed first
g) The technical vulnerability management programme should be aligned with corporate incident management activities
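As an added example (not part of the ESS guidelines), the code below shows how items b), c) and f) fit together: findings are combined with the asset inventory's criticality, assigned a risk tier, given a due date from a defined timeline, and ordered highest risk first with overdue items flagged. The asset inventory, the tier scoring formula, the timeline values and the findings are all constructed assumptions for illustration; the framework sets no such values.

```python
"""Prioritise vulnerability findings against the asset inventory with a
defined remediation timeline. Added example; all data and the scoring rule
are constructed."""
from datetime import date, timedelta

# constructed asset inventory (5.1.1): criticality 1 (low) .. 3 (high)
ASSETS = {"web-portal": 3, "stats-db": 3, "intranet-wiki": 1, "build-srv": 2}

# constructed remediation timeline: maximum days from publication, by risk tier
TIMELINE = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIER_ORDER = ["critical", "high", "medium", "low"]


def risk_tier(cvss: float, criticality: int, exposed: bool) -> str:
    """Assumed rule: scale severity by asset criticality and add a step for
    internet exposure, then bucket into tiers."""
    score = cvss * (1 + 0.25 * (criticality - 1)) + (1.0 if exposed else 0.0)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def plan(findings, today: date):
    """Return findings ordered highest risk first, each with its tier, due
    date and an overdue flag, suitable for the programme's audit log."""
    out = []
    for f in findings:
        tier = risk_tier(f["cvss"], ASSETS[f["asset"]], f["exposed"])
        due = f["published"] + timedelta(days=TIMELINE[tier])
        out.append({**f, "tier": tier, "due": due, "overdue": today > due})
    out.sort(key=lambda f: (TIER_ORDER.index(f["tier"]), f["due"]))
    return out


FINDINGS = [  # constructed sample findings
    {"id": "V-1", "asset": "intranet-wiki", "cvss": 9.8, "exposed": False, "published": date(2024, 1, 10)},
    {"id": "V-2", "asset": "web-portal", "cvss": 7.5, "exposed": True, "published": date(2024, 3, 1)},
    {"id": "V-3", "asset": "stats-db", "cvss": 5.3, "exposed": False, "published": date(2024, 2, 1)},
    {"id": "V-4", "asset": "build-srv", "cvss": 3.1, "exposed": False, "published": date(2024, 2, 20)},
]
```

The point of the asset-aware tier is visible in V-3: a medium-severity finding on a high-criticality database is due before a higher-severity finding on a low-criticality system would be if their publication dates were swapped, which is what "systems at high risk first" means in practice.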

Evidences

Provide the vulnerability management programme document, together with the risk assessment performed over internal systems to establish their criticality, and the corresponding log file.

9.6.2. Restrictions on software installation (12.6.2)

Control

Rules to govern the installation of software by users should be established and implemented.

Guidelines

A strict policy should be enforced by the organization to prevent the risks arising from the installation of certain applications, following the guidelines below:

a) Apply the principle of least privilege
b) Identify permitted software installations (e.g. updates and security patches to existing software) based on business needs
c) Identify prohibited installations (e.g. software for personal use, potentially malicious software, software of unknown or bad reputation)
d) Grant installation privileges based on user roles

Evidences

Provide the policy in place restricting software installation and the measures preventing such installations by ordinary users (least privilege approach).

10. COMMUNICATIONS SECURITY

10.1. Network security management

The secure management of networks, which may span organizational boundaries, requires careful consideration to dataflow, legal implications, monitoring, and protection. Additional controls may also be required to protect sensitive information passing over public networks.

10.1.1. Network controls (13.1.1)

Control

Corporate networks should be managed and controlled to protect information in systems and applications.

Guidelines

Controls to protect the network and infrastructure should be implemented, such as segregation of duties separating operational responsibility for networks from computer operations. Actions that could affect information security should be logged and monitored at an appropriate frequency, so that they are detected and reacted to in a timely manner.

The confidentiality and integrity of data passing over public and wireless networks should be safeguarded. Procedures should be developed and controls implemented to protect networking equipment, with responsibility for managing it clearly allocated.

Systems and applications should be protected by implementing controls that authenticate systems on or connected to the network and restrict how connected systems may connect to it. The availability of network services and connected computers should be controlled and maintained.

Evidences

Provide the corporate network topology, a log file and proof of the measures in place to protect data confidentiality and integrity (e.g. screenshots, configuration files). Provide evidence that network health is monitored to control system availability (e.g. screenshots).

10.2. Information transfer

To maintain the security of information transferred within an organization and with any external entity formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. Agreements should address the secure transfer of business information between the organization and external parties and information involved in electronic messaging should be appropriately protected. Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented.

10.2.1. Information transfer policies and procedures (13.2.1)

Control

Formal transfer policies, procedures and controls should be in place to protect information transferred through all types of communication facilities.

Guidelines

A general policy protecting all types of communication facilities should be implemented and should comply with all applicable legal requirements. An acceptable use policy for communication facilities should be established and followed by end users.

Procedures should be implemented to protect transferred information from interception, misrouting, destruction, modification or copying, covering all types of communication facilities. Procedures should also be implemented to detect and protect against malware (9.2.1) that may be transmitted, and to safeguard the transfer of attachments.

Controls such as cryptographic techniques should be used to protect information, in particular while it is being transferred, across all types of communication facilities. Controls may also restrict how communication facilities may be used.

Acceptable use guidelines should prohibit unacceptable communication that could damage the organization's reputation and prevent user behaviour that could reveal confidential information. The guidelines should cover all business units and comply with all applicable legal and regulatory requirements.

Evidences

Provide the policy, procedures, acceptable use policy and guidelines protecting the transfer of information. All of these should be accessible to, and communicated to, end users (employees, contractors, third parties). Finally, provide proof of the controls implemented on the systems that protect information transfers (e.g. screenshots, configuration files).

10.2.2. Agreements on information transfer (13.2.2)

Control

Agreements should be established to ensure the secure transfer of business information between the organization and external parties, applying information security requirements.

Guidelines

Agreements protecting the transfer of business information should define security responsibilities and specify management responsibilities for controlling and notifying transfers. Responsibilities and liabilities in the event of information security incidents should be specified.

Procedures for information transfers should be defined to ensure traceability and non-repudiation. Transfers of physical media should be covered by these procedures.

Technical standards for the packaging, transmission, recording and reading of information should be defined to protect transfers.

Controls such as cryptographic methods and security labelling should be used to protect corporate information, with stronger protection for sensitive items.

Security requirements for information transfers should be defined, covering at least how acceptable levels of access control will be maintained, the chain of custody for information in transit, and any escrow agreements to be applied.

The policies with which information transfers must comply should be defined, including the protection of physical media in transit (5.3.3).

Evidences

Provide the agreements with external parties protecting the transfer of information between organizations, requiring them to apply corporate policies, standards and procedures and to handle information in accordance with the corporate information classification scheme.

10.2.3. Electronic messaging (13.2.3)

Control

Information transferred using electronic messaging services should be appropriately protected.

Guidelines

Security considerations to protect information in electronic messaging should include:

a) Messages should be protected from unauthorized access, modification or denial of service

b) Correct addressing and transport of messages should be ensured, protecting information integrity

c) Reliability and availability of the service
d) Legal considerations (e.g. requirements for electronic signatures)
e) Authentication controls for access from public networks

Evidences

Provide proof of the security controls in place (e.g. screenshots, configuration files) protecting information transferred through electronic messaging systems.

10.2.4. Confidentiality or non-disclosure agreements (13.2.4)

Control

The corporate requirements for confidentiality or non-disclosure agreements, reflecting the organization's needs for the protection of information, should be identified, regularly reviewed and documented.

Guidelines

Confidentiality or non-disclosure agreements should be designed to identify the security requirements and the type, owner and sensitivity of the information to be protected.

The agreements should include a clear explanation of why trade secrets and intellectual property must be safeguarded, the responsibilities of the signatories, and the duration of the agreement, including obligations that persist after its termination.

Rights to audit and monitor activities involving confidential information should be established. Agreements should comply with all applicable legal regulations.

Evidences

Provide a sample confidentiality or non-disclosure agreement signed by an employee or contractor, including all the required points, as well as proof of the monitoring measures in place to protect confidential information (e.g. screenshots, configuration files).

11. SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

11.1. Security requirements of information systems

Information systems include operating systems, infrastructure, business applications, off-the-shelf products, services, and user-developed applications. The design and implementation of the information system supporting the business process can be crucial for security. Security requirements should be identified and agreed prior to the development and/or implementation of information systems. All security requirements should be identified at the requirements phase of a project and justified, agreed, and documented as part of the overall business case for an information system.

11.1.1. Information security requirements analysis and specification (14.1.1)

Control

Information security requirements should be included in the requirements for new information systems or enhancements to existing ones.

Guidelines

The organization's information security requirements should be derived from policies and regulations, threat modelling, incident reviews, vulnerability thresholds and the security needs of its business processes. The confidentiality, integrity and availability of information should be protected at all times in accordance with business needs.

Information security requirements should be defined, documented and reviewed, taking into account the classification of the information and assets involved and the possible business impact. Security requirements should be part of the process both when developing systems and when acquiring products (e.g. software), considering corporate risks.

Evidences

Provide the corporate security requirements document, aligned with the information classification policy and business goals.

11.1.2. Securing application services on public networks (14.1.2)

Control

Information and application services on public networks should be protected against fraudulent activities, contractual disputes and unauthorized disclosures or modifications.

Guidelines

Application services on public networks should be controlled, with agreements with the network service provider defining resilience requirements. At least the application servers, network interconnections and service arrangements should be protected.

The level of confidence required in each party's claimed identity and the authorization of key transactional documents should be controlled. The confidentiality and integrity of payment details, confirmation details and delivery address details (where applicable) should be protected. Non-repudiation methods and fraud prevention should be applied to contracts.

Evidences

Provide the measures in place to maintain the required security level over public networks (e.g. screenshots, configuration files) and the agreements with service providers ensuring that corporate security requirements are met.

11.1.3. Protecting application services transactions (14.1.3)

Control

Information involved in application service transactions should be protected against misrouting, incomplete transmissions and unauthorized disclosures, replay, alterations and duplications.

Guidelines

Secure communication protocols should be used to protect application service transactions: communication paths between the participating parties should be encrypted, and electronic signatures and certificates issued by trusted authorities used to authenticate the parties and the transaction details. Security should be integrated throughout the entire end-to-end process, including a check that each transaction is processed once only, so that replayed or duplicated submissions are rejected.
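The server-side checks that give the control above its "replay, alteration and duplication" protection, as an added example that is not part of the ESS guidelines: each transaction message carries a timestamp and a unique nonce and is authenticated with a keyed MAC. The shared-secret MAC is a stand-in for the digital signature the text calls for (a real deployment would use signatures and certificates over an encrypted channel); the key, messages and amounts are constructed.

```python
"""Transaction message authentication with freshness and replay checks.
Added example; keys and messages are constructed."""
import hashlib
import hmac
import json
import secrets


class TransactionVerifier:
    def __init__(self, key: bytes, max_age_s: int = 300):
        self.key, self.max_age = key, max_age_s
        self.seen = set()        # nonces already processed (persist in production)

    def _mac(self, body: dict) -> str:
        # canonical encoding so client and server MAC the same bytes
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hmac.new(self.key, canonical.encode(), hashlib.sha256).hexdigest()

    def sign(self, body: dict, now: int) -> dict:
        """Client side: bind timestamp and a fresh nonce into the body."""
        body = dict(body, ts=now, nonce=secrets.token_hex(8))
        return {"body": body, "mac": self._mac(body)}

    def accept(self, msg: dict, now: int) -> str:
        """Server side: integrity first, then freshness, then uniqueness."""
        body = msg.get("body", {})
        if not hmac.compare_digest(self._mac(body), msg.get("mac", "")):
            return "rejected: integrity (MAC mismatch)"
        if abs(now - body["ts"]) > self.max_age:
            return "rejected: stale or future timestamp"
        if body["nonce"] in self.seen:
            return "rejected: replay/duplicate"
        self.seen.add(body["nonce"])
        return "accepted"


def demo() -> list:
    # one object plays both roles here because the MAC key is shared
    v = TransactionVerifier(b"shared-secret-constructed")
    t0 = 1_700_000_000
    msg = v.sign({"account": "ESS-42", "amount": 100, "currency": "EUR"}, now=t0)
    results = [v.accept(msg, now=t0 + 5)]               # genuine first submission
    results.append(v.accept(msg, now=t0 + 7))           # resubmitted: replay/duplicate
    altered = json.loads(json.dumps(msg))               # copy tampered in transit
    altered["body"]["amount"] = 100000
    results.append(v.accept(altered, now=t0 + 8))
    late = v.sign({"account": "ESS-42", "amount": 5, "currency": "EUR"}, now=t0)
    results.append(v.accept(late, now=t0 + 3600))      # delivered outside the window
    return results
```

The order of the checks matters: the MAC is verified before anything in the body is trusted, the timestamp window bounds how long the nonce store must remember each transaction, and the nonce check is what turns "incomplete transmission, retried" into a safe operation rather than a double booking.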

Evidences

Provide proof of the controls in place (e.g. screenshots, configuration files) ensuring that application service transactions are protected.

11.2. Security in development and support processes

Appropriate controls should be designed into applications, including user developed applications to ensure correct processing. These controls should include the validation of input data, internal processing and output data. Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical information. Such controls should be determined on the basis of security requirements and risk assessment.

11.2.1. Secure development policy (14.2.1)

Control

Rules for the development of software and systems, based on security best practices, should be established and applied throughout the development lifecycle.

Guidelines

Secure development practices should be established to avoid potential vulnerabilities. Secure coding guidelines should be established for each programming language used, a common methodology applied from the design phase onwards, and security checkpoints defined at project milestones.

Evidences

Provide the secure development policy and evidence of how it is made accessible to all staff (employees, contractors, third parties) and internally communicated.

11.2.2. Restrictions on changes to software packages (14.2.4)

Control

Modifications to software packages should be discouraged, limited to necessary changes supported by a business justification, and strictly controlled.

Guidelines

Vendor-supplied software packages should be used without modification wherever possible. When changes are necessary for business needs, they should be applied to a clearly identified copy, retaining the original software; the impact on vendor support and on the application of future updates should be considered before any modification. A software update management process should be implemented to ensure that the most up-to-date patches and updates are applied.

Evidences

Provide the process ensuring that all installed software is at the latest available patch and update level. The change management process should be reflected in this process.

11.2.3. Outsourced development (14.2.7)

Control

Development activities carried out by third parties should be supervised and monitored.

Guidelines

When system development is outsourced, the following points should be considered across the organizations involved:

a) Licensing arrangements, code ownership and intellectual property rights
b) Corporate best practices for secure development, imposed through contractual requirements (11.2.1)
c) Acceptance testing for the quality and accuracy of deliverables
d) Contractual right to audit development processes and controls
e) Detailed documentation of the full project process
f) The organization remains responsible for compliance with applicable laws

Evidences

Provide a sample agreement signed with an external company (if any) for the development of internal applications, showing how corporate security requirements and policies are enforced.


12. SUPPLIER RELATIONSHIPS

12.1. Information security in supplier relationships

When third parties such as suppliers have access to organization assets, those assets should be protected to ensure that unauthorized persons cannot access confidential information.

12.1.1. Information security policy for supplier relationships (15.1.1)

Control

Whenever suppliers have access to organization assets, the associated information security risks should be identified and risk mitigation requirements agreed with each supplier. These agreements should be documented.

Guidelines

Supplier access to organization assets should be addressed by information security controls defined in a policy. These controls should be translated into processes and procedures implemented by the organization, covering at least:

a) The types of supplier identified (e.g. IT services, logistics, utilities, financial services) and the type of information access permitted to each

b) A standardised process and lifecycle for managing supplier relationships

c) Minimum information security requirements for each type of access

d) Controls to ensure information integrity

e) Contractual requirements to protect organization information

f) Corporate awareness training on the applicable policies, processes and procedures

Evidences

Provide the defined policy, processes and procedures for supplier relationships, and a sample agreement showing how corporate requirements are enforced.


13. INFORMATION SECURITY INCIDENT MANAGEMENT

13.1. Management of information security incidents and improvements

Formal event reporting and escalation procedures should be in place. All employees, contractors and third party users should be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organizational assets. They should be required to report any information security events and weaknesses as quickly as possible to the designated point of contact. Also, responsibilities and procedures should be in place to handle information security events and weaknesses effectively once they have been reported. A process of continual improvement should be applied to the response to, monitoring, evaluating, and overall management of information security incidents. Where evidence is required, it should be collected to ensure compliance with legal requirements.

13.1.1. Responsibilities and procedures (16.1.1)

Control

Information security incident response procedures should be established and documented, and management responsibility allocated, to ensure that the organization responds to incidents quickly and effectively.

Guidelines

Corporate priorities should be clarified so that the incident management procedures are aligned with business objectives and have management support. Incident management procedures should be developed, assigning responsibility both for developing the procedures and for handling information security incidents. Those involved should have the necessary competences and accept the agreed priorities and objectives. Responsibility for receiving and handling security reports should be assigned.

Procedures for incident detection, analysis and response should be developed as part of information security incident management. Assessment procedures should describe how incidents and weaknesses are to be assessed. Decision-making and response procedures should be developed, covering incident escalation, recovery and communication. The points of contact to use in case of a security incident should be included in the procedures.

Post-incident procedures such as incident logging, record keeping and forensic evidence management should be developed as part of the lessons-learned process. Contacts with external authorities, security agencies and special interest groups should be maintained so that relevant information can be shared.

Evidences

Provide the incident management procedure document; it should be aligned with business objectives and have management support.

13.1.2. Reporting information security events (16.1.2)

Control

Information security events should be reported through the appropriate management channels as quickly as possible.


Guidelines

Employees and contractors should be trained to report security events as quickly as possible, and clear points of contact should be provided.

Information security events such as ineffective security controls, access violations and abuses, and security breaches that may affect confidentiality, integrity or availability or cause non-compliance with corporate policies or procedures should be reported without delay.

Other security-relevant situations, such as physical security breaches and failures, software and hardware malfunctions, uncontrolled system changes, and human errors, should also be considered for reporting.

Evidences

Provide proof that security events are reported internally: the communication channel used, and the internal awareness communications that inform users of it.

13.1.3. Reporting information security weaknesses (16.1.3)

Control

Users of corporate information systems and services (employees, contractors, third parties) should note and report any observed or suspected information security weaknesses in those systems.

Guidelines

To ensure that information security weaknesses are reported properly, the following points should be considered:

a) The point of contact to use when a security weakness is identified should be made clear to all users

b) A reporting mechanism should be provided that is easy to use, accessible to all users and available at all times

Users should report a suspected weakness rather than attempt to confirm it themselves: testing a weakness could be interpreted as misuse of the system and could cause damage.

Evidences

Provide proof that security weaknesses are reported internally: the communication channel used, the point of contact, and the internal awareness communications that inform users of them.

13.1.4. Assessment of and decision on information security events (16.1.4)

Control

Information security events within the organization should be assessed, and a decision taken on whether each should be classified as an information security incident.

Guidelines

Responsibility for assessing information security events should be allocated. All assessments and decisions relating to security events and incidents should be recorded for future reference (lessons learned).

An information security incident response team (ISIRT) should be established to confirm or reassess these decisions.


Evidences

Provide the record kept of security event assessments, and the organization chart of the ISIRT with the competences of its members.

13.1.5. Response to information security incidents (16.1.5)

Control

Incident response procedures should be established and implemented so that all information security incidents are responded to in accordance with the documented procedures.

Guidelines

Information security incidents should be responded to as quickly as possible, following the guidelines below:

a) Collect evidence as soon as possible after the incident, before it is altered or lost

b) Conduct a forensic analysis if required (13.1.7)

c) Escalate the incident response as required

d) Log all incident response activities for later analysis and review (13.1.6)

e) Share information about the incident with the relevant parties (e.g. internal staff, external organizations) on a need-to-know basis

f) Once the incident has been dealt with, address the weaknesses that caused or allowed it

Evidences

Provide proof of responses to information security incidents (e.g. screenshots, an exported mailbox such as a .pst file), the incident log, the escalation process and how forensic analysis is carried out.

13.1.6. Learning from information security incidents (16.1.6)

Control

Information security incidents and the responses to them should be analyzed so that the knowledge gained can be used to reduce the likelihood and impact of future incidents.

Guidelines

Mechanisms to monitor information security incidents should be established to quantify the types of incident, their volumes and their costs, and so to evaluate incident handling properly. Recurrent and high-impact incidents should be identified, since they may indicate the need for additional or enhanced controls.

Evidences

Provide evidence of the corporate monitoring mechanisms (e.g. screenshots, configuration files) and a sample analysis document produced for a specific information security incident.

13.1.7. Collection of evidence (16.1.7)

Control

Procedures should be defined and applied to identify, collect, acquire and preserve evidence relating to information security incidents and the responses to them.


Guidelines

So that disciplinary or legal action can be taken following an information security incident, evidence should be collected and preserved. Procedures for evidence management should be developed, covering:

a) Chain of custody

b) Safety of evidence

c) Safety of personnel

d) Roles and responsibilities of the personnel involved

e) Competency of personnel

f) Documentation

g) Briefing

The qualifications and certifications required of personnel, and the tools to be used, should be specified to ensure that the person handling evidence can do so properly and in accordance with corporate procedures. Evidence should be protected from the moment of acquisition: a cryptographic hash should be recorded when an item is collected, analysis should be performed on working copies rather than the original, and every transfer of custody should be recorded.
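The following Python script is an added example of items a), b) and f) above; it is not part of this guideline or of any corporate procedure. It records the SHA-256 hash of an evidence item at acquisition and keeps a custody log in which every entry's hash covers the previous entry's hash, so that a later edit, insertion or deletion of a custody record is detected on verification. The evidence identifier, custodian names, log line and timestamps are constructed for the example.

```python
"""Tamper-evident chain-of-custody log for incident evidence (added example).

Each evidence item is hashed (SHA-256) at acquisition. Every custody event
(collected, transferred, analysed, ...) is appended as an entry whose
entry_hash covers the entry's fields plus the previous entry's hash, so a
later edit, insertion or deletion of an entry breaks the chain on verify().
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of the raw evidence bytes (the acquisition hash)."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: Dict) -> str:
    """Hash of an entry's fields, excluding entry_hash itself.

    Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible.
    """
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLog:
    """Append-only list of custody entries, each linked to the previous one."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, evidence_id: str, action: str, custodian: str,
               evidence_hash: str, note: str = "",
               when: Optional[str] = None) -> Dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "evidence_id": evidence_id,
            "action": action,            # collected, transferred, analysed, ...
            "custodian": custodian,
            "evidence_hash": evidence_hash,
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, str]:
        """Re-derive every link and report the first broken entry, if any."""
        prev = self.GENESIS
        for expected_seq, e in enumerate(self.entries):
            if e["seq"] != expected_seq:
                return False, f"sequence gap at {expected_seq}"
            if e["prev_hash"] != prev:
                return False, f"entry {e['seq']} does not link to its predecessor"
            if e["entry_hash"] != _entry_hash(e):
                return False, f"entry {e['seq']} was altered"
            prev = e["entry_hash"]
        return True, "ok"

    def evidence_unchanged(self, evidence_id: str, current: bytes) -> bool:
        """Compare a copy of the evidence against the hash recorded at collection."""
        first = next(e for e in self.entries
                     if e["evidence_id"] == evidence_id and e["action"] == "collected")
        return sha256_bytes(current) == first["evidence_hash"]


# Constructed sample evidence for the example (not a real artefact):
# one line excerpted from an authentication log.
SAMPLE_EVIDENCE = b"Mar 10 09:12:03 host sshd[2211]: Failed password for root from 10.0.0.5\n"


def build_sample_log() -> CustodyLog:
    """Three custody events for one item; identifiers, names and times are made up."""
    log = CustodyLog()
    h = sha256_bytes(SAMPLE_EVIDENCE)
    log.append("EV-001", "collected", "a.analyst", h,
               "auth.log excerpt, acquired via write-blocker",
               when="2024-03-10T09:30:00+00:00")
    log.append("EV-001", "transferred", "b.forensics", h,
               "handed over in sealed evidence bag #17",
               when="2024-03-10T11:00:00+00:00")
    log.append("EV-001", "analysed", "b.forensics", h,
               "analysis performed on a working copy only",
               when="2024-03-11T08:15:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["custodian"] = "mallory"   # simulate a retrospective edit
    print("after tampering:", log.verify())
```

Running the script verifies the intact log, then alters one entry and shows that verification now names the altered entry. In a real procedure the log would be written to append-only storage or signed by the custodian, since a hash chain only detects tampering; it does not stop someone who controls the whole file from rewriting every entry consistently.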

Evidences

Provide the corporate forensic procedure in place and identify the person responsible for handling evidence in accordance with security requirements.


14. INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

14.1. Information security continuity

The consequences of disasters, security failures, loss of service, and service availability should be subject to a business impact analysis. Business continuity plans should be developed and implemented to ensure timely resumption of essential operations. Information security should be an integral part of the overall business continuity process, and other management processes within the organization.

14.1.1. Planning information security continuity (17.1.1)

Control

Requirements should be established to ensure that information security activities continue within the organization during a disaster or crisis, as part of the corporate business continuity plan.

Guidelines

Information security should be part of the organization's business continuity and disaster recovery plans, to ensure that security activities continue to operate in adverse situations. Where there is no formal business continuity or disaster recovery plan, a business impact analysis should be performed to determine the information security requirements that apply in adverse situations; alternatively, it may be assumed that the information security requirements remain the same in adverse situations as under normal operating conditions.

Evidences

Provide the business continuity document, show how information security continuity forms part of it, and show that it has the necessary management support.

14.1.2. Implementing information security continuity (17.1.2)

Control

Processes, procedures and controls should be established, documented, implemented and maintained to ensure that the required level of information security continuity is achieved during a disaster or crisis.

Guidelines

To ensure information security continuity during a disaster, requirements should be established and the organization should:

a) Put in place a management structure prepared to mitigate and respond to a disruptive event, staffed by personnel with the required skills

b) Allocate responsibility to specific personnel able to manage an incident and maintain information security

c) Document the plans, response procedures and recovery procedures used to manage disruptive events

d) Put in place information security controls aligned with the business continuity and disaster recovery plans

e) Establish the processes, procedures and implementation changes needed to keep existing information security controls operating during the disruption

Evidences

Provide the process and procedure documents, and proof that controls are in place to ensure that information security continuity requirements are applied during a disaster.


15. COMPLIANCE

15.1. Compliance with legal and contractual requirements

The design, operation, use, and management of information systems may be subject to statutory, regulatory and contractual security requirements. Advice on specific legal requirements should be sought from the organization's legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to another country (i.e. trans-border data flow).

15.1.1. Identification of applicable legislation and contractual requirements (18.1.1)

Control

All relevant legal, statutory, regulatory and contractual information security obligations and requirements should be identified and documented, together with an up-to-date record of how the organization complies with them.

Guidelines

The organization should comply with the legislative requirements of all relevant jurisdictions, with management support for identifying them. Responsibilities for meeting these requirements should be allocated and documented.

The controls used to meet the legal security requirements should be defined and documented.

Evidences

Provide a document listing the controls and security measures in place to ensure that all applicable legal requirements are met. A document identifying the applicable legislation and regulations may be provided as well.

15.1.2. Protection of records (18.1.3)

Control

Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with all relevant legislative, regulatory, contractual and business requirements.

Guidelines

The information classification scheme (5.2.1) should be used to categorize business records. Guidelines should be developed that specify the storage media or systems for each type of record and its retention period. Records must remain retrievable from the storage systems throughout that period; the retention period should comply with applicable regulations, and records should be destroyed once it has expired.

Cryptographic methods may be used to protect confidential records. Where they are, the cryptographic keys (and the software needed to use them) must be retained for as long as the records themselves, so that the records can still be decrypted when needed; an encrypted record whose key has been rotated out or destroyed is effectively lost. Records should also be protected from physical damage and from deterioration of the storage media: media storage and handling procedures should follow the manufacturer's specifications. Technology changes should be considered to ensure that the data remains readable in the future.

Evidences

Provide the retention period document, aligned with the applicable legal requirements, and the procedure documents that ensure records are protected for the required period.


15.1.3. Privacy and protection of personally identifiable information (18.1.4)

Control

Privacy and the protection of personally identifiable information should be ensured as required by relevant legislation and regulation, through established privacy protection practices.

Guidelines

A privacy and personal data protection policy should be developed and applied to protect the privacy and personally identifiable information of employees, contractors and third parties. A management structure with an appointed privacy officer should be established to oversee the protection of personal information, and that structure, with management support, should ensure that the privacy policy is followed.

Compliance with applicable legislation and regulations should be ensured, and the policy should be communicated to all employees, contractors and stakeholders, who are accountable for protecting the personal information they handle.

Evidences

Provide the corporate data protection policy, the name of the person appointed as privacy officer, and proof of management approval (e.g. an internal communication). All of this should be aligned with the applicable legal requirements.

15.1.4. Regulation of cryptographic controls (18.1.5)

Control

The organization's cryptographic controls (4.1) should be used in compliance with all relevant laws, regulations and agreements.

Guidelines

Legal restrictions on the import, export and use of cryptographic hardware and software, and on the use of cryptographic controls generally, should be considered. Authorities in some jurisdictions may have mandatory or discretionary means of access to information encrypted by hardware or software; the organization's use of cryptography should therefore comply with the applicable law, taking into account the movement of encrypted information and cryptographic equipment across national borders. Legal advice should be sought before encrypted information or cryptographic tools are moved across a border.

Evidences

Provide a document identifying the applicable legal requirements and showing how the organization's cryptographic controls are aligned with them.
