A.5 Security policy

A.5.1 Information security policy
Control | Description | Adopted | Justification
A.5.1.1 | Information security policy document | Y | The Security Policy has been approved by the Data Centre manager.
A.5.1.2 | Review of the information security policy | Y | The Security Policy is reviewed for continuing applicability at intervals not exceeding 12 months.
A.6 Organization of information security

A.6.1 Internal organization
Control | Description | Adopted | Justification
A.6.1.1 | Management commitment to information security | |
A.6.1.2 | Information security co-ordination | |
A.6.1.3 | Allocation of information security responsibilities | Y | All staff need to fully understand their responsibilities and the procedures related to information security.
A.6.1.4 | Authorisation process for information processing facilities | Y | A change request is required for any new processing facility.
A.6.1.5 | Confidentiality agreements | Y | Confidentiality agreements for the protection of information are identified and regularly reviewed.
A.6.1.6 | Contact with authorities | N | Unnecessary owing to scope of registration.
A.6.1.7 | Contact with special interest groups | N | Unnecessary owing to scope of registration (reliance on automatic updates for security and anti-virus protection).
A.6.1.8 | Independent review of information security | Y | Conducted at least once a year by an internal or external independent body.
A.6.2 External parties
Control | Description | Adopted | Justification
A.6.2.1 | Identification of risks related to external parties | Y | External parties have access to the data centre.
A.6.2.2 | Addressing security when dealing with customers | Y | Customers have access to the data centre.
A.6.2.3 | Addressing security in third party agreements | Y | Third party controls are employed.
A.7 Asset management

A.7.2 Information classification
Control | Description | Adopted | Justification
A.7.2.1 | Classification guidelines | Y | All data is held electronically and is application specific.
A.7.2.2 | Information labelling and handling | Y | Impractical and unnecessary.

A.8 Human resources security

A.8.1 Prior to employment
Control | Description | Adopted | Justification
A.8.1.2 | Screening | |
A.8.1.3 | Terms and conditions of employment | |
A.8.2 During employment
Control | Description | Adopted | Justification
A.8.2.1 | Management responsibilities | Y | All applicable personnel are made aware of their responsibilities with regard to security.
A.8.2.2 | Information security awareness, education and training | Y | All staff receive on-site security training with regard to ISO 27001 where needed.
A.8.2.3 | Disciplinary process | Y | All staff have been made fully aware of their responsibilities regarding information security.
A.8.3 Termination or change of employment
Control | Description | Adopted | Justification
A.8.3.1 | Termination responsibilities | Y | To prevent unauthorised access following termination of the employment contract.
A.8.3.2 | Return of assets | Y | To ensure the return of all company assets.
A.8.3.3 | Removal of access rights | Y | To ensure no unauthorised access following termination of the employment contract.
A.9 Physical and environmental security

A.9.2 Equipment security
Control | Description | Adopted | Justification
A.9.2.1 | Equipment siting and protection | Y | To protect against environmental and physical threats.
A.9.2.2 | Supporting utilities | Y | Equipment runs twenty-four hours a day, seven days a week.
A.9.2.3 | Cabling security | Y | False floors carry the IT cabling.
A.9.2.4 | Equipment maintenance | Y | Data centre requirement: equipment needs to be maintained to ensure continued availability.
A.9.2.5 | Security of equipment off-premises | Y | Home working by some staff.
A.9.2.6 | Secure disposal or re-use of equipment | Y | All client data held electronically needs to be disposed of securely.
A.9.2.7 | Removal of property | Y | Authorised staff have removable IT equipment.
A.10 Communications and operations management

A.10.2 Third party service delivery management
Control | Description | Adopted | Justification
A.10.2.1 | Service delivery | Y | Third party services are used.
A.10.2.2 | Monitoring and review of third party services | Y | Monitoring and review take place to ensure continuity of service.
A.10.2.3 | Managing changes to third party services | Y | Changes are managed to ensure continuity of service.
A.10.3 System planning and acceptance
Control | Description | Adopted | Justification
A.10.3.1 | Capacity management | Y | Growth is core to the business.
A.10.3.2 | System acceptance | Y | To ensure all systems are acceptable prior to installation.
A.10.4 Protection against malicious and mobile code
Control | Description | Adopted | Justification
A.10.4.1 | Controls against malicious code | Y | Protection against malicious code.
A.10.4.2 | Controls against mobile code | Y | System administrators have access to DMZ zones.
A.10.5 Back-up
Control | Description | Adopted | Justification
A.10.5.1 | Information back-up | Y | To prevent the permanent loss of important information.
A.10.6 Network security management
Control | Description | Adopted | Justification
A.10.6.1 | Network controls | Y | Safeguarding of information in networks.
A.10.6.2 | Security of network services | N | No network services are provided.
A.10.7 Media handling
Control | Description | Adopted | Justification
A.10.7.1 | Management of removable media | Y | There are times when information is stored temporarily on removable media such as laptops.
A.10.7.2 | Disposal of media | Y | Need to make sure that no confidential information is leaked.
A.10.7.3 | Information handling procedures | Y | To ensure business continuity and prevent disruption.
A.10.7.4 | Security of system documentation | Y | Documentation is held in both hard-copy and electronic format.

A.10.8 Exchange of information
Control | Description | Adopted | Justification
A.10.8.1 | Information exchange policies and procedures | Y | Contracts requirement.
A.10.8.2 | Exchange agreements | Y | Contracts requirement.
A.10.8.3 | Physical media in transit | Y | Tape backups are transported to the AGS fire safe.
A.10.8.4 | Electronic messaging | Y | All staff have access to a company e-mail account.
A.10.8.5 | Business information systems | N | No interconnected business systems.
A.10.9 Electronic commerce services
Control | Description | Adopted | Justification
A.10.9.1 | Electronic commerce | N | No e-commerce facilities are used in the ISMS.
A.10.9.2 | On-line transactions | N | No e-commerce facilities are used in the ISMS.
A.10.9.3 | Publicly available information | Y | All information has a security classification.
A.10.10 Monitoring
Control | Description | Adopted | Justification
A.10.10.1 | Audit logging | | User activities, exceptions and information security events are recorded and kept for an agreed period to assist in future investigations and access control monitoring.
A.10.10.2 | Monitoring system use | Y | Procedures have been developed for monitoring system use.
A.10.10.3 | Protection of log information | Y | Generated log information is protected against tampering and unauthorised access.
A.10.10.4 | Administrator and operator logs | Y | System and database administrator activities are monitored and logged.
A.10.10.5 | Fault logging | Y | A log of all faults is kept in the IT department.
A.10.10.6 | Clock synchronization | Y | All clocks are synchronised to GMT.
A.11 Access control

A.11.1 Business requirement for access control
Control | Description | Adopted | Justification
A.11.1.1 | Access control policy | Y | For the protection of sensitive data and systems.

A.11.2 User access management
Control | Description | Adopted | Justification
A.11.2.1 | User registration | Y | To prevent unauthorised access to information systems.
A.11.2.2 | Privilege management | Y | Certain positions carry privileges.
A.11.2.3 | User password management | Y | All applications need password protection.
A.11.2.4 | Review of user access rights | Y | Access rights are required to be reviewed periodically.

A.11.3 User responsibilities
Control | Description | Adopted | Justification
A.11.3.1 | Password use | Y | To ensure availability of systems.
A.11.3.2 | Unattended user equipment | Y | By user equipment we mean the administrators' workstations.
A.11.3.3 | Clear desk and clear screen policy | Y | Although assets are sited in a secure area, information displayed on screen (or on paper) may be confidential.
A.11.4 Network access control
Control | Description | Adopted | Justification
A.11.4.1 | Policy on use of network services | Y | Networked services are available to authorised personnel.
A.11.4.2 | User authentication for external connections | Y | Home workers use dial-in services for remote access.
A.11.4.3 | Equipment identification in networks | Y | Automatic identification is used for servers and networks.
A.11.4.4 | Remote diagnostic and configuration port protection | Y | Remote diagnostic and configuration access is via Dell OpenManage.
A.11.4.5 | Segregation in networks | Y | Networks are segregated for the control of unauthorised access.
A.11.4.6 | Network connection control | Y | To control access in accordance with the access control policy.
A.11.4.7 | Network routing control | Y | To prevent unauthorised access in shared networks.
A.11.5 Operating system access control
Control | Description | Adopted | Justification
A.11.5.1 | Secure log-on procedures | Y | To control and manage user access.
A.11.5.2 | User identification and authentication | Y | To maintain records and monitor unauthorised activities.
A.11.5.3 | Password management system | N | To control and manage user passwords.
A.11.5.4 | Use of system utilities | N | No utility programs are allowed to run on application servers.
A.11.5.5 | Session time-out | N | Only administrators can access the operating systems of the servers, via their desktops. The desktops are sited in a secure environment with controlled access, so a session time-out policy is not deemed necessary at this time.
A.11.5.6 | Limitation of connection time | | Only administrators can access the operating systems of the servers, via their desktops. The desktops are sited in a secure environment with controlled access, so a connection time limit is not deemed necessary at this time.
A.11.6 Application and information access control
Control | Description | Adopted | Justification
A.11.6.1 | Information access restriction | Y | A need-to-know policy is employed.
A.11.6.2 | Sensitive system isolation | Y | All systems are treated as sensitive.

A.11.7 Mobile computing and teleworking
Control | Description | Adopted | Justification
A.11.7.1 | Mobile computing and communications | Y | Used by system administrators to identify system failures and restart essential services after failure.
A.11.7.2 | Teleworking | |
A.12 Information systems acquisition, development and maintenance

A.12.2 Correct processing in applications
Control | Description | Adopted | Justification | Reference
A.12.2.1 | Input data validation | N | The data centre does not do any development, maintenance or support of application system software. | n/a
A.12.2.2 | Control of internal processing | N | The data centre does not do any development, maintenance or support of application system software. | n/a
A.12.2.3 | Message integrity | N | The data centre does not do any development, maintenance or support of application system software. | n/a
A.12.2.4 | Output data validation | | The data centre does not do any development, maintenance or support of application system software. | n/a

A.12.3 Cryptographic controls
Control | Description | Adopted | Justification | Reference
A.12.3.1 | Policy on the use of cryptographic controls | N | Cryptographic controls are application specific and not supported by AGS. | n/a
A.12.3.2 | Key management | N | Cryptographic controls are application specific and not supported by AGS. | n/a
A.12.4 Security of system files
Control | Description | Adopted | Justification | Reference
A.12.4.1 | Control of operational software | Y | To prevent unauthorised change. | Change control policy
A.12.4.2 | Protection of system test data | N | The data centre does not do any development, maintenance or support of application system software. | n/a
A.12.4.3 | Access control to program source code | Y | Source code is held as backup only. | Backup Procedure

A.12.5 Security in development and support processes
Control | Description | Adopted | Justification | Reference
A.12.5.1 | Change control procedures | Y | Any data centre asset change requires a change request. | Change control policy; Maintenance schedules and logs
A.12.5.2 | Technical review of applications after operating system changes | | Not in the remit of the data centre, but application owners are informed when operating system changes have been made. |
A.12.5.3 | Restrictions on changes to software packages | | Software packages are not used by AGS (application software is controlled by the change control procedure). | n/a
A.12.5.4 | Information leakage | Y | Opportunities for information leakage need to be prevented. |
A.12.5.5 | Outsourced software development | N | Software development is not done by AGS. |

A.12.6 Technical vulnerability management
Control | Description | Adopted | Justification | Reference
A.12.6.1 | Control of technical vulnerabilities | | | Risk Assessment
A.13 Information security incident management

A.13.2 Management of information security incidents and improvements
Control | Description | Adopted | Justification | Reference
A.13.2.1 | Responsibilities and procedures | Y | Responsibilities and procedures need to be clearly defined. | Roles and Responsibilities; Reporting Security Incidents Procedure
A.13.2.2 | Learning from information security incidents | Y | Lessons learned need evaluating to prevent further incidents. |
A.13.2.3 | Collection of evidence | Y | Collection of evidence is required. |
A.15 Compliance

A.15.1 Compliance with legal requirements
Control | Description | Adopted | Justification | Reference
A.15.1.1 | Identification of applicable legislation | Y | Legal/mandatory requirement. | Compliance with Legal Requirements
A.15.1.2 | Intellectual property rights (IPR) | Y | The ISMS only uses legal, licensed software. | Compliance with Legal Requirements
A.15.1.3 | Protection of organizational records | Y | The ISMS complies with industry, legal and contract requirements. | Compliance with Legal Requirements
A.15.1.4 | Data protection and privacy of personal information | Y | The ISMS is legally required to register all personnel records under the Data Protection Act 1998. | Compliance with Legal Requirements
A.15.1.5 | Prevention of misuse of information processing facilities | Y | To ensure that all employees are aware of the policy on the use of company information processing facilities. | Compliance with Legal Requirements
A.15.1.6 | Regulation of cryptographic controls | N | Cryptography is not used. | n/a

A.15.2 Compliance with security policies and standards, and technical compliance
Control | Description | Adopted | Justification | Reference
A.15.2.1 | Compliance with security policies and standards | Y | Management ensure that all security procedures are carried out correctly to achieve compliance with security policies and standards. | Audit procedure
A.15.2.2 | Technical compliance checking | | Conducted by audit specialists to ensure compliance with security policies and standards. | Audit Compliance

A.15.3 Information systems audit considerations
Control | Description | Adopted | Justification | Reference
A.15.3.1 | Information systems audit controls | Y | The internal audit team conducts regular audits of all policies and procedures adopted by the company to ensure effective implementation. | n/a
A.15.3.2 | Protection of information systems audit tools | | Controlled by the IT manager to prevent misuse or compromise. | n/a