Aimes Grid Services (CIC)

Issue Date: 06-Dec-2007

Document Name: ISO27001_SCO_StatementOfApplicability_02.doc
Security Classification: Public

SOA ISO 27001:2005 Statement of Applicability

A.5 Security Policy

A.5.1 Information Security Policy

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.5.1.1 | Information security policy document | Y | The Security Policy has been approved by the Data Centre Manager. |
| A.5.1.2 | Review of the information security policy | Y | The Security Policy is reviewed for continuing applicability at intervals not exceeding 12 months. |

A.6 Organisation of Information Security

A.6.1 Internal Organization

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.6.1.1 | Management commitment to information security | Y | Management have demonstrated their commitment to information security by the allocation of resources and investment in their people. |
| A.6.1.2 | Information security co-ordination |  | Within the data centre, all information security activities are co-ordinated. |
| A.6.1.3 | Allocation of information security responsibilities | Y | All staff need to fully understand their responsibilities and procedures related to information security. |
| A.6.1.4 | Authorisation process for information processing facilities | Y | A change request is required for any new processing facilities. |
| A.6.1.5 | Confidentiality agreements | Y | Confidentiality agreements for the protection of information are identified and regularly reviewed. |
| A.6.1.6 | Contact with authorities | N | Unnecessary owing to scope of registration. |
| A.6.1.7 | Contact with special interest groups | N | Unnecessary owing to scope of registration (rely on automatic update for security and anti-virus protection). |
| A.6.1.8 | Independent review of information security | Y | This is conducted at least once a year by an internal/external independent body. |

A.6.2 External Parties

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.6.2.1 | Identification of risks related to external parties | Y | External parties have access to the data centre. |
| A.6.2.2 | Addressing security when dealing with customers | Y | Customers have access to the data centre. |
| A.6.2.3 | Addressing security in third party agreements | Y | Third party controls employed. |

A.7 Asset Management

A.7.1 Responsibility for Assets

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.7.1.1 | Inventory of assets | Y | A record of all information assets is kept on-site. |
| A.7.1.2 | Ownership of assets | Y | All assets in the scope of this registration are owned by the Data Centre Manager. |
| A.7.1.3 | Acceptable use of assets | Y | Acceptable use of assets is laid down in the policies and procedures of the system. |

A.7.2 Information Classification

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.7.2.1 | Classification guidelines | Y | All data is held electronically and is application specific. |
| A.7.2.2 | Information labelling and handling | Y | Impractical and unnecessary. |

A.8 Human Resources Security

A.8.1 Prior to employment

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.8.1.1 | Roles and responsibilities | Y | All employees have job descriptions defining their roles and responsibilities. |
| A.8.1.2 | Screening |  | Data centre standards require independent references to be sought prior to commencement of employment. Verification of the accuracy of CVs and identity checks are also undertaken. |
| A.8.1.3 | Terms and conditions of employment |  | All employees have security responsibilities included in their terms and conditions of employment. |

A.8.2 During employment

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.8.2.1 | Management responsibilities | Y | All applicable personnel are made aware of their responsibilities with regard to security. |
| A.8.2.2 | Information security awareness, education and training | Y | All staff receive on-site security training with regard to ISO 27001 where needed. |
| A.8.2.3 | Disciplinary process | Y | All staff have been made fully aware of their responsibilities regarding information security. |

A.8.3 Termination or change of employment

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.8.3.1 | Termination responsibilities | Y | To prevent unauthorised access following termination of the employment contract. |
| A.8.3.2 | Return of assets | Y | To ensure return of all company assets. |
| A.8.3.3 | Removal of access rights | Y | To ensure no unauthorised access following termination of the employment contract. |

A.9 Physical and environmental security

A.9.1 Secure areas

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.9.1.1 | Physical security perimeter | Y | The building is situated in a business park and perimeter controls are in place. |
| A.9.1.2 | Physical entry controls | Y | Controlled access to all areas is necessary. |
| A.9.1.3 | Securing offices, rooms and facilities | Y | To prevent unauthorised access to sensitive equipment. |
| A.9.1.4 | Protecting against external and environmental threats | Y | To ensure continuity of service. |
| A.9.1.5 | Working in secure areas | Y | Protection of both staff and equipment. |
| A.9.1.6 | Public access, delivery and loading areas | Y | Deliveries are made to the data centre. |

A.9.2 Equipment Security

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.9.2.1 | Equipment siting and protection | Y | To protect against environmental and physical threats. |
| A.9.2.2 | Supporting utilities | Y | Equipment running twenty-four hours a day, seven days a week. |
| A.9.2.3 | Cabling security | Y | False floors to carry IT cabling; data centre requirement. |
| A.9.2.4 | Equipment maintenance | Y | Equipment needs to be maintained to ensure continued availability. |
| A.9.2.5 | Security of equipment off premises | Y | Home working by some staff. |
| A.9.2.6 | Secure disposal or re-use of equipment | Y | All client data held electronically needs to be disposed of securely. |
| A.9.2.7 | Removal of property | Y | Authorised staff have removable IT equipment. |

A.10 Communications and operations management

A.10.1 Operational procedures and responsibilities

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.10.1.1 | Documented operating procedures | Y | AGS employees will follow appropriate operating instructions. |
| A.10.1.2 | Change management | Y | Adopted as best practice. |
| A.10.1.3 | Segregation of duties | Y | To prevent unauthorised modification of IT systems or abuse of position. |
| A.10.1.4 | Separation of development, test and operational facilities | N | No development done at/by the Data Centre. |

A.10.2 Third party service delivery management

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.10.2.1 | Service delivery | Y | Third party services are used. |
| A.10.2.2 | Monitoring and review of third party services | Y | Monitoring and review take place to ensure continuity of service. |
| A.10.2.3 | Managing changes to third party services | Y | Managing changes to ensure continuity of service. |

A.10.3 System planning and acceptance

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.10.3.1 | Capacity management | Y | Growth is core to the business. |
| A.10.3.2 | System acceptance | Y | To ensure all systems are acceptable prior to installation. |

A.10.4 Protection against malicious and mobile code

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.10.4.1 | Controls against malicious code | Y | Protection against malicious code. |
| A.10.4.2 | Controls against mobile code | Y | System administrators have access to DMZ zones. |

A.10.5 Back-up

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.10.5.1 | Information back-up | Y | To prevent the permanent loss of important information assets. |

A.10.6 Network security management

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.10.6.1 | Network controls | Y | Safeguarding of information in networks. |
| A.10.6.2 | Security of network services | N | Do not provide any network services. |

A.10.7 Media Handling

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.10.7.1 | Management of removable media | Y | There are times when information is stored temporarily on removable media such as laptops. |
| A.10.7.2 | Disposal of media | Y | Need to make sure that no confidential information is leaked. |
| A.10.7.3 | Information handling procedures | Y | To ensure business continuity and prevent disruption. |
| A.10.7.4 | Security of system documentation | Y | Documentation held in both hard and electronic format. |

A.10.8 Exchange of information

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.10.8.1 | Information exchange policies and procedures | Y | Contracts requirement. |
| A.10.8.2 | Exchange agreements | Y | Contracts requirement. |
| A.10.8.3 | Physical media in transit | Y | Tape backup transported to AGS fire safe. |
| A.10.8.4 | Electronic messaging | Y | All staff have access to a company e-mail account. |
| A.10.8.5 | Business information systems | N | No interconnected business systems. |

A.10.9 Electronic commerce services

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.10.9.1 | Electronic commerce | N | No e-commerce facilities used in the ISMS. |
| A.10.9.2 | On-line transactions | N | No e-commerce facilities used in the ISMS. |
| A.10.9.3 | Publicly available information | Y | All information has a security classification. |

A.10.10 Monitoring

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.10.10.1 | Audit logging | Y | User activities, exceptions and information security events are recorded and kept for an agreed period to assist in future investigations and access control monitoring. |
| A.10.10.2 | Monitoring system use | Y | Procedures have been developed for monitoring system use. |
| A.10.10.3 | Protection of log information | Y | Generated log information is well protected against tampering and unauthorised access. |
| A.10.10.4 | Administrator and operator logs | Y | System/database administrator activities are monitored and logged. |
| A.10.10.5 | Fault logging | Y | A log of all faults is kept in the IT department. |
| A.10.10.6 | Clock synchronization | Y | All clocks are synchronised to GMT. |

A.11 Access control

A.11.1 Business requirement for access control

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.11.1.1 | Access control policy | Y | For the protection of sensitive data and systems. |

A.11.2 User access management

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.11.2.1 | User registration | Y | To prevent unauthorised access to information systems. |
| A.11.2.2 | Privilege management | Y | Certain positions carry privileges. |
| A.11.2.3 | User password management | Y | All applications need password protection. |
| A.11.2.4 | Review of user access rights | Y | Required to be reviewed periodically. |

A.11.3 User responsibilities

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.11.3.1 | Password use | Y | To ensure availability of systems. |
| A.11.3.2 | Unattended user equipment | Y | By user equipment we mean the administrators' workstations. |
| A.11.3.3 | Clear desk and clear screen policy | Y | Although assets are sited in a secure area, information displayed on screen (or on paper) may be confidential. |

A.11.4 Network access control

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.11.4.1 | Policy on use of network services | Y | Networked services available to authorised personnel. |
| A.11.4.2 | User authentication for external connections | Y | Home workers use dial-in services for remote access. |
| A.11.4.3 | Equipment identification in networks | Y | Automatic identification is used for servers and networks. |
| A.11.4.4 | Remote diagnostic and configuration port protection | Y | Remote diagnostic and configuration access via Dell OpenManage. |
| A.11.4.5 | Segregation in networks | Y | Networks segregated for the control of unauthorised access. |
| A.11.4.6 | Network connection control | Y | To control access in accordance with the access control policy. |
| A.11.4.7 | Network routing control | Y | To prevent unauthorised access in shared networks. |

A.11.5 Operating system access control

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.11.5.1 | Secure log-on procedures | Y | To control and manage user access. |
| A.11.5.2 | User identification and authentication | Y | To maintain records and monitor unauthorised activities. |
| A.11.5.3 | Password management system | N | To control and manage user passwords. |
| A.11.5.4 | Use of system utilities | N | No utility programs are allowed to run on application servers. |
| A.11.5.5 | Session time-out | N | Only administrators can access the operating systems of the servers via their desktops. The desktops are sited in a secure environment with controlled access. Hence having a session time-out policy is not deemed necessary at this time. |
| A.11.5.6 | Limitation of connection time |  | Only administrators can access the operating systems of the servers via their desktops. The desktops are sited in a secure environment with controlled access. Hence having a connection time limit is not deemed necessary at this time. |

A.11.6 Application and information access control

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.11.6.1 | Information access restriction | Y | A need-to-know policy is employed. |
| A.11.6.2 | Sensitive system isolation | Y | All systems are treated as sensitive. |

A.11.7 Mobile computing and teleworking

| Control | Description | Adopted | Justification |
|---|---|---|---|
| A.11.7.1 | Mobile computing and communications | Y | Used by system administrators to identify system failures and restart essential services after failure. |
| A.11.7.2 | Teleworking |  | AGS staff do not do teleworking. |

A.12 Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.12.1.1 | Security requirements analysis and specification | Y | The data centre does not do any development, maintenance or support of application system software. However, any enhancements to hardware (i.e. extra disks, etc.) require a change request. | Change Request |

A.12.2 Correct processing in applications

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.12.2.1 | Input data validation | N | The data centre does not do any development, maintenance or support of application system software. | n/a |
| A.12.2.2 | Control of internal processing | N | The data centre does not do any development, maintenance or support of application system software. | n/a |
| A.12.2.3 | Message integrity | N | The data centre does not do any development, maintenance or support of application system software. | n/a |
| A.12.2.4 | Output data validation |  | The data centre does not do any development, maintenance or support of application system software. | n/a |

A.12.3 Cryptographic controls

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.12.3.1 | Policy on the use of cryptographic controls | N | Cryptographic controls are application specific and not supported by AGS. | n/a |
| A.12.3.2 | Key management | N | Cryptographic controls are application specific and not supported by AGS. | n/a |

A.12.4 Security of system files

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.12.4.1 | Control of operational software | Y | To prevent unauthorised change control. | Change control policy |
| A.12.4.2 | Protection of system test data | N | The data centre does not do any development, maintenance or support of application system software. | n/a |
| A.12.4.3 | Access control to program source code | Y | Source code held as backup only. | Backup Procedure |

A.12.5 Security in development and support processes

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.12.5.1 | Change control procedures | Y | Any data centre asset change requires a change request. | Change control policy; Maintenance schedules and logs |
| A.12.5.2 | Technical review of applications after operating system changes |  | Not in the remit of the data centre, but owners of applications are informed when operating system changes have been made. | n/a |
| A.12.5.3 | Restrictions on changes to software packages |  | Software packages are not used by AGS (application software controlled by change control procedure). |  |
| A.12.5.4 | Information leakage | Y | Opportunities for information leakage need to be prevented. | Access control policy |
| A.12.5.5 | Outsourced software development | N | Software development is not done by AGS. | n/a |

A.12.6 Technical vulnerability management

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.12.6.1 | Control of technical vulnerabilities |  | Technical vulnerabilities need to be managed. | Risk Assessment |

A.13 Information security incident management

A.13.1 Reporting information security events and weaknesses

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.13.1.1 | Reporting information security events | Y | All security problems are notified to the Data Centre Manager. | Reporting Security Incidents Procedure |
| A.13.1.2 | Reporting security weaknesses | Y | All security problems are notified to the Data Centre Manager. | Reporting Security Incidents Procedure |

A.13.2 Management of information security incidents and improvements

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.13.2.1 | Responsibilities and procedures | Y | Responsibilities and procedures need to be clearly defined. | Roles and Responsibilities; Reporting Security Incidents Procedure |
| A.13.2.2 | Learning from information security incidents | Y | Lessons learned need evaluating to prevent further incidents. | Learning from Security Incidents |
| A.13.2.3 | Collection of evidence | Y | Collection of evidence is required. | Learning from Security Incidents |

A.14 Business Continuity Management

A.14.1 Information security aspects of business continuity management

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.14.1.1 | Including information security in the business continuity management process | Y | To counteract major failures or catastrophes. | Business Continuity Plans |
| A.14.1.2 | Business continuity and risk assessment | Y | To know that the strategy adopted is feasible, planned and effective. | Risk Assessment Procedure |
| A.14.1.3 | Developing and implementing continuity plans including information security | Y | To ensure a structured and managed approach to restoring business functionality. | Business Continuity Plans |
| A.14.1.4 | Business continuity planning framework | N | Single BCP in place at Aimes Grid Services (CIC). | n/a |
| A.14.1.5 | Testing, maintaining and re-assessing business continuity plans | Y | For on-going verification and validation of an effective approach to BCP. | Business Continuity Plan Test Policy |

A.15 Compliance

A.15.1 Compliance with legal requirements

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.15.1.1 | Identification of applicable legislation | Y | Legal/mandatory requirement. | Compliance with Legal Requirements |
| A.15.1.2 | Intellectual property rights (IPR) | Y | The ISMS only uses legal/licensed software. | Compliance with Legal Requirements |
| A.15.1.3 | Protection of organizational records | Y | The ISMS complies with industry, legal and contract requirements. | Compliance with Legal Requirements |
| A.15.1.4 | Data protection and privacy of personal information | Y | The ISMS is legally required to register all personnel records under the Data Protection Act 1998. | Compliance with Legal Requirements |
| A.15.1.5 | Prevention of misuse of information processing facilities | Y | To ensure that all employees are aware of the policy on the use of company information processing facilities. | Compliance with Legal Requirements |
| A.15.1.6 | Regulation of cryptographic controls | N | Cryptography not used. | n/a |

A.15.2 Compliance with security policies and standards, and technical compliance

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.15.2.1 | Compliance with security policies and standards | Y | Management ensure all security procedures are carried out correctly to achieve compliance with security policies and standards. | Audit procedure |
| A.15.2.2 | Technical compliance checking |  | Conducted by audit specialists to ensure compliance with security policies and standards. | Audit Compliance |

A.15.3 Information systems audit considerations

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.15.3.1 | Information systems audit controls | Y | The internal audit team conducts regular audits of all policies and procedures adopted by the company to ensure effective implementation. | n/a |
| A.15.3.2 | Protection of information system audit tools |  | Controlled by the IT manager to prevent misuse or compromise. | n/a |
