statement of applicability.doc
Aimes Grid Services (CIC)
Issue Date: 06-Dec-2007
Document Name: ISO27001_SCO_StatementOfApplicability_02.doc
Security Classification: Public

SOA ISO 27001:2005 Statement of Applicability

A.5 Security Policy

A.5.1 Information Security Policy

Control | Description | Adopted | Justification
A.5.1.1 | Information security policy document | Y | Security Policy has been approved by the Data Centre Manager.
A.5.1.2 | Review of the information security policy | Y | The Security Policy is reviewed for continuing applicability at intervals not exceeding 12 months.

A.6 Organisation of Information Security

A.6.1 Internal Organization

Control | Description | Adopted | Justification
A.6.1.1 | Management Commitment to Information Security | Y | Management have demonstrated their commitment to information security by the allocation of resources and investment in their people.
A.6.1.2 | Information Security Co-ordination | Y | Within the data centre, all information security activities are co-ordinated.
A.6.1.3 | Allocation of Information Security Responsibilities | Y | All staff need to fully understand their responsibilities and procedures related to information security.
A.6.1.4 | Authorisation Process for Information Processing Facilities | Y | A change request is required for any new processing facilities.
A.6.1.5 | Confidentiality Agreements | Y | Confidentiality agreements for the protection of information are identified and regularly reviewed.
A.6.1.6 | Contact with Authorities | N | Unnecessary owing to scope of registration.
A.6.1.7 | Contact with special interest groups | N | Unnecessary owing to scope of registration (rely on automatic update for security and anti-virus protection).
A.6.1.8 | Independent review of information security | Y | This is conducted at least once a year by an internal/external independent body.

A.6.2 External Parties

Control | Description | Adopted | Justification
A.6.2.1 | Identification of Risks related to external Parties | Y | External parties have access to the data centre.
A.6.2.2 | Addressing security when dealing with customers | Y | Customers have access to the data centre.
A.6.2.3 | Addressing security in third party agreements | Y | Third party controls employed.

A.7 Asset Management

A.7.1 Responsibility for Assets

Control | Description | Adopted | Justification
A.7.1.1 | Inventory of assets | Y | A record of all information assets is kept on-site.
A.7.1.2 | Ownership of assets | Y | All assets in the scope of this registration are owned by the Data Centre Manager.
A.7.1.3 | Acceptable use of assets | Y | Acceptable use of assets is laid down in the policies & procedures of the system.

A.7.2 Information Classification

Control | Description | Adopted | Justification
A.7.2.1 | Classification guidelines | Y | All data is held electronically and is application specific.
A.7.2.2 | Information labelling and handling | Y | Impractical and unnecessary.

A.8 Human Resources Security

A.8.1 Prior to employment

Control | Description | Adopted | Justification
A.8.1.1 | Roles and responsibilities | Y | All employees have job descriptions defining their roles and responsibilities.
A.8.1.2 | Screening | Y | Data centre standards require independent references be sought prior to commencement of employment. Verification of the accuracy of CVs and identity checks are also undertaken.
A.8.1.3 | Terms and conditions of employment | Y | All employees have job security responsibilities included in their terms and conditions of employment.

A.8.2 During employment

Control | Description | Adopted | Justification
A.8.2.1 | Management responsibilities | Y | All applicable personnel are made aware of their responsibilities with regard to security.
A.8.2.2 | Information security awareness, education and training | Y | All staff receive on-site security training with regard to ISO27001 where needed.
A.8.2.3 | Disciplinary process | Y | All staff have been made fully aware of their responsibilities regarding information security.

A.8.3 Termination or change of employment

Control | Description | Adopted | Justification
A.8.3.1 | Termination responsibilities | Y | To prevent unauthorized access following termination of employment contract.
A.8.3.2 | Return of assets | Y | To ensure return of all company assets.
A.8.3.3 | Removal of access rights | Y | To ensure no unauthorized access following termination of employment contract.

A.9 Physical and environmental security

A.9.1 Secure areas

Control | Description | Adopted | Justification
A.9.1.1 | Physical Security Perimeter | Y | The building is situated in a business park and perimeter controls are in place.
A.9.1.2 | Physical Entry Controls | Y | Controlled access to all areas is necessary.
A.9.1.3 | Securing Offices, Rooms and facilities | Y | To prevent unauthorised access to sensitive equipment.
A.9.1.4 | Protecting against external and environmental threats | Y | To ensure continuity of service.
A.9.1.5 | Working in Secure Areas | Y | Protection of both staff and equipment.
A.9.1.6 | Public access, delivery and loading areas | Y | Deliveries are made to the data centre.

A.9.2 Equipment Security

Control | Description | Adopted | Justification
A.9.2.1 | Equipment siting and protection | Y | To protect against environmental and physical threats.
A.9.2.2 | Supporting utilities | Y | Equipment running twenty-four hours a day, seven days a week.
A.9.2.3 | Cabling security | Y | False floors to carry IT cabling.
A.9.2.4 | Equipment maintenance | Y | Data centre requirement: equipment needs to be maintained to ensure continued availability.
A.9.2.5 | Security of equipment off premises | Y | Home working by some staff.
A.9.2.6 | Secure disposal or re-use of equipment | Y | All client data held electronically needs to be disposed of securely.
A.9.2.7 | Removal of property | Y | Authorised staff have removable IT equipment.

A.10 Communications and operations management

A.10.1 Operational procedures and responsibilities

Control | Description | Adopted | Justification
A.10.1.1 | Documented operating procedures | Y | AGS employees will follow appropriate operating instructions.
A.10.1.2 | Change management | Y | Adopted as best practice.
A.10.1.3 | Segregation of duties | Y | To prevent unauthorised modification of IT systems or abuse of position.
A.10.1.4 | Separation of development, test and operational facilities | N | No development done at/by the Data Centre.

A.10.2 Third party service delivery management

Control | Description | Adopted | Justification
A.10.2.1 | Service delivery | Y | 3rd party services are used.
A.10.2.2 | Monitoring and review of third party services | Y | Monitoring & review take place to ensure continuity of service.
A.10.2.3 | Managing changes to third party services | Y | Managing changes to ensure continuity of service.

A.10.3 System planning and acceptance

Control | Description | Adopted | Justification
A.10.3.1 | Capacity management | Y | Growth is core to the business.
A.10.3.2 | System acceptance | Y | To ensure all systems are acceptable prior to installation.

A.10.4 Protection against malicious and mobile code

Control | Description | Adopted | Justification
A.10.4.1 | Controls against malicious code | Y | Protection against malicious code.
A.10.4.2 | Controls against mobile code | Y | System administrators have access to DMZ zones.

A.10.5 Back-up

Control | Description | Adopted | Justification
A.10.5.1 | Information back-up | Y | To prevent the permanent loss of important information assets.

A.10.6 Network security management

Control | Description | Adopted | Justification
A.10.6.1 | Network controls | Y | Safeguarding of information in networks.
A.10.6.2 | Security of network services | N | Do not provide any network services.

A.10.7 Media Handling

Control | Description | Adopted | Justification
A.10.7.1 | Management of Removable Media | Y | There are times when information is stored temporarily on removable media such as laptops.
A.10.7.2 | Disposal of Media | Y | Need to make sure that no confidential information is leaked.
A.10.7.3 | Information Handling Procedures | Y | To ensure business continuity and prevent disruption.
A.10.7.4 | Security of System Documentation | Y | Documentation held in both hard and electronic format.

A.10.8 Exchange of information

Control | Description | Adopted | Justification
A.10.8.1 | Information exchange policies and procedures | Y | Contracts requirement.
A.10.8.2 | Exchange agreements | Y | Contracts requirement.
A.10.8.3 | Physical media in transit | Y | Tape backup transported to AGS fire safe.
A.10.8.4 | Electronic messaging | Y | All staff have access to a company e-mail account.
A.10.8.5 | Business information systems | N | No interconnected business systems.

A.10.9 Electronic commerce services

Control | Description | Adopted | Justification
A.10.9.1 | Electronic Commerce | N | No e-commerce facilities used in ISMS.
A.10.9.2 | On-line transactions | N | No e-commerce facilities used in ISMS.
A.10.9.3 | Publicly available information | Y | All information has a security classification.

A.10.10 Monitoring

Control | Description | Adopted | Justification
A.10.10.1 | Audit logging | Y | User activities, exceptions, and information security events are recorded and kept for an agreed period to assist in future investigations and access control monitoring.
A.10.10.2 | Monitoring system use | Y | Procedures have been developed for monitoring system use.
A.10.10.3 | Protection of log information | Y | Generated log information is well protected against tampering and unauthorized access.
A.10.10.4 | Administrator and operator logs | Y | System/Database Administrator activities are monitored and logged.
A.10.10.5 | Fault logging | Y | A log of all faults is kept in the IT department.
A.10.10.6 | Clock synchronization | Y | All clocks are synchronised to GMT.

A.11 Access control

A.11.1 Business requirement for access control

Control | Description | Adopted | Justification
A.11.1.1 | Access control policy | Y | For the protection of sensitive data and systems.

A.11.2 User access management

Control | Description | Adopted | Justification
A.11.2.1 | User registration | Y | To prevent unauthorised access to information systems.
A.11.2.2 | Privilege management | Y | Certain positions carry privileges.
A.11.2.3 | User password management | Y | All applications need password protection.
A.11.2.4 | Review of user access rights | Y | Required to be reviewed periodically.

A.11.3 User responsibilities

Control | Description | Adopted | Justification
A.11.3.1 | Password use | Y | To ensure availability of systems.
A.11.3.2 | Unattended user equipment | Y | By user equipment we mean the administrators' workstations.
A.11.3.3 | Clear desk and clear screen policy | Y | Although assets are sited in a secure area, information displayed on screen (or on paper) may be confidential.

A.11.4 Network access control

Control | Description | Adopted | Justification
A.11.4.1 | Policy on use of network services | Y | Networked services available to authorised personnel.
A.11.4.2 | User authentication for external connections | Y | Home workers use dial-in services for remote access.
A.11.4.3 | Equipment identification in networks | Y | Automatic identification is used for servers and networks.
A.11.4.4 | Remote diagnostic and configuration port protection | Y | Remote diagnostic and configuration access, via Dell OpenManage.
A.11.4.5 | Segregation in networks | Y | Networks segregated for the control of unauthorised access.
A.11.4.6 | Network connection control | Y | To control access in accordance with the access control policy.
A.11.4.7 | Network routing control | Y | To prevent unauthorised access in shared networks.

A.11.5 Operating system access control

Control | Description | Adopted | Justification
A.11.5.1 | Secure log-on procedures | Y | To control and manage user access.
A.11.5.2 | User identification and authentication | Y | To maintain records and monitor unauthorised activities.
A.11.5.3 | Password management system | N | To control and manage user passwords.
A.11.5.4 | Use of system utilities | N | No utility programs are allowed to run on application servers.
A.11.5.5 | Session time-out | N | Only administrators can access the operating systems of the servers via their desktops. The desktops are sited in a secure environment with controlled access. Hence having a session time-out policy is not deemed necessary at this time.
A.11.5.6 | Limitation of connection time | N | Only administrators can access the operating systems of the servers via their desktops. The desktops are sited in a secure environment with controlled access. Hence having a connection time limit is not deemed necessary at this time.

A.11.6 Application and information access control

Control | Description | Adopted | Justification
A.11.6.1 | Information access restriction | Y | A need-to-know policy is employed.
A.11.6.2 | Sensitive system isolation | Y | All systems are treated as sensitive.

A.11.7 Mobile Computing and teleworking

Control | Description | Adopted | Justification
A.11.7.1 | Mobile Computing and communications | Y | Used by system administrators to identify system failures and restart essential services after failure.
A.11.7.2 | Teleworking | N | AGS staff do not do teleworking.

A.12 Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems

Control | Description | Adopted | Justification | Reference
A.12.1.1 | Security Requirements Analysis and Specification | Y | Data centre does not do any development, maintenance or support of application system software. However, any enhancements to hardware (i.e. extra disks, etc.) require a change request. | Change Request

A.12.2 Correct processing in applications

Control | Description | Adopted | Justification | Reference
A.12.2.1 | Input Data Validation | N | Data centre does not do any development, maintenance or support of application system software. | n/a
A.12.2.2 | Control of Internal Processing | N | Data centre does not do any development, maintenance or support of application system software. | n/a
A.12.2.3 | Message integrity | N | Data centre does not do any development, maintenance or support of application system software. | n/a
A.12.2.4 | Output Data Validation | N | Data centre does not do any development, maintenance or support of application system software. | n/a

A.12.3 Cryptographic controls

Control | Description | Adopted | Justification | Reference
A.12.3.1 | Policy on the Use of Cryptographic Controls | N | Cryptographic controls are application specific and not supported by AGS. | n/a
A.12.3.2 | Key Management | N | Cryptographic controls are application specific and not supported by AGS. | n/a

A.12.4 Security of system files

Control | Description | Adopted | Justification | Reference
A.12.4.1 | Control of Operational Software | Y | To prevent unauthorised change. | Change control policy
A.12.4.2 | Protection of System Test Data | N | Data centre does not do any development, maintenance or support of application system software. | n/a
A.12.4.3 | Access Control to Program Source Code | Y | Source code held as backup only. | Backup Procedure

A.12.5 Security in development and support processes

Control | Description | Adopted | Justification | Reference
A.12.5.1 | Change Control Procedures | Y | Any data centre asset change requires a change request. | Change control policy
A.12.5.2 | Technical Review of applications after Operating System Changes | Y | Not in remit of data centre, but owners of applications are informed when operating system changes have been made. | Maintenance schedules and Logs
A.12.5.3 | Restrictions on Changes to Software Packages | N | Software packages are not used by AGS (application software controlled by change control procedure). | n/a
A.12.5.4 | Information leakage | Y | Opportunities for information leakage need to be prevented. | Access control policy
A.12.5.5 | Outsourced Software Development | N | Software development is not done by AGS. | n/a

A.12.6 Technical vulnerability management

Control | Description | Adopted | Justification | Reference
A.12.6.1 | Control of technical vulnerabilities | Y | Technical vulnerabilities need to be managed. | Risk Assessment

A.13 Information security incident management

A.13.1 Reporting information security events and weaknesses

Control | Description | Adopted | Justification | Reference
A.13.1.1 | Reporting information security events | Y | All security problems are notified to the Data Centre Manager. | Reporting Security Incidents Procedure
A.13.1.2 | Reporting security weaknesses | Y | All security problems are notified to the Data Centre Manager. | Reporting Security Incidents Procedure

A.13.2 Management of information security incidents and improvements

Control | Description | Adopted | Justification | Reference
A.13.2.1 | Responsibilities and procedures | Y | Responsibilities and procedures need to be clearly defined. | Roles and Responsibilities; Reporting Security Incidents Procedure
A.13.2.2 | Learning from information security incidents | Y | Lessons learned need evaluating to prevent further incidents. | Learning from Security Incidents
A.13.2.3 | Collection of evidence | Y | Collection of evidence is required. | Learning from Security Incidents

A.14 Business Continuity Management

A.14.1 Information security aspects of business continuity management

Control | Description | Adopted | Justification | Reference
A.14.1.1 | Including information security in the business continuity management process | Y | To counteract major failures or catastrophes. | Business Continuity Plans
A.14.1.2 | Business continuity and risk assessment | Y | To know that the strategy adopted is feasible, planned and effective. | Risk Assessment Procedure
A.14.1.3 | Developing and implementing continuity plans including information security | Y | To ensure a structured and managed approach to restoring business functionality. | Business Continuity Plans
A.14.1.4 | Business continuity planning framework | N | Single BCP in place at Aimes Grid Services (CIC). | n/a
A.14.1.5 | Testing, maintaining and re-assessing business continuity plans | Y | For on-going verification and validation of an effective approach to BCP. | Business Continuity Plan Test Policy

A.15 Compliance

A.15.1 Compliance with legal requirements

Control | Description | Adopted | Justification | Reference
A.15.1.1 | Identification of applicable legislation | Y | Legal/mandatory requirement. | Compliance with Legal Requirements
A.15.1.2 | Intellectual property rights (IPR) | Y | ISMS only uses legal/licensed software. | Compliance with Legal Requirements
A.15.1.3 | Protection of organizational records | Y | ISMS complies with industry, legal and contract requirements. | Compliance with Legal Requirements
A.15.1.4 | Data protection and privacy of personal information | Y | ISMS is legally required to register all personnel records under the Data Protection Act 1998. | Compliance with Legal Requirements
A.15.1.5 | Prevention of misuse of information processing facilities | Y | To ensure that all employees are aware of the policy on the use of company information processing facilities. | Compliance with Legal Requirements
A.15.1.6 | Regulation of cryptographic controls | N | Cryptography not used. | n/a

A.15.2 Compliance with security policies and standards, and technical compliance

Control | Description | Adopted | Justification | Reference
A.15.2.1 | Compliance with security policies and standards | Y | Management ensure all security procedures are carried out correctly to achieve compliance with security policies and standards. | Audit procedure
A.15.2.2 | Technical compliance checking | Y | Conducted by audit specialists to ensure compliance with security policies and standards. | Audit Compliance

A.15.3 Information systems audit considerations

Control | Description | Adopted | Justification | Reference
A.15.3.1 | Information systems audit controls | Y | Internal audit team conduct regular audits of all policies and procedures adopted by the company to ensure effective implementation. | n/a
A.15.3.2 | Protection of information system audit tools | Y | Controlled by IT manager to prevent misuse or compromise. | n/a