November 2000
- 'cut and paste' specific parts of the Forum's Standard to complement existing standards within their organisations
- create an 'html' version of the Standard, which could be posted on a corporate intranet and include links to associated documents and sites
- produce a database of detailed standards, incorporating useful 'search' facilities
- facilitate the generation of checklists used for security audits.
Note: The complete version of the Standard is available as an Adobe Acrobat .pdf document.
Area / Section / Page

Area SM1 HIGH-LEVEL DIRECTION
  SM11 Management Commitment (page 2)
  SM12 Security Policy (page 3)
  SM13 Personnel Policies (page 4)
Area SM2 SECURITY ORGANISATION
  SM21 High-level Control (page 5)
  SM22 Driving Force (page 5)
  SM23 Local Co-ordination (page 6)
  SM24 Security Awareness (page 6)
  SM25 Security Education (page 7)
Area SM3 RISK ASSESSMENT
  SM31 Security Classification (page 8)
  SM32 Ownership (page 9)
  SM33 Risk Analysis (page 10)
Area SM4 SECURE ENVIRONMENT
  SM41 Standards / Procedures (page 11)
  SM42 Security Architecture (page 12)
  SM43 Data Privacy (page 12)
  SM44 Physical Protection (page 13)
  SM45 Business Continuity (page 13)
Area SM5 SPECIAL TOPICS
  SM51 Protection from Malicious Code (page 14)
  SM52 Use of Cryptography (page 15)
  SM53 Electronic Mail (page 16)
  SM54 Remote Working (page 17)
  SM55 Third Party Access (page 18)
  SM56 Electronic Commerce (page 19)
Area SM6 MANAGEMENT REVIEW
  SM61 Security Audit / Review (page 20)
  SM62 Security Monitoring (page 21)
Area SM1 HIGH-LEVEL DIRECTION
Achieving a consistent standard of good practice for information security across the enterprise requires clear direction from the top. Accordingly, this area covers top management's direction on, and commitment to, information security. It specifies arrangements for communicating this direction and commitment to individuals who have access to the information and systems of the enterprise.

Section / Objective / Standard of good Practice
Area SM2 SECURITY ORGANISATION
Safeguarding information and systems requires information security activity to be organised efficiently across the enterprise. Accordingly, this area covers the organisational arrangements for managing information security across the enterprise and the security awareness, know-how and skills of individuals with authorised access to the organisation's information and systems.
Area SM3 RISK ASSESSMENT
Ensuring that the safeguards applied to information and systems are proportionate to their importance to the business is a fundamental element of good practice. Accordingly, this area covers arrangements for identifying risk and control requirements in a structured, business-oriented manner.
SM32 Ownership
Objective: To achieve individual accountability for all information and systems within the enterprise and to give responsible individuals a vested interest in safeguarding them.

Ownership of all information, software and associated computer and network facilities of the enterprise should be assigned to the person(s) in charge of the business processes or organisational units most dependent on them. An owner should be an individual, rather than a collective body.

Responsibilities of owners should be clearly defined and documented. They should be formally accepted by all owners. Responsibilities should include:
- determining business requirements (including information security requirements)
- classifying information and systems according to their criticality, sensitivity and vulnerability
- defining access policies
- establishing and maintaining service agreements
- authorising specifications for business requirements (including changes)
- being involved in information security reviews
- protecting information and systems in line with business risk.

A process should be established for reassigning ownership and for fulfilling responsibilities when the owner is unavailable.
SM44 Physical Protection

- buildings that house critical IT facilities against unauthorised access, by using locks, employing security guards and providing video surveillance
- important papers and removable storage media such as CDs and diskettes against theft or copying, by complying with a clear desk policy, providing lock-out on unattended terminals and restricting physical access to important post / fax points
- easily portable computers and components against theft, by using physical locks and indelibly marking vulnerable equipment
- staff against coercion from malicious third parties, by providing duress alarms in susceptible public areas and establishing a process for responding to emergencies.
Area SM5 SPECIAL TOPICS
The rapid pace of change in business and technology has resulted in the emergence of special topics with particular security concerns that should be dealt with enterprise-wide. Accordingly, this area covers the special security controls that apply to electronic commerce, electronic mail, remote working, use of cryptography and the provision of third party access. It also covers the arrangements required to protect against malicious mobile code.
Area SM6 MANAGEMENT REVIEW
An accurate understanding of the information security condition of the enterprise (including the level of dependence on information and systems, its security status, incident statistics, likely threats and improvement activity) is required in order to manage information security effectively. Accordingly, this area covers the arrangements needed to provide decision-makers with sound information on the security condition of information and systems across the enterprise.
Area / Section / Page

Area CB1 SECURITY REQUIREMENTS
  CB11 Confidentiality Requirements (page 23)
  CB12 Integrity Requirements (page 24)
  CB13 Availability Requirements (page 24)
Area CB2 RISK ASSESSMENT
  CB21 Security Classification (page 25)
  CB22 Risk Analysis (page 26)
Area CB3 APPLICATION MANAGEMENT
  CB31 Roles and Responsibilities (page 27)
  CB32 Running the Application (page 28)
  CB33 Application Controls (page 28)
  CB34 Change Management (page 29)
  CB35 Incident Management (page 29)
  CB36 Security Audit / Review (page 30)
  CB37 Business Continuity (page 30)
  CB38 Sensitive Material and Information (page 31)
Area CB4 USER ENVIRONMENT
  CB41 Access Control (page 32)
  CB42 Workstation Configuration (page 33)
  CB43 User Awareness (page 33)
Area CB5 SYSTEM MANAGEMENT
  CB51 Service Agreements (page 34)
  CB52 Resilience (page 34)
  CB53 External Connections (page 35)
  CB54 Back-up (page 35)
Area CB6 SPECIAL TOPICS
  CB61 Third Party Access (page 36)
  CB62 Cryptographic Key Management (page 37)
  CB63 Electronic Commerce Applications (page 38)
Area CB1 SECURITY REQUIREMENTS
Business applications vary enormously in their importance to the business; hence the level of protection that is required also varies. Accordingly, this area identifies the information security requirements of the application.
CB11 Confidentiality Requirements

Objective: To enable the confidentiality requirements of the application to be assessed in a consistent manner.

The impact of business information stored in or processed by the application being disclosed to unauthorised individuals should be assessed in terms of:
- loss of competitive advantage
- direct loss of business
- loss of public confidence
- additional costs being incurred
- breach of legal, regulatory or contractual obligations
- damage to staff morale
- fraud.

The confidentiality requirements of the application should be documented, agreed by the business owner and made available to top management.
CB12 Integrity Requirements

Objective: To enable the integrity requirements of the application to be assessed in a consistent manner.

The impact of business information stored in or processed by the application being accidentally corrupted or deliberately manipulated should be assessed in terms of:
- incorrect management decisions being made
- direct loss of business
- fraud
- loss of public confidence
- additional costs being incurred
- breach of legal, regulatory or contractual obligations
- damage to staff morale
- business disruption.

The integrity requirements of the application should be documented, agreed by the business owner and made available to top management.

CB13 Availability Requirements

Objective: To enable the availability requirements of the application to be assessed in a consistent manner.

The impact of business information stored in or processed by the application being unavailable for any length of time should be assessed in terms of:
- incorrect management decisions being made
- direct loss of business
- fraud
- loss of public confidence
- additional costs being incurred
- breach of legal, regulatory or contractual obligations
- damage to staff morale
- business disruption.

The critical timescale of the application should be determined (ie the timescale beyond which the unavailability of information or systems would be unacceptable to the business). The availability requirements of the application should be documented, agreed by the business owner and made available to top management.
Area CB2 RISK ASSESSMENT
The controls applied to a business application should be proportional to business risk. Accordingly, this area covers the arrangements made to identify the relative importance of the application, the associated business risks and the level of protection required.
Area CB3 APPLICATION MANAGEMENT
Keeping business risks within acceptable limits requires a coherent set of information security arrangements. Accordingly, this area covers the roles and responsibilities required (including business ownership), key issues associated with running the application, integral application controls and special controls for handling sensitive material and exchanging sensitive information. In addition, this area covers general management controls including change management, incident management, security audit / review and business continuity.
CB33 Application Controls

Objective: To ensure that controls to protect information stored in or processed by the application have been designed into the application and applied rigorously.

The application should be designed so that:
- the validity of the information it processes can be readily established, for example using range, consistency and hash total checks
- the completeness and accuracy of information processed can be confirmed, for example by comparison with control balances or original documentation and rigorous checking of changes to key files and parameters
- accountability for actions can be determined
- the opportunity for error or abuse is minimised, for example by automating processes and the maintenance of a complete and reliable audit trail, including error and exception reports.

Where the application is used to initiate critical business processes, such as funds transfers or publication of financial results, additional controls should be applied. These should include confirmation from the person initiating the process to ensure it is valid and authorised, dual control over important activities (such as data input or payments) and the ability to revoke critical processes initiated in error.
CB34 Change Management

Objective: To ensure that changes do not affect the availability of the application or compromise the confidentiality / integrity of associated business information.

Changes affecting the application should be made in accordance with a formal process. The process should apply to all forms of change, such as:
- upgrades and modifications to application software, including emergency fixes
- revisions to parameter tables and settings
- modification of business information, such as data tables, files and databases
- changes to user or operating procedures
- changes to the computers / networks that support the application.

Before changes are made, their impact should be assessed, and they should be rigorously tested and approved by the business owner. Changes to the computers and networks that support the application should be organised to avoid disrupting use of the application. Development and acceptance testing activity should be isolated from the live environment.

CB35 Incident Management

Objective: To identify and resolve incidents effectively, minimise their business impact and reduce the risk of similar incidents occurring.

All types of incident (including malfunctions, loss of power / communications services, overloads, mistakes by users or computer staff, and access violations) should be dealt with in accordance with a formal process. The incident management process should:
- ensure incidents are reported to a single point of contact
- specify requirements for the recording of incidents
- include categorising incidents by type and prioritising them according to their impact / urgency
- define procedures for dealing with incidents (including investigation, planning of remedial action, resolution, communication with users, supervising activities and documenting actions taken).

Significant incidents should be reported to the business owner, who should assess their business impact. Patterns of incidents (including number and frequency) should be reviewed to diagnose common problems and to minimise their recurrence.
CB37 Business Continuity

Objective: To enable the business processes associated with the application to continue in the event of a disaster.

Arrangements should be made to enable the business processes associated with critical business applications to continue in the event of a disaster. Alternative facilities capable of running the application should be ready for use within the critical timescale of the application. Contingency arrangements should:
- cover prolonged unavailability of critical computer facilities or equipment, communications services, information, personnel, buildings or access to buildings
- be based on a thorough analysis of risk and approved by the business owner
- be the responsibility of a particular individual or working group
- be documented in a formal plan and updated following any significant changes (such as to network services and facilities, or to legal, regulatory or contractual obligations).

Business continuity plans should include a schedule of key tasks to be carried out, responsibilities for each task and a list of services to be recovered, in priority order. To ensure that services can continue within the critical timescale of the application (ie the point beyond which unacceptable loss would be suffered), periodic tests or rehearsals should be carried out using realistic simulations, involving both users and IT personnel. Key components of the application should be covered by insurance arrangements that address key risks (such as loss of data, business interruption, or liabilities to third parties) and provide adequate protection against likely threats (such as fire, theft, fraud or malicious damage).
Area CB4 USER ENVIRONMENT
Critical business applications can be used by internal or external business or technical users who may be sited locally or at a remote location, each with differing business and security requirements. It is, therefore, important that access to business information associated with the application is restricted and that users are aware of key risks and important security controls. Accordingly, this area covers the disciplines required to control access to the application, configure workstations and make users aware of information security and their associated responsibilities.
Area CB5 SYSTEM MANAGEMENT
To enable applications to function, they have to run on one or more computers and typically make use of one or more networks. Accordingly, this area covers service agreements, external connections and the information security arrangements which apply to the computers / networks that support the application.
CB52 Resilience

Objective: To ensure that the application is supported by a robust and reliable set of hardware and software.

Components that are critical to the continuity of the application should be identified and recorded in an inventory. Single points of failure should be minimised by:
- duplicating processors, such as by using fault tolerant systems
- processing information simultaneously at multiple locations (ie hot back-up)
- automatically identifying and recovering transactions following a system failure
- duplicating data storage, for example using disk mirroring or RAID
- protecting power supplies by uninterruptible power supplies (UPS).

An alternative source of power, such as a backup electricity generator, should be provided to enable the application to continue running in the event of an extended power failure.

To prevent the application from being disrupted by other systems:
- the application should be run on dedicated computers
- information should not be transferred from any connected system that does not have equivalent security controls.

The application should be supported by up-to-date makes and models of software and hardware (ie rather than by obsolete products).
CB54 Back-up

Objective: To prevent loss of essential information and software.

Back-up versions of essential information and software used by the application should be taken, according to a defined cycle. Back-ups should be:
- taken frequently enough to meet the time-criticality of business processes
- performed using an automated back-up management package
- verified to ensure that the back-up versions are readable and can be restored within the critical timescale of the application (ie the point beyond which unacceptable loss would be suffered)
- restricted to authorised personnel
- protected from loss or damage by storage on-site in a fireproof safe and supported by copies stored off-site.
Area CB6 SPECIAL TOPICS
The rapid pace of change in business and technology has resulted in the emergence of special topics with particular security concerns. Where these topics apply to a critical business application, special security arrangements are required. Accordingly, this area covers the additional security controls applicable to applications that provide third party access, employ cryptographic key management (for example, a Public Key Infrastructure) or support electronic commerce.
Area / Section / Page

Area IP1 INSTALLATION MANAGEMENT
  IP11 Organisation (page 41)
  IP12 Standards / Procedures (page 42)
  IP13 Service Agreements (page 42)
  IP14 System Documentation (page 43)
  IP15 System Monitoring (page 43)
  IP16 Outsourcing (page 44)
Area IP2 LIVE ENVIRONMENT
  IP21 Installation Design (page 45)
  IP22 Host Configuration (page 46)
  IP23 Workstation Configuration (page 46)
  IP24 Resilience (page 47)
  IP25 Hazard Protection (page 47)
  IP26 Power Supplies (page 48)
  IP27 Physical Access (page 48)
Area IP3 SYSTEM OPERATION
  IP31 Day-to-day Operations (page 49)
  IP32 Handling Computer Media (page 50)
  IP33 Back-up (page 51)
  IP34 Incident Management (page 51)
  IP35 Virus Protection (page 52)
Area IP4 ACCESS CONTROL
  IP41 Access Control Policies (page 53)
  IP42 Access Control Arrangements (page 54)
  IP43 User Authorisation (page 55)
  IP44 Access Privileges (page 56)
  IP45 Sign-on Process (page 57)
  IP46 User Authentication (page 58)
  IP47 Access Logging (page 59)
Area IP5 CHANGE MANAGEMENT
  IP51 Change Management Standards / Procedures (page 60)
  IP52 Change Management Process (page 61)
  IP53 Acceptance Criteria (page 62)
  IP54 Emergency Fixes (page 62)
Area IP6 LOCAL SECURITY MANAGEMENT
  IP61 Security Organisation (page 63)
  IP62 Security Awareness (page 64)
  IP63 Security Classification (page 65)
  IP64 Risk Analysis (page 66)
  IP65 Security Audit / Review (page 66)
Area IP7 SERVICE CONTINUITY
  IP71 Contingency Plans (page 67)
  IP72 Contingency Arrangements (page 68)
  IP73 Validation and Maintenance (page 68)
IP11 Organisation

Objective: To provide a sound management structure for personnel running the computer installation.

Overall responsibility for information processing activity should be assigned to an individual. Responsibilities for key tasks should be assigned to individuals equipped with the know-how, skills and time to fulfil their roles. Responsibilities should be clearly assigned for:
- controlling the technical aspects of the installation, such as installation design, host or workstation configuration, access control and virus protection
- general management of the installation, such as day-to-day operations, incident management, change management, system monitoring and service continuity
- establishing service agreements with users of applications supported by the installation
- co-ordinating information security activity.

The risk of staff disrupting the running of the installation, either in error or by malicious intent, should be reduced by:
- segregating the duties of personnel running the installation from those developing new systems
- ensuring all installation staff sign non-disclosure agreements
- reducing dependence on key individuals by automating tasks, ensuring complete and accurate documentation and arranging alternative cover of key positions
- closely controlling activities of installation staff, by supervision and recording of activity
- screening applicants for positions that involve running the installation, by taking up references, checking career history / qualifications and confirming identity, for example using a passport.
IP16 Outsourcing

Objective: To ensure that security requirements are satisfied when the running of the computer installation is entrusted to an outsource contractor.

Prior to outsourcing responsibility for the installation, an organisation should:
- subject the selection of outsource contractors and the transfer of responsibilities to a formal process
- identify risks and assess security practices employed by outsource contractors
- agree security controls, approve transfer and establish formal agreements.

Formal agreements should oblige contractors to:
- comply with good business practice, report incidents and provide regular reports on system performance
- maintain the confidentiality / integrity of information gained in the course of work, limiting access to authorised users
- maintain continuity of services in the event of a disaster
- apply agreed information security controls, ensuring legal and regulatory requirements, including those for data privacy, are met
- permit their activities to be audited
- provide compensation if service targets are not met.

Arrangements should be made to:
- deal with a single point of contact within the outsource contractor
- provide sufficient technical resources to manage the relationship with the outsource contractor on an informed basis
- cover the possibility of services being interrupted for a prolonged period.

Responsibility for managing the relationship with the outsource contractor should be assigned to a designated individual, equipped with sufficient technical skills and knowledge.
IP24 Resilience

Objective: To ensure that the computer installation is supported by a robust and reliable set of hardware and software.

Components that are critical to the functioning of the computer installation should be identified. Single points of failure should be minimised by the provision of duplicate or alternate:
- processors, for example using fault-tolerant systems
- on-line storage and file / database servers
- points from which the installation can be run.

The resilience of critical communications equipment, software, links and services should be improved by:
- giving high priority to reliability, compatibility and capacity in the acquisition process
- using only proven products, keeping them up-to-date and in good running order
- ensuring that key equipment can be replaced quickly, by holding a stock of spares on-site and ensuring timely repairs.
IP33 Back-up

Objective: To prevent loss of essential information or software.

Back-up versions of essential information and software used by the computer installation should be taken, according to a defined cycle. Back-up processes should be approved by business owners and comply with:
- enterprise-wide policies and standards / procedures
- business continuity plans
- legal, regulatory and contractual obligations
- long-term archiving requirements
- manufacturers' recommendations for reliable storage, such as maximum shelf-life.

Back-ups should be taken of master files / databases, transaction files, system programs / utilities, application software, parameter settings and system documentation. Back-ups should be:
- performed in accordance with a defined back-up / retention cycle that reflects security classifications, importance and time-criticality
- performed so that individual files can be recovered
- timestamped, reconciled to live versions and retained for at least three generations
- checked periodically to ensure recovery is possible
- clearly and accurately labelled, and protected from accidental overwriting
- stored in readily accessible locations on-site and supported by copies stored off-site
- protected in transit, for example by packing them in locked, robust containers and using only reputable couriers.
- applied rigorously
- supported by formal standards / procedures and clearly-defined responsibilities for business owners, users and specialist IT staff
- reviewed periodically and upgraded in response to new threats, capabilities, business requirements or access violations.
Area / Section / Page

Area CN1 COMMUNICATIONS MANAGEMENT
  CN11 Organisation (page 70)
  CN12 Standards / Procedures (page 71)
  CN13 Network Design (page 71)
  CN14 Network Resilience (page 72)
  CN15 Network Documentation (page 72)
  CN16 Service Providers (page 73)
  CN17 Outsourcing (page 74)
Area CN2 TRAFFIC MANAGEMENT
  CN21 Configuring Network Devices (page 75)
  CN22 Traffic Filtering (page 76)
  CN23 External Access (page 77)
Area CN3 NETWORK OPERATIONS
  CN31 Day-to-day Operations (page 78)
  CN32 Network Monitoring (page 79)
  CN33 Incident Management (page 79)
  CN34 Change Management (page 80)
  CN35 Physical Security (page 80)
  CN36 Back-up (page 81)
  CN37 Service Continuity (page 81)
  CN38 Remote Maintenance (page 81)
Area CN4 LOCAL SECURITY MANAGEMENT
  CN41 Security Organisation (page 82)
  CN42 Security Awareness (page 82)
  CN43 Security Classification (page 83)
  CN44 Risk Analysis (page 84)
  CN45 Security Audit / Review (page 84)
Area CN5 VOICE COMMUNICATIONS
  CN51 Policies and Documentation (page 85)
  CN52 Resilience (page 85)
  CN53 Special Controls (page 86)
Area CN1 COMMUNICATIONS MANAGEMENT
Computer networks are complex. They have to link different systems together, are subject to constant change and often rely on services provided by external parties. Orchestrating the technical and organisational issues involved requires sound management. Accordingly, this area covers: the standards / procedures and organisational arrangements applied to the network; its design, configuration and documentation; and the management of relationships with service providers and outsource contractors.
CN11 Organisation

Objective: To provide a sound management structure for personnel running the network.

Overall responsibility for network activity should be clearly assigned to an individual. Responsibilities for network activity should be assigned to individuals who are equipped with the know-how, skills and time to fulfil their roles. Responsibility should be clearly assigned for:
- controlling the technical aspects of the network, such as network design, configuration management, traffic management and network monitoring
- the general management of the network environment, such as day-to-day operations, incident management and change management
- establishing service agreements, such as those with users or external service providers
- methods of co-ordinating information security activity.

The risk of staff disrupting the running of the network, either in error or by malicious intent, should be reduced by:
- segregating the duties of staff running the network from those developing / designing the network
- ensuring all network staff sign non-disclosure agreements
- reducing dependence on key individuals by automating key tasks, ensuring complete and accurate documentation and arranging alternative cover for key positions
- closely controlling activities of network staff, by supervision and recording of activity
- screening applicants for positions that involve running the network, by taking up references, checking career history / qualifications and confirming identity, for example using a passport.
CN17 Outsourcing

Objective: To ensure that security requirements are satisfied when the running of the network is entrusted to an outsource contractor.

Prior to outsourcing responsibility for all or part of a network, an organisation should:
- subject the selection of outsource contractors and the transfer of responsibilities to a formal process
- identify risks and assess security practices employed by outsource contractors
- agree security controls, approve transfer and establish formal agreements.

Formal agreements should oblige contractors to:
- comply with good business practice, report incidents and provide regular reports on network performance
- maintain the confidentiality / integrity of information gained in the course of work, limiting access to authorised users
- maintain continuity of services in the event of a disaster
- apply agreed information security controls, ensuring legal and regulatory requirements (including those for data privacy) are met
- permit their activities to be audited and provide compensation if service targets are not met.

Arrangements should be made to:
- deal with a single point of contact within the outsource contractor
- provide sufficient resources to manage the relationship with the outsource contractor on an informed basis
- cover the possibility of network services being interrupted for a prolonged period.

Responsibility for managing the relationship with the outsource contractor should be assigned to a designated individual, equipped with sufficient technical skills and knowledge.
Area CN2 TRAFFIC MANAGEMENT
Communications networks can handle many types of network traffic from a wide variety of sources. To manage network traffic effectively, network devices have to be configured correctly and particular types of network traffic denied access. Accordingly, this area covers the disciplines required to ensure undesirable network traffic or unauthorised external users are prevented from gaining access to specified parts of the network.
Area CN3 NETWORK OPERATIONS
Maintaining the continuity of service to users requires networks to be run in accordance with sound disciplines. Accordingly, this area covers the arrangements made to run the network, monitor performance and manage changes and incidents. In addition, the area covers the arrangements required to provide physical security, take back-ups and ensure service continuity.
CN36 Back-up

Objective: To prevent loss of essential network information or software.

Back-up versions of essential network information and software (including communications software and utilities, network control tables / settings, configuration diagrams and inventories) should be taken, according to a defined cycle. Steps should be taken to verify that the back-up versions are readable and can be restored within the critical timescale of the network (ie the point beyond which unacceptable loss would be suffered). Back-ups should be protected from loss, damage and unauthorised access. They should be stored in a fireproof safe on-site and copies kept off-site.
Area CN4 LOCAL SECURITY MANAGEMENT
Communications networks play an essential role in the functioning of many critical business applications. They convey information that needs to be protected, and are valuable assets in their own right. Each of these perspectives needs to be considered in order to achieve network security. Accordingly, this area covers the arrangements made to ensure that information security is managed and co-ordinated for the network as a whole.
Area CN5 VOICE COMMUNICATIONS
Business processes can be disrupted if telephone systems go down or are overloaded. Harm can also be caused if telephone systems are subject to unauthorised use by outsiders, or sensitive conversations are compromised. Accordingly, this area covers the security arrangements applied to voice communications.
CN52 Resilience
To provide continuity of service to users of voice communication facilities. In-house telephone exchanges should:
- have sufficient capacity to cope with peak workloads and expansion / upgrade capabilities to cope with projected demand
- be supported by alternative power supplies, such as batteries, to cope with brief power outages
- have a control and monitoring facility capable of providing reports on usage, traffic and response statistics
- be housed in secure physical environments
- be supported by contingency plans and arrangements.
Steps should be taken to ensure that in-house telephone exchanges have:
- duplicate or alternative processors, alternative groups of exchange lines and routes to more than one main external exchange
- emergency bypass, so that they can fall back to direct calls
- a source of power capable of coping with prolonged power failures
- labels for telephone wires / cables and armoured ducting for critical cables.
Maintenance contracts should be in force to ensure timely repair.
Contents (area, section, page)
SD1 APPROACH
- SD11 Roles and Responsibilities (page 88)
- SD12 Development Methodologies (page 89)
- SD13 Quality Assurance (page 89)
- SD14 Development Environment (page 90)
- SD15 Outsourcing (page 91)
SD2 BUSINESS REQUIREMENTS
- SD21 Security Classification (page 92)
- SD22 Risk Analysis (page 93)
- SD23 Specification of Requirements (page 94)
- SD24 Security Controls (page 95)
SD3 DESIGN AND BUILD
- SD31 Design (page 96)
- SD32 Acquisition (page 97)
- SD33 System Build (page 98)
- SD34 Electronic Commerce Development (page 99)
SD4 TESTING
- SD41 Testing Standards / Procedures (page 100)
- SD42 Testing Process (page 101)
- SD43 Acceptance Testing (page 102)
SD5 IMPLEMENTATION
- SD51 Acceptance Criteria (page 103)
- SD52 Installation Process (page 104)
- SD53 User Procedures and Training (page 104)
- SD54 Post-implementation Review (page 104)
SD6 CHANGE MANAGEMENT
- SD61 Change Management Standards / Procedures (page 105)
- SD62 Change Management Process (page 106)
- SD63 Emergency Fixes (page 106)
SD1 APPROACH
Producing robust systems, on which the enterprise can depend, requires a sound approach to systems development. Accordingly, this area covers the roles and responsibilities of systems development staff, the methodologies used in developing systems, arrangements made for assuring quality, the security of the development environment and the arrangements needed to ensure that outsource contractors satisfy security requirements.
SD15 Outsourcing
To ensure that security requirements are satisfied when systems development is entrusted to an outsource contractor. Prior to outsourcing responsibility for some or all systems development activity, an organisation should:
- identify particularly sensitive or critical systems, the development of which might be better retained in-house
- subject the selection of outsource contractors and the transfer of responsibilities to a formal process
- identify risks and assess security practices employed by outsource contractors
- agree security controls, approve transfer and establish formal agreements.
Formal agreements should oblige contractors to:
- comply with good business practice, report incidents and provide regular reports on systems development activity
- maintain the confidentiality / integrity of information gained in the course of work, limiting access to authorised users
- maintain continuity of services in the event of a disaster
- apply agreed information security controls, ensuring legal and regulatory requirements, including data privacy, are met
- assure the quality and accuracy of development activity undertaken
- permit their activities to be audited
- provide compensation if service targets are not met.
Formal agreements should specify details of licensing arrangements, ownership of code and intellectual property rights. Arrangements should be made to deal with a single point of contact within the outsource contractor. Sufficient resources should be provided to manage the relationship with the outsource contractor on an informed basis. Responsibility for managing the relationship with the outsource contractor should be assigned to a designated individual, equipped with sufficient technical skills and knowledge.
SD2
BUSINESS REQUIREMENTS
A thorough understanding of business requirements (including information security requirements) is essential if systems are to fulfil their intended purpose. Accordingly, this area covers the arrangements made for identifying the level of criticality of systems under development, conducting risk analyses, specifying business requirements and assessing the security controls needed to fulfil them.
SD3
DESIGN AND BUILD
Building systems that function as intended requires careful consideration of information security and the maintenance of sound disciplines throughout the design and build stage of development. Accordingly, this area covers the arrangements made to address information security during design, acquisition and system build, including additional controls required for electronic commerce developments.
SD31 Design
To produce an operational system based on sound design principles which has security functionality built in and / or enables controls to be incorporated easily. Information security requirements for the system under development should be considered when evaluating alternative designs. The design phase should include:
- specification of a system architecture that can support technical system requirements
- identification of where security controls are to be applied
- documentation of control limitations and a review of designs to ensure controls are in place
- consideration of how individual controls work together to produce an integrated system of controls.
The evaluation of alternative designs for the system under development should take into account the:
- integration with existing information security architecture
- use of wider security solutions, for example a Public Key Infrastructure or enterprise-wide security administration
- cost of implementing controls
- skills needed to develop required solutions
- capability of the organisation to develop and support the chosen technology.
Before coding or acquisition work begins, system designs should be documented, verified to ensure that they meet business requirements and approved by the information security steering committee or equivalent. System designs should be signed off by the project manager and a specialist in information security. Designs for critical systems should also be signed off by the person in charge of development activity.
SD32 Acquisition
To ensure that software, hardware and services acquired from third parties provide the required functionality and do not compromise the security of systems under development. The acquisition of system components should be in accordance with formal standards / procedures. All types of system component should be covered, including application packages, systems software, specialised security products (such as anti-virus software, encryption mechanisms and firewalls), computer / communications equipment and external services. Controls over acquisition should include:
- selecting products and services from approved lists (with a high priority placed on reliability), assessing them against security requirements and supporting them by contractual terms agreed with suppliers
- addressing potential security weaknesses in products and services by considering external security ratings, identifying security deficiencies and implementing remedial measures
- meeting software licensing requirements by obtaining adequate licences for planned use, maintaining software documentation as proof of ownership and recording details, for example in an inventory.
The acquisition of products should be reviewed by staff who are equipped to evaluate them, and approved by the person in charge of development activity.
SD4
TESTING
Testing is a fundamental element of good practice in systems development. Well-planned, and correctly performed, it provides assurance that systems, including security controls, function as intended - before they are used for business purposes - and reduces the likelihood of system malfunctions occurring. Accordingly, this area covers the arrangements needed to carry out testing thoroughly, without disrupting other activities.
SD5
IMPLEMENTATION
Sound disciplines are required when new systems are transferred from the development into the live environment. Accordingly, this area covers the promotion of new systems from the development environment, their installation in the live environment, user procedures and training and post-implementation reviews.
SD6
CHANGE MANAGEMENT
Once systems have been promoted to the live environment, it is important for any changes to be well managed. Changes to live systems (ie enhancements, software fixes, data adjustments, hardware / software upgrades) often have unforeseen effects, and may accidentally or deliberately impact service levels or compromise security controls. Sound management can reduce the risk of such incidents occurring. Accordingly, this area covers the disciplines applied throughout the change process.
The Information Security Forum is an independent, not-for-profit association of leading organisations dedicated to clarifying and resolving key issues in information security and developing security solutions that meet the business needs of its Members. Members of the Forum profit from sharing information security solutions drawn from the considerable experience within their organisations and developed through an extensive work programme. Members recognise that information security is a key business issue and the Forum provides a mechanism which can ensure that the practices they adopt are on the leading edge of information security developments, while avoiding the significant expenditure that individual development of solutions would incur.
The Information Security Forum
1 London Bridge
London SE1 9QL
United Kingdom
Telephone: +44 (0)20 7213 1745
Facsimile: +44 (0)20 7213 4813
E-mail: info@securityforum.org
Web: www.securityforum.org
Reference: 2000/11/05
Copyright 2000