A1 Information Security Supplier / Provider Requirements

Transcription

1 A1 Information Security Supplier / Provider Requirements Requirements for suppliers & providers A1 Information Security Management System Classification: public Seite 1

2 Version history Version history Version 1.0 Regarding: Creation Approval Creation Maha Sounble Philipp Röhm 26 September October 2017 Note: This document refers to the A1 Information Security Guidelines V1.0. Classification: public Page 2

3 Inhaltsverzeichnis Inhaltsverzeichnis Version history... 1 Inhaltsverzeichnis... 3 Framework requirements Contractual requirements for service providers Non Disclosure Agreements (NDAs) Contract components for Information Security & Data Privacy Organisational requirements for service providers Certifications Audit right of A Use of sub-contractors Technical requirements for service providers Data storage & data transfer Data transfer & deletion... 6 System & application requirements Organisational system requirements Requirements management Change management Tests before start-up Authorisation management Internal Control System (ICS) Technical system requirements Authentication Hardening Logging Data backup Architecture Software development Administration Data deletion Penetration testing Vulnerability Management Incident Management Anforderungen an Internet of Things (IoT) Services Anforderungen an Cloud Service Provider Additional requirements for system outsourcing Contractual requirements for service providers in case of outsourcing Classification: public Page 3

4 Inhaltsverzeichnis Underpinning Contract (UC) Organisational requirements for service providers in case of outsourcing Security concept Human Resource Management Data Storage & Data Transfer Data storage within A Data storage outside of A Minimum standards for external data storage Ongoing inspection Externally stored customer data and personal data Publication & responsibility for content Classification: public Page 4

5 Framework requirements Framework requirements Projects, services and provided services have to be tested before implementation and - ideally during planning - checked and monitored for the necessary security requirements. For each major technical adaptation or modification, as well as with any substantive contract change, but at least every three years as a rule, the departments concerned must check whether the relevant facts for external data storage have changed and whether an adjustment is necessary. 1.1 Contractual requirements for service providers Non Disclosure Agreements (NDAs) External service providers must be obliged to secrecy before confidential information is exchanged. Non Disclosure Agreements (NDAs) 1 are available for this purpose Contract components for Information Security & Data Privacy In contracts between external service providers and A1, the established security measures must be defined and the appropriate processing of the data agreed. Unilateral changes to the agreement are not permitted. 1.2 Organisational requirements for service providers Certifications Information technology service providers, in particular those who provide infrastructure or services, should be able to demonstrate certification according to the ISO / IEC standard. Cloud service providers must also have ISO/IEC certification. For external data storage, ISAE 3402 conformity of the data centre must be present. The certifications shall be maintained throughout the duration of the partnership. When verifying the service provider, appropriate proof is required. If valid certificates are not presented, other certifications may be included in the course of the inspection, if they are equivalent or higher Audit right of A1 A1 performs service provider audits to check for compliance with the agreed security requirements on-site. The service provider must provide the necessary documents and provide access to relevant 1 You can find templates for NDAs here. Classification: public Page 5

6 Framework requirements facilities and systems. A service provider audit is announced to the service provider at least 4 weeks in advance Use of sub-contractors The service provider shall ensure that all requirements placed on it also apply to all subcontractors who are required to provide the service for A Technical requirements for service providers Data storage & data transfer Internal data storage is preferred. Should external data storage be carried out for technical or economic reasons, the service provider shall provide for a physical separation or client separation of the data from other customers. The requirements in Section 4 - Data Storage & Data Transfer must be met Data transfer & deletion Regular deletion of customer, traffic or other protective data must be carried out according to the requirements of A1; more detailed information can be found in Section Data Deletion. At the end of the contract, the contract partner must be given the option to transfer all existing data to A1. Each supplier shall delete the data if they are no longer required for fulfilling the contractual obligations. Classification: public Page 6

7 System & application requirements System & application requirements Systems and applications deployed at or for A1 must meet minimum requirements to protect them against threats such as data theft, data manipulation, sabotage, denial of service attacks, and many more. These provisions contain relevant requirements for systems and applications that are in use of A1, whether or not they have been outsourced. Systems and applications that are for customers are subject to the same requirements, if applicable. In case of inapplicable provisions, compensatory measures shall be taken that ensure the same or higher level of protection. 2.1 Organisational system requirements Requirements management The structured handling of technical demands (requirements) for a new business requirement or a change to an existing technical solution is to be dealt with via an appropriate ticketing system. Interfaces have to be defined in the Underpinning Contract (UC) Change management All changes and implementations of systems or applications must be carried out according to a documented change process Tests before start-up Prior to start-up, several tests are carried out during the A1 change management process, including a comprehensive security check Authorisation management Authorisations must, in principle, be assigned based on the role. The standard approval process for user administration shall be used for the authorisation. The service provider has to enable, that A1 can assign and revoke permissions flexibly. A centralised listing or insight and automatic evaluation of all authorisations must be ensured Internal Control System (ICS) When a new system is installed, a relevance analysis will be carried out by A1 with the internal ICS Competence Centre. If ICS relevance exists, all controls of the internal control system must be carried out on the system. The minimum requirements are the IT General Controls of A1. Classification: public Page 7

8 System & application requirements 2.2 Technical system requirements Authentication Data and other content contained in systems / applications may only be issued following successful authentication of the users or target systems. A user should be authenticated using a directory service, such as Active Directory (AD). AD is the Central User Database at A1. Kerberos authentication also implements single-sign-on (SSO). If the use of Kerberos / SSO is not possible, users may also be authenticated using alternative systems as long as they meet the A1 internal requirements for passwords as described in the A1 Information Security Guidelines, Section 3 - Passwords. In any case, each created user must also be maintained in the corporate directory (CD). Passwords must be encrypted in the file system or stored in the database and transferred to the network in order to reduce the risk of password theft. For this purpose, only state-of-the-art methods may be used. Password storage and transmission is not permitted in plain text. If access from outside the corporate network occurs, authentication must meet higher protection requirements. A two-factor authentication with the A1 account and associated password, as well as another factor, such as a certificate, an SMS token or an RSA token, is required Hardening Unneeded ports, interfaces and services must be disabled. A description of the required ports has to be documented. Systems are transferred to the A1 company free from known security defects. Default passwords must be changed before the transfer to A1 operation. It must be possible to use the standard virus protection used by A1 for all systems at A1. Since this regulation also applies to purchased systems, suppliers can obtain the necessary information prior to implementation. Hardening measures and patch level are regularly checked by the vulnerability scans of A Logging The A1 internal requirements for the logging as described in A1 Information Security Guidelines Section 7 - Logging must be observed. Ideally, systems whose operation has been outsourced are also integrated into the centralised attack detection. Forensic analyses should be possible without the intervention of a supplier Data backup The A1 internal requirements for data backup as described in A1 Information Security Guidelines Section 8 - Data Backup must be observed. In the case of outsourced systems, the supplier is obliged to guarantee corresponding data backups and recovery options. Classification: public Page 8

9 System & application requirements Architecture Applications must be set up in several tiers, which must be safely separated from each other; no tier must be skipped during access. Access from one tier to the next can only be done via defined protocols (ports). There must be a separation into test, integration and productive systems. Developers have no access to productive systems without the express written permission of A1. If the use of Simple Network Management Protocol (SNMP) is required, SNMPv3 should preferably be used. Older versions of SNMP should not be used Software development When developing software, it is recommended to follow the relevant standards (e.g. ÖNORM A7700 in the current version) or the OWASP Guide 2. In any case, the OWASP Top 10 Application Security Risks must be considered Administration A direct link to a system for administration purposes is only permitted within the A1 network. If administration occurs outside (the A1 network), there may only be a link via specified ports in the firewall to an access point in the Demilitarised Zone (DMZ), from where one can then link further to the particular target system. (Remote access by service partners terminate in a separate zone.) Such a connection must be encrypted and prior authentication is required. Service partners are not entitled to transfer maintenance work and thus access to the A1 network to third parties without the express consent of the customer Data deletion Customer, traffic or other protectable data shall be deleted promptly and regularly in accordance with legal and A1 internal requirements. In the design phase, specific deletion requirements for the respective system will be specified by A1. In any event, each supplier must delete the data if they are no longer required for the fulfilment of contractual obligations Penetration testing In the test phase, at least prior to acceptance, a tool is used to test systems for security deficiencies. If deficiencies are found, they must be rectified immediately. Suppliers may not charge additional costs for the rectification. 2 Click here to go to the OWASP Guide. Classification: public Page 9

10 System & application requirements Vulnerability Management Products and systems or applications must be supplied and implemented in a hardened and currently patched state. Before being started up, their condition is ensured by means of vulnerability scans. The supplier must provide the necessary updates free of charge for any security vulnerabilities discovered after start-up. In principle, manufacturers and suppliers must provide security patches at least one week after public announcement on security platforms (e.g. CERT, SecurityTracker, Heise, etc.) or during a period defined in the Underpinning Contract (UC). If vulnerabilities are identified by A1, they must be made available within two weeks. There must be an automated way of checking downloaded patches or software updates for their integrity. Services that are classified as critical (service class 4) are additionally subjected to a source code analysis Incident Management Security incidents at the contractor must be reported immediately to A1 as part of contract fulfilment. 2.3 Anforderungen an Internet of Things (IoT) Services The IoT sensors (e.g. cameras, smart meters, sockets, etc.) must not be accessible directly from the Internet. For the IoT sensors, security updates are automated and must be carried out without manual intervention over the entire lifetime of the product. No hard-coded passwords are allowed in the IoT sensors. Default passwords of the IoT sensors must be changed at start-up. Where technically feasible and practicable, 2-factor authentication must be provided for customer interfaces. The principles of Security by Default and Security by Design apply throughout the entire product life cycle of the overall solution. 2.4 Anforderungen an Cloud Service Provider Cloud Service providers require cloud computing that complies with the EU General Data Protection Regulation (GDPR). In addition, the following certifications are required to be maintained for the entire duration of the partnership or the use of the service: ISO/IEC (information security) and ISO/IEC (PII data in the cloud) of the service provider Classification: public Page 10

11 System & application requirements ISAE 3402-conformance of the computing centre for external data storage (see Section 13 - Data Storage and Data Transfer ) The service provider shall provide appropriate evidence to document the certifications. In the case of non-presentation of valid certificates for ISO/IEC 27001, ISO / IEC and ISAE 3402, other certifications can be applied if they are equivalent or higher. For example, a 5 star StarAudit certificate from EuroCloud 3 is also provided, which also guarantees compliance with general requirements for cloud providers. Cloud Services are tested. The will be approved for use if they comply with the minimum requirements and corresponding contractual arrangements for ensuring the security of the information and data. Unverified cloud services must not be used. 3 You can find more information about the 5 star StarAudit certificate from EuroCloud here. Classification: public Page 11

12 Additional requirements for system outsourcing Additional requirements for system outsourcing 3.1 Contractual requirements for service providers in case of outsourcing Underpinning Contract (UC) Underpinning Contracts (UCs) must be contractually agreed. A competence matrix of the respective services must be agreed upon by contract. 3.2 Organisational requirements for service providers in case of outsourcing Security concept When a system or system part is outsourced to a vendor, the service provider must present a security concept for the security of the data, which is assessed by A1 in the context of the bid negotiations Human Resource Management The service provider must carry out a security check on its employees when they are employed for purposes of the contract with A1. The minimum requirements are an identity check and obtaining a current police clearance certificate. The service provider must complete valid confidentiality agreements with them and train or instruct them in the correct and responsible handling of the information and data of A1. Responsibilities with regard to information security and data protection must be defined. For this purpose, the service provider must publish appropriate guidelines or service instructions on information security and data protection, and must have made them available to its internal and external employees. They must be adequately trained and educated in order to perform the activities for partnership with A1 accordingly. Bottlenecks in human resources are to be avoided, for example, through personnel redundancies and substitution agreements, so that the provision of the service to A1 does no suffer on this account. Classification: public Page 12

13 Data Storage & Data Transfer Data Storage & Data Transfer 4.1 Data storage within A1 In principle, local data storage at A1 is preferred in domestic computing centres, if economically justifiable. 4.2 Data storage outside of A1 Each storage of data outside of A1 means that the data are no longer within the sphere of influence of A1 and are therefore not directly controlled by A1. This assumes that increased safety requirements must be observed. If minimum standards are not met, data storage outside of A1 is not permitted. In addition, a risk assessment (legal, data protection, technical and economic) must be carried out within A1 in each case. If data are affected that A1 processes on behalf of our customers as a service provider outside our computing centres, the affected customers must in any case be informed accordingly for reasons of transparency Minimum standards for external data storage Any storage of data arising from the business operations of A1 outside of A1 is subject to a proven economic, legal, data protection and technical assessment as well as risk assessment. The risk assessment is carried out in accordance with the departments involved with the subject and must be documented in accordance with the established processes in those departments. Only then can the data be provided to a service provider. This also affects data storage at Group companies (TAG, AMEX), which must be viewed like any other service provider. If minimum requirements are not met, external data storage is prohibited. Data storage outside of A1 (e.g. for Cloud Services) is permitted, if data protection regulations are not violated and its use has been explicitly approved. Confidential information may only be transmitted and stored externally in encrypted form. In principle, company-critical and secret information may not be hosted externally. Only in special cases can they be stored in encrypted form outside of the A1, with the key being located exclusively at A1. Particular care should be taken when dealing with customer data, since data protection and contractual obligations must also be taken into account. Classification: public Page 13

14 Data Storage & Data Transfer The following matrix shows which data may be stored externally, provided that the minimum standards are complied with: EXTERNAL DATA STORAGE ACCORDING TO A1 INFORMATION CLASSES INFORMATION CLASS public internal A1 external (AUT, EU & safe third countries or third countries subject to authorisation) confidential (with encryption) A/B/C company-critical (only in exceptional cases) A/B/C of which: sensitive data A/B/C of which: Content data (contents of transmitted messages) secret (only in exceptional cases) The provider of the data centre where the external storage is carried out must confirm conformity with ISAE 3402 or have an equivalent or higher quality certification Ongoing inspection For each major technical adaptation or modification, as well as with any substantive contract change, but at least every three years as a rule, the departments concerned must check whether the relevant facts for external data storage have changed and whether an adjustment is necessary. Unless they already exist, appropriate processes are to be implemented by the relevant specialist areas Externally stored customer data and personal data If data is processed or stored by A1 (e.g. for hosting or housing) on behalf of the customer, and if the processing or storage is to be done outside of the data centres of A1 (e.g. for service providers in the case of Cloud Service providers), the verifiable consent of the customer must be obtained. The consent may be given in the form of an individual contract arrangement, a clause in the service description, or electronically (e.g. in the online shop). In this way, the transparency of the data storage (even outside of A1) is ensured for the customer, so that they can meet their data protection and legal reporting and approval requirements. If customer data within the meaning of the Telecommunications Act (TKG) or personal data generated by the business of A1 are to be stored and/or processed outside of A1, the country in which the data is to be stored must be determined in advance. Classification: public Page 14

15 Data Storage & Data Transfer If the data are subsequently stored in the European Economic Area or in secure third countries, the data transfer is permitted without authorisation by the data protection authority (additional security requirements may apply if relevant). In all other cases, if the data are not only indirectly personally identifiable to the recipient, the approval of the data protection authority must be obtained. The procedure before the data protection authority is carried out by the National Data Privacy department. Access to data from abroad (outside the European Economic Area or a secure third country) is equivalent to the storage of data abroad. Safe third countries include: Switzerland Argentina Guernsey Isle of Man Jersey Faroe Islands Andorra Uruguay New Zealand Canada Israel Classification: public Page 15

16 Publication & responsibility for content Publication & responsibility for content The A1 Information Security Guidelines can be viewed after approval and release in the intranet 4 of A1. The content was created by: security@a1telekom.at 4 The existing security guidelines can be found under A1 Inside/Knowledge/Secure Data. Classification: public Page 16