Cyber Security Guidelines for Defining NIAP Scope Statements

Similar documents
Cyber Security Guidelines for Securing Home and Small Office Routers

Cyber Security Guidelines for Public Wi-Fi Networks

USA HEAD OFFICE 1818 N Street, NW Suite 200 Washington, DC 20036

NATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

ITG. Information Security Management System Manual

ITG. Information Security Management System Manual

E-Signature Law of Iraq no. ( 78) of 2012

Achilles System Certification (ASC) from GE Digital

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Cyber Security Guidelines Distributed Denial of Service (DDoS) Attacks

OF ELECTRICAL AND ELECTRONICS ENGINEERS POWER & ENERGY SOCIETY

REPORT 2015/010 INTERNAL AUDIT DIVISION

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

CYBERSECURITY INITIATIVES IN VANUATU

Cybersecurity & Privacy Enhancements

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce

REPORT 2015/149 INTERNAL AUDIT DIVISION

TEL2813/IS2820 Security Management

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

World Telecommunication Development Conference (WTDC- 14) Dubai, 30 March 10 April 2014

Regulating Cyber: the UK s plans for the NIS Directive

International Conference on Automation, Mechanical Control and Computational Engineering (AMCCE 2015)

ISO/IEC INTERNATIONAL STANDARD. Information technology Software asset management Part 1: Processes and tiered assessment of conformance

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Government of Ontario IT Standard (GO ITS) GO-ITS Number 56.3 Information Modeling Standard

Threat and Vulnerability Assessment Tool

Information Security Controls Policy

Information Security Controls Policy

Information Security Strategy

BCS Foundation Certificate in Software Asset Management Essentials Syllabus

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

EU General Data Protection Regulation (GDPR) Achieving compliance

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

Liberia ICT Policy

Exam Questions IIA-CGAP

Technical Security Standard

Security Management Models And Practices Feb 5, 2008

Serviceable Luminaires in a Circular Economy - White Paper -

John Snare Chair Standards Australia Committee IT/12/4

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

European Union Agency for Network and Information Security

ISO 27001:2013 certification

Streamlined FISMA Compliance For Hosted Information Systems

Resolution: Advancing the National Preparedness for Cyber Security

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Security Awareness Compliance Requirements. Updated: 11 October, 2017

Government of Ontario IT Standard (GO-ITS) Number 30.2 OPS Middleware Software for Java Platform

Manchester Metropolitan University Information Security Strategy

REGULATION OF THE MINISTER OF COMMUNICATION AND INFORMATION TECHNOLOGY. NUMBER: 12/Per/M.KOMINFO/02/2006 ON THE TERMS OF

IIA EXAM - IIA-CGAP. Certified Government Auditing Professional. Buy Full Product.

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

<Document Title> INFORMATION SECURITY POLICY

Newsletters We may send out newsletters to our customers providing them with articles and information which we believe may be of interest to you.

Government of Ontario IT Standard (GO ITS)

Information technology Security techniques Information security controls for the energy utility industry

Company presentation Transition and Transformation

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

NEW INNOVATIONS NEED FOR NEW LAW ENFORCEMENT CAPABILITIES

Directive on Security of Network and Information Systems

Framework for Improving Critical Infrastructure Cybersecurity

INFORMATIZATION AND COMMUNICATION DEVELOPMENT TRENDS IN ARMENIA

Compliance with NIST

Level Access Information Security Policy

Information Security Management Systems Standards ISO/IEC Global Opportunity for the Business Community

National Open Source Strategy

Cloud First Policy General Directorate of Governance and Operations Version April 2017

Cybersecurity Risk Management:

Sustainable Management of Waste Electrical and Electronic Equipment (WEEE) in Latin America

Legal framework of ensuring of cyber security in the Republic of Azerbaijan

Protecting your data. EY s approach to data privacy and information security

Committee on the Internal Market and Consumer Protection

Sri Lanka THE JOURNEY OF TOWARDS A CREATIVE KNOWLEDGE BASED ECONOMY

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Section One of the Order: The Cybersecurity of Federal Networks.

GDPR: A QUICK OVERVIEW

POSITION DESCRIPTION

Final Project Report. Abstract. Document information

Overview. Business value

WORLD TRADE ORGANIZATION

Dated 3 rd of November 2017 MEMORANDUM OF UNDERSTANDING SIERRA LEONE NATIONAL ehealth COORDINATION HUB

Asda. Privacy and Electronic Communications Regulations audit report

DoD Internet Protocol Version 6 (IPv6) Contractual Language

Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001

MITA s approach to Open Standards. Presented by: Noel Cuschieri 24 th November 2015

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

ENISA s Position on the NIS Directive

Creating NIS Compliant Country in a Non-Regulated Environment. Jurica Čular

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

Cyber Security Strategy

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

IT Governance Framework at KIT

POSITION DESCRIPTION

Global Alliance Against Child Sexual Abuse Online 2014 Reporting Form

Abu Dhabi e Government Strategy and ICT Standardization. Abu Dhabi, November 2014

Transcription:

Cyber Security Guidelines for Defining NIAP Scope Statements Version 1.1 Author: Cyber Security Policy and Standards Document Published Date: June 2018

Document History: Version Description Date 1.0 Published V1.0 document August 2017 1.1 MOTC Logo & Branding Changed June 2018 Version 1.1 Page 2 of 8

Table of Contents Guidelines for Defining NIAP Scope Statements... 1 Legal Mandate(s)... 4 Introduction... 5 Audience... 5 Guidelines:... 5 Scope Examples... 7 Generic Scope Statement:... 7 Scope Definition Related to Agency s Org Structure... 7 Scope Definition related to Agency s Services... 7 Scope Definition Related to Agency s Locations... 8 Version 1.1 Page 3 of 8

Legal Mandate(s) Emiri decision No. (8) for the year 2016 sets the mandate for the Ministry of Transport and Communication (hereinafter referred to as MOTC ) provides that MOTC has the authority to supervise, regulate and develop the sectors of Information and Communications Technology (hereinafter ICT ) in the State of Qatar in a manner consistent with the requirements of national development goals, with the objectives to create an environment suitable for fair competition, support the development and stimulate investment in these sectors; to secure and raise efficiency of information and technological infrastructure; to implement and supervise e-government programs; and to promote community awareness of the importance of ICT to improve individual s life and community and build knowledgebased society and digital economy. Article (22) of Emiri Decision No. 8 of 2016 stipulated the role of the Ministry in protecting the security of the National Critical Information Infrastructure by proposing and issuing policies and standards and ensuring compliance. This guideline has been prepared taking into consideration current applicable laws of the State of Qatar. In the event that a conflict arises between this document and the laws of Qatar, the latter, shall take precedence. Any such term shall, to that extent be omitted from this Document, and the rest of the document shall stand without affecting the remaining provisions. Amendments in that case shall then be required to ensure compliance with the relevant applicable laws of the State of Qatar. Version 1.1 Page 4 of 8

Introduction The Ministry of Transport & Communication (MoTC) has issued the National Information Assurance Policy (NIAP) V2.0. The policy is mandatory for compliance by the government sector and strongly recommended for the critical sector organizations. In line with the objectives of the Cybersecurity department of MoTC, to drive the adoption of NIAP, this document is a step in this direction to help agencies choose the right scope statement in pursuit of NIAP compliance. The main purpose of setting the ISMS (information security management system) scope is to define which information you intend to protect Audience Any agency that has initiated a plan to comply with NIA Policy V2.0 Guidelines: The journey towards establishing an Information Security Management System is in some ways challenging for established organizations as it entails reengineering existing processes or introducing new processes to comply with the security requirements, ditto for organizations that are huge in terms of the line of business it does, sheer size and locations. It is extremely important that in such cases Agencies carefully develop a roadmap for compliance. The compliance journey should be broken down into small scopes that are practical, manageable and aligned as per the criticality needs of the business. Alignment to NIAP Compliance Roadmap Agencies should ensure that the scope chosen by them, aligns to the NIAP Compliance roadmap agreed by the agency with MoTC. The scope statement should reflect in entirety the desired scope of work and the milestone as defined in the NIAP Compliance roadmap. Smaller scope does not mean an easier job. The agency has to ensure that within the selected scope, all the relevant controls are applied. The agency will have to regulate information that flows out to or in from areas that are outside the scope. This in itself may become tricky and as such is not recommended for smaller organizations. Version 1.1 Page 5 of 8

Exclusion of controls has nothing to do with the ISMS scope. Scope limitation, does not in any way mean controls limitation. The agency cannot for e.g. say we will apply all controls, except Network and Access Management. The agency should document all exclusions in the Statement of Exception with valid justifications, vetted by the senior management of the agency. E.g. The agency could state that a certain Legacy system cannot be hardened, because no support exists or that certain controls have not been implemented as they are due for upgrade / replacement etc. The agency can exclude the controls only if there are no risks nor requirements, which would require the implementation of those controls Mapping the Scope One of the effective ways to identify what is in the scope is the OBASHI methodology. A methodology for mapping and developing how IT systems relate to organizational operations (OBASHI stands for Ownership, Business Processes, Applications, Systems, Hardware, and Infrastructure). The OBASHI methodology provides a framework and method for capturing, illustrating and modeling the relationships, dependencies and data flows between business and Information technology (IT) assets and resources in a business context. It is a formal and structured way of communicating the logical and physical relationships and dependencies between IT assets and resources (Ownership, Business Processes, Applications, Systems, Hardware, and Infrastructure) to define the business services of a modern enterprise. This is not the only method, and may not necessarily the best method for your specific ISMS. Some other options include using graphical representation. This might be suited for small agencies. The agency can draw draw the processes that are included in ISMS scope within a circle, and then outside of this circle draw the processes that are provided from outside of your scope. By processes, we mean the main business processes within your scope The next step after determining the boundaries are to identify the interfaces that is the input and output of these processes and how they relate to each other in order to protect them better. For smaller organization, it is usually easy and safe to include the whole organization. This includes all its people, processes, systems and physical locations. This is usually suited for organizations with single office, small head count and very limited service offerings. Version 1.1 Page 6 of 8

Scope Examples The following statement and examples are to provide guidance to agencies in choosing and framing their scope statement in pursuit of NIAP compliance. The following examples are by no means the only syntax / format and agencies can choose to re-write / re-draft their scope statements. Generic Scope Statement: The scope of the <Agency> s ISMS applies to the provision of <agency function / services> in accordance with the <Agency s> NIAP Compliance Plan version dated and Statement of Exception, version Dated. The ISMS is compliant to the National Information Assurance Policy [NIAP] V2.0, issued by the Ministry of Transport and Communication. It covers the Assurance of <Agency s> information assets and business activities. The scope includes staff, assets and third parties that support the agency function. Scope Definition Related to Agency s Org Structure The scope of the <Agency> s ISMS applies to the provision of information assets and business activities of <XYZ> Sector / Directorate in accordance with the <Agency s> NIAP Compliance Plan version dated and Statement of Exception, version Dated. The ISMS is compliant to the National Information Assurance Policy [NIAP] V2.0, issued by the Ministry of Transport and Communication. It covers the Assurance of <Agency s> information assets and business activities. The scope includes staff, assets and third parties that support the agency function. Scope Definition related to Agency s Services Example 1 The scope of the <Agency> s ISMS applies to the provision of <Agency s e-services> in accordance with the <Agency s> NIAP Compliance Plan version dated and Statement of Exception, version Dated. The ISMS is compliant to the National Information Assurance Policy [NIAP] V2.0, issued by the Ministry of Transport and Communication. It covers the Assurance of <Agency s> information assets and business activities. Version 1.1 Page 7 of 8

The scope includes staff, assets and third parties that support the agency function. Example 2 The development, operation, administration and maintenance of the e-services (listed below) provided by the Agency, in accordance with the <Agency s> NIAP Compliance Plan version dated and Statement of Exception, version Dated. List of e-services in Scope 1. ABC 2. XYZ 3. Etc. Example 3 The Information Security Management System (ISMS) applies to the provision of the listed services to internal and external customers of <Agency> in accordance with the <Agency s> NIAP Compliance Plan version dated and Statement of Exception, version Dated. Scope Definition Related to Agency s Locations As stated in the <Agency s> NIAP Compliance Plan version dated and Statement of Exception, version Dated. the Information Security Management System (ISMS) encompasses <Agency> s Information Technology Division Office, Data Centre, and WAN infrastructure, covering business activities relating to the provision of operation, maintenance and management of corporate IT services. Version 1.1 Page 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback