Security Principles for Stratos. Part no. 667/UE/31701/004

Similar documents
Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

AUTHORITY FOR ELECTRICITY REGULATION

Information Security Controls Policy

Security Overview. Technical Whitepaper. Secure by design. End to end security. N-tier Application Architecture. Data encryption. User authentication

A company built on security

ASD CERTIFICATION REPORT

Cloud Security Whitepaper

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Cloud Security Standards Supplier Survey. Version 1

SECURITY PRACTICES OVERVIEW

Online Services Security v2.1

April Appendix 3. IA System Security. Sida 1 (8)

Information Security Data Classification Procedure

Digital Health Cyber Security Centre

External Supplier Control Obligations. Cyber Security

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

SDL Privacy Policy Cloud Services

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Cyber Security Program

NEN The Education Network

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

IT Services IT LOGGING POLICY

WORKSHARE SECURITY OVERVIEW

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Security Architecture

SECURITY STRATEGY & POLICIES. Understanding How Swift Digital Protects Your Data

Juniper Vendor Security Requirements

Security and Compliance at Mavenlink

The Common Controls Framework BY ADOBE

zsah Cloud Offering Security FAQ In partnership with Clearswift

Security. ITM Platform

INFORMATION ASSET MANAGEMENT POLICY

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

A practical guide to IT security

Layer Security White Paper

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Canada Life Cyber Security Statement 2018

Information Technology General Control Review

ECSA Assessment Report

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Protecting your data. EY s approach to data privacy and information security

Awareness Technologies Systems Security. PHONE: (888)

Data Security at Smart Assessor

Education Network Security

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Network Security Policy

Daxko s PCI DSS Responsibilities

GLOBAL PAYMENTS AND CASH MANAGEMENT. Security

KantanMT.com. Security & Infra-Structure Overview

Recommendations for Implementing an Information Security Framework for Life Science Organizations

RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS

SECURITY & PRIVACY DOCUMENTATION

Cyber Security Technologies

ADIENT VENDOR SECURITY STANDARD

10 FOCUS AREAS FOR BREACH PREVENTION

Eco Web Hosting Security and Data Processing Agreement

IC32E - Pre-Instructional Survey

PCI DSS and VNC Connect

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Verasys Enterprise Security and IT Guide

Information Security at Veritext Protecting Your Data

Watson Developer Cloud Security Overview

Payment Card Industry (PCI) Data Security Standard

Cyber Criminal Methods & Prevention Techniques. By

Vendor Security Questionnaire

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Google Cloud Platform: Customer Responsibility Matrix. April 2017

CS 356 Operating System Security. Fall 2013

Internet of Things Toolkit for Small and Medium Businesses

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Building a More Secure Cloud Architecture

Security+ SY0-501 Study Guide Table of Contents

A1 Information Security Supplier / Provider Requirements

A Security Admin's Survival Guide to the GDPR.

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Twilio cloud communications SECURITY

PCI DSS and the VNC SDK

WHITE PAPER- Managed Services Security Practices

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Secure Access & SWIFT Customer Security Controls Framework

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Manchester Metropolitan University Information Security Strategy

ITG. Information Security Management System Manual

Data Security and Privacy Principles IBM Cloud Services

AppPulse Point of Presence (POP)

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

CYBER SECURITY POLICY REVISION: 12

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Information Technology Branch Organization of Cyber Security Technical Standard

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

General Data Protection Regulation

This document provides a general overview of information security at Aegon UK for existing and prospective clients.

Standard Req # Requirement D20MX Security Mechanisms D20ME II and Predecessors Security Mechanisms

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Deep Freeze Cloud. Architecture and Security Overview

1. Security of your personal information collected and/or processed through AmFIRST REIT s Web Portal; and

Transcription:

Mobility and Logistics, Traffic Solutions Security Principles for Stratos Part no. THIS DOCUMENT IS ELECTRONICALLY APPROVED AND HELD IN THE SIEMENS DOCUMENT CONTROL TOOL. All PAPER COPIES ARE DEEMED UNCONTROLLED COPIES Prepared By Checked and Released Division/BU Mobility and Logistics, Traffic Solutions Mobility and Logistics, Traffic Solutions Department Engineering Engineering Name Patrick Lismore Martin Gilham Function Date COPYRIGHT STATEMENT Engineering Manager The information contained herein is the property of Siemens plc. and is supplied without liability for errors or omissions. No part may be reproduced or used except as authorised by contract or other written permission. The copyright and the foregoing restriction on reproduction and use extend to all media in which the information may be embodied. Copyright Siemens plc 2016 All Rights Reserved Security classification Unrestricted Page 1 of 7

Mobility and Logistics, Traffic Solutions CONTENTS: 1 Introduction... 3 1.1 Purpose... 3 1.2 Scope... 3 1.3 Document Specific Abbreviations and Definitions... 3 2 Security Principles... 4 2.1 Stratos Functional Overview... 4 2.2 Cloud-based System Security... 6 2.3 Security Requirements... 6 2.4 Confidentiality... 6 2.5 Integrity... 7 2.6 Security Assessments... 7 2.7 Operational Security Plan... 7 TABLES: Table 1 - Issue History... 2 Table 2 - Abbreviations and Definitions... 3 CHANGE HISTORY: Version Date Change Author A March 2016 Initial Release Martin Gilham 1 May 2016 First Release Patrick Lismore Table 1 - Issue History Security classification Unrestricted Page 2 of 7

Mobility and Logistics, Traffic Solutions 1 Introduction 1.1 Purpose The purpose of this document is to provide an overview of security principles associated with Stratos. 1.2 Scope The scope of the document is to include details of Security associated will all Siemens Hosted Traffic management Services. 1.3 Document Specific Abbreviations and Definitions See the TS Engineering Glossary, [see section 1.5 References] Abbreviation AWS CERT DoS FOI I MO TS IaaS SaaS SLA SOA SQL UTC VPC Explanation Amazon Web Services, the Amazon cloud platform Computer Emergency Response Team Denial of Service Freedom Of Information Industry Mobility Traffic Solutions Infrastructure as a Service Software as a Service Service Level Agreement Service Oriented Architecture Structured Query Language Urban Traffic Control Virtual Private Cloud Table 2 - Abbreviations and Definitions Security classification Unrestricted Page 3 of 7

Siemens Mobility, Traffic Solutions 2 Security Principles 2.1 Stratos Functional Overview The Siemens Stratos solution delivers secure, resilient, scalable, accessible and real-time traffic information, management and control of complex urban traffic environments by providing functionality ranging from basic monitoring to strategic control. The Siemens Stratos Solution is a cloud-based solution hosted within a Virtual Private Cloud (VPC) in the Amazon cloud. Siemens Stratos uses both Linux and Windows operating systems within its VPC to fulfil various system functions. These operating systems and network subnets are fully managed by Siemens in accordance with Siemens internal Information Security Polices. Changes to the VPC environment go through a Change Control Board and both the network and operating systems adhere to Siemens mandatory Information Security Framework policies that are based off the ISO27001 standard. The VPC also adheres to the 14 Cloud Security Principles (which can be found in https://aws.amazon.com/compliance / https://aws.amazon.com/security) within Amazon s shared-responsibility model. Where Siemens is responsible for security within the cloud we apply guidance from the Cloud Security Principles. Amazon is responsible for the security of the cloud. At the network level within the VPC, security controls are provided by Amazon as detailed below: Security groups that restrict the ingress and egress network traffic at the VPC perimeter and also within the VPC between hosts and subnets. Each server instance within the VPC has its own Security Group controlling what ports are accessible in addition to firewalls that define its allowed protocols and ports. Everything else is denied by default. This gives Siemens full control over network traffic within the VPC. Siemens also makes use of access control lists (ACLs) provided by Amazon s VPC. This further helps restrict and lockdown network routes within the VPC to authorised devices and users. The diagram below shows Amazons share responsibility model, on the left it highlights the standards and guidance used by Siemens to govern and secure the Stratos solution within Amazon s cloud. Security classification Unrestricted Page 4 of 7

Security classification Unrestricted Page 5 of 7

Siemens Mobility, Traffic Solutions 2.2 Cloud-based System Security The Siemens Stratos solution is hosted within Amazon s AWS Secure Cloud Data Centre in Dublin, Ireland. Physical security at the data centre site includes perimeter fencing with manned security access gates monitored 24 hours a day, seven days a week, 365 days a year. Electric locks and access-card readers also control all areas and biometric fingerprint access and photographic ID is required for employees to enter the Data Centre. All racks are kept locked unless being accessed by authorised parties. CCTV covers all major access and common areas. Aisles are monitored by IP based cameras with motion detection and off-site recording and are controlled by card and PIN. Amazon AWS Data Centres adhere to ISO27001 and also Cloud Security Principles. Siemens Stratos solution is accessed by remote operators using a secure web link to the Stratos tenant. User login and rights management are administered by the Siemens Support department. Anti-virus and Malware software is installed on all servers managed by Siemens as part of mandatory Information Security policy compliance. The Siemens Stratos Cloud-based system runs a combination of fully patched Windows Server 2012 R2 and Linux Servers which are hardened based on mandatory policy requirements set by Siemens Information Security CERT (SiemensCERT) group. Each server managed and controlled by Siemens must follow the mandatory measure plans to ensure servers are patched and hardened against vulnerabilities. Audits are performed independently within Siemens from a central audit division to ensure ongoing compliance 2.3 Security Requirements Confidentiality, integrity and availability are key tenants and areas of focus for Siemens Information Security policies. Each Siemens Information Security policy is created with these three areas of focus in mind. Siemens Information Security policies are built on top of the ISO27001 standard, they state mandatory actions on Siemens employees at all levels with regards to securing information, handling of information and securing IT systems managed and maintained by Siemens. This includes on site IT systems and Cloud based systems. The Siemens Stratos Cloud solution has been assessed, classified and audited by Siemens to follow mandatory corporate policies based on ISO27001 and technical implementations to secure and harden IT systems and protect the data that reside in them and pass through them. 2.4 Confidentiality Siemens follows industry best practices for addressing the secrecy and privacy of information. Siemens uses several methods to prevent the disclosure of information or data to unauthorised individuals and systems. All users connecting to Siemens Stratos use user names and strong passwords to access the service. The roll out of 2 factor authentication is planned for end users in 2016. All Siemens support staff as well as engineers that support Stratos use multi-factor authentication by default. Within Siemens Stratos roles based access control restricts system access to authorised users. Siemens restricts access to live production systems to a limited small team of trusted individuals within the Siemens Traffic support team for help with assisting customers. Security classification Unrestricted Page 6 of 7

Siemens Mobility, Traffic Solutions Each remote user is able to access the Siemens Stratos Cloud-based system using unique login details (Username and Password) - confidentiality is a key requirement not only to ensure security of the system but also to enable traceability of changes within the system. 2.5 Integrity The integrity of information within the Siemens Stratos solution has various measures in place to prevent unauthorised alteration or revision of data. Cloud Security Principles 1 and 2 provide clear guidance on protecting data at rest and in transit. Much of the data transiting through the Siemens Stratos cloud solution is encrypted from server to server although not all network routes are encrypted with the virtual private cloud. Connection to the virtual private cloud is over a secure VPN connection from Siemens. The Stratos code base is held securely under version control and regularly audited with each release. By ensuring Stratos adheres to cloud security principles means the data is protected in transit via encryption of network traffic and secure endpoints. In addition check sums and cryptographic measures are in place throughout the system. 2.6 Security Assessments Siemens Regularly completes a Threat and Risk assessment on all products and solutions at Siemens Traffic UK. This is a mandatory action; the output from that exercise is a risk register of all the potential threats and risks that need mitigation. Having the risk register allows Siemens Traffic to plan and mitigate the highest priority items first and track the completion of all items on the list. During and as part of each software release a security review is undertaken on new components and features to ensure new risk is not introduced to the system. An internal penetration test is also performed as part of each software release; this is embedded within the Siemens software development life cycle. Siemens Traffic gets approval from Amazon AWS prior to performing simulated Cyber Attacks against the VPC solutions. 2.7 Operational Security Plan Siemens works under the guidance of Siemens Operational Security policy, this ISEC policy defines the rules related to the management of IT operation, including change management, capacity management, protection from malware, backup, logging and monitoring of information security events, software installation on operational IT systems, and technical vulnerability management through patching and updating. Siemens, through this policy has a patch management process for the Stratos system, the operations team work closely with SiemensCERT and Siemens ProductCERT to ensure any newly disclosed vulnerability that may affect any components used in Stratos is patched in a timely manner. The operations team ensure anti-virus, anti-malware and IDS is updated and monitored regularly and that any triggered intrusion detection alerts are investigated. The Siemens Stratos VPC is reviewed constantly as part of Siemens internal processes and policy. Siemens also has an Incident Handling Policy and process that clearly defines guidance, roles and responsibilities for handling any incidents in a professional and timely manner. Security classification Unrestricted Page 7 of 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback