TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS


Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft

Target2-Securities - User s

TABLE OF CONTENTS

1 Introduction
2 Policy
3 Organisation of information security
    3.1 Internal Organisation
    3.2 External Parties
4 Asset management
    4.1 Responsibility for assets
    4.2 Information classification
5 Human resource security
    5.1 Prior to employment
    5.2 During employment
    5.3 Termination or change of employment
6 Physical and environmental security
    6.1 Secure areas
    6.2 Equipment security
7 Communications and operations management
    7.1 Operational procedures and responsibilities
    7.2 Third party service delivery management
    7.3 System planning and acceptance
    7.4 Protection against malicious and mobile code
    7.5 Back-up
    7.6 Network security management
    7.7 Media handling
    7.8 Exchange of information and software
    7.9 Monitoring
8 Access control
    8.1 Business requirements for access control
    8.2 User access management
    8.3 User responsibilities
    8.4 Network access control
    8.5 Operating system access control
    8.6 Application and information access control
    8.7 Mobile computing and communications
9 Information systems acquisition, development and maintenance
    9.1 Security requirements of information systems
    9.2 Correct processing in applications
    9.3 Cryptographic controls
    9.4 Security of system files
    9.5 Security in development and support process
    9.6 Technical Vulnerability Management
10 Information security incident management
    10.1 Reporting information security events and weaknesses
    10.2 Management of information security incidents and improvements
11 Information security aspects of business continuity management
12 Compliance
    12.1 Compliance with legal requirements
    12.2 Compliance with security policies and technical compliance
    12.3 Information systems audit considerations

22 s

22.1 Introduction

T2S is a systemically critical system that will be operated and used by different organisations independent from each other. Considering the risks to such a system, information security is a crucial part of the T2S definition. Therefore, to ensure an appropriate level of security, T2S will be fully compliant with the state-of-the-art standard ISO 17799, recently renumbered as ISO/IEC 27002:2005.

The following sections present a list of high-level security requirements as extracted from ISO 17799 and slightly amended where necessary. This will form the basis for the development of the General Functional Specification in the next project phase. In accordance with the ISO standard, an Information Security Policy shall be defined and endorsed to create the reference for a comprehensive risk management framework for the T2S information system, and subsequently T2S security requirements and controls will be specified.

22.2 Policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

22.2.1.1 Information security policy document
IS.1 An Information security policy document shall be approved by the system owner and the governance body of T2S, published and communicated to all relevant parties as appropriate.

22.2.1.2 Review of the information security policy
IS.2 The T2S information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

22.3 Organisation of information security

Objective: To manage information security for T2S.

22.3.1 Internal Organisation

22.3.1.1 Management commitment to information security
IS.3 The system owner shall actively and visibly support information security for T2S through clear direction, demonstrated commitment, explicit assignment and acknowledgement of information security responsibilities.

22.3.1.2 Information security co-ordination
IS.4 Information security activities shall be co-ordinated by the system owner, T2S governance body and other relevant parties with relevant roles and job functions.

22.3.1.3 Allocation of information security responsibilities
IS.5 All information security responsibilities shall be clearly defined.

22.3.1.4 Authorisation process for information processing facilities
IS.6 A management authorisation process for T2S shall be defined and implemented.

22.3.1.5 Contact with authorities
IS.7 Appropriate contacts with relevant authorities shall be maintained.

22.3.1.6 Contact with special interest groups
IS.8 Appropriate contacts with special interest groups shall be maintained.

22.3.1.7 Confidentiality agreements
IS.9 Confidentiality or non-disclosure agreements shall be in place and regularly reviewed.

22.3.1.8 Independent review of information security
IS.10 The T2S approach and implementation to managing information (system) security shall be reviewed independently at planned intervals or when significant changes to the security implementation occur.

22.3.2 External Parties

Objective: To maintain the security of T2S information processing facilities and information assets to be accessed, processed, communicated or managed by external parties.

22.3.2.1 Identification of risks related to external parties
IS.11 The risks to T2S information and information processing facilities from business processes involving external parties shall be identified and appropriate security controls implemented before granting access.

22.3.2.2 Addressing security when dealing with customers
IS.12 All identified security requirements shall be addressed before giving customers access to T2S information or assets.

22.3.2.3 Addressing security in third party arrangements
IS.13 Agreements with third parties involving accessing, processing, communicating or managing T2S information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.

22.4 Asset management

22.4.1 Responsibility for assets

Objective: To achieve and maintain appropriate protection of T2S assets.

22.4.1.1 Inventory of assets
IS.14 All T2S assets shall be clearly identified and an inventory of all important assets shall be drawn up and maintained.

22.4.1.2 Ownership of assets
IS.15 All information and assets associated with information processing facilities shall be owned by a designated part of the T2S organisation.

22.4.1.3 Acceptable use of assets
IS.16 Rules for the acceptable use of information and assets associated with T2S information systems and assets shall be identified, documented and implemented.

22.4.2 Information classification

Objective: To ensure that information receives an appropriate level of protection.

22.4.2.1 Classification guidelines
IS.17 Information shall be classified in terms of value, sensitivity and criticality to T2S.

22.4.2.2 Information labelling and handling
IS.18 An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by T2S.

22.5 Human resource security

22.5.1 Prior to employment

Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risks of human error, theft, fraud or misuse of facilities.

22.5.1.1 Roles and responsibilities
IS.19 Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the T2S information security policy.

22.5.1.2 Screening
IS.20 Background verification checks on all candidates for employment, contractors and third party users shall be carried out in accordance with relevant laws and regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

22.5.1.3 Terms and conditions of employment
IS.21 As part of their contracted obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their employee's and the T2S organisation's responsibilities for information security.

22.5.2 During employment

Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support security policy in the course of their normal work, and to reduce the risk of human error.

22.5.2.1 Management responsibilities
IS.22 Management shall encourage employees, contractors and third party users to apply security in accordance with established policies and procedures of the T2S organisation.

22.5.2.2 Information awareness, education and training
IS.23 All employees of the T2S organisation and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in T2S policies and procedures, as relevant for their job function.

22.5.2.3 Disciplinary process
IS.24 There shall be a formal disciplinary process for employees, contractors and third party users who have committed a security breach.

22.5.3 Termination or change of employment

Objective: To ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner.

22.5.3.1 Termination responsibilities
IS.25 Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.

22.5.3.2 Return of assets
IS.26 All employees, contractors and third party users shall return all T2S assets in their possession upon termination of their employment, contract or agreement.

22.5.3.3 Removal of access rights
IS.27 The access rights of all employees, contractors and third party users to T2S information and information systems shall be removed upon termination of their employment, contract or agreement or adjusted upon change.

22.6 Physical and environmental security

22.6.1 Secure areas

Objective: To prevent unauthorised physical access, damage and interference to T2S information systems.

22.6.1.1 Physical security perimeter
IS.28 Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain T2S information and information processing facilities.

22.6.1.2 Physical entry controls
IS.29 Secure areas shall be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.

22.6.1.3 Securing offices, rooms and facilities
IS.30 Physical security for offices, rooms and facilities shall be designed and applied.

22.6.1.4 Protecting against external and environmental threats
IS.31 Physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster shall be designed and applied.

22.6.1.5 Working in secure areas
IS.32 Physical protection and guidelines for working in secure areas shall be designed and applied.

22.6.1.6 Public access, delivery and loading areas
IS.33 Access points such as delivery and loading areas and other points where unauthorised persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access.

22.6.2 Equipment security

Objective: To prevent loss, damage, theft or compromise of assets and interruption to T2S activities.

22.6.2.1 Equipment siting and protection
IS.34 T2S equipment shall be sited or protected to reduce the risks from environmental threats and hazards and opportunities for unauthorised access.

22.6.2.2 Supporting utilities
IS.35 T2S equipment shall be protected from power failures and other disruptions caused by supporting utilities.

22.6.2.3 Cabling security
IS.36 Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.

22.6.2.4 Equipment maintenance
IS.37 T2S equipment shall be correctly maintained to ensure its continued availability and integrity.

22.6.2.5 Security of equipment off-premises
IS.38 Security shall be applied to off-site equipment taking into account the different risks of working outside the T2S premises.

22.6.2.6 Secure disposal or re-use of equipment
IS.39 All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

22.6.2.7 Removal of property
IS.40 Equipment, information or software shall not be taken off-site without prior authorisation.

22.7 Communications and operations management

22.7.1 Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of T2S information processing facilities.

22.7.1.1 Documented operating procedures
IS.41 Operating procedures shall be documented, maintained and made available to all users who need them.

22.7.1.2 Change management
IS.42 Changes to T2S information processing facilities and systems shall be controlled.

22.7.1.3 Segregation of duties
IS.43 Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the T2S assets.

22.7.1.4 Separation of development, test and operational facilities
IS.44 Development, test and operational environments shall be separated to reduce the risks of unauthorised access or changes to the operational system.

22.7.2 Third party service delivery management

Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

22.7.2.1 Monitoring and review of third party services
IS.45 The services, reports and records provided by the third party shall be regularly monitored and reviewed, and regular audits shall be carried out.

22.7.2.2 Managing changes to TP services
IS.46 Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.

22.7.3 System planning and acceptance

Objective: To minimise the risk of systems failures.

22.7.3.1 Service delivery
IS.47 It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

22.7.3.2 Capacity management
IS.48 The use of resources shall be monitored and tuned and projections made of future capacity requirements to ensure the required system performance.

22.7.3.3 System acceptance
IS.49 Acceptance criteria for new information systems, upgrades and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance.

22.7.4 Protection against malicious and mobile code

Objective: To protect the integrity of software and information by prevention and detection of the introduction of malicious code.

22.7.4.1 Controls against malicious code
IS.50 Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented on the system components.

IS.51 This requirement has not been approved by yet and must be considered as a draft.
All the necessary updates protection software shall be implemented on the system components to ensure a continuously revised protection.

22.7.4.2 Controls against mobile code
IS.52 Where the use of mobile code is authorised, the configuration shall ensure that the authorised mobile code operates according to a clearly defined security policy, and unauthorised mobile code shall be prevented from executing.

22.7.5 Back-up

Objective: To maintain the integrity and availability of T2S information and information processing facilities and communication services.

22.7.5.1 Information Back-up
IS.53 Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.

22.7.6 Network security management

Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

22.7.6.1 Security of network services
IS.54 Security features, service levels and management requirements of all T2S network services shall be identified and included in any network services agreement, whether these services are provided in house or outsourced.

22.7.6.2 Network controls
IS.55 T2S networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

22.7.7 Media handling

Objective: To prevent unauthorised disclosure, modification, removal or destruction of assets and interruptions to business activities.

22.7.7.1 Management of removable media
IS.56 There shall be procedures in place for the management of removable media.

22.7.7.2 Disposal of media
IS.57 Media shall be disposed of securely and safely when no longer required, using formal procedures.

22.7.7.3 Information handling procedures
IS.58 Procedures for the handling and storage of information shall be established to protect it from unauthorised disclosure or misuse.

22.7.7.4 Security of system documentation
IS.59 System documentation shall be protected against unauthorised access.

22.7.8 Exchange of information and software

Objective: To maintain the security of information exchanged within the T2S organisation and with any external entity.

22.7.8.1 Information exchange policies and procedures
IS.60 Formal exchange policies and procedures shall be in place to protect the exchange of information through the use of any types of communication facilities.

22.7.8.2 Exchange agreements
IS.61 Agreements shall be established for the exchange of information and software between the T2S organisation and Third Parties.

22.7.8.3 Physical media in transit
IS.62 Media containing T2S information shall be protected against unauthorized access, misuse or corruption during transportation beyond the T2S physical boundaries.

22.7.8.4 Electronic messaging
IS.63 Information involved in electronic messaging shall be appropriately protected.

22.7.8.5 Business information systems
IS.64 Policies and procedures shall be developed and implemented to protect T2S information associated with the interconnection of business information systems.

22.7.9 Monitoring

Objective: To detect unauthorised information processing activities.

22.7.9.1 Audit logging
IS.65 This requirement has not been approved by yet and must be considered as a draft.
Audit logs recording user activities, exceptions and information security events shall be produced and kept for an agreed period to assist in future investigations and system and access control monitoring under the control of the T2S Governance body.

22.7.9.2 Monitoring system use
IS.66 Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.

22.7.9.3 Protection of log information
IS.67 Logging facilities and log information shall be protected against tampering and unauthorised access.

22.7.9.4 Administrator and operator logs
IS.68 System administrator and system operator activities shall be logged.

22.7.9.5 Fault logging
IS.69 Faults shall be logged, analysed, and appropriate action taken.

22.7.9.6 Clock synchronisation
IS.70 The clocks of the relevant information processing systems within an organisation or security domain shall be synchronised with an agreed accurate time.

22.8 Access control

22.8.1 Business requirements for access control

Objective: To control access to T2S information.

22.8.1.1 Access control policy
IS.71 An access control policy shall be established, documented and reviewed based on business and security requirements for access.

22.8.2 User access management

Objective: To ensure authorised user access and prevent unauthorised access to T2S information systems.

22.8.2.1 User registration
IS.72 A formal user registration and de-registration procedure shall be in place for granting and revoking access to all information systems and services.

22.8.2.2 Privilege management
IS.73 The allocation and use of privileges shall be restricted and controlled.

22.8.2.3 User password management
IS.74 The allocation of passwords shall be controlled through a formal management process.

22.8.2.4 Review of user access rights
IS.75 Management shall review users' access rights at regular intervals using a formal process.

22.8.3 User responsibilities

Objective: To prevent unauthorised user access, and compromise or theft of information and information processing facilities.

22.8.3.1 Password use
IS.76 Users shall follow the T2S password policy and good security practices in the selection and use of passwords.

22.8.3.2 Unattended user equipment
IS.77 Users shall ensure that unattended equipment has appropriate protection.

22.8.3.3 Clear desk and clear screen policy
IS.78 T2S shall have a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities.

22.8.4 Network access control

Objective: To prevent unauthorised access to T2S networked services.

22.8.4.1 Policy on use of network services
IS.79 T2S information system(s) shall provide only those services that users have been specifically authorised to use.

22.8.4.2 User authentication for external connections
IS.80 Appropriate authentication methods shall be used to control access by remote users.

22.8.4.3 Equipment identification in the network
IS.81 Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment.

22.8.4.4 Remote diagnostic and configuration port protection
IS.82 Physical and logical access to diagnostic and configuration ports shall be controlled.

22.8.4.5 Segregation in networks
IS.83 Groups of information services, users, and information systems shall be segregated from a logical point of view.

22.8.4.6 Network connection control
IS.84 For shared networks, especially those extending across the T2S boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications.

22.8.4.7 Network routing control
IS.85 Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

22.8.5 Operating system access control

Objective: To prevent unauthorised computer access to operating systems.

22.8.5.1 Secure log-on procedures
IS.86 Access to operating systems shall be controlled by a secure log-on procedure.

22.8.5.2 User identification and authentication
IS.87 All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.

22.8.5.3 Password management system
IS.88 Systems for managing passwords shall be interactive and shall ensure quality passwords.

22.8.5.4 Use of system utilities
IS.89 The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

22.8.5.5 Session time-out
IS.90 Inactive sessions shall shut down after a defined period of inactivity.

22.8.5.6 Limitation of connection time
IS.91 Restrictions on connection times shall be used to provide additional security for high-risk applications.

22.8.6 Application and information access control

Objective: To prevent unauthorised computer access to operating systems.

22.8.6.1 Information access restriction
IS.92 Access to information and application system functions by users and support staff shall be restricted in accordance with the defined access control policy.

22.8.6.2 Sensitive system isolation
IS.93 Sensitive systems shall have a dedicated (isolated) computing environment.

22.8.7 Mobile computing and communications

Objective: To ensure information security when using mobile computing and tele-working facilities.

22.8.7.1 Mobile computing and communications
IS.94 A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication facilities.

22.8.7.2 Teleworking
IS.95 A policy, operational plans and procedures shall be developed and implemented for teleworking activities.

22.9 Information systems acquisition, development and maintenance

22.9.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.

22.9.1.1 Security requirements analysis and specification
IS.96 Statements of business requirements for new information system(s), or enhancements to existing information systems shall specify the requirements for security controls.

22.9.2 Correct processing in applications
Objective: To prevent loss, unauthorised modification or misuse of data in applications.

22.9.2.1 Input data validation
IS.97 Data input to applications shall be validated to ensure that it is correct and appropriate.

22.9.2.2 Control of internal processing
IS.98 Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

22.9.2.3 Message integrity
IS.99 Requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and appropriate controls identified and implemented.

22.9.2.4 Output data validation
IS.100 Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

22.9.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

22.9.3.1 Policy on the use of cryptographic controls
IS.101 A policy on the use of cryptographic controls for protection of T2S information shall be developed and implemented.

22.9.3.2 Key management
IS.102 Key management shall be in place to support the use of cryptographic techniques.

22.9.4 Security of system files
Objective: To ensure the security (integrity) of system files.

22.9.4.1 Control of operational software
IS.103 There shall be procedures in place to control the installation of components on operational systems.

22.9.4.2 Protection of system test data
IS.104 Test data shall be selected carefully, protected and controlled.

22.9.4.3 Access control to program code
IS.105 Access to program code shall be restricted according to the T2S governance body decision.

22.9.5 Security in development and support process
Objective: To maintain the security of application system software and information. Project and support environments shall be strictly controlled.

22.9.5.1 Change control procedures
IS.106 The implementation of changes shall be controlled by the use of formal change control procedures.

22.9.5.2 Technical review of applications after operating system changes
IS.107 When operating systems are changed, all business critical applications shall be reviewed and tested to ensure that there is no adverse impact on organisational operation or security.

22.9.5.3 Restrictions on changes to software packages
IS.108 Modifications to software packages shall be discouraged, limited to necessary changes, which shall be strictly controlled.

22.9.5.4 Information leakage
IS.109 Opportunities for information leakage shall be prevented.

22.9.5.5 Outsourced software development
IS.110 Outsourced software development shall be supervised and monitored by the T2S organisation.

22.9.6 Technical Vulnerability Management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

22.9.6.1 Control of technical vulnerabilities
IS.111 Timely information about technical vulnerabilities of information systems being used shall be obtained, T2S exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

22.10 Information security incident management

22.10.1 Reporting information security events and weaknesses
Objective: To ensure security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

22.10.1.1 Reporting information security events
IS.112 Information security events shall be reported through appropriate management channels as quickly as possible.

22.10.1.2 Reporting security weaknesses
IS.113 All employees, contractors and third party users of T2S information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.

22.10.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

22.10.2.1 Responsibilities and procedures
IS.114 Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

22.10.2.2 Learning from information security incidents
IS.115 There shall be mechanisms in place to enable the types, volumes and costs of information security incidents to be quantified and monitored.

22.10.2.3 Collection of evidence
IS.116 Where a follow-up action against a person or organisation after an information security incident involves legal action (either civil or criminal), evidence shall be collected and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

22.11 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities, to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

22.11.1.1 Including information security in the business continuity management process elements
IS.117 A managed process shall be developed and maintained for business continuity throughout the T2S organisation that addresses the information security requirements needed for the T2S business continuity.

22.11.1.2 Business continuity and risk assessment
IS.118 Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security.

22.11.1.3 Developing and implementing continuity plans including information security
IS.119 Plans shall be developed and implemented to maintain or restore business operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.

22.11.1.4 Business continuity planning framework
IS.120 A single framework of business continuity plans shall be maintained to ensure that all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance.

22.11.1.5 Testing, maintaining and re-assessing business continuity plans
IS.121 Business continuity plans shall be tested and updated regularly to ensure that they are up to date and effective.

22.12 Compliance

22.12.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations and of any security requirements.

22.12.1.1 Identification of applicable legislation
IS.122 All relevant statutory, regulatory and contractual requirements and the T2S approach to meet these requirements shall be explicitly defined, documented and kept up to date for each information system and the T2S organisation.

22.12.1.2 Intellectual property rights (IPR)
IS.123 Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.

22.12.1.3 Protection of organisational records
IS.124 Important T2S records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

22.12.1.4 Data protection and privacy of personal information
IS.125

22.12.1.5 Prevention of misuse of information processing facilities
IS.126 Users shall be deterred from using information processing facilities for unauthorised purposes.

22.12.1.6 Regulation of cryptographic controls
IS.127 Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations.

22.12.2 Compliance with security policies and technical compliance
Objective: To ensure compliance of systems with T2S security policies and standards.

22.12.2.1 Compliance with security policy and standards
IS.128 Managers shall ensure that all security procedures within their area of responsibility are carried out to achieve compliance with security policy and standards.

22.12.2.2 Technical compliance checking
IS.129 Information systems shall be regularly checked for compliance with security implementation standards.

22.12.3 Information systems audit considerations
Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.

22.12.3.1 Information systems audit controls
IS.130 Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimize the risk of disruptions to business processes.

22.12.3.2 Protection of information systems audit tools
IS.131 Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.