Information Security General Requirements | Synextra

Information Security General Requirements

Completed by Michael Pyne (ISMS Management Representative)

Updated 22/05/2018

1 Introduction

1. Our information and the systems supporting it are major business assets. The integrity, availability and confidentiality of this information are essential in maintaining competitive edge, financial stability, legal compliance and respected image.

2. Personal information relates to a living individual who can be identified from that data, or when combining that data with other information already in the possession of the holder of that data. It also includes any expression of opinion about the individual and any indications of the intentions of any person in respect of the individual. So for example, personal data includes names, addresses, dates of birth, national insurance numbers, pay references, photographs, voice recordings, work records, bank details, immigration status, political affiliations and so on. One or a combination of these data could allow a living individual to be identified.

3. Commercial information is proprietary to the company, its clients or its suppliers. Examples of sensitive commercial information are: policies, procedures, financial information, tenders, contracts, customer details, supplier details and business plans. Commercial information should be treated in the same manner as sensitive personal data.

4. The purpose of Information Security Management is to protect information held in three ways:

• Confidentiality - preventing unauthorised disclosure and interception.
• Integrity - safeguarding accuracy and completeness.
• Availability - ensuring that information and services are available when required.

5. Policies and procedures describe the mechanisms we will use to manage all aspects of information security and have been written in line with the relevant major principles of the Information Security Standard ISO 27001.

6. It is the responsibility of our Information Security Management Representative to ensure that information security documentation is regularly reviewed and updated, as a minimum at the management review.

7. Documentation will also be reviewed when there are changes to location, business processes, threat levels, core technology or there is a security incident.

2 Related Documents

A range of policies and procedures have been prepared for guidance and are to be read in conjunction with this document and the following documents contained in the “Information Security System”:

(a) The “Information Security Policy Statement” which is defined in the Information Security Manual

(b) The Information Security Manual which defines the processes required for the ISO 27001 management system

(c) “Controls and Countermeasures” spreadsheet which defines the controls for each identified threat / event.

(d) The following information security related policies:

• Acceptable Use Policy
• Asset Management Policy
• Cryptographic Control Policy
• Data Destruction Policy
• Data Retention Policy
• Data transfers and removable media Policy
• Email Policy
• Forensic Readiness Policy
• Hardware Disposal Policy
• Patch Management Policy
• Remote Working Policy
• Security Incidents Policy
3 Information Security Roles and Responsibilities

1. Our organisation structure is defined in the Information Security Management System.

2. Roles and responsibilities are summarised in the Information Security Manual.

3. Further detailed responsibilities are defined in these policies and procedures.

4 Use of Information Systems

1. This document sets out the policies and procedures for users accessing our information systems, in order to achieve the required level of information security.

2. The rules for the acceptable use of information assets are defined in the “Acceptable Use” policy.

4.1 Definitions

1. An Information Security Event is an identified occurrence of a system, service or network state indicating a possible breach of information security procedure or failure of safeguards, or a previously unknown situation which may be security relevant. [ISO/IEC TR 18044:2004]

2. An Information Security Incident is a single or a series of unwanted or unexpected Information Security Events that have a significant probability of compromising business operations and threatening information security. [ISO/IEC TR 18044:2004]

4.2 Information Security Awareness

Objective: To ensure that employees understand the nature of Information Security Management and that they are equipped to implement the Information Security procedure during their working activities.

1. On recruitment, all employed and temporary staff will receive an induction which will contain a briefing on Information Systems and an explanation of their responsibilities for implementing the Information Security Management procedure.

2. Information security briefings will be carried out periodically to provide a refresher on information security and data protection.

3. Policies and procedures are made available to all staff.

4. When updates to the information security management system documentation are made, employees will be notified and, where required, employees will receive a formal security briefing.

5. Records of information security training will be maintained.

4.3 Physical Security and Access Control

Objective: To prevent unauthorised access to equipment, physical damage or compromise of assets and the interruption of business activities which would result.

4.3.1 Building Security

1. A means of controlling entry to buildings or areas within buildings is required, in order that non-authorised persons are prevented from entering. At its simplest, this may consist of a staffed entry point with visitors’ book but, depending upon the sensitivity of information held within the area, more stringent methods may be necessary.

2. Physical security is based on having different secure zones, with each zone having its own security appropriate to the level of information risk, for example:

• Zone 1 – Outer zone with external building entry, controlled by visitors’ passes and/or reception staff and/or security guards
• Zone 2 – data processing areas, controlled by means such as swipe cards, key fobs, and digital locks
• Zone 3 – server room with its own separate access control such as a digital lock or swipe system.

3. Staff are required to challenge any person who is not recognised and is neither wearing a visitor’s pass or staff identity pass nor accompanied by a member of staff. If no satisfactory explanation is forthcoming, this must be reported to a member of management, who will log the occurrence as a Security Incident.

4. In any case where a direct challenge is felt to be inadvisable or dangerous, the matter must immediately be reported to a member of management and to building security where they exist. This will also be logged as a Security Incident.

5. Access to security zones within the outer zone will be controlled by different means. Where a staff pass system is in operation, passes will permit entry to only those areas into which the member of staff concerned requires access in the performance of his/her duties.

6. Where a staff pass system is in operation, a member of staff is not permitted to use the pass of another member of staff.

7. Where a staff pass system is in operation, loss of a member of staff’s pass will be immediately reported to his/her line manager who will ensure that access permissions on the pass are removed as soon as possible.

8. A visitor management process will be implemented at all sites, whereby visitors will be required to sign in with the following information:

• Date and time of arrival.
• Name and, where relevant, organisation.
• Whom visiting.

9. Contractors and other users who may have access to “sensitive” information are required to obtain an authorised “Access Approval Form”.

10. Visitors will at all times be accompanied by a member of staff, unless in a public area of the building or toilet. Where a staff pass system is in operation, visitors will be issued with a temporary pass which does not permit access to any sensitive areas.

11. The general public will not be allowed access to any company area, with the sole exception of persons making deliveries. In this case, such persons will be required to display identification and will be taken by building security or a member of staff to the person to whom the delivery is to be made.

12. If it is necessary for staff to leave their computer unattended for any reason, they will log off or lock the screen. Inactivity timeouts will be applied to all desktops, such that after 30 minutes the screen will lock automatically.

13. All staff will maintain a clear desk with no business papers being left in view when the desk is unattended. Sensitive papers of any sort will be locked away when not in use and staff will clear their desks at the end of each working day or shift. The printing of emails and similar material which is available for on-screen viewing is deprecated and all papers no longer required will be disposed of by cross-cut shredding.

4.3.2 Equipment

1. It is essential that access to all IT equipment is denied to non-company staff, except in the case of authorised persons (e.g. contractors) specifically allowed access to perform necessary work.

2. All company IT equipment will normally be installed within areas controlled by company staff. Thus any person in the same area as company IT equipment will either be a member of staff or an authorised (and accompanied) visitor.

3. Authorised third parties given access to systems will be supervised at all times to ensure that only the necessary work is carried out. Prior to this access being granted, the scope of the work and required access will be agreed and recorded on an “Access Approval Form”.

4. Any member of staff who sees an unknown and unaccompanied person operating or interfering with company IT equipment must approach the individual and request their authorisation to work on the equipment (see also the next item). If the answer is in any way unsatisfactory, this becomes a Security Incident and the member of staff must immediately report the matter to management who will follow the Security Incident procedure described below.

5. As stated above, authorised third parties must be supervised. Lack of this supervision, without satisfactory explanation, is a breach of security. See above for the requirement to challenge unrecognised and unescorted persons.

6. On rare occasions, it may be necessary to install items of infrastructure equipment (e.g. data switches) in areas outside our direct control. In these cases, the room or cabinet containing the equipment must be locked, with access limited to company staff, and represents an isolated security zone. Equipment installed in such a location will contain no bulk data storage. Special considerations apply to Computer Rooms – see below.

7. Equipment must be sited and installed in such a way as to minimise any risk of external or environmental threat. Thus, equipment must not be accessible from outside controlled access zones and must not be subject to issues such as water damage or overheating.

8. Where required by the terms of a client contract or particular regulations, additional access controls may be implemented and/or additional secure zones defined as required. Staff must be aware that unauthorised entry to such secure zones may render them liable to disciplinary action and in some cases legal action. Advice from line management should always be sought.

9. All IT equipment must be properly maintained, according to manufacturers’ instructions, and all failures must be immediately reported to the IT Administrator.

10. Data, power and telecommunications cabling must be protected from damage or interception.

11. System documentation will be regarded as sensitive information and will be securely stored and disposed of.

4.3.3 Equipment Taken Off Site

1. Company equipment should normally be kept within company premises. In some cases, each of which must be authorised by a manager, equipment will be issued to members of staff for performance of their duties outside company premises. This includes, but is not limited to, laptops and mobile phones.

2. In each case, the “Information Security New Starter Form” and/or the “Asset Items and Owners List” will list the equipment and will be signed by the member of staff receiving the equipment, confirming their responsibility for the equipment and any data it may contain. The forms will be kept in the employee file and the equipment will be recovered upon termination of employment.

3. All equipment permitted to be used off-site will be operated in accordance with this and all other company policies.

4. Members of staff authorised to use company equipment off-site are responsible for ensuring that the equipment is safely and securely operated and, when not in use, is securely stored.

4.3.4 Equipment in Transit

1. It will occasionally be necessary to transport used equipment between sites. Such operations must always be organised and supervised by company staff. Only approved, secure carrier services will be used.

2. Equipment containing sensitive data will be packed in sturdy crates / boxes and securely closed by means of sealed wire ties or similar means. Each crate / box will be clearly labelled with the following information:

• Despatch and delivery addresses.
• Named individual receiving the shipment.
• An identifying crate / box number.

3. The contents of filing cabinets and similar storage units will be removed and crated / boxed for transportation. The crates / boxes will be labelled as above.

4. An inventory of the shipment will be made out before despatch and sent by separate means to the recipient. The inventory must contain a full list of the contents of each crate, along with the crate / box identifying number, and an indication of the sensitivity of any data included.

5. Once the consignment has been loaded, a check of the area will be made, in case any items intended for transport have been missed.

6. Upon receipt, the consignment will be checked against the inventory. Any losses will be immediately reported to the carrier and will be treated as a Security Incident.

4.3.5 Computer Rooms

1. Because these areas are normally unoccupied and may contain stored information in bulk, they will be treated as an additional security zone, at a higher level than the wider area within which they exist. The following general conditions will be observed for all computer rooms:

2. Access to Computer Rooms will be limited to IT staff / IT contractors. All other persons must be accompanied by the IT Administrator or by management, except where the terms of building occupancy require access by building security staff in an emergency. In this case, management must be informed of the visit as soon as practical after it has occurred and will log it as a potential security incident.

3. Computer Rooms, when unoccupied, will be kept locked by means of a digital lock or swipe card system.

4. File servers, gateways and other items of core infrastructure will be protected from short term power outages (20 minutes or less) and power surges by UPS systems.

5. Computer rooms will be kept tidy and as free as possible of paper and other combustible materials.

6. Appropriate safety equipment such as smoke detectors, fire alarms, fire extinguishers and fire escapes will be installed. Staff must be properly trained in the use of safety equipment.

4.3.6 Asset Management

1. It is necessary that the company is aware of the scope and detail of the hardware, software and other related assets which it holds. A detailed “asset items and owners list” is maintained.

2. No equipment may be moved or altered by non-IT staff without the knowledge and agreement of the IT Administrator or management. Once equipment is relocated, its entry in the “asset items and owners list” must be updated.

Refer to the “Asset Management Policy” for more detail on classification and marking of assets.

4.3.7 Malicious Software

Objective: To protect IT assets from the effects of malicious software such as viruses, spyware and Trojans.

1. All desktop and server systems will be protected by a proprietary anti-virus software suite. All elements of this suite will be updateable by means of data file upgrades which are regularly published. Where possible, centralised distribution of upgrades will be implemented and, where this is not possible, the systems concerned must be configured for automatic daily update via the internet. Update status will be checked regularly, as part of the regular system checks, with any failures recorded as a security incident, along with the results of any corrective action.

2. A robust email scanning system, which may be a hosted service, is employed to ensure the elimination of email-borne malicious software and spam, and all external email, incoming and outgoing, is passed through this system. Status reports will be monitored and any irregularities addressed. Any malicious software and spam penetrating the scanning system will be recorded as a security incident.

3. All removable data media originating or written outside the company will be checked for virus infection by the IT Administrator prior to any use.

4. It is the responsibility of all staff to report every instance of virus detection and unexplained PC symptoms to the IT Administrator. All such reports, along with actual virus warnings and infections, will be logged as Security Incidents.

5. On evidence of a malicious software attack, the IT Administrator will isolate affected machines from the network and attempt to determine the source, which will also be isolated. If the source can be determined and is outside the company, the originator will be warned. Isolation and clean-up of any infection will be given the highest possible priority within the company.

4.4 System Access

Objective: To prevent unauthorised access to company IT systems and software.

4.4.1 New User Registration, Changes to User Access Rights and Removal of Users

1. A New User procedure has been implemented in which IT are informed (by copying the New Starter Checklist) of each potential new user and any special requirements that the user may have for systems access. The normal situation is that the user will use a standard desktop unless access to additional systems is authorised. Support and Management staff are dealt with individually as their requirements are likely to be more specialised.

2. “Generic” user access is not permitted. Thus all users given access to company information systems will be separately identified and logins such as “Temp1” are forbidden.

3. Upon induction (which is received by all staff, including temporary staff), copies of this procedures manual and other security relevant materials are made available to staff, and a suitable level of instruction is given into the security aspects of the use of IT systems. Every member of staff must then confirm by means of signature on the New Starter checklist that she/he has received the information and will abide by all the requirements. A record of this confirmation is held in the personal file.

4. User access rights (either for each individual person or for a group of persons) are listed in the “User Access Rights Log”.

5. During the course of their employment, staff may have changing needs for systems access, for example on promotion. Requests for changes will be made to the IT Administrator, where they will be logged on the “Change Control Log”. In the case of temporary changes, it is essential that a diary reminder is scheduled to prompt the IT Administrator to revert the user’s access to normal.

6. When a member of staff leaves the company, a “Leaver Form” is completed, the IT Administrator removes system access and the equipment is returned.

7. User access rights shall be reviewed regularly, as set out in, to ensure that no changes to access requirements have been missed. These reviews are recorded on the “User Monitoring Log”.

4.4.2 Principles for Password Creation

1. The following fundamental rules for the creation of user IDs and passwords will be implemented:

2. Passwords, where pre-assigned when users are initially granted access, will be changed by the user on first access.

3. Passwords will be not less than six characters in length and will contain upper-case letters, lower-case letters and digits, provided the target system supports their use. User names, common words and abbreviations must not be used, for example:

• Birth dates;
• Names (First, Last, or any combination);
• Unaltered words that could be found in a dictionary;
• Telephone numbers;
• Famous or other proper names; and
• Alphabet or keyboard sequences (e.g. “QWERTY”).

4. Automatic password ageing, with a period of not more than forty days, will, where available, be implemented. Where automatic ageing is not available, users will change their passwords every three months as a minimum.

5. Password re-use detection will be set up to reject passwords within six change cycles.

6. No user may release any of his/her passwords to any other person. Doing so will be considered a breach of security and will be subject to the Security Incident reporting procedure. At the option of Management, disciplinary action may be taken.

7. Manufacturers’ default passwords must always be changed before systems enter service.

8. Where practicable, the principles for password creation above apply. Further guidance on password best practice is given below and advice is also given in the CESG Password Guidance document:

• Using a different password for each account;
• Changing passwords regularly (at least every six months or as required by policy); and
• Not writing down your password(s) on paper or recording them in a file or password vault on any computer.
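The rules in this section can be checked mechanically when a password is set or changed. The following Python is an added worked example and is not part of the Synextra policy document: it encodes the stated rules (minimum length six, mixed-case letters plus digits, no user names or personal names, birth dates, telephone numbers, unaltered dictionary words or keyboard sequences, and rejection of any password reused within six change cycles). The dictionary word list, the user details and the history store are constructed stand-ins, and storing the history as salted PBKDF2 hashes is an assumption about how a reuse check would be kept without retaining the passwords themselves.

```python
"""Mechanical check of the password rules in section 4.4.2 (added example)."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 6       # "not less than six characters in length"
HISTORY_DEPTH = 6    # "reject passwords within six change cycles"
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a real dictionary word list (assumption).
DICTIONARY = {"password", "welcome", "summer", "london", "secret", "monday"}

# Rows used to detect alphabet and keyboard sequences such as "QWERTY".
SEQUENCE_ROWS = (
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "abcdefghijklmnopqrstuvwxyz", "0123456789",
)


def _contains_sequence(text, run=4):
    """True if text holds `run` consecutive row characters, forwards or backwards."""
    for row in SEQUENCE_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in text or piece[::-1] in text:
                return True
    return False


def _birth_date_forms(birth_date):
    """Digit strings in which a (year, month, day) birth date commonly appears."""
    year, month, day = birth_date
    return {
        f"{day:02d}{month:02d}{year:04d}", f"{day:02d}{month:02d}{year % 100:02d}",
        f"{year:04d}{month:02d}{day:02d}", f"{year:04d}",
    }


def check_password(password, username, first_name, last_name, birth_date, phone):
    """Return the list of 4.4.2 rules the candidate breaks; an empty list means acceptable."""
    problems = []
    low = password.lower()
    digits = re.sub(r"\D", "", password)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
            and re.search(r"\d", password)):
        problems.append("must contain upper-case letters, lower-case letters and digits")
    for label, value in (("user name", username), ("first name", first_name),
                         ("last name", last_name)):
        if value and value.lower() in low:
            problems.append(f"contains the user's {label}")
    if any(form in digits for form in _birth_date_forms(birth_date)):
        problems.append("contains the user's birth date")
    phone_digits = re.sub(r"\D", "", phone)
    if phone_digits and (phone_digits in digits or phone_digits[-6:] in digits):
        problems.append("contains the user's telephone number")
    # "Unaltered words that could be found in a dictionary": test each maximal run of letters.
    words = [w for w in re.findall(r"[a-z]+", low) if w in DICTIONARY]
    if words:
        problems.append(f"contains an unaltered dictionary word: {words[0]!r}")
    if _contains_sequence(low):
        problems.append("contains an alphabet or keyboard sequence")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so the history never stores the passwords themselves."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def in_history(password, history):
    """True if the candidate matches any of the last HISTORY_DEPTH recorded passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def record_change(history, password):
    """Append the new password's hash; older entries simply age out of the six-cycle window."""
    history.append(hash_password(password))
    return history


if __name__ == "__main__":
    # Constructed user details for the demonstration.
    user = dict(username="jsmith", first_name="John", last_name="Smith",
                birth_date=(1980, 3, 15), phone="0161 496 0000")
    for candidate in ("Tr0ub4dor&3", "Summer2024", "Qwerty12", "jSmith1", "Rx15031980"):
        print(candidate, "->", check_password(candidate, **user) or "acceptable")
```

The checker only enforces what the section states; it does not replace the target system's own password controls, and the six-cycle history is consulted by recomputing the salted hash of the candidate, so recorded entries never need to be decrypted or compared in plain text.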

4.4.3 User Access Policies

1. Access control will be implemented by means of the facilities within Active Directory, on the basis of permitting the minimum access necessary for each individual or group to perform their duties satisfactorily.

2. Temporary staff will not be given access to the internet unless this is specifically required by the service on which they are working.

3. Only where necessary to perform their duties, IT contractors may be granted administrative access to the network and systems thereon. This will be done on an individual basis, not by issuing the high level system administration password to them.

4. The system administration password will only be known by the IT Administrator. However, for safety, copies will be kept in a sealed envelope. The envelopes will be placed in secure storage commensurate with the highest impact level of data on the company network.

5. In the event of emergency use of the system administration password, the process to change the password will be initiated once the immediate emergency is over.

6. The system administration password envelope will be inspected regularly by the Information Security Management Representative. Should the seal be found not to be intact, the process to change the password will immediately be initiated and this will be recorded as a security incident.

4.5 Data Network Security

Objective: To ensure reliable and secure control of the data network by protecting it from internal and external risks.

4.5.1 Internal Network

1. The company operates a private WiFi network on a single site.

2. Tasks which require administration permissions may be performed by any member of IT Service staff from any site or, subject to additional security measures, from outside the company network.

4.5.2 External Connectivity / Remote Access

1. All connections to external data networks will be made through firewall systems.

2. All breaches of firewall security, potential or actual, will be logged as Security Incidents and the appropriate action taken (see below).

3. Portable computers may be given access to the company network for agreed purposes, the most usual of which will be the use of the company Email system. Access will not be automatically granted and each application for access will be treated on its own merits.

4. All portable computers with access must be protected by a randomly chosen start-up password. If the computer is stolen or lost, this will be recorded as a Security Incident and its VDI account must be immediately removed.

5. Portable computers with VDI access will have their Anti-Virus software updated automatically upon connection, if possible.

6. Where officially supplied portable storage devices (including, but not limited to, USB memory sticks, CD/DVD and laptop computers) may contain sensitive personal information, they will be protected by whole disk encryption.

7. Diagnostic and similar physical test ports will be left unconnected at all times unless in attended use for specific tests.

Refer to the “Remote Working” policy for additional requirements for remote working.

4.5.3 External Web Access

1. It may be necessary to provide access to systems within the company network over the internet. In all such cases, the following requirements will apply.

2. Web front end systems will be located in a physical ‘De-militarised Zone’ (DMZ), established by a firewall or other security appliance. The use of virtual DMZs is prohibited.

3. Associated databases will not be installed in the DMZ.

4. All traffic will be encrypted by means of the HTTPS protocol.

5. Access will be controlled by username and password, the passwords being generated by us and issued to the client’s representative, or the client’s agent’s representative, in writing. Passwords will not be sent by unencrypted email.

6. When a username and password are issued, the recipient will be required to acknowledge receipt in writing or by email and also to agree that the details will not be passed to those not authorised to gain access to the system in question.

7. The password creation and changing rules detailed in 4.4.2 above will apply.

4.5.4 Access Recording

1. We will maintain an up to date “External Party List” containing all individuals and organisations currently granted access to any company information system.

2. The list will be checked regularly.

4.6 Data & Software

Objective: To ensure information systems and the data they contain are used in accordance with best industry practice and current legislation.

4.6.1 Unsuitable Material

1. The introduction of pornographic or otherwise illegal, dangerous or unsuitable material of any sort into any company system or network will result in disciplinary action.

4.6.2 Copyright

1. It is company procedure that copyright material will not be copied without the copyright owner’s consent.

2. Information not owned by the company may only be copied when to do so does not breach copyright or intellectual property legislation and is necessary in support of company operations. Breach of this procedure will result in disciplinary action.

3. Software (programs, etc.) may only be installed or removed once authorised on the “Change Control Log”. It is important for all staff to note that desktop Internet access, where granted, is a potential source of unapproved software. Breach of this procedure will result in disciplinary action.

4. It is the responsibility of the Information Systems Management Representative to ensure that necessary software licensing arrangements are in place, and these licence details will be recorded on the “Information Assets List”.

4.6.3 Safeguarding of Records

1. Some information held on company information systems is required by statute to be available currently and to be archived for a period and location, as defined on the “Document Log”.

4.6.4 Personal & Confidential Information

1. Personal information is any information that relates to a specific, identifiable, living individual. The individual may be a member of staff, a client, a caller or any other person. Such information may include, for example, address, telephone number, age, and gender – this is not an exhaustive list.

2. Within personal information, the Data Protection Act recognises some information as “sensitive” and this includes financial information, religion, political views, sexual preference, and record of legal judgements – again, this is not an exhaustive list.

3. Confidential information stored on computer systems is subject to the Data Protection Act.

4. The Act defines eight principles to be followed by organisations processing personal data and these are summarised for reference below. Personal information must be:

1. Fairly and lawfully processed.
2. Processed for limited purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept for longer than is necessary.
6. Processed in line with the data subject’s rights.
7. Securely held.
8. Not transferred to other countries without adequate protection.

5. Personal information will be treated as confidential at all times.

6. Confidential information regarding a member of staff will only be disclosed to that individual’s line manager, a manager further up the hierarchy within the same department or, in the case of salaries information, a manager in the same department with direct or indirect budgetary responsibility for the salary. It will never be disclosed to:

• An individual of equal or lower managerial status.
• Someone not in a line management hierarchy.
• A manager from another Department.

If there is doubt about the eligibility of a manager to receive the information, the matter should immediately be escalated to a more senior manager in the same department.

7. Commercially confidential information will be treated in the same way as personal and other confidential information.

8. Confidential information of any other sort will not be disclosed to third parties without specific written authorisation from Top Management.

9. Information is classified as defined in the “Asset Management Policy” and access to the different classifications is controlled as defined below:

a) “No Marking Required”

• No specific approval is required for anyone to access this information
• This information may be made public

b) “Sensitive”

• Access is automatically granted to any employee, agency staff and third parties (such as contractors, consultants, professional advisers, suppliers) who have had an induction and/or signed the terms and conditions of employment or a non-disclosure agreement.

c) “Highly Sensitive”

• Access is granted to company directors after completing induction and/or signing the terms and conditions of employment
• Access may be granted to company management, staff and to agency staff and third parties if:
  • they have signed the terms and conditions of employment and/or non-disclosure agreement
  • access has been approved by a director and recorded on the “User Access Rights Log”

4.7 Privileged Access

1. “Special privileges” are those allowed to the IT Administrator, programmers or specialist external suppliers, allowing access to sensitive areas (for example, passwords, data, programmes).

2. The unnecessary allocation and use of special privileges is often found to be a major contributing factor to the vulnerability of systems that have been breached.

3. Any such privileged access must be authorised by a Director and recorded on the “User Access Rights Log”.

4. All requests for access outside normal working hours must be supported by a completed and authorised entry on the “User Access Rights Log”.

4.8 Monitoring

1. We will carry out regular monitoring of the following and this will be recorded on the “Event / User Monitoring Log”:

• user access rights
• event logs
• system administrator / privileged access activities

2. We will monitor external parties’ use of our information systems and this will be recorded in the “External Party Monitoring Log”.

4.9 Change Management

1. Any changes to the organisation, its business processes, information processing facilities and any systems that affect Information security must be formally recorded and controlled to ensure that any undesirable effects on Information Security are avoided.

2. Therefore, all such changes will be recorded on the “Change Control Log”.

4.10 System / Software Development

1. Where carried out, any system / software development, whether carried out internally or by suppliers, will be managed and recorded as a change on the “Change Control Log”.

2. The development/test environment and live environment will be separate.

3. All system / software changes will be made in accordance with sound engineering principles, for example:

1. Website development will be carried out in accordance with OWASP guidance.
2. A clear specification will be defined for the work to be carried out, including the requirements for information security.
3. Coding will be carried out with a standardised approach with appropriate commenting.
4. Testing will be planned and this will include information security testing.
5. Unit testing / testing of each module or release will be carried out and records kept.
6. A record of user acceptance testing will be kept.

4. Although the above outlines the key principles, it may be appropriate to document the software/system engineering principles in more detail, dependent on who is carrying out the development and on the complexity and risks of the changes.

5. The release will be planned and deployed to prevent an information security incident. Release notes will be made available.

4.11 Information Security Audits

1. At regular intervals, internal and external auditors will check compliance with these policies, principles and standards by spot check and/or audit, and will report the findings to senior management. It is essential that all areas should be subject to this review process. The internal audit process is defined in “Process P10” in the “Information Security Management System Manual”.