European Citizens’ Initiative
Application for Certification of an Online Collection System
in Ireland
1. The title of the proposed Citizens’ Initiative (max. 100 characters)
________________________________________________________________________
________________________________________________________________________
2. The subject matter of the proposed Citizens’ Initiative (max. 200 characters)
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
3. Outline the steps being taken in relation to the registration of the proposed initiative
by the European Commission
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
4. Details of the location, including company name and address, where the Online
Collection System infrastructure and the data collected is stored and contact details
of people who control access to the site (all data relating to the Online Collection
System must be stored in the Republic of Ireland - please see the note below entitled
‘Storage of Online Collection Systems Data’)
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
5. The full names, postal addresses, nationalities and dates of birth of the seven
members of the citizens’ committee, indicating specifically the representatives
designated as primary and substitute contacts for the certification process, as well as
their email addresses and telephone numbers
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
6. Software has been made available to organisers by the EU for the online collection of
statements of support. Is the Initiative that is the subject of this application using
this software? (tick as appropriate)
YES
NO
7. Does the documentation being submitted with this application form fully satisfy the
risk assessment requirements detailed below? (tick as appropriate)
YES
NO
8. Declaration:
I, who have been designated under Article 3(2) of Regulation (EU) No 211/2011 of the
European Parliament and of the Council of 16 February 2011 to act on behalf of the
citizens’ committee,
(i) am satisfied that the Online Collection System which is the subject of this
application complies with Article 6(4) of the above mentioned Regulation,
(ii) confirm that all data collected through the Online Collection System certified by
the Irish Competent Authority will be stored within and will not leave the Republic of
Ireland at any time during the collection phase of this Citizens’ Initiative, and
apply, accordingly, for certification of the system under Article 6(3) of Regulation
(EU) No 211/2011 of the European Parliament and of the Council of 16 February
2011.
Name: ______________________________
(PRINT)
Signed:_______________________________
Dated: _______________________________
PLEASE READ NOTES BELOW
NOTES
“Regulation 211/2011” means Regulation (EU) No 211/2011 of the European Parliament and of the
Council of 16 February 2011 on the Citizens’ Initiative and is available at
http://eur-lex.europa.eu/JOHtml.do?uri=OJ:L:2011:065:SOM:EN:HTML
“Regulation 1179/2011” means Commission Implementing Regulation (EU) No 1179/2011 of 17
November 2011 laying down technical specifications for online collection systems pursuant to
Regulation (EU) No 211/2011 of the European Parliament and of the Council on the Citizens’
Initiative and is available at
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:301:0003:0009:EN:PDF
S.I. No. 79 of 2012 – European Union (Citizens’ Initiative) Regulations 2012, which puts in place the
arrangements that apply in Ireland to give effect to the European Union Citizens’ Initiative, provides
as follows in relation to the certification of online collection systems:
4. Certification of Online Systems
(1) Online Collection Systems submitted to the Competent Authority for certification
shall include the technical and security features necessary to enable the
Competent Authority to assess the compliance of the organisers’ online
collection systems with Article 6(4) of Regulation 211/2011.
(2) Online Collection Systems complying with Regulation 1179/2011 shall be
regarded by the Competent Authority as meeting the requirements of Article 6(4)
of Regulation 211/2011.
Accordingly, Online Collection Systems should have adequate technical and security features in place
to ensure that data is securely collected and stored. It is the responsibility of the Department of the
Environment, Community and Local Government to verify the conformity of online collection
systems certified in the Republic of Ireland with the requirements of Regulation 211/2011.
The Online Collection System must be capable of ensuring that:
- only real persons (not computers) may submit a statement of support form;
- data provided online are securely collected and stored;
- the statements of support can be produced in the format that can be verified by the
competent national authorities – this format is set out in the Schedule to S.I. No. 79 of 2012.
The Commission has developed open-source software that already complies with Points 1, 2(3) to
2(14) and 3(1) to 3(3) of the Annex to Regulation (EU) No 1179/2011. It is available at
http://ec.europa.eu/citizens-initiative/public/software . Organisers need to ensure that the other
elements of the Online Collection System - the hardware, hosting environment, business processes
and staff – also comply with the remaining technical specifications. Organisers are not obliged to use
this software – they may, if they wish, elect to develop their own Online Collection System.
Risk Assessment Requirements:
The application should include a comprehensive risk analysis, compliance assessment and
vulnerability assessment of the whole system, covering hardware, environment, operating system,
service configuration and backup system. The risk analysis must identify the scope of the system,
highlighting business impact in case of various breaches in information assurance, enumerating the
threats and vulnerabilities of the information system. It must produce a risk analysis document that
also lists countermeasures to avoid such threats and remedies that will be taken if a threat occurs,
and draw up a prioritised list of improvements. The risk analysis should fulfil the requirements of
standard ISO/IEC 27001, short of adoption. Security controls based on the risk analysis should be
chosen from standard ISO/IEC 27002 or the Information Security Forum’s ‘Standard of Good
Practice’. The issues these measures must address are set out in point 2.2 of the Annex to
Regulation 1179/2011, which is reproduced below in Annex I.
It is recommended that a penetration test be carried out to evaluate how vulnerabilities are
exploitable and to identify possible attack paths. The penetration test should also propose solutions
on how to remedy these vulnerabilities in order to make the system secure.
The organisers must ensure that all possible solutions are put in place to ensure that the entire IT
system is secure. In order to achieve this, it is recommended that the checks outlined in Annex II are
followed prior to deploying the online collection system platform.
Storage of Online Collection System Data:
All data collected through the system must be stored within the Republic of Ireland. It is an offence
under Regulation 6(f) of S.I. No. 79 of 2012 to store data in any other Member State where
statements of support are collected on an online collection system certified by the Department of
the Environment, Community and Local Government.
Relevant Documentation:
Organisers should refer to the following documents to assist in ensuring their online collection
system is compliant with security standards, security best practices and Regulation 211/2011.

- Regulation 1179/2011
- Common Weakness Enumeration (CWE), in particular the ‘potential mitigations’ listed against
each weakness, which describe how to counter a specific threat or vulnerability
- FIPS PUB 140-2 - Security requirements for cryptographic modules
- ISO/IEC 17799:2005 - Information technology — Security techniques — Code of practice for
information security management
- ISO/IEC 27001:2005 - Information technology — Security techniques — Information security
management systems — Requirements
- OWASP Application Security Verification Standard – Web Application Standard (OWASP ASVS
for short)
Note to Organisers:
Certification of an Online Collection System by the Department of the Environment, Community and
Local Government means that it provides the technical and security features necessary for
certification in accordance with Article 6(3) of Regulation 211/2011. As such, it is not a guarantee of
the security of the system or compliance with data protection legislation throughout the process of
collection of statements of support.
Organisers are reminded of the full range of their responsibilities in relation to online collection
systems, statements of support and data protection, as set out in the relevant EU and Irish
legislation. Regulation 211/2011, Regulation 1179/2011 and S.I. No. 79 of 2012 refer.
Annex I Technical specifications from the Annex to Commission Implementing Regulation (EU) No
1179/2011 laying down technical specifications for online collection systems
1.
TECHNICAL SPECIFICATIONS AIMING AT IMPLEMENTING ARTICLE 6(4)(a) OF REGULATION
(EU) No 211/2011
In order to prevent automated submission of a statement of support using the system, the signatory
goes through an adequate verification process in line with current practice before submission of a
statement of support. One possible verification process is the use of strong ‘captcha’.
2.
TECHNICAL SPECIFICATIONS AIMING AT IMPLEMENTING ARTICLE 6(4)(b) OF REGULATION
(EU) No 211/2011
Information assurance standards
2.1.
Organisers provide documentation showing that they fulfil the requirements of standard
ISO/IEC 27001, short of adoption. For that purpose, they have:
(a) performed a full risk assessment, which identifies the scope of the system,
highlights business impact in case of various breaches in information assurance,
enumerates the threats and vulnerabilities of the information system, produces a
risk analysis document that also list countermeasures to avoid such threats and
remedies that will be taken if a threat occurs, and finally draws up a prioritised
list of improvements;
(b) designed and implemented measures for treating risks with regard to the
protection of personal data and the protection of family and private life and
measures that will be taken in the case risk occurs;
(c) identified the residual risks in writing;
(d) provided the organisational means to receive feedback on new threats and
security improvements.
2.2.
Organisers choose security controls based on the risk analysis in 2.1(a) from the following
standards:
(1) ISO/IEC 27002; or
(2) the Information Security Forum’s ‘Standard of Good Practice’
to address the following issues:
(a) risk assessments (ISO/IEC 27005 or another specific and suitable risk assessment
methodology are recommended);
(b) physical and environmental security;
(c) human resources security;
(d) communications and operations management;
(e) standard access control measures, in addition to those set forth in this
Regulation;
(f) information systems acquisition, development and maintenance;
(g) information security incident management;
(h) measures to remedy and mitigate breaches in information systems which would
result in the destruction or accidental loss, alteration, unauthorised disclosure or
access of personal data processed;
(i) compliance;
(j) computer network security (ISO/IEC 27033 or the SoGP are recommended).
Application of these standards can be limited to the parts of the organisation that are
relevant for the online collection system. For instance, human resources security can be
limited to any staff that has physical or networking access to the online collection system,
and physical/environmental security can be limited to the building(s) hosting the system.
Functional requirements
2.3.
The online collection system consists of a web-based application instance set up for the
purpose of collecting statements of support for a single Citizens’ Initiative.
2.4.
If administering the system requires different roles, then different levels of access control
are established according to the principle of least privilege.
2.5.
The publicly accessed features are clearly separated from the features destined for
administration purposes. No access control hinders reading of the information available in
the public area of the system, including information on the initiative and the electronic
statement of support form. Signing up for an initiative is possible only via this public area.
2.6.
The system detects and prevents submission of duplicate statements of support.
Application level security
2.7.
The system is suitably protected against known vulnerabilities and exploits. For this purpose
it satisfies, inter alia, the following requirements:
2.7.1. The system guards against injection flaws such as structured query language (SQL) queries,
lightweight directory access protocol (LDAP) queries, XML path language (XPath) queries,
operating system (OS) commands or program arguments. For this purpose, it requires at
least that:
(a) all user input is validated;
(b) validation is performed at least by the server-side logic;
(c) all use of interpreters clearly separates untrusted data from the command or
query. For SQL calls, this means using bind variables in all prepared statements
and stored procedures, and avoiding dynamic queries.
2.7.2. The system guards against cross-site scripting (XSS). For this purpose, it requires at least
that:
(a) all user supplied input sent back to the browser is verified to be safe (via input
validation);
(b) all user input is properly escaped before it is included in the output page;
(c) proper output encoding ensures that such input is always treated as text in the
browser. No active content is used.
2.7.3. The system has strong authentication and session management, which requires at least that:
(a) credentials are always protected when stored using hashing or encryption. The
risk that someone authenticates using ‘pass-the-hash’ is mitigated;
(b) credentials cannot be guessed or overwritten through weak account
management functions (e.g. account creation, change password, recover
password, weak session identifiers (IDs));
(c) session IDs and session data are not exposed in the uniform resource locator
(URL);
(d) session IDs are not vulnerable to session fixation attacks;
(e) session IDs timeout, which ensures that users log out;
(f) session IDs are rotated after successful login;
(g) passwords, session IDs, and other credentials are sent only over transport layer
security (TLS);
(h) the administration part of the system is protected. If it is protected by
single-factor authentication, then the password is composed of a minimum of 10
characters, including at least one letter, one number and one special character.
Alternatively two-factor authentication may be used. Where only single-factor
authentication is used, it includes a two-step verification mechanism for
accessing the administration part of the system via the Internet, in which the
single factor is augmented by another means of authentication, such as a one-time
pass-phrase/code via SMS or an asymmetrically encrypted random challenge
string to be decrypted using the organisers’/administrators’ private key unknown
to the system.
2.7.4. The system does not have insecure direct object references. For this purpose, it requires at
least that:
(a) for direct references to restricted resources, the application verifies that the user
is authorised to access the exact resource requested;
(b) if the reference is an indirect reference, the mapping to the direct reference is
limited to values authorised for the current user.
2.7.5. The system guards against cross-site request forgery flaw.
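The session-management controls of point 2.7.3 and the anti-CSRF control of point 2.7.5 are easiest to see together, so the following added example (not code from the Regulation or from the Commission's software) is a small in-memory session store: unguessable identifiers, a new identifier issued at login as the fixation defence, an idle timeout, a per-session CSRF token compared in constant time, a cookie that never puts the identifier in the URL, and the 2.7.3(h) password rule. The cookie name, the store layout and the use of the 15-minute administrator limit of point 2.19.3 for every session are assumptions.

```python
import hmac
import secrets
import time

# Added example, not the Commission's software. Cookie name, store layout
# and the single 15-minute idle limit (2.19.3) for all sessions are
# assumptions; a deployment would keep the same properties in a server-side
# persistent store.

IDLE_TIMEOUT_SECONDS = 15 * 60


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the timeout can be tested
        self._sessions = {}          # session id -> state dict

    def _new_state(self, user=None):
        return {"user": user, "last_seen": self._clock(),
                "csrf": secrets.token_urlsafe(32)}  # per-session token (2.7.5)

    def create(self) -> str:
        # 256 bits from the OS CSPRNG: the id cannot be guessed (2.7.3(b)).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._new_state()
        return sid

    def login(self, sid: str, user: str) -> str:
        # Discard the pre-authentication id and issue a fresh one, so an id an
        # attacker planted in the victim's browser never becomes an
        # authenticated session (session fixation, 2.7.3(d)).
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = self._new_state(user)
        return new_sid

    def get(self, sid: str):
        # Session state, or None when the id is unknown or has been idle too
        # long; an expired session is removed, which logs the user out (2.7.3(e)).
        state = self._sessions.get(sid)
        if state is None:
            return None
        if self._clock() - state["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        state["last_seen"] = self._clock()
        return state

    def check_csrf(self, sid: str, submitted: str) -> bool:
        # A state-changing request must carry the token the server issued to
        # this session; compare_digest avoids a timing side channel.
        state = self.get(sid)
        if state is None or not submitted:
            return False
        return hmac.compare_digest(state["csrf"], submitted)


def session_cookie(sid: str) -> str:
    # The id travels only in a cookie, never in the URL (2.7.3(c)). Secure
    # restricts it to TLS (2.7.9(b)); HttpOnly keeps page scripts away from it.
    return f"Set-Cookie: OCSSESSION={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def admin_password_acceptable(password: str) -> bool:
    # 2.7.3(h): at least 10 characters with a letter, a digit and a special character.
    return (len(password) >= 10
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))
```

The fixation defence is the rotation in `login`: whatever identifier the browser held before authentication is deleted, so a value chosen by an attacker can never map to an authenticated session.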
2.7.6. Proper security configuration is in place, which requires, at least, that:
(a) all software components are up to date, including the OS, web/application
server, database management system (DBMS), applications, and all code libraries;
(b) OS and web/application server unnecessary services are disabled, removed, or
not installed;
(c) default account passwords are changed or disabled;
(d) error handling is set up to prevent stack traces and other overly informative error
messages from leaking;
(e) security settings in the development frameworks and libraries are configured in
accordance with best practices, such as the guidelines of OWASP.
2.7.7. The system provides for encryption of data as follows:
(a) personal data in electronic format is encrypted when stored or transferred to the
competent authorities of the Member States in accordance with Article 8(1) of
Regulation (EU) No 211/2011, the keys being managed and backed up separately;
(b) strong standard algorithms and strong keys are used in line with international
standards. Key management is in place;
(c) passwords are hashed with a strong standard algorithm and an appropriate ‘salt’
is used;
(d) all keys and passwords are protected from unauthorised access.
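Point 2.7.7(c) asks for a strong standard hash with a salt, and 2.7.3(a) for a pass-the-hash mitigation. The added example below (not code from the Regulation or from the Commission's software) stores organiser credentials with PBKDF2-HMAC-SHA256 from the standard library, a fresh random salt per record, and a constant-time check. The stored-record format and the iteration count are assumptions; the count should be raised as far as the login latency budget allows.

```python
import base64
import hashlib
import hmac
import os

# Added example, not the Commission's software. Record format and iteration
# count are assumptions.

ITERATIONS = 210_000  # assumption; tune upward for the target hardware


def hash_password(password: str) -> str:
    # A fresh 16-byte salt per credential (2.7.7(c)): two users with the same
    # password get different records, and precomputed tables are useless.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    # The server accepts only the password itself and recomputes the digest.
    # Presenting a stolen record in place of the password therefore fails,
    # which is the pass-the-hash mitigation 2.7.3(a) asks for.
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations)
    )
    # Constant-time comparison so a mismatch does not leak which byte differed.
    return hmac.compare_digest(candidate, expected)
```

Storing the algorithm and iteration count inside the record lets the count be raised later without invalidating existing credentials: old records keep verifying, and a re-hash can be scheduled at the next successful login.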
2.7.8. The system restricts URL access based on the user access levels and permissions. For this
purpose, it requires at least that:
(a) if external security mechanisms are used to provide authentication and
authorisation checks for page access, they need to be properly configured for
every page;
(b) if code level protection is used, code level protection needs to be in place for
every required page.
2.7.9. The system uses sufficient transport layer protection. For this purpose, all of the following
measures or measures of at least equal strength are in place:
(a) the system requires the most current version of the hypertext transfer protocol
secure (HTTPS) to access any sensitive resource using certificates that are valid,
not expired, not revoked, and match all domains used by the site;
(b) the system sets the ‘secure’ flag on all sensitive cookies;
(c) the server configures the TLS provider to only support encryption algorithms in
line with best practices. The users are informed that they must enable TLS
support in their browser.
2.7.10. The system guards against unvalidated redirects and forwards.
Database security and data integrity
2.8.
Where online collection systems used for different Citizens’ Initiatives share hardware and
operating system resources, they do not share any data, including access/encryption
credentials. In addition, this is reflected in the risk assessment and in the implemented
countermeasures.
2.9.
The risk that someone authenticates on the database using ‘pass-the-hash’ is mitigated.
2.10.
The data provided by the signatories is only accessible to the database
administrator/organiser.
2.11.
Administrative credentials, personal data collected from signatories and its backup are
secured via strong encryption algorithms in line with point 2.7.7(b). However, the Member
State where the statement of support will be counted, the date of submission of the
statement of support and the language in which the signatory filled in the statement of
support form may be stored unencrypted in the system.
2.12.
Signatories only have access to the data submitted during the session in which they
complete the statement of support form. Once the statement of support form is submitted
the above session is closed and the submitted data is not accessible anymore.
2.13.
Signatories’ personal data are only available in the system, including the backup, in
encrypted format. For the purpose of data consultation or certification by the national
authorities in accordance with Article 8 of Regulation (EU) No 211/2011, organisers may
export the encrypted data in accordance with point 2.7.7(a).
2.14.
The persistence of the data entered in the statement of support form is atomic. That is, once
the user has entered all required details in the statement of support form, and validates
his/her decision to support the initiative, the system either successfully commits all of the
form data to the database, or, in case of error, fails by saving no data at all. The system
informs the user of the success or failure of his/her request.
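Points 2.6 (duplicate detection), 2.7.1 (bind variables, no dynamic queries) and 2.14 (atomic persistence) all meet at the moment a statement of support is written to the database, so one added example covers them (not code from the Regulation or from the Commission's software). It uses an in-memory SQLite database; the table layout, the field names, the keyed one-way duplicate key and the audit-log write are assumptions, and `personal_data` is treated as an opaque blob already encrypted by a layer not shown here (2.11, 2.13). The vulnerable lookup is included only to show what 2.7.1(c) rules out.

```python
import hashlib
import hmac
import sqlite3

# Added example, not the Commission's software. Schema, field names and the
# HMAC-based duplicate key are assumptions; personal_data is assumed to be
# ciphertext produced elsewhere (2.11/2.13).

SCHEMA = """
CREATE TABLE statements (
    id            INTEGER PRIMARY KEY,
    member_state  TEXT NOT NULL,      -- may be stored in clear (2.11)
    submitted_on  TEXT NOT NULL,      -- may be stored in clear (2.11)
    lang          TEXT NOT NULL,      -- may be stored in clear (2.11)
    personal_data BLOB NOT NULL,      -- ciphertext only (2.13)
    dedup_key     TEXT NOT NULL UNIQUE
);
CREATE TABLE audit_log (
    id    INTEGER PRIMARY KEY,
    at    TEXT NOT NULL,
    event TEXT NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def duplicate_key(secret: bytes, identifying_fields) -> str:
    # Keyed one-way digest of normalised identifying fields: the UNIQUE
    # constraint rejects a second statement from the same signatory (2.6)
    # without those fields being stored in clear.
    canonical = "|".join(f.strip().upper() for f in identifying_fields)
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def submit_statement(conn, record, secret, simulate_failure=False) -> bool:
    key = duplicate_key(
        secret, (record["member_state"], record["id_number"], record["date_of_birth"])
    )
    try:
        with conn:  # one transaction: commit everything or nothing (2.14)
            conn.execute(
                "INSERT INTO statements"
                " (member_state, submitted_on, lang, personal_data, dedup_key)"
                " VALUES (?, ?, ?, ?, ?)",
                (record["member_state"], record["submitted_on"], record["lang"],
                 record["personal_data"], key),
            )
            if simulate_failure:
                # Constructed fault between the two writes, to show rollback.
                raise RuntimeError("constructed failure between the two writes")
            conn.execute("INSERT INTO audit_log (at, event) VALUES (?, ?)",
                         (record["submitted_on"], "statement stored"))
        return True   # caller tells the signatory the submission succeeded
    except (sqlite3.IntegrityError, RuntimeError):
        return False  # duplicate or error: nothing written, signatory told it failed


def count_by_state_unsafe(conn, member_state: str) -> int:
    # Vulnerable: dynamic query, which 2.7.1(c) forbids. The input
    # ' OR '1'='1 turns the WHERE clause into a tautology.
    sql = f"SELECT COUNT(*) FROM statements WHERE member_state = '{member_state}'"
    return conn.execute(sql).fetchone()[0]


def count_by_state(conn, member_state: str) -> int:
    # Bind variable: the value reaches the engine separately from the
    # statement text and can never be parsed as SQL.
    row = conn.execute(
        "SELECT COUNT(*) FROM statements WHERE member_state = ?", (member_state,)
    ).fetchone()
    return row[0]
```

The `with conn:` block is what gives 2.14 its guarantee: if the audit-log insert (or anything else inside the block) raises, the statements row written a moment earlier is rolled back, so the database never holds a half-recorded submission.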
2.15.
The DBMS used is up to date and continuously patched for newly discovered exploits.
2.16.
All system activity logs are in place. The system makes sure that audit logs recording
exceptions and other security-relevant events listed below may be produced and kept until
the data is destroyed in accordance with Article 12(3) or (5) of Regulation (EU) No 211/2011.
Logs are adequately protected, for instance by storage on encrypted media.
Organisers/administrators regularly check the logs for suspicious activity. Log contents
include at least:
(a) dates and times for log-on and log-off by organisers/administrators;
(b) performed backups;
(c) all database administrator changes and updates.
Infrastructure security — physical location, network infrastructure and server environment
2.17.
Physical security
Whatever the type of hosting used, the machine hosting the application is properly
protected, which provides:
(a) hosting area access control and audit log;
(b) physical protection of backup data against theft or incidental misplacement;
(c) that the server hosting the application is installed in a secured rack.
2.18.
Network security
2.18.1. The system is hosted on an Internet facing server installed on a demilitarised zone (DMZ) and
protected by a firewall.
2.18.2. When relevant updates and patches of the firewall product become public, then such
updates or patches are installed expediently.
2.18.3. All inbound and outbound traffic to the server (destined to the online collection system) is
inspected by the firewall rules and logged. The firewall rules deny all traffic that is not
needed for the secure use and administration of the system.
2.18.4. The online collection system must be hosted on an adequately protected production network
segment that is separated from segments used to host non-production systems such as
development or testing environments.
2.18.5. Local area network (LAN) security measures are in place such as:
(a) layer 2 (L2) access list/port switch security;
(b) unused switch ports are disabled;
(c) the DMZ is on a dedicated virtual local area network (VLAN)/LAN;
(d) no L2 trunking enabled on unnecessary ports.
2.19.
OS and web/application server security
2.19.1. A proper security configuration is in place including the elements listed in point 2.7.6.
2.19.2. Applications run with the lowest set of privileges that they require to run.
2.19.3. Administrator access to the management interface of the online collection system has a
short session time-out (maximum 15 minutes).
2.19.4. When relevant updates and patches of the OS, the application runtimes, applications
running on the servers, or anti-malware become public, then such updates or patches are
installed expediently.
2.19.5. The risk that someone authenticates on the system using ‘pass-the-hash’ is mitigated.
2.20.
Organiser client security
For the sake of end-to-end security, the organisers take necessary measures to secure their
client application/ device that they use to manage and access the online collection system,
such as:
2.20.1. Users run non-maintenance tasks (such as office automation) with the lowest set of
privileges that they require to run.
2.20.2. When relevant updates and patches of the OS, any installed applications, or anti-malware
become public, then such updates or patches are installed expediently.
3.
TECHNICAL SPECIFICATIONS AIMING AT IMPLEMENTING ARTICLE 6(4)(c) OF REGULATION
(EU) No 211/2011
3.1.
The system provides the possibility to extract for each individual Member State a report
listing the initiative and the personal data of the signatories subject to verification by the
Competent Authority of that Member State.
3.2.
Exporting of signatories’ statements of support is possible in the format of Annex III to
Regulation (EU) No 211/2011. The system may in addition provide for the possibility of
exporting the statements of support in an interoperable format such as the extensible markup language (XML).
3.3.
The exported statements of support are marked as being of limited distribution to the
Member State concerned, and labelled as personal data.
3.4.
The electronic transmission of exported data to the Member States is secured against
eavesdropping using suitable end-to-end encryption.
Annex II – Suggested guidelines and checks to follow prior to deploying the OCS platform
Verify that all requirements defined in the technical specification have been implemented. In particular:
Passwords, session IDs, and other credentials are sent only over
Transport Layer Security (TLS).
TS – point 2.7.3.g
The system does not have insecure direct object references.
TS – point 2.7.4
For direct references to restricted resources, the application
verifies that the user is authorized to access the exact resource
requested.
TS – point 2.7.4.a
If the reference is an indirect reference, the mapping to the
direct reference is limited to values authorized for the current
user.
TS – point 2.7.4.b
Proper security configuration is in place, which requires, at least,
that:
TS – point 2.7.6
a) All software components are up-to-date, including the OS,
web/application server, Data Base Management System
(DBMS), applications, and all code libraries.
b) OS and web/application server unnecessary services are
disabled, removed, or not installed.
c) Default account passwords are changed or disabled.
d) Error handling is set up to prevent stack traces and other
overly informative error messages from leaking.
e) Security settings in the development frameworks and libraries
are configured in accordance with best practices, such as the
guidelines of OWASP.
The system requires the most current version of the Hypertext
Transfer Protocol Secure (HTTPS) to access any sensitive
resource using certificates that are valid, not expired, not
revoked, and match all domains used by the site.
TS – point 2.7.9.a
The system sets the 'secure' flag on all sensitive cookies.
TS – point 2.7.9.b
The server configures the TLS provider to only support
encryption algorithms in line with best practices. The users are
informed that they must enable TLS support in their browser.
TS – point 2.7.9.c
The DBMS used is up-to-date and continuously patched for
newly discovered exploits
TS – point 2.15
A database activity log is in place. The system makes sure that
audit logs recording exceptions and other security-relevant
events listed below may be produced and kept until the data is
destroyed in accordance with Article 12(3) or (5) of Regulation
(EU) No 211/2011. Logs are adequately protected, for instance
by storage on encrypted media. Organisers/administrators
regularly check the logs for suspicious activity. Log contents
include at least
TS – point 2.16
a) Dates and times for log-on and log-off by
organisers/administrators;
b) Performed backups;
c) All database administrator changes and updates.
Physical security
TS – point 2.17
Whatever the type of hosting used, the machine hosting the
application is properly protected, which provides:
a) Hosting area access control and audit log;
b) Physical protection of backup data against theft or incidental
misplacement;
c) That the server hosting the application is installed in a
secured rack.
The system is hosted on an internet facing server installed on a
demilitarized zone (DMZ) and protected by a Firewall.
TS – point 2.18.1
When relevant updates and patches of the Firewall product
become public, then such updates or patches are installed
expediently.
TS – point 2.18.2
All inbound and outbound traffic to the server (destined to the
online collection system) is inspected by the Firewall rules and
logged.
TS – point 2.18.3
The online collection system must be hosted on an adequately
protected production network segment that is separated from
segments used to host non-production systems such as
development or testing environments.
TS – point 2.18.4
Local Area Network (LAN) security measures are in place such
as:
TS – point 2.18.5
a) Layer 2 (L2) Access list / Port switch security;
b) Unused switch ports are disabled;
c) The DMZ is on a dedicated Virtual Local Area Network
(VLAN)/LAN;
d) No L2 trunking enabled on unnecessary ports.
Administrator access to the management interface of the online
collection system has a short session time-out (maximum 15
minutes).
TS – point 2.19.3
When relevant updates and patches of the OS, the application
runtimes, applications running on the servers, or anti-malware
become public, then such updates or patches are installed
expediently.
TS – point 2.19.4
Organiser client security
TS – point 2.20
For the sake of end-to-end security, the organisers take
necessary measures to secure their client application/device
that they use to manage and access the online collection
system.
Users run non-maintenance tasks (such as office automation)
with the lowest set of privileges that they require to run
TS – point 2.20.1
When relevant updates and patches of the OS, any installed
applications, or anti-malware become public, then such updates
or patches are installed expediently.
TS – point 2.20.2
Verify that at least the security objectives proposed by the standard ISO/IEC 27001 are implemented.
Responsibility for asset
All assets should be accounted for and have a nominated owner.
ISO/IEC 27001:2005
Objective 7.1
Owners should be identified for all assets and the responsibility
for the maintenance of appropriate controls should be assigned.
The implementation of specific controls may be delegated by
the owner as appropriate but the owner remains responsible for
the proper protection of the assets.
Secure Areas
Critical or sensitive information processing facilities should be
housed in secure areas, protected by defined security
ISO/IEC 27001:2005
Objective 9.1
perimeters, with appropriate security barriers and entry
controls. They should be physically protected from unauthorized
access, damage, and interference.
The protection provided should be commensurate with the
identified risks.
Equipment security
Equipment should be protected from physical and environmental threats. Protection of equipment (including that used off-site, and the removal of property) is necessary to reduce the risk of unauthorized access to information and to protect against loss or damage. This should also consider equipment siting and disposal. Special controls may be required to protect against physical threats, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure.
ISO/IEC 27001:2005 – Objective 9.2
Third party service delivery management
The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed with the third party.
ISO/IEC 27001:2005 – Objective 10.2
System planning and acceptance
Advance planning and preparation are required to ensure the availability of adequate capacity and resources to deliver the required system performance. Projections of future capacity requirements should be made, to reduce the risk of system overload. The operational requirements of new systems should be established, documented, and tested prior to their acceptance and use.
ISO/IEC 27001:2005 – Objective 10.3
Protection against malicious and mobile code
Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code. Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs. Users should be made aware of the dangers of malicious code. Managers should, where appropriate, introduce controls to prevent, detect, and remove malicious code and control mobile code.
ISO/IEC 27001:2005 – Objective 10.4
Backup
Routine procedures should be established to implement the agreed back-up policy and strategy for taking back-up copies of data and rehearsing their timely restoration.
ISO/IEC 27001:2005 – Objective 10.5
Network security management
The secure management of networks, which may span organizational boundaries, requires careful consideration of dataflow, legal implications, monitoring, and protection. Additional controls may also be required to protect sensitive information passing over public networks.
ISO/IEC 27001:2005 – Objective 10.6
Media handling
Media should be controlled and physically protected. Appropriate operating procedures should be established to protect documents, computer media (e.g. tapes, disks), input/output data and system documentation from unauthorized disclosure, modification, removal, and destruction.
ISO/IEC 27001:2005 – Objective 10.7
Exchange of information
Exchanges of information and software between organizations should be based on a formal exchange policy, carried out in line with exchange agreements, and should be compliant with any relevant legislation (see clause 15). Procedures and standards should be established to protect information and physical media containing information in transit.
ISO/IEC 27001:2005 – Objective 10.8
Monitoring
Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are identified. An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities. System monitoring should be used to check the effectiveness of controls adopted and to verify conformity to an access policy model.
ISO/IEC 27001:2005 – Objective 10.10
User access management
Formal procedures should be in place to control the allocation of access rights to information systems and services. The procedures should cover all stages in the life-cycle of user access, from the initial registration of new users to the final deregistration of users who no longer require access to information systems and services. Special attention should be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.
ISO/IEC 27001:2005 – Objective 11.2
Network access control
Access to both internal and external networked services should be controlled. User access to networks and network services should not compromise the security of the network services by ensuring:
a) appropriate interfaces are in place between the organization’s network and networks owned by other organizations, and public networks;
b) appropriate authentication mechanisms are applied for users and equipment;
c) control of user access to information services is enforced.
ISO/IEC 27001:2005 – Objective 11.4
Operating system access control
Security facilities should be used to restrict access to operating systems to authorized users. The facilities should be capable of the following:
a) authenticating authorized users, in accordance with a defined access control policy;
b) recording successful and failed system authentication attempts;
c) recording the use of special system privileges;
d) issuing alarms when system security policies are breached;
e) providing appropriate means for authentication;
f) where appropriate, restricting the connection time of users.
ISO/IEC 27001:2005 – Objective 11.5
Application and information access control
Security facilities should be used to restrict access to and within application systems. Logical access to application software and information should be restricted to authorized users. Application systems should:
a) control user access to information and application system functions, in accordance with a defined access control policy;
b) provide protection from unauthorized access by any utility, operating system software, and malicious software that is capable of overriding or bypassing system or application controls;
c) not compromise other systems with which information resources are shared.
ISO/IEC 27001:2005 – Objective 11.6
Security requirements of information systems
Information systems include operating systems, infrastructure, business applications, off-the-shelf products, services, and user-developed applications. The design and implementation of the information system supporting the business process can be crucial for security. Security requirements should be identified and agreed prior to the development and/or implementation of information systems. All security requirements should be identified at the requirements phase of a project and justified, agreed, and documented as part of the overall business case for an information system.
ISO/IEC 27001:2005 – Objective 12.1
Cryptographic controls
A policy should be developed on the use of cryptographic controls. Key management should be in place to support the use of cryptographic techniques.
ISO/IEC 27001:2005 – Objective 12.3
Security of system files
Access to system files and program source code should be controlled, and IT projects and support activities conducted in a secure manner. Care should be taken to avoid exposure of sensitive data in test environments.
ISO/IEC 27001:2005 – Objective 12.4
Technical vulnerability management
Technical vulnerability management should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. These considerations should include operating systems, and any other applications in use.
ISO/IEC 27001:2005 – Objective 12.6
Reporting information security events and weaknesses
Formal event reporting and escalation procedures should be in place. All employees, contractors and third party users should be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organizational assets. They should be required to report any information security events and weaknesses as quickly as possible to the designated point of contact.
ISO/IEC 27001:2005 – Objective 13.1
Management of information security incidents and improvements
Responsibilities and procedures should be in place to handle information security events and weaknesses effectively once they have been reported. A process of continual improvement should be applied to the response to, monitoring, evaluating, and overall management of information security incidents. Where evidence is required, it should be collected to ensure compliance with legal requirements.
ISO/IEC 27001:2005 – Objective 13.2
Information security aspects of business continuity management
A business continuity management process should be implemented to minimize the impact on the organization and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and recovery controls. This process should identify the critical business processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities.
The consequences of disasters, security failures, loss of service, and service availability should be subject to a business impact analysis. Business continuity plans should be developed and implemented to ensure timely resumption of essential operations. Information security should be an integral part of the overall business continuity process, and other management processes within the organization.
Business continuity management should include controls to identify and reduce risks, in addition to the general risk assessment process, limit the consequences of damaging incidents, and ensure that information required for business processes is readily available.
ISO/IEC 27001:2005 – Objective 14.1
Compliance with legal requirements
The design, operation, use, and management of information systems may be subject to statutory, regulatory, and contractual security requirements. Advice on specific legal requirements should be sought from the organization’s legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to another country (i.e. trans-border data flow).
ISO/IEC 27001:2005 – Objective 15.1
Compliance with security policies and standards, and technical compliance
The security of information systems should be regularly reviewed. Such reviews should be performed against the appropriate security policies, and the technical platforms and information systems should be audited for compliance with applicable security implementation standards and documented security controls.
ISO/IEC 27001:2005 – Objective 15.2