ARCHIBUS Hosting Services – Authorized Hosting Partner
All ARCHIBUS Hosting Services
TECHNICAL REQUIREMENTS CHECK-LIST
The world’s #1 Hosted solution for
TOTAL infrastructure AND FACILITIES management
Confidential Technical information
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
Copyright © 2015, ARCHIBUS Solution Center – Hosting Services, OÜ. All Rights
Reserved.
This document is only for information purposes and its contents can be subject to
change without notice.
This document cannot be reproduced or transmitted in any form without written
authorization of ARCHIBUS Solution Center – Hosting Services.
“ARCHIBUS On Demand”, “ARCHIBUS in the Cloud (SaaS), “ARCHIBUS Hosted”,
“ARCHIBUS SaaS in House” and “ARCHIBUS Hosting Services” are trademarks of
ARCHIBUS, Inc. All Rights Reserved.
2
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
Version Control
Version
0.1
0.2
0.5
1
2
3
3
4
Issued by
Ana Maria
Fernandez
Ana Maria
Fernandez
Miguel Sánchez
Miguel
Miguel Sánchez
Miguel
Miguel Sánchez
Miguel
Jose Luis López
Ana Maria
Fernandez
Miguel Sanchez
Miguel
Date
NOV 05
2010
NOV 08
2010
NOV 08
2010
AUG 10
2011
FEB 2 2012
MAY 21
2014
MAY 23
2014
JUN 7 2015
Comments / Changes
Initial Draft
Technical concepts & checklist added.
Approved. Initial revision (English grammar & syntax) pending.
Approved. Second version. Authorized Hosting Partner Program
Approved. Separated versions for AARCHIBUS On Demand & ARCHIBUS
Hosted
Technical Review.
Approved. Technical Review.
Update
For any question related to document, please contact:
For technical matters
Ana María Fernández de Simón
CIO and Innovation Manager
Mobile : (+34) 671 660 742
e-mail : ana.fernandez@asc-hs.com
For business, partnership or commercial matters
Miguel Sánchez Miguel
CEO & Member of the Board
Mobile (+372) 56252718
e-mail: msm@asc-hs.com
CONFIDENTIALITY
This document encloses confidential information property of “ARCHIBUS Solution
Center - Hosting Services” and which constitutes valuable trade secrets. It is delivered
to YOU, the recipient, who expressly agrees to keep it as confidential.
By reading hereafter YOU agree not to use it for any other purpose, not to transfer it to
other documents, nor to reproduce it in whole or in part, nor to transfer it to others
parties except those stated in the “ARCHIBUS Hosting Services” provision and solely to
“ARCHIBUS Solution Center – Hosting Services” approved partners.
3
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
Scope
The scope of this document is to know by this check-list more about the Candidate to
ARCHIBUS Hosting Services Authorized Hosting Partner, in order to qualify if is able to
be a real Candidate for the ARCHIBUS Hosting Services Program.
Contenido
1
2
3
Definitions ................................................................................................................. 5
ARCHIBUS Delivery modes ..........................................Error! Bookmark not defined.
Infrastructure to deliver ARCHIBUS Hosting Services .Error! Bookmark not defined.
3.1
3.2
4
5
Network system infrastructure .......................................Error! Bookmark not defined.
Server Farm .....................................................................Error! Bookmark not defined.
Authorized Hosting Partner Compliance. ...................Error! Bookmark not defined.
Best Practices for Authorized Hosting Partners ..........Error! Bookmark not defined.
5.1
5.2
General ............................................................................Error! Bookmark not defined.
Deployment and back-up ................................................Error! Bookmark not defined.
5.2.1
5.2.2
5.2.3
Deployment requirements ......................................Error! Bookmark not defined.
Backup Requirements .............................................Error! Bookmark not defined.
Backup Restore Requirements ................................Error! Bookmark not defined.
6 Access and Control rules for Authorized Hosting Partner Platform Error! Bookmark
not defined.
6.1
General rules for each ASC-HS Authorized Hosting Platform. ...... Error! Bookmark not
defined.
6.2
ASC-HS control and report. .............................................Error! Bookmark not defined.
6.3
Optional requirements for controlling the Authorized Hosting Platform .............Error!
Bookmark not defined.
4
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
1 Definitions
AHS: ARCHIBUS Hosting Services / ARCHIBUS Hosting Solutions, includes: ARCHIBUS On
Demand (SaaS model), and ARCHIBUS Hosted (PaaS or condo method).
AHS-AHP or AHP: ARCHIBUS Hosting Services – Authorized Hosting Partner.
AI: ARCHIBUS, Inc. – Proprietary of ARCHIBUS Hosting Services, and the ARCHIBUS
Hosting Services – Authorized Hosting Partner program.
ASC-HS: ARCHIBUS Solution Center – Hosting Services, is in charge of global
management of ARCHIBUS Hosting Services and the ARCHIBUS Hosting Services Authorized Hosting Partner program.
ARCHIBUS Cloud Computing global framework: The collection of all the ARCHIBUS
Hosting Services - Authorized Hosting Partners, working connected, creating a global
network all together.
5
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
2 General Information
Company
Contact
Tittle
e-mail
Website
Phone
Address
Postcode (ZIP)
City
State
Country
Region
3 Product(S)
We are interested to host this solution(s):
(mark here IF
ACCEPT)
ARCHIBUS Hosted
PaaS (Platform as a Service or Condo method)
(mark here IF
ACCEPT)
ARCHIBUS in the Cloud (SaaS) or ARCHIBUS On Demand
SaaS (Software as a Service)
4 Hosting Infrastructure
Hosting Platform
owner is
Our Company (proprietary hosting data Center)
An external provider
(specify if external provider)
6
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
Experience
ISO 9001
Hosting ARCHIBUS since (years)
Hosting other vendor software since (years)
Is your company ISO 9001 Certified?
(Quality)
We will request your processes and specific certification confirmation
ISO 27001
Is your company ISO 27001 Certified?*
(Data Management)
We will request your processes and specific certification confirmation
Other
Certifications
FISMA – NIST
Others
*If your company or hosting provider is ISO 27001 Certified most probably will not needed the
Auditory on Site, in the ARCHIBUS Hosting Services – Authorized Hosting Partner Program
certification process.
5 Territory
State
Country
Region
Check if you want to be exclusive ARCHIBUS Hosting Services – Authorized
Hosting Partner in Territory specified
1 ARCHIBUS Hosting Services – Authorized Hosting
Partner Compliance Checklist
Fill the form with these criteria on the Compliance column
A
B
C
E
X
Our arrangements comply with the state standard
Our arrangements partially comply with the state standard – More work is needed
Good idea- we should do this
We believe that the stated standard does not apply in our case
Current status is not known
These are the columns of Check-List
Checklist item Section
Audit question Comments
7
Compliance
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
1.1 Security Policy
5.1.1
Information security policy
5.1.1.
1
Information
security policy
document
There exists an Information Security policy, which
is approved by the management, published and
communicated as appropriate to all employees.
5.1.1.
2
Review of
Informational
Security Policy
The Information Security Policy is reviewed at
planned intervals, or if significant changes occur
to ensure its continuing suitability, adequacy and
effectiveness.
Defined Information Security Policy procedures
exist and do they include requirements for the
management review.
The Information Security policy has an owner,
who has approved management responsibility for
development, review and evaluation of the
security policy.
1.2 Organization of information security
5.2.1
Internal Organization
5.2.1.
1
Information
security
coordination
Information security activities are coordinated by
representatives from diverse parts of the
organization, with pertinent roles and
responsibilities.
5.2.1.
2
Allocation of
information
security
responsibilities
Responsibilities for the protection of individual
assets, and for carrying out specific security
processes, are clearly identified and defined.
5.2.1.
3
Authorization
process for
information
processing
facilities
Management authorization process is defined and
implemented for any new information processing
facility within the organization.
5.2.1.
4
Confidentiality
agreements
Whether the organization’s need for
Confidentiality or Non-Disclosure Agreement
(NDA) for protection of information is clearly
defined and regularly reviewed. Does this address
the requirement to protect the confidential
information using legal enforceable terms?
5.2.1.
5
Contact with
authorities
There exists a procedure that describes when,
and by whom: relevant authorities such as Law
enforcement, fire department etc., should be
8
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
contacted, and how the incident should be
reported.
5.2.1.
6
Independent
review of
information
security
5.2.2
External Parties
5.2.2.
1
Identification of
risks related to
external parties
Risks to the organization’s information and
information processing facility, from a process
involving external party access, is identified and
appropriate control measures implemented
before granting access.
5.2.2.
2
Addressing
security when
dealing with
customers
All identified security requirements are fulfilled
before granting customer access to the
organization’s information or assets.
5.2.2.
3
Addressing
Security in third
party
agreements
The agreement with third parties, involving
accessing, processing, communicating or
managing the organization’s information or
information processing facility, or introducing
products or services to information processing
facility, complies with all appropriate security
requirements.
Whether the organization’s approach to
managing information security, and its
implementation, is reviewed independently at
planned intervals, or when major changes to
security implementation occur.
1.3 Asset Management
5.3.1
Responsibility for assets
5.3.1.
1
Inventory of
assets
All assets are identified and an inventory or
register is maintained with all the important
assets.
5.3.1.
2
Ownership of
assets
Each asset identified has an owner, a defined and
agreed-upon security classification, and access
restrictions that are periodically reviewed.
5.3.1.
3
Acceptable use
of assets
Regulations for acceptable use of information
and assets associated with an information
processing facility are identified, documented
and implemented.
5.3.2
Information classification
5.3.2.
1
Classification
guidelines
The information is classified in terms of its value,
legal requirements, sensitivity and criticality to
the organization.
5.3.2.
2
Information
labelling and
handling
An appropriate set of procedures are defined for
information labelling and handling, in accordance
with the classification scheme adopted by the
organization.
9
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
1.4 Human resources security
5.4.1
Prior to employment
5.4.1.
1
Roles and
responsibilities
Employee security roles and responsibilities,
contractors and third party users are defined and
documented in accordance with the
organization’s information security policy. The
roles and responsibilities are defined and clearly
communicated to job candidates during the preemployment process.
5.4.1.
3
Terms and
conditions of
employment
Employee, contractors and third party users are
asked to sign confidentiality or non-disclosure
agreement as a part of their initial terms and
conditions of the employment contract and this
agreement covers the information security
responsibility of the organization and the
employee, third party users and contractors.
5.4.2
During employment
5.4.2.
1
Management
responsibilities
The management requires employees,
contractors and third party users to apply security
in accordance with the established policies and
procedures of the organization.
5.4.2.
2
Information
security
awareness,
education and
training
All employees in the organization, and where
relevant, contractors and third party users,
receive appropriate security awareness training
and regular updates in organizational policies and
procedures as it pertains to their job function.
5.4.2.
3
Disciplinary
process
There is a formal disciplinary process for the
employees who have committed a security
breach.
5.4.3
Termination or change of employment
5.4.3.
1
Termination
responsibilities
Responsibilities for performing employment
termination, or change of employment, are
clearly defined and assigned.
5.4.3.
2
Return of assets
There is a process in place that ensures all
employees, contractors and third party users
surrender all of the organization’s assets in their
possession upon termination of their
employment, contract or agreement.
5.4.3.
3
Removal of
access rights
Access rights of all employees, contractors and
third party users, to information and information
processing facilities, will be removed upon
termination of their employment, contract or
agreement, or will be adjusted upon change.
10
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
1.5 Physical and Environmental Security
5.5.1
Secure Areas
5.5.1.
1
Physical entry
Controls
Whether entry controls are in place to allow only
authorized personnel into various areas within
the organization.
5.5.1.
2
Securing
Offices, rooms
and facilities
The rooms, which have the information
processing service, are locked or have lockable
cabinets or safes.
5.5.1.
3
Protecting
against external
and
environmental
threats
The physical protection against damage from fire,
flood, earthquake, explosion, civil unrest and
other forms of natural or man-made disaster
should be designed and applied.
5.5.1.
4
Public access
delivery and
loading areas
The delivery, loading, and other areas where
unauthorized persons may enter the premises are
controlled, and information processing facilities
are isolated, to avoid unauthorized access.
5.5.2
Equipment Security
5.5.2.
1
Equipment
siting
protection
The equipment is protected to reduce the risks
from environmental threats and hazards, and
opportunities for unauthorized access.
5.2.2.
2
Supporting
utilities
The equipment is protected from power failures
and other disruptions caused by failures in
supporting utilities.
Whether permanence of power supplies, such as
a multiple feed, an Uninterruptible Power Supply
(ups), a backup generator, etc. are being utilized.
5.5.2.
3
Cabling Security
Power and telecommunications cable, carrying
data or supporting information services, is
protected from interception or damage.
5.5.2.
4
Equipment
Maintenance
The equipment is correctly maintained to ensure
its continued availability and integrity as per the
supplier’s recommended service intervals and
specifications and the maintenance is carried out
only by authorized personnel.
Logs are maintained with all suspected or actual
faults and all preventive and corrective measures.
Appropriate controls are implemented while
sending equipment off premises.
Are the equipment covered by insurance and the
insurance requirements satisfied?
11
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
5.5.2.
5
Securing of
equipment offpremises
Risks are assessed with regards to any equipment
usage outside an organization’s premises, and
mitigation controls implemented.
5.5.2.
6
Secure disposal
or re-use of
equipment
All equipment, containing storage media, is
checked to ensure that any sensitive information
or licensed software is physically destroyed, or
securely over-written, prior to disposal or reuse.
5.5.2.
7
Removal of
property
Any controls are in place so that equipment,
information and software is not taken off-site
without prior authorization.
1.6 Communications and Operations Management
5.6.1
Operational Procedures and responsibilities
5.6.1.
1
Documented
Operating
procedures
Operating procedure is documented, maintained
and available to all users who need it.
5.6.1.
2
Change
management
All changes to information processing facilities
and systems are controlled.
5.6.1.
3
Separation of
development,
test and
operational
facilities
Development and testing facilities are isolated
from operational facilities. For example,
DEVELOPMENT and PRODUCTION servers should
be run on different physical computers. Where
necessary, development and production networks
should be kept separate from each other.
5.6.2
Third party service delivery management
5.6.2.
1
Service delivery
Measures are taken to ensure that the security
controls, service definitions and delivery levels,
included in the third party service delivery
agreement, are implemented, operated and
maintained by a third party.
5.6.2.
2
Monitoring and
review of third
party services
The services, reports and records provided by
third party are regularly monitored and reviewed
and audits are conducted on the above third
party services, reports and records, on regular
interval.
5.6.3
System planning and acceptance
5.6.3.
1
Capacity
Management
The capacity demands are monitored and
projections of future capacity requirements are
made, to ensure that adequate processing power
and storage are available.
Example: Monitoring hard disk space, RAM and
CPU on critical servers.
5.6.3.
2
System
acceptance
System acceptance criteria are established for
new information systems, upgrades and new
versions and are always aligned with ASC-HS
12
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
policies. Suitable tests are carried out prior to
acceptance.
5.6.4
Protection against malicious and mobile code
5.6.4.
1
Controls against
malicious code
5.6.5
Backup
5.6.5.
1
Information
backup
Detection, prevention and recovery controls, to
protect against malicious code and appropriate
user awareness procedures, are developed and
implemented.
Back-ups of information and software is taken
and tested regularly in accordance with the
agreed ASC-HS backup policy.
All essential information and software:
Application(s), Client(s) Project(s), ARCHIBUS Files
and Database, can be recovered following a
disaster or media failure.
One daily completed backup should be done.
Fortnightly copies are stored; therefore data can
be restored as it was any previous day before
backup was done.
5.6.6
Network Security Management
5.6.6.
1
Network
Controls
The network is adequately managed and
controlled, to protect from threats, and to
maintain security for the systems and
applications using the network, including the
information in transit.
Controls are implemented to ensure the security
of the information in networks, and the
protection of the connected services from
threats, such as unauthorized access.
5.6.6.
2
Security of
network
services
Security features, service levels and management
requirements, of all network services, are
identified and included in any network services
agreement. The ability of the network service
provider, to manage agreed services in a secure
way, is determined and regularly monitored, and
the right to audit is agreed upon.
5.6.6.
3
Network
Architecture
Redundant Core and edge network infrastructure.
All network hardware is redundant and
replicated: firewalls, routers, switches…
Network with private VLAN and 100/1000 mbps
redundant network drop availability using HSRP
or VRRP.
5.6.7
13
Media handling
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
5.6.7.
1
Management of
removable
media
Procedures exist for management of removable
media, such as tapes, disks, cassettes, memory
cards, and reports. All procedures and
authorization levels are clearly defined and
documented.
5.6.7.
2
Disposal of
Media
The media that are no longer required are
disposed of securely and safely, as per formal
procedures.
5.6.7.
3
Information
handling
procedures
A procedure exists for handling information
storage.
Does this procedure address issues, such as
information protection, from unauthorized
disclosure or misuse?
5.6.7.
4
Security of
system
documentation
System documentation is protected against
unauthorized access.
5.6.8
Exchange of Information
5.6.8.
1
Information
exchange
policies and
procedures
There is a formal exchange policy, procedure and
control in place to ensure the protection of
information.
Does the procedure and control cover using
electronic communication facilities for
information exchange?
5.6.8.
2
Exchange
agreements
Agreements are established concerning exchange
of information and software between the
organization and external parties.
The security content of the agreement reflects
the sensitivity of the business information
involved.
5.6.8.
3
Physical Media
in transit
Media containing information is protected against
unauthorized access, misuse or corruption during
transportation beyond the organization’s physical
boundary.
5.6.8.
4
Electronic
Messaging
The information involved in electronic messaging
is well protected.
(Electronic messaging includes but is not
restricted to Email, Electronic Data Interchange,
Instant Messaging)
5.6.8.
5
Business
information
systems
Policies and procedures are developed and
enforced to protect information associated with
the interconnection of business information
systems.
5.6.9
ARCHIBUS Hosting Services
5.6.9.
1
General
Practices
14
The information involved in AHS passing over the
public network is protected from fraudulent
activity, contract dispute, and any unauthorized
access or modification.
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
Security controls such as application of
cryptographic controls are taken into
consideration.
Service arrangements between trading partners
include a documented agreement, which commits
both parties to the agreed terms of trading,
including details of security issues.
5.6.9.
2
On-Line
Transactions
Information involved in online transactions is
protected to prevent incomplete transmission,
miss-routing, unauthorized message alteration,
unauthorized disclosure, unauthorized message
duplication or replay.
5.6.9.
3
Publicly
available
information
Integrity of the publicly available information is
protected against any unauthorized modification.
5.6.9.
4
Policies and
standard
Requirements for confidentiality or nondisclosure agreements reflecting the
organization's need for the protection of
information shall be identified and regularly
reviewed.
5.6.9.
5
Service
agreement
Defined Service level agreement over 99.00%
Monitoring and review of the third party services
24x7x365 Support
Working time Support only
5.6.9.
6
User
capabilities
Employees with experience on ARCHIBUS™ use
and consultancy.
Experience in ARCHIBUS™ Installations and
Software Updates.
Experience in ARCHIBUS™ Hosting delivery.
5.6.9.
7
Hosting
Infrastructure
Virtualized platform provision
Internet access to Desktop Users (Citrix)
Secure Socket Layer line (SSL)
Virus Protection
Critical Patching
Managed VPN Access
The clocks of all relevant information processing
systems within an organization or security
domain shall be synchronized with an agreed
accurate time source.
5.6.9.
8
Issues
management
Information security events shall be reported
through official ASC-HS management channels as
quickly as possible (no more 48 hours delayed).
Faults shall be logged, analysed, and appropriate
action taken and reported in the official ASC-HS
issues tracking system.
15
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
5.6.9.
9
Projects
Deployment
Once the project is on Production (PRODUCTION
Server), all the customization and changes
required by customer must be done in a different
environment. ASC-HS recommend testing all the
customization using QA Server before applying it
to Production.
If the partner has made changes which affects the
database, we recommend to generate SQL Script
with the changes that modify the Database
schema, instead of to use ‘Update Schema
wizard’ de ARCHIBUS to do it . These scripts will
facilitate the ARCHIBUS updates and the upgrades
of releases.
5.6.9.
10
Access
Application,
Service &
Licenses Control
(Global Quality
Assurance by
ASC-HS) Mandatory
VPN Access for the Front-End, Application and
Back-End (Data Base and Back-up) layers or levels
 IPSEC is required and the Authorized Hosting
Partner must establish a concurrent connection
infrastructure accessed by ASC-HS.
 VPN Site (Authorized Hosting Partner) to Site
(ASC-HS) is mandatory.
The bandwidth assigned to the VPN Access needs
to be independent of the bandwidth assigned to
the customer service, that is, the traffic control
for the VPN needs a different circuit of the traffic
generated by the customers using ARCHIBUS
Hosting Services product.
Provide a minimum of 1 SO administrator user
account for logging to ASC-HS for each server.
Report to ASC-HS the result of ICMP Tests done at
least each minute. Notify to ASC-HS via email or
phone call when a server goes downs or if
everything is working correctly (the standard
notifications).
On fault case, an e-mail´s alert is required: At
least one email to local Partner administrator and
other one to ASC-HS administrator.
Follow the ASC-HS name syntax rules for the
server name: convention defined by ASC-HS
(Hosting Partner code –assigned by ASC-HS- (3
characters) + Project name (8 characters) + Server
number (3 characters).
Snapshot weekly of each virtual server with at
least 4 retention snapshot.
Restore test of the virtual server snapshot. It’s
required a test each 6 month including an initial
test of start-up of the Hosting Platform.
16
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
Provide online access to ASC-HS for a monitoring
Tool for each defined level: web, application and
databases.
Allow ASC-HS modify the partner´s Filters Firewall
in a fast and secured way.
Weekly Snapshot of each virtual server with
retention of 4 copies.
Configuration of ASC-HS Administrator’s accounts
for the server which has the web server
separated from the application servers.
Provide monthly reports of the use of the
application and licenses. This reports depend on
the software application
In the administrator’s user group of database
server there are also included the ASC-HS
Administrator user accounts.
Configuration of ASC-HS Administrator’s accounts
for the server which has the web server
separated from the application servers.
5.6.9.
10
Optional
controls by ASCHS
Audit logs recording user activities, exceptions,
and information security events are produced and
kept for an agreed period to assist in future
investigations and access control monitoring.
Appropriate Privacy protection measures are
considered in Audit log maintenance.
Procedures are developed and enforced for
monitoring system use for information processing
facility. The results of the monitoring activity are
reviewed regularly. The level of monitoring
required for individual information processing
facility is determined by a risk assessment.
Logging facility and log information are well
protected against tampering and unauthorized
access.
5.6.9.
10
ASC-HS Control
Level - Web
System administrator and system operator
activities are logged and the logged activities are
reviewed on regular basis.
5.6.9.
11
ASC-HS Control
Level Application
Faults are logged analysed and appropriate action
taken. Levels of logging required for individual
system are determined by a risk assessment,
taking performance degradation into account.
System clocks of all information processing
system within the organization or security
domain is synchronised with an agreed accurate
time source.
17
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
(The correct setting of computer clock is
important to ensure the accuracy of audit logs)
Procedures are developed and enforced for
monitoring system use for information processing
facility. The results of the monitoring activity are
reviewed regularly. The level of monitoring
required for individual information processing
facility is determined by a risk assessment.
5.6.9.
12
ASC-HS Control
Level - Database
Logging facility and log information are well
protected against tampering and unauthorized
access.
An access control policy is developed and
reviewed based on the business and security
requirements.
5.6.10
Monitoring
5.6.10.
1
Audit logging
Audit logs recording user activities, exceptions,
and information security events are produced
and kept for an agreed period to assist in future
investigations and access control monitoring.
Appropriate Privacy protection measures are
considered in Audit log maintenance.
5.6.10.
2
Monitoring
system use
Procedures are developed and enforced for
monitoring system use for information
processing facility. The results of the monitoring
activity are reviewed regularly. The level of
monitoring required for individual information
processing facility is determined by a risk
assessment.
5.6.10.
3
Protection of log
information
Logging facility and log information are well
protected against tampering and unauthorized
access.
5.6.10.
4
Administrator
and operator logs
System administrator and system operator
activities are logged and the logged activities are
reviewed on regular basis.
5.6.10.
5
Fault logging
Faults are logged analysed and appropriate
action taken. Levels of logging required for
individual system are determined by a risk
assessment, taking performance degradation
into account.
5.6.10.
6
Clock
synchronisation
System clocks of all information processing
system within the organization or security
domain is synchronised with an agreed accurate
time source.
(The correct setting of computer clock is
important to ensure the accuracy of audit logs)
18
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
1.7 Access Control
5.7.1
Business Requirement for Access Control
5.7.1.
1
Access Control
Policy
An access control policy is developed and
reviewed based on the business and security
requirements.
Both logical and physical access control are taken
into consideration in the policy
The users and service providers are given a clear
statement of the business requirement to be met
by access controls.
5.7.2
User Access Management
5.7.2.
1
User
Registration
There is any formal user registration and deregistration procedure for granting access to all
information systems and services.
5.7.2.
2
Privilege
Management
The allocation and use of any privileges in
information system environment is restricted and
controlled i.e., Privileges are allocated on needto-use basis, privileges are allocated only after
formal authorization process.
5.7.2.
3
User Password
Management
The allocation and reallocation of passwords
should be controlled through a formal
management process.
The users are asked to sign a statement to keep
the password confidential.
5.7.2.
4
Review of user
access rights
5.7.3
User Responsibilities
5.7.3.
1
Password use
There are any security practice in place to guide
users in selecting and maintaining secure
passwords.
5.7.3.
2
Unattended
user equipment
The users and contractors are made aware of the
security requirements and procedures for
protecting unattended equipment. .
Example: Logoff when session is finished or set up
auto log off, terminate sessions when finished
etc.,
5.7.3.
3
Clear desk and
clear screen
policy
The organisation has adopted clear desk policy
with regards to papers and removable storage
media and clear screen policy with regards to
information processing facility.
5.7.4
Network Access Control
19
There exists a process to review user access rights
at regular intervals. Example: Special privilege
review every 3 months, normal privileges every 6
months.
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
5.7.4.
1
Policy on use of
network
services
Users are provided with access only to the
services that they have been specifically
authorized to use. There exists a policy that does
address concerns relating to networks and
network services.
5.7.4.
2
User
authentication
for external
connections
Appropriate authentication mechanism is used to
control access by remote users.
5.7.4.
3
Network
connection
control
Exists an access control policy which states
network connection control for shared networks,
especially for those extend across organization’s
boundaries.
5.7.5
Operating system access control
5.7.5.
1
Secure log-on
procedures
Access to operating system is controlled by
secure log-on procedure.
5.7.5.
2
User
identification
and
authentication
Unique identifier (user ID) is provided to every
user such as operators, system administrators
and all other staff including technical.
5.7.5.
3
Password
management
system
There exists a password management system that
enforces various password controls such as:
individual password for accountability, enforce
password changes, store passwords in encrypted
form, not display passwords on screen etc.,
5.7.5.
4
Use of system
utilities
Utility programs that might be capable of
overriding system and application controls is
restricted and tightly controlled.
5.7.5.
5
Session timeout
Inactive session is shut down after a defined
period of inactivity.
(A limited form of timeouts can be provided for
some systems, which clear the screen and
prevents unauthorized access but does not close
down the application or network sessions.
5.7.5.
6
Limitation of
connection time
There exists restriction on connection time for
high-risk applications. This type of set up should
be considered for sensitive applications for which
the terminals are installed in high-risk locations.
5.7.6
Application and Information Access Control
5.7.6.
1
Information
access
restriction
Access to information and application system
functions by users and support personnel is
restricted in accordance with the defined access
control policy.
5.7.6.
2
Sensitive
system isolation
Sensitive systems are provided with dedicated
(isolated) computing environment such as
running on a dedicated computer, share
20
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
resources only with trusted application systems,
etc.,
5.7.7
Mobile Computing and teleworking
5.7.7.
1
Mobile
computing and
communications
A formal policy is in place, and appropriate
security measures are adopted to protect against
the risk of using mobile computing and
communication facilities.
Some example of Mobile computing and
communications facility include: notebooks,
palmtops, laptops, smart cards, mobile phones.
Risks such as working in unprotected
environment are taken into account by Mobile
computing policy.
5.7.7.
2
Teleworking
Policy, operational plan and procedures are
developed and implemented for teleworking
activities. Teleworking activity is authorized and
controlled by management and does it ensure
that suitable arrangements are in place for this
way of working.
1.8 Information systems acquisition, development and maintenance
5.8.1
Security requirements of information systems
5.8.1
.1
Security
requirements
analysis and
specification
5.8.2
Cryptographic controls
5.8.2
.1
Policy on use of
cryptographic
controls
The organization has Policy on use of
cryptographic controls for protection of
information like SSL (required). The policy is
successfully implemented.
5.8.2
.2
Key
management
Key management is in place to support the
organizations use of cryptographic techniques.
Cryptographic keys are protected against
modification, loss, and destruction.
Secret keys and private keys are protected
against unauthorized disclosure.
Equipment used to generate, store keys are
physically protected.
Security requirements for new information
systems and enhancement to existing information
system specify the requirements for security
controls
Key management system is based on agreed set
of standards, procedures and secure methods.
5.8.3
Security of system files
5.8.3
.1
Control of
operational
software
21
There are any procedures in place to control
installation of software on operational systems.
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
(This is to minimise the risk of corruption of
operational systems.)
5.8.3
.2
Protection of
system test data
System test data is protected and controlled. Use
of personal information or any sensitive
information for testing operational database is
shunned.
5.8.3
.3
Access Control
to program
source code
Strict controls are in place to restrict access to
program source libraries.
(This is to avoid the potential for unauthorized,
unintentional changes.)
5.8.4
Security in development and support processes
5.8.4
.1
Change control
procedures
There is strict control procedure in place over
implementation of changes to the information
system. (This is to minimise the corruption of
information system.) This procedure addresses
need for risk assessment, analysis of impacts of
changes,
5.8.4
.2
Technical
review of
applications
after operating
system changes
There is process or procedure in place to review
and test business critical applications for adverse
impact on organizational operations or security
after the change to Operating Systems.
Periodically it is necessary to upgrade operating
system i.e., to install service packs, patches, hot
fixes etc.,
5.8.4
.3
Restriction on
changes to
software
packages
Modifications to software package is discouraged
and/ or limited to necessary changes and all
changes are strictly controlled.
5.8.4
.4
Information
leakage
Controls are in place to prevent information
leakage.
Controls such as scanning of outbound media,
regular monitoring of personnel and system
activities permitted under local legislation,
monitoring resource usage are considered.
5.8.4
.5
Outsourced
software
development
Outsourced software development is supervised
and monitored by the organization. Points such
as: Licensing arrangements, escrow
arrangements, contractual requirement for
quality assurance, testing before installation to
detect Trojan code etc., are considered.
5.8.5
Technical Vulnerability Management
5.8.5
.1
Control of
technical
vulnerabilities
22
Timely information about technical vulnerabilities
of information systems being used is obtained.
The organization’s exposure to such
vulnerabilities evaluated and appropriate
measures taken to mitigate the associated risk.
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
1.9 Information security incident management
5.9.1
Reporting information security events and weaknesses
5.9.1.
1
Reporting
information
security events
Information security events are reported through
appropriate management channels as quickly as
possible. Formal information security event
reporting procedure, Incident response and
escalation procedure is developed and
implemented. ASC-HS will be immediately
informed through internal and secured channels.
5.9.1.
2
Reporting
security
weaknesses
There exists a procedure that ensures all
employees of information systems and services
are required to note and report any observed or
suspected security weakness in the system or
services.
5.9.2
Management of information security incidents and improvements
5.9.2.
1
Responsibilities
and procedures
Management responsibilities and procedures are
established to ensure quick, effective and orderly
response to information security incidents.
Monitoring of systems, alerts and vulnerabilities
are used to detect information security incidents.
The objective of information security incident
management is agreed with the management.
5.9.2.
2
Learning from
information
security
incidents
There is a mechanism in place to identify and
quantify the type, volume and costs of
information security incidents. The information
gained from the evaluation of the past
information security incidents are used to identify
recurring or high impact incidents.
5.9.2.
3
Collection of
evidence
Follow-up action against a person or organization
after an information security incident involves
legal action (either civil or criminal). Evidence
relating to the incident are collected, retained
and presented to conform to the rules for
evidence laid down in the relevant jurisdiction(s).
Internal procedures are developed and followed
when collecting and presenting evidence for the
purpose of disciplinary action within the
organization.
1.10 Business Continuity Management
5.10.1
Information security aspects of business continuity management
5.10.1
.1
Including
information
security in the
business
23
There is a managed process in place that
addresses the information security requirements
for developing and maintaining business
continuity throughout the organization.
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
continuity
management
process
This process understands the risks the
organization is facing, identify business critical
assets, identify incident impacts, and consider the
implementation of additional preventative
controls and documenting the business continuity
plans addressing the security requirements.
5.10.1
.2
Business
continuity and
risk assessment
Events that cause interruption to business
process is identified along with the probability
and impact of such interruptions and their
consequence for information security.
5.10.1
.3
Developing and
implementing
continuity plans
including
information
security
Plans are developed to maintain and restore
business operations, ensure availability of
information within the required level in the
required time frame following an interruption or
failure to business processes.
The plan considers identification and agreement
of responsibilities, identification of acceptable
loss, implementation of recovery and restoration
procedure, documentation of procedure and
regular testing.
5.10.1
.4
Business
continuity
planning
framework
There is a single framework of Business continuity
plan.
This framework is maintained to ensure that all
plans are consistent and identify priorities for
testing and maintenance.
Business continuity plan addresses the identified
information security requirement.
5.10.1
.5
Testing,
maintaining and
re-assessing
business
continuity plans
Business continuity plans are tested regularly to
ensure that they are up to date and effective.
Business continuity plan tests ensure that all
members of the recovery team and other relevant
staff are aware of the plans and their
responsibility for business continuity and
information security and know their role when
plan is evoked.
1.11 Compliance
5.11.1
Compliance with legal requirements
5.11.1
.1
Identification of
applicable
legislation
5.11.1
.2
24
All relevant statutory, regulatory, contractual
requirements and organizational approach to
meet the requirements are explicitly defined and
documented for each information system and
organization. Specific controls and individual
responsibilities to meet these requirements are
defined and documented.
There are procedures to ensure compliance with
legislative, regulatory and contractual
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
Intellectual
property rights
(IPR)
requirements on the use of material in respect of
which there may be intellectual property rights
and on the use of proprietary software products.
The procedures are well implemented.
Controls such as: publishing intellectual property
rights compliance policy, procedures for acquiring
software, policy awareness, maintaining proof of
ownership, complying with software terms and
conditions are considered.
5.11.1
.3
Protection of
organizational
records
Important records of the organization are
protected from loss destruction and falsification,
in accordance with statutory, regulatory,
contractual and business requirement. Whether
consideration is given to possibility of
deterioration of media used for storage of
records. Data storage systems are chosen so that
required data can be retrieved in an acceptable
timeframe and format, depending on
requirements to be fulfilled.
5.11.1
.4
Data protection
and privacy of
personal
information
Data protection and privacy is ensured as per
relevant legislation, regulations and if applicable
as per the contractual clauses.
5.11.1
.5
Regulation of
cryptographic
controls
Whether the cryptographic controls are used in
compliance with all relevant agreements, laws,
and regulations.
5.11.2
Compliance with security policies and standards, and technical compliance
5.11.2
.1
Compliance with
security policies
and standards
Managers ensure that all security procedures
within their area of responsibility are carried out
correctly to achieve compliance with security
policies and standards.
Managers regularly review the compliance of
information processing facility within their area
of responsibility for compliance with appropriate
security policy and procedure
5.11.2
.2
Technical
compliance
checking
Information systems are regularly checked for
compliance with security implementation
standards.
The technical compliance check is carried out by,
or under the supervision of, competent,
authorized personnel.
5.11.3
Information Systems audit considerations
5.11.3
.1
Information
systems audit
controls
25
Audit requirements and activities involving checks
on operational systems should be carefully
planned and agreed to minimise the risk of
disruptions to business process.
ARCHIBUS Hosting Services – Authorized Hosting Partner – Technical Requirements Overview
The audit requirements, scope are agreed with
appropriate management.
5.11.3
.2
Protection of
information
system audit
tools
Whether access to information system audit tools
such as software or data files are protected to
prevent any possible misuse or compromise.
Whether information system audit tools are
separated from development and operational
systems, unless given an appropriate level of
additional protection.
Submit of this document means you accept ARCHIBUS Solution Center – Hosting Services, OU
Privacy Policy http://www.asc-hs.com/online-privacy-policy/
Submit the document fulfilled to contact@asc-hs.com
26