Doc04 - ISO 27001-2013 ISMS Manual TOP

The document outlines operational procedures and responsibilities for information systems and processing facilities. It states that all procedures must be documented, authorized, and reviewed annually or when changes are made. It discusses maintaining documentation for information processing, backups, exceptions handling, auditing, change management, safety procedures, and contacts. The document also details requirements for planning and managing changes, capacity, separating development/test and production environments, and protecting against malware through prevention/detection controls and user awareness.

A.12.1 Operational procedures and responsibilities

Control Objective: To ensure the correct and secure operation of information processing
facilities.

A.12.1.1 – Documented operating procedures

The purpose is to ensure the correct operation of information systems and information processing facilities. XXX. has a set of defined operating manuals for the processing of each department's functionality. All documented operating manuals are identified in the ‘PAL-Process Asset Library-Content Master’. Operating procedures and responsibilities for information systems and information processing facilities must be authorized, documented and maintained. Information Owners must ensure that approved operating procedures and standards are:

• Documented;
• Consistent with the policies, standards and guidelines;
• Reviewed and updated annually or when there are:
  o Alterations to building layouts,
  o Changes to equipment/systems located in the facility,
  o Changes in business services and the supporting information systems operations, and,
  o As part of any related security incident investigation.

Operations documentation must contain detailed instructions regarding:

• Information processing and handling;
• Last review and update;
• Classification of document;
• System re-start and recovery;
• Back-up and recovery, including on-site and off-site storage;
• Exceptions handling, including a log of exceptions;
• Output and media handling, including secure disposal or destruction;
• Audit and system log management;
• Change management, including scheduled maintenance and interdependencies;
• Computer room management and safety;
• Information Incident Management Process;
• Disaster recovery;
• Business continuity;
• Operations, technical, emergency and business contacts.

A.12.1.2 – Change management

The purpose is to ensure that changes to information systems and facilities are applied correctly and do not compromise the security of information and information systems. Whenever a change to the IT infrastructure is to be made, a proper evaluation and analysis is performed covering cost, security, technical functionality and compatibility. Any user can initiate a change request. Manager/IT is authorized to initiate the change and Head/IT approves these operational and process changes. To control all operational changes XXX. has a defined policy. Changes to information systems and information processing facilities must be controlled.
a) Planning changes
b) Change management process
c) Implementing changes

a) Planning changes
Information Owners must plan for changes to information systems and information processing facilities by assessing the impact of the proposed change on security, conducting a security review scaled to the size of the change.

b) Change management process

Information Owners must plan, document and implement a change management process to control changes by:

• Identifying and recording significant changes;
• Assessing the potential impact, including the security impact, of the change by conducting a Security Threat and Risk Assessment;
• Developing an implementation strategy;
• Obtaining approval of changes from the manager(s) responsible for the information system;
• Planning and testing changes, including documenting fallback procedures;
• Communicating change details to relevant employees;
• Identifying the impact on agreements with business partners and third parties, including information sharing agreements, Memoranda of Understanding, licensing and provision of services;
• Evaluating that planned changes were performed as intended; and,
• Training technical and operations employees if required.

c) Implementing changes
Information Owners must implement changes by:

• Notifying affected parties, including business partners and third parties;
• Completing re-certification and re-accreditation as required prior to implementation;
• Training employees if required;
• Documenting and reviewing the documentation throughout the testing and implementation phases;
• Recording all pertinent details regarding the changes;
• Checking after the change has been performed that only the intended changes took place.

A.12.1.3 – Capacity management

The purpose is to protect information and information systems from unauthorized access, theft or misuse. It is the responsibility of the individual managers to plan for the capacity demands of their projects in advance. This ensures that the required capacity can be arranged in time to minimize the risk of failure due to lack of capacity, and it ensures the continuous availability of operational systems. Utilization of existing resources is monitored regularly. Controls must be applied to limit opportunities for information leakage. Information Owners must implement processes to reduce the opportunity for information leakage in information systems by:

• Scanning for malicious code;
• Monitoring resource usage in information systems;
• Identifying and limiting the trusted connections in and out of the organization network;
• Controlling third party network connections (e.g., only authorized traffic permitted);
• Using software that is considered to be of high integrity;
• Regular monitoring of information systems; and
• Reviewing usage and access logs for irregularities.

Guidelines:
Scanning outbound media and communications for hidden information should be considered.

A.12.1.4 – Separation of development, test and operational facilities

The purpose is to reduce the risk of system failures and unacceptable performance levels by monitoring and optimizing resources to meet current and future information system capacity requirements. Development and testing activities shall not be carried out on production servers. The use of information system resources must be monitored and optimized, and projections made of future capacity requirements.
a) Resource capacity management
b) Resource capacity planning

a) Resource capacity management

Information Owners are responsible for implementing capacity management processes by:

• Documenting capacity requirements and capacity planning processes;
• Identifying and managing storage requirements;
• Including capacity requirements in service agreements;
• Monitoring and optimizing information systems to detect impending capacity limits;
• Projecting future capacity requirements based on:
  o New business and information systems requirements,
  o Statistical or historical capacity requirement information,
  o Current and expected trends in information processing capabilities (e.g., introduction of more efficient hardware or software).

b) Resource capacity planning

Information Owners must use trend information from the capacity management process to identify and remediate potential bottlenecks that present a threat to system security or services. Information Owners must plan and budget for business and service capacity management.

Guidelines:
Resource capacity management processes should be automated where feasible.

A.12.2 Protection from malware

Control Objective: To protect the integrity of software and ensure that information processing facilities are protected against malware.

A.12.2.1 – Controls against malicious code

The purpose is to protect the integrity of information systems and software through requirements for the prevention and detection of network and host-based threats. Precautions are required to prevent and detect the introduction of malicious software. Software and information processing facilities are vulnerable to the introduction of malicious software such as computer viruses, network worms, Trojan horses and logic bombs. XXX. has implemented several controls to address the threat:

• XXX. has a policy for prevention against malicious software.
• XXX. has a policy for the use of networks or any other medium as a preventive measure against virus attacks.
• Virus attacks and software malfunctions due to malicious software are treated and handled as security incidents.
• To prevent loss of data due to malicious software, regular backups of critical data are taken.

Security awareness, prevention and detection controls must be utilized to protect information
systems against network and host-based threats.
a) Prevention and detection controls
b) User awareness

a) Prevention and detection controls

Information Owners must protect information systems from network and host-based threats by undertaking such activities as:

• Installing, updating and consistently using software designed to scan for, detect and provide protection from network and host-based threats;
• Prohibiting the use of unauthorized software;
• Checking files, including electronic mail attachments and file downloads, for malware before use;
• Maintaining business continuity plans to recover from security incidents;
• Regularly reviewing file and data content on critical systems to identify unapproved or unauthorized files and file changes; and
• Scanning back-up media prior to restoration so that malware is not introduced or re-introduced into an information system and network.

The Chief Information Security Officer must ensure processes are implemented to:
• Maintain a critical incident management plan to identify and respond to security incidents; and,
• Maintain a register of specific threat countermeasures (e.g., blocked websites, blocked electronic mail attachment file types, blocked network ports, additional monitoring, etc.) including a description, the rationale, the approval authority and the date applied.

b) User awareness
The Chief Information Security Officer is responsible for developing user awareness programs for
threat countermeasures. The Information Security Officers are responsible for communicating
technical advice and providing information and awareness activities regarding network and host-
based threats. Employees are required to complete the information protection courses provided by
the CISO as part of their awareness training.

A.12.3 Back-up

Control Objective: To maintain the integrity and availability of information and information
processing facilities.

A.12.3.1 – Information backup

The purpose is to enable the timely recovery of information and information systems. Backups of information servers are taken regularly. XXX. has a well-defined procedure for information backup and restoration. Information and information systems must be backed up and the recovery process tested regularly.
a) Defining requirements
b) Safeguarding backup facilities and media
c) Testing

a) Defining requirements
Information Owners must define and document backup and recovery processes that reflect the security classification and availability requirements of information and information systems, including:

• Confirming that the backup and recovery strategy complies with:
  o Business continuity plans,
  o Policy, legislative, regulatory and other legal obligations, and,
  o Records management requirements, including the Administrative Records Classification System (ARCS) and the Operational Records Classification System (ORCS);
• Documenting the backup and recovery processes, including:
  o Types of information to be backed up,
  o Schedules for the backup of information and information systems,
  o Backup media management (e.g., retention period, pattern of backup cycles),
  o Methods for performing, validating and labelling backups, and,
  o Methods for validating recovery of the information and information system.

b) Safeguarding backup facilities and media
Information Owners must conduct a Security Threat and Risk Assessment to identify safeguards for backup facilities and media that are commensurate with the value and sensitivity of the information and information systems. Safeguards include:

• Using encryption to protect the backed up information;
• Using digital signatures to protect the integrity of the information;
• Physical and environmental security;
• Access controls;
• Methods of transit to and from offsite locations (e.g., by authorized couriers, by encrypted electronic transfer);
• Storage of media adhering to manufacturer recommendations for storage conditions and maximum shelf-life; and,
• Remote storage of backup media at a sufficient distance to escape any damage from a disaster at the main site.

c) Testing
Information Owners must regularly test backup and recovery processes.

A.12.4 Logging and Monitoring

Control Objective: To detect unauthorized information processing activities.

A.12.4.1 – Event logging

The purpose is to ensure that usage of information systems can be monitored and audited. XXX. has a defined policy for event logs. All systems are monitored to detect deviations from the access control policy. This audit trail serves as evidence in case of a security breach and is the basis for any action. Audit logs are maintained on servers and provide audit information related to user ID, date and time of log-on and log-off, failed login attempts and terminal location. Audit logs must be produced, retained and regularly reviewed.
a) Audit logging
b) Review of monitoring activities
c) Audit log retention
d) Response to alarms

a) Audit logging
Information Owners must ensure that audit logs are used to record user and system activities,
exceptions, and information security and operational events including information about activity
on networks, applications and systems. Information Owners and Information Custodians will
determine the degree of detail to be logged based on the value and sensitivity of information assets,
the criticality of the system and the resources required to review and analyze the audit logs. Audit
logs must include, when relevant, the following information:

• User identifier;
• Dates, times and details of key events (e.g., logon and logoff);
• Logon method, location, terminal identity (if possible), network address;
• Records of successful and unsuccessful system logon attempts;
• Records of successful and unsuccessful data access (including record and field access where applicable) and other resource access attempts;
• Changes to system configuration;
• Use of privileges;
• Use of system utilities and applications;
• Files accessed and type of access (e.g., view, read, modify, delete);
• For voice calls: source and destination telephone numbers, date, time, and length of call;
• Name and size of file attachments that are part of or are included in data transmissions (e.g., email, instant messaging, unified communications platforms, etc.);
• Network addresses (source and destination), ports (source and destination), protocols, and transferred network data traffic flow (packets and bytes);
• Alarms raised by the access control system;
• Activation and de-activation of protection systems (e.g., anti-virus, intrusion detection).

Audit logs may contain confidential data and access must be restricted to employees with need-to-
know privileged access and be protected accordingly. Information Owners must not have the ability
to modify, erase or de-activate logs of their own activities. If audit logs are not activated, this
decision must be documented and include the name and position of the approver, date and a
rationale for de-activating the log. Where required, the Privacy Impact Assessment and Security
Threat and Risk Assessment must be updated to reflect this decision.

b) Review of monitoring activities

Information Owners must set up and document processes for the review of audit logs based on the Information Owner's assessment of the value and sensitivity of the information assets, the criticality of the system and the resources required for review. Audit log reviews must:

• Prioritize reviews of high value and highly sensitive information assets;
• Be based on a documented Security Threat and Risk Assessment; and
• Utilize automated tools to identify exceptions (e.g., failed access attempts, unusual activity) and facilitate ongoing analysis and review.

Monitoring must be tested at least annually to ensure that desired events are detected. Analysis of
monitoring activities can indicate:

• The efficacy of user awareness and training, and indicate new training requirements;
• Vulnerabilities that could be, or that are being, exploited; or
• Increases or decreases in unauthorized access attempts or unauthorized use of privileges.

c) Audit log retention

Audit logs must be:

• Retained according to the approved records retention schedule for the system or information asset; and,
• Retained indefinitely if an investigation has commenced which may require evidence to be obtained from the audit logs.

d) Response to alarms
Information Owners must establish and document alarm response procedures in collaboration with Information Owners to ensure alarms are responded to immediately and consistently. They should have documented authority to shut down all or part of a system or network when the alarm indicates new unacceptable threats are present. When exercising this authority, Information Owners must report the circumstances to the CISO as soon as possible. Normally, the response to an alarm will include:

• Identification of the alarm event;
• Isolation of the event, including affected assets;
• Identification and isolation or neutralization of the source;
• Corrective action;
• Forensic analysis of the event;
• Action to prevent recurrence; and,
• Securing of audit logs as evidence.

A.12.4.2 – Protection of log information

The purpose is to preserve the integrity of information system logging facilities and log information. Information system logging facilities and log information must be protected against tampering and unauthorized access.
a) Protecting information system logging facilities
b) Protecting log information

a) Protecting information system logging facilities

The CISO is responsible for ensuring that periodic independent reviews or audits are conducted to confirm that Information Owners have implemented appropriate controls. Information Owners must implement controls to protect logging facilities and log files from unauthorized modification, access or disposal. Controls must include physical security safeguards such as situating logging facilities within a secure zone with restricted access.

b) Protecting log information

Information Owners must apply controls to protect log files from tampering or modification. Controls must include:

• Consideration of multi-factor authentication for access to sensitive records;
• Back-up of audit logs to off-site facilities;
• Automatic archiving of audit logs to remain within storage capacity;
• Scheduling the audit logs as part of the records management process; and,
• Digital signing for detecting alteration or corruption where available.

Employees must not have permission to erase logs or de-activate logging of their own activities.
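As an added worked example (not part of the manual and not XXX.'s own tooling), the code below shows how the A.12.4.1 log fields and the A.12.4.2 "digital signing" control fit together: each record is chained to the previous one with an HMAC under a key held by the log service, so an edited or erased record breaks verification, a MAC copied off-site catches silent truncation of the tail, and a failed-logon exception report stands in for the automated review tooling of A.12.4.1 b). The key, field names and sample events are constructed assumptions.

```python
import hashlib
import hmac
import json
from collections import Counter

# Record fields taken from the A.12.4.1 a) list ("when relevant"); the layout is ours.
FIELDS = ("ts", "user", "event", "outcome", "method", "terminal", "src_ip")
GENESIS = "GENESIS"  # chain anchor for the first record


def _mac(key: bytes, prev_mac: str, payload: str) -> str:
    """HMAC-SHA256 over the previous record's MAC plus this payload: the chain link."""
    return hmac.new(key, (prev_mac + "\n" + payload).encode(), hashlib.sha256).hexdigest()


def append_record(key: bytes, log: list, **fields) -> str:
    """Append one record as '<mac>\\t<json>'; refuse records missing required fields."""
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError("audit record missing fields: %s" % missing)
    payload = json.dumps({f: fields[f] for f in FIELDS}, sort_keys=True, separators=(",", ":"))
    prev_mac = log[-1].partition("\t")[0] if log else GENESIS
    line = _mac(key, prev_mac, payload) + "\t" + payload
    log.append(line)
    return line


def verify_log(key: bytes, log: list, expected_last_mac=None):
    """Return (ok, index): index of the first record that fails to chain, or -1.

    expected_last_mac is the MAC most recently copied to an off-site or write-once
    anchor (A.12.4.2 "back-up of audit logs to off-site facilities"); without it an
    intact chain that has simply been cut short at the tail would verify as clean.
    """
    prev_mac = GENESIS
    for i, line in enumerate(log):
        mac, _, payload = line.partition("\t")
        if not hmac.compare_digest(mac, _mac(key, prev_mac, payload)):
            return False, i
        prev_mac = mac
    if expected_last_mac is not None and not hmac.compare_digest(prev_mac, expected_last_mac):
        return False, len(log)  # chain intact but shorter than the anchored copy
    return True, -1


def failed_logon_exceptions(log: list, threshold: int = 3) -> dict:
    """A.12.4.1 b) style automated exception finding: users at or above N failed logons."""
    counts = Counter()
    for line in log:
        rec = json.loads(line.partition("\t")[2])
        if rec["event"] == "logon" and rec["outcome"] == "failure":
            counts[rec["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample data: a demo key and a few events, none of it real.
DEMO_KEY = b"constructed-demo-key-replace-with-a-managed-secret"
SAMPLE_EVENTS = [
    dict(ts="2024-01-15T08:00:01Z", user="asmith", event="logon", outcome="success",
         method="password+otp", terminal="WS-0412", src_ip="10.1.2.33"),
    dict(ts="2024-01-15T08:02:10Z", user="jdoe", event="logon", outcome="failure",
         method="password", terminal="WS-0911", src_ip="10.1.2.90"),
    dict(ts="2024-01-15T08:02:25Z", user="jdoe", event="logon", outcome="failure",
         method="password", terminal="WS-0911", src_ip="10.1.2.90"),
    dict(ts="2024-01-15T08:02:40Z", user="jdoe", event="logon", outcome="failure",
         method="password", terminal="WS-0911", src_ip="10.1.2.90"),
    dict(ts="2024-01-15T08:05:00Z", user="asmith", event="privilege_use", outcome="success",
         method="sudo", terminal="WS-0412", src_ip="10.1.2.33"),
    dict(ts="2024-01-15T08:07:12Z", user="asmith", event="logoff", outcome="success",
         method="session", terminal="WS-0412", src_ip="10.1.2.33"),
]


def build_sample_log(key: bytes = DEMO_KEY) -> list:
    log = []
    for event in SAMPLE_EVENTS:
        append_record(key, log, **event)
    return log


def tamper_demo(key: bytes = DEMO_KEY) -> dict:
    """What each kind of tampering looks like to verify_log."""
    log = build_sample_log(key)
    anchor = log[-1].partition("\t")[0]          # would be copied off-site after each write
    edited = list(log)
    mac, _, payload = edited[2].partition("\t")  # a failed logon rewritten as a success
    edited[2] = mac + "\t" + payload.replace('"failure"', '"success"')
    deleted = log[:2] + log[3:]                  # a middle record erased
    truncated = log[:-1]                         # the newest record erased
    return {
        "clean": verify_log(key, log, anchor),
        "edited": verify_log(key, edited, anchor),
        "deleted": verify_log(key, deleted, anchor),
        "truncated_no_anchor": verify_log(key, truncated),
        "truncated_with_anchor": verify_log(key, truncated, anchor),
    }


if __name__ == "__main__":
    for case, result in tamper_demo().items():
        print(f"{case:22s} ok={result[0]} first_bad_index={result[1]}")
    print("failed-logon exceptions:", failed_logon_exceptions(build_sample_log()))
```

The key must live with the log service (or an HSM), not on the hosts whose users are being logged, or the "must not erase or de-activate their own logs" requirement is only as strong as the host's file permissions.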

A.12.4.3 – Administrator and operator logs

The purpose is to protect information from unauthorized access, modification or deletion. Logging facilities and log information are protected against tampering and unauthorized access. Activities of privileged users must be logged, and the log must be subject to regular independent review.
a) Activities logged
b) Independent review
c) Reporting and logging faults
d) Analysis, resolution and corrective action

a) Activities logged
Privileged users typically have extensive system permissions not granted to most users.
Information Owners must ensure that the activities of privileged users are regularly reviewed,
including logging:

• Event occurrence times;
• Event details, such as files accessed, modified or deleted, errors and corrective action;
• Identity of the account and the privileged user involved; and,
• The system processes involved.

Privileged users must not have permission to erase logs or de-activate logging of their own
activities.

b) Independent review
Information Owners must have a documented process to ensure that the activity of privileged users is independently reviewed. Reviews must be conducted regularly and at random, with the frequency commensurate with the criticality, value and sensitivity of system and information assets. Following verification of the logs, the individual checking them should digitally sign them and store or archive them securely in accordance with the approved records retention schedule. Audit logs must be reviewed prior to being discarded or overwritten.

c) Reporting and logging faults

Information Owners must implement processes for monitoring, reporting, logging, analyzing and correcting system faults reported by users and automated detection systems. Fault logging requirements should be determined through a Security Threat and Risk Assessment and Privacy Impact Assessments. Fault management reports must include:

• Description of the fault, including date and time, location and extent of the fault;
• Analysis of probable source and cause;
• Actions taken to respond to and resolve the fault; and,
• Corrective action taken.

d) Analysis, resolution and corrective action

Information Owners must review fault logs to ensure that faults have been resolved and documented in a fault management report. They must provide the fault management report to the CISO.
Analysis and corrective action includes:
• Defining the fault and probable cause(s);
• Assessing the effectiveness of corrective action(s);
• Checking to ensure that corrective action has not introduced unforeseen vulnerabilities;
• Identifying trends so that corrective action makes increasingly effective use of resources while improving results;
• Recommending upgrades or replacement of components, software or other elements that create or cause faults;
• Improving fault detection and reporting to reduce the time between fault occurrence and taking corrective action;
• Measuring the exposure caused by the fault;
• Reporting on performance impact(s); and,
• Periodically re-assessing logging requirements.

A.12.4.4 – Clock synchronization

The purpose is to ensure the integrity of information system logs. The correct setting of critical computer clocks is important and is carried out to ensure the accuracy of audit logs, which may be required for investigation or as evidence in legal or disciplinary cases. One server is identified as the time master server and the other servers on the network are synchronized with it. Computer clocks must be synchronized for accurate reporting.
a) Synchronization
b) Checking and Verification

a) Synchronization
System administrators must synchronize information system clocks to:

• the local router gateway; or,
• the organization-approved clock host.

b) Checking and Verification

System administrators must confirm system clock synchronization:

• Following power outages or brownouts;
• As part of incident analysis and audit log review; and,
• At least semi-annually, in conjunction with Daylight Saving Time changes.

Time discrepancies must be reported to the IT Helpdesk (Customer Service Centre). The clock hosts must be synchronized with a national time service.

A.12.5 Control of operational software

Control Objective: To ensure the integrity of operational systems.

A.12.5.1 – Installation of software on operational systems

The purpose is to prevent compromise of operational information systems providing services through unauthorized software installation, and to ensure the secure implementation of software on operational systems. The installation of software on operational information systems providing services must be controlled.
a) Software changes to operational information systems
b) Software implementation controls
c) Protection of systems documentation

a) Software changes to operational information systems

Information Owners must implement procedures to control software installation on operational information systems providing services to ensure that:

• Updates of operational information systems are planned, approved, impact-assessed, tested, logged and have a rollback plan;
• Operations employees and end users have been notified of the changes and potential impacts and, if required, have received additional training;
• New releases of software are reviewed to determine if the release will introduce new security vulnerabilities;
• Modifications to operational software are logged;
• The number of employees able to perform the updates is restricted and kept to a minimum;
• Development code or compilers are not present on operational information systems;
• Vendor-supplied software is maintained at the supported level.

b) Software implementation controls

1. Pre-Implementation
   Before an updated or new information system is implemented into the operational environment, checks must be performed to ensure that:
   o A Security Threat and Risk Assessment has been carried out;
   o A Privacy Impact Assessment has been performed and approved;
   o Limitations of security controls are documented;
   o Performance and capacity requirements can be met and support organizations have the capacity to maintain the information system;
   o Development problems have been resolved successfully;
   o The effects on existing operational information systems are known;
   o Arrangements for fall-back have been established if the updated or new information system fails to function as intended;
   o Error recovery and restart procedures are established;
   o Business continuity plans are developed or updated;
   o Operating procedures are tested;
   o Changes are communicated to users who may be affected by the change;
   o Users are educated to use the information system correctly and securely; and,
   o Computer operators and system administrators are trained in how to run the information system correctly and securely.

2. Implementation
   The installation process must include:
   o Validating the load or conversion of data files;
   o Installing executable code only, and not source code;
   o Providing ongoing technical support;
   o Implementing new or revised procedures and documentation;
   o Discontinuing old software, procedures and documentation;
   o Arranging for fallback in the event of failure;
   o Informing the individuals involved of their roles and responsibilities;
   o Transferring responsibility for the information system from development teams to operational teams to ensure segregation of duties; and,
   o Recording installation activity.

3. Post-implementation
   Post-implementation reviews must include:
   o The efficiency, effectiveness and cost of security controls;
   o Lessons learned and scope for improvements of security controls; and,
   o Security incidents and mitigation.

c) Protection of systems documentation

Information Owners must ensure that documented procedures for the secure use and storage of
systems documentation are established and followed. Procedures must:

• Require information classification labelling of system documentation;
• Establish lists of users authorized to access system documentation on a ‘need to know’ basis;
• Establish handling rules for the information regardless of storage media (e.g., electronic, paper);
• Require use of access controls, passwords, encryption or digital signatures as appropriate to the information classification; and,
• Include a compliance monitoring process.

A.12.6 Technical Vulnerability Management

Control Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

A.12.6.1 – Management of technical vulnerabilities

The purpose is to mitigate damage to operations resulting from exploitation of published vulnerabilities. XXX. uses VA/PT to obtain information on new exposures while applying patches for earlier identified threats and vulnerabilities. The VA/PT shall be carried out as per the Security Committee Review Procedure. Appropriate actions will be initiated based on the threat assessment derived from the VA/PT. Assessments for known exposures must be conducted to evaluate information system vulnerabilities and the management of associated risks. Vulnerabilities which impact information systems must be addressed in a timely manner to mitigate or minimize the impact on operations. Information Owners must establish processes to identify, assess and respond to vulnerabilities that may impact information systems by:

• Monitoring external sources of information on published vulnerabilities;
• Assessing the risk of published vulnerabilities;
• Testing and evaluating options to mitigate or minimize the impact of vulnerabilities;
• Applying corrective measures to address the vulnerabilities;
• Completing a Security Threat and Risk Assessment to verify the risk has been mitigated; and,
• Reporting to the Chief Information Security Officer on progress in responding to vulnerabilities.

Responsibilities for vulnerability response by service providers must be included in external party service agreements.

The Chief Information Security Officer must:

• Evaluate vulnerabilities and provide advice on the appropriate responses;
• Monitor progress in responding to vulnerabilities;
• Publish summary reports on vulnerability response activities and costs; and,
• When required, initiate incident response processes to address vulnerabilities.

A.12.6.2 – Restrictions on software installation

The purpose is to limit the installation of software to authorized employees in order to avoid security incidents. Users should not run any unauthorized or undocumented software on their desktops. The IT department will approve, on the recommendation of Department Heads, the installation of any software on desktops, laptops and servers. Rules governing the installation of software by employees must be established, implemented and reviewed. Uncontrolled installation of software on computing devices can introduce vulnerabilities and lead to information leakage, loss of integrity or other information security incidents, or to violation of intellectual property rights. Employees must receive authorization prior to installing software on organization devices. Software installation must be consistent with the requirements of the Appropriate Use Policy.

A.12.7 Information systems audit considerations

Control Objective: To maximize the effectiveness of and to minimize interference to/from the
information systems audit process.

A.12.7.1 – Information systems audit controls

The purpose is to prevent compliance checking activities from causing unplanned disruptions to operational information systems. Audit requirements and activities involving checks on operational systems must be carefully planned, approved and agreed to minimize the risk of disruption to business processes.
a) Management of information systems compliance checking
b) Protection of information system audit tools

a) Management of information systems compliance checking
Prior to commencing compliance checking activities such as audits, risk and controls reviews, monitoring or security reviews of operational information systems, the Manager responsible for the compliance checking activity and the Information Owners must define, document and approve the activities by:

• Determining the scope, duration and level of detail of the compliance checking activity;
• Limiting access rights to operational information systems for compliance checking employees to "read only";
• Determining handling requirements for copies of files made by compliance checking employees, including:
o establishing a separate environment for the analysis of files,
o restricting access to those files,
o logging the accesses made to those files, and,
o erasing files at the conclusion of compliance checking activities unless needed to support report findings;
• Identifying special testing or processing which may impact the operational information system (e.g., penetration tests, server vulnerability assessments) and:
o notifying the Chief Information Security Officer prior to compliance checking activities to prevent triggering false security alarms from the infrastructure, and,
o scheduling tests to minimize disruption;
• Submitting the reports of penetration tests or vulnerability assessments to the Chief Information Security Officer immediately upon receipt; and,
• Requiring that employees conducting compliance checking activities maintain segregation of duties from the operational information systems being checked.

Guidance for compliance checking activities can be obtained from the Information Security
Branch, Office of Chief Information Officer.

b) Protection of information system audit tools

Managers responsible for compliance checking activities and Information Custodians must control the use of audit tools by:

• Restricting access to authorized employees who have a need-to-know;
• Installing or enabling specialized audit tools only for the duration required by the compliance checking activity;
• Removing information system access at the conclusion of the compliance checking activities; and,
• Notifying the Chief Information Security Officer prior to the use of audit tools.

A.13 Communications and Operations Management

This section identifies the information security requirements for network and communication services.

A.13.1 Network security management


Control Objective: To ensure the protection of information in networks and the protection of the
supporting infrastructure.

A.13.1.1 – Network controls

The purpose is to ensure that network security controls and network security management practices are implemented and documented to maintain network security. XXX has a dedicated team of employed network professionals who are responsible for the smooth and secure operation of the network. Policies for network usage are defined. Controls must be implemented to achieve and maintain security within the network:
a) Control and management of networks
b) Configuration control
c) Secured path
d) Wireless Local Area Networking
e) Equipment management
f) Logging, monitoring and detection
g) Coordination and consistency of control implementation

a) Control and management of networks

Information Owners must implement network infrastructure security controls and security management systems for networks to ensure the protection of information and attached information systems. Selection of controls must be based on a Security Threat and Risk Assessment, taking into account the information security classification determined by the Information Owners, and applicability to the network technology. The Security Threat and Risk Assessment must consider network-related assets which require protection, including:

• Information in transit;
• Stored information (e.g., cached content, temporary files);
• Network infrastructure;
• Network configuration information, including device configuration, access control definitions, routing information, passwords and cryptographic keys;
• Network management information;
• Network pathways and routes;
• Network resources such as bandwidth;
• Network security boundaries and perimeters; and,
• Information system interfaces to networks.

b) Configuration control

To maintain the integrity of networks, Information Owners must manage and control changes to network device configuration information such as configuration data, access control definitions, routing information and passwords. Network device configuration data must be protected from unauthorized access, modification, misuse or loss by the use of controls such as:

• Encryption;
• Access controls and multi-factor authentication;
• Monitoring of access;
• Configuration change logs;
• Configuration baselines protected by cryptographic checksums; and,
• Regular backups.

Status accounting must be regularly performed to ensure that configuration baselines reflect actual device configuration.
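The checksum-protected baseline and the status accounting check described above, as an added example that is not part of the manual: a SHA-256 checksum is recorded for each device's approved configuration, and a later run compares the running configuration against it and reports drift. The device names and configuration lines are constructed for illustration.

```python
import difflib
import hashlib
import hmac

# Constructed sample data: configurations approved at change-control time
# (the baseline) and the configurations currently running on the devices.
BASELINE_CONFIGS = {
    "core-rtr-01": "hostname core-rtr-01\nip route 0.0.0.0 0.0.0.0 10.0.0.1\nlogging host 10.0.5.20\n",
    "edge-fw-01": "hostname edge-fw-01\naccess-list 10 deny any\nlogging host 10.0.5.20\n",
}
RUNNING_CONFIGS = {
    "core-rtr-01": "hostname core-rtr-01\nip route 0.0.0.0 0.0.0.0 10.0.0.1\nlogging host 10.0.5.20\n",
    # Drift: the centralized logging destination has been removed on the firewall.
    "edge-fw-01": "hostname edge-fw-01\naccess-list 10 deny any\n",
}


def normalize(config: str) -> str:
    """Canonical form so whitespace-only differences do not count as drift."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    return "\n".join(ln for ln in lines if ln) + "\n"


def checksum(config: str) -> str:
    """SHA-256 over the normalized configuration text (the baseline checksum)."""
    return hashlib.sha256(normalize(config).encode()).hexdigest()


def record_baselines(configs: dict[str, str]) -> dict[str, str]:
    """Checksums to store (in a protected location) when a change is approved."""
    return {dev: checksum(cfg) for dev, cfg in configs.items()}


def status_accounting(baselines: dict[str, str], running: dict[str, str]) -> dict[str, str]:
    """Compare each device's running configuration with its recorded baseline."""
    report = {}
    for dev in sorted(set(baselines) | set(running)):
        if dev not in baselines:
            report[dev] = "UNBASELINED"   # device seen on the network with no approved baseline
        elif dev not in running:
            report[dev] = "MISSING"       # baselined device did not report a configuration
        elif hmac.compare_digest(checksum(running[dev]), baselines[dev]):
            report[dev] = "MATCH"
        else:
            report[dev] = "DRIFT"         # investigate via change log; may be an unauthorized change
    return report


def drift_lines(baseline_cfg: str, running_cfg: str) -> list[str]:
    """Configuration lines added (+) or removed (-) relative to the baseline."""
    diff = difflib.unified_diff(normalize(baseline_cfg).splitlines(), normalize(running_cfg).splitlines(),
                                "baseline", "running", lineterm="", n=0)
    return [ln for ln in diff if ln[:1] in "+-" and not ln.startswith(("+++", "---"))]


if __name__ == "__main__":
    stored = record_baselines(BASELINE_CONFIGS)
    for dev, status in status_accounting(stored, RUNNING_CONFIGS).items():
        print(dev, status, drift_lines(BASELINE_CONFIGS[dev], RUNNING_CONFIGS[dev]) if status == "DRIFT" else "")
```

A DRIFT result that has no matching entry in the configuration change log is the signal this control is meant to produce.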

c) Secured path

Where required by information classification and a Security Threat and Risk Assessment, information must only be transmitted using a secured path. Secured paths for information transmission must use controls such as:

• Data, message or session encryption, such as SSH, SSL or VPN tunnels; and,
• Systems to detect tampering.

d) Wireless Local Area Networking

Wireless Local Area Network access points must be authorized by the Chief Information Officer for attachment to the network. Wireless Local Area Networks must utilize the controls specified by the Chief Information Security Officer and must include:

• Strong link layer encryption, such as Wi-Fi Protected Access;
• User and device network access controlled by authentication services;
• The use of strong, frequently changed, automatically expiring encryption keys and passwords;
• Segregation of wireless networks from wired networks by the use of filters, firewalls or proxies; and,
• Port-based access control, for example use of 802.1x technology.

Where supported by the information classification or a Security Threat and Risk Assessment, additional controls for wireless networks may include:

• Virtual Private Network tunnel technology;
• The use of Desktop Terminal Services (DTS) technology; and,
• Intrusion detection systems, firewalls and Media Access Control (MAC) address filtering.

e) Equipment management
Information Owners must document responsibilities and procedures for operational management
of network infrastructure, including devices at network boundaries and in user areas.

f) Logging, monitoring and detection

To facilitate monitoring, response and investigation, logging to a centralized log management service must be enabled, including logging of:

• Traffic traversing network security boundaries;
• Traffic within networks housing sensitive or critical systems or information;
• Security-relevant events on network devices, such as operator logon and configuration changes; and,
• Security-relevant events on systems that provide authentication and authorization services to network infrastructure devices such as routers, firewalls or switches.

Logs must be continuously monitored to enable detection of and response to security events and intrusions (e.g., automation of log monitoring and event alerting). Logs from available sources (including, but not limited to, network traffic, network firewalls, Intrusion Prevention Systems, routers, switches, content filtering, servers, applications, databases, application firewalls and authentication services) must be continuously correlated to enable detection of and response to security events and intrusions that would otherwise go undetected without such correlation and alerting.

To support the monitoring and correlation of logs from available sources where infrastructure or services are provided by a third party, it must be ensured that security event logs from the outsourced infrastructure or services can be forwarded in real time to the centralized monitoring services, to allow centralized monitoring, correlation and alerting across the organization.

Information Owners must ensure there is a clear segregation of duties for employees involved in logging, monitoring or detection activities. Active automated surveillance of networks must be implemented to detect and report on security events (e.g., network intrusion detection systems). Sensors enabling on-demand capture of network traffic must be implemented at network security boundaries and within networks housing sensitive information or information systems, as determined by a Security Threat and Risk Assessment.

g) Coordination and consistency of control implementation

Information Owners must document network security controls in the System Security Plan, including:

• A summary of risks identified in the Security Threat and Risk Assessment;
• Roles and responsibilities for network security management;
• Specific procedures and standards used to mitigate risks and protect the network;
• Communication procedures for security-relevant events and incidents; and,
• Monitoring procedures (including monitoring frequency, review and remediation processes).

A.13.1.2 – Security of network services

The purpose is to specify what security features are required for delivery of a network service. Security attributes for network services such as Leased Line / Wireless Radio modem are addressed through the SLA (Service Level Agreement) with the ISP (Internet Service Provider), viz., STPI. Security configuration, service levels and management requirements of all network services must be documented and included in any network service agreement. Formal network service agreements must be established between network service providers and consumers of network services to specify service levels, services offered, security requirements and security features of network services. The network service agreement must include specification of:

• The rules of use to be followed by consumers to maintain the security of network services;
• The schedule for ongoing verification of network security controls;
• The rights of either party to monitor, audit or investigate as needed;
• Security incident response responsibilities, contacts and procedures; and,
• The requirement to meet or exceed the Information Security Policy and standards.

Information Owners must confirm that the specified security features are implemented prior to
commencement of service delivery.

A.13.1.3 – Segregation in networks

The purpose is to isolate information systems, users and networks based on risk and business connectivity requirements. Groups of information services, users and information systems must be segregated on networks.
a) Segregation based on risk and requirements

a) Segregation based on risk and requirements

Information Owners must segregate services, information systems and users to support business requirements for information system connectivity and access control, based on the principles of least privilege, management of risk and segregation of duties. Information Owners must establish network perimeters and control traffic flow between networks. Network traffic flow control points such as firewalls, routers, switches, security gateways, VPN gateways or proxy servers must be implemented at multiple points throughout the network to provide the required level of control. The techniques and technologies selected for network segregation must be based on Security Threat and Risk Assessment and Privacy Impact Assessment findings. Factors to consider include:

• The information and information system security classification;
• The trustworthiness of the network, based on the amount of uncontrolled malicious traffic present, the level of device identification and authentication in the networks, and sensitivity to eavesdropping (e.g., the Internet is a less trusted network than a controlled server network zone);
• Transparency, usability and management costs of network segregation technologies; and,
• The availability of compensating controls for detection, prevention and correction of malicious network traffic and unauthorized access attempts.

Network zones must be defined and network perimeters established according to business requirements and risk as identified in the Security Threat and Risk Assessment and Privacy Impact Assessment (e.g., network zones, core network, wireless network). Information system operational management and business applications must be defined and separated by network flow control points.

Guidelines:
Security gateways should be used to verify the trustworthiness of devices attempting to connect to the network (e.g., VPN Quarantine systems, network switch isolation and admission control systems).

A.13.2 Exchange of Information

Control Objective: To maintain the security of information and software exchanged within an organization and with any external entity.

A.13.2.1 – Information transfer policies and procedures

The purpose is to protect information from unauthorized disclosure. Electronic office systems such as telephone and fax are maintained by a third party; security of information available through such systems is ensured through suitable clauses in the contract. Users shall be made aware of the information security risks of exchanging information through voice, fax and video communication facilities. Information exchange policies, procedures and controls must be documented and implemented to protect the exchange of information through all types of electronic communication services. The Chief Information Security Officer must document and implement procedures to protect information from interception, copying, misrouting and improper disposal when it is transmitted electronically. Transmission methods include but are not limited to:

• E-mail, including attachments;
• Electronic file transfer (e.g., File Transfer Protocol (FTP), Electronic Data Interchange (EDI));
• Use of mobile devices;
• Telephone, cell, and other voice messaging;
• Faxes; and,
• Instant messaging.

A.13.2.2 – Agreements on information transfer

The purpose is to protect information or software from loss or unauthorized disclosure. Agreements shall be established for the exchange of information and software between XXX and external parties such as Oracle, MS and IBM. Information and software exchange agreements between XXX and other organizations must address the secure transfer of information between the parties.
a) Exchange agreements
b) Information and software exchange requirements

a) Exchange agreements
Information Owners must ensure the terms and conditions for secure exchange of information assets with external parties are documented in an agreement. The agreement must define:

• Custody and control accountabilities;
• Authority of a custodian to publish, grant access to or redistribute the information;
• Purpose and authorized uses of the information or software;
• Limitations on data linkage;
• Duration, renewal and termination provisions;
• Primary contacts for agreement, governance and management;
• Requirements for:
o Protecting information according to its security classification,
o Handling information (e.g., recording authorized recipients, confirming receipt of transmitted data, periodically reviewing records of authorized recipients),
o Labelling information (e.g., methods to be used to apply and recognize labelling),
o Maintaining integrity and non-repudiation of information, and,
o Media management and disposal;
