ITS Security Policy - Part2

The document outlines an ADA security policy for an ITS project. It discusses non-compliance with the policy, which may result in penalties or disciplinary action. It also defines key terms related to information security and risk management. The policy will apply to ADA, non-ADA staff, and ITS stakeholders. It will focus on protecting data and services across ADA's infrastructure, as defined by the TOGAF Technical Reference Model.


ADA Security Policy – ITS Project

Non-compliance with Policy

Non-compliance with or violation of this policy could result in a penalty and/or disciplinary
action that may include, but is not limited to, the following:

• Warning/Caution;
• Suspension;
• Contractual Penalties;
• Termination;
• Legal proceedings.

Action taken against a policy violation would depend upon the context and gravity of the violation
and would be taken in accordance with the legal, contracts and human resource departments.
The context and gravity of violations, as well as the sanctions coupled to them, can be found
in the ITS HR Policy and ITS disciplinary process.

ITS-SEC-POL-REQ-0135_Security Policy Rev 000_DOR_MAT_PJ 32 of 278


Definitions

• Availability: ensuring that authorized users have access to information and
associated assets when required.
• Audit: an unbiased assessment of the practices and results of an organization
relating to the requirement of a recognized set of standards of measurable
objectives.
• Confidentiality: ensuring that information is accessible only to those authorized to
have access.
• Guidelines: are the only discretionary element of these controls. They are used to
help focus people who need to make judgments in the performance of security
actions. Guidelines are recommended actions. Examples of Guidelines:

• NIST SP 800-53 Security and Privacy Controls for Federal Information
Systems and Organizations
• Control Objectives for Information and Related Technology V 5 (COBIT 5)

• Information Security: secure preservation of confidentiality, integrity and availability
of information.
• Integrity: safeguarding the accuracy and completeness of information and
processing methods.
• ISMS: is that part of the overall management system, based on a business risk
approach, to establish, implement, operate, monitor, review, maintain and improve
information security. (It includes organizational structure, policies, planning activities,
responsibilities, practices, procedures, processes and resources).
• Procedures: are statements of step-by-step actions to be performed to accomplish
a security requirement. Procedures are typically technology dependent. Examples
of Procedures:

• Symantec Netbackup Backup Procedure
• Firewall Rule Change Procedure
• HEAT Call Logging Procedure

• Process: a series of actions or operations conducing to an end. Examples of
processes are:

• Risk management Process
• HR Induction Process
• Incident Management Process

• Policy: is management’s statement of direction - what is expected to be
accomplished to properly secure the organization’s information.
• Risk acceptance: decision to accept a risk.
• Risk Analysis: is the systematic use of information to identify sources and to
eliminate the risk.
• Risk Assessment: is the overall process of risk analysis and risk evaluation.
• Risk Evaluation: process of comparing the estimated risk against given risk criteria
to determine the significance of risk.
• Risk Management: coordinated activities to direct and control an organization with
regard to risk.1
• Risk Treatment: is the process of selection and implementation of measures to
modify risk.
• Standards: are hardware or software mechanisms selected as the organization’s
method of addressing a security risk. For instance, a password generation method
that has been chosen for use throughout the organization.

1 Generally includes risk assessment, risk treatment, risk acceptance and risk communication.

o ISO/IEC 27001:2013 Information technology -- Security techniques --
Information security management systems -- Requirements
o ISO/IEC 27005:2011 Information technology -- Security techniques --
Information security risk management

• Statement of Applicability (SOA): document describing the control objectives and
controls that are relevant and applicable to the organization’s ISMS, based on the
results and conclusions of the risk assessment and risk treatment processes.

3. POLICY AND IMPLEMENTATION

IT infrastructure is a critical supporting element that ADA depends on to facilitate information
exchange, and is more technical in nature. Due to its criticality, it is important to use a
reference model to ensure all segments are covered. The Open Group Architecture
Framework (TOGAF) Technical Reference Model (TRM)2 depicted in Figure 1 is selected
since it provides an industry accepted reference model for ICT infrastructures.

The IT infrastructure of ITS Components is broadly divided into four inter-reliant segments as
prescribed by the TOGAF TRM:

• Communications Infrastructure - Describes the hardware and software elements enabling
the network and physical communications links, and provides the mechanisms for
the transfer of data between a system and interconnected systems.
• Communications Infrastructure Interfaces - The Communications Infrastructure
Interface is the interface between the application platform and the communications
infrastructure.
• Infrastructure Applications - Infrastructure Applications are applications that are
typically commercial off-the-shelf (COTS) applications.
• Business Applications - Business Applications are applications that are specific to a
particular enterprise or vertical industry. Such applications typically model elements
of an enterprise's domain of activity or business processes.

Using the TOGAF TRM ensures that all Information and Communication Technology (ICT)
components are considered and addressed by the ADA IT Security Policy.

2 http://www.opengroup.org/public/arch/p3/trm/trm_dtail.htm#Fig3_3

Figure 1: TOGAF TRM

Network security is greatly dependent on the working relationships among all seven
segments, and a multi-layered approach should be taken to ensure that all seven segments
work together in an integrated manner. The ITS ISP shall be reviewed annually, or as and
when there are any changes to the ADA and ITS security posture.

Audience & Policy Content

The audience for the policy will be ADA staff, non-ADA staff and ITS Stakeholders.

The policy focuses upon the data in all its states (in motion, in use and at rest), and the services
that ADA exchanges and provides to the community and its partners. Each policy mentioned
hereunder provides both strategic reasoning and tactical implementation requirements and
standards. Use cases within each of the policy areas will help users relate the Policy to their
own circumstances. To ensure traceability to standards, guides, processes and procedures,
each policy statement (PS) is marked with an indication of its policy area (as an example,
Audience Policy Area 1: Information Security Policy is indicated as ISP PS).

4. AUDIENCE POLICY AREA 1: INFORMATION SECURITY POLICY

References

• ISO/IEC 27001:2013/Cor 2:2015 A.5.1.1 Information Security Policy
Document
• ISO/IEC 27001:2013/Cor 2:2015 A.5.1.2 Review of the information security
policy

The governing documents for Information Security Management are defined below. The
foundation for this best practice is ISO/IEC 27001:2013 and ISO/IEC 27002:2013, which have
been condensed to a manageable and applicable level (25-30 pages as opposed to the 108
pages of ISO/IEC 27002:2013).3

The EU equivalents can be found in:

• Directive 95/46/EC (Data Protection Directive)
• Directive 2002/58/EC (the E-Privacy Directive)
• Directive 2006/24/EC Article 5 (The Data Retention Directive)

Policy Statement

The policy statements for Policy Area 1 – Information Security Policy are described as
Information Security Policy Statements (ISP PS). The following three principles are the core
requirements for information security:

3 Important Note: It is based on ISO/IEC 27001:2013 and ISO/IEC 27002:2013 and has been condensed to a
manageable and applicable level (25-30 pages as opposed to the 108 pages of ISO/IEC 27002:2013).

CONFIDENTIALITY:
The principle that information is not made available or disclosed to unauthorized individuals,
entities, or processes.

INTEGRITY:

The principle of safeguarding the accuracy and completeness of assets.

AVAILABILITY:

The principle of being accessible and usable upon demand by an authorized entity.

General

ISP PS 1: Information and information processing systems shall be used in a
manner that supports the strategic goals and objectives of ADA.
ISP PS 2: All applicable legal and/or regulatory requirements relating to
information security shall be met.
ISP PS 3: All information & information processing systems shall be identified,
valued and classified to ensure adequate protection; all ITS
Stakeholders must incorporate security measures in their SDS
documents and seek ADA’s approval.
ISP PS 4: All risks related to information and information processing systems
shall be identified and mitigated on a timely basis. See the ITS Risk
Management Policy and ITS Risk Management Process for guidance.
ISP PS 5: Employees, non-employees and ITS Stakeholders shall be adequately
aware of their roles and responsibilities towards information security and
exercise discretion, common sense, and reasonable judgment towards use
of ADA’s information.
ISP PS 6: The ITS ISP is introduced during induction according to the HR On-
boarding Process.

ISP PS 7: Employees, non-employees and ITS Stakeholders shall sign off that
they have read and understood the ITS ISP. Proof shall be recorded
and stored for one year after termination of employment or expiry of
contract.
ISP PS 8: Employees, non-employees and ITS Stakeholders shall adhere to the
information security policies, procedures, standards, guidelines etc.
approved by the management of ADA.
ISP PS 9: Information shall be handled in a secured manner to avoid any loss of
confidentiality, integrity, and availability during its creation, storage,
processing, transmission and disposal.
ISP PS 10: Information and information processing systems shall be accessible to the
authorized users as per their business needs.
ISP PS 11: Information and information processing systems shall be physically
secured from any loss of confidentiality, integrity and availability.
ISP PS 12: All changes related to information and information processing systems
shall be managed in a secured manner.
ISP PS 13: All information security incidents shall be reported and managed in a timely
manner.
ISP PS 14: IT Business Continuity Plans shall be defined by respective stakeholders,
implemented and tested adequately to ensure availability of information
and information processing systems during any emergency.
ISP PS 15: The posture of information security shall be continuously reviewed and
improved to ensure continuous adherence to this policy.
ISP PS 16: Employees, non-employees of ADA and ITS Stakeholders shall not attempt
to circumvent or subvert any of the information security controls.
ISP PS 17: Attempts by Employees, non-employees of ADA and ITS Stakeholders to
circumvent or subvert the information security controls, shall expose them
to the ADA disciplinary process.
ISP PS 18: Ensure compliance with applicable international standards on information
security as a minimum, e.g. ISO/IEC 27001:2013/Cor 2:2015.

ISP PS 19: Compliance shall be proved through the ITS ICT audit process.

Security Goals:

ADA is committed to safeguarding the confidentiality, integrity and availability of all physical and
electronic information assets of the institution to ensure that regulatory, operational and
contractual requirements are fulfilled. The overall goals for information and physical security
at ADA are the following:

ISP PS 20: Ensure compliance with current laws, regulations and guidelines of KSA
specified in Section 1.1.
ISP PS 21: Comply with requirements for confidentiality, integrity and availability for
the physical and electronic information assets of ADA's Employees,
non-employees and ITS Stakeholders.
ISP PS 22: Establish technical and administrative controls for protecting ADA's
information and information systems against theft, abuse and other forms
of harm and loss.
ISP PS 23: Motivate administrators and employees to maintain the responsibility for,
ownership of and knowledge about information security, in order to
minimize the risk of security incidents. For additional information on
motivation, rewards and incentives please consult the ADA HR Policy.
ISP PS 24: Ensure that ADA is capable of continuing its services even if major
security incidents occur.
ISP PS 25: Ensure the protection of personal data (privacy).
ISP PS 26: Ensure the availability and reliability of the network infrastructure and the
services supplied and operated by ADA and ITS Stakeholders.
ISP PS 27: Comply with methods from international standards for information security
management, e.g. ISO/IEC 27001:2013.
ISP PS 28: Ensure that external service providers comply with ADA's information
security needs and requirements.

ISP PS 29: Ensure flexibility and an acceptable level of security for accessing
information systems.

5. POLICY AREA 2: PHYSICAL AND ENVIRONMENTAL SECURITY

Policy Area 2 – Physical and Environmental Security is described as Physical and
Environmental Security Policy Statement (PES PS). ADA requires all Stakeholders
to secure against unauthorized physical access, damage and interference to the premises
and information assets, including but not limited to personal information, ITS and IT
Resources, by implementing:

• Workforce security
• Facility access controls of IT & ITS Resources
• Equipment security
• Least privilege
• Visitor control
• Secure disposal or reuse of equipment

References

• ISO/IEC 27001:2013/Cor 2:2015 A.9.1.1 Physical Security Perimeter
• ISO/IEC 27001:2013/Cor 2:2015 A.9.1.2 Physical Entry Controls
• ISO/IEC 27001:2013/Cor 2:2015 A.9.1.3 Securing offices, rooms and
facilities
• ISO/IEC 27001:2013/Cor 2:2015 A.9.1.4 Protecting against external and
environmental threats
• ISO/IEC 27001:2013/Cor 2:2015 A.9.1.5 Working in secure areas
• ISO/IEC 27001:2013/Cor 2:2015 A.9.1.6 Public access, delivery and loading
areas
• ISO/IEC 27001:2013/Cor 2:2015 A.9.2.1 Equipment siting and protection
• ISO/IEC 27001:2013/Cor 2:2015 A.9.2.2 Supporting utilities
• ISO/IEC 27001:2013/Cor 2:2015 A.9.2.3 Cabling security

• ISO/IEC 27001:2013/Cor 2:2015 A.9.2.4 Equipment maintenance
• ISO/IEC 27001:2013/Cor 2:2015 A.9.2.5 Security of equipment off premises
• ISO/IEC 27001:2013/Cor 2:2015 A.9.2.6 Secure disposal or re-use of
equipment

Physical Access Control

PES PS 1. MoI prescripts in terms of site physical security shall be followed.
PES PS 2. Entrances of all buildings shall be manned by physical security guards,
whereas all critical locations, rooms and areas shall be monitored by a
CCTV system, preferably with audio and video recording.
PES PS 3. Records of all visitors accessing internal premises of ADA shall be
maintained and shall include (But not limited to) the following:

• Name of the visitor
• Organization of the visitor
• Contact details for the visitor
• Purpose of Visit
• Contact person from ADA
• Exact date and time (entry time and exit time) of the visit.

PES PS 4. Records of all visitors accessing internal premises of ADA shall be
stored for a minimum period of 90 days or as agreed with the MoI.
PES PS 5. A notice requesting all visitors to declare their laptops, tablets, cameras,
phones and any other data-capturing (audio/video) devices shall be
displayed at the main entrance of the buildings.
PES PS 6. If any visitor needs to carry these devices inside the premises, details about
the device such as serial no., MAC address (preferably), make, model etc.
must be recorded before allowing them to enter.

PES PS 7. The identity of visitors shall be verified at the reception using their national
ID card, driving license or passport before issuing them a visitor badge.
Where none of these documents are available, the identity of the visitor
shall be verified by the person being visited.
PES PS 8. Entry shall be provided to visitors only after notifying the particular
employee being visited and verifying the purpose of visit with him/her.
PES PS 9. Strong physical access control mechanisms (e.g. magnetic stripe cards,
padlocks, pins etc.) shall be used for areas containing critical information
and information processing systems, or/and high value equipment.
PES PS 10. Physical access to areas containing critical information and information
processing systems shall be controlled and allowed to authorized
personnel only.
PES PS 11. When the physical access of an employee or non-employee is permanently
or temporarily terminated due to employment contract termination, all
identity authentication means of the user (magnetic stripe cards, pin
numbers, etc.) shall be de-activated and the relevant access rights
revoked.
PES PS 12. Physical access rights of all employees and non-employees to critical
information processing facilities such as data centers shall be checked and
updated on a periodic basis by the information security officer.
PES PS 13. A formal, documented physical and environmental protection policy that
addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and
compliance, together with formal, documented processes and procedures to
facilitate the implementation of the physical and environmental
protection policy and associated physical and environmental
protection controls, needs to be developed.
PES PS 14. Stakeholders should enforce physical access authorizations for all physical
access points (including designated entry/exit points) to the facility where
the information system resides (excluding those areas within the facility
officially designated as publicly accessible).
PES PS 15. Stakeholders should verify individual access authorizations before granting
access to the facility.
PES PS 16. Stakeholders should deploy entry controls to facilitate access to the facility
containing the information system such as physical access devices and/or
guards.
PES PS 17. Stakeholders should control access to areas officially designated as
publicly accessible in accordance with the organization’s assessment of
risk.
PES PS 18. Stakeholders should deploy controls such as secure keys, combinations,
and other physical access devices.
PES PS 19. Stakeholders should inventory physical access devices at least annually.
PES PS 20. Stakeholders should change combinations and keys at least annually and
when keys are lost, combinations are compromised, or individuals are
transferred or terminated.

Secure Offices

PES PS 21. Sites hosting critical information processing facilities shall be sited at
appropriate areas so that they are less prone to natural disasters. For
example areas where natural disasters such as floods and earthquakes
occur frequently must be avoided.
PES PS 22. Sites hosting critical information processing facilities shall be sited at
appropriate areas so that they are less prone to incidents such as theft, fire,
electrocution etc.
PES PS 23. Buildings hosting critical information processing systems such as
datacenters shall be unobtrusive in nature and shall not have external signs
or indications that would reveal their actual purpose and use.

PES PS 24. Buildings hosting critical information processing systems such as
datacenters shall have reinforced floors and ceilings. For guidance on
datacenter requirements, please see TIA-942 Data Center Certification.
PES PS 25. Buildings hosting critical information processing systems such as
datacenters shall be equipped with multiple security zones in order to
increase protection. Creating multiple secure zones with more than one
physically access-controlled door around the critical information assets
increases the overall physical protection. It is recommended to establish
a Tier 3 facility for the ITS Data Center. For guidance on datacenter
requirements, please see TIA-942 Data Center Certification.
PES PS 26. Working in critical information processing facilities beyond normal
office hours shall be authorized by the Infrastructure Manager. Unless
approved, employees, non-employees and Stakeholder shall not be
allowed to work in the critical premises beyond office hours.
PES PS 27. All storage media, such as hard disk drives, floppy disks, magnetic
tapes, CD-ROMs and DVDs, containing sensitive information shall be
physically secured when not in use. This can be achieved by keeping
them in locked cabinets, thus protecting them from attempts at
unauthorized access. Such protection measures shall take into account the
classification of information assets.
PES PS 28. All paper documents containing sensitive information shall be protected by
keeping them in fire-resistant cabinets.
PES PS 29. The screens of computers used to handle sensitive information must be
positioned in such a way that they cannot be easily viewed by an unauthorized
viewer, or Screen Privacy Protectors shall be used instead.
PES PS 30. Employees, non-employees, ITS Stakeholders and visitors shall refrain
from eating food items and drinking beverages inside critical information
processing facilities. Separate food serving areas shall be used for such
activities.

Identification badges

ITS Stakeholders shall position information system components within the facility to minimize
potential damage from physical and environmental hazards and to minimize the opportunity
for unauthorized access. No visitor shall be allowed to enter ITS Facilities.

PES PS 31. All employees, non-employees, ITS Stakeholders and visitors shall wear
identification badges while they are in ADA premises. The identification
badge should be worn such that it is clearly visible to all.
PES PS 32. Employees, non-employees and ITS Stakeholders who have forgotten their
identification badge must obtain a temporary ID at the reception, by
providing a token of identification such as National ID Card, driving license
or passport and shall be considered as Guests / visitors.
PES PS 33. Whenever an employee, non-employee, ITS Stakeholders or visitor is
noticed without an identification badge, the person shall be questioned
about the purpose of his/her presence and shall be immediately
accompanied to the reception desk.

Asset Movement

PES PS 34. Security guards at the reception reserve the right to inspect all kinds of
belongings including personal items e.g. briefcases of employees, non-
employees, ITS Stakeholders or visitors before allowing them to enter or
leave the building.
PES PS 35. Security guards shall ensure that incoming packages do not pose any
danger (e.g. explosives, flammables, chemicals or other dangerous
materials) to ADA premises. This could be done by scanning all incoming
packages with an X-ray scanner.
PES PS 36. All incoming and outgoing assets shall be recorded in an asset movement
register by the security guards at the reception.

PES PS 37. No IT or ITS assets (e.g. hardware, software, mobile computers etc.) shall
be removed from the premises for any reason (use, maintenance, repair etc.)
unless authorized by the Infrastructure Manager.
PES PS 38. ITS Stakeholders shall authorize, monitor, and control all information system
components entering and exiting the facility and maintain records of those
items.

Equipment Protection

PES PS 39. Areas where critical equipment is located shall have the appropriate
environmental conditions in place (temperature, humidity, electromagnetic
exposure etc.), according to the manufacturer’s recommendations. Every
Stakeholder shall maintain temperature and humidity levels within the facility
where the information system resides at levels consistent with the American
Society of Heating, Refrigerating and Air-conditioning Engineers
(ASHRAE) document entitled Thermal Guidelines for Data
Processing Environments, and shall monitor temperature and humidity
levels continuously.
PES PS 40. All equipment shall undergo periodic maintenance to maintain operational
condition and to minimize damage from dust and airborne particles.
PES PS 41. Building hosting critical Information processing facilities shall be located in
places where the risk of water damage is limited due to water leakage,
sewerage problems, rain, flood etc.
PES PS 42. No water sprinkler system shall be used at locations where ITS, IT Systems
and Electrical systems are installed. FM200 or equivalent shall be used
instead.
PES PS 43. Critical information facilities shall be protected against voltage
fluctuations or any other problems related to power supply through
solutions such as Uninterruptible Power Supply (UPS) systems and a backup
power generator with sufficient capacity.
PES PS 44. All kinds of electrical, voice and data communication cables shall be fire
rated and shall be protected against physical damage or destruction by
laying them under the ground/floor or enclosing with proper shields.
PES PS 45. Fire extinguishers shall be placed at visible and easily accessible points
inside ADA. Necessary fire instructions, including the nearest exit location,
should be displayed across ADA for quick reference.
PES PS 46. Fire suppression and detection devices/systems include, for example,
sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke
detectors. This control, to include any enhancements specified, may be
satisfied by similar requirements fulfilled by another organizational
entity other than the information security program. Organizations avoid
duplicating actions already covered. For guidance on
environmental health and safety, see ADA Environmental
Health and Safety (EHS) Policy and Process.
PES PS 47. All critical equipment shall be supported with adequate vendor support and
defined service level agreements.
PES PS 48. Equipment shall be placed in secure locations to protect from theft or
damage. The organization shall protect the information system from
damage resulting from water leakage by providing master shutoff valves
that are accessible, working properly, and known to key personnel.
PES PS 49. Physical access logs shall be reviewed at least quarterly.
PES PS 50. Coordinate results of reviews and investigations with the organization’s
incident response capability.

Monitoring

PES PS 51. The areas containing or leading to critical information processing facilities
should be continuously monitored by physical security guards and via
Closed Circuit TV (CCTV), e.g. the entrances and exits of buildings and
critical areas.
PES PS 52. Physical access to the information system shall be monitored to detect and
respond to physical security incidents.

6. POLICY AREA 3: ACCESS CONTROL

Policy Area 3 – Access Control is described as AC PS. This policy provides the planning and
implementation of mechanisms to restrict reading, writing, processing and transmission of all
ADA information in addition to the modification of information systems, applications, services
and communication configurations.

Logical and physical access controls are required to ensure the integrity of the information
and physical assets.

The following mandatory requirements for controlling logical access should be implemented
by all stakeholder hosting agencies:

• Document and adhere to procedures for granting, modifying and revoking access
• Install detection mechanisms for unauthorized access attempts
• Timeout a session after 30 minutes of inactivity unless specifically required by the ITS
Component; if there are any exceptions, ITS Consultants & ADA shall approve them
• Revoke access after an inactivity period of 60 days.
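The two measurable requirements above (the 30-minute idle timeout, waived only for an exception approved by both ITS Consultants and ADA, and the 60-day inactivity revocation) can be checked mechanically against account and session data. The following Python is an added example, not code from the ADA/ITS policy or any ITS tool; the record layout, the approver names and the sample accounts and sessions are constructed assumptions.

```python
"""Compliance check for the ITS mandatory logical-access requirements.

Added illustration; not part of the ADA/ITS policy document. Account and
session records are constructed here; a real run would read them from the
directory service and application session logs.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds stated in the policy: 30 minutes idle -> session timeout,
# 60 days without activity -> access revoked.
SESSION_IDLE_LIMIT = timedelta(minutes=30)
ACCOUNT_INACTIVITY_LIMIT = timedelta(days=60)

# The policy names both parties that must approve a timeout exception.
REQUIRED_EXCEPTION_APPROVERS = frozenset({"ITS Consultants", "ADA"})


@dataclass
class Account:
    username: str
    last_activity: datetime          # last successful logon or use
    # Hypothetical field: who has approved a longer idle timeout for this
    # account. Only a set containing both required parties counts.
    timeout_exception_approvers: frozenset = field(default_factory=frozenset)

    def timeout_exception_valid(self) -> bool:
        return REQUIRED_EXCEPTION_APPROVERS <= self.timeout_exception_approvers


@dataclass
class Session:
    username: str
    last_request: datetime


def sessions_to_terminate(sessions, accounts, now):
    """Usernames whose session has been idle for 30 minutes or more.

    Accounts holding a fully approved exception keep their session open,
    as the policy allows; an exception approved by one party only does
    not count and the session is still flagged."""
    by_name = {a.username: a for a in accounts}
    stale = []
    for s in sessions:
        acct = by_name.get(s.username)
        exempt = acct is not None and acct.timeout_exception_valid()
        if now - s.last_request >= SESSION_IDLE_LIMIT and not exempt:
            stale.append(s.username)
    return stale


def accounts_to_revoke(accounts, now):
    """Usernames with no activity for 60 days or more. The policy provides
    no exception for this control, so approvals are deliberately ignored."""
    return [a.username for a in accounts
            if now - a.last_activity >= ACCOUNT_INACTIVITY_LIMIT]


# Constructed sample data (not taken from the policy document).
NOW = datetime(2024, 3, 1, 12, 0)
ACCOUNTS = [
    Account("operator1", NOW - timedelta(days=2)),
    Account("contractor7", NOW - timedelta(days=61)),
    # Long-running console: exception approved by both required parties.
    Account("tcc_console", NOW - timedelta(hours=1),
            frozenset({"ITS Consultants", "ADA"})),
    # Exception approved by one party only: does not satisfy the policy.
    Account("drc_console", NOW - timedelta(hours=1), frozenset({"ADA"})),
]
SESSIONS = [
    Session("operator1", NOW - timedelta(minutes=5)),
    Session("tcc_console", NOW - timedelta(minutes=45)),
    Session("drc_console", NOW - timedelta(minutes=45)),
    Session("contractor7", NOW - timedelta(minutes=30)),
]


def run_checks(now=NOW, accounts=ACCOUNTS, sessions=SESSIONS):
    """Evaluate both controls and return the findings as a dict."""
    return {
        "terminate_sessions": sessions_to_terminate(sessions, accounts, now),
        "revoke_accounts": accounts_to_revoke(accounts, now),
    }


if __name__ == "__main__":
    for finding, names in run_checks().items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```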

Physical access control guidelines for all agencies include:

• All telecommunication and computer related equipment are to be in a secured,
locked environment with restricted access,
• Access codes for secure environments must be changed at least every 60 days or
in the event of an individual departing that previously had access,
• Account for all keys issued for those facilities using this method and replace locking
mechanism when a key is missing,
• When the system permits, log all accesses and retain, and
• Secure all peripherals such as air conditioning, generators, etc.

References:

• ISO/IEC 27001:2013/Cor 2:2015 Information security – Security techniques –
Information security management systems – Requirements.
• ISO/IEC 27002:2013 Information security – Security techniques – Code of practice
for information security management.
• ISO/IEC 27005:2011 Information security – Security techniques – Information
security risk management.

Account Management

AC PS 1. The information system accounts, including establishing, activating,
modifying, reviewing, disabling, and removing accounts, should be managed by
ADA.
AC PS 2. These information system accounts should be validated by ADA on a
requirement basis, but at a minimum once a year, and this process should be
documented. This validation can be delegated to Systems Administrators.
AC PS 3. Account management should include the identification of account types,
the establishment of conditions for group membership, and the assignment of
associated authorizations as defined by the group policy previously established.
AC PS 4. The Systems Administrators should identify authorized users of the
information system and specify each user's access rights or privileges.
AC PS 5. The Systems Administrators shall grant this access on a valid need-
to-know or need-to-share basis that is determined by the user's assigned ADA
official duties (Role), and by the satisfaction of all personnel security
criteria.
AC PS 6. The responsible person (Role) from ADA will be notified for account
creation and when: a user's information system usage, need-to-know or
need-to-share changes; a user is terminated or transferred; or associated
accounts are removed, disabled, or otherwise secured.


AC PS 7. The account creation process should pass to ADA a checklist of the
users' responsibilities and privileges, their privileged access to shares, and
their management accounts. ADA shall then consider creating the user accounts
or granting permission to do so.
AC PS 8. For ITS Components, ADA shall establish a central “Active Directory”
service for all stakeholders which shall be established at both TCC & DRC.
The Active Directory shall grant each Systems Administrator a privilege to
administer its own domain entity. For guidance on Active Directory, see
ADA Active Directory Design document.

Access Enforcement

AC PS 9. The assigned authorizations for controlling access to the system and the
information it contains should be enforced by the information system.
AC PS 10. These information system controls shall restrict access to privileged
functions (deployed in hardware, software, and firmware) and to security-relevant
information to explicitly authorized personnel. Explicitly authorized personnel
include, for example, security administrators, system and network administrators,
and other privileged users with access to system control, monitoring, or
administration functions (for example authorized system administrators,
information system security officers, maintainers, system programmers).
AC PS 11. Access control policies (identity-based, role-based and rule-based
policies) and associated access enforcement mechanisms (access control lists,
access control matrices, and cryptography) should be implemented by agencies to
control access between users, or processes acting on behalf of users, and objects
(devices, files, records, processes, programs, domains) in the information system.


Least Privilege

AC PS 12. ADA shall approve individual access privileges, shall enforce physical
and logical access restrictions associated with changes to the information
system, and shall generate, retain, and review records reflecting all such
changes.
AC PS 13. The local agencies shall enforce the most restrictive set of rights, privileges
or access needed by users for the performance of specified tasks.
AC PS 14. The Stakeholder shall implement least privilege based on specific duties,
operations, or information systems as necessary to mitigate risk to ADA.
This limits access to ADA to only authorized personnel with the need and
the right to know.
AC PS 15. Logs of access privilege changes shall be maintained for a minimum of one
year or at least equal to the ADA’s record retention policy.

System Access Control

AC PS 16. The access control mechanisms that enable access to ADA shall restrict
access by object (data sets, volumes, files, records), including the ability to
read, write, or delete those objects.
AC PS 17. These access controls shall be in place and operational for all IT
systems to prevent multiple concurrent active sessions for one user
identification, for those accessing applications. ADA shall document the
parameters of the operational business needs for multiple concurrent active
sessions.
AC PS 18. The mechanism shall ensure that only authorized personnel can add,
change, or remove component devices and dial-up connections, and remove or
alter programs.


Access Control Criteria

AC PS 19. The main access control criteria:

• Logical location
• Network and MAC addresses
• Time-of-day and day-of-week or month restrictions
• Physical location
• Job assignment or function of the user seeking access

For guidance on access control, consider ISO/IEC 29146:2016 Information technology --
Security techniques -- A framework for access management.

Access Control Mechanisms

AC PS 20. The Stakeholders shall use the following mechanisms when setting up
access controls. For ITS Contractors, these Access Control Mechanisms shall be
discussed and agreed during detailed design.
AC PS 21. Encryption: Encrypted information can only be decrypted, and therefore
read, by those possessing the appropriate cryptographic key. While
encryption can provide strong access control, it is accompanied by the
need for strong key management.
AC PS 22. Resource Restrictions: Access to specific functions will be restricted by
never allowing users to request information, functions, or other resources
for which they do not have access. Three major types of resource
restrictions are: menus, database views, and network devices.
AC PS 23. Application Level: In addition to controlling access at the information
system level, access enforcement mechanisms are employed at the application level
to provide increased information security for the Stakeholder.
AC PS 24. Access Control Lists (ACLs): ACLs are a register of users including
groups, machines, processes who have been given permission to use a
particular object (system resource) and the types of access they have been
permitted.
AC PS 25. Network Access Control – This should be considered at the network level.

Unsuccessful Login Attempts

AC PS 26. The system shall enforce a limit of no more than 5 consecutive invalid
access attempts by a user attempting to access ADA or systems with
access to ADA.
AC PS 27. The system shall automatically lock the account for 30 minutes unless
it is released by an administrator or the ITS System Operator has a special
requirement.
AC PS 28. Unsuccessful Login Attempts shall be carefully logged.
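The lockout behaviour of AC PS 26 to AC PS 28, written out as an added illustration that is not part of this policy or of the ITS project's code; user names and timestamps are constructed, and an administrator release is assumed to clear both the lock and the failure counter:

```python
"""Account lockout logic modelled on AC PS 26-28 (added example, not ADA's or the
ITS project's code): at most 5 consecutive invalid attempts, then a 30-minute lock
an administrator may release early, with every failure and rejection logged."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5                        # AC PS 26
LOCK_DURATION = timedelta(minutes=30)   # AC PS 27

@dataclass
class AccountState:
    failures: int = 0                          # consecutive invalid attempts
    locked_until: Optional[datetime] = None
    audit_log: List[Tuple[datetime, str]] = field(default_factory=list)  # AC PS 28

class LockoutPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_attempt(self, user: str, success: bool, now: datetime) -> bool:
        """Record one authentication attempt; return True if access is granted."""
        st = self._state(user)
        if self.is_locked(user, now):
            st.audit_log.append((now, "rejected: account locked"))  # even if correct
            return False
        if success:
            st.failures = 0              # a valid login resets the counter
            return True
        st.failures += 1
        st.audit_log.append((now, f"invalid attempt {st.failures} of {MAX_FAILURES}"))
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCK_DURATION
            st.failures = 0              # next counting window starts after the lock
            st.audit_log.append((now, "account locked for 30 minutes"))
        return False

    def admin_release(self, user: str, now: datetime) -> None:
        st = self._state(user)           # assumed: release also resets the counter
        st.locked_until = None
        st.failures = 0
        st.audit_log.append((now, "lock released by administrator"))
```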

System Use Notification

AC PS 29. The information system shall display an approved system use notification
message, before granting access, informing potential users of various
usages and monitoring rules.
AC PS 30. The system use notification message shall, at a minimum, provide the
following information:

• Unauthorized use of the system is prohibited.
• The user is accessing a restricted information system.
• System usage may be monitored and is subject to audit.


AC PS 31. The system use notification message shall provide appropriate privacy
and security notices and shall remain on the screen until the user acknowledges
the notification and takes explicit action to log on to the information system.
AC PS 32. Privacy and security policies shall be consistent with applicable laws,
executive orders, directives, policies, regulations, standards, and
guidance.
AC PS 33. System-use notification messages can be implemented in the form of
warning banners, displayed when individuals log in to the information
system.

Session Lock

AC PS 34. The information system shall prevent further access to the system by
initiating a session lock after a maximum of 30 minutes of inactivity, and
the session lock remains in effect until the user re-establishes access using
appropriate identification and authentication procedures.
AC PS 35. There could be an exception to the session lock requirement for ITS
Components in OCC.
AC PS 36. Users shall directly initiate session lock mechanisms to prevent inadvertent
viewing when a device is unattended. A session lock is not a substitute for
logging out of the information system. Note: an example of a session lock
is a screen saver with password.
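The session lock behaviour of AC PS 34 and AC PS 36 as an added illustration, not part of this policy or of the ITS project's code; the authenticate callback is a hypothetical hook standing in for the identification and authentication procedures the policy refers to, and the timestamps are constructed:

```python
"""Idle session lock modelled on AC PS 34 and AC PS 36 (added example, not ADA's
or the ITS project's code): a session locks after 30 minutes without activity or
on the user's request, stays locked until the user re-authenticates, and is never
ended by the lock itself; logout is a separate action."""
from datetime import datetime, timedelta
from typing import Callable

IDLE_LIMIT = timedelta(minutes=30)   # AC PS 34

# Hypothetical verifier supplied by the caller: (user, credential) -> bool.
Authenticator = Callable[[str, str], bool]

class Session:
    def __init__(self, user: str, authenticate: Authenticator, started: datetime) -> None:
        self.user = user
        self._authenticate = authenticate
        self.last_activity = started
        self.locked = False
        self.active = True          # False only after an explicit logout

    def _apply_idle_lock(self, now: datetime) -> None:
        # Lock once the inactivity period reaches the limit; only activity
        # while unlocked moves last_activity forward.
        if self.active and not self.locked and now - self.last_activity >= IDLE_LIMIT:
            self.locked = True

    def request(self, now: datetime) -> bool:
        """Attempt a user action; return True if the session may serve it."""
        self._apply_idle_lock(now)
        if not self.active or self.locked:
            return False
        self.last_activity = now
        return True

    def lock(self) -> None:
        """User-initiated lock before leaving a device unattended (AC PS 36)."""
        if self.active:
            self.locked = True

    def unlock(self, credential: str, now: datetime) -> bool:
        """Only re-authentication releases the lock; elapsed time alone never does."""
        if not self.active or not self._authenticate(self.user, credential):
            return False
        self.locked = False
        self.last_activity = now
        return True

    def logout(self) -> None:
        self.active = False
```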

Remote Access

AC PS 37. ADA shall authorize, monitor, and control all methods of remote access to
the information system. Remote access is any temporary access to an ITS
Stakeholder's information system by a user communicating temporarily through an
external, non-ADA controlled network like the Internet.
AC PS 38. ITS Contractors may be allowed to have 24/7 VPN connection with TCC
Firewall, however, access to any particular service shall be granted once
approved by ADA.
AC PS 39. Remote computing uses communications technology to enable staff or ITS
Stakeholders to work remotely from a fixed location outside of their
organization. Suitable protection of the remote computing site should be in
place against, e.g., the theft of equipment and information, the
unauthorized disclosure of information, unauthorized remote access to the
organization’s internal systems or misuse of facilities.
AC PS 40. It is important that remote computing is both authorized and controlled by
management and that suitable arrangements are in place for this way of
working.
AC PS 41. ITS Stakeholder may be allowed to establish VPN Connections from their
TAC support centers to TCC / DRC based on Authentication and Security
Mechanism.
AC PS 42. 2FA shall be employed strictly for VPN sessions. For guidance on 2FA see
ISO/IEC 29115:2013 Information technology -- Security techniques --
Entity authentication assurance framework.
AC PS 43. Procedures must be developed from best practices to authorize and control
remote computing activities. ITS Stakeholders should only authorize
remote computing activities if they are satisfied that appropriate security
arrangements and controls are in place and that these comply with the
Stakeholder's security procedures.

The following should be considered, however any procedure before implementation shall be
approved by ADA:


AC PS 44. ADA must consider the existing physical security of the remote computing
site, taking into account the physical security of the building and the local
environment, e.g. 2FA.
AC PS 45. ADA must consider the communications security requirements, taking into
account the need for remote access to the organization's internal systems,
the sensitivity of the information that will be accessed and passed over the
communication link and the sensitivity of the internal system.
AC PS 46. ADA must consider the threat of unauthorized access to information or
resources from other parties using the accommodation.

The controls and arrangements to be considered for access to the TCC include:

AC PS 47. ADA shall provide space and storage space for stakeholders' equipment
used for remote computing.
AC PS 48. ADA shall define the work permitted, the hours of work, the classification
of information that may be held and the internal systems and services that
the user is authorized to access.
AC PS 49. Provision of suitable communication equipment, including methods for
securing remote access by all stakeholders for access to the TCC.
AC PS 50. Physical security controls shall be considered.
AC PS 51. Provisioning of hardware and software support and maintenance shall be
considered.
AC PS 52. Processes and procedures for back-up and business continuity shall be
considered.
AC PS 53. Audit and security monitoring as per the approved SDS of ITS Stakeholders
shall be considered.

The following steps are recommended for ITS Stakeholders remote access process:
