17. Appendix II – Inventory of Assets, Suppliers & Authorities


Hardware

| Date | Owner | Asset type | Make | Model | Serial No | Location | Classification | Cost | Compliance requirements | Security Processes |
|---|---|---|---|---|---|---|---|---|---|---|
| CA (Inner Core) Safe Room | | | | | | | | | | |
| 13/12/2006 | | Safe | Chubb | Europe | SN 77620 | PKI DC | | 5000 | | OWI |
| 20/12/2006 | | HSM | nCipher | netHSM 500 | 07-N55077M | PKI DC | | 11000 | | OWI |
| 30/9/2007 | | HSM | nCipher | netHSM 500 | SO-12-06-H002 | PKI DC | | 11000 | | OWI |
| 14/1/2007 | | Server Rack | UK | APW | | PKI DC | | 1238 | | OWI |
| 01/01/2005 | | 2 Network Points to inner Core | | | | PKI DC | | | | OWI |
| 01/01/2005 | | Fire/Dust Sensors | Smoke | Fire Detectors | NA | PKI DC | | 120 | | OWI due 23/10/07 |
| 01/01/2005 | | Fire Suppression System | Fike SHP Pro Fire Alarm/Suppression Control System | FM 200 Gas | 341861.2 | PKI DC | | 15000 | | OWI due 23/10/07 |
| 01/01/2005 | | Air Conditioning from Main Aircon | Clivet | VR-DX 71 | FLStDmCZ0A | PKI DC | | 20000 | | OWI due 23/10/07 |
| 01/12/2006 | | Backup air conditioning unit | YOKO | LD-24CS/A1 | HKA 1135 | PKI DC | | 300 | | OWI due 23/10/07 |
| 01/01/2005 | | Light Fitting & switches | | | | PKI DC | | | | OWI |
| 01/12/2006 | | Door Exit Switch | Alpro | NA | NA | PKI DC | | 2000 | | OWI due 23/10/07 |
| 13/12/2006 | | Door Latch | Trimec | TS2001 | NA | PKI DC | | 456 | | OWI due 23/10/07 |
| CA (Inner) Core | | | | | | | | | | |
| 08/01/2007 | | Server | Dell | PE2950 Xeon 5160 | CBXGK2J | PKI DC | | 1814 | | OWI |
| 08/01/2007 | | Server | Dell | PE2950 Xeon 5160 | 9WCHK2J | PKI DC | | 1814 | | OWI |
| 08/01/2007 | | Server | HP | Proliant HP 380 | CZC7262Q6B | PKI DC | | 1814 | | OWI |
| 08/01/2007 | | Server | HP | Proliant HP 381 | CZC7263523 | PKI DC | | 1814 | | OWI |
| 13/12/2006 | | Switch | Cisco | Catalyst2960 | F0C1041X2G4 | PKI DC | | 817 | | OWI |
| 13/12/2006 | | Firewall | TippingPoint | X505 | Zuz96E00009904 | PKI DC | | 13973 | | OWI |
| | | KBM Keyboard | N/C | N/C | N/C | N/C | N/C | N/C | N/C | N/C |
| | | KBM Switch | N/C | N/C | N/C | N/C | N/C | N/C | N/C | N/C |
| 01/01/2005 | | 2 Network Points to Safe Room | | | | PKI DC | | | | OWI |
| 01/01/2005 | | 2 Network Points to Main Juffair Fibre | | | | PKI DC | | | | OWI |
| 01/01/2005 | | 2 Network Points to outer Core | | | | PKI DC | | | | OWI |
| 13/12/2006 | | Server Rack | UK | APW | 47170 | PKI DC | | 1238 | | OWI |
| 13/12/2006 | | Server Rack | UK | APW | 47166 | PKI DC | | 1238 | | OWI |
| 01/01/2005 | | Fire Suppression System | Fike SHP Pro Fire Alarm/Suppression Control System | FM 200 Gas | 341861.2 | PKI DC | | 15000 | | |
| 01/01/2005 | | Fire/Dust Sensors | Smoke | Fire Detectors | NA | PKI DC | | 15000 | N/C | N/C |
| 13/12/2006 | | Motion Sensor | Texecom | Mirage Pro-Quad | NA | PKI DC | | 33 | | |
| 01/01/2005 | | Light Fitting & switches | | | | PKI DC | | | | OWI |
| 01/01/2005 | | Air Conditioning from Main Aircon | Clivet | VR-DX 71 | FLStDmCZ0A | PKI DC | | 20000 | | |
| 01/01/2005 | | Backup air conditioning unit | YOKO | LD-24CS/A1 | HKA 1272 | PKI DC | | 300 | | |
| 13/12/2006 | | CCTV Camera | Infinova | V1481L-36A15 | 63121040 | PKI DC | | 285 | | |
| 13/12/2006 | | Door Exit Switch | Alpro | NA | NA | PKI DC | | 2000 | | |
| 13/12/2006 | | Door Latch | Trimec | TS2001 | 0 | PKI DC | | 456 | | |
| CA Outer Core (Admin) | | | | | | | | | | |
| 13/12/2006 | | Access Control to Safe Room | Identix | V20 UA HTLV20P-5K | 390600348 | PKI DC | | 2520 | | |
| 13/12/2006 | | Access Control CA Inner Core Room | Identix | V20 UA HTLV20P-5K | 30700024 | PKI DC | | 2520 | | |
| 13/12/2006 | | Access Control to Unner Core | Identix | V20 UA HTLV20P-5K | 500303254 | PKI DC | | 2520 | | |
| 13/12/2006 | | DVR | Infinova | V3010/4L | 61210298 | PKI DC | | 477 | | |
| 01/12/2006 | | Remote Control | | | | PKI DC | | 25 | | |
| 13/12/2006 | | Monitor | Infinova | V1322/14 | 6300145 | PKI DC | | 117 | | OWI |
| 01/12/2006 | | Coaxial cables | | | | PKI DC | | | | OWI |
| 13/12/2006 | | PC | Acer | Veriton 2800 | PS280D5601647000495W | PKI DC | | 405 | | OWI |
| 00/01/1900 | | Keyboard | Acer | Keyboard | TH097YRD371711A22532 | PKI DC | | 35 | | OWI |
| 00/01/1900 | | Mouse | Acer | Mouse | 3892A378 | PKI DC | | 10 | | OWI |
| 13/12/2006 | | Monitor | Acer | AC713B | ESC04080345220024FPK11 | PKI DC | | 125 | | OWI |
| 13/12/2006 | | Switch | SMC | EZSWITCH 8 Port | SMSFS8EUA | PKI DC | | | | OWI |
| 13/12/2006 | | Door Latch | Trimec | TS2001 | NA | PKI DC | | 456 | | |
| 13/12/2006 | | Exit switches | ALPRO | NA | NA | PKI DC | | 88 | | |
| 13/12/2006 | | Power supply | | 12V 5 amps | NA | PKI DC | | 116 | | OWI |
| 13/12/2006 | | Alarm Control Panel | Veritas | Excel | NA | PKI DC | | 74 | | |
| 13/12/2006 | | LCD Keypad | Texecom | Premier LCD Keypad | NA | PKI DC | | 50 | | |
| 13/12/2006 | | Dialer | Texecom | Speech Dialler | NA | PKI DC | | 63 | | |
| 13/12/2006 | | Siren | Texecom | Odyssey 1 | NA | PKI DC | | 18 | | |
| 13/12/2006 | | CCTV Cameras | Infinova | V1481L-36A15 | 63121034 | PKI DC | | 285 | | |
| 14/12/2006 | | Fully Functional Telephone | Panasonic | KX-T2375JXW | 5CAOD062187 | PKI DC | | | | |
| 13/12/2006 | | Access Control CA Main Entrance | Identix | V20 UA HTLV20P-5K | | PKI DC | | 2520 | | |
| 13/12/2006 | | Emergency lights | Khind | EM2004G | R2-042234 | | | | | |
| External | | | | | | | | | | |
| 13/12/2006 | | Server Rack | UK | APW | 0 | Juffair | | 1238 | | OWI |
| 08/01/2007 | | Server | Dell | PE2950 Xeon 5160 | 41WHK2J | Juffair | | 1814 | | OWI 08/01/2007 |
| 13/12/2006 | | Switch | Cisco | Catalyst2960 | F0C1041X2G4 | Juffair | | 817 | | OWI |
| 13/12/2006 | | Firewall | TippingPoint | X505 | Zuz96E00009904 | Juffair | | 13973 | | OWI |
| | | KBM Keyboard | | | | Juffair | | | | OWI |
| | | KBM Switch | | | | Juffair | | | | OWI |
| 01/01/2005 | | Network Points (itemise (in & out)) | | | | Juffair | | | | OWI |
| 01/01/2005 | | Fire Suppression System | EMI Fire Alarm System | AFA MINERVA System 2100 | NA | Juffair | | | | |
| 01/01/2005 | | Fire/Dust Sensors | EMI Fire Alarm System | Fire Detectors | NA | Juffair | | | | |
| 01/01/2005 | | Light Fitting & switches | | | | Juffair | | | | |
| 01/01/2005 | | Air Conditioning from Main Aircon | Denco Miller | DM5 | NA | Juffair | | | | |
| 01/01/2005 | | Backup air conditioning unit | Pearl | EG024FCAC | 800390 | Juffair | | | | |


The Information Security Manager is the owner of this document and is responsible for ensuring that it is maintained by the relationship owners

This document was issued by the Information Security Manager on 08 November, 2007 and is issued on a version controlled basis.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Software

| Date | Owner | Asset type | Make | Model | Serial No | Location | Classification | Cost | Compliance requirements | Security Processes |
|---|---|---|---|---|---|---|---|---|---|---|
| CA (Inner Core) Safe Room | | | | | | | | | | |
| 14/01/2007 | | OS | Microsoft | Windows Server 2003 | 1 | PKI DC | | | | |
| 20/09/2007 | | OS | RedHat | Enterprise Linux 5 | 3 | PKI DC | | | | |
| 07/10/2007 | | Digi-CA™ | Digi-Sign | Xp | 1 | PKI DC | | 97,000 | | |
| CA (Inner) Core | | | | | | | | | | |
| 14/01/2007 | | Access Control | Identix | 4.6.1.0 | 1 | PKI DC | | | | |
| 14/01/2007 | | CCTV control | Infinova | V.1.00.09 | 1 | PKI DC | | | | |
| 14/01/2007 | | OS | Microsoft | XP Pro | 1 | PKI DC | | | | |
| 15/01/2007 | | AntiVirus | Trend Micro | OfficeScan 8.0 | 1 | PKI DC | | | | |
| CA Outer Core (Admin) | | | | | | | | | | |
| External | | | | | | | | | | |
| Juffair | | | | | | | | | | |
| 20/09/2007 | | OS | RedHat | Enterprise Linux 5 | 2 | PKI DC | | | | |
| | | SMTP | Microsoft | Exchange 2003 | 1 | Juffair | | | | |
| | | DNS (*.gov.bh) | RedHat | Enterprise Linux 4 | 1 | Juffair | | | | |
| | | DNS (*.gdn) | Microsoft | Windows Server 2003 | 1 | Juffair | | | | |

The Information Security Manager is the owner of this document and is responsible for ensuring that it is maintained by the relationship owners

This document was issued by the [Information Security Manager] on [date] and is issued on a version controlled basis.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Intangible

| Date | Owner | Asset type | Make | Model | Serial No | Location | Classification | Compliance requirements | Security Processes |
|---|---|---|---|---|---|---|---|---|---|
| CA (Inner Core) Safe Room | | | | | | | | | |
| CA (Inner) Core | | | | | | | | | |
| CA Outer Core (Admin) | | | | | | | | | |
| External | | | | | | | | | |
| Juffair | | | | | | | | | |


The [Information Security Manager] is the owner of this document and is responsible for ensuring that it is maintained by the relationship owners

This document was issued by the [Information Security Manager] on [date] and is issued on a version controlled basis.

Signature: Date:

Authorities & Suppliers

| Owner | Organization | Function | Address | Contact | Telephone | e-mail | Web |
|---|---|---|---|---|---|---|---|


The [Information Security Manager] is the owner of this document and is responsible for ensuring that it is maintained by the relationship Owners

This document was issued by the [Information Security Manager] on [date] and is issued on a version controlled basis.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

External Parties: Information Security Procedure

1 Scope
According to DOC 6.8 / DOC 6.8 of this Manual, the Organization maintains the security of its information processing facilities and information assets in relation to external parties. All external parties who need to access any Organizational information assets are subject to this procedure. The Organization has (or may have) external party agreements with the following categories of organizations, all of whom are covered by this procedure; risks may be assessed for external parties as individual organizations or as categories, depending on the level of risk involved:
a) Service providers
b) Managed security services
c) Customers
d) Outsourcing suppliers (facilities, operations, IT systems, data collection, call centres, others)
e) Consultants and auditors
f) Developers and suppliers of IT systems and services
g) Cleaning, catering and other outsourced support services
h) Temporary personnel, placement and other (casual) short-term appointments

2 Responsibilities
2.1 All relationship Owners (see sub section 7.1.2 of the Manual) responsible for services in any of the above categories are required to ensure that external parties have entered into a formal external party agreement under this procedure and that transitions (of information, information processing facilities, and any other information assets or personnel) are planned and executed without a reduction in the level of security that existed prior to commencement of the transition.
2.2 Relationship Owners are responsible for ensuring that the security controls, service definitions and delivery levels included in external party agreements are implemented, maintained and operated by the external party.
2.3 The Information Security Manager is responsible for carrying out risk assessments (see DOC 4.4) where required by this procedure.

3 Procedure [ISO 17799 sub section 6.2]
3.1 Where there is a business need for working with external parties, the Organization ensures that its information security is not reduced; access to Organizational assets is not granted until a risk assessment (DOC 4.4) has been completed, appropriate controls identified and implemented.

4 Risk Identification [ISO 17799 clause 6.2.1]
4.1 The Organization carries out a risk assessment (in line with the requirements of procedure DOC 4.4) to identify risks related to external party access.

4.2 The risk assessment identifies (in addition to the requirements of DOC 4.4) and documents, for each external party:
a) The information processing facilities and information assets the external party will access;
b) The type of access the third party will have – physical access and/or logical access (identifying the assets that will be accessed), whether the access is taking place on-site or off-site and the exact location from which access will be made;
c) The value and classification (see sub section 7.2 of the Manual) of the information that will be accessed;
d) The information assets that the external party is not intended to access and which may require additional controls to secure;
e) The external party’s personnel (see sub section 8.1 of the Manual), including their contractors and partners, who will or might be involved;
f) How external party personnel are to be authenticated (see Section 11 of the Manual);
g) How the external party will process, communicate and store information;
h) The impact to the external party of access not being available when required, or of inaccurate or misleading information being entered, received or shared;
i) How the Organization’s information security incident management procedure (see Section 13 of the Manual) will be extended to incorporate information security incidents involving the external party;
j) Any legal, regulatory or other contractual issues that should be taken into account with respect to the external party;
k) How the interests of other stakeholders might be affected by any decisions.

5 Controls are selected in line with the requirements of DOC 4.3.

6 The Organization implements those controls that are within its own power, and in line with the requirements of sub section 3.2 of the Manual (the DO phase).

7 The Organization agrees with the external party those controls that the external party is required to implement and documents them in an agreement (drawn up by the Organization’s legal advisers) that the third party signs. The obligations on the external party include ensuring that all its personnel are aware of their obligations.

8 The agreements between the Organization and external parties (whether suppliers or customers) are created by the Organization’s legal advisers, who are required to specifically include or provide documented reasons for excluding any of the items on the checklist below, and the requirement for which may have been identified through the risk assessment, from any such contract:
a) The information security policy (sub section 5.1.1 of the Manual);
b) The controls identified as required through the risk assessment process (see 4), which may include procedures and technical controls;
c) A clear definition and/or description of the product or service to be provided, and a description of information (including its classification) to be made available;
d) Requirements for user and administrator education, training and awareness (see sub section 8.2.2 of the Manual);
e) Provisions for personnel transfer;
f) Description of responsibilities regarding software and hardware installation, maintenance and de-commissioning;
g) Clearly defined reporting process, reporting structure, reporting formats, escalation procedures and the requirement for the external party to adequately resource the compliance, monitoring and reporting activities;
h) A specified change management process (see sub section 10.1.2 in the Manual);
i) Physical controls, including secure perimeters (see Section 9 of the Manual);
j) Controls against malware (see sub section 10.4 of the Manual);
k) Access control policy (see Section 11 of the Manual);
l) Information security incident management (see Section 13 of the Manual) and agreement violation management procedures;
m) The target level for service and security, unacceptable service and security levels, definition of verifiable performance and security criteria, monitoring and reporting;
n) The right to monitor and audit performance (including of the third party’s processes for change management, vulnerability identification and information security incident management), to revoke activities, and to use external auditors;
o) Service continuity requirements;
p) Liabilities on both sides, legal responsibilities and how legal responsibilities (including data protection and privacy) are to be met;
q) The protection of IPR and copyright;
r) Controls over any allowed sub-contractors;
s) Conditions for termination/re-negotiation of agreements, including contingency plans.

9 Information exchange agreements [ISO 17799 clause 10.8.2]

9.1 Additional controls must (subject to an individual risk assessment in relation to each proposed agreement) be considered where the contract is for the exchange of information or software:
a) The specific management responsibilities and procedures on each side for notifying transmission, dispatch and receipt, and any specific controls associated with each action;
b) Procedures to ensure non-repudiation and to ensure traceability;
c) The required standards for packaging (see DOC 9.12) and means of transmission;
d) The agreed labelling system (see DOC 7.6);
e) Courier selection and identification methods (see DOC 9.12);
f) Escrow agreements (where applicable);
g) How information security incidents (loss of or damage to an information asset in transit) will be managed;
h) Data protection, copyright, software licensing (see sub section 15.1 of the Manual);
i) Any technical standards that may be required for recording or reading software or information;
j) Any other special controls, such as cryptography (see sub section 12.3 of the Manual).

10 Managing changes to third party services [ISO 17799 clause 10.2.3]

10.1 The Organization may need to agree changes to external party contracts and agreements to take account of changes that it makes to, or as a result of:
a) the services it currently offers to its clients;
b) new applications and systems it has developed or acquired;
c) modifications, changes or updates to its own policies and procedures;
d) new or amended controls arising from new risk assessments or information security incidents.

10.2 The external party may need to request changes to the contract in order to implement:
a) changes or improvements to their networks or other infrastructure;
b) new or improved technologies, new products or new releases of current products;
c) new development tools, methodologies and environments;
d) new physical locations or physical services;
e) new vendors or other suppliers of hardware, software or services.

10.3 Any changes that may be required are subject to a new risk assessment (taking into account the criticality of the business systems involved) and review of the selected controls (see clauses 4.1 and 5).
10.4 New controls, or changes to existing controls, are identified, authorized, agreed with the third party, and made the subject of an agreed variation to the existing contract. This must be clearly documented and signed off by both parties.
10.5 The relationship Owner is responsible for ensuring that the revised controls are implemented and incorporated into the existing review and monitoring arrangements.

The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.
A current version of this document is available to PKI team members of staff on the corporate intranet.

This procedure was approved by the Information Security Manager on 08 November, 2007 and is issued on a version controlled basis under his signature.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue