1. Scope of the ISMS

[4] This ISMS is specific only to the three Certificate Authority [CA] rooms in Isa Town, the five Registration Authority Control Centre operator desks located on the ground floor of the National ID card issuing centre in Isa Town and the two Public Servers located in Juffair, in the Kingdom of Bahrain. The ISMS does not extend beyond these two geographicaal locations and the personnel that make up the operational and management team for these areas. It should also be noted that the Key Ceremony(s) that occurs is outside the physical environment and is not included in the ISMS, however, detailed scripts, explanations and security documentation from each Key Ceremony will be introduced into the ISMS as required.

The Information Security Management System covers all activities within the PKI [5] infrastructure in Juffair and ISA Town including related infrastructure key components such as Digi-CA and associated HSM. It relates to all assets, software and infrastructure used for storing, handling, processing and distributing digital certificates to Bahrain citizens.

1.2 Definitions

Where terms which are used in ISO27001:2005 are used here, the definitions provided in clause 3 of that standard are applied. Where terms are defined in ISO17799:2005 but not in ISO27001:2005, the ISO17799:2005 definitions are applied here.

1.3 ISMS

In particular, the ISMS is defined as the part (which includes organisational structure, policies, planning activities, plans, responsibilities, working practices, procedures, processes and resources) of the Organisation’s overall management system which, based on a business risk approach, enables management to establish, implement, operate, monitor, review, maintain and improve information security within the Organisation.

A current version of this document is available to PKI staff members of staff and is available on request from the Information Security Manager.

This procedure was approved by the Director General of IT and the Information Security Manager on 08 November, 2007 and is issued on a version controlled basis under his/her signature

Adlin Hisyamuddin Shaikh Salman Mohammed Al-Khalifa
Information Security Manager Director General of IT

____________________________ _______________________________

On:

08 November, 2007 08 November, 2007
____________________________ _______________________________

Change history

Issue 1 7 November, 2007 Initial issue

2. Documentation

2.1 Constituents

[4] The Organisation’s ISMS documentation consists of:

2.1.1

2.1.2 The separate, version controlled risk assessment report and risk treatment plan, whose preparation follows the methodology described in Section 4 of this manual; [ISO27001 4.3.1c, d and f]

2.1.3 Records of how the Organisation applied (and continues to apply) the PLAN-DO-CHECK-ACT process, which is described in Section 3 of this manual, in the planning, implementation and maintenance of its ISMS; [ISO27001 4.3.3]

2.1.4 Those procedures, which describe how the policies are implemented, and which are identified in this manual but are separate from it, are Tier 2 documents; [ISO27001 4.3.1e]

2.1.5 Work Instructions and Operations Work Instructions, which set out specific requirements for the performance or execution of specific tasks, including for the measurement of the effectiveness of the controls, in the Organisation generally and in the [IT operations department] specifically, and which are identified in procedures, and similar documents, such as User Agreements and job descriptions, are Tier 3 documentation;

2.1.6 Records of the Organisation’s control of its information security processes, including details of audits, information security incidents and management reviews gathered during the CHECK phase, described in 3.3 below, are the fourth tier of the Organisation’s ISMS documentation. [ISO27001 4.3.1h]

2.2 Authorisation Levels

2.2.1

2.2.2 The board of directors has ultimate authority over the information security policy and ISMS and approves and authorizes all changes to the information security policy, the Statement of Applicability, the information security manual and any separate policy statements (tier 1 documents).

2.2.3 The Director General of IT (see sub section 6.1.3.2 [6]) has lead executive authority for information security and works with the Information Security Manager to approve, authorize and issue all tier 2 documents.

2.2.4 The Information Security Manager and the Director General of IT approve and authorize tier 3 documents owned by individuals or entities in their areas of responsibility. Any information security documents personally owned by any member of the Trust Centre Team have to be approved and authorized by the Director General of IT.

2.2.5 Owners of information assets (see sub section 7.1.2 [6] of the Manual) are responsible for the security classification of their asset(s), the day-to-day protection of their asset(s) and for the day-to-day operation of related security processes. The responsibility for carrying out these processes or associated task(s) can be delegated to anyone within the Owner’s area of responsibility, provided that:

a) The individual has the necessary skill, competence and resources to carry out the processes or task(s) and

b) The Owner retains accountability for ensuring that the process or task is carried out correctly.

2.2.6 Access rights are specified in sub section 11.1 below. Access rights are personal, are set out in individual User Agreements (see sub sections 11.2 [7] and 11.3 [7]) and cannot be delegated.

2.2.7 The authorization procedure for new information processing facilities is set out in DOC 6.4. wherever this type of reference occurs, can you specifically write [ISO27001 DOC 6.4] so the CIO knows where to find this.

2.3 The Organisation’s ISMS documentation is protected and controlled. There is a documented procedure (DOC ISMS 1) which takes 2.2 above into account and defines the management actions for document control. [ISO27001 4.3.2]

2.4 The Organisation has a documented procedure which defines the controls for identification, storage, protection, retrieval, retention time and disposal of records. [ISO27001 4.3.3] Documents are available to those who need and are authorised to access them in line with these retention requirements.

Adlin Hisyamuddin Shaikh Salman Mohammed Al-Khalifa
Information Security Manager Director General of IT

____________________________ _______________________________

On:

08 November, 2007 08 November, 2007
____________________________ _______________________________

Change history

Issue 1 08 November, 2007 Initial issue

3. PLAN-DO-CHECK-ACT

[4] 3.1 The PLAN Phase – Establish the ISMS

3.1 a)

3.1 b) The Organisation has defined its information security policy, which is set out in Section 5, to apply throughout the Organisation as defined in the scope (Section 1 above). The policy includes:

3.1 b1)

3.1 b2) The requirement for “legal, regulatory and contractual” in accordance with the standard is adequately addressed by the Civil Service Bureau; [ISO27001 4.2.1 b2)]

3.1 b3) The strategic organizational and risk management context for the establishment and maintenance of the ISMS (“the Organization’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks”); [ISO27001 4.2.1b3)] and

3.1 b4) Reference to a systematic approach to risk assessment, the risk management framework (4.2 below) in which the criteria for risk evaluation are described and the structure of the risk assessment is defined (4.4 below). [ISO27001 4.2.1 b4)]

3.1 b5) The policy, and this manual, have been approved by The Director General of IT and the President of the CIO. [ISO27001 4.2.1 b5)]

3.1 c) The Organization has identified a suitable, systematic approach to and framework for risk assessment that produces comparable and reproducible results and that is appropriate for its business, legal, regulatory and contractual requirements, and this is described in Section 4 below. [ISO27001 4.2.1c)]

3.1 d) Identification of risks is carried out in line with the process set out in Section 4 below. [ISO27001 4.2.1d)]

3.1 e) Assessment (the analysis and evaluation) of risks is carried out in line with the process set out in Section 4 below. [ISO27001 4.2.1e)]

3.1 f) Options for risk treatment are identified and evaluated in line with the process set out in Section 4 below. [ISO27001 4.2.1f)]

3.1 g) Control objectives and controls are selected from [Annex A of ISO27001 :2005] to meet the criteria and requirements of the risk management framework, take into account the risk acceptance criteria (Section 4, below) and current legal, regulatory and contractual requirements and are contained in the Statement of Applicability [ISO27001 4.2.1g)], together with details of the controls currently implemented [ISO27001 4.2.1.j.2].

3.1 h) The Statement of Applicability is contained in Sections 5 - 15 of this manual and in approving this manual management accept the residual risks (see sub section 4.6.3 [7] also). [ISO27001 4.2.1h)]

3.1 i) Management authorises the implementation of the ISMS and any changes to this manual [and approve the residual risks] [ISO27001 4.2.1i)]

3.2 The DO Phase – Implement & Operate the ISMS

3.2 a)

DOC 4.1

[7]

3.2 b) Appropriate funding and resources are, as described in the risk treatment plan, allocated to its implementation. [ISO27001 4.2.2b)]

3.2 c) The selected controls are implemented (and their implementation is co-ordinated across the Organisation) to meet the identified control objectives. [ISO27001 4.2.2c)]

3.2 d) The Organisation has defined how it measures the effectiveness of its controls and has specified how to use these measurements to improve control effectiveness to produce comparable and reproducible results, and this is set out in DOC 3.1. [ISO27001 4.2.2d]

3.2 e) Training and awareness programmes are implemented as required in the risk treatment plan. [ISO27001 4.2.2e)]

3.2 f) The operational management procedures and work instructions required in this policy are implemented. [ISO27001 4.2.2f)]

3.2 g) The Organisation has committed specific resources to the effective management of the ISMS, including the nomination of Mubarak Abdulla Alhiddi as the Chief Security Officer [CSO] for the Trust Centre and Adlin Hisyamuddin as the Information Security Manager; and the recruitment of additional technical staff, inclusion of information security in all jobs relating to the management, maintenance and operations of a National Trust Centre for the issuing of Digital Certificate [8] as well as investing in information security products and services as required by the risk treatment plan (DOC 4.1 [7]). [ISO27001 4.2.2g)]

3.2 h) The Organisation has implemented monitoring procedures and controls as required by control objectives 10.10 and 13.1 below. [ISO27001 4.2.2h)]

3.3 The CHECK Phase – Monitor and Review the ISMS

3.3 a)

3.4

3.3 b)

3.3 c)

DOC 3.1

3.3 d)

3.3 e) Management ensures that the Organisation carries out regular internal ISMS and other audits, as required in controls 6.1.8, 15.2 and 15.3 below, and the results of these audits inform the reviews identified in 3.3b) above. [ISO27001 5.1.g & 4.2.3e)]

3.3 f) Actions or events that could impact the effectiveness of the ISMS are recorded in line with sub sections 10.10 and 13 below [ISO27001 4.2.3f & g)] and are reviewed at management review.

3.3 g) The risk treatment plan (DOC 4.1 [7]) is updated to take into account the findings of monitoring and reviewing activities.
3.3 The ACT Phase – Maintain & Improve the ISMS

3.4 Opportunities for The ISMS

3.4 a)

3.3b)

d)

3.4 b) The Organisation has documented procedures for corrective and preventative action throughout the ISMS (including but not limited to those in sections 10.2.2, 13, 14.1.5 and 15.2 of this manual; sub section 6.1.7 enables it to learn from the experiences of other organisations and control 13.2.2 ensures it learns from its own experiences) and these include evaluating the need for action to prevent the occurrence of non-conformities. [ISO27001 4.2.4b] All controls have an element of preventative action involved in them.

3.4 c) The results of reviews are communicated to everyone involved via email and action delegated to the appropriate people, in line with 6.1.3 and 13.2.1 below. [ISO27001 4.2.4c)]

3.4 d) The implemented improvements are subject to monitoring and audit (see 15 [7]) to ensure that their intended objectives have been achieved. [ISO27001 4.2.4 d)]

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

4. Risk Management Framework

4.1 Risk Approach

[4] The Organisation’s approach to risk, which has been specifically approved and authorised by management, is contained in the risk management framework, which it applies to its overall strategic planning process. The risk management framework is designed to identify and assess risks (including information security risk) in the business plan, to identify and evaluate options for the treatment of those risks, and to select control objectives and controls that will reduce those risks to acceptable levels within the context of the business plan, operational requirements, constraints and objectives and national and international legislation and regulation. [ISO17799 4.1 and 4.2]

4.2 Risk Framework

4.2.1 Choice of risk assessment tool/methodology

CIO has decided not to use an automated tool to perform risk assessments. Instead it has sought advice from external security consultants VigiTrust to set out the initial to procedures and documentation and in conjunction and co-operation with the Digi-CAST3™ Team, has been trained on the use of this manual and the implementation of the procedures necessary to produce a number of methodologies to perform risk assessment on a regular basis

4.2.2 Requirements

Risk assessments projects need to be carried out regularly and need to help CIO identify the threat landscape, vulnerabilities and threat levels associated to each vulnerability against each of its tangible and intangible assets.

4.2.3 Selection Criteria

CIO opted to work with Digi-Sign because of its knowledge of Certificate Authority [CA [9]] and Public Key Infrastructures [PKI [5]] and with VigiTrust because of their in the filed of risk assessment for particularly sensitive information and projects related to the security of sensitive assets.

4.2.4 Tools/Methodologies Considered

CIO considered tools such as RA2 or equivalent on the market. However these tools require a deep understanding of the current security threat landscape and are only extremely effective for security professionals.

It was therefore decided to work with security consultants who had their own methodologies backed by a proven track record of helping blue chip organizations to meet security best practice guidelines.

4.2.5 How the Tool/ Methodology was Selected
Some initial research was conducted by CIO as to whether an automated tool would be appropriate to perform the risk assessment tasks related to this project. It was very quickly identified that consultants would be required in order to engage with CIO and conduct risks assessments. After a full tendering process in accordance with the laws of the Kingdom of Bahrain and a lengthy and careful consideration process, Batelco and Digi-Sign were selected to provide this service to the CIO in co-operation with Digi-Sign’s ISO consultancy partner VigiTrust.

4.2.6 How the Methodology Works

The chosen methodology is based on benchmarking vulnerabilities and threats to each assets against a risk matrix. The matrix consists in evaluation of the asset in terms of importance to CIO, assigning a probability of likelihood for each threat and determining an absolute impact for the threat. The risk is calculated as follows:

Risk (aka “Absolute risk”) = Probability of Threat * Absolute Impact of Threat

The information below details all of the elements of this risk calculation model:

Evaluation of Assets

The operation owner defines the value of each asset detected depending on his perception of impact on operations) or on users in general in case of loss, theft, inaccessibility, deterioration / corruption or any other security violations. Perceived value is ranked as follows:

Unimportant (0) Damage on the asset never affects the data system

Not very important (1) Damage on the asset has very little impact on the data system. The data system keeps operating. Damage on it does not tarnish the company name.

Medium (2) Damage on the asset affects the data system. The data system keeps operating but the asset in question must be replaced. Damage thereon can affect the company name negatively to a somewhat noticeable extent.

Important (3) Damage on the asset has major impact on the data system. The data system is only half operational in that it may not be fully accessible or its integrity might have been somewhat compromised. The asset in question must be replaced. Damage thereon affects the company name adversely.

Very important (4) The asset plays a major part for the operation of the data system. Damage on the asset has a huge impact on the operability of the data system. Only parts of the data system remain useable. Damage thereon has substantial adverse impact on the company name.

Extremely important (5) The asset is essential for the operation of the data system. Damage on the asset directly influences the data system. The data system is out of operation. Damage thereof has very adverse impact on the company name.

At this stage Potential vulnerabilities are listed for each asset. Vulnerabilities are the weaknesses identified for assets. Potential threats are listed for each asset. Threats are potential tools by which vulnerabilities can be misused or exploited.

Important Note: The value as determined by the above procedure is entered in the “Critical” column Risk Treatment Plan file that accompanies this document and is referenced “Digi-CAST Asset List & Risk Treatment Issue 001-071107.xls”.
Threat Probability Values

Negligible (0) Not likely to happen.

Very low (1) Twice or three times in a period of 5 years.

Low (2) May happen once a year or a shorter period of time.

Medium (3) May happen every six months or within a period of time between one to 6 months.

High (4) May happen once a month or within a period of time between 2 days to one month.

Very high (5) May happen once a day.

Extremely High (6) May happen multiple times a day.

Threat Impact Values

Unimportant (0) The threat has no impact on the asset.

Small (1) The threat has little impact on the asset. There is no need to repair or re-configure the asset.

Important (2) Although the impact by the threat is minor and is only reported by a few persons or organizations, the threat can still have concrete damage. Corrective action involving time, effort and financial input may have to be implemented to make up for the damage and eradicate the issues.

Detrimental (3) The Threat can damage the reputation of asset and system operators. Significant spending may be necessary to repair the damage and eradicate the issues.

Serious (4) The Threat inflicts substantial damage on the asset and/or many staff members and the organization itself may be significantly impacted by the damage. Large scale restructuring may be necessary in the damaged system. Corrective action needs to be taken to eradicate the issues.

Very serious (5) Threats causes the asset to be out of operation indefinitely. It requires the system to be re-designed and re-structured totally. Corrective action needs to be taken to eradicate the issues.
The information pertaining to absolute risks requires the use of the values detailed above according to the formula, Absolute Risk = Threat Probability Value * Threat Impact Value.

So by determining the “Threat Probability Value” (i.e. 1 – 6) using the horizontal part of the following Risk Calculation Table and then searching down the vertical column for the “Threat Impact Value”, the “Absolute Risk Value” can be calculated.

Important Note: All three values are entered in the Risk Treatment Plan file that accompanies this document and is referenced “Digi-CAST Asset List & Risk Treatment Issue 001-071107.xls”.

Every time an asset is added or removed from the Trust Centre, this Digi-CAST™ [2] Manual and the “Digi-CAST Asset List & Risk Treatment” must be updated and must be signed by the Information Security Manual.

In addition, the new Issue must be circulated to all members of the Trust Centre Team and Trust Centre Management. And this is the responsibility of the Information Security Manager.

Risk Calculation Table

Probability of the Threat to Happen	Unimportant (0)	Minor (1)	Important (2)	Detrimental (3)	Serious (4)	Very serious (5)
Negligible (0)	None (0)	None (0)	None (0)	None (0)	None (0)	None (0)
Very low (1)	None (0)	Low (1)	Low (2)	Low (3)	Medium (4)	Medium (5)
Low (2)	None (0)	Low (2)	Medium (4)	Medium (6)	High (8)	High (10)
Medium (3)	None (0)	Low (3)	Medium (6)	High (9)	High (9)	Critical (15)
High (4)	None (0)	Medium (4)	High (8)	High (12)	Critical (16)	Very High (20)
Very High (5)	None (0)	Medium (5)	High (10)	Critical (15)	Very High (20)	Very High (25)
Extremely High (6)	None (0)	Medium (6)	High (12)	Critical (18)	Very High (24)	Very High (30)

Absolute Risk Table

Absolute Risk	Risk Score	Multiplication Values Corresponding to the Risk Score
None	0	0
Low	1	1,2,3
Medium	2	4,5,6
High	3	8,9,10,12
Critical	4	15,16,18
Very high	5	20,24,25,30

Actual Risk Value is calculated by using the following final formula:

1. Absolute Risk = Probability of the Threat * Absolute Impact of the Threat

2. Absolute Risk Score  Simplified Absolute Risk Score (Table 4)

3. Actual Risk Value = New Absolute Risk Score * Asset Value Identification of Targets, Controls and Counter Measures and Management of Risks
3–Step Absolute Risk Calculation

Step 1

Take into consideration the impact an event using the “Threat Impact Values” scale above (0 - 5).

Step 2

Then consider the likelihood it could happen using the “Threat Possibility Values” scale above (0 - 6).

Step 3

Then use the table, which gives you the risk for the RTP (it is a basic multiplier). The value you get will appear on the “Absolute Risk Table” and this enables you to label the Risk appropriately.

Example

Rack server:

The Rack could be physically damaged or it could collapse resulting in machines having to be powered off before being moved - results in disruption to services.

Probability of that happening is low (2) however impact of the issue, if it did happen, is high (4) as it would seriously disrupt services. Therefore the Absolute Risk Value is 4 x 2 = 8. The Absolute Risk (8) is then entered in the Absolute Risk column of the Digi-CAST Asset List & Risk Treatment.

In Summary

Low Absolute Risk Value is typically low to high impact with little probability of occurrence (or vice versa).

High Absolute Risk Value is typically high impact and high probability (unusual and rare, but may occur).

Medium Absolute Risk Value is more complicated and requires careful attention as it suggests that the impact would be medium to high and so is the probability. This is where indicating actual controls in place will ensure that a proper risk assessment has been conducted.

Consider the asset and carefully consider the likelihood of the potential threat happening. Should it happen, what impact would have it have on the CIO Trust Centre if it did happen and then using the above system assign figures and calculate the Absolute Risk Value.

4.2.7 Training requirements
The CIO Trust Centre staff must understand the scoring mechanism and regular training should be provided by the Information Security Manager to all the members of the Trust Centre Team. In addition ongoing security awareness through training, reference manual, demonstration and incident reporting, resolution and documentation is provided in order for Trust Centre Team to keep abreast of the latest threats in order to be able to continually assess risks and take pre-emptive action.

4.3 Information Security Risk Management

4.3.1

DOC 4.3

DOC 4.4

DOC 4.2.

4.3.2 Control objectives and controls are selected from Annex A of [ISO27001/ISO17799:2005] on the basis of the conclusions to step 4.3.1. Additional control objectives and controls are, not required from other sources other than ISO27001. All control objectives and controls are documented in the Statement of Applicability, which is set out in Sections 5 to 15 of this manual.

4.3.3 A consolidated; corporate level risk treatment plan (DOC 4.1) is formulated in order to implement the selected controls.

4.3.4 The implementation is reviewed for effectiveness and, where possible, improvements are identified and these, within the context of the overall ISMS, are implemented, using a PDCA process.

4.3.5 This process is followed irrespective of whether a single risk is being considered, or multiple risks.

4.4 Risk Assessment Tool & Methodology
The Organisation’s method for risk assessment is to use risk assessment tool in this Digi-CAST™ [2] Manual and uses the procedure as set out below. This tool and methodology is suitable for the scope of the Organisation’s ISMS (Section 1), the business objectives (3.1b1 above), the security, contractual, legal and regulatory requirements (3.1b2) above and risk management framework that were identified earlier. The selection criteria are set out in DOC 4.2. [ISO27001 4.2.1c] and the risk assessment procedure itself is carried out as described in DOC 4.4.

4.4.1 Scope

This method of risk assessment is applied throughout the Organization in respect of information risks.

4.4.2 Responsibilities

The Information Security Manager is responsible for carrying out risk assessments wherever they are required by the ISMS.

Procedure

4.4.3 Identity of Risks

4.4.3.1

DOC 7.1

[7]

DOC 7.1.

[7]

4.4.3.2 When new information assets (in the broad sense of DOC 7.1 [7]) are acquired, or existing assets in any way changed, those assets are added to the inventory and are treated in line with the requirements below.

4.4.3.3 The threats to each of those assets are identified in process 4.1. For each asset within the ISMS, all applicable threats are selected from the list of example threats. The Information Security Manager is responsible for ensuring that the list of threats is adequate for the ISMS.

4.4.3.4 The vulnerabilities that might be exploited by each of these threats are identified once each threat has been identified and listed.

4.4.3.5 Where new vulnerabilities or weaknesses are identified (for e.g., through the information security event reporting procedure in DOC 13.1 [7]), the risk database is updated and, if appropriate, the risk assessment procedure set out here is repeated and any changed controls implemented.

4.4.3.6 Risk of exposure is assessed using process 4.2. For each threat/vulnerability combination, the threat likelihood and vulnerability level are calculated and a brief explanation may added for further clarity. Finally, at this stage, the security properties that are affected by this exposure risk are identified.

4.4.4 Assess the Risks

4.4.4.1

4.4.4.2Within this process, a risk name is allocated to each threat/vulnerability combination and is placed within the appropriate risk category available.

4.4.5 Identify & Evaluate Options for the Treatment of Risks

4.4.5.1

DOC 4.3.

4.4.5.2For each of the risk treatment decisions, document the reasons for the decision in the appropriate tab, together with specific actions to be taken (usually, apply appropriate controls from Annex A of ISO 27001)

4.4.6 Select Control Objectives & Controls for Treatment of Risks

4.4.6.1

4.4.6.2 These control objectives and controls are then manually summarized into the Statement of Applicability.

4.4.6.3. Provide justifications for all selected controls and for non-selected controls. Once this is complete for all controls.

4.4.6.4The complete Statement of Applicability is printed out, a signed copy retained by the Information Security Manager and decision for each control objective and control is manually transferred to the ISMS Manual, which describes how each control is actually implemented.

4.4.7 Implementation

Controls are implemented according to relevant associated processes and OWIs pertaining to each threat.

The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.

A current version of this document is available to the Trust Centre team members on request.

This procedure was approved by the Director General of IT and the President of the CIO on 08 November 2007 and is issued on a version-controlled basis under their signatures.

4.5 Systematic approach to risk assessment
The Organisation has a documented approach (framework in DOC 4.3, tool in DOC 4.2 and procedure/methodology in DOC 4.4) to risk assessment.

4.6 Prepare a Statement of Applicability

4.6.1

DOC 4.4

4.6.2 Any controls or control objectives in Annex A of [ISO27001/ISO17799:2005] that are excluded are documented, together with the justification for their exclusion; any additional controls or control objectives that may be required are also documented in the Statement of Applicability.

4.6.3 The remaining residual risks are highlighted in the risk treatment plan (DOC 4.1) as required by DOC 4.3, and board authorisation is obtained for implementation of the ISMS.

4.6.4 Any changes to the risk treatment plan (DOC 4.1), which lead to a change in the ISMS, are subject to authorisation by the board.

Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO

____________________________ _______________________________

On:

08 November, 2007 08 November, 2007
____________________________ _______________________________
Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

5. Information Security Policy

5 [4] Information Security Policy
Control objective: The organization provides management direction and support for information security in accordance with business requirements and relevant laws and regulations of the Kingdom of Bahrain.

5.1.1 Information security policy document

The management team and the board of directors have approved and authorized an information security policy for the Organisation. This policy is set out below and is authorized for separate distribution under the President of CIO’s signature, with the reference DOC 5.1. A current version of this document is available to all staff and contractors, and to external parties [when signing supply contracts]. The development of the information security policy is carried out under the PDCA process described in Section 3 of the Information Security Manual.

INFORMATION SECURITY POLICY

The Board and management of The Central Informatics Organization [CIO], located at National Smart Card Centre [NSCC], Building 1088, Road 4025, Block 842, Isa Town and Government Data Network Centre, 1091, Road 4225, Juffair 342, and both locations are in the Kingdom of Bahrain and provide for the operation of the National ID card, identity verification and validation of the citizens and residents of the Kingdom of Bahrain is in the business of providing Digital Certificates [8] and related Public Key Infrastructure [PKI [5]] services, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the CIO CA [9] and RA areas in order to preserve the integrity, reputation and security of the citizens, residents and Government Departments and Agents it serves. Information and information security requirements will continue to be aligned with the CIO goals and the ISMS is intended to be an enabling mechanism for information sharing, for electronic operations and for reducing information-related risks to acceptable levels.
The CIO’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS. The risk assessment, Statement of Applicability and risk treatment plan identify how information-related risks are controlled. The Information Security Manager is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
In particular, business continuity and contingency plans, data back up procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in the Manual and are supported by specific, documented policies and procedures.
All employees of the CIO [and certain external parties identified in the ISMS] are expected to comply with this policy and with the ISMS that implements this policy. All staff, and certain external parties, will receive appropriate training, initially by the Digi-CAST3™ Team and ultimately by the Information Security Manager.

The CIO has established Trust Centre top-level management steering committee chaired by the Director General of IT and including the President of the CIO and the Chief Security Officer to support the ISMS framework and to periodically review the security policy.

The CIO is committed to achieving certification [10] of its ISMS to ISO27001:2005

This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan and at least annually.
In this policy, “information security” is defined as:
preserving
This means that management, all full time or part time staff, sub contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with the policy and procedures identified in Section 13 of the Manual) and to act in accordance with the requirements of the ISMS. The consequences of security policy violations are described in the [organization’s] disciplinary policy. All staff will receive information security awareness training and more specialized staff will receive appropriately specialized information security training
the availability.
This means that information and associated assets should be accessible to authorized users when required and therefore physically secure. The computer network identified as part of the scoping work for Section 1 of the Manual is resilient and the organization is able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There are appropriate business continuity plans to meet the requirements of the CIO Trust Centre as approved by the Director General of IT.
Confidentiality
This involves ensuring that information is only accessible to those authorized to access it and therefore to preventing both deliberate and accidental unauthorized access to the CIO Trust Centre’s information and proprietary knowledge and its systems including its network(s), website(s), extranet(s), and e-commerce systems.

And integrity
This involves safeguarding the accuracy and completeness of information and processing methods and therefore requires preventing deliberate or accidental, partial or complete, destruction, or unauthorized modification, of either physical assets or electronic data. There must be appropriate contingency [including for network(s), e-commerce system(s), web site(s), extranet(s)] and data back-up plans, and security incident reporting. The CIO Trust Centre will comply with all relevant data-related legislation in the Kingdom of Bahrain within which it operates.
Of the physical (assets)

The physical assets of the CIO Trust Centre including but not limited to computer hardware, data cabling, telephone systems, filing systems and physical data files and information assets
The information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, web site(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs as well as on CD ROMs, floppy disks, USB sticks, back up tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context “data” also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications, utilities, etc)
of the CIO.
The CIO Trust Centre and such partners that are part of our integrated network and have signed up to our security policy and have accepted our ISMS.

The ISMS is the Information Security Management System, of which this policy, the information security manual (“the Manual”) and other supporting and related documentation is a part, and which has been designed in accordance with the [specification contained in ISO27001:2005]

A SECURITY BREACH

A SECURITY BREACH is any incident or activity that causes or may cause a break down in the availability, confidentiality or integrity of the physical or electronic information assets of the Organization.

The Information Security Manager is the Owner of this document and is responsible for ensuring that this policy document is reviewed in line with the requirements in clause 5.1.2 in the Manual.

A current version of this document is available to all members of staff on the on request and as it does not contain confidential information, it can be released to relevant external parties.

This information security policy was approved by the Trust Centre Committee and the Directors of the CIO on 08 November, 2007 and is issued on a version-controlled basis under the signature of the Information Security Manager.

Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO

____________________________ _______________________________
On:

08 November, 2007 08 November, 2007
____________________________ _______________________________

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

5.1.2 Review of the information security policy

The Organisation’s information security policy is reviewed at planned intervals, or when and if significant changes occur, to ensure its continuing suitability, adequacy, and effectiveness.

5.1.2.1

5.1.2.2The Organisation has a defined procedure (DOC 5.2) for the management review of the information security policy, and this includes continuous improvement, and assessing policy changes that might be necessary in response to significant changes in the organisational environment, business circumstances, legal conditions or technical environment.

Note: The Information Security Manager accepts his role as owner of this document and intends to conduct several internal audits before 30 November, 2007 to ensure all aspects of the ISMS are correct, accurate and that this ISMS accurately reflects the total CIO Trust Centre environment.

5.1.2.3 All changes to the information security policy are subject to approval by the Organisation’s board.

Adlin Hisyamuddin
Information Security Manager
____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

6. Organisation of Information Security

6 Organisation of Information Security

6.1 Internal Organisation

[4] Control objective: management of information security within the Organisation and establishment of a management framework for the initiation, implementation and control of the ISMS.

6.1.1

The Organisation’s management actively supports information security within the Organisation through clear direction, demonstrated commitment, explicit assignment and acknowledgement of its – and everyone else’s - information security responsibilities.

6.1.1.1

6.1.1.2

6.1.1.3 The board has allocated clear responsibilities to management and specific individuals for specific aspects of information security and these responsibilities are documented throughout the ISMS.

6.1.1.4The board has ensured that there are adequately funded, resourced and trained to provide the level of information security it requires.

6.1.1.5The board has identified the need for specialist information security advice and has appointed Digi-Sign & Vigitrust to provide this expertise, reporting to the Director General of IT. The Director General of IT is responsible for reviewing the effectiveness and value of this advice and ensuring that it is co-ordinated across the Organisation.

6.1.1.6 The board has set up a dedicated management group to support the Director General of IT in managing information security within the Organisation, to be called the Information Security Committee. The goals of this committee, its members and its method of working are set out in procedure DOC 6.1.

6.1.2 Information security co-ordination

Due to the small size of the organisation, it co-ordinates its information security activities through a the Trust Centre Managers consisting of Director General of IT and the Information Security Manager from different parts of the organisation who have relevant roles and job functions

6.1.2.1

DOC 6.2.

The Organisation has clearly defined all information security responsibilities.

6.1.3 Allocation of information security responsibilities

6.1.3.1

6.1.3.2 The Director General of IT, who has lead responsibility in the management team for information security (see 6.1.1.2 ) for the development, implementation and maintenance of the ISMS.

6.1.3.3 The Information Security Manager reports to the Director General of IT.

6.1.3.4 The Information Security Manager’s responsibilities are documented in his job description and includes the day-to-day responsibility for the implementation and maintenance of the ISMS.

The Organisation has clearly defined all information security responsibilities

6.1.3.5 All staff (and certain third party contractors) have accepted their specific responsibilities in the User Agreements which they sign before they are authorized to access organisational information assets.

6.1.3.6 All information assets have been identified (see 7.1.1 [7]) and the security processes associated with each asset have been defined following a risk assessment (see sub section 4.4 [7]) and documented on the asset inventory schedules (see sub section 7.1 [7]).

6.1.3.7 All assets have identified Owners (see 7.1.2 [7]), whose responsibility for the day-to-day maintenance of the controls applied to their asset is documented in their job descriptions (see 8.1.1 [7]) and elsewhere through the ISMS.

6.1.3.8 The two sites have an identified Site Manager, the Information Security Manager, who is responsible for co-ordinating information security activities or carrying out specific processes within the two sites in line with the Manual and applicable procedures. The authority of this individual is in their job descriptions (see 8.1.1 [7]).

6.1.3.9 Authorisation levels are clearly defined and documented (see manual sub section 2.2) and enforce segregation of duties (see 10.1.3 [7]).

6.1.4 Authorisation process for information processing facilities

The Organisation has defined and implemented a management authorisation process (see DOC 6.4) for new information processing facilities.

6.1.5 Confidentiality agreements

A confidentiality and non-disclosure agreement (DOC 6.5) reflecting the Organisation’s requirements for the handling of information is in place (also see 8.1.3 [7]) and is reviewed regularly

6.1.6 Contact with authorities

The Organisation maintains appropriate contacts with relevant authorities

6.1.6.1

6.1.7 Contact with special interest groups

The organisation maintains appropriate contact with special interest groups and other specialist security forums and professional associations

6.1.7.1

6.1.7.2 The Information Security Manager is required to ensure the Organisation has up-to-date information security knowledge, including about the changing malware threat environment.

6.1.7.3 The Organisation’s Information Security Incident Management procedure (see Section 13 [7]) requires the Information Security Manager to have suitable liaison for dealing with incidents

6.1.8 Independent review of information security
The Organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, rules, processes and procedures for information security) is independently reviewed at planned intervals, and when significant changes to the security implementation occur.

6.1.8.1

6.1.8.2 The ISMS is also subject to periodic reviews by external compliance [11] auditors.

6.1.8.3 Risk assessments are [independently] reviewed annually to ensure that they are still complete and up-to-date.

6.2 External Parties

Control objective: to maintain the security of organisational information processing facilities and information assets that are accessed, processed, communicated to or managed by external parties

6.2.1 Identification of risks related to external parties

The Organisation’s procedures for identifying risks to its information assets and information processing facilities from business processes involving external parties, and for implementing appropriate controls before granting access, are identified in DOC 6.8.

6.2.2 Addressing security when dealing with customers

All identified security requirements are addressed, in line with the procedure in DOC 6.8 and the Organisation does not apply this control because none of its customers access any of its information assets.

6.2.3 Addressing security in third party agreements

Agreements with third parties involving accessing, processing, communicating or managing organisational information assets or information processing facilities, or adding products or services to information processing facilities, contain or refer to all identified security requirements, as required in DOC 6.8, and third parties are not allowed to access the Organisation’s information assets until such an agreement has been signed.

6.2.3.1 Where an external provider has a standard agreement and no provision to vary it to meet a client’s requirement, the external parties standard clauses are assessed against the Organisation’s requirements and the risk associated with the gap is assessed before deciding whether or not to proceed with the offered terms. Where there is a significant variation between the requirements and what is offered, the Director General of IT’s approval to proceed with the provider is required.

6.3 Authorizing New Information Processing Facilities

6.3.1 Scope

“Facility” is defined as “any system(s) or device(s) that will be used to process or store organizational information or that will connect to an organizational network or other information processing facility.” It includes hardware, software and services.

6.3.2 Responsibilities

6.3.2.1

6.3.2.2

6.3.2.3

6.3.2.4

6.3.2.5

6.3.3 Procedure

a) Approved (as to adequacy for the business purpose) and authorized by the line manager who/whose team will use them (business approval);
b) Approved and authorized by the local Site Managers (see 6.1.3.8) as to meeting all relevant security policies and requirements are met (site approval);
c) Approved and authorized by the IT Manager as to compatibility with current (and planned future) system components (technical approval);
d) Approved and authorized by the Information Security Manager as to meeting information security requirements (e.g. information classification, anti-malware, etc) (security approval).
e) Signatures and dates must be on the procurement documentation before the procurement can proceed.

6.3.4 Information Processing Devices

User-level information processing devices (notebooks, PDAs, mobile phones, etc) are all considered as “facilities” in terms of this procedure and the Organization requires each individual deployment of any such device to be approved and authorized in line with this procedure. Where relevant, a risk assessment will be carried out in line with DOC 4.4 [7]

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

7. Asset Management

Control objective: to achieve and maintain appropriate protection of organizational assets.

[4] 7.1.Responsibility for Asset

7.1.1 Inventory of assets

All information assets are clearly identified, and an inventory of all important assets has been drawn up and is maintained in line with the requirements of DOC 7.1

7.1.2 Ownership of assets

All assets associated with the information systems or services are ‘owned’ by a designated individual or part of the Organisation, and details of the Owner are identified on the asset inventory in line with DOC 7.1.

7.1.3 Acceptable use of assets

Rules for the acceptable use of information and assets associated with information processing facilities have been identified, documented and implemented.

7.1.3.1

11.2

[7]

DOC 7.2

7.1.3.2These User Agreements (see sub section 11.2 [7]) also explicitly accept the Organisation’s Rules for Use of E-mail (DOC 7.3).

7.1.3.3The Information Security Manager is responsible for monitoring compliance, as set out in Work Instruction DOC 7.4, with the AUP as set out in 5.1.1 of this manual

7.1.3.4Guidelines for the use of mobile devices are included in the ‘mobile on the road’ annex to the User Agreement (see sub sections 11.2 [7] 11.7 [7]) for users issued with such devices.

7.2 Information Classification

Control objective: to ensure that information receives an appropriate level of protection

7.2.1

Information has been classified in terms of value, legal requirements, sensitivity and criticality to the Organisation

7.2.1.1

7.2.2 Information labelling and handling
An appropriate set of procedures for information labelling and handling has been developed in accordance with the classification scheme adopted by the Organisation and this is set out in DOC 7.6

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

8. Human Resource Security

Control objective: to ensure that all employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

[4] 8.1 Prior to Employment

8.1.1 Roles and responsibilities

Security roles and responsibilities of employees, contractors and third party users have been defined and documented as required by the Organisation’s information security policy.

8.1.1.1

8.1.1.2 The Information Security Manager is responsible for ensuring that information security and IT staff have specific information security responsibilities and that these are detailed in their job descriptions.

8.1.1.3 The Civil Service Bureau is responsible for ensuring that all users sign User Agreements (see 11.2 [7]) before they are allowed to access Organisational information assets; these User Agreements contain specific information security responsibilities.

8.1.1.4 Owners of information assets have specific responsibilities, and these are documented in sub section 7.1.2 above.

8.1.1.5Other responsibilities are identified as necessary throughout the ISMS.

8.1.2 Screening

Background verification checks on all candidates for employment, contractors and third party users are carried out in line with DOC 8.1 and in accordance with the laws, regulations and ethics of the Kingdom of Bahrain, and proportional to the Organization business requirements, the classification of the information to be accessed, and the perceived risks

8.1.3 Terms and conditions of employment
Employees, contractors and third party users must agree and sign the terms and conditions of their employment contract, which state their and the Organization responsibility for information security

8.2 During Employment
Control objective: to ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

8.2.1 Management responsibilities

8.2.1.1

8.2.2

8.2.1.2 Management ensures that employees, contractors and third parties receive guidelines on security expectations (User Agreement, job descriptions and terms and conditions of employment).

8.2.1.3 Management provides personal leadership and example in information security and ensures that the Organization policies and procedures are followed (see 6.1.8 [7]).

8.2.2. Information security awareness, education and training

All employees of the Organization and, where relevant, contractors and third party users receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

8.2.2.1

8.2.2.2 The Information Security Manager is responsible fore ensuring that all users receive regular updates and alerts on information security issues as and when necessary, and that additional security-related training is made available as and when required.

8.2.2.3 The Information Security Manager is responsible for ensuring that specialized information security staff receive appropriate specialist training in line with their job requirements.

8.2.3 Disciplinary process

The Organisation has a formal disciplinary process for employees who have committed a security breach

8.2.3.1

8.3 Termination or Change of Employment
Control objective: to ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner

8.3.1 Termination responsibilities

8.3.2 Return of assets
All employees, contractors and third party users are required to return all Organisational assets in their possession upon termination of their employment, contract or agreement.

8.3.3 Removal of access rights
The access rights of all employees, contractors and third party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change

Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO

____________________________ _______________________________

On:

08 November, 2007 08 November, 2007
____________________________ _______________________________

9. Physical & Environment Security

Control objective: to prevent unauthorized physical access, damage and interference to the organization premises and information.

[4] 9.1 Secure Areas

9.1.1 Physical security perimeter

The Organization uses security perimeters to protect areas that contain information and information processing facilities.

9.1.1.1

DOC 9.7

9.1.1.2 The Information Security Manager is responsible for maintaining both site’s secure perimeter.

9.1.1.3 The Organization central information processing facilities are within secure areas, each of which have Owners (see sub section 7.1.2 [7]) that are themselves within a site’s secure perimeter.

9.1.1.4 The Information Security Manager has a site map for each site or secure area, together with a current security checklist DOC in sub section 9.7 that identifies the current state of conformity to the requirements in that checklist.

9.1.2 Physical entry controls
Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

9.1.2.1

4.4

[7]

DOC 9.8.

9.1.2.2The Information Security Manager is responsible for maintaining required physical entry controls.

9.1.3 Securing offices, rooms and facilities

The Organization has designed and applied physical security for offices, rooms and facilities.

9.1.3.1

DOC 4.4

[7]

DOC 9.7.

6.2.3

[7]

9.1.4 Protecting against external and environmental threats

The Organization has designed and applied physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster

9.1.4.1

DOC 9.7

14

[7]

9.1.5 Working in secure areas

The Organization has designed and applied physical protection and guidelines for working in secure areas and these are contained in DOC 9.8.

9.1.6 Public access, delivery and loading areas

Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises are controlled and isolated from information processing facilities to avoid unauthorized access.

9.1.6.1

9.2 Equipment security

Control objective: to prevent loss, damage, theft or compromise of assets and interruption to the organization activities

9.2.1 Equipment site locating and protection

Equipment is sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access

9.2.1.1

9.2.2 Supporting utilities
Equipment is protected from power failures and other disruptions caused by failures in supporting utilities.

9.2.2.1

DOC 9.10

9.2.3 Cabling security
Power and telecommunications cabling carrying data or supporting information services is protected from interception or damage

9.2.3.1

DOC 9.10

9.2.4 Equipment maintenance
Equipment is correctly maintained to ensure its continued availability and integrity

9.2.4.1

DOC 9.10

9.2.5 Security of equipment off-premises

Security is applied to off-site equipment taking into account the different risks of working outside the Organization premises

9.2.5.1

11.1

[7]

9.2.5.2 Home working is not permitted for the Trust Centre.

9.2.5.3 The Organization specifically does not provides cover against loss of or damage to mobile devices because no mobile divides are used by the Trust Centre.

9.2.6 Secure disposal or re-use of equipment
All items of equipment containing storage media are checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal

9.2.6.1

9.2.7 Removal of property
Equipment, information or software may not be taken off-site without prior authorization as required by DOC 9.12

9.7 Additional requirements

9.7.1

9.7.2 If there is a computer or communications room or other designated secure area within one of the Organization’s sites, treat it as a separate set of premises and complete a checklist for each room AS WELL AS for the site.

9.7.3Ensure any Health and Safety issues have been identified and resolved.

PREMISES INSPECTION
Site Address:

Date and time of Inspection:
Inspector:

9.7.3 Attach a current site (room) map, with the physical security perimeter clearly marked.

9.7.4 Identify and list the information assets that are on the site together with their information security classification:

9.7.5 Checklist (identify improvement requirements):

a) Completeness of perimeter:
b) External walls of solid construction:
c) Access possible over walls/through roof?
d) Access possible under walls?
e) External doors solid?
1. With required locks/breach alarms?
2. With automatic closing mechanisms?
3. Remote access doors protected by cameras?
f) External windows locked/barred?
g) Fire doors alarmed and monitored in accordance with Work Instruction DOC 9.2
h) Fire alarms installed and working (DOC 9.2)
i) Fire suppression equipment installed and working (DOC 9.4)
j) Burglar/intruder alarms installed and working (DOC 9.3)
1. All [accessible] external windows covered?
2. All external doors covered?
3. Unoccupied areas alarmed at all times?
4. Reception area controlled (DOC 9.6)
k) Air conditioning installed and working (DOC 9.5)
l) Health and safety regulations [insert details of relevant code] applied?
m) (If it houses systems processing confidential information) how easy is it for the public to access the facility?
n) (If it houses systems processing confidential information) how unobtrusive is this to the public? Are there any obvious signs of information processing activities?
o) Are internal directories appropriately classified to restrict access to details of confidential sites?
p) Are hazardous, combustible materials safely stored (at a safe distance from a secure area)?
q) Are bulk supplies of non-confidential items stored outside secure areas?
r) Are necessary fire extinguishers available [insert details of requirements] and tested [insert details of testing regime]?

Distribution: copies of this report are held by the Premises Security Manager and the Information Security Manager.

The Site Security Managers at the CIO are the owners of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.

9.8 Physical Entry Controls & Secure Areas

1 Scope

All designated secure areas (see DOC 9.7 and DOC 9.10) on any of the Organization’s premises are subject to controlled access and usage.

2 Responsibilities

2.1

7.1.2

[7]

2.2 The [Site Manager/secure area Owner] is responsible for authorizing access to secure areas.

2.3 All employees, contractors and third parties have certain responsibilities as defined below. Procedure

3 Secure areas must be locked at all times. The lock specification is as set out in sub section 11.1 [7] of this manual. The Owner must check the secure area at least once per day, even if no-one is working in it.

4 Access to secure areas/areas where confidential or restricted information is processed (including in conversation) or stored is restricted to authorized persons. Authorization is provided as set out in sub section 11.1 [7] of this manual.

5 Access to secure areas requires authentication and authorized persons are issued with username and password access controls as provided and set out in sub section 11.1 [7] of this manual.

6 The Owner of a secure area is responsible for ensuring that no unsupervised working takes place within the secure area.

7 The authentication system retains a record of accesses and these are reviewed monthly to identify any unauthorized accesses.

9 The Owner of a secure area is responsible for ensuring that photographic, video, audio or other recording equipment and mobile phone cameras are not taken into the secure area.

10 All employees, contractors and third parties are required to wear an identification badge issued by the Guards at the entry point to the National Smart Card Centre on arrival. These ID cards are only issued upon presentation and verification of a Passport or CPR card and are required to notify security if they encounter unescorted visitors and anyone not wearing required identification (see DOC 9.6).

11 Third party support personnel only have access to secure areas when required and this access is specifically requested, authorized and monitored as set out in sub section 11.1 [7] of this manual.

12 In general, the Owner of a secure area and all those who are authorized to work within it, are required only to divulge details of the area and what is done in the area to other staff on a need to know basis.

9.10 Equipment Security

All information processing equipment owned or used by the Organization is subject to secure site location and protection requirements.

9.10.2 Responsibilities

9.10.2.1

9.10.2.2 The Site Managers are responsible for ensuring that equipment is protected from possible power supplies and other power-related disruptions.

9.10.2.3 The Site Managers are responsible for cabling security.

9.10.2.4 The Site Managers are is responsible for maintenance of equipment.

9.10.2.5 The Site Managers are responsible for the secure site location or all telecommunications facilities.

9.10.2.6 The Information Security Manager is responsible for defining and resourcing business continuity needs.

9.10.2.7The Director General of IT is responsible for insurance.

9.10.2.8 Where necessary, other responsibilities are identified in the course of this procedure.

9.10.2.10 Access to secure areas is controlled in line with DOC 9.8.

9.10.3 Site location and protection of equipment [ISO 17799 clause 9.2.1]

The requirements are:

a) That equipment is sited so as to minimize [public/unnecessary] access to work areas;
b) Information processing and storage equipment (including faxes, photocopiers and telephone equipment used for confidential information) is sited in secure areas [server/communications rooms/secured offices] so that it is not possible for confidential information to be seen by unauthorized people;
c) Secure areas are subject to the same level of physical perimeter protection as secure sites;
d) Equipment that requires special protection is isolated in the CA [9] Inner Core Room;
e) Controls are implemented to deal with theft (see sub section 9.1 of the Manual), natural or man-made disaster (see sub section 9.1.4 of the Manual).
f) The Organization does not allow smoking inside any of its sites, nor does it allow eating or drinking inside secure areas;
g) Secure areas are monitored for temperature increases above X degrees Celsius and an acceptable limit has been set at X degrees Celsius and the Information Security Manager receives an immediate alert as set out in the OWI for the fire detection system once they are breached.

9.10.4 Supporting utilities [ISO 17799 clause 9.2.2]

9.10.4.1

b) The Site Managers are responsible for ensuring that Heating and Ventilation engineers provide a formal report on the heating, cooling/air conditioning and ventilation requirements of each secure area and each site that contains information processing equipment and for reporting on the adequacy or otherwise of current installations. Shortfalls in requirements are to be treated by escalating their concerns to the Information Security Manager for Risk Assessment, treatment and the creation of an Operation Work Instruction [OWI] as necessary.

c) The Site Managers are responsible for ensuring that all supporting utilities and equipment is inspected (also see DOC 9.7 and DOC 9.8) on a frequency determined by manufacturer’s recommendations [and previous inspections] and that inspection certificates are retained in line with sub section 15.1.3 of the Manual.

9.10.4.2 A UPS is installed outside each secure area and their operation and working are outside the scope of this ISMS other than to state that they are available and operational as a ‘fail over’ power supply. The Information Security Manager has assessed the risk of their failure and prepared the OWI in Appendix III to address the Risk associated with this system.

9.10.5 Cabling security [ISO 17799 clause 9.2.3]

9.10.5.1

9.10.5.2Network cabling is protected from unauthorized access by virtue of this being a closed network and power and network cables are segregated using separate conduits and clearly marked for ease of maintenance on the site map.

9.10.5.3Connections between these are further protected by:
a) Electromagnetic shielding for cables;
e) Technical sweeps and physical inspections that are carried out by the Information Security Manager and/or the Security Administrator to ensure that no unauthorized devices are attached to cables.

9.10.6 Equipment maintenance [ISO 17799 clause 9.2.4] Information Security Manager

9.10.6.1

DOC 9.7

9.10.6.2 Only authorized and experienced maintenance personnel and only from suppliers identified on the current signed Asset List are permitted to carry out maintenance at the Trust Centre in line with the policy set out in sub section 11.1 [7] of this manual.

9.10.6.3 Equipment that processes or stores confidential information is serviced only by technicians who have been screened in line with the requirements of 8.1.2 of the Manual is cleaned of confidential information prior to servicing.

9.10.6.4 The Organization’s insurance policy is the responsibility of the Director General of IT and is outside the commitments normally associated with a private enterprise.

Scope

The Organization requires, under sub section 9.2.6 of the Manual, that all removable storage media are clean (which means: it is not possible to read or re-constitute the information that was stored on the device or document) prior to disposal.

Responsibilities

The Information Security Manager is responsible for managing the secure disposal of all storage media in line with this procedure when they are no longer required, and is the Owner of the relationship with Al Falwa Cleaning WLL who is the approved contractor for removing shredded documents.

All Owners (see sub section 7.1.2 [7] of the Manual) of removable storage media are responsible for ensuring that these media are disposed of in line with this procedure.

Procedure [ISO 17799 clause 9.2.6]

Hard disks must be cleared of all software and all Organizational confidential and restricted information prior to disposal or re-use, as set out in clause 5 below.

The Information Security Manager is responsible for the secure disposal of storage media and the disposal of all information processing equipment is routed through his/her office. A log (REC 9.1) is retained showing what media was destroyed, disposed of, and when. The asset inventory is adjusted once the asset has been disposed of.

Hard disks are cleaned by the Security Administrator prior to destruction.

Devices containing confidential information are broken and then burnt prior to disposal and are never re-used.

Devices containing confidential information that are damaged are subject to a risk assessment prior to sending for repair, to establish whether they should be repaired or replaced in which case they are destroyed according to this procedure.

Documents containing confidential and restricted information which are to be destroyed are shredded by their owners, using a shredder with an appropriate security classification. These shredders are located in the ISA Town National Smart Card Centre outside the Trust Centre. The waste is removed by the approved contractor.

The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.

Yousif Mohammed Ali Muthanna Yousif Mohammed Abdulla
Site Security Manager Site Security Manager

____________________________ ____________________________

On: On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

10. Communications & Operations Management

10.1. Operational Procedures & Responsibilities

[4]

10.1.1 Documented operating procedures

10.1.1.1

DOC 10.1.

10.1.2 Change management

Changes to information processing facilities and systems are controlled

10.1.2.1

DOC 10.7

10.1.3 Segregation of duties

Duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of organisational assets

10.1.3.1

1. Risk Assessment Adlin Hisyamuddin - Information Security Manager, Head PKI [5]
2. Authorisation of Controls Mubarak Abdulla Alhiddi - CSO/CIO
3. Change Initiation Ahmed Essa Abualfath - Computer Security Administrator
4. Change Management Shaikh Salman Mohammed Al-Khalifa – Director General of IT
5. Network Management Khalid Al Othman – Chief, Network
6. Network Administration Khalid Ali Al Jalahma – Network Administrator
7. IT Operations Mohammed Al-Yassi – Director IT Operations
8. Software Development Sameh Abo-El-Ela
9. System Testing Osama Khalid Rafai - Computer Security Administrator
10. Employee Administration Hesham Al-Ghatam - Chief, Personnel & Admin’ Development
11. Asset Purchase Khulood Al-Jassim - Supervisor Administration Service
12. Site/Secure Area Security Adel Khalifa Bu-Alai - Chief of Police in Juffair
13. Site/Secure Area Security Mohammed Hamdan Mohammed - Chief of Police in Isa Town
14. Security Audit Osama Khalid Rafai - Computer Security Administrator
15. PKI Manager Adlin Hisyamuddin - Information Security Manager, Head PKI
16. Physical Site Security Yousif Mohammed Ali Muthanna – Site Security Manager
17. Physical Site Security Yousif Mohammed Abdulla – Site Security Manager

10.1.3.2 Segregation of duties is built into procedures, including the requirement that that the Owner of a procedure or process cannot authorize its modification, withdrawal or release.

10.1.3.3 Activity monitoring, audit trails and management supervision are used to support duty segregation.

10.1.4 Separation of development, test and operational facilities

Development, test and operational facilities are separated to reduce the risks of unauthorized access or changes to the operational system

10.1.4.1

DOC 10.8.

10.2 Third Party Service Delivery Management

Control objective: to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements

10.2.1 Service delivery

The Organization ensures that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party

10.2.1.1

6.2

[7]

7.1.2

[7]

DOC 6.8.

[7]

10.2.1.2 The Information Security Manager is responsible for ensuring that external party services are linked into the Organisation’s business continuity framework and arrangements (see Section 14 [7]).

10.2.2 Monitoring and review of third party services
The Organisation regularly monitors and reviews the services, reports and records provided by third parties and carries out regular audits

10.2.2.1

DOC 10.9

10.2.3 Managing changes to third party services

The Organisation manages changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, taking account of the criticality of business systems and processes involved and re-assessment of risks, and the procedures for doing this are contained in DOC 6.8. [7]

10.3 System Planning & Acceptance

Control objective: to minimize the risks of systems failures

10.3.1 Capacity management

DOC 10.10

10.3.2 System acceptance
Acceptance criteria for new information systems, upgrades and new versions have been established and suitable tests of the system(s) are carried out during development and prior to acceptance, all as specified in DOC 10.10. rotection

10.4 Protection Against Malicious & Mobile Code

Control objective: to protect the integrity of software and information

10.4.1 Controls against malicious code

Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures have been implemented

10.4.1.1

10.4.2 Controls against mobile code

The execution of mobile code is prohibited in the Trust Centre

10.5 Back-Up

Control objective: to maintain the integrity and availability of information and information processing facilities

10.5.1 Information back-up

Back-up copies of information and software are taken and tested regularly in accordance with the agreed back-up policy below

10.5.1.1

14

[7]

10.6 Network Security Management

Control objective: to ensure the safeguarding of information in networks and the protection of the supporting infrastructure

10.6.1 Network controls

Networks are managed and controlled as set out in DOC 10.14, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit

10.6.2 Security of network services

Security features, service levels and management requirements of all network services have been identified and included in the network service level agreement and are managed in line with DOC 10.14.

10.7 Media Handling
Control objective: to prevent the unauthorized disclosure, modification, removal or destruction of assets and interruption to business activities

10.7.1 Management of removable computer media

10.7.2 Disposal of media
Media are disposed of securely and safely when no longer required, in line with DOC 9.11. [7]

10.7.3 Information handling procedures
Procedures for the handling and storage of information are set out in DOC 7.6 [7] and DOC 10.15 to protect this information from unauthorized disclosure or misuse

10.7.4 Security of system documentation
System documentation is protected against unauthorized access, as set out in DOC 10.15.

10.8 Exchanges of Information

Control objective: to maintain the security of information exchanged within an organization and with any external entity

10.8.1 Information exchange policies and procedures

Formal exchange policies, procedures and controls are in place to protect the exchange of information through the use of all types of communication facilities

10.8.1.1

DOC 7.2

[7]

DOC 7.3

[7]

DOC 7.6

[7]

10.8.1.2 The wireless user’s addendum to the standard User Agreement (see sub section 11.1 [7] of this Manual) sets out how wireless communication is protected.

10.8.1.3 The mobile phone user’s addendum to the standard User Agreement (see sub section 11.1 [7] of this Manual) sets out how mobile voice communication is protected.

10.8.1.4 The organization has a procedure (DOC 7.11) for secure voice communication at all its sites.

10.8.1.5 The Organization use of cryptographic techniques is controlled under sub section 12.3 [7] below.

10.8.1.6 The Organization has procedures for handling (DOC 10.15), retention (DOC 15.2 [7]) and disposal (DOC 9.11 [7]) of information and related media.

10.8.2 Exchange agreements

Agreements are established in line with DOC 6.8 [7] for the exchange of information and software between the Organization and external parties

10.8.3 Physical media in transit

DOC 9.12 [7] sets out how the Organization ensures that media are protected against unauthorized access, misuse or corruption during transportation beyond the Organization physical boundaries

10.8.4 Electronic messaging
Messaging is outbound only and no inbound email system exists within the CIO Trust Centre

10.8.5 Business information systems

A policy and procedures have been developed and implemented to protect information associated with the interconnection of business information systems.

10.8.5.1

DOC 7.6

[7]

10.9 Electronic Commerce Services
Control objective: to ensure the security of electronic commerce services, and their secure use

10.9.1 Electronic Commerce

Electronic commerce information passing over public networks is protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification as set out in DOC 10.17.

10.9.2 On-line Transactions
Information involved in on-line transactions is protected in line with DOC 10.17 to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized message duplication or replay

10.9.3 Publicly available information

The integrity of information being made available on a publicly available system is protected in DOC 10.17 to prevent unauthorized modification

10.10 Monitoring
Control objective: to detect unauthorized information processing activities

10.10.1 Audit logging

Audit logs recording user activities, exceptions and information security events are produced and kept, in line with DOC 10.18, for a period specified in DOC 15.2 [7] to assist in future investigations and access control monitoring

10.10.2 Monitoring system use

Procedures for monitoring use of information processing facilities have been established in DOC 10.18 and the results of the monitoring activities are reviewed [regularly]

10.10.3 Protection of log information

Logging facilities and log information are protected against tampering and unauthorized access, as required by DOC 10.18
10.10.4 Administrator and operator logs
System administrator and system operator activities are logged as required by DOC 10.18

10.10.5 Fault logging

Faults are logged, analysed and appropriate action taken, all in line with DOC 10.18

10.10.6 Clock synchronization

The clocks of all relevant information processing systems within the organisation are synchronized with an agreed accurate time source as specified in DOC 10.18.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

11. Access Control

Control objective: to control access to information

[4] 11.1 Business Requirement For Access Control

11.1.1 Access control policy

An access control policy has been established, documented in DOC 11.1, and is reviewed when required in the light of business and security needs. In addition, as the Trust Centre protects National Assets, the following are the physical procedures that must be followed every time the Trust Centre in the National Smart Card Centre in Isa Town is accessed.

Administration Area

When access is required to the Administration Area of the Trust Centre, any two of following five members are required in addition to one of the Police Officers, tasked by Mohammed Hamdan Mohammed, to guard the Trust Centre must supervise their entry, and wait in attendance directly outside the door of the Administration Area until all the people that entered, exit at the same time. No one is ever permitted to enter the Trust Centre Administration Area alone, under any conditions. And no one is permitted to remain in the Trust Centre Administration Area unaccompanied by one of the following personnel:

If any of the above personnel are absent they can be represented/replaced by the Director General of IT, or the President of the CIO.

Outer Core

When access is required to the Outer Core Area of the Trust Centre, all three of following members are required in addition to one of the Police Officers, tasked by Mohammed Hamdan Mohammed, to guard the Trust Centre must supervise their entry, and wait in attendance directly outside the door of the Outer Area until all the people that entered, exit at the same time. No one is ever permitted to enter the Trust Centre Administration Area alone, under any conditions. And no one is permitted to remain in the Trust Centre Outer Core Area unaccompanied by all of the following personnel:

If any of the above personnel are absent they can be represented/replaced by the Director General of IT, or the President of the CIO.

Inner Core
When access is required to the Inner Core Area of the Trust Centre, all three of following members are required in addition to one of the Police Officers, tasked by Mohammed Hamdan Mohammed, to guard the Trust Centre must supervise their entry, and wait in attendance directly outside the door of the Outer Area until all the people that entered, exit at the same time. No one is ever permitted to enter the Trust Centre Administration Area alone, under any conditions. And no one is permitted to remain in the Trust Centre Inner Core Area unaccompanied by all of the following personnel:

If any of the above personnel are absent they can be represented/replaced by the Director General of IT, or the President of the CIO.

Setting Access Control on the Idendix System

Access to all areas of the Trust Centre is controlled by the Identix biometric locking system on all of the doors. The system is configured according to the policy set out in sub section 11.1 above. Only two people have the username and password to access this system:

The Identix control system is located in the Administration Area of the Trust Centre and as no one can access this area alone, both people will be monitored by one of the other personnel with access rights to the Administration Area. A change log must be signed by the Director General of IT or the President of the CIO to change the access configuration for any of the doors in the Trust Centre.

No changes to this system are permitted without this change control document signed by the Director General of IT or the President of the CIO.

In addition, as part of the monthly controls checking procedure, the Information Security Manager will check the los on the Identix system, print out these logs and sign them to demonstrate that no unauthorised changes have occurred without authorisation.

11.2 User Access Management

Control objective: to ensure authorized users’ access and to prevent unauthorised access to information systems

11.2.1 User registration

DOC 11.3

DOC 11.4

11.2.2 Privilege management
The allocation and use of privileges is restricted and controlled in DOC 11.3

11.2.3 User password management
The allocation of passwords is controlled through a formal management process as set out in DOC 11.3

11.2.4 Review of user access rights

Management reviews users’ access rights at regular intervals using the formal process as set out in DOC 11.3

11.3 User Responsibilities

Control objective: to prevent unauthorized user access, and compromise or theft of information and information processing facilities

11.3.1 Password use

Users are required (in their User Agreements DOC 11.4) to follow good security practices in the selection and use of passwords

11.3.2 Unattended user equipment

Users are required (in their User Agreements DOC 11.4) to ensure that unattended equipment has appropriate protection

11.3.3 Clear desk and screen policy

The Organisation has adopted a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities and the requirement for compliance [12] with this policy is set out in DOC 11.4.

11.4 Network Access Control

Control objective: to prevent unauthorized access to networked services

11.4.1 Policy on use of network services

DOC 11.7

11.4.2 User authentication for external connections

DOC 11.8 sets out the authentication methods that are used to control access by remote users.

11.4.3 Equipment identification in the network

Automatic equipment identification is used as set out in DOC 11.8 as a means to authenticate connections from specific locations and equipment

11.4.4 Remote diagnostic and configuration port protection

Physical and logical access to diagnostic and configuration ports is controlled as required by DOC 11.8.

11.4.5 Segregation in networks

Groups of information services, users and information systems are segregated in the network(s) in line with the requirements of DOC 11.7 and 11.8

11.4.6 Network connection control

The Organization has a single shared network which extends across the organizational boundaries; the Organization restricts the capability of users to connect to the network, in line with the access control policy (DOC 11.1) and requirements of the business applications and as set out in DOC 11.8.

11.4.7 Network routing control

Routing controls have been implemented in line with DOC 11.8 for the Organization networks to ensure that computer connections and information flows do not breach the Organization access control policy as applied to the business applications

11.5 Operating System Access Control

Control objective: to prevent unauthorized access to operating systems

11.5.1 Secure log-on procedure

Access to information systems is controlled by the secure log-on procedure set out in DOC 11.9

11.5.2 User identification and authentication

All users have a unique identifier (user ID) for their personal and sole use, issued in line with the requirements of DOC 11.3, and [a suitable authentication technique] has been chosen to substantiate the claimed identity of a user

11.5.3 Password management system

The password management system set out in DOC 11.3 ensures quality passwords

11.5.4 Use of system utilities

The use of utility programs that might be capable of overriding system and application controls is restricted and controlled as specified in DOC 11.10.

11.5.5 Session time-out

Inactive sessions are shut down in accordance with DOC 11.9 after a defined period of inactivity

11.5.6 Limitation of connection time

Restrictions on connection times are used to provide additional security for high-risk applications, as specified in DOC 11.8.

11.6 Application & Information Access Control

Control objective: to prevent unauthorized access to information held in application systems

11.6.1 Information access restriction

Access to information and application system functions by users and support personnel is restricted in DOC 11.2 in accordance with the access control policy in DOC 11.1

11.6.2 Sensitive system isolation

Sensitive systems have a dedicated (isolated) computing environment as provided in DOC 11.9

11.7 Mobile Computing & Teleworking

Control objective: to ensure information security when using mobile computing and teleworking facilities

11.7.1 Mobile computing and communications

A formal policy is in place and appropriate security measures have been adopted to protect against the risks of using mobile computing and communication facilities

11.7.1.1

DOC 11.4

DOC 11.5

11.6

11.7.2 Teleworking

Is not permitted in the Trust Centre.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

12. Information Systems

Information Systems Acquisition, Development & Maintenance

Control objective: to ensure that security is an integral party of information systems

[4]12.1 Security Requirements of Information Systems

12.1.1 Security requirements analysis and specification

12.1.1.1

DOC 4.4

[7]

4.4

[7]

12.1.1.2 Application controls that ensure correct processing are also (where appropriate) considered at the design stage.

12.1.1.3 Software is subject to testing and formal approval in line with DOC 10.10 [7]; non-compliant products are not accepted.

12.1.1.4 The Organisation accepts products tested and evaluated in line with Appendix V.

12.2 Correct Processing in Applications

Control objective: to prevent errors, loss, unauthorized modification or misuse of information in applications

12.2.1 Input data validation

Data input to applications is provided from an external source and the responsibility of its accuracy is outside this ISMS.

12.2.2 Control on internal processing

Validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

12.2.3 Message integrity

Requirements for ensuring authenticity and protecting message integrity in applications have been identified, and appropriate controls identified and implemented

12.2.4 Output data validation

Data output from an application is validated to ensure that the processing of stored information is correct and appropriate to the circumstances

12.3 Cryptographic Controls

Control objective: to protect the confidentiality, authenticity or integrity of information by cryptographic means

12.3.1 Policy on the use of cryptographic controls

The Organisation has a policy on its use of cryptographic controls for protection of its information, as set out below

12.3.1.1

DOC 10.17

[7]

DOC 12.1

12.3.2 Key management

Key management, as documented in DOC 12.2, supports the Organization use of cryptographic techniques

Control objective: to ensure the security of system files

12.4 Security of System Files

12.4.1 Control of operational software

The installation of software on operational systems is controlled by DOC 12.3

12.4.2 Protection of system test data

Test data is selected, protected and controlled in line with DOC 10.10 [7].

12.4.3 Access control to program source code

Access to program source code is restricted in line with DOC 10.15 [7]

12.5 Security in Development & Support Processes
Control objective: to maintain the security of application system software and information

12.5.1 Change control procedures

The implementation of changes is controlled by the use of the formal change control procedures set out in DOC 10.7.

12.5.2 Technical review of applications after operating system changes

When operating systems are changed, business critical applications are reviewed and tested in line with DOC 10.10 [7] to ensure there is no adverse impact on organisational operations or security.

12.5.3 Restrictions on changes to software packages

The Organisation does not seek bespoke modifications to commercial software packages.

12.5.4 Information leakage

Controls are applied to limit the opportunities for information leakage

12.5.4.1

5.1.1

[7]

12.5.4.4 Malware, that might give cause covert channels, is controlled through the anti-malware software (see 10.4 [7]) and User Agreements (see 11.2 [7] and 11.3 [7]).

12.5.5 Outsourced software development

The Organization does not outsource software development

12.6 Technical Vulnerability Management
Control objective: to prevent the damage resulting from exploitation of published technical vulnerabilities

12.6.1 Control of technical vulnerabilities

DOC 12.4

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

13. Information Security Incident Management

Control objective: to ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

[4] 13.1 Reporting Information Security Events & Weaknesses

13.1.1 Reporting information security events

Information security events must be reported to the Information Security Manager as quickly as possible, as set out in DOC 13.1

13.1.2 Reporting security weaknesses

All employees, contractors and third party users of information systems and services are required by DOC 13.1 to note and report to the Information Security Manager any actual or suspected weaknesses in Organizational systems or services

13.2 Management of Information Security Incidents & Improvements

Control objective: to ensure a consistent and effective approach is applied to the management of information security incidents

13.2.1 Responsibilities and procedures

Management responsibilities and procedures have been established in DOC 13.2 to ensure a quick, effective and orderly response to information security incidents that ensures appropriate corrective or preventative actions, restores normal operations as quickly as possible, and ensures that improvement opportunities are identified and acted upon.

13.2.2 Learning from information security incidents

DOC 13.2 requires the Information Security Manager to quantify and monitor the types, volumes and costs of information security incidents.

13.2.3 Collection of evidence

In all information security incidents, irrespective of whether or not a follow-up action against a person or organization involves legal action (either civil or criminal), evidence is collected, retained and presented as set out in DOC 13.5 to conform to the rules for evidence laid down in the laws of the Kingdom of Bahrain.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

14. Business Continuity Management

[4]

14.1 Information Security Aspects of Business Continuity Management

Control objective: to counteract interruptions to business activities, to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption

14.1.1 Including information security in the business continuity management process

DOC 14.1

14.1.2 Business continuity and risk assessment

Events that can cause interruptions to business processes are identified as set out in DOC 14.2, along with the probability and impact of such interruptions, and the risk assessment process (DOC 4.4 [7]) is extended to apply to business continuity risks. These risk assessments drive the business continuity planning framework (DOC 14.3)

14.1.3 Developing and implementing continuity plans including information security

The Organisation’s Business Continuity Plan is developed in line with DOC 14.1 and is set out in DOC 14.3. It enables the Organisation to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes

14.1.4 Business continuity planning framework
A single framework (as described in DOC 14.1) of business continuity plans is maintained to ensure that the plan and all its sub-plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance

14.1.5 Testing, maintaining and re-assessing business continuity plans
Business continuity plans are tested and updated regularly, in line with the requirements of DOC 14.4, to ensure that they are up to date and effective

Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO

____________________________ _______________________________

On:

08 November, 2007
____________________________ _______________________________

Change history

Issue 1 08 November, 2007 Initial issue

15. Compliance

Control objective: to avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements

[4] 15.1 Compliance With Legal Requirements

15.1.1 Identification of applicable legislation

All relevant statutory, regulatory and contractual requirements and the Organization approach to meet these requirements have been explicitly defined, documented and are kept up to date for
each information system and the Organization

15.1.1.1

7.1.2

[7]

7.1.1

[7]

15.1.1.2 The Information Security Manager is responsible for creating and maintaining the schedule of the Organization statutory and regulatory information/data and computer-related compliance [12] requirements. The controls and responsibilities necessary to meet these compliance requirements are also identified in this schedule.

15.1.2 Intellectual property rights
Appropriate procedures have been implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.

15.1.2.1

15.1.2.2 The Organization procedures to implement this policy are contained in DOC 15.3.

15.1.3 Safeguarding of organizational records
The Organization procedure, set out in DOC 15.2 protects important records from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements

15.1.4 Data protection and privacy of personal information
Data protection and privacy are ensured as required and, where applicable, contractual clauses

15.1.4.1

15.1.4.2 The Organization has appointed an Information Security Manager who is responsible for ensuring that the procedures set out in sub sections 15.4 and 15.5 are implemented.

15.1.4.3 The Organization has implemented specific technical measures to protect personal information.

15.1.5 Prevention of misuse of information processing facilities

Users are be deterred from using information processing facilities for unauthorized purposes.

15.1.5.1

[7]

[7]

[7]

[7]

15.1.5.2 The Organization monitors compliance with these requirements, as described in DOC 7.4 [7] and DOC 10.18 [7].

15.1.6 Regulation of cryptographic controls

Cryptographic controls are used in compliance with all relevant agreements, laws and regulations, as set out in DOC 12.2 [7].

15.2 Compliance With Security Policies & Standards

Control objective: to ensure compliance of systems with organizational security policies and standards [10]

15.2.1 Compliance with security policy and standards

Managers ensure that all documented security procedures and work instructions within their area of responsibility are carried out correctly to achieve compliance with security policies and standards

15.2.1.1

15.2.1.2 Managers are required to document these reviews in accordance with DOC 15.4 as well as the actions required, and responsibilities and timeframes, in the case of shortfalls.

15.2.1.3 These management reviews and any actions arising must be reported in accordance with DOC 15.4 to the independent reviewers (see DOC 6.7 [7])

15.2.2 Technical compliance checking

Information systems are regularly checked for compliance with security implementation standards, and the Organization procedures for managing technical compliance checking are set out in DOC 15.4

15.3 Information Systems Audit Considerations

Control objective: to maximize the effectiveness of and to minimize interference to/from the information systems audit process

15.3.1 Information systems audit controls

Audit requirements and activities involving checks on operational systems are carefully planned as set out in DOC 15.5 and agreed with appropriate management to minimize the risk of disruptions to business processes.

15.3.2 Protection of information systems audit tools
Access to information systems audit tools are protected as required in DOC 15.5 to prevent any possible misuse or compromise

15.4 Compliance & Compliance Checking Procedure

The Organization’s entire ISMS is within the scope of this procedure.

Responsibilities

All personnel connected with the Trust Centre are responsible for ensuring and checking for procedural compliance.

The Information Security Manager is responsible for planning and commissioning technical compliance checking.

Procedure

Management review [ISO 17799 clause 15.2.1]

15.4.3.1

15.4.3.2 The review must be reported/recorded on the Monthly Trust Centre Operational Report.

15.4.3.3 Where a non-conformance is identified, the manager must determine the cause of the non-conformance, evaluate what action is required to ensure that the non-conformance does not re-occur, determine necessary corrective action (including obtaining any required authorizations) and take the identified action

15.4.3.4 The details of the corrective actions, and confirmation of their successful implementation, should also be recorded in the [review report].

15.4.3.5 Review reports are made available to independent reviewers carrying out independent reviews in line with DOC 6.7 [7].

15.4.3.6 Managers are also responsible for identifying non-conformances in the ordinary course of business and taking appropriate corrective action appropriately.

Technical Compliance Checking [ISO 17799 clause 15.2.2]

15.4.4.1 The Information Security Manager has a schedule of the Organization’s information assets (gathered under DOC 7.1 [7]) and these are prioritized by their value to the Organization.

15.4.4.2 All assets that are Risk Level 2 or above are checked for technical compliance with their documented configuration requirements as part of the monthly audit carried out by the Information Security Manager.

ISO 27001 Auditor

15.4.4.3 The Organization requires that any person/organization who carries out technical compliance checking has been either certified as an ISO 27001 Auditor or is an accredited WebTrust Compliance Auditor.

15.4.4.4 The Information Security Manager approves the technical checking plan put forward by the ISO 27001 Auditor or WebTrust Compliance Auditor and authorizes commencement of the check plan only when satisfied that the testing will not compromise the asset or system being checked.

15.4.4.5 Non conformances are identified and dealt with as described in Section 3, above.

15.4.4.6 New weaknesses or vulnerabilities uncovered as a result of the technical compliance checking are reported in line with DOC 13.1 [7] and dealt with in line with DOC 13.2 [7].

Systems Auditing Procedure

The Organization’s information assets and whole ISMS are within the scope of this procedure.

Responsibilities

The Information Security Manager is responsible for planning systems audit activities. The Information Security Manager is responsible for authorizing audit activity to occur.

Procedure [ISO 17799 clause 15.3.1]

Audit controls

The audit regime and the specific audit requirements will be documented and identified as part of the initial internal audit and will be identified and documented here, once completed. You should refer to the guidance of ISO 17799 clause 15.3.1 in drafting your procedure for this activity.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

16. Change Management

[4] The Information Security Manager is the Owner of this document and is responsible for ensuring that this policy document is reviewed in line with the review requirements stated above.

A current version of this document is available to all members of staff on request.

This manual was approved by the Board of the CIO Trust Centre on 08 November, 2007 and is issued on a version controlled basis under the signature of the Director General of IT.

Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO

____________________________ _______________________________

On:

08 November, 2007 08 November, 2007
____________________________ _______________________________

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Issue 2 [issue date]

Issue 3 [issue date]

Issue 4 [issue date]

17. Appendix I – Contact List & Details

[4] Operational Roles

1. Risk Assessment & PKI [5] Manager
Adlin Hisyamuddin
Information Security Manager, Head PKI
+973 1 772-6732
+973 3 986-7661
adlinh@cio.gov.bh [13]

2. Authorisation of Controls
Mubarak Abdulla Alhiddi
CSO/CIO

3 Change Initiation.
Ahmed Essa Abualfath
Computer Security Administrator
+973 1 772-6731
+973 3 968-7334
aabualfath@cio.gov.bh [14]

4 Change Management.
Shaikh Salman Mohammed Al-Khalifa
+973 3 968-9898
smalkhalifa@cio.gov.bh [15]

5 Network Management.
Khalid Al Othman
Chief, Network
+973 1 772-6325
+973 3 609-9167
osamarf@cio.gov.bh [16]

6 Network Administration.
Khalid Ali Al Jalahma
Network Administrator
+973 1 772-6729
kaljalahma@cio.gov.bh [17]

7 IT Operations.
Mohammed Al-Yassi
Director IT Operations

8 Software Development.
Sameh Abo-El-Ela
Development Manager

cssoshg@cio.gov.bh [18]
9 System Testing & Security Audit.
Osama Khalid Rafai
Computer Security Administrator
+973 1 772-6325
+973 36099167
osamarf@cio.gov.bh [16]

10 Employee Administration.
Hesham Al-Ghatam
Chief, Personnel & Admin’ Development
+973 1 787-8177
alghatamhe@cio.gov.bh [19]
Asset Purchase
11.
Khulood Al-Jassim
Supervisor Administration Service
+973 1 772-6760
aljassimk@cio.gov.bh [20]

12 Site/Secure Area Security Juffair.
Adel Khalifa Bu-Alai
Chief of Police in Juffair
+973 3 981-1055

13 Site/Secure Area Security Isa Town.
Mohammed Hamdan Mohammed
Chief of Police in Isa Town
+973 3 980-8096

Operational Controlling Roles
1. Digi-CA™ [21] Operating System Root Password Holders
Shaikh Salman Mohammed Al-Khalifa
+973 3 968-9898
smalkhalifa@cio.gov.bh [15]

Mohammed Al-Amer
President of CIO
+973 1 787-8101
+973 3 967-2222
malamer@cio.gov.bh [22]

2. Digi-CA™ Operating System Operation Password holders
Shaikh Salman Mohammed Al-Khalifa
+973 3 968-9898
smalkhalifa@cio.gov.bh [15]

Mubarak Abdulla Alhiddi
CSO/CIO

3. Digi-CA™ Operating System Administrators
Khalid Al Othman
Chief, Network
+973 1 772-6767
alothmank@cio.gov.bh [23]

Khalid Ali Al Jalahma
Network Administrator
+973 1 772-6729
kaljalahma@cio.gov.bh [17]

4. Master Digi-CA™ Administrator
Adlin Hisyamuddin
Information Security Manager
+973 1 772-6732
+973 3 986-7661
adlinh@cio.gov.bh [13]

Ahmed Essa Abualfath
Computer Security Administrator
+973 1 772-6731
+973 3 968-7334
aabualfath@cio.gov.bh [14]

5. Master Digi-CA™ Operator
Osama Khalid Rafai
Computer Security Administrator
+973 1 772-6325
+973 3 609-9167
osamarf@cio.gov.bh [16]

Khalid Ali Al Jalahma
Network Administrator
+973 1 772-6729
kaljalahma@cio.gov.bh [17]

6. Digi-CA™ RA Administrator
Saud Abdulaziz Bahzad
Smart Card Support
+973 3 903-3319
soudbah@cio.gov.bh [24]

Sameh Abo-El-Ela
Smart Card Technical
+973 1 772-6704
+973 3 6439376
cssoshg@cio.gov.bh [18]

7. Digi-CA™ Control Centre Operator

Isa Town Card Issuer No. 1 - to be selected by Adlin

Isa Town Card Issuer No. 2 - to be selected by Adlin

Key Ceremony Roles

1 Key Ceremony Administrator (& future Master of Ceremonies).
Adlin Hisyamuddin
Information Security Manager, Head PKI
+973 1 772-6732
+973 3 986-7661
adlinh@cio.gov.bh [13]

1. 1st Witness.
Osama Khalid Rafai - Computer Security Administrator
+973 1 772-6325
+973 3 609-9167
osamarf@cio.gov.bh [16]

3. 2nd Witness.
Elham Moh’d Saleh
Director Technical Resources
+973 17878017
elhama@cio.gov.bh [25]

4. Key Holder No. 1.
Shaikh Salman Mohammed Al-Khalifa
+973 3 968-9898
smalkhalifa@cio.gov.bh [15]

5. Key Holder No. 2.
Mubarak Abdulla Alhiddi
Senior Population Inspector – Supervisor
+973 39655366
monamj@cio.gov.bh [26]

6. Key Holder No. 3.,/h7>
Yousif Abdulla Ashoor
Senior Population Inspector – Clerk
+973 39457566
yashoor@cio.gov.bh [27]

7. Key Holder No. 4 - Ahmed Abdulmonem Alshami.
Ahmed Abdulmonem Alshami
Smart Card Support
+973 39537089
alshamyah@cio.gov.bh [28]

8. Key Holder No. 5 - Razan Abdulrahman Al Khalifa.
Razan Abdulrahman Al Khalifa
Smart Card Support
+973 39456565
razanaak@cio.gov.bh [29]

9. Member No.1 Security World.
Shaikh Salman Mohammed Al-Khalifa
+973 3 968-9898
smalkhalifa@cio.gov.bh [15]

10. Member No.2 Security World.
Mubarak Abdulla Alhiddi

11. Member No. 3 Security World.
Ahmed Al Mahmood
Director of Population Registry
+973 39672677
aalmahmood@cio.gov.bh [30]

13 Member No. 4 Security World.

14 Member No. 5 Security World.

HSM Configuration Roles

1. Key Ceremony Administrator (& future Master of Ceremonies)
Adlin Hisyamuddin
Information Security Manager, Head PKI
+973 1 772-6732
+973 3 986-7661
adlinh@cio.gov.bh [13]

2. 1st Witness.
Osama Khalid Rafai - Computer Security Administrator
+973 1 772-6325
+973 3 609-9167
osamarf@cio.gov.bh [16]

3. 2nd Witness.
Elham Moh’d Saleh
Director Technical Resources
+973 17878017
elhama@cio.gov.bh [25]

4. Member No.1 Security World.
Mubarak Abdulla Alhiddi

11. Member No. 3 Security World.
Ahmed Al Mahmood
Director of Population Registry
+973 39672677
aalmahmood@cio.gov.bh [30]

13. Member No. 4 Security World.

14. Member No. 5 Security World.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

17. Appendix II – Inventory of Assets, Suppliers & Authorities

[4] Hardware

Date	Owner	Asset type	Make	Model	Serial No	Location	Classification	Cost	Compliance requirements	Security Processes
CA (Inner Core) Safe Room
13/12/2006		Safe	Chubb	Europe	SN 77620	PKI DC		5000		OWI
20/12/2006		HSM	nCipher	netHSM 500	07-N55077M	PKI DC		11000		OWI
30/9/2007		HSM	nCipher	netHSM 500	SO-12-06-H002	PKI DC		11000		OWI
14/1/2007		Server Rack	UK	APW		PKI DC		1238		OWI
01/01/2005		2 Network Points to inner Core				PKI DC				OWI
01/01/2005		Fire/Dust Sensors	Somke	Fire Detectors	NA	PKI DC		120		OWI due 23/10/07
01/01/2005		Fire Suppression System	Fike SHP Pro Fire Alarm/Suppression Control System	FM 200 Gas	341861.2	PKI DC		15000		OWI due 23/10/07
01/01/2005		Air Conditioning from Main Aircon	Clivet	VR-DX 71	FLStDmCZ0A	PKI DC		20000		OWI due 23/10/07
01/12/2006		Backup air conditioning unit	YOKO	LD-24CS/A1	HKA 1135	PKI DC		300		OWI due 23/10/07
01/01/2005		Light Fitting & switches				PKI DC				OWI
01/12/2006		Door Exit Switch	Alpro	NA	NA	PKI DC		2000		OWI due 23/10/07
13/12/2006		Door Latch	Trimec	TS2001	NA	PKI DC		456		OWI due 23/10/07
CA (Inner) Core
08/01/2007		Server	Dell	PE2950 Xeon 5160	CBXGK2J	PKI DC		1814		OWI
08/01/2007		Server	Dell	PE2950 Xeon 5160	9WCHK2J	PKI DC		1814		OWI
08/01/2007		Server	HP	Proliant HP 380	CZC7262Q6B	PKI DC		1814		OWI
08/01/2007		Server	HP	Proliant HP 381	CZC7263523	PKI DC		1814		OWI
13/12/2006		Switch	Cisco	Catalyst2960	F0C1041X2G4	PKI DC		817		OWI
13/12/2006		Firewall	TippingPoint	X505	Zuz96E00009904	PKI DC		13973		OWI
		KBM Keyboard	N/C	N/C	N/C	N/C	N/C	N/C	N/C	N/C
		KBM Switch	N/C	N/C	N/C	N/C	N/C	N/C	N/C	N/C
01/01/2005		2 Network Points to Safe Room				PKI DC				OWI
01/01/2005		2 Network Points to Main Juffair Fibre				PKI DC				OWI
01/01/2005		2 Network Points to outer Core				PKI DC				OWI
13/12/2006		Server Rack	UK	APW	47170	PKI DC		1238		OWI
13/12/2006		Server Rack	UK	APW	47166	PKI DC		1238		OWI
01/01/2005		Fire Suppression System	Fike SHP Pro Fire Alarm/Suppression Control System	FM 200 Gas	341861.2	PKI DC		15000
01/01/2005		Fire/Dust Sensors	Somke	Fire Detectors	NA	PKI DC		15000	N/C	N/C
13/12/2006		Motion Sensor	Texecom	Mirage Pro-Quad	NA	PKI DC		33
01/01/2005		Light Fitting & switches				PKI DC				OWI
01/01/2005		Air Conditioning from Main Aircon	Clivet	VR-DX 71	FLStDmCZ0A	PKI DC		20000
01/01/2005		Backup air conditioning unit	YOKO	LD-24CS/A1	HKA 1272	PKI DC		300
13/12/2006		CCTV Camera	Infinova	V1481L-36A15	63121040	PKI DC		285
13/12/2006		Door Exit Switch	Alpro	NA	NA	PKI DC		2000
13/12/2006		Door Latch	Trimec	TS2001	0	PKI DC		456
CA Outer Core (Admin)
13/12/2006		Access Control to Safe Room	Identix	V20 UA HTLV20P-5K	390600348	PKI DC		2520
13/12/2006		Access Control CA Inner Core Room	Identix	V20 UA HTLV20P-5K	30700024	PKI DC		2520
13/12/2006		Access Control to Unner Core	Identix	V20 UA HTLV20P-5K	500303254	PKI DC		2520
13/12/2006		DVR	Infinova	V3010/4L	61210298	PKI DC		477
01/12/2006		Remote Control				PKI DC		25
13/12/2006		Monitor	Infinova	V1322/14	6300145	PKI DC		117		OWI
01/12/2006		Coaxial cables				PKI DC				OWI
13/12/2006		PC	Acer	Veriton 2800	PS280D5601647000495W	PKI DC		405		OWI
00/01/1900		Keyboard	Acer	Keyboard	TH097YRD371711A22532	PKI DC		35		OWI
00/01/1900		Mouse	Acer	Mouse	3892A378	PKI DC		10		OWI
13/12/2006		Monitor	Acer	AC713B	ESC04080345220024FPK11	PKI DC		125		OWI
13/12/2006		Switch	SMC	EZSWITCH 8 Port	SMSFS8EUA	PKI DC				OWI
13/12/2006		Door Latch	Trimec	TS2001	NA	PKI DC		456
13/12/2006		Exit switches	ALPRO	NA	NA	PKI DC		88
13/12/2006		Power supply		12V 5 amps	NA	PKI DC		116		OWI
13/12/2006		Alarm Control Panel	Veritas	Excel	NA	PKI DC		74
13/12/2006		LCD Keypad	Texecom	Premier LCD Keypad	NA	PKI DC		50
13/12/2006		Dialer	Texecom	Speech Dialler	NA	PKI DC		63
13/12/2006		Siren	Texecom	Odyssey 1	NA	PKI DC		18
13/12/2006		CCTV Cameras	Infinova	V1481L-36A15	63121034	PKI DC		285
14/12/2006		Fully Funtional Telephone	Panasonic	KX-T2375JXW	5CAOD062187	PKI DC
13/12/2006		Access Control CA Main Entrance	Identix	V20 UA HTLV20P-5K		PKI DC		2520
13/12/2006		Emergency lights	Khind	EM2004G	R2-042234
External
13/12/2006		Server Rack	UK	APW	0	Juffair		1238		OWI
08/01/2007		Server	Dell	PE2950 Xeon 5160	41WHK2J	Juffair		1814		OWI
08/01/2007
13/12/2006		Switch	Cisco	Catalyst2960	F0C1041X2G4	Juffair		817		OWI
13/12/2006		Firewall	TippingPoint	X505	Zuz96E00009904	Juffair		13973		OWI
		KBM Keyboard				Juffair				OWI
		KBM Switch				Juffair				OWI
01/01/2005		Network Points (itemise ( in& out))				Juffair				OWI
01/01/2005		Fire Suppression System	EMI Fire Alarm System	AFA MINERVA System 2100	NA	Juffair
01/01/2005		Fire/Dust Sensors	EMI Fire Alarm System	Fire Detectors	NA	Juffair
01/01/2005		Light Fitting & switches				Juffair
01/01/2005		Air Conditioning from Main Aircon	Denco Miller	DM5	NA	Juffair
01/01/2005		Backup air conditioning unit	Pearl	EG024FCAC	800390	Juffair

The Information Security Manager is the owner of this document and is responsible for ensuring that it is maintained by the relationship owners

This document was issued by the Information Security Manager on 08 November, 2007 and is issued on a version controlled basis.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Software

Date	Owner	Asset type	Make	Model	Serial No	Location	Classification	Cost	Compliance requirements	Security Processes
CA (Inner Core) Safe Room
14/01/2007		OS	Microsoft	Windows Server 2003	1	PKI DC
20/09/2007		OS	RedHat	Enterprise Linux 5	3	PKI DC
07/10/2007		Digi-CA™	Digi-Sign	Xp	1	PKI DC		97,000
CA (Inner) Core
14/01/2007		Access Control	Identix	4.6.1.0	1	PKI DC
14/01/2007		CCTV control	Infinova	V.1.00.09	1	PKI DC
14/01/2007		OS	Microsoft	XP Pro	1	PKI DC
15/01/2007		AntiVirus	Trend Micro	OfficeScan 8.0	1	PKI DC
CA Outer Core (Admin)


External


Juffair
20/09/2007		OS	RedHat	Enterprise Linux 5	2	PKI DC
		SMTP	Microsoft	Exchange 2003	1	Juffair
		DNS (*.gov.bh)	RedHat	Enterprise Linux 4	1	Juffair
		DNS (*.gdn)	Microsoft	Windows Server 2003	1	Juffair

The Information Security Manager is the owner of this document and is responsible for ensuring that it is maintained by the relationship owners

This document was issued by the [Information Security Manager] on [date] and is issued on a version controlled basis.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Intangible

Date	Owner	Asset type	Make	Model	Serial No	Location	Classification	Compliance requirements	Security Processes
CA (Inner Core) Safe Room


CA (Inner) Core


CA Outer Core (Admin)


External


Juffair

The [Information Security Manager] is the owner of this document and is responsible for ensuring that it is maintained by the relationship owners

This document was issued by the [Information Security Manager] on [date] and is issued on a version controlled basis.

Signature: Date:

Authorities & Suppliers

Owner	Organization	Function	Address	Contact	Telephone	e-mail	Web

The [Information Security Manager] is the owner of this document and is responsible for ensuring that it is maintained by the relationship Owners

This document was issued by the [Information Security Manager] on [date] and is issued on a version controlled basis.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

External Parties: Information Security Procedure

1 Scope
According to DOC 6.8 [7] / DOC 6.8 [7] of this Manual, the Organization maintains the security of its information processing facilities and information assets in relation to external parties. All external parties who need to access any Organizational information assets are subject to this procedure. The Organization has (or may have) external party agreements with the following categories of organizations, all of whom are covered by this procedure; risks may be assessed for external parties as individual organizations or as categories, depending on the level of risk involved:
a) Service providers
b) Managed security services
c) Customers
d) Outsourcing suppliers (facilities, operations, IT systems, data collection, call centres, others)
e) Consultants and auditors
f) Developers and suppliers of IT systems and services
g) Cleaning, catering and other outsourced support services
h) Temporary personnel, placement and other (casual) short-term appointments

2 Responsibilities
2.1 All relationship Owners (see sub section 7.1.2 [7] of the Manual) responsible for services in any of the above categories are required to ensure that external parties have entered into a formal external party agreement under this procedure and that transitions (of information, information processing facilities, and any other information assets or personnel) are planned and executed without a reduction in the level of security that existed prior to commencement of the transition.
2.2 Relationship Owners are responsible for ensuring that the security controls, service definitions and delivery levels included in external party agreements are implemented, maintained and operated by the external party.
2.3 The Information Security Manager is responsible for carrying out risk assessments (see DOC 4.4 [7]) where required by this procedure.

3 Procedure [ISO 17799 sub section 6.2]
3.1 Where there is a business need for working with external parties, the Organization ensures that its information security is not reduced; access to Organizational assets is not granted until a risk assessment (DOC 4.4 [7]) has been completed, appropriate controls identified and implemented.

4 Risk Identification [ISO 17799 clause 6.2.1]
4.1 The Organization carries out a risk assessment (in line with the requirements of procedure DOC 4.4 [7]) to identify risks related to external party access.

4.2 The risk assessment identifies (in addition to the requirements of DOC 4.4 [7]) and documents, for each external party:
a) The information processing facilities and information assets the external party will access;
b) The type of access the third party will have – physical access and/or logical access (identifying the assets that will be accessed), whether the access is taking place on-site or off-site and the exact location from which access will be made;
c) The value and classification (see sub section 7.2 [7] of the Manual) of the information that will be accessed;
d) The information assets that the external party are not intended to access and which may required additional controls to secure;
e) The external party’s personnel (see sub section 8.1 [7] of the Manual), including their contractors and partners, who will or might be involved;
f) How external party personnel are to be authenticated (see Section 11 [7] of the Manual);
g) How the external party will process, communicate and store information;
h) The impact to the external party of access not being available when required, or of inaccurate or misleading information being entered, received or shared;
i) How the Organization’s information security incident management procedure (see Section 13 [7] of the Manual) will be extended to incorporate information security incidents involving the external party;
j) Any legal, regulatory or other contractual issues that should be taken into account with respect to the external party;
k) How the interests of other stakeholders might be affected by any decisions.

5 Controls are selected in line with the requirements of DOC 4.3 [7].

6 The Organization implements those controls that are within its own power, and in line with the requirements of sub section 3.2 of the Manual (the DO phase). [7]

7 The Organization agrees with the external party those controls that the external party is required to implement and documents them in an agreement (drawn up by the Organization’s legal advisers) that the third party signs. The obligations on the external party include ensuring that all its personnel are aware of their obligations.

8 The agreements between the Organization and external parties (whether suppliers or customers) are created by the Organization’s legal advisers, who are required to specifically include or provide documented reasons for excluding any of the items on the checklist below, and the requirement for which may have been identified through the risk assessment, from any such contract:
a) The information security policy (sub section 5.1.1 of the Manual);
b) The controls identified as required through the risk assessment process (see 4 [7]), which may include procedures and technical controls;
c) A clear definition and/or description of the product or service to be provided, and a description of information (including its classification) to be made available;
d) Requirements for user and administrator education, training and awareness (see sub section 8.2.2 [7] of the Manual);
e) Provisions for personnel transfer;
f) Description of responsibilities regarding software and hardware installation, maintenance and de-commissioning;
g) Clearly defined reporting process, reporting structure, reporting formats, escalation procedures and the requirement for the external party to adequately resource the compliance [12], monitoring and reporting activities;
h) A specified change management process (see sub section 10.1.2 [7] in the Manual);
i) Physical controls, including secure perimeters (see Section 9 [7] of the Manual);
j) Controls against malware (see sub section 10.4 [7] of the Manual);
k) Access control policy (see Section 11 [7] of the Manual);
l) Information security incident management (see Section 13 [7] of the Manual) and agreement violation management procedures;
m) The target level for service and security, unacceptable service and security levels, definition of verifiable performance and security criteria, monitoring and reporting;
n) The right to monitor and audit performance (including of the third party’s processes for change management, vulnerability identification and information security incident management), to revoke activities, and to use external auditors;
o) Service continuity requirements;
p) Liabilities on both sides, legal responsibilities and how legal responsibilities (including data protection and privacy) are to be met;
q) The protection of IPR and copyright;
r) Controls over any allowed sub-contractors;
s) Conditions for termination/re-negotiation of agreements, including contingency plans.

9 Information exchange agreements [ISO 17799 clause 10.8.2]

o9.1 Additional controls must (subject to an individual risk assessment in relation to each proposed agreement) be considered where the contract is for the exchange of information or software:
9a) the specific management responsibilities and procedures on each side for notifying transmission, dispatch and receipt and any specific controls associated with each action;
10b) procedures to ensure non-repudiation and to ensure traceability;
11c) the required standards [10] for packaging (see DOC 9.12 [7]) and means of transmission;
12d) The agreed labelling system (see DOC 7.6);
13e) Courier selection and identification methods (see DOC 9.12 [7]);
14f) Escrow agreements (where applicable);
15g) How information security incidents (loss of or damage to an information asset in transit) will be managed;
16h) Data protection, copyright, software licensing (see sub section 15.1 [7] of the Manual);
17i) Any technical standards that be required for recording or reading software or information;
18j) Any other special controls, such as cryptography (see sub section 12.3 [7] of the Manual).

-10 Managing changes to third party services [ISO 17799 clause 10.2.3]

o10.1 The Organization may need to agree changes to external party contracts and agreements to take account of changes that it makes to, or as a result of:
oa) the services it currently offers to its clients;
ob) new applications and systems it has developed or acquired;
oc) modifications, changes or updates to its own policies and procedures;
od) new or amended controls arising from new risk assessments or information security incidents.

o10.2 The external party may need to request changes to the contract in order to implement:
oa) changes or improvements to their networks or other infrastructure;
ob) new or improved technologies, new products or new releases of current products;
oc) new development tools, methodologies and environments;
od) new physical locations or physical services;
oe) new vendors or other suppliers of hardware, software or services.

o10.3 Any changes that may be required are subject to a new risk assessment (taking into account the criticality of the business systems involved) and review of the selected controls (see clauses 4.1 [7] and 5 [7]).
o10.4 New controls, or changes to existing controls are identified, authorized, agreed with the third party, and made the subject of an agreed variation to the existing contract. This must be clearly documented and signed off by both parties.
o10.5 The relationship Owner is responsible for ensuring that the revised controls are implemented and incorporated into the existing review and monitoring arrangements.

The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.
A current version of this document is available to PKI team members of staff on the corporate intranet.

This procedure was approved by the Information Security Manager on 08 November, 2007 and is issued on a version controlled basis under his signature

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

17. Appendix III - Operating Work Instructions [OWIs]

HSM OWI

[4] Scope:

The purpose of this document is to provide full Operating Work Instructions for the use, maintenance and support of the HSM in place at CIO

Responsibility & Asset Ownership:

[Please Indicate – probably Information Security Manager] is responsible for ensuring that this OWI is fully implemented and regularly updated to reflect any changes in the environment at CIO. As per the asset list the {Indicate – probably Information Security Manager] is the owner of the assets covered in this OWI.

Details of the Operating Work Instruction:

1. The business specification and user requirements (usability and user friendliness) for the system

The nCipher net HSM is a hardware platform for providing cryptographic services to enhance the security of a variety of applications - from PKI [5] and authentication systems to Web services and SSL protected communications. The net HSM acts as a network-attached resource for secure cryptographic processing, providing an alternative deployment scenario to the traditional approach of dedicated HSMs on individual servers. By allowing multiple servers to securely access a single HSM to perform cryptographic functions, overall equipment costs can be reduced and system management simplified. Whilst dedicated HSMs are appropriate for security applications and servers that demand guaranteed availability and/or processing power, many deployments encompass multiple servers, either in a single site or across a wide
geographic area, where a shareable, network connected HSM is a perfect solution.

The CIO uses the nCipher HSM device (herein referred to as “HSM”) to securely generate and store the private keys for the CAs it operates.

The HSM device has been designed to remove any daily administration responsibilities from the administering users. The daily administration duties of the HSM device are reduced to a minimum and are internally performed by a self automated system management control mechanisms, that reside inside the HSM device. On a scheduled basis, CIO users appointed as administrators of the HSM device, are required to inspect the HSM operations by checking the log report accessible on the front panel screen of the HSM device.

The daily operating duties of the HSM are limited to the cryptographic signing operations and on periodic basis, the HSM device may be used by the CIO to generate fresh cryptographic keys when a new CA [9] is created. In the event of a new CA creation, the generation of new private keys is performed in a secure environment, video recorded, documented, witnessed and notarized thus assuring, that highest security is in place.

The device has a text based interface provided through the flat screen residing on the front panel of the HSM device.

All features and functionalities provided by the HSM device are documented and described in the hardware installation, administration and operation manuals available to CIO personnel.

2. The operational efficiency of the system - i.e. does it deliver the business benefits expected of it?

Since this is a hardware device, no maintenance is required to keep the device in an ongoing operational state. The supplied hardware documentation available to CIO personnel describes all features and functionalities provided by the HSM device, including installation guides, configuration instructions and error correction.

3. Basic implementation guide for the system (where does it sit on the IT, ICT or electric network (connectivity wise), how users are set-up, administration console, basic maintenance and back up (see below), disaster recovery functionality (if applicable)

The HSM device is located in the CIO’s highly secured data centre: ISA Town, which has two independent power supply sources, one from an external power supplier and the second from the CIO’s internal power generator. The power provided to the HSM device is isolated from other power segments inside the data centre building, thus meeting the independency and failover requirements in the event of any power failure or circuit overload.

The HSM deployment architecture includes a multi two HSM devices configured for High Availability. This mechanism balances the usage of network and hardware resources between two HSM devices and thus provides greater system performance and fail over support. The diagram below illustrates the current CIO’s deployment architecture of the Digi-CA™ [21] PKI System, with which the two HSM devices have been configured for operation:

Both HSM devices are placed in a dedicated, CISCO firewall/switch protected network segment. The CA core network in ISA Town, to which the HSMs are connected, is isolated from other corporate networks inside CIO and physical access to the Inner and Outer Core rooms as presented on the above diagram, is strictly protected with biometric devices and video camera monitoring performed 24 hours per day throughout the entire year.

The HSM devices, which are located in the Inner Core room inside the ISA Town Data Centre building, are the central cryptographic operation processing units for the CA System deployed inside CIO. Each HSM is connected to a dedicated back-end server hosting the relevant CA System components and both of the back-end servers have been configured for High Availability and provide a failover mechanism to the operation of CA System. The HSM provides the following main functionalities:

Each of the above functionalities is documented in the hardware manual available to CIO administering and operating personnel.

4. The identified acceptance criteria
The installation and configuration of the HSM devices inside the CIO has been completed with the accordance to the hardware installation manual available to the CIO personnel. The manual provides a step by step instruction set allowing the administering users to correctly install and configure an HSM device. Upon successful installation of each device, a manual device operation check was run by the administering user to ensure the device has been installed and configured correctly and is up and running. For this purpose, a HSM support toolkit provided by the device vendor was used. Before the system was switched into a production environment, a set of test private keys was generated to ensure the HSMs are operating correctly. After each test, the HSM log was inspected to verify whether each operation was accomplished correctly.

The set of testing operations for CA AMC included:

All operations have been performed with the accordance to the hardware administration and operation manual available to CIO personnel.

5. The Organization's performance requirements and current capacity

CIO expects Digi-CA™ HSM to store up to 100 private keys of either 1024 bits, 2048 bits or 4096 bits size and sign around 100 000 Digital Certificates [8] in total, provided the current deployment architecture and allocated hardware capacity for the CA System. The maximum number of digital certificates issued per day will not reach 10 000. The CA System deployment architecture is expected to support 24/7/365 availability and currently there is no requirement for CIO to have an online disaster recovery centre. In an event of an irrecoverable major system or hardware failure, all disaster recovery activities will be carried out manually by the CIO appointed administering personnel, by recreating the CA System environment or loading configuration to a HSM device from backup resources. The above performance requirements have been measured, confirmed and tested by the CA System software and HSM hardware vendors and they meet the CIO requirements stated above.

6. Methods of error recovery, system restart and contingency plans

The HSM device provides extended system operation control mechanisms, that automatically raise an alert when a critical exception error is encountered during the operations of the device. The alert is immediately logged in the HSM log. The HSM log is accessible to CIO appointed administering users from the flat screen residing on the front panel of the device or from the operating system command prompt of the server connecting to the HSM device. All exception error log entries are reported by HSM device using a unique error number and associated descriptive text, that informs the inspecting user about the type of the error and why it was generated. This architecture provides CIO administering users with an easy mechanism for identifying the source for the error and allows immediate correction of the problem. For irrecoverable or unidentified errors, CIO administering users should contact the hardware vendor to obtain further assistance.

7. Methods of testing the systems routine operating procedures (and, where appropriate, manual procedures) to defined and agreed standards [10]

The HSM administering users should perform regular inspections of HSM log to verify the correctness of its operations.

To ensure, that HSM devices are not vulnerable to any attacks or exploits, CIO appointed administering personnel should perform a weekly CA System network scans searching for possible new vulnerabilities.

The CISO network devices used inside the CA System network, such as firewalls and switches are equipped with network Intrusion Detection Systems [IDS], which constantly monitor all network traffic within the CA System network and immediately alert all administering users in an event of an intrusion attempt. These devices are configured by default to automatically disable any connectivity for a potential attacker. Administering users should additionally analyze the IDS reports on a weekly basis to attempt to identify any suspicious communication directed to any of the CA System Services or HSM devices.

8. The set of required security controls (for the systems and in terms of any impact on the overall organization) that were identified at project initiation

Physical access to the CA System core location, where HSM devices are placed, should be protected with biometrics and should be divided into multiple access points excluding the existence of a single access point. CIO has assigned its secure Data Centre in ISA Town to install both HSM devices. This location provide security guarding of the building entrance, camera monitoring of entire building, biometric access to Data Centre IT operations rooms and book logging for all entries and exists.

Network access to the CA System, where HSM devices reside, is divided into two general segments: public and private. While the public segment can be accessed by any one through Internet, private segment is strictly secured for internal communications only and disabled for external access. In the CIO deployment architecture of the CA System, public access is allowed only to the Services located in the Juffair Data Centre building and it includes RA Registration Service, Time-Stamping [31] Service and OCSP [32] Service. The HSM devices are accessible only to the CSP Service installed on two dedicated back-end servers residing in the Outer Core room inside the ISA Town Data Centre building. For authentication purposes, hardware cryptographic devices are installed on each of the back-end servers to ensure that no other server can connect to any of the HSM devices. All communication to the HSM devices is encrypted using strong cryptography standards and a cryptographic authentication mechanisms are in place to ensure that only authorized Services can access the HSM device resources.

9. Methods of testing for covert channels and Trojans

The HSM devices use industry standard cryptography, encryption mechanisms and hardware cryptographic devices for secure communications, such as AES encryption and nCipher nToken PCI devices, therefore ensuring, that no man-in-the-middle attack can succeed and no unauthorized party can obtain sensitive data or spoof the identity of the accessing Service. The operating core of the CA System, where HSMs are located, is isolated from any external networks such as Extranets or Internet and access to HSM devices is only possible after successful authentication using strong cryptographic mechanisms. Leaving the devices with no write-access from Internet or any external networks, makes enough protected against unwanted application and computer viruses circling throughout the Internet. The physical and network isolation of the HSM devices along with strict network access control policies in place, significantly reduce the possibility of an injection of a computer virus or an application commonly referred to as a Trojan Horse. Given the architecture of the device, it is not possible to inject any third party application code without prior cryptographic authentication to the device.

10. Business continuity arrangements (as you know this is to simply rebuild a new environment, but we need an outline of the cause & affects)

The CIO currently does not require an online disaster recovery solution and relies on multi service High Availability configuration of the CA System and failover configuration of two HSM devices. In an event of a failure of one HSM device, a second device will be used instead.

In an event of irrecoverable failure, the HSM devices will either be re-initialized or replaced with new hardware and system environment will be rebuild from scratch and HSM configuration data will be restored from the most recent backup stored on a dedicated backup server. The HSM hardware manual documents the process of hardware installation and CIO administering personnel should refer to the manual for instructions related to hardware installation and recovery from a major HSM failure.

The reinstallation and recovery of the HSM device should take no more than 48 hours. During the outage period Digital Certificates issued by the CA System, which uses the HSM devices, will remain valid and therefore the event will not affect the business continuity of the CIO nor will it cause any damage to End Entities to whom certificates are issued.

11. Interactions with other systems, to ensure that the new system will not adversely affect existing systems, including in capacity requirements

The preliminary calculation of device capacity utilization of the was performed by the CIO during the project initialization phase and therefore a sufficient capacity and hardware resources were allocated to the CA System upon installation, allowing the HSM hardware to continue an uninterrupted operations utilizing the necessary capacity for around 100 private keys and signing around 100 000 digital certificates in total. During the maintenance period, CIO appointed administering users will inspect the hardware performance logs once per 6 months and produce a report based on which the CIO will decide whether an additional hardware resource allocation or hardware replacement is required.

The hardware, network and physical location resources dedicated for the CA System have been completely separated by the CIO from any of its other network and application layer segments. Both HSM devices, that the CA System is using, are solely dedicated to the operation of the CA infrastructure and therefore do not interact nor interfere with any other network and software solutions, applications and facilities deployed inside CIO. The operations of the HSM devices does not have any technical impact on any of the areas of the CIO’s daily operations.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Digi-CA OWI

Scope:

The purpose of this document is to provide full Operating Work Instructions for the use, maintenance and support of the Digi-Ca in place at CIO

Responsibility & Asset Ownership:

[Please Indicate – probably Information Security Manager] is responsible for ensuring that this OWI is fully implemented and regularly updated to reflect any changes in the environment at CIO. As per the asset list the {Indicate – probably Information Security Manager] is the owner of the assets covered in this OWI.

Details of the Operating Work Instruction:

1. The business specification and user requirements (usability and user friendliness) for the system

Digi-CA™ PKI System (herein referred to as: “CA System”) is the complete Certificate Authority [CA] system deployed inside Central Informatics Organization [CIO], which required to have its own CA to provide enhanced communication security and identity assurance to its own organization and to Bahraini Citizens. The CA System issues the Digital Certificates, in conformance with RFC 3280 standard, that are used by the CIO personnel and Bahraini Citizens for two factor authentication, electronic signatures and email protection. The CA System also issues Digital Certificates, that are used by the CIO to introduce client-to-device and device-to-device authentication using public key cryptography.

The CIO uses CA System to create multiple instances of unique CAs in a single CA System installation. The Digi-CA™ model imposes delegation of trust downwards from Root CAs to their Subordinate Certification Authorities [Sub-CAs]. The same installation of Digi-CA™ also enables any of these CAs to be cross signed by an external third party CA and any number of CAs can have any number of cross signed Subordinate CAs. This CA model is a requirement for CIO, which intends to deliver unique CA services to various governmental departments inside the Kingdom of Bahrain and to the Bahraini Citizens.

The daily administration duties of the CA System are reduced to a minimum and are internally performed by a self automated system management control mechanisms, that reside inside the CA System. On a scheduled basis, CIO users appointed as administrators of the CA System, are required to inspect the CA System operations by checking the log report and the service status report, which are both accessed through a web based CA Administration Management Console [CA AMC] or alternatively can be viewed directly from the Operating System command prompt console.

The daily operating duties of the CA System are limited to the issuance, revocation or suspension of Digital Certificates to the requesting entities, Bahraini Citizens, government institutions or CIO personnel. CIO users appointed as Registration Authority [RA] Operators can issue, revoke, suspend and de-suspend digital certificates by accessing a web based RA Management Console [RA MC] GUI.

All features provided by GUI management interfaces of the CA system, such as CA AMC and RA MC consoles, are logically grouped and easy to access upon successful authentication through an intuitive graphical menu. The CIO users appointed as administrators and operators, can easily access relevant console features without having great prior knowledge of PKI technology or CA System architecture.

The software manual provided by the CA System software vendor delivers the necessary documentation needed to administer and operate the CA system. CIO users should refer to this manual to identify the meaning of all CA System and individual console functionalities, the scope of their administering and operating responsibilities as well as deployment and configuration guidelines.

2. The operational efficiency of the system - i.e. does it deliver the business benefits expected of it?

The maintenance of the CA System has been made easy to perform by the software vendor to an extend where a non technical personnel, having basic understanding of the software manual, can perform the necessary activities to correctly maintain the system to allow its uninterrupted operations. Daily duties of CIO users appointed as system administrators have been reduced to weekly inspections of the correct system operations. The necessary administering activities can be performed on a weekly basis by an authenticated personnel only, using a web based CA AMC GUI, through which users can view status reports of various CA System services and inspect the CA System logs to verify the correctness of its operations. All reporting information produced by the CA System provides a unique identifying number for a reported event as well as its intuitive and easy to understand textual description. The log reporting feature introduces different type of log entries, therefore it is easy for the CIO personnel to distinguish log entries between informational messages, critical errors and warning alerts. This enables CIO personnel with the ability to correctly inspect the system operations and troubleshoot any errors encountered during the CA System operations.

The CA System clearly distinguishes the roles and responsibilities of individual users, therefore administering the system is explicitly separated from the operating activities, which do not require from the appointed CIO personnel any technical knowledge related to the CA System administration as well as any knowledge in cryptography or Public Key Infrastructure industry standards. By following processes driven by the CA System, operating users can easily issue, revoke, suspend and de-suspend digital certificates. All administering and operating procedures are clearly documented in the CA System manual provided by the software vendor.

3. Basic implementation guide for the system (where does it sit on the IT, ICT or electric network (connectivity wise), how users are set-up, administration console, basic maintenance and back up (see below), disaster recovery functionality (if applicable)

The Digi-CA™ PKI System software suite is a multi application component based PKI system for managing cryptographic keys, Digital [X.509] Certificates and supplemental PKI related services. Each application component (herein referred to as “Service”) provides a series of defined functionalities to other PKI application components of the system, as well as to administering and operating parties, as well as to end entities, to whom certificates are issued. This CA System is built with the following modules:

a. CA Application Server [CA APS]
b. Cryptographic Service Provider [CSP]
c. Time-Stamp Gateway Server [TSA Gateway]
d. Online Certificate Status Protocol Gateway Server [OCSP Gateway]
e. CA Administration Management Console [CA AMC]
f. Registration Authority [RA] Management Console [RA MC]
g. Registration Authority [RA] Registration Service [RA RS]
e. CA Database Server [CA DB]

All of the CA System components are located in the CIO’s highly secured data centres: ISA Town and Juffair, which both have two independent power supply sources, one from an external power supplier and the second from the CIO’s internal power generator. The power provided to the CA System is isolated from other power segments inside the data centre buildings, thus meeting the independency and failover requirements in the event of any power failure or circuit overload.

The CA System deployment architecture includes a multi server Service distribution model for each PKI application component provided by the CA System. This mechanism balances the usage of network and hardware resources between several server devices and thus provides greater system performance and fail over support. The diagram below illustrates the current CIO’s deployment architecture of the Digi-CA™ PKI System:

Each Service of the CA System is placed in a dedicated, CISCO firewall/switch protected network segment. The CA core network in ISA Town is isolated from other corporate networks inside CIO and physical access to the Inner and Outer Core rooms as presented on the above diagram, is strictly protected with biometric devices and video camera monitoring performed 24 hours per day throughout the entire year.

The CA Administration Management Console [CA AMC], which is installed on two dedicated back-end servers located in the Outer Core room inside the ISA Town Data Centre building, is a central CA management panel GUI for CIO users appointed as CA Administrators and CA Operators. The two back-end server hosting the CA AMC has been configured for High Availability and provide a failover mechanism to the operation of CA AMC component. The console provides the following main functionalities:

Each of the above functionalities is documented in the CA System manual available to CIO administering and operating personnel.

The RA Management Console [RA MC], which is installed on a dedicated front-end server located in the Outer Core room inside the ISA Town Data Centre building, is a central RA management panel GUI for CIO users appointed as RA Administrators and RA Operators. The front-end server hosting the RA MC provides the first point of access for the RA Operations Centre, from where RA Administrators and RA Operators can access the console features. This Service has been also installed on two front-end servers, configured for High Availability, located inside the Juffair Data Centre building, to provide – if necessary - a failover support as a second access point for the RA Operations Centre, from where RA Administrators and RA Operators can access the console. The RA MC console provides the following main functionalities:

Each of the above functionalities is documented in the CA System manual available to CIO administering and operating personnel.

The RA Registration Service [RA RS], which is installed on a dedicated front-end server located in the Outer Core room inside the ISA Town Data Centre building, is a central panel GUI for certificate subscribers [End Entities], to whom digital certificates are issued. The front-end server hosting the RA RS provides the first point of access for the RA Operations Centre, from where End Entities can access the Service features. This Service has been also installed on two front-end servers, configured for High Availability, located inside the Juffair Data Centre building, to provide second access point for End Entities, who can access the Service through the Internet. The RA RS console provides the following main functionalities:

Each of the above functionalities is documented in the CA System manual available to CIO administering and operating personnel.

The CA Application Server, which is installed on two dedicated back-end servers located in the Outer Core room inside the ISA Town Data Centre building, is an internal module of the CA system and is self-operated, meaning it does not provide or require any user management or user access functionalities. Only a CIO appointed administering personnel acting as the operating system super user can stop or start this service. The Service is registered by the administering user through the CA AMC. This Service can be accessed only by another CA System Service, that was previously registered within the CA system.

Cryptographic Service Provider is an internal module of the CA system, which is installed on two dedicated back-end servers, configured for High Availability, located in the Outer Core room inside the ISA Town Data Centre building. This Service is self-operated and does not provide or require any user management or user access functionalities. Only a CIO appointed administering personnel acting as the operating system super user can stop or start this Service. The Service is registered with the CA System by administering user through the CA AMC. This Service is not accessible to any user or other Service of the CA System.

Time-Stamp Service Gateway Server is a user accessible Service of the CA System, which is installed on two dedicated front-end servers, configured for High Availability, located in the Juffair Data Centre building. This Service is self-operated and does not provide or require any user management functionalities. It however authenticates, using a username and password, all individual subscribed users being the Citizens of Bahrain or any other Time-Stamping Service subscribed users against the CA Database before access to the Service can be provided to the user. Only a CIO appointed administering user acting as the operating system super user can stop or start this Service. The Service is registered with the CA System by the administering user through the CA AMC. This Service has been designed to be accessed by public Internet community as well as by CIO personnel.

Online Certificate Status Protocol Gateway Server is a user accessible Service of the CA System, which is installed on two dedicated front-end servers, configured for High Availability, located in the Juffair Data Centre building. This Service is self-operated and does not provide or require any user management functionalities. It however provides an open access to end users requiring OCSP service, as defined in the RFC 2560 standard. This Service has been designed to be accessed by public Internet community as well as by CIO personnel.

The CA Database is a SQL based database server, which is installed on two dedicated back-end servers, configured for High Availability, located in the Outer Core room inside the ISA Town Data Centre building. This Service is self-operated and provides the central storage facility for CA System managed data. Access to the CA DB resources is possible only to authenticated Services of the CA System and to the CIO appointed personnel acting as the super user of the operating system, who can access database for low level operations from the operating system command prompt. Each Service or administering user accessing the database resources must pass two factor authentication [33]:

The CA DB does not store any security critical data such as CA or End Entity private cryptographic keys and therefore it is not considered as a critical security point in the overall architecture of the deployed CA System. The CA DB data is backed up regularly on a daily basis and the backup data is automatically stored on a dedicated backup server residing in the ISA Town Data Centre building.

4. The identified acceptance criteria.

The installation of the CA System inside the CIO has been completed with the accordance to the software installation manual available to the CIO personnel. The manual provides a step by step instruction set allowing the administering users to correctly install and configure each of the CA System Services. Upon successful installation of each Service, a manual Service operation check was run by the administering user to ensure the Service has been installed correctly and is up and running. For this purpose, the Service Status Reporting of the CA AMC was used. Before the system was switched into a production environment, a set of test activities were performed to ensure entire CA System is operating correctly. After each test, the CA System log was inspected to verify whether each operation was accomplished correctly.

The set of testing operations for CA AMC included:

1. Logging to the CA AMC
2 Accessing all CA AMC features
3. Registering new Services (RA MC, RA RS, CA APS, TSA, OCSP)
4. Inspecting Service Status Report
5. Creating new Administrative Accounts
6. Creating new CA Accounts
7. Creating new RA Accounts
8. Inspecting CA System log

The set of testing operations for RA MC included:

1 Logging to the RA MC.
2 Inspecting certificate utilization report.
3 Creating new Digital Certificate.
4 Creating a multiple number of Digital Certificates in a batched process.
5 Creating new Time-Stamping Service users.
6 Inspecting Activity log.

The set of testing operations for RA RS included:

1 Accessing the RA RS.
2 Requesting new Digital Certificate.
3 Revoking a Digital Certificate.
4 Suspending a Digital Certificate.
5 De-suspending a Digital Certificate.
6 Installing a Digital Certificate on an End Entity computer.
7 Installing a Digital Certificate on an End Entity Cryptographic Hardware Device.

Test set of testing operations for CA APS in combination with Time-Stamping Gateway included:

1 Requesting a Time-Stamp Token.
2 Verifying the Service response.

Test set of testing operations for CA APS in combination with OCSP Gateway included:

1 Requesting an OCSP response.
2 Verifying the Service OCSP response.

All operations have been performed with the accordance to the CA System manual available to CIO personnel.

5. The Organization's performance requirements and current capacity

CIO expects Digi-CA™ System to issue around 100 000 Digital Certificates in total, provided the current deployment architecture and allocated hardware capacity. The maximum number of digital certificates issued per day will not reach 10 000. The CA System deployment architecture is expected to support 24/7/365 availability and currently there is no requirement for CIO to have an online disaster recovery centre. In an event of an irrecoverable major system failure, all disaster recovery activities will be carried out manually by the CIO appointed administering personnel, by recreating the CA System environment from backup resources. The above performance requirements have been measured, confirmed and tested by the CA System software vendor and they meet the CIO requirements stated above.

6. Methods of error recovery, system restart and contingency plans.

The CA System provides extended system operation control mechanisms, that automatically raise an alert when a critical exception error is encountered during the operations of any of the system Services. The alert is immediately logged in the CA System log and delivered through an SMTP messaging system to all registered administering users. The CA system log is accessible to CIO appointed administering users from a web based management console [CA AMC] or from the operating system command prompt. All exception error log entries are reported by CA System using a unique error number and associated descriptive text, that informs the inspecting user about the type of the error, the Service that generated it and the line of the application code, at which the error has occurred. This architecture provides CIO administering users with an easy mechanism for identifying the source for the error and allows immediate correction of the problem. For irrecoverable or unidentified errors, CIO administering users should contact the software vendor to obtain further assistance.

7. Methods of testing the systems routine operating procedures (and, where appropriate, manual procedures) to defined and agreed standards

The CA System administering users should perform regular inspections of CA System log to verify the correctness of its operations.

To ensure, that CA System Services are not vulnerable to any attacks or exploits, CIO appointed administering personnel should perform a weekly CA System network scans searching for possible new vulnerabilities.

The CISO network devices such used inside the CA System network, such as firewalls and switches are equipped with network Intrusion Detection Systems [IDS], which constantly monitor all network traffic within the CA System network and immediately alert all administering users in an event of an intrusion attempt. These devices are configured by default to automatically disable any connectivity for a potential attacker. Administering users should additionally analyze the IDS reports on a weekly basis to attempt to identify any suspicious communication directed to any of the CA System Services.

8. The set of required security controls (for the systems and in terms of any impact on the overall organization) that were identified at project initiation

Physical access to the CA System core location should be protected with biometrics and should be divided into multiple access points excluding the existence of a single access point. CIO has assigned its secure Data Centre in ISA Town and Juffair to host the CA System. Both locations provide security guarding of the building entrance, camera monitoring of entire building, biometric access to Data Centre IT operations rooms and book logging for all entries and exists.

Network access to the CA System is divided into two general segments: public and private. While the public segment can be accessed by any one through Internet, private segment is strictly secured for internal communications only and disabled for external access. In the CIO deployment architecture of the CA System, public access is allowed only to the Services located in the Juffair Data Centre building and it includes RA Registration Service, Time-Stamping Service and OCSP Service. The remaining Services of the CA System are using strong cryptography standards for encrypting the communication from User-to-Service as well as Service-to-Service and a cryptographic authentication mechanisms are in place to ensure that only authorized identities can access relevant system resources.

9. Methods of testing for covert channels and Trojans

The CA System uses industry standard cryptography and encryption mechanisms for secure communications, such as Secure Socket Layer [34] and Transport Layer Security protocols between Service, therefore ensuring, that no man-in-the-middle attack can succeed and no unauthorized party can obtain sensitive data or spoof the identity of the accessing user or device. The operating core of the CA System is isolated from any external networks such as Extranets or Internet and access to individual CA System Services is only possible after successful authentication using strong cryptographic mechanisms, such as SSL Client Authentication. Leaving the system with no write-access to Internet or any external networks, makes enough protected against unwanted application and computer viruses circling throughout the Internet. The physical and network isolation of the CA System along with strict network access control policies in place, significantly reduce the possibility of an injection of a computer virus or an application commonly referred to as a Trojan Horse.

10. Business continuity arrangements (as you know this is to simply rebuild a new environment, but we need an outline of the cause & affects)

The CIO currently does not require an online disaster recovery solution and relies on multi service High Availability configuration of the CA System. Each of the CA System Services has been distributed to two dedicated servers configured for High Availability to enable support for failover in an event of a failure of one server.

In an event of irrecoverable failure, the CA System will be rebuild from scratch and configuration and database data will be restored from the most recent backup stored on a dedicated backup server. The CA System software manual documents the process of system installation and CIO administering personnel should refer to the manual for instructions related to system installation and recovery from a major system failure.

The reinstallation and recovery of the entire CA System should take no more than 48 hours. During the outage period Digital Certificates issued by the CA System will remain valid and therefore the event will not affect the business continuity of the CIO nor will it cause any damage to End Entities to whom certificates are issued.

11. Interactions with other systems, to ensure that the new system will not adversely affect existing systems, including in capacity requirements

The preliminary calculation of drive capacity utilization of the CA System was performed by the CIO during the project initialization phase and therefore a sufficient capacity and hardware resources were allocated to the CA System upon installation, allowing it to continue an uninterrupted operations utilizing the necessary capacity for around 100 000 digital certificates. During the maintenance period, CIO appointed administering users will inspect the utilization process of the drive capacity and hardware resources once per 6 months and produce a report based on which the CIO will decide whether an increase of the drive capacity or additional hardware resource allocation or hardware replacement is required.

The hardware, network and physical location resources dedicated for the CA System has been completely separated by the CIO from any of its other network and application layer segments. All hardware and software components, that the CA System is using, are solely dedicated to its operation and therefore do not interact nor interfere any other network and software solutions, applications and facilities inside CIO. The operations of the CA System does not have any technical impact on any of the areas of the CIO’s daily operations.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Monitors, Mouse & Keyboards, KBMs, Coaxial Cables & Network Points OWI

Scope:

The purpose of this document is to provide full Operating Work Instructions for the use, maintenance and support of the Monitors, Mice and Keyboards in use within the framework of the PKI CA.

Responsibility & Asset Ownership:

The Network Manager is responsible for ensuring that this OWI is fully implemented and regularly updated to reflect any changes in the environment at CIO. As per the asset list the Network Manager is the owner of the assets covered in this OWI.

Details of the Operating Work Instruction:

A. Monitors

Monitors are to be plugged into a PC or Server for which it has been allocated (cross referenced in the asset list). Monitors should be switched to power saving mode when not used.

Monitors are to be kept clean of dust and users may not leave drink or food beside monitors.

Monitors are not under warranty. No specific support contract is in place to replace monitors within agreed periods of time should the monitor become faulty. [SUPPLIER] can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network Manager whether it might be appropriate to unplug a monitor used in another machine (PC or Server) to plug it back into the machine whose assigned monitor is faulty. When replacement units are delivered and implemented, existing units should be returned to their original place. Any such decision and associated action must be documented and signed off by the Information Security Manager and the Network Manager.

Monitors may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.

B. Mouse

CIO use a number of various models of “mouse”. Each mouse is to be plugged into a PC or Server for which it has been allocated (cross referenced in the asset list).

Each mouse is to be kept clean of dust and users may not leave drink or food beside mouse.

No mouse is under supplier warranty. No specific support contract is in place to replace mouse units within agreed periods of time should they become faulty. [SUPPLIER] can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network Manager whether it might be appropriate to unplug a mouse used in another machine (PC or Server) to plug it back into the machine whose assigned mouse is faulty. When replacement units are delivered and implemented, existing units should be returned to their original place. Any such decision and associated action must be documented and signed off by the Information Security Manager and the Network Manager.

Mouse units may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.

C. Keyboard

CIO use a number of various models of keyboards. Each keyboard is to be plugged into a PC or Server for which it has been allocated (cross referenced in the asset list).

Each keyboard is to be kept clean of dust and users may not leave drink or food beside keyboards.

Keyboards are not under supplier warranty. No specific support contract is in place to replace keyboards within agreed periods of time should they become faulty. [SUPPLIER] can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network Manager whether it might be appropriate to unplug a keyboard used in another machine (PC or Server) to plug it back into the machine whose assigned keyboard is faulty. Once replacement units are delivered and implemented, existing units should be returned to their original place. Any such decision and associated action must be documented and signed off by the Information Security Manager and the Network Manager.

Keyboards may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.

Please note that anti-spyware software approved by the Information Security Manager must be ran on the network at least [once a month] to ensure that no keyloggers are present on the network as this could compromise the overall security of the PKI infrastructure.

D. KBM

CIO use KBMs to allow one monitor to be used for a number of designated server(s) or PC(s). Each KBM is to be plugged into the PCs or Servers for which it has been allocated (cross referenced in the asset list).

Each KBM is to be kept clean of dust and users may not leave drink or food beside keyboards.

KBMs are not under supplier warranty. No specific support contract is in place to replace them within agreed periods of time should they become faulty. [SUPPLIER] can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network manager whether it might be appropriate to plug monitors directly into a PC or server. Once replacement units are delivered and implemented, existing units should be returned to their original place. Any such decision and associated action must be documented and signed off by the Information Security Manager and the Network Manager. When replacement units are delivered and implemented, existing units should be returned to their original place.

KBMs may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.

E. Coaxial Cables & Network Points

CIO use coaxial cables and network points as referenced in the Asset List. These items are not under supplier warranty. No specific support contract is in place to replace them within agreed periods of time should they become faulty. [SUPPLIER] can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network manager whether it might be appropriate interchange Coaxial Cables or Network Points (where applicable). Once replacement units are delivered and implemented, existing units should be returned to their original place. Any such decision and associated action must be documented and signed off by the Information Security Manager and the Network Manager. When replacement units are delivered and implemented, existing units should be returned to their original place.

Cables and Network Points may not be taken out of the CA rooms without prior approval from the Information Security Manager under any circumstances whatsoever.

Additional Notes pertaining to the Operational Working Instructions:

Keyboards, Monitors and Mouse units are delivered by vendors with users manuals either with dedicated Sections related to each asset or with a full users manual allowing for customization of the configuration. Where applicable such manuals are available in the manuals folder.

Other than at the initial installation stage, no specific testing of the assets is required. Basic performance criteria consist in making sure that monitors, keyboards and mouse units function properly and allow interaction with the PC(s) or server(s) these assets are allocated to.

No specific training is provided to users in relation to the assets covered in this OWI as most users intuitively know how to use basic functionality.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Switch Catalyst 2960 OWI

Scope:

The purpose of this document is to provide full Operating Work Instructions for the use, maintenance and support of the Switch Catalyst 2960 in use within the framework of the PKI CA (namely for PKI DC and Juffair).

Responsibility & Asset Ownership:

The Network Manager is responsible for ensuring that this OWI is fully implemented and regularly updated to reflect any changes in the environment at CIO. As per the asset list the Network Manager is the owner of the assets covered in this OWI.

Details of the Operating Work Instruction:

A. Integration and Initial Set-up

The Cisco Switch Catalyst 2960 should be implemented using the guidelines of the software guidance guide produced by Cisco. The switch is configured using Cisco command line access.

Switches are line between machines and a network access point the unit needs to be powered up and is already working in transparent mode.

The unit can be configured either by using CLI (Command Line Interface). All of the following needs to be fully configured:

Initial Configuration and Settings

The switch is configured to 4 different subnets:

Subnet 1
10.10.19.0/26
10.10.19.1 – First IP
10.10.19.63 – Broadcast

Subnet 2
10.10.19.64/26
10.10.19.65 – First IP
10.10.19.127 – Broadcast

Subnet 3
10.10.19.128/26
10.10.19.129 – First IP
10.10.19.191 – Broadcast

Subnet 4
10.10.19.192/26
10.10.19.193 – First IP
10.10.19.255 - Broadcast

Performance Features

Intelligent features at the network edge, such as sophisticated access control lists (ACLs) and enhanced security
Dual-purpose uplinks for Gigabit Ethernet uplink flexibility, allowing use of either a copper or a fibre uplink-each dual-purpose uplink port has one 10/100/1000 Ethernet port and one Small Form-Factor Pluggable (SFP)-based Gigabit Ethernet port, with one port active at a time
Network control and bandwidth optimization using advanced QoS, granular rate limiting, ACLs, and multicast services
Network security through a wide range of authentication methods, data encryption technologies, and NAC based on users, ports, and MAC addresses
Easy network configuration, upgrades, and troubleshooting using Cisco Network Assistant software
Autoconfiguration for specialized applications using Smartports
Limited lifetime hardware warranty
Software updates at no additional charge

Policy and Configuration Instructions:

The Network Manager in co-operation with the Information Security Manager decides on the policy implemented on the Cisco Switch Catalyst appliances. The policy is then implemented and saved with a back-up of the latest policy to saved in CIO Juffair to allow for Disaster Recovery purposes.

Item Policy Rule Description Justification
1 Switch Authentication Rule User Authentication at Switch User Management to guarantee confidentiality

The policy which is implemented must be fully documented and updated on a regular basis within this document.

Alert Escalations and IOS Updates:

The Cisco Switch Catalyst 2960 allows the Network Administrator to create rules for alerts to be a configured to be sent to either the Network Manager and the Information Security Manager. CIO to include details of escalation rules here-switch is transparent, no logging, escalation rules.

Update of the Cisco IOS must be done regularly and performed by the Network Manager as and when the latest IOS for the switch is made available from Cisco; must be agreed with the Information Security Manager and IT Operations Manager.

CISCO IOS Software Release 12.2(25)SEB.

In terms of performance monitoring, the Cisco Switch 2960 should be ample for the requirements of CIO at present. However should service be degraded and performance be impacted CIO should review the logs of the Cisco Catalyst 2960 to check that the bandwidth and performance capabilities of the units are not maxed out. If so configuration might be changed or a requirement for a clustered Cisco Catalyst environment to improve performance should also be envisaged, to be decided by the Network Manager and Information Security Manager to be submitted for approval according to the rules of this ISMS.

B. Subscription and Advance Replacement Instructions:

Cisco Catalyst 2960 units are covered under subscription with Fakhro Electronics with 1 year warranty. This ensures that the IOS version is regularly available for updates. Fakhro Electronics can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network Manager whether it might be interchange Cisco 2960s or to use a third party Switch to continue operations instead of the original Cisco Catalyst 2960. When replacement units are delivered and implemented, the configuration of the original unit must be implemented and tested as per the initial implementation. All associated actions must be documented and signed off by the Information Security Manager and the Network Manager.

Additional Notes pertaining to the Operational Working Instructions:

The Cisco Catalyst 2960 units are to be kept clean of dust and users may not leave drink or food beside the appliances.

Cisco Catalyst 2960 units may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.

Cisco Catalyst 2960 units are delivered by vendors with users manuals either with dedicated Sections related to each asset or with a full users manual allowing for customization of the configuration. The main reference guide for the Cisco 2960 is entitled Catalyst 2960 Switch
Software Configuration Guide. CIO uses all the best practice guidelines available for these units in the guide. The guide is included in the series of manuals which are available in the manuals folder.

No specific training is provided to users in relation to the assets covered in this OWI as most users intuitively know how to use basic functionality. However CIO have a number of Cisco trained professionals to CCNA levels which allows CIO to perform a number of administration duties with internal staff and without requiring external assistance.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Tipping Point X505 OWI

Scope:

The purpose of this document is to provide full Operating Work Instructions for the use, maintenance and support of the Tipping Point X505 in use within the framework of the PKI CA (namely for PKI DC and Juffair).

Responsibility & Asset Ownership:

The Network Manager is responsible for ensuring that this OWI is fully implemented and regularly updated to reflect any changes in the environment at CIO. As per the asset list the Network Manager is the owner of the assets covered in this OWI.

Details of the Operating Work Instruction:

F. Integration and Initial Set-up

The Tipping Point hardware firewall and IPS appliance(UTM) is easy to install and very intuitive to set-up. Once plugged in line between a switch and a network access the unit needs to be powered up and is already working in transparent mode.

The Tipping Point Unit can support mixed environments irrespective of topology or IP addressing scheme. We have implemented the following mode of the UTM:

- NAT (including Virtual Server and PAT)

The UTM is configured with the following:

Interface 1 – External (Connected to CIO Isa Town main core switch)

Interface 2 – Frontend (Connected to Switch Subnet 2)

Interface 3 – Backend (Connected to Switch Subnet 3)

Interface 4 – HSM (Connected to Switch Subnet 4)

Tipping Point testing is carried out initially to ensure that the solution works transparently and allows legitimate traffic through and does show in its logging interface the number of attacks being stopped or simply logged. Each type of attack will generate an alert which can be sent via multi channel such as SMS or e-mail to the Network Manager and/or Information Security Manager.

Policy and Configuration Instructions:

The Network Manager in co-operation with the Information Security Manager decides on the policy implemented on the Tipping Point appliances. The policy is then implemented and saved with a back-up of the latest policy to be saved in CIO Juffair to allow for Disaster Recovery purposes.

The units allow for the following features to be implemented.

User Set-up

The Network manager will set-up accounts for themselves and the Information Security Manager.

Client and Server Protection

Spyware and Peer-to-Peer Protection

Multiple Security Zones

Flexible Policy Engine

Unified control of multiple services:

Encryption and Authentication

On-box and external RADIUS database
URL Filtering

Web Content Filtering

Annual subscription includes:

TippingPoint Isa Town

Item Policy Rule Description Justification
1 Deny all services Firewall is set to deny all access for all services to any servers behind it. Allows only specific traffic through the network.
2 Spyware turned on Allows to protect CIO against known Spyware attacks Spyware could compromise the Integrity and availability of CIO PKI CA
3 X.509 Digital Certificate authentication
from internal or third-party certificate
authorities Allows CIO to ensure that certificates created by Digi-CA are let through the Tipping Point Allows for secure communication of CA certs to relevant parties
4 Intrusion Prevention System/Intrusion Detection System Detects and prevents intrusion from all attacks. Blocks and prevents any other attacks not blocked by firewall

TippingPoint Firewall Juffair

Item Policy Rule Description Justification
1 Deny all services Firewall is set to deny all access for all services to any servers behind it. Allows only specific traffic through the network.
2 Spyware turned on Allows to protect CIO against known Spyware attacks Spyware could compromise the Integrity and availability of CIO PKI CA
3 X.509 Digital Certificate authentication
from internal or third-party certificate
authorities Allows CIO to ensure that certificates created by Digi-CA are let through the Tipping Point Allows for secure communication of CA certs to relevant parties
4 Intrusion Prevention System/Intrusion Detection System Detects and prevents intrusion from all attacks. Blocks and prevents any other attacks not blocked by firewall

The policy which is implemented must be fully documented and updated on a regular basis within this document.

Secure Management and & Alert Escalations:

The TippingPoint X505 is supported by the TippingPoint Security Management System (SMS), an enterprise-class management platform, which provides intuitive management for multiple TippingPoint IPS or X505 devices. The TippingPoint SMS arrives with factory-installed software for simplistic installation. CIO use the standard web based configuration so that the Network manager can perform installation and maintenance routine tasks and to allow the Information Security Manager to access the logs and policy where applicable.

The SMS is to be used to create rules for alerts to be a configured to be sent to either the Network Manager [NM] and the Information Security Manager [ISM]. Currently the rules are not agreed and the NM & ISM have identified this as a risk that will be addressed, documented and provided in this Manual in time for the second update of the manual on 14 November, 2007

The X505 is configured to send email notification when a High Level alert is detected by it.

Red Hat Isa Town

Item Issue Escalation patch Action Item / Remediation
1 Red(High Priority Alert) – can be from Intrusion Detected, Worm outbreak, etc. Send alert to Network Manager Integrity Checks to be ran on CIO network

Red Hat Juffair

Item Issue Escalation patch Action Item / Remediation
1 Red(High Priority Alert) – can be from Intrusion Detected, Worm outbreak, etc. Send alert to Network Manager Integrity Checks to be ran on CIO network

CIO to complete tables for each implementation PKI DC and Juffair. Information included in the example shown is for guidance purposes only.

In terms of performance monitoring, the Tipping Point x505 should be ample for the requirements of CIO at present. However should service be degraded and performance be impacted CIO should review the logs of the Tipping Point to check that the bandwidth and performance capabilities of the units are not maxed out. If so configuration might be changed or a requirement for a clustered Tipping environment to improve performance should also be envisaged, to be decided by the Network Manager and Information Security Manager to be submitted for approval according to the rules of this ISMS.

Subscription and Advance Replacement Instructions:

Tipping Point is covered under subscription with Fakhro Electronics with 1 year subscription. This ensures that the database of attacks for which Tipping Point scans is fully up to date. Fakhro Electronics can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network Manager whether it might be appropriate to continue operations without Tipping Point Protection. When replacement units are delivered and implemented, the configuration of the original unit must be implemented and tested as per the initial implementation. All associated actions must be documented and signed off by the Information Security Manager and the Network Manager.

Additional Notes pertaining to the Operational Working Instructions:

The Tipping Point units are to be kept clean of dust and users may not leave drink or food beside the appliances.

Tipping Points units may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.

Tipping Point units are delivered by vendors with users manuals either with dedicated Sections related to each asset or with a full users manual allowing for customization of the configuration. Where applicable such manuals are available in the manuals folder.

Full activity and log reports are available out of the box for Tipping Point and should be produced on a monthly basis by the Network Manager and sent to the Information Security Manager for review. Should the Information Security Manager request changes to the policy this must be done in accordance to the change control procedure.

No specific training is provided to users in relation to the assets covered in this OWI as most users intuitively know how to use basic functionality.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Motion Detector, Alarm, Power Supply & Siren OWI

Operating Work Instructions – Alarm Control Panel, Speech Dialler, Siren, Power supply, LCD Keypad and Motion Sensors

Scope:

This document covers the Operating Work Instructions for the Alarm Control Panel, Dialer, Siren, Power supply and LCD Keypad located throughout the datacenter in Isa Town.

Responsibilities:

The safe is the responsibility of the Physical Security Section of CIO’s Information Security Section.

Details of Operating Work Instructions:

1. Alarm Control Panel is Veritas Excel.
a. 12 zones panel, 2 partitions, 32 user codes, 4 outputs relay modules, 8 programmable outputs with 12 V battery for backup
2. Speech Dialler is Texecom Speech Dialler.
a. 32 character LCD display, 4 voice message(each up to 32 seconds), 8 voice message, 4 trigger input
3. Siren is Texecom Odyssey 1 and is mounted on the outside wall of Isa Town’s Computer Room.
4. Power supply is Yuasa NP2.8-12 12V 2.8AMP Battery to provide backup power in case of power failure to the Alarm Control Panel.
5. LCD Keypad is Texecom Premier LCDL Keypad
a. Remote keypads with standard 32 character LCD display and a speaker driver unit for programmable volume control, surface mount
6. The motion sensors are Texecom Mirage Pro-Quad Q-Logic Movement sensors.
7. All the sensors are connected to the alarm control panel.
8. To ARM the alarm: PRESS
and FULL button.
9. To RESET the alarm: PRESS <4 digit access code> and RESET button.
10. As part of the PKI Data centre construction project, all the items mentioned above have a 2 year warranty and support from Mantech from the date of handover.
11. Security:
a. The access code for the alarm is held by Physical Security Section personnel only and is changed regularly.
b. The alarm has a 20 second window from alarm is armed OR when an intruder detected inside the Data centre.
c. If the access code is failed to be entered in 20 seconds, the siren on the outside of the building will sound and flash. The speech dialler will then call the numbers stored in memory in the following order:
i. Physical Security Personnel 1
ii. Physical Security Personnel 2
iii. Head of PKI
iv. CA Administrator
d. The dialler will keep on dialling the numbers above in order until it is answered.
12. Emergencies:
a. In case of failure, contact Mantech 17730459.
.
Ownership:

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Backup Air Conditioning Unit OWI

Scope:

This document covers the Operating Work Instructions for the Backup Air Conditioning Unit located throughout the PKI Data centre in Isa Town.

Responsibilities:

The backup air conditioning unit is the responsibility of the PKI Section of CIO’s Information Security Section.

Details of Operating Work Instructions:

1. The backup air conditioning units to be used in case of failure of the main air conditioning unit or when the temperature in the data centre is not of suitable operational temperature.
2. The backup air conditioning units consists of an outdoor unit and an indoor unit.
3. The indoor unit is rated 2400 BTU.
4. All the air conditioning units are part of the PKI Data centre construction project.
5. As per contract with Mantech (Ref:PKI Data centre Construction contract), all parts and fittings of the data centre are subject to two years warranty by Mantech from the date of the handover, which is 11 March 2007 (Ref: LTR/VP/07/08/CIO/H1)
6. All the air conditioning units have been tested prior to handover.
7. Emergencies:
a. In case of any malfunction of the air conditioning units, the Vendor shall be informed for any replacements (Ref: Doc 7.1B)

Ownership:

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Dust & Fire Protection OWI

Operating Work Instructions – Fire/Dust Detection & Fire Suppression System

Scope:

This document covers the Operating Work Instructions for the Fire/Dust Detection & Fire Suppression System located throughout the PKI Data centre in Isa Town.

Responsibilities:

The safe is the responsibility of CIO’s Administration Department.

Details of Operating Work Instructions:

1. CIO Isa Town’s Computer Room is protected by Fike Corporation’s SHP Pro Fire Protection System.
2. The system consists of :
a. Somke Fire/Dust Detectors (located on the ceiling void, roof and under the raised floorings)
b. Fike Corporation Single Hazard Panel(SHP) – Alarm/System Control Panel
c. FM 200 Gas tank and release nozzles
3. The Fire Protection System is installed by ALMoayyed Trading & Contracting.
4. This system is part of a project which includes the installation and commission of UPS, Main Air Conditioning Unit and Fire Protection System.
5. The Fire Protection System is regularly tested to by the Vendor.
6. The SHP for the system is located on the outside of the Computer
7. Manual for the Fire Suppression System is available.
8. Emergencies:
a. When a fire is detected, the alarm siren will immediately sound, after 90 seconds the FM 200 gas will be released.
b. The release of the gas can be delayed by 1 minute by pressing a button on the SHP panel.
c. The SHP has a battery backup, in case of power failure.
d. For support, contact Al Moayyed Trading and Contraction 17700777.

Ownership:

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Access Control System OWI

Scope:

This document covers the Operating Work Instructions for the Access Control in PKI Data centre in Isa Town.

Responsibilities:

The access control is the responsibility of the Physical Security Section of CIO’s Information Security Section.

Details of Operating Work Instructions:

1. Access to each of the room in the PKI Data centre is via Identix Fingerscan V20 UA biometrics fingerprint reader. The readers are connected to the fingerprint database pc in the Outer Core room via Ethernet.
2. Reader Description :
a. Identix Fingerscan V20 UA
b. Dimensions : Length: 6-1/2”, Width 6-3/4”
c. Enrollment time : <5 seconds
d. Verification time : <1 second
e. FAR/FRR: variable, configuration dependant
f. Template size: 512 bytes
g. Allowable Finger Rotation: =/1 18 degrees
h. Power: 12V DC, unregulated
i. Weight: 2lbs
j. Transaction Storage: 8000 (minimum buffering)
k. Communications: RS485, Wiegang, RS232;optional gateway-supported Ethernet or modem
l. Baud rate: 9600 to 57600 bps
m. Template storage: 512 or optional 5000 and 32000 template memory
n. Door controls: Lock output, tamper switch, 3 auxiliary outputs, 4 auxiliary inputs
o. Card reader input: Wiegand, proximity, magnetic stripe (serial), smartcard (serial), barcode(serial)
p. Card reader emulation output: Wiegand
q. Timezones: 30
r. Operating temperature: -10 to 50 degrees Celsius
s. Display: 2 line, 16 characters
t. Options: User memory expansions: 5000 and 32000 templates, LCD display, integrated proximity card reader, dial up modem, Ethernet communications (10BAST-t), and Fingerlan IV
3. Manual for the safe is available in the Manuals folder (Access control tab).
4. As part of PKI Data centre Construction project deliverables, the access control items has a 2 year warranty from the date of handover.
5. Security:
a. Entry would require a Physical security personnel and another person ie. all rooms require dual access.
b. A Physical Security personnel MUST be present in all room which requires access.
c. A user can use either his/her access code or an access card with his/her fingerprint to access.
6. Emergencies:
a. In case of power failure, access would not be available but the door lock will be powered.
b. In case of network failure between reader and Fingerlan pc, the reader would still be able to provide access with templates stored on the reader itself.
c. For support, contact Mantech 17730459.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Telephone OWI
Scope:

This document covers the Operating Work Instructions for the fully functional telephone located in the Outer Core room in PKI Data centre in Isa Town.

Responsibilities:

The fully functional telephone is the responsibility of the CIO’s Administration Department.

Details of Operating Work Instructions:

1. Telephone Description : Panasonic Phone KX-T2375JXW
2. The telephone is connected to a direct line in Isa Town. Phone number: 17878121. It is also connected to the intrusion alarm dialler which dials in case of emergency.(Refer to OWI – Alarm).
3. The telephone line is provided by Batelco, which provides exchange for the whole Isa Town building.
4. The wiring for the telephone line is done by Technoland.
5. Manual for the safe is available in the Manuals folder (Telephone).
6. Emergencies:
a. Should the telephone fails, the telephone line can be connected directly to the alarm.
b. If the telephone line is down, please contact Batelco on 17881111
c. If the telephone line is down due to error in wiring, contact Techoland on 17271714.

Ownership:

This document is owned by CIO’s Administration Department.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Safe OWI

Scope:

This document covers the Operating Work Instructions for the Safe located in the Safe room in PKI Data centre in Isa Town.

Responsibilities:

The safe is the responsibility of the PKI Section of CIO’s Information Security Section.

Details of Operating Work Instructions:

1. Safe is a Media rated TL-15 safe
2. Safe Description : Chubb Safe Europa Grade 1 Size 2
3. Front safe door is protected by digital combination lock and a key. The deposit boxes in the safe have dual locks. One individual key and one common key for all locks.
4. Manual for the safe is available in the Manuals folder (Safe tab).
5. As part of the PKI Data centre construction project, the Safe has a 2 year warranty and support from Mantech from the date of delivery.
6. Security:
a. The digital combination for the safe door and the safe door key will be held by different individuals. If needed, the combination lock can also be set to require 2 user inputs instead of it. Current setting is set to 1.
b. One personnel will hold the common key to all deposit boxes while and individual responsible for the safe deposit box will hold the individual key.
7. Emergencies:
a. In case of fire, the safe is rated to withstand fires up to 2 hours
b. If the batteries to the combination lock have not been changed in time and the tension does not suffice to cancel the lock’s blocking feature, a new 9V ALKALINE battery can be pressed to the contacts on the entry pad.
c. The code the safe remains active even as the power supply fails.
d. For support, contact Mantech 17730459.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Door Exit Push Buttons & Door Latch OWI
Scope:

This document covers the Operating Work Instructions for the Door Exit Switches and Door Latches in the PKI Data centre

Responsibilities:

The items are the responsibility of the PKI Section of CIO’s Information Security Section.

Details of Operating Work Instructions:

1. There are 4 door exit push buttons and 4 door latches in the PKI Data centre
2. Exit Push Button Description : ALPRO Waterproof Exit Switches with Solid State Piezo technology with PUSH TO EXIT engraving
3. Door Latch Description : Trimec TS2001 Stainless Steel Mortice Latch Release (Monitored)
4. Pushing of the exit button releases the door latch, allowing exit. Both the exit button and the door latch are connected to the Access Control Biometrics (Refer to OWI – Access control).
5. Both latch and exit buttons are part of PKI CA Data centre construction project which has a two year warranty from the date of handover (Ref: PKI CA Data centre contract).
6. Emergencies:
a. The door latch is held magnetically via power from the Data centre. In case of power failure, the battery in the Access control is to provide power to the latch until power supply is restored.
b. In case of any failures, contact Mantech 17730459.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

CCTV OWI

Scope:

This document covers the Operating Work Instructions for the CCTV Cameras, DVR Remote Control ,Monitor, Digital Video Recorder (DVR) and coaxial cables located in the Outer Core room in PKI Data centre in Isa Town.

Responsibilities:

The safe is the responsibility of the Physical Security Section of CIO’s Information Security Section.

Details of Operating Work Instructions:

1. Three CCTV cameras are connected via coaxial cables to the DVR. The monitor is attached to the DVR and DVR can be controlled using keypads on the DVR or via remote control.
2. Descriptions:
a. CCTC Camera – Infinova V1466F-3895A14 CCTV, Vandal resistant x 3
b. DVR - Infinova V3010/4L Digital Video Recorder,4 Channels 80 GB Hard disk
c. Monitor - Infinova V1322T/14 14” Digital Color Monitor 1 channel
d. Coaxial cables - LOT

3. The CCTV camera monitors:
a. Entrance to the Outer Core room
b. Entrance to the Inner Core room
c. Entrance to the Safe Room.
4. The DVR is set to capture only movement detected by the CCTV cameras.
5. The CCTV cameras is also able to capture movement in 0 LUX(no lights) as such the lights to the data centre are switched off when not occupied.
6. The manual for all the items mentioned above is available in the Manuals folder.
7. Security:
a. Access to the DVR is protected via a PIN code. PIN code can be entered using keypad on the DVR or via the remote.
b. The DVR is also accessible via Infinova’s Remote Monitoring Software.
c. Setup of the DVR can be done either via the DVR or by using the Remote Monitoring Software.
8. Footage from the DVR will be periodically downloaded to the PC with the Remote Monitoring Software installed.
9. As part of PKI Data centre Construction project deliverables, all the items above have a 2 year warranty from the date of handover of project.
10. Emergencies:
a. In case of lost feed from cameras, please contact Mantech 17730459 for support.

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

Light Fittings & Switches OWI

Scope:

This document covers the Operating Work Instructions for the Lights fitting and switches located throughout the PKI Data centre in Isa Town.

Responsibilities:

The lights fitting and switches is the responsibility of the PKI Section of CIO’s Information Security Section.

Details of Operating Work Instructions:

1. All the lights fitting and switches are part of the PKI Data centre construction project.
2. As per contract with Mantech (Ref:PKI Data centre Construction contract), all parts and fittings of the data centre are subject to two years warranty by Mantech from the date of the handover, which is 11 March 2007 (Ref: LTR/VP/07/08/CIO/H1)
3. All the lights fittings and switches have been tested prior to handover.
4. Emergencies:
a. In case of any breakage/malfunction of the lights fittings and switches, the Vendor shall be informed for any replacements (Ref: Doc 7.1B)

Adlin Hisyamuddin
Information Security Manager

____________________________

On:

08 November, 2007
____________________________

Change history

Issue 1 08 November, 2007 Initial issue

17. Appendix IV

Appendix IV – Place Organizational Chart here

17. Appendix V – Standards & Compliance

[4] All future assets used in the Trust Centre must conform to the following, as applicable:

Owner	Organization	Function	Address	Contact	Telephone	E-mail	Web

Implementing ISO 27001

1. Scope of the ISMS

2. Documentation

3. PLAN-DO-CHECK-ACT

4. Risk Management Framework

5. Information Security Policy

6. Organisation of Information Security

7. Asset Management

8. Human Resource Security

9. Physical & Environment Security

10. Communications & Operations Management

11. Access Control

12. Information Systems

13. Information Security Incident Management

14. Business Continuity Management

15. Compliance

16. Change Management

17. Appendix I – Contact List & Details

17. Appendix II – Inventory of Assets, Suppliers & Authorities

17. Appendix III - Operating Work Instructions [OWIs]

17. Appendix IV

17. Appendix V – Standards & Compliance