Communications Limited
(PMCL)
Policy Manual
Rev 00
Page 2 of 93
Table of Contents
1. INTRODUCTION AND PURPOSE
2. SCOPE
3. TERMS AND ABBREVIATIONS
4. POLICIES MAPPING WITH ISO CONTROLS
4.1. INFORMATION SECURITY GOVERNANCE
4.2. ORGANIZATION OF INFORMATION SECURITY
4.3. HUMAN RESOURCE SECURITY
4.4. ASSET MANAGEMENT
4.5. ACCESS CONTROL
4.6. CRYPTOGRAPHY
4.7. PHYSICAL AND ENVIRONMENTAL SECURITY
4.8. OPERATIONS SECURITY
4.9. COMMUNICATIONS SECURITY
4.10.
4.11.
4.12.
4.13.
4.14.
COMPLIANCE
5. APPENDICES
Date
Author
Reviewer
1. Head IS, Strategy & Governance.
2. Legal Department.
Information Security Governance (ISG) Team
1.0
Comments
First Version
Approvers
Version
Approver
Division
1.0
1.0
Technology
1.0
Human Resource
1.0
Legal
1.0
Finance
1.0
Regulatory & Corporate Affairs
Distribution List
S. No.
1
Name
All Employees & PMCL Users
2
3
4
5
6
7
Purpose
Adherence and Compliance.
Date
2. Scope
The scope of this document covers a set of directives required to be in place to support
the implementation of information security in accordance with the ISO 27001:2013 standard
and business requirements to achieve PMCL goals for the protection and management of
PMCL information assets.
All Users including employees of PMCL, contractors and authorised guests (i.e., staff,
temporary staff, third-party contractors, affiliates and guests, etc.) shall comply with
these directives and follow the appropriate and relevant procedures envisaged under or
pursuant to this Policy Manual.
Admin / Super User: means relevant Users within the IT department with
unlimited access or extensive access rights in the application, on database level
and/or operating system level.
Black box testing: means a method of software testing that examines the
functionality of an application without peering into its internal structures or
workings.
FTP: means File Transfer Protocol which is a standard network protocol used to
transfer computer files between a client and server on a computer network.
FTPS: means an extension to the commonly used File Transfer Protocol (FTP)
that adds support for the Transport Layer Security (TLS) and the Secure Sockets
Layer (SSL) cryptographic protocols.
PMCL Users: Are users with access to PMCL information and information
processing environment categorized into the following user groups:
o
o
o
o
Public networks: means a type of network wherein anyone, namely the general
public, has access and through it can connect to other networks or the Internet.
Root Cause Analysis: is a method of problem solving that tries to identify the
root causes of faults or problems. A root cause is a cause that once removed from
the problem fault sequence, prevents the final undesirable event from recurring.
Risk Assessment: means overall process of risk identification, risk analysis and
risk evaluation.
SFTP: means SSH File Transfer Protocol, or Secure File Transfer Protocol which is
a separate protocol packaged with SSH that works in a similar way over a secure
connection.
SLT: means Senior Leadership Team constituted for the purpose of this Policy.
Telnet: means a user command and an underlying TCP/IP protocol for accessing
remote computers.
Third party code review: means a software source code review performed by
an independent expert.
TIA-942: means the Telecommunications Industry Association (TIA) ANSI/TIA-942-A Telecommunications Infrastructure Standard for Data Centers which is an
American National Standard (ANS) that specifies the minimum requirements for
telecommunications infrastructure of data centers and computer rooms including
single tenant enterprise data centers and multi-tenant Internet hosting data
centers.
Transport Layer Security (TLS): means TLS and its predecessor, Secure
Sockets Layer (SSL), both of which are frequently referred to as "SSL", are
cryptographic protocols that provide communications security over a computer
network.
VLAN: A virtual LAN (VLAN) is any broadcast domain that is partitioned and
isolated in a computer network at the data link layer (OSI layer 2).
Wireless networks: means computer networks that do not need to be
connected by cables of any kind in order to function.
Policy
Controls
Organization of Information Security
Asset Management
Access Control
Operations Security
System Acquisition, Development and Maintenance
Compliance
Manager Information Security
IS Tactical / Operational Team
Information Security / Cyber Security Coordinator(s)
Operational Level
Information Security Group (ISG) Head
Tactical Level
Chief Technology Officer (CTO)
Chief Executive Officer (CEO)
Strategic Level
The following information outlines the primary roles and responsibilities of various PMCL
employees, departments, and workgroups (i.e., committees), only as they pertain to the
ISMS.
4.1.2.1. Board of Directors
Board of Directors responsibilities include, but are not limited to:
a. Provide executive level strategy and guidance to PMCL senior leadership
b. Review and approve information security policy(ies), as needed.
4.1.2.2. Senior Leadership Team (SLT)
The Information Security (IS) SLT, headed by the PMCL CEO and assisted by the CTO,
leading PMCL's ISMS, shall bear the overall responsibility to direct and drive
PMCL's IS vision, business goals and objectives, and, in collaboration with the ISG Head,
set the strategic direction for Information Security.
The key responsibilities of the PMCL SLT include:
Set the strategic direction for information security by establishing goals for PMCL
information security management program.
Provide executive level strategy and guidance to the ISMS and other information
security stakeholders, as needed.
Review the ISMS policies and procedures and propose amendments, if required,
for seeking approval from the Board of Directors.
f.
g.
h.
i.
j.
k.
l.
m.
n.
o.
Follow-up with third party service providers on all information security incidents
in a timely manner and report to IS Manager and/or ISG Head as required.
Perform or direct the performance of root cause analysis on key security events
and incidents reported.
Maintain the risk register and ensure that all threats and vulnerabilities reported
by internal audit, vulnerability assessment / penetration testing projects, Risk
Management department etc. are all followed and remediated in a timely manner.
Coordinate delivery of information security awareness and training programs to
personnel.
The ISMS Coordinators shall meet with the IS Manager and IS Operational Team on a
regular basis (at least once a month) or as needed, to discuss the ISMS maintenance,
implementation and continual improvement activities going on throughout PMCL.
List of ISMS Coordinators shall be maintained by the IS Manager.
4.1.2.7. PMCL Business Unit-Level Information Security Management:
All managers including business unit heads are responsible to ensure the established IS
procedures are satisfied within their areas of responsibilities.
The PMCL HR must ensure that established IS procedures are included within the whole
employee life-cycle, e.g. new hires, changes in role and leavers.
Responsibilities for major security areas other than the ISG function are defined
in the table below:
Security Area
Designated Department
Asset / Risk Owners
Human Resource Department
Security Department
Contracts / Legal department
Technology Compliance function
Proper authentication
Adequate audit logging to check for circumvention of the segregation
Use strict change control of software and data changes requiring separate
persons to perform the following roles:
Change request
Implementation in production
Anticipate and prepare for upcoming changes to such laws and regulations.
Relevant Areas
Legal Department
For maximum effectiveness and impact, the Information Security Advisor shall be
allowed direct access to management all across the organization.
Projects executed at PMCL, regardless of the type of the project, shall involve the
Information Security team to perform due diligence to integrate the security
requirements in projects.
Portable devices shall be controlled through this policy to protect the information
processed or stored on end users' portable devices. This is essential to ensure
protection when using these devices to access sensitive or confidential data /
information by PMCL users.
Privately owned portable devices shall be prohibited from connecting to the PMCL
networks unless explicitly allowed for business use in accordance with Access
Control Policy.
All access to PMCL data from a portable device should be through prior approval
in accordance with Access Control Policy.
Users shall be instructed not to permanently alter any built-in or installed security
controls (configuration settings, software and/or service) in a way that reduces the
security posture of the device (unless as directed by the PMCL IT or ISG team),
and where appropriate, these settings should be managed centrally.
Portable devices shall be maintained according to the Portable Device / Bring Your
Own Device standard mentioned in Appendix 1.
4.2.2.2. Teleworking
Access control: PMCL users shall ensure that access to PMCL resources is
properly protected at the teleworking site including protection of PMCL
equipment and information from access by family and/or visitors.
HR's employee selection and recruitment process should ensure that employee
verification procedures (for background checks and screening) take into account
all relevant privacy, protection of personally identifiable information and
employment-based legislation. Such procedures should identify who is
eligible to screen people and how, when and why verification reviews are carried
out. All personal information on candidates should be handled in accordance with
all applicable legislation including, where applicable, informing candidates
beforehand about the screening activities.
The screening process should also cover contractors i.e. Third Parties with access
to Confidential Information pertaining to PMCL and/or its Customers. In these
cases, the agreement between PMCL and the contractor should specify
responsibilities for conducting the screening and the notification procedures that
need to be followed if screening has not been completed or if the results give
cause for doubt or concern. These background checks should either be similar to
those used for employee candidate checks or through a confirmation received
from a reputable commercial supplier that equivalent checks have occurred and
no adverse factors were discovered.
All employees shall sign the terms and conditions of their employment, the
Acceptable Usage policy, and also the Non-Disclosure Agreement, where
The process of hiring should ensure that the candidates be disqualified upon
providing incorrect information at the time of hiring e.g. falsified employment
history, incorrect academic / professional qualifications record etc.
The contractual obligations for employees or contractors should reflect PMCL's
information security policies and require:
o
for
information
Relevant line managers should require that all users apply security in accordance
with the established information security policies and procedures by ensuring that
users:
o
Are provided with access to the relevant security policies, standards and
procedures
PMCL's staff shall undergo security awareness training on a periodic basis (at
least once in a year), on PMCL information security policy and related
documentation, responsibilities and expectations.
Disciplinary actions shall be taken against PMCL users in the event of violation of
PMCL Information Security Policy and related documentation, according to
applicable regulatory requirements and in co-ordination and compliance with the
HR disciplinary action process.
HR department should also document any disciplinary steps that would be applied
to any employee or contractor who accidentally or inadvertently violates security
policies or procedures. Such steps could include warnings, along with mandatory
All information assets listed in the asset inventory shall be assigned an Asset
Owner, according to the Information Asset Management Procedure.
The Asset inventory should serve as input to a risk register used for risk
management activities where assets can be summarized by Asset type
(electronic, paper, physical hardware (servers, laptops, workstations, routers,
All employees and external party users using or having access to PMCL's assets
should be made aware of the information security requirements, in the form of
Acceptable Usage requirements (see Appendix 2), of PMCL's assets associated
with information and information processing facilities and resources. They should
be responsible for their use of any information processing resources and of any
such use carried out under their responsibility.
Employees and Third Party staff shall be prohibited from doing any of the
following:
Gaining access to other PMCL systems for which proper authorization has
not been granted
Employees and Third Party staff shall be prohibited from establishing the
following within PMCL's technical infrastructure or on behalf of PMCL without prior
documented approval from PMCL ISG team:
o
Information Usage
E-mail Usage
Portal Usage
Internet Usage
Remote Access
Password Usage
Printer Usage
Physical Security
Unacceptable use
Disclaimer
Enforcement
All users shall return all of the organizational Assets in their possession upon
resignation, termination or transfer in accordance with the Information Asset
Management Procedure and HR procedures.
All information assets identified in the asset inventory shall be classified based on
a formal process according to the classification scheme defined in the
Information Asset Management Procedure.
Information asset classification should be aligned with the access control policy
Information asset classification should have conventions for assigning
When in use, storage or transit, removable media shall be physically and logically
protected against loss, damage, abuse or misuse.
Media should be removed based on formal authorization from the asset owner
and how audit trails should be maintained.
Old media should be replaced with fresh media periodically before it becomes
unreadable from degradation. Relevant operational teams shall be responsible for
classifying the media as Old media.
Use of removable media drives should only be allowed based on access control
policies and valid business requirements.
PMCL ISG should monitor the transfer of information to removable media with
an appropriate mechanism such as a Data Leakage Prevention (DLP) system.
Third party collection and disposal services for media should be carefully
selected with adequate safeguards and experience and require certificates
of disposal or removal completion
For hard copy documents, CDs, DVD, etc., sealed shredder containers should be
available where hard copy outputs are generated (e.g., rooms with printers and
fax machines).
Audit logs should be kept, identifying the content of the media, the
protection applied as well as recording the times of transfer to the transit
custodians and receipt at the destination.
Asset owners shall determine appropriate access control rules (both logical and
physical) towards their assets based on risk.
Access rights shall be defined on minimum level of access in accordance with the
job description, roles and responsibilities of the user.
Administrative access rights shall not be given to any user unless highly
required by the business, and the request shall be approved by the
relevant Head of Department. Such requests should subsequently be assessed
and approved by ISG team manager or the appropriate delegate. Moreover, ISG
team shall maintain a record to identify who has been assigned the
administrative / super user access rights.
Approval of request
Monitoring of changes
be changed
following
the
Access to networks and network services shall be granted after approval by ISG
team, based on business needs and after evaluating any security risks and their
impact on PMCL, according to the Access Control Procedure.
maintain a list of the networks and network services which are allowed to
be accessed
define the means used to access different networks and network services
(e.g. use of VPN or wireless network) along with appropriate user
authorization requirements for securing the access
Using unique user IDs to positively identify users; shared IDs should only
be permitted where they are necessary for business or operational reasons
and should be approved and documented
Immediately disabling or removing user IDs of users who have left PMCL
PMCL ISG team shall review periodic reports (e.g., weekly or fortnightly) for
account exceptions (e.g., locked-out accounts, accounts with passwords that
exceed the maximum password age, and accounts with passwords that never
expire).
A formal process for the assignment of user access rights (access provisioning) to
a system shall be defined and implemented according to the Access Control
Procedure in order to assign or revoke access rights and privileges for all user
types to all systems and services.
The level of access granted shall be verified as appropriate to the access control
policies and consistent with other requirements such as:
o
Access for Third Parties is only for the duration of their work for PMCL and
access is granted only after receipt of a signed confidentiality agreement
or PMCL-wide confidentiality agreement. All service personnel performing
work on PMCL systems, such as hardware repair, software upgrade, and
maintenance vendors, should either have a PMCL-wide confidentiality
agreement in place or sign a confidentiality agreement prior to starting
work
Access rights and privileges should not be activated before the authorization
process is completed.
The allocation and use of privileged access rights shall be restricted and
controlled through a formal authorization process according to the Access
Control Procedure.
The privileged access rights associated with each system, process or application
and the users to whom they need to be allocated shall be identified.
Privileged access rights should be limited and only allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy,
i.e. based on the minimum requirement for their functional roles.
Privileged access rights should only be granted with a defined expiry so as to not
grant permanent administrative privileges to PMCL Employees that require such
privileges only for infrequent or special job responsibilities.
Privileged access rights shall be assigned to a user ID different from those used
for regular business activities. Regular business activities should not be
performed from a privileged ID. Where technically feasible, privileged IDs should
never be shared. Users should only use the Windows administrator or Unix
root accounts in emergency situations. Individual Domain administration
accounts should be used when required for system administration instead of local
administrative accounts.
For secret authentication information assigned to a group, the group owner shall
be its owner and shall bear the overall accountability for its use. The secret
authentication information for the group shall be changed at periodic intervals
based on risk.
Asset owners shall review users' access rights, i.e. matching active users to each
account, on a periodic basis / at regular intervals. If an account is not assigned to
an active user or is no longer authorized, it should be disabled.
Access may continue for a specified period of time if this is provided for as
part of a separation agreement; access should be limited to only PMCL
systems specified in such a separation agreement.
Access for group IDs: remove departing users from any group access lists
Users shall be required to follow PMCL's policy on the use of secret authentication
information, i.e. passwords for authentication to PMCL's systems, networks, and
computing devices as outlined in Appendix 5.
Do not use the same secret authentication information for business and
non-business purposes (e.g., Internet email, Internet banking and social
networking services)
Applications shall have the functionalities to control the access rights of users.
Access to information and application system functions should be restricted by
considering the following in order to support the access restriction requirements:
o
Controlling the access rights of users, e.g. read, write, delete and execute
Network and systems login shall be protected against brute force log-on attacks
by locking accounts after a maximum number of consecutive failed login
attempts. The account should be locked out and allowed to be reset after a
minimum period of time as defined in Appendix 6.
Do not provide help messages during the log-on procedure that would aid
an unauthorized user
log-on
attempts
since
the
last
Raise a security event if a potential attempted or successful breach of log-on controls is detected
Program source code and the program source libraries should be managed
by automated tools, where possible
4.6. Cryptography
The purpose of this policy is to outline the controls that ensure appropriate and
effective protection of the confidentiality, authenticity and / or integrity of confidential
information.
User Computers (including laptops and portable devices (e.g., mobile phone,
smartphone, PDA, media pad or tablet)) shall be configured to encrypt PMCL
confidential information data using the cryptography standard mentioned in this
policy.
All confidential information stored on portable media (e.g., CDs, external hard
disks, flash drives) shall be encrypted using the cryptography standard mentioned in
this policy. Where feasible, users should be required to use PMCL issued and
approved encrypted portable storage media.
All remote access shall be over approved encrypted channels using the cryptography
standard mentioned in this policy.
shall
be
encrypted
using
Key Management
Activation and deactivation dates for keys should be defined so that the
keys can only be used for the period of time defined in the associated key
management policy
Security perimeters should be defined, and the siting and strength of each
of the perimeters should depend on the security requirements of the
assets within the perimeter and the results of a physical security risk
assessment
prevent
the date and time of entry and departure of visitors should be recorded,
and all visitors should be supervised unless their access has been
previously approved
a physical log book or electronic audit trail of all access should be securely
maintained and monitored
PMCL shall maintain relevant contacts as well as obtain and document specialist
guidelines specifying how to avoid damage from fire, flood, earthquake,
explosion, civil unrest and other forms of natural or man-made disaster.
being operated within that area. SOPs should include controls for the Employees
and relevant Third Party users and cover activities such as the following:
o
Delivery and loading areas shall be isolated from PMCL's information processing
environment and shall be adequately monitored.
Delivery personnel should not directly access rooms containing computer and
communications hardware and software. In addition, delivery personnel should be
escorted by authorized personnel at all times.
Equipment siting controls shall be inherited from PMCL's HSE physical and
environmental controls procedures. The following guidelines should be
considered, where appropriate, for the protection of sensitive equipment:
o
Supporting utilities such as power supply, UPS, backup generator, gas, etc. shall be
controlled and maintained in accordance with the supplier specifications and the
service criticality.
Supporting utilities controls shall alert relevant parties in the event of failure or
performance degradation.
Only authorized maintenance personnel should carry out repairs and equipment
service.
Records should be kept of all suspected or actual faults, and of all preventive and
corrective maintenance.
Spot checks shall be performed on a periodic basis (at least annually) to detect
unauthorized removal of information assets.
PMCL equipment dealing with the sensitive information held off-premises should
be protected by adhering to the following directives:
o
All items of equipment containing storage media should be verified to ensure that
any sensitive data and licensed software or copyrighted information has been
physically destroyed, deleted or overwritten using techniques to make the original
information non-retrievable prior to disposal or re-use. Where disposal is through
a Third Party service provider, a certificate of removal completion shall be
required.
Portable storage devices, such as USB thumb drives, flash memory cards
& portable hard drives
All data on media shall be erased by overwriting storage areas in multiple passes
with random data.
PMCL should consider using data erasure software to facilitate the destruction of
data. This software should provide the user with a validation certificate indicating
that the overwriting procedure was completed properly and that all hidden areas
have been erased, and should provide a defects log list and list the bad sectors
that could not be overwritten.
Unattended equipment shall be protected from unauthorized access and use. This
includes appropriate protection for both physical theft and unauthorized access to
data contained on the devices. This should include the following measures:
o
Physically securing laptops and portable devices when not in use (e.g.,
cable locks, locking cabinet or locked room)
PMCL shall establish the following controls to ensure clear desk and clear screen to
protect PMCL's information assets:
Computers and user terminals should be left logged off or protected with
a screen and keyboard locking mechanism controlled by a password, token
or similar user authentication mechanism when unattended
Capacity analysis shall be performed for all systems based on the service
criticality on a regular basis or whenever a major change is being planned.
Projected capacity and available budget shall be analysed and resources shall be
tuned in a timely manner to avoid degradation of service or business disruption in
accordance with the Performance, Availability and Capacity Management Procedure.
Users should use different user profiles for operational and testing
systems, and menus should display appropriate identification messages to
reduce the risk of error
Sensitive data should not be copied into the testing system environment
unless equivalent controls are provided for the testing system
Testers and developers shall be granted limited access to the development and
test environments in accordance with the Access Control Procedure.
Malware protection for system, user computers and media shall be provided
through the installation of appropriate approved centrally managed anti-malware
programs. Scans carried out should include:
o
Any files received over networks from the Internet or via any form of
removable storage media when inserted
Anti-malware software on systems and user computers shall be updated with new
anti-malware signatures as soon as possible but no later than 12 hours after
release. If a user computer has not been connected to the Internet or a PMCL
system or network for an extended time, the signature should be updated as
soon as the computer is reconnected.
User Computers and Systems shall be configured to not allow auto-run content
from removable devices when inserted. If the removable devices are not required
for business use, they should be disabled.
Controls should be implemented that detect and/or prevent the use of known or
suspected malicious websites (e.g. blacklisting).
4.8.3. Backup
4.8.3.1. Information Backup
Backups shall be performed on a periodic basis, the extent (e.g. full or differential
backup) and frequency of which, should reflect the business requirements for
data recovery, data retention and the criticality of the information to continued
operations.
Event logs shall be kept and regularly reviewed for security exceptions and
inappropriate user activities or automated alerts should be implemented (e.g.
through Security Incident and Event Monitoring (SIEM) solutions) to identify and
respond to security issues.
Event logging settings shall be defined and implemented as defined in the Log
Management Procedure in accordance with the service criticality.
Use of privileges
Logging facilities and log information shall be protected against tampering and
unauthorized access. Access controls shall be implemented with the aim to
protect against unauthorized changes to log information and operational problems
with the logging facility including:
Storage capacity of the log file media being exceeded, resulting in either
the failure to record events or over-writing of past recorded events in
alignment with data retention requirements
Audit logs shall be retained in accordance with PMCL record retention policies and
relevant local laws and regulations. Audit logs may be required to be archived and
digitally signed based on record retention policies or because of requirements to
collect and retain evidence.
End users using corporate devices shall have limited privileges to restrict them
from installing software or utility programs.
Audit controls shall be defined and implemented in accordance with the service
criticality.
Prior to enabling audit controls, a detailed analysis of the impact on the business
operation or system performance shall be conducted and adequate measures
shall be implemented.
Appropriate logging and monitoring should be applied to all key systems, inbound
/ outbound traffic, and intranet / WAN boundaries to enable recording and
detection of actions that may affect, or are relevant to, information security. This
should include:
Security controls over the network providers shall be defined and incorporated
into the relevant agreement. These controls shall cover but not be limited to:
service levels, security features and the right to audit.
The ability of the network service provider to manage agreed services in a secure
way should be determined and regularly monitored, and the right to audit should
be agreed.
PMCL's public Internet servers shall be separated from internal PMCL networks
and intranet servers. In addition, routers and firewalls should be implemented to
restrict traffic from public servers to internal PMCL networks. At a minimum,
firewalls should be deployed at all access points to non-PMCL networks.
Content involving PMCL users, customers, business partners or any other subjects
related to PMCL shall not be published on social media unless authorized by the
PMCL Corporate Communications team.
Users shall publish content on social media only on their own behalf and shall
refrain from speaking on behalf of PMCL without prior authorization.
Personal social media use shall not interfere with normal business activities,
involve solicitations, be associated with any for-profit outside business activity or
potentially embarrass the company and damage its reputation or image.
PMCL reserves the right to monitor how PMCL-owned information assets,
including computers, laptops and networking equipment, are used, and users shall
be mindful that any web browsing they do on PMCL's premises may be
monitored.
Guests shall be allowed PMCL Guest Wireless Access only after approval by PMCL
ISG team.
Access to PMCL wireless service shall be restricted to PMCL staff and authorised
users.
PMCL users shall not be allowed to set up any form of proxy service or similar
arrangements to enable more than one computer to access the network via a
wireless connection.
4.10.
The purpose of this Policy is to ensure that information security is embedded in the
information system acquisition, development and maintenance lifecycle.
An understanding of how the application will be used (use cases) and how
it might be misused and/or attacked (anti-use cases)
The data and services that the application will access or provide, and what
level of protection is appropriate given the acceptance of risk, applicable
regulations, and any reputational impacts should the application be
exploited
Previous incidents
Where applicable, information security requirements should address the following:
PMCL information passing over public networks or third party domains shall be
protected formally by an agreement between PMCL and external authorized
signatories to ensure that information in use and at rest is protected in
accordance with PMCL's information security requirements.
Rules for the development and maintenance of software and systems shall be
established and applied to developments within PMCL (e.g., explicit error
checking, input validation, and prohibiting hard-coding or otherwise incorporating
passwords or User IDs into software developed by or modified by PMCL
Employees) according to Application Security Framework.
Development, test, and production source code and files should be stored
in separate locations
Evidence that:
Acceptance testing programs and related criteria shall be established for new
information systems, upgrades and new versions. Criteria for accepting
applications should be defined to provide a level of assurance that the identified
security requirements are met. Specific techniques that should be used depending
on risk include:
o penetration testing
Test data should be selected carefully, protected and controlled. Production data
used for software testing should be sanitized and de-identified, including
removing or altering all Confidential and private information unless a written
exception is first obtained from the asset owner and ISG team. The following
guidelines should be applied if production data is allowed, based on a valid
exception, for testing:
o Randomizing numbers numeric values to protect any personally identifiable
4.11.
Supplier Relationships
The purpose of this Policy is to protect PMCL's information assets accessible by third parties.
Third Parties shall be required to secure their systems at a level consistent with
PMCL security requirements prior to connecting a Third Party System or network
to PMCL systems or networks. Also, PMCL shall reserve the right to immediately
terminate network connections with all Third Party Systems if PMCL believes the
Third Party is not meeting such requirements or if the Third Party systems
present a risk to PMCL Systems.
Third party related information security risks shall be identified and documented.
Subsequently, security mandates to address these risks shall be identified and
incorporated in the relevant agreement to ensure that there is no
misunderstanding between PMCL and the supplier regarding both parties'
obligations to fulfil relevant information security requirements.
PMCL should consider incorporating the following terms, where appropriate, for
inclusion in the agreements in order to satisfy the identified information security
requirements:
right to audit the supplier processes and controls related to the agreement
Note: Any contractual obligations with the external parties / service providers
must be routed through the ISG team. The ISG team will conduct a thorough
evaluation of the third party's / service provider's capabilities against a formal
Third Party Agreement Security Requirements Checklist in order to ensure their
adherence to PMCL's information security requirements.
Third party agreements shall clearly include the information security mandates
associated with information technology security risks in the whole Information
and Communication Technology services and product supply chain (e.g., product
or service acquisition and any Third Party supplier services that have been further
subcontracted to other Third Party suppliers).
Services and products delivered by the third party shall be monitored and
evaluated to ensure they are delivered in accordance with the information
security mandates articulated in the agreement. Frequency of the monitoring
shall be appropriate to the contract duration and type of service, but should be
conducted on a periodic basis (at least once in a year). This should involve
defining a service management relationship process between PMCL and the
supplier to:
4.12.
The purpose of this Policy is to ensure information security events and weaknesses
associated with information systems are managed in a timely manner.
4.12.1. Management of Information Security Incidents and Improvements
according to the
Employees and Third Parties using PMCL's information systems and services
during their normal course of business use (e.g., excluding technical security
testing) shall be required to note and report any observed or suspected
information security weaknesses in systems or services as quickly as possible to
facilitate a timely response process to either PMCL ISG Team. Users should not
try to prove or test an observed or suspected security weakness.
The response to information security incidents shall only be done according to the
Information Security Incident Management Procedure.
4.13.
The purpose of this Policy is to define the organizational direction regarding embedding
information security continuity within PMCL's business continuity management
system.
PMCL should determine their requirements for information security and the
continuity of information security management in adverse situations, e.g. during
a crisis or disaster.
4.13.2. Redundancies
4.13.2.1. Availability of Information Processing Facilities
4.14.
Compliance
The purpose of this Policy is to define the organizational direction to ensure compliance
with Information Security Management System requirements in order to avoid breaches
of legal, statutory, regulatory or contractual obligations related to information security.
Information stored on PMCL Assets shall remain the property of PMCL and all
PMCL users are bound by the information security policies.
PMCL users & service providers shall report all the instances of actual or
suspected copyright infringement to PMCL ISG team.
Proof and evidence of ownership of software licenses for all PMCL software shall
be maintained.
Reviews to ensure that only authorized software and licensed products are
installed shall be carried out on a periodic basis.
Records should be maintained in accordance with the law. PMCL should also
consider implementing Data Leakage Prevention (DLP) or Digital Archiving
Solution (DAS) for protection of sensitive records.
The PMCL Technology Compliance officer shall be responsible for monitoring the
compliance against the information security policy, manual, procedures, and
related documentation.
Review the corrective action taken to verify its effectiveness and identify
any deficiencies or weaknesses.
assessments should be well planned,
5. Appendices
Appendix 1: Portable Device / Bring Your Own Device Standard
Device Control
Users of mobile / personal devices need to agree to the terms and conditions
within the Acceptable Usage Policy. (BYOD related terms and conditions are
included within the Acceptable Usage Policy.)
Users shall not own any PMCL data stored or communicated on / from their
device
PMCL shall have access to other information on the device including device
hardware details, operating system and other installed applications on the device.
PMCL corporate data pushed to the device shall be removed if and when deemed
necessary. Applications that are determined to be a security risk to the organization
shall be removed from the device.
PMCL shall not be responsible for the backup or recovery of data on any personal
device. The responsibility for any personal data stored on the personal device
remains with the device owner.
Support
PMCL shall use a best effort support model for all devices providing reasonable
remote assistance to PMCL staff through the following:
o
Smartphones
Tablets
with
following
Security
Physical security of the personal device shall be the responsibility of the device
owner.
The device owner shall immediately report the loss, theft or damage of the device to the ESS
(Ph: 4848, Email: IT-CSREGIONALTEAM@mobilink.net.pk) and where appropriate, to the
police. If deemed necessary and if it contains sensitive PMCL information, the user's device
may be remotely wiped.
If the personal device is subsequently found, the device owner must immediately
notify those parties originally advised of the loss or theft.
Emergency destruction / locking plan / remote wipe shall be performed for lost /
stolen devices if devices contained PMCL confidential / sensitive information.
Recording from personal devices shall not be allowed into high risk areas,
including but not limited to, data centres, sites of Mobile Switching Centres (MSC)
etc., without prior approval of the onsite physical security team.
Device owners and ESS shall ensure that all PMCL data is permanently removed
from devices prior to leaving the organisation.
Device owners should ensure that devices are updated regularly and should
update applications and operating systems to the latest approved updates and
security patches.
Device owners must agree to be responsible for the use of the device, and to not
allow others to use it without direct supervision.
Jailbroken iOS or rooted Android devices shall not be permitted to connect to
PMCL network or services.
While PMCL will take every precaution to prevent the employee's personal data
from being lost, it is the employee's responsibility to take additional
precautions against any such unfortunate event, such as backing up
personal data. Device owners shall use only PMCL facilities to back up official data
and not any external service provided by a third party.
PMCL shall reserve the right to perform remote wipe of PMCL data in case of theft
or loss, when access is no longer authorized, the user changes roles, or is no
longer employed, where deemed necessary.
The device owner shall be personally liable for all costs associated with his or her
device.
The device owner shall be required to use his or her devices in an ethical manner
at all times and adhere to PMCL's Acceptable Usage Policy.
Users shall take due care to protect PMCL's information systems and resources
from unauthorized access, tampering and / or accidental damage.
Each user of PMCL shall be allocated a limited server usage space for their
business related data. The data / information contained within such user folders
are under the custody of the respective users. However, users shall not store
unauthorized content in such folders.
Users shall not use PMCL systems or networks to access unauthorized systems,
networks and / or services.
Users shall not install any software or applications that are not included within the
PMCL Authorized Software List, into desktops or laptops given by PMCL for
business purposes. Users are referred to Appendix 2 of this policy for a list of
software approved for use on PMCL information systems. This list will be updated
on a regular basis and forwarded to the individual users via e-mails.
Users with administrative rights shall not disable or by-pass any controls, such as
anti-virus software, proxy servers and / or firewalls, implemented to protect PMCL
network and / or information assets. Such by-pass shall be considered as an
information security violation and may lead to disciplinary actions according to HR
policies and procedures.
Information Usage
Users shall use, handle and treat all information in accordance with the
information asset management procedure.
Users shall be responsible for the security of any corporate information stored on
portable media in their possession. Protection of such portable media shall be
done according to the PMCL Information Security Policy. Users shall report the
loss of such portable media (containing corporate data) immediately to the ESS.
Users shall not transmit sensitive or confidential information, over the network,
without adequate protection controls (encryption, strong passwords etc.). If a
user needs assistance in communicating sensitive or confidential information, he
or she should contact the ESS.
Users need to appropriately protect, when not required, any information asset
classified as Internal Use or higher.
Users shall remove from the desk any documents classified as Internal Use or
higher and lock them in a drawer or file cabinet when the workstation is
unattended. Keys used to access these documents shall not be left at an
unattended work area.
E-mail Usage
Users allowed to access their email account from their personal devices shall
comply with the Portable Devices and Bring Your Own Device Policy included in
PMCL Information Security Policies Manual.
PMCL employees are encouraged to use email to further the goals and objectives
of PMCL as well as for fulfilling business and role-oriented tasks. PMCL employees
are therefore expected to check their email in a consistent and timely manner so
that they are aware of important company announcements and updates.
Email users are responsible for mailbox management, including organization and
cleaning.
Users shall not use PMCL provided email facilities to distribute material that
typically qualifies as unsolicited email, chain emails or scamming.
Users are not permitted to use any other user's email account without his/her
approval.
Users shall not open, execute or store emails and/or attachments received from
unknown or un-trusted sources as they may contain viruses, email bomb,
malicious codes etc. Users shall report the presence of such emails or
attachments to the ESS.
Users shall not provide their PMCL email address to mailing lists, blogs or forums,
or use it to subscribe to internet sites that are not related to PMCL, unless required for
business purposes.
Users shall add the organization's standard email signature templates in all e-mail
communications.
Portals Usage
Users shall not use the PMCL portal functionalities to deliberately propagate any
Virus, Worm, Trojan horse, or trap door program code.
Users are not permitted to use any other user's portal account.
Users shall not store documents received from unknown or un-trusted sources,
and shall report the presence of such documents to the ESS.
Portal access shall be terminated when the employee or third party terminates
their association with PMCL.
Internet Usage
Users must use PMCL Internet services appropriately, responsibly and ethically.
The Internet access shall not be used in a way that violates PMCL policies, rules
or administrative orders.
Users shall only use PMCL Internet services for business related activities. The
illegal or non-business use of such services is not permitted.
Users shall not use PMCL Internet services for viewing or downloading
inappropriate material (offensive, sexual images, jokes and comments, or any
other comments that are reasonably expected to offend someone based on their
physical or mental disability, age, religion, marital status, national origin).
Access to websites containing the following type of content is prohibited and shall
be blocked:
o Gambling
o Hacking
o Spam
o Spyware, and
o Offensive content
The PMCL IT team shall block access to Internet websites and protocols that are
deemed inappropriate for PMCL's corporate environment. If a site is incorrectly
categorized, employees may request the site to be un-blocked by contacting the
ESS.
Following the review of the request by the ISG team, the site may be unblocked if
it is deemed to be incorrectly categorized.
Users should not download any documents or images not related to PMCL
business.
Users with administrative rights shall not alter or attempt to alter their internet
access settings and/or configurations.
Users shall carefully read all security alerts presented by their Internet web
browser. If the user is unable to understand or is uncertain about the security
alerts, he/she should contact the ESS prior to proceeding with web browsing.
Remote Access
Any remote connection that is configured to access PMCL resources must adhere
to PMCL information security policies manual.
All remote computer equipment and devices used for business activity, whether
personal or PMCL-owned, must be compliant with PMCL Information Security
policy and related documentation.
It is the responsibility of all PMCL users with remote access privileges to ensure
that their remote access connection remains as secure as possible and not to
connect to other networks during business operations.
Password Usage
Users are reminded that they are personally responsible for all events that occur
under their logon accounts. Therefore, users are responsible for keeping their
passwords confidential.
Users shall not store passwords on the computer screen or under the computer or
in any other accessible location.
Printer Usage
Avoid printing email messages. Instead use the folders and archiving functionality
in the email application to organize and view messages.
where
Physical Security
Employees must use only their own card to access PMCL's premises. Sharing of
cards is not permitted.
Exit doors are provided for emergency use only. These shall not be used for
regular access.
Unacceptable Use
Users shall not use PMCL provided systems, services and facilities for illegal or
unlawful purposes, including, but not limited to copyright infringement, obscenity,
libel, slander, fraud, defamation, plagiarism, harassment, intimidation, forgery,
impersonation, illegal gambling, soliciting for illegal pyramid schemes, and
computer tampering (e.g. spreading computer viruses).
Systems and services used/provided by PMCL are the property of PMCL. This
gives PMCL the right to monitor all activities performed using these resources.
Users shall maintain continued compliance with all PMCL policies and related
documentation while using PMCL systems, facilities and/or services.
If PMCL discovers or has good reason to suspect activities that do not comply
with applicable laws or policy, activity logs or records may be retrieved and
used/presented as evidence for disciplinary action against the involved user.
Disclaimer
PMCL assumes no liability for direct and/or indirect damages arising from users'
use of PMCL systems and/or services.
Enforcement
Any identified violation of these policies shall lead to disciplinary actions in-line
with the PMCL HR disciplinary process.
Sub product
Microsoft Office
All flavors
Microsoft Windows
All flavors
License agreement
WinZip version 8
Microsoft IE 10 or higher
Internet browser
McAfee Anti-virus software
Special software, i.e. software not in general use by all Business units:
Name
Adobe Acrobat reader v8
Exchange Server
Microsoft Project
License Agreement
Exceptions
Type
.torrent
None
LOIC wildcard
None
emule.exe | None | P2P
morpheus.exe | None | P2P
iMesh.exe | None | P2P
napster.exe | None | P2P
bearshare.exe | None | P2P
limewire.exe | None | P2P
grokster.exe | None | P2P
bittorrent.exe | None | P2P
dokeyip.exe | None | P2P
kazaa.exe | None | P2P
utorrent.exe | None | P2P
bitcomet.exe | None | P2P
azureus.exe | None | P2P
bitlord.exe | None | P2P
ares.exe | None | P2P
dc++.exe | None | P2P
abc.exe | None | P2P
sahreaza.exe | None | P2P
pando.exe | None | P2P
tor.exe | None | Proxy
loic.exe | None | Hacking Tool
None
Proxy
TeamViewer.exe | None | Remote Access
Winamp.exe | None | Multimedia
Jpg or jpeg
Graphics
Gif
Graphics
UltraSurf.exe
Exceptions
Type
Bitmap (Bmp)
Graphics
Graphics documentation
Http, Asp
Web documents
Png
Graphics
Mp3 or mpeg
Avi
Programming
All
None
All
None
All
Mid
Snd
Word (doc)
Word processing
Excel (xls)
Spreadsheet
Zip (zip)
Compression
Powerpoint (ppt)
Presentation
Access (mdb)
Database
Screensavers,
not.
licensed
or
Exceptions
Type
Text
Internet browsers
Microsoft IE7, Google Chrome, Mozilla Firefox
Web
Hacking software, documentations or tools
No execution of tools/software on the PMCL network.
All
Network/computer probing or sniffing software
All
None
All
None
All
All
As explicitly allowed in
some offices with adequate
PMCL-guided security
All
IT
Internet/Intranet
services to PMCL
FTP
FTP
Encryption software
None
All
Reverse engineering software
None
All
None
All
None
All
Virus building software, documentation or tools
None
All
Settings
Password
Password Complexity
8 Characters
Do not contain the User's ID, the User's first and/or last
name, a close relative's name, or a famous person's
name. For example, mahmad would not be used as a
password for Muhammad Ahmad
60 days
Minimum age interval between changes (re-use)
1 day
Minimum history
23 remembered
Initial passwords
Minimum Security Baseline for Active Directory
Settings
30 minutes
The lifetime of the key shall be determined primarily by the application, the
information and the infrastructure it is used in. Keys shall be immediately revoked
and replaced if they have been or are suspected of being compromised.
Where Hardware Security Modules (HSMs) are used, they shall be certified to at
least FIPS 140-2 Level 2 [FIPS-140-2] or Common Criteria [CC3.1] EAL4.
Cryptographic keys shall only be physically moved in HSMs meeting the above
criteria.
Key Generation
Key Usage
Key Compromise
References
Approved Use
AES
Advanced Encryption Standard block cipher based on the Rijndael algorithm [AES]
TDES /3DES
Triple Data Encryption Standard (or Triple DES) block cipher [SP800-67]
General Data Encryption
General Data Encryption
Required Key Length
256-bit keys
Note: AES should be used unless this is not technically possible. TDES usage should be
limited to systems not supporting AES.
References
RSA
Rivest-Shamir-Adleman algorithm for public key cryptography [RSA]
DSA
Digital Signature Algorithm [FIP186-2]
Approved Use
Digital Signatures,
Transport of encryption
General Data Encryption
Required Key Length
2048-bit keys
2048-bit keys