
Pakistan Mobile Communications Limited (PMCL)

Information Security Management System Policy Manual

PMCL Information Security Governance (ISG)

Document Code: PMCL-ISP-ISMS Policy Manual

Rev 00

Table of Contents
1. INTRODUCTION AND PURPOSE
2. SCOPE
3. TERMS AND ABBREVIATIONS
4. POLICIES MAPPING WITH ISO CONTROLS
4.1. INFORMATION SECURITY GOVERNANCE
4.2. ORGANIZATION OF INFORMATION SECURITY
4.3. HUMAN RESOURCE SECURITY
4.4. ASSET MANAGEMENT
4.5. ACCESS CONTROL
4.6. CRYPTOGRAPHY
4.7. PHYSICAL AND ENVIRONMENTAL SECURITY
4.8. OPERATIONS SECURITY
4.9. COMMUNICATIONS SECURITY
4.10. SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
4.11. SUPPLIER RELATIONSHIPS
4.12. INFORMATION SECURITY INCIDENT MANAGEMENT
4.13. INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
4.14. COMPLIANCE
5. APPENDICES


Authors and Reviewers

Version | Date | Author | Reviewer | Comments
1.0 | | Information Security Governance (ISG) Team | 1. Head IS, Strategy & Governance. 2. Legal Department. | First Version

Approvers

Version | Approver | Division
1.0 | Chief Executive Officer |
1.0 | Chief Technology Officer | Technology
1.0 | Chief Human Resource Officer | Human Resource
1.0 | Chief Legal Officer (CLO) | Legal
1.0 | Chief Financial Officer (CFO) | Finance
1.0 | Chief Regulatory & Corporate Affairs Officer | Regulatory & Corporate Affairs

Distribution List

S. No. | Name | Purpose | Date
1 | All Employees & PMCL Users | Adherence and Compliance. |
2 | | |
3 | | |
4 | | |
5 | | |
6 | | |
7 | | |


1. Introduction and Purpose

Pakistan Mobile Communications Limited (PMCL), also known as Mobilink, is a leading
telecommunications service provider in Pakistan and a subsidiary of VimpelCom Ltd.
Through a comprehensive set of information security control objectives and policy
statements, this manual explains how ISO 27001 applies within PMCL. The purpose of
this Policy is to outline the responsibilities of PMCL to ensure its information assets are
sufficiently protected against misuse and harm by PMCL's users and its candidates for
employment.

2. Scope
The scope of this document covers a set of directives required to be in place to support
the implementation of information security in accordance with ISO 27001:2013 standard
and business requirement to achieve PMCL goals for the protection and management of
PMCL information assets.
All Users including employees of PMCL, contractors and authorised guests (i.e., staff,
temporary staff, third-party contractors, affiliates and guests, etc.) shall comply with
these directives and follow the appropriate and relevant procedures envisaged under or
pursuant to this Policy Manual.

3. Terms and Abbreviations


In this Policy Manual, unless there is anything repugnant in the subject or context, the
following terms and definitions shall have the below meaning assigned to them,
however, in case of conflict or inconsistency, the definitions provided in ISO/IEC
27000:2014 (E) shall prevail:

Active Directory (AD) / Windows Domain: means a part of Active Platform
based on Microsoft Technology that enables applications to find, use, and manage
directory resources (such as user names, network printers, and permissions) in a
distributed computing environment.

Admin / Super User: means relevant Users within the IT department with
unlimited access or extensive access rights in the application, on database level
and/or operating system level.

Air-gapped: means a network security measure employed on one or more
computers to ensure that a secure computer network is physically isolated from
insecure networks.

Asset / Risk Owner: are generally heads of departments, sections, groups or
individuals whose work is most affected by the Asset(s) required to provide their
services, and are perceived by the PMCL as the ultimate decision makers when it
comes to the management of the Asset(s).


Asset Custodian: are individuals / third party entity in physical or logical
possession of PMCL information or information asset. These Asset Custodians are
also required to implement, operate, and maintain the security measures defined
by information asset owners.

Asset: includes anything that has value to the PMCL.

Availability: means information being accessible and usable upon demand by an
authorized entity.

Backup: includes a copy of a file or directory on a separate storage media.

Black box testing: means a method of software testing that examines the
functionality of an application without peering into its internal structures or
workings.

CEO: Chief Executive Officer.

Change Management: includes Process of controlling changes to the
infrastructure or any aspect of services in a controlled manner.

Confidentiality: means the safety, secrecy, protection and non-disclosure of
information and information assets against unintended or unauthorized access to
the standards and directions provided in this Policy.

Cryptography: is a method of storing and transmitting data in a particular form
that only those for whom it is intended can read and process it.

CTO: Chief Technology Officer.

Data: includes any Information stored or processed by any information system.

Domain Name System (DNS): means a hierarchical decentralized naming
system for computers, services, or any resource connected to the Internet or a
private network.

Firewalled segment: refers to the portion of the network protected by a
firewall.

FTP: means File Transfer Protocol which is a standard network protocol used to
transfer computer files between a client and server on a computer network.

FTPS: means an extension to the commonly used File Transfer Protocol (FTP)
that adds support for the Transport Layer Security (TLS) and the Secure Sockets
Layer (SSL) cryptographic protocols.

GCSC: means Group Cyber Security Center.

HR Department: means Human Resources Department.

HSSE: means Health Safety Security & Environment.

HTTP: means an application protocol for distributed, collaborative, hypermedia
information systems.

HTTPS: means a protocol for secure communication over a computer network
which is widely used on the Internet.

IDS: means an Intrusion Detection System which is a device or a software
application that monitors a network or a system for malicious activity or policy
violations.

Information Asset: means a piece of information or data, regardless of the
format, that has value to PMCL.

Information Security (IS): includes Protection of information from a wide
range of threats in order to ensure business continuity, minimize business risk
and maximize return on investments and business opportunities.

Information Security Event: means an identified occurrence of a system,
service or network state indicating a possible breach of information security policy
or failure of safeguards, or a previously unknown situation that may be relevant
to security.

Information Security Governance (ISG) Team: means a group of employees
in PMCL who are responsible for the establishment, implementation, operation,
monitoring, review, maintenance and improvement of the ISMS for the defined
scope and boundaries.

Information Security Incident: is a single or a series of unwanted or
unexpected information security events that have a significant probability of
compromising business operations and threatening information security.

Information Security Leadership (ISL): means a group of employees in PMCL
who are responsible for providing oversight to the information security activities
at the organization level and ensuring that overall PMCL Information Security
plans and objectives are met.

Information Security Management System (ISMS) Coordinators: means a
group of employees in PMCL who are responsible for monitoring compliance with
ISMS Policies and Procedures within their respective operational units.

Information Security Management System (ISMS): means a set of policies
and processes established by management to assess the security requirements,
develop and implement controls, evaluate effectiveness of controls and
implement improvements through a continual improvement process.

Integrity: means accuracy and completeness of information.

Intellectual Property Rights (IPR): means protections granted to the creators
of IP, and include trademarks, copyright, patents, industrial design rights, and in
some jurisdictions trade secrets.

Interested Party / Stakeholder: means such person(s) or organization(s) that
can affect, be affected by, or perceive themselves to be affected by a decision or
activity.


iOS jailbreaking: is the removal of software restrictions imposed by iOS, Apple's
operating system, on devices running it through the use of software exploits.

IPS: means an Intrusion Prevention System which is a network security threat
prevention technology that examines the network flow to detect and prevent
vulnerability exploits.

ISO: means International Organization for Standardization.

IS Manager: means an employee at a managerial position responsible for
managing Information Security of an organization.

Enterprise Support & Services (ESS): Looks after Nationwide IT Helpdesk
Support including End User Computing, IT Tier 2 Support, Unified Communication
[VC] and Enterprise Security Operations & Planning.

LDAP: means Lightweight Directory Access Protocol (LDAP) which is a software
protocol for enabling anyone to locate organizations, individuals, and other
resources such as files and devices in a network, whether on the public Internet
or on a corporate intranet.

Local Laws: Laws applicable within Pakistan.

Malicious Activities: Any activity specifically intended to cause harm to an
organization or its computing resources.

NDA: means Non-Disclosure Agreement.

NOC AMT: means a Network Operations Center Access Management Team, a
centralized group within PMCL responsible for managing Access Management over
information Asset(s).

Outlook Web Access (OWA): means establishing access to Microsoft Exchange
Server mailbox from almost any web browser.

Password: means secret words, letters, numbers, symbols, characters, phrase
or any combination thereof in electronic form that must be used to gain
access/admission to the system.

Penetration testing: means the practice of testing a computer system, network
or Web application to find vulnerabilities that an attacker could exploit.

PMCL Users: Are users with access to PMCL information and information
processing environment categorized into the following user groups:
o Permanent / Contractual Staff
o Trainees / Interns
o Vendors / Third-party Service Providers
o Guests

PMCL: means Pakistan Mobile Communications Limited.

Policy: Intentions and direction of PMCL as formally expressed by its Top
Management pursuant to this ISMS Policy Manual or relating to or for the
purposes of Information Security Management Systems.


Procedure: means specified and prescribed way to carry out an activity or
process.

Public networks: means a type of network wherein anyone, namely the general
public, has access and through it can connect to other networks or the Internet.

Root Cause Analysis: is a method of problem solving that tries to identify the
root causes of faults or problems. A root cause is a cause that once removed from
the problem fault sequence, prevents the final undesirable event from recurring.

Recovery: means retrieval of data/operations/services/information/Asset(s) in
case of disruption.

Risk Assessment: means overall process of risk identification, risk analysis and
risk evaluation.

Risk: means effect of uncertainty on objectives.

S/MIME: means Secure/Multipurpose Internet Mail Extensions, which is a standard for
public key encryption and signing of MIME data.

Secure Shell (SSH): means a cryptographic network protocol for operating
network services securely over an unsecured network.

Service Level Agreement (SLA): means a part of a contract/agreement
wherein the service provider specifies in measurable terms, what services will be
furnished at the given KPIs and for achieving objectives smoothly.

SFTP: means SSH File Transfer Protocol, or Secure File Transfer Protocol which is
a separate protocol packaged with SSH that works in a similar way over a secure
connection.

SLT: means Senior Leadership Team constituted for the purpose of this Policy.

SOC: means Security Operations Center.

Stakeholder: means a Person(s) or organization(s) that can affect, be affected
by, or perceive themselves to be affected by a decision or activity.

Static code analysis: means a method of computer program debugging that is
done by examining the code without executing the program.

Supplier / Third-party: means a person(s), firm or body that is recognized as
being independent from PMCL and is providing services to the PMCL under an
agreement/arrangement. Examples include service providers, maintenance
agencies, consultants, technology partners and trainees.

Teleworking: means a work arrangement in which employees do not commute
to a central place of work.

Telnet: means a user command and an underlying TCP/IP protocol for accessing
remote computers.

Third party code review: means a software source code review performed by
an independent expert.


Threat: means a potential cause of an unwanted incident, which may result in
harm to an IT/computing system, Asset or organization.

TIA-942: means the Telecommunications Industry Association (TIA) ANSI/TIA-942-A
Telecommunications Infrastructure Standard for Data Centers which is an
American National Standard (ANS) that specifies the minimum requirements for
telecommunications infrastructure of data centers and computer rooms including
single tenant enterprise data centers and multi-tenant Internet hosting data
centers.

Transport Layer Security (TLS): means TLS and its predecessor, Secure
Sockets Layer (SSL), both of which are frequently referred to as "SSL", are
cryptographic protocols that provide communications security over a computer
network.

Top Management: refers to the PMCL Information Security Leadership team.

UPS: means an uninterruptible power supply, also uninterruptible power source,
UPS or battery/flywheel backup which is an electrical apparatus that provides
emergency power to a load when the input power source or mains power fails.

User Account: A user is a person who uses a computer or Internet service. A
user may have a user account that identifies the user by a username (also user
name), screen name (also screen name).

Virtualization: means the creation of a virtual (rather than actual) version of
something, such as an operating system, a server, a storage device or network
resources.

VLAN: A virtual LAN (VLAN) is any broadcast domain that is partitioned and
isolated in a computer network at the data link layer (OSI layer 2).

Vulnerability: means a weakness in a computing system that can result in
harm to the system or its operations, especially when this weakness is exploited
by a hostile person or organization or when it is present in conjunction with
particular events or circumstances.

Vulnerability Analysis: Also known as vulnerability assessment which means a
process that defines, identifies, and classifies the security holes (vulnerabilities)
in a computer, network, or communications infrastructure.

Wireless networks: means computer networks that do not need to be
connected by cables of any kind to function.


4. Policies Mapping with ISO Controls

Policy: Organization of Information Security
Controls:
A.6.1.1, ISO 27001 Information Security Roles and Responsibilities
A.6.1.2, ISO 27001 Segregation of Duties
A.6.1.3, ISO 27001 Contact with Authorities
A.6.1.4, ISO 27001 Contact with Special Interest Groups
A.6.1.5, ISO 27001 Information Security in Project Management
A.6.2.1, ISO 27001 Mobile Device Policy
A.6.2.2, ISO 27001 Teleworking

Policy: Human Resource Security
Controls:
A.7.1.1, ISO 27001 Screening
A.7.1.2, ISO 27001 Terms and Conditions of Employment
A.7.2.1, ISO 27001 Management Responsibilities
A.7.2.2, ISO 27001 Information Security Awareness, Education and Training
A.7.2.3, ISO 27001 Disciplinary Process
A.7.3.1, ISO 27001 Termination or Change of Employment Responsibilities

Policy: Asset Management
Controls:
A.8.1.1, ISO 27001 Inventory of Assets
A.8.1.2, ISO 27001 Ownership of Assets
A.8.1.3, ISO 27001 Acceptable Use of Assets
A.8.1.4, ISO 27001 Return of Assets
A.8.2.1, ISO 27001 Classification of Information
A.8.2.2, ISO 27001 Labelling of Information
A.8.2.3, ISO 27001 Handling of Assets
A.8.3.1, ISO 27001 Management of Removable Media
A.8.3.2, ISO 27001 Disposal of Media
A.8.3.3, ISO 27001 Physical Media Transfer

Policy: Access Control
Controls:
A.9.1.1, ISO 27001 Access Control Policy
A.9.1.2, ISO 27001 Access to Networks and Network Services
A.9.2.1, ISO 27001 User Registration and De-Registration
A.9.2.2, ISO 27001 User Access Provisioning


A.9.2.3, ISO 27001 Management of Privileged Access Rights
A.9.2.4, ISO 27001 Management of Secret Authentication Information of Users
A.9.2.5, ISO 27001 Review of User Access Rights
A.9.2.6, ISO 27001 Removal or Adjustment of Access Rights
A.9.3.1, ISO 27001 Use of Secret Authentication Information
A.9.4.1, ISO 27001 Information Access Restriction
A.9.4.2, ISO 27001 Secure Log-On Procedures
A.9.4.3, ISO 27001 Password Management System
A.9.4.4, ISO 27001 Use of Privileged Utility Programs
A.9.4.5, ISO 27001 Access Control to Program Source Code

Policy: Cryptography
Controls:
A.10.1.1, ISO 27001 Policy On the Use of Cryptographic Controls
A.10.1.2, ISO 27001 Key Management

Policy: Physical and Environmental Security
Controls:
A.11.1.1, ISO 27001 Physical Security Perimeter
A.11.1.2, ISO 27001 Physical Entry Controls
A.11.1.3, ISO 27001 Securing Offices, Rooms and facilities
A.11.1.4, ISO 27001 Protecting Against External and Environmental Threats
A.11.1.5, ISO 27001 Working in Secure Areas
A.11.1.6, ISO 27001 Delivery and Loading Areas
A.11.2.1, ISO 27001 Equipment Siting and Protection
A.11.2.2, ISO 27001 Supporting Utilities
A.11.2.3, ISO 27001 Cabling Security
A.11.2.4, ISO 27001 Equipment Maintenance
A.11.2.5, ISO 27001 Removal of Assets
A.11.2.6, ISO 27001 Security of Equipment and Assets Off-Premises
A.11.2.7, ISO 27001 Secure Disposal or Re-Use of Equipment
A.11.2.8, ISO 27001 Unattended User Equipment
A.11.2.9, ISO 27001 Clear Desk and Clear Screen Policy

Policy: Operations Security
Controls:
A.12.1.1, ISO 27001 Documented Operating Procedures
A.12.1.2, ISO 27001 Change Management


A.12.1.3, ISO 27001 Capacity Management
A.12.1.4, ISO 27001 Separation of Development, Testing and Operational Environments
A.12.2.1, ISO 27001 Controls Against Malware
A.12.3.1, ISO 27001 Information Backup
A.12.4.1, ISO 27001 Event Logging
A.12.4.2, ISO 27001 Protection of Log Information
A.12.4.3, ISO 27001 Administrator and Operator Logs
A.12.4.4, ISO 27001 Clock Synchronization
A.12.5.1, ISO 27001 Installation of Software On Operational Systems
A.12.6.1, ISO 27001 Management of Technical Vulnerabilities
A.12.6.2, ISO 27001 Restrictions On Software Installation
A.12.7.1, ISO 27001 Information Systems Audit Controls

Policy: Communications Security
Controls:
A.13.1.1, ISO 27001 Network Controls
A.13.1.2, ISO 27001 Security of Network Services
A.13.1.3, ISO 27001 Segregation in Networks
A.13.2.1, ISO 27001 Information Transfer Policies and Procedures
A.13.2.2, ISO 27001 Agreements on Information Transfer
A.13.2.3, ISO 27001 Electronic Messaging
A.13.2.4, ISO 27001 Confidentiality or Non-Disclosure Agreements

Policy: System Acquisition, Development and Maintenance
Controls:
A.14.1.1, ISO 27001 Information Security Requirements Analysis and Specification
A.14.1.2, ISO 27001 Securing Application Services On Public Networks
A.14.1.3, ISO 27001 Protecting Application Services Transactions
A.14.2.1, ISO 27001 Secure Development Policy
A.14.2.2, ISO 27001 System Change Control Procedures
A.14.2.3, ISO 27001 Technical Review of Applications After Operating Platform Changes
A.14.2.4, ISO 27001 Restrictions On Changes to Software Packages
A.14.2.5, ISO 27001 Secure System Engineering Principles


A.14.2.6, ISO 27001 Secure Development Environment
A.14.2.7, ISO 27001 Outsourced Development
A.14.2.8, ISO 27001 System Security Testing
A.14.2.9, ISO 27001 System Acceptance Testing
A.14.3.1, ISO 27001 Protection of Test Data

Policy: Supplier Relationship
Controls:
A.15.1.1, ISO 27001 Information Security Policy for Supplier Relationships
A.15.1.2, ISO 27001 Addressing Security Within Supplier Agreements
A.15.1.3, ISO 27001 Information and Communication Technology Supply Chain
A.15.2.1, ISO 27001 Monitoring and Review of Supplier Services
A.15.2.2, ISO 27001 Managing Changes to Supplier Services

Policy: Information Security Incident Management
Controls:
A.16.1.1, ISO 27001 Responsibilities and Procedures
A.16.1.2, ISO 27001 Reporting Information Security Events
A.16.1.3, ISO 27001 Reporting Information Security Weaknesses
A.16.1.4, ISO 27001 Assessment of and Decision On Information Security Events
A.16.1.5, ISO 27001 Response to Information Security Incidents
A.16.1.6, ISO 27001 Learning from Information Security Incidents
A.16.1.7, ISO 27001 Collection of Evidence

Policy: Information Security Aspects of Business Continuity Management
Controls:
A.17.1.1, ISO 27001 Planning Information Security Continuity
A.17.1.2, ISO 27001 Implementing Information Security Continuity
A.17.1.3, ISO 27001 Verify, Review and Evaluate Information Security Continuity
A.17.2.1, ISO 27001 Availability of Information Processing Facilities

Policy: Compliance
Controls:
A.18.1.1, ISO 27001 Identification of Applicable Legislation and Contractual Requirements
A.18.1.2, ISO 27001 Intellectual Property Rights


A.18.1.3, ISO 27001 Protection of Records
A.18.1.4, ISO 27001 Privacy and Protection of Personally Identifiable Information
A.18.1.5, ISO 27001 Regulation of Cryptographic Controls
A.18.2.1, ISO 27001 Independent Review of Information Security
A.18.2.2, ISO 27001 Compliance with Security Policies and Standards
A.18.2.3, ISO 27001 Technical Compliance Review


4.1. Information Security Governance


4.1.1. PMCL Information Security Organizational Structure

The policies relating to ISMS are owned by the PMCL and the ISMS governance model
and organization thereof within PMCL is grouped into strategic, tactical and operational
levels of implementation, highlighting the individual roles and responsibilities and the
reporting structure within the Information Security domain.

The PMCL Chief Executive Officer (CEO) is overall responsible for the direction and
implementation of the ISMS in PMCL whereas this responsibility is further delegated to
Chief Technology Officer (CTO) for the purpose of performance of functions relating to
ISMS including supporting, coordinating and monitoring implementation of PMCL ISMS,
for providing further guidance and for regularly reviewing and updating whenever it is
required or circumstances so warrant.

The organizational function and structure of PMCL is depicted in the diagram below:

[Figure: PMCL Information Security / Cyber Security Organization. Strategic Level
(PMCL InfoSec Leadership): Chief Executive Officer (CEO), Chief Technology Officer
(CTO). Tactical Level: Information Security Group (ISG) Head, Manager Information
Security. Operational Level (Security Operations Center (SOC)): IS Tactical /
Operational Team, Information Security / Cyber Security Coordinator(s).]


4.1.2. Roles, Responsibilities and Authorities


The information security organization will be active at three different levels as detailed
below:

Strategic level: This will be led by PMCL CTO, under the guidance of PMCL CEO, Group
Chief Technology Officer and Global Cybersecurity Center (GCSC), and will be supported
by the PMCL Information Security Group (ISG) Head. These members of top
management shall establish leadership and commitment towards information security by
being part of this organization structure.

Tactical level: This will be represented by PMCL Information Security Group (ISG)
Head, who will be assisted by Information Security Manager and shall be responsible for
defining, implementing and maintaining PMCL's information security policies and
procedures under ISMS.

Operational level: The ISG Head is responsible for the IS state of the PMCL Security
Operations Centre (SOC). The operational IS management is based on the IS
requirements / definitions from the ISG Head.

SOC is responsible for monitoring and management of information security risks at an
operational level. It performs on-going monitoring of information security related events
and acts according to risk and relevance.

PMCL SOC is represented by:

PMCL ISMS Operational Team

PMCL ISMS Coordinators

The following information outlines the primary roles and responsibilities of various PMCL
employees, departments, and workgroups (i.e., committees), only as they pertain to the
ISMS.

4.1.2.1. Board of Directors

Board of Directors responsibilities include, but are not limited to:
a. Provide executive level strategy and guidance to PMCL senior leadership.
b. Review and approve information security policy(ies), as needed.

4.1.2.2. Senior Leadership Team (SLT)

The Information Security (IS) SLT headed by the PMCL CEO and assisted by the CTO,
leading the PMCL's ISMS, shall bear the overall responsibility to direct and drive the
PMCL's IS vision, business goals and objectives, and in collaboration with the ISG Head
set the strategic direction for Information Security.

The key responsibilities of the PMCL SLT include:

Take primary responsibility of PMCL's overall Information Security Management
program.

Set the strategic direction for information security by establishing goals for PMCL
information security management program.


Approve key information security projects and initiatives in a timely manner.

Review the performance and effectiveness of the information security program.

Establish appropriate accountability for information security and provide support
and oversight for the program.

Provide executive level strategy and guidance to the ISMS and other information
security stakeholders, as needed.

Approve budgeting for information security operations and projects.

Assist in the reporting and notification requirements related to security
incidents/breaches, as needed.

Review the ISMS policies and procedure and propose amendments, if required,
for seeking approval from the Board of Directors.

4.1.2.3. The Information Security Group (ISG) Head:


The ISG Head is the central point of contact for matters of information security both
internally and externally. ISG Head responsibilities include, but are not limited to:
a. Support CTO information security responsibilities, as needed.
b. Establish and maintain information security governance (i.e., the ISMS).
c. Align security initiatives with PMCL's mission, vision and values.
d. Oversee activities of PMCL ISG to implement information security across various
functions.
e. Develop and implement information security policies, standards, procedures, and
other guidance that covers best practices as well as related laws and regulatory
requirements.
f. Develop documentation (e.g., policies, operating procedures, guidance) that are
responsive to any systematic gaps identified from on-going reviews or security
reports.
g. Enforce security policy and standards compliance.
h. Review PMCL information security policies and standards and submit for review to
the SLT.
i. Work with the CTO and Information Security Manager to approve risk acceptance
and Exceptions to Policy, as needed.
j. Establish and provide oversight to specific ISMS sub-programs (e.g., risk
assessment, incident response, security training) and other capabilities (e.g.,
data loss prevention [DLP] tool, governance, risk and compliance [GRC] tool) to
promote a strong information security posture across PMCL.
k. Manage security risk by analyzing assets, threats, vulnerabilities and exposures,
and recommend cost-effective countermeasures to reduce likelihood or impact of
adverse occurrences.
l. Oversee security assessments, and other activities related to risk management,
across PMCL.
m. Monitor security activities and oversee the application/implementation of specified
security standards.
n. Work with the Information Security manager and other employees to report,
respond to, and remediate security incidents.
o. Build relationships between and coordinate with various technology functions to
bolster support for security initiatives across PMCL.

p. Coordinate information security activities with Legal, Compliance Office, Internal
Audit, Project Management, outside law enforcement, and other parties, as
appropriate.
q. Provide information security reports to PMCL senior leadership (e.g., CTO, SLT,
Board of Directors), as needed.
4.1.2.4. The Information Security Manager (IS Manager):
The Information Security Manager is an active member of the ISMS and is heavily
involved in security documentation and implementation efforts. The IS Manager
responsibilities include, but are not limited to:
a. Support ISG Head information security responsibilities, as needed.
b. Develop, maintain, review/update security policies, standards, and other
documentation and make it available to appropriate audiences at least once in a
year.
c. Cooperate with PMCL business unit managers and staff across various functions
to promote compliance with security policy and standards.
d. Review Policy Exception Requests, provide recommendations, and if deemed
appropriate, facilitate the review and approval process with the ISG Head and
CTO.
e. Assist the ISG Head to establish, implement and maintain specific ISMS
sub-programs (e.g., risk assessment, incident response, security training) and other
capabilities (e.g., data loss prevention [DLP] tool, governance, risk and
compliance [GRC] tool) to promote a strong information security posture
throughout PMCL.
f. Develop and maintain security training and awareness program content. The IS
Manager will also work with Human Resources to help the program run smoothly
and to ensure that appropriate employees receive training and sign the appropriate
documents (e.g., Acceptable Use) acknowledging their responsibilities related to
information security.
g. Work with Human Resources to track and report the completion of security
training requirements.
h. Conduct information security assessments, analyze assessment results, document
corrective action plans, track remedial action, and report results to the ISG Head.
i. Coordinate with Legal, Compliance Office, Internal Audit, and Project
Management teams to ensure information security practices comply with
applicable laws, statutory regulations, and other requirements.
j. Maintain list of ISMS operational team members.
4.1.2.5. ISMS Operational Team:
The IS Tactical / Operational Team will be responsible for the following:

Support IS Manager information security responsibilities.

Collect, analyze and follow-up on information security events, metrics, incidents
and other information that are required to achieve information security
objectives.

Determine and manage the implementation of administrative, technical and
physical security controls as required to maintain confidentiality, integrity and
availability of information systems.

Follow up with third party service providers on all information security incidents
in a timely manner and report to IS Manager and/or ISG Head as required.

Perform or direct the performance of root cause analysis on key security events
and incidents reported.

Maintain the risk register and ensure that all threats and vulnerabilities reported
by internal audit, vulnerability assessment / penetration testing projects, Risk
Management department etc. are all followed and remediated in a timely manner.

Coordinate delivery of information security awareness and training programs to
personnel.

4.1.2.6. ISMS Coordinators:


Departments in PMCL, where deemed appropriate, will be represented by an IS
Coordinator who would be responsible to implement, monitor and report on the ISMS
based on the below responsibilities within their departments.
The IS Coordinators will:

Support IS Manager information security responsibilities, as needed.

Be the information security liaison staff within the department and communicate
to all personnel regarding information security updates / best practices as and
when required.

Be responsible for coordinating with the IS Operational Team and the IS Manager,
and reporting all high threats, risks, security events and incidents on an ongoing
and priority basis;

Identify, implement and incorporate appropriate security controls within the
respective department in consultation with the IS Manager;

Ensure that all contracts and Service Level Agreements established by the
department adequately factor in information security requirements;

Coordinate the delivery of information security awareness and training programs
to personnel within respective department;

Gather metrics and other information on the overall effectiveness of information
security controls within their oversight;

Report to IS Manager on the information security risks, activities and
improvements required within their respective department; and

Support in the investigation and remediation of information security incidents or
other policy violations and report to the IS Manager.

The ISMS Coordinators shall meet with the IS Manager and IS Operational Team on a
regular basis (at least once a month) or as needed, to discuss the ISMS maintenance,
implementation and continual improvement activities going on throughout PMCL.
The list of ISMS Coordinators shall be maintained by the IS Manager.
4.1.2.7. PMCL Business Unit-Level Information Security Management:
All managers including business unit heads are responsible to ensure the established IS
procedures are satisfied within their areas of responsibilities.
The PMCL HR must ensure that established IS procedures are included within the whole
employee life-cycle, e.g. new hires, changes in role and leavers.

4.1.2.8. PMCL Employees, Contractors and Third Parties (Users):


All employees and contractors are responsible for:
a. Performing the established IS procedures within their environment.
b. Reporting risks and violations and any activities which undermine supporting IS of
PMCL.
c. Familiarizing themselves with established IS procedures, their responsibilities and
liabilities.
d. Supporting PMCL security policy in the course of their normal work.

4.2. Organization of Information Security


The purpose of this policy is to outline the requirements in terms of information security
organizational structure along with relevant roles and responsibilities for establishing a
management framework to drive the implementation of information security within
PMCL.

4.2.1. Internal Organization


4.2.1.1 Information Security Roles and Responsibilities

Information security responsibilities related to ISG function shall be clearly
defined in the Information Security Governance.

Responsibilities for major security areas other than the ISG function are defined
in the table below:
Security Area

Information classification and handling

Designated Department
Asset / Risk Owners

Application security including password resets, identity management, user
provisioning and access controls, applications security etc.

Changes to the Information Assets

Security awareness and education, communications.

Human Resource Department

Personnel security: background checks, travel security, executive protection,
Employee separation, Security investigations.
Physical security: facility security, asset security.

Security Department

Third Party / Supplier Security

Contracts / Legal department

Compliance with Legal, Regulatory requirements pertaining to Information Security

Legal Affairs / Regulatory & Corporate Affairs

Technical compliance of information systems with information security policies

Technology Compliance function

Designated departments should have either experience and/or training in the
areas of security for which they are responsible.

4.2.1.2. Segregation of Duties

Adequate segregation of duties controls shall be maintained to reduce the risk of
intentional or unintentional Malicious Activities; where segregation of duties is not
practical, appropriate compensating controls shall be implemented.

The principles to identify conflicting duties should be applied as far as possible
and practicable across PMCL. Segregation of duties includes, at a minimum:

o Dividing conflicting business functions and information system / IT support
  functions among different individuals.
o Separating information system / IT support functions between different
  individuals (e.g., system management, programming, configuration
  management, quality assurance and testing, and network security).
o Separating access control administration functions (e.g., access requests,
  formal authorization, provisioning, delegating, revoking, and tracking)
  from any audit functions.
o Managing access permissions so no single person can access, modify or
  use assets without authorization or detection:
    - Role based access control
    - Proper authentication
    - Adequate audit logging to check for circumvention of the segregation
o Use strict change control of software and data changes requiring separate
  persons to perform the following roles:
    - Change request
    - Authorization and approval
    - Design and development for the change
    - Testing and review
    - Implementation in production

Where it is not practical, or where it is difficult to apply segregation of duties,
other controls such as monitoring of activities, audit trails and management
supervision should be used.

4.2.1.3. Contact with Authorities

Contacts with relevant authorities shall be formally maintained to:

o Ensure compliance with applicable laws and regulations.
o Anticipate and prepare for upcoming changes to such laws and regulations.
o Ensure timely reporting and implementation of corrective actions in the
  event of a security breach.

A list of relevant local authorities and contacts related to security should be
created and maintained up to date to facilitate contact during emergencies or
when external assistance is required. The following departments / functions at PMCL
are responsible to maintain contact with authorities, at a minimum:
Name of Function / Department | Relevant Areas
Security Department along with Regulatory & Corporate Affairs Department | Law Enforcement Agencies (LEA)
Regulatory & Corporate Affairs Department | Regulators such as PTA, Frequency Allocation Board (FAB), Privacy issues
Legal Department | Litigation and Contractual obligations / issues
Relevant PMCL departments | Utilities, emergency services, electricity suppliers, health and safety, fire departments

Reporting of information security incidents to the authorities where laws or regulations
have been violated should be performed according to the Information Security Incident
Management Procedure.
4.2.1.4. Contact with Special Interest Groups

Special interest groups, specialist security forums and professional associations
shall be identified and contacts with these groups, forums, and associations shall
be maintained.

A role of Information Security Advisor should be assigned to appropriate
individual(s) within PMCL ISG function who will co-ordinate in-house knowledge
and experiences to ensure consistency and provide help in security decision
making. Furthermore, this individual will also have access to suitable external
advisors to provide specialist advice. This includes having consultation with Group
Cyber Security Centre (GCSC) for security intelligence on a need basis. Security
Intelligence includes having a central, comprehensive and real-time view of PMCL
information security posture throughout the organization, based on analysis of
information security related data collected from the numerous sites, devices and
applications.

Information Security Advisor shall be tasked with providing assessment of
security threats and advice on controls. He/she may also be called on to advise,
lead or conduct investigations.

For maximum effectiveness and impact, the Information Security Advisor shall be
allowed direct access to management all across the organization.

4.2.1.5. Information Security in Project Management

Projects executed at PMCL, regardless of the type of the project, shall involve the
Information Security team to perform due diligence to integrate the security
requirements in projects.

PMCL project management method(s) should ensure that Information Security
risks are identified and addressed as part of a project by requiring that:

o Information security objectives and project objectives are aligned at the
  beginning of a project.
o An information security risk assessment is conducted early on to identify
  any required controls.
o Information security is included as part of all phases of the project
  method.

4.2.2. Portable Devices and Teleworking


4.2.2.1. Portable Device Policy

Portable devices shall be controlled through this policy to protect the information
processed or stored on end users' portable devices. This is essential to ensure
protection when using these devices to access sensitive or confidential data /
information by PMCL users.

Privately owned portable devices shall be prohibited from connecting to the PMCL
networks unless explicitly allowed for business use in accordance with Access
Control Policy.

All access to PMCL data from a portable device should be through prior approval
in accordance with Access Control Policy.

PMCL IT shall maintain an approved list of Third Party software, systems or
services for portable devices. Any non-approved Third Party software, systems or
services shall be prohibited unless explicitly allowed for business use by PMCL ISG
team.

Users shall be instructed not to permanently alter any built-in or installed security
controls (configuration settings, software and/or service) in a manner that reduces
the security posture of the device (unless as directed by the PMCL IT or ISG team),
and where appropriate, these settings should be managed centrally.

Portable devices shall be maintained according to the Portable Device / Bring Your
Own Device standard mentioned in Appendix 1.

4.2.2.2. Teleworking

PMCL users shall be allowed to telework if prior management approval is obtained
and the external location security is compliant with Information Security Policy,
including:

o Physical security: PMCL users shall ensure the teleworking site is
  physically secure.
o Communication security: PMCL IT Support team shall ensure that
  hardware and software used to connect to PMCL resources are compliant
  with PMCL Information Security policies.

o Access control: PMCL users shall ensure that access to PMCL resources is
  properly protected at the teleworking site including protection of PMCL
  equipment and information from family and/or visitor access.

Appropriate communication security requirements and communication
equipment, including methods for secure encrypted remote access (e.g.,
Virtual Private Network (VPN) or equivalent) shall be ensured over
teleworking site networks.

PMCL users shall be required to use only a PMCL-provided computer to
connect to PMCL networks, with the exception of Outlook Web Access
(OWA), web based applications or if using a PMCL provisioned
non-persistent virtual desktop environment that prevents processing and
storage of information on privately owned equipment.

4.3. Human Resource Security


The purpose of this policy is to outline the responsibilities of PMCL to ensure its
information assets are sufficiently protected against misuse and harm by PMCL's users
and its candidates for employment.

4.3.1. Prior to Employment


4.3.1.1. Screening

New hires shall be subject to screening / background verification covering
character references (e.g. one business and one personal), academic and
professional qualifications, independent identity verification (passport or similar
national document) and employment background checks prior to employment in
accordance with HR department's employee selection and recruitment process
and relevant laws and regulations.

HR's employee selection and recruitment process should ensure that employee
verification procedures (for background checks and screening) take into account
all relevant privacy, protection of personally identifiable information and
employment based legislation. Such procedures should identify who is
eligible to screen people and how, when and why verification reviews are carried
out. All personal information on candidates should be handled in accordance with
all applicable legislation including, where applicable, informing candidates
beforehand about the screening activities.

Where a job, either on initial appointment or on promotion, involves the person
having access to critical information processing facilities, and, in particular, if
these are handling Confidential Information, e.g. candidates for professional and
leadership roles and sensitive roles based on the information security
requirements of the position applied for, such as financial information or highly
Confidential Information, PMCL should also consider further, more detailed
verifications. Additional checks performed should
(1) be allowed by Local Laws, and
(2) provide accurate and useful information about a candidate.

The screening process should also cover contractors i.e. Third Parties with access
to Confidential Information pertaining to PMCL and/or its Customers. In these
cases, the agreement between PMCL and the contractor should specify
responsibilities for conducting the screening and the notification procedures that
need to be followed if screening has not been completed or if the results give
cause for doubt or concern. These background checks should either be similar to
those used for employee candidate checks or through a confirmation received
from a reputable commercial supplier that equivalent checks have occurred and
no adverse factors were discovered.

4.3.1.2. Terms and Conditions of Employment

All employees shall sign the terms and conditions of their employment, the
Acceptable Usage policy, and also the Non-Disclosure Agreement, where
applicable prior to being permitted access to PMCL's information assets. A record
of every employee's acceptance shall be maintained by the HR department.

PMCL offers of employment shall be contingent upon satisfactory completion of
background checks. Offers of employment should not be extended to a candidate for
any position if background checks identify concerns as to the honesty and
integrity of the candidate.

The process of hiring should ensure that the candidates be disqualified upon
providing incorrect information at the time of hiring e.g. falsified employment
history, incorrect academic / professional qualifications record etc.

The contractual obligations for employees or contractors should reflect PMCL's
information security policies and require:

o Signature of a confidentiality or non-disclosure agreement prior to being
  given access to information processing facilities.
o Identification of Employee or Third Party legal responsibilities and rights,
  e.g., copyright laws or data protection legislation.
o Applicable Employee or Third Party responsibilities for information
  classification and handling of PMCL information assets.
o Disciplinary actions for violations of PMCL's security requirements.

Information security roles and responsibilities should be communicated to job
candidates during the pre-employment process and acknowledged. This
communication can be in the form of a code of conduct that covers
confidentiality, data protection, ethics, acceptable use of assets, etc., and can be
incorporated into employment agreements.

Where appropriate, responsibilities contained within the terms and conditions of
employment should continue for a defined period after the end of the
employment.

4.3.2. During Employment


4.3.2.1. Management Responsibilities

Relevant line managers should require that all users apply security in accordance
with the established information security policies and procedures by ensuring that
users:

o Complete all required security training prior to accessing Confidential
  Information and critical systems
o Conform with their terms and conditions of employment relating to
  Information Security
o Are provided with access to the relevant security policies, standards and
  procedures
o Are given updated security training as appropriate to their role on a
  periodic basis

4.3.2.2. Information Security Awareness, Education and Training

PMCL's staff shall undergo security awareness training on a periodic basis (at
least once in a year), on PMCL information security policy and related
documentation, responsibilities and expectations.

Changes to information security policy or related documentation shall be
communicated across PMCL through formal communication channels i.e. email,
inter-office memo, and trainings in a timely manner, that is, upon approval of the
changes.

An information security awareness programme should be established in line with
PMCL's information security policies and relevant procedures that aims to make
employees and, where relevant, contractors aware of their responsibilities for
information security and the means by which those responsibilities are
discharged. Information security awareness program should cover the following
topics, where appropriate:

o Management's commitment to information security
o Compliance with applicable information security policies, standards,
  procedures, laws, regulations, contracts and agreements
o Personal accountability for security
o Basic information security policies and procedures including those related
  to acceptable use of assets, security incident reporting, information
  transfer/exchange requirements and other baseline controls (e.g.,
  password security, malware controls and clear desks)

Where feasible, information security awareness should include an
assessment of a user's comprehension at the end of an awareness,
education and training course to verify they understood the material with
a minimum passing score required

4.3.2.3. Disciplinary Process

Disciplinary actions shall be taken against PMCL users in the event of violation of
PMCL Information Security Policy and related documentation, according to
applicable regulatory requirements and in co-ordination and compliance with the
HR disciplinary action process.

HR disciplinary process shall include a formal disciplinary process defined for
PMCL employees and contractors who deliberately or repeatedly violate security
policies and procedures. The process should apply consistent and legally
acceptable treatment for individuals who are suspected of committing serious or
persistent breaches of information security and should result in disciplinary action
up to and including immediate dismissal and penalties depending upon the
severity and business impact of the committed breach / violation.

HR department should also document any disciplinary steps that would be applied
to any employee or contractor who accidentally or inadvertently violates security
policies or procedures. Such steps could include warnings, along with mandatory
participation in counselling sessions and trainings to reduce the chance of future
accidental violations.

4.3.3. Termination and Change of Employment


4.3.3.1 Termination or Change of Employment Responsibilities

Should a user resign, be terminated or transferred internally, HR shall notify the
ESS about the appropriate details to ensure timely and appropriate removal or
update of the user's physical access and logical access to PMCL's information
assets in accordance with HR department's employee change request (Transfer)
process and employee exit process.

Changes of responsibility or employment should be managed in the same way as
a termination of current responsibility or employment and the initiation of the
new responsibility or employment except for the domain and email accounts.

Confidentiality agreements and/or terms and conditions of employment
acknowledged / signed should include, where appropriate, any responsibilities
that may continue for a defined period after the end of the Employee's or
contractor's employment. The communication of these responsibilities should
include any on-going information security requirements and legal responsibilities.

4.4. Asset Management


The purpose of this Policy is to ensure that all PMCL's information assets are protected in
an appropriate manner against misuse and harm, and are safeguarded against the risks
associated with security breaches impacting the confidentiality, integrity and availability
of the Information Assets.

4.4.1. Responsibility for Assets


4.4.1.1. Inventory of Assets

Critical Assets associated with information and information processing facilities
shall be identified across each phase (creation, processing, storage, transmission,
deletion and destruction) and an inventory of these assets shall be drawn up and
maintained (e.g., a configuration management database). This should include the
following assets along with relevant information for each asset to aid in disaster
recovery:

o Approved physical devices and systems authorized to connect to the
  network
o Authorized software platforms and applications allowed to be installed on
  systems and user computers

4.4.1.2. Ownership of Assets

All information assets listed in the asset inventory shall be assigned an Asset
Owner, according to the Information Asset Management Procedure.

PMCL's Technology department has approved management responsibility for the
entire asset lifecycle and is therefore assigned the role of Asset Owners,
whereas relevant operational teams within Technology department who have
physical or logical possession of PMCL information or information asset are
assigned the role of Asset Custodians.

Asset owners are responsible to:

o Ensure that Assets are inventoried
o Ensure that Assets are appropriately classified and/or protected (based on
  their sensitivity and criticality to the organization, e.g. in terms of
  confidentiality, integrity and availability), as well as legal requirements
o Define and periodically review access restrictions and classifications, where
  applicable, to important Assets, taking into account applicable access
  control policies
o Ensure proper handling when the Asset is deleted or destroyed

Asset Custodians are responsible to implement, operate, and maintain the
security measures defined by information asset owners.

The Asset inventory should serve as input to a risk register used for risk
management activities where assets can be summarized by Asset type
(electronic, paper, physical hardware (servers, laptops, workstations, routers,
firewalls, switches, phones, printers, etc.), software, processes, people) to which
existing or future controls can be defined.
4.4.1.3. Acceptable Use of Assets

All employees and external party users using or having access to PMCL's assets
should be made aware of the information security requirements, in the form of
Acceptable Usage requirements (see Appendix 2), of PMCL's assets associated
with information and information processing facilities and resources. They should
be responsible for their use of any information processing resources and of any
such use carried out under their responsibility.

Employees and Third Party staff shall be prohibited from doing any of the
following:

o Exploiting vulnerabilities or deficiencies in any PMCL Information Systems
  security unless specifically approved in advance by PMCL Information
  Security Leadership
o Deliberately damaging PMCL systems or information
o Obtaining resources beyond those they have been authorized to obtain
o Gaining access to other PMCL systems for which proper authorization has
  not been granted
o Testing or attempting to compromise PMCL information and system
  controls
o Exchanging music files, digital movies, software, or any other copyrighted
  or licensed material for which PMCL or the user do not own a license or
  have copyright use permission

Employees and Third Party staff shall be prohibited from establishing the
following within PMCL's technical infrastructure or on behalf of PMCL without prior
documented approval from PMCL ISG team:

o Intranet server, Internet servers, social media sites including blogs or
  electronic bulletin boards (any external or public facing blog requires
  specific prior approval of PMCL ISG team).
o Local area networks
o Wireless access points
o Software or other technology that enables remote access to existing
  internal networks or systems or user computers

Acceptable use of information and information assets shall be covered as below
and defined (in Appendix 2):

o Information Systems and Services Usage
o Information Usage
o E-mail Usage
o Portal Usage

o Internet Usage
o Remote Access
o Password Usage
o Printer Usage
o Physical Security
o Unacceptable use
o Compliance and Monitoring
o Disclaimer
o Enforcement
o Reporting Acceptable Usage Violations

4.4.1.4. Return of Assets

All users shall return all of the organizational Assets in their possession upon
resignation, termination or transfer in accordance with the Information Asset
Management Procedure and HR procedures.

When an employee leaves PMCL, HR employee exit procedures shall ensure that
the organizational assets, ID badges and keys are collected. HR should include the
following security measures into exit interview processes and other general
procedures surrounding employee termination or resignation, in order to achieve
consistency and ensure that functional groups are coordinating their efforts with
the security function.

o Property - Retrieve any PMCL physical and electronic property stored on
  corporate issued or personal devices, including company or customer
  information, computers, software, keys, identification badges, tokens,
  access cards
o Software - Remove PMCL information and licensed software from any
  property that will remain in the possession of the employee or contractor
  being separated
o Securely erase any relevant organizational or customer related information
  stored on personally owned devices and backups

4.4.2. Information Classification


4.4.2.1. Classification of Information

Information Asset Management Procedure shall be appropriately implemented
to effectively address the business requirements.

All information assets identified in the asset inventory shall be classified based on
a formal process according to the classification scheme defined in the
Information Asset Management Procedure.

The default classification for all information assets shall be Confidential
Information until a specific classification has been assigned.

Information asset classification shall be reviewed on a periodic basis (e.g., at least
once a year) in accordance with the emerging risks and threats.

Information asset classification should have conventions for assigning
classification

Information asset classification should be reviewed / re-performed over time as
value, sensitivity and criticality change through the asset life-cycle

Information asset classification should be aligned with the access control policy

Information asset classification should be integrated with asset inventory
processes

4.4.2.2. Labelling and Handling of Assets

All information assets shall be labelled, protected and managed in accordance
with the classification scheme and naming convention defined in Information
Asset Management Procedure.

The identified controls shall be implemented and enforced to ensure adequate
prevention and detection of information leakage.

4.4.3. Media Handling


4.4.3.1. Management of Removable Media

When in use, storage or transit, removable media shall be physically and logically
protected against loss, damage, abuse or misuse.

Data classified as internal use or higher, stored on removable media, shall be
removed in a timely manner when the business purpose is achieved.

Removable media should be controlled and managed in a way to ensure that
contents of re-usable media that are no longer required and are to be removed
from PMCL are made unrecoverable.

Media should be removed based on formal authorization from the asset owner,
and audit trails should be maintained.

Removable media should be encrypted to ensure protection of data.

Old media should be replaced with fresh media periodically before it becomes
unreadable from degradation. Relevant operational teams shall be responsible for
classifying the media as Old media.

Redundant copies of critical media should be maintained to reduce the risk of
damage or loss.

Critical removable media should be registered and tracked in accordance with
Information Asset Management Procedure.

Use of removable media drives should only be allowed based on access control
policies and valid business requirements.

PMCL ISG should monitor the transfer of information to removable media with
an appropriate mechanism such as a Data Leakage Prevention (DLP) system.

4.4.3.2. Disposal of Media

Media should be disposed of securely when no longer required, using Media
Handling and Disposal Procedure to remove PMCL Confidential information and
licensed software prior to the disposal or reuse of the media, including:

Media containing Confidential Information should be stored and disposed
of securely, e.g. by incineration or shredding, or data should be properly
erased from the media prior to the media being used for another purpose
within PMCL

Third party collection and disposal services for media should be carefully
selected with adequate safeguards and experience and require certificates
of disposal or removal completion

Disposal of sensitive items should be logged in order to maintain an audit
trail

For hard copy documents, CDs, DVDs, etc., sealed shredder containers should be
available where hard copy outputs are generated (e.g., rooms with printers and
fax machines).

4.4.3.3. Physical Media Transfer

Media containing sensitive information shall be protected against unauthorized
access, misuse or corruption during transportation as per the following:

Use only reliable and authorized transport or couriers as well as criteria or
procedures to verify the identification of couriers

Ensure secure packaging sufficient to protect media from physical damage
in accordance with any manufacturer's specifications (e.g., against
exposure to heat, moisture or electromagnetic fields)

Encrypt confidential information on media in-transit where possible, and if
not, additional physical protection of the media should be considered

Audit logs should be kept, identifying the content of the media, the
protection applied as well as recording the times of transfer to the transit
custodians and receipt at the destination.

4.5. Access Control


The purpose of this Policy is to ensure that only authorized personnel are granted access
to PMCL's information and information processing facilities (including operating system,
network components and applications).

4.5.1. Business Requirements of Access Control


4.5.1.1. Access Control Policy

Respective line managers (in coordination with HR department, where
appropriate) shall be responsible to notify ESS and NOC AMT of employees
(permanent and contractual) that are joining or leaving PMCL or changing job
roles.

Asset owners shall be responsible for determining appropriate access control
rules, access rights and restrictions for specific user roles towards their assets,
with the amount of detail and the strictness of the controls reflecting the
associated information security risks. Asset owners shall provide ESS with a
standard user role profile to be used in provisioning access to PMCL-wide specific
systems and applications.

Asset owners shall determine appropriate access control rules (both logical and
physical) towards their assets based on risk.

Access rights shall be defined on minimum level of access in accordance with the
job description, roles and responsibilities of the user.

Administrative access rights shall not be given to any user unless highly
required by the business, and any such request shall be approved by the
relevant Head of Department. Such requests should subsequently be assessed
and approved by ISG team manager or the appropriate delegate. Moreover, ISG
team shall maintain a record to identify who has been assigned the
administrative / super user access rights.

Access to PMCL information and information assets shall be authorized and
approved with valid business justification and shall be reviewed on a regular
basis.

Default vendor authentication credentials shall be changed following the
installation of the systems or software.

Segregation of duties shall be enforced during entire lifecycle for management of
access rights to ensure that no single individual can make changes to access
rights without explicit approval of authorized personnel. At minimum, the
following functions shall be segregated:

Request for user access

Approval of request

Implementation of request, and

Monitoring of changes

Access controls shall take into account the principles of:

Least-privilege (e.g., user(s) are only granted minimum level of privilege
and access required to perform their business function(s))

"Need-to-know" (e.g., user(s) are only granted access to the information
they need to perform their duties)

"Need-to-use" (e.g., user(s) are only granted access to the information
processing facilities (IT equipment, applications, procedures, rooms)
needed to perform their task / job / role)

4.5.1.2. Access to Networks and Network Services

Access to networks and network services shall be granted after approval by ISG
team, based on business needs and after evaluating any security risks and their
impact on PMCL, according to the Access Control Procedure.

Insecure protocols shall be strictly prohibited unless protected by secure protocols
(e.g., SSH vs. telnet, HTTPS vs. HTTP, SFTP or FTPS vs. FTP) when used to access
networked devices or transfer non-public information.

Networks team shall be responsible to:

maintain a list of the networks and network services which are allowed to
be accessed

determine who is allowed to access which networks and network services

define the means used to access different networks and network services
(e.g. use of VPN or wireless network) along with appropriate user
authorization requirements for securing the access

monitor the use of network services by deploying adequate tools to protect
and monitor the access to the network infrastructure and network services

4.5.2. User Access Management


4.5.2.1. User Registration and De-Registration

A formal user registration and de-registration process shall be established
according to the Access Control Procedure to enable assignment of access rights
for PMCL systems, applications, and networks. This process should include:

Using unique user IDs to positively identify users; shared IDs should only
be permitted where they are necessary for business or operational reasons
and should be approved and documented

Immediately disabling or removing user IDs of users who have left PMCL

Periodically identifying and removing or disabling redundant user IDs and
ensuring that redundant user IDs are not issued to other users

Directories, networks, and Systems shall be configured to deactivate or lock
inactive PMCL accounts on a periodic basis (e.g., accounts not used for more than 90
days), including active directory/LDAP Users, network Users, and System User
accounts. The account should remain locked until the account owner's manager or
other authorized individual requests that the account be either reactivated or
disabled and removed.

PMCL ISG team shall review periodic reports (e.g., weekly or fortnightly) for
account exceptions (e.g., locked-out accounts, accounts with passwords that
exceed the maximum password age, and accounts with passwords that never
expire).

4.5.2.2. User Access Provisioning

A formal process for the assignment of user access rights (access provisioning) to
a system shall be defined and implemented according to the Access Control
Procedure in order to assign or revoke access rights and privileges for all user
types to all systems and services.

Access shall be authorized by the owner of the information system or service.

The level of access granted shall be verified as appropriate to the access control
policies and consistent with other requirements such as:

Segregation of duties, least-privilege, need-to-know and need-to-use

Access for Third Parties is only for the duration of their work for PMCL and
access is granted only after receipt of a signed confidentiality agreement
or PMCL-wide confidentiality agreement. All service personnel performing
work on PMCL systems, such as hardware repair, software upgrade, and
maintenance vendors, should either have a PMCL-wide confidentiality
agreement in place or sign a confidentiality agreement prior to starting
work

Access rights and privileges should not be activated before the authorization
process is completed.

A central record shall be maintained of access rights and privileges granted to a
user ID to access information systems and services.

4.5.2.3. Management of Privileged Access Rights

The allocation and use of privileged access rights shall be restricted and
controlled through a formal authorization process according to the Access
Control Procedure.

The privileged access rights associated with each system, process or application
and the users to whom they need to be allocated shall be identified.

Privileged access rights should be limited and only allocated to users on a
need-to-use basis and on an event-by-event basis in line with the access control policy,
i.e. based on the minimum requirement for their functional roles.

Privileged access rights should only be granted with a defined expiry so as to not
grant permanent administrative privileges to PMCL Employees that require such
privileges only for infrequent or special job responsibilities.

Privileged access rights shall be assigned to a user ID different from those used
for regular business activities. Regular business activities should not be
performed from a privileged ID. Where technically feasible, privileged IDs should
never be shared. Users should only use the Windows administrator or Unix
root accounts in emergency situations. Individual Domain administration
accounts should be used when required for system administration instead of local
administrative accounts.

Direct administrative access to systems shall be prohibited, where technically
feasible, and shall require a fully logged and non-administrative account for initial
login followed by a brokered transition to administrative privileges using their
own administrative accounts and password (e.g., Sudo on Linux/UNIX, RunAs on
Windows or other similar facilities).

For generic administration user IDs, the confidentiality of secret authentication
information (e.g. passwords) should be maintained when shared (e.g. changing
passwords frequently and as soon as possible when a privileged user leaves or
changes job, communicating them among privileged users through appropriate
secure mechanisms).

4.5.2.4. Management of Secret Authentication Information of Users

The secret authentication information (password, or other authentication
mechanism) shall be given to users in a secure manner, according to the Access
Control Procedure.

Users should be required to acknowledge a statement to keep personal secret
authentication information confidential and to keep group (i.e. shared) secret
authentication information solely within the members of the group; this
acknowledgement may be included in the terms and conditions of employment or
third-party agreements in case of contractual relationships such as franchises etc.

For secret authentication information assigned to a group, the group owner shall
be its owner and shall bear the overall accountability for its use. The secret
authentication information for the group shall be changed on periodic intervals
based on risk.

Users should be provided initially with secure temporary secret authentication
information unique to the individual and in adherence with the PMCL password
complexity requirements and should be required to change their temporary secret
authentication information on first use.

Users should be provided with their temporary secret authentication information in
a secure manner.

Default vendor secret authentication information should be altered following
installation of the system before going into production.

All service accounts should have difficult-to-guess passwords and be configured to
deny local logon access, terminal services access and/or remote control of
terminal services sessions. If local logon access cannot be denied, service account
passwords should be changed on a periodic basis (e.g., every 6 months) or when
a user who knows the password leaves or changes roles within PMCL.

4.5.2.5. Review of User Access Rights

Asset owners shall review users' access rights, i.e. matching active users to each
account, on a periodic basis / at regular intervals. If an account is not assigned to
an active user or is no longer authorized, it should be disabled.

Any changes to administrative / super users and privileged accounts should be
logged for periodic review.

4.5.2.6. Removal or Adjustment of Access Rights

Timely revocation or deactivation of user IDs shall be executed upon user
resignation, termination or security breach identification in accordance with PMCL
Incident Management Procedure. To reduce the administrative burden of
removing access, access accounts should be set up with an appropriate expiration
date, where possible, that automatically removes access unless access is
re-authorized.

The required approvals defined in the Access Control Procedure shall be
obtained prior to adjusting the access rights.

A formal process should be established according to the Access Control
Procedure for removal of access rights upon resignation, termination, end of
contract / agreement as well as for adjustment of access rights upon change in
user role. The process should include the following:

Passwords and Keys - change all shared or administrator passwords;
remove, revoke or replace cipher keys; and change PIN numbers or
combination locks known or used by the separated person.

Access for resigning or terminated users - revoke access to PMCL systems.

Access may continue for a specified period of time if this is provided for as
part of a separation agreement; access should be limited to only PMCL
systems specified in such a separation agreement.

Access rights should be reduced or removed before the employment
terminates or changes, depending on the evaluation of risk factors such
as:

Who initiated the termination or change and the reason for
termination;

The current responsibilities of the user;

The value of the assets currently accessible.

Access for changes of employment position or role - the changes in access
should be reflected in removal of all access rights that were not approved
for the new position (both physical and logical).

Access for group IDs - remove departing users from any group access lists

4.5.3. User Responsibilities


4.5.3.1. Use of Secret Authentication Information

Users shall be required to follow PMCL's policy on the use of secret authentication
information, i.e. passwords for authentication to PMCL's systems, networks, and
computing devices as outlined in Appendix 5.

Where possible, enforcement of the password settings shall be automated and
enforced by system facilities. Exceptions may be granted if this is not technically
feasible.

Users shall be instructed on their responsibilities related to protecting secret
authentication information (e.g., passwords; use of password management tools)
where not system enforced such as the following:

Keep passwords confidential, ensuring that they are not divulged to any other
parties, including people of authority, except where required by local
laws in coordination with PMCL's legal department

Avoid keeping a record (e.g. on paper, software file or hand-held device)
of secret authentication information, unless this can be stored securely
and the method of storing has been approved for use (e.g. password
vault); however, any unapproved Third Party and/or cloud-based
"password keeper" or "password wallet" software or service should be
prohibited

Do not use the same secret authentication information for business and
non-business purposes (e.g., Internet email, Internet banking and social
networking services)

Ensure proper protection of passwords when passwords are used as secret
authentication information in automated log-on procedures and are stored.
Do not use the "remember password" feature in any Web browser.

Choose a password that meets or exceeds PMCL requirements for length
and complexity, maximum age, minimum history and re-use

Do not perform any activity with User-IDs belonging to other users

Change passwords immediately whenever there is any indication of their
possible compromise and notify the local security or information
technology group or designee

Do not share secret authentication information with other users

4.5.4. System and Application Access Control


4.5.4.1. Information Access Restrictions

Applications shall have the functionalities to control the access rights of users.
Access to information and application system functions should be restricted by
considering the following in order to support the access restriction requirements:

Providing menus to control access to application system functions

Controlling which data can be accessed by a particular user

Controlling the access rights of users, e.g. read, write, delete and execute

Controlling the access rights of other applications

Limiting the information contained in outputs

Providing physical or logical access controls for the isolation of sensitive
applications, application data, or systems

4.5.4.2. Secure Log-on Procedures

Information systems shall be configured to positively identify users prior to their
use of PMCL's computer or system resources. Positive identification should involve
User IDs and passwords or biometrics, call-back systems, dynamic password
tokens, or digital certificates. Where stronger authentication is required, PMCL
should consider the use of two-factor authentication.

Network and systems login shall be protected against brute force log-on attacks
by locking accounts after a maximum number of consecutive failed login
attempts. The account should be locked out and allowed to be reset after a
minimum period of time as defined in Appendix 6.

Access to systems and applications shall be controlled by additional secure log-on
procedures designed to minimize the opportunity for unauthorized access and
disclose the minimum of information about the system or application to avoid
providing an unauthorized user with any unnecessary assistance. This should
include the following:

Do not display system or application identifiers until the log-on process
has been successfully completed

Display a general notice warning that the computer should only be
accessed by authorized users

Do not provide help messages during the log-on procedure that would aid
an unauthorized user

Validate the log-on information only on completion of all input data. If an
error condition arises, the system should not indicate which part of the
data is correct or incorrect

Display the following information on completion of a successful log-on:

Date and time of the previous successful log-on

Details of any unsuccessful log-on attempts since the last
successful log-on

Log unsuccessful and successful attempts

Raise a security event if a potential attempted or successful breach of log-on
controls is detected

Do not display a password being entered

Do not transmit passwords in clear text over a network

Where appropriate, terminate inactive sessions after a defined period of
inactivity, especially in high risk locations such as public or external areas
outside PMCL's security management or on portable devices

Where appropriate, restrict connection times to provide additional security
for high-risk applications and reduce the window of opportunity for
unauthorized access

4.5.4.3. Password Management System

The applications / systems / devices shall be enabled to enforce a strong
password policy to ensure quality passwords in accordance with the settings as
outlined in Appendix 5.

4.5.4.4. Use of Privileged Utility Programs

The installation or use of utility programs (that might be capable of overriding
system and application controls) shall be limited to a specific timeframe, justified
and approved by the ISG team.

Access to system utilities shall be granted only to authorized personnel to carry
out administrative or business required activities.

System utilities activities shall be logged and reviewed on a periodic basis, at
least annually. Unnecessary utility programs should be identified and disabled
in a timely manner.

All utility programs should be segregated from applications software.

Use of utility programs should be limited to the minimum practical number of
trusted, authorized users.

4.5.4.5. Access Control to Program Source Code

Program source code, if available, and associated information such as designs,
specifications, program listings, test plans and reports shall be maintained in a
controlled manner:

Where possible, program source libraries should not be held in operational
systems.

Program source code and the program source libraries should be managed
by automated tools, where possible

Support personnel access to program source libraries should be controlled
and should not be left unrestricted

Authorization should be required to update program source libraries and
for issuing of program sources to programmers and developers

Program listings should be held in a secure environment.

All accesses to program source libraries should be logged

Strict change control procedures should be followed for maintenance and
copying of program source libraries

The use of digitally signed code should be considered if the program
source code is intended to be published or if a higher degree of integrity is
required.

4.6. Cryptography
The purpose of this policy is to outline the controls that ensure appropriate and
effective protection of the confidentiality, authenticity and / or integrity of confidential
information.

Use of Cryptographic Controls

Cryptographic controls shall be designed as per Cryptography Standard (refer to
Appendix 7) to protect PMCL's information assets when stored or in transit.

User Computers (including laptops and portable devices (e.g., mobile phone,
smartphone, PDA, media pad or tablet)) shall be configured to encrypt PMCL
confidential information data using cryptography standard mentioned in this
policy.

All confidential information stored on portable media (e.g., CDs, external hard
disks, flash drives) shall be encrypted using cryptography standard mentioned in
this policy. Where feasible, user should be required to use PMCL issued and
approved encrypted portable storage media.

Passwords shall be protected using cryptography standard mentioned in this
policy when transmitted across the network and stored at-rest. When available,
non-reversible industry standard cryptographic transforms (hash formats, e.g.,
bcrypt, scrypt, PBKDF2, or SHA-2) should be used; systems must not hold
passwords in clear text.

Communications that transmit PMCL confidential information from a more secure
/ trusted zone to or across a less secure / trusted zone, shall be encrypted using
cryptography standard mentioned in this policy. Email that traverses the public
Internet may not always be automatically encrypted; as such, confidential
information in an email should be encrypted using industry accepted best
practices such as TLS and/or S/MIME or via alternate secure communication
mechanisms where supported (e.g. SFTP).

Data being transmitted over wireless networks shall be encrypted based on
cryptography standard mentioned in this policy.

Non-console administrative access to systems shall be encrypted using
cryptography standard mentioned in this policy.

All remote access shall be over approved encrypted channels using cryptography
standard mentioned in this policy.

Key Management

PMCL shall implement key management controls as follows to maintain the
confidentiality, integrity and availability of cryptographic keys throughout the
keys' lifecycle including generating, storing, using, retrieving, distributing,
backing-up and destroying keys.

All cryptographic keys should be protected against modification and loss.
All secret and private keys should be protected against unauthorized use
and access or disclosure

The equipment used to generate, store and archive keys should be
physically protected

Activation and deactivation dates for keys should be defined so that the
keys can only be used for the period of time defined in the associated key
management policy

4.7. Physical and Environmental Security


The purpose of this policy is to outline the physical and environmental security controls
that shall be established and maintained to protect PMCL's information processing
facilities, systems, devices and records from unauthorized physical access, interference
and damage to equipment.

4.7.1 Secure Areas


4.7.1.1. Physical Security Perimeter, Entry Controls & Securing Offices, Rooms & Facilities

Physical security requirements shall be formally defined and implemented in
accordance with industry standards and benchmarks. The following guidelines shall
be considered where appropriate to enhance the PMCL standard operating
procedure on physical security:

Security perimeters should be defined, and the siting and strength of each
of the perimeters should depend on the security requirements of the
assets within the perimeter and the results of a physical security risk
assessment

perimeters of a building or site containing information processing facilities
should be physically sound (i.e. there should be no gaps in the perimeter
or areas where a break-in could easily occur); the exterior roof, walls and
flooring of the site should be of solid construction and all external doors
should be suitably protected against unauthorized access with control
mechanisms, (e.g. bars, alarms, locks); doors and windows should be
locked when unattended and external protection should be considered for
windows, particularly at ground level

a manned reception area or other means to control physical access to the
site or building should be in place; access to sites and buildings should be
restricted to authorized personnel only

physical barriers should, where applicable, be built to prevent
unauthorized physical access and environmental contamination

all fire doors on a security perimeter should be alarmed, monitored and
tested in conjunction with the walls to establish the required level of
resistance in accordance with suitable standards; they should operate in
accordance with the local fire code in a failsafe manner

suitable intruder detection systems should be installed as per international
standards (e.g. TIA-942) and regularly tested to cover all external doors
and accessible windows; unoccupied areas should be alarmed at all times;
cover should also be provided for other areas, e.g. computer room or
communications rooms

information processing facilities managed by PMCL should be physically
separated from those managed by external parties

o the date and time of entry and departure of visitors should be recorded,
  and all visitors should be supervised unless their access has been
  previously approved

o The visitors should only be granted access for specific, authorized
  purposes and should be issued with instructions on the security
  requirements of the area and on emergency procedures. The identity of
  visitors should be authenticated by an appropriate means

o access to areas where confidential information is processed or stored
  should be restricted to authorized individuals only by implementing
  appropriate access controls, e.g. by implementing a two-factor
  authentication mechanism such as an access card and secret PIN

o a physical log book or electronic audit trail of all access should be securely
  maintained and monitored

o all employees, contractors and external parties should be required to wear
  some form of visible identification and should immediately notify security
  personnel if they encounter unescorted visitors and anyone not wearing
  visible identification

o external party support service personnel should be granted restricted
  access to secure areas or confidential information processing facilities only
  when required; this access should be authorized and monitored

o access rights to secure areas should be regularly reviewed and updated,
  and revoked when necessary

o key facilities should be sited to avoid access by the public

o where applicable, buildings should be unobtrusive and give minimum
  indication of their purpose, with no obvious signs, outside or inside the
  building, identifying the presence of information processing activities

o facilities should be configured to prevent confidential information or
  activities from being visible and audible from the outside

o directories and internal telephone books identifying locations of
  confidential information processing facilities should not be readily
  accessible to anyone unauthorized

4.7.1.2. Protecting Against External and Environmental Threats

PMCL shall maintain relevant contacts as well as obtain and document specialist
guidelines specifying how to avoid damage from fire, flood, earthquake,
explosion, civil unrest and other forms of natural or man-made disaster.

4.7.1.3. Working in Secure Areas

Secure areas should be identified and protected by designing and implementing
adequate standard operating procedures (SOP) for working in secure areas (e.g.,
data centres, other areas deemed to be secure areas). These should include
controls for the Employees and relevant Third Party users. The SOP should be
designed in such a way that it does not divulge the type or nature of the services
being operated within that area. SOPs should include controls for the Employees
and relevant Third Party users and cover activities such as the following:

o Monitoring of secure areas for safety reasons and to prevent opportunities
  for malicious activities

o Vacant information systems equipment secure areas should be physically
  locked and periodically reviewed (e.g., by remote monitoring systems
  and/or security guards)

o Procedures and signage prohibiting smoking, eating, and drinking shall be
  implemented in data centres, network wiring closets and server rooms

o Use of video or audio recordings should be prohibited within secure areas
  and facilities unless required to fulfil job responsibilities and authorization
  is obtained from appropriate management

4.7.1.4. Delivery and Loading Areas

Delivery and loading areas shall be isolated from PMCL's information processing
environment and shall be adequately monitored.

A secured intermediate holding area should be used for delivery of computer
supplies, equipment, information media, and other related information processing
or storage devices.

Delivery personnel should not directly access rooms containing computer and
communications hardware and software. In addition, delivery personnel should be
escorted by authorized personnel at all times.

4.7.2. Information Processing Equipment


4.7.2.1. Equipment Siting and Protection

Equipment shall be sited and protected to reduce the risks of environmental
threats, hazards, and opportunities for unauthorized access, in accordance with
the service criticality.

Equipment siting controls shall be inherited from PMCL's HSE physical and
environmental controls procedures. The following guidelines should be
considered, where appropriate, for the protection of sensitive equipment:

o information processing facilities handling sensitive data should be
  positioned carefully to reduce the risk of information being viewed by
  unauthorized persons during their use

o storage facilities / warehouses should be secured to avoid unauthorized
  access

o items requiring special protection should be adequately safeguarded

o controls should be adopted to minimize the risk of potential physical and
  environmental threats, e.g. theft, fire, explosives, smoke, water (or water
  supply failure), dust, vibration, chemical effects, electrical supply
  interference, communications interference, electromagnetic radiation and
  vandalism

o guidelines for eating, drinking and smoking in proximity to information
  processing facilities should be established

o environmental conditions, such as temperature and humidity, should be
  monitored for conditions which could adversely affect the operation of
  information processing facilities

o Where appropriate, lightning protection should be applied to buildings and
  lightning protection filters should be fitted to all incoming power and
  communications lines

4.7.2.2. Supporting Utilities

Supporting utilities such as power supply, UPS, backup generator, gas, etc. shall be
controlled and maintained in accordance with the supplier specifications and the
service criticality.

Supporting utilities controls shall alert relevant parties in the event of failure or
performance degradation.

4.7.2.3. Cabling Security

Power and telecommunication cables shall be physically secured to prevent
intentional or unintentional failure and line tapping.

Power and telecommunication cables shall be regularly inspected, maintained,
segregated and protected to prevent interference and unauthorized access.

All the power and telecommunications cabling carrying data or supporting
information services should be protected from interception, interference or
damage in accordance with the detailed technical guidelines provided by best
practice standards such as TIA-942.

4.7.2.4. Equipment Maintenance

Equipment shall be maintained in accordance with the supplier's recommended
specifications and with the service criticality by authorized personnel or
contractors.

Only authorized maintenance personnel should carry out repairs and equipment
service.

Records should be kept of all suspected or actual faults, and of all preventive and
corrective maintenance.

Appropriate access controls should be implemented when equipment is scheduled
for maintenance to prevent unauthorized access to confidential or sensitive
information.

Equipment requiring offsite maintenance shall not be moved or taken off-site
unless appropriate approvals are obtained and business impacts are considered
and accepted.

Equipment maintenance activities shall be monitored, reported to the concerned
authority and controlled.


4.7.2.5. Removal of Assets

Information Assets shall not be moved or taken off-site unless appropriate
approvals are obtained according to the Media Handling and Disposal Procedure.

Spot checks shall be performed on a periodic basis (at least annually) to detect
unauthorized removal of information assets.

4.7.2.6. Security of Equipment Off-Premises

The off-premises use of information assets shall be authorized by the Asset
Owner.

PMCL equipment dealing with sensitive information held off-premises should
be protected by adhering to the following directives:

o Off-site equipment should be protected to the same degree as on-site
  equipment. When traveling, personnel should protect equipment and
  media, ensuring that it is not left unattended in public, and is carried as
  hand luggage

o Manufacturer's instructions for protecting equipment should be observed
  at all times, e.g. protection against exposure to strong electromagnetic
  fields

o Controls for off-premises locations, such as home-working, teleworking
  and temporary sites should be determined by a risk assessment and
  suitable controls applied as appropriate to achieve the same level of
  security controls as would be applied to the equivalent equipment located
  within PMCL facilities, e.g. lockable filing cabinets or rooms, clear desk
  policy, access controls for computers and secure communication with the
  office, and adequate insurance

o Where appropriate, when off-premises equipment is transferred among
  different individuals or external parties, a log should be maintained that
  defines the chain of custody for the equipment including at least names
  and organizations of those who are responsible for the equipment

4.7.2.7. Secure Disposal or Reuse Of Equipment

Information assets shall be sanitized prior to re-use.

The asset owner's approval shall be obtained prior to re-using or destroying an
information asset.

All items of equipment containing storage media should be verified to ensure that
any sensitive data and licensed software or copyrighted information has been
physically destroyed, deleted or overwritten using techniques to make the original
information non-retrievable prior to disposal or re-use. Where disposal is through
a Third Party service provider, a certificate of removal completion shall be
required.

PMCL shall ensure that no confidential information is left on any computer,
device, or media when it is disposed of or when it is reissued to someone else.


PMCL shall securely erase all confidential information regardless of media
including, but not limited to:

o Internal hard drive storage

o Internal flash memory

o Portable storage devices, such as USB thumb drives, flash memory cards
  & portable hard drives

o User computers and hand held portable devices

All data on media shall be erased by overwriting storage areas in multiple passes
with random data.

PMCL should consider using data erasure software to facilitate the destruction of
data. This software should provide the user with a validation certificate indicating
that the overwriting procedure was completed properly and that all hidden areas
have been erased, and should provide a defects log list and list the bad sectors
that could not be overwritten.

In cases where a computer or other portable device is going to be reissued, the
device should be reimaged to a standard state (as is usually done for computers
and handhelds). To decrease the number of steps, PMCL may include data
erasure in the reimage process.

Where storage media contains confidential or copyrighted information that cannot
be deleted or overwritten using standard techniques to make the original
information non-retrievable, these media should be physically destroyed (e.g.,
damaged equipment containing storage media). Damaged equipment containing
storage media may require a risk assessment to determine whether the items
should be physically destroyed rather than sent for repair or discarded.

4.7.2.8. Unattended User Equipment

Unattended equipment shall be protected from unauthorized access and use. This
includes appropriate protection against both physical theft and unauthorized access to
data contained on the devices. This should include the following measures:

o Terminating active sessions when finished, unless they can be secured by
  an appropriate locking mechanism, e.g. a password protected screen saver

o Logging-off from applications or network services when no longer needed

o Physically securing laptops and portable devices when not in use (e.g.,
  cable locks, locking cabinet or locked room)

Mobile computers, cell phones, and other computing equipment should be
protected while left unattended and while travelling.

4.7.2.9. Clear Desk and Clear Screen Directives

PMCL shall establish the following controls to ensure clear desk and clear screen to
protect PMCL's information assets:

o Computers and user terminals should be left logged off or protected with
  a screen and keyboard locking mechanism controlled by a password, token
  or similar user authentication mechanism when unattended

o User computers should be configured such that screen savers are
  automatically invoked requiring re-authentication after a maximum of 15
  minutes of inactivity

PMCL confidential information should be removed from printers, photocopiers and
other reproduction technology (e.g. scanners, digital cameras) as soon as
possible to avoid any unauthorized disclosure.

4.8. Operations Security


The purpose of this policy is to establish the necessary requirements to enable secure
operations within the PMCL information processing environment.

4.8.1. Operational Procedures and Responsibilities


4.8.1.1. Documented Operating Procedures

Operating procedures shall be approved and communicated to relevant parties,
and shall be reviewed on a regular basis or whenever a major change has been
introduced to the information processing environment.

IT Operating Procedures outsourced to third-parties shall be documented by the
contractor and communicated to the relevant parties within PMCL.

4.8.1.2. Change Management

Changes to PMCL business processes, information processing facilities and
systems that affect information security shall be controlled in accordance with a
formal change management procedure.

4.8.1.3. Capacity Management

Capacity analysis shall be performed for all systems based on the service
criticality on a regular basis or whenever a major change is being planned.
Projected capacity and available budget shall be analysed and resources shall be
tuned in a timely manner to avoid degradation of service or business disruption in
accordance with the Performance, Availability and Capacity Management Procedure.

4.8.1.4. Separation of Development, Test and Operational Facilities

Development, testing, and operational environments shall be separated to reduce
the risks of unauthorized access or changes to the operational environment,
including the following:

o Rules for the transfer of software from development to operational status
  should be defined and documented

o Development and operational software should run on different systems or
  computer processors and in different domains or directories

o Changes to operational systems and applications should be tested in a
  testing or staging environment prior to being applied to operational
  systems

o Other than in exceptional circumstances, testing should not be done on
  operational systems

o Compilers, editors and other development tools or system utilities should
  not be accessible from operational systems when not required

o Users should use different user profiles for operational and testing
  systems, and menus should display appropriate identification messages to
  reduce the risk of error

o Sensitive data should not be copied into the testing system environment
  unless equivalent controls are provided for the testing system

o Developers should not have access to production or operational
  environment/systems

Testers and developers shall be granted limited access to the development and
test environments in accordance with the Access Control Procedure.

4.8.2. Protection from Malware


4.8.2.1. Controls against Malware

Detection, prevention and recovery controls to protect against malware shall be
implemented, and combined with appropriate user awareness to ensure users are
aware of the risks of malware, and their responsibilities in protecting PMCL's User
Computers and Systems.

Malware protection for systems, user computers and media shall be provided
through the installation of appropriate approved centrally managed anti-malware
programs. Scans carried out should include:

o Any files received over networks from the Internet or via any form of
  removable storage media when inserted

o Electronic mail attachments and downloads (at several locations including:
  electronic mail servers, user computers / systems and when entering the
  network of PMCL at the perimeter or web proxy gateway)

Anti-malware software on systems and user computers shall be updated with new
anti-malware signatures as soon as possible but no later than 12 hours after
release. If a user computer has not been connected to the Internet or a PMCL
system or network for an extended time, the signature should be updated as
soon as the computer is reconnected.

User Computers and Systems shall be configured to not allow auto-run content
from removable devices when inserted. If the removable devices are not required
for business use, they should be disabled.

Controls should be implemented that detect and/or prevent the use of known or
suspected malicious websites (e.g. blacklisting).


4.8.3. Backup

4.8.3.1. Information Backup

Backups shall be performed on a periodic basis, the extent (e.g. full or differential
backup) and frequency of which should reflect the business requirements for
data recovery, data retention and the criticality of the information to continued
operations.

Backups shall be periodically tested where appropriate or at least annually, to
ensure that they can be relied upon for emergency use when necessary; this
should be combined with a test of the restoration procedures onto dedicated test
media and checked against the restoration time required.

In situations where confidentiality is of importance, backups shall be protected in
accordance with any information classification and handling requirements. End of
life backup media should be erased or destroyed through formal processes in
accordance with media handling requirements.

Adequate backup facilities shall be provided to ensure that all essential
information and software can be recovered following a disaster or media failure.
Backups should be stored in a remote location, at a sufficient distance to escape
any damage from a disaster at the main site and should be given an appropriate
level of physical and environmental protection consistent with the standards
applied at the main site.

4.8.4. Logging and Monitoring


4.8.4.1. Event Logging

Event logs shall be configured (especially on systems transmitting or storing
Personally Identifiable Information (PII) or confidential data, intellectual property,
or other data or systems which impact the brand) to record user activities,
exceptions, faults and information security events whenever those systems
possess logging capability.

Event logs shall be kept and regularly reviewed for security exceptions and
inappropriate user activities, or automated alerts should be implemented (e.g.
through Security Incident and Event Monitoring (SIEM) solutions) to identify and
respond to security issues.

Event logging settings shall be defined and implemented as defined in the Log
Management Procedure in accordance with the service criticality.

Event logs monitoring shall be conducted as defined in the Log Management
Procedure on a pre-defined timeframe in accordance with the service criticality.

Where possible, system administrators should not have permission to erase or
de-activate logs of their own activities. Real time copying of logs to a system
outside the control of the system administrator can be considered to safeguard logs.

Production systems and network devices shall be configured to include logs
whenever those systems possess logging capability. Information logged may
include the following when relevant:

o User session activity including user-IDs, log-in date/time and log-out
  date/time

o Failed su / sudo commands, successful su / sudo commands

o Device identity or location if possible and system identifier

o Records of successful and rejected system access attempts

o Records of successful and rejected data and other resource access
  attempts

o Changes to system configuration

o Changes to critical application system files

o Use of privileges

o Additions and changes to the privileges of users

o Use of system utilities and applications

o Files accessed and the kind of access

o File permission changes

o System start-ups and shut-downs

o Configuration previous and new values (e.g., for Windows 2008)

o Windows / Active Directory policy changes

o Source and destination network IP addresses, ports and protocols

o Alarms raised by the access control system

o Activation and de-activation of protection systems, such as anti-malware
  systems and intrusion detection systems

o Disabling / deletion of audit logs

o Records of transactions executed by users in applications

Systems and database management systems (DBMS) that process, transmit or
store confidential or critical information may be configured to log all significant
security events, including:

o Use of systems outside normal hours

o Authentication using multiple IDs from single IP addresses

o Select queries on confidential tables resulting in statistically large returned
  datasets

o Multiple concurrent authentications

4.8.4.2. Protection of Log Information

Logging facilities and log information shall be protected against tampering and
unauthorized access. Access controls shall be implemented with the aim to
protect against unauthorized changes to log information and operational problems
with the logging facility, including:

o Alterations to the message types that are recorded

o Log files being edited or deleted

o Storage capacity of the log file media being exceeded, resulting in either
  the failure to record events or over-writing of past recorded events in
  alignment with data retention requirements

Audit logs shall be retained in accordance with PMCL record retention policies and
relevant local laws and regulations. Audit logs may be required to be archived and
digitally signed based on record retention policies or because of requirements to
collect and retain evidence.

4.8.4.3. Administrator and Operator Logs

Administrators' activities shall be comprehensively logged and reviewed as
defined in the Log Management Procedure.

Third parties' and contractors' administrative activities shall be monitored
continually and reported regularly.

4.8.4.4. Clock Synchronization

Clocks of all relevant information processing systems shall be synchronized with
an agreed reference (such as Coordinated Universal Time, UTC) using the
appropriate tools (such as a Network Time Protocol server).

4.8.5. Control of Operational Software


4.8.5.1. Installation of Software on Operational Systems

Installation of software on operational systems shall be based on business
requirements in accordance with the Change and Release Management
Procedure.

Whenever possible, back-out procedures as part of change control shall be in
place before changes are implemented to systems and software to allow data
processing activities to quickly and expediently revert to the prior version of the
software, when necessary, so business activities are not interrupted.

Vendor supplied software used in operational systems shall be maintained at a
level supported by the supplier.

Physical or logical access to operational systems shall only be given to suppliers
for support purposes when necessary and with management approval. The
supplier's activities should be monitored.

A secure and controlled operating system image, which is a hardened version of
the operating system platform used for all new systems deployed, shall be
maintained based on documented security standards. All deviations or exceptions
from the standard images should be formally approved.

Production systems shall be hardened based on appropriate security standards
and configurations and only have the services and components required for the
system's business function; all others are removed or turned off. Critical services,
such as DNS, file, mail, web, and database servers, should be operated on
separate and dedicated physical or logical systems.

Records should be documented and a formal review of software installed on
machines should be performed at least annually.

4.8.6. Technical Vulnerability Management


4.8.6.1. Management of Technical Vulnerabilities

Information about technical vulnerabilities of information systems being used
shall be obtained in a timely fashion, PMCL's exposure to such vulnerabilities
evaluated and appropriate measures taken to address the associated risk. This
should include:

o Documented information resources that have been used to identify
  technical vulnerabilities for software and other technology in the asset
  inventory

o Timelines to react to notifications of potential technical vulnerabilities
  based on severity

Information systems (e.g., Systems, User Computers, and Network
Infrastructure) shall be regularly inspected, using automated tools to identify and
document known vulnerabilities. Other asset vulnerabilities should be manually
identified and documented.

The risks associated with technical vulnerabilities (based on threats,
vulnerabilities, likelihood and impact) shall be identified and actions taken (e.g.,
patching or applying other controls) in accordance with either change
management or incident response procedures and within specified timeframes.
Vulnerabilities should be either mitigated or documented as acceptable risk. Audit
logs should be kept for all procedures undertaken.

The IT operations team shall ensure that a process is developed and implemented to
distribute software patches and updates in response to identified security
vulnerabilities within specified timeframes. This process should provide for timely
testing of patches and updates to susceptible computers and applications within
PMCL after successful testing of such patches prior to the installation of software
patch / update. The process shall include steps for the situation where a vulnerability
has been identified but there is no suitable countermeasure, including but not
limited to:

o Turning off services or capabilities related to the vulnerability

o Removing or replacing the device

o Adapting or adding access controls, e.g. firewalls, at network borders

o Increased monitoring to detect actual attacks

o Raising awareness of the vulnerability

The technical vulnerability management process shall be aligned with incident
management activities, to communicate data on vulnerabilities to the incident
response function and provide technical procedures to be carried out should an
incident occur.

4.8.6.2. Restrictions on Software Installation

End users using corporate devices shall have limited privileges to restrict them
from installing software or utility programs.

Installation of software not approved and documented in the Authorized
Software List shall not be allowed.

4.8.7. Information Systems Audit Considerations


4.8.7.1. Information Systems Audit Controls

Audit requirements and activities involving verification of operational systems
should be carefully planned and agreed with the relevant operations team to
minimise disruptions to business processes.

Audit controls shall be defined and implemented in accordance with the service
criticality.

Prior to enabling audit controls, a detailed analysis of the impact on the business
operation or system performance shall be conducted and adequate measures
shall be implemented.


4.9. Communications Security


The purpose of this Policy is to establish the necessary requirements to enable secure
flow of PMCL information inside and outside the PMCL network and its supporting
information processing facilities.

4.9.1. Network Security Management


4.9.1.1. Network Controls

Networks shall be managed and controlled to protect information in systems and
applications.

Responsibilities and operational procedures for the management of networking
equipment shall be established with operational responsibility for networks
separated from computer operations where appropriate.

Special controls should be established to safeguard the confidentiality and
integrity of data passing over public networks or over wireless networks and to
protect the connected systems and applications. The following should be considered:

o Approved encryption and authentication standards should be implemented
  for internal wireless networks when accessing PMCL systems / applications

o PMCL, if allowing remote access to its systems or information based on
  business need, should implement a standardized, centrally managed
  remote access solution; all remote access should be authorized using
  formal procedures including:

    o PMCL issued devices should connect to the corporate network using
      only secure methods such as Virtual Private Network (VPN) or
      equivalent, Outlook Web Access (OWA), secure web application
      access, or PMCL provisioned non-persistent virtual desktop
      environment

    o Non-PMCL issued devices should be restricted to Outlook Web
      Access (OWA), secure web application access, or PMCL provisioned
      non-persistent virtual desktop environment that prevents
      processing and storage of information on privately owned
      equipment

Appropriate logging and monitoring should be applied to all key systems, inbound
/ outbound traffic, and intranet / WAN boundaries to enable recording and
detection of actions that may affect, or are relevant to, information security. This
should include:
Intranet and public Internet servers should be configured to detect
unauthorized access attempts

Intrusion detection systems at the network and host level should be
implemented to monitor PMCL systems, computers, applications, firewalls,
and networks

IPS should be used to complement IDS where automation is required for
timely blocking of unauthorized traffic

Logging and monitoring data should be correlated (preferably through
SIEM solution) to detect abnormal activity and support analysis of unusual
events

Network Infrastructure devices should be hardened based on best practice
security standards and configurations such as those suggested by CIS, NIST etc.
Deviations from the standard configuration or updates to the standard
configuration should be documented and approved in a change control system.
The latest stable version of any security-related update to networking devices
should be installed within specified timeframes of the update being released.

4.9.1.2. Security of Network Services

Security controls over the network providers shall be defined and incorporated
into the relevant agreement. These controls shall cover but not be limited to:
service levels, security features and the right to audit.

The ability of the network service provider to manage agreed services in a secure
way should be determined and regularly monitored, and the right to audit should
be agreed.

The security arrangements necessary for particular services, such as security
features, service levels and management requirements, should be identified.
PMCL should ensure that network service providers implement these measures.

4.9.1.3. Segregation in Networks

PMCL's public Internet servers shall be separated from internal PMCL networks
and intranet servers. In addition, routers and firewalls should be implemented to
restrict traffic from public servers to internal PMCL networks. At a minimum,
firewalls should be deployed at all access points to non-PMCL networks.

Internal networks shall be logically or physically segregated based on groups of
information services, users and systems where appropriate. Systems that are
considered high-risk should be adequately segregated to the extent possible from
other parts of the network (e.g. separate VLAN, firewalled segment,
virtualization, air-gapped).

Network infrastructure shall be managed across network connections that are
separated from the business use of that network and limited to administrative
users (e.g., separate management VLANs or physical connectivity for
management sessions for network devices).

Information Transfer Policy


4.9.2.1. Agreements on Information Transfer and its Policies and Procedures

Information transfer refers to all forms of communications and information
exchange including voice conversations in person or by telephone, video and
email communications, Instant Messaging etc.

Agreements between PMCL and external parties on exchange / transfer of
information shall address the secure transfer (e.g. by the use of VPN) of business
information.

Exchanged information must be suitably protected from interception, copying,
modification, mis-routing and destruction according to the classification level and
risk of compromise.

Suitable security controls (such as egress filtering on firewalls) must be
implemented to minimize the risk of transmission of malicious code.

4.9.2.2. Electronic Messaging

Electronic communication facilities must be used in accordance with acceptable
usage policies.

PMCL employees and contractors must not compromise or disadvantage the
company or bypass other controls through particular types of communication, for
example by email defamation, harassment, impersonation, forwarding of chain
letters, making unauthorized purchases or contractual agreements etc.

Personal email address shall be used to register on social networks, blogs or
other online tools utilized for personal use. Company specific social media profiles
shall not be created by users without prior authorization.

Content involving PMCL users, customers, business partners or any other subjects
related to PMCL shall not be published on social media unless authorized by the
PMCL Corporate Communications team.

Users shall publish content on social media only on their own behalf and shall
refrain from speaking on behalf of PMCL without prior authorization.

Personal social media use shall not interfere with normal business activities,
involve solicitations, be associated with any for-profit outside business activity or
potentially embarrass the company and damage its reputation or image.

PMCL reserves the right to monitor how PMCL owned information assets,
including computers, laptops and networking equipment are used and users shall
be mindful that any web browsing they do on PMCL's premises may be
monitored.

Guests shall be allowed PMCL Guest Wireless Access only after approval by PMCL
ISG team.

Access to PMCL wireless service shall be restricted to PMCL staff and authorised
users.

The installation of personal wireless networking equipment or rogue wireless
access points in PMCL owned or leased spaces shall not be allowed.

PMCL users shall not be allowed to set up any form of proxy service or similar
arrangements to enable more than one computer to access the network via a
wireless connection.

4.9.2.3. Confidentiality or Non-Disclosure Agreements

Confidentiality and non-disclosure agreements shall be signed by all parties
involved in transmission of PMCL information.

4.10. System Acquisition, Development and Maintenance

The purpose of this Policy is to ensure that information security is embedded in the
information system acquisition, development and maintenance lifecycle.

4.10.1. Security Requirements of Information Systems


4.10.1.1. Information Security Requirements Analysis and Specification

Information security requirements shall be identified and outlined during the
request for proposal and in the design phase or other related phases of a new
information system. While defining the requirements, the following factors should be
considered:

An understanding of how the application will be used (use cases) and how
it might be misused and/or attacked (anti-use cases)

The data and services that the application will access or provide, and what
level of protection is appropriate given the acceptance of risk, applicable
regulations, and any reputational impacts should the application be
exploited

The architecture of the application and possible attack vectors

Compensating controls and their cost and effectiveness

Compliance requirements from security policies, laws, and regulations

Previous incidents

Where applicable, information security requirements should address the
following:

Authentication: defining the authentication requirements e.g., UserID
and password, Two-factor authentication, Single Sign-On

Authorization: defining access provisioning and authorization processes,
for business users as well as for privileged or technical users

Roles & responsibilities / segregation of duties: defining and informing users
and administrators / operators of their duties and responsibilities and
ensuring segregation of duties is taken into account

Confidentiality, Integrity, Availability: defining information protection
needs of the assets e.g., encryption, nonrepudiation requirements,
message authentication codes, digital signatures, and backup and recovery,
redundancy

Audit logging and monitoring: defining access control mechanism for
audit logging and monitoring e.g., interfaces to logging and monitoring, as
well as defining transaction logging and monitoring mechanism,
nonrepudiation requirements, etc.

Data leakage: defining requirements related to data leakage detection
and protection

In the event of inability to incorporate the security requirements, the new or
enhanced information system shall be deployed on an isolated domain.

Acquisition of any IT service, application, solution or product shall require
information security due diligence and the approval of PMCL ISG team.

4.10.1.2. Securing Application Services on Public Networks

PMCL information passing over public networks or third party domains shall be
protected formally by an agreement between PMCL and external authorized
signatories to ensure that information in use and at rest is protected in
accordance with PMCL's information security requirements.

4.10.1.3. Protecting Application Services Transactions

Information involved in application service transactions should be protected to
prevent incomplete transmission, misrouting, unauthorized message alteration,
unauthorized access or disclosure, unauthorized message duplication or replay.

4.10.2. Security in Development and Support Processes


4.10.2.1. Security Development Policy

Rules for the development and maintenance of software and systems shall be
established and applied to developments within PMCL (e.g., explicit error
checking, input validation, and prohibiting hard-coding or otherwise incorporating
passwords or User IDs into software developed by or modified by PMCL
Employees) according to the Application Security Framework.

Secure development controls shall be designed to protect the development
lifecycle of a new service, according to the Application Security Framework.

4.10.2.2. System Change Control Procedures

Changes to systems within the development lifecycle shall be controlled according
to the Change and Release Management Procedure.

4.10.2.3. Technical Review of Applications after Operating Platform Changes

Technical security assessment of the applications shall be undertaken whenever
operating platforms are changed. The applications shall be tested prior to
implementation to ensure that there is no adverse impact on security.

4.10.2.4. Restrictions on Changes to Software Packages

Modifications to software packages (commercial off-the-shelf software) shall be
justified, and strictly limited. The vendor-supplied software packages shall
preferably be used without modification as much as possible.

4.10.2.5. Secure system engineering principles

Secure information system engineering procedures based on security engineering
principles shall be documented, approved and applied to development activities
according to the Application Security Framework.

4.10.2.6. Secure Development Environment

PMCL shall appropriately protect secure development environments for system
development and integration efforts that cover the entire system development
lifecycle. The following should be ensured:

Access to PMCL's development, test, and production environments should
be controlled

Access, updates, and duplication of source code, executable code, and
system files for each environment should be controlled

Development, test, and production source code and files should be stored
in separate locations

4.10.2.7. Outsourced Development

Outsourced system development activities shall be supervised and monitored to
ensure the following:

Licensing arrangements, code ownership and intellectual property rights

Contractual requirements for secure design, coding and testing practices

Acceptance testing for the quality and accuracy of the deliverables

Evidence that:

Acceptable security thresholds were used to establish minimum
acceptable levels of security and privacy quality

Sufficient testing has been applied to guard against the absence of
both intentional and unintentional malicious content upon delivery,
as well as the presence of known vulnerabilities

4.10.2.8. System Security Testing

Testing of security functionality / controls shall be conducted throughout the
systems development lifecycle. A formal plan for security testing should be
established for all the application systems in the development phase.

4.10.2.9. System Acceptance Testing

Acceptance testing programs and related criteria shall be established for new
information systems, upgrades and new versions. Criteria for accepting
applications should be defined to provide a level of assurance that the identified
security requirements are met. Specific techniques that should be used depending
on risk include:

static code analysis

penetration testing

black box testing

third-party code reviews

Custom-developed or packaged software should not be implemented before
adequate security testing has been performed and results accepted by PMCL
personnel responsible for security or an authorized Third-Party security service
provider.

4.10.3. Test Data


4.10.2.9. Protection of Test Data

Test data should be selected carefully, protected and controlled. Production data
used for software testing should be sanitized and de-identified, including
removing or altering all Confidential and private information unless a written
exception is first obtained from the asset owner and ISG team. The following
guidelines should be applied if production data is allowed, based on a valid
exception, for testing:

Access control procedures for the production environment should also
apply to test application systems

Separate authorization is required each time production information is
copied to a test environment

Production information should be erased from a test environment
immediately after the testing is complete

The copying and use of production information should be logged

The following ways should be considered to sanitize and de-identify production data
used for testing purposes:

Scrambling data to ensure it is not authentic, yet meets any input
validation requirements

Randomizing numeric values to protect any personally identifiable
numbers

Encrypting or masking sensitive data fields during software testing
activities

4.11. Supplier Relationships

The purpose of this Policy is to protect PMCL's information assets accessible by third
parties.

4.11.1. Information Security in Supplier Relationships


4.11.1.1. Information Security Policy for Supplier Relationships

PMCL software, documentation, computers, or internal PMCL information assets
should not be installed, sold, or transferred, communicated, processed, and/or
stored on any Third Party, or Third Party provisioned infrastructure; unless it is
for a business purpose, the information security risks have been assessed for the
intended use, and it has been approved by appropriate PMCL leadership (or their
designees) prior to commencement of services. In addition, all installations or
transfers should be in compliance with applicable software license agreements.

Third Parties shall be required to secure their systems at a level consistent with
PMCL security requirements prior to connecting a Third Party System or network
to PMCL systems or networks. Also, PMCL shall reserve the right to immediately
terminate network connections with all Third Party Systems if PMCL believes the
Third Party is not meeting such requirements or if the Third Party systems
present a risk to PMCL Systems.

Third Parties shall be granted access to PMCL computers, Systems, and
information only after they have signed a confidentiality agreement or have a
company-wide confidentiality agreement in place. All service personnel
performing work on PMCL Systems, such as hardware repair, software upgrade,
and maintenance vendors, should either have a company-wide confidentiality
agreement in place or sign a confidentiality agreement prior to starting work.

4.11.1.2. Addressing Security within Supplier Agreements

Third party related information security risks shall be identified and documented.
Subsequently, security mandates to address these risks shall be identified and
incorporated in the relevant agreement to ensure that there is no
misunderstanding between PMCL and the supplier regarding both parties'
obligations to fulfil relevant information security requirements.

PMCL should consider incorporating the following terms, where appropriate, for
inclusion in the agreements in order to satisfy the identified information security
requirements:

description of the information to be provided or accessed and methods of
providing or accessing the information

classification of information according to PMCL's classification scheme; if
necessary also mapping between PMCL's own classification scheme and
the classification scheme of the supplier

legal and regulatory requirements, including data protection, intellectual
property rights and copyright, and a description of how it will be ensured
that they are met

obligation of each contractual party to implement an agreed set of controls
including access control, performance review, monitoring, reporting and
auditing

rules of acceptable use of information, including unacceptable use if
necessary

information security policies relevant to the specific contract

incident management requirements and procedures (especially notification
and collaboration during incident remediation)

training and awareness requirements for specific procedures and
information security requirements, e.g. for incident response,
authorization procedures

relevant regulations for sub-contracting, including the controls that need
to be implemented

screening requirements, if any, for supplier's personnel including
responsibilities for conducting the screening and notification procedures if
screening has not been completed or if the results give cause for doubt or
concern

right to audit the supplier processes and controls related to the agreement

defect resolution and conflict resolution processes

supplier's obligation to periodically deliver an independent report on the
effectiveness of controls and agreement on timely correction of relevant
issues raised in the report

supplier's obligations to comply with PMCL's security requirements

Note: Any contractual obligations with the external parties / service providers
must be routed through the ISG team. The ISG team will conduct a thorough
evaluation of the third-party / service provider's capabilities against a formal
Third Party Agreement Security Requirements Checklist in order to ensure their
adherence to PMCL's information security requirements.

4.11.1.3. Information and Communication Technology Supply Chain

Third party agreements shall clearly include the information security mandates
associated with information technology security risks in the whole Information
and Communication Technology services and product supply chain (e.g., product
or service acquisition and any Third Party supplier services that have been further
subcontracted to other Third Party suppliers).

4.11.2. Supplier Service Delivery Management


4.11.2.1. Monitoring and Review of Supplier Services

Services and products delivered by the third party shall be monitored and
evaluated to ensure they are delivered in accordance with the information
security mandates articulated in the agreement. Frequency of the monitoring
shall be appropriate to the contract duration and type of service, but should be
conducted on a periodic basis (at least once in a year). This should involve that a
service management relationship process between PMCL and the supplier is
defined to:

monitor service performance levels to verify adherence to the agreements

review service reports produced by the supplier and arrange regular
progress meetings as required by the agreements

conduct audits of suppliers, in conjunction with review of independent
auditor's reports, if available, and follow-up on issues identified

provide information about information security incidents and review this
information as required by the agreements and any supporting guidelines
and procedures

review supplier audit trails and records of information security events,
operational problems, failures, tracing of faults and disruptions related to
the service delivered

resolve and manage any identified problems

review information security aspects of the supplier's relationships with its
own suppliers

ensure that the supplier maintains sufficient service capability together
with workable plans designed to ensure that agreed service continuity
levels are maintained following major service failures or disaster

The responsibility for managing supplier relationships should be assigned to a
designated individual or service management team. In addition, PMCL should
ensure that suppliers assign responsibilities for reviewing compliance and
enforcing the requirements of the agreements.

Third party agreements shall only be awarded if its information security
capabilities are compliant with PMCL's requirements. The agreement with a third
party supplier shall be terminated if there are repeated violations of agreed
information security mandates.

4.11.2.2. Managing Changes to Supplier Services

PMCL shall ensure that changes to the provision of services or technology
products provided by Third Party suppliers that impact agreed upon information
security requirements, are re-assessed for risks and managed accordingly. The
following aspects should be taken into consideration:

Changes to supplier agreements.

Changes by PMCL to implement:

New services or service enhancements

Development of new applications and systems

Modifications or updates of PMCL's policies and procedures

New or changed controls to resolve information security incidents
and to improve security

Changes by the supplier to their services to implement:

Changes and enhancement to networks

4.12. Information Security Incident Management

The purpose of this Policy is to ensure information security events and weaknesses
associated with information systems are managed in a timely manner.

4.12.1. Management of Information Security Incidents and Improvements


4.12.1.1. Responsibilities and Procedures

The Information security incidents shall be managed according to the
Information Security Incident Management Procedure.

4.12.1.2. Reporting Information Security Events

Information security events shall be reported through appropriate management
channels to the PMCL ISG team as quickly as possible. All users should be made
aware of their responsibilities, procedures and points of contact (POCs) to report
information security events as quickly as possible. Obligations of Employees
should include the following:

Change passwords whenever there is any indication of a possible password
compromise, and notify PMCL ISG team of any suspected password
compromise

Report unlicensed software, copyright violations, or other improperly
licensed material installed or in use on PMCL hardware to ESS

Report security incidents (e.g., unauthorized access to a System, loss or
theft of a User Computer) or suspected security issues to PMCL ISG team.

4.12.1.3. Reporting Information Security Weaknesses

Employees and Third Parties using PMCL's information systems and services
during their normal course of business use (e.g., excluding technical security
testing) shall be required to note and report any observed or suspected
information security weaknesses in systems or services as quickly as possible to
facilitate a timely response process to either PMCL ISG Team. Users should not
try to prove or test an observed or suspected security weakness.

Reporting channels, layers and escalation mechanisms (including the notification
to regulatory body authority, if needed) shall be defined and implemented
according to the Information Security Incident Management Procedure.

4.12.1.4. Assessment of and Decision on Information Security Events

Information security events shall be classified and investigated according to the
Information Security Incident Management Procedure.

4.12.1.5. Response to Information Security Incidents

The response to information security incidents shall only be done according to the
Information Security Incident Management Procedure.

4.12.1.6. Learning from Information Security Incidents

The incident management report, an outcome of the Information Security Incident
Management Procedure, shall produce lessons learnt and corrective actions to
minimize the impact of future incidents, should they occur.

4.12.1.7. Collection of Evidence

Evidence collection shall be done according to the Information Security Incident
Management Procedure to enable effective information security incident
investigation and forensics activities.

4.13. Information Security Aspects of Business Continuity Management

The purpose of this Policy is to define the organizational direction regarding embedding
information security continuity within PMCL's business continuity management
system.

4.13.1. Information Security Continuity


4.13.1.1. Planning Information Security Continuity

PMCL should determine their requirements for information security and the
continuity of information security management in adverse situations, e.g. during
a crisis or disaster.

In the absence of formal business continuity and disaster recovery planning,
information security management should assume that information security
requirements shall remain the same in adverse situations, compared to normal
operational conditions.

Information security continuity shall be defined, documented and approved within
PMCL's Business Continuity Framework.

4.13.1.2. Implementing Information Security Continuity

Implementation of the information security continuity shall be documented and
maintained within PMCL's Business Continuity Framework.

4.13.1.3. Verify, Review and Evaluate Information Security Continuity

Information security continuity capabilities shall be periodically tested according
to PMCL's Business Continuity Framework.

Established and implemented information security continuity controls shall be
verified during continuity testing in order to ensure that they are valid and
effective during adverse situations.

4.13.2. Redundancies


4.13.2.1. Availability of Information Processing Facilities

Information processing facilities shall be sufficient to meet availability
requirements and implemented with redundancy sufficient to meet business
availability requirements, as identified in PMCL's Business Continuity Framework.

Asset owners shall identify business requirements for the availability of
information systems and implement redundancy sufficient to meet availability
requirements.

Where applicable, redundant information systems should be tested to ensure the
failover from one component to another component works as intended.

4.14. Compliance

The purpose of this Policy is to define the organizational direction to ensure compliance
with Information Security Management System requirements in order to avoid breaches
of legal, statutory, regulatory or contractual obligations related to information security.

4.14.1. Compliance with Legal and Contractual Requirements


4.14.1.1. Identification of Applicable Legislation and Contractual Requirements

All lawful requirements/obligations relating to Information Security may be
identified and executed from time to time.

4.14.1.2. Intellectual Property Rights

No PMCL user shall violate Intellectual Property rights.

Information stored on PMCL Assets shall remain the property of PMCL and all
PMCL users are bound by the information security policies.

If a work is copyrighted, explicit written permission to reproduce the work shall
be taken from the copyright holder. Copyrighted works include but are not limited to:
text (e.g. articles), images (e.g. photographs), graphics (e.g. logos), sound
recordings (e.g. MP3), video recordings (e.g. movies) or software programs.
Materials which are not considered copyrighted include: ideas, facts,
processes, methods, systems, government works and works in the public domain.

PMCL users & service providers shall report all the instances of actual or
suspected copyright infringement to PMCL ISG team.

The Legal Department in PMCL shall respond to all appropriate notices of
copyright infringement and violations. Software on systems shall be installed or
renewed only if a valid proof of license is available.

Proof and evidence of ownership of software licenses for all PMCL software shall
be maintained.

Reviews to ensure that only authorized software and licensed products are
installed shall be carried out on a periodic basis.

PMCL should implement a system (such as 'Microsoft Software Inventory Analyzer
(MSIA)' or 'Microsoft Software Asset Management downloadable documents and
templates') to track software licensing on an on-going basis, so that license
compliance information can be provided on short notice should it be required.
PMCL should assign an individual or team within the company to track software
purchases, upgrades, and installations on new computers. This individual should
be responsible for managing all Third Party software license agreements as well
as reconciling any global licensing report required by VimpelCom.

4.14.1.3. Protection of Records

Records should be maintained in accordance with the law. PMCL should also
consider implementing Data Leakage Prevention (DLP) or Digital Archiving
Solution (DAS) for protection of sensitive records.

4.14.1.4. Privacy and Protection of Personally Identifiable Information

Data privacy and protection of personally identifiable information controls shall be
implemented in accordance with the PMCL Data Protection Policy.

4.14.1.5. Regulation of Cryptographic Controls

Cryptographic controls shall be implemented as per Cryptography Standard.

4.14.2. Information security reviews


4.14.2.1. Independent Review of Information Security

Independent reviews of information security posture of selected ISMS areas
should be initiated by PMCL management at planned intervals based on need or
at least annually to help ensure the continuing suitability, adequacy and
effectiveness of PMCL's approach to managing information security.

Reviews should be conducted by individuals independent of the area under review


(e.g. the Technology Compliance manager, internal audit or an external Third
Party organization) and who have the appropriate skills and experience in
security. The results should be documented and reported to the management
who initiated the review. These records should be maintained.

Any deficiencies or gaps found in the approach and implementation to managing


information security should be addressed through corrective actions.

4.14.2.2. Compliance with Security Policy and Standards

The PMCL Technology Compliance officer shall be responsible for monitoring the
compliance against the information security policy, manual, procedures, and
related documentation.

PMCL Management should regularly review the compliance of information
processing and procedures within their area of responsibility with the appropriate
security policies, standards and any other security requirements. If any
non-compliance is found as a result of the review, managers should identify the root
cause and develop action plans, where required, to implement appropriate
corrective action. The use of automatic measurement and reporting tools (e.g.,
Qualys, McAfee ePO) should be considered for efficient regular review. For any
areas of non-compliance found, managers should:

Identify the causes of the non-compliance.

Evaluate the need for actions to achieve compliance.

Implement appropriate corrective action.

Review the corrective action taken to verify its effectiveness and identify
any deficiencies or weaknesses.

Maintain a record of reviews completed and corrective actions carried out.

Information systems shall be periodically, at least annually, reviewed for
compliance with PMCL's information security policy, manual, procedures and
standards.

4.14.2.3. Technology Compliance Review

Detailed technical security assessments of information systems and networks
shall be regularly conducted to assess compliance with PMCL information security
policies and standards. This includes both technical compliance reviews of system
configurations as well as vulnerability and penetration testing.


Technical compliance should be based on automated tools and their technical
reports; manual reviews should only be performed by an experienced system
engineer.

Penetration tests or vulnerability assessments should be well planned,
documented and repeatable.

Technical compliance review should only be carried out by competent, authorized
persons or under the supervision of such persons.

Any intentional deviations from technical standards should be documented and
approved and any temporary exception should be undone when no longer
supported by a business need.

5. Appendices
Appendix 1: Portable Device / Bring Your Own Device Standard
Device Control

Users of mobile / personal devices need to agree to the terms and conditions
within the Acceptable Usage Policy. (BYOD related terms and conditions are
included within the Acceptable Usage Policy.)

Security policies, service configurations, and any required security applications
shall be updated and pushed out on the device automatically.

All user activities will be subject to monitoring if deemed necessary by PMCL.

Users shall not own any PMCL data stored or communicated on / from their
device.

PMCL shall have access to other information on the device including device
hardware details, operating system and other installed applications on the device.

PMCL corporate data pushed to the device shall be removed if and when deemed
necessary. Applications that are determined to be a security risk to the organization
shall be removed from the device.

PMCL shall not be responsible for the backup or recovery of data on any personal
device. The responsibility for any personal data stored on the personal device
remains with the device owner.

Support

PMCL shall use a best effort support model for all devices providing reasonable
remote assistance to PMCL staff through the following:

o Troubleshooting for wireless connectivity; and
o Configuration and login to the corporate email.

Unless expressly communicated otherwise, the devices with the following
specifications are allowed to be used under this standard:

o Smartphones
  - iPhone (iOS 6.0 and above);
  - Android (4.0 and above);
  - Blackberry (7.0 and above); and
  - Windows phones (8.0 and above).
o Tablets
  - iPad (iOS 6.0 and above);
  - Android (4.0 and above); and
  - Windows Tablets (8.0 and above).

Security

A device password / PIN and timeout setting shall be established and
automatically pushed out on all mobile / personal devices accessing PMCL data or
email.

Physical security of the personal device shall be the responsibility of the device
owner.

The device owner shall immediately report the loss, theft or damage of the device to the ESS
(Ph: 4848, Email: IT-CSREGIONALTEAM@mobilink.net.pk) and where appropriate, to the
police. If deemed necessary and if it contains sensitive PMCL information, the user's device
may be remotely wiped.

If the personal device is subsequently found, the device owner must immediately
notify those parties originally advised of the loss or theft.

Emergency destruction / locking plan / remote wipe shall be performed for lost /
stolen devices if devices contained PMCL confidential / sensitive information.

Personal devices, if deemed to be a security risk, shall be prevented from
accessing PMCL information.

Recording from personal devices shall not be allowed into high risk areas,
including but not limited to, data centres, sites of Mobile Switching Centres (MSC)
etc., without prior approval of onsite physical security team.

Information classified as Secret or Restricted (refer Information Asset Security
Classification Standard for details) should not be stored on personal devices e.g.
sensitive staff matters, budget papers. Appropriate encryption mechanisms
should be implemented to safeguard such information, if stored.

Device owners and ESS shall ensure that all PMCL data is permanently removed
from devices prior to leaving the organisation.

Device owners should ensure that devices are updated regularly and should
update applications and operating systems to the latest approved updates and
security patches.

Device owners must agree to be responsible for the use of the device, and to not
allow others to use it without direct supervision.

Jail broken iOS or rooted Android Devices shall not be permitted to connect to
PMCL network or services.

Suitable antivirus software must be installed and running on the device.

While PMCL will take every precaution to prevent the employee's personal data
from being lost, as a caution against any such unfortunate event it is the
employee's responsibility to take additional precautions, such as backing up
personal data. Device owners shall use only PMCL facilities to back up official data
and not any external service provided by a third party.

PMCL shall reserve the right to perform remote wipe of PMCL data in case of theft
or loss, when access is no longer authorized, the user changes roles, or is no
longer employed, where deemed necessary.


At a very minimum, the following security policies should be applied to all
devices:

o Device inactivity lock: 10 minutes or less
o Security Passcode: 4 characters or more
o Device wipe after: 8 failed security passcode attempts or less

PMCL reserves right to disconnect devices or disable services without notification.

The device owner shall be personally liable for all costs associated with his or her
device.

The device owner shall be required to use his or her devices in an ethical manner
at all times and adhere to PMCL's Acceptable Usage Policy.


Appendix 2: Acceptable Usage Policies


The purpose of these policies is to outline the acceptable use of information systems and
services provided by PMCL to its users.

PMCL users must acknowledge and sign these Acceptable Usage Policies before gaining
access to PMCL information systems and / or services.

Information Systems and Services Usage

Users shall take due care to protect PMCL's information systems and resources
from unauthorized access, tampering and / or accidental damage.

PMCL's information systems including desktops, laptops, mobile devices, printers,
fax machines, photocopiers, as well as networks, servers and applications shall be
provided for business purposes only, to assist users in carrying out their official
duties.

Each user of PMCL shall be allocated a limited server usage space for their
business related data. The data / information contained within such user folders
are under the custody of the respective users. However, users shall not store
unauthorized content in such folders.

Information created on PMCL information systems shall remain the property of
PMCL.

Responsibility for backing up the data on users' local desktop computers or
laptops solely rests with the individual users. Users are strongly encouraged to
save their critical data to the appropriate servers so that this data can be backed
up regularly, in accordance with the PMCL backup policy, procedure and
schedules.

If PMCL-owned computer equipment is damaged, lost or stolen, the respective
user shall be responsible for immediately notifying their manager and the ESS.

Users shall not use PMCL systems or networks to access unauthorized systems,
networks and / or services.

Users shall not install any software or applications which are not included within the
PMCL Authorized Software List, onto desktops or laptops given by PMCL for
business purposes. Users are referred to Appendix 2 of this policy for a list of
software approved for use on PMCL information systems. This list will be updated
on a regular basis and forwarded to the individual users via e-mails.

Users with administrative rights shall not disable or by-pass any controls, such as
anti-virus software, proxy servers and / or firewalls, implemented to protect PMCL
network and / or information assets. Such by-pass shall be considered as an
information security violation and may lead to disciplinary actions according to HR
policies and procedures.

Users shall log on to information systems by providing a valid username and
password. At the end of the working session, users shall log off the information
system. If a system is left unattended, it should be locked to prevent
unauthorized access and use.

Personal devices accessing PMCL resources shall be password protected with a
strong password or PIN and shall lock themselves automatically in idle state.

For security, administration, and compliance purposes, authorized individuals
within PMCL may monitor information systems, system usage logs and the data
stored on those systems at any time.


Information Usage

Users shall not disclose, communicate or discuss in public any of PMCL
information. Users shall not post any PMCL related sensitive or confidential
information on public accessible Internet sites, such as social networks, mailing
lists or public news groups, without obtaining appropriate authorized approval.

Users shall use, handle and treat all information in accordance with the
information asset management procedure.

Users shall be responsible for the security of any corporate information stored on
portable media in their possession. Protection of such portable media shall be
done according to the PMCL Information Security Policy. Users shall report the
loss of such portable media (containing corporate data) immediately to the ESS.

Users shall not transmit sensitive or confidential information, over the network,
without adequate protection controls (encryption, strong passwords etc.). If a
user needs assistance in communicating sensitive or confidential information, he
or she should contact the ESS.

Users shall obtain appropriate intellectual property rights / copyright or
contractual clearances before using any proprietary material. Using or providing
PMCL developed software, innovative ideas, designs or repositories (software or
otherwise) outside PMCL environment is prohibited.

Users need to appropriately protect any information asset classified as
Internal Use or higher when it is not required.

Users shall remove from the desk any documents classified as Internal Use or
higher and lock them in a drawer or file cabinet when the workstation is
unattended. Keys used to access these documents shall not be left at an
unattended work area.

E-mail Usage

Users allowed to access their email account from their personal devices shall
comply with the Portable Devices and Bring Your Own Device Policy included in
PMCL Information Security Policies Manual.

PMCL employees are encouraged to use email to further the goals and objectives
of PMCL as well as for fulfilling business and role-oriented tasks. PMCL employees
are therefore expected to check their email in a consistent and timely manner so
that they are aware of important company announcements and updates.

Email users are responsible for mailbox management, including organization and
cleaning.

Users shall not use PMCL provided email facilities to distribute material that
typically qualifies as unsolicited email, chain emails or scamming.

Use of personal and/or external email services for business messaging is
prohibited.

Users are not permitted to use any other user's email account without his/her
approval.

Emails containing confidential or sensitive content must be protected in-line with
the related Information Asset Management Procedure, in electronic form, when
printed onto paper or saved onto another media.

Users shall not open, execute or store emails and/or attachments received from
unknown or un-trusted sources as they may contain viruses, email bombs,
malicious codes etc. Users shall report the presence of such emails or
attachments to the ESS.

Users shall not provide their PMCL email address to mailing lists, blogs or forums,
or use it to subscribe to internet sites that are not related to PMCL, unless required for
business purposes.

Users shall add the organization's standard email signature templates in all e-mail
communications.

The contents of an individual's email inbox/outbox shall not be stored by the
individual after the term of their employment has ceased and shall be stored by
PMCL as per the retention policy.

Portals Usage

Portals access may be granted to third party non-employees on a case-by-case
basis with appropriate approval by the ISG team. Such access shall always be
based on their need-to-access and the least-privileges required to perform their
duties.

The following uses of the PMCL portals are prohibited:

o To upload, download, or distribute pornographic or sexually explicit material
o Violate any applicable law or regulation
o To invade or abuse the privacy of others
o Violate copyright or use intellectual material without permission
o To use the portal for financial or commercial gain, and
o To degrade or disrupt PMCL networks and systems performance

Users shall not use the PMCL portal functionalities to deliberately propagate any
Virus, Worm, Trojan horse, or trap door program code.

Users are not permitted to use any other user's portal account.

Documents containing confidential or sensitive content must be protected in-line
with the Information Asset Management procedure, in electronic form, when
printed onto paper or saved onto another media.

Users shall not store documents received from unknown or un-trusted sources,
and shall report the presence of such documents to the ESS.

Portal access shall be terminated when the employee or third party terminates
their association with PMCL.

Internet Usage

Users must use PMCL Internet services appropriately, responsibly and ethically.

The Internet access shall not be used in a way that violates PMCL policies, rules
or administrative orders.

Users shall only use PMCL Internet services for business related activities. The
illegal or non-business use of such services is not permitted.

Users shall not use PMCL Internet services for viewing or downloading
inappropriate material (offensive, sexual images, jokes and comments, or any
other comments that are reasonably expected to offend someone based on their
physical or mental disability, age, religion, marital status, national origin).


Access to websites containing the following type of content is prohibited and shall
be blocked:

o Adult / sexually explicit material
o Advertisements & pop-ups
o Gambling
o Hacking
o Illegal drugs & pharmaceuticals
o Peer to Peer file sharing
o Spam
o Phishing and fraud
o Spyware, and
o Offensive content

The PMCL IT team shall block access to Internet websites and protocols that are
deemed inappropriate for PMCL's corporate environment. If a site is incorrectly
categorized, employees may request the site to be un-blocked by contacting the
ESS. Following the review of the request by the ISG team, the site may be unblocked if
it is deemed to be incorrectly categorized.

Users should not download any documents or images not related to PMCL
business.

Users with administrative rights shall not alter or attempt to alter their internet
access settings and/or configurations.

Users shall carefully read all security alerts presented by their Internet web
browser. If the user is unable to understand or is uncertain about the security
alerts, he/she should contact the ESS prior to proceeding with web browsing.

Remote Access

Any remote connection that is configured to access PMCL resources must adhere
to PMCL information security policies manual.

All remote computer equipment and devices used for business activity, whether
personal or PMCL-owned, must be compliant with PMCL Information Security
policy and related documentation.

It is the responsibility of all PMCL users with remote access privileges to ensure
that their remote access connection remains as secure as possible and not to
connect to other networks during business operations.

Password Usage

Users are reminded that they are personally responsible for all events that occur
under their logon accounts. Therefore, users are responsible for keeping their
passwords confidential.

No employee is to give, tell, share or hint at their password to another person,
including the IT staff, administrators, superiors, other co-workers, friends and
family members, under any circumstances. If someone demands your password,
refer them to this policy or have them contact the ESS.

It is advisable not to use the "remember password" feature of applications such as
Internet Explorer, email programs or any other program.

If possible, users should use different passwords to access different systems.

If an employee either knows or suspects that his/her password has been
compromised, it must be reported to the ESS and the password should be
changed immediately.

Users shall not store passwords on the computer screen or under the computer or
in any other accessible location.

Printer Usage

Printers should not be used to print personal documents.

Personal printers shall be considered in certain circumstances where
confidentiality, remote location or other unusual circumstances warrant it.

All printed copies shall be collected as soon as possible and shall be disposed of
immediately if no longer required. Any unattended printed copies will be disposed
of by facilities management.

Avoid printing email messages. Instead use the folders and archiving functionality
in the email application to organize and view messages.

Physical Security

Employees must use only their own card to access PMCL's premises. Sharing of
cards is not permitted.

Exit doors are provided for emergency use only. These shall not be used for
regular access.

Unacceptable Use

Users shall not use PMCL provided systems, services and facilities for illegal or
unlawful purposes, including, but not limited to copyright infringement, obscenity,
libel, slander, fraud, defamation, plagiarism, harassment, intimidation, forgery,
impersonation, illegal gambling, soliciting for illegal pyramid schemes, and
computer tampering (e.g. spreading computer viruses).

The following activities are strictly prohibited, with no exceptions:

o Using PMCL information systems to actively engage in procuring or
  transmitting material that shall be deemed as obscene, offensive to the
  state and/or co-employees
o Making fraudulent offers of products, items, or services originating from
  any PMCL account
o Bypassing the security systems implemented to protect information
  systems
o Providing PMCL's Internal, Restricted or Confidential information including
  personal information of PMCL Employees, its financial information,
  strategic plans etc. to parties outside PMCL for personal gain
o Using anonymous, faked or forged identities on information systems

Compliance and Monitoring


Systems and services used/provided by PMCL are the property of PMCL. This
gives PMCL the right to monitor all activities performed using these resources.

Users shall maintain continued compliance with all PMCL policies and related
documentation while using PMCL systems, facilities and/or services.

If PMCL discovers or has good reason to suspect activities that do not comply
with applicable laws or policy, activity logs or records may be retrieved and
used/presented as evidence for disciplinary action against the involved user.

Disclaimer

PMCL assumes no liability for direct and/or indirect damages arising from users'
use of PMCL systems and/or services.

Enforcement

Any identified violation of these policies shall lead to disciplinary actions in-line
with the PMCL HR disciplinary process.

Reporting Acceptable Usage Violations

Violation of information security policy, these policies or procedure by another
user, employee, contractor or third party service provider should be reported to
ISG team through the ESS at 4848 or IT-CSREGIONALTEAM@mobilink.net.pk.


Appendix 3: Authorized Software List


Note: This list might change from time to time.

The following is the authorized list of software on PMCL owned systems for which PMCL owns
a valid license.

If software in use within your Business unit does not appear here, please e-mail ESS
(IT-CSREGIONALTEAM@mobilink.net.pk) with the details. Software on PMCL computers has
to be PMCL owned, licensed (full, not shareware) and approved as a business or process
tool within your Business unit and tested by ESS and relevant authorized staff within
your business unit. Copies of proof of purchase and valid software licenses must be
submitted to ESS for record keeping.

The below list does not include hardware driver software i.e. printers, scanners,
CD-writers, modems, etc. because it is licensed and bundled with the device or part of the
Operating system.

| Name | Sub product | License agreement |
|---|---|---|
| Microsoft Office | All flavors | |
| Microsoft Windows | All flavors | |
| WinZip version 8 | | |
| Microsoft IE 10 or higher | | |
| Internet browser | | |
| McAfee Anti-virus software | | |

Special software, i.e. software not in general use by all Business units:

| Name | License Agreement |
|---|---|
| Adobe Acrobat reader v8 | |
| Exchange Server | |
| Microsoft Project | |

Appendix 4: Prohibited File Types and Programs


Note: This list might change from time to time.

The following electronic computer media are prohibited to download, e-mail, install
and/or store on PMCL systems:

| File extension or format | Exceptions | Type |
|---|---|---|
| .torrent | None | All Torrent Files |
| LOIC wildcard | None | LOIC Tool variation |
| emule.exe | None | P2P |
| morpheus.exe | None | P2P |
| iMesh.exe | None | P2P |
| napster.exe | None | P2P |
| bearshare.exe | None | P2P |
| limewire.exe | None | P2P |
| grokster.exe | None | P2P |
| bittorrent.exe | None | P2P |
| dokeyip.exe | None | P2P |
| kazaa.exe | None | P2P |
| utorrent.exe | None | P2P |
| bitcomet.exe | None | P2P |
| azureus.exe | None | P2P |
| bitlord.exe | None | P2P |
| ares.exe | None | P2P |
| dc++.exe | None | P2P |
| abc.exe | None | P2P |
| sahreaza.exe | None | P2P |
| pando.exe | None | P2P |
| tor.exe | None | Proxy |
| loic.exe | None | Hacking Tool |
| UltraSurf.exe | None | Proxy |
| TeamViewer.exe | None | Remote Access |
| Winamp.exe | None | Multimedia |
| Jpg or jpeg | PMCL or work related. | Graphics |
| Gif | PMCL or work related. | Graphics |

| File extension or format | Exceptions | Type |
|---|---|---|
| Bitmap (Bmp) | PMCL or work related. | Graphics |
| Adobe Acrobat PDF | PMCL or work related. | Graphics documentation |
| Http, Asp | PMCL or work related. | Web documents |
| Png | PMCL or work related. | Graphics |
| Mp3 or mpeg | Downloaded file size from Internet is less than 2MB, no sending via e-mail. | Sound, music and movie |
| Avi | PMCL or work related. | Sound and movie |
| Visual basic scripts | Downloaded file size from Internet is less than 2MB, no sending via e-mail. PMCL or work related. | Programming |
| Real player (RPM) | Specifically designed for PMCL or PMCL software. | Sound and movie |
| Any content or electronic file on a "Warez" software, pirated Internet site or sites that are specifically geared to store pirated electronic content. | PMCL or work related. | All |
| Games, licensed or not. | None | All |
| Screensavers, licensed or not. | None | All |
| Electronic greeting cards | PMCL designed or standard with Operating system. | Graphics and Sound |
| Mid | PMCL related, less than 1 MB, PMCL or work related. | Sound and music |
| Snd | Downloadable file size from Internet is less than 2MB, PMCL or work related. | Sound and music |
| Word (doc) | Downloadable file size from Internet is less than 2MB, PMCL or work related. | Word processing |
| Excel (xls) | PMCL or work related. | Spreadsheet |
| Zip (zip) | PMCL or work related. | Compression |
| Powerpoint (ppt) | PMCL or work related. | Presentation |
| Access (mdb) | PMCL or work related. | Database |

| File extension or format | Exceptions | Type |
|---|---|---|
| Text (txt, csv, asc) | PMCL or work related. | Text |
| Internet browsers | Microsoft IE7, Google Chrome, Mozilla Firefox | Web |
| Hacking software, documentations or tools | No execution of tools/software on the PMCL network. | All |
| Network/computer probing or sniffing software | IT Authorized specialists for official Internal security audit or network problem search. | All |
| Password cracking software or crack codes for licensed software | None | All |
| IRC chat or other chat client software, or software with chat functionalities | None | All |
| Remote control software | IT Authorized support staff for assisting in problem finding and remote configuration of systems | All |
| POP3 mail server of client software or personal e-mail software | As explicitly allowed in some offices with adequate PMCL-guided security | All |
| FTP server software | IT Internet/Intranet services to PMCL | FTP |
| FTP client software | Operating system built-in | FTP |
| Encryption software | None | All |
| Reverse engineering software | None | All |
| Leech file transfers or web site download software | None | All |
| Password information store software | None | All |
| Virus building software, documentation or tools | None | All |

Appendix 5: Password Parameter Settings


| Password Parameters | Settings |
|---|---|
| Minimum Password Length | 8 Characters |
| Password Complexity | Contain uppercase letters (A, B, C); contain lowercase letters (a, b, c); contain numerals (0, 1, 2); contain non-alphanumeric characters (#, &, !, %, @, ?, -, *); do not contain the User's ID, the User's first and/or last name, a close relative's name, or a famous person's name (for example, mahmad would not be used as a password for Muhammad Ahmad); do not include a single instance of a dictionary word. |
| Maximum age interval between changes | 60 days |
| Minimum age interval between changes (re-use) | 1 day |
| Minimum history | 23 remembered |
| Initial passwords | Set to expired requiring change at first login |
| Minimum Security Baseline for Active Directory | As per VimpelCom's Information Security Standard for servers |

Appendix 6: Secure Log-on Parameters


| Secure Log-on Parameters | Settings |
|---|---|
| Maximum account lockout | 6 consecutive failed login attempts |
| Minimum account lockout duration | 30 minutes |
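The Appendix 5 and Appendix 6 settings expressed as checks, as an added example that is not part of the PMCL manual. The sample word list, the substring matching used for names and dictionary words, the three-character minimum for identity tokens, and locking on the sixth consecutive failure are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Values taken from Appendix 5 and Appendix 6.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=60)
MIN_AGE = timedelta(days=1)
LOCKOUT_THRESHOLD = 6
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed sample word list (assumption); a deployment would load a full dictionary.
SAMPLE_WORDS = {"password", "welcome", "summer", "mobile", "secret"}


def complexity_violations(password, user_id, full_name, words=SAMPLE_WORDS):
    """Return the Appendix 5 complexity rules that the candidate password breaks."""
    broken = []
    if len(password) < MIN_LENGTH:
        broken.append("length")
    checks = [("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
              ("numeral", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")]
    for rule, pattern in checks:
        if not re.search(pattern, password):
            broken.append(rule)
    lowered = password.lower()
    # User ID plus each part of the name; tokens under 3 characters are skipped
    # so that initials do not reject every password (assumption).
    identity = [user_id.lower()] + [part.lower() for part in full_name.split()]
    if any(len(tok) >= 3 and tok in lowered for tok in identity):
        broken.append("identity")
    if any(word in lowered for word in words):
        broken.append("dictionary")
    return broken


def change_status(last_changed, now):
    """Classify a password's age against the minimum and maximum age settings."""
    age = now - last_changed
    if age < MIN_AGE:
        return "too-soon-to-change"
    if age > MAX_AGE:
        return "expired"
    return "ok"


class LockoutTracker:
    """Tracks consecutive failed log-ons for one account (Appendix 6)."""

    def __init__(self):
        self.failures = 0
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_attempt(self, success, now):
        """Return True if the log-on is accepted, False if it fails or the account is locked."""
        if self.is_locked(now):
            return False
        if self.locked_until is not None:
            # The lockout period has elapsed: clear it and start counting afresh.
            self.locked_until = None
            self.failures = 0
        if success:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
        return False


if __name__ == "__main__":
    # The manual's own example: "mahmad" for the user Muhammad Ahmad.
    print(complexity_violations("mahmad", "mahmad", "Muhammad Ahmad"))
    print(complexity_violations("Tr9!vexQu#", "mahmad", "Muhammad Ahmad"))
```

The history setting (23 remembered passwords) is not modelled here, because comparing against earlier passwords has to be done on stored hashes rather than on plaintext.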


Appendix 7: Cryptographic Standards

The cryptographic algorithms, encryption hardware / software, key management
systems and digital signatures should meet the requirements specified in this
appendix for Approved Encryption / Cryptographic Algorithms and Systems.

The lifetime of the key shall be determined primarily by the application, the
information and the infrastructure it is used in. Keys shall be immediately revoked
and replaced if they have been or are suspected of being compromised.

The need for encryption and protection against unauthorized disclosure of
information assets classified as Confidential Information and above (according to
the Information Asset Security Classification Standard) shall be considered,
assessed and implemented accordingly. These cryptographic controls may be
applied to assets with lower confidentiality requirements, if determined necessary
by the risk assessment.

The following protocols or better, with approved algorithms outlined in this
appendix, shall be considered for use for securing data classified as Confidential
Information and above (according to the Information Asset Security
Classification Standard) when in transit:

o For securing web traffic: TLS (128+ bits) [RFC4346]
o For securing file transfers: SFTP [SFTP]
o For secure remote access: SSH v2 [RFC4253] or IPSEC [RFC 4301]

Only S/MIME v3 [RFC3851] or better are used for securing emails.

Where Hardware Security Modules (HSMs) are used, they shall be certified to at
least FIPS 140-2 Level 2 [FIPS-140-2] or Common Criteria [CC3.1] EAL4.
Cryptographic keys shall only be physically moved in HSMs meeting the above
criteria.

Passwords must always be encrypted / hashed and protected against
unauthorized disclosure when they are stored and / or in transit regardless of the
storing format or media according to the PMCL password standards. Privileged
passwords shall be encrypted and stored off-site with backup files each time the
password is changed to ensure complete recovery.

A suitable key management process shall be used to manage the lifecycle of
cryptographic keys, covering the following functions:

- Key Custodians Roles and Responsibilities
- Key Generation
- Dual Control and Split Knowledge
- Secure Key Storage
- Key Usage
- Secure Key Distribution and in Transit
- Key Backup and Recovery
- Periodic Key Status Checking
- Key Compromise
- Key Revocation and Destruction
- Audit Trails and Documentation

Approved Cryptographic Algorithms and Protocols

The following algorithms and protocols shall be considered for use for encryption, digital
signatures, random number generation, key agreement, key transportation, key
wrapping, deriving additional keys from a cryptographic key, hash numbers, MAC, etc.

Symmetric Key / Private Key:

Cryptographic functions that use a symmetric key cipher (sometimes referred to as
private key encryption) employing a shared secret key must adopt any of the following
specifications.

| Algorithm Name | References | Approved Use | Required Key Length |
|---|---|---|---|
| AES | Advanced Encryption Standard block cipher based on the Rijndael algorithm [AES] | General Data Encryption | 256-bit keys |
| TDES / 3DES | Triple Data Encryption Standard (or Triple DES) block cipher [SP800-67] | General Data Encryption | Three unique 56-bit keys |

Note: AES should be used unless this is not technically possible. TDES usage should be
limited to systems not supporting AES.

Asymmetric Key/Public Key:


Cryptographic functions that use asymmetric key ciphers (also known as public key
encryption) that employ a pair of cryptographic keys consisting of one public key and
one private key must adhere to the following specifications:

| Algorithm Name | References | Required Key Length |
|---|---|---|
| RSA | Rivest-Shamir-Adleman algorithm for public key cryptography [RSA] | 2048-bit keys |
| DSA | Digital Signature Algorithm [FIP186-2] | 2048-bit keys |

Approved Use: Digital Signatures, Transport of encryption General Data Encryption
