ISO/IEC 27001
Statement of Applicability  

ibCom management attest that following controls are in place in regards to risks
relating to confidentiality, integrity and availability of customer data stored on the
ibCom mydigitalstructure platform.

Mark Byers
Chief Risk Officer, October 2013

  Management  direction  for  information  security  

5.1.1 Policies  for   Part  of  the  employment  contract.

information  
security

5.1.2 Review  of  the   Monthly  review  and  re-­‐distribution.

policies  for  
information  
security

  Internal  organization  

6.1.1 Information   ibCom's  Chief  Risk  Officer  (CRO)  controls  all  roles.
security  roles  
and  
responsibilities

6.1.2 Segregation  of   Only  operational  employees  have  access  to  data.
duties  

6.1.3   Contact  with   Responsibility  of  CRO.

authorities

6.1.4 Contact  with   Responsibility  of  CRO.

special  interest  
groups.

6.1.5 Information   All  projects  relating  to  a  potential  change  in  the  
security  in   platform  have  information  security  as  a  first  class  
project   citizen.
management

  Mobile  devices  &  teleworking  

6.2.1 Mobile  device   All  access  to  AWS  infrastructure  on  a  mobile  device  is  
policy also  protected  via  2  factor  authentication  and/or  IP  
address  restrictions.
     ISO/IEC 27001
Statement of Applicability  

6.2.2 Teleworking No  data  is  stored  at  teleworking  sites.

  Prior  to  employment  

7.1.1 Screening As  its  first  measure,  ibCom  uses  very  few  employees  
that  have  access  to  customer  data.    To  get  access  to  
customer  data  an  employee  must  have  a  minimum  of  
one  (1)  years  experience  with  ibCom  or  an  
equivalent  well  proven  service.

7.1.2 Terms  and   Information  security  is  at  the  heart  of  the  ibCom  
conditions  of   employment  contract  -­‐  including  post  employment.
employment

  During  employment  

7.2.1 Management   Any  breach  by  an  ibCom  employee  in  regards  to  
responsibilities information  security  results  in  immediate  
termination.

7.2.2 Information   All  employees  will  have  appropriate  industry  

security   qualifications  or  experience  and  are  constantly  made  
awareness,   aware  of  information  security  policies  -­‐  it  is  a  core  
education  &   value  of  ibCom.
training

7.2.3 Disciplinary   Any  breach  by  an  ibCom  employee  in  regards  to  
process information  security  results  in  immediate  
termination.

  Termination  &  change  of  employment  

7.3.1 Termination  of   User  access  roles  are  effected  immediately  and  
change  of   employee  obligations  are  re-­‐communicated.
employment  
responsibilities

  Asset  Management  

8.1.1 Inventory  of   All  core  customer  data  management  assets  are  
assets managed  contractually  within  AWS.    All  ibCom  assets  
used  to  access  AWS  or  other  operational  
administrative  services  are  registered  and  
maintained.

8.1.2 Ownership  of   All  assets  are  owned  by  ibCom  operations  and  the  
     ISO/IEC 27001
Statement of Applicability  

assets CRO.

8.1.3 Acceptable  use   All  ibCom  assets  are  clearly  identified  and  linked  to  
of  assets the  employees  role.  

8.1.4 Return  of  assets Once  an  employee  now  longer  has  a  role  within  
ibCom,  assets  are  automatically  returned  to  the  
direct  responsibility  of  the  CRO.

  Information  classification  

8.2.1 Classification  of   All  information  is  classified  based  on  zone:  lab  
information (private),  operations  (private)  &  engagement  
(public)

8.2.2 Labelling  of   Documented  

information

8,2.3 Handling  of   Documented

assets

  Media  handling  

8.3.1 Management  of   Removable  media  is  not  allowed  on  operational  
removable   assets.
media

8.3.2 Disposal  of   Not  applicable

media

8.3.3 Physical  media   Not  applicable

transfer

  Business  requirements  of  access  control  

9.1.1 Access  control   Information  is  controlled  within  AWS  and  

policy mydigitalstructure  using  inherent  access  control  
functionality.

9.1.2 Access  to   All  key  information  is  stored  in  internet  based  secure  
networks  &   stores,  using  encrypted  access  protocols  -­‐  no  
network   measures  needed  to  control  this  risk.
services

  User  access  management  

     ISO/IEC 27001
Statement of Applicability  

9.2.1 User   Information  is  controlled  within  AWS  and  

registration  &   mydigitalstructure  using  inherent  access  control  
de-­‐registration functionality.

9.2.2 User  access   Provisioning  can  only  be  done  by  the  directors  of  
provisioning ibCom.

9.2.3 Management  of   Privileged  rights  can  only  be  assigned  by  the  
privileged   directors  of  ibCom.
access  rights

9.2.4 Management  of   Can  only  be  done  by  the  directors  of  ibCom.
secret  
authentication  
information  of  
users

9.2.5 Review  of  user   Reviewed  monthly.

access  rights

9.2.6 Removal  of   As  soon  as  an  employee's  role  is  changed,  so  are  their  
adjustment  of   access  rights.    They  are  removed  before  the  
access  rights employee  is  notified.

  User  responsibilities  

9.3.1 Use  of  secret   All  employee's  are  aware  of  restrictions  on  the  use  of  
authentication   secret  information.
information  

  System  &  application  access  control  

9.4.1 Information   Controlled  by  AWS  &  mydigitalstructure  access  

access   control  functionality.
restriction

9.4.2 Secure  log-­‐on   All  information  is  protected  by  secure  log-­‐on  
procedures   procedures.

9.4.3 Password   All  passwords  have  industry  standard  minimum  

management   lengths/strengths  and  2nd  factor  is  used.
system

9.4.4 Use  of   There  are  no  privileged  utility  programs.

privileged  
utility  
     ISO/IEC 27001
Statement of Applicability  

programs  

9.4.5 Access  control   All  access  to  all  source  code  is  highly  restricted.
to  program  
source  code  

  Cryptographic  controls  

10.1.1 Policy  on  the   Documented

user  of  
cryptographic  
controls

10.1.2 Key   Documented

management

  Secure  areas  

11.1.1 Physical   Refer  AWS  security  compliance

security  
perimeter

11.1.2 Physical  entry   Refer  AWS  security  compliance

controls

11.1.3 Securing  offices,   Refer  AWS  security  compliance

rooms  &  
facilitates

11.1.4 Protecting   Refer  AWS  security  compliance

against  external  
and  
environmental  
threats

11.1.5 Working  in   Refer  AWS  security  compliance  

secure  areas

11.1.6 Delivery  &   Refer  AWS  security  compliance

loading  areas

  Equipment  

11.2.1 Equipment   Refer  AWS  security  compliance

siting  &  
protection
     ISO/IEC 27001
Statement of Applicability  

11.2.2 Supporting   Refer  AWS  security  compliance

utilities  

11.2.3 Cabling  security Refer  AWS  security  compliance

11.2.4 Equipment   Refer  AWS  security  compliance

maintenance

11.2.5 Removal  of   Refer  AWS  security  compliance

assets

11.2.6 Security  of   Refer  AWS  security  compliance

equipment  &  
assets  off-­‐
premises

11.2.7 Secure  disposal   Refer  AWS  security  compliance

or  reuse  of  
equipment  

11.2.8 Unattended   Refer  AWS  security  compliance

user  equipment

11.2.9 Clear  desk  and   Refer  AWS  security  compliance

clear  screen  
policy

  Operational  procedures  &  responsibilities  

12.1.1 Documented   Documented  

operating  
procedures

12.1.2 Change   All  change  management  is  tightly  controlled.

management

12.1.3 Capacity   ibCom  uses  the  inherent  scalability  in  AWS  

management Infrastructure  as  a  Service.

12.1.4 Separation  of   The  lab  and  operational  zones  are  procedurally  
development,   separated.
testing  &  
operational  
environments.

  Protection  from  malware  

     ISO/IEC 27001
Statement of Applicability  

12.2.1 Controls  agains   All  employees  are  aware  of  the  issues  associated  with  
malware malware  and  scanning  software  is  used.

  Backup  

12.3.1 Information   All  information  is  backed  up  and  restore  procedures  
backup are  constantly  being  tested.

  Logging  &  monitoring  

12.4.1 Event  logging All  events/actions  on  information  are  logged  and  
reviewed.

12.4.2 Protection  of   All  logs  are  secured.

log  information  

12.4.3 Administrator   As  per  12.4.1

&  operator  logs

12.4.4 Clock   All  information  is  stored  in  a  single  time  zone.
synchronisation

  Control  of  operational  software  

12.5.1 Installation  of   Instances  are  re-­‐imaged  once  a  well-­‐proven  instance  

software  on   has  been  fully  tested.
operational  
systems

  Technical  vulnerability  management  

12.6.1 Management  of   Documented

technical  
vulnerabilities

12.6.2 Restrictions  on   Documented

software  
installation

  Information  systems  audit  considerations  

12.7.1 Information   All  verification  process  are  carefully  controlled  and  

systems  audit   use  "mirror"  images.
controls

  Network  security  management  

     ISO/IEC 27001
Statement of Applicability  

13.1.1 Network   All  networks  are  protected  using  firewalls.    Refer  

controls AWS  security  compliance

13.1.2   Security  of   Refer  AWS  security  compliance

network  
services

13.1.3   Segregation  in   All  ibCom  zones  (lab,  operations,  engagement)  use  
networks isolated  networks.

  Information  transfer    

13.2.1 Information   Refer  AWS  security  compliance

transfer  policies  
&  procedures

13.2.2   Agreements  on   All  information  is  secured  by  encryption  over  the  
information   wire.
transfer

13.2.3   Electronic   All  highly  sensitive  information  can  be  secure  using  
messaging theoperations@ibcom.biz  PGP  public  key.

13.2.4 Confidentiality   Confidentiality  and  non-­‐disclosure  is  default  in  any  

or  non-­‐ engagement  with  ibCom.
disclosure  
agreements

  Security  requirements  of  information  systems  

14.1.1 Information   Documented

security  
requirements  
analysis  &  
specification

14.1.2 Securing   Documented  

application  
services  on  
public  networks

14.1.3 Protecting   All  transactions  are  encrypted  with  SSL  and  DH  
application   based  perfect  forward  security.
services  
transactions
     ISO/IEC 27001
Statement of Applicability  

  Security  in  development  &  support  processes  

14.2.1 Secure   Documented

development  
policy

14.2.2 System  change   Documented.    Changes  are  minimal.    There  is  a  clear  
control   separation  between  the  lab  zone  and  
procedures   the  operational  zone.

14.2.3 Technical   Documented

review  of  
applications  
after  operating  
platform  
changes

14.2.4 Restrictions  on   All  changes  are  discouraged  and  strictly  controlled.
changes  to  
software

14.2.5 Secure  system   Using  of  MVC  and  separation-­‐of-­‐concerns,  combined  

engineering   with  a  "kernel"  mode  and  "user"  mode  allow  for  
principles security  zoning,more...

14.2.6 Secure   The  development  environment  (lab  zone)  uses  the  

development   same  protocols  as  the  production  environment  
environment (operations  zone).

14.2.7 Outsourced   There  is  no  outsourced  development  within  the  

security  testing ibCom  layer.

14.2.9 System   Documented

acceptance  
testing

  Test  data  

14.3.1 Protection  of   Test  data  is  protected  under  same  protocols  as  
test  data production  data.

  Information  security  in  supplier  relationships  

15.1.1 Information   Refer  AWS  security  compliance

security  policy  
for  supplier  
     ISO/IEC 27001
Statement of Applicability  

relationships

15.1.2 Addressing   Refer  AWS  security  compliance

security  within  
supplier  
agreements

15.1.3 Information  &   Documented  and  refer  AWS  security  compliance

communication  
technology  
supply  chain

  Supplier  service  delivery  management  

15.2.1 Monitoring  &   AWS  is  monitored  constantly.

review  of  
supplier  
services

15.2.2 Managing   Highly  infrequent,  if  at  all.    Months  of  planning  an  
changes  to   risk  analysis  before  any  change  is  made.
supplier  
services

  Management  of  information  security  incidents  &  improvements  

16.1.1 Responsibilities   Documented

&  procedures

16.1.2 Reporting   Events  are  reported  to  all  stake-­‐holders  as  soon  as  
information   they  are  known,  including  the  @ibComMYDS  twitter  
security  events   account  andstatus.mydigitalstructure.com.

16.1.3 Reporting   ibCom  has  a  reward  for  report  program.    All  highly  
information   sensitive  information  can  be  secure  using  
security   the  operations@ibcom.biz  PGP  public  key.
weakness

16.1.4 Assessment  of   Documented

&  decision  on  
information  
security  events

16.1.5 Response  to   All  incidents  considered  to  be  security  incidents  are  
information   immediately  communicated  to  all  effected  
security   stakeholders.    Including  the  use  
     ISO/IEC 27001
Statement of Applicability  

incidents of  @ibComMYDS  twitter  account  

&  status.mydigitalstructure.com.

16.1.6 Learning  from   All  learnings  from  incidents  are  immediately  applied  
information   to  the  platform.
security  
incidents

16.1.7 Collection  of   Documented

evidence

  Information  security  continuity  

17.1.1 Planning   ibCom  has  a  full  disaster  plan  -­‐  including  running  
information   mirror  instances  in  other  geographical  locations.
security  
continuity

17.1.2 Implementing   All  mirror  sites  operate  within  the  same  production  
information   (operational  zone)  protocols.
security  
continuity

17.1.3 Verify,  review  &   Verification,  review  &  evaluation  occurs  constantly.
evaluate  
information  
continuity

  Redundancies  

17.2.1 Availability  of   Mirror  sites  are  implemented  in  other  geographical  
information   locations.
processing  
facilities

  Compliance  with  legal  &  contractual  requirements  

18.1.1 Identification  of   Documented

applicable  
legislation  &  
contractual  
requirements

18.1.2 Intellectual   All  software  and  information  intellectual  property  

property  rights rights  are  well  known  and  managed.
     ISO/IEC 27001
Statement of Applicability  

18.1.3 Protection  of   All  records  are  highly  protected.

records

18.1.4 Privacy  &   All  private  information  is  highly  protected.

protection  of  
personally  
identifiable  
information

18.1.5 Regulation  of   Documented

cryptographic  
controls

  Information  security  reviews  

18.2.1 Independent   Third  party  certiification  is  underway  (as  at  

review  of   December  2013)
information  
security

18.2.2   Compliance   Constantly  being  reviewed  for  compliance.

with  security  
policies  &  
standards

18.2.3   Technical   Constantly  being  reviewed  for  compliance.

compliance  
review
 
 
END