
Information Security Management


Contents
1. PURPOSE ........................................................................................ 5
2. STRUCTURE OF THE DOCUMENT ........................................................... 6
3. SCOPE ............................................................................................ 7
4. GENERAL ASSUMPTIONS ..................................................................... 8
5. INFORMATION SECURITY MANAGEMENT FRAMEWORK .............................. 9
5.1 ISM Interactions ............................................................................... 9
5.2 ISMS Framework ............................................................................. 10
5.2.1 Security Policy ................................................................................ 10
5.2.2 Planning....................................................................................... 10
5.2.3 Implementation .............................................................................. 10
5.2.4 Support ....................................................................................... 10
5.2.5 Evaluation..................................................................................... 11
5.2.6 Monitoring .................................................................................... 11
5.3 ISM Policy ..................................................................................... 11
5.4 Asset Management Policy .................................................................... 11
5.4.1 Responsibility ................................................................................. 11
5.4.2 Policy Statement and Objective .............................................................. 12
5.4.3 Asset Register................................................................................. 12
5.4.4 Information Classification .................................................................... 12
5.4.5 Information labeling and handling ........................................................... 13
5.5 Access Control Policy ......................................................................... 13
5.5.1 Responsibility ................................................................................. 13
5.5.2 Policy Statement and Objective .............................................................. 13
5.5.3 User Access Management .................................................................... 14
5.5.4 User Identity Management .................................................................. 14
5.5.5 Password Management Policy ............................................................... 14
5.5.6 User password management ................................................................. 15
5.5.7 Review of User Access Rights ................................................................ 15
5.5.8 User Responsibilities for Access Management .............................................. 15
5.5.8.1 Password use management ............................................................... 16
5.5.8.2 Unattended User Equipment .............................................................. 16
5.5.9 Device Security Controls ..................................................................... 16
5.5.9.1 Remote Access Control Policy ............................................................. 17

2
Hartono Subirto 2016
Information Security Management

5.5.9.2 Network Connection Control .............................................................. 17


5.5.9.3 Network Routing Control .................................................................. 18
5.5.9.4 Operating System Control ................................................................. 18
5.5.9.5 Use of System Utilities ..................................................................... 18
5.5.10 Mobile Computing and Tele-working ..................................................... 18
5.6 E-mail Security Policy ......................................................................... 19
5.6.1 Responsibility ................................................................................. 19
5.6.2 Policy Statement and Objective .............................................................. 19
5.6.3 Authorized Use of E-mail ..................................................................... 19
5.6.4 Prohibited Use of E-mail...................................................................... 20
5.6.5 User Accountability ........................................................................... 20
5.6.6 User Identity .................................................................................. 20
5.6.7 Electronic Mail Encryption ................................................................... 21
5.6.8 Contents of Electronic Messages ............................................................ 21
5.6.9 Attachments and Virus Protection ........................................................... 21
5.6.10 Disclaimer .................................................................................. 21
5.6.11 Monitoring and Enforcement ............................................................. 21
5.7 Internet Policy ................................................................................ 21
5.7.1 Responsibility ................................................................................. 21
5.7.2 Web Site Monitoring ......................................................................... 22
5.7.3 Access to Web Site Monitoring Reports ..................................................... 22
5.7.4 Internet Use Filtering System ................................................................ 22
5.7.5 Internet Use Filtering Rule Changes ......................................................... 23
5.7.6 Internet Use Filtering Exceptions ............................................................ 23
5.8 Antivirus Policy ............................................................................... 23
5.8.1 Responsibility ................................................................................. 23
5.8.2 Policy.......................................................................................... 23
5.9 Management of Security Breaches and Incidents ........................................... 24
5.9.1 Incident Identification & Handling ........................................................... 24
5.9.2 Learning from Information Security Incidents ............................................... 25
6. INFORMATION SECURITY MANAGEMENT SYSTEM ....................................26
6.1 Process Model ................................................................................ 26
6.2 Process Specification ......................................................................... 27
6.3 Roles and responsibilities .................................................................... 29


7. REFERENCE ....................................................................................30
7.1 Business Rules ................................................................................ 30
7.2 Risk ............................................................................................ 30
7.3 Quality Attribute.............................................................................. 30
7.4 Data Quality Dimension ...................................................................... 30
7.5 Operation Policy .............................................................................. 31
7.6 KPI............................................................................................. 31
7.7 Critical To Quality CTQ ....................................................................... 31
7.8 Abstract Time-Scale .......................................................................... 31
7.9 SLA Terms ..................................................................................... 32
8. GLOSSARY/ACRONYMS......................................................................33


1. PURPOSE

To establish an Information Security Management (ISM) for network operations to ensure
that information security is effectively managed in all service and service management
activities, such that:
• Information is available and usable when required (availability)
• Information is observed by or disclosed to only those who have a right to know
(confidentiality)
• Information is complete, accurate and protected against unauthorized modification
(integrity)
• Business transactions, as well as information exchanges, are trusted (authenticity)


2. STRUCTURE OF THE DOCUMENT

The document comprises the following chapters:

Chapter–3: Scope: In this chapter we will present the scope of the document and the
process.

Chapter–4: General Assumptions: In this chapter we will present the underlying
assumptions for both the document and the process.

Chapter–5: Information Security Management Framework: In this chapter we will present
the tailored ITIL framework that will be used in the engineering of the process.

Chapter–6: Information Security Management System: All the processes will be depicted
and specified rigorously using BPMN and process specification templates.

Chapter–7: References: In this chapter we will present the details supporting the
Information Security Management process in tabular formats. This chapter describes
Business Rules, Risk, Quality Attributes, Data Quality Dimensions, Operation Policy, KPIs, CTQ,
Abstract Time-Scale and SLA Terms.


3. SCOPE

The ISM is applicable to all information assets of network operations. An information asset
is a definable piece of information, stored and/or processed in any manner, which is
recognized as valuable to the network operations. The types of information assets are:
• Software, physical assets, documents, services, people, and information that is
physically or electronically stored, processed and/or transmitted by any of the
aforesaid types of assets.

Information Security Management is applicable to:
• THE OPERATOR operations
• NOC
• Field Operations or Maintenance centres
• Third parties associated with operations

Objectives:
ISM provides direction to the network operations on Information Security and ensures that
appropriate security controls are implemented to maintain and manage information
security in network operations.

The objective of ISM is to secure information pertaining to network operations by:
• Establishing and organizing an Information Security Management Framework;
• Developing and maintaining an effective Information Security Management System
(ISMS) consisting of an Information Security Policy document, supporting Procedures
and Risk Management;
• Deploying appropriate technology, resources and infrastructure;
• Constantly monitoring, reviewing, reporting and taking actions thereon for
improving the effectiveness of the ISMS;
• Taking appropriate actions for any violations of the Information Security Policies;
and
• Creating awareness and maintaining a security-conscious culture for staff.


4. GENERAL ASSUMPTIONS

The following are the General Assumptions included in this process:
• This is a high-level document. The following sections are not mandatory at this
stage and will be elaborated in the next stage:
o Information Labelling and Handling Procedure
o Password Management Standard
o Information marked as TBD in the reference section
• The following are described at a general level and will be explained in detail
after the security design is finalized:
o Specific device security controls
o Network connection controls
o Remote access procedures
o Operating system controls
o Network routing controls
o Mobile Computing and Tele-working
o Actual E-mail policy
o Security Incident Identification and controls


5. INFORMATION SECURITY MANAGEMENT FRAMEWORK

5.1 ISM Interactions

[Figure: ISM Interactions. Information Security Management is shown at the centre, interacting with Configuration Management, Capacity Management, Change Management, IT Service Continuity Management, Access Management, Availability Management, Service Level Management, Incident Management and Problem Management; the exchanged items shown are Asset Information, Information, Information Policies, Policies & Controls, Reports, SLA requirements, Security Incidents and Problem Records.]

Information Security Management is directly responsible for:
• Collaborating with Access Management to ensure access security.
• Collaborating with Incident Management to handle and resolve security-related
incidents.
• Installing and maintaining the hardware and software tools necessary to ensure
security.
• Collaborating with Change Management and Configuration Management to
ensure that new vulnerabilities are not introduced into live systems or test
environments.
• Proposing RFCs to Change Management with a view to enhancing security.
• Collaborating with Service Continuity Management to ensure that the integrity
and confidentiality of the data are not compromised in the event of a disaster.
• Establishing the policies and protocols for access to information.
• Monitoring the networks and online services to detect intruders and attacks.


5.2 ISMS Framework


The information security framework comprises six stages: defining policies, planning,
implementing the controls, support, evaluation and, finally, monitoring of the controls.

5.2.1 Security Policy
It is essential to establish a clear security policy so that:
• Its objectives are aligned with those of the business as a whole;
• All IT processes are co-ordinated properly;
• Resources are assigned and responsibilities are established.

5.2.2 Planning
Security Management draws up a security plan that covers customers' needs and
information access protocols, and collaborates with Service Level Management on
defining SLAs, OLAs and other contracts.

[Figure: ISMS framework stages: Service Requirement, Security Policies, Planning, Implementation, Support, Evaluation, and Monitoring & Follow Up.]

5.2.3 Implementation
Security Management is responsible for:
• Applying the security measures established in the policy and plan;
• Training personnel on security and information access procedures;
• Collaborating on solving security-related incidents.

5.2.4 Support
It includes:
• Complying with security standards agreed with the customers and the service
providers;
• Ensuring that the equipment and the test procedures are up to date;
• Submitting RFCs to the Change Management team to improve security levels or
adapt them to new technology developments.

5.2.5 Evaluation
This includes evaluating the security management system in order to:
• Guarantee that the established plans and procedures are complied with;
• Inform customers and management of possible vulnerabilities or threats.

5.2.6 Monitoring
The whole Security Management System is monitored to ensure that:
• The security requirements laid down are complied with;
• Teams are correctly informed about the security protocols in place;
• The security plan is being complied with and is regularly updated.

5.3 ISM Policy


Below is the list of Security Policies for network operations:
• Asset Management policy
o Information classification
o Asset disposal
• Access control policy
o Password control
o Device security control
o Remote access control
o Supplier access to IT services, information and components
• E-mail policy
• Internet policy
• Anti-virus policy

5.4 Asset Management Policy


The Asset Management Policy specifies the importance of information assets including
identification of the asset owner, asset classification and determining confidentiality,
integrity and availability ratings of the assets. The policy establishes the requirement of
controls that are implemented for protecting information assets.

5.4.1 Responsibility
The asset owners are responsible for identifying, classifying, labelling and ensuring the
protection of the information assets. The asset custodians are responsible for the
implementation of the required controls for the protection of information assets. The
asset users are responsible for handling information assets as per the classification of
the asset.
Detailed information is explained in Service Asset and Configuration Management.


5.4.2 Policy Statement and Objective


Information assets of network operations have comprehensive protection and an
identified owner. The objective of the policy is to ensure that:
a. The information assets are identified and documented in the Asset Register;
b. The information assets have designated owners and custodians;
c. The CIA ratings of information assets are ascertained.

5.4.3 Asset Register


The asset register documents the information assets of network operations. Each
owner/custodian maintains the asset register of their area as per the procedure
defined in the Asset Management Process. At a minimum, the asset register contains
the following information about the assets:
a. The type and location of assets;
b. Asset information (ID, Name, Part code, Serial number) and the department;
c. The Asset Owner, Custodian and User;
d. The CIA ratings of the asset, etc.

5.4.4 Information Classification


Information owned, used, created or maintained by or for the NOC operation is classified
into the following four categories:

Restricted: This classification applies to the most critical assets, which are intended strictly
for use within network operation. Their unauthorised disclosure could adversely impact the
business and/or its customers, leading to legal and financial repercussions and adverse
public opinion. Information that is sometimes considered private is included in this
classification. Some examples include:
• Business strategy documents
• Business initiatives documents
• Agreement copies

Confidential: This classification applies to any sensitive business information which is
intended for use within network operation. Its unauthorised disclosure could adversely
impact the business, its business partners, its employees and/or its customers. Some
examples include:
• Business reports or SLA reports
• Process documents
• Employee performance evaluations
• Internal audit reports
• Network performance reports

Public: This classification applies to information which is explicitly approved by
management for release to the public. By definition, there is no such thing as
unauthorised disclosure of this information, and it may be freely disseminated without
potential harm.

Internal: This classification applies to all other information which does not clearly fit into
any of the other three classifications. While its unauthorised disclosure is against the
policy, it is not expected to adversely impact the business, employees, customers,
stockholders and/or business partners. Some examples include:
• Telephone directory
• Training materials and manuals
• Internal staff circulars

5.4.5 Information labeling and handling


All important tangible assets are labelled physically as per the Information Labelling and
Handling Procedure. The asset owners ensure that their assets are appropriately labelled
(marked) for ease of identification; information classified as 'Public' may be excluded. For
each classification level, the handling requirements, including secure processing, storage,
transmission and destruction, have been defined in the Information Labelling and Handling
Procedure.

5.5 Access Control Policy


The Access Control Policy defines the controls that are implemented and maintained to
protect information assets against unauthorized access, which poses a substantial risk to
the network operation. The policy is intended to establish adequate controls for user access
management, device security, and mobile computing and tele-working in the network.

5.5.1 Responsibility
It is the responsibility of the Security officer to implement and maintain the controls
defined in the Access Control Policy.

5.5.2 Policy Statement and Objective


Access to information assets is controlled based on the business and security
requirements and commensurate with the asset classification. Access controls are
deployed on the principle of 'deny all unless explicitly permitted' to protect the
information from unauthorized access.


The objectives of the Access Control Policy are to:
• Restrict access to the information assets as per the business requirement;
• Prevent unauthorized access to devices (such as information systems, network
services and operating systems) and to information held in database and
application systems;
• Ensure that security controls are in place while using mobile computing
and tele-working facilities.

5.5.3 User Access Management


The allocation of access rights to information systems and services is done in
accordance with the Access Management Process. The procedure encompasses all
stages in the life-cycle of user access, from the initial registration request of new users
to the final removal or restriction of the rights of users who no longer require access to
information systems and services. Special attention is given, where required, to controlling
the allocation of privileged access rights, which could allow users to override the system
controls.

5.5.4 User Identity Management


User Identity Management is done in accordance with the Access Management
Process for granting access to all information systems including Operating Systems,
Applications, Databases and Network Devices. The following steps are implemented:
• A unique user ID for all users having access to the information systems;
• Approval from the Security officer dealing with the third party prior to
creating user IDs for third party staff;
• Obtaining appropriate authorization prior to creating user IDs;
• Assigning access privileges to the user only in accordance with the user
role and appropriate approval;
• Keeping audit trails for all requests for addition, modification or deletion of
user accounts/IDs and access rights;
• Reviewing user accounts at specified intervals to identify and facilitate
removal/deletion of inactive accounts or accounts that have not been used
for a longer duration;
• Reviewing the results of user account reviews at specified intervals, including
subsequent actions, to provide an audit trail.

5.5.5 Password Management Policy


Passwords are strings of characters that are input to a system to authenticate an identity
and/or authority and/or access rights. Appropriate technical specifications for password
management, as specified in the Password Management Standard, are implemented on the
information systems and applications.

5.5.6 User password management


Allocation of passwords is controlled through a formal management process. The
process includes the following:
• Users are required to keep personal passwords confidential and to keep group
passwords solely within the members of the group; this signed statement is
included in the terms and conditions of employment;
• When users are required to maintain their own passwords, they are provided
initially with a secure temporary password, which they are forced to change
immediately;
• Procedures are established to verify the identity of a user prior to providing a
new, replacement or temporary password;
• Temporary passwords are given to users in a secure manner; the use of third
parties or unprotected (clear text) electronic mail messages is avoided;
• Temporary passwords are unique to an individual and are not guessable;
• Users have to acknowledge receipt of passwords;
• Passwords are never stored on computer systems in an unprotected form;
• Default vendor passwords are altered following installation of systems or
software.

5.5.7 Review of User Access Rights


The review of user access rights considers the following:
• User access rights are reviewed at regular intervals for users having access to
critical systems/applications;
• Whenever a user is transferred from one role to another role or geography
within network operation, the user's access rights are revoked and re-allocated
appropriately;
• Authorizations for special privileged access rights are reviewed at regular
intervals;
• Privilege allocations are checked at regular intervals to ensure that unauthorized
privileges are not obtained;
• Changes to privileged accounts are logged for periodic reviews.
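One way to carry out the account and privilege reviews that 5.5.4 and 5.5.7 call for, as an added example that is not part of this policy document: it flags inactive accounts, unprocessed transfers, privileges outside the role, privileges with no approved grant in the audit trail, and overdue privileged-access reviews. The role table, the 90- and 30-day thresholds, and the sample register and audit trail are constructed assumptions.

```python
"""Periodic user access review covering the checks of sections 5.5.4 and 5.5.7.
Added example; thresholds, roles and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assumed values: the policy says "regular intervals" and "a longer duration" without numbers.
INACTIVE_DAYS = 90
PRIVILEGED_REVIEW_DAYS = 30

# Constructed role-to-entitlement table (the real one comes from the Access Management Process).
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "noc_operator": {"nms.read", "ticket.write"},
    "noc_admin": {"nms.read", "nms.write", "device.config", "aaa.admin"},
    "field_tech": {"nms.read", "device.config"},
}
# Privileges that could let a user override system controls (5.5.3); they get the shorter review cycle.
PRIVILEGED: Set[str] = {"nms.write", "device.config", "aaa.admin"}

AuditEntry = Tuple[str, str, str, str]  # (user_id, "grant" or "revoke", privilege, approver)
Finding = Tuple[str, str, str]          # (user_id, finding type, detail)


@dataclass
class Account:
    user_id: str
    role: str
    privileges: Set[str]
    last_login: Optional[date]
    last_privilege_review: Optional[date] = None
    pending_transfer_from: Optional[str] = None  # previous role, if rights were not yet re-allocated


def approved_grants(audit: List[AuditEntry]) -> Dict[str, Set[str]]:
    """Replay the audit trail; a privilege is approved if its latest event is an approved grant."""
    state: Dict[str, Set[str]] = {}
    for user, action, privilege, approver in audit:
        grants = state.setdefault(user, set())
        if action == "grant" and approver:
            grants.add(privilege)
        elif action == "revoke":
            grants.discard(privilege)
    return state


def review_accounts(accounts: List[Account], audit: List[AuditEntry], today: date) -> List[Finding]:
    """Return the findings a reviewer has to act on, in account order."""
    grants = approved_grants(audit)
    findings: List[Finding] = []
    for acct in accounts:
        # 5.5.4: inactive accounts are identified for removal or deletion.
        if acct.last_login is None:
            findings.append((acct.user_id, "inactive", "never logged in"))
        elif (today - acct.last_login).days > INACTIVE_DAYS:
            findings.append((acct.user_id, "inactive", f"last login {(today - acct.last_login).days} days ago"))
        # 5.5.7: a transferred user's rights are revoked and re-allocated.
        if acct.pending_transfer_from:
            findings.append((acct.user_id, "transfer_not_processed",
                             f"moved from {acct.pending_transfer_from} to {acct.role}"))
        # 5.5.7: privileges outside the role are unauthorized.
        excess = acct.privileges - ROLE_PRIVILEGES.get(acct.role, set())
        if excess:
            findings.append((acct.user_id, "privilege_outside_role", ",".join(sorted(excess))))
        # 5.5.4 and 5.5.7: every held privilege must trace to a logged, approved grant.
        untraced = acct.privileges - grants.get(acct.user_id, set())
        if untraced:
            findings.append((acct.user_id, "privilege_without_audit_trail", ",".join(sorted(untraced))))
        # 5.5.7: special privileged access is reviewed at regular intervals.
        if acct.privileges & PRIVILEGED:
            last = acct.last_privilege_review
            if last is None or (today - last).days > PRIVILEGED_REVIEW_DAYS:
                findings.append((acct.user_id, "privileged_review_overdue",
                                 "never reviewed" if last is None else f"last reviewed {(today - last).days} days ago"))
    return findings


# Constructed sample register and audit trail.
TODAY = date(2016, 6, 30)
SAMPLE_AUDIT: List[AuditEntry] = [
    ("alice", "grant", "nms.read", "secofficer"), ("alice", "grant", "ticket.write", "secofficer"),
    ("bob", "grant", "nms.read", "secofficer"), ("bob", "grant", "nms.write", "secofficer"),
    ("bob", "grant", "device.config", "secofficer"), ("bob", "grant", "aaa.admin", "secofficer"),
    ("carol", "grant", "nms.read", "secofficer"), ("carol", "grant", "device.config", "secofficer"),
    ("carol", "revoke", "device.config", "secofficer"),  # revoked on transfer, yet still held below
    ("dave", "grant", "nms.read", "secofficer"),
]
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", "noc_operator", {"nms.read", "ticket.write"}, date(2016, 6, 29)),
    Account("bob", "noc_admin", {"nms.read", "nms.write", "device.config", "aaa.admin"},
            date(2016, 6, 28), last_privilege_review=date(2016, 6, 10)),
    Account("carol", "noc_operator", {"nms.read", "device.config"}, date(2016, 6, 25),
            last_privilege_review=date(2016, 1, 5), pending_transfer_from="field_tech"),
    Account("dave", "field_tech", {"nms.read"}, date(2016, 1, 15)),
    Account("svc_legacy", "noc_operator", {"nms.read"}, None),  # no audit entry at all
]

if __name__ == "__main__":
    for user, kind, detail in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_AUDIT, TODAY):
        print(f"{user:<11} {kind:<30} {detail}")
```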

5.5.8 User Responsibilities for Access Management


All operations staff with access to information assets understand their responsibilities
for maintaining effective access controls, particularly regarding the use of passwords
and the security of user equipment. This is facilitated through training or awareness
programmes conducted within network operation.

5.5.8.1 Password use management


Operations staff are required to:
• Keep their passwords confidential and refrain from sharing them with others;
• Change their passwords whenever there is any indication of a possible
compromise of the system or password;
• Change passwords at regular intervals or based on the number of accesses;
• Select quality passwords with sufficient minimum length which are:
o Easy to remember;
o Not based on anything somebody else could easily guess or obtain using
person-related information, e.g. names, telephone numbers and dates of
birth;
o Not vulnerable to dictionary attacks (i.e. they do not consist of words included
in dictionaries);
o Free of consecutive identical, all-numeric or all-alphabetic characters;
• Change temporary passwords at the first log-on.
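The password-quality rules of 5.5.8.1 as a checker, added here as an illustration rather than taken from the Password Management Standard: each rule in the list above is one test, and the function returns the rules a candidate violates. The 12-character minimum and the small word list are assumed values standing in for the standard's figure and a real dictionary file; the profile and candidates are constructed.

```python
"""Password-quality checks implementing the rules of section 5.5.8.1 (added example).
MIN_LENGTH and DICTIONARY are assumed stand-ins for the Password Management Standard."""
import re
from dataclasses import dataclass
from typing import List

# Assumed: the policy requires a "sufficient minimum length" but does not fix a number.
MIN_LENGTH = 12

# Constructed stand-in for a real word list file (assumption).
DICTIONARY = {"password", "welcome", "summer", "network", "operator", "secret", "admin"}

# Common digit/symbol substitutions undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

TOO_SHORT = f"shorter than {MIN_LENGTH} characters"
PERSONAL = "based on person-related information"
DICT_WORD = "consists of dictionary word(s)"
REPEATED = "contains consecutive identical characters"
ALL_NUMERIC = "all-numeric"
ALL_ALPHA = "all-alphabetic"


@dataclass
class UserProfile:
    """Person-related details the policy says a password must not be based on."""
    username: str
    full_name: str
    telephone: str
    date_of_birth: str  # ISO date, e.g. "1985-07-23"

    def tokens(self) -> List[str]:
        """Lower-cased fragments someone could easily guess or obtain about this person."""
        phone = re.sub(r"\D", "", self.telephone)
        dob = re.sub(r"\D", "", self.date_of_birth)
        raw = [self.username, *self.full_name.split(), phone, phone[-4:], dob, dob[:4], dob[-4:]]
        return [t.lower() for t in raw if len(t) >= 3]


def dictionary_words(password: str) -> List[str]:
    """Alphabetic runs of the password, as typed and with substitutions undone, that are dictionary words."""
    lowered = password.lower()
    found: List[str] = []
    for variant in (lowered, lowered.translate(LEET)):
        for run in re.findall(r"[a-z]+", variant):
            if run in DICTIONARY and run not in found:
                found.append(run)
    return found


def check_password(password: str, profile: UserProfile) -> List[str]:
    """Return the rules of 5.5.8.1 the candidate violates; an empty list means it is acceptable."""
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(TOO_SHORT)
    lowered = password.lower()
    if any(tok in lowered for tok in profile.tokens()):
        violations.append(PERSONAL)
    if dictionary_words(password):
        violations.append(DICT_WORD)
    if re.search(r"(.)\1", password):  # two identical characters in a row
        violations.append(REPEATED)
    if password.isdigit():
        violations.append(ALL_NUMERIC)
    if password.isalpha():
        violations.append(ALL_ALPHA)
    return violations


if __name__ == "__main__":
    # Constructed profile for the person-related check.
    profile = UserProfile("jsmith", "John Smith", "+1 555 0134", "1985-07-23")
    for candidate in ("Ab3$kq9!Lm2x", "Smith1985!xyz", "Welc0me2024!", "123456789012", "aabbccdd"):
        print(f"{candidate:<14} {check_password(candidate, profile) or 'acceptable'}")
```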

5.5.8.2 Unattended User Equipment


All operations staff and third party staff with access to information assets are made
aware of the information security requirements and procedures for protecting
unattended equipment, as well as their responsibilities for implementing such
protection. The following steps are followed:
• Terminate active sessions when finished, or implement an appropriate equipment
locking mechanism;
• Log out from the workstation, servers and/or network device when the session is
finished.

5.5.9 Device Security Controls


The devices to which the policy applies include Routers, Switches, Firewalls, IDS, IPS,
NMS (Applications and Database), Client Systems and EMS which are part of the NOC and
Sites. Appropriate controls for user access to devices are applied.

The control ensures that:
• Appropriate interfaces are created to segregate the devices from the networks
owned by other providers and from public networks;
• Authentication, Authorization and Auditing mechanisms are applied for devices
using a central AAA server. The TACACS+ protocol is used by the central AAA server;
• Telnet access to NEs from other systems is logged in AAA;
• Appropriate password mechanisms are implemented on the devices;
• Devices and services are accessible from the network only through the approved
network services and segments;
• Lists of standard services that are not allowed on the device are formally
documented and such services are disabled;
• Appropriate session time-out is configured on devices;
• Banners (unauthorized access warnings, disclaimer, etc.) are configured on
devices.

5.5.9.1 Remote Access Control Policy


Adequate security controls are implemented to authenticate the user for remote access.
There is a formal procedure to manage the remote access connections. It is ensured
that:
• Remote access connections to the network are provided to authorized users
only, and appropriate controls are implemented to maintain the confidentiality,
integrity and availability of information;
• An updated list of all such connections and users is maintained;
• Remote access to the network is allowed through secure channels only;
• Appropriate controls meeting THE OPERATOR requirements are
implemented if remote access is provided to manufacturers or suppliers for
diagnosis or maintenance activities;
• Only approved remote control software is used in the network for remote
connections;
• Communication between out-of-band devices and the call-back server is controlled
using a secure call-back mechanism;
• As an additional authentication control for remote access, the device identifier is
used to authenticate the device connecting to the critical information systems of the
network.

5.5.9.2 Network Connection Control


• For shared networks, especially those extending across the boundaries of
network operations, the capability of users to connect to the network is
restricted as per the requirements of the business application(s);
• Downloads from the Internet through insecure file transfer application(s) are
not allowed. If there is a business requirement for such downloads, prior
authorization from the Security officer is required;
• Insecure file transfer uploads to the Internet are not allowed. The only exclusion to
this is when data such as configuration details, fault logs or screen shots (but not
limited to these) is required by a manufacturer, service provider or other such
authorized support third parties for the purpose of diagnostics and fault repairs.
Such uploads are executed only if authorized by the owner of the equipment and
the Security officer;
• Use of personal mail services is restricted in network operations.

5.5.9.3 Network Routing Control


• Appropriate routing controls meeting the requirements of the Access Control
Policy are implemented;
• Controls that filter the traffic by means of pre-defined tables or rules are
implemented through network gateways;
• Routing controls are defined based on source and destination address
checking mechanisms.

5.5.9.4 Operating System Control


Adequate security controls are implemented on the information systems to restrict
access to operating systems to authorized users only. The controls authenticate the
authorized users and record the successful and failed system authentication attempts.
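The records that 5.5.9 and 5.5.9.4 require (successful and failed authentication attempts, Telnet access to NEs logged in AAA) are only useful if someone reads them; as an added example that is not from the document, this reviews constructed AAA records for failed-authentication bursts, a success that follows such a burst from the same source, and Telnet sessions. The record layout, device names, addresses and the 3-failure threshold are assumptions.

```python
"""Review of device authentication records. Sections 5.5.9 and 5.5.9.4 require that
successful and failed authentication attempts are recorded and Telnet access to NEs is
logged in AAA; this added example reads such records and lists what a reviewer should
look at. Record layout, device names, addresses and the threshold are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed: this many failures in a row from one source against one account is a burst.
FAIL_THRESHOLD = 3

# Constructed, vendor-neutral record layout; a real AAA server's accounting format differs.
RECORD = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) AAA: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"service=(?P<service>\S+) result=(?P<result>PASS|FAIL)$"
)

Finding = Tuple[str, str, str, str, str]  # (device, user, src, finding type, detail)

# Constructed sample records; the last line is deliberately malformed.
SAMPLE_LOG = """\
2016-06-30T08:01:12Z rtr-core-01 AAA: user=alice src=10.20.1.15 service=ssh result=PASS
2016-06-30T08:02:40Z rtr-core-01 AAA: user=admin src=10.20.9.77 service=ssh result=FAIL
2016-06-30T08:02:44Z rtr-core-01 AAA: user=admin src=10.20.9.77 service=ssh result=FAIL
2016-06-30T08:02:49Z rtr-core-01 AAA: user=admin src=10.20.9.77 service=ssh result=FAIL
2016-06-30T08:03:05Z rtr-core-01 AAA: user=admin src=10.20.9.77 service=ssh result=PASS
2016-06-30T08:10:00Z sw-agg-03 AAA: user=bob src=10.20.1.16 service=telnet result=PASS
2016-06-30T08:11:30Z sw-agg-03 AAA: user=bob src=10.20.1.16 service=ssh result=FAIL
this line does not follow the layout and is skipped by the parser
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """One record per line; lines that do not match the layout are skipped, not guessed at."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        match = RECORD.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def review_auth(records: List[Dict[str, str]]) -> List[Finding]:
    """Walk the records in time order; report failure bursts, a success that follows a
    burst from the same source, and every Telnet session (5.5.9 wants these in the log)."""
    failures: Dict[Tuple[str, str, str], int] = defaultdict(int)
    findings: List[Finding] = []
    for rec in records:
        key = (rec["device"], rec["user"], rec["src"])
        if rec["result"] == "FAIL":
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:  # report once, when the threshold is reached
                findings.append((*key, "failure_burst", f"{FAIL_THRESHOLD} failures by {rec['ts']}"))
        else:
            if failures[key] >= FAIL_THRESHOLD:
                findings.append((*key, "success_after_failures",
                                 f"succeeded after {failures[key]} failures at {rec['ts']}"))
            failures[key] = 0  # a success closes the failure run for this source
        if rec["service"] == "telnet":
            findings.append((*key, "telnet_access", f"clear-text management session at {rec['ts']}"))
    return findings


if __name__ == "__main__":
    for device, user, src, kind, detail in review_auth(parse_records(SAMPLE_LOG)):
        print(f"{device:<12} {user:<6} {src:<12} {kind:<23} {detail}")
```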

5.5.9.5 Use of System Utilities


Any use of utility programs that could override the system and application controls is
restricted and tightly controlled. Only utilities authorized for the remote management of
the servers, workstations and network devices are used. The security SPOC ensures that
third party default utilities are disabled. If, for troubleshooting purposes, there is a need to
use these utilities, the administrators of the servers and network devices ensure that such
utilities are enabled only for an authorized activity and are disabled immediately after
use. They ensure that activities carried out using such utilities are logged.

5.5.10 Mobile Computing and Tele-working


This covers network operations staff accessing information remotely, including over
mobile Internet access while travelling. The following controls are applied:
 Operations staff are allowed to connect remotely to the network from a mobile
computing device and access business information only after successful
identification and authentication;
 Operations staff are required to take special care of mobile computing
resources such as, but not limited to, laptops, mobile phones and handheld
devices (PDAs, BlackBerry devices, etc.) to prevent compromise and/or
destruction of business information;
 Virus definitions on laptops are updated regularly to prevent the corruption of
information stored on these devices;

18
Hartono Subirto 2016
Information Security Management

 A personal firewall is installed on staff laptops, with an appropriate policy
configured on it;
 Third-party staff are not allowed to connect their computing devices to the wired
or wireless network unless authorized by the Security officer;
 Authority and access rights are revoked and equipment is returned when the
tele-working activity ceases or when the employee leaves.

5.6 E-mail Security Policy


The E-mail Security Policy provides the directions to ensure that the E-mail system is not
vulnerable to interception, modification, interruption and/ or misuse.

5.6.1 Responsibility
THE OPERATOR security officer implements appropriate controls to prevent
interception, modification and interruption of the E-mail system. All THE OPERATOR
users of THE OPERATOR E-mail system are required to adhere to the E-mail Security
Policy.

5.6.2 Policy Statement and Objective


As a productivity enhancement tool, THE OPERATOR operations encourage the business
use of electronic messaging systems. E-mail security is of prime importance and suitable
technological and user level controls are implemented to maintain the confidentiality,
integrity and availability of the E-mail system.

The objectives of the E-mail policy are to:-


 Establish the rules for the business use of the E-mail system and to adequately
protect the information transmitted through E-mails;
 Ensure that the THE OPERATOR E-mail system is not used for malicious activities.

5.6.3 Authorized Use of E-mail


 All messages generated by the E-mail system are considered the property of
THE OPERATOR. The E-mail system is provided for business purposes; personal use
is permitted only to a reasonable extent and only where it does not damage the
information and/or reputation of THE OPERATOR operations.
 Users who receive offensive or unsolicited material from external sources are not
permitted to forward or redistribute it to peers or third-party staff.


5.6.4 Prohibited Use of E-mail


The E-mail system is not to be used for any of the following:
 Charitable fundraising campaigns, political advocacy efforts, private business
activities, or personal amusement and entertainment;
 Creating or distributing disruptive or offensive messages, including offensive
comments about race, gender, hair colour, disabilities, age, sexual orientation,
pornography, religious beliefs and practice, political beliefs or national origin;
 Forwarding or sending messages containing racial or sexual slurs, political or
religious solicitations, or any other content that could damage THE OPERATOR
reputation;
 Transmitting any material that may contain viruses, Trojan horses, worms, time
bombs or any other harmful or malicious program;
 Defaming, abusing, harassing, stalking or threatening anyone, or violating any
law, including privacy laws;
 Forwarding official E-mails to personal E-mail accounts such as Gmail, Yahoo
Mail, Hotmail, etc.;
 Surveys, contests, chain letters, junk E-mail, spamming or any duplicative or
unsolicited messages, or mail-bombing other users.

5.6.5 User Accountability


The following controls apply:
 Users must not use unauthorized web-mail services or portals;
 Users must not share their E-mail passwords with others under any
circumstances;
 Users must choose quality passwords as per the established standards;
 Users must not auto-forward their E-mails to an external E-mail address.

5.6.6 User Identity


The controls under this section include:
 Misrepresenting, obscuring, suppressing or replacing another user's identity on an
electronic communications system is forbidden;
 The user name, electronic mail address, organizational affiliation and other
information attached to electronic messages or postings reflect the actual
originator of the messages or postings;
 At a minimum, users provide their name and phone number in all electronic
communications. Electronic mail signatures indicating job title, company
affiliation, address and other particulars are recommended for all E-mail
messages.


5.6.7 Electronic Mail Encryption


All users are made aware that communications through the E-mail system are not
encrypted by default. Users who need to send information marked 'Confidential' or
'Strictly Confidential' are recommended to encrypt the E-mail before sending it.

5.6.8 Contents of Electronic Messages


 Users must not use profanity, obscenities or derogatory remarks in electronic
mail;
 All E-mail communications by E-mail users are consistent with the Code of
Conduct of THE OPERATOR.

5.6.9 Attachments and Virus Protection


 All malicious attachments are quarantined and deleted at the E-mail gateway/
server. THE OPERATOR E-mail administrator documents the malicious file
extensions that are blocked at the E-mail gateway/server level, ensures that
they are in fact blocked, and keeps this document updated;
 THE OPERATOR E-mail administrator implements E-mail content filtering and
virus protection software at the E-mail gateway/server.
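The extension blocklist described above is only as good as its matching logic. The following is an added example, not from the original document, of a gateway-side check over a message built with Python's email package: it normalizes attachment names the way Windows does (trailing dots and spaces are dropped, so a file named "setup.exe." runs as setup.exe), decides on the final suffix so that double extensions such as invoice.pdf.exe are caught, and also rejects parts whose declared content type is a Windows executable regardless of the name. The blocklist, the content types and the sample message are assumptions; an operator substitutes its own documented list.

```python
"""Attachment extension filter of the kind a mail gateway applies.

Added example, not from the original document. The extension list, the
content types and the sample message are assumptions for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Assumed blocklist: directly executable and script types.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "ps1", "hta", "msi", "lnk", "jar",
}
# Assumed: content types that denote a Windows executable whatever the name says.
BLOCKED_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-dosexec", "application/x-msdos-program",
}


def normalize_filename(name: str) -> str:
    """Reduce a filename to what Windows would actually open."""
    # Drop any directory component a crafted header might carry.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows strips trailing dots and spaces: "evil.exe." is opened as "evil.exe".
    return name.rstrip(". ").lower()


def blocked_reason(filename: Optional[str], content_type: str) -> Optional[str]:
    """Return why an attachment is blocked, or None if it passes."""
    if content_type.lower() in BLOCKED_CONTENT_TYPES:
        return f"executable content type {content_type}"
    if not filename:
        return None
    parts = normalize_filename(filename).split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        # The final suffix decides how the file is opened; call out the
        # "document.pdf.exe" pattern explicitly because it is the common lure.
        if len(parts) > 2 and parts[-2] not in BLOCKED_EXTENSIONS:
            return f"double extension ending in .{ext}"
        return f"blocked extension .{ext}"
    return None


def scan_message(raw: bytes) -> List[Tuple[Optional[str], str]]:
    """Return (filename, reason) for every attachment the gateway would block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        reason = blocked_reason(part.get_filename(), part.get_content_type())
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one benign attachment and three that must be blocked."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "noc@example.invalid"
    msg["Subject"] = "Monthly report"
    msg.set_content("Please find the files attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"MZ sample", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ sample", maintype="application", subtype="octet-stream",
                       filename="setup.exe.")
    msg.add_attachment(b"MZ sample", maintype="application", subtype="x-msdownload",
                       filename="update")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"BLOCK {name!r}: {reason}")
```

A name-based check remains a first line only: it does not look inside archives, and a renamed executable with a harmless extension passes it, which is why the policy pairs it with virus protection at the same gateway.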

5.6.10 Disclaimer
An approved disclaimer is appended to all electronic messages intended for domains.

5.6.11 Monitoring and Enforcement


 The users have no expectation of privacy in anything they store, send or receive
on the Email system. THE OPERATOR reserves the right to monitor all the
messages without prior notice;
 Users of the E-mail system are required to comply with the THE OPERATOR E-
mail Security Policy.

5.7 Internet Policy


The Internet Policy sets standards for the systems that monitor and limit web use from any
host within THE OPERATOR network. These standards are designed to ensure that THE
OPERATOR users and operations staff use the Internet in a safe and responsible manner,
and that web use can be monitored or reviewed during an incident.

5.7.1 Responsibility
THE OPERATOR security officer implements appropriate controls within the network
operations. All THE OPERATOR users, operations staff and third-party staff using the
Internet service of the network are required to adhere to the Internet Security Policy.

5.7.2 Web Site Monitoring


THE OPERATOR operations team monitors Internet usage from all computers and
devices connected to the network. For all traffic, the monitoring system records the
source IP address, the date, the time, the protocol, and the destination site or server.
Where possible, the system also records the user ID of the person or account initiating
the traffic. Internet usage records are preserved for the number of days defined in THE
OPERATOR retention policy.

5.7.3 Access to Web Site Monitoring Reports


Trending and activity reports are made available by THE OPERATOR operations team to
THE OPERATOR management on request. THE OPERATOR users are provided with
access to reports and data on security incidents where necessary.

5.7.4 Internet Use Filtering System


THE OPERATOR operations team blocks access to Internet websites and protocols that
are deemed inappropriate for THE OPERATOR environment. The following protocols
and categories of websites are blocked:
 Adult/Sexually Explicit Material
 Advertisements & Pop-Ups
 Chat and Instant Messaging
 Gambling
 Hacking
 Illegal Drugs
 Intimate Apparel and Swimwear
 Peer to Peer File Sharing
 Personals and Dating
 Social Network Services
 SPAM, Phishing and Fraud
 Spyware
 Tasteless and Offensive Content
 Violence, Intolerance and Hate
 Web Based Email


5.7.5 Internet Use Filtering Rule Changes


THE OPERATOR operations team periodically reviews the web and protocol filtering
rules and recommends changes. THE OPERATOR security officer reviews these
recommendations and decides whether any changes are to be made.

5.7.6 Internet Use Filtering Exceptions


 If a site is mis-categorized, THE OPERATOR users request that it be un-blocked
by submitting a request to THE OPERATOR operations team. THE OPERATOR
operations team reviews the request and, with THE OPERATOR Security officer's
approval, un-blocks the site if it is indeed mis-categorized;
 THE OPERATOR users may access blocked sites with permission where this is
appropriate and necessary for business purposes;
 If a THE OPERATOR user needs access to a site that is blocked and correctly
categorized, they submit a request to THE OPERATOR operations team. THE
OPERATOR operations team presents all approved exception requests to THE
OPERATOR security officer. Once THE OPERATOR security officer approves, the
Operations team unblocks that site or category for that user only.
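Sections 5.7.2 to 5.7.6 together describe one mechanism: the proxy records source IP, time, protocol, destination and, where possible, the user ID; the category list decides what is blocked; and an approved exception unblocks a category for one user only. The following added example, not from the original document, runs that logic over constructed proxy log lines. The log layout, the domain-to-category map, the user names and the exception entries are assumptions. One consequence it makes explicit: because an exception is granted to a user, traffic the proxy could not attribute to a user cannot benefit from one.

```python
"""Proxy-log review against the blocked-category list, with per-user exceptions.

Added example, not from the original document. The log format, the
domain-to-category map, the user names and the exception entries are
constructed assumptions; a deployment takes categories from the filtering
product's feed and exceptions from the approved request register.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Categories the policy lists as blocked (subset used here).
BLOCKED_CATEGORIES = {
    "Gambling", "Hacking", "Peer to Peer File Sharing", "Web Based Email",
    "Social Network Services", "SPAM, Phishing and Fraud", "Spyware",
}

# Assumed category feed: hostname suffix -> category.
CATEGORY_BY_DOMAIN = {
    "bet.example": "Gambling",
    "webmail.example": "Web Based Email",
    "exploits.example": "Hacking",
    "vendor.example": "Business",
}

# Assumed approved exceptions (5.7.6): user ID -> categories unblocked for that user only.
APPROVED_EXCEPTIONS = {
    "j.doe": {"Web Based Email"},
}


@dataclass(frozen=True)
class Event:
    timestamp: str
    src_ip: str
    protocol: str
    dest: str
    user: Optional[str]   # None when the proxy could not attribute the request


def parse_line(line: str) -> Event:
    """Assumed log layout: '<timestamp> <src_ip> <protocol> <dest_host> <user|->'."""
    ts, src, proto, dest, user = line.split()
    return Event(ts, src, proto.lower(), dest.lower(), None if user == "-" else user)


def categorize(host: str) -> str:
    """Longest-suffix match, so sub.exploits.example inherits its parent's category."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_BY_DOMAIN:
            return CATEGORY_BY_DOMAIN[candidate]
    return "Uncategorized"


def decide(event: Event) -> Tuple[str, str, str]:
    """Return (decision, category, reason) for one event."""
    category = categorize(event.dest)
    if category not in BLOCKED_CATEGORIES:
        return "allow", category, "category not blocked"
    # An exception belongs to a user, so unattributed traffic cannot use one.
    if event.user and category in APPROVED_EXCEPTIONS.get(event.user, set()):
        return "allow", category, f"approved exception for {event.user}"
    if event.user is None:
        return "block", category, "blocked category, request not attributed to a user"
    return "block", category, "blocked category"


def review(lines: List[str]):
    """Decide every line; each row is (src_ip, dest, user, decision, category, reason)."""
    return [(e.src_ip, e.dest, e.user) + decide(e) for e in map(parse_line, lines)]


# Constructed sample log lines (assumed format and values).
SAMPLE_LOG = [
    "2016-03-01T09:15:02 10.0.0.21 https webmail.example j.doe",
    "2016-03-01T09:15:40 10.0.0.22 https webmail.example a.khan",
    "2016-03-01T09:16:11 10.0.0.23 http bet.example -",
    "2016-03-01T09:17:05 10.0.0.21 https vendor.example j.doe",
    "2016-03-01T09:18:30 10.0.0.24 https sub.exploits.example -",
]

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(row)
```

The same decision function serves two purposes in the policy: applied inline it enforces 5.7.4, and applied to retained records it answers the incident-time question of who reached a blocked category and under which exception.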

5.8 Antivirus Policy


The Antivirus policy sets the requirements that all computers connected to the network
meet to ensure effective virus detection and prevention. It applies to all network computers
that are PC-based or utilize PC file directory sharing, including but not limited to desktop
computers, laptop computers and Windows-based servers.

5.8.1 Responsibility
IT Administrator is responsible for creating and implementing the antivirus procedures in
the NOC network.

5.8.2 Policy
 All PC-based computers have standard, supported anti-virus software installed
and scheduled to run at regular intervals;
 The anti-virus software and the virus pattern files are kept up to date;
 Virus-infected computers are removed from the network until they are verified
as virus-free;
 The IT Administrator is responsible for creating procedures that ensure anti-virus
software is run at regular intervals and computers are verified as virus-free;


 Any activities with the intention to create and/or distribute malicious programs
into networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are
prohibited.

5.9 Management of Security Breaches and Incidents


All security breaches, attempts to breach and discovered security weaknesses in
information systems are reported and follow the Incident Management process. The
Incident & Problem Management process ensures that all reported security breaches or
weaknesses are responded to promptly and that actions are taken to prevent recurrence.

The objective is to:


 Develop proactive measures to minimize the impact of any incident on
information systems;
 Create awareness and encourage users to report the security weaknesses and/or
incidents that they identify;
 Enable proactive management of problems by capturing data that can be used to
analyse trends and problem areas, thereby preventing security incidents from
occurring;
 Learn from incidents and continually improve information security within
network operations.

5.9.1 Incident Identification & Handling


 A security incident is defined as an act that violates the security policy. The
following is an illustrative list of actions that can be classified as incidents:
o Attempts to gain unauthorized access to a system or its data, including
masquerading or spoofing as authorized users;
o Unwanted disruption or denial of service;
o Unauthorized use of a system for processing, transmitting or storing data,
whether by authorized or unauthorized users;
o Changes to system hardware, firmware or software characteristics, or to data,
without the knowledge of the application owner;
o Existence of unknown user accounts.
 Appropriate detective mechanisms are designed for timely detection of information
security incidents;
 Preventive controls are put in place to minimize the occurrence of information
security incidents;
 All information security incidents are recorded;
 Appropriate forensic methods are applied, whenever required, to collect
evidence in the course of investigating information security incidents.


5.9.2 Learning from Information Security Incidents


Key learning activities include:
 The Incident/Problem Management team updates the known error database (KEDB)
with the information gained from the evaluation of all information security
incidents;
 The KEDB is referred to during incident handling and as a learning source on
information security incidents;
 The NOC shift leader and the Operations manager periodically organize and conduct
training sessions/workshops to create awareness of security incidents and
controls;
 Overall Information Security policy


6. INFORMATION SECURITY MANAGEMENT SYSTEM

6.1 Process Model


[Process model diagram: Information Security Management System. Swimlane headers as
extracted: MOI, NEMO, STC, NEMO, NEMO NOC, MCs. Flow: Business requirements ->
Establishing Security Policies -> Formulating Plan -> Implement & Support Security
Controls & Policy / Implement Security Controls as per Plan -> Evaluate the security
compliance -> Monitor the Security Management System -> Review & Update]

6.2 Process Specification


Summary/Purpose: ISM provides directions to the network operations on Information
Security and ensures that appropriate security controls are implemented to maintain
and manage the information security in network operations.

Scope: This is a level 1 Process Specification.

Primary ITIL Reference: Information Security Management

Related ITIL Practices: Change Management, Service Level Management, Service
Continuity Management, Access Management, Incident Management, Configuration
Management, Capacity Management, Problem Management and Availability Management.

Related Business Driver:
 To maintain Confidentiality, Integrity and Availability of information and assets

Related Operational Policies: OP-001, OP-002 (Ref: 7.5)

Assumptions:
 Security policies are established by
 Security plan is formulated by in discussion with third parties

Trigger:
 Business Requirement
 Security Policy

Basic Course of Events:
1. Business Requirement
2. Establish Security policies
3. Develop security plan
4. Implement the controls as per policy & plan
5. Evaluate the security compliance
6. Monitor the effectiveness of the security management system
7. Review and update

Alternate Path: Nil

Exception Path: If, while monitoring, any security threat or vulnerability is observed:
1. Escalate to the management
2. Escalate to the third party
3. Get technical support from the third party to handle it

Extension Points: Change Management; Service Level Management; Service Continuity
Management

Preconditions:
1. Policy & Plan is available
2. Availability of necessary information & resources

Post-conditions:
1. Monitor the security management system
2. Maintain compliance

Related Business Rules*: BR-001 (Ref: 7.1)

Related Risks*: RSK-001, RSK-002 (Ref: 7.2)

Related Quality Attributes: QA-001, QA-002 (Ref: 7.3)

Related Data Quality Dimensions: DQ-001, DQ-002 (Ref: 7.4)

Related Primary SLA Terms: SLA-001 (Ref: 7.9)

Related KPIs: KPI-001 (Ref: 7.6)

Related CTQs*: CTQ-001 (Ref: 7.7)

Actors/Agents: THE OPERATOR, , NOC, MCs

Delegation:
Delegation Rule 1: Agent Not Available
1. Delegate the issue to an additional agent with the same role
2. Update the issue
3. Log the delegation
Delegation Rule 2: Agent Overloaded
1. Delegate the issue to an additional agent with the same role
2. Update the issue
3. Log the delegation

Escalation:
Escalation Rule 1: Security Incident Observed. Escalate to the levels as defined below:
1. Shift Leader
2. Operations Manager
3. NOC Manager
4. Management

Process Map: Section 5.1; Section 5.2

Process Model: Section 6.1

Other References:
 CTQs
 KPIs
 Abstract Time Scale


6.3 Roles and responsibilities


THE OPERATOR
 Request for services
 Defining the requirements

(role not named on the page)
 Establishing security policies
 Formulating security plan
 Seeking support from third parties
 Guide NOC for implementing the controls
 Review the effectiveness of the Security Management System

NOC
 Act as a bridge between customers and operations
 Validate the requirements
 Keep the operations process and procedures up to date
 Implement the control measures as defined in policies and plans
 Support the operations for compliance
 Monitor the effectiveness of the Security Management System
 Escalate security incidents to the defined levels
 Co-ordinate with third parties for security support
 Create awareness on security measures and controls
 Conduct training for the team on security management
 Establish operational measures and monitor them
 Review periodically with the customer
 Monitor the SLA and OLA performance related to security compliance
 Raise security-related issues to the management
 Implement RFCs as per the Change Management process
 Maintain information assets and update and track them periodically

MCS
 Implement the control measures as defined in policies and plans
 Support the NOC for implementation
 Adhere strictly to security policies and compliance
 Maintain confidentiality and integrity of information
 Maintain the information assets and update the NOC periodically


7. REFERENCE

7.1 Business Rules


BR-001
 Description: Security policies and plans are established and are maintained
 Context: Operations
 Rule Source: NA

7.2 Risk
RSK-001
 Description: Security controls validation criteria not defined in acceptance testing
 Source: (not given)
 Severity Level: 5
 Status: TBD
 Resolution: TBD

RSK-002
 Description: Security controls not implemented in operations
 Source: Operations
 Severity Level: 5
 Status: TBD
 Resolution: TBD

7.3 Quality Attribute


QA ID Description Threshold
QA- 001 Authenticity TBD
QA - 002 Non Repudiation TBD

7.4 Data Quality Dimension


DQ ID Description Threshold
DQ - 001 Accuracy TBD
DQ - 002 Timeliness TBD


7.5 Operation Policy


OP-001
 Description: NOC follows the Security policy of THE OPERATOR for using e-mails
 Context: Operations
 Importance (1-5): 5

OP-002
 Description: Only authorised users are allowed to access the information
 Context: Operations
 Importance (1-5): 3

7.6 KPI
KPI-001
 Acronym: PCIWT
 Description: Policy changes implemented within timeline
 Context: Operations
 Importance: 5
 Soft Threshold: TBD
 Hard Threshold: TBD

7.7 Critical To Quality CTQ


CTQ-001
 Acronym: DPCIWT
 Description: Deviations in PCIWT
 Context: Operations
 Importance: 5
 Soft Threshold: TBD
 Hard Threshold: TBD

7.8 Abstract Time-Scale


Name Acronym Description Quantification
NA NA NA NA


7.9 SLA Terms


SLA-001
 Description: ACL or Security policy change
 Context: Operations
 KPI: Percent of changes completed within target (within the specified timing on the request)
 OPI: NA
 CTQ: NA


8. GLOSSARY/ACRONYMS

Terminology Description
AAA Authentication, Authorization and Accounting
BPMN Business Process Modelling Notation
CIA Confidentiality, Integrity and Availability
CTQ Critical to Quality
DQ Data Quality Dimension
EMS Element Management System
IDS Intrusion Detection System
IPS Intrusion Prevention System
ISMS Information Security Management System
KEDB Known Error Database
KPI Key Performance Indicator
MC Maintenance Center
THE OPERATOR Ministry of Interior
NE Network Element
Network Modernization
NMS Network Management System
NOC Network Operations Centre
OLA Operation Level Agreement
PDA Portable Digital Assistant
QA Quality Attribute
RSK Risk
SLA Service Level Agreement
