Contents
1. PURPOSE ........................................................................................ 5
2. STRUCTURE OF THE DOCUMENT ........................................................... 6
3. SCOPE ............................................................................................ 7
4. GENERAL ASSUMPTIONS ..................................................................... 8
5. INFORMATION SECURITY MANAGEMENT FRAMEWORK .............................. 9
5.1 ISM Interactions ............................................................................... 9
5.2 ISMS Framework ............................................................................. 10
5.2.1 Security Policy ................................................................................ 10
5.2.2 Planning....................................................................................... 10
5.2.3 Implementation .............................................................................. 10
5.2.4 Support ....................................................................................... 10
5.2.5 Evaluation..................................................................................... 11
5.2.6 Monitoring .................................................................................... 11
5.3 ISM Policy ..................................................................................... 11
5.4 Asset Management Policy .................................................................... 11
5.4.1 Responsibility ................................................................................. 11
5.4.2 Policy Statement and Objective .............................................................. 12
5.4.3 Asset Register................................................................................. 12
5.4.4 Information Classification .................................................................... 12
5.4.5 Information labeling and handling ........................................................... 13
5.5 Access Control Policy ......................................................................... 13
5.5.1 Responsibility ................................................................................. 13
5.5.2 Policy Statement and Objective .............................................................. 13
5.5.3 User Access Management .................................................................... 14
5.5.4 User Identity Management .................................................................. 14
5.5.5 Password Management Policy ............................................................... 14
5.5.6 User password management ................................................................. 15
5.5.7 Review of User Access Rights ................................................................ 15
5.5.8 User Responsibilities for Access Management .............................................. 15
5.5.8.1 Password use management ............................................................... 16
5.5.8.2 Unattended User Equipment .............................................................. 16
5.5.9 Device Security Controls ..................................................................... 16
5.5.9.1 Remote Access Control Policy ............................................................. 17
Hartono Subirto 2016
Information Security Management
7. REFERENCE ....................................................................................30
7.1 Business Rules ................................................................................ 30
7.2 Risk ............................................................................................ 30
7.3 Quality Attribute.............................................................................. 30
7.4 Data Quality Dimension ...................................................................... 30
7.5 Operation Policy .............................................................................. 31
7.6 KPI............................................................................................. 31
7.7 Critical To Quality CTQ ....................................................................... 31
7.8 Abstract Time-Scale .......................................................................... 31
7.9 SLA Terms ..................................................................................... 32
8. GLOSSARY/ACRONYMS......................................................................33
1. PURPOSE
Chapter–3: Scope: In this chapter we present the scope of the document and of the
process.
Chapter–6: Information Security Management System: All the processes are depicted
and specified rigorously using BPMN and process specification templates.
Chapter–7: References: In this chapter we present, in tabular format, the details
supporting the Information Security Management process. This chapter describes
Business Rules, Risk, Quality Attributes, Data Quality Dimensions, Operation Policy, KPI, CTQ,
Abstract Time-Scale and SLA terms.
3. SCOPE
The ISM is applicable to all information assets of network operations. An information asset
is a definable piece of information, stored and/or processed in any manner, which is
recognized as valuable to the network operations. The types of information assets are:
software, physical assets, documents, services, people, and information that is
physically or electronically stored, processed and/or transmitted by any of the
aforesaid types of assets.
Objectives:
ISM provides direction to the network operations on Information Security and ensures that
appropriate security controls are implemented to maintain and manage information
security in network operations.
4. GENERAL ASSUMPTIONS
[Figure: ISM Interactions. Information Security Management (Policies & Controls) shown with
its interfacing processes and artefacts: Configuration Management, Capacity Management,
Change Management, IT Service Continuity Management, Access Management, Availability
Management; Asset Information, Information Policies, Reports, SLA requirements, Problem
Records, Security Incidents.]
5.2.2 Planning
Security Management draws up a security plan that covers customers' needs and
information access protocols, and collaborates with Service Level Management on
defining SLAs, OLAs and other contracts.
[Figure: ISMS Framework process flow. Service Requirement feeds Security Policies, followed
by Planning, Implementation, Support and Evaluation.]
5.2.3 Implementation
Security Management is responsible for:
Applying the security measures established in the policy and plan;
Training personnel on security and information access procedures;
Collaborating on the resolution of security-related incidents.
5.2.4 Support
It includes:
Complying with security standards agreed with the customers and the service
providers;
Ensuring that the equipment and the test procedures are up to date;
5.4.1 Responsibility
The asset owners are responsible for identifying, classifying, labelling and ensuring the
protection of the information assets. The asset custodians are responsible for the
implementation of the required controls for the protection of information assets. The
asset users are responsible for handling information assets as per the classification of
the asset.
Detailed information is explained in Service Asset and Configuration Management.
Restricted: This classification applies to the most critical assets, which are intended strictly
for use within network operations. Their unauthorised disclosure could adversely impact the
business and/or its customers, leading to legal and financial repercussions and adverse
public opinion. Information that is sometimes considered private is included in
this classification.
Some examples include:
Business strategy documents
Business initiatives document
Agreement copies
Internal: This classification applies to all other information which does not clearly fit into
any of the other three classifications. While its unauthorised disclosure is against the
policy, it is not expected to adversely impact the business, employees, customers,
stockholders and/or business partners.
Some examples include:
Telephone directory
Training materials and manuals
Internal staff circulars
5.5.1 Responsibility
It is the responsibility of the Security officer to implement and maintain the controls
defined in the Access Control Policy.
and the security of user equipment. This is facilitated through training or awareness
program conducted within network operation.
authorized support third parties for the purpose of diagnostics and fault repairs.
Such uploads are executed only if authorized by the owner of the equipment and
the Security officer;
Use of personal mail services is restricted in network operations.
5.6.1 Responsibility
The THE OPERATOR security officer implements appropriate controls to prevent
interception, modification and interruption of the E-mail system. All THE
OPERATOR users of the THE OPERATOR E-mail system are required to adhere to the
E-mail Security Policy.
5.6.10 Disclaimer
An approved disclaimer is appended to all electronic messages intended for domains.
5.7.1 Responsibility
The THE OPERATOR security officer implements appropriate controls within the
network operations. All THE OPERATOR users, operation staff and third-party staff
using the Internet system of the network are required to adhere to the Internet Security
Policy.
5.8.1 Responsibility
The IT Administrator is responsible for creating and implementing the anti-virus procedures in
the NOC network.
5.8.2 Policy
All PC-based computers have standard, supported anti-virus software installed
and scheduled to run at regular intervals;
In addition, the anti-virus software and the virus pattern files are kept up to
date;
Virus-infected computers are removed from the network until they are verified
as virus-free;
The IT Administrator is responsible for creating procedures that ensure anti-virus
software is run at regular intervals and that computers are verified as virus-free;
Any activities with the intention to create and/or distribute malicious programs
into networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are
prohibited.
[Figure: Information Security Management process flow. Business requirements feed
Establishing Security Policies, followed by Formulating Plan, Evaluate the security
compliance, and Review & Update.]
7. REFERENCE
7.2 Risk
Risk ID   Description                                            Source       Severity Level   Status   Resolution
RSK-001   Security controls validation criteria not defined in                5                TBD      TBD
          acceptance testing
RSK-002   Security controls not implemented in operations        Operations   5                TBD      TBD
7.6 KPI
Name      Acronym   Description                                  Context      Importance   Soft Threshold   Hard Threshold
KPI-001   PCIWT     Policy changes implemented within timeline   Operations   5            TBD              TBD
8. GLOSSARY/ACRONYMS
Terminology Description
AAA Authentication, Authorization and Accounting
BPMN Business Process Modelling Notation
CIA Confidentiality, Integrity and Availability
CTQ Critical to Quality
DQ Data Quality Dimension
EMS Element Management System
IDS Intrusion Detection System
IPS Intrusion Prevention System
ISMS Information Security Management System
KEDB Known Error Database
KPI Key Performance Indicator
MC Maintenance Center
THE OPERATOR Ministry of Interior
NE Network Element
Network Modernization
NMS Network Management System
NOC Network Operations Centre
OLA Operation Level Agreement
PDA Portable Digital Assistant
QA Quality Attribute
RSK Risk
SLA Service Level Agreement