ANNEX 2 Security Management Plan


The following pages define our draft security management plan (a complete and up-to-date plan shall be submitted to The Authority within 20 days of contract award as per Schedule 2.4, para 4.1)

IBM Process Definition
Release:
Publication Date: January 2015
Product Number:
IBM Product Owner:
Product Author(s):

CONTROL RATINGS
Protective Marking: NOT PROTECTIVELY MARKED
Associated Baseline
Product Title:
Product Number:
IBM Product Owner:

IBM MANAGEMENT APPROVAL
RESPONSIBILITY | NAME | SIGNATURE | DATE
IBM Programme Director
Project Design Authority

PRODUCT OWNER APPROVAL
This Product has been agreed to have met the Product description and therefore meets its purpose. It is confirmed that the product is consistent with all other products at the date signed.
RESPONSIBILITY | NAME | SIGNATURE | DATE
IBM Product Owner

The following stakeholders' interests have been consulted and their views taken into consideration. (Type names; no signature required.)
Transition Lead
Transformation Lead
Technical Solution Lead

DOCUMENT HISTORY & REVISION INFORMATION
Release | Date | CR No. | Description of Change

CONTENTS
LIST OF ABBREVIATIONS AND ACRONYMS
REFERENCE DOCUMENTS
GLOSSARY OF TERMS
INTRODUCTION
    Purpose
    Scope
MANAGEMENT OF THE SECURITY MANAGEMENT PLAN
    Review, approval and document control
    Changes to this data security plan
DATA SECURITY AND PRIVACY RISKS
    Data Security and Privacy Risks
MANAGING DATA SECURITY AND PRIVACY
    Introduction
    Client-specified, Industry and Local Regulations
    System Inventory
    Training and On / Off-Boarding
    Workplace Security (WPS)
    User Id Administration and Access Controls
    Data
    Management Review
    Incident Management & Reporting
DATA INVENTORY
    Overview
    Roles and Responsibilities
    Create or Update PI/SPI/BSI Inventory
    Procedure Frequency
    Procedure Steps

FIGURES
No table of figures entries found.

TABLES
Table 3-1: Risk Areas

List of Abbreviations and Acronyms
CS: Connectivity Services
IUS: Integrated User Services
SOM: Secure Operating Model

Reference Documents
Documents are referenced using the convention: RD/n, where n represents the number of the document in the following list:
RD/1:

Glossary of Terms
None

1 - INTRODUCTION

1.1 Purpose
This document defines the plan and controls used to manage and support access to the client's systems, production environment and personal information, sensitive personal information and business sensitive information (PI/SPI/BSI)
Note:
a) Access to the client's system and especially the production environment containing PI/SPI/BSI by any Workforce Member is a risk to the project, and must be managed in accordance with the Continuous Risk Management Procedure (IMSP600)
b) The IBM project team includes all IBM Workforce Members, including sub-contractors, global delivery resources, and external third party suppliers
The purpose of this data security plan is to:
Document the client's security and privacy requirements
Describe the types of client data that will be handled by IBM (for example, PI/SPI/BSI) and the form in which that data will be provided (for example, systems, applications, paper documentation, downloads, and so on)
Describe the system environments and the types of data contained in all systems or environments to which IBM Workforce Members have access
Document the processes used by IBM to manage and support access to the Client project environments where PI/SPI/BSI is displayed or stored
Ensure that all members of the IBM project team are aware of:
a) How the use, access, process, management and/or transfer of client data (PI/SPI/BSI) will be managed and how it needs to be protected, and
b) Their roles within the project in managing and supporting the use, access, process and/or transfer of client data

1.2 Scope
This plan applies to all work performed for the Client under the terms of this contract.

1.2.2 The scope of this plan includes:
The client specified data security and privacy requirements in accordance with the Agreement for Exchange of Confidential Information and its supplement dated August 2013 [RD/1]
The requirements and controls for working across the client, IBM and home office sites
The definition of Personal Information, Sensitive Personal Information and Business Sensitive Information
The Client project client sensitive data that is accessed on client internal websites, the data that is contained on or sourced from any production environment, and any data copied from production for test or development
The training that IBM Workforce Members must take to enable them to manage and support access to the client's systems and information
a) Workplace Security controls to ensure security of the client's PI/SPI/BSI at the workplace
b) The data security techniques used for controlling and restricting access to the client's systems and PI/SPI/BSI in all environments (including development, test and production environment). These techniques can include:
    i) Storage and disposal of PI/SPI/BSI
    ii) Data encryption
    iii) Data masking
    iv) Simulated production environment
    v) Dummy data
    vi) Trans-border movement of data
The controls for restricting user access to the client's system or data, including:
a) User authorization
b) Maintaining the user access log
c) Periodic re-validation of user access
d) Revoking user access
e) Managing Privileged User accesses
f) Managing Shared User and Emergency ID accesses

Separation of Duties to reduce the risk of misuse of client code and assets
Change management, risk management and issue management is exercised as part of Management Reviews
Secondary controls to mitigate risks

2 - MANAGEMENT OF THE SECURITY MANAGEMENT PLAN

2.1 Review, approval and document control
This document is reviewed annually by the IBM Programme Director, and when significant project changes occur. The review participants will include:
a) TBC - Transformation Lead
b) TBC - Transition Lead
c) TBC - Technical Solution Lead
Reviewers comment on changes to the document by emailing agreement to the product owner
This document is approved by:
a) TBC - Programme Director
b) IBM UKI DSP Risk Team Task ID
The document may be approved by
This data security plan and associated security documentation is stored in Team Room repository on IBM Connections.

2.2 Changes to this data security plan
IBM Workforce Members may initiate changes to this data security plan. The changes will be negotiated with and reviewed by the key stakeholders
All changes to the document are recorded in the revision history, located at the beginning of the document
A member of IBM authors changes. The document is then reviewed and approved as outlined in section 2.1, Review, approval and document control.

3 - DATA SECURITY AND PRIVACY RISKS

3.1 Data Security and Privacy Risks
Below are the risk characteristics of the client's project and a mapping to the controls implemented to mitigate those risks. Additional details on the controls are included in this security plan. All risks listed below have been captured in risk logs and evaluated as part of the client's project Risk Management Procedure.

Table 3-1: Risk Areas

Risk Area: Protectively marked data will be accessed by ineligible IBM workforce members
Mitigating Controls: Conduct On/Off boarding, risk management

Risk Area: Some IBM workforce members will sit at the client site
Mitigating Controls: BCG, Project specific training, Workplace Security Rules, Risk Management

Risk Area: Some IBM workforce members will sit at client sites
Mitigating Controls: BCG, Project specific training, Workplace Security Rules, Risk Management

Risk Area: Some IBM workforce members will sit at Home Office sites
Mitigating Controls: BCG, Project specific training, Workplace Security Rules, Risk Management, ITCS300 adherence, Work at Home Guidance

Risk Area: Some IBM workforce members will use client workstations
Mitigating Controls: BCG, Project specific training, Workplace Security Rules, Risk Management

Risk Area: IBM workforce members will have use of IBM and client systems
Mitigating Controls: BCG, Project specific training, Workplace Security Rules, Risk Management, Access Management

Risk Area: Sub-contractors will have access to client data
Mitigating Controls: Use of IBM or client-provided systems, BCG, Project specific training, Workplace Security Rules, Risk Management, ITCS300 adherence (for IBM systems)

Risk Area: Some IBM workforce members will have access to PI/SPI/BSI in protected or unprotected formats
Mitigating Controls: BCG, Project specific training, Workplace Security Rules, Risk Management

Risk Area: Some IBM workforce members will have access to regulated data
Mitigating Controls: BCG, Project specific training, Workplace Security Rules, Risk Management

Risk Area: Some IBM workforce members will access Production systems and data
Mitigating Controls: Use of client-provided systems, BCG, Project specific training, Workplace Security Rules, Risk Management

4 - MANAGING DATA SECURITY AND PRIVACY

4.1 Introduction
This section describes the control activities implemented.

4.2 Client-specified, Industry and Local Regulations
Client security requirements are specified in RD/1 including annex (located in the Team Room repository on IBM Connections), which in turn refers to other sources which are available as required on request either from the Client Team Room, or physically in the IL3 project room, e.g. JSP440. In each case access is restricted to authorised users
In addition, all IBM and contractor workforce staff must adhere to IBM rules governing their handling of sensitive data in line with standard IBM Public Sector processes.

4.3 System Inventory
The following client systems are to be used by the IBM workforce:
IBM Team Room: IBM intranet based system containing client bid and client related information for use by IBM personnel only;
Client Team Room: Internet based system containing client bid and client related information for use by bid partnership;
The following workstations are to be used by the IBM workforce:
IBM Laptops: IBM owned and managed assets for use by team members, connecting to Client guest network while on site
IL3 Laptop: Available in Client IL3 location containing Restricted and client regulated information, air-gapped from networks.

4.4 Training and On / Off-Boarding
In order to maintain a strong awareness of security practices needed on this engagement, all IBM workforce members supporting the client engagement must:
Receive an on-boarding briefing from the responsible member of the project management team (i.e. line manager of new member) prior to, or immediately on joining the project.

a) Confirmation of completion of on-boarding briefing is submitted to the Programme Director and maintained in the project control book
b) On-boarding briefing is reviewed for an update whenever there is a significant change to the engagement or at least annually. All reviews and updates are approved by the Programme Director
Read the data security plan as part of on-boarding and within 30 business days of joining the engagement; and annually thereafter
a) Confirmation of review of data security plan is submitted to the On-Boarding Coordinator or the PM by the workforce member and is maintained in the project control book
b) The data security plan is updated and approved according to the plan description
All members of the IBM workforce must ensure adherence to the IBM training programme including:
a) Annual IBM Business Conduct Guidelines training and recertification

On and Off Boarding
On-boarding and Off-boarding of the Project workforce members is conducted by the responsible member of the project management team, and includes all of the workforce, IBM members and subcontractors
The on-boarding checklist referenced at RD/2 is used to on-board all new workforce members. The Programme Director administers on-boarding and completion of on-boarding is required on the start date of the new workforce member and recorded in the Project Control book
Updates to the on-boarding and off-boarding process will require review and approval by the project management team reviewers and approvers, and will be communicated to the existing team members if applicable
A member of the project management team is assigned to coach each new IBM Workforce Member for 1 month
The following Client on-boarding requirements have been incorporated into the on-boarding checklist:
a) Security clearances
b) Process for gaining access to Client and MOD systems/data

A member may access non-BSI information related to the project prior to the completion of the on-boarding process, but access to the client systems must await the completion of the process
The off-boarding checklist referenced at RD/2 is used to off-board all departing workforce members. The Programme Director administers off-boarding. The off-boarding process begins one week prior to the planned date of departure and completion of off-boarding is required by the end of the day of departure of the workforce member from the team
The following Client off-boarding requirements have been incorporated into the off-boarding checklist:
a) Confirmation of removal of any sensitive data from the leaver's IBM laptop, phone or other memory device.

4.5 Workplace Security (WPS)
Workplace Security Processes are documented in the Workplace Security Document [RD/3]

Workstation and Laptop Security
Workstations used by IBM workforce members must comply with ITCS300 which states:
a) Only IBM or client workstations are used when accessing or storing client PI/SPI/BSI
b) IBM information is not to be stored on client workstations
c) Unless using a client workstation, all workforce member workstations used to conduct IBM business are registered in ISAM (especially if SPI data will be stored)
Screens must be locked when the laptop is left unattended and should be secured to prevent physical removal. Physical documentation and media must not be left unattended
IBM Laptops may use the Client network to obtain internet access, and IBM-provided VPN technologies must be used to connect through to the IBM corporate network. Individual authentication details must be obtained and used by each individual from the Client Reception Desk. Laptops using this connection must adhere to ITCS300, use the IBM VPN for the transfer of data, and ensure that IBM firewalls and share configurations do not permit access to data on the laptop

Office Security

Access to the Client IL3 area is through badge control and PIN entry, which are issued by the Client Security Office and require sponsorship from the Client team (to be requested as part of on-boarding process) RD/
Visitors to the Client IL3 location (classed as anyone without a badge activated for access to the IL3 area) must be signed in and escorted at all times
The Client IL3 area is operated as a Hot Desk environment and all documents and equipment must be cleared at the end of the working day
Classified documents must not be left unattended in the office and should be secured and not removed from the IL3 area

Supporting Processes and Documentation
Workstation Security Tool (WST) reports for ITCS300 compliance for IBM workstations are accessible by the workforce member and available through personnel manager
Workplace Security [RD/3] contains the full Workplace Security process details.

4.6 User Id Administration and Access Controls
Access to the systems will be authorised by the line manager and recorded in the Project Control Book including the following information
i) IBM team member name
ii) IBM team member type (for example, Regular, Subcontractor and so on)
iii) Serial number
iv) Manager's name
v) Role on the team (for example, developer, tester, and so on)
vi) Environment, application, database, network, and so on, for which access is granted
vii) The type of access to the system (for example, read only, read/write/update, Administrator access)
viii) Business Justification for the access
ix) Date access was granted, which system
x) Date access was revoked, which system
These details will be validated on an annual basis, to ensure appropriate rights are in place and remove any obsolete details
Further details for client system user ID administration and access control processes are contained within the DCNS User ID Administration and Access Controls document [RD/5]

Client Team Room

The Client Team Room provides the storage mechanism for files being shared between the Client Team Partners. It is controlled and maintained by Client with access permitted to members of the team across the partner companies
Access to the Client Team Room is administered by the Client team and a request for access will be submitted by the line manager via email as part of the on-boarding process. Access will be revoked as part of the off-boarding process via request from the line manager. The user list will be kept in the Project Control Book
The ID for access will be the user's IBM address, and the password will be set and maintained following creation of the account using the portal password maintenance procedures
User access controls will be defined by the Client team and granted to the user roles. Client have the responsibility for the administration and monitoring of the team room including access levels. The access to the system will be reviewed annually, including any changes and updates to the Client processes

IBM Connections Team Room
The IBM Connections Team Room provides the storage mechanism for file sharing with the IBM team, and does not permit sharing with external parties
The authentication and authorisation to the IBM team room will use the IBM w3 username and password system in accordance with the IBM policies
Access to the team room will be managed by the project management team as part of the on-boarding and off-boarding procedures and recorded in the Project Control Book
User access controls will be maintained by the Project Management team as the Connections site administrators, who will define permissions based on individual user requirements and add / revoke access rights
Annual checks will be performed on the user permissions across the Team Room, and any excess privileges revoked.

4.7 Data
All data is required to be treated in accordance with the information handling requirements as detailed by the client in RD/1, and access by IBM to the client data should be reduced to required personnel and only requested for specific requirements.

4.7.2 The Need to Know principle is fundamental to information handling, and means that the disclosure of project information is only made to someone who needs it for the proper performance of their work. In addition strict controls are needed to limit access to, and possible compromise of, Personal Information at rest and in transit
Protectively Marked electronic assets (e.g. electronic files, data, media, etc.) must be stored according to the following rules. This is a personal obligation and individuals will be held accountable for protectively marked, or otherwise sensitive, assets:
a) Official Sensitive: May be stored on the RESTRICTED systems
b) Official: May be stored on the corporate laptops and supporting back office infrastructure (including Team Rooms)
All workforce members will adhere to the processes for storing and disposing of the client's PI/SPI/BSI, which is in electronic or printed form (or both). The storing of the client's PI/SPI/BSI is restricted to the purposes associated with its use on the IBM project. Project data stored on IBM Workforce Member workstations must be located in a single file directory for ease of identification and future disposal. The disposal of the client's PI/SPI/BSI is performed after it is no longer required and should use the secure disposal facilities provided at the Client and IBM sites within a week
PI/SPI/BSI data in all environments at rest and in transit should be protected. Transfer of data needs to be performed in adherence to IBM Security Standard (ITCS104)
Use of portable storage devices such as USB flash drives, external hard drive, etc. to store client data is prohibited and only allowable upon management approval.

4.8 Management Review
The Programme Director is required to review the on-boarding and off-boarding for starters and leavers and ensure compliance with the requirements outlined above
Security risks identified, and the results from formal and informal reviews, will be raised to the management team for review on an ongoing basis, and action plans addressed at team meetings
The project team must identify and manage DS&P risks. Risks need to be properly evaluated, including the risk rating (high, medium, low) and the probability of the risk occurring. The identification and management of risks needs to be done on an ongoing basis. Risks identified in section 4 of this plan are included.

4.8.4 The project team must conduct periodic Management reviews of unresolved risks to determine if they are still valid
Results from formal and informal reviews such as audits, business controls reviews, key controls over operations tests, and data security and privacy self-evaluations and proactive reviews
Changes to areas such as contract, work scope, IBM Workforce Members, etc., that could affect the data security and privacy risk situation
Metrics from execution of security controls. Metrics should represent status of risk mitigating activities and controls as defined in Section 4 of this plan.

4.9 Incident Management & Reporting
The Programme Director shall handle and take appropriate action within a week upon being informed of security infringements, breaches or vulnerabilities. Occurrences with a Client or MoD significance will be reported to the appropriate client teams
All team members are required to report security infringements, breaches or vulnerabilities to the Programme Director
Assets to be protected are the following:
a) Workstations used by IBM Workforce Members
b) Client data managed or accessed by IBM
c) IBM data
d) IBM printed PI/SPI/BSI and confidential information
e) Client printed PI/SPI/BSI
f) Any storage device storing the above information
g) Databases, code and applications
Misplacement, loss or theft of IBM or Client assets or data must be reported immediately to the Programme Director. The Programme Director will work with the Project Executive to immediately:
a) Report the loss or theft of IBM and Client assets according to the IBM ITCS104
b) Report the loss or theft of IBM or Client data according to the IBM Data Incident Reporting process and follow the guidance of the IBM Data Incident Manager for all steps involved in resolving the incident
Incidents will be reported to the IBM Incident Contact Center before any communication is made with the client. Any communication with the client related to the incident will be directed by Legal and the IBM Data Incident Manager who will work with the appropriate account team members to resolve the situation
Physical security incidents at the client site or at the IBM site (for example: threatening safety of persons, bomb threats, fraud, theft, loss of physical assets, suspicious activity) should be reported to the local physical security officer and the IBM Programme Director
For any IT related incidents (for example: virus attacks, hacking attempts, DOS attacks, theft of software) the IBM workforce member will report the incident to the IBM Programme Director
The titles and location of references, procedures, and execution artefacts to support this control area are:
a) IBM ITCS104 Security Incident Management and Reporting
b) IBM Data Incident Reporting:

5 - DATA INVENTORY

5.1 Overview
The purpose of this section is to outline the steps taken by the team to produce a PI/SPI/BSI Inventory that shows where the IBM workforce has access to PI/SPI/BSI.

5.2 Roles and Responsibilities

Role Name: IBM Project Manager
Role Responsibilities:
Ensure a PI/SPI/BSI inventory is produced, signed and dated by the IBM and Client management
Ensure the inventory is reviewed annually and with each major change, and updated as appropriate
Manage the execution of the inventory process and maintain and store the resulting documentation

Role Name: IBM Subject Matter Experts
Role Responsibilities: Participate in the inventory analysis

Role Name: IBM Contracts Manager
Role Responsibilities: Participate in the inventory analysis

Role Name: Client Subject Matter Experts
Role Responsibilities: Participate in the inventory analysis

Role Name: Client Approver (management level required)
Role Responsibilities: Review resulting PI/SPI/BSI inventory for completeness, accuracy, and appropriateness of access by signature and date

Role Name: IBM Approver (management level required)
Role Responsibilities: Review resulting PI/SPI/BSI inventory for completeness, accuracy, and appropriateness of access by signature and date

5.3 Create or Update PI/SPI/BSI Inventory
Figure 5-1 Procedure Flow: Changing or Updating a PI/SPI/BSI Inventory
[Flow chart not reproduced. Lanes: Project Manager; Project Manager or Inventory Owner; IBM and Client SMEs; Approver.]

5.4 Procedure Frequency
The PI/SPI/BSI Inventory is created once at the beginning of a project. Thereafter, it is reviewed and updated annually and with each major project change. The document control table reflects each review and resulting changes.
i) Initial creation (one time)
ii) As needed (each major change)
iii) Annually: (review, revalidation and change as needed)

5.5 Procedure Steps
Retrieve PI/SPI/BSI Inventory template or use an existing inventory document if one already exists
Develop a complete inventory of systems, tools, and other forms where IBM workforce has access and update the PI/SPI/BSI Inventory list
a) Work with project and Client subject matter experts (SMEs) to identify the complete list of systems, tools, and other sources where PI/SPI/BSI may exist.
b) For systems, identify the system name, and each environment where at least one IBM workforce member has access. Also identify each system interface to other systems.

c) For tools, consider all tools where at least one IBM workforce member has access, such as problem, change, or configuration management tool, issue & defect tracking system, and so on.
d) Lastly, consider other potential sources such as hard copy printed materials, such as order forms, risk logs, reports, Client team rooms and so on.
e) Update the PI/SPI/BSI Inventory with the most recent list of systems, tools, and other sources of and forms where PI/SPI/BSI may exist
Identify the data accessed in each system
a) Analyze each system, tool and other sources to determine what data is accessible to the IBM workforce
Determine which of that data constitutes PI, SPI, or BSI and update PI/SPI/BSI Inventory document
a) Analyze the data that is in each system, tool or other source and determine if it constitutes Client PI, SPI or BSI as defined by the Client.
b) For each system, tool or other potential source identified in the PI/SPI/BSI Inventory, create or update the specific list of data elements that are considered PI/SPI/BSI within that system, system interface, tool, or other source
Define how the IBM workforce accesses the PI/SPI/BSI (for example, which roles have access) and update template
a) For each PI/SPI/BSI element listed, identify how the IBM workforce has access.
b) For example, is access limited to IBM workforce users with a specific system role? For non-electronic forms such as files, reports, or order forms, is there a specific project role which would have access, for example, order processor?
c) Update the PI/SPI/BSI Inventory with the details on how it is accessed by the IBM workforce.
d) If you find the system does not contain PI/SPI/BSI or the access that is granted to the IBM workforce does not expose the PI/SPI/BSI to them, then document this fact in sufficient detail. For example, "The XYZ system contains first and last names, address information below the state level, and credit card numbers. However, the IBM Workforce does not have access to these items."
e) Note: During the assessment process to create or revalidate the PI/SPI/BSI Inventory, you may find that access exists but is not needed. Look for these opportunities to remove IBM workforce access to PI/SPI/BSI
Review, Sign and Date the PI/SPI/BSI Inventory
a) The newly created or updated PI/SPI/BSI Inventory is prepared for management review and signature. This includes validating the content, headers, footers, change log, version number, and location of the electronic and signed paper copy.
b) Present the final version to management for approval. Minimally, at least one IBM and Client management representative must review, sign and date the PI/SPI/BSI Inventory. The signature indicates the inventory document correctly and completely identifies where IBM has access to Client PI/SPI/BSI data
Store the signed PI/SPI/BSI Inventory in the project repository
a) The signed PI/SPI/BSI Inventory document is stored in the IBM DCNS TeamRoom
As appropriate, update project specific training
a) Project specific training is updated, as appropriate, to inform on-boarding workforce members of the types of data that will be accessed, where it will be accessed and any special handling instructions.

** END OF DOCUMENT **


More information

This topic focuses on how to prepare a customer for support, and how to use the SAP support processes to solve your customer s problems.

This topic focuses on how to prepare a customer for support, and how to use the SAP support processes to solve your customer s problems. This topic focuses on how to prepare a customer for support, and how to use the SAP support processes to solve your customer s problems. 1 On completion of this topic, you will be able to: Explain the

More information

QUALITY ASSURANCE PLAN OKLAHOMA DEPARTMENT OF HUMAN SERVICES ENTERPRISE SYSTEM (MOSAIC PROJECT)

QUALITY ASSURANCE PLAN OKLAHOMA DEPARTMENT OF HUMAN SERVICES ENTERPRISE SYSTEM (MOSAIC PROJECT) QUALITY ASSURANCE PLAN OKLAHOMA DEPARTMENT OF HUMAN SERVICES ENTERPRISE SYSTEM (MOSAIC PROJECT) MOSAIC Quality Assurance Plan v04.02 Prepared by: Approved by: QUALITY ASSURANCE PLAN APPROVALS QA/QC Program

More information

Preventing Rogue Access

Preventing Rogue Access Preventing Rogue Access How to manage user access to IT services during employment and after employment ends. Processes for managing IT access Best practices for onboarding new employees An exhaustive

More information

ABL Information Risk Policy

ABL Information Risk Policy Policy Name Approving Board ABL Information Risk Policy Date Approved 30/01/2018 Last Review Date 23/01/2018 Next Review Date 23/01/2020 Prepared By Version Number 3.0 Reference Number ABL Information

More information

Big Data, Security and Privacy: The EHR Vendor View

Big Data, Security and Privacy: The EHR Vendor View Taking a step towards Big Data, Security and Privacy: proactive health + care The EHR Vendor View Bob Harmon, MD Physician Executive, Cerner Corporation Presented to Preventive Medicine 2016 Washington,

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY 1. Introduction This policy sets out how The Robert Gordon University shall comply with the requirements of the Data Protection Act 1998 and was created with reference to the JISC

More information

Self-Assessment Questionnaire (SAQ) A and Attestation of Compliance Guidance Document. Self-Assessment Questionnaire A

Self-Assessment Questionnaire (SAQ) A and Attestation of Compliance Guidance Document. Self-Assessment Questionnaire A Self-Assessment Questionnaire (SAQ) A and Attestation of Compliance Guidance Document The intent of this guidance document is to assist Payment Card Managers in completing their PCI DSS Self-Assessment

More information

Alameda Countywide. Care Council. Manual

Alameda Countywide. Care Council. Manual Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide

More information

BPO Asia In ormation Security Domains & Controls

BPO Asia In ormation Security Domains & Controls f BPO Asia In ormation Security Security Standards & Best Practices Security for Human & Physical Resources Communications & Operations Management Access Control Information Systems Acquisition, Development

More information

Living Our Purpose and Core Values CODE. Code of Business Ethics and Conduct for Vendors

Living Our Purpose and Core Values CODE. Code of Business Ethics and Conduct for Vendors Living Our Purpose and Core Values CODE Code of Business Ethics and Conduct for Vendors December 2016 HCSC Vendor Code of Business Ethics and Conduct Since 1936, Health Care Service Corporation, a Mutual

More information

Guidance for the use of SSNs by State Government Entities

Guidance for the use of SSNs by State Government Entities New York State Information Technology Policy No: NYS-P10-004 Issued on: 7/07/2010 Guidance for the use of SSNs by State Government Entities Issued By: Melodie Mayberry-Stewart State Chief Information Officer

More information

(Insert Firm Name) Quality System Manual

(Insert Firm Name) Quality System Manual (Insert Firm Name) Quality System Manual Ver. 1.1 (enter implementation/revision date) Controlled Document Created date: Revised date: Revision number: Approved by: Quality System Manual Ver 1.1: (date)

More information

Milliken and Company CTPAT Security Profile. Guidelines and Procedures for maintaining compliance with the CTPAT minimum security requirements

Milliken and Company CTPAT Security Profile. Guidelines and Procedures for maintaining compliance with the CTPAT minimum security requirements Milliken and Company CTPAT Security Profile Guidelines and Procedures for maintaining compliance with the CTPAT minimum security requirements Business Partner Requirements Milliken maintains written processes

More information

Orig. Date: TABLE OF CONTENTS. I. Purpose... 2 II. Standards... 2

Orig. Date: TABLE OF CONTENTS. I. Purpose... 2 II. Standards... 2 Technical Team: CFM Group Approval: Page 1 of 8 TABLE OF CONTENTS I. Purpose... 2 II. Standards... 2 1. Section 1: General Features... 2 2. Section 2: Functional Requirement and System Parameters... 3

More information

Standard Statement and Purpose

Standard Statement and Purpose Personnel Security Standard Responsible Office: Technology Services Initial Standard Approved: 10/23/2017 Current Revision Approved: 10/23/2017 Standard Statement and Purpose Security of information relies

More information

Humber Information Sharing Charter

Humber Information Sharing Charter External Ref: HIG 01 Insert here the logo of the signatory organisation Review date November 2016 Version No. V07 Internal Ref: ERYC CFS ILS 02 Humber Information Sharing Charter This Charter may be an

More information

SHE Training Procedure

SHE Training Procedure APAC SHE Procedure S3[APAC]-003-PR1 1. Purpose and Scope AECOM will ensure that all employees and persons under their control receive appropriate SH&E training to allow them to carry out their work in

More information

Sarbanes-Oxley Compliance Kit

Sarbanes-Oxley Compliance Kit Kit February 2018 This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE Disaster Recovery

More information

Information Governance and Records Management Policy March 2014

Information Governance and Records Management Policy March 2014 Information Governance and Records Management Policy March 2014 Approving authority: Secretary s Board Consultation via: Secretary's Board Information Governance and Security Group Approval date: 4 March

More information

Information Asset Management Procedure

Information Asset Management Procedure Procedure Number: IG02 Version: 2.0 Approved by: Information Governance Working Group Date approved: July 2016 Ratified by: Audit and Risk Committee Date ratified: September 2016 Name of originator/author:

More information

ISO 9001:2015 QUALITY MANAGEMENT SYSTEM POLICIES AND PROCEDURES

ISO 9001:2015 QUALITY MANAGEMENT SYSTEM POLICIES AND PROCEDURES ISO 9001:2015 QUALITY MANAGEMENT SYSTEM POLICIES AND PROCEDURES Origination Date: XXXX Document Identifier: Date: Document Revision: QMS-00 Policies and Procedures Latest Revision Date Abstract: This handbook

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 20/04/2016 HSCIC Audit of Data Sharing

More information

Guidance for Airport Operators Designating Known Suppliers of Airport Supplies

Guidance for Airport Operators Designating Known Suppliers of Airport Supplies Aviation Security Guidance for Airport Operators Designating Known Suppliers of Airport Supplies CAP 1260 Published by the Civil Aviation Authority 2015 Civil Aviation Authority Aviation House Gatwick

More information

QUALITY MANAGEMENT SYSTEM POLICIES AND PROCEDURES

QUALITY MANAGEMENT SYSTEM POLICIES AND PROCEDURES Your Company Name QUALITY MANAGEMENT SYSTEM POLICIES AND PROCEDURES Origination Date: XXXX Document Identifier: Date: Document Revision: QMS-00 QMS Policies and Procedures Latest Revision Date Abstract:

More information

Optimizing Security Practices Among Employees

Optimizing Security Practices Among Employees Optimizing Security Practices Among Employees How to manage user security practices and access to IT services during employment and after employment ends. Processes for establishing a highly secure environment

More information

Standard Operating Policy & Procedure

Standard Operating Policy & Procedure Standard Operating Policy & Procedure A-008 Medical Campus Public Safety Policy Scope: Medical Campus Effective Date: 10/17/1990 Supersedes Policy: N/A Review/ Revision Date(s): 03/19/1996, 11/13/1998,

More information

Identifier Version Author SOP 8.0 Moon, Darci Title: (QMS-SOP) - Global IT Document Control SOP APPROVALS

Identifier Version Author SOP 8.0 Moon, Darci Title: (QMS-SOP) - Global IT Document Control SOP APPROVALS Medtronic Controlled Information This document/record is electronically controlled; printed copies are considered uncontrolled. System of Record: Medtronic Records Control System (MRCS) Identifier Version

More information

Audit of Departmental Security

Audit of Departmental Security Audit of Departmental Security Office of the Chief Audit and Evaluation Executive Audit and Assurance Services Directorate October 2013 Cette publication est également disponible en français. This publication

More information

Introduction Why is data protection important? How does it apply to volunteers? What volunteers need to do?...

Introduction Why is data protection important? How does it apply to volunteers? What volunteers need to do?... Data Protection Guidance for Volunteers Last update 26/11/17 Contents Introduction... 2 1. Why is data protection important?... 2 2. How does it apply to volunteers?... 2 3. What volunteers need to do?...

More information

American Well Hosting Operations Guide for AmWell Customers. Version 7.0

American Well Hosting Operations Guide for AmWell Customers. Version 7.0 American Well Hosting Operations Guide for AmWell Customers Version 7.0 October 31, 2016 Contents Introduction... 4 Scope and Purpose... 4 Document Change Control... 4 Description of Services... 5 Data

More information

CMMI-DEV V1.3 CMMI for Development Version 1.3 Quick Reference Guide

CMMI-DEV V1.3 CMMI for Development Version 1.3 Quick Reference Guide processlabs CMMI-DEV V1.3 CMMI for Development Version 1.3 Quick Reference Guide CMMI-DEV V1.3 Process Areas Alphabetically by Process Area Acronym processlabs CAR - Causal Analysis and Resolution...

More information

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services Louisiana State University Finance and Administration Operating Procedure FASOP: AS-22 CREDIT CARD MERCHANT POLICY Scope: All campuses served by Louisiana State University (LSU) Office of Accounting Services

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Number IG001 Target Audience CCG/ GMSS Staff Approving Committee CCG Chief Officer Date Approved February 2018 Last Review Date February 2018 Next Review Date February

More information

CMMI-SVC V1.3 CMMI for Services Version 1.3 Quick Reference Guide

CMMI-SVC V1.3 CMMI for Services Version 1.3 Quick Reference Guide processlabs CMMI-SVC V1.3 CMMI for Services Version 1.3 Quick Reference Guide CMMI-SVC V1.3 Process Areas Alphabetically by Process Area Acronym processlabs CAM - Capacity and Availability Management...

More information

OH&S MANAGEMENT SYSTEM CHECKLIST - AS 4801:2001 (STATUS A = Acceptable; N = Not Acceptable; N/A = Not Applicable)

OH&S MANAGEMENT SYSTEM CHECKLIST - AS 4801:2001 (STATUS A = Acceptable; N = Not Acceptable; N/A = Not Applicable) OH&S MANAGEMENT SYSTEM CHECKLIST - AS 4801:2001 (STATUS A = Acceptable; N = Not Acceptable; N/A = Not Applicable) 4.1 General Requirements 4.2 OHS policy Has the organisation an established and maintained

More information

Privacy Strategy, Principles & Policy - Version 1.0 Official Publish Date: 23rd May 2018

Privacy Strategy, Principles & Policy - Version 1.0 Official Publish Date: 23rd May 2018 Privacy Strategy, Principles & Policy - Version 1.0 Official Publish Date: 23rd May 2018 1 Contents 1 About This Document... 1 1.1 Introduction... 1 1.2 Aurora s Privacy Framework... 1 1.3 Scope and Application...

More information

Access Projects (Pvt) Ltd. Information Technology Policy

Access Projects (Pvt) Ltd. Information Technology Policy Procedure Manual Version 1.1 Information Technology Last updated on 24-09 - 2016 Access Projects (Pvt) Ltd. Information Technology Policy Prepared by Version 1.0 Authorized by Version 1.0 Name: Nalaka

More information

POSITION DESCRIPTION

POSITION DESCRIPTION Protective Security Officer (Day) POSITION DESCRIPTION Unit/Branch, Directorate: Location: Protective Security Unit / Intelligence Community Shared Services Wellington Salary range: D $42,489 - $63,733

More information

Government-wide: Controls Over Disposal of IT Assets

Government-wide: Controls Over Disposal of IT Assets Performance Audits 2 Government-wide: Controls Over Disposal of IT Assets Summary Government does not have adequate data security and inventory controls to prevent sensitive information from being exposed

More information

FUNCTIONAL REQUIREMENTS FOR CONDUCTING ELECTRONIC PUBLIC PROCUREMENT UNDER THE EU FRAMEWORK VOLUME II

FUNCTIONAL REQUIREMENTS FOR CONDUCTING ELECTRONIC PUBLIC PROCUREMENT UNDER THE EU FRAMEWORK VOLUME II FUNCTIONAL REQUIREMENTS FOR CONDUCTING ELECTRONIC PUBLIC PROCUREMENT UNDER THE EU FRAMEWORK VOLUME II JANUARY 2005 Public eprocurement Disclaimer European Commission Produced by EUROPEAN DYNAMICS S.A.

More information

CODE OF PRACTICE FOR RESPONSIBLE DISTRIBUTION

CODE OF PRACTICE FOR RESPONSIBLE DISTRIBUTION CODE OF PRACTICE FOR RESPONSIBLE DISTRIBUTION As a condition of membership, the member companies of the Responsible Distribution Canada are committed to Responsible Distribution 1. This Code of Practice

More information

INTERNATIONAL STANDARD

INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO/IEC 27004 First edition 2009-12-15 Information technology Security techniques Information security management Measurement Technologies de l'information Techniques de sécurité

More information

SIMPLE FUND 360: AN AUDITORS GUIDE. Australia s leading cloud SMSF admin solution AN AUDITORS GUIDE.

SIMPLE FUND 360: AN AUDITORS GUIDE. Australia s leading cloud SMSF admin solution AN AUDITORS GUIDE. Australia s leading cloud SMSF admin solution AN AUDITORS GUIDE www.bglcorp.com Prepared by BGL Corporate Solutions Pty Ltd March 2018 CONTENTS 1.0 Overview of BGL s Web Applications 2.0 Data Sources and

More information

UNIVERSITY STANDARD. Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE. Introduction

UNIVERSITY STANDARD. Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE. Introduction UNIVERSITY STANDARD Issuing Office Responsible University Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE PURPOSE Introduction This Standard to the Policy on Enterprise

More information

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients TECHNICAL RELEASE TECH 05/14BL Data Protection Handling information provided by clients ABOUT ICAEW ICAEW is a world leading professional membership organisation that promotes, develops and supports over

More information

PCI Requirements Office of Business and Finance Issued July 2015

PCI Requirements Office of Business and Finance Issued July 2015 PCI Requirements Office of Business and Finance Issued July 2015 This document provides supplemental information to be used in conjunction with the Payment Card Compliance policy to assist merchants and

More information

LifeWays Operating Procedures

LifeWays Operating Procedures 11-01.01. BUILDING ACCESS, SAFETY AND SECURITY MANAGEMENT I. OVERVIEW A. PURPOSE: LifeWays shall provide a safe and clean environment for its consumers, staff and visitors. An organization-wide Facilities

More information

Understanding Internal Controls Office of Internal Audit

Understanding Internal Controls Office of Internal Audit Understanding Internal Controls Office of Internal Audit July 2015 Objectives for this manual Provide guidance to help management understand their responsibility to ensure that internal controls are established,

More information

Generic Valuation Tool Travel and Other Administrative Services

Generic Valuation Tool Travel and Other Administrative Services Generic Valuation Tool Travel and Other Administrative Services Recordkeeping Liaison Centre Library and Archives Canada Telephone: 819-934-7519 or 1-866-498-1148 (toll free in Canada and the US) Email:

More information

Health, Safety and Wellbeing Policy

Health, Safety and Wellbeing Policy Health, Safety and Wellbeing Policy 1 Policy 1.1 Policy application 1.2 General requirements 2 Organisation 2.1 Skanska Board, EMT and SMT 2.2 Business Unit President 2.3 Executive Vice President 2.4 OU

More information

LEGAL ICT FACT SHEET PRIVACY AND MONITORING AT WORK UNDER THE GDPR 2 WHAT KIND OF PERSONAL DATA DOES AN EMPLOYER PROCESS?

LEGAL ICT FACT SHEET PRIVACY AND MONITORING AT WORK UNDER THE GDPR 2 WHAT KIND OF PERSONAL DATA DOES AN EMPLOYER PROCESS? LEGAL ICT FACT SHEET PRIVACY AND MONITORING AT WORK UNDER THE GDPR On May 25th 2018, the General Data Protection Regulation ( GDPR ) will enter into force. With penalties of up to the higher of 20 million

More information

Identity and Access Management

Identity and Access Management 11.17 Identity and Access Management Responsible Executive: Chief Information Officer, WCM Original Issued: January 5, 2016 Last Updated: April 26, 2017 Policy Statement Weill Cornell Medicine employs

More information

Date: INFORMATION GOVERNANCE POLICY

Date: INFORMATION GOVERNANCE POLICY Date: INFORMATION GOVERNANCE POLICY Information Governance Policy IGPOL/01 Information Systems Corporate Services Division March 2017 1 Revision History Version Date Author(s) Comments 0.1 12/12/2012 Helen

More information

DATA PROCESSING AGREEMENT

DATA PROCESSING AGREEMENT DATA PROCESSING AGREEMENT This Data Processing Agreement ( DPA, Agreement ) forms part of the master agreement between Customer and Bitrix, Inc. ( Bitrix24 ) to reflect the parties agreement for the provision

More information

Management Excluded Job Description

Management Excluded Job Description Management Excluded Job Description 1. Position Identification Position Number 993234 Position Title Department Reports to (title) Associate Director, Supply Management Purchasing Services Director, Purchasing

More information

Purpose: To document a product and it s functionality for educating users. Page 1 of 34

Purpose: To document a product and it s functionality for educating users. Page 1 of 34 Purpose: To document a product and it s functionality for educating users. Page 1 of 34 ONEVIEW Welcome to the user guide for help and information about the ONEView application. This will provide information

More information

Integrity. Purpose of the Checklist. Description

Integrity. Purpose of the Checklist. Description Integrity Purpose of the Checklist To guide and support public procurement practitioners in reviewing, developing and updating their procurement framework, according to the 12 principles of the Recommendation

More information

CUSTOMER AND SUPPLIER ROLES AND RESPONSIBILITIES FOR 21 CFR 11 COMPLIANCE ASSESSMENT. 21 CFR Part 11 FAQ. (Frequently Asked Questions)

CUSTOMER AND SUPPLIER ROLES AND RESPONSIBILITIES FOR 21 CFR 11 COMPLIANCE ASSESSMENT. 21 CFR Part 11 FAQ. (Frequently Asked Questions) 21 CFR Part 11 FAQ (Frequently Asked Questions) Customer and Supplier Roles and Responsibilities for Assessment of METTLER TOLEDO STARe Software Version 16.00, including: - 21 CFR 11 Compliance software

More information

Policies and Procedures

Policies and Procedures Policies and Procedures Provided by PROGuard The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer yes to the questions and pass the SAQ,

More information

Lake Geauga Computer Association

Lake Geauga Computer Association Lake Geauga Computer Association Software Support SLA Statement of Intent The Information Technology Center LGCA and school district mutually agree that this Service Level Agreement (SLA) documents all

More information

Position Description. Senior Systems Administrator. Purpose and Scope

Position Description. Senior Systems Administrator. Purpose and Scope Position Description Senior Systems Administrator Purpose and Scope The Senior Systems Administrator - is responsible for effective provisioning, installation, configuration, operation, and maintenance

More information

OWNER USER INTEGRITY MANAGEMENT SYSTEM WRITTEN DESCRIPTION CHECKLIST AB-512(b)

OWNER USER INTEGRITY MANAGEMENT SYSTEM WRITTEN DESCRIPTION CHECKLIST AB-512(b) Company Name: Written Description of QMS Title and Rev. Status: Person who is responsible for preparing the owner s QMS written description: Name: Title: Telephone No.: ( ) Fax No.: ( ) Cell No.: ( ) E-Mail:

More information

Micro Safe Settings Network

Micro Safe Settings Network Micro Safe Settings Network Supporting safe access to research data in the UK Guidance and application for a Micro Safe Setting (SafePod ) Copyright SafePod is a registered Trade Mark of the University

More information

IBM Emptoris Contract Management on Cloud

IBM Emptoris Contract Management on Cloud Service Description IBM Emptoris Contract Management on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients

More information

John D. Halamka, MD, MS

John D. Halamka, MD, MS John D. Halamka, MD, MS The Lost Laptop The Compromised Radiology Workstation The Anonymous Attack The Phishing Experience The Boston Marathon Issues Office of Civil Rights Audits A recent visit from the

More information

Best Practices for Deploying Engagement CS in a Fieldwork Environment

Best Practices for Deploying Engagement CS in a Fieldwork Environment Best Practices for Deploying Engagement CS in a Fieldwork Environment Engagement CS, which is part of the CS Professional Suite Accounting Products, assists you in managing critical aspects of your practice

More information

WHS Manual Insert Business Name & Logo

WHS Manual Insert Business Name & Logo WHS Manual Insert Business Name & Logo Version5 Work Health & Safety Manual INDEX OVERVIEW 4 1. WORK HEALTH AND SAFETY POLICY 5 2. PLANNING, REVIEW AND EVALUATION 9 3. HAZARD IDENTIFICATIO, ASSESSMENT

More information

City of Philadelphia Review of the General Information Technology Controls Over the Department of Human Services Family and Child Tracking Systems

City of Philadelphia Review of the General Information Technology Controls Over the Department of Human Services Family and Child Tracking Systems City of Philadelphia Review of the General Information Technology Controls Over the Department of Human Services Family and Child Tracking Systems Fiscal 2011 September 19, 2013 Anne Marie Ambrose, Commissioner

More information

PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE

PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers.

More information

Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2

Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2 Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2 Abstract This document may be provided to Immigration and Customs Enforcement (ICE) in connection with a Form

More information

ACTION Agenda Item I ANNUAL AUDIT REPORT December 6, 2002

ACTION Agenda Item I ANNUAL AUDIT REPORT December 6, 2002 ACTION Agenda Item I-2 2001-02 ANNUAL AUDIT REPORT December 6, 2002 Recommendation That the KCTCS Board of Regents receive the financial audit results for the 2001-02 fiscal year. Rationale The resolution

More information

HIPAA Compliance and Mistakes:

HIPAA Compliance and Mistakes: HIPAA Compliance and Mistakes: Let s just say what everyone is thinking: Trying to be compliant with the Health Insurance Portability and Accountability Act (HIPAA) is tough! At HIPAAgps, we get that.

More information

Code of Conduct INTRODUCTION

Code of Conduct INTRODUCTION INTRODUCTION Kingspan Group plc is committed to acting responsibly in its business, and maintaining high standards of ethics and integrity in all its dealings with its stakeholders, be they investors,

More information

POLICY AND PROCEDURE MANUAL Pennington POLICY NO Origin Date: 6/5/15

POLICY AND PROCEDURE MANUAL Pennington POLICY NO Origin Date: 6/5/15 POLICY AND PROCEDURE MANUAL Pennington POLICY NO. 617.00 Origin Date: 6/5/15 Biomedical Impacts: All employees Effective Date: 7/1/15 Subject: Mobile Device Policy Last Revised: Source: Director of Computing

More information

Part IV: Developing an Extended Network Enterprise Part V: Obtaining Value beyond the Basic Enterprise

Part IV: Developing an Extended Network Enterprise Part V: Obtaining Value beyond the Basic Enterprise Contents at a Glance Introduction... 1 Part I: Developing the Architecture... 7 Chapter 1: Planning for Enterprise Realignment...9 Chapter 2: Exploring Tasks, Roles, and Tools...17 Chapter 3: Pondering

More information

Job Description Network Security Analyst

Job Description Network Security Analyst Job Description Network Security Analyst Accountable to: Scope of Job: Technical Services Manager To ensure front-line defence of Airport networks and networked services, protecting information from unauthorised

More information

PCI Requirements Office of Business and Finance Issued July 2015

PCI Requirements Office of Business and Finance Issued July 2015 PCI Requirements Office of Business and Finance Issued July 2015 This document provides supplemental information to be used in conjunction with the Payment Card Compliance policy to assist merchants and

More information

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector TABLE OF CONTENTS INTRODUCTION... 2 Accountable privacy management 2 Getting started 3 A.

More information

PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR

PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR The General Data Protection Regulation ( the GDPR ) significantly increases the obligations and responsibilities of organisations and

More information

Effects of GDPR and NY DFS on your Third Party Risk Management Program

Effects of GDPR and NY DFS on your Third Party Risk Management Program Effects of GDPR and NY DFS on your Third Party Risk Management Program Please disable popup blocking software before viewing this webcast June 27, 2017 Grant Thornton LLP. All rights reserved. 1 CPE Reminders

More information

Menard, Inc. ( Menard, Inc. ) C-TPAT Protocols for Suppliers

Menard, Inc. ( Menard, Inc. ) C-TPAT Protocols for Suppliers Menard, Inc. ( Menard, Inc. ) C-TPAT Protocols for Suppliers February 2016 I have read this page: Date: Doc C Page 1 Table of Contents Introduction 1. Procedural Security 2. Physical Security 3. Access

More information

SAN FRANCISCO PUBLIC UTILITIES COMMISSION WATER SYSTEM IMPROVEMENT PROGRAM CONSTRUCTION MANAGEMENT BUSINESS PROCESSES

SAN FRANCISCO PUBLIC UTILITIES COMMISSION WATER SYSTEM IMPROVEMENT PROGRAM CONSTRUCTION MANAGEMENT BUSINESS PROCESSES SAN FRANCISCO PUBLIC UTILITIES COMMISSION WATER SYSTEM IMPROVEMENT PROGRAM CONSTRUCTION MANAGEMENT BUSINESS PROCESSES SECTION: WSIP CONSTRUCTION MANAGEMENT APPROVED: BUSINESS PROCESS NO.: 000 DATE: 03/16/09

More information

GlobalEdge Internal Page:1of 9

GlobalEdge Internal Page:1of 9 Global Edge Software Ltd. Global Village, IT SEZ, Pattanagere, Mylasandra Village, RVCE Post, Off Mysore Road, Bangalore - 560 059, India Document Name GEMS-GDL-DO s and Don ts Preparation Time 3 Hours

More information

This resource is associated with the following paper: Assessing the maturity of software testing services using CMMI-SVC: an industrial case study

This resource is associated with the following paper: Assessing the maturity of software testing services using CMMI-SVC: an industrial case study RESOURCE: MATURITY LEVELS OF THE CUSTOMIZED CMMI-SVC FOR TESTING SERVICES AND THEIR PROCESS AREAS This resource is associated with the following paper: Assessing the maturity of software testing services

More information

IBM SOA Fundamentals. Download Full Version :

IBM SOA Fundamentals. Download Full Version : IBM 000-664 SOA Fundamentals Download Full Version : http://killexams.com/pass4sure/exam-detail/000-664 QUESTION: 46 An enterprise governance committee authorizes an upgrade to a business service. The

More information

Welcome to Northside Hospital s Annual / New Hire Compliance Training. 1 of 35

Welcome to Northside Hospital s Annual / New Hire Compliance Training. 1 of 35 2015-2016 Corporate Compliance Training Welcome to Northside Hospital s Annual / New Hire Compliance Training 1 of 35 Goals of Session 1. Review Northside s Compliance Program and Code of Conduct 2. Emphasize

More information

Identity Management Business Scenario. 23 January 2002

Identity Management Business Scenario. 23 January 2002 Identity Management Business Scenario 23 January 2002 Session Agenda Overview of the workshop and scenario to be followed by Issues from today s presentations Group Discussion This Presentation Overview

More information