TMI Blog
Information Security Guidelines

..... Government of a country/jurisdiction will, however, agree to exchange information with another country only if the information exchanged is kept confidential, used only for the specified purposes and disclosed only to authorized person(s) in accordance with the agreement on the basis of which it is exchanged. It is, therefore, essential that, for continued assistance by the treaty partners of India, the information received is kept confidential and is used and disclosed strictly as per the terms of the Agreement.

3. An Information Security Committee (ISC) has been constituted in the Central Board of Direct Taxes (CBDT) under the chairmanship of Member (IT) through orders F. No. 500/137/2011-FTTR-III dated 7th April, 2015 and 19th June 2015 with a view to putting in place a robust Information Security Mechanism in the Department. The ISC shall consist of a Chief Information Security Officer (CISO) and six other members. The responsibilities of the ISC and CISO are enclosed at Annexure A.

4. It has now been decided that all Cadre Controlling Pr. CCsIT should set up a Local Information Security Committee (LISC) headed by a Pr. CIT level officer and comprising CIT (Administration) .....

..... round - Provides an overview and the coverage of each domain and states the important evolutions and developments in each area.
(b) Relevance of domain to information security - Establishes the role and scope of a domain in the context of Information Security.
(c) Management guidelines - Provides domain-specific recommendations in the form of guidelines and objectives. These are denoted by the nomenclature "XX.G" followed by the guideline number, where XX is the code for the domain. For example, PH.G1, PH.G2, PH.G3 ...
(d) Security controls - Provides control statements which are administrative, technical, operational or procedural and need to be diligently followed. Security controls provide insight into multiple areas which need to be implemented/addressed in order to achieve the objectives laid out in the management guidelines section. These are denoted by the nomenclature "XX.C" followed by the control number, where XX is the code for the domain. For example, PH.C1, PH.C2, PH.C3 ...
(e) Implementation guidelines - Provides specific recommendations to aid implementation of management guidelines and security controls. These are denoted by the nomenclature "XX.IG" foll .....

..... nternal and external security reviews and ensuring that action is taken to rectify any identified shortfalls.
(e) Responsible for disciplinary action in cases of breach of ISPP.

Broad Responsibilities of CISO have been specified as under:
(a) Responsible for preparing, maintaining and communicating ISPP.
(b) Oversee all information security processes and serve as the focal point for all information security issues and concerns.
(c) Ensure that responsibilities are defined for, and that procedures are in effect to, promptly detect, investigate, report and resolve security incidents.
(d) Ensure that ongoing information security awareness education and training is provided to all employees.
(e) Provide reports to the ISC on the status of information security, policy violations and information security incidents.

Annexure B
Information Classification Guidelines
All information available with the office concerned should be classified into one of the following categories (based on the Manual of Departmental Security Instructions issued by the Ministry of Home Affairs in 1994):
Classification | Description | Example
Top Secret | Information, unauthorized disclosure of which coul .....

..... 19
2.1. Background 19
2.2. Relevance of domain to information security 19
2.3. Personnel security guidelines 19
2.4. Personnel security controls 20
2.5. Personnel security implementation guidelines 22
2.6. Adoption matrix for Personnel Security 25
3. Identity, access and privilege management .....

..... ional physical events on the particular facilities
1.1.2. Physical security is an important component of information security and requires careful attention in planning, selecting countermeasures, deploying controls, ensuring secure operations and responding in case of an event.
1.1.3. Physical security is not only restricted to barriers or locks but has evolved with the use of access control measures, risk-based or multi-factor authentication, monitoring cameras, alarms, intrusion detectors, etc.

b. Relevance of domain to information security
i. Lack of due consideration to the area and to the choice of the building may expose information and IT systems to threats. Choice of the area, building architecture and plan have a significant impact on the security posture of information and information systems.
ii. Insufficient entry controls may give access to unintended persons. It may allow entry of unauthorized assets or easy passage of sensitive assets from the premises.
iii. Without adequate interior physical control, unauthorized personnel may gain access to sensitive areas. Instances such as theft of information may remain undetected.
iv. Without processes for physical access provision .....

..... ored and tracked. Users should not be allowed to carry external devices such as laptops, USB drives etc. into areas which house critical information infrastructure such as data centers without prior approval and authorization. PH.G8

d. Physical and environmental security controls
* Map and characteristics of physical facilities: The organization must obtain visibility over physical facilities and the information systems housed within.
  a. A list of persons who are authorized to gain access to information assets and systems housed in data centers or other areas supporting critical activities, where computer equipment and data are located or stored, shall be kept up to date and should be reviewed periodically. PH.C1
* Hazard assessment: The facility housing information assets and systems must be protected from natural and man-made hazards. All facilities located in geographically vulnerable areas must undergo an annual assessment to check structural strength. PH.C2
* Hazard protection: All facilities must be equipped with adequate equipment to counter man-made disasters or accidents such as fire. The facility should have a combination of hazard detection and control measu .....

..... with appropriate facilities or techniques such as degaussing of hard drives, secure delete technologies etc. PH.C13
* Protection of information assets and systems: All information assets and systems must be protected with appropriate access control methodologies such as authorized log-in and password control, smart cards or biometric access. PH.C14
* Authorization for change: Ensure that security authorization is performed for all changes pertaining to physical security, instances that may introduce security vulnerabilities and exceptions to the policy. PH.C15
* Inactivity timeout: All information systems must be configured to time out a user's session after a designated period of inactivity. PH.C16
* Protection of access keys and methodology: All access keys, cards, passwords, etc. for entry to any of the information systems and networks shall be physically secured or subject to well-defined and strictly enforced security procedures. PH.C17
* Shoulder surfing: The display screen of an information system on which classified information can be viewed shall be carefully positioned so that unauthorized persons cannot readily view it. PH.C18
* Categorization of .....

..... each facility housing classified information PH.IG3
* Securing gateways: All entry and exit points to facilities/areas housing classified information in an organization must have biometric access controls such as fingerprint scanners or other similar gateway access control mechanisms. PH.IG4
* Identity badges: The organization must issue photo identity cards with additional security features such as smart chips to employees for identification and entry to facilities.
  a. Appropriate measures must be undertaken to prevent tailgating inside the organization's facility. PH.IG5
* Entry of visitors & external service providers: The organization should maintain records for visitor entry such as name of visitor, time of visit, concerned person for visit, purpose of visit, address of the visitor, phone number of the visitor, ID proof presented, devices on person etc.
  b. Entry by visitors such as vendor support staff, maintenance staff, project teams or other external parties must not be allowed unless accompanied by authorized staff.
  c. Authorized personnel permitted to enter the data center or computer room must display their identification cards at all times.
  d. Visitor a .....

..... dopted at vehicle entry, exit and parking areas, such as deploying physical barriers, manual inspection of vehicles, security lighting, video surveillance, deploying adequate security guards etc.
PH.IG10
* Correlation between physical and logical security: Physical security and logical security linkages must be created.
  a. Only approved personnel should have physical access to facilities housing systems or devices which enable physical or logical access to sensitive data and systems. This includes areas within the facility which house backup tapes, servers, cables and communication systems etc.
  b. Access controls should encompass areas containing system hardware, network wiring, backup media, and any other elements required for the system's operation. PH.IG11
* Monitoring & surveillance: The organization must establish a mechanism for 24/7 surveillance of all areas inside the physical perimeter by use of technology such as security cameras (or closed-circuit TV).
  a. The organization must monitor areas such as those hosting critical/sensitive systems and have video images recorded. The camera recordings should be retained for at least a month for future review.
  b. .....

..... ransition from a public zone to a restricted access area is demarcated and controlled. It is typically located at the entry to the facility where initial contact between visitors and the department occurs; this can include spaces such as places where services are provided and information is exchanged. Access by visitors may be limited to specific times of the day or for specific reasons.
  c. Operations zone: an area where access is limited to personnel who work there and to properly escorted visitors; it must be indicated by a recognizable perimeter and monitored continuously. Examples: a typical open office space, or a typical electrical room.
  d. Security zone: an area to which access is limited to authorized personnel, and to authorized and properly escorted visitors; it must be indicated by a recognizable perimeter and monitored continuously. Example: an area where secret information is processed or stored.
  e. High security zone: an area to which access is limited to authorized, appropriately screened personnel and to authorized and properly escorted visitors; it must be indicated by a perimeter built to the specifications, monitored continuously, and be an area to which details of acces .....

..... s to correlate logs to identify physical security incidents
  c. Integrating physical security logs with logical security logs
  d. Integrating physical security with SIEM solutions
  e. Real-time monitoring of physical security logs for classified information PH.IG22

f. Adoption matrix for Physical Security
Columns: Top secret | Secret | Confidential | Restricted | Unclassified
Guidelines
Map and characteristics of physical facilities: PH.G1 | PH.G1 | PH.G1 | PH.G1
Protection from hazard: PH.G2 | PH.G2 | PH.G2 | PH.G2 | PH.G2
Physical boundary protection: PH.G3 | PH.G3 | PH.G3 | PH.G3 | PH.G3
Restricting entry: PH.G4 | PH.G4 | PH.G4
Interior security: PH.G5 | PH.G5 | PH.G5 | PH.G5
Security zones: PH.G6 | PH.G6 | PH.G6 | PH.G6
Access to restricted area: PH.G7 | PH.G7 | PH.G7 | PH.G7
Physical activity monitoring and review: PH.G8 | PH.G8 | PH.G8 | PH.G8
Controls
Map and characteristics of physical facilities: PH.C1 | PH.C1 | PH.C1 | PH.C1
Hazard assessment: PH.C2 | PH.C2 | PH.C2 | PH.C2 | PH.C2
Hazard protection: PH.C3 | PH.C3 | PH.C3 | PH.C3 | PH.C3
Securing gateways: PH.C4 | PH.C4 | PH.C4 | PH.C4
Identity badges: PH.C5 | PH.C5 | PH.C5 | PH.C5
Entry of vis .....
..... , (c) | PH.IG12, PH.IG12(b), (c) | PH.IG12, PH.IG12(b), (c)
Disposal of equipment: PH.IG13, PH.IG13(a) | PH.IG13, PH.IG13(a) | PH.IG13, PH.IG13(a) | PH.IG13, PH.IG13(a)
Protection of information assets and systems: PH.IG14 | PH.IG14 | PH.IG14
Authorization for change: PH.IG15 | PH.IG15 | PH.IG15
Inactivity timeout: PH.IG16 | PH.IG16 | PH.IG16 | PH.IG16
Protection of access keys: PH.IG17, PH.IG17(a),(b),(c) | PH.IG17, PH.IG17(a),(b),(c) | PH.IG17, PH.IG17(c)
Shoulder surfing: PH.IG18 | PH.IG18 | PH.IG18 | PH.IG18
Categorization of zones: PH.IG19, PH.IG19(e) | PH.IG19, PH.IG19(d) | PH.IG19, PH.IG19(d) | PH.IG19, PH.IG19(c)
Access to restricted areas: PH.IG20, PH.IG20(a),(b),(c) | PH.IG20, PH.IG20(a),(b),(c) | PH.IG20, PH.IG20(a),(b),(c) | PH.IG20
Visitor device management: PH.IG21, PH.IG21(a),(b),(c) | PH.IG21, PH.IG21(a),(b),(c) | PH.IG21, PH.IG21(a),(b) | PH.IG21, PH.IG21(a),(b)
Physical access auditing and review: PH.IG22, PH.IG22(a),(b),(c),(d),(e) | PH.IG22, PH.IG22(a),(b),(c),(d),(e) | PH.IG22, PH.IG22(a),(b) | PH.IG .....

.....
c. Personnel security guidelines
* Awareness & training: The organization must develop an appropriate information security awareness and training program for all personnel. All adequate tools and systems to support such training programs should be made available by the organization. PE.G1
* Employee verification: The organization must conduct background checks or security clearance as part of its employee hiring process. PE.G2
* Authorizing access to third parties: The organization must develop and document a process for authorizing physical and logical access to third parties for organization-owned information assets and systems. PE.G3
* Record of authorized users: The organization should maintain an updated record of all users granted access to each information asset and system. PE.G4
* Acceptable usage policy: The organization must develop an acceptable usage policy for all information assets and systems, including Web and email resources provided to employees, amongst others. PE.G5
* Monitoring and review: The organization must implement appropriate monitoring tools and technology to track compliance of personnel with the organization's policies. PE.G6
* Limiti .....
..... sciplinary processes are established to resolve non-compliance issues and other variances in a timely manner. PE.C5
* Record of authorized users: The organization must prepare and continuously update records of access granted to all users such as employees and third-party personnel. The record management must be performed in an automated manner to ensure that access authorizations granted by different functions are maintained in a central repository/system. PE.C6
* Monitoring and review: The organization must define processes to monitor and review access granted to personnel, including temporary or emergency access to any information asset or system. PE.C7
* Non-disclosure agreements: The organization must incorporate considerations such as signing non-disclosure contracts and agreements in the HR process, both for employees and for third parties allowed to access information assets and systems. PE.C8
* Legal and contractual obligations: The organization must ensure that employees and third parties are aware of legal and contractual obligations with respect to the security of information.
  a. The organization must ensure that users are aware of policies, procedures and guidelines issue .....

..... cords, family details amongst others. PE.IG2
* Authorizing access to third parties: The organization must restrict the level of access provided to authorized individuals from third parties based on their role, the function performed and the associated need for access.
  a. Prior to granting physical and logical access to third-party personnel, the organization must seek sufficient proof of identity of the personnel from the third-party employer, such as a recent background check and verification by a competent authority.
  b. Authorization for access by third-party personnel must be supported by a documented request from the head of the department where the third-party personnel will be deployed.
  c. The organization must strictly monitor all activity conducted by third-party personnel.
  d. The organization must strictly monitor the physical movement of third-party personnel within its facility.
  e. The organization should permit authorized individuals to use an external information system to access or to process, store, or transmit organization-controlled information only after verification of the implementation of the required security controls on the external system, as specified in the organization's information security pol .....

..... mployment
  a. Non-disclosure agreements should restrict employees and third parties from sharing organizational information publicly. PE.IG8
* Legal and contractual obligations: The organization must brief all personnel about their legal and contractual obligation to protect the organization's information and to follow all security advisories issued by the competent authority, so as to prevent disclosure of information, loss of sensitive data and information compromise.
  a. The terms of employment must contain a copy of all relevant policies and guidelines.
  b. The organization must obtain a formal sign-off from the employee on all such policies and guidelines, such as the end user policy, acceptable usage policy etc. PE.IG9
* Communication practices: The organization must establish, document and implement policies, procedures and controls to restrict personnel from unintended communication, both internally and with external entities such as the media.
  a. Messages circulated to state security requirements or to alert employees must be sent by designated personnel only.
  b. Only the official spokesperson/designated person from the organization must be allowed to communica .....
..... ements: PE.IG8, PE.IG8(a) | PE.IG8, PE.IG8(a) | PE.IG8, PE.IG8(a) | PE.IG8, PE.IG8(a)
Legal and contractual obligations: PE.IG9, PE.IG9(a),(b) | PE.IG9, PE.IG9(a),(b) | PE.IG9, PE.IG9(a),(b) | PE.IG9, PE.IG9(a),(b)
Communication practices: PE.IG10, PE.IG10(a),(b),(c) | PE.IG10, PE.IG10(a),(b),(c) | PE.IG10, PE.IG10(a),(b),(c) | PE.IG10, PE.IG10(a),(b),(c)

3. Identity, access and privilege management
a. Background
i. Users have a diverse set of access requirements based on their roles and privileges, which lead to complex authentication, access, role & privilege management scenarios in respect of access to information and information systems.
ii. The access requirements vary widely, from providing access to endpoints to network, server systems, applications, data and databases, messaging systems, and so on. The organization's information is stored, processed and shared over these components of the infrastructure. Access to these systems may expose the users to the information.
iii. Further, users and user groups, with their respective operational roles, seek access to different information assets for diverse purposes and through vari .....

..... e recorded
  b. Inactive accounts must be disabled as per the organization's policy. IA.G2
* Password management: The organization must have a standardized, reliable and secure way of managing passwords of users.
  a. A standard for passwords must be defined: length, type of characters permitted.
  b. Password history, password change duration etc. should be determined depending on the sensitivity of the information and transactions.
  c. Password reset requests must be handled carefully and securely.
  d. Passwords of privileged user accounts should be handled with additional care.
  e. Shared passwords with vendors must be changed regularly. IA.G3
* Credential monitoring: The organization must ensure that instances of user access provisioning, identification, authentication, access authorization, credential changes and deprovisioning are logged.
  a. The access instances should be monitored and reviewed to identify discrepancies.
  b. Malicious attempts at authentication should be prevented, recorded and reviewed. IA.G4
* Provisioning personal devices and remote access: The organization must ensure that provisioning of access to employees of external service providers and vendors is .....

..... d monitored as per the organization's policy. IA.C7
* Authentication mechanism for access: The organization must enforce an appropriate authentication mechanism to allow access to information and information systems, commensurate with the sensitivity of the information being accessed. IA.C8
* Inactive accounts: Inactive accounts must be disabled as per the organization's policy. IA.C9
* Acceptable usage of information assets & systems: The organization must define an acceptable usage policy and procedures specifying the security requirements and the user's responsibility for ensuring only organization-mandated use of user account privileges. IA.C10
* Password policy: The organization must define a password policy.
  a. Password standards, such as minimum password length, restricted words and format, password life cycle, and guidelines on user password selection.
  b. A password reset process must be set in order to secure the credential during the reset. IA.C11
* Default device credentials: The organization must ensure that all vendor-supplied default passwords for equipment and information systems are changed before any information system is put into operation. IA.C12
* Mo .....
..... must develop a formal procedure to govern the allocation of user identification and access mechanisms. All privileges associated with a user ID must also be governed as per the standard procedure.
  a. Operational roles must be mapped to corresponding IT roles.
  b. IT roles must be grouped for performing particular operations.
  c. Credential requirements of the roles must be mapped carefully.
  d. Operational rules for granting and revoking access must be studied and an inventory of the same should be created. IA.IG1
* Unique identity of each user: All employees, including temporary and contract workers, must be allotted a unique ID. The system for managing user IDs must function directly under the head of the department or his authorized representative.
  a. User identity schemes must be defined and enforced.
  b. The identity provisioning workflow must be defined with proper checks and balances.
  c. The identity provisioning process must be audited at periodic intervals.
  d. Any sharing of user IDs should be restricted to special instances which are duly approved by the information or information system owner.
  e. The passwords of shared IDs must be changed promptly when the need no longer ex .....

..... s of physical access and logical access using IP-enabled physical security devices, collection and correlation of logs, and rules written to correlate physical and logical instances. IA.IG4
* Need-to-know access: Access privileges of users must be based on operational role and requirements.
  a. Access to a higher category of classified information must not be granted unless authorized by the information owner.
  b. Access to systems containing a higher category of classified information must be restricted by logical access control.
  c. An access security matrix must be prepared which contains the access rights mapped to the different roles. This must be done to achieve the objective of role-based access control (RBAC).
  d. Access to systems must be granted based on the access security matrix. IA.IG5
* Review of user privileges: All user accounts must be reviewed periodically by the concerned authority by use of system activity logs, log-in attempts to access non-authorized resources, abuse of system privileges, frequent deletion of data by users etc. IA.IG6
* Special privileges: The organization must ensure that the use of special privileges for users to access additional information systems, res .....

..... organization must define its password policy, with specific focus on password issuance and activation methods along with a standard process for governance, and communicate the same to the user upon creation of the user account.
  a. All active sessions of a user must be terminated after 15 minutes of inactivity and must be reactivated only after re-authentication by a specified mechanism such as re-entering the password etc.
  b. Passwords must be encrypted when transmitted over an untrusted communication network.
  c. Issue guidelines to end users to help in the selection of a strong alphanumeric password comprising a minimum of 12 characters.
  d. Prevent users from using passwords shorter than a pre-defined length, or from reusing previously used passwords.
  e. Passwords must be automatically reset if user accounts are revoked, or disabled upon inactivity beyond 30 days.
  f. Password communication must be over a verified alternate channel such as SMS, email, etc. IA.IG11
* Default device credentials: The organization must ensure that default login credentials of devices such as routers, firewalls, storage equipment etc. are changed prior to the deployment of such devices in the operational environment .....

..... performing administer audit functions
  g. Create different administrator accounts for different roles. IA.IG18
* User awareness & liability: Refer to Personnel security. IA.IG19

f.
Adoption matrix for Identity, access and privilege management
Columns: Top secret | Secret | Confidential | Restricted | Unclassified
Guidelines
Governance procedures for access rights, identity & privileges: IA.G1 | IA.G1 | IA.G1 | IA.G1 | IA.G1
Authentication & authorization for access: IA.G2 | IA.G2 | IA.G2 | IA.G2
Password management: IA.G3 | IA.G3 | IA.G3 | IA.G3
Credential monitoring: IA.G4 | IA.G4 | IA.G4
Provisioning personal devices and remote access: IA.G5 | IA.G5 | IA.G5 | IA.G5
Segregation of duties: IA.G6 | IA.G6 | IA.G6 | IA.G6
Access record documentation: IA.G7 | IA.G7 | IA.G7
Linkage of logical and physical access: IA.G8 | IA.G8
Disciplinary actions: IA.G9 | IA.G9 | IA.G9 | IA.G9
Controls
Operational requirement mapping: IA.C1 | IA.C1 | IA.C1 | IA.C1
Unique identity of each user: IA.C2 | IA.C2 | IA.C2 | IA.C2
User access management: IA.C3 | IA.C3 | IA.C3 | IA.C3
Access control policies: IA.C4 | IA.C4 | IA.C4 | IA.C4
Need-to-know access: IA.C5 .....

..... IA.IG10(a),(b),(c) | IA.IG10, IA.IG10(a),(b),(c)
Password policy: IA.IG11, IA.IG11(a) to (f) | IA.IG11, IA.IG11(a) to (f) | IA.IG11, IA.IG11(a) to (f) | IA.IG11, IA.IG11(a) to (e)
Default device credentials: IA.IG12 | IA.IG12 | IA.IG12 | IA.IG12
Monitoring and retention of logs: IA.IG13 | IA.IG13 | IA.IG13
Unsuccessful login attempts: IA.IG14, IA.IG14(a),(b) | IA.IG14, IA.IG14(a),(b) | IA.IG14, IA.IG14(a),(b) | IA.IG14, IA.IG14(a),(b)
Ad-hoc access to systems: IA.IG15 | IA.IG15 | IA.IG15 | IA.IG15
Remote access: IA.IG16, IA.IG16(a),(b),(c) | IA.IG16, IA.IG16(a),(b),(c) | IA.IG16, IA.IG16(a),(b),(c) | IA.IG16, IA.IG16(a),(b),(c)
Provisioning of personal devices: IA.IG17 | IA.IG17 | IA.IG17 | IA.IG17
Segregation of duties: IA.IG18, IA.IG18(a) to (g) | IA.IG18, IA.IG18(a) to (g) | IA.IG18, IA.IG18(a) to (g) | IA.IG18, IA.IG18(a)
User awareness & liability: IA.IG19 | IA.IG19 | IA.IG19 | IA.IG19

4. Security monitoring and incident management
a. Background
i. Organizations face significant risks of information loss through inappropriate account access and malicious tra .....
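The password and account rules in IA.C9, IA.C11 and IA.IG11 above are concrete enough to encode. The following is an added example, not code from the CBDT guidelines: it checks a candidate password against the 12-character minimum and the reuse rule, and reviews an account export for the 30-day inactivity and 15-minute idle-session limits. The record layout of the export, the SHA-256 digest history, the five-password history depth, the mixed-case requirement read into "strong alphanumeric", and the user names in the sample are all assumptions; the sample accounts are constructed.

```python
"""Added example (not part of the CBDT Information Security Guidelines).
Encodes IA.IG11(a), (c), (d), (e) and IA.C9 as checks a practitioner can run.
Assumptions (not from the page): export record layout, SHA-256 history,
history depth of 5, and mixed case plus a digit as the meaning of "strong".
"""
import hashlib
import hmac
from datetime import datetime, timedelta

MIN_LENGTH = 12          # IA.IG11(c): minimum of 12 characters
HISTORY_DEPTH = 5        # assumption: number of previous passwords kept
INACTIVITY_DAYS = 30     # IA.IG11(e): disable/reset after 30 days of inactivity
SESSION_IDLE_MIN = 15    # IA.IG11(a): terminate sessions idle for 15 minutes


def _digest(password: str) -> str:
    # History is stored as SHA-256 digests so old passwords are never kept in clear (assumption).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, history: list, user_id: str) -> list:
    """Return the list of IA.IG11 violations for a candidate; [] means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_lower and has_upper and has_digit):
        problems.append("not a strong alphanumeric password (needs lower, upper and digit)")
    if user_id and user_id.lower() in candidate.lower():
        problems.append("contains the user ID")
    # IA.IG11(d): compare digests in constant time against the retained history.
    new_digest = _digest(candidate)
    if any(hmac.compare_digest(new_digest, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def review_accounts(accounts: list, now: datetime) -> dict:
    """IA.IG11(a)/(e) and IA.C9 over an account export.

    Returns {"disable": [user ids inactive > 30 days],
             "terminate": [user ids with a session idle > 15 minutes]}.
    """
    result = {"disable": [], "terminate": []}
    for acct in accounts:
        if acct["enabled"] and now - acct["last_login"] > timedelta(days=INACTIVITY_DAYS):
            result["disable"].append(acct["user"])
        idle_since = acct.get("session_last_activity")
        if idle_since is not None and now - idle_since > timedelta(minutes=SESSION_IDLE_MIN):
            result["terminate"].append(acct["user"])
    return result


# Constructed sample export (not real accounts); "now" is fixed so results are reproducible.
NOW = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_ACCOUNTS = [
    {"user": "ao_delhi01", "enabled": True, "last_login": NOW - timedelta(days=2),
     "session_last_activity": NOW - timedelta(minutes=20)},
    {"user": "ito_mum07", "enabled": True, "last_login": NOW - timedelta(days=45),
     "session_last_activity": None},
    {"user": "vendor_svc", "enabled": False, "last_login": NOW - timedelta(days=120),
     "session_last_activity": None},
]
SAMPLE_HISTORY = [_digest("Winter2023!xyz")]  # one retained previous password

if __name__ == "__main__":
    print(check_password("Winter2023!xyz", SAMPLE_HISTORY, "ao_delhi01"))
    print(check_password("Correct-Horse-42b", SAMPLE_HISTORY, "ao_delhi01"))
    print(review_accounts(SAMPLE_ACCOUNTS, NOW))
```

Two points a practitioner would keep: the reuse check compares digests rather than plaintext, so the history store never holds old passwords in clear, and the candidate itself is never written to any log or return value, only the names of the rules it fails.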
..... The incident scenarios should be based on the criticality and sensitivity of information and the threat ecosystem around the organization. SM.G2
* Security intelligence information: The organization must establish the capability to monitor and record specific information about vulnerabilities (existing and new) that could affect information, systems & assets. SM.G3
* Enterprise log management: The organization must ensure that logs are collected, stored, retained and analyzed for the purpose of identifying compromise or breach. SM.G4
* Deployment of skilled resources: The organization must deploy adequate resources and skills for the investigation of information security incidents, such as building competencies in digital forensics. SM.G5
* Disciplinary action: The organization must establish procedures for dealing with individuals involved in or being party to incidents. SM.G6
* Structure & responsibility: The organization should define and establish the roles and responsibilities of all stakeholders of the incident management team, including reporting measures, escalation metrics, SLAs and their contact information. SM.G7
* Incident management awareness and training: The organization mus .....

..... t occurred
  c. A description of the incident, including the information, asset & system, personnel and locations involved
  d. Action taken, resolution imparted and the corresponding update in the knowledge base SM.C6
* Configuring devices for logging: The organization must configure devices to generate the log information required to identify security compromise or breach. SM.C7
* Activity logging: The organization must define a process for the collection, management and retention of log information from all information sources.
  a. The scope of log generation should be extended to all critical systems. SM.C8
* Log information: Logs must contain, at a minimum, the following information: unauthorized update/access, starting/ending date and time of activity, user identification, sign-on and sign-off activity, connection session or terminal, file services such as file copying and search, successful and unsuccessful log-in attempts, activities of privileged user IDs, changes to user access rights, details of password changes, modifications to software etc.
  a. The organization must ensure that time consistency is maintained between all log sources through mechanisms such as time stamping and syn .....

..... ations or business processes and what information is accessed
  c. Applications: usage of applications, transactions, access points, file systems which hold sensitive information
  d. Networks: traffic patterns, sessions and protocol management which are used to access the information
  e. Databases: access patterns, read & update activity, database queries on information
  f. Data: access and transactions on the amount of unstructured/structured data, sensitivity of data such as PII, PHI, financial information etc. SM.IG1
* Incident management: The organization must establish a security incident response procedure with the necessary guidance on the security incident response and handling process. The procedure must be communicated to all employees, management and third-party staff located at the organization's facility.
  a. The organization should establish guidelines for the prioritization of information security incidents based on the criticality of information on the affected resources (e.g. servers, networks, applications etc.) and the potential technical effects of such incidents (e.g. denial of service, information stealing etc.) on usage of and access to information.
  b. Organization sh .....
r media (or other systems) which are separated from the compromised system or network d. Keep a record of all actions taken during this stage e. Check any systems associated with the compromised system through shared network-based services or through any trust relationship f. Isolate the compromised computer or system temporarily to prevent further damage to other interconnected systems, or to prevent the compromised system from being used to launch attack on other connected systems g. Remove user access or login to the system h. Ensure that incidents are reported in timely manner so that fastest possible remedial measures can be taken to reduce further damage to the IT assets SM.IG4 * Escalation processes: The organization must create and periodically update an escalation process to address different types of incidents and facilitate coordination amongst various functions and personnel during the lifecycle of the incident a. The escalation procedure must identify and establish points of contact, at various levels of hierarchy, both within the organization and with vendors and third parties responsible for hardware/ software b. Maintain an updated list containing d ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... ing access to log files, securing transfer of log information and securing logs in storage b. Organization should integrate the log architecture with packaged applications or/and customized systems. There should be standardized log formats of unsupported event sources which may lead to information security incidents c. Log archival, retention and disposal measures should be deployed as per the compliance requirements of the organization SM.IG8 * Log Information: Ensure that system logs contain information capture including all the key events, activity, transactions such as: a. Individual user accesses; b. Rejected systems, applications, file and data accesses; c. Attempts and Other failed actions; d. 
Privileged, administrative or root accesses; e. Use of identification and authentication mechanisms; f. Remote and wireless accesses; g. Changes to system or application configurations; h. Changes to access rights; i. Use of system utilities; j. Activation or deactivation Of security systems; k. Transfer of classified information l. Deletion and modification of classified information m. System crashes n. Unexpected large deviation on system clock o. ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... sposed as per standard data disposal policy e. Log information of all administrative and privilege accounts activity must also be maintained f. Log information must be protected from modification or unauthorized access SM.IG11 * Deployment of skilled resources: The organization must define the resources and management support needed to effectively maintain and mature an incident response capability a. Individuals conducting incident analyses must have the appropriate skills and technical expertise to analyze the changes to information systems and the associated security ramifications b. The organization must trains personnel in their incident response roles and responsibilities with respect to the information system c. The organization should incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations d. The organization should develop competencies in cyber forensics and investigations or seek support from authorized cyber investigation agencies SM.IG12 * Incident reporting: The organization must ensure that appropriate procedures are followed to enable reporting of incidents both by employees and ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... 
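The log-content requirements in SM.C8 and SM.IG8, and the time-consistency requirement in SM.C8(a) and SM.IG8(n), are the kind of thing a log-collection team can check mechanically. The following is an added example, not code from the guideline document or from the Department: it audits a batch of JSON log lines for the minimum fields, flags records whose source timestamp disagrees with the collector's receipt time by more than a tolerance, and reports which event kinds a source has never emitted (a source that never reports a login failure is usually misconfigured, SM.C6, or not forwarding, SM.C7). The field names, event labels, skew tolerance and sample records are all constructed assumptions; real device schemas differ.

```python
"""Audit collected log records against the SM.C8 / SM.IG8 minimum content
and the SM.C8(a) / SM.IG8(n) clock-consistency requirements.

Added example. Field names, event labels, the skew tolerance and the
sample records are constructed assumptions, not a standard schema.
"""
import json
from datetime import datetime, timedelta

# Minimum per-record fields (assumed names) mapped from SM.C8: date/time of
# activity, user identification, connection session or terminal, the event,
# plus the collector's own receipt time used for the clock check.
REQUIRED_FIELDS = ("timestamp", "received", "source", "user", "session", "event")

# Event kinds every source should be able to emit, drawn from the SM.C8 and
# SM.IG8 lists (assumed labels).
REQUIRED_EVENT_KINDS = {
    "login_success", "login_failure", "privileged_access",
    "access_rights_change", "password_change", "config_change",
}

# Assumed tolerance between a source's clock and the collector's clock.
MAX_SKEW = timedelta(seconds=60)


def parse_ts(value):
    """Parse an ISO-8601 timestamp; a trailing Z is accepted as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def missing_fields(record):
    """Return the SM.C8 minimum fields that are absent or empty in one record."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def clock_skew(record):
    """Gap between the source's own timestamp and the collector's receipt time.
    A large gap means the source clock is not synchronised (SM.C8(a)) or has
    jumped (SM.IG8(n))."""
    return abs(parse_ts(record["received"]) - parse_ts(record["timestamp"]))


def audit(lines, max_skew=MAX_SKEW):
    """Audit JSON log lines. Returns (findings, coverage): findings is a list of
    (line_no, issue) tuples, coverage maps source -> set of event kinds seen."""
    findings = []
    coverage = {}
    for line_no, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except ValueError:
            findings.append((line_no, "unparseable"))
            continue
        missing = missing_fields(record)
        if missing:
            findings.append((line_no, "missing:" + ",".join(missing)))
        if "timestamp" not in missing and "received" not in missing:
            if clock_skew(record) > max_skew:
                findings.append((line_no, "clock_skew:" + str(record.get("source"))))
        source = record.get("source")
        if source:
            coverage.setdefault(source, set()).add(record.get("event"))
    return findings, coverage


def uncovered_event_kinds(coverage, required=REQUIRED_EVENT_KINDS):
    """Per source, the required event kinds never observed in the batch."""
    return {src: sorted(required - seen) for src, seen in coverage.items()}


# Constructed sample batch: three sources; db-02 has a clock 15 minutes
# behind the collector, app-03 omits the session, the last line is garbage.
SAMPLE_LINES = [
    '{"timestamp":"2024-01-10T09:00:00Z","received":"2024-01-10T09:00:01Z","source":"fw-01","user":"admin","session":"tty1","event":"privileged_access"}',
    '{"timestamp":"2024-01-10T09:00:05Z","received":"2024-01-10T09:00:06Z","source":"fw-01","user":"ops1","session":"ssh-44","event":"login_failure"}',
    '{"timestamp":"2024-01-10T08:45:00Z","received":"2024-01-10T09:00:07Z","source":"db-02","user":"svc_db","session":"conn-9","event":"login_success"}',
    '{"timestamp":"2024-01-10T09:00:08Z","received":"2024-01-10T09:00:08Z","source":"app-03","user":"alice","session":"","event":"password_change"}',
    'not json at all',
]

if __name__ == "__main__":
    found, cov = audit(SAMPLE_LINES)
    for line_no, issue in found:
        print(f"line {line_no}: {issue}")
    for src, gaps in uncovered_event_kinds(cov).items():
        print(f"{src}: never reported {gaps}")
```

Run against the sample batch it reports the clock skew on the db-02 record, the empty session on the app-03 record and the unparseable line, and lists for each source the SM.C8 event kinds it has not been seen to emit. The receipt-time comparison is what makes the SM.C8(a) check possible without trusting the source: the collector stamps each record on arrival, so a source that drifts or is reset shows up as a growing gap rather than silently reordering the timeline.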
..... tion | SM.C11 | SM.C11 | SM.C11 | SM.C11
Deployment of skilled resources | SM.C12 | SM.C12 | SM.C12 | SM.C12
Incident reporting | SM.C13 | SM.C13 | SM.C13 | SM.C13
Sharing of log information with law enforcement agencies | SM.C14 | SM.C14 | SM.C14 | SM.C14
Communication of incidents | SM.C15 | SM.C15 | SM.C15 | SM.C15
Implementation Guidelines
Security incident monitoring | SM.IG1, SM.IG1 (a) to (f) | SM.IG1, SM.IG1 (a) to (f) | SM.IG1, SM.IG1 (a) to (f) | SM.IG1, SM.IG1 (a) to (f)
Incident management | SM.IG2, SM.IG2 (a) to (d) | SM.IG2, SM.IG2 (a) to (d) | SM.IG2 (c),(d) | SM.IG2 (c),(d)
Incident identification | SM.IG3, SM.IG3 (a) to (h) | SM.IG3, SM.IG3 (a) to (h) | SM.IG3, SM.IG3 | SM.IG3, SM.IG3 (g),(h)
Incident evaluation | SM.IG4, SM.IG4 (a) to (h) | SM.IG4, SM.IG4 (a) to (h) | SM.IG4, SM.IG4 (a) to (h) | SM.IG4, SM.IG4 (a) to (h)
Escalation processes | SM.IG5, SM.IG5 (a) to (e) | SM.IG5, SM.IG5 (a) to (e) | SM.IG5, SM.IG5 (a) to (e) | SM.IG5, SM.IG5 (a) to (e)
Breach information | SM.IG6, SM.IG6 (a),(b) | SM.IG6, SM.IG6 (a),(b) | SM.IG6, SM.IG6 (a),(b) | SM.IG6, SM.IG6 (a),(b) .....