Security Management Plan - Template v1.0


Security Management Plan

PharmaUniversity
2022
Table of contents

1 Introduction
1.1 Background
1.2 Purpose
1.3 Readership
2 Solution Overview
2.1 Security control overview
2.2 Secure architecture scope
3 Scope
3.1 Assurance Approach
3.2 Assurance Frameworks
3.3 Scope of Security Services
3.4 Security Services Out Of Scope
4 Information Security Management System
4.1.1 Certification delivery schedule
4.1.2 Risk Management
4.1.3 Continual Improvement
4.1.4 Effectiveness measures
4.2 Security Testing
4.2.1 Scheduled penetration testing
4.2.2 Specific testing - considerations
5 Information Security Policies
5.1 Policies and Standards
6 Organisation of Information Security
6.1 Operational Model
6.1.1 Roles and Responsibilities
6.1.2 Segregation of Duties
6.1.3 Privacy by Design
6.2 Teleworking
7 Personnel Security
7.1 Prior to joining
7.2 During employment
7.2.1 Management Responsibilities
7.2.2 Security Training
7.2.3 Disciplinary process
7.3 Termination and Change of Employment
8 Asset Management
8.1 Responsibility for assets
8.1.1 Inventory of Assets
8.1.2 Ownership of assets
8.1.3 Acceptable Use of Assets
8.2 Information classification
8.2.1 Classification of information
8.2.2 Labelling of information
8.2.3 Handling of assets
8.3 Media handling
8.3.1 Management of Removable media
8.3.2 Disposal of media
8.3.3 Physical media transfer
9 Access Control
9.1 Business requirements of access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control
9.4.1 Privileged utility programs
9.4.2 Program source code
10 Cryptography
10.1 Encryption of Data in Transit
10.2 Encryption of Data at Rest
10.3 Certificate and Key Management
11 Physical & Environmental Security
11.1 Secure Areas
11.2 Equipment Security
12 Operations Security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.4.1 Event Logging
12.4.2 Protection of log information
12.4.3 Clock Synchronisation
12.5 Control of operational software
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information systems audit considerations
13 Network controls
13.1.1 Security of network services
13.2 Information transfer
13.2.1 Agreements on information transfer
13.2.2 Electronic messaging
13.2.3 Confidentiality or non-disclosure agreements
14 System Acquisition, Development and Maintenance
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification
14.1.2 Securing application services on public networks
14.1.3 Protecting application services transactions
14.2 Security in development and support processes
14.2.1 Secure development policy
14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.5 Secure systems engineering principles
14.2.6 Secure development environment
14.2.7 Outsourced development
14.2.8 System security testing
14.2.9 System Acceptance Testing
14.3 Test data
15 Supplier Relationships
15.1 Information security in supplier relationships
16 Information Security Incident Management
16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
17 Business Continuity
17.1 Information security continuity
17.1.1 Planning information security continuity
17.1.2 Implementing information security continuity
17.1.3 Verify, review and evaluate information security continuity
17.1.4 Resilience
18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation and contractual requirements
18.1.2 Intellectual property rights
18.1.3 Protection of records
18.1.4 Privacy and protection of personally identifiable information
18.1.5 Regulation of cryptographic controls
18.2 Information security reviews
18.2.1 Independent review of information security
18.2.2 Compliance with security policies and standards
18.2.3 Technical compliance review
Approval History

Version | Reviewed By | Approved By | Approver's Position | Date Approved | Next Review Date

Revision History

Version | Date | Author | Description


Glossary:

Abbreviations

Abbreviation | Expansion
SMP | Security Management Plan

1 Introduction
1.1 Background

1.2 Purpose

1.3 Readership
2 Solution Overview
2.1 Security control overview
2.2 Secure architecture scope
3 Scope
3.1 Assurance Approach

3.2 Assurance Frameworks

3.3 Scope of Security Services

3.4 Security Services Out Of Scope


4 Information Security Management System

e.g. Figure 4.1 ISO/IEC 27001:2013 control coverage

4.1.1 Certification delivery schedule

4.1.2 Risk Management

e.g. Figure 4.1.2 Risk method

e.g. Impact levels

e.g. Probability levels

4.1.3 Continual Improvement

4.1.4 Effectiveness measures

4.2 Security Testing

4.2.1 Scheduled penetration testing

e.g. Figure 4.2.1 Penetration testing schedule for PharmaUniversity

4.2.2 Specific testing - considerations


5 Information Security Policies

e.g. The Information Security policy is structured in accordance with ISO/IEC 27001:2013. Note that ISO/IEC 27001:2022 (published October 2022) reorganises Annex A into 93 controls under four themes, so the 2013 control references used throughout this plan will need to be re-mapped when the ISMS transitions to the 2022 edition.

5.1 Policies and Standards


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>
6 Organisation of Information Security
6.1 Operational Model
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

6.1.1 Roles and Responsibilities

6.1.2 Segregation of Duties


ISO/IEC 27001 Control References | Control Description
Sec. | Obj. | Control# | Control Desc
5.1 | 5.2.3 | |

HINT: Joiners / Movers / Leavers process?

6.1.3 Privacy by Design


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

6.2 Teleworking
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>
7 Personnel Security
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

7.1 Prior to joining

7.2 During employment


7.2.1 Management Responsibilities
7.2.2 Security Training

7.2.3 Disciplinary process


7.3 Termination and Change of Employment

8 Asset Management
8.1 Responsibility for assets
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

8.1.1 Inventory of Assets

8.1.2 Ownership of assets

8.1.3 Acceptable Use of Assets

8.2 Information classification


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

8.2.1 Classification of information

Type | Description
A | ?
B |
C |
D |
E |

The following table further identifies the types of data associated with each of the sub-sets identified in the previous table (if required):

Information | PharmaUniversity Classification | Type | Notes
e.g. Personal information | ? | B | Protection of personal information as defined by the Data Protection Act (DPA)
e.g. Sensitive personal information as defined by the Data Protection Act (DPA) | ? | A | Protection of sensitive personal information. Note the more sensitive information may be marked Official-Sensitive
e.g. Legal privilege information | ? | A or B | Treat as sensitive personal information
e.g. Witness information | ? | A | Specifically sensitive, as compromise may cause personal injury. Note the more sensitive information may be marked Official-Sensitive

8.2.2 Labelling of information

8.2.3 Handling of assets

8.3 Media handling


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

8.3.1 Management of Removable media

8.3.2 Disposal of media

8.3.3 Physical media transfer


9 Access Control
9.1 Business requirements of access control
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

9.2 User access management


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

9.3 User responsibilities


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

9.4 System and application access control


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

9.4.1 Privileged utility programs


9.4.2 Program source code
10 Cryptography
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

10.1 Encryption of Data in Transit


The following table summarises the security controls that will be implemented to protect data in transit for the various solutions within PharmaUniversity.

Solution Components | Encryption Methodology | Key Management Process | Compliance Level
e.g. VPN | IPsec | Securely locked on VPN gateway devices | NCSC Foundation or PRIME profile
e.g. Business applications to end users | TLS 1.2 | Digital certificates | NCSC assured level

TLS 1.2 is the floor, not the target: TLS 1.3 should be used where both ends support it, SSL and TLS 1.0/1.1 must be disabled, and server certificates must be validated against a trusted CA with hostname checking. A TLS 1.2 connection with certificate verification switched off encrypts the traffic but authenticates nothing, so it does not meet the intent of this control.
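The following is an added example, not part of the plan or of any PharmaUniversity system, showing how the data-in-transit baseline in the table above (TLS 1.2 minimum, certificate-based authentication of the server) can be enforced and audited in application code using Python's standard `ssl` module. The function names, the `MIN_TLS` constant and the "legacy" context are the example's own; the legacy context reproduces the common "disable verification to make the error go away" change so the audit has something to flag.

```python
"""Added example: enforce and audit a TLS 1.2-minimum, certificate-verified
baseline on ssl.SSLContext objects. Names here are the example's own, not
from the Security Management Plan."""
import ssl
from typing import List, Optional

# Baseline taken from the data-in-transit table: TLS 1.2 is the floor and the
# peer must present a certificate that chains to a trusted CA and matches the
# hostname we asked for.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that meets the baseline.

    cafile=None falls back to the platform trust store; pass an internal CA
    bundle for services issued from a private PKI."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = MIN_TLS          # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True               # certificate must match the server name
    ctx.verify_mode = ssl.CERT_REQUIRED     # no unverified or anonymous peers
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """A context that fails the baseline: verification switched off and, where
    the local OpenSSL build still allows it, TLS 1.0 re-enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE         # accepts any certificate, or none
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        # OpenSSL built without TLS 1.0 support: the version floor stays as-is.
        pass
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the baseline violations found in ctx (an empty list is compliant).

    This is the check to run in code review or a unit test against every
    SSLContext a service constructs, so a weakened context cannot ship."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append(
            f"minimum TLS version {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "compliant")
    print("legacy:  ", audit_context(legacy_client_context()))
```

The ordering in `legacy_client_context` matters in the other direction too: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still `True`, which is why weakened contexts in real code almost always clear both, and why the audit checks both independently rather than inferring one from the other.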
10.2 Encryption of Data at Rest
10.3 Certificate and Key Management
11 Physical & Environmental Security
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

11.1 Secure Areas


11.2 Equipment Security


12 Operations Security
12.1 Operational procedures and responsibilities
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

12.1.1 Documented operating procedures


12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments

12.2 Protection from malware


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

12.3 Backup
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

12.4 Logging and monitoring


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

12.4.1 Event Logging

12.4.2 Protection of log information

12.4.3 Clock Synchronisation


12.5 Control of operational software
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

12.6 Technical vulnerability management


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

12.6.1 Management of technical vulnerabilities

12.6.2 Restrictions on software installation

12.7 Information systems audit considerations


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

13 Network controls
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

13.1.1 Security of network services

13.2 Information transfer


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

13.2.1 Agreements on information transfer

13.2.2 Electronic messaging

13.2.3 Confidentiality or non-disclosure agreements


14 System Acquisition, Development and Maintenance
14.1 Security requirements of information systems
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

14.1.1 Information security requirements analysis and specification


14.1.2 Securing application services on public networks
14.1.3 Protecting application services transactions

14.2 Security in development and support processes


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

14.2.1 Secure development policy


14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.5 Secure systems engineering principles
14.2.6 Secure development environment
14.2.7 Outsourced development
14.2.8 System security testing
14.2.9 System Acceptance Testing

14.3 Test data


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

HINT: From 25 May 2018 the General Data Protection Regulation (GDPR) also applies to any personal data used as test data; in the UK this is now the UK GDPR read together with the Data Protection Act 2018. Production personal data should be anonymised or synthetic data used instead.


15 Supplier Relationships
15.1 Information security in supplier relationships
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>
16 Information Security Incident Management

ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

16.1.1 Responsibilities and procedures


A security incident handling governance framework will place overall control of the process with the PharmaUniversity Operational Security Team.
The table below lists the roles and responsibilities identified in the process:

Role | Who | Description
e.g. Operational Security Team | PharmaUniversity | ?
3rd Party? | ? |

16.1.2 Reporting information security events


16.1.3 Reporting information security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
17 Business Continuity
17.1 Information security continuity
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

17.1.1 Planning information security continuity

17.1.2 Implementing information security continuity

17.1.3 Verify, review and evaluate information security continuity


17.1.4 Resilience
18 Compliance
18.1 Compliance with legal and contractual requirements
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

18.1.1 Identification of applicable legislation and contractual requirements

HINT what various legislation / acts are relevant?

18.1.1.1 General Data Protection Regulation (GDPR)

18.1.1.2 Law Enforcement Directive (LED)

18.1.2 Intellectual property rights


18.1.3 Protection of records
18.1.4 Privacy and protection of personally identifiable information
18.1.5 Regulation of cryptographic controls

18.2 Information security reviews


ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>

18.2.1 Independent review of information security


18.2.2 Compliance with security policies and standards
18.2.3 Technical compliance review
APPENDIX 1 - Assets

APPENDIX 2 - Risks
APPENDIX 3 – Controls
APPENDIX 4 – Estimated Effectiveness
APPENDIX 5 – Security Policy
APPENDIX 6 – Key Barriers
