Security Management Plan - Template v1.0
PharmaUniversity
2022
Table of contents
1 Introduction
1.1 Background
1.2 Purpose
1.3 Readership
2 Solution Overview
2.1 Security control overview
2.2 Secure architecture scope
3 Scope
3.1 Assurance Approach
3.2 Assurance Frameworks
3.3 Scope of Security Services
3.4 Security Services Out Of Scope
4 Information Security Management System
4.1.1 Certification delivery schedule
4.1.2 Risk Management
4.1.3 Continual Improvement
4.1.4 Effectiveness measures
4.2 Security Testing
4.2.1 Scheduled penetration testing
4.2.2 Specific testing - considerations
9 Access Control
9.1 Business requirements of access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control
9.4.1 Privileged utility programs
9.4.2 Program source code
10 Cryptography
10.1 Encryption of Data in Transit
10.2 Encryption of Data at Rest
10.3 Certificate and Key Management
11 Physical & Environmental Security
11.1 Secure Areas
11.2 Equipment Security
12 Operations Security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.4.1 Event Logging
12.4.2 Protection of log information
12.4.3 Clock Synchronisation
12.5 Control of operational software
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information systems audit considerations
13 Network controls
13.1.1 Security of network services
13.2 Information transfer
13.2.1 Agreements on information transfer
13.2.2 Electronic messaging
13.2.3 Confidentiality or non-disclosure agreements
17 Business Continuity
17.1 Information security continuity
17.1.1 Planning information security continuity
17.1.2 Implementing information security continuity
17.1.3 Verify, review and evaluate information security continuity
17.1.4 Resilience
18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation and contractual requirements
18.1.2 Intellectual property rights
18.1.3 Protection of records
18.1.4 Privacy and protection of personally identifiable information
18.1.5 Regulation of cryptographic controls
18.2 Information security reviews
18.2.1 Independent review of information security
18.2.2 Compliance with security policies and standards
18.2.3 Technical compliance review
Approval History
Version: | Reviewed By: | Approved By: | Approver's Position: | Date Approved: | Next Review Date:
Revision History
Abbreviations
Abbreviation Expansion
1 Introduction
1.1 Background
1.2 Purpose
1.3 Readership
2 Solution Overview
2.1 Security control overview
2.2 Secure architecture scope
3 Scope
3.1 Assurance Approach
Joiners
Movers
Leavers…process?
6.2 Teleworking
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>
7 Personnel Security
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>
7.4
8 Asset Management
8.1 Responsibility for assets
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>
Type Description
A ?
B
C
D
E
The following table further identifies the types of data associated with each of the sub-sets identified in the previous table (if required):
e.g. Business applications to end users | TLS 1.2 | Digital certificates | NCSC assured level
10.2 Encryption of Data at Rest
10.3 Certificate and Key Management
11 Physical & Environmental Security
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>
12.3 Backup
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>
13 Network controls
ISO/IEC 27001 Control References Control Description
Sec. Obj. Control# <description>
APPENDIX 2 – Risks
APPENDIX 3 – Controls
APPENDIX 4 – Estimated Effectiveness
APPENDIX 5 – Security Policy
APPENDIX 6 – Key Barriers