Grading chart Bad Mediocre Good

IM = Identity Management 5. Security Policy 5.1 Information security policy

5.1.1 5.1.2 6. 6.1

Information security policy document Review of the information policy Organization of information security Network security management

X X

IM IM

6.1.2

Information security coordination

IM

6.1.5 6.2

Confidentiality agreements External parties

UAM

IM

6.2.1 6.2.2 8.1

Identification of risks related to external parties Addressing security when dealing with customers Prior to employment

UAM UAM

X X

8.1.1 8. 8.2

Roles and responsibilities Human resources security During employement Information, security awareness, education and training Termination of change of employment

UAM

8.2.2 8.3

IM

8.3.1

Termination of responsibilities

UAM

8.3.3 10. 10.1

Removal of access rights Communications and operations management Operational procedures and responsibilities

UAM

10.1.3 Segregation of duties 11. Access control 11.1 Business requirments for access control 11.1.1 Access control policy 11.2 "User access management"

UAM

UAM

IM

11.2.1 11.2.2 11.2.3 11.2.4 11.3

User registration Privilige management User password management Review of user access rights "User responsibilities"

X X X X

UAM UAM IM UAM

11.3.1 Password use 11.5 "Operating system access control" 11.5.2 User identification and authentication 11.5.1 Secure log-on procedures

UAM

X X

IM UAM

11.5.3 Password management system 11.6 "Application and information access control" 11.6.1 Information access restriction 11.7 "Mobile Computing and Teleworking" 11.7.1 Mobbile computing and communications 11.7.2 Teleworking

UAM

UAM

X X

IM IM

DS5.3

Identity management

UAM

DS5.4

User account management

IM

IST-Position according to standards

At the moment there are not procedures for User Account Management. They do not have a security policy document. The policy are not reviewed at significant changes. They have a policy, but it is created a few years ago.

Information security activites are coordinated by the representatives from different parts of the organizstion (HR Department and IT Systems Department)

The IT Systems Department uses a list of Authorised Employees and has a printed copy of relevant pages of the ISO standard on information security with regard to User Access Management. Some policy statements were documented recently, but the document is not official yet because the management of the IT Systems Department has not approved the draft policy yet. A copy of the policy could not be found and may be delivered later with regard to the audit that will be carried out.

There is a procedure for removal of user accounts from employees that leave the company within one month after discharge. Dismissal is passed by HRM to IT system administration and IT system administration removes the account.

When an employee changes jobs or needs additional access rights the direct manager contacts IT system administration for efficiency reasons. IT system administration checks whether the requesting manager is on the list of authorized applicants. Sometimes it happens additional rights are assigned (too) hastily. It is possible that an employee collects so many additional rights within a system that he can do just about everything with a system.

All users have a unique identifier, account and password. One main rule for user passwords is known by everyone in our organisation: everyone needs to use a strong password of at least 8 positions and some additional requirements. It is not possible to bypass the strong password rule thanks to our IT Systems Department that enforced this rule for all our information systems.

IST-Position according to standards

SOLL-Position according to standards

An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions

Requirements for confidentiality or non-disclosure agreements reflecting the organization's need for the protection of information shall be identified and regurly reviewed The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access All identified requirements shall be addressed before giving customers access to the organization's information assets

Security roles and responsibilities of employees, contractors and third party users shall be defined and documentated in accordance with the organization's information security policy

All employees of the organization and, where relevant, contractors and third party users shall receive appropiate awareness training and regular updates in organizational policies and procedures, as relevant for their job function

Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned

The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change

Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets

An access control policy shall be established, documented, and reviewed based on business and security requirements for access.

There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services The allocation and use of priviliges shall be restricted and controlled The allocation of passwords shall be controlled trough a formal management process Management shall review user access rights at regular intervals using a formal process

Users shall be required to follow good security practices in the selection and use of passwords All users shall have a unque identifier (User ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user Access to operating system shall be controlled by a secure log-on procedure.

Systems for managing passwords shall be interactive and shall ensure quality passwords Access to information and application system functions by users and support personel shall be restricted in accordance with the defined acess control policy Control: A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing Control: A policy, operational plands and procedures shall be developed and implemented for teleworking activities

SOLL-Position according to standards

All users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. User identities are enabled via authentication mechanisms. User access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. User access rights are requested by user management, approved by system owners and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Deploy cost-effective technical and procedural measures are deployed, and kept current to establish user identification, implement authentication and enforce access rights. Requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed with a set of user account management procedures. An approval procedure outlining the data or system owner granting the access privileges is included. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Regular management review of all accounts and related privileges are performed.

GRADE

GRADE