TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

					Target2-Securities Project Team




                           TARGET2-SECURITIES


          INFORMATION SECURITY REQUIREMENTS
Reference:   T2S-07-0270
Date:        09 October 2007
Version:     0.1
Status:      Draft
                                       Target2-Securities - User Requirements
                                                     Information Security




                                         TABLE OF CONTENTS
1 Introduction
2 Information Security Policy
3 Organisation of information security
   3.1 Internal Organisation
   3.2 External Parties
4 Asset management
   4.1 Responsibility for assets
   4.2 Information classification
5 Human resource security
   5.1 Prior to employment
   5.2 During employment
   5.3 Termination or change of employment
6 Physical and environmental security
   6.1 Secure areas
   6.2 Equipment security
7 Communications and operations management
   7.1 Operational procedures and responsibilities
   7.2 Third party service delivery management
   7.3 System planning and acceptance
   7.4 Protection against malicious and mobile code
   7.5 Back-up
   7.6 Network security management
   7.7 Media handling
   7.8 Exchange of information and software
   7.9 Monitoring
8 Access control
   8.1 Business requirements for access control
   8.2 User access management
   8.3 User responsibilities
   8.4 Network access control
   8.5 Operating system access control
   8.6 Application and information access control
   8.7 Mobile computing and communications
9 Information systems acquisition, development and maintenance
   9.1 Security requirements of information systems
   9.2 Correct processing in applications
   9.3 Cryptographic controls
   9.4 Security of system files
   9.5 Security in development and support process
   9.6 Technical Vulnerability Management
10 Information security incident management
   10.1 Reporting information security events and weaknesses
   10.2 Management of information security incidents and improvements
11 Information security aspects of business continuity management
12 Compliance
   12.1 Compliance with legal requirements
   12.2 Compliance with security policies and technical compliance
   12.3 Information systems audit considerations







22     Information Security Requirements

22.1 Introduction
T2S is a systemically critical system that will be operated and used by different
organisations that are independent of each other. Considering the risks to such a system,
information security is a crucial part of the T2S definition. Therefore, to ensure an
appropriate level of security, T2S will be fully compliant with the state-of-the-art
information security standard ISO 17799, recently renumbered as ISO/IEC 27002:2005.
The following sections present a list of high-level security requirements extracted from
ISO 17799 and slightly amended where necessary. This list will form the basis for the
development of the General Functional Specification in the next project phase.
In accordance with the ISO standard, an Information Security Policy shall be defined and
endorsed to create the reference for a comprehensive risk management framework for the T2S
information system; subsequently, the T2S security requirements and controls will be
specified.

22.2 Information Security Policy
Objective: To provide management direction and support for information security in
accordance with business requirements and relevant laws and regulations.

22.2.1.1 Information security policy document
 Requirement               IS.1
 Source                    TG6

An Information security policy document shall be approved by the system owner and the
governance body of T2S, published and communicated to all relevant parties as appropriate.

22.2.1.2 Review of the information security policy
 Requirement               IS.2
 Source                    TG6

The T2S information security policy shall be reviewed at planned intervals or if significant
changes occur to ensure its continuing suitability, adequacy, and effectiveness.







22.3 Organisation of information security
Objective: To manage information security for T2S.

22.3.1 Internal Organisation

22.3.1.1 Management commitment to information security
 Requirement                IS.3
 Source                     TG6

The system owner shall actively and visibly support information security for T2S through
clear direction, demonstrated commitment, explicit assignment and acknowledgement of
information security responsibilities.

22.3.1.2 Information security co-ordination
 Requirement                IS.4
 Source                     TG6

Information security activities shall be co-ordinated by the system owner, T2S governance
body and other relevant parties with relevant roles and job functions.

22.3.1.3 Allocation of information security responsibilities
 Requirement                IS.5
 Source                     TG6

All information security responsibilities shall be clearly defined.

22.3.1.4 Authorisation process for information processing facilities
 Requirement                IS.6
 Source                     TG6

A management authorisation process for T2S shall be defined and implemented.

22.3.1.5 Contact with authorities
 Requirement                IS.7
 Source                     TG6

Appropriate contacts with relevant authorities shall be maintained.

22.3.1.6 Contact with special interest groups
 Requirement                IS.8
 Source                     TG6






Appropriate contacts with special interest groups shall be maintained.

22.3.1.7 Confidentiality agreements
 Requirement                 IS.9
 Source                      TG6

Confidentiality or non-disclosure agreements shall be in place and regularly reviewed.

22.3.1.8 Independent review of information security
 Requirement                 IS.10
 Source                      TG6

The T2S approach to managing information (system) security and its implementation shall be
reviewed independently at planned intervals or when significant changes to the security
implementation occur.

22.3.2 External Parties
Objective: To maintain the security of T2S information processing facilities and
information assets to be accessed, processed, communicated or managed by external
parties.

22.3.2.1 Identification of risks related to external parties
 Requirement                 IS.11
 Source                      TG6

The risks to T2S information and information processing facilities from business processes
involving external parties shall be identified and appropriate security controls implemented
before granting access.

22.3.2.2 Addressing security when dealing with customers
 Requirement                 IS.12
 Source                      TG6

All identified security requirements shall be addressed before giving customers access to
T2S information or assets.

22.3.2.3 Addressing security in third party arrangements
 Requirement                 IS.13
 Source                      TG6

Agreements with third parties involving accessing, processing, communicating or managing
T2S information or information processing facilities, or adding products or services to
information processing facilities shall cover all relevant security requirements.






22.4 Asset management

22.4.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of T2S assets.

22.4.1.1 Inventory of assets
 Requirement                   IS.14
 Source                        TG6

All T2S assets shall be clearly identified and an inventory of all important assets shall be
drawn up and maintained.

22.4.1.2 Ownership of assets
 Requirement                   IS.15
 Source                        TG6

All information and assets associated with information processing facilities shall be owned
by a designated part of the T2S organisation.

22.4.1.3 Acceptable use of assets
 Requirement                   IS.16
 Source                        TG6

Rules for the acceptable use of information and assets associated with T2S information
systems and assets shall be identified, documented and implemented.

22.4.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.

22.4.2.1 Classification guidelines
 Requirement                   IS.17
 Source                        TG6

Information shall be classified in terms of value, sensitivity and criticality to T2S.

22.4.2.2 Information labelling and handling

 Requirement                   IS.18
 Source                        TG6

An appropriate set of procedures for information labelling and handling shall be developed
and implemented in accordance with the classification scheme adopted by T2S.






22.5 Human resource security

22.5.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their
responsibilities, and are suitable for the roles they are considered for, and to reduce the risks
of human error, theft, fraud or misuse of facilities.

22.5.1.1 Roles and responsibilities
 Requirement                IS.19
 Source                     TG6

Security roles and responsibilities of employees, contractors and third party users shall be
defined and documented in accordance with the T2S information security policy.

22.5.1.2 Screening
 Requirement                IS.20
 Source                     TG6

Background verification checks on all candidates for employment, contractors and third
party users shall be carried out in accordance with relevant laws and regulations and ethics,
and proportional to the business requirements, the classification of the information to be
accessed, and the perceived risks.

22.5.1.3 Terms and conditions of employment
 Requirement                IS.21
 Source                     TG6

As part of their contractual obligation, employees, contractors and third party users shall
agree and sign the terms and conditions of their employment contract, which shall state
their and the T2S organisation’s responsibilities for information security.

22.5.2 During employment
Objective: To ensure that all employees, contractors and third party users are aware of
information security threats and concerns, their responsibilities and liabilities, and are
equipped to support security policy in the course of their normal work, and to reduce the
risk of human error.

22.5.2.1 Management responsibilities

 Requirement                IS.22
 Source                     TG6

Management shall encourage employees, contractors and third party users to apply security
in accordance with established policies and procedures of the T2S organisation.




22.5.2.2 Information awareness, education and training
 Requirement                IS.23
 Source                     TG6

All employees of the T2S organisation and, where relevant, contractors and third party
users shall receive appropriate awareness training and regular updates in T2S policies and
procedures, as relevant for their job function.

22.5.2.3 Disciplinary process
 Requirement                IS.24
 Source                     TG6

There shall be a formal disciplinary process for employees, contractors and third party users
who have committed a security breach.

22.5.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organisation or
change employment in an orderly manner.

22.5.3.1 Termination responsibilities
 Requirement                IS.25
 Source                     TG6

Responsibilities for performing employment termination or change of employment shall be
clearly defined and assigned.

22.5.3.2 Return of assets
 Requirement                IS.26
 Source                     TG6

All employees, contractors and third party users shall return all T2S assets in their
possession upon termination of their employment, contract or agreement.

22.5.3.3 Removal of access rights
 Requirement                IS.27
 Source                     TG6

The access rights of all employees, contractors and third party users to T2S information and
information systems shall be removed upon termination of their employment, contract or
agreement or adjusted upon change.







22.6 Physical and environmental security

22.6.1 Secure areas
Objective: To prevent unauthorised physical access, damage and interference to T2S
information systems.

22.6.1.1 Physical security perimeter
 Requirement                IS.28
 Source                     TG6

Security perimeters (barriers such as walls, card controlled entry gates or manned reception
desks) shall be used to protect areas that contain T2S information and information
processing facilities.

22.6.1.2 Physical entry controls
 Requirement                IS.29
 Source                     TG6

Secure areas shall be protected by appropriate entry controls to ensure that only authorised
personnel are allowed access.

22.6.1.3 Securing offices, rooms and facilities
 Requirement                IS.30
 Source                     TG6

Physical security for offices, rooms and facilities shall be designed and applied.

22.6.1.4 Protecting against external and environmental threats
 Requirement                IS.31
 Source                     TG6

Physical protection against damage from fire, flood, earthquake, explosion, civil unrest and
other forms of natural or man-made disaster shall be designed and applied.

22.6.1.5 Working in secure areas
 Requirement                IS.32
 Source                     TG6

Physical protection and guidelines for working in secure areas shall be designed and
applied.

22.6.1.6 Public access, delivery and loading areas
 Requirement                IS.33
 Source                     TG6

Access points such as delivery and loading areas and other points where unauthorised
persons may enter the premises shall be controlled and, if possible, isolated from
information processing facilities to avoid unauthorised access.

22.6.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to T2S
activities.

22.6.2.1 Equipment siting and protection
 Requirement                IS.34
 Source                     TG6

T2S equipment shall be sited or protected to reduce the risks from environmental threats
and hazards and opportunities for unauthorised access.

22.6.2.2 Supporting utilities
 Requirement                IS.35
 Source                     TG6

T2S equipment shall be protected from power failures and other disruptions caused by
supporting utilities.

22.6.2.3 Cabling security
 Requirement                IS.36
 Source                     TG6

Power and telecommunications cabling carrying data or supporting information services
shall be protected from interception or damage.

22.6.2.4 Equipment maintenance


 Requirement                IS.37
 Source                     TG6

T2S equipment shall be correctly maintained to ensure its continued availability and
integrity.

22.6.2.5 Security of equipment off-premises
 Requirement                IS.38
 Source                     TG6






Security shall be applied to off-site equipment taking into account the different risks of
working outside the T2S premises.

22.6.2.6 Secure disposal or re-use of equipment
 Requirement               IS.39
 Source                    TG6

All items of equipment containing storage media shall be checked to ensure that any
sensitive data and licensed software has been removed or securely overwritten prior to
disposal.

22.6.2.7 Removal of property
 Requirement               IS.40
 Source                    TG6

Equipment, information or software shall not be taken off-site without prior authorisation.







22.7 Communications and operations management

22.7.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of T2S information processing
facilities.

22.7.1.1 Documented operating procedures
 Requirement                IS.41
 Source                     TG6

Operating procedures shall be documented, maintained and made available to all users who
need them.

22.7.1.2 Change management
 Requirement                IS.42
 Source                     TG6

Changes to T2S information processing facilities and systems shall be controlled.

22.7.1.3 Segregation of duties
 Requirement                IS.43
 Source                     TG6

Duties and areas of responsibility shall be segregated to reduce opportunities for
unauthorised or unintentional modification or misuse of the T2S assets.

22.7.1.4 Separation of development, test and operational facilities
 Requirement                IS.44
 Source                     TG6

Development, test and operational environments shall be separated to reduce the risks of
unauthorised access or changes to the operational system.

22.7.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and
service delivery in line with third party service delivery agreements.

22.7.2.1 Monitoring and review of third party services
 Requirement                IS.45
 Source                     TG6

The services, reports and records provided by the third party shall be regularly monitored
and reviewed, and regular audits shall be carried out.




22.7.2.2 Managing changes to TP services
 Requirement                 IS.46
 Source                      TG6

Changes to the provision of services, including maintaining and improving existing
information security policies, procedures and controls, shall be managed, taking account of
the criticality of business systems and processes involved and re-assessment of risks.

22.7.3 System planning and acceptance
Objective: To minimise the risk of systems failures.

22.7.3.1 Service delivery
 Requirement                 IS.47
 Source                      TG6

It shall be ensured that the security controls, service definitions and delivery levels included
in the third party service delivery agreement are implemented, operated and maintained by
the third party.

22.7.3.2 Capacity management
 Requirement                 IS.48
 Source                      TG6

The use of resources shall be monitored and tuned, and projections made of future capacity
requirements, to ensure the required system performance.

22.7.3.3 System acceptance
 Requirement                 IS.49
 Source                      TG6

Acceptance criteria for new information systems, upgrades and new versions shall be
established and suitable tests of the system(s) carried out during development and prior to
acceptance.

22.7.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information by prevention and detection
of the introduction of malicious code.

22.7.4.1 Controls against malicious code
 Requirement                 IS.50
 Source                      TG6

Detection, prevention and recovery controls to protect against malicious code and
appropriate user awareness procedures shall be implemented on the system components.





 Requirement                IS.51
 Source                     TG6
This requirement has not been approved by TG6 yet and must be considered as a draft.

All necessary updates to the protection software shall be implemented on the system
components to ensure continuously revised protection.

22.7.4.2 Controls against mobile code
 Requirement                IS.52
 Source                     TG6

Where the use of mobile code is authorised, the configuration shall ensure that the
authorised mobile code operates according to a clearly defined security policy, and
unauthorised mobile code shall be prevented from executing.

22.7.5 Back-up
Objective: To maintain the integrity and availability of T2S information and information
processing facilities and communication services.

22.7.5.1 Information Back-up
 Requirement                IS.53
 Source                     TG6

Back-up copies of information and software shall be taken and tested regularly in
accordance with the agreed backup policy.

22.7.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the
supporting infrastructure.

22.7.6.1 Security of network services
 Requirement                IS.54
 Source                     TG6

Security features, service levels and management requirements of all T2S network services
shall be identified and included in any network services agreement, whether these services
are provided in house or outsourced.

22.7.6.2 Network controls
 Requirement                IS.55
 Source                     TG6






T2S networks shall be adequately managed and controlled, in order to be protected from
threats, and to maintain security for the systems and applications using the network,
including information in transit.

22.7.7 Media handling
Objective: To prevent unauthorised disclosure, modification, removal or destruction of
assets and interruptions to business activities.

22.7.7.1 Management of removable media
 Requirement                 IS.56
 Source                      TG6

There shall be procedures in place for the management of removable media.

22.7.7.2 Disposal of media
 Requirement                 IS.57
 Source                      TG6

Media shall be disposed of securely and safely when no longer required, using formal
procedures.

22.7.7.3 Information handling procedures
 Requirement                 IS.58
 Source                      TG6

Procedures for the handling and storage of information shall be established to protect it
from unauthorised disclosure or misuse.

22.7.7.4 Security of system documentation
 Requirement                 IS.59
 Source                      TG6

System documentation shall be protected against unauthorised access.

22.7.8 Exchange of information and software
Objective: To maintain the security of information exchanged within the T2S organisation
and with any external entity.

22.7.8.1 Information exchange policies and procedures
 Requirement                 IS.60
 Source                      TG6

Formal exchange policies and procedures shall be in place to protect the exchange of
information through the use of any types of communication facilities.




22.7.8.2 Exchange agreements
 Requirement                IS.61
 Source                     TG6

Agreements shall be established for the exchange of information and software between the
T2S organisation and Third Parties.

22.7.8.3 Physical media in transit
 Requirement                IS.62
 Source                     TG6

Media containing T2S information shall be protected against unauthorized access, misuse
or corruption during transportation beyond the T2S physical boundaries.

22.7.8.4 Electronic messaging
 Requirement                IS.63
 Source                     TG6

Information involved in electronic messaging shall be appropriately protected.

22.7.8.5 Business information systems
 Requirement                IS.64
 Source                     TG6

Policies and procedures shall be developed and implemented to protect T2S information
associated with the interconnection of business information systems.

22.7.9 Monitoring
Objective: To detect unauthorised information processing activities.

22.7.9.1 Audit logging
 Requirement                IS.65
 Source                     TG6

This requirement has not been approved by TG6 yet and must be considered as a draft.

Audit logs recording user activities, exceptions and information security events shall be
produced and kept for an agreed period to assist in future investigations and system and
access control monitoring under the control of the T2S Governance body.

22.7.9.2 Monitoring system use
 Requirement                IS.66
 Source                     TG6






Procedures for monitoring use of information processing facilities shall be established and
the results of the monitoring activities reviewed regularly.

22.7.9.3 Protection of log information
 Requirement               IS.67
 Source                    TG6

Logging facilities and log information shall be protected against tampering and
unauthorised access.

22.7.9.4 Administrator and operator logs
 Requirement               IS.68
 Source                    TG6

System administrator and system operator activities shall be logged.

22.7.9.5 Fault logging
 Requirement               IS.69
 Source                    TG6

Faults shall be logged, analysed, and appropriate action taken.

22.7.9.6 Clock synchronisation
 Requirement               IS.70
 Source                    TG6

The clocks of the relevant information processing systems within an organisation or
security domain shall be synchronised with an agreed accurate time.







22.8 Access control

22.8.1 Business requirements for access control
Objective: To control access to T2S information.

22.8.1.1 Access control policy
 Requirement                 IS.71
 Source                      TG6

An access control policy shall be established, documented and reviewed based on business
and security requirements for access.

22.8.2 User access management
Objective: To ensure authorised user access and prevent unauthorised access to T2S
information systems.

22.8.2.1 User registration
 Requirement                 IS.72
 Source                      TG6

A formal user registration and de-registration procedure shall be in place for
granting and revoking access to all information systems and services.

22.8.2.2 Privilege management
 Requirement                 IS.73
 Source                      TG6

The allocation and use of privileges shall be restricted and controlled.

22.8.2.3 User password management
 Requirement                 IS.74
 Source                      TG6

The allocation of passwords shall be controlled through a formal management process.

22.8.2.4 Review of user access rights
 Requirement                 IS.75
 Source                      TG6

Management shall review users’ access rights at regular intervals using a formal process.






22.8.3 User responsibilities
Objective: To prevent unauthorised user access, and compromise or theft of information
and information processing facilities.

22.8.3.1 Password use
 Requirement               IS.76
 Source                    TG6

Users shall follow the T2S password policy and good security practices in the selection and
use of passwords.

22.8.3.2 Unattended user equipment
 Requirement               IS.77
 Source                    TG6

Users shall ensure that unattended equipment has appropriate protection.

22.8.3.3 Clear desk and clear screen policy
 Requirement               IS.78
 Source                    TG6

T2S shall have a clear desk policy for papers and removable storage media and a clear
screen policy for information processing facilities.

22.8.4 Network access control
Objective: To prevent unauthorised access to T2S networked services.

22.8.4.1 Policy on use of network services
 Requirement               IS.79
 Source                    TG6

T2S information system(s) shall provide only those services that users have been
specifically authorised to use.

22.8.4.2 User authentication for external connections
 Requirement               IS.80
 Source                    TG6

Appropriate authentication methods shall be used to control access by remote users.

22.8.4.3 Equipment identification in the network
 Requirement               IS.81
 Source                    TG6






Automatic equipment identification shall be considered as a means to authenticate
connections from specific locations and equipment.

22.8.4.4 Remote diagnostic and configuration port protection
 Requirement               IS.82
 Source                    TG6

Physical and logical access to diagnostic and configuration ports shall be controlled.

22.8.4.5 Segregation in networks
 Requirement               IS.83
 Source                    TG6

Groups of information services, users, and information systems shall be segregated from a
logical point of view.

22.8.4.6 Network connection control
 Requirement               IS.84
 Source                    TG6

For shared networks, especially those extending across the T2S boundaries, the capability
of users to connect to the network shall be restricted, in line with the access control policy
and requirements of the business applications.

22.8.4.7 Network routing control
 Requirement               IS.85
 Source                    TG6

Routing controls shall be implemented for networks to ensure that computer connections
and information flows do not breach the access control policy of the business applications.

22.8.5 Operating system access control
Objective: To prevent unauthorised computer access to operating systems.

22.8.5.1 Secure log-on procedures
 Requirement               IS.86
 Source                    TG6

Access to operating systems shall be controlled by a secure log-on procedure.

22.8.5.2 User identification and authentication
 Requirement               IS.87
 Source                    TG6





All users shall have a unique identifier (user ID) for their personal use only, and a suitable
authentication technique shall be chosen to substantiate the claimed identity of a user.

22.8.5.3 Password management system
 Requirement                 IS.88
 Source                      TG6

Systems for managing passwords shall be interactive and shall ensure quality passwords.

22.8.5.4 Use of system utilities
 Requirement                 IS.89
 Source                      TG6

The use of utility programs that might be capable of overriding system and application
controls shall be restricted and tightly controlled.

22.8.5.5 Session time-out
 Requirement                 IS.90
 Source                      TG6

Inactive sessions shall shut down after a defined period of inactivity.

22.8.5.6 Limitation of connection time
 Requirement                 IS.91
 Source                      TG6

Restrictions on connection times shall be used to provide additional security for high-risk
applications.

22.8.6 Application and information access control
Objective: To prevent unauthorised computer access to operating systems.

22.8.6.1 Information access restriction
 Requirement                 IS.92
 Source                      TG6

Access to information and application system functions by users and support staff shall be
restricted in accordance with the defined access control policy.

22.8.6.2 Sensitive system isolation
 Requirement                 IS.93
 Source                      TG6





Sensitive systems shall have a dedicated (isolated) computing environment.

22.8.7 Mobile computing and communications
Objective: To ensure information security when using mobile computing and tele-working
facilities.

22.8.7.1 Mobile computing and communications
 Requirement              IS.94
 Source                   TG6

A formal policy shall be in place, and appropriate security measures shall be adopted to
protect against the risks of using mobile computing and communication facilities.

22.8.7.2 Teleworking
 Requirement              IS.95
 Source                   TG6

A policy, operational plans and procedures shall be developed and implemented for
teleworking activities.







22.9 Information systems acquisition, development and maintenance

22.9.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.

22.9.1.1 Security requirements analysis and specification
 Requirement                 IS.96
 Source                      TG6

Statements of business requirements for new information system(s), or enhancements to
existing information systems shall specify the requirements for security controls.

22.9.2 Correct processing in applications
Objective: To prevent loss, unauthorised modification or misuse of data in applications.

22.9.2.1 Input data validation
 Requirement                 IS.97
 Source                      TG6

Data input to applications shall be validated to ensure that it is correct and appropriate.

22.9.2.2 Control of internal processing
 Requirement                 IS.98
 Source                      TG6

Validation checks shall be incorporated into applications to detect any corruption of
information through processing errors or deliberate acts.

22.9.2.3 Message integrity
 Requirement                 IS.99
 Source                      TG6

Requirements for ensuring authenticity and protecting message integrity in applications
shall be identified, and appropriate controls identified and implemented.

22.9.2.4 Output data validation
 Requirement                 IS.100
 Source                      TG6

Data output from an application shall be validated to ensure that the processing of stored
information is correct and appropriate to the circumstances.





22.9.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by
cryptographic means.

22.9.3.1 Policy on the use of cryptographic controls
 Requirement                IS.101
 Source                     TG6

A policy on the use of cryptographic controls for protection of T2S information shall be
developed and implemented.

22.9.3.2 Key management
 Requirement                IS.102
 Source                     TG6

Key management shall be in place to support the use of cryptographic techniques.

22.9.4 Security of system files
Objective: To ensure the security (integrity) of system files.

22.9.4.1 Control of operational software
 Requirement                IS.103
 Source                     TG6

There shall be procedures in place to control the installation of components on operational
systems.

22.9.4.2 Protection of system test data
 Requirement                IS.104
 Source                     TG6

Test data shall be selected carefully, protected and controlled.

22.9.4.3 Access control to program code
 Requirement                IS.105
 Source                     TG6

Access to program code shall be restricted according to the T2S governance body decision.

22.9.5 Security in development and support process
Objective: To maintain the security of application system software and information. Project
and support environments shall be strictly controlled.






22.9.5.1 Change control procedures
 Requirement                IS.106
 Source                     TG6

The implementation of changes shall be controlled by the use of formal change control
procedures.

22.9.5.2 Technical review of applications after operating system changes
 Requirement                IS.107
 Source                     TG6

When operating systems are changed, all business critical applications shall be reviewed
and tested to ensure that there is no adverse impact on organisational operation or security.

22.9.5.3 Restrictions on changes to software packages
 Requirement                IS.108
 Source                     TG6

Modifications to software packages shall be discouraged and limited to necessary changes,
and all changes shall be strictly controlled.

22.9.5.4 Information leakage
 Requirement                IS.109
 Source                     TG6

Opportunities for information leakage shall be prevented.

22.9.5.5 Outsourced software development
 Requirement                IS.110
 Source                     TG6

Outsourced software development shall be supervised and monitored by the T2S
organisation.

22.9.6 Technical Vulnerability Management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

22.9.6.1 Control of technical vulnerabilities
 Requirement                IS.111
 Source                     TG6






Timely information about technical vulnerabilities of information systems being used shall
be obtained, T2S’ exposure to such vulnerabilities evaluated, and appropriate measures
taken to address the associated risk.







22.10 Information security incident management

22.10.1 Reporting information security events and weaknesses
Objective: To ensure security events and weaknesses associated with information systems
are communicated in a manner allowing timely corrective action to be taken.

22.10.1.1 Reporting information security events
 Requirement                IS.112
 Source                     TG6

Information security events shall be reported through appropriate management channels as
quickly as possible.

22.10.1.2 Reporting security weaknesses
 Requirement                IS.113
 Source                     TG6

All employees, contractors and third party users of T2S information systems and services
shall be required to note and report any observed or suspected security weaknesses in
systems or services.

22.10.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of
information security incidents.

22.10.2.1 Responsibilities and procedures
 Requirement                IS.114
 Source                     TG6

Management responsibilities and procedures shall be established to ensure a quick,
effective and orderly response to information security incidents.

22.10.2.2 Learning from information security incidents
 Requirement                IS.115
 Source                     TG6

There shall be mechanisms in place to enable the types, volumes and costs of information
security incidents to be quantified and monitored.

22.10.2.3 Collection of evidence
 Requirement                IS.116
 Source                     TG6






Where a follow-up action against a person or organisation after an information security
incident involves legal action (either civil or criminal), evidence shall be collected and
presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).







22.11 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities, to protect critical business
processes from the effects of major failures of information systems or disasters and to
ensure their timely resumption.

22.11.1.1 Including information security in the business continuity management process elements
 Requirement                IS.117
 Source                     TG6

A managed process shall be developed and maintained for business continuity throughout
the T2S organisation that addresses the information security requirements needed for the
T2S business continuity.

22.11.1.2 Business continuity and risk assessment
 Requirement                IS.118
 Source                     TG6

Events that can cause interruptions to business processes shall be identified, along with the
probability and impact of such interruptions and their consequences for information
security.

22.11.1.3 Developing and implementing continuity plans including information security
 Requirement                IS.119
 Source                     TG6

Plans shall be developed and implemented to maintain or restore business operations and
ensure availability of information at the required level and in the required time scales
following interruption to, or failure of, critical business processes.

22.11.1.4 Business continuity planning framework
 Requirement                IS.120
 Source                     TG6

A single framework of business continuity plans shall be maintained to ensure that all plans
are consistent, to consistently address information security requirements, and to identify
priorities for testing and maintenance.

22.11.1.5 Testing, maintaining and re-assessing business continuity plans
 Requirement                IS.121
 Source                     TG6






Business continuity plans shall be tested and updated regularly to ensure that they are up to
date and effective.







22.12 Compliance

22.12.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations
and of any security requirements.

22.12.1.1 Identification of applicable legislation
 Requirement                 IS.122
 Source                      TG6

All relevant statutory, regulatory and contractual requirements and the T2S’ approach to
meet these requirements shall be explicitly defined, documented and kept up to date for
each information system and the T2S organisation.

22.12.1.2 Intellectual property rights (IPR)
 Requirement                 IS.123
 Source                      TG6

Appropriate procedures shall be implemented to ensure compliance with legislative,
regulatory, and contractual requirements on the use of material in respect of which there
may be intellectual property rights and on the use of proprietary software products.

22.12.1.3 Protection of organisational records
 Requirement                 IS.124
 Source                      TG6

Important T2S records shall be protected from loss, destruction and falsification, in
accordance with statutory, regulatory, contractual, and business requirements.

22.12.1.4 Data protection and privacy of personal information
 Requirement                 IS.125
 Source                      TG6


22.12.1.5 Prevention of misuse of information processing facilities
 Requirement                 IS.126
 Source                      TG6

Users shall be deterred from using information processing facilities for unauthorised
purposes.

22.12.1.6 Regulation of cryptographic controls
 Requirement                 IS.127
 Source                     TG6

Cryptographic controls shall be used in compliance with all relevant agreements, laws and
regulations.

22.12.2 Compliance with security policies and technical compliance
Objective: To ensure compliance of systems with T2S security policies and standards.

22.12.2.1 Compliance with security policy and standards
 Requirement                IS.128
 Source                     TG6

Managers shall ensure that all security procedures within their area of responsibility are
carried out to achieve compliance with security policy and standards.

22.12.2.2 Technical compliance checking
 Requirement                IS.129
 Source                     TG6

Information systems shall be regularly checked for compliance with security implementation
standards.

22.12.3 Information systems audit considerations
Objective: To maximize the effectiveness of and to minimize interference to/from the
information systems audit process.

22.12.3.1 Information systems audit controls
 Requirement                IS.130
 Source                     TG6

Audit requirements and activities involving checks on operational systems shall be carefully
planned and agreed to minimize the risk of disruptions to business processes.

22.12.3.2 Protection of information systems audit tools
 Requirement                IS.131
 Source                     TG6

Access to information systems audit tools shall be protected to prevent any possible misuse
or compromise.



