UNITED NATIONS ECONOMIC AND SOCIAL COMMISSION FOR ASIA AND THE PACIFIC (UNESCAP)



         Quality management system document No.: QDOC/IMCTU/ISO27001-2



DOCUMENT TITLE:

UNESCAP ISO27001 CERTIFICATION PROJECT
SCOPE OF INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)


This is a section level quality management system document which has been written by
Adnan Aksel, reviewed by Kalman Andrasi and Anne Matthews. It has been approved by
the Project Board, and issued to the copy holder in accordance with the quality
management system documentation procedures as shown below.

APPROVED BY:

SIGNED:                           ________________________                   DATE: _________________

COPY No.:                         1

HELD BY:             Adnan Aksel, Information Systems Officer, Information
Management, Communications and Technology Unit (IMCTU).

SIGNED:                           ________________________                   DATE: _________________



ISSUE No.:                        1                                          REVISION No.:

EFFECTIVE DATE:

CONTROL STATUS OF THIS DOCUMENT IS [1]




[1] A hard copy of this document is considered uncontrolled if it does not have the original signature of the authorised
person. The electronic version of this document, maintained in the quality system document database, is considered as the
controlled electronic version.
                                         Version History



   Version    Date            Author      Description
   1.0        17 Nov. 2006    A. Aksel    Initial version.
   1.1        21 Dec. 2006    A. Aksel    First revision incorporating feedback from Messrs Anne Matthews and Kalman Andrasi.




                                         Distribution List

   All staff members have access to the latest electronic version of this document on a “read-
   only” basis. Hard copies have been issued to the following copy holders on a controlled
   basis:


The Central Registry
The Office of the Chief of Administration Services Division (ASD)
The Office of the Chief of Central Support Services Section (CSSS)
The Office of the Chief of Information Management, Communications and Technology Unit
(IMCTU)
The Project Board Registry




   UNESCAP ISO27001 CERTIFICATION PROJECT – Scope of ISMS                                        2
   By A. Aksel (Ver. 1.1 as of 21 Dec. 2006)
                                       References



Document:  “International Standard ISO/IEC 17799, Information technology – Security techniques – Code of practice for
           information security management”, Second Edition 2005-06-15, Reference number ISO/IEC 17799:2005 (E)
Available: H:\ESS\ADNAN SHARE\UNESCAP AND ISO27001\STANDARDS THEMSELVES

Document:  “International Standard ISO/IEC 27001, Information technology – Security techniques – Information security
           management systems - Requirements”, First Edition 2005-10-15, Reference number ISO/IEC 27001:2005 (E)
Available: H:\ESS\ADNAN SHARE\UNESCAP AND ISO27001\STANDARDS THEMSELVES

Document:  “ISO27001:2005 ISMS Implementation”, July 2005, by BSI Management Systems.
Available: In hard copy.

Document:  “UN – Scope of Work: ISO 17799 Compliance Project for LAN and MAN Services of the United Nations Secretariat,
           Headquarters”, Nov. 2004, Ver. 2.0, ITSD, UN Secretariat
Available: H:\ESS\ADNAN SHARE\UNESCAP AND ISO27001\SCOPE

Document:  “UNOG – Scope of Work: ISO 27001 Certification Project for LAN and MAN Services of the United Nations Office at
           Geneva Secretariat, Geneva”, Mar. 2006, Ver. 1.0, UNOG ICTS
Available: H:\ESS\ADNAN SHARE\UNESCAP AND ISO27001\SCOPE




                                  Definitions and Acronyms
                                               Definitions


 Term                       Explanation

 Asset                      Anything that has value to the Organization.
 Information Security       Preservation of Confidentiality, Integrity and Availability; in addition, other
                            properties such as authenticity, accountability, non-repudiation and reliability
                            can also be involved.
 Residual Risk              The risk remaining after risk treatment.
 Risk Acceptance            Decision to accept risk.
 Risk Assessment            Overall process of risk analysis and risk evaluation.
 Risk Evaluation            Process of comparing the estimated risk against given risk criteria to determine
                            the significance of risk.
 Risk Management            Coordinated activities to direct and control an organization with regard to risk.
 Statement of Applicability Document statement describing the control objectives and controls that are
                            relevant and applicable to the Organization’s ISMS.
 Threat                     A potential cause of an unwanted incident, which may result in harm to a
                            system or organization.
 Vulnerability              A weakness of an asset or group of assets that can be exploited by a threat.



                                               Acronyms


 Acronym                                              Full Name

  ASD         Administrative Services Division (of UNESCAP)
  CSSS        Central Support Services Section (of UNESCAP)
   ICT        Information and Communication Technologies
 IMCTU        Information Management, Communications and Technology Unit (of UNESCAP)
  ISMS        Information Security Management System
  ITSD        Information Technology Services Division (of the United Nations, New York, USA)
   KM         Knowledge Management
  LAN         Local Area Network
  OES         Office of the Executive Secretary (of UNESCAP)
  PDCA        Plan – Do – Check – Act (the Deming cycle)
  UNLB        United Nations Logistics Base (Brindisi, Italy)
  UNOG        United Nations Office in Geneva (Geneva, Switzerland)
  WAN         Wide Area Network




                                      Table of Contents

                                                                                    Page No.

 1      Objective                                                                      7

 2      Overview of Organization                                                       7
        2.1    IMCTU                                                                    7
               2.1.1 The Office of the Chief                                            7
               2.1.2 The Enterprise Data Centre and Network Operations                  8
               2.1.3 The IT Operational Security                                        8

 3      ISO 27001 Project Scope                                                        9
        3.1    Programmatic Scope                                                       9
        3.2    Technical Scope                                                          9

 4      Discretionary                                                                 10

 5      Expected Results                                                              10


 ANNEXES                                                                              10
          I    Organizational Chart Reflecting Roles and Responsibilities for the
               Management of UNESCAP IMCTU                                            11
          II   UNESCAP ISMS Scope Topology Map                                        12
         III   Inventory of Assets                                                    13




1         Objective
The objective of this project is to achieve and sustain ISO27001 certification for the service
delivery of Local Area Network (LAN) and Wide Area Network (WAN) resources within the
United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP)
community.



2         Overview of Organization
2.1       IMCTU

The Information Management, Communications and Technology Unit (IMCTU) of
UNESCAP supports and maintains the local and wide area network infrastructure of the
Secretariat. The Service comprises four segments:

      1. The Office of the Chief (together with the business systems administration and
         quality management functions);

      2. Systems Development and Operations (including network operations, IT operational
         security and IMIS support);

      3. Telecommunications (including telephony); and

      4. Client Services (including IT Help Desk).


The Chief of IMCTU reports directly to the Chief of Central Support Services Section (CSSS)
of the Administrative Services Division (ASD). The strategic direction for IT resources is
overseen by the UNESCAP Information and Communication Technology / Knowledge
Management (ICT/KM) Committee. Annex I shows the relevant organizational chart.

The areas of focus for this Information Security Management System (ISMS) are:

      -    The Office of the Chief;
      -    The Enterprise Data Centre and Network Operations; and
      -    The IT Operational Security.

Neither Systems Development nor Client Services is included within the scope of
this ISMS.


2.1.1 The Office of the Chief

The Office of the Chief is IMCTU’s main internal service provider, providing representational
support, administrative support, business analysis, project support, quality management, and
coordination for the common needs of other IMCTU segments. The roles and responsibilities
of the Office of the Chief to be covered in the scope of the project are outlined as follows:


     -   Provision of administrative support to other IMCTU segments;
     -   Interfacing between IMCTU & other UNESCAP substantive offices;
     -   Coordination, support & monitoring of common IMCTU databases / information
         repositories;
     -   Coordination & support in establishing, promulgating and use of standards and
         policies;
     -   Coordination of training for IMCTU staff;
     -   Quality management;
     -   Management & coordination of policies & procedures;
     -   Inventory & license management; and
     -   Business systems administration, monitoring and maintenance of all operations for
         business services provided by IMCTU.


2.1.2 The Enterprise Data Centre and Network Operations

The Enterprise Data Centre and Network Operations is responsible for the management,
administration, monitoring and maintenance of the IMCTU Enterprise Data Centre core
server infrastructure (hardware, operating systems and relevant software) and the operations
utilizing this infrastructure. Its duties also include the same for the Local Area Network
(LAN) and Wide Area Network (WAN) infrastructure, physical network architecture, and the
provision of various network services, including telephony and wireless communications.
The roles and responsibilities of the Enterprise Data Centre and Network Operations to be
covered in the scope of this project are outlined as follows:

     - Management of the Enterprise Data Centre located in Service Building 2. Floor,
       IMCTU Quarter (including all the related maintenance activities), which houses the
       servers, networking infrastructure, IMIS servers, departmental LAN servers, Intranet
       servers, Internet support facility (e.g., firewalls, DNS, DHCP), network switches,
       routers, and other supporting facilities;

     - Basic network infrastructure and services such as firewalls, VPN, DHCP servers,
       domain name servers (DNS), FTP server, WINS server, Intranet servers, file servers,
       remote access servers, anti-SPAM server/appliance, anti-virus server/appliance;

     - Systems and network monitoring facilities, NTP servers, LDAP servers, central
       application servers, Active Directory services;

     - Enterprise backup systems and offsite storage;

     - Planning, engineering, implementation, and operations and maintenance of the
       UNESCAP Local Area Network (LAN) and Wide Area Network (WAN).


2.1.3 The IT Operational Security

The IT Operational Security segment is responsible for:

     - Establishment of an information security management system (ISMS) with related
       security policies, administrative directives, procedures and working instructions;
     - Establishment of a disaster recovery plan (DRP) and business continuity management
       (BCM) programme; and

     - Periodic review and audit of IT operational security measures being implemented as
       well as the effectiveness of the DRP and BCM programme.



3        ISO 27001 Project Scope
3.1      Programmatic Scope

      To achieve ISO27001 certification of the LAN and WAN environment, all 11 ISO27001
      control domains will be tested:

         -   Security Policies;
         -   Organization of Information Security;
         -   Asset Management;
         -   Human Resources Security;
         -   Physical and Environmental Security;
         -   Communications and Operations Management;
         -   Access Control;
         -   Systems Development and Maintenance;
         -   Information Security Incident Management;
         -   Business Continuity Management; and
         -   Compliance with international standards and UN rules & regulations.


      The activities related to the above domains will include:

         -   Planning;
         -   Identification of Critical Information Assets;
         -   Preparation of Gap Analysis;
         -   Risk Assessment;
         -   Risk Management;
         -   Risk Treatment;
         -   Preparation of Statement of Applicability (SoA);
         -   Establishing Policies and Procedures;
         -   Training and Awareness Activities;
         -   Monitoring and Reporting; and
         -   Certification Audit Processes.


3.2      Technical Scope

The technical scope of the project includes the following main components:

         3.2.1   LAN and WAN assets related to network hosts, switches, firewalls and
                 uninterruptible power supplies (UPS);

          3.2.2   All OSI Layers subject to 3.2.1;

          3.2.3   Any corollary devices, hardware, software relating to item 3.2.1 and 3.2.2;

          3.2.4   All supporting technologies and protection measures to include physical
                  conditions, environment controls, etc. relating to items 3.2.1, 3.2.2 and 3.2.3;

          3.2.5   Assets subject to the above under the direct management of UNESCAP
                  IMCTU;

          3.2.6   Those assets that meet the criteria of 3.2.1 to 3.2.5 and are requisite (core) for
                  connectivity and the functioning of the LAN/WAN; and

          3.2.7   Those assets that do not meet the criteria of 3.2.6, which will be included in subsequent
                  phases as indicated in Section 4.


Technical details related to the LAN and WAN topology, hardware and software are
documented in Annexes II and III.



4         Discretionary
Additional components may be included in the scope of work, based on the analysis and
determinations made by the team during the course of the project. In such a case, the scope of
work will be amended accordingly, and the criteria used by the team will also be
stated.



5         Expected Results
The expected result of this project is the establishment and implementation of an Information
Security Management System (ISMS) in compliance with the specifications defined by the
international standard ISO27001.




ANNEXES
      I    Organizational Chart Reflecting Roles and Responsibilities for the Management of
           the UNESCAP IMCTU LAN & WAN

    II     ISMS Scope Topology Map

    III    Inventory of Assets



ANNEX I

ORGANIZATIONAL CHART REFLECTING ROLES AND RESPONSIBILITIES FOR
THE MANAGEMENT OF THE UNESCAP IMCTU LAN & WAN




ANNEX II

ISMS SCOPE TOPOLOGY MAP




ANNEX III

INVENTORY OF ASSETS



