10. Communications & Operations Management

10.1. Operational Procedures & Responsibilities

    10.1.1 Documented operating procedures

    Operating procedures have been documented, are maintained and are made available to all users who need them. The Information Security Manager is responsible for documenting all the IT working procedures for system activities related to information processing and communications facilities. The procedures required by the Organisation are listed in DOC 10.1.

    10.1.2 Change management

    Changes to information processing facilities and systems are controlled. The Director General of IT is responsible for ensuring that all requests for significant non-routine changes to Organisational information processing facilities are managed in line with DOC 10.7; sub section 12.5 below is also relevant.

    10.1.3 Segregation of duties

    Duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of organisational assets. As far as is practicable and possible, the Organisation segregates duties and areas of responsibility. In particular, the following functions are segregated:

      1. Risk Assessment: Adlin Hisyamuddin (Information Security Manager, Head PKI)
      2. Authorisation of Controls: Mubarak Abdulla Alhiddi (CSO/CIO)
      3. Change Initiation: Ahmed Essa Abualfath (Computer Security Administrator)
      4. Change Management: Shaikh Salman Mohammed Al-Khalifa (Director General of IT)
      5. Network Management: Khalid Al Othman (Chief, Network)
      6. Network Administration: Khalid Ali Al Jalahma (Network Administrator)
      7. IT Operations: Mohammed Al-Yassi (Director IT Operations)
      8. Software Development: Sameh Abo-El-Ela
      9. System Testing: Osama Khalid Rafai (Computer Security Administrator)
      10. Employee Administration: Hesham Al-Ghatam (Chief, Personnel & Admin’ Development)
      11. Asset Purchase: Khulood Al-Jassim (Supervisor Administration Service)
      12. Site/Secure Area Security: Adel Khalifa Bu-Alai (Chief of Police in Juffair)
      13. Site/Secure Area Security: Mohammed Hamdan Mohammed (Chief of Police in Isa Town)
      14. Security Audit: Osama Khalid Rafai (Computer Security Administrator)
      15. PKI Manager: Adlin Hisyamuddin (Information Security Manager, Head PKI)
      16. Physical Site Security: Yousif Mohammed Ali Muthanna (Site Security Manager)
      17. Physical Site Security: Yousif Mohammed Abdulla (Site Security Manager)

    Segregation of duties is built into procedures, including the requirement that the Owner of a procedure or process cannot authorize its modification, withdrawal or release. Activity monitoring, audit trails and management supervision are used to support duty segregation.

    10.1.4 Separation of development, test and operational facilities

    Development, test and operational facilities are separated to reduce the risks of unauthorized access or changes to the operational system. The Organisation’s requirements for separate development, test and operational facilities, and its rules for their use and for the transfer of software to the operational environment, are documented in DOC 10.8.

10.2 Third Party Service Delivery Management

Control objective: to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements

    10.2.1 Service delivery

    The Organization ensures that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party. Third party relationship Owners (see sub sections 6.2 and 7.1.2) are responsible for ensuring that security is maintained through transition periods and that external parties deliver services and maintain security in line with their agreements, as specified in DOC 6.8. The Information Security Manager is responsible for ensuring that external party services are linked into the Organisation’s business continuity framework and arrangements (see Section 14).

    10.2.2 Monitoring and review of third party services
    The Organisation regularly monitors and reviews the services, reports and records provided by third parties and carries out regular audits. The Organisation has a defined process (DOC 10.9) for managing third party service contracts.

    10.2.3 Managing changes to third party services

    The Organisation manages changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, taking account of the criticality of the business systems and processes involved and re-assessing the risks. The procedures for doing this are contained in DOC 6.8.

10.3 System Planning & Acceptance

Control objective: to minimize the risks of systems failures

    10.3.1 Capacity management
    DOC 10.10 sets out the Organisation’s approach to ensuring that the use of resources is monitored and tuned, and that projections of future capacity requirements are made, to ensure adequate system performance.

    10.3.2 System acceptance
    Acceptance criteria for new information systems, upgrades and new versions have been established, and suitable tests of the system(s) are carried out during development and prior to acceptance, all as specified in DOC 10.10.

10.4 Protection Against Malicious & Mobile Code

Control objective: to protect the integrity of software and information

    10.4.1 Controls against malicious code

    Detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, have been implemented. The Organization has a formal policy (DOC 10.11) prohibiting the use of unauthorized software and protecting against the risks associated with obtaining files from or via external networks, and has defined appropriate responsibilities and procedures (DOC 10.12) for dealing with the risks from malicious code.

    10.4.2 Controls against mobile code

    The execution of mobile code is prohibited in the Trust Centre.

10.5 Back-Up

Control objective: to maintain the integrity and availability of information and information processing facilities

    10.5.1 Information back-up

    Back-up copies of information and software are taken and tested regularly in accordance with the agreed back-up policy below. The Organization’s policy is that it acts to maintain the integrity and availability of information and information processing facilities by establishing criteria and routine procedures (in DOC 10.13) to ensure that all the Organization’s information assets are backed up and that there are tested procedures (see Section 14) for restoring them within an adequate time frame.

10.6 Network Security Management

Control objective: to ensure the safeguarding of information in networks and the protection of the supporting infrastructure

    10.6.1 Network controls

    Networks are managed and controlled as set out in DOC 10.14, in order to be protected from threats and to maintain security for the systems and applications using the network, including information in transit.

    10.6.2 Security of network services

    Security features, service levels and management requirements of all network services have been identified and included in the network service level agreement and are managed in line with DOC 10.14.

10.7 Media Handling
Control objective: to prevent the unauthorized disclosure, modification, removal or destruction of assets and interruption to business activities

    10.7.1 Management of removable computer media
    Procedure DOC 10.15 identifies the controls for the management of removable media.

    10.7.2 Disposal of media
    Media are disposed of securely and safely when no longer required, in line with DOC 9.11.

    10.7.3 Information handling procedures
    Procedures for the handling and storage of information are set out in DOC 7.6 and DOC 10.15 to protect this information from unauthorized disclosure or misuse.

    10.7.4 Security of system documentation
    System documentation is protected against unauthorized access, as set out in DOC 10.15.

10.8 Exchanges of Information

Control objective: to maintain the security of information exchanged within an organization and with any external entity

    10.8.1 Information exchange policies and procedures

    Formal exchange policies, procedures and controls are in place to protect the exchange of information through the use of all types of communication facilities. The Organization’s Internet Acceptable Use Policy (DOC 7.2), its e-mail usage rules (DOC 7.3), its information classification procedures (DOC 7.6), its anti-malware policy (DOC 10.11) and related procedures, and the technological controls implemented as required by all those procedures, protect exchanges of information from interception, unauthorized copying, modification, destruction or mis-routing. The wireless user’s addendum to the standard User Agreement (see sub section 11.1 of this Manual) sets out how wireless communication is protected. The mobile phone user’s addendum to the standard User Agreement (see sub section 11.1 of this Manual) sets out how mobile voice communication is protected. The Organization has a procedure (DOC 7.11) for secure voice communication at all its sites. The Organization’s use of cryptographic techniques is controlled under sub section 12.3 below. The Organization has procedures for the handling (DOC 10.15), retention (DOC 15.2) and disposal (DOC 9.11) of information and related media.

    10.8.2 Exchange agreements

    Agreements are established in line with DOC 6.8 for the exchange of information and software between the Organization and external parties.

    10.8.3 Physical media in transit

    DOC 9.12 sets out how the Organization ensures that media are protected against unauthorized access, misuse or corruption during transportation beyond the Organization’s physical boundaries.

    10.8.4 Electronic messaging
    Messaging is outbound only, and no inbound e-mail system exists within the CIO Trust Centre.

    10.8.5 Business information systems

    A policy and procedures have been developed and implemented to protect information associated with the interconnection of business information systems. The Organization’s policy is that information should be as widely shared within the Organization as is permitted by its security classification (see DOC 7.6), that information should have as low a classification as is practical, given its sensitivity, and that information within its interconnected systems should be protected in line with its classification. Procedures (see DOC 10.16) have been developed to implement this policy.

10.9 Electronic Commerce Services
Control objective: to ensure the security of electronic commerce services, and their secure use

    10.9.1 Electronic Commerce

    Electronic commerce information passing over public networks is protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification as set out in DOC 10.17.

    10.9.2 On-line Transactions
    Information involved in on-line transactions is protected in line with DOC 10.17 to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized message duplication or replay.

    10.9.3 Publicly available information

    The integrity of information being made available on a publicly available system is protected, as set out in DOC 10.17, to prevent unauthorized modification.

10.10 Monitoring
Control objective: to detect unauthorized information processing activities

    10.10.1 Audit logging

    Audit logs recording user activities, exceptions and information security events are produced and kept, in line with DOC 10.18, for the period specified in DOC 15.2, to assist in future investigations and access control monitoring.

    10.10.2 Monitoring system use

    Procedures for monitoring use of information processing facilities have been established in DOC 10.18, and the results of the monitoring activities are reviewed [regularly].

    10.10.3 Protection of log information

    Logging facilities and log information are protected against tampering and unauthorized access, as required by DOC 10.18.

    10.10.4 Administrator and operator logs

    System administrator and system operator activities are logged as required by DOC 10.18.

    10.10.5 Fault logging

    Faults are logged, analysed and appropriate action taken, all in line with DOC 10.18.

    10.10.6 Clock synchronization

    The clocks of all relevant information processing systems within the organisation are synchronized with an agreed accurate time source as specified in DOC 10.18.

    Adlin Hisyamuddin
    Information Security Manager



    08 November, 2007

    Change history

    Issue 1 08 November, 2007 Initial issue