FUJ00001294 - ICL Pathway Security Policy

FUJ00001294

COMPANY IN-CONFIDENCE

ICL Pathway

Ref: RS/POL/002

ICL PATHWAY SECURITY POLICY Version: 4.0

Date: 30/4/99

Document Title: ICL PATHWAY SECURITY POLICY

Document Type: Policy Document

Abstract: This Security Policy specifies mandatory security requirements to be applied throughout ICL Pathway.

Distribution: DSS; POCL; ICL Pathway; ICL Pathway Library

Document Status: Approved

Document Predecessor: Version 3.0

Associated Documents: See section 0.2

Author: Peter J Harrison

Approval Authority: Martyn Bennett, Director Quality and Risk Management

Signature/Date:

Comments To: Author, copy to Martyn Bennett

Comments By:

C:A\POLICY\POL-4P0.DOC

Page 1 of 27

FOREWORD

This document defines ICL Pathway’s policy for the protection of its
assets (including hardware, applications, databases, network, people
and documentation) against loss of confidentiality, integrity and
availability. It also ensures compliance with legislative and
commercial requirements.

ICL Pathway’s policy statement (which is essentially the same as the
Corporate Policy statement used by the ICL Group) is:

It is the policy of ICL Pathway Limited to provide a secure working
environment for the protection of employees, and also to ensure the
security of all assets owned by or entrusted to ICL Pathway.

This document fits into the structure illustrated below, with the BS7799
Code of Practice being used as a basis for ICL Pathway’s Security
Procedures. Lower level implementation standards will be incorporated
as appropriate.

[Figure: ICL Pathway’s Security Policy, Procedures and Standards. Labels
recoverable from the diagram: Corporate Policy, ICL Policy, BA Policy and
POCL Policy; Security Policy; Detailed Policy; Security Procedures;
Baseline Controls (based on BS7799); Standards and Guidelines covering
Windows NT Security, Unix Security, Oracle Security, Network Security,
PC Security, Key Management, Physical Security, Personnel Security,
Fraud & Risk Management, Contingency Planning, System Management,
Health & Safety, etc.]

0. CONTENT
0.1 Document History

Version  Date      Reason
0.1      27/5/96   Initial draft issued for comments
0.2      31/5/96   Revised draft issued for comments
0.3      26/6/96   Incorporates comments from the ICL Pathway Management team
1.0      16/8/96   Incorporates comments from DSS/BA and POCL
2.0      23/9/96   Incorporates further comments from Authority
3.0      8/10/96   Approved
3.1      24/11/97  Revised for internal review purposes
3.2      10/01/98  Incorporates comments from internal review
3.3      23/2/98   Incorporates further comments
3.4      28/9/98   Minor updates
4.0      30/4/99   Approved

0.2 Associated Documents

Version  Date      Title                                              Source
2        1/5/92    ICL Group Security Policy                          ICL
5.0      9/1/98    System Architecture Design Document                ICL Pathway
0.3      15/12/98  ICL Pathway Security Procedures                    ICL Pathway
3.0      18/12/98  ICL Pathway Access Control Policy                  ICL Pathway
0.8      19/11/97  ICL Pathway Audit Policy                           ICL Pathway
6.2      -         DSS IT Security Policy (Departmental IT Security   DSS
                   Standards) DITSG/ITSS/0001.04
b        a         Post Office Information Systems Security Policy    POCL
                   Document (KH2879)
F        F         Post Office Counters Information Systems Security  POCL
                   Policy (SSR Appendix 4-1)
1.5      28/10/94  A Code of Practice for PO Information Systems      POCL
                   Security
-        -         Schedule B01 - Requirements Catalogue
1        15/2/95   BS7799 - A Code of Practice for Information        BSI
                   Security Management


0.3 Abbreviations
APS Automated Payment Services
BA Benefits Agency
BES Benefit Encashment Service
CASA Contracting Authorities Security Authority
CESG Communications-Electronics Security Group
CMS Card Management Service
CLEF Commercial Licensed Evaluation Facility
COTS Commercial Off The Shelf
DSS Department of Social Security
EPOSS Electronic Point Of Sale Service
OBCS Order Book Control Service
PAS Payment Authorisation Service
PFI Private Finance Initiative
POCL Post Office Counters Limited
PUN Pick Up Notice
0.4 Contents
0. CONTENT
0.1 Document History
0.2 Associated Documents
0.3 Abbreviations
0.4 Contents

1. INTRODUCTION
1.1 Service Overview
1.2 Scope
1.3 Policy Review
1.4 Implementation Priorities

2. OBJECTIVES
2.1 Business Objectives
2.2 IT Security Objectives
2.3 Legal Obligations

3. RESPONSIBILITIES FOR SECURITY
3.1 Director, Quality and Risk Management
3.2 ICL Pathway Security Board
3.3 Security Manager
3.4 Security Administration
3.5 Responsibilities for Physical Security
3.6 Hardware Security
3.7 All Personnel
3.8 Reporting Security Incidents

4. RESPONSIBILITIES FOR AUDIT
4.1 Audit Manager’s Responsibilities
4.2 Business Function Monitoring Responsibilities
4.3 Security Event Management Responsibilities

5. FRAUD AND RISK MANAGEMENT
5.1 Fraud Risk Manager
5.2 Investigation Team
5.3 Management of Fraud Risk
5.4 Risk Manager

6. PERSONNEL SECURITY
6.1 Recruitment Selection
6.2 Job Descriptions, Contracts and Assessmen
6.3 Security Education and Training

7. IMPLEMENTATION POLICIES
7.1 Information Classification
7.2 Safeguarding DSS/BA and POCL Records
7.3 Physical and Environmental Security
7.4 System Access Control
7.5 Cryptography

8. ADMINISTRATION OF SECURITY
8.1 System and Network Management
8.2 Audit Management
8.3 Systems Development and Maintenance
8.4 Virus Control Policy
8.5 Information Exchange Control
8.6 Control of Proprietary Software
8.7 External Contractors and Suppliers

9. BUSINESS CONTINUITY
9.1 Contingency Planning
9.2 Testing Contingency Plans
9.3 Subcontractor’s Contingency Plans

10. COMPLIANCE
10.1 Compliance with ICL Pathway’s Security Policy
10.2 Compliance with Legislative Requirements
10.3 Compliance with BS7799


1. INTRODUCTION

In May 1996, ICL Pathway Limited was selected to set up and operate
the services that will automate counter transactions at Post Offices
throughout the UK.

The purpose of this policy document is to lay the foundation that will
enable ICL Pathway to protect the integrity, availability and
confidentiality of all assets associated with the services. It also
enables ICL Pathway to comply with legislative and commercial
requirements.

1.1 Service Overview

The agreement is one of the UK Government's major Private Finance
Initiative (PFI) projects, whereby ICL Pathway will automate 20,000
Post Offices and provide the infrastructure used to make benefit
payments to an estimated 20 million recipients.

The Benefit Payment Service (BPS) translates input from the Benefit
Agency (BA), in the form of authorised payments, into benefit
payments that are collected, from nominated Post Offices, by card
holding claimants. It also provides returns to BA on the payments that
are made, together with other information.

BPS is defined as the end-to-end service provided by the combination
of Benefit Encashment Service (BES), Payment Authorisation Service
(PAS) and Card Management Service (CMS).

Computerised facilities at Post Office counters also enable a range of
Automated Payment Services (APS) to be provided, allowing
customers to make payments to utilities and other clients supported by
Post Office Counters Limited (POCL).

The Electronic Point Of Sale Service (EPOSS) supports all services, or
products, provided by the counter clerk to the customer. Order Book
Control Service (OBCS) is an optional counter application operating
through EPOSS.

The services are designed to minimise fraudulent encashment and
provide secure payment facilities, hence particular attention is focused
upon the security aspects of the services throughout their life cycle.

1.2 Scope

This Security Policy specifies mandatory security requirements to be
applied throughout ICL Pathway.


ICL Pathway has overall responsibility for the design, development,
implementation, roll-out, operation and support of the service
throughout the contract period. Specific activities will be
subcontracted to appropriate organisations, who will be required to
work within the security framework defined by ICL Pathway.

Figure 1 illustrates how particular service functions are mapped to
typical subcontractors for key components of the operational service.

[Figure 1: diagram of BA, POCL and Pathway with the subcontracted
functions. Labels recoverable from the diagram: Girobank (Payment
Authorisation and Card Management Enquiries Help Desks); ICL (Outsourcing)
(Payment Authorisation and Card Management Services; System Management
and Network Management); De La Rue (Card and PUN, Distribution);
Post Offices.]

Figure 1 Subcontracted Functions for ICL Pathway’s Services

ICL Pathway’s Security Policy must be compatible with the DSS and
POCL Security Policies. The interfaces between ICL Pathway and all
external organisations must be clearly defined and formally agreed
with the organisations concerned.

Security obligations for subcontractors involved in development
activities (including Escher, Oracle and ICL) and suppliers of key
service components (including De La Rue) will be subject to individual
agreements with ICL Pathway. Commercial off the shelf (COTS)
products will be provided by the appropriate product suppliers
(including Microsoft). De La Rue has responsibility for manufacture
and initial distribution of all Cards and Pick Up Notices (PUNs).

1.3 Policy Review

Once approved, this policy document will be formally reviewed at least
annually and after any significant attack or occurrence of fraud, and
updated whenever necessary.

Responsibilities for approval, review and issue of ICL Pathway’s
Security Policy and Procedures are defined in section 3.

1.4 Implementation Priorities

The short implementation timescales, agreed between ICL Pathway,
DSS/BA and POCL, dictate that detailed Security Procedures may not
be in place at the outset of all development activities.

The planned implementation order is:

• ICL Pathway Security Policy (this document),
• security procedures for system development activities,
• security procedures for system integration and validation,
• security procedures for system roll-out, and
• security procedures for all operational environments.

Guidelines provided by BS7799, a Code of Practice for Information
Security Management, and relevant sections of the documents listed in
section 0.2, will be used. Where appropriate, these will be
supplemented by ICL Pathway specific procedures.

2. OBJECTIVES

This document aims to provide a clear definition of ICL Pathway’s high-
level Security Policy.

ICL Pathway will establish an infrastructure that will minimise and
control liabilities to itself, the DSS and POCL (thereby meeting the
requirements outlined in Appendix A).

This policy document is intended to lay the foundation that will enable
ICL Pathway to protect the integrity, availability and confidentiality of
information used and produced by the services. This includes making
adequate provision for:

• Business Continuity,
• Fraud Risk Management, and
• compliance with relevant legislation.

The responsibilities for policy implementation are defined (in section 3)
in order that the policy requirements can be communicated throughout
ICL Pathway. This will ensure that all parties are fully aware of their
responsibilities and legal obligations.

ICL Pathway has stated its commitment to ensuring that it
encompasses the very best commercial practices for security. ICL
Pathway’s aim is to be fully compliant with BS7799.

Compliance with legislative requirements (including the Data
Protection Act) and BS7799 is considered under “Compliance” (in
section 10).

2.1 Business Objectives

The profitability and viability of ICL Pathway’s business operation are
dependent upon identifying and managing all risks for which ICL
Pathway has accepted responsibility. Protecting the information assets
owned by DSS/BA, POCL and POCL clients is also of fundamental
importance.

ICL Pathway will develop Contingency Plans that will be used to
ensure continuity of service. The plans, to be agreed between ICL
Pathway, DSS/BA and POCL, will be based upon the results of
comprehensive Risk Assessment.

Maintaining ICL Pathway’s reputation as a supplier of secure, efficient,
reliable, cost-effective services, and the reputation of DSS/BA and
POCL, is extremely important. Any service malfunction might be widely
publicised and exploited to the detriment of Pathway, DSS/BA or
POCL.

The opportunities for additional POCL services will be influenced by
the confidence established by the base services.

2.2 IT Security Objectives

ICL Pathway’s overall IT security objective can be summarised as
achieving the requirement expressed in the following policy statement:

It is the policy of ICL Pathway Limited to protect its investment in IT
assets, and to ensure the security of all information conveyed,
processed or stored, by the services.

1. Security measures in ICL Pathway’s IT systems will ensure
appropriate confidentiality, integrity and availability of data,
whether in storage or in transit. Maintaining the integrity of the
services and software components is also essential.

2. Physical and logical access to the system will be controlled, with
access granted selectively, and permitted only where there is a
specific need. Access will be limited to persons with appropriate
authorisation and a “need to know” requirement.

3. Authentication, whereby a user’s claimed identity is verified, is
essential before any access is granted to the system.
Authentication mechanisms are also required to ensure that trust
relationships can be established between communicating
components within, and external to, the system.


4. All users of ICL Pathway’s services will be individually accountable
for their actions. Accountability for information assets will be
maintained by assigning owners, who will be responsible for
defining who is authorised to access the information. If
responsibilities are delegated then accountability will remain with
the nominated owner of the asset.

5. Audit mechanisms are required to monitor, detect and record
events that might threaten the security of the ICL Pathway services
or any service(s) to which it is connected. Regular analysis of audit
trails is essential to facilitate the identification and investigation of
security breaches.

6. Alarm mechanisms are required to alert security personnel of the
occurrence of security violations that could seriously threaten the
secure operation of the services. These alarms will be used to
trigger prompt investigation and remedial action in order to
minimise the impact of any security breach.

7. ICL Pathway will monitor all developments and operations to
maintain assurance that its services are performing in accordance
with approved security procedures and controls. This will give a
high level of confidence that all information is being protected
during processing, transmission and storage.

2.3 Legal Obligations

ICL Pathway must remain fully compliant with all relevant legislation
and (relevant) regulations.

In addition to the existing legislative obligations, identified in section
10.2, it is important to track and anticipate emerging UK and European
regulations that could affect ICL Pathway’s operation.

3. RESPONSIBILITIES FOR SECURITY

ICL Pathway’s Managing Director has ultimate responsibility for
security.

ICL Pathway’s commitment to security will be communicated
throughout ICL Pathway, as evidenced by board level approval of ICL
Pathway’s Security Policy.

[Figure 2: organisation chart. Labels recoverable from the diagram:
ICL Pathway Managing Director; Director, Quality and Risk Management;
ICL Pathway Security Board; Security Advisors (external); Fraud Risk
Manager; Risk Manager; Security Manager; Investigation Team; Security
Administration; Girobank FRM Services; external DSS/BA Audit and NAO
Audit; groupings "Fraud Risk Management" and "SEM and Audit
Management".]

Figure 2 ICL Pathway’s Security Management Structure

Figure 2 illustrates the security organisation used within ICL Pathway
and the activities subcontracted to Girobank. Senior management is
supported by experienced specialists and technical staff with specific
expertise in the areas of IT, security, fraud prevention and risk
management.

3.1 Director, Quality and Risk Management

The responsibilities of the Director, Quality and Risk Management,
include:

• overall control and management of security throughout ICL
  Pathway,
• provision of adequate resources for security,
• being Chairman of the ICL Pathway Security Board (see section
  3.2),
• owner of ICL Pathway’s Security Policy,
• approval authority for ICL Pathway’s Security Policy,
• approval authority for ICL Pathway’s Security Procedures,
• overall control of fraud and risk management functions,
• establishing the security interface with the DSS/BA and POCL, and
• establishing the security interface with all subcontractors.

3.2 ICL Pathway Security Board

The representatives on ICL Pathway’s Security Board are nominated
by the Director, Quality and Risk Management, and approved by the
ICL Pathway Board.

The Security Board participants, which will include the Contracting
Authorities Security Authority (CASA), represent a broad range of
interests to ensure that alternative perspectives are considered.

Whenever necessary, the Security Board can commission
independent specialists to undertake studies, investigations or audits.

Security Board responsibilities include:

• ownership of ICL Pathway’s Security Strategy,
• determining the adequacy of ICL Pathway’s Security Policy
  definition,
• formal review of all Security Policy documents,
• review of security incidents, on a regular basis, and
• liaison with external bodies and specialists.

3.3 Security Manager

The Security Manager is responsible for ensuring implementation of
policy and procedures, and maintaining “best practice”, within the remit
of ICL Pathway.

ICL Pathway’s Security Manager's responsibilities include:

• physical and environmental security,
• monitoring for compliance with ICL Pathway’s Security Policy,
• providing the point of contact for reporting all types of security
  incidents,
• recording and investigating security incidents,
• ensuring that security relevant events are audited by the system,
• ensuring that audit trails are analysed on a regular basis,
• documentation of ICL Pathway’s Security Policy,
• owner of ICL Pathway’s Security Procedures,
• documentation of ICL Pathway’s Security Procedures,
• communication of security policy and procedures throughout ICL
  Pathway,
• authorisation and approval for system changes,
• co-ordinating the evaluation of all new security products proposed,
• specifying and arranging security education and training,
• devising and conducting security awareness programmes,
• maintaining a partnership approach to security with CASA,
• liaison with DSS/BA, POCL and suppliers’ security personnel, and
• recruitment selection of security administration personnel.

3.4 Security Administration

The description “Security Administration” has been used to describe
ICL Pathway personnel assigned to roles with particular responsibility
for security.


ICL Pathway’s Security Manager is the normal line manager for this
group, hence many of the activities assigned to Security Administrators
will be to support the functions listed in section 3.3.

Wherever possible, Security Administrators will act in a supporting or
monitoring role rather than as a Service Provider for the operational
service. In this capacity they can:

• monitor compliance with ICL Pathway’s Security Policy,
• implement ICL Pathway’s Security Procedures,
• conduct independent reviews of compliance to policy and
  procedures,
• report security incidents, and
• recommend changes, to enhance ICL Pathway’s security controls,
  to the Security Manager.

3.5 Responsibilities for Physical Security

By using existing operational sites, ICL Pathway benefits from the
current security infrastructure in order to protect against threats from
physical and environmental sources.

ICL Pathway has responsibility for reviewing the adequacy of all
existing controls, working with a nominated manager agreed with each
subcontractor. The physical security of facilities used by ICL Pathway
and its subcontractors, including development, test and integration
areas, will be specified by ICL Pathway.

3.6 Hardware Security

Post Offices pose some significant challenges for several reasons:

• ICL Pathway will use approximately 20,000 sites throughout the UK,
• ICL Pathway cannot control the physical security at Post Offices,
• ICL Pathway owns the IT assets installed in each Post Office,
• high specification commercial PCs will be installed at each site,
• ICL Pathway cannot vet or select Post Office personnel, and
• changes to the Post Office operating environment can occur.

The physical security measures associated with equipment installation
will take these factors into account to reduce ICL Pathway’s risks to an
acceptable level.

3.7 All Personnel

All service users, most of whom will be at Post Office counters, will be
included in ICL Pathway’s awareness and/or training programmes.
Security aspects, an integral part of these programmes, will be set in a
context appropriate to the user's role (for example, Postmaster or
clerk).


All ICL Pathway employees, subcontractors and system users have
security responsibilities and they will be required to work together in
support of this security policy. Personnel who may not regard
themselves as any kind of “system user” will still have security
responsibilities. In particular, they are expected to be vigilant in
reporting anything they believe may be suspicious.

Promoting security awareness, throughout ICL Pathway, to
subcontractors, and within Post Offices, is an important responsibility
assigned to ICL Pathway’s Security Manager.

Publicising security reporting and escalation procedures will be part of
this awareness strategy.

3.8 Reporting Security Incidents

ICL Pathway will establish effective procedures for reporting, acting
upon and escalating all incidents that could affect security.

ICL Pathway’s Security Manager will ensure that all incidents are
recorded, investigated and resolved with appropriate urgency. This will
include liaison with CASA to review incidents and actions.

4. RESPONSIBILITIES FOR AUDIT

The Director, Quality and Risk Management, is accountable for the
Audit function within ICL Pathway, as illustrated in figure 2.

The Audit Manager’s responsibilities, listed in section 4.1, are primarily
concerned with managing the internal Audit function within ICL
Pathway but they also include liaison with DSS/BA, POCL and NAO
audit personnel.

As the point of contact with all external audit personnel, the Audit
Manager will need to maintain regular contact with many ICL Pathway
groups (e.g. Customer Service, Programmes, Commercial and
Finance) to co-ordinate audit related activities.

The Security Event Management function, illustrated in figure 2,
encompasses the routine IT Security activities concerned with security
relevant events recorded by the ICL Pathway system(s). It is really part
of the day-to-day security administration activity but has been
highlighted to identify the need for regular analysis of event logs.

4.1 Audit Manager’s Responsibilities

ICL Pathway’s Audit Manager is responsible for ensuring
implementation of ICL Pathway’s Audit Policy and maintaining “best
practice”, within the remit of ICL Pathway.


The Audit Manager’s responsibilities include:

• planning and carrying out audits of ICL Pathway’s business
  functions,
• examining and evaluating the results of (business function) audits,
• developing and agreeing improvement programmes,
• monitoring and reporting improvement activities,
• monitoring for compliance with ICL Pathway’s Audit Policy,
• providing the point of contact for all audit related matters,
• overall responsibility for ICL Pathway’s Audit activities,
• ensuring that appropriate events are audited by the system,
• ensuring that computer audits are conducted on a regular basis,
• documentation of ICL Pathway’s Audit Policy,
• being the owner of ICL Pathway’s Audit Standards,
• documentation of ICL Pathway’s Audit Standards,
• communication of Audit policy and standards within ICL Pathway,
• co-ordinating the evaluation of all new audit products proposed,
• specifying and arranging Audit education and training,
• maintaining a partnership approach to audit with Contracting
  Authorities,
• liaison with DSS/BA, POCL and NAO audit personnel,
• liaison with ICL Group Audit personnel, and
• recruitment selection of Audit personnel.

4.2 Business Function Monitoring Responsibilities

The description “Business Function Monitoring” has been used to
describe ICL Pathway personnel assigned to roles with particular
responsibility for Audit.

ICL Pathway’s Audit Manager is the normal line manager for this
group, hence many of the activities assigned to Business Function
Monitoring will be to support the functions listed in section 4.1.

Wherever possible, Business Function Monitoring will act in a
supporting role rather than as a Service Provider for the operational
service. In this capacity they can:

• monitor compliance with ICL Pathway’s Audit Policy,
• implement ICL Pathway’s Audit Standards,
• conduct independent reviews of compliance to policy and standards,
• report security incidents, and
• recommend changes, to enhance ICL Pathway’s audit controls, to
  the Audit Manager.

4.3 Security Event Management Responsibilities

The description “Security Event Management” has been used to
describe ICL Pathway personnel assigned to roles with particular
responsibility for security relevant events recorded by the ICL Pathway
system(s).

ICL Pathway’s Security Manager is the normal line manager for this
group, hence many of the activities assigned to Security Event
Management personnel will be supporting functions.

Wherever possible, Security Event Management will act in a
monitoring role supporting the audit related security administration
activities. In this capacity they can:

• ensure that specified events are being audited on the relevant
  platforms,
• ensure that all access (and attempted access) to the ICL Pathway
  system is audited,
• monitor usage by ICL Pathway operations and management staff,
• analyse the audit logs generated by the different ICL Pathway
  platforms,
• assist with investigations (as assigned by the Security Manager),
• extract copies of audit information for investigation purposes,
• ensure that archived audit information is being stored securely,
• implement ICL Pathway’s Security Procedures (particularly with
  regard to audit),
• report security incidents, and
• recommend changes, to enhance ICL Pathway’s security controls,
  to the Security Manager.

5. FRAUD AND RISK MANAGEMENT

ICL Pathway’s policy is to identify and minimise the risk of fraud within
the ICL Pathway services. However, ICL Pathway recognises that the
threat of fraud incidents exists inside and outside ICL Pathway’s
responsibility.

ICL Pathway’s Director, Quality and Risk Management, has
responsibility for fraud and risk management, in addition to security, as
outlined in section 3.1. In this former capacity, he/she is supported by
a Fraud Risk Manager, an investigation team, and external specialist
services, as illustrated in figure 2.

The Fraud Risk Management (FRM) service will concentrate on the
identification, monitoring and management of encashment fraud within
the Benefit Payment Service and the POCL Strategic Infrastructure.


5.1

5.2

5.3

ICL Pathway’s Risk Manager is responsible for minimising risk from the
business perspective. Responsibilities of the Risk Manager, also
illustrated in figure 2, are outlined in section 5.4.

Fraud Risk Manager
ICL Pathway’s Fraud Risk Manager's responsibilities include:

e identifying and categorising risks associated with fraud,

e analysis of trend incidents and fraud losses,

e fraud monitoring, to profile abnormal or irregular encashment
patterns and identify potential fraud incidents,

e establishing internal controls to reduce the potential for fraud,

in conjunction with the Contracting Authorities, establish external

controls for the use of the ICL Pathway FRM services,

operate in accordance with agreed Change Control Process,

reducing the potential for fraud perpetrated through collusion,

reviewing security policy and procedures from a fraud perspective,

providing the point of contact for reporting all fraud incidents,

recording and investigating fraud incidents,

management of the provision of information for the investigation of

fraud incidents,

managing the supporting FRM services, and

¢ liaison with external authorities in the event of fraud.

5.2 Investigation Team

The investigation team, shown in figure 2, carry out investigations
instigated by the Fraud Risk Manager. The team’s activities include:

• collecting and examining system evidence in support of
  investigations,
• reporting on the findings of all investigations,
• quantifying the amounts involved in fraud incidents,
• identifying persons implicated in fraud perpetration,
• recommending measures which could reduce fraud risks, and
• working with specialist external bodies developing new techniques.

5.3 Management of Fraud Risk

As illustrated in figure 2, specialist Fraud Risk Management services
will be invoked to supplement ICL Pathway’s internal resources.
Girobank’s use of the data will be restricted to that required for FRM
investigations.

Use of external services enables:

• specialist skills to be invoked whenever needed,
• adequate resources to be available for special investigations,
• independent review of ICL Pathway’s own procedures, and
• ICL Pathway to keep abreast of new methods for reducing risk.

5.4 Risk Manager

ICL Pathway’s Risk Manager is responsible for minimising risk from the
business perspective. Activities undertaken in this capacity are
concerned with maintaining profitability, integrity and good reputation
of the organisation, in pursuit of the business objectives outlined in
section 2.1.

The Risk Manager, like the Quality Manager, does not have specific
responsibilities for management of security, audit or fraud, hence such
roles are not considered further within this security policy document.

6. PERSONNEL SECURITY

Staff concerned with the operations and management of central
services are to be managed under the guidance of ICL’s Personnel
Policy Manual and associated documents.

Staff working on high risk areas in the organisation (those classified as
“sensitive”) are to be subject to more frequent vetting reviews and
internal audits. This applies to ICL Pathway’s own employees and to
staff from subcontractors’ organisations.

6.1 Recruitment Selection

All applicants will be subject to vetting, which will include checks on
their identification and financial circumstances.

Business and personal references will be checked for all applicants.

6.2 Job Descriptions, Contracts and Assessment

ICL Pathway will apply best commercial practice, based upon BS7799,
to include security considerations within:

• Employees Terms and Conditions for Employment, and
• generic job descriptions.

6.3 Security Education and Training

ICL Pathway’s education and training programme will promote security
awareness and explain the importance and use of security controls.

The programme will include:

• all ICL Pathway employees,
• training for all system users, tailored to their particular role, and
• appropriate training for contractors and third parties.

7. IMPLEMENTATION POLICIES


The following subsections provide an overview of the controls required
for:

• asset classification and control,
• physical and environmental security, and
• system access control.

ICL Pathway’s Security Procedures will provide more detailed
guidance based upon the corresponding BS7799 sections. This will
include the provision and maintenance of an asset register.

7.1 Information Classification

All information used by ICL Pathway will be handled in accordance
with its classification, as specified by its owner. Information owners are
required to classify all information that they own, in accordance with a
process that will be jointly agreed.

The sensitivity of information will be measured by the consequences of
a potential security breach associated with that information.

ICL Pathway will assume that aggregation cannot increase the
classification of any information (unless otherwise agreed with the
Authority).

ICL Pathway’s Security Procedures will include guidance on protective
marking and handling of information.

7.2 Safeguarding DSS/BA and POCL Records

ICL Pathway will establish appropriate controls to safeguard all manual
and electronic records supplied by DSS/BA and POCL. The records
will be safeguarded from unauthorised disclosure, modification, loss,
destruction and falsification. The security characteristics of the records
and requirements for processing and storage will be agreed, formally,
with the DSS/BA or POCL provider.

7.3 Physical and Environmental Security

Use of existing secure computing facilities for ICL Pathway’s central
services will simplify the task of establishing secure areas for the
protection of IT facilities. The physical security measures will include:

• specialist site security staff in attendance 24 hours per day,
• surveillance and intruder detection systems,
• multi-zone areas controlled by a card access system, and
• regular security reviews and audit checks.


All equipment and cabling will be well maintained and protected
against environmental hazards, including fire and water damage.
Alternative power supplies will be provided in accordance with ICL
Pathway’s contingency plans.

7.4 System Access Control

Control of access to ICL Pathway’s systems and data will be in
accordance with ICL Pathway’s Access Control Policy which will be
based upon analysis of security and business requirements.

The Access Control Policy and its associated Security Procedures will
specify:

• a clear definition of responsibilities for all authorised users,
• specification of roles and responsibilities for all types of system
  usage,
• control of access to all ICL Pathway system components,
• control of access to all data within the ICL Pathway system,
• control of access to all stored information and documentation,
• control of access to database facilities and tools,
• control of access to applications running on servers and
  workstations,
• control of access to the network and network management systems,
• procedures for allocation of access rights to IT services,
• management, assignment and revocation of privileges,
• mechanisms to be used for user identification and authentication,
• password management, including password generation and expiry,
  and
• monitoring system access and use of facilities.

Accountability of individuals is essential and segregation of duties will
be enforced where appropriate. For particularly critical operations “two
person controls” will be considered.

Wherever authorisation is given orally, normally over a telephone link,
additional verification methods must be used. In particular:

• DSS/BA’s instruction to ICL Pathway to enter a fall-back mode,
• DSS/BA’s calls to the PAS Help Desk to stop payments or place
  other actions,
• calls from Post Offices to the PAS Help Desk for payment
  authorisation when operating in fallback mode (notably for
  encashment at “foreign” Post Offices), and
• customer calls to the CMS Help Desk for card enquiries.


7.5 Cryptography

ICL Pathway will seek the guidance of Communications-Electronics
Security Group (CESG) on all matters concerning cryptography.
Typically, this would include:

• choice of encryption algorithms,
• strength of mechanisms,
• encryption of information stored on disks within Post Offices, and
• encryption key management (including key generation, distribution
  and change).

ICL Pathway will comply with Government Policy with regard to the
application of cryptographic techniques to the protection of
Government Data.

8. ADMINISTRATION OF SECURITY

ICL Pathway will implement effective controls to protect against the
possibility of attack from “users” who are granted privileges and
access rights. Similarly, individuals with access to source code and
development facilities will be monitored.

The following subsections provide an overview of the controls required
within ICL Pathway’s organisation. ICL Pathway’s Security Procedures
will provide more detailed guidance based upon the BS7799 controls
for:

• computer and network management, and
• system development and maintenance.

8.1 System and Network Management

Operational control of ICL Pathway’s services will be managed by a
central System Support unit responsible for system and network
management.

The system privileges and access permissions required to perform
management functions are considerably higher than those assigned to
normal users. ICL Pathway will therefore ensure that:

• staff assigned to management functions are carefully selected,
• particular attention is paid to logical and physical access controls,
• individuals are not granted unnecessary privileges,
• separation of duties is achieved whenever appropriate,
• individuals are held accountable for all system changes,
• the ability to grant and modify access permission is controlled, and
• all significant system changes are recorded with before and after
  states.

8.2 Audit Management


ICL Pathway will ensure that:

• all security critical events are time stamped and recorded,
• auditable events are carefully selected to minimise overheads,
• audit trail information is protected from modification,
• audit trails include a record of all significant system changes,
• effective audit analysis reduction and analysis tools are used,
• all observed system irregularities are investigated, and
• audit trails are archived and stored for an agreed duration.

8.3 Systems Development and Maintenance

ICL Pathway will ensure that system security, considered at the
requirements analysis stage, fully reflects the business value of the
information assets involved. The analysis will consider:

• control of access to information and services,
• segregation of duties,
• secure operation in degraded mode,
• incorporation and analysis of audit trails,
• ensuring integrity of data using sealing and verification
  mechanisms,
• use of encryption to prevent unauthorised disclosure of data, and
• system resilience, including operation in fall-back mode and
  recovery.

All software developed by or for ICL Pathway will be specified and
implemented using proven methodologies, taking care to ensure that:

• input data validation is comprehensive and reliable,
• processing protects against errors and attacks, and
• integrity checking is performed, using hash totals and balance
  controls.

ICL Pathway will ensure that software development activities are fully
supported by procedures and standards which cover all aspects of the
development process. Audits and reviews will be conducted to ensure
that the procedures are being applied effectively and that the
supporting documentation meets approved standards. Security testing
will provide confirmation that the security functionality of the system
has been implemented to meet the agreed security objectives.

Assurance during development will be supported by the definition of
security requirements, security architecture, detailed security design,
design reviews and security testing.

Design and specification changes will be reviewed to ensure they do
not compromise the security of the system.


All software will be subject to appropriate acceptance procedures prior
to integration with other components.

8.4 Virus Control Policy

ICL Pathway will analyse threats associated with malicious software
and, where appropriate, will implement effective controls. These
controls will provide virus prevention, virus detection and appropriate
user awareness procedures.

8.5 Information Exchange Control

ICL Pathway will define, agree and enforce (with relevant parties)
procedures for the exchange of information handled electronically and
by other means. The procedures used will comply with legal and
contractual requirements and will depend upon the sensitivity of the
information.

In particular, the exchange of information with DSS/BA and POCL will
be subject to formally agreed controls.

8.6 Control of Proprietary Software

Proprietary software will only be used within the terms of the licence
conditions.

Unauthorised copying of software and documentation will be
prohibited.

ICL Pathway will not permit any modified or non-standard software
components to be incorporated unless the modifications have been
applied and validated by the normal supplier, and approved by ICL
Pathway’s Security Manager.

ICL Pathway’s configuration management system will maintain an
inventory of all proprietary software used by their services.

8.7 External Contractors and Suppliers

ICL Pathway will ensure that the use of external contractors and
suppliers is covered by appropriate safeguards. This will include
agreements with contractual terms and conditions and checks on the
integrity of external contractors before any work is assigned to them.

External personnel will not be allowed access to any classified
information without prior written authority from the information owner
and completion of a non-disclosure agreement.


Suppliers of goods and services (including Escher and Oracle) will be
subject to formal agreements in support of this security policy.
Individual agreements with suppliers of standard COTS components
are not required.

Evidence of the suppliers’ security procedures will be sought where
externally supplied goods or services are used to process critical
information.

9. BUSINESS CONTINUITY

ICL Pathway will ensure that an effective business continuity plan is
agreed with CASA and implemented to reduce the risks from deliberate
or accidental threats to deny access to vital services or information.

Plans will be developed to enable internal operations and business
services to be maintained following failure or damage to vital services,
facilities or information. All relevant security provisions will be
maintained, even if degraded conditions are in effect.

9.1 Contingency Planning

In order to minimise any disruption to the services managed by ICL
Pathway, contingency plans will be developed to encompass:

• handling emergency situations,
• operating in fall-back mode, and
• recovery (or Business Resumption) to full operational status.

9.2 Testing Contingency Plans

All contingency plans will be tested on a regular basis under
representative operational conditions.

9.3 Subcontractor’s Contingency Plans

Contingency arrangements will be examined and managed to ensure
that risks are minimised, wherever ICL Pathway is dependent upon
subcontractors (or third parties), for essential services or supplies.

10. COMPLIANCE

ICL Pathway is required to comply with legislative requirements and
commercial standards.

The importance of compliance is illustrated by the fact that 4 out of 10
of the key controls, defined in BS7799, are about compliance.

10.1 Compliance with ICL Pathway’s Security Policy


Compliance with the requirements defined in this Security Policy is
mandatory. The policy is to be applied throughout ICL Pathway for the
secure management and operation of the services.

Periodic reviews will be carried out, under the direction of ICL
Pathway’s line managers, to verify that ICL Pathway is operating in
accordance with its security policy and procedures.

ICL Pathway’s Audit function (see section 4) will provide the essential
monitoring activities needed to provide senior management with
visibility that ICL Pathway is operating in accordance with this policy.

10.2 Compliance with Legislative Requirements

ICL Pathway will ensure compliance with all legislative requirements,
including the:

• Data Protection Act (1984),
• Computer Misuse Act (1990), and
• Copyright, Designs and Patents Act (1988).

All applications handling personal data on individuals will comply with
data protection legislation and principles.

Under the Computer Misuse Act, it is an offence to access or modify
material without proper authority, or to access material with intent to
commit further offences.

ICL Pathway will protect against unauthorised copying of
documentation and software.

In addition to the Acts identified above, ICL Pathway will comply with
appropriate sections of PACE, the Social Security Administration Act,
Post Office and Telegraph Acts, Official Secrets Act 1989, Companies
Act, EU Directives and other obligations to be defined in ICL Pathway’s
procedures.

10.3 Compliance with BS7799

The controls defined in BS7799 are designed to provide a sound
baseline for commercial organisations of many types.

ICL Pathway will apply BS7799 to provide a baseline definition for
information security encompassing the ten categories of controls:

      Category of Controls                    Section

 1    Security Policy                         All
 2    Security organisation                   3 (4 and 5)
 3    Asset classification and control        7.1 and 7.2
 4    Personnel security                      6
 5    Physical and environmental security     7.3
 6    Computer and network management         8.1
 7    System access control                   7.4
 8    Systems development and maintenance     7.3
 9    Business continuity planning            9
10    Compliance                              10

Table 1 BS7799 Control Categories

This security policy document considers each of these categories, as
indicated in Table 1, and outlines the requirements in the ICL Pathway
context.

ICL Pathway’s Security Procedures will provide further guidance based
upon the BS7799 Code of Practice.


APPENDIX A SECURITY POLICY REQUIREMENTS

This Security Policy document encompasses all of the requirements
specified in ICL Pathway’s agreement with the Authority (as defined in
Schedule B01).

By implementing the agreed Security Policy, ICL Pathway will minimise
and control liabilities to itself and the Authorities.

The security infrastructure established by ICL Pathway will cover all
areas specified by the Authority. Table A1 (which is based upon
Schedule B01, Requirement 698) indicates the section of BS7799 that
describes the category of control and the nature of the ten “key”
controls.

Security Features                                        Section   BS7799

The agreement of a Security Policy                       1.2       1    key
Allocation of Security Responsibilities                  3         2    key
Security Education and Training                          6.3       4    key
Reporting Security Incidents                             3.8       4    key
Physical Security Control                                7.3       5
Virus Control                                            7.4       6    key
Business Continuity                                      9         9    key
Control of Proprietary Software                          8.6       10   key
Safeguarding DSS/BA and POCL Records                     7.2       10   key
Information Classification                               7.1       3
Compliance with Data Protection and other legislation    10.2      10   key
Information Exchange Control                             8.5       6
External Contractors and Suppliers                       8.7       2
Compliance with Security Policy                          10.1      10   key
Management of fraud and risk during service operation    5         6

Table A1 Requirement 698 Cross Reference
