FUJ00235010 - Fujitsu - RMGA User Management Procedure

FUJ00235010

RMGA User Management Procedure

FUJITSU COMMERCIAL IN CONFIDENCE

Document Title: RMGA User Management Procedure

Document Reference: SVM/SEC/PRO/0012

Document Type: Process (PRO)

Release: N/A

Abstract: This document establishes the controls that RMGA has to meet to manage user access to its assets based on its contractual requirements.

Document Status: FOR REVIEW

Author & Dept: Bill Membery, Kirsty Gallacher

External Distribution: N/A

Security Risk Assessment Confirmed: YES

Approval Authorities:

Name | Role | Signature | Date
Steve Denham | RMGA Head of Service Management | See Dimensions for record
Howard Pritchard | RMGA CISO | See Dimensions for record

See HNG-X Reviewers/Approvers Matrix (PGM/DCM/ION/0001) for guidance on who should approve.
Ref: SVM/SEC/PRO/0012   Version: 1.0   Date: 27/07/2009   Page No: 1 of 28
© Copyright Fujitsu (UK & Ireland) 2009   COMMERCIAL IN CONFIDENCE   UNCONTROLLED IF PRINTED OR LOCALLY STORED
0 Document Control
0.1 Table of Contents
0 Document Control 2
0.1 Table of Contents
0.2 Document History
0.3 Review Details
0.4 Associated Documents (Internal & External)
0.5 Abbreviations
0.6 Glossary
0.7 Changes Expected
0.8 Accuracy
0.9 Security Risk Assessment
1 Introduction
1.1 Scope
1.2 Purpose
1.2.1 ISO 27001
1.2.2 Security Requirements
1.2.3 DOORS Requirements
2 Process 10
2.1 User management
2.2 New Joiners
2.3 Movers
2.4 Leavers
2.5 Review
2.6 Audit
3 Appendix A

0.2 Document History

Version No. | Date | Summary of Changes and Reason for Issue | Associated Change (CP/PEAK/PPRR) Reference
0.1 | 12/12/08 | Initial Draft version | N/A
0.2 | 27/07/09 | Amended following full review | N/A

0.3 Review Details

See HNG-X Reviewers/Approvers Matrix (PGM/DCM/ION/0001) for guidance on completing the lists below. You
may include additional reviewers if necessary, but you should generally not exclude any of the mandatory reviewers
shown in the matrix for the document type you are authoring.

Review Comments by: 20 July 2009
Review Comments to: Kirsty Gallacher

Mandatory Review

Name | Role
Kirsty Gallacher | Service Support Manager
Howard Pritchard | CISO
Nigel Hatcher* | RMGA Quality Manager
Andy Dunks | RMGA Security Operations
Ellie Sims | RMGA HR Representative

Optional Review

Name | Role
Leighton Machin | Branch Services SDM
Jan Venables* | OBC/DMN Manager
Janet Reynolds | Operations Support
David Wilcox* | Reference Data Manager
Sarah Bull | Branch Services & Release Management SDM
Mik Peach* | SSC Manager
Ian Mills | Networks SDM
Mike Stewart | Online Services & SAP SDM
Claire Drake | Data centres SDM
Sandie Bothick | HSD SDM
Jim Sweeting | Security Architect
Damian McClintock | Principal Solution Architect
Dave Jackson | Practice Head - Northern Implementations
Adrienne Thompson | Team Manager SoP Northern Ireland
Catherine Irvine | Service Manager, Network Security Support, Infrastructure Svces
Martin Menally | Data Centre Manager
Pete Thompson | Operations Transition Manager
Vince Cochrane | Implementation Delivery Manager - HNG-X Programme Infrastructure Deployment

Issued for Information: please keep the distribution list to a minimum.

( * ) = Reviewers that returned comments.
0.4 Associated Documents (Internal & External)

Reference | Version | Date | Title | Source
PGM/DCM/TEM/0001 | 4.0 | 21-Nov-2008 | RMGA HNG-X Generic Document Template (DO NOT REMOVE) | Dimensions
SVM/SEC/PRO/0006 | 0.1 | - | Application For Access To The Live Network | Dimensions
ARC/SEC/ARC/0003 | - | - | HNG-X Technical Security Architecture | Dimensions
DES/GEN/TEM/0004 | - | - | HNG-X LIVE Physical Platform Design Template | Dimensions
DES/PPS/HLD/0006 | - | - | HNG-X NAMING STANDARD | Dimensions
DES/PPS/HLD/0003 | - | - | Active Directory HLD | Dimensions
DES/SEC/HLD/0001 | - | - | HNG-X Authentication HLD | Dimensions
DES/SEC/HLD/0003 | 1.3 | 05/11/2007 | HNG-X Key Management High Level Design | Dimensions
DES/SEC/HLD/0004 | - | - | HNG-X Authorization High Level Design | Dimensions
DES/SEC/HLD/0009 | - | - | Windows server Security Settings | Dimensions
DES/SYM/HLD/0020 | - | - | Secure Console Access High Level Design | Dimensions
DEV/APP/LLD/0028 | - | - | Active Directory LLD | Dimensions
DEV/GEN/SPG/0012 | - | - | Active Directory Support Guide | Dimensions
DEV/INF/LLD/0059 | 0.1 | 18/01/2008 | HNGX Cygwin/SSH LLD | Dimensions
PA/PRO/0001 | - | - | Change Management Process | Dimensions
SVM/SDM/POL/0027 | - | - | Access Control Policy | Dimensions
SVM/SDM/SD/0017 | - | - | Security Management Service: Service Description | Dimensions
SVM/SDM/OLA/0014 | - | - | Fujitsu Standard Data Centre OLA | Dimensions
SVM/SDM/OLA/0015 | - | - | OLA for Core Division Wintel & NT, Nearshore | Dimensions
SVM/SEC/PLA/0007 | - | - | RMGA Security Risk Register | Dimensions
SVM/SEC/POL/0003 | - | - | RMGA Information Security Policy | Dimensions
BS ISO/IEC 27001:2005 | - | - | Information technology - Security techniques - Information security management systems - Requirements | External
BSI ISO/IEC 27002:2005 | - | - | Information technology - Security techniques - Code of practice for information security management | External
BS/ISO IEC 20002 | - | - | Contact RMGA Security for details | External
CISP | - | - | Post Office Ltd Community Information Security Policy | External

Unless a specific version is referred to above, reference should be made to the current approved versions of the documents.

0.5 Abbreviations

Abbreviation | Definition
CCD | Contract Controlled Document
CISO | Chief Information Security Officer
HR | Human Resources
FS | Fujitsu Services
POL | Post Office Limited
RMGA | Royal Mail Group Account

0.6 Glossary

Term | Definition
Accountability | A security principle that requires that individuals be identifiable.
Authenticity | Identifying or verifying the eligibility of a piece of hardware, software, network equipment, or individual to access specific categories of information.
Availability | The property of being accessible and usable upon demand.
Confidentiality | The property that information is not made available or disclosed to unauthorised individuals.
Corrective Controls | Corrective controls involve physical, administrative, and technical measures designed to react to detection of an incident in order to reduce or eliminate the opportunity for the unwanted event to recur.
Detective Controls | These use practices, processes and tools that identify and react to security violations.
Directive Controls | These are controls used to advise employees, third parties and contractors of the behaviour expected of them during their interfaces with or use of RMGA or POL's information systems.
Integrity | The property of safeguarding the accuracy and completeness of assets.
Non-repudiation | A means whereby the authenticity or integrity of the information cannot be refuted.
Preventative Controls | These are controls such as physical, administrative, and technical measures to preclude actions violating policy or increasing risk to system resources.
Recovery Controls | These controls are used once an incident has occurred that results in the compromise of integrity or availability; they are implemented to restore the system or operation to a normal operating state.
Reliability | The ability of a person or system to perform and maintain its functions in routine circumstances, as well as in hostile or unexpected circumstances.

0.7 Changes Expected

Details of areas other than the management of users are to be included.

0.8 Accuracy

Fujitsu Services endeavours to ensure that the information contained in this document is correct but, whilst every
effort is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused)
sustained because of any error or omission in the same.

0.9 Security Risk Assessment

I consider there are security risks related to the content of this document, and I will follow Fujitsu Services
Risk Assessment Process as described in C-MP 1.2 on Café VIK. I have inserted into Section 0.4
(above) a cross-reference to the SVM/SEC/PLA/0007 RMGA Security Risk Register where all risks are
documented and will follow RMGA Risk management framework SVM/SEC/STD/0006.


1. Introduction

These User Management Guidelines are intended to help managers and users of both physical and technical assets within the RMGA account and FS supporting functions. They set out how access to these assets is to be created, managed, and removed, and explain how it is to be monitored and reviewed.

1.1 Scope

This document covers buildings, rooms, networks, support, estate management, applications and tools used by RMGA and any associated third parties (external and Fujitsu internal) to provide and meet both its contractual and regulatory obligations to Post Office Ltd.

1.2 Purpose

This document establishes the controls that RMGA has to meet to manage user access to its assets, based on its contractual requirements stated in schedule A4 (Policies and Standards), in particular the following sections:

4.1.2 “Fujitsu Services shall be compliant with ISO 27001.”

4.1.4 “Fujitsu Services shall adhere to the relevant parts of the CCD entitled “Community Information Security Policy for Horizon” (RM/POL/002*) and co-operate with Post Office to assist Post Office in complying with this standard and requirement.”

4.1.5 “The confidentiality, integrity, validity, and completeness of data shall be maintained throughout all storage, processes, and transmissions, including during periods of Service Failure and recovery from Service Failure.”

*RM/POL/002 has since been superseded by SVM/SEC/POL/0005.


1.2.1 ISO 27001

ISO 27001 has two clear parts: the clauses, which are detailed in sections 4-8, and the guidelines as to best practice in Annexes 5-15, usually referred to with an A preceding them.

To assist users of this document, Appendix A details those clauses of ISO 27001, their reference within the standard, the area to which the controls are expected to be applied, and the details of the control and its ownership. As can be seen, ownership falls throughout the whole organisation and throughout all areas of the business.

In the ISO 27001 framework the controls that we are required to meet fall into the following generic areas: People, Infrastructure, Applications, Control, Operations, and Management Review and Monitoring, as shown in Appendix A.

1.2.2 Security Requirements

Information security is based on a number of precepts, the most important of which are defined as confidentiality, integrity and availability. In addition, other properties such as authenticity, accountability, non-repudiation, and reliability are involved.

These are broad categories of security controls which can be employed to provide various levels of security to guard against specific or perceived ‘risks’ which have been jointly identified by Post Office Ltd and Fujitsu. This document defines the policies for controlling access to the RMGA IT system in compliance with the Post Office CISP.

BS/ISO IEC 20002, “A Code of Practice for Information Security Management,” is primarily concerned with management and operational controls, but also sets out a number of technical security controls. BS/ISO IEC 20002 is used as the basis of the RMGA Security Policy and Procedures to define the controls used throughout RMGA.

Fujitsu Services shall operate a quality management system, which complies with BS EN ISO 9001:2008.

Controlling access to IT resources requires a combination of directive, preventive, detective, corrective, and recovery controls that are used to manage hardware, software, operations, data, media, network equipment, support systems, physical areas, and personnel. They involve both manual procedures and technical controls on the IT system.

Documents defining the corporate Fujitsu (UK & Ireland) policies, processes and procedures, which take precedence over any RMGA documentation, are held on Café VIK at:

o Group Property and Facilities Management: http://www.cafevik.fs.fujitsu.com/index.aspx?portal=106

o Human Resources: http://www.cafevik.fs.fujitsu.com/index.aspx?portal=152

o Fujitsu Services Security (in particular Security vetting): http://www.cafevik.fs.fujitsu.com/index.aspx?portal=107

o Risk Management: http://www.cafevik.fs.fujitsu.com/index.aspx?portal=227

o Data Centre Access: http://www is.fs.fujitsu.com/datacentres/

o Resource Requests: http://toolset1.fs.fujitsu.com/InternalRequests.asp


Documentation of RMGA's own policies, processes and procedures is held on Dimensions and follows the guidance given in SVM/SEC/POL/0003 RMGA Information Security Policy and SVM/SDM/POL/0027 RMGA Access Control Policy.

This document is therefore solely a set of guidelines concerned with the way that RMGA administers those people who join, move, or leave its account.

References to all technical details of how this is managed are given in the document list included in section 0.4 of this document.

1.2.3 DOORS Requirements

In addition to the requirements placed on RMGA by Post Office Ltd, user management requirements are detailed in DOORS, which holds RMGA's internal management requirements. These can be found in ProjectWeb.


2 Process

2.1 User management

User management within the RMGA is based on the creation and control of a complete list of all personnel who work on or have access to systems on the RMGA. This list is controlled by the CS Security team, and is reviewed and updated on a monthly basis to support any audit that may be carried out, with the following areas considered:

Joiners: On a monthly basis, all team managers notify the CS Security team of all personnel who have joined the RMGA, after each person has gone through the required security checks.

Leavers: On a monthly basis, all team managers notify the CS Security team of anyone who no longer works on the RMGA. For any person who leaves the account, this list is used to check for and remove any access permissions they may have had.

Movers: The CS Security team is informed of anyone who leaves one team and joins another team within the RMGA. For any person who changes their role within the account, the list is used to check that their access permissions are still correct for their new role.


2.2 New Joiners
Figure 2.2 Diagram of User management for new joiners

[Diagram not reproduced in this extraction. Elements legible in the figure: Team Manager; Request for Corporate Security; RMGA Security Portal (http://www.cafevik.fs.fujitsu.com/index.aspx?portal=107); Physical Signature Required; Email to CS Security Operations Mailbox; RMGA CS Security Operations.]

Detailed below are the steps that must be followed prior to an individual who is new to Fujitsu Services joining RMGA.

1. Prior to an individual joining RMGA, a line manager must follow the HR Direct policies and procedures for a new starter. These are found on the Cafevik internal website for Human Resources, http://www.cafevik.fs.fujitsu.com/index.aspx?portal=152, and advice and guidance can be obtained from HR Professional Services.

2. The line manager requesting the new person must ensure that any information passed to HR details clearly the role, the function, and the job details the individual will be undertaking. It must clearly state that the person is working on the RMGA account and provide any forms required to HR and Group Security for reference checking. Details of any forms required for security vetting are held on http://www.cafevik.fs.fujitsu.com/index.aspx?portal=107.

3. HR will pass the forms detailing security checks to Group Security, who will ensure that the individual has the Fujitsu Services basic checks and, because the individual is working on the RMGA account, the account-specific creditworthiness and Criminal Record checks. (N.B. if the individual is to work on any Government-related Post Office Ltd functions there may be a requirement for additional checks, and this will need to be stated by the line manager to HR.)


4. The line manager will receive details back from HR confirming whether the individual is accepted or rejected in this role.

5. If the individual is rejected then the HR procedures detailed at http://www.cafevik.fs.fujitsu.com/index.aspx?portal=152 will be followed, and advice to the line manager can again be obtained from HR Professional Services.

6. If the individual is accepted into this role and requires access to the RMGA live network then the process described in SVM/SEC/PRO/006 “RMGA APPLICATION FOR ACCESS TO THE LIVE NETWORK” is followed and the form in Annex A is sent by the line manager to the Operational Security mailbox, CSPOA Security.

7. Guidance as to the roles available and their functionality on the live network is detailed in DES/SEC/HLD/0004 HNG-X Authorization High Level Design and devgenspg0012 Active Directory Support Guide.

8. Details of this user and their role are then compared to the role definitions detailed in DES/SEC/HLD/0004 and, provided they are documented there, Operational Security will approve the individual's acceptance into the live network.

9. Operational Security will maintain a record of all users that have been approved, with their roles and clearance levels, and review this regularly.

10. The operational management of user access to the live systems is controlled under Operational Level Agreements with FS SoP in Northern Ireland and is subject to the OLA agreements for Data Centres, SDM/SDM/OLA/0014, and for NT and Unix, SDM/SDM/OLA/0015; users will then be set up using their procedures.

11. If users do not require access to the live network but do require other FS support systems for RMGA, e.g. Dimensions, DOORS, HP OpenView, PEAK or Operational Change systems, then it is the responsibility of the team manager managing this function to ensure that processes, procedures and work instructions are in place for the acceptance, change and removal of users from these systems. They must also ensure that the criteria for ISO 27001 compliance are available for RMGA audit.

12. In addition, Operational Security will notify Group Property and Facilities Management, http://www.cafevik.fs.fujitsu.com/index.aspx?portal=106, to ensure that their access to dedicated RMGA locations is approved.

2.3 Movers

In addition to individuals who join RMGA as new staff in Fujitsu Services, there are cases where people with key skills are brought onto the account to perform specific specialist functions. Such staff may be a contractor employed by Post Office Ltd, a third party employed by Fujitsu, or an individual who belongs to another area of Fujitsu. This applies particularly to the Post Office Ltd Joint Test Team, and to individuals brought into the account from the Architecture and Design practices.

In addition, individuals may change roles within the RMGA account, and therefore their access will need to be reviewed.

Figure 2.3 Diagram of User management for movers

[Diagram not reproduced in this extraction. Elements legible in the figure: Human Resources; Team Manager; HR Server; "User record amended on HR system"; RMGA Security Portal (http://www.cafevik.fs.fujitsu.com/index.aspx?portal=107); Physical Signature; Email to CS Security Operations Mailbox; RMGA CS Security Operations; Domain.]

1. If a specialist is to be brought into the account then line managers will obtain approval through RMGA's change management system to obtain the specialist resource by raising a Change Proposal as defined in PA/PRO/0001 Change Management Process.

2. Line managers will then apply for a RIO or Eric according to FS procedures, as detailed on Cafevik at http://toolset1.fs.fujitsu.com/InternalRequests.asp, and follow the corporate procedures.

3. The line manager must advise HR that these individuals are transferring into the account and provide the Eric and RIO references and the date that these individuals moved roles. The procedures for these new RMGA staff are on the Cafevik internal website for Human Resources, http://www.cafevik.fs.fujitsu.com/index.aspx?portal=152, and advice and guidance can be obtained from HR Professional Services.

4. For any change of role, the line manager requesting the transferred person must ensure that any information passed to HR details clearly the role, the function, and the job details the individual will be undertaking. It must clearly state that the person is working on the RMGA account and provide any forms required to HR and Group Security for reference checking. Details of any forms required for security vetting are held on http://www.cafevik.fs.fujitsu.com/index.aspx?portal=107.

5. HR will pass the forms detailing security checks to Group Security, who will ensure that the individual has the Fujitsu Services basic checks and, because the individual is working on the RMGA account, the account-specific creditworthiness and Criminal Record checks. (N.B. if the individual is to work on any Government-related Post Office Ltd functions there may be a requirement for additional checks, and this will need to be stated by the line manager to HR.) If these checks have already been undertaken, as for an internal transfer, then this step may be skipped.

6. The line manager will receive details back from HR confirming whether the individual is accepted or rejected in this role.

7. If the individual is rejected then the HR procedures detailed at http://www.cafevik.fs.fujitsu.com/index.aspx?portal=152 will be followed, and advice to the line manager can again be obtained from HR Professional Services.

8. If the individual is not employed by RMGA directly then they need to sign an NDA that requires them to keep all information that they gather whilst on the account confidential; it must not go outside the account without the specific permission of the RMGA CISO.

9. If the individual is accepted into this role and requires access to the RMGA live network then the process described in SVM/SEC/PRO/006 “RMGA APPLICATION FOR ACCESS TO THE LIVE NETWORK” is followed and the form in Annex A is sent by the line manager to the Operational Security mailbox, CSPOA Security.

10. Guidance as to the roles available and their functionality on the live network is detailed in DES/SEC/HLD/0004 HNG-X Authorization High Level Design and devgenspg0012 Active Directory Support Guide.

11. Details of this user and their role are then compared to the role definitions detailed in DES/SEC/HLD/0004 and, provided they are documented there, Operational Security will approve the individual's acceptance into the live network.

12. Operational Security will maintain a record of all users that have been approved, with their roles and clearance levels, and review this regularly.

13. The operational management of user access to the live systems is controlled under Operational Level Agreements with FS SoP in Northern Ireland and is subject to the OLA agreements for Data Centres, SDM/SDM/OLA/0014, and for NT and Unix, SDM/SDM/OLA/0015; users will then be set up using their procedures.

14. RMGA Operational Security will be notified by the operational management team, via the CSPOA Security mailbox, when this has occurred and will update their records.


15. If users have access to the live network but other FS support systems for RMGA, e.g. Dimensions, DOORS, HP OpenView, PEAK or Operational Change systems, then it is the responsibility of the team manager managing this function to ensure that processes, procedures and work instructions are in place for the acceptance, change and removal of users from these systems. They must also ensure that the criteria for ISO 27001 compliance are available for RMGA audit.

16. In addition, Operational Security will notify Group Property and Facilities Management, http://www.cafevik.fs.fujitsu.com/index.aspx?portal=106, to ensure that their access to dedicated RMGA locations is approved.

2.4 Leavers
Figure 2.4 Diagram of User management for leavers

[Diagram not reproduced in this extraction. Elements legible in the figure: Team Manager; HR Server; Physical Signature; Email to CS Security Operations Mailbox.]
1. Line managers are required to notify Human Resources of an individual leaving the RMGA account.

2. There are three types of leavers:
   a. Those whose assignment within RMGA has been completed
   b. Those who are leaving RMGA and moving to another part of Fujitsu Services
   c. Those leaving Fujitsu Services completely.

3. For those individuals who fall into categories a and b above, the process is the same.

a. RMGA Operational Security must be notified by the individual's line manager, via the CSPOA Security mailbox, that the individual has left.

b. RMGA Operational Security must record the fact that the individual has left, the date of leaving and the name of the manager informing them.

c. If access to live systems has been granted, then RMGA Operational Security will advise the Operational Management teams, via a revocation of rights form, that this user is no longer to be granted access to the live network.

d. The operational management of user access to the live systems is controlled under Operational Level Agreements with FS SoP in Northern Ireland and is subject to the OLA agreements for Data Centres, SDM/SDM/OLA/0014, and for NT and Unix, SDM/SDM/OLA/0015; users will then be deactivated using those procedures.

e. RMGA Operational Security will be notified by the operational management team, via the CSPOA Security mailbox, when this has occurred and will update their records.

f. The line manager must notify the team management of any support systems that this individual has access to on RMGA's behalf, e.g. Dimensions, DOORS, HP OpenView, PEAK, Operational Change systems. It is then the responsibility of the team manager managing this function to ensure that processes, procedures and work instructions are in place for the removal of users from these systems. They must also ensure that the criteria for ISO 27001 compliance are available for RMGA audit.

g. In addition, Operational Security will notify Group Property and Facilities Management, http://www.cafevik.fs.fujitsu.com/index.aspx?portal=106, to ensure that their access to dedicated RMGA locations is removed.

h. The line manager must also ensure that any dedicated RMGA assets used by this individual are returned to RMGA.

4. For those individuals who are leaving Fujitsu Services completely, the RMGA line manager must follow the HR Direct policies and procedures for a termination. These are found on the Cafevik internal website for Human Resources, http://www.cafevik.fs.fujitsu.com/index.aspx?portal=152, and advice and guidance can be obtained from HR Professional Services.

5. The line manager must ensure that any information passed to HR details clearly the role, the function, and the job details that the individual is leaving. It must clearly state that the person was working on the RMGA account and provide any forms required by Group Property and Facilities Management, http://www.cafevik.fs.fujitsu.com/index.aspx?portal=106, to ensure that their access to dedicated RMGA locations is removed.

6. The line manager must also notify the Equipment Management Services team, http://www.cafevik.fs.fujitsu.com/index.aspx?portal=105, so that any FS resources are recovered.


2.5 Review

1. Line Managers will review the access rights they have allocated to individuals and have evidence
they have done so.

2. Operational Security will audit access rights and roles with each functional area regularly and
have evidence it has done so.

3. Operational Level Agreements will be in place for all non-RMGA functions of FS involved in this
process and these will be reviewed annually.

4. Operational Level agreements will include the requirement to report on joiners, movers and
leavers to RMGA Operational Security monthly.

5. Senior management will review every six months any risks relating to third parties and other areas of FS brought onto the RMGA.
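The monthly joiner/mover/leaver reconciliation that section 2.1 describes, and the review evidence that section 2.5 requires, are shown below as an added example; it is not part of SVM/SEC/PRO/0012 and does not represent any Fujitsu or RMGA tooling. It assumes that the record of approved users kept by Operational Security (section 2.2, step 9) and a list of accounts actually present on the managed systems can both be exported as simple records; every user ID, role, system name and date in the block is constructed sample data. The check reports the discrepancies an auditor would ask about under section 2.6: leavers whose accounts still exist, accounts with no approval record, movers whose account role no longer matches the approved role, and accounts on systems the approved role does not cover.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Added example, not part of SVM/SEC/PRO/0012 or of any Fujitsu/RMGA tooling.
# It assumes both inputs can be exported as simple records; every user, role,
# system and date below is constructed sample data.


@dataclass(frozen=True)
class ApprovedUser:
    """One entry in the record of approved users kept by Operational Security."""
    user_id: str
    role: str                       # role approved for the live network
    systems: FrozenSet[str]         # systems that the approved role entitles the user to
    left_on: Optional[date] = None  # date of leaving, once a leaver notification is recorded


@dataclass(frozen=True)
class Account:
    """An account as actually found on a managed system."""
    user_id: str
    system: str
    role: str                       # role the account currently holds on that system


Finding = Tuple[str, ...]


def reconcile(approved: List[ApprovedUser], accounts: List[Account],
              review_date: date) -> Dict[str, List[Finding]]:
    """Compare live accounts with the approved-user record and collect discrepancies.

    leaver_with_access  account still exists although the user left on or before review_date
    unapproved_account  account with no entry at all in the approved-user record
    role_mismatch       account role differs from the approved role (a mover not yet updated)
    unentitled_system   account on a system the approved role does not cover
    """
    by_id = {u.user_id: u for u in approved}
    findings: Dict[str, List[Finding]] = {
        "leaver_with_access": [], "unapproved_account": [],
        "role_mismatch": [], "unentitled_system": [],
    }
    for acct in accounts:
        user = by_id.get(acct.user_id)
        if user is None:
            findings["unapproved_account"].append((acct.user_id, acct.system))
            continue
        if user.left_on is not None and user.left_on <= review_date:
            findings["leaver_with_access"].append((acct.user_id, acct.system))
            continue  # nothing else matters once the account should be gone
        if acct.system not in user.systems:
            findings["unentitled_system"].append((acct.user_id, acct.system))
        if acct.role != user.role:
            findings["role_mismatch"].append(
                (acct.user_id, acct.system, acct.role, user.role))
    return findings


def review_record(findings: Dict[str, List[Finding]], review_date: date,
                  reviewer: str) -> List[str]:
    """Render the findings as dated lines that can be retained as review evidence."""
    lines = [f"Access review {review_date.isoformat()} by {reviewer}"]
    total = 0
    for kind, items in findings.items():
        for item in items:
            total += 1
            lines.append(f"  {kind}: " + " ".join(item))
    lines.append(f"  total findings: {total}")
    return lines


# Constructed sample inputs: an approved-user record and an account export.
APPROVED = [
    ApprovedUser("asmith", "ops-support", frozenset({"live-nt", "live-unix"})),
    ApprovedUser("bjones", "reference-data", frozenset({"live-nt"})),
    ApprovedUser("cbrown", "ops-support", frozenset({"live-nt"}),
                 left_on=date(2009, 6, 30)),          # leaver notified
]
ACCOUNTS = [
    Account("asmith", "live-nt", "ops-support"),
    Account("asmith", "live-unix", "ops-support"),
    Account("bjones", "live-nt", "ops-support"),       # moved role, account not updated
    Account("cbrown", "live-nt", "ops-support"),       # leaver whose account survived
    Account("dgreen", "live-unix", "ops-support"),     # no approval record at all
    Account("bjones", "live-unix", "reference-data"),  # system outside the approved role
]
REVIEW_DATE = date(2009, 7, 27)


def sample_findings() -> Dict[str, List[Finding]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(APPROVED, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for line in review_record(sample_findings(), REVIEW_DATE, "Operational Security"):
        print(line)
```

Running the block prints a dated review record listing each finding, which is the kind of evidence section 2.5 requires line managers and Operational Security to retain. In practice the two inputs would be exported from the approved-user record and from each system's account directory, and each finding would be fed back through the revocation-of-rights route in section 2.4 or the role re-check in section 2.1.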


2.6 Audit

All areas involved in the provision of this joiners, movers and leavers process must have records
available to enable RMGA to provide evidence of the following for its ISO 27001 compliance:

1. That any joiners, movers and leavers into RMGA follow a planned process.

2. That only authorised individuals have access to the assets that their role requires.

3. That the access provided is managed, monitored, reviewed and controlled.

3 Appendix A

Table 3 ISO 27001 Controls

| ISO 27001 Section | Control Area | Control Details | Ownership | Framework Area |
| --- | --- | --- | --- | --- |
| 4.2.2b | Implement and Operate the ISMS | Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities. | RMGA Senior Management Team | Management Review and Monitoring |
| 4.3.3 | Control of Records | Records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS. They shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable, and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented. Records shall be kept of the performance of the process as outlined in 4.2 and of all occurrences of significant security incidents related to the ISMS. EXAMPLE: Examples of records are a visitors' book, audit reports and completed access authorization forms. | All Management, FS HR, FS Legal, RMGA Commercial | Management Review and Monitoring |
| 5.1c | Management Commitment | Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by: establishing roles and responsibilities for information security. | RMGA Senior Management | Management Review and Monitoring |
| A6.1.2 | Information security co-ordination | Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions. | CISO, HR | Management Review and Monitoring |
| A6.2 | External Parties | To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties. | CISO, Information Governance, FS Legal, FS Commercial, Architecture and Design, Security Operations | Control |
| A6.2.1 | Identification of risks related to external parties | The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access. | CISO, Information Governance, FS Legal, FS Commercial, Architecture and Design | Control |
| A6.2.2 | Addressing security when dealing with customers | All identified security requirements shall be addressed before giving customers access to the organization's information or assets. | CISO, Information Governance, FS Legal, FS Commercial, Architecture and Design, Security Operations | Control |
| A6.2.3 | Addressing security in third party agreements | Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements. | CISO, Information Governance, FS Legal, FS Commercial, Architecture and Design, Security Operations | Control |
| A8.1 | Human resources: Prior to Employment | To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. | CISO, Human Resources, Information Governance | People |
| A8.1.1 | Roles and responsibilities | Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization's information security policy. | RMGA Senior Management, Line managers, FS HR | People |
| A8.1.2 | Screening | Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. | FS HR | People |
| A8.1.3 | Terms and conditions of employment | As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization's responsibilities for information security. | FS HR | People |
| A8.2 | During Employment | To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. | FS HR, CISO, Information Governance, Line Managers | People |
| A8.2.1 | Management responsibilities | Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization. | Senior management, Line managers | Control |
| A8.2.2 | Information security awareness, education and training | All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. | CISO, Information Governance | People |
| A8.3 | Termination or change of employment | To ensure that employees, contractors, and third party users exit an organization or change employment in an orderly manner. | FS HR, Line managers | People |
| A8.3.2 | Return of Assets | All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract, or agreement. | FS HR, Line Managers | Operational |
| A8.3.3 | Removal of access rights | The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract, or agreement, or adjusted upon change. | Line managers, Operational Security | Operational |
| A9.1 | Secure areas | To prevent unauthorized physical access, damage and interference to the organization's premises and information. | FS Facilities Management | Infrastructure |
| A9.1.2 | Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | FS Facilities Management | Infrastructure |
| A9.1.6 | Public access, delivery and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | FS Facilities Management | Infrastructure |
| A9.2.1 | Equipment siting and protection | Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | FS Facilities Management | Infrastructure |
| A10.1.1 | Documented operating procedures | Operating procedures shall be documented, maintained, and made available to all users who need them. | Line managers, Operational Security | Control |
| A10.1.4 | Separation of development, test and operational facilities | Development, test, and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system. | Architecture and Design, Change Management, Test | Infrastructure |
| A10.4.1 | Controls against malicious code | Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented. | Information Governance | Control |
| A10.7.4 | Security of system documentation | System documentation shall be protected against unauthorized access. | Document Management | People |
| A10.8.3 | Physical media in transit | Media containing information shall be protected against unauthorized access, misuse, or corruption during transportation beyond an organization's physical boundaries. | Line managers, Operational Security | Control |
| A10.10.1 | Audit logging | Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. | Line Managers, Help Desk, Operational Security | Management Review and Monitoring |
| A10.10.3 | Protection of log information | Logging facilities and log information shall be protected against tampering and unauthorized access. | Architecture and Design, Line managers, Operational Security | Management Review and Monitoring |
| A11 | Access control | | All | Control |
| A11.1 | Business requirement for access control | To control access to information. | Senior Management, Line Managers | Control |
| A11.1.1 | Access control policy | An access control policy shall be established, documented, and reviewed based on business and security requirements for access. | Information Governance | Control |
| A11.2 | User access management | | | Management Review and Monitoring |
| A11.2.1 | User Registration | There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services. | Line Managers, Operational Security | Operational |
| A11.2.3 | User password management | The allocation of passwords shall be controlled through a formal management process. | Line managers, Operational Security | Operational |
| A11.2.4 | Review of user access rights | Management shall review users' access rights at regular intervals using a formal process. | Line Managers, Operational Security, Information Governance | Management Review and Monitoring |
| A11.3 | | To prevent unauthorized user access, and compromise or theft of information and information processing facilities. | | Control |
| A11.3.1 | Password use | Users shall be required to follow good security practices in the selection and use of passwords. | Users, Information Governance | Operational |
| A11.3.2 | Unattended user equipment | Users shall ensure that unattended equipment has appropriate protection. | Users, Information Governance | Operational |
| A11.4.1 | Policy on use of network services | Users shall only be provided with access to the services that they have been specifically authorized to use. | Information Governance | Control |
| A11.4.2 | User authentication for external connections | Appropriate authentication methods shall be used to control access by remote users. | Architecture and Design | Infrastructure |
| A11.4.5 | Segregation in networks | Groups of information services, users, and information systems shall be segregated on networks. | Architecture and Design | Infrastructure |
| A11.4.6 | Network connection control | For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications (see 11.1). | Architecture and Design | Infrastructure |
| A11.5.2 | User identification and authentication | All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user. | Architecture and Design | Infrastructure |
| A11.6.1 | Information access restriction | Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy. | Architecture and Design | Infrastructure |
| A13.1.2 | Reporting Security Weaknesses | All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services. | Everyone | Control |
| A15.1.5 | Prevention of misuse of information processing facilities | Users shall be deterred from using information-processing facilities for unauthorized purposes. | Users | Control |