Examples of Controls for CCSL v1.0

Objective

The objective of this document is to complement the information shown on the CCSL website with further information on some of the controls, as required in question 8 of part 2.

Contents

Objective ..... 2
Example 1 – Rating definitions ..... 2
Example 2 – Third-party processing [TPP] ..... 3
Example 3 – Compliance [CO] ..... 5

Example 1 – Rating definitions

Criteria analyzed by the rating methodology are divided into the following (14) chapters:

• Information security Management Program
• Systems Operation
• Personnel Security
• Facility Security
• Third-party processing
• Resilience
• Compliance
• Malware protection
• Network controls
• Monitoring
• Access control
• Secure development
• Incident handling
• Cryptography

CONFIDENTIAL

Page 2

Every chapter is further divided into a variable number of elements that are considered when evaluating the rating of that chapter. For each element, the methodology states the conditions that must be met to achieve each level. The conditions are cumulative: to achieve rating B, the conditions for ratings E, D and C must also be met.

Rating levels are aggregated with the minimum rule: when aggregating, the result is the minimum of the levels achieved in each element or chapter. A service may therefore have different ratings for different chapters of its infrastructure, but the service's overall rating is equal to the lowest rating across all chapters. Thus, a service that is rated B for all chapters except Systems Operation, where it is rated C, is rated C overall. The overall rating for the data center is based on its weakest component.

Chapters are also divided into the following categories:

• Common security measures
• Security measures regarding confidentiality
• Security measures regarding integrity
• Security measures regarding availability

As mentioned before, the final rating level is composed of three letters, one for each security dimension. The letter for each dimension is the minimum of the levels obtained for the common security measures and for the measures specific to that dimension.
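As an added example (not part of the CCSL document), the rating rules above in Python: cumulative levels per element, minimum aggregation across elements and chapters, and a three-letter result per security dimension. The sample input is constructed and its element names are placeholders, not CCSL control identifiers.

```python
# Added example (not from the CCSL document): the rating rules of Example 1.
# Levels run E < D < C < B < A and are cumulative; aggregation is the minimum;
# the final rating is one letter per dimension, each the minimum of the common
# measures and that dimension's specific measures.
LEVELS = ["E", "D", "C", "B", "A"]   # weakest to strongest
DIMENSIONS = ("confidentiality", "integrity", "availability")

def element_level(conditions):
    """conditions: {level: all of that level's conditions met?}.
    Assumption: E is the floor. Conditions are cumulative, so the climb stops
    at the first level whose conditions fail (B met but C failed still gives D)."""
    achieved = "E"
    for level in LEVELS[1:]:
        if not conditions.get(level, False):
            break
        achieved = level
    return achieved

def aggregate(levels):
    """Minimum rule: the weakest element or chapter sets the result."""
    return min(levels, key=LEVELS.index)

def rate_chapter(chapter):
    """chapter: {category: {element: conditions}} -> {dimension: letter}.
    Assumption: a dimension with no common or specific elements is left unrated."""
    common = [element_level(c) for c in chapter.get("common", {}).values()]
    rating = {}
    for dim in DIMENSIONS:
        levels = common + [element_level(c) for c in chapter.get(dim, {}).values()]
        if levels:
            rating[dim] = aggregate(levels)
    return rating

def rate_service(chapters):
    """Overall letter per dimension is the minimum across chapters; returns the
    three-letter string (confidentiality, integrity, availability) and detail."""
    detail = {name: rate_chapter(ch) for name, ch in chapters.items()}
    overall = {d: aggregate([r[d] for r in detail.values() if d in r])
               for d in DIMENSIONS}
    return "".join(overall[d] for d in DIMENSIONS), detail

SAMPLE = {  # constructed input; element names are placeholders, not CCSL ids
    "Third-party processing": {
        "common": {"e1": {"D": True, "C": True, "B": True, "A": False}},
        "availability": {"e2": {"D": True, "C": True, "B": True, "A": True}}},
    "Systems Operation": {
        "common": {"e3": {"D": True, "C": True, "B": True, "A": False}},
        # B's conditions hold but C's do not: cumulative rule keeps this at D
        "confidentiality": {"e4": {"D": True, "C": False, "B": True}}}}
```

For the sample, rate_service(SAMPLE) yields "DBB": the single D element under Systems Operation drags the confidentiality letter down for the whole service, exactly the weakest-component behaviour the text describes.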

Example 2 – Third-party processing [TPP]

Safeguard / process / control: [TPP.2] Supply-chain assurance

Rating E
(no conditions listed)

Rating D
• Maintain a list of service providers.
• All relations with third parties are regulated by contracts.
• Network and infrastructure service level agreements clearly document security controls, capacity and service levels, and business or customer requirements.
• Providers engaged have at least a 'D' rating.

Rating C
• Risk factors arising from third-party subcontracting are identified, and controls are implemented when needed.
• Third-party agreements that directly or indirectly impact the organization's information assets or data include explicit coverage of all relevant security requirements.
• Established process for engaging service providers, including proper due diligence prior to engagement.
• SLA provisions (including security aspects) are guaranteed by outsourcers.
• SLAs with clients are clearly stated, and independent tools are provided for use to monitor SLA compliance.
• Management interface is secure and monitored.
• Providers engaged have at least a 'C' rating.

Rating B
• Program in place to monitor service provider adherence to vendor guidelines.
• Inter-organizational agreements and procedures with entities involved in the supply chain to provide notification of supply chain compromises.
• Disclosure of the service provider's subcontractors who are vital for providing the services.
• Providers engaged have at least a 'B' rating.

Rating A
• Use of all-source intelligence to analyze potential suppliers.
• Critical providers are redundant.
• Transparency as to which interventions the service provider or third parties are allowed in the customer's data and processes.
• Providers engaged have an 'A' rating.


Example 3 – Compliance [CO]

Safeguard / process / control: [CO.2] With security policies and standards, and technical compliance

Rating E
(no conditions listed)

Rating D
(no conditions listed)

Rating C
• Managers ensure that all security procedures within their area of responsibility are carried out correctly.
• Results of reviews and corrective actions are recorded and maintained.
• IS are annually checked (pentest) for compliance with security implementation standards.

Rating B
• There is an annual program of review of security controls.
• IS are annually checked for compliance with security implementation standards, and after any change.
• Technical compliance checks are carried out by a competent, authorized, independent person/team.

Rating A
• There are online facilities implemented to monitor adherence to security policies and standards.
• IS are continually checked for compliance with security implementation standards.

Safeguard / process / control: [CO.3] Compliance audit

Rating E
(no conditions listed)

Rating D
• There is an audit plan agreed to minimize the risk of disruptions to business processes.

Rating C
• An Audit Plan is annually executed.

Rating B
• The person/team carrying out the audit is independent of the activities audited.

Rating A
• The person/team members carrying out the audit are accredited (CISA), and audits are conducted according to general standards, like ISACA ITAF.