Asset Protection
ASSETS
Introduction
This section covers the logical access controls provided by software and hardware components.
Lloyds TSB Bank Plc Internal Use Only Doc ref: 686614048.doc
Version 8.0 Issued: June 2005 2 of 19
Uncontrolled copy if printed
ACCESS CONTROL
4.1.2 Unique authenticator plus "user id"
When people access SBS information systems they must identify themselves by means of a unique authenticator, which must be secret, available only to the individual, and must never be printed (except when it is communicated to the person concerned) or displayed on screen. Examples of a unique authenticator are a password, a PIN or a secret code.
People must also use a unique identifier (user id) to distinguish themselves in the system. It need not be secret; examples are initials, an account number, an employee number or a physical item (e.g. a smart card).
4.1.3 Never disclose your password
The unique authenticator (for example, the password) must never be disclosed to a second person, except when:
a) A shared internal e-mail account or electronic diary is used, as specified in 4.2.11.
b) It is disclosed to "help desk" staff who are to carry out authorised maintenance, in which case the password must be changed immediately afterwards.
4.1.4 Ensure the password is not at risk
Each person given access by means of a password must ensure that it is not at risk; if it becomes so, it must be changed immediately and the security administrator informed of the fact.
4.1.6 Passwords must be encrypted for transmission
PINs, passwords and terminal identifiers that are to be transmitted outside secure sites must be protected by encryption (except "one time passwords").
4.2.2 Minimum length
Passwords must have a minimum length of 6 characters, unless a specific application permits fewer (as with PINs) or requires a greater length (W NT). They may contain spaces unless the system treats them as delimiters. **** more items...
4.2.3 Selecting a password
A password must be selected so that it cannot be easily guessed, is not a dictionary word, is not repeated, and others ****
4.2.4 Mandatory password change
The password control system must periodically require users to change their password (internal and external, or only external??****).
4.2.6 Minimum of 5 historical passwords
Password administration must ensure that, when passwords are changed, users cannot reuse any of the last 5 they have used.
Note: Some security standards may require a larger number.
4.2.7 Disable after three failed attempts
User profiles must be disabled after three failed attempts to enter the password.
4.2.9 Do not include passwords in pre-recorded access
When logon data for the network or servers is pre-recorded for faster access, the password must not be included.
4.2.10 Copy of master passwords
The holder of a master password*** must write it on a piece of paper, place it in a sealed, dated, opaque envelope, and keep it in a secure place. It must be held under the control of two persons and be available only to the holder or an authorised delegate.
4.2.11 Use of shared e-mail passwords must be approved
Passwords that allow access only to e-mail accounts or electronic diaries may be shared on internal systems. Where there is external connectivity, shared passwords may be used only for the transfer or storage of Public information (see 3). The sharing or use of departmental e-mail accounts must be authorised by the head of the respective Unit, who will be responsible for security.
4.2.12 Memorable Security Information
The following rules also apply to memorable security information which is used primarily to enable users to reset passwords:
4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.1, 4.2.2, 4.2.3, 4.2.7, 4.2.8, 4.2.9
When using such security information, consideration must be given to ensuring that it is not likely to be known by unauthorised parties, and a combination of at least two from a minimum of three different pieces of memorable information must be required.
This type of password reset mechanism is not appropriate for high value/high integrity data.
4.3.2 Capture who inputs data
Business data captured at the initial point of entry into Group systems must include the identities of all those involved in its input and authorisation.
4.3.3 Dual control
Persons must not hold passwords which would allow them to carry out alone operations which require dual control or would grant them a level of authority to which they are not entitled.
4.3.4 Access only for current tasks
Persons must only be granted access to such data and facilities required for their current tasks, as authorised by their line manager and the relevant Data Owner.
4.3.5 Restrict user access to authorised functions
Systems must have the means to restrict the access of each user to those functions defined by the Data Owner.
4.3.6 Segregation of duties
Access control systems must have the facility to enforce segregation of duties.
4.3.7 No user activity
When a user is logged-on, and there has been no user activity for a predetermined period of time, and the system is capable of terminating the session gracefully without requiring user intervention, the system must terminate the session and log the user off. The period of time will be determined by the Data Owner and be based on the required security for the data being accessed and the application concerned.
4.4 Protection Against Unauthorised Access
4.4.1 Detect, deny and report unauthorised access
Systems must detect and deny access by unauthorised personnel or systems, as well as detect misuse of computer facilities, record such attempts, and report them promptly for thorough investigation, in line with the process defined by the Data Owner.
4.4.2 Retain reports for Group Audit
Audit trails of unauthorised access attempts must be retained for one year for review by Group Audit together with the results of any investigations undertaken.
4.4.3 Unauthorised logon warning
Sign-on screens must contain minimal information and not invite users to log-on. They must inform potential users that they afford access to private computer systems and data, and that only authorised people should proceed.
Note: See the Information Security Standard: Computer Misuse Act for the recommended wording applicable in the UK. For those outside the UK refer to local IT legal representatives.
4.4.4 Printers and fax machines
Senders of high integrity or highly confidential data must ensure that any receiving printer or facsimile machine (fax) is either situated in a locked room or is attended only by persons specifically authorised to receive such messages.
DATA MANAGEMENT ROLES
4.5.1 Owner designation
Ownership rests with a business/operational unit and the Data Owner (an identified job holder) must be designated by that unit. For data assessed to be Highly Confidential or requiring High Integrity and/or High Availability, the owner must be of management status.
4.5.2 Prime responsibility for data
The Data Owner has primary responsibility for the data, must assess the value and risks of the data to the Group (See ITEC 3), determine and define the required levels of control and access restrictions, ensure adequate monitoring of access is implemented by the Security Administrator, and define archiving requirements.
4.5.3 Conformance to policies, rules & legislation
Data Owners must ensure their activities conform to Group and business unit policies, rules and local legislation.
4.5.4 Appoint custodian
The Data Owner must appoint a custodian for the data who must be the manager of the unit which provides information technology services for owners or maintains physical custody of computer based information for them.
4.5.5 Appoint Security Administrator
The Data Owner must appoint a Security Administrator. The Security Administrator must not have responsibility for the development or operation of systems managed.
4.5.6 Delegation of Data Owner duties
Data Owners may delegate their duties to a suitable person. Where the data on the system has been assessed to be higher than either Confidential or Low Integrity, this Data Owner delegate must not have computer operational or development duties.
4.5.7 May assume role of Data Custodian
Data Owners may assume the role of Data Custodian providing the data on the system is not assessed to be higher than Confidential or Low Integrity or Low Availability.
Document and advise V&RA, controls and roles
a) The Data Custodian, Security Administrator, and Users of the Value and Risk Assessment classifications of the data.
b) The Data Custodian and Security Administrator of the levels of controls, access restrictions, and availability required over the data.
c) The allocation of duties of the Data Owner / Data Custodian / Security Administrator and User.
d) The Data Custodian, Security Administrator and Users of any specified retention periods for stored information in accordance with business, legal or regulatory requirements.
e) The Data Custodian and Security Administrator of the requirements for the creation and management of event logs as specified in the Information Security Standard: Auditing & Monitoring.
4.5.9 Ownership re data transfer
Where data is passed from one area of the Group to another, ownership of the data may also be transferred, with the mutual agreement of the previous and new owners. The receiving owner must ensure that the result of the subsequent value and risk assessment of the data is not lower than the previous assessment, except with the consent of the previous owner.
4.6 Role of Data Custodian
4.6.1 Provide safeguards
The Data Custodian must provide physical and procedural safeguards for the use, storage and transfer (within and outside the Group) of the information.
4.6.2 Control & availability
The Data Custodian must provide the level of control and availability specified by the owner.
4.7.1 Ensure access requests are authorised
The Security Administrator or delegate must ensure that all requests for the provision of access to a computer system are appropriately authorised in accordance with the instructions of the Data Owner. All requests must be retained for review by Group Audit.
4.7.2 Facility in systems to control and review users
Systems must have the facility to provide the Security Administrator with sufficient information to enable the administrator or delegate to control and review authorised users and their permitted functions. Reviews must be at least weekly for systems processing data assessed to require High Integrity or High Availability, monthly for other systems, and immediately following changes in user personnel and/or existing users’ permitted functions.
4.7.3 Provision of access facilities
Provision of access facilities to permitted functions must be carried out by the Security Administrator, who must not have computer development or operational duties. Access to those permitted functions processing data assessed to be Highly Confidential and/or requiring High Integrity or High Availability must be granted under the dual control of delegates of the Security Administrator and/or audited. The Security Administrator may be one of the delegates.
4.7.4 Passwords passed securely
The Security Administrator must ensure the password is passed to the recipient in a secure manner.
4.7.5 Review, retain daily audit trail
An audit trail of privilege access allocations must be produced daily for review by the Security Administrator or delegate and retained for review by Group Audit.
PRIVILEGED & RESTRICTED ACCESS
4.8 Control of Highly Confidential Data (e.g. Passwords)
4.10.1 Access to live data
Development & Support personnel may not have access to live data and software, current or historical, except under exceptional circumstances and with the written consent of the Data Owner or delegate. Procedures for retrospective authorisation not later than the next working day are permitted. Such accesses must be recorded, either automatically by the operating system (or by use of an authorised third-party product), or where that is not possible, clerically, with full details of the circumstances and the action taken. Where "read" access is required on a permanent basis, approval must be obtained from the Data Owner (see also ITEC 6.9).
4.10.2 Copied live data de-sensitised
Copies of live data, required for system testing, may only be taken with the written permission of the Data Owner and the Data Custodian, or their delegates. The copied data must be de-sensitised, or it must only be accessible to authorised Group staff and contractors. Printed output from it must be kept or destroyed in accordance with the requirements defined by the Data Custodian (see also 6.4.2).
4.10.3 Emergency support
Where access to privileged functions, live data or software has been granted temporarily to support personnel to provide emergency support, such access must be withdrawn immediately following completion of the support task.
4.10.4 Updates to live data only by authorised support
Emergency amendments to live data and software may only be performed by authorised support and from an approved secure location, only after copies have been taken, and with the consent of the Data Owner or delegate. Where data has been amended, user departments must subsequently ensure the correctness and completeness of all data processed.
4.11.1 Must not initiate new data
The introduction of new or amended business input data, transactions and master files is not permitted into the live operational environment.
4.11.2 Normal daily duties only
Operators must be restricted to those tasks, facilities and utilities that their normal daily duties require, except in exceptional circumstances, e.g. system or software failure. In such circumstances, any variation must be logged, preferably automatically, and reviewed by management.
4.11.3 No all-powerful utilities or privilege access
Utilities and privileged access which provide the means to make uncontrolled changes to data on the system must not be available to system operators.
4.12 Protection of Data Off Group Premises
4.12.1 Assess the level of protection required
Any Group data to be used off Group premises must be protected with due regard to its degree of sensitivity; or, the value of and risks to the information must be assessed to determine the level of protection the data merits (see also ITEC 2.10).
Note: Data Owners may decide that customer or Group information in transit should be protected over and above the minimum security controls required by ITEC, e.g. through encryption or additional physical controls.
4.12.2 All aware of controls
All persons using the data off Group premises must be aware of its classification and the level of control required to be exercised, and comply with those requirements.
REMOTE ACCESS
4.13.2 Flexible Working
Staff and contractors may use a Group PC to carry out their normal work remotely in environments not controlled by the Group, using a PC connected to Group IT facilities, i.e. Teleworking, or using a PC in a Stand-alone environment.
4.13.3 Group IT facilities must be used
The PC and peripherals must be provided by the Group for Teleworking, Home Working or Mobile Working. Remote Application Development is only permitted in a Home Working environment.
4.14.2 Remote supplier access from untrusted sites
Remote Supplier Access to Group IT facilities is only permitted from untrusted sites (including when the supplier is mobile) for:
a) application and System Software Support.
b) access to Group internal e-mail systems.
4.15.2 Restrictions on remote support equipment used by staff
Only equipment owned and controlled by the Group may be used by staff and contractors for Remote Support.
The use of all equipment for Remote Support will continue to be subject to the Group’s and business unit’s rules.
4.15.3 No capability to upload live data
Where the equipment used for Remote Support is not sited on Group premises, it must not have the capability to upload/download live data/software to/from the host environment.
4.15.4 Audit of remote support activities
All Remote Support activity involving access to live system/application data and software must be fully audited and subject to independent review no later than 10:00 hours the following working day where the support had UPDATE capability and 17:00 hours for READ ONLY capability (see also ITEC 4.10.1).
4.15.5 Inventories
Inventories must be kept of all equipment and software issued to staff performing Remote Support duties.
4.15.6 Authorisation process for remote workers
As part of the process for authorising Remote Working from a pre-determined authorised site, including a staff/contractor home, checks must be made to ensure that the site meets all relevant legislation and Group requirements (e.g. Human Resources, occupational health and safety, insurance, security and support). Reasonable access to the premises must therefore be permitted to relevant managers, in accordance with local legislation.
AUTHENTICATION & CRYPTOGRAPHY
4.16.1 Information Security Standard
All integrity and message authentication techniques must comply with the Information Security Standard: Integrity and Message Origin Authentication.
4.16.3 Audit trail of all High Integrity messages
Group systems used for the transmission of High Integrity messages across internal and external networks must have the capability of recording all messages sent and received. A record of all messages must be written on archivable media in chronological order showing the date and time sent/received. Continuity must be demonstrated on the media.
4.16.5 High Integrity value messages must be reviewed daily
All High Integrity value messages must be reviewed on a daily basis by an independent member of management or an authorised deputy, in the business location originating or in receipt of the transaction. Special attention should be given to all outward High Integrity value messages, which must be checked to ensure that they are bona fide. The review must be completed on the day on which the value messages were sent. Exceptionally and only when there is heavy or very late traffic, the review may be completed the following morning but by no later than 10.00 hrs.
4.16.6 Retain log of all value messages
A log must be kept of all High Integrity value messages received showing date and time of receipt. This may be in the form of copies of all High Integrity value messages. When such messages are manually distributed, the recipient must acknowledge receipt on the log or on the message copy constituting the log.
4.17 Security of Cryptographic Keys
4.17.4 Encrypt if not locked away
Where authenticator key information is stored on integral hard disks that cannot be removed from the equipment when not required and locked away, it must be encrypted.
4.17.5 Replace keys if compromised
Where those responsible for the custody or use of authenticator keys suspect that the integrity of the keys may have been compromised, the keys must be immediately cancelled and replaced.
4.17.6 Process for key replacement
There must be documented procedures in place for the cancellation and replacement of authenticator keys.