
POL- 4 – PROTECTION OF INFORMATION AND OTHER ASSETS

Introduction

All information assessed by its owner as having a classification higher than “Public”, “Low Integrity” or “Low Availability” must be protected by all reasonable means against the effects of error or negligence, malicious acts, fraud, vandalism or disasters.

This section covers the logical access controls provided by software and hardware components.

Failure to apply the rules in this section could expose the SBS to the following risks:

• Insufficient segregation between user groups.
• Insufficient segregation between development and users.
• Inadequate monitoring and auditing of special user accounts.
• Incorrect authentication of message origin.
• Uncontrolled modifications to data and systems.

Index

POL- 4 – PROTECTION OF INFORMATION AND OTHER ASSETS
Introduction
ACCESS CONTROL
4.1 User Identification
4.2 Password Controls and System Restrictions
4.3 User Access Restrictions
4.4 Protection Against Unauthorised Access
DATA MANAGEMENT ROLES
4.5 Role of Data Owner
4.6 Role of Data Custodian
4.7 Role of Security Administrator
PRIVILEGED & RESTRICTED ACCESS
4.8 Control of Highly Confidential Data (e.g. Passwords)
4.9 [Section removed]
4.10 Additional Restrictions on Development & Support Personnel
4.11 Additional Restrictions on Operations Personnel
4.12 Protection of Data Off Group Premises
REMOTE ACCESS
4.13 Remote Working by Staff and Contractors
4.14 Remote Supplier Access
4.15 Remote Support
AUTHENTICATION & CRYPTOGRAPHY
4.16 Integrity and Message Origin Authentication
4.17 Security of Cryptographic Keys

Lloyds TSB Bank Plc Internal Use Only Doc ref: 686614048.doc
Version 8.0 Issued: June 2005 2 of 19
Uncontrolled copy if printed
ACCESS CONTROL

4.1 User Identification

4.1.1 Ensure accountability
Access to SBS computer systems must be restricted to identified persons so that accountability can be established.

4.1.2 Unique authenticator plus “user id”
When persons access SBS information systems they must identify themselves by means of a unique authenticator, which must be secret, available only to the individual, and never printed (except when it is communicated to the person concerned) or displayed on screen. Examples of a unique authenticator are a password, a PIN or a secret code.

Persons must also use a unique identifier (user id) to distinguish themselves on the system. It need not be secret; examples are initials, an account number, an employee number or a physical item (e.g. a smart card).

Note: In certain circumstances (for example, in a training area or in rapid-response teams) a set of unique identifiers may be allocated to the area, provided that:

• It is approved by the data owner.
• It is agreed with the USI.
• Local management takes full responsibility for any security breaches.
• Local management keeps a log of the identifiers.
• They allow restricted access only.

4.1.3 Never disclose your password
The unique authenticator (for example, the password) must never be disclosed to a second person, except when:
a) A shared internal e-mail account or electronic diary is used, as specified in 4.2.11.
b) It is disclosed to help desk personnel who are to carry out authorised maintenance, in which case the password must be changed immediately afterwards.

4.1.4 Ensure the password is not at risk
Each person given access by means of a password must ensure that it is not at risk; if it is, it must be changed immediately and the Security Administrator informed.

4.1.5 Passwords must be distributed securely
The printing, distribution and activation of passwords for users must be carried out with due security and in accordance with the procedure established for that purpose.

4.1.6 Passwords must be encrypted for transmission
PINs, passwords and terminal identifiers that are to be transmitted outside secure sites must be protected by encryption (except “one time passwords”).

4.2 Password Controls and System Restrictions

4.2.1 Those who use passwords
Those who use a password must keep it known only to themselves and must be able to change it whenever they wish.

4.2.2 Minimum length
Passwords must have a minimum length of 6 characters, unless a specific application allows fewer (as with PINs) or requires a greater length (W NT). They may contain spaces unless the system treats them as delimiters. **** more items...

4.2.3 Password selection
A password must be chosen so that it cannot be guessed easily, is not a dictionary word, is not repeated, and others ****

4.2.4 Mandatory password change
The password control system must periodically require users to change their password (internal and external, or external only??****).

4.2.5 Frequency of password change
Passwords for User, System and Service accounts must be changed in the following circumstances:

When the change must be made

| Event | User Accounts | System Accounts | Service Accounts |
|---|---|---|---|
| If the password has been compromised | Immediately | Immediately | Immediately |
| After routine or emergency maintenance (in accordance with 4.1.3 (b)) | Immediately | Immediately | Not necessary unless the data owner specifies otherwise |
| On issue of temporary or default passwords (1) | Immediately (1) | Immediately | N/A |
| Access to systems whose data is classified as High Confidentiality, High Integrity or High Availability | At least monthly | Not necessary unless the data owner specifies otherwise | Not necessary unless the data owner specifies otherwise |
| Access to systems development | At least monthly | Not necessary unless the data owner specifies otherwise | Not necessary unless the data owner specifies otherwise |
| Access to all other systems | At least quarterly | Not necessary unless the data owner specifies otherwise | Not necessary unless the data owner specifies otherwise |

(1) Where possible, the request to the user to change the temporary password must be generated automatically.

4.2.6 Minimum of 5 historical passwords
Password management must ensure that, when passwords are changed, users cannot reuse any of the last 5 they have used.

Note: Some security standards may require a larger number.

4.2.7 Disable after three failed attempts
User profiles must be disabled after three failed attempts to enter the password.

4.2.8 Disable recording of keyed data
Where workstations are able to record and replay what has been keyed, the replayed data must not include the password. See 4.1.2.

4.2.9 Do not include passwords in pre-recorded log-ons
Where log-on data for the network or for servers is pre-recorded for faster access, the password must not be included.

4.2.10 Copy of master passwords
The holder of a master password*** must write it on a piece of paper, place it in a sealed, dated, opaque envelope and keep it in a secure place. It must be held under the control of two persons and be available only to the holder or an authorised delegate.

4.2.11 Use of shared e-mail passwords must be approved
Passwords that give access only to e-mail accounts or electronic diaries may be shared on internal systems. Where there is external connectivity, shared passwords may be used only for the transfer or storage of Public information (see 3). The sharing or use of departmental e-mail accounts must be authorised by the head of the respective Unit, who will be responsible for security.

4.2.12 Memorable Security Information
The following rules also apply to memorable security information which is used primarily to enable users to reset passwords:

4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.1, 4.2.2, 4.2.3, 4.2.7, 4.2.8, 4.2.9

When using such security information, consideration must be given to ensuring that it is not likely to be known by unauthorised parties, and a combination of at least two from a minimum of three different pieces of memorable information must be required.

This type of password reset mechanism is not appropriate for high value/high integrity data.

4.3 User Access Restrictions


4.3.1 Within pre-defined hours
Access to systems must be within pre-defined hours, specified by the Data Owner. Exceptional access to systems outside of these pre-defined hours must be authorised by the Data Owner.

4.3.2 Capture who inputs data
Business data captured at the initial point of entry into Group systems, must include the identities of all those involved in its input and authorisation.

4.3.3 Dual control
Persons must not hold passwords which would allow them to carry out alone operations which require dual control or would grant them a level of authority to which they are not entitled.

4.3.4 Access only for current tasks
Persons must only be granted access to such data and facilities required for their current tasks, as authorised by their line manager and the relevant Data Owner.

4.3.5 Restrict user access to authorised functions
Systems must have the means to restrict the access of each user to those functions defined by the Data Owner.

4.3.6 Segregation of duties
Access control systems must have the facility to enforce segregation of duties.

4.3.7 No user activity
When a user is logged-on, and there has been no user activity for a predetermined period of time, and the system is capable of terminating the session gracefully without requiring user intervention, the system must terminate the session and log the user off. The period of time will be determined by the Data Owner and be based on the required security for the data being accessed and the application concerned.

4.4 Protection Against Unauthorised Access

4.4.1 Detect, deny and report unauthorised access
Systems must detect and deny access by unauthorised personnel or systems, as well as detect misuse of computer facilities, record such attempts, and report them promptly for thorough investigation, in line with the process defined by the Data Owner.

4.4.2 Retain reports for Group Audit
Audit trails of unauthorised access attempts must be retained for one year for review by Group Audit together with the results of any investigations undertaken.

4.4.3 Unauthorised logon warning
Sign-on screens must contain minimal information and not invite users to log-on. They must inform potential users that they afford access to private computer systems and data, and that only authorised people should proceed.

Note: See the Information Security Standard: Computer Misuse Act for the recommended wording applicable in the UK. For those outside the UK refer to local IT legal representatives.

4.4.4 Printers and fax machines
Senders of high integrity or highly confidential data must ensure that any receiving printer or facsimile machine (fax) is either situated in a locked room or is attended only by persons specifically authorised to receive such messages.

DATA MANAGEMENT ROLES

4.5 Role of Data Owner

4.5.1 Owner designation
Ownership rests with a business/operational unit and the Data Owner (an identified job holder) must be designated by that unit. For data assessed to be Highly Confidential or requiring High Integrity and/or High Availability, the owner must be of management status.

Data processed by a system must be divided into documented groups related to types of business transactions, to assist determination of ownership.

Ownership of groups of data must be decided by the business/operational unit primarily responsible for the development / acquisition of the system creating the data. There must be only one owner of a group of data.

4.5.2 Prime responsibility for data
The Data Owner has primary responsibility for the data, must assess the value and risks of the data to the Group (See ITEC 3), determine and define the required levels of control and access restrictions, ensure adequate monitoring of access is implemented by the Security Administrator, and define archiving requirements.

4.5.3 Conformance to policies, rules & legislation
Data Owners must ensure their activities conform to Group and business unit policies, rules and local legislation.

4.5.4 Appoint custodian
The Data Owner must appoint a custodian for the data who must be the manager of the unit which provides information technology services for owners or maintains physical custody of computer based information for them.

4.5.5 Appoint Security Administrator
The Data Owner must appoint a Security Administrator. The Security Administrator must not have responsibility for the development or operation of systems managed.


4.5.6 Delegation of Data Owner duties
Data Owners may delegate their duties to a suitable person. Where the data on the system has been assessed to be higher than either Confidential or Low Integrity, this Data Owner delegate must not have computer operational or development duties.

4.5.7 May assume role of Data Custodian
Data Owners may assume the role of Data Custodian providing the data on the system is not assessed to be higher than Confidential or Low Integrity or Low Availability.

4.5.8 Document and advise V&RA, controls and roles
The Data Owner must document and advise:

a) The Data Custodian, Security Administrator, and Users of the Value and Risk Assessment classifications of the data.
b) The Data Custodian and Security Administrator of the levels of controls, access restrictions, and availability required over the data.
c) The allocation of duties of the Data Owner / Data Custodian / Security Administrator and User.
d) The Data Custodian, Security Administrator and Users of any specified retention periods for stored information in accordance with business, legal or regulatory requirements.
e) The Data Custodian and Security Administrator of the requirements for the creation and management of event logs as specified in the Information Security Standard: Auditing & Monitoring.

Note: Provided the above requirements are followed there is no difference in legal terms between e-mails stored electronically or as paper records. For e-mails containing customer and/or personal information, a minimum retention period of six years is recommended, unless the Data Owner specifies otherwise. Note that different document retention rules apply to documents which have a legal effect and you should consult Group Compliance and Group Legal if you have any queries in this regard.

4.5.9 Ownership re data transfer
Where data is passed from one area of the Group to another, ownership of the data may also be transferred, with the mutual agreement of the previous and new owners. The receiving owner must ensure that the result of the subsequent value and risk assessment of the data is not lower than the previous assessment, except with the consent of the previous owner.

4.6 Role of Data Custodian

4.6.1 Provide safeguards
The Data Custodian must provide physical and procedural safeguards for the use, storage and transfer (within and outside the Group) of the information.

4.6.2 Control & availability
The Data Custodian must provide the level of control and availability specified by the owner.

4.7 Role of Security Administrator

4.7.1 Ensure access requests are authorised
The Security Administrator or delegate must ensure that all requests for the provision of access to a computer system are appropriately authorised in accordance with the instructions of the Data Owner. All requests must be retained for review by Group Audit.

4.7.2 Facility in systems to control and review users
Systems must have the facility to provide the Security Administrator with sufficient information to enable the administrator or delegate to control and review authorised users and their permitted functions. Reviews must be at least weekly for systems processing data assessed to require High Integrity or High Availability, monthly for other systems, and immediately following changes in user personnel and/or existing users’ permitted functions.

4.7.3 Provision of access facilities
Provision of access facilities to permitted functions must be carried out by the Security Administrator, who must not have computer development or operational duties. Access to those permitted functions processing data assessed to be Highly Confidential and/or requiring High Integrity or High Availability must be granted under the dual control of delegates of the Security Administrator and/or audited. The Security Administrator may be one of the delegates.

4.7.4 Passwords passed securely
The Security Administrator must ensure the password is passed to the recipient in a secure manner.

4.7.5 Review, retain daily audit trail
An audit trail of privilege access allocations must be produced daily for review by the Security Administrator or delegate and retained for review by Group Audit.

Note: See the Information Security Standard: Auditing & Monitoring.

PRIVILEGED & RESTRICTED ACCESS
4.8 Control of Highly Confidential Data (e.g. Passwords)

4.8.1 Must be encrypted & access restricted
Where data on an IT system is Highly Confidential, it must be held on computer systems and storage media in encrypted form (see also 4.12). Access to such data must be restricted to a defined list of persons, whose accesses are audited, or it must be under dual control.

4.9 [Section removed]

4.10 Additional Restrictions on Development & Support Personnel

4.10.1 Access to live data
Development & Support personnel may not have access to live data and software, current or historical, except under exceptional circumstances and with the written consent of the Data Owner or delegate. Procedures for retrospective authorisation not later than the next working day are permitted. Such accesses must be recorded, either automatically by the operating system (or by use of an authorised third-party product), or where that is not possible, clerically, with full details of the circumstances and the action taken. Where "read" access is required on a permanent basis, approval must be obtained from the Data Owner (see also ITEC 6.9).


4.10.2 Copied live data de-sensitised
Copies of live data, required for system testing, may only be taken with the written permission of the Data Owner and the Data Custodian, or their delegates. The copied data must be de-sensitised, or it must only be accessible to authorised Group staff and contractors. Printed output from it must be kept or destroyed in accordance with the requirements defined by the Data Custodian (see also 6.4.2).

4.10.3 Emergency support
Where access to privileged functions, live data or software has been granted temporarily to support personnel to provide emergency support, such access must be withdrawn immediately following completion of the support task.

4.10.4 Updates to live data only by authorised support
Emergency amendments to live data and software may only be performed by authorised support and from an approved secure location, only after copies have been taken, and with the consent of the Data Owner or delegate. Where data has been amended user departments must subsequently ensure the correctness and completeness of all data processed.

4.11 Additional Restrictions on Operations Personnel

4.11.1 Must not initiate new data
The introduction of new or amended business input data, transactions and master files is not permitted into the live operational environment.

4.11.2 Normal daily duties only
Operators must be restricted to those tasks, facilities and utilities, that their normal daily duties require except in exceptional circumstances, e.g. system or software failure. In such circumstances, any variation must be logged, preferably automatically, and reviewed by management.

4.11.3 No all-powerful utilities or privilege access
Utilities and privileged access which provide the means to make uncontrolled changes to data on the system must not be available to system operators.

4.12 Protection of Data Off Group Premises

4.12.1 Assess the level of protection required
Any Group data to be used off Group premises must be protected with due regard to its degree of sensitivity; or, the value of and risks to the information must be assessed to determine the level of protection the data merits (see also ITEC 2.10).

Note: Data Owners may decide that customer or Group information in transit should be protected over and above the minimum security controls required by ITEC, e.g. through encryption or additional physical controls.

4.12.2 All aware of controls
All persons using the data off Group premises must be aware of its classification and the level of control required to be exercised, and comply with those requirements.

REMOTE ACCESS

4.13 Remote Working by Staff and Contractors

4.13.1 Remote Working
The use of a PC to process Group information in environments not controlled by the Group is permitted for flexible working by staff and contractors providing:
a) usage is as defined in ITEC 7.2.6.
b) usage is authorised.
c) usage is in the best interests of the Group.
d) the PC is connected to Group resources where necessary.
e) one pre-determined authorised location (e.g. Home Working) or unspecified locations (e.g. Mobile Working) are agreed.

4.13.2 Flexible Working
Staff and contractors may use a Group PC to carry out their normal work remotely in environments not controlled by the Group, using a PC connected to Group IT facilities, i.e. Teleworking, or using a PC in a Stand-alone environment.

4.13.3 Group IT facilities must be used
The PC and peripherals must be provided by the Group for Teleworking, Home Working or Mobile Working. Remote Application Development is only permitted in a Home Working environment.

4.13.4 Own PC only stand alone
A personally owned PC may only be used in a stand-alone environment and must not be connected to the Group’s network. It must not be used for Support or Application Development.

4.14 Remote Supplier Access

4.14.1 Remote supplier access
Remote Supplier Access to Group IT facilities, from environments not controlled by the Group, is permitted:
a) from pre-determined, authorised and ITEC compliant locations.
b) providing access is limited to persons authorised by the Data Custodian.
c) providing connection is enabled by operations management, (see also ITEC 5.4.3).
d) providing positive identification is established before a dial-up connection is allowed.


4.14.2 Remote supplier access from untrusted sites
Remote Supplier Access to Group IT facilities is only permitted from untrusted sites (including when the supplier is mobile) for:
a) application and System Software Support.
b) access to Group internal e-mail systems.

4.15 Remote Support

4.15.1 Criteria for remote support
Remote support of any Group computer system/application must:
a) comply with ITEC 4.10, 6.6, 6.9 and 7.2.
b) only take place following a request from on-site operations personnel.
c) have prior approval from the Data Custodian, Group IT Security & Risk and Group Audit.
d) be in accordance with a defined and documented code of practice which must be agreed with the Data Custodian, Group IT Security & Risk and Group Audit before implementation.

4.15.2 Restrictions on remote support equipment used by staff
Only equipment owned and controlled by the Group may be used by staff and contractors for Remote Support.

The use of all equipment for Remote Support will continue to be subject to the Group’s and business unit’s rules.

4.15.3 No capability to upload live data
Where the equipment used for Remote Support is not sited on Group premises, it must not have the capability to upload/download live data/software to/from the host environment.

4.15.4 Audit of remote support activities
All Remote Support activity involving access to live system/application data and software must be fully audited and subject to independent review no later than 10:00 hours the following working day where the support had UPDATE capability and 17:00 hours for READ ONLY capability (see also ITEC 4.10.1).

4.15.5 Inventories
Inventories must be kept of all equipment and software issued to staff performing Remote Support duties.


4.15.6 Authorisation process for remote workers
As part of the process for authorising Remote Working from a pre-determined authorised site, including a staff/contractor home, checks must be made to ensure that the site meets all relevant legislation and Group requirements (e.g. Human Resources, occupational health and safety, insurance, security and support). Reasonable access to the premises must therefore be permitted to relevant managers, in accordance with local legislation.

AUTHENTICATION & CRYPTOGRAPHY

4.16 Integrity and Message Origin Authentication

4.16.1 Information Security Standard

All integrity and message authentication techniques must comply with the Information Security Standard: Integrity and Message Origin Authentication.

4.16.2 Apply to all parts of message

The integrity techniques applied to information classified as Medium or High Integrity and the message origin authentication applied to High Integrity information must act on all parts of the information, and prevent modification, deletion or replay. Messages which are not authenticated successfully must be rejected.

4.16.3 Audit trail of all High Integrity messages

Group systems used for the transmission of High Integrity messages across internal and external networks, must have the capability of recording all messages sent and received. A record of all messages must be written on archivable media in chronological order showing the date and time sent/received. Continuity must be demonstrated on the media.

4.16.4 Procedures for unapplied messages

The handling of unapplied/rejected messages must be centrally co-ordinated and defined procedures for unapplied messages must be issued to all users.

4.16.5 High Integrity value messages must be reviewed daily

All High Integrity value messages must be reviewed on a daily basis by an independent member of management or an authorised deputy, in the business location originating or in receipt of the transaction. Special attention should be given to all outward High Integrity value messages, which must be checked to ensure that they are bona fide. The review must be completed on the day on which the value messages were sent. Exceptionally and only when there is heavy or very late traffic, the review may be completed the following morning but by no later than 10.00 hrs.

4.16.6 Retain log of all value messages

A log must be kept of all High Integrity value messages received showing date and time of receipt. This may be in the form of copies of all High Integrity value messages. When such messages are manually distributed, the recipient must acknowledge receipt on the log or on the message copy constituting the log.

4.17 Security of Cryptographic Keys

4.17.1 Information Security Standards

All encryption techniques must comply with the:

• Information Security Standard: Cryptography
• Information Security Standard: Key Management

4.17.2 Protection of crypto keys

Cryptographic key information, unless encrypted or held in a tamper resistant environment, must be kept in secure conditions under dual control of persons unconnected with the sending and receiving of authenticated messages.

4.17.3 Stored securely

Encrypted authenticator key information must be held overnight in secure conditions, locked up when not in use and used only in secure areas. This does not apply to devices, such as Smart cards, which hold the cryptographic keys in a tamper evident environment.

4.17.4 Encrypt if not locked away

Where authenticator key information is stored on integral hard disks, that cannot be removed from the equipment when not required and locked away, it must be encrypted.

4.17.5 Replace keys if compromised

Where those responsible for the custody or use of authenticator keys suspect that the integrity of the keys may have been compromised, the keys must be immediately cancelled and replaced.

4.17.6 Process for key replacement

There must be documented procedures in place for the cancellation and replacement of authenticator keys.

4.17.7 Keys must be changed regularly

Encryption and authenticator keys must be changed at regular intervals, as defined in the Information Security Standard: Cryptography and the Information Security Standard: Key Management. The length of the interval between changes must be agreed by Group IT Security & Risk.

4.17.8 End to end encryption

Messages containing data that is classified as Highly Confidential must be encrypted during transmission. Where such messages pass across a Local Area Network (LAN) this may be achieved by encrypting the network from end system to end system.

4.17.9 Session keys

Where connection is made to systems processing data assessed as Highly Confidential or requiring High or Medium Integrity, session keys and/or ‘one-time’ passwords must be used.
