Number | Question | 1 | R-V1
operations
12A
12A01
12A01-06 Is there a mandatory and well adapted training course aimed at systems operation personnel?
12A01-07 Are the security policy compliance agreements, signed by personnel, securely kept (at least in a locked cupboard)?
12A02
12A02-04 Is any new or modified functionality linked to a new system or new version of a system systematically documented before moving into production?
12A02-05 Is such new functionality (or change in functionality), linked to a new system or new version of a system, formally and systematically reviewed in conjunction with the IT security function?
12A02-06 Does this review include an analysis of the risks that may result from the changes?
12A02-11 Are the security parameters and configuration rules controlled prior to any start of production of a new version?
12A02-12 Has the possible impact of the systems' changes on the continuity plans been considered?
12A02-13 Are any derogations from the prerequisite risk analysis and control of security parameters subject to strict procedures, including a signature from senior management?
12A03
12A04
12A04-04 Does the usage of the remote maintenance line require the prior agreement (for each usage) of telecommunication operations personnel (upon request by the manufacturer or editor specifying the nature, date and time of the intervention)?
12A05
12A05-04 Is telecommunications operations management required to approve changes to procedures?
12A05-05 Are these procedures protected from unauthorized alterations?
12A06
12B
12B01
12B01-07 Is the integrity of system configurations checked regularly (at least weekly), if not at each system start-up, against the configuration theoretically expected?
12B01-08 Are regular audits carried out of the compliance to the specifications for security parameters?
12B01-09 Are regular audits carried out of the exception and escalation procedures in the case of difficulty or installation problems?
12B01-10 Are the development and test environments separated from the operational environments?
12B02
12B02-02 Is this reference version protected against all possible illicit or untimely modification (signed media kept by a senior manager, electronic sealing, etc.)?
12B02-03 Is this protection considered to be inviolable (sealing by a cryptographic algorithm approved by the Information Security Officer)?
12B02-04 Is the protective seal controlled automatically (otherwise it
may be an authoritative signature) at each new installation?
12B02-05 Is a check made of the proof of origin and integrity of a received maintenance module or a new version from the editor or the manufacturer (for operating systems)?
12B02-06 Are the sealing and sealing control tools protected against any unauthorized usage?
12B02-07 Does the inhibition of the automatic control of seals trigger an alarm to a manager?
12B02-08 Are there regular audits of protection procedures for reference programs?
12C
Service continuity
12C01
12C01-04 Do the contracts detail the required time slots and days of intervention (24h/7d for example) compatible with the requirements of availability?
12C01-05 Do the contracts stipulate the conditions of escalation in case of difficulty?
12C02
12C02-05 Do the contracts detail the required time slots and days of intervention (24h/7d for example) compatible with the requirements of availability?
12C02-06 Do the contracts stipulate the conditions of escalation in case of difficulty?
12C02-07 Do the contracts specify specific clauses when hardware downtime exceeds specific durations stipulated (penalties, replacement of hardware, etc.)?
It is desirable that these clauses be general and apply to all cases no matter what the reasons (technical difficulty, staff strikes, etc.).
12C03
12C04
12C04-02 For each scenario, and in agreement with the users, have a list and schedule of service resumption been defined?
Loss of information, the means to reconstruct it and temporary operational procedures must be considered.
12C04-08 Are the above tests able to guarantee that the staff capacity and the recovery systems can cope, under full operational load, with the minimum service levels required by users?
The tests required to obtain this guarantee are preferably full-scale tests of each variant of scenario, involving all users. The results of the tests have to be recorded and analyzed in order to improve the capability of the organization to respond to the situations considered.
12C05
12C05-04 Have variants to the primary solution been considered in case it might encounter unforeseen difficulties?
12C05-05 Is there a regular review of critical systems and corrective solutions envisaged?
12D
Use of telecommunications equipment by end users
12D01
12D01-02 Are these lists protected against untimely or illicit alteration by a robust sealing process?
12D01-03 Do the rights provided to users prevent them from modifying the specific telecommunication configurations (telephone, audio or video conferencing, etc.) of their equipment?
12D01-04 Is the conformity of the telecommunication configurations for user workstations regularly controlled against the authorized options?
12D01-05 Does the inhibition of the control process trigger an alarm to a manager?
12D01-06 Are the processes of control themselves subject to regular audits?
12D02
12D03-01
12D03-02
12E
12E01-02 For each profile have the necessary rights and privileges been defined?
12E01-03 Does the process of attributing special rights require the formal authorization of management (or the manager responsible for external service providers) at a sufficiently high level?
12E01-04 Are special rights attributed only in relation to the profile of the holder?
12E01-05 Is the process of granting (modifying or revoking) special rights to an individual strictly controlled?
Strict control requires formal recognition of the signature (electronic or not) of the requestor, tight control of access in order to attribute or modify such rights, and that any modification of special rights be logged and audited.
12E01-06 Is there a systematic process for the removal of special rights at the time of departure of telecommunication operations staff?
12E01-07 Is there a systematic process for the removal of special rights at the time of role change of telecommunication operations staff?
12E01-08 Is there a regular audit, at least once a year, of all special rights attributed?
12E02
12E02-01 Is the authentication protocol used for administrators or holders of special rights considered to be secure?
An authentication protocol is considered secure if it is not susceptible to being broken by a listening device on the network or rendered inoperable by specialist tools (in particular password-cracking tools). Such security usually relies on cryptographic methods.
12E02-02 Are the rules, for instance in the case of passwords, considered to be very strict?
Strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable length (ten characters). It is desirable that these rules have been approved by the Information Security Officer.
12E02-03 Is there a consistent control of the administrator's rights, of their context, and of the suitability of this context with the requested access, as per formal rules of access control?
12E02-05 Are the processes that guarantee authentication under strict control?
Strict control requires that the software used has been validated and undergoes regular integrity testing (seal), and that there is an audit at least once a year of the authentication procedures and processes.
12E02-06 Is there a regular audit of the security parameters attached to protecting profiles and rights?
12E03
12E03-04 Is there a summary of these records enabling management to detect abnormal behavior?
12E03-05 Is there a system enabling the detection of any modification of recording parameters and to immediately trigger an alarm to a manager?
12E03-08 Are all records or summary analyses kept for a long period?
Variant columns R-V2, R-V3, R-V4 (control-type code and clause references per question; the column values were extracted out of alignment with the question rows above and are kept here in their original order):
E1 9.2.1 | E2 | E3 | E2 | E2 | E2 | R1 | R1 | C1 | E1 10.1.2; 10.3.1
E2 10.3.1 | E2 9.2.1 | E2 10.3.2 | E2 | E2 10.3.2 | E3 | E3 | E3 10.3.2 | E3 10.3.2; 11.4.4 | E3 10.3.2; 11.4.4
E2 10.3.2 | R1 | E3 6.1.4; 12.4.1 | E3 6.1.4; 12.4.1 | C1 | E2 9.2.4 | E2 | E3 | E3 | E3
C1 | E2 11.4.4 | E2 11.4.4 | E3 11.4.4 | E3 11.4.4 | E2 | C1 | E2 10.1.1 | E2 10.1.1 | E2 10.1.1
E2 10.1.1 | R1 | C1 | C1 10.2.1 | E2 10.2.1 | E1 10.2.2 | E2 10.2.2 | E2 10.2.2 | E3 10.2.3 | E2
E1 | E2 11.4.4 | E2 10.7.4; 12.6.1 | E3 10.10.6 | R1 10.7.4 | E3 15.2.2 | R1 15.2.2 | R1 15.2.2 | C1 | R2
E1 | R1 | R2 | R2 | E2 | R2 | E3 | C1 | E1 9.2.4 | E2
E2 | E3 | R1 | E3 | E3 | C1 | E1 | E2 | E2 | E2
E3 | R1 | E3 | C1 | E1 10.5.1 | E2 10.5.1 | E2 10.5.1 | E2 10.5.1; 14.1.5 | R1 10.5.1 | R2 10.5.1
C1 | E1 14.1.3 | E2 14.1.3 | E1 14.1.3 | E2 14.1.3 | E2 14.1.3 | E1 14.1.3 | E2 14.1.5 | E2 14.1.5 | E2
E2 | E3 | E3 | C1 | C1 | E2 | E2 | E2 | E3 | C1
E2 | R2 | E2 | C1 | C2 | C1 | E1 | E2 | E2 | 2
E2 | 4 | 4 | E2 | E2 | 4 | E2 | E2 | 4 | E2
E1 10.1.3; 11.2.2 | E1 10.1.3 | E2 10.1.3 | E2 10.1.3 | 3 | R1 11.2.2 | E2 11.2.4 | E2 11.2.4 | C1 11.2.4 | E2
E2 | E2 | R1 | R1 | C1 | E2 10.10.4 | E2 10.10.4 | 4 | 4 | E3 10.10.4
3 | 2 | E3 10.10.4 | E3 10.10.4 | E3 10.10.4 | E2 10.10.4 | E2 10.10.4 | C1 10.10.4