Document Information:
1. Developed by Borets’ information security service on June 10, 2015
2. Revision 1.0
Introduction
These guidelines contain organizational and technical requirements for Information Security
relating to Borets’ protected assets when connecting remote automated workstations to the
Company’s corporate data transmission network.
Confidentiality
If these guidelines come into your possession by accident or by error, please delete them from all
storage media or network resources and immediately contact the Borets Information Security
Service.
Requirements
1.1. These guidelines set out the Information Security requirements for participants in
information exchange when connecting remote automated workstations to the Borets
corporate network.
1.2. Borets and its structural units shall comply with these guidelines upon their adoption.
1.3. These guidelines are required to be used by Borets subsidiaries and affiliated
companies and can be recommended for use by other organizations connected to the
Borets corporate network.
AW - automated workstation.
CDTN (corporate data transmission network) – the integration of the information systems,
computer, telecommunications and office equipment of the Company (and its units) by
connecting them to a single computer data transmission network using a variety of physical
and logical channels.
Company – Borets
Identification – the assignment of an identifier to access subjects and objects and/or the
comparison of a presented identifier with the list of assigned identifiers.
3. General Provisions
These guidelines are designed to ensure the security of the Company’s information by setting
out the requirements and regulations that apply when connecting remote AWs to the Company’s
corporate network.
A prerequisite for connecting to the OCCN is the execution of a non-disclosure agreement
with the Company.
The following areas should be considered for purposes of ensuring Information Security in the
OCCN:
- Organizational aspects;
- Assets management;
- Personnel-related security;
- Physical security;
- Communications and works management;
- Access control;
- Acquisition, development and operation of INFOS;
- Information Security incidents management; and
- Compliance with the requirements stated herein.
The foregoing issues should be addressed in the OCCN by organizational and technical
measures.
Compliance with the requirements of these guidelines shall be controlled by the Company’s
information security service when auditing the OCCN.
4. Organizational Aspects
4.1. Information Security in the OCCN shall be organized and administered by the person
with overall responsibility for IS at the OCCN.
4.2. Taking into account the specific features of the OCCN, the following actions shall be
undertaken for the purpose of instituting protection:
4.4. The operation and configuration of security mechanisms, as well as compliance with
the requirements for Information Security, shall be monitored by the IS division
personnel of the OCCN or by its director.
4.5. IS administration in the OCCN shall be aimed at enforcing the established rules for
access to information infrastructure objects and the procedures for handling protected
information during its processing, storage and transmission.
4.6. Employees who operate AWs connected to the CDTN shall be responsible for
preventing unauthorized access to protected information.
4.7. When arranging access for third-party organizations to the Company’s protected
Information Resources, the following IS measures shall be taken:
- determining the Information Security risks associated with providing third-party
organizations with access to the protected Information Resources;
- compiling, on the basis of an INFOS risk assessment, a list of IS measures that ensure
Information Security when any third party is provided with access to the protected
Information Resources, and implementing those measures; and
- executing a non-disclosure agreement with each third-party organization that is
provided with access to confidential information.
5. Assets Management
5.1. The OCCN shall identify protected objects (AWs, removable media, etc.), determine
and classify their degree of confidentiality, and assign persons responsible for their
secure use.
5.2. Security measures in relation to the protected objects shall be developed on the basis
of the classification of the protected objects and the INFOS risk assessment carried
out.
6. Personnel-Related Security
6.1. In connection with employment, the OCCN must enter into a non-disclosure
agreement with each employee and preserve a copy of such agreement.
6.2. Employees of the OCCN who disclose protected information or who violate the
procedures for dealing with protected objects, as well as employees through whose
fault protected information is lost or corrupted, shall bear responsibility pursuant to
applicable law.
6.5. In case of dismissal of an employee (or modification of the terms and conditions of
his or her employment), the employee’s right of access to Information Resources
must be cancelled immediately (or adjusted in accordance with the new employment
conditions).
6.6. The personnel department of the OCCN shall promptly notify the company’s IS
division regarding any dismissed employees (or modifications in the terms and
conditions of their employment).
7. Physical Security
7.1. The OCCN shall establish access control to prevent uncontrolled access to its
protected areas, buildings and premises.
7.3. When a third party carries out work in the protected areas of the OCCN, the
performance of that work must be controlled.
7.4. When using mobile AWs, measures must be taken for the prevention of loss or theft
of equipment or Authentication data.
8.1. Before connecting to the information infrastructure of the CDTN all remote AWs
shall be checked for installed antivirus software and security updates for the
operating system.
8.2. The OCCN shall install the anti-malware protection used by the Company.
8.3. Anti-virus software must be installed on all information processing means of the
OCCN exposed to viruses (in particular AWs and server hardware and software
platforms).
8.4. Anti-virus software shall also detect and protect against other forms of malicious
code, including spyware and adware.
8.5. Anti-virus mechanisms shall be kept current and actively running, and their event
logs shall be maintained.
8.6. In order to ensure the recovery of Information Resources in the event of their loss or
corruption, the OCCN shall maintain backup files.
8.7. In order to ensure the uninterrupted functioning of the information infrastructure,
the OCCN shall back up the critical facilities for information processing, storage and
transmission.
8.8. Network security shall be achieved by protecting the CDTN, LAN and OCCN
network infrastructure.
8.10. If users connect to the protected objects remotely, the remote connection shall be
controlled, including the use of strong Authentication facilities and cryptographic
information protection facilities (virtual private networks).
8.11. Any disposal of unused media should be carried out only with the assured
destruction of all of the Company’s information contained on them.
8.12. The OCCN shall use only officially purchased, licensed software.
8.13. All system components and software used in the OCCN shall have the most recent
security updates released by the manufacturer. Security updates must be installed
within one month after the manufacturer releases them.
8.14. When transmitting restricted access information outside controlled areas, including
over wireless networks, cryptographic information protection facilities must be
applied. Data transmitted over wireless networks must be encrypted using WPA2,
an IPsec VPN, or SSL/TLS.
8.15. Sending unencrypted (cleartext) data containing protected information by e-mail is
strictly prohibited.
8.17. When using mobile AWs, restricted access information processed on them must be
protected using cryptographic protection facilities.
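The requirements in 8.1, 8.5, 8.13 and 8.14 are testable conditions, and a practitioner would normally want them checked automatically before a remote AW is admitted to the CDTN. The following Python script is an added example, not part of the Borets guidelines or of any Borets tooling: it evaluates a constructed inventory of remote AWs against those four clauses and returns the list of clauses each AW fails. The inventory fields, the sample workstations, the reference date, and the seven-day signature-freshness threshold used to interpret "current" in 8.5 are all assumptions made for this example; the one-month patch deadline comes from 8.13 and the approved transport list from 8.14.

```python
"""Pre-connection compliance check for remote AWs (added example, not Borets' own code).

Evaluates each workstation record against clauses 8.1, 8.5, 8.13 and 8.14 of the
guidelines and reports the clauses it fails. Field names and sample data are
assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# 8.13: security updates must be installed within one month of release.
PATCH_DEADLINE = timedelta(days=30)
# 8.5 says signatures must be "current"; the seven-day window is this example's assumption.
SIGNATURE_MAX_AGE = timedelta(days=7)
# 8.14: acceptable protection for restricted information on wireless links.
APPROVED_WIRELESS_CRYPTO = {"WPA2", "IPSEC_VPN", "TLS"}


@dataclass
class Workstation:
    """One remote AW as exported from an (assumed) asset inventory."""
    name: str
    antivirus_installed: bool
    antivirus_running: bool
    signatures_date: date
    av_logging_enabled: bool
    oldest_pending_update_release: Optional[date]  # None means fully patched
    uses_wireless: bool
    wireless_crypto: Set[str] = field(default_factory=set)


def evaluate(ws: Workstation, today: date) -> List[str]:
    """Return the guideline clauses the workstation violates; an empty list means it may connect."""
    findings: List[str] = []

    # 8.1: anti-virus software must be present before the AW is connected.
    if not ws.antivirus_installed:
        findings.append("8.1: no anti-virus software installed")
    else:
        # 8.5: the anti-virus must be current, actively running, and logging events.
        if not ws.antivirus_running:
            findings.append("8.5: anti-virus not actively running")
        if today - ws.signatures_date > SIGNATURE_MAX_AGE:
            findings.append("8.5: anti-virus signatures not current")
        if not ws.av_logging_enabled:
            findings.append("8.5: anti-virus event logging disabled")

    # 8.13: any pending security update older than one month is a violation.
    if ws.oldest_pending_update_release is not None:
        age = today - ws.oldest_pending_update_release
        if age > PATCH_DEADLINE:
            findings.append(
                f"8.13: security update pending for {age.days} days "
                f"(limit {PATCH_DEADLINE.days})"
            )

    # 8.14: a wireless link must use at least one approved protection mechanism.
    if ws.uses_wireless and not (ws.wireless_crypto & APPROVED_WIRELESS_CRYPTO):
        findings.append("8.14: wireless link without WPA2, IPsec VPN or SSL/TLS")

    return findings


def connection_decision(ws: Workstation, today: date) -> str:
    """Map the findings to the admission decision for the CDTN."""
    return "ALLOW" if not evaluate(ws, today) else "DENY"


def run_check(inventory: List[Workstation], today: date) -> Dict[str, List[str]]:
    """Evaluate a whole inventory; the result maps each AW name to its findings."""
    return {ws.name: evaluate(ws, today) for ws in inventory}


# Constructed reference date and sample inventory (not real Borets assets).
AS_OF = date(2015, 7, 10)
SAMPLE_INVENTORY = [
    Workstation("AW-01", True, True, AS_OF - timedelta(days=1), True, None, True, {"WPA2"}),
    Workstation("AW-02", True, True, AS_OF - timedelta(days=1), True,
                AS_OF - timedelta(days=45), True, {"WEP"}),
    Workstation("AW-03", False, False, AS_OF - timedelta(days=90), False, None, False),
]

if __name__ == "__main__":
    for name, findings in run_check(SAMPLE_INVENTORY, AS_OF).items():
        decision = "ALLOW" if not findings else "DENY"
        print(f"{name}: {decision}")
        for finding in findings:
            print(f"    {finding}")
```

The check is deliberately conservative: a single failed clause denies the connection, because 8.1 makes the anti-virus and patch state a precondition for connecting rather than a finding to be fixed afterwards. Note also that WPA2 protects only the radio segment between the AW and the access point; when restricted information leaves the controlled area, an IPsec VPN or SSL/TLS is what protects it end-to-end, which is why the script accepts any one of the three mechanisms listed in 8.14 but a real deployment may want to require a VPN or TLS in addition to WPA2.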
9. Access Control
9.1. Users shall be vested with the minimum of access rights and privileges they need to
perform their tasks. Vesting of the users with access rights and privileges must be
based on a formal procedure for granting access rights established in the OCCN.
9.2. Users and administrators shall be accountable for their actions in the corporate data
transmission network.
9.3. Users shall be responsible for complying with the regulations established by the
Company regarding the selection and use of their passwords.
9.4. Users shall not be permitted to work under another person’s account or to give their
passwords or Authentication facilities to other users. When leaving an AW, users
shall take measures to protect it from unauthorized access.
9.5. Users shall work in operating systems under accounts with limited privileges. Access
to the operating system must be provided to users only after passing Identification
and Authentication procedures.
9.6. Access to applications and Information Resources shall be provided to users only
after they pass Identification and Authentication procedures. Where technically
possible, unified Authentication across application systems and operating systems
is advisable.
10.1. The OCCN shall undertake measures to ensure that information processing,
storage and transmission facilities are used only for their intended purpose.
10.2. Development, testing and production environments must be separated from each
other.
10.3. Confidential production data must not be used for testing and development.
10.4. The source code of applications under development shall be examined for potential
vulnerabilities before it is transferred to production, in particular:
11.1. The employees of the OCCN are obliged to report to the Company’s information
security department any security breaches observed or suspected, as well as any
vulnerabilities identified.
11.2. In order to respond to Information Security incidents, the OCCN shall register and
analyze them and take the measures necessary to prevent their recurrence.
11.3. The OCCN shall appoint employees with appropriate qualifications who shall be
responsible for responding to Information Security incidents.
12.1. The OCCN shall protect the restricted access information by establishing CT
mode and protecting the OCCN employees’ personal data.
12.3. IS shall be controlled by means of scheduled and unscheduled internal and external
inspections, as well as by monitoring, performed by Borets’ information security
service.
13.2. The OCCN shall hold employees responsible for providing Information Security
for the protected objects they use.
13.3. The employees of the OCCN shall be obliged to fulfill the following general
requirements for Information Security:
- to comply with the requirements stated herein and with any other Information
Security-related documents of the Company and the OCCN;
- to use information processing hardware for official purposes only; and
- to report any Information Security incidents detected to their direct supervisor or
to the IS department of the OCCN.
13.4. The employees of the OCCN are prohibited from violating the rules established to
ensure Information Security and from concealing the occurrence of Information
Security incidents.
13.5. The employees of the OCCN who do not fulfill these requirements or the
requirements of any other Information Security-related documents of the Company
and of the OCCN shall be made accountable in the prescribed manner.