Sunteți pe pagina 1din 33

Information Security

Policy

Version 1.31
- unclassified -
Information Security Policy

Document Attributes

Enacted by Date of Enacting Document Owner


th
IT Board July 25 , 2013 Information Security
Committee

Version Date Change Edited by


nd
1.0 July 22 , 2013 Changes as required by Working Group “1G –
CIOs; final version Information Security”,
before proof reading PMO
st
1.01 July 31 , 2013 Final version after Working Group “1G –
proofreading Information Security”,
PMO
th
1.02 September 10 , 2013 Changes according to Working Group “1G –
alignments with HR staff Information Security”,
Department PMO
th
1.03 October 17 , 2013 Changes according to Working Group “1G –
alignments with HR and Information Security”,
Corporate Data PMO
Protection
nd
1.04 November 22 , 2013 Changes according to Working Group “1G –
alignments with Information Security”,
Corporate Co- PMO
determination
th
1.05 December 19 , 2013 New version after Working Group “1G –
language changes in Information Security”,
the German translation; PMO
No content changes
th
1.06 January 29 , 2014 Changes as required by Working Group “1G –
CISO Information Security”,
PMO
th
1.06b February 7 , 2014 Changes as required by Working Group “1G –
ISC Information Security”,
PMO
th
1.07 February 7 , 2014 Intermediate version for Working Group “1G –
editorial reasons Information Security”,
PMO
th
1.08 February 11 , 2014 Final version Working Group “1G –
Information Security”,
PMO
st
1.10 March 31 , 2015 Approved by ISC Corporate IT Office

Version 1.31 - unclassified - 2/33


Information Security Policy

th
1.20 November 9 , 2015 Changes according to Working Group “Cyber
alignment to “Cyber Security”
Security” requirements
th
1.30 April 4 , 2016 Changes according to Working Group
alignment to “ISO/IEC “ISO/IEC 27002:2013”
27002:2013”
th
1.30 April 5 , 2016 Approved by ISC Working Group
“ISO/IEC 27002:2013”
th
1.30 April 14 , 2016 Approved by IT Board Working Group
“ISO/IEC 27002:2013”
nd
1.31 February 22 , 2018 Minor release approved Corporate IT Office
by ISC

Version 1.31 - unclassified - 3/33


Information Security Policy

Table of Contents
1. Introduction ........................................................................................................ 6
1.1. About this Document .......................................................................................................................... 6
1.2. Objectives ........................................................................................................................................... 7
1.3. Principles ............................................................................................................................................ 7
1.4. Review and Evaluation ....................................................................................................................... 8

2. Scope .................................................................................................................. 9

3. Terms and Definitions ...................................................................................... 10

4. Information Security Management System, Compliance Assessment and


Governance, and Reporting............................................................................. 11
4.1. Information Security Management System (ISMS) ........................................................................... 11
4.2. Information Security Compliance Assessment and Governance ...................................................... 11
4.3. Information Security Reporting ......................................................................................................... 11

5. Information Security Policies .......................................................................... 13


5.1. Management Direction for Information Security................................................................................ 13

6. Organization of Information Security .............................................................. 14


6.1. Internal Organization ........................................................................................................................ 14
6.2. Mobile Devices and Teleworking ...................................................................................................... 14

7. Human Resource Security ............................................................................... 15


7.1. Prior to Employment ......................................................................................................................... 15
7.2. During Employment .......................................................................................................................... 15
7.3. Termination and Change of Employment ......................................................................................... 15

8. Asset Management ........................................................................................... 16


8.1. Responsibility for Assets .................................................................................................................. 16
8.2. Information Classification ................................................................................................................. 16
8.3. Media Handling................................................................................................................................. 16

9. Access Control ................................................................................................. 17


9.1. Business Requirements of Access Control ....................................................................................... 17
9.2. User Access Management ............................................................................................................... 17
9.3. User Responsibilities ........................................................................................................................ 17
9.4. System and Application Access Control ........................................................................................... 17

10. Cryptography .................................................................................................... 18


10.1. Cryptographic Controls ..................................................................................................................... 18

11. Physical and Environmental Security ............................................................. 19

Version 1.31 - unclassified - 4/33


Information Security Policy

11.1. Secure Areas .................................................................................................................................... 19


11.2. Equipment ........................................................................................................................................ 19

12. Operations Security ......................................................................................... 20


12.1. Operational Procedures and Responsibilities ................................................................................... 20
12.2. Protection from Malware ................................................................................................................... 20
12.3. Backup ............................................................................................................................................. 20
12.4. Logging and Monitoring .................................................................................................................... 20
12.5. Control of Operational Software ....................................................................................................... 20
12.6. Technical Vulnerability Management ................................................................................................ 20
12.7. Information Systems Audit Considerations ....................................................................................... 20

13. Communications Security ............................................................................... 21


13.1. Network Security Management......................................................................................................... 21
13.2. Information Transfer ......................................................................................................................... 21

14. System Acquisition, Development and Maintenance .................................... 22


14.1. Security Requirements of Information Systems ................................................................................ 22
14.2. Security in Development and Support Processes............................................................................. 22

15. Supplier Relationships..................................................................................... 23

16. Information Security Incident Management ................................................... 24


16.1. Management of Information Security Incidents and Improvements .................................................. 24

17. Information Security Aspects of Business Continuity Management ............ 25

18. Compliance ....................................................................................................... 26


18.1. Compliance with Legal and Contractual Requirements .................................................................... 26
18.2. Information Security Review ............................................................................................................. 26

19. Business Continuity Management .................................................................. 27

20. Information Security Risk Management.......................................................... 28

A. Appendix ........................................................................................................... 29
A.1. Technical Terms ............................................................................................................................... 29

Version 1.31 - unclassified - 5/33


Information Security Policy

1. Introduction
Information is an asset which, like other important business assets, has value to
Deutsche Post DHL Group (DPDHL) and, consequently, must be suitably
protected. Information Security protects information from a wide range of threats,
in order to ensure business continuity, to minimize business damage, and to
maximize return on investments and business opportunities.
Information can exist in many forms. It can be printed or written on paper, stored
electronically, transmitted by post or electronic means, shown on film, or spoken
in conversation. Whatever form the information takes, or whatever ways it is
shared or stored, it should always be appropriately protected.
Information Security is characterized here as the preservation of:
 Confidentiality: Ensuring that information is accessible to those with
authorized access.
 Integrity: Safeguarding the accuracy and completeness of information, and
processing methods, and ensuring that a transaction cannot be disputed.
 Availability: Ensuring that authorized users have access to information and
associated assets, when required.
This document specifies the control objectives for managing information risks and
risks arising from “Cyber Space”, within DPDHL. The control requirements
describe the minimum technical measures, which must be applied to DPDHL
information, information systems, and data.

1.1. About this Document


As DPDHL made a voluntary commitment (e.g., in the published year-end report)
to operate its Information Security Management System (ISMS), based on ISO-
Information Security Standards, this document is set up according to International
Standards Organization - Standard for Information Security Management (ISO
27002:2013).
Among others, the external standard “Payment Card Industry Data Security
Standard (PCI-DSS)” is not included to this group standard document.
This document, the Information Security policy, is part of the Information Security
target model.
The Information Security target model contains the Information Security policy,
which describes the control objectives for Information Security; the Information
Security control standards, which describe the control requirements for
Information Security; and the Information Security process standards, which
provide the specification of the processes, roles, and entities for the Information
Security Management System processes.

Version 1.31 - unclassified - 6/33


Information Security Policy

Complementary to Information Security, the Information Security target model


addresses control objectives, control requirements and processes which apply to
Cyber Security.

1.2. Objectives
This document details the required minimum practices, which are common across
the organization and replace all other DPDHL Information Security policies and
standards.

1.3. Principles
The underlying principle behind Information Security, within DPDHL, is that
divisions will meet or exceed the International Standards Organization - Standard
for Information Security Management (ISO 27002:2013) control requirements,
unless regulatory requirements or local laws stipulate otherwise. This document
contains, among others, all of the controls specified in ISO 27002:2013 and
describes them in terms relevant and appropriate to DPDHL.
Complementary to Information Security, it includes controls to preserve Cyber
Security within DPDHL Group specified in Cyber Security best practice standards
(e.g. “Framework for Improving Critical Infrastructure Cybersecurity” (NIST)).
Accordingly, Information Security in the sense of this document also covers Cyber
Security.
This group standard establishes basic Information Security principles, criteria, and
practices, and provides guidelines for establishing, planning, carrying out, and
documenting Information Security, within DPDHL. In all cases, legal requirements
for Information Security, such as data protection legislation, banking or postal
secrecy requirements, or other requirements, such as contractual obligations to
third parties, must be complied with fully and unequivocally. Compliance to this
group standard does not need to result in full compliance to local regulation.
The Information Security standards define some recommendations of the ISO
standard as mandatory (i.e., a must). Where there are legal, regulatory,
operational, or technical reasons where this control cannot be complied with, a
formal exception from the DPDHL control requirements, of the DPDHL
Information Security standards, must be documented. This exception must be
approved by the Business Owner of the relevant process, the divisional CIO, and
the respective divisional Chief Information Security Officer (CISO), according to
chapter 20 of these Information Security standards, since exceptions are treated
as risks. Exceptions must be treated as risks, with the respective review cycles.
An Information Security policy document must be approved by the management,
published, and communicated to all employees, and relevant external parties,
according to the requirements stated in chapter 5 of the Information Security
control standards.

Version 1.31 - unclassified - 7/33


Information Security Policy

1.4. Review and Evaluation


The document is based on the latest ISO-Information Security Standards and
takes the latest technical changes into account. To avoid obsolescence, all
documents that pertain to DPDHL Information Security should be reviewed at
regular (not exceeding two years) intervals or if significant changes occur, to
ensure its continuity, suitability, adequacy, and effectiveness, according to the
stated requirements. The document should be reviewed and, if appropriate,
amended, with a view towards identifying relevant changes in organizational or
technical infrastructures, new shortcomings or changes in company policy, and
the current status of the company’s technological solutions. In case of important
changes of standards or external regulations, a timely adjustment within a shorter
time period should be achieved for the adoption.
Compliance with Information Security rules, procedures, and proper fulfillment of
monitoring tasks, on the part of Information Security management, must be
assured by Information Security compliance assessments, at regular intervals,
according to the group-wide standards.

Version 1.31 - unclassified - 8/33


Information Security Policy

2. Scope
The Information Security policy sets forth the requirements for basic Information
Security measures, which must be implemented, within DPDHL. All employees
and third-party operators of information technology systems (IT systems) for
DPDHL and its affiliated companies, as well as the users in these organizations,
are required to comply with the requirements set forth in this document.
The document supports the following strategic goals for Information Security:
 Ensuring the availability of DPDHL computer systems, so they meet the
company’s information technology (IT) and information and communications
technology (ICT) requirements.
 Achieving a high level of confidentiality and availability, for all data processed
in these operative systems.
 Achieving a level of data integrity and confidentiality that meets the
requirements of all DPDHL divisions and subsidiaries.
 Ensuring that Information Security for the DPDHL business operations is
conducted properly.
Protecting information in all relevant business environments is a common interest
of the Information Security functions, as well as the Corporate Security and the
divisional security functions. The Corporate Security and the divisional security
functions are responsible for aspects of Information Security where it concerns
people, physical assets and the public reputation of DPDHL, which is defined in
accordance with the Corporate Security policy and excluded from the scope of
this policy.

The procedures and rules set forth in this policy define the compulsory minimum
protection level, which applies to all assets of DPDHL specified in chapter 8.
However, some customers or applications may require more than the minimum
level of Information Security protection. When this is the case, specific Information
Security procedures should be defined and implemented by the competent
technical department, in cooperation with the Information Security departments of
the respective divisions.

All personnel should be informed of the rules and procedures pertaining to


Information Security and the accurate operation of computer systems.
Supervisory personnel are responsible for ensuring this information flow is
implemented and that their teams are provided with updated information,
regarding Information Security measures.
Information Security management should be notified, as soon as possible, of any
problems that could potentially arise from insufficient familiarity with existing
Information Security rules and procedures, or any new computer-related threats,
so that these problems can be resolved quickly.

Version 1.31 - unclassified - 9/33


Information Security Policy

3. Terms and Definitions


This section defines all general terms, which are used in the document and which
need clarification.
Technical terms are listed in appendix A.1. The roles within the Information
Security organization are specified within chapter 4.1, of the Information Security
process standards.
General terms
Appropriate: “Appropriate” shall mean the level of control or protection is in
line with the value of the data, or the system being protected.

May: “May” shall mean the condition is optional.

Must not: “Must not” shall mean the condition is an absolute prohibition
of the standard (same as “Shall not”).

Must: “Must” shall mean the condition is an absolute requirement of


the standard (same as “Required” and “Mandatory”).

Need-to-know: Information should only be accessible to employees with a


demonstrated (and documented) requirement for access, in
order to perform their day-to-day tasks.

Need-to-use IT systems should only be accessible to employees with a


basis: demonstrated (and documented) requirement for access, in
order to perform their day-to-day tasks.

Regular: “Regular” shall mean a recurring exercise, which is carried out


at a frequency proportional to the risk that the entity is exposed
to.

Should not: “Should not” shall mean there may exist valid reasons, in
particular circumstances, when the particular behavior is
acceptable or even useful, but the full implications should be
understood and the case carefully weighed, before
implementing any behavior described with this label (same as
“Not recommended”).

Should: “Should” shall mean there may exist valid reasons, in particular
circumstances, to ignore a particular item but the full
implication must be understood, and carefully weighed, before
choosing a different course (same as “Recommended”).

Significant “Significant change” shall mean a substantive change to a


change: system or application, including, but not limited to: the
implementation of jumbo patches, service packs, application
upgrades, or architectural changes.

Version 1.31 - unclassified - 10/33


Information Security Policy

4. Information Security Management System, Compliance


Assessment and Governance, and Reporting

4.1. Information Security Management System (ISMS)


A documented, process-based Information Security Management System must
be established, implemented, operated, monitored, reviewed, maintained, and
improved within the context of the organization’s overall business activities, and
the Information Security risks it faces.
All third parties that process assets on behalf of DPDHL must apply a level of
Information Security controls, which are appropriate for the information being
processed.
All divisional and group-wide matters for Information Security must be coordinated
by the management of the divisional organization, the divisional Information
Security organization, the group-wide Information Security organization, or if
relevant other divisional and corporate functions.

4.2. Information Security Compliance Assessment and


Governance
The Information Security compliance assessment plan must ensure that the
implemented controls of its Information Security Management System conform to
its requirements (including legislation and regulations), the controls perform as
expected, and that findings are reported.
The Information Security compliance assessment strategy must specify the
overall parameters for the Information Security compliance assessment process
and the specific parameters, which must be met by an individual Information
Security compliance assessment.
An Information Security compliance assessment process that supports
compliance assessment strategy and planning, Information Security compliance
assessments, Information Security governance, and the follow-up activities of
Information Security compliance assessments, in terms of status reviews and
update of recommendations, must be established.
Those responsible for maintaining the Information Security compliance
assessment should be officially nominated within documented scope. The
responsibilities of this role and all other roles involved within the process must be
assigned.

4.3. Information Security Reporting


An Information Security reporting framework must be established, to ensure
transparency on Information Security risks, Information Security compliance,
Information Security incidents, and Information Security implementation status.

Version 1.31 - unclassified - 11/33


Information Security Policy

To ensure a consistent and complete Information Security reporting process, as


well as roles and responsibilities for both, the divisional Information Security
reporting and the corporate Information Security reporting must be established.
The process support of Information Security reporting must ensure the coherent
definition of templates and tools for data storage.

Version 1.31 - unclassified - 12/33


Information Security Policy

5. Information Security Policies

5.1. Management Direction for Information Security


The management direction and support for Information Security in accordance
with business requirements and relevant laws and regulations must be provided.

Version 1.31 - unclassified - 13/33


Information Security Policy

6. Organization of Information Security

6.1. Internal Organization


Roles for the Information Security organization, including appropriate levels of
resourcing and stakeholder roles, must be established to maintain the Information
Security management framework.

6.2. Mobile Devices and Teleworking


Mobile computing devices must be effectively protected, to ensure they cannot be
compromised when connected to untrusted networks, and that data cannot be
accessed, if the device is lost or stolen. Mechanisms must be implemented to
allow remote wipe or destruction of data, if tampering is detected.

Version 1.31 - unclassified - 14/33


Information Security Policy

7. Human Resource Security

7.1. Prior to Employment


As part of the recruitment process for employees and contractors, relevant
Information Security responsibilities must be defined and documented, and
candidates must be assessed for suitability.

7.2. During Employment


All employees and contractors must receive Information Security awareness
training relevant to their role.

7.3. Termination and Change of Employment


A formal process must be in place, to ensure user access to DPDHL systems is
terminated or adjusted, and that relevant DPDHL assets, including information,
are recovered when an employee or contractor leaves the organization, or
changes his role.

Version 1.31 - unclassified - 15/33


Information Security Policy

8. Asset Management

8.1. Responsibility for Assets


All IT assets, Information Security organizational assets, and information data
assets, according to chapter 8 of the Information Security controls standards,
must be owned by a designated part of DPDHL, which (in most cases) is the
originator of such information or the relevant custodian.

8.2. Information Classification


All information must be classified, based on its value and sensitivity.

8.3. Media Handling


Controls appropriate to the classification must be applied and maintained,
throughout the lifetime of the information.

All media must be effectively managed through its lifetime; this includes
procurement or creation, usage, transportation, storage, and at end of life
irrevocable destruction. Any existing and applicable information management
policy, or document retention guidelines, must be adhered to.

Version 1.31 - unclassified - 16/33


Information Security Policy

9. Access Control

9.1. Business Requirements of Access Control


The business and Information Security requirements for all information,
information-processing systems, and business processes must be defined and
effective controls implemented.

9.2. User Access Management


A formal process that covers the life cycle of all user (including customers,
employees, and partners) and administrator access must be in place, to control
the allocation, change, and removal of access rights to information-processing
systems and services.

9.3. User Responsibilities


All users must be made aware of their responsibilities in protecting DPDHL
information and assets provided to them, and comply with the Information
Security policy.

9.4. System and Application Access Control


All operating systems must have controls, which restrict access to authorized
users and enforce the defined access control policy.

All information-processing systems and applications must have controls, which


restrict access to authorized users and enforce the defined access control policy.

Version 1.31 - unclassified - 17/33


Information Security Policy

10. Cryptography

10.1. Cryptographic Controls


Cryptographic controls must be put in place, to protect the confidentiality,
integrity, and authenticity of high-value and sensitive information processed within
(and outside) DPDHL.

Version 1.31 - unclassified - 18/33


Information Security Policy

11. Physical and Environmental Security

11.1. Secure Areas


All information-processing systems and supporting infrastructure must be located
in facilities, which provide an appropriate level of protection against unauthorized
physical access, damage, and interference.

All physical facilities must have access controls to prohibit unauthorized access.

11.2. Equipment
All equipment used to store, process, and transport DPDHL information must be
protected, during its lifetime. When a device reaches the end of its life, it must be
irrevocably wiped or cleansed, and appropriately disposed of.

Version 1.31 - unclassified - 19/33


Information Security Policy

12. Operations Security

12.1. Operational Procedures and Responsibilities


Effective procedures for the secure management and operation of information-
processing systems and information-processing facilities must be defined and
implemented.

12.2. Protection from Malware


Mechanisms must be in place on all information-processing systems to prevent,
detect, and remove malicious code.

12.3. Backup
Backup and restore procedures, and retention periods, must be sufficient to
maintain the integrity and availability of information, and information-processing
systems.

12.4. Logging and Monitoring


Monitoring and logging must be applied to relevant systems, so that events or
faults can generate alerts, or logs can be analyzed, following the detection of a
fault.

12.5. Control of Operational Software


The Information Security requirements of new systems and system changes
should be established, documented, and tested, prior to their acceptance and
use.

12.6. Technical Vulnerability Management


Technical vulnerability management should be implemented in an effective,
systematic, and repeatable way, to reduce the risk of vulnerabilities being
exploited.

12.7. Information Systems Audit Considerations


Information system compliance assessment and audits must be controlled and
performed by qualified and authorized individuals using formal processes and
procedures.

Version 1.31 - unclassified - 20/33


Information Security Policy

13. Communications Security

13.1. Network Security Management


Controls must be applied to prevent unauthorized access to networked services.

Controls must be applied to networks, systems, and supporting infrastructure, to


ensure that data at rest and data in transit is available, and only accessible to
authorized users and systems.

13.2. Information Transfer


Agreements must be established, where appropriate, for the exchange of
information and software between DPDHL and external parties.

Version 1.31 - unclassified - 21/33


Information Security Policy

14. System Acquisition, Development and Maintenance

14.1. Security Requirements of Information Systems


Information Security controls must be designed into information-processing
systems and business processes, and established as part of the requirements
gathering phase of the project, and documented in an Information Security
concept.

The systems supporting electronic business transactions must have appropriate


Information Security controls, to ensure the confidentiality, integrity, and
availability of such transactions, and provide non repudiation.

Based on the classification of information being processed and based on


business requirements, controls must be designed into applications, which ensure
accuracy of processing, validate input, and prevent errors, loss, unauthorized
modification, or misuse of information.

14.2. Security in Development and Support Processes


To prevent the compromise of the system or operating environment, the project
and development environments should be strictly controlled, and a formal
recognized development, change, and release management process should be
followed.

IT support activities must be conducted in a secure manner and access to system


files, system configuration, and source code must be effectively controlled.

Version 1.31 - unclassified - 22/33


Information Security Policy

15. Supplier Relationships


Where information is processed by third-party systems or in third-party facilities,
effective controls must be implemented, to ensure that relevant DPDHL
Information Security and regulatory requirements are met.

Version 1.31 - unclassified - 23/33


Information Security Policy

16. Information Security Incident Management


As a key part of an organization's overall Information Security strategy, the
organization must put controls and procedures in place, to enable a structured,
well-planned approach to the management of Information Security incidents.
An Information Security incident response team (ISIRT) must be established, with
an ISIRT mission statement that focuses on the team’s core activities.
There must be standards, processes, and controls in place, to manage
Information Security incidents and to mitigate Information Security issues, which
have been identified.
The standards and processes must be kept up-to-date, according to lessons
learned, regarding Information Security incidents.

16.1. Management of Information Security Incidents and


Improvements
There must be a process and responsible persons in place to manage Information
Security incidents, and mitigate Information Security issues, which have been
identified.
From a business perspective, the prime objective to avoid or contain the impact of
Information Security incidents, and to reduce the direct and indirect costs caused
by the incidents, must be supported.
Roles must be involved, as specified in the Information Security incident
management process.
The division as the Risk Owner of business processes must bear the
responsibility and accountability for Information Security incidents.
All Information Security incidents and issues must be reported to a designated
point of contact, so that corrective actions can be taken.
All Information Security incidents must be classified, according to their category
and severity.

Version 1.31 - unclassified - 24/33


Information Security Policy

17. Information Security Aspects of Business Continuity


Management
The Information Security aspects of business continuity requirements for all
information-processing systems and facilities must be determined and
documented.

Version 1.31 - unclassified - 25/33


Information Security Policy

18. Compliance

18.1. Compliance with Legal and Contractual Requirements


The legal requirements for the design, operation, use, or management of
information systems must be established, and controls implemented to enforce
these requirements.

18.2. Information Security Review


All information-processing, systems, and facilities must be reviewed on a regular
basis, to ensure they meet the required Information Security policies and
standards, and technical compliance.

Version 1.31 - unclassified - 26/33


Information Security Policy

19. Business Continuity Management


The business continuity requirements for all information-processing systems and
facilities must be determined and documented.

Version 1.31 - unclassified - 27/33


Information Security Policy

20. Information Security Risk Management


The organization must define the scope and boundaries of Information Security
Risk Management, ensuring all relevant assets and processes are taken into
account.
Information Security risks must be assessed, as defined in the Information
Security Risk Management process.
Impact classes, probability classes, risk classes, risk treatment classes, and the
organizational scope must be applied to all risks.
Risk acceptance criteria must be specified, per division.
The roles involved must be specified in the Information Security Risk
Management process.
The division with nominating dedicated persons as Risk Owners of business
processes must bear the responsibility for managing Information Security risks.
The process must be supported with standardized templates and a reference of
mandatory process triggers.
All Information Security risks must be treated, as defined in the Information
Security Risk Management process.
Information Security risks must be reviewed on a regular basis.

Version 1.31 - unclassified - 28/33


Information Security Policy

A. Appendix
A.1. Technical Terms
Asset: Assets are distinguished in asset types of IT assets, Information
Security organizational assets, and information data assets,
according to chapter 8 of the Information Security control
standards.

Chinese wall: A “Chinese wall” is an information barrier implemented within a


firm, to separate and isolate persons who make investment
decisions from persons who are privy to undisclosed material
information, which may influence those decisions. This is a way
of avoiding conflict of interest problems.

Control1: Measure to modify risks

Cyber Cyber Security is the preservation of confidentiality, integrity and


Security: availability of information in the Cyber Space.

Cyber Space: Cyberspace is a complex environment resulting from the


interaction of people, software and services on the Internet by
means of technology devices and networks connected to it,
which does not exist in any physical form.

Division: Entities referenced as division within the Information Security


policy and standards are PeP, EXPRESS, DGFF, DSC,
GBS&CC, and IT Services.

Event: Occurrence or change of a particular set of circumstances

External External environment, in which the organization seeks to


context: achieve its objectives.
Based on organization-wide context, but including specific
details of legal and regulatory requirements, stakeholder
perceptions, and so forth.
Includes (but is not limited to): social, cultural, political, financial,
technological, and competitive environment from a local to an
international level.

External staff: Individuals who do not have an employee contract with the
company.

Frequency: Refers to the reporting period; the frequency determines how

1
Based on ISO 27005

Version 1.31 - unclassified - 29/33


Information Security Policy

often reports are provided.

Group-level: The term “group-level” is a synonym for “corporate-level”.


Example: A group-level process is carried out on the corporate
level.

Group-wide: Processes or activities, which occur throughout the group, on


the divisional level and which are defined in the same way,
throughout the group.

Impact class: Outcome of an event affecting objectives in discrete classes

Impact: Outcome of an event affecting objectives

Incident Categorizes the Information Security incidents by considering


categories: their causes, behaviors, and results.

Incident Severity classes for Information Security incidents shall be used


severity for classification of each Information Security incident, to
classes: prioritize the incidents, and determine necessary escalation,
communication levels, and structure of the Information Security
incident response team (ISIRT). For consistency, the
Information Security incident severity classes are identical to the
risk assessment and treatment impact classes, as defined in
chapter 20.

Information Identified occurrence of a system, service or network state


Security indicating a possible breach of Information Security policy or
event: failure of controls, or a previously unknown situation that may be
security relevant

Information A single event or a series of unwanted/unexpected Information


Security Security events that have a significant probability of
incident: compromising business operations, and threatening Information
Security.

Information Enables an organization to:


Security
 Improve overall Information Security
incident
management:  Reduce adverse business impact
 Strengthen the Information Security incident prevention
focus
 Strengthen prioritization
 Preserve evidence
 Contribute to budget and resource justifications
 Improve updates to Information Security risk assessment

Version 1.31 - unclassified - 30/33


Information Security Policy

and management results


 Provide enhanced Information Security awareness and
training program material
 Provide input to Information Security policy and related
documentation reviews

Information Information Security process areas are:


Security key
 Information Security Risk Management
process area:
 Information Security Management System
 Information Security compliance assessment and
governance
 Information Security reporting
 Information Security incident management

Information Is the “art of the overall management system, based on a


Security business risk approach, to establish, implement, operate,
Management monitor, review, maintain, and improve Information Security. […]
System The management system includes organizational structure,
(ISMS): policies, planning activities, responsibilities, practices,
procedures, processes, and resources.2”
The ISMS contains an operational structure and an
organizational structure.

Information Group-wide regulation of how to fulfill the objectives, as


Security described in the Information Security policy.
standards:
The Information Security standards consist of Information
Security control standards, which describe the control
requirements and Information Security process standards, which
provide the specification of the processes, roles, and entities, for
the Information Security Management System processes.

Internal Internal environment, in which the organization seeks to achieve


context: its objectives; anything within the organization that can influence
the way in which an organization will manage risk.
Includes (but is not limited to): governance, organizational
structure, policies, objectives, capabilities, organization’s
culture, information systems (formal and informal), and
standards.

Key KPIs are functions of parameters; in other words: KPIs are


performance derived from parameters by a defined algorithm. KPIs measure

2
ISO 27001:2005

Version 1.31 - unclassified - 31/33


Information Security Policy

indicators a process quality (performance). They come along with an


(KPIs): evaluation scheme (i.e., each possible value of the KPI is
assigned one of the three colors: “green”, “amber”, or “red”).

Operators: Technical departments, internal and external IT suppliers, and


providers of IT systems, for DPDHL and its affiliated companies.

Parameters: Provide common and consistent criteria for comparing all risks
to be managed.

Personal Personal data is relating to an identified or identifiable natural


identifying person. Thus, personal data includes, for example, not only
information individual first name/surname, postal address, or e-mail
(Personal address, telephone number and personal or customer number,
data): but also bank accounts, photographs, and IP addresses.

Probability Chance of an event happening, in discrete classes


class:

Probability: Chance of an event happening

RACI - matrix

Responsible: Those who do the work to achieve the task.


The role always includes C and I.

Accountable: Those who approve or have the final approving authority.


The role can include R.

Consulted: Those whose opinions are sought (typically, subject matter


experts) and with whom there is two-way communication.
The role always includes I.

Informed: Those who are kept up-to-date on progress, often only on


completion of the task or deliverable, and with whom there is
one-way communication.

Reporting Several properties, which altogether give the required


attribute: information on the reporting item. These properties define what
must be recorded, for each reporting item.
Attributes have pre-defined data types, such as: free text, string
with value ranges (such as “low”, “medium”, “high”, “very high”),
a date/time string, or a (real or integer) number.

Reporting Information Security incident reporting; Information Security risk


dimensions: reporting; Information Security control compliance monitoring;
Information Security implementation status reporting;
Information Security awareness reporting.

Version 1.31 - unclassified - 32/33


Information Security Policy

Reporting A single object of a reporting dimension; thus, a single incident,


item: like a single risk or control, is an item.

Reporting A reporting attribute (type: number or string), which measures a


parameter: certain property of a single item.
Examples:
(1) The Information Security incident severity class may be
considered as a parameter, in the reporting dimension
“Information Security incident management”.
(2) The Information Security incident description is a reporting
attribute, but not a parameter, since it does not measure
anything.

Risk class: Magnitude of risk, expressed in terms of the combination of


impact and their probability in discrete classes

Risk Handling or risk in discrete classes


treatment:
class:

Risk: Effect of uncertainty, on objectives

Sensitive Attributes such as race, religion, sexual preference.


identifying
information
(SII):

Target Can consist of physical, IT, data, or organizational


Environments: environments, as per the specification of assets, in chapter 8.

Threat3: Potential cause of an unwanted incident, which may result in


harm to an Information Security system or organization.

Threshold: Thresholds are preset filter settings for searching the reporting
item list. Thresholds do not limit any reporting data amount. All
divisional reporting data enter the corporate report.
Note: Thresholds underlie the Information Security management
review process, according to chapter 4.

3
Based on ISO 27000

Version 1.31 - unclassified - 33/33