Security requirements

Last updated: 02/08/2023
Current version effective from: 02/08/2023

Page contents

• 1 Scope and Purpose
• 2 Information Security Governance
• 3 ISMS Requirements
  • 3.1 Organization of Information Security
  • 3.2 Information Asset Management
  • 3.3 Human Resources Security
  • 3.4 Access Control
  • 3.5 Operations Security
  • 3.6 Incident Management
  • 3.7 Physical and Environmental Security
• 4 Security Testing

1 Scope and Purpose

The following information security requirements apply to Signicat’s processing of Customer’s data or otherwise delivery of the operational services delivered to Customer.

These requirements shall ensure that Signicat handles all Customer information with security in mind, and Supplier delivered services are protected to ensure confidentiality, integrity and availability.

2 Information Security Governance

Signicat shall have a documented Information Security Management System (ISMS) aligned with ISO 27001:2013 (or subsequent versions), or a set of policies to that effect.

The ISMS, or set of policies, shall have top level management commitment.

Signicat shall have a documented risk management process, with supporting procedures and controls that are effective and operational.

3 ISMS Requirements

Signicat’s ISMS, or set of policies, shall as a minimum have the following requirements implemented.

3.1 Organization of Information Security

Information security responsibilities must be defined and allocated.

3.2 Information Asset Management

Information assets shall be identified, classified and protected according to their classification.

3.3 Human Resources Security

A background check shall be completed for all full-time, part-time and temporary employees.

3.4 Access Control

The principle of least privilege shall be applied, both in design and implementation of access controls and provisioning of user and system access rights.

Requirements for access control to a system or information shall be aligned with the information classification of the assets to be protected.

A formal process for user registration and de-registration shall be used.

A formal process for user access provisioning shall be used.

User IDs of users who have left the organization shall immediately be disabled or removed.

When a user changes role or responsibilities in the organization, any assigned access rights that are no longer needed, shall be removed.

3.5 Operations Security

There must be written operating procedures for all systems that processes, store or in some other way handles customer’s information. The procedures shall ensure that information is handled and stored in compliance with information security policies, regulatory requirements and contractual obligations.

Changes to the organization, business process, information processing facilities, supplier relationships, internal processes and systems that affect information security shall be controlled.

Development, testing, and operational environments shall be separated, logically or physically.

Backup shall be taken of all information according to availability and integrity requirements, taking confidentiality requirements into account.

There shall be kept event logs of user activities, exceptions, faults and information security events in systems and networks that is, or contains, customers’ information. These logs shall be reviewed regularly.

All changes to operational software, applications and program libraries shall be performed by trained administrators.

All software shall be tested, approved and undergo a risk assessment prior to installation.

All updates and changes to systems, software, application and program libraries shall be recorded.

3.6 Incident Management

There are procedures for incident management.

All employees and contractors shall report information security events and weaknesses to point of contact as quickly as possible.

All information security incidents and weaknesses shall be reported to interested parties as quickly as possible.

The analysis and resolving of all incidents shall be evaluated to reduce the likelihood or impact of future incidents.

All information security incidents, and the response, shall be recorded.

3.7 Physical and Environmental Security

Areas that contain information and information processing facilities shall be defined, classified, and documented.

Windows and doors shall be closed and locked at all times.

Physical access shall be restricted to authorized personnel only and visitors shall always be accompanied.

Physical access during office hours shall be restricted by a personal access card and PIN.

Physical access rights shall be annually reviewed, shall be updated when necessary, and revoked when necessary.

An intruder detection system shall be active when the location is unattended, and this system shall be tested annually.

The intruder detection system shall be connected with a guard central that offers guard dispatch.

An audit trail of access to the area or facilities shall be securely maintained and monitored.

4 Security Testing

Signicat shall conduct relevant periodical security testing of its systems.