Purpose & background
In the interest of all the stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the operations security policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and when significant change happens.
Objectives
The objectives of this control are:
To ensure correct and secure operations of information processing facilities (A.12.1).
To ensure that information and information processing facilities are protected against malware (A.12.2).
To protect against loss of data (A.12.3).
To record events and generate evidence (A.12.4).
To ensure the integrity of operational systems (A.12.5).
To prevent exploitation of technical vulnerabilities (A.12.6).
To minimise the impact of audit activities on operational systems (A.12.7).
Scope
The scope of this document corresponds to Clause 4 Context of the organisation.
Availability
This document is:
Norm elements
A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures
“Operating procedures shall be documented and made available to all users who need them.”
The operating procedures are described in A.12.1.1 Documented operating procedures. In addition, user manuals are publicly published on the Knowledge Base with version control. Developers have access to their own DevOps wiki with manuals under version control.
A.12.1.2 Change management
“Changes to the organisation, business processes, information processing facilities and systems that affect information security shall be controlled.”
A.12.1.3 Capacity management
“The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.”
Microsoft Azure resource capacity:
If an organisation wishes to work with myDRE, it has to acquire at least two Microsoft Azure subscriptions under its own billing account. Microsoft Azure imposes certain quota limits on resources such as (large) Virtual Machines (VMs). The organisation can request a quota increase via its local Research Support Team member, who validates the request and forwards it to anDREa’s Support Team. In case the local Research Support Team member is also the Subscription Owner, they can increase the quota themselves. Be aware that the quota for certain VMs might be restricted by Microsoft; in that case the anDREa Support Team will do its best to negotiate an increase with Microsoft.
One of the tenant’s subscriptions is configured for workspace deployment. Each subscription can hold up to 100 workspaces. anDREa strongly recommends creating a new subscription well in advance, and communicating this so that the subscription can be onboarded in a timely manner, to avoid users having to wait longer for a new Workspace. The new myDRE Admin portal shows local Research Support Team members the number of Workspace slots left in a subscription. A second subscription is configured for resources shared among the tenant's subscriptions (e.g. Bastion, software share, workspace archival).
Human capacity:
anDREa’s development and support team capacity is planned in preparation for the sprints, in which the capacity is defined in DevOps. Human capacity is evaluated at least during anDREa’s annual budgeting process.
A.12.1.4 Separation of development, testing and operational environments
“Development, testing, and operational environments shall be separated to reduce the risks of unauthorised access or changes to the operational environment.”
anDREa has separated the development, testing (acceptance) and production environments. Code is developed locally and integrated through push and pull requests in GitHub. Code is deployed via pipelines to the development environment for the first phase of testing. After extensive testing, the code is pushed to the acceptance environment for further testing. Lastly, the code is pushed to production and final smoke tests are performed. Developers do not have access to production. Development and testing are done without touching production data.
A.12.2 Protection from malware
A.12.2.1 Controls against malware
“Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.”
The use of anti-malware tools is described in A.6.2 Mobile devices and teleworking. Moreover, malware awareness is one of the principles in the Information Security & Data Protection training, which has to be completed upon onboarding and renewed annually.
A.12.3 Backup
A.12.3.1 Information backup
“Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.”
Verification that the backup has been performed is registered in the appropriate tickets.
A.12.4 Logging and monitoring
A.12.4.1 Event logging
“Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.”
anDREa makes use of extensive logging. For example, user sign-in logs and privileged identity management (PIM) role activations are reviewed monthly during Information Security Management Board (ISMB) meetings. anDREa has access to extensive event logs in Azure, which are monitored 24x7x365 by a third party.
Access logs for the SaaS applications used by anDREa are periodically reviewed by the Asset Responsible, and registered in a ticket.
A.12.4.2 Protection of log information
“Logging facilities and log information shall be protected against tampering and unauthorised access.”
Logging information in Microsoft Azure is stored in Log Analytics Workspaces. Log entries are immutable.
A.12.4.3 Administrator and operator logs
“System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.”
Logging information for all Software-as-a-Service (SaaS) applications used by anDREa is reviewed periodically, including administrator logs. For instance, administrator activities on myDRE require PIM role activation. PIM role activations, eligibility and justifications are reviewed monthly during the ISMB meeting.
A.12.4.4 Clock synchronisation
“The clocks of all relevant information processing systems within the organisation or security domain shall be synchronised to a single reference time source.”
A.12.5 Control of operational software
A.12.5.1 Installation of software on operational systems
“Procedures shall be implemented to control the installation of software on operational systems.”
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities
“Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.”
anDREa uses several channels to acquire information about technical vulnerabilities:
Annual penetration test (pentest).
Annual white box audit pentest.
Alerts and monitoring on events in Microsoft Azure.
Subscription to the Nationaal Cyber Security Centrum RSS feeds.
User reports.
Following websites like bleepingcomputer.com.
Subscription to A51 Security daily newsletters.
A.12.6.2 Restrictions on software installation
“Rules governing the installation of software by users shall be established and implemented.”
Within myDRE workspaces, it is the responsibility of the Workspace Accountable to control the installation and maintenance of the software.
A.12.7.1 Information systems audit controls
“Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.”
Technical audits are described in A.12.7.1 Information systems audit controls.