30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

SMART has a dedicated Information Asset Protection and Assurance (IAPA) Department that identifies and minimizes risks in order to maximize the success of the company by ensuring confidentiality, integrity and availability of information assets within the company, which will include the operations of .SMART registry.

INDEPENDENT ASSESSMENT BY AN EXTERNAL PARTY

SMART, as a wholly owned mobile phone and Internet service subsidiary of the Philippine Long Distance Telephone Company (PLDT) is required to comply with Sarbanes-Oxley Act. Annual assessment is being conducted by an external party, Ernst & Young (E&Y), to accredit SMART as compliant to the said U.S. Federal Law.

As part of Sarbanes-Oxley Act, the assessment by the external party is to ensure User Access Management (UAM) is strictly followed by the company. UAM in SMART is being reviewed based on the following:

· Type of access (i.e. physical and logical access)
· Type of account (e.g. administrator, regular user, system account)
· Access privilege to ensure practice of least privilege and segregation of duties
· Frequency of review (e.g. monthly, quarterly)
· Employee movement (e.g. transfer, resignation)

Also, SMART Money service of SMART is a Payment Card Industry Data Security Standard (PCI-DSS) compliant service being accredited by PCI Council, one of which is MasterCard. In order to be compliant, a PCI Council-accredited Qualified Security Assessor (QSA) is needed to annually assess all involved processes and systems of the said service.

CORPORATE INFORMATION SECURITY POLICY

The Corporate Information Security Policy of SMART is annually reviewed, updated as necessary, and approved by the top level management before being cascaded to different groups or departments. Current security policy is based on the eleven (11) domains and controls of the ISO 27001:

· Security Policy -- the creation, suitability, adequacy and effectiveness of the information security policy shall be ensured by reviewing the policy at planned intervals or after changes which affect the organization’s security requirements are approved and implemented.
· Organization of information security Policy – this policy pertains to the establishment of applicable processes and controls for both internal and external parties of SMART’s.
· Internal – includes the management commitment to Information Security, establishment of Information Security Steering Committee (ISSC) responsible for developing the management for framework for information security, accountability.
· External – addressing security when outsourcing or dealing with clients or contractors.
· Asset Management Policy – this includes the responsibility for assets and classification of assets
· Human Resource Policy – the policy addresses the security concerning employment lifecycle from prior to employment, during employment, termination or change of employment of an employee, contractor, or third party. The security being addressed includes employee terms and conditions, non-disclosure agreement (NDA), declaration of compliance, inclusion of security responsibilities in the performance evaluation, security awareness and training.
· Physical and Environmental Security Policy – this policy addresses security that includes establishment of physical security perimeter, segregation of areas, access restriction and access authorization requirements, logging of physical entry access, monitoring and audit of the logs, establishment of controls against external and environmental threats, protection of equipment.
· Communications and Operations Management Policy – this policy includes the need for documentation of operation procedures, change management, segregation of duties, separation of facilities (i.e. development, testing, operational), third party service delivery management, system planning and acceptance, protection against malicious and mobile code, back-up, different media handling, exchange of information.
· Access Control Policy – this policy includes the need for endorsement and approval of access request, legal contract or agreement by an authorized SMART office with contractor, business partners, or third party. It also requires following user access management, which refers to user registration, privilege management, password management, and review of user access rights. The policy also includes the need for applicable controls on network, server, application, mobile computing and teleworking.
· Information Systems Acquisition, Development and Maintenance Policy – this policy includes the need for security requirements specifications on all business requirements for new or existing information systems, control of internal processing, data validation, use of cryptographic controls, key management, access control to program source code, security in development and support processes, technical vulnerability management.
· Incident Management Policy – this policy includes reporting information security events and weaknesses, management of information security incidents and improvements that refers to development of Security Response Team, collection and handling of evidence.
· Business Continuity Management Policy – this policy includes the need to adopt a program for developing, testing, maintaining, and update as necessary of business continuity plan throughout SMART in case of a disaster.
· Compliance Policy – this policy includes the need for compliance with legal requirements which refers to identification of applicable legislation, intellectual property rights (IPR), regulation of cryptographic controls, data protection and privacy of personal information. It also includes compliance with SMART’s security policies and standards, and audit considerations.


Complementing the 11 policies are sub-policies that touch on detailed security controls covering the following areas:
· Password and Login Control – covers the security of login and passwords that include, but are not limited to, password complexity, password length, password expiration and account locking.
· Network Security – covers network controls that include, but are not limited to, securing internal networks, externally-access networks or DMZs, implementation of firewalls, other network protection systems (i.e. intrusion detection, web filtering, SPAM control, etc.) and network management. It also covers security of Internet access provided to employees that include, but are not limited to, acceptable use, web filtering, provision of access and compliance with Intellectual Property Rights.
· Information Processing Facilities – covers security for Company facilities used to process Company information that include, but are not limited to, facility classification & corresponding security controls, physical access controls, security of physical equipment and environmental security
· Information Asset Classification – covers security of Company information which includes, but not limited to, classification of information, handling of information based on classification, classification labeling, information ownership and roles & responsibilities.
· Security Monitoring & Incident Management – covers monitoring for security events and managing security incidents that include, but are not limited to, management of system logs (i.e. collection, review, protection, etc.), incident reporting, investigation, response & handling and disciplinary process. This also includes the security of email, desktop, and application systems.
· User Access Management – covers security implemented on all systems that manage all levels of accesses (both from users and from systems) to ensure that systems are accessed only by authorized users or systems at any point in time.
· Outsourcing and Third Party – covers security for working Third Party entities for various engagements and for Outsourcing engagements that include, but are not limited to, service level agreements (SLAs), maintenance services, escalation, contract management, acceptance and data confidentiality.

IAPA RESPONSIBILITIES

Technical Standards – IAPA has a list of different technical standards internally available to SMART technical teams to ensure that systems being deployed follow an internationally-accepted settings or configurations. These technical standards are derived from the documents publicly available on:

· Center for Internet Security or CIS (http:⁄⁄www.cisecurity.org)
· National Institute of Standards and Technology or NIST (http:⁄⁄www.nist.gov⁄index.html)
· Other sites that provide security best practices, such as (but not limited to):
· SANS Institute (http:⁄⁄www.sans.org⁄security-resources)
· Information Systems Audit and Control Association or ISACA (http:⁄⁄www.isaca.org)


Enrollment to Control Compliance Tool – this is an activity to ensure that systems are checked as compliant with the existing technical standards. This activity is done before deployment of systems to production, and regularly observed while the systems are in production.

Vulnerability Management – an activity ensuring a regular vulnerability assessment of systems are performed before and after being deployed. As publicly known, it is a cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. IAPA has a commercially-developed tool to conduct the scan in order to identify the vulnerabilities present on a system. After this, a report will be generated and IAPA will classify or assess what vulnerabilities need to be remediated based on the severity. The assessment will then be forwarded to the custodian of the systems for remediation and mitigation. If all vulnerabilities subject for remediation have been addressed, another round of vulnerability scanning will be conducted for validation.

Installation of Intrusion Detection System (IDS) – an activity currently performed on perimeter of SMART’s network. IAPA is using an open-source IDS tool to detect anomaly-based intrusion and then logged to the centralized log tool in real time. Incident management process follows if intrusion is detected.

Incident Management - handled by the Computer Security Incident Response Team (CSIRT) in IAPA with the following roles and responsibilities:
· Available 24⁄7 to respond to alerts corresponding to intrusion detection, intrusion prevention, and file integrity monitoring systems
· Performs initial investigation of the cause of problems encountered
· Ensure immediate system availability
· Tests the incident management plan (annually) in coordination with the other teams
· Performs Security Monitoring activities scanning our environment for vulnerabilities, threats, and abnormal activities from our systems
· Monitors for the presence of rogue wireless access devices

Sample of Incident Management:
· Operating System Event – Switch user to root
· Any attempts seen will notify CSIRT via e-mail.
· CSIRT will file immediately an incident ticket and directly assign it to the respective custodians of the system involved
· Custodians will then investigate why the users switch user to root
· Comment in the incident ticket coming from the user who triggered the event will be required, explaining the event.
· Assessment, including mitigation and sanctions, will be provided as applicable

(2) Security capabilities are consistent with the overall business approach and planned size of the registry.

IAPA has sufficient manpower and funding to ensure security of gTLD systems and processes.

(3) A technical plan adequately resourced in the planned costs detailed in the financial section.

IAPA has the process, technical plan, and roadmap to implement processes and solutions across Smart Communications. IAPA has also ongoing discussions and implementations of security solutions with vendors including, but not limited to:
· IBM
· HP
· ArcSight
· Tripwire
· Cyber-Ark

IAPA has an annual CAPEX budget to cover new technology tools that would increase the protection of information and USD1.0M for OPEX to continue operations of existing tools and implement Service-type (e.g. Consultations, Outsourced services, etc) security controls.

(4) Security measures are consistent with any commitments made to registrants regarding security levels. Registrant information is protected in that .SMART does not rent, sell, or share personal information about the registrant with other people or non-affiliated companies except to provide products or services that the registrant has requested and has given permission (to be shared).

(5) Security measures are appropriate for the applied for gTLD string (For example, applications for strings with unique trust implications, such as financial services-oriented strings, would be expected to provide a commensurate level of security).

Please refer to section 30(a)(2) above.

Similar gTLD applications: (0)