April 27, 2017
J.nr. 2017-2466

Annex 4 – Requirements on Information Security

[Tender Guidance:

The tenderer shall not complete this Annex 4 in connection with submission of the tender.

This Annex 4 is to be considered a Mandatory Requirement in its entirety. Thus the tenderer may not modify the content of the Annex.

As stipulated in the Instructions to Tenderers, the Mandatory Requirements are fundamental requirements, which shall all unconditionally be complied with.

This tender guidance will be removed by the contracting authority in connection with the conclusion of the Contract.]

Table of Contents

Annex 4 – Requirements on Information Security

1. Introduction

2. Requirements

2.1. Customer’s Requirements for Safety

2.1.1. Risk-based management system for information security management

2.1.2. Supplier ISMS

2.1.3. Information Security Policies

2.1.3.1. Guidelines for the Management of Information Security

2.1.4. Organizing Information Security

2.1.4.1. Internal organization

2.1.4.2. Segregation of duties

2.1.4.3. Contact with Authorities

2.1.4.4. Contact with special interest groups

2.1.4.5. Mobile Equipment and teleworking

2.1.5. Personnel Safety

2.1.5.1. Before joining

2.1.5.2. During employment

2.1.5.3. Termination of employment or change

2.1.6. Management of Assets

2.1.6.1. Responsibility for Assets

2.1.7. Access Control

2.1.7.1. Commercial Requirements for access

2.1.7.2. Administration of user access

2.1.7.3. User Responsibilities

2.1.7.4. Control of system and application access

2.1.8. Cryptography

2.1.8.1. Cryptographic controls

2.1.9. Physical Insurance and Environmental Protection

2.1.9.1. Secure areas

2.1.9.2. Physical security perimeter

2.1.9.3. Physical entry controls

2.1.9.4. Securing offices, rooms and facilities

2.1.9.5. Protection against external and environmental threats

2.1.9.6. Working in secure areas

2.1.10. Equipment

2.1.10.1. Equipment siting and protection

2.1.10.2. Supporting utilities

2.1.10.3. Cabling security

2.1.10.4. Equipment maintenance

2.1.10.5. Secure disposal or reuse of equipment

2.1.11. Operation Security

2.1.11.1. Operating procedures and responsibilities

2.1.11.2. Malware Protection

2.1.11.3. Backup

2.1.11.4. Logging and Monitoring

2.1.11.4.1. Protection of log information

2.1.11.4.2. Administrator and operator logs

2.1.11.4.3. Clock synchronization

2.1.11.5. Control of operating software

2.1.11.6. Vulnerability Management

2.1.11.7. Considerations in connection with the audit of information systems

2.1.12. Communication Security

2.1.12.1. Managing Network Security

2.1.12.2. Information Transfer

2.1.13. Acquisition, development and maintenance of systems

2.1.13.1. Safety of the information

2.1.13.2. Security in development and support processes

2.1.13.3. Test Data

2.1.14. Supplier Relationship

2.1.14.1. Management of Supplier services

2.1.14.2. Addressing security within supplier agreements

2.1.14.3. Information and communication technology supply chain

2.1.15. Managing Information Security Breaches

2.1.15.1. Responsibilities and procedures

2.1.15.2. Reporting information security event

2.1.15.3. Reporting information security weakness

2.1.16. Information Security Aspects of Business Continuity Management

2.1.16.1. Redundancies

2.1.17. Compliance

2.1.17.1. Compliance with legal and contractual requirements

2.1.17.2. Appropriate technical and organizational measures

1. Introduction:

This Annex 4 specifies the Customer’s requirements on information security.

Security-related terms used in the following are based on the vocabulary used in the ISO27000 standard. The security requirements are generally based on ISO/IEC 27001:2013 and ISO/IEC 27002:2014. In addition, this Annex 4 also includes security requirements based on the controls and implementation guidance provided in ISO/IEC 27017:2015 and ISO/IEC 27018:2014.

2. Requirements

2.1. Customer’s Requirements for Safety

The following security requirements are based on ISO/IEC 27001:2013, ISO/IEC 27002:2014, ISO/IEC 27017:2015 and ISO/IEC 27018:2014, including the CIS Critical Security Controls for Effective Cyber Defense, version 6, of 15 October 2015 ("CSC").

2.1.1. Risk-based management system for information security management

The Supplier shall, in order to continuously ensure the security requirements related to the provision of ongoing Cloud Services, related support services and consultancy services, maintain a management system for information security management (ISMS) based on the current version of ISO/IEC 27001:2013 or an equivalent (national or international) standard on risk management processes recognized by accredited bodies (see below), and in accordance with the specific requirements regarding the Supplier's ISMS set forth in this section 2.1.1. The Supplier and its sub-suppliers shall also continuously adapt their ISMS whenever the Supplier updates its risk assessment as required, and whenever the requirements below require such an update.

The Supplier’s risk management of information security in respect of the Supplier's fulfilment of the Contract shall be based on a documented and regularly updated risk assessment. In relation to the risk assessment, the following applies:

·  The risk assessment shall include the Cloud Services, related support services and consultancy services and the parts of the Supplier's business which may have implications for the information security system,

·  The Supplier shall update its risk assessment as a minimum one (1) time annually, and in connection with impending changes to the Supplier's own organization, impending changes to any sub-supplier relationship or impending changes to the information security system which may have implications for information security,

·  The Supplier shall update its risk assessment, when ordered by the Customer, to include a specific threat in the risk assessment, including but not limited to threats identified by the Customer in connection with updates of the Customer's own risk assessment. Such mandatory updates of the Supplier's risk assessment shall be carried out by the Supplier within a reasonable period of time, which shall be determined taking into account the character and nature of the threat,

·  The Supplier shall ensure, that the Customer at all times has in his possession the Supplier’s most recent risk assessment.

2.1.2. Supplier ISMS

The Supplier shall ensure that its ISMS as a minimum complies with the specific requirements stated in sections 2.1.3 – 2.1.16, which are based on ISO/IEC 27001:2013, Annex A, ISO/IEC 27002:2014 and the SANS CIS Critical Security Controls (version 6.1). The specific requirements shall be fulfilled regardless of the implications for the Supplier's compliance with section 2.1.1.

2.1.3. Information Security Policies

2.1.3.1. Guidelines for the Management of Information Security

This requirement is based on ISO/IEC 27001:2013, Annex A, clause 5.

The Supplier shall apply the general information security requirements stated in the information security policy approved by the Supplier’s top management and followed by the Supplier's own organization, in any sub-supplier relationship and/or in respect of impending changes to the management system, which may have implications for the management of information security.

This requirement is based on ISO/IEC 27017:2015 and ISO/IEC 27018:2014:

The Supplier shall augment its information security policy to address the Supplier’s provision and the Customer’s use of the Cloud Services, related support services and consultancy services, taking the following into account:

-  the baseline information security requirements applicable to the design and implementation of the Cloud Services, related support services and consultancy services;

-  risks from authorized insiders;

-  multi-tenancy and cloud service Customer isolation (including virtualization);

-  access to cloud service Customer assets by staff of the Supplier;

-  access control procedures, e.g. strong authentication for administrative access to the Cloud Services, related support services and consultancy services;

-  communication to cloud service Customers during change management;

-  virtualization security;

-  access to and protection of cloud service Customer’s Data;

-  lifecycle management of cloud service Customer’s accounts;

-  communication of breaches and information sharing guidelines to aid investigations and forensics.

2.1.4. Organizing Information Security

This section is based on ISO/IEC 27001:2013, Annex A, clause 6 on Organization of information security and ISO/IEC 27017:2015, clause 6 on the same matter:

2.1.4.1. Internal organization

This requirement is based on ISO/IEC 27002, clause 6.1:

The Supplier shall be accountable for the information security related to the Cloud Services, related support services and consultancy services provided under the Contract. The Supplier shall agree and document an appropriate allocation of information security roles and responsibilities with the Supplier’s organization, its Cloud Services, related support services and consultancy services, and its suppliers.

The security implementation and provisioning shall be made according to the roles and responsibilities determined within the Supplier’s organization.

The ownership of all assets, and the party who has responsibility for operations associated with these assets, such as backup and recovery operations, shall be defined and documented by the Supplier.

The Supplier shall provide information to the Customer regarding the circumstances, under which it uses cryptography to protect the information it processes.

For the purposes of encryption of data at rest and data in transit, the Customer uses industry standard cryptographic algorithms. The Supplier shall support these algorithms.

The Supplier shall specify responsibilities, in particular:

a)  identify and define information assets and information security processes,

b)  document the entity responsible for each information asset or information security process and document the information, see clause 2.1.6 below,

c)  identify and document the coordination and overview of information security aspects related to sub-supplier relationships.

2.1.4.2. Segregation of duties

This requirement is based on ISO/IEC 27001:2013, Annex A, control 6.1.2:

The Supplier shall ensure that conflicting functions and responsibilities are separated to reduce the possibility for unauthorized or accidental use, modification or abuse of the information assets relevant to the fulfilment of the Contract.

This requirement is based on ISO/IEC 27002:2014, control 6.1.2:

The Supplier shall ensure that no person can access, modify or use the information assets relevant to the fulfilment of the Contract without authorization and without such access, modification or use being detected.

The Supplier shall ensure that the initiation of an action (access, modification or use) is separated from the approval of such action.

2.1.4.3 Contact with Authorities

This requirement is based on ISO/IEC 27001:2013, Annex A, control 6.1.3:

The Supplier shall ensure the maintenance of the appropriate contact with the relevant authorities in order to fulfill the Contract.

This requirement is based on ISO/IEC 27002:2013, control 6.1.3:

The Supplier shall establish procedures which specify when and by whom authorities (e.g. the police, the inspectorates, the supervisory authorities) shall be contacted, and how identified information security breaches are to be reported in a timely manner.

2.1.4.4. Contact with special interest groups

This requirement is based on ISO/IEC 27001:2013, Annex A, control 6.1.4:

The Supplier shall ensure the maintenance of appropriate contact with special interest groups and other professional security forums and professional organizations associated with the fulfilment of the Contract.

2.1.4.5. Mobile Equipment and teleworking

This requirement is based on ISO/IEC 27001:2013, Annex A, control 6.2.1:

The Supplier shall apply a policy and supporting safeguards to control the risks arising from the application of mobile equipment in connection with the fulfilment of the Contract.

The Supplier shall ensure that business information is not compromised when the Supplier uses mobile equipment in connection with the fulfilment of the Contract.

The Supplier shall take into account the risks of working with mobile equipment in unprotected environments.

This requirement is based on ISO/IEC 27002:2014, clause 6.2:

The Supplier shall ensure the safeguarding of business information, when mobile equipment is used in connection with the fulfilment of the Contract.

The policy concerning such mobile equipment shall as a minimum include:

a)  registration of the mobile equipment,

b)  physical protection requirements,

c)  limitation of the software installations,

d)  requirements for the software versions in mobile equipment and the use of patches,

e)  limitation of connections to information services,

f)  access control,

g)  cryptography,

h)  malware protection,

i)  deactivation, deletion or blocking,

j)  backup,

k)  use of web services and web apps.

The Supplier shall apply a policy and the supporting security measures in order to protect information that is accessed, processed or stored on remote teleworking in connection with the fulfilment of the Contract.

The Supplier shall ensure the following security requirements as a minimum:

a)  requirements for communications security, taking into account the need for remote access to the organization's internal systems, the sensitivity of the information that is available and transmitted on the communication link and how sensitive the internal system is;

b)  access to the virtual desktop, which prevents processing and storage of information on private equipment;

c)  assessment of the threat of unauthorized access to information or resources by other persons using the home, e.g. family and friends;

d)  requirements for the use of private networks and requirements or restrictions on the configuration of wireless network services;

e)  requirements for malware protection and firewalls;

f)  the definition of the tasks, working hours, classification of information that can be accessed, as well as the internal systems and services, which the teleworker is authorized to use;

g)  the acquisition of adequate communication equipment, including methods for securing remote access;

h)  rules and guidance on family and visitor access to equipment and information;

i)  support and maintenance of hardware and software.

2.1.5. Personnel Safety

2.1.5.1. Before joining

This requirement is based on ISO/IEC 27001:2013, Annex A, control 7.1.1:

The Supplier shall perform background checks on all the Supplier’s employees and candidates who participate or will participate in the fulfilment of the Contract, in accordance with all relevant laws, regulations and ethical rules and taking into account the Supplier’s risk assessment, cf. section 2.1.1.

This requirement is based on ISO/IEC 27002:2014, control 7.1.1:

The Supplier’s background checks shall take into account all relevant laws relating to privacy and personal data protection, as well as local employment regulation.

When an employee of the Supplier is assigned to or a candidate is hired for a specific information security role, the Supplier shall ensure that the employee or candidate:

a)  possesses the necessary skills to fulfill the security role, and

b)  can be entrusted with the security role, especially if the security role is critical to the fulfilment of the Contract.

This requirement is based on ISO/IEC 27001:2013, Annex A, control 7.1.2:

The Supplier shall ensure that the contracts with the Supplier’s employees and sub-suppliers who participate in the fulfilment of the Contract include a specification of the individual information security requirements and responsibilities to which the employee and/or sub-supplier shall adhere.