Statement of Applicability Template

IT Department ISMS Policies Procedures
P&P Number: UT-ISMS-A-5    Originator: CISO
Last Review: August 23, 2007    Pages: 4
Policy Title: Statement of Applicability
Ushus Technologies, Accel Transmatic Ltd    Compiled by: CISO

Control Code # | Control Objective | Implemented | Evidence / Remarks
A.5 | Security policy | |
A.5.1 | Information security policy | |
A.5.1.1 | Information security policy document | Yes | ISMS-A-2 ISMS Policy & Scope
A.5.1.2 | Review of the information security policy | Yes | ISMS-A-2 ISMS Policy & Scope & SMC Meeting Notes
A.6 | Organization of information security | |
A.6.1 | Internal organization | |
A.6.1.1 | Management commitment to information security | Yes | ISMS-A-2 ISMS Policy & Scope & ISMS-B-1 Internal Information Security Organisation Policy
A.6.1.2 | Information security coordination | Yes | ISMS-B-1 Internal Information Security Organisation Policy & ISMS-B-4 Information Security Organisation Chart
A.6.1.3 | Allocation of information security responsibilities | Yes | ISMS-B-1 Internal Information Security Organisation Policy
A.6.1.4 | Authorization process for information processing facilities | Yes | ISMS-B-1 Internal Information Security Organisation Policy
A.6.1.5 | Confidentiality agreements | Yes | ISMS-B-1 Internal Information Security Organisation Policy
A.6.1.6 | Contact with authorities | Yes | ISMS-B-1 Internal Information Security Organisation Policy
A.6.1.7 | Contact with special interest groups | Yes | ISMS-B-1 Internal Information Security Organisation Policy
A.6.1.8 | Independent review of information security | Yes | ISMS-B-1 Internal Information Security Organisation Policy
A.6.2 | External parties | |
A.6.2.1 | Identification of risks related to external parties | Yes | ISMS-B-2 External Information Security Organisation Policy
A.6.2.2 | Addressing security when dealing with customers | Yes | ISMS-B-2 External Information Security Organisation Policy
A.6.2.3 | Addressing security in third party agreements | Yes | ISMS-B-2 External Information Security Organisation Policy
A.7 | Asset management | |
A.7.1 | Responsibility for assets | |
A.7.1.1 | Inventory of assets | Yes | ISMS-C-1 Asset Management Policy
A.7.1.2 | Ownership of assets | Yes | ISMS-C-1 Asset Management Policy
A.7.1.3 | Acceptable use of assets | Yes | ISMS-C-1 Asset Management Policy
A.7.2 | Information classification | |
A.7.2.1 | Classification guidelines | Yes | ISMS-C-2 Information Classification Policy
A.7.2.2 | Information labelling and handling | Yes | ISMS-C-2 Information Classification Policy
A.8 | Human resources security | |
A.8.1 | Prior to employment | |
A.8.1.1 | Roles and responsibilities | Yes | ISMS-D-1 Human Resources Security Policy
A.8.1.2 | Screening | Yes | ISMS-D-1 Human Resources Security Policy
A.8.1.3 | Terms and conditions of employment | Yes | ISMS-D-1 Human Resources Security Policy
A.8.2.2 | Information security awareness, education and training | Yes | ISMS-D-1 Human Resources Security Policy
A.8.2.3 | Disciplinary process | Yes | ISMS-D-1 Human Resources Security Policy


Control Code # | Control Objective | Implemented | Evidence / Remarks
A.8.3 | Termination or change of employment | |
A.8.3.1 | Termination responsibilities | Yes | ISMS-D-2 Change of Employment Policy
A.8.3.2 | Return of assets | Yes | ISMS-D-2 Change of Employment Policy
A.8.3.3 | Removal of access rights | Yes | ISMS-D-2 Change of Employment Policy
A.9 | Physical and environmental security | |
A.9.1 | Secure areas | |
A.9.1.1 | Physical security perimeter | Yes | ISMS-E-1 Secure Areas Policy
A.9.1.2 | Physical entry controls | Yes | ISMS-E-1 Secure Areas Policy
A.9.1.3 | Securing offices, rooms and facilities | Yes | ISMS-E-1 Secure Areas Policy
A.9.1.4 | Protecting against external and environmental threats | Yes | ISMS-E-1 Secure Areas Policy
A.9.1.5 | Working in secure areas | Yes | ISMS-E-1 Secure Areas Policy
A.9.1.6 | Public access, delivery and loading areas | Yes | ISMS-E-1 Secure Areas Policy
A.9.2 | Equipment security | |
A.9.2.1 | Equipment siting and protection | Yes | ISMS-E-2 Equipment Security Policy
A.9.2.2 | Supporting utilities | Yes | ISMS-E-2 Equipment Security Policy
A.9.2.3 | Cabling security | Yes | ISMS-E-2 Equipment Security Policy
A.9.2.4 | Equipment maintenance | Yes | ISMS-E-2 Equipment Security Policy
A.9.2.5 | Security of equipment off-premises | Yes | ISMS-E-2 Equipment Security Policy
A.9.2.6 | Secure disposal or re-use of equipment | Yes | ISMS-E-2 Equipment Security Policy
A.9.2.7 | Removal of property | Yes | ISMS-E-2 Equipment Security Policy
A.10 | Communications and operations management | |
A.10.1 | Operational procedures and responsibilities | |
A.10.1.1 | Documented operating procedures | Yes | ISMS-F-1 Secure Operations Policy
A.10.1.2 | Change management | Yes | ISMS-F-1 Secure Operations Policy
A.10.1.3 | Segregation of duties | Yes | ISMS-F-1 Secure Operations Policy
A.10.1.4 | Separation of development, test and operational facilities | Yes | ISMS-F-1 Secure Operations Policy
A.10.2 | Third party service delivery management | |
A.10.2.1 | Service delivery | Yes | ISMS-F-2 Service Delivery Management Policy
A.10.2.2 | Monitoring and review of third party services | Yes | ISMS-F-2 Service Delivery Management Policy
A.10.2.3 | Managing changes to third party services | Yes | ISMS-F-2 Service Delivery Management Policy
A.10.3 | System planning and acceptance | |
A.10.3.1 | Capacity management | Yes | ISMS-F-3 System Planning Policy
A.10.3.2 | System acceptance | Yes | ISMS-F-3 System Planning Policy
A.10.4 | Protection against malicious and mobile code | |
A.10.4.1 | Controls against malicious code | Yes | ISMS-F-4 Malicious & Mobile Code Prevention Policy; McAfee anti-virus ent edition
A.10.4.2 | Controls against mobile code | Yes | ISMS-F-4 Malicious & Mobile Code Prevention Policy


Control Code # | Control Objective | Implemented | Evidence / Remarks
A.10.5 | Back-up | |
A.10.5.1 | Information back-up | Yes | ISMS-F-5 Backup Policy
A.10.6 | Network security management | |
A.10.6.1 | Network controls | Yes | ISMS-F-6 Network Security Policy
A.10.6.2 | Security of network services | Yes | ISMS-F-6 Network Security Policy
A.10.7 | Media handling | |
A.10.7.1 | Management of removable media | Yes | ISMS-F-7 Media Handling Policy
A.10.7.2 | Disposal of media | Yes | ISMS-F-7 Media Handling Policy
A.10.7.3 | Information handling procedures | Yes | ISMS-F-7 Media Handling Policy
A.10.7.4 | Security of system documentation | Yes | ISMS-F-7 Media Handling Policy
A.10.8 | Exchange of information | |
A.10.8.1 | Information exchange policies and procedures | Yes | ISMS-F-8 Information Exchange Policy
A.10.8.2 | Exchange agreements | Yes | ISMS-F-8 Information Exchange Policy
A.10.8.3 | Physical media in transit | Yes | ISMS-F-8 Information Exchange Policy
A.10.8.4 | Electronic messaging | Yes | ISMS-F-8 Information Exchange Policy; encrypted email transmissions using PGP
A.10.8.5 | Business information systems | Yes | ISMS-F-8 Information Exchange Policy
A.10.9 | Electronic commerce services | |
A.10.9.1 | Electronic commerce | Yes | ISMS-F-9 Electronic Commerce Policy
A.10.9.2 | On-line transactions | Yes | ISMS-F-9 Electronic Commerce Policy
A.10.9.3 | Publicly available information | Yes | ISMS-F-9 Electronic Commerce Policy
A.10.10 | Monitoring | |
A.10.10.1 | Audit logging | Yes | ISMS-F-10 Information Process Monitoring Policy
A.10.10.2 | Monitoring system use | Yes | ISMS-F-10 Information Process Monitoring Policy
A.10.10.3 | Protection of log information | Yes | ISMS-F-10 Information Process Monitoring Policy
A.10.10.4 | Administrator and operator logs | Yes | ISMS-F-10 Information Process Monitoring Policy
A.10.10.5 | Fault logging | Yes | ISMS-F-10 Information Process Monitoring Policy
A.10.10.6 | Clock synchronization | Yes | ISMS-F-10 Information Process Monitoring Policy
A.11 | Access control | |
A.11.1 | Business requirement for access control | |
A.11.1.1 | Access control policy | Yes | ISMS-G-1 Access Control Policy
A.11.2 | User access management | |
A.11.2.1 | User registration | Yes | ISMS-G-2 User Access Management Policy
A.11.2.2 | Privilege management | Yes | ISMS-G-2 User Access Management Policy
A.11.2.3 | User password management | Yes | ISMS-G-2 User Access Management Policy
A.11.2.4 | Review of user access rights | Yes | ISMS-G-2 User Access Management Policy
A.11.3.2 | Unattended user equipment | Yes | ISMS-G-3 User Responsibility Policy
A.11.3.3 | Clear desk and clear screen policy | Yes | ISMS-G-3 User Responsibility Policy


Control Code # | Control Objective | Implemented | Evidence / Remarks
A.11.4 | Network access control | |
A.11.4.1 | Policy on use of network services | Yes | ISMS-G-4 Network Access Control Policy
A.11.4.2 | User authentication for external connections | Yes | ISMS-G-4 Network Access Control Policy; Checkpoint VPN connectivity
A.11.4.3 | Equipment identification in networks | Yes | ISMS-G-4 Network Access Control Policy
A.11.4.4 | Remote diagnostic and configuration port protection | Yes | ISMS-G-4 Network Access Control Policy
A.11.4.5 | Segregation in networks | Yes | ISMS-G-4 Network Access Control Policy
A.11.4.6 | Network connection control | Yes | ISMS-G-4 Network Access Control Policy
A.11.4.7 | Network routing control | Yes | ISMS-G-4 Network Access Control Policy
A.11.5 | Operating system access control | |
A.11.5.1 | Secure log-on procedures | Yes | ISMS-G-5 Operating System Access Control Policy
A.11.5.2 | User identification and authentication | Yes | ISMS-G-5 Operating System Access Control Policy
A.11.5.3 | Password management system | Yes | ISMS-G-5 Operating System Access Control Policy
A.11.5.4 | Use of system utilities | Yes | ISMS-G-5 Operating System Access Control Policy
A.11.5.5 | Session time-out | Yes | ISMS-G-5 Operating System Access Control Policy
A.11.5.6 | Limitation of connection time | Yes | ISMS-G-5 Operating System Access Control Policy
A.11.6 | Application and information access control | |
A.11.6.1 | Information access restriction | Yes | ISMS-G-6 Application & Information Access Control Policy
A.11.6.2 | Sensitive system isolation | Yes | ISMS-G-6 Application & Information Access Control Policy
A.11.7 | Mobile computing and teleworking | |
A.11.7.1 | Mobile computing and communications | Yes | ISMS-G-7 Mobile Computing & Teleworking Policy
A.11.7.2 | Teleworking | No | This organization does not use teleworking for its employees
A.12 | Information systems acquisition, development and maintenance | |
A.12.1 | Security requirements of information systems | |
A.12.1.1 | Security requirements analysis and specification | Yes | ISMS-H-1 Security Requirement Policy
A.12.2 | Correct processing in applications | |
A.12.2.1 | Input data validation | Yes | ISMS-H-2 Information Validation Policy
A.12.2.2 | Control of internal processing | Yes | ISMS-H-2 Information Validation Policy
A.12.2.3 | Message integrity | Yes | ISMS-H-2 Information Validation Policy
A.12.2.4 | Output data validation | Yes | ISMS-H-2 Information Validation Policy
A.12.3 | Cryptographic controls | |
A.12.3.1 | Policy on the use of cryptographic controls | Yes | ISMS-H-3 Cryptographic Control Policy
A.12.3.2 | Key management | Yes | ISMS-H-3 Cryptographic Control Policy
A.12.4 | Security of system files | |
A.12.4.1 | Control of operational software | Yes | ISMS-G-5 Operating System Access Control Policy
A.12.4.2 | Protection of system test data | Yes | ISMS-G-5 Operating System Access Control Policy
A.12.4.3 | Access control to program source code | Yes | ISMS-G-5 Operating System Access Control Policy
A.12.4.4 | Control of internal processing | Yes | ISMS-G-5 Operating System Access Control Policy
A.12.4.5 | Control of internal processing | Yes | ISMS-G-5 Operating System Access Control Policy


Control Code # | Control Objective | Implemented | Evidence / Remarks
A.12.5 | Security in development and support processes | |
A.12.5.1 | Change control procedures | Yes | ISMS-H-5 Development & Support Process Security Policy
A.12.5.2 | Technical review of applications after operating system changes | Yes | ISMS-H-5 Development & Support Process Security Policy
A.12.5.3 | Restrictions on changes to software packages | Yes | ISMS-H-5 Development & Support Process Security Policy
A.12.5.4 | Information leakage | Yes | ISMS-H-5 Development & Support Process Security Policy
A.12.5.5 | Outsourced software development | No | There is no software development activity in this organization. The software development activity is not outsourced.
A.12.6 | Technical Vulnerability Management | |
A.12.6.1 | Control of technical vulnerabilities | Yes | ISMS-H-6 Technical Vulnerability Management Policy
A.13 | Information security incident management | |
A.13.1 | Reporting information security events and weaknesses | |
A.13.1.1 | Reporting information security events | Yes | ISMS-I-1 Information Security Reporting Policy
A.13.1.2 | Reporting security weaknesses | Yes | ISMS-I-1 Information Security Reporting Policy
A.13.2 | Management of information security incidents and improvements | |
A.13.2.1 | Responsibilities and procedures | Yes | ISMS-I-2 Information Security Management Policy, ISMS-I-3 Helpdesk Policy & ISMS-I-4 Incident Response Policy
A.13.2.2 | Learning from information security incidents | Yes | ISMS-I-2 Information Security Management Policy, ISMS-I-3 Helpdesk Policy & ISMS-I-4 Incident Response Policy
A.13.2.3 | Collection of evidence | Yes | ISMS-I-2 Information Security Management Policy, ISMS-I-3 Helpdesk Policy & ISMS-I-4 Incident Response Policy
A.14 | Business Continuity Management (BCM) | |
A.14.1 | Information security aspects of business continuity management | |
A.14.1.1 | Including information security in the BCM process | Yes | ISMS-J-1 Business Continuity Management Policy
A.14.1.2 | Business continuity and risk assessment | Yes | ISMS-J-1 Business Continuity Management Policy
A.14.1.3 | Developing & implementing continuity plans including IS | Yes | ISMS-J-1 Business Continuity Management Policy
A.14.1.4 | Business continuity planning framework | Yes | ISMS-J-1 Business Continuity Management Policy
A.14.1.5 | Testing, maintaining & reassessing BC Plans | Yes | ISMS-J-1 Business Continuity Management Policy
A.15 | Compliance | |
A.15.1 | Compliance with legal requirements | |
A.15.1.1 | Identification of applicable legislation | Yes | ISMS-K-1 Legal Compliance Policy
A.15.1.2 | Intellectual property rights (IPR) | Yes | ISMS-K-1 Legal Compliance Policy
A.15.1.3 | Protection of organizational records | Yes | ISMS-K-1 Legal Compliance Policy
A.15.1.4 | Data protection and privacy of personal information | Yes | ISMS-K-1 Legal Compliance Policy
A.15.1.5 | Prevention of misuse of information processing facilities | Yes | ISMS-K-1 Legal Compliance Policy
A.15.1.6 | Regulation of cryptographic controls | Yes | ISMS-K-1 Legal Compliance Policy
A.15.2 | Compliance with security policies and standards, and technical compliance | |
A.15.2.1 | Compliance with security policies and standards | Yes | ISMS-K-2 Technical Compliance Policy
A.15.2.2 | Technical compliance checking | Yes | ISMS-K-2 Technical Compliance Policy
A.15.3 | Information systems audit considerations | |
A.15.3.1 | Information systems audit controls | Yes | ISMS-K-3 Information Security Audit Policy
A.15.3.2 | Protection of information systems audit tools | Yes | ISMS-K-3 Information Security Audit Policy
