FirstCarbon Solutions (FCS)

FirstCarbon Solutions Information Security Domains & Controls

Domains covered:

Security Standards & Best Practices
Security for Human & Physical Resources
Communications & Operations Management
Access Control
Information Systems Acquisition, Development & Maintenance
Business Continuity Management
Compliance

Security Standards & Best Practices

1. U.S. Green Building Council (USGBC) Certification
• For the provision of expert consultancy services in green real estate, particularly on:
- Cost-benefit assessments for construction and development of green buildings/properties
- Energy efficiency following the LEED or ENERGY STAR rating systems

2. ISO 14001:2004 Certification (through our subsidiary - ADEC)
• Environmental Management System (EMS)
• Identification and Analysis of Environmental Aspects
• Establishment of Objectives, Targets and Programmes
• Management and reduction of Environmental Impacts
• Compliance with Applicable Legal and Environmental Regulatory Requirements
• Certified as of December 2009

3. ISO 27001:2005 Certification (through our subsidiary - ADEC)
• Information Security Management System (ISMS) — for the provision of Business Process Outsourcing (BPO) Services including the following IT-enabled activities: Data receipt/downloading; Data research; Evaluation; Analysis and abstracting (Data conversion/entry and data uploading)
• Certified as of March 2007

4. ISO 9001:2008 Certification (through our subsidiary - ADEC)
• Quality Management System (QMS) — for the provision of Global Business Process Outsourcing Services
• Certified as of November 2005

5. Security Policy
• Documented Information Security Policy in place
• Documentation maintained, controlled and managed via an EDMS
• Awareness activities are conducted through new employee orientation (ISMS 101), e-learning and classroom-type sessions for all new and existing employees

6. Organization of Information Security
• Information Security Manager reporting directly to the CEO
• Existence of SMCD
• Member of external organizations — BPAP, ITAP

7. Asset Management
• Asset inventory maintenance and monitoring process via an Asset Management System
• SAM-certified (BSA), which affirms that all software is licensed
• Hardware monitoring (HAMON) and software monitoring (SOMON) systems, and real-time monitoring systems for servers
• Practices information classification and labeling as per distribution, retention, disclosure and disposal
• Data destruction policies and processes in place:
- Paper disposal/crosscut shredding procedure
- Hard drive wiping through DBAN; if a hard drive is unusable, it is physically destroyed beyond re-use

Security for Human & Physical Resources

1. Employment
• Prior to employment
- Background checks (criminal history, neighborhood, educational, work history, personal reference) for all new employees and contractuals
- More stringent screening process for critical positions such as Database and Network Admins
- Additional checks (credit) for supervisors and up, and for critical IT positions
• During employment
- Information security duties and responsibilities are enumerated in the employment contract and job description
- Employees sign confidentiality statements and non-disclosure agreements
• Termination/Change of employment
- Established a resign-loop email account informing concerned departments of an employee resignation and the corresponding revocation of logical system access (email account, usernames) and physical premises (ID card) entry

2. Secure Areas
• Compound fenced by a barbed-wire perimeter wall with 24-hour on-duty security guards
• Premises monitored through a CCTV system with DVR retention of 120 days
• Access-level-based proximity card system
• In-house roving guards
• Color-coded ID system
• Visitors are escorted and issued color-coded IDs when inside the premises, and sign NDAs whenever necessary

3. Equipment Security
• Access Control procedure
• Bag inspections and body frisking during ingress and egress
• Temperature-controlled work areas
• Fire suppression mechanisms deployed, such as extinguishers and fire/smoke detectors
• UPS and Automatic Voltage Regulators (AVR) with built-in surge suppressors
• Structured cabling
• Regular preventive maintenance, recorded and reviewed
• No storage device drives, and USB ports disabled

Communications & Operations Management

a. Operational Procedures and Responsibilities (documentation, change management, segregation of duties, separation of development, test and operational facilities)
b. Third Party Service Delivery Management
c. System Planning & Acceptance (capacity management)
d. Protection against malicious & mobile code
e. Back-up
f. Network Security Management
g. Media Handling (disposal)
h. Exchange of Information (media in transit, electronic messaging, interconnection of systems)
i. Electronic Commerce Services (website hosting)
j. Monitoring (detection of unauthorized activities, audit logging, admin & operator logs)

Access Control

a. Business Requirement for Access Control (access control policy)
b. User Access Management (privilege management)
c. User Responsibilities (password selection and use)
d. Network Access Control (external connection authentication)
e. Operating System Access Control (secure log-on, use of utilities, session time-out)
f. Application & Information Access Control (sensitive system isolation)
g. Mobile Computing & Teleworking

Information Systems Acquisition, Development & Maintenance

a. Security Requirements of Information Systems
b. Correct Processing in Applications (input/output data validation)
c. Cryptographic Controls (key management)
d. Security of System Files (access to source code)
e. Security in Development & Support Processes (change management)
f. Technical Vulnerability Management

Business Continuity Management

a. Business Continuity Planning
• Documented Business Continuity Plan (BCP) based on the results of a Business Impact Analysis
• BCP includes departmental procedures for critical functions that are needed when the BCP is activated, a communication and escalation plan, and a list of important people, institutions and entities with corresponding contact details
• BCP is regularly tested through desktop audits, confidence tests and back-up integrity tests
• Power redundancies: UPS; multiple generator sets
• Triple redundancy of Internet Service Providers, with automatic switchover upon failure of the primary connection

b. Information Security Incident Management
• Documented procedures for reporting and handling IT, physical security, non-IT/non-security and medical incidents
• Incident reporting and data-gathering through an Issue Management System
• Existence of a high-level Information Security Investigation Committee (ISIC), which addresses serious IS breaches
• Incidents are consolidated for review and analysis by SMCD on a weekly, monthly and annual basis

c. Emergency Response Planning
• Established an Emergency Response Team
• Existing procedures for different emergency situations such as fire, severe weather, earthquake, bomb threat, etc.
• Regularly tested by conducting fire drills and evacuation exercises, which are observed and documented for improvement purposes

d. Disaster Recovery Planning
• Documented procedures on recovery from IT-related disasters (internet connection failure, major power breakdown, network virus outbreak, critical server crash)

Compliance

a. Compliance with Legal Requirements
• Maintains a matrix of relevant and applicable laws that is reviewed and updated regularly
• Adheres to Intellectual Property Rights by prohibiting downloading and unauthorized installation of applications on workstations

b. Compliance with Security Policies & Standards, and Technical Compliance
• Documented security manual in our Electronic Document Management System (EDMS), readily accessible to authorized users (employees and third party)
• New employees have to take the ISMS 101 course as part of company induction, a module dedicated solely to Information Security within the organization
• Third parties with interest (e.g. contracted janitorial services, suppliers, service providers) are also mandated to attend ISMS 101 and sign contracts with inherent information security clauses

Worldwide Locations

USA
10 Monument Street
Deposit, New York 13754
Tel.: +1 (607) 467 4600
USA Toll Free: +1 (888) 826 5814
Email: usa@firstcarbonsolutions.com

United Kingdom
5th Floor, Hyde Park Hayes 3
11 Millington Road
Hayes UB3 4AZ
Tel.: +44 (0) 845 165 6245
Fax: +44 (0) 20 3070 0890
Email: uk@firstcarbonsolutions.co.uk

Australia
13-15 Smith Street
Chatswood, NSW 2067
Tel.: +61 (02) 9418 7822
Email: australia@firstcarbonsolutions.com.au

Canada
344 Bloor Street West, Suite 401
Toronto, Ontario, M5S 3A7
Tel.: +1 (416) 784 3509
Fax: +1 (866) 205 1485
Email: info@formidabletechnologies.com

Singapore
20A Mosque Street
Singapore 059500
Tel.: +65 9667 2379 / +65 9639 7243
Email: singapore@firstcarbonsolutions.com

Philippines
26th Floor Philippine AXA Life Centre
Sen. Gil Puyat Avenue
1200 Makati City
Tel.: +63 (2) 775 0632
Email: phils@firstcarbonsolutions.com

China
Jin Yan Long Building, Suite 1608A
Hui Long Guan, Changping District
Beijing, 100096
Tel.: +86 (10) 6203 1420
Fax: +86 (10) 6238 2915
Email: china@firstcarbonsolutions.com

7th Floor (701 & 702)
25 Wang Hai Road
Xiamen Software Park
Xiamen, P.R. China
Tel: +86 592 2177850 to 59
Email: china@firstcarbonsolutions.com

www.firstcarbonsolutions.com