Mark E.S. Bernard and Business Continuity Planning and Management

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

Upload: mark-edward-stirling-bernard

Posted on 22-Jan-2015


TRANSCRIPT

1. (title slide; see the header above)

2. Threats; Service Orientated Architecture; Integration of Best Practices; Quality Management; Root-cause Analysis; Asset Management; Risk Management; Verification/Validation; Business Impact Assessment; Availability Management; Incident Management; Governance; Security Response Team; BCM Policy.

3. (slide image, no text)

4. (slide image, no text)

5. Source: Computer Security Institute 2013 Survey. (slide image)

6. Source: Verizon Business 2013 Data Breach Investigations Report. (slide image)

7. Source: 2013 Cloud Security Alliance Threats. Top 10 Cloud Computing Security Risks: 1. Data Breaches; 2. Data Loss; 3. Account Hijacking; 4. Insecure APIs; 5. Denial of Service; 6. Malicious Insiders; 7. Abuse of Cloud Services; 8. Insufficient Due Diligence; 9. Shared Technology Issues.

8. Source: 2013 OWASP Top 10 Web Application Security Risks. Top 10 Web Application Security Risks: A1 Injection; A2 Broken Authentication and Session Management; A3 Cross-Site Scripting (XSS); A4 Insecure Direct Object References; A5 Security Misconfiguration; A6 Sensitive Data Exposure; A7 Missing Function Level Access Control; A8 Cross-Site Request Forgery (CSRF); A9 Using Components with Known Vulnerabilities; A10 Unvalidated Redirects and Forwards.

9. Source: The Risk of Insider Fraud, Ponemon Institute 2012. On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months. More than one-third say that employees' use of personally owned mobile devices has resulted in malware and virus infections that infiltrated their corporate networks and enterprise systems, and another 26 percent say it is very likely to occur.
Sixty-one percent rate the threat of insider risk within their organization as very high or high. Twenty-three percent say insider fraud incidents existed six months or longer before being discovered, and nine percent could not determine when they occurred. Fifty-five percent of organizations say their organization does not have the ability/intelligence to determine whether an off-site employee's non-compliance is due to negligence or fraud.

10. Source: Computer Security Institute 2010/11 Survey. (slide image)

11. (slide image, no text)

12. One of the most effective ways of communicating with the Executive team when it comes to aligning resources and services with strategic and tactical goals is Service Oriented Architecture. Once this is understood we can begin to consider the impact of these threats on the organization. (Diagram label: services.)

13. The SaaS stack is another simple way to drill down on the allocation of resources to identify and communicate potential vulnerabilities and the need for BCP. Properly executed, Cloud Computing could lead to huge BCP cost savings.

14. (slide image, no text)

15. The demand for ISO/IEC 27001:2005 has nearly tripled in six years, and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001:2005 will soon receive its first major revision since the 2005 adoption, and if it turns out to be anything like the changes we've seen in ICFR/ICIF, ISAE 3402 or NIST SP 53, there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December 2006 totaled 5,797. The number of countries adopting ISO/IEC 27001 totaled 64.
At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 (+21%) since December 2009. In 2006 the top three countries adopting ISO/IEC 27001 were Japan, the United Kingdom and India, and in 2010 that trend continued. However, the top three countries from December 2009 to 2010 were Japan, China and the Czech Republic.

16. ISO27k is the world's most recognized standard framework for information security and the best to align vendors and suppliers with the BCM program.

17. COBiT is one of the world's most recognized standards for IT Governance and excellent for aligning vendors and suppliers with the BCM program.

18. ITIL is the world's most recognized standard framework for IT Service Management. This is an excellent best practice to align vendors and suppliers with the BCM program.

19. PMBOK is the world's most recognized standard framework for Project Management and the best to align vendors and suppliers with the BCM program. Following recovery and restart many projects will be kicked off, and it will be much easier to coordinate and create BCM plans following a proven standard that everyone has been trained on.

20. The workflow between physical boots-on-the-ground activities and infrastructure will need to be coordinated to minimize further outages. Normally the BCM plan will need to be closely coordinated with tier 1, 2 and 3 root-cause analysis and resolution of security events and incidents. The intelligence is also important and will need to be carefully disclosed to authorized persons only.

21. (slide image, no text)
22. Feedback loops are very important for Quality Management, and the plan, do, check, act cycle is an excellent methodology to leverage for this purpose. Every BCM event, incident or training exercise is a chance to learn and improve for the next event.

23. Traceability Matrix. The traceability matrix is very useful when stabilizing a service or product by carefully documenting the specifications concerning what the product or service looks like after it is installed or delivered. This practice can speed up recovery, rollback/roll-forward activities and root-cause analysis.

24. (slide image, no text)

25. Control Design. Control design allows us to identify the assets associated with a service or product delivery and the threats, vulnerabilities and risks associated with that service. This practice allows us to carefully design and select controls that will effectively mitigate risks to specific assets critical to product delivery or service delivery.

26. (slide image, no text)

27. The assets that have been allocated to specific services or products that we are protecting with the BCP need to be identified and any associated risk mitigated. Generally there are six major groups of assets that are required to run any operation.
28. I have provided examples of the six major groups of assets below for additional clarification:

People: staff and managers, particularly those in key knowledge management roles such as senior/executive managers, software architects/developers/testers, systems managers, security administrators, operators, legal and regulatory compliance people, etc.

Information: personal, financial, legal, research and development, strategic and commercial, email, voicemail, databases, personal and shared drives, backup tapes/CDs/DVDs and digital archives, encryption keys, etc.

Software: in-house/custom-written systems, client software (including shared or single-user End User Computing desktop applications), commercial off-the-shelf (COTS), ERP, GL, etc.

Hardware: computing and storage devices, e.g. desktops, workstations, laptops, handhelds, servers, mainframes, modems and line terminators, communications devices (network nodes), printers/copiers/FAX machines and multifunction devices, etc.

Telecommunications: fiber Internet connection, DSL Internet connection, General Packet Radio Service (GPRS), Gateway GPRS Support Node (GGSN); protocol/port summary: UDP 9000 (MO, MT), UDP 53248 (MT), FTP 21 (MO), SSH 22 (MT), HTTP 8005 (MT), TCP 1225, etc.

Facilities: IT buildings, data centers, server/computer rooms, LAN/wiring closets, offices, desks/drawers/filing cabinets, media storage rooms and safes, security devices (CCTV etc.), fire alarms/suppression/fire-fighting equipment, uninterruptible power supplies (UPSs), power and network feeds, power conditioners/filters/transient suppressors, air conditioners/chillers/alarms, water alarms.

29. (slide image, no text)

30. The Risk Universe is an excellent tool to help management visualize where BCM dependencies might occur and their potential impact on the BCP and Enterprise Risk Management.
31. A Risk Assessment is necessary once all assets have been identified within the scope of service. These assets are utilized for the product or service delivery and the revenue stream.

32. Risks associated with strategic planning, credit, market and financial matters that are considered open and ongoing, versus mitigated and closed, can be added to the Risk Registry. Within the 1-5 impact scale columns a threshold can be added for clarity. These risks are for internal reporting purposes and probably would not be shared or reviewed with the external party.

33. Risks associated with compliance with statutes, regulations and contractual obligations that are considered open and ongoing, versus mitigated and closed, can be added to the Risk Registry. Within the 1-5 impact scale columns a threshold can be added for clarity.

34. Risks associated with operations are the most common risks that external parties can positively or negatively impact. Those that are considered open and ongoing, versus mitigated and closed, can be added to the Risk Registry. Within the 1-5 impact scale columns a threshold can be added for clarity.

35. (slide image, no text)

36. The statement of applicability (SoA) is created following a risk assessment against organizational assets that are in scope for protection from threats and vulnerabilities leading to loss of confidentiality, integrity and availability. Internal and external audits are facilitated against the SoA. The flexibility of the ISMS allows additional security control decks to be added, such as SANS CSC 20, if they can be justified. The framework also streamlines any overlapping controls, minimizing or eliminating costly overlaps while improving the effectiveness and efficiency of the ISMS.
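The Risk Registry described on slides 32 to 34, as an added example in Python (this is not code from the presentation or its author): each entry is open/ongoing or mitigated/closed and carries a 1-5 impact score, a threshold on that scale flags the open risks that need attention, and the strategic, credit, market and financial categories are kept for internal reporting only while compliance and operational risks may be reviewed with an external party. The Risk class, the function names and the sample entries are assumptions made for this example.

```python
"""Risk Registry helper (added example): open/ongoing vs mitigated/closed
entries, a 1-5 impact score, a reporting threshold on that scale, and a
separate view that omits the internal-only categories.
Class, function names and the sample register are constructed for this example."""
from dataclasses import dataclass, replace
from typing import List

# The slides keep these categories for internal reporting only.
INTERNAL_ONLY = frozenset({"strategic", "credit", "market", "financial"})
# Compliance and operational risks may be reviewed with external parties.
SHAREABLE = frozenset({"compliance", "operational"})
STATUSES = ("open", "mitigated")  # open = ongoing, mitigated = closed


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str      # one of INTERNAL_ONLY or SHAREABLE
    description: str
    impact: int        # 1 (negligible) .. 5 (severe)
    status: str        # "open" or "mitigated"

    def __post_init__(self) -> None:
        # Reject malformed rows instead of letting them skew later reports.
        if self.category not in INTERNAL_ONLY | SHAREABLE:
            raise ValueError(f"{self.risk_id}: unknown category {self.category!r}")
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.risk_id}: impact must be 1-5, got {self.impact}")
        if self.status not in STATUSES:
            raise ValueError(f"{self.risk_id}: status must be one of {STATUSES}")


def open_above_threshold(register: List[Risk], threshold: int) -> List[str]:
    """IDs of open risks at or above the threshold, highest impact first
    (sorted() is stable, so equal-impact risks keep their register order)."""
    hits = [r for r in register if r.status == "open" and r.impact >= threshold]
    return [r.risk_id for r in sorted(hits, key=lambda r: -r.impact)]


def external_view(register: List[Risk]) -> List[Risk]:
    """Rows that may be reviewed with an external party: internal-only
    categories are dropped entirely rather than redacted field by field."""
    return [r for r in register if r.category in SHAREABLE]


def close_risk(register: List[Risk], risk_id: str) -> List[Risk]:
    """New register with one risk moved from open/ongoing to mitigated/closed."""
    if not any(r.risk_id == risk_id for r in register):
        raise KeyError(risk_id)
    return [replace(r, status="mitigated") if r.risk_id == risk_id else r
            for r in register]


def render(register: List[Risk], threshold: int) -> str:
    """Plain-text registry with a threshold column flagging open risks."""
    rows = [f"{'ID':<6} {'CATEGORY':<12} {'IMPACT':>6} {'STATUS':<10} THRESHOLD"]
    for r in register:
        flag = "ABOVE" if r.status == "open" and r.impact >= threshold else ""
        rows.append(f"{r.risk_id:<6} {r.category:<12} {r.impact:>6} {r.status:<10} {flag}")
    return "\n".join(rows)


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R-001", "strategic", "Single supplier for the core service platform", 4, "open"),
    Risk("R-002", "credit", "Customer default exposure above plan", 2, "open"),
    Risk("R-003", "compliance", "Privacy-breach notification procedure never exercised", 5, "open"),
    Risk("R-004", "operational", "Single data centre, no warm standby", 5, "mitigated"),
    Risk("R-005", "operational", "Backup restore not tested in 12 months", 3, "open"),
    Risk("R-006", "financial", "Outage losses not covered by insurance", 4, "mitigated"),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER, threshold=4))
    print("Needs attention:", open_above_threshold(SAMPLE_REGISTER, 4))
    print("Shareable rows:", [r.risk_id for r in external_view(SAMPLE_REGISTER)])
```

With the threshold set to 4, the two open entries at or above it are listed first by impact; closing R-003 with `close_risk` drops it from that list while leaving the original register unchanged, which keeps the internal and external views reproducible from one source of truth.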
37. (slide image, no text)

38. 1.1. Overview: department, function name, function owner or subject expert, phone number, location(s) where the function is performed. 1.2. Description: functional purpose. 1.3. Critical Times: (a) Does this process have to be performed at a specific time of the day/week/month/year? (b) Specify critical or peak times of the day/week/year.

39. Impact Rating scale. Catastrophic: Company or department cannot operate without the function; immediate and severe impact to the organization. Moderate: Would experience significant problems but could function in a limited capacity. Minor: Inconvenienced, but sufficient alternative methods are in place to reduce the impact. None: No impact would be experienced immediately; the function could be suspended and resumed at a later date.

40. With the ISO 27001 ISMS we attempt to identify potential threats and matching vulnerabilities and mitigate these risks before they result in unplanned expenses and damage to an organization's reputation. Security Events are not the same as Security Incidents. Security events normally occur when a vulnerability exists and a threat agent attempts to exploit it but is not successful. There is a subtle difference between information security incidents and events, and while we may not be able to stop events from occurring, we can learn from them and take corrective and/or preventive action to mitigate or eliminate the risk.

41. If this function were suspended or lost, would the Company experience a loss of revenue? What type of revenue loss (i.e. lost current customers, new customers, recurring business, investment interest, etc.)?
What would the amount of revenue loss be over time, i.e. 0-12, 12-24, 24-48, 48-72 hours, 3-5, 5-14 days? Could this revenue be recovered, or would it be lost permanently? Explain. Impact Rating: Catastrophic, Moderate, Minor, None.

42. If the function were suspended or lost, would the Company experience additional expenses? What would be the type of additional expenses (i.e. expenses related to overtime to handle increased workload at alternate sites, necessity to purchase supplies, equipment, temporary staffing, 3rd party service providers, etc.)? Would the expenses be incurred only once or would they be ongoing?

43. If the function were suspended or lost, would the Company incur financial fines or penalties (i.e. non-compliance with service level agreements, missed deadlines, interest penalties, sanctions, and penalties for failure to properly provide services or fulfill obligations)? What would the amount of contractual fines or penalties be over time, i.e. 0-12, 12-24, 24-48, 48-72 hours, 3-5, 5-14 days? Impact Rating: Catastrophic, Moderate, Minor, None.

44. Operational Dependency Impact/Risk. If the function were suspended or lost, would there be an impact on other operations (i.e. day-to-day ability of other departments to function properly)? Impact Rating: Catastrophic, Moderate, Minor, None.

45. Customer Impact. If the function were suspended or lost, would there be an impact on the customer (i.e. customer dissatisfaction, loss of existing or future business, erosion of customer base, etc.)? Impact Rating: Catastrophic, Moderate, Minor, None.
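The business impact assessment questionnaire above, as an added example in Python (not code from the presentation or its author): each function gets one rating per impact category of the form (revenue, expenses, fines, operational dependency, customer, legal, employee, corporate and management control) on the Catastrophic/Moderate/Minor/None scale, revenue loss is estimated per outage window (0-12, 12-24, 24-48, 48-72 hours, 3-5, 5-14 days), the worst category rating becomes the function's overall rating, and the assessed functions are ordered for recovery. The dataclass, the loss-tolerance tie-break and the sample assessments are assumptions made for this example.

```python
"""Business impact assessment scorer (added example): one rating per impact
category, revenue loss per outage window, overall rating = worst category,
and a recovery ordering. Field names, the loss-tolerance tie-break and the
sample assessments are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rating scale from the questionnaire, ordered from least to most severe.
RATING_ORDER = {"None": 0, "Minor": 1, "Moderate": 2, "Catastrophic": 3}
# One entry per impact question on the form.
CATEGORIES = ("revenue", "expenses", "fines", "operational", "customer",
              "legal", "employee", "corporate", "management")
# Outage windows from the revenue-loss question, in order.
WINDOWS = ("0-12h", "12-24h", "24-48h", "48-72h", "3-5d", "5-14d")


@dataclass
class FunctionAssessment:
    name: str
    department: str
    owner: str
    ratings: Dict[str, str]        # category -> rating
    revenue_loss: Dict[str, int]   # window -> cumulative loss in dollars
    recoverable: bool              # could the lost revenue be recovered later?

    def __post_init__(self) -> None:
        # A form with a blank or off-scale answer cannot be scored.
        missing = set(CATEGORIES) - set(self.ratings)
        if missing:
            raise ValueError(f"{self.name}: no rating for {sorted(missing)}")
        bad = {c: r for c, r in self.ratings.items() if r not in RATING_ORDER}
        if bad:
            raise ValueError(f"{self.name}: ratings off the scale {bad}")
        unknown = set(self.revenue_loss) - set(WINDOWS)
        if unknown:
            raise ValueError(f"{self.name}: unknown windows {sorted(unknown)}")


def overall_rating(fa: FunctionAssessment) -> str:
    """The worst rating across all categories decides the function's rating."""
    return max(fa.ratings.values(), key=RATING_ORDER.__getitem__)


def first_window_exceeding(fa: FunctionAssessment, tolerance: int) -> Optional[str]:
    """Earliest window at which cumulative revenue loss reaches the tolerance
    (assumed here to be the point after which the outage is unacceptable)."""
    for window in WINDOWS:
        if fa.revenue_loss.get(window, 0) >= tolerance:
            return window
    return None


def recovery_priority(assessments: List[FunctionAssessment], tolerance: int) -> List[str]:
    """Order functions for recovery: worst overall rating first, then the one
    whose revenue loss breaches the tolerance soonest, then the larger loss
    at the longest window."""
    def key(fa: FunctionAssessment):
        window = first_window_exceeding(fa, tolerance)
        window_idx = WINDOWS.index(window) if window is not None else len(WINDOWS)
        return (-RATING_ORDER[overall_rating(fa)], window_idx,
                -fa.revenue_loss.get(WINDOWS[-1], 0))
    return [fa.name for fa in sorted(assessments, key=key)]


def summary_table(assessments: List[FunctionAssessment], tolerance: int) -> str:
    """One line per function: overall rating and the window that breaches tolerance."""
    lines = [f"{'FUNCTION':<26} {'DEPT':<16} {'OVERALL':<13} BREACH AT"]
    for fa in assessments:
        breach = first_window_exceeding(fa, tolerance) or "-"
        lines.append(f"{fa.name:<26} {fa.department:<16} {overall_rating(fa):<13} {breach}")
    return "\n".join(lines)


def _ratings(**overrides: str) -> Dict[str, str]:
    """Every category defaults to "None"; callers override the ones that apply."""
    base = {c: "None" for c in CATEGORIES}
    base.update(overrides)
    return base


# Constructed sample assessments (not real data).
PAYMENTS = FunctionAssessment(
    "Card payment processing", "Web Banking", "owner-A",
    _ratings(revenue="Catastrophic", expenses="Moderate", fines="Catastrophic",
             operational="Moderate", customer="Catastrophic", legal="Moderate",
             employee="Minor", corporate="Moderate", management="Minor"),
    {"0-12h": 50_000, "12-24h": 120_000, "24-48h": 300_000,
     "48-72h": 500_000, "3-5d": 900_000, "5-14d": 2_500_000},
    recoverable=False)
PAYROLL = FunctionAssessment(
    "Payroll", "Human Resources", "owner-B",
    _ratings(expenses="Minor", fines="Moderate", operational="Minor",
             legal="Moderate", employee="Catastrophic", corporate="Minor"),
    {}, recoverable=True)
ARCHIVE = FunctionAssessment(
    "Quarterly report archive", "Finance", "owner-C",
    _ratings(fines="Minor", legal="Minor"), {}, recoverable=True)
SAMPLE = [ARCHIVE, PAYROLL, PAYMENTS]   # deliberately out of priority order

if __name__ == "__main__":
    print(summary_table(SAMPLE, tolerance=250_000))
    print("Recovery order:", recovery_priority(SAMPLE, 250_000))
```

Payroll and card payments both rate Catastrophic overall (payroll because of the employee impact, payments because of revenue, fines and customer impact), so the revenue-loss windows break the tie: payments breaches a 250,000 tolerance in the 24-48 hour window and is recovered first, payroll never breaches it on revenue alone, and the archive function with only Minor ratings comes last.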
46. Legal or Regulatory Impacts. If the function were suspended or lost, is it possible that legal or regulatory action may be taken against the Company? Estimated financial impact ($), occurring within (hours/days/weeks), and rating: Catastrophic, Moderate, Minor, None.

47. Compliance Management can be broken down into 4 general categories: statutes, regulations, internal facing and external facing.

48. BC Provincial Statutes (Banking): Adult Guardianship Act; Business Practices and Consumer Protection Act; Company Act; Corporation Capital Tax Act; Court Order Enforcement Act; Credit Union Incorporation Act; Election Act; Electronic Transactions Act; Employment Standards Act; Environment Management Act; Evidence Act; Family Maintenance Enforcement Act; Financial Information Act; Financial Institutions Act; Fraudulent Preference Act; Freedom of Information and Protection of Privacy Act; Human Rights Code; Income Tax Act; Insurance (Captive Company) Act; Insurance (Vehicle) Act; Interpretation Act; Land Title Act; Land Transfer Form Act; Law and Equity Act; Limitation Act; Negligence Act; Occupiers Liability Act; Pension Benefits Standards Act; Personal Information Protection Act; Personal Property Security Act; Power of Attorney Act; Property Law Act; Property Transfer Tax Act; Public Guardian and Trustee Act; Real Estate Services Act; Representation Agreement Act; Securities Act; Securities (Forged Transfer) Act; Social Service Tax Act; Unclaimed Property Act; Workers Compensation Act.

49. Compliance Management can be broken down into 4 general categories: statutes, regulations, internal facing and external facing.
Canada Federal Statutes (Banking): Bills of Exchange Act; Canada Elections Act; Canada Evidence Act; Canada Pension Plan; Competition Act; Cooperative Credit Associations Act; Copyright Act; Criminal Code; Employment Insurance Act; Excise Tax Act; Income Tax Act; Interest Act; Old Age Security Act; Pension Benefits Standards Act, 1985; Personal Information Protection and Electronic Documents Act; Proceeds of Crime (Money Laundering) and Terrorist Financing Act (we comply voluntarily); Trade-marks Act.

50. Compliance Management can be broken down into 4 general categories: statutes, regulations, internal facing and external facing. The PCI Data Security Standard applies to all members, merchants, and service providers that store, process or transmit cardholder data. The standard consists of the following 12 requirements:
1). Install and maintain a firewall configuration to protect data;
2). Do not use vendor-supplied defaults for system passwords and other security parameters;
3). Protect stored data;
4). Encrypt transmission of cardholder data and sensitive information across public networks;
5). Use and regularly update anti-virus software;
6). Develop and maintain secure systems and applications;
7). Restrict access to data by business need to know;
8). Assign a unique ID to each person with computer access;
9). Restrict physical access to cardholder data;
10). Track and monitor all access to network resources and cardholder data;
11). Regularly test security systems and processes;
12). Maintain a policy that addresses information security and an Incident Response plan.

51. Compliance Management can be broken down into 4 general categories: statutes, regulations, internal facing and external facing.
On-site reviews: Merchants, including e-commerce merchants, with more than 6 million total transactions annually, or merchants who have already experienced an account compromise, are required to have an on-site review carried out annually. Any other merchant can also be subjected to an on-site review at the discretion of the payment card institution. The review can be carried out either by the merchant's internal audit function or by an independent assessor acceptable to the payment card institution. Self-Assessments: Merchants with e-commerce transactions between 20,000 and 6 million total transactions annually are required to carry out a Self-Assessment annually. For all other merchants, the credit card companies recommend that the Self-Assessment be carried out on an annual basis. For a copy of the Payment Card Industry Self-Assessment Questionnaire. Failure to comply with the new standards could result in a merchant being subjected to a fine or the loss of access to the credit card networks.

52. Compliance Management can be broken down into 4 general categories: statutes, regulations, internal facing and external facing. Implement an incident response plan for the immediate response to a security or privacy breach. Create an incident response plan to be used in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, data backup processes, roles and responsibilities, and communication and contact strategies (for example, informing partners and credit card associations). Test the plan at least annually. Designate specific personnel to be available on a 24/7 basis to respond to alerts. Provide appropriate training to staff with security breach response responsibilities. Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems.
Have a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

53. Employee/Human Resources Impact. If the function were suspended or lost, would there be an impact on employees (i.e. employee productivity, loss of employee support, strike, stress, morale, loss of commissions or other incentives, overwork, HR additional benefits and counselling)? Explain. Impact Rating: Catastrophic, Moderate, Minor, None.

54. Corporate/Industry Impact. If the function were suspended or lost, would the Company experience a loss of image with clients and/or the public at large (i.e. loss of goodwill, loss of client confidence, or embarrassment in the industry, public and shareholder relations, share price, rating agencies)? Impact Rating: Catastrophic, Moderate, Minor, None.

55. Management Control and Decision Making. If the function were suspended or lost, how would this impact management's ability to maintain control and make effective strategic decisions? Impact Rating: Catastrophic, Moderate, Minor, None.

56. (slide image, no text)

57. GUIDING PRINCIPLES: 1. Availability is at the core of business and User satisfaction. 2. Recognizing that when things go wrong, it is still possible to achieve business and User satisfaction. 3. Improving Availability can only begin after understanding how the IT Services support the business.

58. KEY INPUTS: The availability requirements for regular business services. Business impact assessment for each vital business function. The identification of assets and percentage of their allocation. The reliability and maintenance requirements of allocated assets.
Records of events, incidents and problems of services and assets. Configuration specifications including IQ, OQ, DQ and PQ. Service level reporting against agreed targets.

59. KEY OUTPUTS: Availability and recovery design criteria for business services. Details of risk mitigation techniques that prevent outages. Rationalization and agreement to availability SLA metrics. Reporting that reflects the business and customer perspectives. The monitoring requirements for assets supporting services. Continuous Improvement roadmap for services and assets.

60. CRISIS MANAGEMENT PLAN: Overview & Team Responsibilities; Crisis Communications Guidelines; Crisis Management Plan Maintenance. STEP 1: Notify the Crisis Management Team. STEP 2: Establish a Command Center. STEP 3: Issue a Disaster Alert. STEP 4: Monitor the Situation. STEP 5: Declare a Disaster. STEP 6: Terminate the Incident.

61. DAMAGE ASSESSMENT: Overview & Team Responsibilities; Damage Assessment Plan Maintenance. STEP 1: Pre-assessment Activities. STEP 2: Initial Damage Assessment. STEP 3: Detailed Facilities Damage Assessment. STEP 4: Detailed Equipment Damage Assessment.

62. (slide image, no text)

63. 1. Designated "Single Point of Contact" (SPC); 1.1. Incident Response Team; 1.2. Incident Response Team Members; 1.3. Incident Response Team Roles and Responsibilities; 1.4. Incident Response Team Notification; 2. Breach of Personal Information - Overview; 2.1. Definition of a Security Breach; 3. Requirements; 3.1. Information Owner Responsibilities; 3.2. Location Manager Responsibilities; 3.3. When Notification Is Required; 4. Incident Response Breach of Personal Information; 4.1. Technology Operation Center; 4.2. Office for Central Information Security; 4.3. Customer Database Owners; 4.4.
Web Banking Department; 4.5. Credit Payment Systems; 4.6. Legal; 4.8. Human Resources; 4.9. Network Architecture; 4.10. Public Relations; 4.11. Location Manager; 5. Incident Handling Step-by-step; 5.1. Documentation Logs; 5.2. Determine If It Is Real?; 5.3. Scope; 5.4. Incident Communications; 5.4.1. Explicit Notification; 5.4.2. Factual Notification; 5.4.3. Choice of Language; 5.4.4. Notification of Individuals; 5.4.5. Public Relations - Press Releases; 5.5. Who Needs to Get Involved? (The Incident Management Procedure is fairly standard in most mature organizations. This is important because communication and training for Incident Response Team Members is crucial to the success of any Business Continuity Event or Incident.) 5.6. Containment; 5.7. Evidence Handling; 5.8. Chain of Custody; 5.8.1. Collection of Evidence; 5.8.2. Collection/Storage of Evidence; 5.8.3. Storage of Evidence; 5.9. Eradication; 5.10. Recovery; 5.11. Follow-up; 5.12. Legal Affairs.

64. Establishing the Information Security Program is crucial to a consistent, reproducible approach that effectively mitigates the risk of threats exploiting vulnerabilities. The Security Program provides the Shareholders, Board of Directors, Executives and Employees with assurance that data, information and knowledge are secure and constantly protected. The Security Program is constantly improving and evolving to meet the challenges of modern threats to the agility and resilience of the Enterprise.

65. (slide image, no text)

66. TERMS OF REFERENCE, OVERSIGHT COMMITTEE. Purpose: Management shall review the organization's ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives.
The results of the reviews shall be clearly documented and records shall be maintained (ISO27k clause 4.3.3). Goals: The ISMS Management Review Committee has been formed to provide an effective joint forum which will contribute to the following goals: decision making which supports the CSO program; balanced and informed review and advisory services contributing to a range of CSO planning, service delivery and issue resolution activities; and proactive CSO alignment with higher-level joint governance functions to improve the effectiveness and efficiency within the CSO domain.

67. TERMS OF REFERENCE, OVERSIGHT COMMITTEE. Committee Functions: Review input (ISO27k clause 7.2). The input to a management review shall include: a). results of ISMS audits and reviews; b). feedback from interested parties; c). techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness; d). status of preventive and corrective actions; e). vulnerabilities or threats not adequately addressed in the previous risk assessment; f). results from effectiveness measurements; g). follow-up actions from previous management reviews; h). any changes that could affect the ISMS; and i). recommendations for improvement.

68. TERMS OF REFERENCE, OVERSIGHT COMMITTEE. Review output (ISO27k clause 7.3). The output from the management review shall include any decisions and actions related to the following: a). Improvement of the effectiveness of the ISMS. b). Update of the risk assessment and risk treatment plan. c). Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to: 1). business requirements; 2). security requirements; 3). business processes affecting the existing business requirements; 4).
regulatory or legal requirements; 5). contractual obligations; and 6). levels of risk and/or criteria for accepting risks. d). Resource needs. e). Improvement on how the effectiveness of controls is being measured.

69. The Management Oversight Committee sits here in the workflow and meets every quarter, or can be convened by the BCM Manager as needed during emergency situations.

70. (slide image, no text)

71. (slide image, no text)

72. SRT Organization (org chart): CISO coordinating all teams; Teams A to G, covering Technical Operations, divisions or partner departments (Dept A, i.e. HR; Dept B, i.e. Finance), division or partner service providers and external SRT members, direct technical operations, and customers and partners; external organizations, i.e. law enforcement, private investigators, lawyers.

73. (slide image, no text)

74. (slide image, no text)

75. (slide image, no text)

76. (slide image, no text)

77. The following excerpts from ISO 27001:2013 would be considered a good starting point for a BCM Policy. A.6. Organisation of information security. A.6.1. Internal organisation. Objective: To establish a management framework to initiate and control the implementation of information security within the organisation. A.6.1.1. Information security roles and responsibilities. Control: All information security responsibilities shall be defined and allocated. A.6.1.2. Contact with authorities. Control: Appropriate contacts with relevant authorities shall be maintained. A.6.1.3.
Contact with special interest groups. Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

78. A.6.1.4. Information security in project management. Control: Information security shall be addressed in project management, regardless of the type of the project. A.6.1.5. Segregation of duties. Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. A.9. Access control. A.9.1. Business requirements of access control. Objective: To restrict access to information and information processing facilities. A.9.1.1. Access control policy. Control: An access control policy shall be established, documented and reviewed based on business and security requirements.

79. A.9.1.2. Policy on the use of network services. Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use. A.9.2. User access management. Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. A.9.2.1. User registration and de-registration. Control: A formal user registration and de-registration procedure shall be implemented for granting and revoking access for all user types to all systems and services. A.9.2.2. Privilege management. Control: The allocation and use of privileged access rights shall be restricted and controlled. A.9.2.3. Management of secret authentication information of users. Control: The allocation of secret authentication information shall be controlled through a formal management process.

80. A.9.2.4.
Review of user access rights Control: Asset owners shall review users access rights at regular intervals. A.9.2.5. Removal or adjustment of access rights Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. A.9.3 .User responsibilities Objective: To make users accountable for safeguarding their authentication information A.9.3.1 Use of secret authentication information Control: Users shall be required to follow the organizations security practices in the use of secret authentication information. A.9.4. System and application access control Objective: To prevent unauthorized access to systems and applications. A.9.4.1. Information access restriction Control: Access to information and application system functions shall be restricted in accordance with the access control policy. 81. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** A.9.4.2. Secure log-on procedures Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure A.9.4.3. Password management system Control: Passwords management systems shall be interactive and shall ensure quality Passwords. A.9.4.4 Use of privileged utility programs Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. A.9.4.5 Access control to program source code Control: Access to program source code shall be restricted. 14. System acquisition, development and maintenance 14.1. Security requirements of information systems Objective: To ensure that security is an integral part of information systems across the Entire lifecycle. This includes in particular specific security requirement for information Systems which provide services over public networks. 82. 
*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** 14.1.1. Security requirements analysis and specification Control: The requirements for information security controls should be included in the statements of business and technical requirements for new information systems or enhancements to existing information systems, taking into account all relevant criteria such as the entire lifecycle or whether the application is available over public networks. Implementation guidance For applications systems providing services or transferring information over public networks, the system requirements should also consider the following: a). the level of confidence each party requires in each others claimed identity, e.g. through authentication; d). determining and meeting requirements for confidentiality, integrity, proof of dispatch and receipt of key documents and the non-repudiation of contracts, e.g. associated with tendering and contract processes; e). the level of trust required in the integrity of key documents; f). the confidentiality of any confidential information; g). the confidentiality and integrity of any order transactions, payment information, delivery address details and confirmation of receipts; 83. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** h). the degree of verification appropriate to verify payment information supplied by a customer; i). selecting the most appropriate settlement form of payment to guard against fraud; j). the level of protection required to maintain the confidentiality and integrity of order information; k). avoidance of loss or duplication of transaction information; l). liability associated with any fraudulent transactions; j). the level of protection required to maintain the confidentiality and integrity of order information; k). avoidance of loss or duplication of transaction information; l). liability associated with any fraudulent transactions; m). insurance requirements; n). 
transaction related requirements such as authenticity, confidentiality and integrity of transaction related data, non-repudiation and protection of any transaction related data. 84. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** A.17. Information security aspects of business continuity management (clause A.17.) A.17.1. Information security continuity Objective: Information security continuity shall be embedded in organizations business continuity Management (BCM) to ensure protection of information at any time and to anticipate adverse Occurrences. A.17.1.1. Planning information security continuity Control: The organization shall determine its requirements for information security and Continuity of information security management in adverse situations, e.g. during a crisis or disaster. A.17.1.2. Implementing information security continuity Control: The organization shall establish, document, implement and maintain processes, procedures and controls to guarantee the required level of continuity for information security during an adverse situation. A.17.1.3. Verify, review and evaluate information security continuity Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. 85. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** A.17.2. Redundancies Objective: To ensure availability of information processing facilities. A.17.2.1. Availability of information processing facilities Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. A.18. Compliance A.18.1. Information security reviews Objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures. A.18.1.1. 
Independent review of information security Control: The organizations approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes to the security implementation occur. A.18.1.2. Compliance with security policies and standards Control: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. 86. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** A.18.1.3. Technical compliance inspection Control: Information systems shall be regularly inspected for compliance with the organisations information security policies and standards. A.18.2 Compliance with legal and contractual requirements Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. A.18.2.1. Identification of applicable legislation and contractual requirements Control: All relevant statutory, regulatory, contractual requirements and the organizations approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. A.18.2.2. Intellectual property rights (IPR) Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products. A.18.2.3. Protection of documented information Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with statutory, regulatory, contractual and business Requirements. 87. 
*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** A.18.2.4. Privacy and protection of personally identifiable information Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses A.18.2.5. Regulation of cryptographic controls Control: Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations 88. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Business Continuity planning and Management represents a 4 tier solution, once everything else has failed BCP activation is necessary. Designing a plan and testing that plan is necessary to ensure that it is effective and the supporting resources maintain the capability to respond as intended. Under some circumstances the BCP may be immediately activated placing even more emphasis on BCM. 89. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** For more information contact Skype; Mark_E_S_Bernard Twitter; @MESB_TechSecure LinkedIn; http://ca.linkedin.com/in/markesbernard