Scribd
Upload
511 views6 pages

Technical Controls Standard Overview

This document outlines technical control standards for Aerospace Technology Institute. It includes requirements for access controls, network security, operations management, system change control, software management, and encryption. Specific controls listed include unique usernames/passwords, disabling default/admin passwords, firewall and antivirus usage, regular patching, encryption of data in transit and at rest, and change control processes. The goal is to ensure compliance with ATI's information security policy and the Cyber Essentials Scheme.

Uploaded by

O Google
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
511 views6 pages

Technical Controls Standard Overview

This document outlines technical control standards for Aerospace Technology Institute. It includes requirements for access controls, network security, operations management, system change control, software management, and encryption. Specific controls listed include unique usernames/passwords, disabling default/admin passwords, firewall and antivirus usage, regular patching, encryption of data in transit and at rest, and change control processes. The goal is to ensure compliance with ATI's information security policy and the Cyber Essentials Scheme.

Uploaded by

O Google
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
  • Revision History
  • Responsibility Matrix
  • Technical Controls Standards

Aerospace Technology Institute

Technical Controls Standard

Aug 2021

G Elliott
G Elliott (Oct 4, 2021 14:09 GMT+1)

Oct 4, 2021
Document Owner: IT Systems Manager

Table of Contents
Revision History .......................................................................................................................... 2
Technical Controls Standards .................................................................................................... 3
1.1 Access Controls ............................................................................................................. 3
1.2 Network security............................................................................................................ 3
1.3 Operations Management ............................................................................................... 3
1.4 System Change Control ................................................................................................ 4
1.5 Software Management .................................................................................................. 4
1.6 Encryption ...................................................................................................................... 4
1.7 Local Data Storage......................................................................................................... 5
1.8 External Cloud Services ................................................................................................ 5
1.9 Protection from Malicious Software ............................................................................. 5
1.10 Vulnerability scanning ............................................................................................... 5
1.11 Data destruction ......................................................................................................... 6

Revision History
Version No. Date Issued Brief Summary of Change Approved by
V1.0 May 2021 Earlier part of Information Security Gary Elliot
Policy, now created into separate
document for easy distribution

Responsibility Matrix
Policy Role ATI Role Title / Organisation
Chief Information Security Officer Chief Operating Officer
Data Protection Compliance Manager Chief Technology Officer
IT Systems Manager IT Systems Manager
IT Administrator Response IT

Technical Controls Standard v1 Page 2 of 6 Internal Use only


Document Owner: IT Systems Manager

Technical Controls Standards


The standard specifies the minimum controls to be exercised by the IT Administrator to ensure
compliance with ATI Information Security Policy and Cyber Essentials Scheme.

1. Access Controls
• All computer hardware and software applications shall have unique usernames and
passwords to log-on.
• All unnecessary operating system or application user IDs not assigned to an individual
user shall be deleted or disabled.
• Default passwords and PINs on computers and all network devices shall be changed.
• All passwords shall be stored or transmitted only in encrypted form.
• Wherever possible, strong passwords and two-factor authentication in accordance with
password guidelines shall be enabled on devices and applications.
• Admin accounts shall be formally recorded and reviewed regularly to ensure only
users who need admin privileges have access to them.
• Administrator-level accounts shall not be used for day-to-day activity.
• Administrative accounts shall not be attached with regular email accounts.
• Users shall be restricted from accessing company data (includes emails) and
resources through ‘rooted’ or ‘jail-broken’ devices.
• The device (including users’ personal device) shall lock itself after 10 mins of inactivity.
• The ATI’s data structures will have explicit user access permissions set by the IT
administrator. Any changes to these access permissions must be made via a Access
Change Request form and authorised by the IT Systems Manager and COO.

2. Network security
• All servers, computers, laptops, mobile phones, and tablets shall have a firewall
enabled, if such a firewall is available and accessible to the device’s operating system.
• All network device passwords shall meet the password complexity and default
password shall be changed.
• All firewalls shall be configured to block all unnecessary incoming connections.
• If a port is required to be opened for a valid business reason, the change will be
authorised following the system change control process. The port is closed when there
is no longer a business reason for it to remain open.
• Firewalls shall be monitored regularly for unusual network traffic. The password will be
changed immediately if a compromise is suspected.
• All services enabled on the firewall shall have a documented and approved business
case. All such services shall be reviewed at regular intervals.
• All other services shall be blocked from being advertised.
• Management Console for firewalls shall not be accessible over the internet unless it is
IP restricted or protected by 2 Factor Authentication.

3. Operations Management
• Management of computers and networks shall be controlled through standard
documented procedures that have been authorised by IT Systems Manager.

Technical Controls Standard v1 Page 3 of 6 Internal Use only


Document Owner: IT Systems Manager

• All new and modified information systems, applications and networks shall include
security provisions.
• ‘Auto-play’, ‘auto-run’ and similar features that allow external peripherals to start
processes without user intervention shall be disabled.
• All equipment shall use operating systems and firmware that still receive support and
regular security patches from their manufacturers. Any unsupported or end-of-life
operating systems and firmware will be immediately upgraded, replaced or de-
commissioned.
• The mobile devices accessing business data and resources shall be always encrypted,
and protected by passwords, PIN or biometric authentication.
• Remote wipe of company information shall be enabled on personal devices. This can
be controlled by the user or the company.
• An audit trail of staff access to company systems and data shall be maintained and
reviewed on a regular basis.

4. System Change Control


• Changes to information systems, applications or networks shall be reviewed and
approved by the Chief Information Security Officer .
• All changes shall be correctly sized, the security requirements shall be identified, it
shall be ensured that they are compatible with existing systems according to an
established systems architecture (as required) and are approved by the IT Systems
Manager before they commence operation.

5. Software Management
• All software used shall be appropriately licensed as per publisher’s recommendations.
• All application software, operating systems and firmware shall be updated on a regular
basis to reduce the risk presented by security vulnerabilities.
• All applicable updates and patches for operating systems, firmware and
applications shall be risk assessed and tested where appropriate. All relevant critical
and high priority updates and patches should be applied within 14 days of release. The
IT Administrator shall monitor patching compliance using security tools and
applications installed on users’ devices.
• Only software which has a valid business reason for its use shall be installed on
devices used for business purposes.
• Users shall be restricted from installing software or other active code on business
systems without permission from the IT Administrator.
• All unnecessary and unused application software shall be removed from any devices
used for business purposes.

6. Encryption
• Information in Transit
▪ All transmission of information over internal and external networks shall be via
approved encryption mechanisms for the sensitivity of the information.
• Information at Rest
▪ All information containing electronic data shall be encrypted via approved
encryption mechanisms for the sensitivity of the information.

Technical Controls Standard v1 Page 4 of 6 Internal Use only


Document Owner: IT Systems Manager

7. Local Data Storage


• All business-critical data shall be backed up regularly and restore tested at appropriate
intervals (at least monthly).
• A backup copy shall be held in a different location/service to the original data.
• Backup copies of data shall be protected and comply with the requirements of this
security policy and shall have the same level of protection as the original data.

8. External Cloud Services


• Where data storage, applications or other services are provided by another business
(e.g. a ‘cloud provider’) the IT Systems Manager shall confirm that the provider uses
data confidentiality, integrity and availability procedures which are the same as, or
more comprehensive than those set out in this policy

9. Protection from Malicious Software


• Software countermeasures, including anti-malware, and management procedures shall
be used to protect against the threat of malicious software.
• All computers, servers, laptops, mobile phones, and tablets have anti-malware
software installed, where such anti-malware is appropriate for the device’s operating
system
• All anti-malware software is set to:
▪ scan files on-access
▪ scan files and data on the device daily (if on-access is not available)
▪ automatically check for, and install, virus definitions and updates to the
software itself daily or more frequently if available
• Users are not permitted to disable, or make changes to, the anti-malware programs
installed on their devices, unless specifically authorised
• ‘On-access’ scan, or similar protection features, shall be always enabled
• The anti-malware software shall be set to update automatically as per publisher’s
guidelines
• Access to malicious websites shall be blocked by using appropriate controls like anti-
malware, web-proxy, or whitelisting

10. Vulnerability scanning


• Regular vulnerability scans on networks and devices shall be carried out
• An annual vulnerability scan of all external IP addresses shall be carried out by a
suitable external company
• ATI shall act on the recommendations of the external company following the
vulnerability scan to reduce the security risk presented by any significant
vulnerabilities
• The results of the scan and any changes made shall be reflected in the ATI risk
assessment and security policy as appropriate

Technical Controls Standard v1 Page 5 of 6 Internal Use only


Document Owner: IT Systems Manager

11. Data destruction


• Hard drives, CDs, classified documents, and other similar items used to process, store
and/or transmit confidential and sensitive data shall properly disposed of securely
• Any storage media that is pending destruction shall be appropriately secured to
prevent unauthorised access
• Electronic media (hard-drives, CDs, flash drives, printer and copier hard-drives etc.)
shall be disposed of by one of the following methods:
▪ Where the media is required to be re-deployed – by overwriting (at least 3
times) with the help of professional tools
▪ In all other cases, the hard-drives and other storage device shall be handed
over to a professional destruction firm and a certificate of destruction will be
obtained
• Printouts and other physical media shall be disposed of by shredding using cross-cut
shredders or other acceptable means that will render the information completely
unrecoverable

Add form or link to authorisation form to change access

Technical Controls Standard v1 Page 6 of 6 Internal Use only

Common questions

Powered by AI

The ATI Technical Controls Standard mandates that firewalls be configured to block all unnecessary incoming connections, and any changes for business reasons must follow the system change control process. Firewall configurations are regularly reviewed, and unusual network traffic monitored to promptly address potential security breaches. By requiring that firewalls not advertise unused services and restricting management console access to IP-restricted or two-factor authentication-enabled access, ATI ensures that firewalls remain effective barriers against unauthorized access, protecting sensitive data from external threats .

The Operations Management section enhances system security by requiring that all operations adhere to documented procedures approved by the IT Systems Manager. This includes ensuring that unsupported operating systems and firmware are upgraded or decommissioned, thereby reducing vulnerabilities from outdated systems. Additionally, it mandates disabling 'auto-play' features, encrypting mobile device data, and enabling remote wipe capabilities to protect data if devices are lost or stolen. Maintaining audit trails of system access further ensures accountability and operational integrity by providing a means to detect unauthorised access and potential breaches .

Data destruction, as outlined by ATI, involves secure disposal of hard drives, CDs, and other media used to store sensitive data. The process requires storing media securely before destruction and using methods like overwriting for redeployment or professional destruction services for complete disposal. This prevents unauthorized access to sensitive data and ensures compliance with data protection standards, thus maintaining the confidentiality and integrity of information even after it is no longer needed .

The Aerospace Technology Institute's Technical Controls Standard specifies various roles such as the Chief Information Security Officer, Chief Operating Officer, Data Protection Compliance Manager, Chief Technology Officer, IT Systems Manager, and IT Administrator. These roles are designed to ensure compliance with ATI Information Security Policy and Cyber Essentials Scheme. Each role has specific responsibilities. For example, the IT Systems Manager is accountable for maintaining and enforcing technical controls, such as access control and network security, while the Chief Information Security Officer reviews and approves system changes to ensure security requirements are met .

The software management practices in the ATI policy are crucial for reducing cybersecurity risks. Regular updates and patching of software, operating systems, and firmware reduce vulnerabilities that could be exploited by cyber threats. Restricting software installations ensures that only necessary and approved applications are used, minimizing the risk of malware. By removing unnecessary applications and requiring risk assessment and testing of patches, the policy maintains system integrity and lowers the potential for security breaches through software vulnerabilities .

The ATI policy addresses protection against malicious software through comprehensive countermeasures, including the installation of anti-malware software on all appropriate devices. This software is required to be kept up to date, automatically scanning files on access and performing daily scans. Additional measures involve blocking access to malicious websites using web-proxies or whitelisting, prohibiting users from disabling security settings, and ensuring devices check automatically for updates. These layers of defense are critical in preventing, detecting, and responding to malicious software threats .

Access control measures such as requiring unique usernames and passwords, deleting unnecessary user IDs, and changing default passwords help secure the network by preventing unauthorized access. Strong passwords and two-factor authentication further enhance security by making it more difficult for unauthorized users to gain access. Additionally, measures such as locking devices after inactivity and ensuring admin accounts are not linked to regular email accounts prevent misuse of access privileges which are crucial for safeguarding network resources .

Regular vulnerability scanning in the ATI policy is a proactive measure to identify security weaknesses in networks and devices. After each scan, any identified vulnerabilities are assessed, and the ATI acts on external recommendations to address significant security risks. This process ensures continuous improvement of the security posture by updating the risk assessment and security policies based on the findings, thereby enhancing overall security and reducing the likelihood of exploitation .

The ATI policy mandates that all data in transit over networks use approved encryption mechanisms, ensuring that sensitive information is protected during transmission. Similarly, data at rest must also be encrypted to protect it from unauthorized access. These protocols ensure that even if data is intercepted or accessed illicitly, it remains unreadable to unauthorized individuals. This robust approach to encryption greatly enhances data confidentiality and prevents data breaches, supporting overall data security within the organization .

The regulations on external cloud services in the ATI policy require that providers implement data confidentiality, integrity, and availability procedures comparable to or exceeding those in the ATI policy. This ensures that any data stored or processed externally is subject to stringent security controls, thereby safeguarding it from unauthorized access and potential loss. By mandating compliance verification from the IT Systems Manager, the policy enforces accountability and ensures that third-party service compliance aligns with ATI’s data protection standards .

You might also like