BG Group
Information Management
Summary of Information Security
Standards
Distribution: Publication on the Portal
Information Security Summary Version: 1.7
© 2005 BG Group page i Date: Nov 2005
Change History

Issue  Date      Sections  Version  Author        Description
10     20.12.04  All       1.5      Philip Colby  Revised with updates from Legal Dept.
11     3.10.05   All       1.6      Philip Colby  Updated in line with 2005 version of ISO 17799
12     7.11.05   7, 11     1.7      Philip Colby  Updated with comments from reviewers
Contents
1 SCOPE  1
2 TERMS AND DEFINITIONS  1
3 STRUCTURE OF THIS STANDARD  1
4 RISK ASSESSMENT AND TREATMENT  1
5 SECURITY POLICY  1
6 ORGANISATION OF INFORMATION SECURITY  1
6.1 INTERNAL ORGANISATION  1
6.2 EXTERNAL PARTIES  2
7 ASSET MANAGEMENT  2
7.1 RESPONSIBILITY FOR ASSETS  2
7.2 INFORMATION CLASSIFICATION  2
8 HUMAN RESOURCES SECURITY  2
8.1 PRIOR TO EMPLOYMENT  2
8.2 DURING EMPLOYMENT  3
8.3 TERMINATION OR CHANGE OF EMPLOYMENT  3
9 PHYSICAL AND ENVIRONMENTAL SECURITY  3
9.1 SECURE AREAS  3
9.2 EQUIPMENT SECURITY  3
10 COMMUNICATIONS AND OPERATIONS MANAGEMENT  3
10.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES  3
10.2 THIRD PARTY SERVICE DELIVERY MANAGEMENT  4
10.3 SYSTEM PLANNING AND ACCEPTANCE  4
10.4 PROTECTION AGAINST MALICIOUS AND MOBILE CODE  4
10.5 BACKUP  4
10.6 NETWORK SECURITY MANAGEMENT  4
10.7 MEDIA HANDLING AND SECURITY  4
10.8 EXCHANGE OF INFORMATION  4
10.9 ELECTRONIC COMMERCE SERVICES  5
10.10 MONITORING  5
11 ACCESS CONTROL  5
11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL  5
11.2 USER ACCESS MANAGEMENT  5
11.3 USER RESPONSIBILITIES  5
1 SCOPE
BG Group’s information security standards require all staff to design, implement, operate and manage
systems in a secure way in accordance with legislation, regulation and standards of good practice.
These standards apply to all information and information systems within the company, whether owned
by the company, or entrusted to it by third parties. The standards set out a code of best practice and
where appropriate identify mandatory requirements for all employees, contractors, consultants and
temporary staff. They are applicable to all BG Group wholly owned subsidiaries and all activities
controlled by the BG Group worldwide. In situations where the Company has a minority interest or
does not have control, BG Group seeks to encourage partners to follow an equivalent set of standards.
2 TERMS AND DEFINITIONS
Information security – The preservation of confidentiality, possession, integrity, authenticity,
availability and utility of information.
Confidentiality – Ensuring that information is accessible only to those authorised to have access.
Integrity – Safeguarding the accuracy and completeness of information and processing methods.
Availability – Ensuring that authorised users have access to information and associated assets when
required.
Further definitions can be found in the document “Information Security Terms and Definitions”.
4 RISK ASSESSMENT AND TREATMENT
Information security issues are managed using a risk management approach. Security risks are
identified, evaluated, and quantified where appropriate. An acceptable level of overall risk is
determined, and risks are controlled, reduced and eliminated to achieve that level. Risks are
documented in a risk register.
5 SECURITY POLICY
BG Group’s Security Policy and Security Directive 309 are owned and maintained by the HSSE
function. These are approved by the BG Group Executive.
This information security summary document, and the various standards to which it refers, are the
responsibility of the IM Security and Policies Manager. A list of information security standards and
procedures is maintained in the document “Security Documentation Manifest”. Security standards are
intended to conform to ISO/IEC 17799 (2005 edition). Standards are implemented through documented
procedures, and compliance with them is evidenced by controls.
All documents are reviewed and reissued at least once a year, and the relevant portions published on
the Company portal. As a matter of procedure, new or updated standards documents are reviewed by
all interested parties, including IM technical authorities, relevant business process owners, and
outsourcing service providers where appropriate. The IM Security & Policies team maintains a record
of standards reviews and approvals.
Some further information can be found in Standard 5.1 Information Security Policy.
6 ORGANISATION OF INFORMATION SECURITY
6.1 Internal organisation
Information security issues are managed by the Information Security Steering Group.
7 ASSET MANAGEMENT
7.1 Responsibility for assets
Records of all BG Group assets must be kept up to date and easily available. Assets include
information (databases, files, procedures, documentation, paper records), software (applications,
operating systems, development tools, utilities) and physical items (computers, printers, modems,
switches, routers, disks, tapes, fax machines, telephones, mobiles, etc.)
All assets must have an identified Owner: the individual within the organisation who is accountable
for its maintenance and security. Further detail is contained in Standard 7.1 Responsibility for Assets,
and in the Data Ownership Standard. BG Group assets are subject to an acceptable use policy.
7.2 Information classification
All assets must be classified and labelled to protect their confidentiality, integrity and availability.
Classification of assets must be derived from a risk assessment carried out by the owner of that asset.
Access and changes to the information must be approved by the designated owner. Further details can
be found in Standard 7.2 Information Classification.
All documents, including computer output, must be classified according to the Company Standard for
Document Classification and Labelling. This is included in the appendix to the HSSE Security
Directive 309.
8 HUMAN RESOURCES SECURITY
8.1 Prior to employment
Potential employee recruits must be screened in accordance with HR procedures.
As part of their terms and conditions of employment employees of BG Group are required to comply
with the Business Principles and with all Company policies and procedures including the Group
Security Policy.
Further information can be found in Standard 8.1 Human Resources Security: Prior to Employment.
8.2 During employment
It is the responsibility of the Data Owners to ensure that all users have had good security practice
explained to them and are made aware of security risks, of information security procedures and policies,
and of the legal aspects of information security that could result in liability for the user and/or BG Group,
such as data protection, misuse of email and the Internet, and intellectual property. It is the responsibility
of IM to promote security awareness by undertaking a regular information security awareness programme,
publishing information security material on the Portal, and holding presentations and briefings on
security issues. Further information can be found in Standard 8.2 Human Resources Security: During
Employment.
8.3 Termination or change of employment
When a member of staff resigns or has their employment terminated, their line manager must follow
the appointed leavers’ procedure. The access rights of users must be revoked promptly when they
leave. Any passwords the leaver knows for other accounts or services that remain active (for example
shared or service accounts) must be changed. All users are required to return any company equipment,
software, documents and access cards before leaving.
9 PHYSICAL AND ENVIRONMENTAL SECURITY
9.1 Secure areas
IT facilities supporting critical or sensitive business activities must be physically protected from
unauthorised access, damage and interference. Standards for securing sites are to be found in the
Standard 9.1 Physical Security of Sites. This covers perimeter security, physical entry controls, control
of visitors, and the management of secure areas.
9.2 Equipment security
Equipment must be controlled to prevent loss, damage or compromise of assets and interruption to
business activities. IT equipment must be sited or protected to reduce the risk from environmental
hazards and opportunities for unauthorised access in accordance with the Company Standard for
Equipment Security. Equipment security provisions cover emergency power requirements, cabling
security, equipment maintenance, the security of equipment off-premises, and secure disposal of
equipment. Disposal or destruction of equipment may only be carried out in accordance with
Standard 9.2 Equipment Security. Staff may not remove computer equipment from BG Group’s sites
without prior written permission.
10 COMMUNICATIONS AND OPERATIONS MANAGEMENT
10.1 Operational procedures and responsibilities
All systems operations must be formally planned, authorised and documented. Operations
documentation should include a procedure for incident management. Where facilities are managed
externally, the same obligations must be specified in the contract with the service supplier.
Computer operational procedures should be designed so that functions are divided between
individuals, so that no one person has unrestricted and unsupervised control over system operations.
Development facilities must be separated from operational facilities, and formal approval must be
given before systems are moved from development into production.
10.2 Third party service delivery management
Where a service is outsourced to an external contractor, there are additional sources of risk. These
should be mitigated through appropriate controls agreed with the contractor and included in the
contractual agreement. Third party services should be monitored to ensure that the information
security requirements are adhered to. Reports and records should be reviewed, and audits carried out
regularly. Further information can be found in Standard 10.2 Third Party Service Delivery
Management.
10.3 System planning and acceptance
New hardware and software systems must be stress tested under peak loading conditions to establish
that they provide the required capacity and resilience. User acceptance testing must be undertaken,
and formal approval must be given, before systems are put into production.
10.4 Protection against malicious and mobile code
Servers and client computers should be hardened against attack wherever possible. This includes the
use of antivirus and personal firewall software, regular updating with vendor patches, and use of
appropriate security settings in browsers and email clients. Mobile code should be controlled to help
prevent the introduction of malicious software. These provisions are covered in the Standard 10.4
Protection against Malicious and Mobile Code.
10.5 Backup
All sites must have systematic procedures for taking backups of important data and application
programs, in accordance with Standard 10.5 Backup. Backup copies must be stored in a secure place,
such as a fireproof safe; the most secure location for backups is an offsite store.
10.6 Network security management
Networks must be managed to ensure the security of data and the protection of connected services
from unauthorised access. The overall responsibility for provision of network services and ensuring
their security, to meet the business need, resides with the IM Service Operations Manager. Where
network services are provided by third parties, it is essential that the contracts between BG and these
service providers specify the necessary security requirements and service levels. Specifications should
include the security technology that will be employed, e.g. the authentication, encryption and
connection controls.
10.7 Media handling and security
Removable media containing confidential information must be managed with the same security
provisions as other information assets. Such media must be properly labelled and kept under lock and
key, with access restricted to authorised persons. Backup tapes of servers are particularly sensitive, as
their disclosure could compromise the security of the network. Backup tapes must be kept in a fireproof
safe, and they must be signed for when removed. Disks, tapes or other media that contain confidential
information must be securely erased and/or destroyed when disposed of.
10.8 Exchange of information
In order to ensure that communications are kept secure, all users must be aware of, and comply with,
BG Group’s Internet and Electronic Communications Policy.
Systems that are publicly available, e.g. Internet web servers, must comply with all relevant legislation
(e.g. The Data Protection Act). Also, to avoid accidental or malicious corruption, they should be
protected by integrity checking mechanisms. Websites should only be developed and maintained by
qualified and authorised personnel who are aware of the risks of malicious intrusion and damage by
external persons.
Sensitive or confidential information may only be sent by fax when no other, more secure, method of
communication is available. The transmission must be authorised by the owner of the information and
by the recipient. The same applies to any information transmitted over the public telephone network.
Users should be made aware of the information security risks of making audio and video conference
calls.
Confidential or sensitive information may not be given out over the telephone without verifying the
identity of the recipient.
Users should avoid sending sensitive information unencrypted over the Internet, as it is liable to
interception or even modification in transit. Confidential documents should be communicated using a
secure service such as eRoom. Further information can be found in Standard 10.8 Exchange of Information.
10.9 Electronic Commerce Services
Electronic communication and commerce may be vulnerable to fraudulent activity, contract dispute
and disclosure or modification of information. When commercial information is communicated, or
applications are deployed that involve online transactions, a risk assessment should be conducted to
determine the appropriate level of controls that should be applied to protect against any threats.
10.10 Monitoring
Wherever feasible, logging should be employed so that system security violations can be detected,
examined and traced. Logs should be examined periodically to check for abnormal activity. Where
appropriate, significant systems should incorporate alerts that notify system administrators when there
is a high volume of failed access attempts. Further details can be found in Standard 10.10 Monitoring.
11 ACCESS CONTROL
11.1 Business requirement for access control
Data is a valuable corporate asset; in order to protect it, all data must have a Data Owner, who is the
manager ultimately responsible and accountable for its security. The Data Owner will normally be the
relevant Level 1 manager. The Data Owner may nominate a Data Steward and/or a Business Process
Owner to be responsible for day-to-day management tasks. The responsibilities of Data Owners,
Stewards and Business Process Owners are documented in the Data Ownership Standard.
When setting up intranet and extranet access, consideration must be given to ensuring the
confidentiality of Company information published there.
11.2 User access management
To prevent unauthorised access to information systems, all users will employ user IDs that are created,
amended and deleted in accordance with the BG Group’s standards and procedures. User privileges
must also be managed to ensure security, and should be reviewed regularly by the relevant Data
Stewards. Passwords should also be managed through a formal process. Further details can be found
in Standard 11.2 User Access Management. Administrator privileges are only provided where
necessary and are not supplied to users as standard.
11.3 User responsibilities
Every user is personally responsible for the use of their user ID and password in an authorised manner
and in compliance with standards. Users must comply with Standard 11.3.1 Password Use.
Confidential information and documents must not be left out on desks when not being used.
All computer users must ensure that their screens are clear when not being used. Password protected
screen savers must be set to activate after fifteen minutes of inactivity. Users leaving their desks must
lock access to their computer, or log off. Desks should be left clear of any confidential documents or
media.
11.4 Network access control
External access to BG Group’s networks and information systems must only be permitted by the use
of specific gateways that are themselves protected by an appropriate firewall. Firewalls must be
configured, managed and tested in accordance with Standard 11.4.5 Firewall Management.
Users on BG Group sites may only connect to network services for which they are authorised.
Network accounts should be managed according to a procedure that includes provisions for account
setup, authorisation, privilege control, monitoring, reporting and audit. Further details can be found in
Standard 11.4 Network Access Control.
Users accessing network services from outside the Company network, e.g. over the Internet, will be
required to authenticate using two different factors. This will usually be a username/password
combination (something the user knows) together with a SecurID token (something the user has).
Virtual Private Network (VPN) connections may be used to connect remote users or remote networks,
subject to the requirements of Standard 11.4.6.4 VPN Security.
The configuration and management of wireless networks must conform to Standard 11.4.6.5 Wireless
Networks.
Personnel from other companies may not attempt to connect to the Company’s networks without prior
authorisation from IM. Third parties providing technical support may log on for diagnostic purposes
provided these users are supervised by qualified network staff.
11.5 Operating system access control
Access to systems must comply with the standards for logon procedures, user authentication, and
password management specified in Standard 11.5 Operating System Access Control.
11.6 Application and information access control
Authentication of users within applications must make use of authentication functions at the operating
system level as far as possible, so as to avoid unnecessary proliferation of usernames and passwords.
Systems that are particularly sensitive, or carry an especially high security risk, should be isolated
from network access.
11.7 Mobile computing and teleworking
Users of mobile computers and mobile phones must be made aware of the security issues and
requirements that relate to their use and accept responsibility for the security of information held on
such devices.
Personnel issued with mobile phones are responsible for using them in a manner that is consistent with
the confidentiality of the conversation.
Further details can be found in Standard 11.7 Mobile Computing and Teleworking.
12.2 Correct processing in applications
Data must be validated on input to detect invalid, unreasonable, inconsistent or missing data. For
example: out-of-range values, invalid characters in data fields, values exceeding preset limits. Input
fields must also always be length-checked so that oversized input cannot cause buffer overflows.
Data must be validated during processing to ensure that it is not accidentally or deliberately corrupted.
For example: run-to-run totals, file update totals, database integrity checks.
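The two controls above (validation on input, and control totals during processing) are shown together in the following added example, which is not code from the BG Group standard. The record layout (a batch of payment lines with account, amount and currency), the field limits and the batch header are assumptions made for illustration.

```python
"""Input validation plus batch control totals (added example).

The payment-record layout, the limits and the sample batch are constructed
assumptions for illustration, not BG Group data or BG Group code.
"""
import re
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^[A-Z0-9]{8,12}$")   # assumed account format
MAX_AMOUNT = Decimal("1000000.00")              # assumed preset limit
ALLOWED_CURRENCIES = {"GBP", "USD", "EUR"}
MAX_FIELD_LEN = 64   # reject oversized fields before they reach fixed-size buffers downstream


def validate_record(raw):
    """Return a cleaned record, or raise ValueError listing every failed check.

    Checks, in order: missing fields, field length, character set/format,
    numeric range and precision, allowed values.
    """
    if not isinstance(raw, dict):
        raise ValueError("record must be a mapping")
    errors = []
    for key in ("account", "amount", "currency"):
        if raw.get(key) in (None, ""):
            errors.append(f"{key}: missing")
    for key, value in raw.items():
        if isinstance(value, str) and len(value) > MAX_FIELD_LEN:
            errors.append(f"{key}: exceeds {MAX_FIELD_LEN} characters")
    if errors:
        raise ValueError("; ".join(errors))  # do not parse what is already rejected

    account = str(raw["account"]).strip()
    if not ACCOUNT_RE.match(account):
        errors.append("account: invalid characters or length")

    try:
        amount = Decimal(str(raw["amount"]))
    except InvalidOperation:
        errors.append("amount: not a number")
    else:
        if amount.is_nan() or amount <= 0 or amount > MAX_AMOUNT:
            errors.append(f"amount: out of range (0, {MAX_AMOUNT}]")
        elif amount != amount.quantize(Decimal("0.01")):
            errors.append("amount: more than two decimal places")

    currency = str(raw["currency"]).strip().upper()
    if currency not in ALLOWED_CURRENCIES:
        errors.append("currency: not in allowed list")

    if errors:
        raise ValueError("; ".join(errors))
    return {"account": account, "amount": amount, "currency": currency}


def process_batch(records):
    """Validate each record; return (accepted, rejected) where rejected
    is a list of (index, reason) so bad input is reported, not silently dropped."""
    accepted, rejected = [], []
    for i, raw in enumerate(records):
        try:
            accepted.append(validate_record(raw))
        except ValueError as e:
            rejected.append((i, str(e)))
    return accepted, rejected


def reconcile(accepted, header):
    """Control-total check: compare the accepted records against the
    count and total carried in the batch header. Returns a list of
    discrepancies (empty when the batch reconciles); a mismatch means
    something was dropped, duplicated or altered between producer and here."""
    discrepancies = []
    total = sum((r["amount"] for r in accepted), Decimal("0"))
    if len(accepted) != int(header["count"]):
        discrepancies.append(f"count: got {len(accepted)}, header says {header['count']}")
    if total != Decimal(str(header["total"])):
        discrepancies.append(f"total: got {total}, header says {header['total']}")
    return discrepancies


# Constructed sample batch: three good records and two bad ones.
SAMPLE_BATCH = [
    {"account": "GB12ACME0001", "amount": "1250.00", "currency": "GBP"},
    {"account": "US77ACME0002", "amount": "99.99", "currency": "usd"},
    {"account": "acme'; DROP TABLE", "amount": "-5", "currency": "GBP"},   # bad characters, bad range
    {"account": "EU55ACME0003", "amount": "A" * 200, "currency": "EUR"},  # oversized field
    {"account": "GB12ACME0004", "amount": "40.00", "currency": "EUR"},
]
SAMPLE_HEADER = {"count": 3, "total": "1389.99"}   # producer's control totals for the good records

if __name__ == "__main__":
    ok, bad = process_batch(SAMPLE_BATCH)
    for index, reason in bad:
        print(f"rejected record {index}: {reason}")
    print("reconciliation:", reconcile(ok, SAMPLE_HEADER) or "OK")
```

Validation is deliberately positive (allow-listed character set, bounded numeric range, allowed currencies) rather than a search for known-bad strings, and the length check runs before anything is parsed. The reconciliation step is the run-to-run total the standard refers to: if the producer's header says three records totalling 1389.99 and the consumer sees anything else, the batch is held rather than posted.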
12.3 Cryptographic controls
The use of cryptographic technology is subject to the specifications set out in Standard 12.3
Cryptographic Controls. Staff should be aware that the use of encryption is subject to legal restrictions
in many countries. Staff wishing to use encrypted communications should seek advice from the IM
Security & Policies team.
12.4 Security of system files
To ensure that projects and support activities are conducted in a secure manner, the provisions of
Standard 12.4 Security of System Files must be followed when systems are developed, tested and
deployed.
12.5 Security in development and support processes
There must be rigid separation of development, test and production environments. A formal change
control process must be followed when systems are updated. Changes must be subjected to a technical
review before implementation.
12.6 Technical vulnerability management
Software owners should make arrangements to ensure that information on potential technical
vulnerabilities is obtained, monitored and acted upon in a timely manner, e.g. by checking with the
publishers of the software to discover whether important patches are available. Critical patches should
be rolled out within a week of publication.
13 INFORMATION SECURITY INCIDENT MANAGEMENT
13.1 Reporting Information Security Events and Weaknesses
Information security events and incidents of any kind should be reported as soon as possible to the
Service Desk.
13.2 Management of Information Security Incidents and Improvements
Security incidents will be investigated in accordance with the Standard 13.2 Management of
Information Security Incidents and Improvements. Once the incident has been resolved, it will be
closed and a final report produced. A nominated manager will circulate this report to all interested
parties. A schedule of security summary reports will be held in a shared area accessible to BG and its
service provider. The reports shall be reviewed on a monthly basis as part of IM's governance
structure.
14 BUSINESS CONTINUITY MANAGEMENT
14.1 Information security aspects of business continuity management
The owner of every business process and support process is responsible for ensuring that an
appropriate business continuity risk assessment is carried out. Based on current industry standards,
such a risk assessment must be reviewed and updated at least every two years.
The risk assessment must cover all potential risks and include an impact analysis. There must also be a
business continuity plan in place to ensure that systems can be recovered and restored as quickly as is
necessary. Assessments and plans must conform to Standard 14.1 Information Security Aspects of
Business Continuity Management.
15 COMPLIANCE
15.1 Compliance with legal requirements
The use of Company computers must comply with all relevant legislation, regulations and the
licensing agreements. In the UK, this includes the Computer Misuse Act 1990, the Data Protection
Act 1998, the Electronic Communications Act 2000, and the Regulation of Investigatory Powers Act
2000.
The use and management of email must meet all of the Company’s business and legal requirements.
Email and documents must be retained for a minimum period in accordance with the document
retention guidelines within the Company’s Records Management Policy.
Personal information about employees, customers, suppliers, or any other third party contacts is
confidential and must be protected against unauthorised access or disclosure. Storage and management
of personal data must comply with the Company’s policy on Data Protection.
15.2 Compliance with security policies and standards, and technical compliance
Technical compliance with security policy must be checked periodically by auditing systems and
procedures, by automated scanning of systems for vulnerabilities such as misconfigured servers, and by
internal and external penetration testing.
15.3 System audit considerations
Auditing of systems should be planned and managed to ensure that systems and services are not
disrupted and that data is not compromised. Auditing tools should be secured to protect them from
misuse.