
Holding and Hosting Form - BBC (Web view, 2014/04/22)

Technology, Distribution & Archive

BBC Data Holding and Hosting Request Form

Status: Approved Request Form

Content Authority: Head of Information Security, Governance & Compliance - David Jones

Description: This form is to be completed whenever BBC information is to be hosted away from BBC infrastructure. It covers requests to hold/host both personal and non-personal data held on an external ISP or other data processor.

Template Control

Template Version: 5.0
Date: 21/04/2014
Last Reviewed: April 2014

Location
Internal: IS Approval Forms page [explore.gateway.bbc.co.uk]
External: DQ Third Party Policies page [bbc.co.uk]

Document history

Sys Review ID: (Syyyy/nnnnn/rr)
Division & Dept:
BBC ISGC Owner:
BBC PM: (BBC Project Manager Name)
BBC Data Owner:
Document Name: BBC ISGC Holding and Hosting form – Project Name Vver.docx
Project:
Supplier:
Go Live Date: (Planned or actual go live date)

Date | Version | Author | Change / Comments
 | 0.1 | | Initial draft version

Date Approved | Version | ISGC Approver | Comments

V5.0 ©BBC 2014 Confidential When Complete Page


Contents

1. Purpose of this document ... 1
1.1. Background ... 1
1.2. About this form ... 1
1.3. Completing and submitting this form ... 1
2. Summary Information ... 2
3. High Level Details ... 2
3.1. To be completed by BBC staff responsible for this project ... 2
3.2. To be completed by supplier ... 3
4. Support Responsibilities Matrix ... 4
5. Information Security Policy ... 4
6. Organisation of Information Security ... 5
7. Human Resource Security ... 5
8. Asset Management ... 5
9. Logical Security ... 5
10. Cryptography ... 6
11. Physical and Environmental Security ... 7
12. Operations Security ... 7
13. Monitoring and Logging ... 8
14. Access and Control ... 8
15. Acquisition, development and maintenance ... 8
16. Supplier relationships ... 8
17. Incident Management ... 9
18. Business Continuity ... 9
19. Compliance ... 9
20. Appendix A - Personal Data Processing Activities ... 11
20.1. Third Party Data Processing – Data Lifecycle Questionnaire ... 11
20.2. Eight Data Protection Principles (set out in the Data Protection Act 1998) ... 12
21. Appendix B - Approvals ... 13
21.1. BBC Information Security, Governance & Compliance ... 13
21.2. BBC Information Policy & Compliance (if required) ... 13
22. Appendix C – Contact and help Information ... 14
22.1. BBC Information Security, Governance & Compliance ... 14
22.2. BBC Information Policy Compliance ... 14
23. Appendix D – Template Version Control ... 14


1. Purpose of this document

1.1. Background

BBC Information Security is required to assess the adequacy of security controls for all systems/projects/services that host BBC data, prior to those systems going live. Increasingly, those systems are hosted by third party organisations, away from BBC infrastructure. Before you start, please be aware that when looking at a new 3rd party hosted system or service, you must first have considered whether existing BBC in-house capabilities are able to deliver what you need.

1.2. About this form

You've been asked to fill in this form because you are involved in planning a new system which will process/host BBC data outside of the BBC network, or are intending to make changes to one that already exists. Where technical expertise is required, we expect relevant technicians to be consulted to provide accurate answers. The answers should be provided by a combination of staff from the third parties involved and the internal BBC team responsible for the project, depending on where the necessary understanding resides.

Where the system is not affected by questions in this form, you are at liberty to mark these N/A, but please detail why you believe these are not applicable. This document is used to assess your security capabilities in the context of the system/service being delivered, and in particular the sensitivity of the data being hosted. Small organisations are not precluded, and a single person may be responsible for many of the roles that appear to be defined within these questions.

There are 2 parts to this form:

Part 1 – Information Security Review – Sections 2-19
Part 2 – BBC IP&C Review – Section 20 (to be completed where personal data is stored)

Once you have completed the form, please submit it to BBC Information Security ([email protected]), who will review the form, distribute it to BBC IP&C/BBC PR&C (where required) and ask further questions as required to complete their review. Based on this review, BBC Information Security may require additional controls/mitigations to be implemented as a condition for signoff.

1.3. Completing and submitting this form

The BBC staff managing this project should fill in the following sections:

Section 2
Section 3.1

The supplier should complete sections 3.2 to 19. If any form of personal data is to be hosted on the solution, section 20 should also be completed by the supplier.

The completed form should only be emailed to the BBC within an encrypted zip file, with the key being sent by SMS to the intended recipient of the email.


2. Summary Information

Summary information about the system/project under review. To be completed by BBC staff responsible for this project.

2.1 Please enter your name, contact details and your role with this project or system

(Details, must include email address and mobile number)

2.2 Please detail the name of the third party supplier contact and their details.

(Details)

2.3 If the system, solution, project, or development has a name, please indicate it here.

We sometimes encounter systems that have previously been known as something else; if this is the case, please let us know any previous names:

(Details)

(Details)

2.4 If your submission is part of a larger system or project, please give the name of the "parent" system or project. If you have already submitted one of these forms for the parent system, please indicate this here and only answer the rest of the questionnaire if there is a difference between this child system and its parent.

If the submission is replacing an older system, please explain here how the data / crypto keys on this system will be securely destroyed/migrated.

(Details)

(Description)

2.5 Please give an indication of how urgent the Information Security approval is; indicate any critical decision dates or project milestones:

(Description)

2.6 If the system were to become non-operational as a result of a security event that affected it (or dependent systems), would this impact broadcast output, or the ability of the BBC to perform its normal business functions? Please explain how:

Similarly, if information were to be stolen from the system, or modified/deleted as a result of a security event, would this impact broadcast output, or the ability of the BBC to perform its normal business functions? Please explain how:

(Description)

(Description)

3. High Level Details

3.1. To be completed by BBC staff responsible for this project.

3.1.1 Please give a very brief description of what the system will be for and how it will work.

(Description)

3.1.2 Please describe the information/data that will be stored/processed by the system.

(If you are collecting or processing any personal data (including name, email, address, telephone numbers, DOB, age, bank details, staff number, salary, NI number, next of kin, images, nationality, race, gender, criminal record, religion, sex life, political opinion/affiliations, IP addresses) you must fill out the Data Lifecycle Questionnaire in Section 20)

(Description)


3.1.3 Is your requirement likely to need a name registered on the Internet?

If yes – you must contact [email protected] [Domain Manager in the GAL] to manage this process.

(Description)

3.1.4 Has any funding been allocated to secure the solution, including Penetration Testing?

(Description)

3.1.5 Who in the BBC will be responsible for controlling access to the data after go-live? (e.g. who is the data owner)

(Description)

3.1.6 Most systems need to be operated, supported, maintained and repaired. What plans are in place to perform these functions?

Which group(s) or suppliers will be responsible?

(Description)

(Name)

3.1.7 What is the contract period for each 3rd party? (Description)

3.1.8 What audit rights will the BBC have, in the contract with the supplier?

(Description)

3.1.9 Will the data be shared with any other third parties? If so, separate Holding and Hosting forms will be required.

(Description)

3.1.10 If the system were to be affected by an external event, how long could it be unavailable before it causes significant disruption to BBC operations?

(Description)

3.2. To be completed by supplier

3.2.1 Please enter your name, contact details and your role with this project or system

(Details)

3.2.2 Please give a very brief description of what the system will be for and how it will work

(Description)

3.2.3 Please describe the information/data that can be stored/processed by the system.

(If you are collecting or processing any personal data (including name, email, address, telephone numbers, DOB, age, bank details, staff number, salary, NI number, next of kin, images, nationality, race, gender, criminal record, religion, sex life, political opinion/affiliations, IP addresses) you must fill out the Data Lifecycle Questionnaire in Section 20)

(Description)

3.2.4 Please supply us with a detailed diagram of the information flows within the system and between it and other systems.

(Attached File)

3.2.5 Please supply us with a high-level system or architectural diagram, showing what equipment will be used, where it will be located, how it will be inter-connected and what Operating, Database and main software components run on each. This should also include Firewalls and any IDS/IPS installed. (This can be the same diagram as above if it covers both clearly.)

(Attached File)

3.2.6 Please supply us with the high-level System Design Documentation, including details of all Information Security requirements and planned/implemented InfoSec functionality.

(Attached File)

3.2.7 Will the system accept data from another system and if so, what?

Will the system send data to another system and if so, what?

(Yes/No and Description)

(Yes/No and Description)

3.2.8 What will be the principal methods of transporting information? Examples include (but are not limited to): HTTP "get"; SFTP over SSH; HTTPS; email etc.

(Description)

3.2.9 Most systems need to be operated, supported, maintained and repaired. What plans are in place to perform these functions?

Which group(s) or suppliers will be responsible?

(Description)

(Name)

3.2.10 Where are your corporate headquarters based?

Do you have any subsidiaries, affiliates or parent companies based in the United States of America? (If yes please give details).

(Location)

(Yes/No & Location)

3.2.11 Please indicate whether any vulnerability scanning or penetration testing has been, or is scheduled to be, carried out on the application.

If so, please indicate any critical or significant findings from such reviews and how you have addressed them.

(Description)

(Yes/No and Description)

4. Support Responsibilities Matrix

INFRASTRUCTURE SUPPORT LAYER / NAME OF RESPONSIBLE ORGANISATION/INDIVIDUAL (or N/A)

4.1 Physical Hardware/Data Centre (Computers, Network infrastructure, Power and Cooling) (Name)

4.2 Virtualisation Layer Support (where applicable) (Name)

4.3 Operating System Support (Name)

4.4 Database Support (DBAs) (Name)

4.5 Application / Web Application Support (Code) (Name)

4.6 Application / Web Application Support (User Admin) (Name)

5. Information Security Policy

5.1 Does your organisation have in place a set of Information Security Policies? If so, please provide copies of the policies.

(Yes/No and Attachments)

5.2 Are these policies approved by the senior management within your organisation, regularly reviewed and communicated to all your staff?

(Yes/No)

5.3 If the organisation who will hold the BBC data is a subcontractor to your organisation, how will you ensure that their Information Security meets the required standards?

(Description)

6. Organisation of Information Security

6.1 Who has been appointed to take ultimate responsibility for Information Security within your organisation?

(Name & Role)

6.2 Have all information security responsibilities within your organisation been defined and allocated, including maintaining appropriate contacts with relevant authorities and groups, ensuring that Information security is addressed in project management and ensuring that conflicting duties and areas of responsibility are segregated?

(Yes/No)

7. Human Resource Security

7.1 Are background checks, Disclosure and Barring Service (DBS, previously CRB) checks, or similar, carried out on staff that will be accessing BBC data or systems?

(Yes/No)

7.2 Have staff members agreed to and signed the BBC's Acceptable Use Policy?

(Yes/No)

7.3 When a person working with BBC data no longer performs that role, are their permissions to BBC data revoked?

(Yes/No)

8. Asset Management

8.1 Will an asset register be completed to log all assets holding BBC data, and who is responsible for updating it?

(Yes/No and Description)

8.2 Will all BBC Data held on removable media, including Back-ups, be encrypted?

(Description)

8.3 Describe how and when media containing BBC Data would be securely destroyed.

(Description)

8.4 Will any physical media containing BBC Data be transferred outside your organisation (e.g. Back-ups) and if so, what procedures will be in place to protect the media from loss?

(Yes/No and Description)

9. Logical Security


9.1 How will you decide which of your staff (support, development etc.) need access to the BBC system and data? How will you manage that access, and what controls are in place to ensure that privileged access rights will be restricted and controlled?

(Description)

9.2 Will the User/Privileged access rights for your staff be regularly reviewed?

(Yes/No)

9.3 What system functionality will be in place to enable BBC staff to manage access to the BBC system and data, including what controls are in place to ensure that privileged access rights can be restricted and controlled?

(Description)

9.4 Please state what system enforced password settings are active for:

Password Minimum Length/Complexity (Description)

Password Change Interval (Description)

Lockout (after incorrect password entries) (Description)

Password aging/history (Description)

Can you also state what additional measures will be in place to secure administrator accounts (e.g. stronger passwords, 2FA or crypto keys required to access systems)? (Description)

Can you confirm all default passwords have been changed? (Yes/No)

10. Cryptography

10.1 Will any, or all, BBC data be encrypted at rest within the system?

If yes, provide details of what data will be encrypted and of the strength and type of encryption used.

(Yes/No)

(Description)

10.2 Will password hashing be used within the system; if so where, to what standard and will any salting be used?

(Yes/No) (Description)

10.3 Will BBC data be encrypted whilst in transit?

If yes, provide details of when data will be encrypted and of the strength and type of encryption used.

(Yes/No)

(Description)

10.4 In the case of web based applications, will users of the application be required to login?

Will this login be over a secure link – e.g. HTTPS?

(Yes/No)

(Description)

10.5 Please describe any other planned data transfers / connections between the users' browsers and the web application (e.g. Cookies, Form submissions etc.).

Please explain how these data transfers will be secured in transit (e.g. HTTPS - SSL/TLS etc.).

(Description)

(Description)


11. Physical and Environmental Security

11.1 What physical measures will be in place to protect BBC data that is stored:

At your offices/location? (Description)

At the data centre? (Description)

E.g. CCTV, Coded Locks, Guards.

How will these controls be managed and monitored? (Description)

11.2 Where will the servers be located which will hold the BBC data?

All in the UK / Some in the UK (where are the rest?) / None in the UK (where are they?) (Description)

Will the servers be held in secure Server Rooms? (Description)

Will any hardware be stored outside of locked server rooms? (Description)

12. Operations Security

12.1 Is there a documented standard procedure followed for building and hardening host machines?

(Yes/No and Description)

12.2 Are these procedures periodically reviewed and kept in line with current best practice?

(Yes/No)

12.3 Please outline your planned approach to security patching of operating systems and applications that form part of the system.

Please confirm that critical and important security patches will be up to date.

(Description)

(Yes/No)

12.4 Please outline any anti-malware (antivirus, etc.) tools that will be used to protect the system.

(Description)

12.5 What firewalls and network/host protection measures (e.g. IDS or IPS) will be in place to protect BBC data?

Describe how you will configure and maintain the above and monitor the alerts generated.

(Description)

(Description)

12.6 Will the application collect, and/or host, any User Generated Content (UGC)?

If so, describe the UGC in detail and explain what moderation approach will be applied.

(Yes/No)

(Description)


13. Monitoring and Logging

13.1 Will event logging/audit mechanisms be turned on at all times for the system?

(Yes/No)

13.2 What information will be contained within logs? (Description)

13.3 Will logs be regularly reviewed? (Yes/No and Description)

13.4 How long will logs be retained? (Description)

14. Access and Control

14.1 Will any form of Remote Access technology be required, if so what? Does this include two factor authentication?

(Yes/No and Description)

14.2 Please describe how BBC data will be kept logically and/or physically separated from other users' data.

(Description)

15. Acquisition, development and maintenance

15.1 Please provide an overview of your formal methodology for software development and security testing, including how you engineer secure systems.

(Description)

15.2 Is there a formal change control procedure for any application or solution changes? Will BBC services be tested and reviewed to ensure there are no adverse impacts on operations and security?

How will these changes be communicated to the BBC?

(Yes/No and Description)

15.3 Will a pen test of the full system be completed? Were there any identified vulnerabilities, if so, what?

(Yes/No and Description)

15.4 Will a separate test environment be used? Will this include the use of dummy or live BBC data? If Live Data, how will that data be secured?

(Description)

16. Supplier relationships


16.1 Are you planning to use any third parties to help develop the system, or to host or process any BBC data?

(Yes/No and Description)

16.2 Are you planning to share BBC data with any other third parties?

(Yes/No and Description)


16.3 If yes to either of the above, have you audited the third parties to determine whether they have implemented appropriate security measures?

(Description)

17. Incident Management

17.1 Have management responsibilities and procedures been established to ensure a quick, effective and orderly response to information security incidents?

(Yes/No)

17.2 How will security incidents relating to BBC data be reported to the BBC?

(Yes/No)

18. Business Continuity

18.1 Is there a proven, documented, secure Disaster Recovery process, which will be used for BBC data? Please provide an overview, i.e. DR facility site location, testing of restore processes, etc.

(Description)

18.2 What processes and methods will be put in place to securely back up the system?

(Description)

18.3 How will the system be restored (i.e. From backup or a rebuild from scratch) to a known working state?

(Description)

18.4 Where will the Back-up data be stored? (Description)

18.5 If the contract with the BBC requires a high availability level (95% availability or above), how will you meet these requirements? Namely: power outage, single points of failure, unavailability of critical staff, unsatisfactory maintenance of equipment, failure of equipment/software.

(Description)

19. Compliance

19.1 Is your organisation ISO/IEC 27001 certified or compliant? Please provide details.

(Certified/Compliant/No & Details)

19.2 Is your organisation's Information Security Management System (i.e. control objectives, controls, policies, processes and procedures for information security) reviewed and inspected for compliance independently at planned intervals, or when significant changes to the security implementation occur?

(Yes/No and Description)


19.3 Have all relevant statutory, regulatory and contractual requirements (including intellectual property rights, protection of records, protection of personally identifiable information and cryptographic controls), and the organisation's approach to meeting these requirements, been explicitly identified, documented and kept up to date for each BBC information system and for the organisation as a whole?

(Yes/No)


20. Appendix A - Personal Data Processing Activities

20.1. Third Party Data Processing – Data Lifecycle Questionnaire

The questionnaire below will help the BBC to assess this activity's compliance with the Data Protection Act 1998 and the BBC's own internal DP policies. Please over-write the guidance text in the right-hand column with your responses (the easiest way to do this is by navigating with the TAB key). It is important to complete as much of this as possible. Questions marked with ** indicate areas of increased risk.

A separate map should be completed by the BBC to show the data flow within the BBC.

*Please ensure a contract is in place before any personal data is transferred to a third party supplier*

Supplier:

Activity: [ summary of Personal Data processing activity ]

Key Contact: [ person who 'owns' this process - usually person completing this form ]

BBC Contact: [ insert team & division ]

1. Preliminaries

1.1 Is a contract with DP clauses in place? (Yes/No)(if yes, please attach a copy)

1.2 Has a BBC Holding & Hosting form previously been completed?

(Yes/No)

2. Data collected

2.1 What BBC data is being processed? (List all personal data fields)

2.2 Is any sensitive personal data being processed? (Yes/No and Description)(Defined as: race, criminal record, religion, sex life, political opinion/affiliations, trade union membership, health status)

2.3 Why do you need to collect the personal data or sensitive personal data?

(Description)

3. Collection process - consent

3.1 How is the data collected? (Description)(e.g. shared by the BBC or collected via webform, application form )

If data is collected by the supplier:

3.2 Have you provided a Privacy Notice? (Yes/No)(If yes, please attach a copy)

3.3 If collecting under-16s data, have you obtained parental consent? **

(Yes/No)(If yes, specify mechanism used – e.g. tick box or verified parental email)

3.4 Did you obtain consent, for the collection of any sensitive personal data?

(Yes/No and Description)

4. Cookies

4.1 Does this process utilise cookies? (Yes/No)(If yes, specify name of cookie(s))

4.2 What data is stored in the cookie? (Description)


4.3 Who sets the cookie – supplier or BBC?

(Description)(If set by supplier, please specify how consent is obtained, if appropriate)

5. Data storage

5.1 Where is the data stored? (Description)(e.g. shared drive, external server)

5.2 Are hard copies taken off-site? ** (Yes/No)(If yes, provide details of where and why)

5.3 Does the data ever leave your network? (for example, the use of third party clouds, and archiving)

(Yes/No)(If yes, please provide details of where and why)

6. Access

6.1 Who has access to the data?

(Description)(job title, team (and company, if relevant) for each person with access)

6.2 What access controls are in place for electronic records?

(Description)(e.g. individual login, password protection )

6.3 Do you keep an electronic, auditable record of who has accessed data?

(Yes/No and Description)

7. Sharing

7.1 Is data shared with another supplier? ** (Yes/No and Description)

7.2 Is there a contract in place with the supplier?

(Yes/No)(if yes, please attach a copy)

7.3 How is the data transferred? (Description)(e.g. by encrypted email)

7.4 Is data sent out of the UK? **

(Yes/No)(if yes, specify country)(if US, is the company ‘Safe Harbor’ registered?)

8. Retention & Deletion

8.1 What is the retention policy for this processing? (Description)

8.2 How will you ensure this policy is adhered to? (Description)

8.3 If hard copies are kept, how are hard copies disposed of?

(Description)(e.g. normal waste or shredded)

8.4 How are electronic records deleted? (Description)(e.g. overwritten or secure erasure)

8.5 Do you keep a log of what data is deleted, and when?

(Yes/No and Description)

20.2. Eight Data Protection Principles (set out in the Data Protection Act 1998)

1. Process fairly and lawfully
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept any longer than necessary
6. Process in line with the individual's rights
7. Process securely
8. Not transferred outside EU without adequate protection


21. Appendix B - Approvals

21.1. BBC Information Security, Governance & Compliance

Approval

System Review ID: Syyyy/nnnnn/rr

ISGC Contact Details
Name:
Role: Information Security & Governance Specialist
Address:
Telephone:
Email:

ISGC Approval: Name – Date

Linked Dispensations
Dispensation ID 1
Dispensation ID 2
Dispensation ID 3
Dispensation ID 4

High Level Risk Assessment: Very Low / Low / Medium / High / Very High

Information Classification:

Next Review Date: Date

Approval Condition(s): Details

Comments: Comments

21.2. BBC Information Policy & Compliance (if required)

Approval

IP&C Contact Details:

IP&C Approval: Name – Date

Approval Condition(s): Details

Comments: Comments

22. Appendix C – Contact and help Information

22.1. BBC Information Security, Governance & Compliance

Contact

BBC ISGC Team Email: [email protected]

InfoSec Incident Reporting Email: [email protected]

Daryl Pilgrim (Information Security & Governance Manager) Email: [email protected]

22.2. BBC Information Policy Compliance

Contact

BBC IP&C Team Email: [email protected]

23. Appendix D – Template Version Control

Date | Version | Author | Change / Comments
01 Aug 14 | 4.1 | Bruno Garrancho | Initial draft version
04 Apr 14 | 4.2 | Paul Finn | Review by Team
10 Apr 14 | 4.3 | Paul Finn | IP&C Section Updated
14 Apr 14 | 4.4 | Paul Finn | Completed Draft
21 Apr | 5.0 | Daryl Pilgrim | Fully approved version
