Work Instruction for Change Management

Work Instruction Administrator: John Doe, Chief Corporeal Officer
Work Instruction Author: Benjamin M.A. Robson, Director of Operations, IPSec Pty Ltd
Date of Last Update: 3/05/2011

Commercial In Confidence. 12 Mortuary Drive, Adelaide. 3/05/2011
Contents

Overview
  Purpose
  Affected Parties
    Staff
    Contractors
    Suppliers
    Partners
  Affected Systems
Work Instruction Statement
Roles & Responsibilities
  Administrator
  Auditor
  Trainer
  Enforcement Officer
Training
  General Staff
  Contractors
  Suppliers
  Partners
  Customers or Clients
  Visitors
  Asset, Asset Group, Systems & Process Administrators and Owners
  Work Instruction Administrator(s)
  Work Instruction Auditor(s)
  Work Instruction Enforcement Officer(s)
Breaches
Audit & Review
Change Control
  Version Numbering
  Change Management
  Maintenance
Definitions
Document Links
References
Document Controls
  Change Request
  Work Instruction Approval
  Work Instruction Audit
Overview

Effective change management ensures that a known and stable environment is not altered without a deliberate, approved action with suitable review and roll-back mechanisms to prevent material cost to the organisation. Unauthorised changes, or changes that have been poorly planned, tested, or implemented, can lead to the introduction of failures and vulnerabilities within the operation of the organisation. The organisation has determined that, to ensure its ongoing stable operation, it is necessary to enforce strict change management requirements.

Purpose

The purpose of this document is to provide Affected Parties with a clear understanding of what is required of them when changing the operational status of any Asset, Asset Group, System or Process. All changes are to be controlled according to the requirements of this document, including all changes to asset status, condition, configuration, location, value, or use.

Affected Parties

The following groups are subject to this work instruction and must adhere to its requirements:

Staff
All full-time, part-time and casual staff employed by the organisation are required, as a condition of employment, to agree to and to comply with the requirements of this work instruction. Acceptance of this work instruction must be included as a condition of any employment agreement.

Contractors
All contractors and suppliers engaged by the organisation are required, as a condition of engagement, to agree to and to comply with the requirements of this work instruction. Acceptance of this work instruction must be included as a condition of any contract agreement, with compliance achieved through agreed terms and conditions.

Suppliers
All suppliers of goods and/or services to the organisation are required, as a condition of trade, to be subject to this work instruction.

Partners
All partners of the organisation are required, as a condition of partnership, to agree to and to comply with the requirements of this work instruction. Acceptance of this work instruction must be included as a condition of any partnership agreement, with compliance achieved through agreed terms and conditions.
Affected Systems

All systems and services that hold, manipulate, transfer or process Assets of the organisation are required to comply with the requirements of this work instruction.

Work Instruction Statement

The following requirements must be adhered to by all Affected Parties and all Affected Systems and Services:

- Changes to Assets, Asset Groups, Systems or Processes shall be managed according to the level of importance they have to the organisation, as defined by Information Security Work Instruction for Importance Classification.
- Changes shall be managed according to the level of impact the change may have on affected Assets, Asset Groups, Systems and/or Processes, as defined by Information Security Work Instruction for Impact Classification.
- The Change Authority Board (CAB) shall exist and operate within the following requirements:
  - Members of the CAB shall consist of four (4) executive officers, and other members as required from time to time. The four executive officer roles will be filled from the following roles:
    - IT Infrastructure Manager
    - IT Operations Manager
    - Technical Services Program Manager
    - Technical Services Strategic Planning Manager
  - A quorum shall be no fewer than two CAB executive officers and one other member.
  - Change requests shall be approved by the CAB by simple majority.
  - The CAB shall be chaired by a member of the CAB executive.
- Taking into consideration the Importance Classification of affected Assets, Asset Groups, Systems and Processes and the level of impact the change may have on those Assets, Asset Groups, Systems or Processes, all changes will be classified as being one of the following and will adhere to the requirements stated herein:

Level 1 Change
Changes must be approved by the organisation's Board of Directors prior to implementation. To receive approval the proposed change must meet the following criteria:
- Proposed changes must be documented prior, describing:
  - Purpose of the change
  - Expected outcome of the change
  - Method of change verification
  - Roll-back plan in the event of a change implementation failure.
- It must not change the importance classification of the Asset, Asset Group, System or Process to the organisation. If the risk posed is to be changed, the proposed change must be approved according to both the current and new risk level requirements.
- Changes must be verified as implemented according to the provided proposed change documentation. If the change cannot be verified, the implementer must execute the provided roll-back plan.
- Upon completion or roll-back of the change, a report must be submitted to the Board of Directors detailing the results of the requested change.

Level 2 Change
Changes must be approved by a majority vote of members of the CAB and an Executive Officer of the organisation prior to implementation. To receive approval the proposed change must meet the following criteria:
- Proposed changes must be documented prior, describing:
  - Purpose of the change
  - Expected outcome of the change
  - Method of change verification
  - Roll-back plan in the event of a change implementation failure.
- It must not change the importance classification of the Asset, Asset Group, System or Process to the organisation. If the risk posed is to be changed, the proposed change must be approved according to both the current and new risk level requirements.
- Changes must be verified as implemented according to the provided proposed change documentation. If the change cannot be verified, the implementer must execute the provided roll-back plan.
- Upon completion or roll-back of the change, a report must be submitted to the CAB and approving Executive Officer detailing the results of the requested change.

Level 3 Change
Changes must be approved by the CAB prior to implementation. To receive approval the proposed change must meet the following criteria:
- Proposed changes must be documented prior, describing:
  - Purpose of the change
  - Expected outcome of the change
  - Method of change verification
  - Roll-back plan in the event of a change implementation failure.
- It must not change the importance classification of the Asset, Asset Group, System or Process to the organisation. If the risk posed is to be changed, the proposed change must be approved according to both the current and new risk level requirements.
- Changes must be verified as implemented according to the provided proposed change documentation. If the change cannot be verified, the implementer must execute the provided roll-back plan.
- Upon completion or roll-back of the change, a report must be submitted to the CAB detailing the results of the requested change.

Level 4 Change
Changes must be approved by the Asset, Asset Group, System or Process owner prior to implementation. To receive approval the proposed change must meet the following criteria:
- Proposed changes must be documented prior, describing:
  - Purpose of the change
  - Expected outcome of the change
  - Method of change verification
  - Roll-back plan in the event of a change implementation failure.
- It must not change the importance classification of the Asset, Asset Group, System or Process to the organisation. If the risk posed is to be changed, the proposed change must be approved according to both the current and new risk level requirements.
- Where the Asset, Asset Group, System or Process owner is the change requestor, they cannot also act as the change approver and must seek approval from their direct manager.
- Changes must be verified as implemented according to the provided proposed change documentation. If the change cannot be verified, the implementer must execute the provided roll-back plan.
- Upon completion or roll-back of the change, a report must be submitted to the Asset, Asset Group, System or Process owner detailing the results of the requested change.

Changes deemed as having a classification of None are considered to be inconsequential, and of such low likelihood of impacting any aspect of operations that they do not require any specific change management rules.
Changes will be classified according to the following table:

                     Asset, Asset Group, System or Process Importance Classification
Potential Impact     Critical      High          Moderate      Low
Critical             Level 1       Level 2       Level 3       Level 4
High                 Level 1       Level 2       Level 3       Level 4
Moderate             Level 2       Level 3       Level 4       None
Low                  Level 2       Level 3       Level 4       None

Changes deemed to require emergency actioning (i.e. changes to be actioned more quickly than normal conditions permit) must adhere to the following change management rules:

- Approval for an emergency change may be granted according to the approval requirements one change classification higher than the normal importance classification of the impacted Assets, Asset Groups, Systems or Processes (e.g. a change requested under emergency conditions that would normally be classified as a Level 2 change may receive emergency authorisation according to Level 3 requirements).
- Changes that are approved according to emergency change rules must be retrospectively approved, after implementation of the requested change, according to the normal rules for the change classification. If retrospective approval is granted, the change can be finalised according to normal practices. If the retrospective approval is denied, the change must be undone according to the submitted roll-back plan.

All Assets, Asset Groups, Systems and Processes classified as being of Moderate, High or Critical Importance to the organisation shall have their functional and availability status monitored according to the requirements defined in Information Security Work Instruction for Monitoring.

Adherence to the requirements of this work instruction shall be verified periodically according to the requirements defined in Information Security Work Instruction for Auditing.

This Work Instruction must comply with Information Security Policy.
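The classification matrix and emergency rule above, together with the CAB quorum rule and the Level 4 self-approval restriction from the Work Instruction Statement, can be encoded as a small routing function so that a change-ticket system applies them consistently. The following is an added example written for this page; it is not part of the work instruction, and every function and field name is the example's own. It assumes that "simple majority" means more votes for than against among the votes cast, and that a Level 4 emergency change stays at Level 4, since the instruction names no level above it.

```python
"""Change classification and approval routing (added illustration, not part of
the work instruction). Encodes the classification matrix, the emergency-approval
adjustment, the Level 4 self-approval restriction and the CAB quorum/majority rule."""
from dataclasses import dataclass

IMPORTANCE = ("Critical", "High", "Moderate", "Low")   # table columns
IMPACT = ("Critical", "High", "Moderate", "Low")       # table rows

# Classification matrix transcribed from the table: matrix[impact][importance].
# 0 stands for "None" (no specific change management rules).
CLASSIFICATION_MATRIX = {
    "Critical": {"Critical": 1, "High": 2, "Moderate": 3, "Low": 4},
    "High":     {"Critical": 1, "High": 2, "Moderate": 3, "Low": 4},
    "Moderate": {"Critical": 2, "High": 3, "Moderate": 4, "Low": 0},
    "Low":      {"Critical": 2, "High": 3, "Moderate": 4, "Low": 0},
}

# Who approves at each level, per the Work Instruction Statement.
APPROVER = {
    1: "Board of Directors",
    2: "majority vote of the CAB and an Executive Officer",
    3: "the CAB",
    4: "the Asset, Asset Group, System or Process owner",
    0: "no specific change management rules",
}

CAB_EXECUTIVE_ROLES = {
    "IT Infrastructure Manager",
    "IT Operations Manager",
    "Technical Services Program Manager",
    "Technical Services Strategic Planning Manager",
}


def classify(impact, importance):
    """Change level for a potential impact and an importance classification."""
    if impact not in IMPACT or importance not in IMPORTANCE:
        raise ValueError(f"unknown classification: impact={impact!r}, importance={importance!r}")
    return CLASSIFICATION_MATRIX[impact][importance]


def required_levels(impact, importance_before, importance_after=None):
    """Levels whose approval requirements the change must satisfy.
    A change that alters the importance classification must be approved
    according to both the current and the new level requirements."""
    levels = {classify(impact, importance_before)}
    if importance_after is not None and importance_after != importance_before:
        levels.add(classify(impact, importance_after))
    return sorted(levels)


@dataclass(frozen=True)
class ApprovalRoute:
    normal_level: int             # classification under normal conditions
    initial_level: int            # level whose requirements govern initial authorisation
    initial_approver: str
    retrospective_required: bool  # emergency changes are re-approved at normal_level


def route(impact, importance, emergency=False):
    """Route a change to its approver, applying the emergency rule when asked.
    Emergency authorisation may use the requirements one classification higher
    (Level 2 -> Level 3 in the instruction's own example) and must then be
    retrospectively approved at the normal level.
    ASSUMPTION: no level exists above Level 4, so Level 4 stays Level 4 and
    a "None" change stays "None"."""
    normal = classify(impact, importance)
    if not emergency or normal == 0:
        return ApprovalRoute(normal, normal, APPROVER[normal], False)
    initial = min(normal + 1, 4)
    return ApprovalRoute(normal, initial, APPROVER[initial], True)


def level4_approver(owner, requestor, owners_manager):
    """Level 4: the owner approves, unless the owner raised the request,
    in which case the owner's direct manager must approve."""
    return owners_manager if owner == requestor else owner


def has_quorum(present):
    """present maps member name -> CAB role. Quorum is at least two CAB
    executive officers and at least one other member."""
    executives = sum(1 for role in present.values() if role in CAB_EXECUTIVE_ROLES)
    return executives >= 2 and (len(present) - executives) >= 1


def cab_decision(present, votes_for, votes_against):
    """Decide a CAB change request by simple majority of votes cast.
    ASSUMPTION: 'simple majority' means more votes for than against."""
    if not has_quorum(present):
        raise ValueError("no quorum: need >= 2 CAB executive officers and >= 1 other member")
    if votes_for + votes_against > len(present):
        raise ValueError("more votes cast than members present")
    return votes_for > votes_against


if __name__ == "__main__":
    # Constructed sample: a moderate-impact change to a High-importance system.
    print(route("Moderate", "High"))                        # Level 3, approved by the CAB
    print(route("Moderate", "High", emergency=True))        # Level 4 initially, re-approved at Level 3
    print(required_levels("High", "Moderate", "Critical"))  # [1, 3]
```

The `required_levels` helper is what catches the case the instruction flags in every level's criteria: a change that moves an asset between importance classifications has to clear the approval bar on both sides of the move, not just the one it starts from.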
Roles & Responsibilities

The following roles exist to maintain this work instruction. Each role must be fulfilled by one, or more, individual(s), with each individual assigned a role delegated by the administrator of the work instruction.

Administrator
Name: John Doe
Title: Chief Corporeal Officer
Company:
Landline Phone: 05 555 9876
Mobile Phone: 0405 555 556
Email: john@acme.info

The work instruction administrator is responsible for the day-to-day aspects of the work instruction. This includes responsibility for rulings on the work instruction for issues and areas not clearly covered or defined by the work instruction. Administrators are also responsible for ensuring that all aspects of the work instruction are being adhered to, that the work instruction reflects the needs of the organisation, and for documenting any issues within the work instruction that should be raised during the audit and review program for the work instruction.

Auditor
Name: Mary Doe
Title: Chief Non-Corporeal Officer
Company:
Landline Phone: 05 555 9875
Mobile Phone: 0405 555 554
Email: mary@acme.info

The work instruction auditor is responsible for conducting a review of the work instruction and its related documentation within the terms of the policy's audit and review requirements. The purpose of this process is to ensure that the work instruction reflects the organisation's directional, legal, technological and other requirements. The work instruction's auditor should not carry any other roles or responsibilities within this work instruction. The work instruction's auditor may be a 3rd party, external, service provider.
Trainer
Name: Tony Doe
Title: Trainer
Company:
Landline Phone: 05 555 9874
Mobile Phone: 0405 555 553
Email: tony@acme.info

The work instruction trainer is responsible for ensuring that all staff represented in the Affected Parties section of the work instruction document are adequately trained in the purpose and function of the work instruction, per the Training section of the work instruction.

Enforcement Officer
Name: Patch Doe
Title: Puppy Dog
Company:
Landline Phone: 05 555 9871
Mobile Phone: 0405 555 551
Email: patch@acme.info

The work instruction enforcement officer is assigned the responsibility of making rulings on breaches of the work instruction identified by the work instruction administrator. They are to act as an independent arbitrator as to the nature and severity of the breach, and to make recommendations to the at-fault staff member's manager regarding any required disciplinary actions.

Training

It is a requirement of this work instruction that all Affected Parties of this work instruction receive training prior to commencing that role and receive refresher training every twelve (12) months. It is the responsibility of the Trainer to ensure that all Affected Parties of this work instruction receive training in the compliance requirements of this work instruction. Training shall be carried out for the following groups and individuals according to the following requirements:

General Staff
All staff must receive induction and refresher training each year. This training must clearly articulate the organisation's commitment to securing the Assets and systems of the organisation and that all staff must comply with the organisation's Information Security Policy and associated Child Policies. Training must include where to find the policies for further reference and how each work instruction is structured, such that staff are able to identify when a work instruction affects them or an Asset, Asset Group, System or Process they are working with.
Contractors
All contractors must be informed, prior to their commencement, of the need to accept and comply with the Information Security Policy and sub-policies of the organisation. If a contractor has been engaged to work on a particular Asset, Asset Group, System or Process, the owner of those must inform the contractor of what is required of them.

Suppliers
All suppliers who interact with the Assets, Asset Groups, Systems or Processes of the organisation must be informed, by the owner of those, of their obligations to meet the requirements of the associated policies.

Partners
All partners who interact with the Assets, Asset Groups, Systems or Processes of the organisation must be informed, by the owner of those, of their obligations to meet the requirements of the associated policies.

Customers or Clients
All customers or clients who interact with the Assets, Asset Groups, Systems or Processes of the organisation must be informed, by the owner of those, of their obligations to meet the requirements of the associated policies.

Visitors
All visitors who interact with the Assets, Asset Groups, Systems or Processes of the organisation must be informed, by the owner of those, of their obligations to meet the requirements of the associated policies. This includes providing visitors to controlled environments with instruction on what is expected of them as a visitor.

Asset, Asset Group, Systems & Process Administrators and Owners
All Asset, Asset Group, System and Process administrators and owners must be trained in the organisation's security work instruction requirements for those and must accept responsibility for ensuring compliance of those with the organisation's Security Policy and associated Child Policies.

Work Instruction Administrator(s)
Training shall be provided upon commencement of the role and every twelve (12) months thereafter. Training shall ensure that the Work Instruction Administrator(s) is (are) capable of ensuring the ongoing compliance with the work instruction within the organisation and that the work instruction remains suitable to the needs of the organisation.
Work Instruction Auditor(s)
Training shall be provided upon commencement of the role and every twelve (12) months thereafter. Training shall ensure that the Work Instruction Auditor(s) is (are) capable of verifying the level of compliance with the work instruction within the organisation.
Work Instruction Enforcement Officer(s)
Training shall be provided upon commencement of the role and every twelve (12) months thereafter. Training shall ensure the enforcement officer is aware of what is required to comply with the work instruction and what is expected of them by the organisation in managing breach situations, including the appropriate handling of staff according to the work instruction breach rules of the organisation.

Breaches

In the event of a breach of this work instruction, the Work Instruction Enforcement Officer(s) shall investigate the nature and scale of the breach and shall recommend remediation and appropriate disciplinary actions against those found to be in breach to the Policy Administrator and the manager of the Affected Party or Affected System or Service found to be in breach. Breaches shall be handled according to the appropriate work instruction section incident handling rules.

Audit & Review

Compliance audits shall be conducted by the Work Instruction Auditor(s) according to the following criteria:

Period:          Every twelve (12) months.
Method:          Reviews shall verify the compliance of all Assets, Asset Groups, Systems and Processes, and Personnel with this work instruction through compliance with its Child Policies.
Purpose:         It is important to the organisation to know that its business security requirements are being maintained to the defined levels.
Review Audience: The compliance audit report shall be provided to the Work Instruction Administrator of this work instruction and the executives of the organisation.
Change Control

Version Numbering
Versions of this work instruction shall be labelled with consecutive numbers followed by either .draft, representing a draft version of the work instruction document not for formal acceptance, or .final, representing a version of the work instruction document suitable for formal adoption by the organisation.

Change Management
All changes to this work instruction shall be approved by the Work Instruction Administrator prior to enforcement within the organisation. Requests for changes to this work instruction shall be managed in compliance with the organisation's Change Control Policy.

Maintenance
The work instruction shall be reviewed by the Administrator every twelve (12) months to verify its alignment with the organisation's needs and direction.

Definitions

The following unique terms are used within this work instruction and are defined to mean the following:

- System(s) is any manipulator or holder of information that involves the input, transformation, storage, or output of data. This may or may not include technology.
- Service(s) is any System that provides functionality to Users and/or the Organisation.
- Organisation is the Country Fire Authority.
- Work Instructions are non-Work Instruction Statements of requirement stipulating the needs of the organisation to achieve compliance with this policy and its child policies.
- Asset(s) is any person, physical object, environment or item employed, owned or held in trust by the Organisation.
- Asset Group(s) is any collection of Assets or Asset Groups.
- Importance Classification is an assessment of how important an Asset, Asset Group, System or Process is to the organisation. The level of importance is determined based on the level of impact on the organisation as a consequence of loss, manipulation, or unauthorised access, and is determined according to the requirements of the Information Security Work Instruction for Importance Classification.
- Impact Classification is an assessment of how significant an event is on any Asset, Asset Group, System or Process. The level of impact is a description of how much of an effect any event, or group of events, will have on Assets, Asset Groups, Systems or Processes.
- Partner is any organisation or individual with which the organisation engages for any purpose where the other individual or organisation is not staff, a contractor, a supplier, or visitor.
- Where Reasonable is referred to within this policy, it means what would be considered appropriate by an average person (layperson).
- Affected Party means any person required to comply with the requirements of this work instruction, as outlined in the section titled Scope Affected Parties.
- Asset, Asset Group, System and Process Owner means the owner of any Asset, Asset Group, System or Process.
- Asset, Asset Group, System and Process Administrator means the administrator of any Asset, Asset Group, System or Process.
- Work Instruction Administrator means the individual, or individuals, responsible for the administration of this work instruction, as detailed in the section titled Delegations/Authorisation/Responsibilities.
- Work Instruction Auditor means the individual, or individuals, responsible for the auditing of this work instruction, as detailed in the section titled Delegations/Authorisation/Responsibilities.
- Work Instruction Enforcement Officer means the individual, or individuals, responsible for the enforcement of this work instruction, as detailed in the section titled Delegations/Authorisation/Responsibilities.
- Change Authority Board (CAB) is defined as the body of staff or sub-contractors charged with considering and approving all changes to Assets, Asset Groups, Systems and Processes.
Document Links

Parent Documents
This work instruction is subordinate to the following policies or work instructions:
- Information Security Work Instruction for Asset Operation
- Information Security Work Instruction for System & Process Operation

Child Documents
The following work instructions are subordinate and subject to this work instruction:
- Information Security Work Instruction for Monitoring
- Information Security Work Instruction for Auditing
References

The following documents were used as reference materials in the development of this work instruction:
- AS/NZS ISO/IEC 27001:2006 Information Security Management

Document Controls

Change Request
The following changes were proposed and executed to this work instruction:

Version #.(Draft/Final) | Date | Authored by | Description of Change

Work Instruction Approval
The following work instruction versions were approved and formally adopted by the organisation:

Version #.(Draft/Final) | Date | Approved by | Signature

Work Instruction Audit
The following work instruction audits were completed:

Version #.(Draft/Final) | Date | Audited by | Compliance % | Signature