So what is behind this update? To put it simply
– significant changes in the IT world. This in-
cludes a massive growth in new technologies,
aligned with new security challenges. The ISO
27001 information security standard comes
with a new version in 2013 and, as Eurogiro
took the decision to use this standard as its
base for EISP, we have included it. We also
added some “low hanging fruits” from the
Payment Card Industry standard – PCI DSS.
Last but not least, we tried to include some
of the feedback, which we received in annual
Self Assessments, during our Site Audits
and visits to members, and also during our
discussions at the Eurogiro conferences such
as the Technical User Group and the Eurogiro
Customer Meeting.
A major change across the whole document
is that recommendation sentences have been
removed (no more “should” phrases). From
now on, there are only requirements in EISP
(“shall”). We also added a new definition for
the statements used.
The latest version of EISP was divided to 6
areas – Organisational, Physical and Envi-
ronmental Security, Access Control, Network
Security, Business Continuity Management,
Security in Development of Software and
Applications and Human Resources Security.
4 more areas are added in the new version
– Asset Management, Operations Security,
Information Security Incident Management
and Compliance. These areas cover existing
requirements in more detail and were created
as new ones for easier use of the document.
Area Development of Software and Appli-
cations is renamed as System Acquisition,
Development and Maintenance, and Network
Security is renamed as Communication
Security.
Update on Eurogiro Information
Security Policy
As of January 1
st
2016, an updated version of the Eurogiro Information Security Policy (EISP) is valid. On
behalf of Eurogiro Security Group (ESG), let me briefly inform you about some major changes in EISP and also
about the reasons for this update.
The Self Assessment for 2016 will be updated
to follow the new structure of the EISP and
include questions relating to the changes and
the new requirements.
3
By Marian Illovsky, Chairman of the Eurogiro
Security Group
ISO 27001 is the base for Euro-
giro Information Security Policy
A brief summary of major changes in
each area is:
Organisational, Physical and Environmental Security
– requirements for use of
mobile devices, for regular testing of backup data, for off-site assets security and for
clear desk and clear screen policies.
Access Control
– the life time of a password shall be minimum 1 day, review of a Log
file with modification in authorisations made by an independent person at least quarter-
ly and reduction of the number of previously used passwords (from 9 to 6).
Communication Security
– requirement of segregation of networks and new require-
ments for information transfer.
Business Continuity Management
– no changes.
System Acquisition, Development and Maintenance
– requirements concerning
implementation of information security within the development lifecycle of information
systems, concerning protection of test data and information involved in application
service transactions.
Human Resources Security
– new requirements for Eurogiro A/S concerning activi-
ties prior to employment and concerning disciplinary process for those employees who
have committed an information security breach.
Asset Management
– requirements for acceptable use of information and assets and
for media handling.
Operations Security
– requirements for protection from malware, for control of instal-
lation of SW and installed SW.
Information Security Incident Management
– requirements concerning procedures
and responsibilities for response to information security incidents, rules for reporting,
classification and evidence of these incidents.
Compliance
- identification of contractual requirements related to information security,
documentation of these requirements and processes for their updates.
Eurogiro News 3
