Visitor Management System
Statement of Applicability
SecuritEase Level 7
Version 0.2
ThoughtLabs Limited
Document Control
| Area | Detail |
|---|---|
| Document Name | Visitor Management System - SoA |
| Document Classification | Internal |
| Creation Date | 19/12/2024 |
| Version | 0.2 |
| Author | Tim Jackson - CSO ThoughtLabs Limited |
| Owner | Bill Tonkin - Director - SecuritEase International |
Introduction
Purpose
SecuritEase International (SecuritEase) is moving into a repurposed and upgraded physical floor at 25 Victoria Street.
The purpose of this document is to provide a mapping of the proposed solution (Solution) to the available topics under the various areas defined within the standard.
This is not designed to provide an assessment of the applicability of topics and Solution controls as this would be done as part of any assessment.
Scope
The following topics and controls are based on the currently available ISO 27001:2022 documentation.
They are only applicable to the scope of this project, being the Visitor Management System (VMS), Level 7 Petone.
Stakeholders
The following table is a list of business and service owners.
| Name | Role |
|---|---|
| Tim Jackson | Design lead / implementation lead - VMS |
| James Winskill | Head of Systems and Delivery |
| David Hinkley | Business Owner |
| William Tonkin | Director - SRO |
| Gavin Willbond | Consultant - Governance and ISO lead |
Initial Risk Assessment
| ID | Area | Risk | Likelihood | Impact | Risk Level | Owner |
|---|---|---|---|---|---|---|
| 1 | Cyber Risk | Compromise to systems from external attack | Low | Low | Low | |
| 2 | Vulnerabilities in Devices | Compromise to operation of iPad | Low | Low | Low | James Winskill |
| 3 | Reception iPad compromise | Compromise of iPad leading to network access | Medium | Low | Low | James Winskill |
| 4 | Cloud Security Vulnerabilities | Vulnerabilities in SaaS application | Medium | Medium | Medium | James Winskill |
| 5 | Remote Access Compromise | Access to local console leading to compromise | Low | Low | Low | James Winskill |
| 6 | Configuration Management | Incorrect configuration leading to vulnerability or access control policies. | Medium | Low | Low | James Winskill |
| 7 | Lack of Stakeholder Ownership | No formal business owner documented. | Medium | Medium | Medium | Gavin Willbond |
| 8 | Compromise to wiring | Removal of printer or iPad and connecting to network leading to compromise of network / service | Low | Low | Low | |
| 9 | Lack of Standard Incident Management | Alerts and events are not acted on, and no process is followed. The impact is that a compromise goes unchecked. | Medium | Low | Low | William Tonkin |
| 10 | Alerting and Action on Incident inconsistent | With no formal Incident Response process, actions and investigation are left to the luck of the draw. | Medium | High | Medium | William Tonkin |
| 11 | Power outage impacts | Loss of power to the system causes the printer to fail | Low | Low | Low | David Hinkley |
| 12 | Informal Incident Response Plan | Project-provided Incident Response activities are not factored into the organisation response plan | Medium | Medium | Medium | William Tonkin |
| 13 | No formal change management policy | No current organisational change management policy exists for this type of system or service. | Medium | Medium | Medium | William Tonkin |
| 14 | Staff not trained | Staff unwilling, or unable to be trained to the degree of proficiency required. | High | Medium | Medium | James Winskill |
| 15 | No formal acceptance process | No organisational acceptance and handover process. | High | Medium | Medium | James Winskill |
ISO 27001:2022 Control Selection
Physical Security / Secure Configuration
A10.1 / 11.1
| Category | Topic | Control Justification | Status |
|---|---|---|---|
| 5.37 | Documented operating procedures | The project has created a number of documented procedures relating to the Scope. These would be maintained as evidence in the organisational knowledgebase. | Planned |
| 6.07 | Remote working | Not Applicable in the Scope. | Excluded |
| 7.01 | Physical security perimeters | The physical perimeters of the Scope are determined by the use of Zones. This service is located in a public area (Zone 1). | Planned |
| 7.05 | Protecting against physical and environmental threats | The System will prevent unauthorised access to Scope areas from external threats through the use of electronic access control. | Planned |
| 7.08 | Equipment siting and protection | In Scope equipment is protected from unauthorised access using the following controls: - iPad is locked using a metal lock and key - iPad is securely bolted to the desk - Cabling is integrated into the desk, and not easily accessible | Planned |
| 7.09 | Security of assets off-premises | Not in Scope | Excluded |
| 7.10 | Storage media | Not in Scope | Excluded |
| 7.11 | Supporting utilities | Within the Scope of Services, this will include power and network access cabling. The power is maintained by the building owner. iPad has a battery backup for 8 hours without external power. | Planned |
| 7.12 | Cabling security | Cables are homerun from the endpoint, and the Hub. The following controls apply to this area: - Cables are in the wall or ceiling - Cables are secured in cable runs or channels with other cables - Cables are not labelled as security control - Cables are point to point with no interconnects or splitters. | Planned |
| 7.13 | Equipment maintenance | Equipment will be maintained according to the Warranty of the vendors. | Planned |
| 7.14 | Secure disposal or reuse of equipment | Any owned equipment will be disposed of according to the appropriate organisational secure disposal policy. | Planned |
Network Security
| Category | Topic | Control | Owner |
|---|---|---|---|
| 5.37 | Documented operating procedures | The project has created a number of documented procedures relating to the Scope. These would be maintained as evidence in the organisational knowledgebase. | James Winskill |
| 6.07 | Remote working | Not in Scope | James Winskill |
| 8.07 | Protection against malware | The iPad will be maintained using Intune and will be set to automatically install new Apple iOS updates. | James Winskill |
| 8.18 | Use of privileged utility programs | Access to the components in the System are controlled via passcodes or using the software access control services. | James Winskill |
| 8.20 | Networks security | All networks are secured using MAC based access control, reducing the impact of compromise. | James Winskill |
| 8.21 | Security of network services | | James Winskill |
| 8.22 | Segregation of networks | The networks are segmented using IETF RFC 2674 Virtual LAN (VLAN) segments for each of the three network security zones: - Visitor Management Service VLAN. Device Isolation (ACL) is deployed to limit communication between devices on the same network. | James Winskill |
| 8.23 | Web filtering | Not Applicable in the Scope. | James Winskill |
| 8.25 | Secure development life cycle | Not Applicable in the Scope. | James Winskill |
| 8.26 | Application security requirements | The applications in Scope are listed below: - SignInApp Portal - SignInApp iPad Application. These applications are provided by the vendor. The applications themselves are linked to the System via an Internet cloud-based control plane hosted by the vendor. Provision should be undertaken to do a SaaS security risk assessment on this. | |
| 8.27 | Secure system architecture and engineering principles | The system is designed to be secure by default. Existing site policies around secure access apply in the event of power outage. | James Winskill |
| 8.28 | Secure coding | Not Applicable in the Scope. | |
| 8.29 | Security testing in development and acceptance | Not Applicable in the Scope. No non production environment is in Scope. | |
| 8.30 | Outsourced development | Not Applicable in the Scope. | |
| 8.31 | Separation of development, test and production environments | Not Applicable in the Scope. | |
| 8.32 | Change management | As per the Organisation standards for critical systems. Documentation of this is not in Scope. | James Winskill |
| 8.34 | Protection of information systems during audit testing | Not Applicable in the Scope. | |
Identity and Access Management
| Category | Topic | Control | Owner |
|---|---|---|---|
| 5.37 | Documented operating procedures | The project has created a number of documented procedures relating to the Scope. These would be maintained as evidence in the organisational knowledgebase. | James Winskill |
| 8.02 | Privileged access rights | Access to systems is controlled by Policy, with Identities being used to control access. The System uses the following: - Portal Access Control Policies - Role-based access to change - PIN code on iPad. Role-based access control is enforced in the management and access to change across the following system domains: - Portal Access Control. Assignment of rights is done using the principle of least privilege. | James Winskill |
| 8.03 | Information access restriction | This is controlled through the use of access permissions and audit logs. | James Winskill |
| 8.04 | Access to source code | Not Applicable in the Scope. | James Winskill |
| 8.05 | Secure authentication | Authentication to all aspects of the System is controlled using a SignInApp centrally managed Identity. All authentication is encrypted. Authentication between the SignInApp Portal and the end user is maintained with the application. The following controls are deployed: - Complex password - 2MFA required - Restricted set of users. Authentication between the Portal and Entra for the synchronisation of Staff is done via Entra App Management and uses: - ClientID / Secret - OAuth callback - Read Only | James Winskill |
Information Security Event Management
| Category | Topic | Control | Owner |
|---|---|---|---|
| 5.24 | Information security incident management planning and preparation | The Design includes a section called Incident Response Activity design. This provides a method for alerting authorised support users of activities or events that need to be documented and responded to. These are not deployed today, and no formal communication of current state has been provided. The Solution provides a method of formalising the response activities and the assignment of priorities and severities to physical access events. The Scope of this project is not to refine the Organisation's Incident Response plan, but to provide a solution and process to ensure that good-practice notification and escalation is undertaken. | James Winskill |
| 5.25 | Assessment and decision on information security events | Not Applicable in the Scope. | |
| 5.26 | Response to information security incidents | Not Applicable in the Scope. | |
| 5.27 | Learning from information security incidents | Not Applicable in the Scope. | |
| 5.28 | Collection of evidence | Evidence relating to events is recorded in the logs and notifications and audit component of the Portal. | James Winskill |
| 5.37 | Documented operating procedures | The project has created a number of documented procedures relating to the Scope. These would be maintained as evidence in the organisational knowledgebase. | James Winskill |
| 8.16 | Monitoring activities | This is covered in detail in the Design. | James Winskill |
| 8.17 | Clock synchronization | The System provides Network Time Protocol (NTP) services and time sync is enforced to all devices and services. | James Winskill |
Continuity
| Category | Topic | Control | Owner |
|---|---|---|---|
| 5.29 | Information security during disruption | Not Applicable in the Scope. | |
| 5.30 | ICT readiness for business continuity | Not Applicable in the Scope. | |
| 5.37 | Documented operating procedures | The project has created a number of documented procedures relating to the Scope. These would be maintained as evidence in the organisational knowledgebase. | James Winskill |
| 8.06 | Capacity management | The System is managed to capacity limits and has the current capacity deployed: - Single site licensed (no limits documented by the vendor) - Single iPad (no limits documented by the vendor on iPads - not an extra cost if more added.) | James Winskill |
| 8.13 | Information backup | All backups are made automatically to the SignInApp AWS cloud. | James Winskill |
| 8.14 | Redundancy of information processing facilities | The current design has a single local Access Controller and Enterprise Hub. There is no designed redundancy of information processing. | James Winskill |