ncdc security policy template and guidelines for csps v1.4 · web viewncdc security policy template...

NCDC SECURITY POLICY TEMPLATE AND GUIDELINES FOR CERTIFICATION SERVICE

PROVIDERS

Document Classification:

Controlled

Version Number: 1.4

Issue Date: May 19, 2015

Copyright © 2015 National Center for Digital Certification, Kingdom of Saudi Arabia. This document is intended for use only by the National Center for Digital Certification and authorized Saudi National PKI participants. This document shall not be duplicated, used, or disclosed in whole or in part for any purposes without prior consent.

NCDC Security Policy Template and Guidelines for CSPs

Document Reference

Item Description

Document Title: NCDC Security Policy Template and Guidelines for CSPs

Custodian Department: Business Development and Media Department

Owner: Policies and Regulations Department

Version Number: 1.4

Document Status: Approved

Author(s): Phani Shankara, Jaser Alkhazalah, Dr. Deoraj B. M.

Policies and Regulations Department Signature/Date

Official Reviewer: Naif AlOtaibi

Policies and Regulations Department Manager

Signature/Date

Approved by: Dr. Fahad A. AlHoymany

NCDC Director Signature/Date

Version Number: 1.4 of 18 Controlled


Document Revision History

Version Date Author(s) Revision Notes

1.0 8/3/2011 Phani Shankara Initial draft

1.1 2/4/2011 Jaser Alkhazalah Review

1.2 6/4/2011 Chirag Patel Added “Sample Procedure” Annexure-A as suggested by Dr. Deoraj

1.3 5/3/2013Abdulaziz

Alzammam and Dr. Deoraj

Merged “CSP Security Policy Template” with “NCDC Guidelines to CSP”.

1.4 5/19/2015 Saeed Almathami Annual Review

Document Control

This document shall be reviewed annually and an update by NCDC may occur earlier if internal or external influences affect its validity.

Digitally Signed Copy of this document shall be stored at NCDC Document Store.



Table of Contents

1. PURPOSE..........................................................................................................................52. DEFINITIONS....................................................................................................................53. CSP SECURITY GUIDELINES.......................................................................................5

3.1 ACCESS CONTROL GUIDELINES....................................................................................53.2 PHYSICAL AND ENVIRONMENTAL CONTROL GUIDELINES.....................................63.3 PERSONNEL SECURITY GUIDELINES............................................................................73.4 MEDIA CONTROL GUIDELINES......................................................................................83.5 PASSWORD AND PIN MANAGEMENT GUIDELINES..................................................93.6 BUSINESS CONTINUITY PLANNING GUIDELINES....................................................10

4. CSP SECURITY POLICY TEMPLATE..........................................................................124.1 ACCESS CONTROL..........................................................................................................124.2 PHYSICAL AND ENVIRONMENTAL CONTROL............................................................124.3 PERSONNEL SECURITY..................................................................................................134.4 MEDIA CONTROL............................................................................................................134.5 PASSWORD AND PIN MANAGEMENT........................................................................144.6 BUSINESS CONTINUITY PLANNING............................................................................14

APPENDIX – A: SAMPLE PROCEDURE TEMPLATE........................................................15APPENDIX – B: SAMPLE CSP ASSET REGISTER.........................................................17APPENDIX – C: SAMPLE MEDIA MOVEMENT LOG SHEET.........................................17APPENDIX – D: SAMPLE RA ROOM SAFE ACCESS LOG SHEET..............................17APPENDIX – E: SAMPLE RA SAFE INVENTORY LOG SHEET.....................................18APPENDIX – F: SAMPLE RA ROOM ACCESS LOG SHEET.........................................18



1. PURPOSE

The purpose of this policy template and guidelines is to facilitate CSP in developing Security Policy as per NCDC compliance requirements. The CSP can use this document as baseline to understand and draft security policy and guidelines in line with NCDC requirements.

2. DEFINITIONS

The terms used in this document shall have the meanings as defined in NCDC Glossary section which can be found at http://www.ncdc.gov.sa.

3. CSP SECURITY GUIDELINES

3.1 ACCESS CONTROL GUIDELINES

3.1.1SYSTEM ACCESS CONTROLS

All sensitive computer-resident information should be protected via access controls to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable. Access control procedures should not only control access based on the need to know, they should also log which users accessed the sensitive data.

3.1.2NEED TO KNOW

Information should be disclosed only to those people who have a legitimate business need for the information ("need to know").

3.1.3ACCESS APPROVAL PROCESS

A supervisor and/or manager should initiate the access approval process, and the privileges granted should remain in effect only until the employee’s job changes or the employee leaves the employer. When either of these events takes place, the manager and/or supervisor should immediately notify the appropriate access administration. All contractors, consultants, temporaries, outsourcing firms, etc. should also go through a similar access control request and authorization process. The privileges of these contracted resources should be immediately revoked by access administration at the conclusion of the assignment for which they were granted access.

3.1.4GRANTING ACCESS AUTHORITY

The authority to grant access to information should be provided only by the owner of the information or their delegate.

3.1.5DEFAULT ACCESS CONTROL PRIVILEGES

Default access privileges should be set to “deny-all” prior to any specific permissions being granted.


http://www.ncdc.gov.sa/


3.1.6CUSTOM APPLICATION DEVELOPMENT

All custom-developed software intended to create or modify information should have a formal written specification. This specification should include discussion of both security risks and controls (including access control systems and response plans for Security events).

3.1.7RESTRICTED AND MONITORED USE OF SYSTEMS SOFTWARE UTILITIES

Access to systems software utilities should be restricted to authorized users. For production computing resources, a change control process should be in place.

3.1.8DISSEMINATION OF INFORMATION

Unless it has specifically been classified as public, all information should be protected from disclosure. Only the information owners or their delegate may grant permission to disseminate the information. If non-public information is compromised or suspected of being compromised, the information owner and the appropriate security administration should be notified immediately.

3.2 PHYSICAL AND ENVIRONMENTAL CONTROL GUIDELINES

3.2.1PHYSICAL ACCESS CONTROL

The CSP should ensure that the physical security requirements specified as below are implemented for the facility:

Access to the facility is limited to individuals who require access to perform their duties.

The facility should contain a safe vault to store the following information at a minimum:

o Blank smart cards/cryptographic tokens.

o All agreements, contracts.

o Software CDs.

o User registration papers.

It is recommended that the vault used to store all above to be:

o Fire rated.

o With sufficient height and weight.

o With dual authentication mechanism (for example lock- key and/or PIN pad).

The facility area and all entry/exit points should be monitored and recorded 24x7 through CCTV cameras, for unauthorized intrusion at all times.

All access logs of the facility should be maintained and periodically inspected.

All unwanted papers and cards at the facility should be destroyed using shredder.



3.2.2ENVIRONMENTAL CONTROL

The power source from the public distribution system should be passed through an UPS system which shall even out any surge or sag in the power supply.

In case of power failure, emergency power should be provisioned to the CSP facility for uninterrupted power.

Fire extinguisher should be provisioned for safeguarding critical equipment and registration documents. These fire extinguishers should be checked on regular interval for maintenance.

RA workstation should be sited or protected to reduce the risk from environmental threats.

The facility area should be protected with suitable air-conditioning and fire protection systems which includes fire alarms and smoke detectors for safeguarding critical equipment systems.

3.3 PERSONNEL SECURITY GUIDELINES

3.3.1 JOB DESCRIPTION AND SECURITY RESPONSIBILITIES

Job descriptions will identify the degree of access to state information systems, processes and data in addition to normal roles and responsibilities.

Documented annual information security training will be conducted for all employees of the CSP to cover security awareness, updates to security policies or procedures and reporting of incidents and vulnerabilities.

3.3.2EMPLOYEE/CONTRACTOR SCREENING

Verification checks should be conducted as part of the initial employment / engagement process for both full and part-time employees and contractors. Such checks should be repeated periodically in cases of job change, role change, or promotion.

Personnel screening checks should include one or more of the following depending on the particular job duties, responsibilities, and access privileges of the position:

Character references (business and personal, if appropriate).

Training background.

Academic and professional experience.

Identity and background checks.

Credit checks, if appropriate.

The sourcing agency for contractors, consultants, and third-party vendors should use similar screening processes, to include: Initial employment screening.

Job-specific screening, if sensitive areas are to be accessed.

Notification of re-screening, if there is cause for doubt or concern.



3.3.3EMPLOYEE/CONTRACTOR SUPERVISION

Managers and supervisors should evaluate the procedures required for experienced and inexperienced personnel that may be accessing sensitive information. These procedures should be reviewed and updated by senior management or staff, as necessary.

3.3.4CONFIDENTIALITY AGREEMENTS

Confidentiality and non-disclosure agreements indicate that certain information is private or secret. Employees who need to access such information should be required to sign these agreements when initially employed. Third-party users who are not already covered by an existing agreement should also sign such agreements prior to being given access to the information. Confidentiality and non-disclosure agreements should be reviewed regularly, especially when employees leave the organization or when contracts expire.

3.3.5TERMS AND CONDITIONS OF EMPLOYMENT

Terms and conditions of employment should clearly state the employee’s responsibilities for information security. They should include a defined period of time after employment and the actions that will be taken in the event of non-compliance to the agreement.

3.4 MEDIA CONTROL GUIDELINES

3.4.1MEDIA ACCESS

The CSP ensures that only authorized users have access to information in printed form or on digital media removed from the information system.

3.4.2MEDIA LABELING

The CSP marks human-readable output appropriately in accordance with applicable policies and procedures. At a minimum, the organization affixes printed output that is not otherwise appropriately marked, with cover sheets and labels digital media with the distribution limitations, handling caveats and applicable security markings, if any, of the information.

3.4.3MEDIA STORAGE

The CSP protects information system media until they are destroyed or sanitized using approved equipment, techniques and procedures. The organization protects unmarked media at the highest security level for the information system until the media are reviewed and appropriately labeled.

3.4.4MEDIA TRANSPORT

The CSP controls information system media (paper and electronic) and restricts the pickup, receipt, transfer and delivery of such media to authorized personnel.



3.4.5MEDIA SANITIZATION

The CSP sanitizes information system digital media using approved equipment, techniques and procedures. The organization tracks, documents and verifies media sanitization actions and periodically tests sanitization equipment/procedures to ensure correct performance.

3.4.6MEDIA DESTRUCTION AND DISPOSAL

When media is worn, damaged or otherwise no longer required, it should be disposed of in a secure manner. To prevent the compromise of sensitive information through careless or inadequate disposal of computer media, formal procedures should be established for secure media disposal. The following controls should be considered:

The minimum retention period for archive data is established at 10 years. Items which may require secure disposal include: paper documents, recordings,

output reports, magnetic tapes, removable disks or cassettes, optical storage media, program listings, test data, and system documentation.

Media containing sensitive information should be disposed of by secure incineration or shredding.

If the magnetic or optical media is to be reused, it should be completely emptied of data and prepared by special software designed to securely erase and/or reformat the media.

Care should be taken when selecting a media disposal contractor to ensure adequate security control and experience.

A log should be maintained of the disposal of all sensitive items so as to provide an audit trail.

Consideration should be given to the extra risks associated with accumulating a large volume of media prior to disposal. In large quantities, it may be more difficult to detect missing items.

3.5 PASSWORD AND PIN MANAGEMENT GUIDELINES

3.5.1PASSWORD USES

Passwords are used for various purposes for CSP Resources. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once) all users should utilize strong passwords.

3.5.2PHYSICAL PASSWORD SECURITY

Within any specific computing environment the ability of general users to access the files containing passwords should be limited. Access of password files by users should be monitored for unauthorized activity where possible. Best practice features of password management are:

Individual passwords should be unique per user and be accessible for accountability. Provide for creating high quality passwords



Allow users to create their own passwords and include a confirmation method for possible input errors.

3.5.3PASSWORD PROTECTION

All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) should be changed on at least a monthly basis (or with as great a frequency as can be managed without increasing the likelihood that users will write down the password).

All user-level passwords (e.g., email, web, desktop computer, etc.) should be changed at least every XX days (or with as great a frequency as can be managed without increasing the likelihood that users will write down the password).

User accounts that have system-level privileges granted through group memberships or programs should have a unique password from other accounts held by that user.

Passwords should not be inserted into email messages or other forms of electronic communication.

Where possible, users should not use the same password for different access needs. Users should not share passwords with anyone, including administrative assistants

or secretaries. All passwords should be treated as sensitive, confidential information.

Users should not write passwords down and store them anywhere in their office. Users should not use the "Remember Password" feature of applications. If an account or password is suspected of being compromised, the incident should be

reported to the appropriate access administrator and the user should change the password.

Default passwords must be immediately changed after the installation of new systems or software

Users accessing applications should force password change as defined and configured in the respective application.

3.5.4PASSWORD CONSTRUCTION

Strong passwords provide the first line of defense against improper access and compromise of confidential information. Strong passwords typically exhibit the following best practice characteristics:

Passwords require a minimum length of 8 characters. Passwords must contain both numeric and alphabetic characters. Passwords must be changed at least every XX days. Passwords cannot be repeated for up to 4 generations.



3.6 BUSINESS CONTINUITY PLANNING GUIDELINES

3.6.1RISK ASSESSMENT

A risk assessment should be conducted to assess the risks and their potential impacts to the organization. With each risk, an analysis of the likelihood of event should be determined and prioritized in such a manner so that methods of mitigation can be explored.

3.6.2 IMPACT ANALYSIS

An impact analysis will provide an understanding of the effect that an interruption will have on the organization. These should include both long and short-term interruptions of minor and major incidents.

3.6.3ALIGNMENT TO BUSINESS STRATEGY

Business continuity plans should be created to support the organizations business objectives and priorities.

3.6.4ALIGNMENT OF BUSINESS CONTINUITY STRATEGY

A strategy for business continuity should be agreed to by the organization. This will ensure that each part of the organization is supporting one plan and one strategy.

3.6.5TESTING AND UPDATING THE PLAN

Business continuity plans should be regularly tested to determine that they are effective. Schedules and times should be based upon changes to the environment and training needs for the staff involved. Updates to the plans are necessary to keep information and processes accurate.

3.6.6MANAGEMENT OF THE PLAN

Business continuity needs to be supported at the appropriate level in the organization. Responsibilities for the plan will be distributed across the organization and therefore require senior level support. Management should ensure that the organization’s processes are incorporated into the structure of the plan.



4. CSP SECURITY POLICY TEMPLATE

4.1 ACCESS CONTROL

Use of all <<CSP Name>> computing facilities shall require authorization. Controls must be incorporated within applications, and the use of computer and

network facilities, to restrict access to authorized users. System use and activity must be monitored and logged. The <<CSP Name>> should ensure that no access is permitted to system and data

resources without the user being identified. User identifiers should uniquely identify the individual.

Access will not be granted to system and data resources until the individual's identity has been authenticated, and authorized privileges have been confirmed.

Default access privileges should be set to “deny-all” prior to any specific permissions being granted.

Information should be disclosed only to those people who have a legitimate business need for the information ("need to know").

4.2 PHYSICAL AND ENVIRONMENTAL CONTROL

The <<CSP Name>> systems shall be stored in the secured room and secured by (Keyed Door / Punch code door handle / Badge Reader / Biometric Access / Others).

Sensitive CSP operational activity, any activity related to the lifecycle of the certification process such as authentication, verification, and issuance, shall occur within <<CSP Name>> facility.

All <<CSP Name>> user registration papers, agreements, contracts and electronic media shall be stored in safe vault in the facility. ( Refer templates for capturing safe inventory and safe access logs , APPENDIX – D: SAMPLE RA ROOM SAFE ACCESS LOG SHEET and APPENDIX – E: SAMPLE RA SAFE INVENTORY LOG SHEET)

The <<CSP Name>> facility entry & exit points shall be continually monitored on a 7x24x365 basis through CCTV cameras.

Access to the <<CSP Name>> facility is limited to those individuals who require access to perform their duties. ( Refer template for capturing facility access logs APPENDIX – F: SAMPLE RA ROOM ACCESS LOG SHEET)

The power source from the public distribution system shall pass through an UPS system which shall even out any surge or sag in the power supply.

In case of power failure the Emergency power for the <<CSP Name>> facility should be provided.

Suitable air-conditioning, Fire alarms and smoke detectors should be provisioned for safeguarding critical equipment and registration documents in the <<CSP Name>> facility.

Critical equipment, in the <<CSP Name>> facility should be protected from power failures, including mechanisms such as a UPS or backup-up generator(s).



4.3 PERSONNEL SECURITY

All employees, contractors and contracted third party resources must be contractually obliged to adhere to the security requirements of the job being performed.

Employees who need to access such information should be required to sign Non-Disclosure Agreements (NDA) when initially employed.

All employees must be informed of and provided training in the correct use of information processing facilities and security procedures, including monitoring for and responding to security incidents and security weaknesses.

Upon termination of employment, all <<CSP Name>> property must be returned and privileges promptly removed, according to the risk. The individual must recognize any continuing contractual obligations.

<<CSP Name>> staff job descriptions should indicate the appropriate level of access to information and information systems. Such a level should be determined on a "need-to-know" basis in order for the staff member to execute job responsibilities.

Before commencement of duties, the <<CSP Name>> should formally advise employees of:

o their authorized level of security access;o the controls used to enforce security over the <<CSP Name>>’s assets; ando their responsibilities with respect to the security of data.

The <<CSP Name>> shall conduct reference checks, background reviews, credit checks and security clearances for prospective employees, where appropriate. Reference checks should include one or more of the following depending on the particular job duties, responsibilities, and access privileges of the position:

o Character references (business and personal, if appropriate).o Training background.o Academic and professional experience.o Identity and background checks.o Credit checks, if appropriate.o The sourcing agency for contractors, consultants, and third-party vendors

should use similar screening processes, to include initial employment screening.

o Job-specific screening, if sensitive areas are to be accessed.o Notification of re-screening, if there is cause for doubt or concern.

4.4 MEDIA CONTROL

The <<CSP Name>> should ensure that only authorized users have access to information in printed form or on digital media.

The <<CSP Name>> shall maintain inventory of its assets. ( Refer template for maintaining inventory of assets, APPENDIX – B: SAMPLE CSP ASSET REGISTER)

The <<CSP Name>> marks human-readable output appropriately in accordance with applicable policies and procedures.

The <<CSP Name>> should protect unmarked media at the highest security level for the information system until the media are reviewed and appropriately labeled.

The <<CSP Name>> should sanitize digital media using approved equipment, techniques and procedures.



The <<CSP Name>> should maintain logbook for media movement from/to the facility. ( Refer template for capturing logs of media movement, APPENDIX – C: SAMPLE MEDIA MOVEMENT LOG SHEET)

When media is worn, damaged or otherwise no longer required, it should be disposed of in a secure manner

Media containing sensitive information should be disposed of by secure incineration or shredding.

A log should be maintained of the disposal of all sensitive items so as to provide an audit trail.

4.5 PASSWORD AND PIN MANAGEMENT

Individual passwords should be unique per user and be accessible for accountability. Users should be allowed to create their own passwords and include a confirmation

method for possible input errors. All system-level passwords (e.g., root, enable, NT admin, application administration

accounts, etc.) should be changed on at least quarterly basis (3 months) (or with as great a frequency as can be managed without increasing the likelihood that users will write down the password).

All user-level passwords (e.g., email, web, desktop computer, etc.) should be changed at least every 90 days (or with as great a frequency as can be managed without increasing the likelihood that users will write down the password).

User accounts that have system-level privileges granted through group memberships or programs should have a unique password from other accounts held by that user.

Passwords should not be inserted into email messages or other forms of electronic communication.

Where possible, users should not use the same password for different access needs. Users should not write passwords down and store them anywhere in their office. Default passwords must be immediately changed after the installation of new

systems or software. Following best practice should be used during construction of passwords:

o Passwords require a minimum length of 8 characters.o Passwords must contain both numeric and alphabetic characters.o Passwords must be changed at least every 90 days.o Passwords cannot be repeated for up to 4 generations.

4.6 BUSINESS CONTINUITY PLANNING

Business Continuity Plans will include the identification of essential systems, information resources, and personnel.

In cases, <<CSP Name>> may request NCDC to perform revocation of their subscribers due to non-availability of essential systems, information resources, and personnel.

Contingency plans shall be tested annually to the extent practical. Employees required to support an essential level of service will be identified and the

up-to-date list should form part of the contingency plans.


NCDC Security Policy Template and Guidelines for CSPs – Appendices

APPENDIX – A: SAMPLE PROCEDURE TEMPLATE

Note: Though the procedures vary and depends on organizations decisions, below is a sample procedure template, this template should be only used as reference while developing your own procedure, this is just a general procedure that can be associated to any policy and not an actual procedure.

Procedure:

Section 1: Roles and Responsibilities of the Participants in This Procedure:

Note: This section should cover the roles and responsibilities of the participants involved in a particular procedure pertaining to any policy; this section below is an example.

The Operations Manager / IT Manager will be responsible for:o Approving / rejecting the requesto Notifying appropriate personnel about actions taken or instructions to be

carried out.o Terminating request.o Halting the request.o Monitoring the process.

The Supervisor will be responsible for:o Forwarding the approved request to the respective administrator.o Provide instructions to be carried out.o Monitoring the execution of request.o Notifying the Manager about actions taken.

The System/Network/Application/Device Administrator will be responsible for:o Executing the approved request.o Terminating request.o Halting the request.o Escalation.o Notifying supervisor about actions taken.

Section 2: Notification Methods Used to Deliver Notifications in This Procedure:

Note: This section should provide the mode of communicating the request to the respective personnel to carry out the instruction.

All notifications will be communicated through formal emails addressing the particular subject of notification, through tickets of the help desk system, or a combination of both.

Besides email notifications, verbal notifications shall be communicated and formal memos addressing the subject of notification shall be handed, if the staff member



requesting for critical request he should be physically present at the time of notification.

Section 3: Steps to Execute This Procedure:

Note: This section should have detailed steps as to how a particular request/ process is carried out from the initiation to completion of the task.

1. The request from the initiator (user) is received and verified by the respective personnel (IT Manager/ Operations Manager).

2. The respective personnel (IT Manager / Operations Manager )will approve / reject the request based on the nature of the request.

3. The respective personnel (IT Manager / Operations Manager) will Communicate the same to the appropriate personnel (X Administrator )for further action (if approved move further, if rejected cancel and inform the initiator).

4. The personnel (X Administrator) will then carry out the request task to complete the request as per the technical manual.

5. Once the request is completed the personnel (X Administrator) will notify the respective personnel (IT Manager / Operations Manager) about the completion of the task.

6. The requestor will be notified about the completion of the task either by the manager or Administrator depends.



APPENDIX – B: SAMPLE CSP ASSET REGISTER

Note: This register is maintained by the CSP staff for all assets belongs to CSP with information like serial no of the asset, type of the asset, location of the asset, brief description about the asset, whom it is assigned and date.

No. Serial Number Name/Type Location Description Assigned to Date

1 365465465 SafeNet Token RA Safe New XXX XX/XX/XX2 897546656 SafeNet Token With User --- XXX XX/XX/XX3 896454654 RA Machine RA Room Win7 XXX XX/XX/XX

4 256565654 Backup RA Safe Backup of RA Machine XXX XX/XX/XX

APPENDIX – C: SAMPLE MEDIA MOVEMENT LOG SHEET

Note: This log sheet shall be maintained for the movement of the media from the facility or to the facility. The log book shall maintain information about who accessed the media on which date and what time it is gone out /in with reason of media movement.

No.Type of MediaCD/DVD/Tape/

DocumentsMedia Accessed

By (Name) Date Time-out Time-in Reason

1 CD Mohammed XX/XX/XX XX.XX XX.XX2 Tape Bilal XX/XX/XX XX.XX XX.XX3 Documents Mohammed XX/XX/XX XX.XX XX.XX4 Tape Bilal XX/XX/XX XX.XX XX.XX

APPENDIX – D: SAMPLE RA ROOM SAFE ACCESS LOG SHEET

Note: This log sheet shall capture information about the items accessed and purpose of the accessing those items during the safe access activity.

No. Date Item

Accessed RemarksTime-in

(24:00 hours)Time-out

(24:00 hours)Signature

1 XX/XX/XX SafeNet Token Issuance XX.XX XX.XX

2 XX/XX/XX Registration Form Records XX.XX XX.XX

3 XX/XX/XX SafeNet Token Issuance XX.XX XX.XX

4 XX/XX/XX Backup Tape Data Backup XX.XX XX.XX



APPENDIX – E: SAMPLE RA SAFE INVENTORY LOG SHEET

Note: This log sheet shall be maintained for documents and media kept inside and taken out from the safe vault.

No. Type of Document / Media Item description / Label Placed in Date Remarks

1 SafeNet Token Tokens as received XX/XX/XX2 Backup Tape Data Backup tape XX/XX/XX3 Registration Form User Registration records XX/XX/XX4 CD Software CD XX/XX/XX

APPENDIX – F: SAMPLE RA ROOM ACCESS LOG SHEET

Note: This log sheet shall capture information about the facility access by persons, their role, purpose with time in and out and signature.

No. Date Name

Trusted Person or

VisitorEvent

Time-in(24:00 hours)

SignatureTime-out

(24:00 hours)

Signature

1 XX/XX/XX Ahmed Visitor Certificate Issuance XX.XX XX.XX

2 XX/XX/XX Mohammed Trusted Person

RA Operation

XX.XX XX.XX

3 XX/XX/XX Bilal Trusted Person Backup XX.XX XX.XX

4 XX/XX/XX Mohammed Trusted Person

RA Operation

XX.XX XX.XX
