Loss Prevention Standard LPS 1224: Issue 2 1999 Requirements for Secure Database Registers

Loss Prevention Standard: Requirements for Secure Database Registers

LPS 1224: Issue 2 December 1999

© LOSS PREVENTION CERTIFICATION BOARD LIMITED

1. SCOPE
2. DEFINITIONS
3. GENERAL
4. PROCEDURES
5. REQUIREMENTS
6. MARKING
7. PUBLICATIONS REFERRED TO

FOREWORD

This standard identifies the Loss Prevention Certification Board's requirements for the operation of Secure Database Registers (SDRs), which may be used as part of Asset Marking Systems certificated to LPS1225 to enable traceability of a marked item to its legal owner.

Certification of a Database Management Company (DMC) to LPS1224 is based on satisfactory service experience and verification by the LPCB of:

The satisfactory operation of the Secure Database Register by the Database Management Company in accordance with the requirements of the LPCB, and the Database Management Company's specifications.

The establishment and maintenance of the Database Management Company's quality management systems in accordance with BS EN ISO 9001: 1994 or BS EN ISO 9002: 1994, as appropriate.


1. SCOPE

This standard specifies requirements for the operation of secure database registers such that, when incorporated in an asset marking system certificated to LPS 1225, a marked item can be traced to its owner.

The standard does not specify any one particular design of database.

This standard does not exclude the use of the database to store data relating to items that are not marked with asset marking devices certificated to LPS 1225.

Requirements relating to asset marking devices to which the database may be linked to form an asset marking system are described in LPS 1225.


2. DEFINITIONS

The following definitions, in addition to those contained in BS EN ISO 9000 and BS 7799, shall apply for the purpose of this standard.

2.1 Asset marking device

A method of securely marking or tagging an asset so as to provide visible information uniquely linking the asset, via a nominated secure database register, to the legal owner of the asset.

2.2 Asset marking system

Coalition of marking devices (either overt or overt and covert) and secure database registers used to provide traceability of a marked asset to its legal owner.

2.3 Asset identification code

Series of at least four alphabetic and/or numeric characters incorporated on an overt marking device and registered on a nominated database.

2.4 Covert asset marking device

This is a method of uniquely identifying the legal ownership of an asset via a nominated secure database register which, when applied to an asset:

  • is secure and hidden from direct view.

  • cannot be read with the unaided eye, assuming normal vision and average lighting conditions.

2.5 Database management company

Company operating a secure database register.

2.6 Overt asset marking device

This is a method of uniquely identifying the legal ownership of an asset via a nominated secure database which, when applied to an asset:

  • is secure.

  • is visible.

  • can be read with the unaided eye, assuming average lighting conditions.

  • links the asset to the legal owner.

2.7 Secure database register

A system of recording the legal ownership of an asset using the unique asset identification code present on the marking device that is applied to the asset.


3. GENERAL

The Database Management Company shall:

  • be certificated to ISO9000 by the LPCB.

  • have an established track record in the field of asset registration of at least one year.

  • operate the Secure Database Register in accordance with ISO9000, BS7799:Part 2 and the requirements laid down in this standard.

  • offer a telephone check-line service operated by trained operatives. The check-line service shall be available 24 hours a day and shall be free of direct charge to the enquirer, i.e. it shall not be chargeable to the enquirer as a premium rate telephone number.

The use of third party databases, not wholly under the control of the Database Management Company, however ethically managed and guaranteed, is unacceptable unless the third party Database Management Company itself meets the requirements of LPS1224, and is certificated by the LPCB.

The register shall be managed in accordance with the Data Protection Act.


4. PROCEDURES

The Database Management Company shall establish and maintain documented procedures relating to the effective operation of its management system and the Secure Database Register in accordance with the Database Management Company's policy and scope, and the requirements of this standard together with those of ISO9000 and BS7799: Part 2.


5. REQUIREMENTS

5.1 Registration

5.1.1 The Database Management Company shall ensure that all details relevant to the registered items are recorded on the Secure Database Register. At minimum, these details shall include:

  (i) the name and address of the person registering the item.

  (ii) the name and address of the owner if different to (i) above.

  (iii) the usual location of the item.

  (iv) the code or other means of identifying the type(s) of asset marking device applied to the item.

  (v) the asset identification code(s) to be found on the asset marking device(s) that have been applied to the asset.

5.1.2 Where the item to be registered is marked with an asset marking system certificated to LPS1225, the Database Management Company shall ensure that the registration cards have been completed in full and that all the details on the registration card are recorded on the database.

5.1.3 A system of data entry validation shall be in place to ensure the correct entry of data on to the Secure Database Register.
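The following is an added example, not part of the standard or of any Database Management Company's system. It models the minimum registration content of clause 5.1.1 and the data-entry validation of clause 5.1.3, applying the clause 2.3 rule that an asset identification code is at least four alphabetic and/or numeric characters. The field names, the assumption that a code contains only letters and digits, and the sample records are all constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Clause 2.3: a series of at least four alphabetic and/or numeric characters.
# Assumption (not stated by the standard): no other characters are allowed.
ASSET_CODE_RE = re.compile(r"^[A-Za-z0-9]{4,}$")


@dataclass
class Registration:
    """One registration card, with the minimum details of clause 5.1.1.
    Field names are assumed; the standard only lists the content."""
    registrant_name: str            # (i)  person registering the item
    registrant_address: str
    usual_location: str             # (iii)
    device_type: str                # (iv) code identifying the marking device type(s)
    asset_codes: list[str] = field(default_factory=list)   # (v)
    owner_name: str | None = None   # (ii) only when the owner differs from (i)
    owner_address: str | None = None


def validate_registration(reg: Registration) -> list[str]:
    """Return a list of validation failures; an empty list means the record
    satisfies the minimum content of 5.1.1 and the code form of 2.3."""
    errors: list[str] = []

    required = {
        "registrant_name": reg.registrant_name,
        "registrant_address": reg.registrant_address,
        "usual_location": reg.usual_location,
        "device_type": reg.device_type,
    }
    for name, value in required.items():
        if not value or not value.strip():
            errors.append(f"{name}: required field is empty")

    # Owner details are optional as a pair: either the owner is the registrant
    # (both absent) or both name and address are supplied.
    if (reg.owner_name is None) != (reg.owner_address is None):
        errors.append("owner: name and address must be given together")

    if not reg.asset_codes:
        errors.append("asset_codes: at least one asset identification code is required")

    seen: set[str] = set()
    for code in reg.asset_codes:
        if not ASSET_CODE_RE.fullmatch(code):
            errors.append(f"asset_codes: {code!r} is not at least four alphanumeric characters")
        elif code.upper() in seen:
            errors.append(f"asset_codes: duplicate code {code!r} in the same registration")
        seen.add(code.upper())
    return errors


def register(register_db: dict[str, Registration], reg: Registration) -> list[str]:
    """Validate, then enter the record keyed by each code (upper-cased so that
    a code reads the same however it was typed).  A code already held against
    another registration is refused, so the code stays unique on the register."""
    errors = validate_registration(reg)
    if errors:
        return errors
    clashes = [c for c in reg.asset_codes if c.upper() in register_db]
    if clashes:
        return [f"asset_codes: {c!r} is already registered" for c in clashes]
    for code in reg.asset_codes:
        register_db[code.upper()] = reg
    return []


if __name__ == "__main__":
    # Constructed sample data, not real registrations.
    db: dict[str, Registration] = {}
    good = Registration("A. Owner", "1 High Street, Town", "Home office", "OVERT-LABEL", ["AB12CD"])
    print(register(db, good))          # [] - accepted
    bad = Registration("", "1 High Street", "", "OVERT", ["AB1", "ab12cd", "AB12CD"], owner_name="B. Other")
    for problem in validate_registration(bad):
        print("rejected:", problem)
```

Validation runs before anything is written, so a card with a blank required field or a malformed code never reaches the register; the clash check on `register` is what keeps one code from being linked to two owners.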

5.2 Maintenance

5.2.1 Regular and frequent backups of all data shall be made and the backup copies stored in a fire proof data safe at a location away from that of the secure database register.

5.2.2 Secure Database Register loading shall be monitored to ensure timely action is taken to increase capacity when required. Capacity requirements shall be monitored to indicate where action is needed to avoid failures due to inadequate resources.

5.2.3 The Secure Database Register shall be capable of holding a minimum of two million records and shall permit rapid and effective expansion without practical limit.

5.2.4 There shall be adequate fields per data table (nominally one hundred).

5.2.5 Changes to the structure of the Secure Database Register shall be controlled by the Database Management Company through a documented system of test, review and authorisation prior to any such changes being implemented.

5.2.6 The Database Management Company shall undertake documented steps to ensure that the Secure Database Register and the computer system on which the Secure Database Register is operated are 'year 2000 compliant'.


5.3 Personnel

5.3.1 Only authorised personnel shall have access to information held on the Secure Database Register.

5.3.2 Prior to being given access to the Secure Database Register, all personnel shall:

  • successfully undergo security vetting.

  • sign a confidentiality agreement preventing the divulgence of information relating to data stored on the database and the method to access such data.

  • be assigned an individual password (clause 5.4.12)

Personnel who have been in regular employment with the Database Management Company for a period in excess of one year and have an exemplary security record with the company are deemed to meet the requirements of this standard without the need for further security vetting. All new employees and those who have been employed for less than one year must be vetted in accordance with 6.1.2 of BS 7799: Part 1: 1999.

Records of the employee vetting, confidentiality agreement and password issue shall be maintained in a secure environment accessible only by authorised personnel.

5.3.3 The security roles and responsibilities of each of the Database Management Company's employees shall be defined. These should include any general responsibilities for implementing or maintaining security policy, together with specific responsibilities, for example, the protection of particular assets or the execution of particular security processes.

5.3.4 All new employees shall be given security and technical training appropriate to their specific job function and experience.

5.3.5 Security breaches by employees shall be dealt with through a formal disciplinary procedure. Records of all disciplinary action undertaken shall be maintained.


5.4 Control of access to information stored on the secure database register and protection of equipment

5.4.1 General

5.4.1.1 The Secure Database Register shall be located in a secure area within a protected building, manned 24 hours a day.

5.4.1.2 The secure areas, that is the locations where activities such as data entry, enquiry processing and data storage are undertaken, shall have defined security perimeters and strategically located barriers with, where practicable, electronic surveillance and/or alarming systems in place.

5.4.1.3 Entry to the secure area shall be controlled such that only authorised personnel have access.

5.4.1.4 Other areas within the building that hold supporting functions involving sensitive information shall be afforded a similar level of protection to that of the Secure Database Register.

5.4.2 Documentation and computer records

5.4.2.1 All documents relating specifically to information stored on the Secure Database Register or the control of access to the Secure Database Register shall be protected from unauthorised viewing. These include completed registration forms, hard copies of the database contents and password lists.

Note: Where possible, database management companies should consider storing such documents in secure cabinets that have been certificated to LPS1228.

5.4.2.2 The issue and use of removable computer media such as discs, tapes, printed reports and printer ribbons from the Database Management Company shall be controlled and documented.

5.4.2.3 Computer media and all security sensitive documents shall be securely disposed of when no longer required.

5.4.2.4 The disposal of computer media and security sensitive documents shall only be undertaken by authorised personnel, and shall be recorded.

5.4.2.5 Data shall be permanently erased from all database hardware prior to disposal.

5.4.2.6 Adequate measures to prevent and detect computer viruses shall be in place.

5.4.3 Passwords

5.4.3.1 Access to the Secure Database Register shall be restricted by means of password control.

Note: The use of alternative means of computer access control, such as the use of fingerprint recognition systems, is permitted.

5.4.3.2 Passwords shall be issued in accordance with documented procedures.

5.4.3.3 Each password shall only be issued to one person.

5.4.3.4 The password shall be immediately cancelled if:

  • the status of the person to which it was issued changes and the change affects that person's entry rights or functions relating to the operation of the database.

  • the password is divulged to an unauthorised person.

5.4.3.5 The effective cancellation of passwords shall be verified by a nominated management representative.

5.4.3.6 The password issued to a person shall limit that person to only undertaking those operations which they are authorised to carry out.

5.4.3.7 The issue and cancellation of passwords shall be recorded.

5.4.4 System security

5.4.4.1 Operators shall log out of the Secure Database Register when leaving their terminal for any duration greater than one minute.

Note: This may be achieved via a password activated screensaver or other automatically triggered data access protection device.

5.4.4.2 Audit trails of security events, such as system log-ons and log-outs, shall be recorded.

5.4.4.3 If the Secure Database Register is to be run over a network to a sub-contracted mainframe computer then the data shall be commercially encrypted such that only authorised parties may access the data, and then only on a read-only basis.
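The following is an added example, not part of the standard or of any Database Management Company's software, illustrating the password clauses of 5.4.3 together with the system security clauses of 5.4.4. It models a credential issued to exactly one person (5.4.3.3) that limits the holder to authorised operations (5.4.3.6), is cancelled on a status change or disclosure (5.4.3.4), and whose issue and cancellation are recorded (5.4.3.7); sessions idle for more than one minute are ended automatically (5.4.4.1), and log-ons, log-outs and refused actions are kept as an audit trail (5.4.4.2). The class and method names, the PBKDF2 password storage and the sample events are all assumptions for illustration; time is passed in explicitly so the idle rule can be exercised deterministically.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Credential:
    holder: str                 # the one person this credential is issued to (5.4.3.3)
    permitted: frozenset[str]   # operations the holder is authorised to perform (5.4.3.6)
    salt: bytes
    digest: bytes               # PBKDF2-HMAC-SHA256 of the password; never the password itself
    active: bool = True


class AccessRegister:
    IDLE_LIMIT_S = 60           # 5.4.4.1: a terminal left for more than one minute
    PBKDF2_ROUNDS = 100_000     # assumed work factor

    def __init__(self) -> None:
        self._creds: dict[str, Credential] = {}
        self._sessions: dict[str, float] = {}           # holder -> time of last activity
        self.audit: list[tuple[float, str, str]] = []   # (time, event, detail): 5.4.3.7 / 5.4.4.2

    def _log(self, event: str, detail: str, now: float) -> None:
        self.audit.append((now, event, detail))

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    def issue(self, holder: str, password: str, permitted: set[str], now: float) -> None:
        """Issue a credential to one named person and record the issue."""
        if holder in self._creds and self._creds[holder].active:
            raise ValueError(f"{holder} already holds an active credential")
        salt = os.urandom(16)
        self._creds[holder] = Credential(holder, frozenset(permitted), salt, self._hash(password, salt))
        self._log("issue", holder, now)

    def cancel(self, holder: str, reason: str, now: float) -> None:
        """Immediate cancellation (5.4.3.4): the credential and any live session end."""
        self._creds[holder].active = False
        self._sessions.pop(holder, None)
        self._log("cancel", f"{holder}: {reason}", now)

    def login(self, holder: str, password: str, now: float) -> bool:
        cred = self._creds.get(holder)
        if cred is None or not cred.active:
            self._log("login_fail", holder, now)
            return False
        if not hmac.compare_digest(self._hash(password, cred.salt), cred.digest):
            self._log("login_fail", holder, now)
            return False
        self._sessions[holder] = now
        self._log("login", holder, now)
        return True

    def logout(self, holder: str, now: float) -> None:
        if self._sessions.pop(holder, None) is not None:
            self._log("logout", holder, now)

    def perform(self, holder: str, operation: str, now: float) -> bool:
        """Allow an operation only inside a live, non-idle session and only if
        the credential permits it; every refusal is written to the audit trail."""
        last = self._sessions.get(holder)
        if last is None:
            self._log("denied", f"{holder}: no session for {operation}", now)
            return False
        if now - last > self.IDLE_LIMIT_S:
            # Automatic protection of an abandoned terminal (cf. note to 5.4.4.1).
            self._sessions.pop(holder)
            self._log("auto_logout", holder, now)
            return False
        if operation not in self._creds[holder].permitted:
            self._log("denied", f"{holder}: {operation}", now)
            return False
        self._sessions[holder] = now
        self._log("operation", f"{holder}: {operation}", now)
        return True


if __name__ == "__main__":
    # Constructed walk-through with a fake clock (seconds).
    reg = AccessRegister()
    reg.issue("operator1", "example-passphrase", {"enquiry"}, now=0.0)
    reg.login("operator1", "example-passphrase", now=2.0)
    reg.perform("operator1", "enquiry", now=10.0)       # permitted
    reg.perform("operator1", "data_entry", now=11.0)    # not authorised -> denied
    reg.perform("operator1", "enquiry", now=100.0)      # idle 90 s -> auto_logout
    reg.cancel("operator1", "password divulged", now=102.0)
    for entry in reg.audit:
        print(entry)
```

The audit list is the record that clauses 5.4.3.7 and 5.4.4.2 ask for; in a real deployment it would be written to append-only storage outside the operator's reach rather than kept in memory.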


5.5 Incident response

5.5.1 A procedure for effectively identifying, reporting, and dealing with any security incidents and potential security weaknesses shall be established and maintained.

5.5.2 A system for reporting and effectively dealing with software malfunctions shall be established and maintained.

5.5.3 The effectiveness of the Secure Database Register access controls shall be reviewed on a regular basis by the management with executive responsibility.

5.6 Contingency

5.6.1 A continuity procedure shall be in place. This shall enable the register to restart operations within a time scale of not greater than 24 hours should disaster overwhelm the Secure Database Register.

5.6.2 The continuity plan shall be tested and reviewed on a regular basis, and updated accordingly to ensure its continued effectiveness.

5.6.3 In the event of the Database Management Company ceasing trading, changing ownership or changing contact details, such as postal/e-mail address or telephone number, the Database Management Company shall inform all parties affected by the change, including the Loss Prevention Certification Board (LPCB). Where the Database Management Company is to cease trading it shall confirm the provisions made for future storage of and access to the data held on the Secure Database Register. Should it not be possible for assessment of the database to be continued, a client list shall be passed to the approval body on paper and in ASCII format.


6. MARKING

Documents relating specifically to the Secure Database Register assessed by the LPCB shall be marked with the Database Management Company's trade name and trademarks under which the Secure Database Register is to be registered.

In addition, where permitted under the LPCB's terms and conditions (P0015) and rules for use of the LPCB marks (P0008), the Database Management Company shall mark documents relating specifically to the Secure Database Register assessed by the LPCB with the relevant LPCB mark, the certification number issued by the LPCB and the standard to which the Secure Database Register is certificated, that is LPS1224: Issue 2.


7. PUBLICATIONS REFERRED TO

Normative references:

BS 7799: Part 2: 1998
Information Security Management
Part 2: Specification of information security management systems.

BS EN ISO 9001: 1994
Quality Systems
Model for quality assurance in design, development, production, installation and servicing.

BS EN ISO 9002: 1994
Quality Systems
Model for quality assurance in production, installation and servicing.

Informative references:

BS EN 1143-1: 1997
Secure storage units - Requirements, classification and methods of test for resistance to burglary. Part 1: safes, strongroom doors and strongrooms.

LPS 1183: Issue 4
Specification for safe storage units - Part 1: Safes and strongrooms.

LPS 1225: Issue 3
Specification for testing and classifying asset marking systems.

LPS 1228: Issue 1
Specification for testing and classifying the burglary resistance of office furniture - lightweight containers.

Getting a copy

Loss Prevention Standard LPS 1224: Issue 2 December 1999 - Requirements for Secure Database Registers PDF 146Kb



Date modified: 19 August 2002
Review date: August 2003
Originator: Loss Prevention Certification Board

Last update: 08/09/03
