Checking List According To ISO27001: TOWER Semiconductor LTD N.A. Security

The document is a checklist of controls from the ISO 27001:2005 standard for information security management. It lists controls for establishing an information security policy, organizing information security responsibilities within the organization, managing security risks from external parties, asset management, information classification and handling, human resources security, and physical and environmental security. The checklist ensures an organization is meeting requirements to properly manage information security risks according to the ISO 27001 standard.


TOWER Semiconductor Ltd Checking List N.A. Security
According to ISO27001

ISO 27001:2005 Ref # | Title | Control

5 | Security Policy
5.1 | Information security policy | To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
5.1.1 | Information security policy document | An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.
5.1.2 | Review of the information security policy | The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

6 | Organization of information security
6.1 | Internal organization | To manage information security within the organization.
6.1.1 | Management commitment to information security | Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.
6.1.2 | Information security coordination | Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.
6.1.3 | Allocation of information security responsibilities | All information security responsibilities shall be clearly defined.
6.1.4 | Authorization process for information processing facilities | A management authorization process for new information processing facilities shall be defined and implemented.
6.1.5 | Confidentiality agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed.
6.1.6 | Contact with authorities | Appropriate contacts with relevant authorities shall be maintained.
6.1.7 | Contact with special interest groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
6.1.8 | Independent review of information security | The organization's approach to managing information security and its implementation (i.e. control objectives, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.
6.2 | External parties | To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
6.2.1 | Identification of risks related to external parties | The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.
6.2.2 | Addressing security when dealing with customers | All identified security requirements shall be addressed before giving customers access to the organization's information or assets.
6.2.3 | Addressing security in third party agreements | Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.

7 | Asset management
7.1 | Responsibility for assets | To achieve and maintain appropriate protection of organizational assets.
7.1.1 | Inventory of assets | All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.
7.1.2 | Ownership of assets | All information and assets associated with information processing facilities shall be owned by a designated part of the organization.
7.1.3 | Acceptable use of assets | Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented and implemented.
7.2 | Information classification | To ensure that information receives an appropriate level of protection.
7.2.1 | Classification guidelines | Information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
7.2.2 | Information labeling and handling | An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.

8 | Human resources security
8.1 | Prior to employment | To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
8.1.1 | Roles and responsibilities | Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization's information security policy.
8.1.2 | Screening | Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

ISO27001_CheckList_1-2.xls 1/6 1/7/2010


8.1.3 | Terms and conditions of employment | As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization's responsibilities for information security.
8.2 | During employment | To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
8.2.1 | Management responsibilities | Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.
8.2.2 | Information security awareness, education, and training | All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organization policies and procedures as relevant for their job function.
8.2.3 | Disciplinary process | There shall be a formal disciplinary process for employees who have committed a security breach.
8.3 | Termination or change of employment | To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
8.3.1 | Termination responsibilities | Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.
8.3.2 | Return of assets | All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement.
8.3.3 | Removal of access rights | The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

9 | Physical and environmental security
9.1 | Secure areas | To prevent unauthorized physical access, damage and interference to the organization's premises and information.
9.1.1 | Physical security perimeter | Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities.
9.1.2 | Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
9.1.3 | Securing offices, rooms and facilities | Physical security for offices, rooms, and facilities shall be designed and applied.
9.1.4 | Protecting against external and environmental threats | Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.
9.1.5 | Working in secure areas | Physical protection and guidelines for working in secure areas shall be designed and applied.
9.1.6 | Public access, delivery, and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
9.2 | Equipment security | To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.
9.2.1 | Equipment siting and protection | Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
9.2.2 | Supporting utilities | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
9.2.3 | Cabling security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.
9.2.4 | Equipment maintenance | Equipment shall be correctly maintained to ensure its continued availability and integrity.
9.2.5 | Security of equipment off-premises | Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises.
9.2.6 | Secure disposal or re-use of equipment | All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.
9.2.7 | Removal of property | Equipment, information or software shall not be taken off-site without prior authorization.

10 | Communications and operations management
10.1 | Operational procedures and responsibilities | To ensure the correct and secure operation of information processing facilities.
10.1.1 | Documented operating procedures | Operating procedures shall be documented, maintained, and made available to all users who need them.
10.1.2 | Change management | Changes to information processing facilities and systems shall be controlled.

10.1.3 | Segregation of duties | Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
10.1.4 | Separation of development, test and operational facilities | Development, test, and operational facilities shall be separated to reduce the risks of unauthorized access or changes to the operational system.
10.2 | Third party service delivery management | To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
10.2.1 | Service delivery | It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.
10.2.2 | Monitoring and review of third party services | The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.
10.2.3 | Managing changes to third party services | Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and reassessment of risks.
10.3 | System planning and acceptance | To minimize the risk of systems failures.
10.3.1 | Capacity management | The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.
10.3.2 | System acceptance | Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance.
10.4 | Protection against malicious software | To protect the integrity of software and information.
10.4.1 | Controls against malicious code | Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.
10.4.2 | Controls against mobile code | Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing.
10.5 | Back-up | To maintain the integrity and availability of information and information processing facilities.
10.5.1 | Information back-up | Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.
10.6 | Network security management | To ensure the protection of information in networks and the protection of the supporting infrastructure.
10.6.1 | Network controls | Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
10.6.2 | Security of network services | Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.
10.7 | Media handling | To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
10.7.1 | Management of removable media | There shall be procedures in place for the management of removable media.
10.7.2 | Disposal of media | Media shall be disposed of securely and safely when no longer required, using formal procedures.
10.7.3 | Information handling procedures | Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse.
10.7.4 | Security of system documentation | System documentation shall be protected against unauthorized access.
10.8 | Exchange of information | To maintain the security of information and software exchanged within an organization and with any external entity.
10.8.1 | Information exchange policies and procedures | Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communications facilities.
10.8.2 | Exchange agreements | Agreements shall be established for the exchange of information and software between the organization and external parties.
10.8.3 | Physical media in transit | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundaries.
10.8.4 | Electronic messaging | Information involved in electronic messaging shall be appropriately protected.
10.8.5 | Business information systems | Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.
10.9 | Electronic commerce services | To ensure the security of electronic commerce services, and their secure use.
10.9.1 | Electronic commerce | Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure or modification.

10.9.2 | On-line transactions | Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
10.9.3 | Publicly available information | The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification.
10.10 | Monitoring | To detect unauthorized information processing activities.
10.10.1 | Audit logging | Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
10.10.2 | Monitoring system use | Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.
10.10.3 | Protection of log information | Logging facilities and log information shall be protected against tampering and unauthorized access.
10.10.4 | Administrator and operator logs | System administrator and system operator activities shall be logged.
10.10.5 | Fault logging | Faults shall be logged, analyzed, and appropriate action taken.
10.10.6 | Clock synchronization | The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.

11 | Access control
11.1 | Business requirement for access control | To control access to information.
11.1.1 | Access control policy | An access control policy shall be established, documented, and reviewed based on business and security requirements for access.
11.2 | User access management | To ensure authorized user access and to prevent unauthorized access to information systems.
11.2.1 | User registration | There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.
11.2.2 | Privilege management | The allocation and use of privileges shall be restricted and controlled.
11.2.3 | User password management | The allocation of passwords shall be controlled through a formal management process.
11.2.4 | Review of user access rights | Management shall review users' access rights at regular intervals using a formal process.
11.3 | User responsibilities | To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
11.3.1 | Password use | Users shall be required to follow good security practices in the selection and use of passwords.
11.3.2 | Unattended user equipment | Users shall ensure that unattended equipment has appropriate protection.
11.3.3 | Clear desk and clear screen policy | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
11.4 | Network access control | To prevent unauthorized access to networked services.
11.4.1 | Policy on use of network services | Users shall only be provided with access to the services that they have been specifically authorized to use.
11.4.2 | User authentication for external connections | Appropriate authentication methods shall be used to control access by remote users.
11.4.3 | Equipment identification in networks | Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment.
11.4.4 | Remote diagnostic and configuration port protection | Physical and logical access to diagnostic and configuration ports shall be controlled.
11.4.5 | Segregation in networks | Groups of information services, users, and information systems shall be segregated on networks.
11.4.6 | Network connection control | For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications (see 11.1).
11.4.7 | Network routing control | Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.
11.5 | Operating system access control | To prevent unauthorized access to operating systems.
11.5.1 | Secure log-on procedures | Access to operating systems shall be controlled by a secure log-on procedure.
11.5.2 | User identification and authorization | All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.
11.5.3 | Password management system | Systems for managing passwords shall be interactive and shall ensure quality of passwords.
11.5.4 | Use of system utilities | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
11.5.5 | Session time-out | Interactive sessions shall shut down after a defined period of inactivity.
11.5.6 | Limitation of connection time | Restrictions on connection times shall be used to provide additional security for high-risk applications.
11.6 | Application and information access control | To prevent unauthorized access to information held in application systems.

11.6.1 | Information access restriction | Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.
11.6.2 | Sensitive system isolation | Sensitive systems shall have a dedicated (isolated) computing environment.
11.7 | Mobile computing and teleworking | To ensure information security when using mobile computing and teleworking facilities.
11.7.1 | Mobile computing and communications | A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communications facilities.
11.7.2 | Teleworking | A policy, operational plans and procedures shall be developed and implemented for teleworking activities.

12 | Information systems acquisition, development and maintenance
12.1 | Security requirements of information systems | To ensure that security is an integral part of information systems.
12.1.1 | Security requirements analysis and specification | Statements of business requirements for new information systems, or enhancements to existing information systems, shall specify the requirements for security controls.
12.2 | Correct processing in applications | To prevent errors, loss, unauthorized modification or misuse of information in applications.
12.2.1 | Input data validation | Data input to applications shall be validated to ensure that this data is correct and appropriate.
12.2.2 | Control of internal processing | Validation checks shall be incorporated in applications to detect any corruption of information through processing errors or deliberate acts.
12.2.3 | Message integrity | Requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and appropriate controls identified and implemented.
12.2.4 | Output data validation | Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
12.3 | Cryptographic controls | To protect the confidentiality, authenticity or integrity of information by cryptographic means.
12.3.1 | Policy on the use of cryptographic controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
12.3.2 | Key management | Key management shall be in place to support the organization's use of cryptographic techniques.
12.4 | Security of system files | To ensure the security of system files.
12.4.1 | Control of operational software | There shall be procedures in place to control the installation of software on operational systems.
12.4.2 | Protection of system test data | Test data shall be selected carefully, and protected and controlled.
12.4.3 | Access control to program source code | Access to program source code shall be restricted.
12.5 | Security in development and support processes | To maintain the security of application system software and information.
12.5.1 | Change control procedures | The implementation of changes shall be controlled by the use of formal change control procedures.
12.5.2 | Technical review of applications after operating system changes | When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
12.5.3 | Restrictions on changes to software packages | Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
12.5.4 | Information leakage | Opportunities for information leakage shall be prevented.
12.5.5 | Outsourced software development | Outsourced software development shall be supervised and monitored by the organization.
12.6 | Technical vulnerability management | To reduce risks resulting from exploitation of published technical vulnerabilities.
12.6.1 | Control of technical vulnerabilities | Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

13 | Information security incident management
13.1 | Reporting information security events and weaknesses | To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
13.1.1 | Reporting information security events | Information security events shall be reported through appropriate management channels as quickly as possible.
13.1.2 | Reporting security weaknesses | All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.
13.2 | Management of information security incidents and improvements | To ensure a consistent and effective approach is applied to the management of information security incidents.
13.2.1 | Responsibilities and procedures | Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
13.2.2 | Learning from information security incidents | There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.

13.2.3 | Collection of evidence | Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

14 | Business continuity management
14.1 | Information security aspects of business continuity management | To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
14.1.1 | Including information security in the business continuity management process | A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity.
14.1.2 | Business continuity and risk assessment | Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security.
14.1.3 | Developing and implementing continuity plans including information security | Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.
14.1.4 | Business continuity planning framework | A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance.
14.1.5 | Testing, maintaining and re-assessing business continuity plans | Business continuity plans shall be tested and updated regularly to ensure that they are up to date and effective.

15 | Compliance
15.1 | Compliance with legal requirements | To avoid breaches of any law, statutory, regulatory or contractual obligations and of any security requirements.
15.1.1 | Identification of applicable legislation | All relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.
15.1.2 | Intellectual property rights (IPR) | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.
15.1.3 | Protection of organizational records | Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements.
15.1.4 | Data protection and privacy of personal information | Data protection and privacy shall be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.
15.1.5 | Prevention of misuse of information processing facilities | Users shall be deterred from using information processing facilities for unauthorized purposes.
15.1.6 | Regulation of cryptographic controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.
15.2 | Compliance with security policies and standards, and technical compliance | To ensure compliance of systems with organizational security policies and standards.
15.2.1 | Compliance with security policies and standards | Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.
15.2.2 | Technical compliance checking | Information systems shall be regularly checked for compliance with security implementation standards.
15.3 | Information systems audit considerations | To maximize the effectiveness of, and to minimize interference to/from, the information systems audit process.
15.3.1 | Information systems audit controls | Audit requirements and activities involving checks to operational systems shall be carefully planned and agreed to minimize the risk of disruptions to business processes.
15.3.2 | Protection of information systems audit tools | Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.
