Wednesday, May 24, 2006

Summary of ISO17799

Asset Classification and Control (ISO17799 Section 3)
Information should be classified to indicate the need, priorities and degree of protection.
Responsibility for defining a document’s classification (and for reviewing it periodically) remains with its originator or nominated owner
“Classified data … should be labeled in terms of its value and sensitivity…” and if it is sensitive or critical, it should carry an appropriate classification label.
“Physical labels are most appropriate”



Personnel Security (ISO17799 Section 4)
“Should be addressed at the recruitment stage”
Security roles and responsibilities should be included in job descriptions
Screening checks should always be carried out on permanent as well as temporary and contract staff
IT workers should sign a non-disclosure agreement (NDA) whose obligations continue after the employee leaves
Security breaches should be reported as quickly as possible
Users should be required to report observed or suspected weaknesses
Software malfunctions should be reported as well
Violations of company security policy should be handled through a formal disciplinary process
Users should be trained on proper security procedures, legal issues and business controls


Physical Security (ISO17799 Section 5)
Critical or sensitive facilities should be located in secure locations
Perimeter security must be overlapping and complementary
Secure areas should be unobtrusive: people outside them should not be made aware of the activities within
In-house computer equipment should be housed separately from 3rd party managed equipment
Visitors to secure locations should be supervised and time in and time out should be noted
Access to computer and communications rooms “must be restricted to authorized staff only”
Visible ID should be worn
Access rights should be revoked immediately for employees who no longer work in that area
Access rights should be reviewed regularly
An isolated delivery/loading area should exist, with inner and outer doors so that the outer door is secured while the inner one is open
Employees should not take software, data or equipment offsite without authorization
Equipment should be physically protected from threats (fire, EMF, dust, water, etc)
Equipment with sensitive data should be located away from high-traffic areas and situated to minimize the risk of “shoulder surfing”
Equipment should be protected from electric power fluctuations and outages
Power cables should be separated from data cables to prevent interference
Network data cables should be run inside conduit to prevent interception, and cable runs should avoid public areas whenever possible
For extremely sensitive areas: armored conduit, fiber optic cabling, data encryption (?), and sweeps for rogue devices
Adequate insurance coverage should be in place
Storage media containing sensitive data should be physically destroyed (e.g. shredded or incinerated) when no longer required


Communications (ISO17799 Section 6)
Documented operating procedures and clearly assigned responsibilities should be in place for IT
Procedures should include detailed steps for each job function
Incident management procedures should be established
Segregation of duties
Separate development and operational facilities
If external contractors will be used, determine beforehand which processes to handle in-house
Advance planning is needed to ensure system availability
Capacity should be planned carefully, with special concern for mainframes
A formal system acceptance process is important to have in place
“Precautions are required to prevent and detect … malicious software.”
“…prevention is better than cure”
A formal policy regarding software licenses and unauthorized software should exist
** “The organization should consider conducting regular reviews of the software and data content of systems supporting critical business processes.” 6.3.1d
Data backups should be located at a remote location
“The security management of data that may pass organizational boundaries requires special attention.”
Operational responsibility for networks should be separated from computer operations
Removable electronic media should be controlled and physically protected
“The data should not be identifiable from its label.”
“Require a written authorization for all media removed from the organization…”
“Media should be physically locked in sturdy cabinets.”
Distribution lists for system documentation should be kept to a minimum
Clear procedures for the destruction of media should be established
Electronic messaging should be controlled



Access Control (ISO17799 Section 7)
Access to computer resources should be restricted based on business needs
Access controls should be defined and documented
Concept of a “business application owner” who is ultimately responsible for access decisions
“Mandatory access control” vs. “Discretionary access control”
Everything generally forbidden unless specifically permitted
Formal procedures should be in place to protect access rights to sensitive information
A formal procedure to “register” and “deregister” users should exist
Give users a written statement of their access rights and require users to sign them
Issue temporary passwords which users are required to change immediately
Passwords should be conveyed to users in a secure manner
Connections to network services should be controlled (users should only be able to access services which they have specifically been authorized to use)
The path from the user’s terminal to the services they may use may need to be controlled (an “enforced path”)
Divide large networks into smaller network domains separated by firewalls and routers
Access to computer facilities should be controlled
Operating-system level controls: user identification, terminal identification, user authentication, password management
Connection times should be limited
Use of system utilities should be highly controlled
Sensitive computer systems may require isolation from regular computers and networks
Systems should be monitored
Logging and clock synchronization are important (logs from different systems can only be correlated if their clocks agree)
Mobile computing and telecommuting create special security concerns
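To make the access-control points above concrete, here is a small model I have added (it is not part of ISO17799 and not code from the standard): a registry that registers and deregisters users, issues a temporary password that must be changed before first use, limits connection hours, denies every service that the application owner has not explicitly authorized, and writes a timestamped audit line for each decision. The user name, the “payroll” service, the password length rule and the working hours are assumptions made up for the illustration.

```python
# Added illustration of default-deny access control; names, services and
# the 12-character password rule are assumptions, not taken from ISO17799.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Account:
    user: str
    salt: bytes
    pw_hash: bytes
    services: set                      # only what the application owner explicitly authorized
    allowed_hours: tuple               # (start, end) datetime.time: the permitted connection window
    must_change_password: bool = True  # every account starts life with a temporary password
    active: bool = True


class AccessRegistry:
    """Register/deregister users and decide requests on a default-deny basis."""

    def __init__(self):
        self.accounts = {}
        self.audit = []  # timestamped log lines (assumes synchronized clocks)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _log(self, now, event, user, detail=""):
        self.audit.append(f"{now.isoformat()} {event} user={user} {detail}".rstrip())

    def register(self, user, services, allowed_hours, now):
        """Create the account with a random temporary password; the caller conveys it
        to the user over a secure channel and the user must change it at first use."""
        temp = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(user, salt, self._hash(temp, salt), set(services), allowed_hours)
        self._log(now, "REGISTER", user, "services=" + ",".join(sorted(services)))
        return temp

    def deregister(self, user, now):
        acct = self.accounts.get(user)
        if acct is not None:
            acct.active = False
            acct.services.clear()  # revoke every right immediately, not just the login
        self._log(now, "DEREGISTER", user)

    def _check_password(self, acct, password):
        return hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash)

    def change_password(self, user, old, new, now):
        acct = self.accounts.get(user)
        if (acct is None or not acct.active or not self._check_password(acct, old)
                or len(new) < 12 or new == old):  # assumed minimum password policy
            return False
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = self._hash(new, acct.salt)
        acct.must_change_password = False
        self._log(now, "PW_CHANGE", user)
        return True

    def authorize(self, user, password, service, now):
        """Return (allowed, reason). Anything not explicitly permitted is denied."""
        acct = self.accounts.get(user)
        if acct is None or not acct.active:
            reason = "unknown or deregistered user"
        elif not self._check_password(acct, password):
            reason = "authentication failed"
        elif acct.must_change_password:
            reason = "temporary password must be changed before use"
        elif not (acct.allowed_hours[0] <= now.time() <= acct.allowed_hours[1]):
            reason = "outside permitted connection hours"
        elif service not in acct.services:
            reason = "service not explicitly authorized"
        else:
            self._log(now, "ALLOW", user, f"service={service}")
            return True, "permitted"
        self._log(now, "DENY", user, f"service={service} reason={reason}")
        return False, reason


def demo():
    """Walk one (made-up) user through the lifecycle and return every decision."""
    reg = AccessRegistry()
    t = datetime(2006, 5, 24, 10, 0)
    pw = "correct horse battery staple"
    temp = reg.register("alice", {"payroll"}, (time(8, 0), time(18, 0)), t)
    out = {"temp_password_not_changed": reg.authorize("alice", temp, "payroll", t)}
    out["password_changed"] = reg.change_password("alice", temp, pw, t)
    out["permitted_service"] = reg.authorize("alice", pw, "payroll", t)
    out["unlisted_service"] = reg.authorize("alice", pw, "ledger", t)
    out["after_hours"] = reg.authorize("alice", pw, "payroll", t.replace(hour=23))
    reg.deregister("alice", t)
    out["after_deregistration"] = reg.authorize("alice", pw, "payroll", t)
    out["audit"] = reg.audit
    return out


if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

The order of the checks in `authorize` matters: identity and authentication are settled before the authorization question is even asked, and the final `else` is the only path that grants anything, which is what “forbidden unless specifically permitted” looks like in code.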


System Development and Maintenance (ISO17799 Section 8)
Security requirements should be built into computer systems from the start and reflect the value of the asset
The CIA model (confidentiality, integrity, availability)
Different controls to prevent, detect and recover from major failures or incidents
Audit trails are important
Comply with regulatory requirements
“Input data validation”; “Internal process validation”; “Output data validation”
Encryption should be considered for sensitive and critical data
Cryptographic controls can provide authentication, non-repudiation, integrity and confidentiality
Project, development and support environments should be strictly controlled
Formal change control procedures
Prefer buying software with its source code so that it can be inspected
Be alert to Trojan code and covert channels
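The three validation stages listed above (input, internal process, output) are easier to see in code than in a bullet list, so I have added the example below; it is my own illustration, not something from ISO17799. A constructed batch of payment records is validated field by field on the way in, reconciled against the batch control count and total during processing, checked for plausibility on the way out, and then sealed with an HMAC so a downstream consumer can detect tampering. The account-number format, the currency list, the per-record ceiling and the key are all made-up assumptions.

```python
# Added illustration of input / internal-process / output validation plus a
# message authentication code. Field names, formats, limits and the key are
# constructed for the example, not taken from the standard.
import hashlib
import hmac
import json
import re
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"[A-Z]{2}[0-9]{6}")  # assumed account-number format
CURRENCIES = {"USD", "EUR", "GBP"}             # assumed accepted currencies
MAX_AMOUNT = Decimal("100000.00")              # assumed per-record ceiling


class ValidationError(ValueError):
    pass


def validate_input(record):
    """Input data validation: reject malformed, out-of-range or unexpected fields
    before they enter processing. Amounts must arrive as strings, never floats."""
    expected = {"account", "amount", "currency"}
    if not isinstance(record, dict) or set(record) != expected:
        raise ValidationError("unexpected or missing fields")
    if not isinstance(record["account"], str) or not ACCOUNT_RE.fullmatch(record["account"]):
        raise ValidationError("malformed account number")
    if record["currency"] not in CURRENCIES:
        raise ValidationError("unsupported currency")
    if not isinstance(record["amount"], str):
        raise ValidationError("amount must be a decimal string")
    try:
        amount = Decimal(record["amount"])
        ok = amount.is_finite() and Decimal("0") < amount <= MAX_AMOUNT
        ok = ok and amount == amount.quantize(Decimal("0.01"))  # at most two decimals
    except InvalidOperation:  # unparsable text, NaN comparisons, absurd exponents
        ok = False
    if not ok:
        raise ValidationError(f"amount out of range or malformed: {record['amount']!r}")
    return {"account": record["account"], "amount": amount, "currency": record["currency"]}


def process_batch(records, expected_count, expected_total):
    """Internal process validation: the control count and total that accompany
    the batch must reconcile with what was actually processed (run-to-run control)."""
    validated = [validate_input(r) for r in records]
    if len(validated) != expected_count:
        raise ValidationError(f"record count {len(validated)} != control count {expected_count}")
    total = sum((r["amount"] for r in validated), Decimal("0"))
    if total != Decimal(expected_total):
        raise ValidationError(f"batch total {total} != control total {expected_total}")
    by_account = {}
    for r in validated:
        key = (r["account"], r["currency"])
        by_account[key] = by_account.get(key, Decimal("0")) + r["amount"]
    return by_account, total


def validate_output(by_account, input_total):
    """Output data validation: results must be plausible and reconcile to the input."""
    if any(v <= 0 for v in by_account.values()):
        raise ValidationError("non-positive account total in output")
    if sum(by_account.values(), Decimal("0")) != input_total:
        raise ValidationError("output total does not reconcile with input total")
    return True


def seal(by_account, key):
    """Attach an HMAC-SHA256 tag so tampering in transit is detectable.
    An HMAC gives integrity and origin authentication between the parties that
    share the key; non-repudiation would need a digital signature instead."""
    payload = {f"{acct}/{cur}": str(v) for (acct, cur), v in sorted(by_account.items())}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(body, tag, key):
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag)


def is_valid_input(record):
    """Convenience wrapper: True if validate_input accepts the record."""
    try:
        validate_input(record)
        return True
    except ValidationError:
        return False


# Constructed sample batch (not real data) with its control count and total.
SAMPLE_BATCH = [
    {"account": "GB000001", "amount": "1200.00", "currency": "GBP"},
    {"account": "GB000002", "amount": "300.50", "currency": "GBP"},
    {"account": "GB000001", "amount": "2000.00", "currency": "GBP"},
]

if __name__ == "__main__":
    totals, batch_total = process_batch(SAMPLE_BATCH, 3, "3500.50")
    validate_output(totals, batch_total)
    body, tag = seal(totals, b"example-shared-key")
    print(body.decode(), tag, verify(body, tag, b"example-shared-key"))
```

Two details worth noting: amounts are parsed with `Decimal` from strings rather than `float`, because binary floats cannot represent most cent values exactly and the control-total reconciliation would then fail spuriously; and `is_finite()` is checked before any ordering comparison, because comparing a `Decimal("NaN")` with `<` raises rather than returning `False`.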

Business Continuity Planning (ISO17799 Section 9)
Minimizes the disruption caused by natural as well as man-made disasters and incidents
BCP should consider each threat, its probability of occurrence and the potential loss
The plan should minimize downtime
There should be a single BCP framework, written as simply as possible
Test, maintain and reassess the BCP





© 2006 All Rights Reserved.
