Wednesday, December 19, 2007

Information Security Management Handbook [Sixth Edition]

Book Details
- Hardcover: 3280 pages
- Publisher: AUERBACH; 6 edition (May 14, 2007)
- Language: English
- ISBN-10: 0849374952
- ISBN-13: 978-0849374951

Book Description

Never before have there been so many laws designed to keep corporations honest. New laws and regulations force companies to develop stronger ethics policies and the shareholders themselves are holding publicly traded companies accountable for their practices. Consumers are also concerned over the privacy of their personal information and current and emerging legislation is reflecting this trend. Under these conditions, it can be difficult to know where to turn for reliable, applicable advice.

The sixth edition of the Information Security Management Handbook addresses up-to-date issues in this increasingly important area. It balances contemporary articles with relevant articles from past editions to bring you a well-grounded view of the subject. The contributions cover questions important to those tasked with securing information assets, including the appropriate deployment of valuable resources as well as dealing with legal compliance, investigations, and ethics. Promoting the view that the management ethics and values of an organization lead directly to its information security program and to the technical, physical, and administrative controls to be implemented, the book explores topics such as risk assessments; metrics; security governance, architecture, and design; emerging threats; standards; and business continuity and disaster recovery. The text also discusses physical security, including access control and cryptography, and a plethora of technology issues such as application controls, network security, virus controls, and hacking.

US federal and state legislators continue to make certain that information security is a board-level conversation, and the Information Security Management Handbook, Sixth Edition continues to ensure that you have a clear understanding of the rules and regulations and an effective method for their implementation.

Book Info
The handbook includes chapters that correspond to the 10 domains of the Certified Information Systems Security Professional (CISSP) examination. Previous edition: c1999. DLC: Computer security--Management--Handbooks, manuals, etc.

IT Auditing: Using Controls to Protect Information Assets [Book]

Book Details

- Paperback: 387 pages
- Publisher: McGraw-Hill Osborne Media; 1 edition (December 22, 2006)
- Language: English
- ISBN-10: 0072263431
- ISBN-13: 978-0072263435

Book Description
Protect Your Systems with Proven IT Auditing Strategies

"A must-have for auditors and IT professionals." -Doug Dexter, CISSP-ISSMP, CISA, Audit Team Lead, Cisco Systems, Inc.

Plan for and manage an effective IT audit program using the in-depth information contained in this comprehensive resource. Written by experienced IT audit and security professionals, IT Auditing: Using Controls to Protect Information Assets covers the latest auditing tools alongside real-world examples, ready-to-use checklists, and valuable templates. Inside, you'll learn how to analyze Windows, UNIX, and Linux systems; secure databases; examine wireless networks and devices; and audit applications. Plus, you'll get up-to-date information on legal standards and practices, privacy and ethical issues, and the CobiT standard.

Build and maintain an IT audit function with maximum effectiveness and value

- Implement best practice IT audit processes and controls
- Analyze UNIX-, Linux-, and Windows-based operating systems
- Audit network routers, switches, firewalls, WLANs, and mobile devices
- Evaluate entity-level controls, data centers, and disaster recovery plans
- Examine Web servers, platforms, and applications for vulnerabilities
- Review databases for critical controls
- Use the COSO, CobiT, ITIL, ISO, and NSA INFOSEC methodologies
- Implement sound risk analysis and risk management practices
- Drill down into applications to find potential control weaknesses

About the Author

Chris Davis, CISA, CISSP, shares his experience from architecting, hardening, and auditing systems. He has trained auditors and forensic analysts. Davis is the coauthor of the bestselling Hacking Exposed: Computer Forensics.

Mike Schiller, CISA, has 14 years of experience in the IT audit field, most recently as the worldwide IT Audit Manager at Texas Instruments.

Kevin Wheeler, CISA, CISSP, NSA IAM/IEM, is the founder and CEO of InfoDefense and has over ten years of IT security experience.

Wednesday, December 5, 2007

Thinking Through Your 2008 Security Budget

By Ed Moyle
E-Commerce Times

For some people, November is all about festivity: turkey, cranberry sauce and the start of the long ramp-up to the December holidays.

However, that's not always the case if you happen to be in IT security.

If you are, you know that November can be anything but festive -- unless your idea of "festive" includes end-of-the-year network freezes, the inevitable holiday malware, spam out the wazoo, and (worst of all) the 2008 budget. Yup, 'tis the season -- the season for guessing at what you might need in the future and (most likely) won't get.

Every year, we're asked to do the same thing: Request the funding that we need for the upcoming year to keep the organization "secure." Like programming a universal remote control, it's one of those things that sounds simple enough until you actually try to do it.

Aside from being impossible (there's no such thing as "secure" -- just "secure enough"), there's also the fact that we're being asked to foresee the unforeseeable. How much malware will there be next year? How many application vulnerabilities will we find in the new accounting system? How many patches will come out for the hundreds of software products we support? These are just a few of the myriad things impacting budgetary requirements which simply cannot be precisely determined ahead of time.

However, rather than give up and submit another year's budget dripping with irony, let's look to see if there aren't a few strategies that we can use to help us bring some sanity to an otherwise insane process.
Planning for the Unforeseeable

When it comes to planning for your security operations budget, there are two types of information security organizations: those that have usable metrics and those that don't. If you're in the first category, you probably have a historical record of past events -- and you probably have some idea of what each of those events costs.

For example, you might know the number of malware events that occurred over the past 12 months and (depending on how long you've been keeping track) you might have some idea about the relative rate of increase of those events year-over-year. The same is true of security incidents, forensic investigations, IDS (intrusion detection system) alerts, applications reviewed, etc.

Now, I don't mean to suggest that metrics are the complete solution to your budgetary woes, but the budgeting process is the one area where you're likely to see quite a bit of return on your metrics initiative. If you're measuring, you can come up with a reasonable (or at least logical) estimate of future activity based on historical trends. Add in a margin of error and it's not unreasonable to put together a ballpark figure for what those future events might cost. Heck, you can even create milestones of how much you expect to spend month-over-month and use unspent dollars to invest in making everything more efficient. Of course, times being what they are, you might not get everything you ask for, but at least you'll know the impact of that ahead of time.

If you don't have metrics yet but you think they might help you with your budget, the challenge is to get them in place so that you can use them. Since you probably won't get any reliable metrics in place in time to use them in planning for this year's budget (hats off to you if you decide to try), the goal is to get them there in time to use them next year.

Don't assume that obtaining this information is going to be "free" though -- it won't be. So plan for the expense and account for the spending in your 2008 spending (after all, now's the time). If your decision-making process isn't currently based on some kind of concrete information like realistic metrics, one of your strategic goals (maybe your No. 1 strategic goal) should be improving the data coming in and making use of it.
Investing in the Program

So, maybe you have a reasonable idea about what operations spending looks like for 2008 -- or if you don't, you at least have it as a goal to get to a point where you can estimate (more) accurately. How about overall spending? After all, keeping to the "status quo" -- estimating what it'll cost next year to do the same thing as last year -- shouldn't be your final goal. Even if you're getting more efficient over time, there are still more things that you could be doing. No, there's another piece to the puzzle: Where should you invest in 2008 to operate in a more repeatable, organized and "mature" way? That's where program maturity comes in.

Your information security "program," or -- depending on the terminology you choose -- your ISMS (information security management system) is something to be thinking about as well when putting together your 2008 budget. Your ISMS should be your overarching framework for managing information security within your organization -- it's your opportunity to think about how you'll move away from tactical decision-making ("putting out fires") and move toward a model based on analyzing and treating risk, keeping track of your security processes and how they perform, both in terms of efficiency as well as effectiveness.

In other words, think about having a structured, well thought-out program as your road map to a better life.

Assuming that you want to come up with a more structured way of doing things, how can you get there? First, start by analyzing what your program does and doesn't already account for -- tools like ISO 27001 (International Organization for Standardization) help you identify what your program should have in place and areas that you should be looking into for program management.

Need to do a gap analysis to see where your program falls short? Account for that in your budget.

Already have a gap analysis that tells you where you need to improve? Account for those areas in your budget.

Granted, you might not get everything on your request list, but if you can demonstrate why this is valuable and candidly discuss with your management how you'd like to improve, you're probably likely to get some funding for doing this. Especially if you believe (as I do) that a structured, repeatable and mature program saves money over the long term.
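As an added example (not part of Ed Moyle's article), here is the metrics-based estimate the article describes, worked through in Python: a historical record of monthly security events is fitted with a trend line, the next twelve months are projected, a margin of error is added, and a per-event handling cost turns the projection into month-by-month spending milestones. The monthly event counts, the cost per event and the margin are constructed sample values, and the trend fit is ordinary least squares, a choice the article does not make itself.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: 24 months of malware events handled by the security team,
# oldest first. Replace with your own metrics.
MONTHLY_MALWARE_EVENTS = [
    18, 20, 19, 23, 22, 25, 27, 26, 29, 31, 30, 34,   # previous year
    33, 36, 38, 37, 41, 43, 42, 46, 48, 47, 51, 53,   # last year
]


def fit_trend(counts: List[float]) -> Tuple[float, float]:
    """Ordinary least-squares line through (month index, count): returns (slope, intercept)."""
    n = len(counts)
    if n < 2:
        raise ValueError("need at least two months of history to fit a trend")
    mean_x = (n - 1) / 2            # mean of the indices 0 .. n-1
    mean_y = sum(counts) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(counts))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def year_over_year_increase(counts: List[float]) -> float:
    """Relative growth of the last 12 months over the 12 months before them."""
    if len(counts) < 24:
        raise ValueError("need at least 24 months of history")
    previous, last = sum(counts[-24:-12]), sum(counts[-12:])
    return (last - previous) / previous


def forecast(counts: List[float], months: int = 12) -> List[float]:
    """Project the fitted trend forward; an event count cannot go below zero."""
    slope, intercept = fit_trend(counts)
    start = len(counts)
    return [max(0.0, intercept + slope * (start + i)) for i in range(months)]


@dataclass
class BudgetLine:
    month: int
    expected_events: float
    planned_spend: float


def budget_plan(counts: List[float], cost_per_event: float,
                margin: float = 0.15, months: int = 12) -> List[BudgetLine]:
    """Monthly milestones: projected events x (1 + margin of error) x cost per event."""
    return [
        BudgetLine(i + 1, round(events, 1), round(events * (1 + margin) * cost_per_event, 2))
        for i, events in enumerate(forecast(counts, months))
    ]


def total_budget(plan: List[BudgetLine]) -> float:
    return round(sum(line.planned_spend for line in plan), 2)


if __name__ == "__main__":
    print(f"year-over-year increase: {year_over_year_increase(MONTHLY_MALWARE_EVENTS):.0%}")
    plan = budget_plan(MONTHLY_MALWARE_EVENTS, cost_per_event=250.0, margin=0.15)
    for line in plan:
        print(f"month {line.month:2d}: ~{line.expected_events:5.1f} events, plan {line.planned_spend:9.2f}")
    print("total:", total_budget(plan))
```

The monthly milestones are what let you compare planned against actual spend as the year runs; the margin is applied per month rather than once at the end so that an early over-run shows up immediately instead of being hidden in the annual total.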

Demand for ISO 27001 Grows

For the first time the survey collected information on ISO 27001, a standard for assessing information security management systems (ISMS).

The survey reports 5,800 certificates issued in 64 countries. Japan accounts for 65% of these certificates.

Australia ranked 9th with 59 ISMS certificates. New Zealand recorded just one certificate.

Wednesday, November 28, 2007

How to Establish an ISMS Management Framework

In ISMS requirements, an organization is required to establish, implement and continually maintain its documented ISMS, taking into consideration its overall business activities and risks.

In establishing an ISMS, the scope of the ISMS is determined (STEP 1), and an information security policy is defined (STEP 2). On the basis of this security policy, a systematic approach to risk assessment is defined (STEP 3), and risks to the information assets that must be protected are identified (STEP 4). Risk assessment is then carried out (STEP 5). If, as a result of the risk assessment, unacceptable risks are found, possible ways to treat the risks should be identified and examined (STEP 6). Based on the risk treatment, controls to be implemented are selected (STEP 7).

Detailed Controls
1. Information Security policy
2. Organizational security
3. Assets classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance

Not all of the controls described under "detailed controls" need be enforced; an organization may select the controls to be implemented from the "detailed controls" on the basis of its risk assessment. In addition to the controls mentioned above, the organization shall add further controls that appear necessary as a result of risk assessment or risk management. The kind and number of residual risks that the organization retains shall be identified. Through risk management, these residual risks shall be approved by management (STEP 8), and the introduction of the ISMS shall also be authorised by management (STEP 9). It is particularly important to record the selection of controls in the statement of applicability (STEP 10).

Implementing an Information Security Management System (ISMS) — LRQA Guidance

Type: White Paper
Length: 5
Format: PDF

Overview

- Why is ISO/IEC 27001 good for you?
- Introduction to Implementing an ISMS
- The OECD (Organisation for Economic Co-operation and Development) Guidelines
- Getting started
- Planning for success
- Understanding the standard
- Where next...?
- Management processes
- Define the scope
- ISMS policy
- Risk assessment and risk management
- Risk treatment
- Certification

Thursday, November 15, 2007

[PDF] Analyzing Network Security using Malefactor Action Graphs

An approach to network security analysis is suggested. It is based on simulation of the malefactor's behavior, generating an attack graph and calculating different security metrics. The graph represents all possible attack scenarios, taking into account network configuration, security policy, the malefactor's location, knowledge level and strategy. The security metrics describe computer network security at different levels of detail and take into account various aspects of security. The generalized architecture of the security analysis system is presented. The attack scenario model, common attack graph building procedures, the security metrics used, and general security level evaluation are defined. The implemented version of the security analysis system is described, and examples of express evaluations of security level are considered.

[PDF] The Simple Information Security Audit Process: SISAP

The SISAP (Simple Information Security Audit Process) is a dynamic security audit methodology fully compliant with the ISO 17799 and BS 7799.2, and conformant with the ISO 14508 in terms of its functionality guidelines. The SISAP employs a simulation-based rule base generator that balances risks and business value generation capabilities using the Plan-Do-Check-Act cycle imposed in BS 7799.2. The SISAP employs a concept proof approach based on 10 information security best practices investigation sections, 36 information security objectives, and 127 information security requirements, as specified in the ISO 17799. The auditor may apply, for collecting, analyzing, and fusing audit evidence obtained at various audit steps, selected analytical models like certainty factors, probabilities, fuzzy sets, and basic belief assignments. The SISAP adopts fully automated elicitation worksheets, as in SASA (Standard Analytic Security Audit), COBRA, and others.

Friday, November 2, 2007

Certification : BS 7799

In the information security space, we believe that people are both the strongest and the weakest link in the effort to secure an organisation's IT resources. Security professionals are responsible for both making and breaking the best security systems developed to date.

The best way to validate an attempt to provide effective information security management is first to benchmark it against the BS 7799 standard and then to certify it through an external vendor.

In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management.

In this final session we attempt to understand the structure of, and the steps involved in, certification for BS 7799.

A quick recap

Before we go into the details of acquiring certification, we need to go back and look at what constitutes the standard and what a company will be certified for:

ISO/IEC 17799:2000 (Part 1) is the standard code of practice, which can be regarded as a comprehensive catalogue of "the best things to do in information security".

BS 7799-2:1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). An ISMS is the means by which senior management can monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.

Please note that certification is against BS7799-2:1999.

In order to be awarded a certificate, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as Det Norske Veritas and BSI Assessment Services Limited).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Domains on which one would be assessed:

As discussed in the earlier sessions, the company needs to prepare its policies and procedures, which would cover the following domains:

  • Security policy
  • Security organisation
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Systems development and maintenance
  • Business continuity management


Statement of applicability

BS 7799 requires a company to identify the processes and controls that it actually operates. If, for example, the company does not outsource any of its functions to an external vendor, it can state that the control "Security requirements in outsourcing contracts" is not relevant to that particular organisation.

You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant.

Preparing oneself for Certification:

The traditional formula of Plan, Do, Check and Act works well with BS 7799 too, and this is a good place either to start or to review the progress of the implementation team.


While planning, one has to be particularly careful about the business context in which the ISMS is being prepared. This includes defining business policy and objectives, estimating the scope of the ISMS, deciding on and collecting the resources for conducting risk assessment, and settling on a definitive approach to identifying, analysing and evaluating risks on a continuous basis.


While implementing the ISMS, the focus should always be on building a long-lasting and faultless mechanism for managing risk. This includes evaluating the options of automated or manual systems; the ideal method strikes a balance between the two. BS 7799 controls need to be addressed, as the ultimate objective is to acquire certification.

Deploy qualified and proven vendors to implement the various products and solutions that will be required. Preparation of the statement of applicability is also an important step, in which management plays an important role.


Here is where one has to get an external security audit team qualified to perform a third party security audit for BS7799. Certification companies like Det Norske Veritas can also help in finding qualified BS7799 consultants for companies interested in performing a pre assessment audit.

The audit team would check for appropriate controls and evidence of implementation.

For example: if a company has prepared a policy for contractual agreements, the company would have to submit the templates and the documents that third-party contractors have signed concerning security.

Implementation would also include continuous monitoring of the ISMS from the perspective of satisfying business needs first and its practical validity in the organisation.


After checking for flaws and vulnerabilities, the company needs to improve the ISMS by identifying key vulnerabilities and taking appropriate corrective actions.

Preventive actions for incidents that have not yet occurred but can be predicted can be taken, and policies to drive them into action can be framed in good time.

Communication and delivery of policies to IT users and the IT team should be done with ease and determination. Cultural changes and differences that arise should be tackled with justification and transparency. Management, partners and users should be trained on policies and procedures.

Creative techniques, such as designing posters that clearly state rules such as PC usage and the best practice followed in password creation and maintenance, can go a long way towards the success of the policies and procedures.

The 4 Step method of Certification

The Plan, Do, Check and Act framework is cyclic and has to be continuously done for long run and with the solid backing of the management.

We now come to the specifics of the certification process.

Step One

Desktop Review:

All documented policies and procedures need to be verified and checked for consistency and practicality. Corresponding templates and forms are presented to the audit team.

One important check on documentation will be its validity and relevance to BS7799 controls.

The following documents need to be presented:

  • ISMS documentation
  • Policies
  • IT environment documentation
  • Risk assessment reports
  • Business continuity planning documentation
  • Statement of applicability

Step Two

Technical Review

The definition and implementation of the security architecture, with its various products and networking components, is checked for vulnerabilities and possible risk exposure.

The company would also need to submit a 'permissible risk' statement: this is the risk that the company can afford to take.

Step Three

Internal Audit

The team of BS 7799 implementers and BS 7799 professionals can take up an initial internal audit, in which non-conformances are picked up and recommendations are documented.

This step simulates the real third-party audit and has to be taken seriously by the team and the IT users in the company.

Step Four

External Audit- Certification

The certification company is invited on a pre-determined date, and the company gets ready to face the external auditors.

The company consultants and internal team would not be allowed to be part of the audit team.

They can assist and help auditors find relevant material.

The auditors check documentation and objective evidence with the following questions in mind:

  • Are records correct and relevant?
  • Are policies known and tested?
  • Are policies communicated?
  • Are controls implemented?
  • Are policies followed up?
  • Are preventive actions taken?

The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.


After the audit, the certification company recommends the said company for BS 7799 certification. This is certainly a victory for the IT team, as they can be assured that their IT systems are world class and that the possibility of a security incident is minimal.

To summarise the series: BS 7799 is a culture one has to build in the company, which would help one to:

  • Heighten security awareness within the organisation
  • Identify critical assets via the Business Risk Assessment
  • Provide a structure for continuous improvement
  • Be a confidence factor internally as well as externally
  • Enhance the knowledge and importance of security-related issues at the management level
  • Ensure that "knowledge capital" will be "stored" in a business management system
  • Enable future demands from clients, stockholders and partners to be met

Recommended Reading

  • Information Security Management: An introduction (PD3000)
  • Preparing for BS7799 Certification (PD3001)
  • The Guide to BS7799 Risk Assessment and Risk Management (PD3002)
  • Are you Ready for a BS7799 Audit? (PD3003)
  • Guide to BS7799 Auditing (PD3004)
  • Guide on selection of BS 7799 controls (PD3005)
  • BS7799 : Part 1: 1999 Code of Practice for information security management
  • BS7799 : Part 2: 1999 Specification for information security management systems
  • EA Guidelines 7/03

BS7799 Interpretation Guide (Free Download):

Det Norske Veritas (DNV) is an independent, autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organisation comprises over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.

DNV started operations in India in 1972 and has established itself as a leading classification society. DNV has since been providing classification, certification, consultancy and verification services for the marine, offshore and land-based process industries, for both the public and private sectors.

DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management System and is a leading Certification Body in India for both Quality & Environment Management System Certification having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.

Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.

Implementation : BS7799

Part 1 mainly dealt with the structure of the standard and its relevance to the Indian IT environment. Readers need to have a clear understanding that BS 7799 was designed by security experts who were forerunners in the field of information security and were working in live business environments. Thus the standard is business driven and correlates closely with business units. The standard has to be interpreted for individual business units and has the flexibility to accommodate every possible IT environment.

This article would discuss the interpretation of the standard and some of the key areas in its implementation.

While interpreting the standard, one has to consider and evaluate the human, procedural, environmental, technical and cultural aspects of the business unit. While implementing the standard, one has to weigh one's own technical strength in terms of information security professionals. Without a thorough technical assessment, the results of the implementation would not lead to certification. Thus a word of caution to readers: identification and management of risk to IT systems is a specialised activity and needs to be conducted in a controlled environment with professional assistance.

Where do you begin?

Understand the Importance of Information Security:

Every organization is unique with its own set of requirements and concerns. The company IT-Assets are exposed to various threats. More than 70% of the threat comes from Internal Sources.

Other threat agents can be Hackers, Former Employees, Contractors, Suppliers, Competitors and Customers.

Management is tight-lipped about incidents and sweeps matters under the carpet for fear of losing credibility among investors and customers.

In a competitive environment where IT systems become business enhancers, one cannot afford to lose data or suffer a breakdown.

Building awareness is the starting point for a stronger Information Security Culture.

Educating top management about the need for effective information security management, and the possible benefits of it, is crucial for the success of a project.

Get Yourself Trained:

While selecting appropriate products and vendors for a technical risk assessment, one has to understand, implement, maintain and sustain the investments made in information security.

The Internet serves as a huge repository of material for beginners through to advanced users. The best method is to work in live environments with security professionals and gain hands-on experience of various products and processes. Those who are fortunate enough to work on live sites can use Internet resources such as mailing lists and security websites, study for security certifications, or even attend training programs conducted by security institutes.

Understand your Business Need:

Security is always a business-led activity. The investments made in security should reflect the need for security measures and the criticality of IT resources and processes in the day-to-day functioning of the business. To implement strong security systems, one has to grasp the core need for information security in the business and identify the critical business factors.

For example: if a financial organisation has to depend heavily on IT resources to assimilate, calculate, interpret and present data on an hourly basis, then its level of security would be higher than that of a company using IT resources only for maintaining accounts and downloading company mail. To remain competitive, the company cannot afford any downtime of its systems.

Assigning Responsibility:

The security organization structure is important to help give direction and a solid foundation to the implementation of a project. A designated Security Officer with a team of technical and procedural security professionals would make it a perfect mix for implementation. If the company chooses to use an external security company for consulting, the Security team could work hand in hand with the security company professionals. This will help companies maintain the systems and procedures drafted and implemented by the security team.

Choosing a vendor:

Various security consultants in the market have their own methodologies and approaches. Some parameters for selecting a vendor would be: firstly, the vendor should be an expert in information security alone. One cannot boast of having a shop for software development, hardware sales and also information security; the field of information security is vast and complex and needs a focused approach. Secondly, the vendor needs to have done live assignments in India; we cannot have policies for Indian companies based on those of US firms. Thirdly, the vendor needs to have a quantitative risk assessment approach that takes technical and procedural checklists into consideration. Lastly, the vendor should be willing to work with the team and share knowledge, which is important if the team is to sustain the project after the assignment is over.

Importance of Risk Assessment:

While designing and deploying a security strategy one has to ask two very important questions: first, what to protect, and second, how much to protect? In simpler words, what risk is the business exposed to, and how much?

To define risk:

Business risk is the threat that an event or action will adversely affect an organisation's ability to achieve its business objectives and execute its strategies.

The key success factor of IT systems is a thorough risk assessment and effective risk management. Risk assessment prepares the base on which one builds the ISMS (Information Security Management System).

The entire exercise starts with Asset Identification:

An important step towards achieving BS 7799 certification is to identify and classify assets. BS 7799 defines risk assessment as: assessment of threats to information, impacts on and vulnerabilities of information and information processing facilities, and the likelihood of their occurrence.

Every department has assets which it considers important, without which it cannot continue work and achieve results. Some assets have higher value and some lesser. Thus the most important assets need more protection and the lesser ones require a lower level of protection.

All assets in the company can be classified as:

People Assets: The professionals who are a part of the organisation.

Information Assets: Databases, data files, system documentation, user manuals, training material, operational and support procedures, intellectual property, continuity plans.

Paper Documents: Contracts, company documentation, business results, HR records, purchase documents, invoices.

Software Assets: Application systems, development tools, and utilities.

Physical Assets: Computers, servers, routers, hubs, firewalls, communication equipment, magnetic media, other equipment, cabinets, safes.

Services: Computing, telecommunications, air-conditioning, water, etc.

Company Image and Reputation: Adverse publicity, failure to deliver, website defacement, inability to provide connectivity to the web server.

Asset Classification:

Once the list of assets is identified, the criticality of every asset has to be classified as:

Unclassified: Considered publicly accessible. There are no requirements for access control or confidentiality.

Shared: Resources that are shared within groups or with people outside the organization.

Company Only: Access to be restricted to the internal employees only.

Confidential: Access to be restricted to a specific list of people.

This answers the question "What to protect?"

Now let us understand how to protect.

Technical Risk Assessment:

Penetration testing: After performing the asset identification exercise one has to move on to testing the specific devices which are critical to the running of the organisation. The first step in testing is to find out whether any external person can gain access to company information through the Internet. This is a specialized exercise which requires a security professional abreast of the latest exploits and vulnerabilities from published and open sources. The professional needs to run various tests against the Internet point of presence (i.e. the website) and the security devices which protect these sites.

He would assume the role of a possible intruder and do all that he would do if he would like to break systems and cause harm.

The result of these tests would help one get an idea of the possible vulnerabilities on various servers.

Vulnerability Assessment: After performing an external test one needs to test the strength of the various servers and operating systems available internally. This works as a second level of defense: even if an intruder breaks through the entry points, he should be stopped at the internal points. Internal testing also facilitates the design of the security architecture.

A word of caution: only qualified and experienced professionals should be allowed to operate these systems, and all legal documents need to be signed before the assignment is carried out.

Procedural Risk Assessment:

After conducting the technical risk assessment one needs to find out the formal and informal policies and procedures followed in the company. This can be done with detailed questionnaires, which help find out the concerns of IT managers, IT users, operations staff, top management, divisional heads and the technical team.

A Gap Analysis Document can be created once the procedural risk assessment exercise is completed. This gives companies a clear understanding of where they stand as far as acquiring the certification is concerned.
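The questionnaire-driven gap analysis just described can be reduced to a small, repeatable computation. The following is an added example written for this page, not code from the handbook or from any BS 7799 toolkit: the questions, the two respondent roles, their answers and the answer weights are all constructed, while the domain names are the BS 7799 domains listed further down. The one design decision worth noting is that the weakest answer any respondent gives wins, because a procedure the IT manager believes exists but the operations staff have never heard of is not effectively in place.

```python
"""Gap analysis over procedural risk assessment questionnaire responses.
Added example, not from the handbook: questions, respondents, answers and
scoring weights are constructed; domain names are the BS 7799 domains."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed weights: "unknown" (nobody could answer) counts the same as "no",
# since a control nobody can describe cannot be shown to an auditor.
ANSWER_WEIGHT: Dict[str, float] = {"yes": 1.0, "partial": 0.5, "no": 0.0, "unknown": 0.0}

# (question id, BS 7799 domain, question text) - constructed sample
QUESTIONNAIRE: List[Tuple[str, str, str]] = [
    ("Q1", "Information Security Policy",
     "Is there a documented security policy approved by top management?"),
    ("Q2", "Information Security Policy",
     "Has the policy been communicated to all staff?"),
    ("Q3", "Asset classification and control",
     "Is an inventory of information, software and physical assets maintained?"),
    ("Q4", "Asset classification and control",
     "Are information assets labelled with their classification?"),
    ("Q5", "Communications and Operations Management",
     "Are hard disks erased before old computers are disposed of?"),
    ("Q6", "Communications and Operations Management",
     "Are backups taken and restore-tested on a schedule?"),
]

# role -> {question id: answer}; constructed answers from two interviewees
RESPONSES: Dict[str, Dict[str, str]] = {
    "IT Manager":       {"Q1": "yes", "Q2": "yes",     "Q3": "yes", "Q4": "partial", "Q5": "yes", "Q6": "yes"},
    "Operations staff": {"Q1": "yes", "Q2": "partial", "Q3": "yes", "Q4": "no",      "Q5": "no",  "Q6": "yes"},
}


def consolidate(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """The weakest answer given for a question wins: a procedure management
    believes in but the staff who run it deny is not in practice."""
    weakest: Dict[str, str] = {}
    for answers in responses.values():
        for qid, answer in answers.items():
            if answer not in ANSWER_WEIGHT:
                raise ValueError(f"unexpected answer {answer!r} for {qid}")
            current = weakest.get(qid)
            if current is None or ANSWER_WEIGHT[answer] < ANSWER_WEIGHT[current]:
                weakest[qid] = answer
    return weakest


def gap_analysis(questionnaire, responses) -> Dict[str, dict]:
    """Per domain: coverage percentage and the questions not fully satisfied,
    i.e. the gaps the Gap Analysis Document has to list."""
    weakest = consolidate(responses)
    per_domain: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for qid, domain, text in questionnaire:
        # a question nobody answered is recorded as "unknown"
        per_domain[domain].append((qid, text, weakest.get(qid, "unknown")))
    report = {}
    for domain, items in per_domain.items():
        coverage = sum(ANSWER_WEIGHT[a] for _, _, a in items) / len(items)
        report[domain] = {
            "coverage": round(coverage * 100),
            "gaps": [(qid, text, a) for qid, text, a in items if ANSWER_WEIGHT[a] < 1.0],
        }
    return report


def weakest_domains(report: Dict[str, dict]) -> List[str]:
    """Domains ordered from least to most covered, to prioritise remediation."""
    return sorted(report, key=lambda d: (report[d]["coverage"], d))


if __name__ == "__main__":
    rep = gap_analysis(QUESTIONNAIRE, RESPONSES)
    for domain in weakest_domains(rep):
        print(f"{rep[domain]['coverage']:3d}%  {domain}")
        for qid, text, answer in rep[domain]["gaps"]:
            print(f"       {qid} [{answer}] {text}")
```

With the constructed answers the policy domain scores 75% (one partial) and the other two score 50%, and the report lists Q2, Q4 and Q5 as the gaps; in a real assessment the questionnaire would carry one or more questions per control clause rather than two per domain.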

Risk Management

Once the gaps in the systems are identified, one has to manage these risks and make sure that the possibility of these risks affecting the company is very low or, in some cases, totally eliminated. BS 7799 has been designed in such a manner that its 127 control clauses address almost every conceivable risk known to information systems.

The standard defines risk management as: the process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.

For example: while conducting the procedural risk assessment one finds that when old computer systems are disposed of, the hard disk that goes along with the machine is not erased or formatted. The risk is therefore potential leakage of the information stored on the hard disk. This risk is addressed by Domain 8, Communications and operations management (clause 8.), which states that media shall be disposed of securely and safely when no longer required.
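The asset classification above and the quantitative risk assessment the vendor section asks for can be tied together in a risk register that ranks each threat and maps it to the control that treats it, as the media-disposal example does by hand. The following is an added example written for this page, not code from the handbook: the four classification levels and the asset categories are the page's, while the 1-to-4 scales, the product scoring model, the acceptance threshold, the sample assets, threats and control names are constructed assumptions for illustration.

```python
"""Quantitative risk register for a BS 7799-style assessment.
Added example, not from the handbook: classification levels and asset
categories come from the page; scales, sample assets, threats, control
names and the acceptance threshold are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Classification levels named on the page with an assumed confidentiality
# impact weight (1 = publicly accessible, 4 = restricted to a named list).
CLASSIFICATION_IMPACT: Dict[str, int] = {
    "Unclassified": 1,
    "Shared": 2,
    "Company Only": 3,
    "Confidential": 4,
}


@dataclass(frozen=True)
class Asset:
    name: str
    category: str          # asset class from the page, e.g. "Physical Assets"
    classification: str    # key of CLASSIFICATION_IMPACT
    criticality: int       # assumed availability scale: 1 (nice to have) .. 4 (business stops)


@dataclass(frozen=True)
class Threat:
    asset: str             # Asset.name the threat applies to
    description: str
    likelihood: int        # assumed scale: 1 (rare) .. 4 (expected every month)
    vulnerability: int     # assumed scale: 1 (well protected) .. 4 (no safeguard)
    control: str           # BS 7799 control area that would treat the risk


def impact(asset: Asset) -> int:
    """Impact is whichever is worse for this asset: disclosure (its
    classification) or loss of availability (its criticality)."""
    return max(CLASSIFICATION_IMPACT[asset.classification], asset.criticality)


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = impact x likelihood x vulnerability (assumed product model, 1..64)."""
    if threat.asset != asset.name:
        raise ValueError("threat does not belong to this asset")
    return impact(asset) * threat.likelihood * threat.vulnerability


def risk_register(assets: List[Asset], threats: List[Threat], accept_below: int = 8) -> List[dict]:
    """Rank every threat by score and decide treatment: below the assumed
    acceptance threshold the risk is accepted, otherwise it is mapped to
    the control that addresses it."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]  # KeyError here means a threat for an asset not in the inventory
        score = risk_score(a, t)
        rows.append({
            "asset": a.name,
            "category": a.category,
            "classification": a.classification,
            "threat": t.description,
            "score": score,
            "treatment": "accept" if score < accept_below else "treat: " + t.control,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample inventory using the page's asset classes.
SAMPLE_ASSETS = [
    Asset("Customer database", "Information Assets", "Confidential", 4),
    Asset("Decommissioned desktop", "Physical Assets", "Company Only", 1),
    Asset("Public website", "Services", "Unclassified", 3),
    Asset("Training material", "Information Assets", "Shared", 1),
]

SAMPLE_THREATS = [
    Threat("Customer database", "unauthorised access through weak user passwords", 3, 2,
           "Access control: user password use and management"),
    Threat("Decommissioned desktop", "hard disk not erased before disposal", 4, 4,
           "Communications and Operations Management: secure media disposal"),
    Threat("Public website", "defacement of the Internet point of presence", 2, 2,
           "Communications and Operations Management: network controls"),
    Threat("Training material", "accidental deletion of a file", 2, 1,
           "Communications and Operations Management: backup"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{row['score']:3d}  {row['asset']:<24} {row['threat']:<48} {row['treatment']}")
```

Note what the ranking shows: the decommissioned desktop is only "Company Only" and has no availability value at all, yet it tops the register, because a certain threat against an unprotected asset outweighs a sensitive database that already has some safeguards. That is the point of scoring likelihood and vulnerability separately from classification rather than protecting assets by label alone.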

Creating of Security Policies and Procedures to Manage Risks Effectively

As in every management system, security management is policy driven and has to be driven and pushed into an organisation. One has to take utmost care to address every concern expressed during the technical and procedural risk management exercise and prepare the documentation of the required policies (the list is only indicative and differs from organisation to organisation):

Logical Access Controls, Password Security & Controls, Network & Telecommunication Security, Application Software Security, Program Change Controls, Version Controls, Disaster Recovery Plan, Electronic Mail Security, Backup & Recovery, Internet Access and Security, Operating Systems Security, Incident Response and Management, Third Party Security, Data Classification, Web Server Security, Intranet Security, Punitive Actions, Firewall Security, Use of Cryptography, Digital Signature Security, Database Security, Virus Protection.

Implementation of effective risk management has various benefits, some of which are: an enhanced understanding of the business; reductions in security breaches and/or claims; reductions in adverse publicity; an improved insurance liability rating; identification of critical assets via the business risk assessment; a structure for continuous improvement; a confidence factor internally as well as externally; enhanced knowledge of and importance given to security-related issues at the management level; and assurance that "knowledge capital" will be "stored" and managed in a business management system.

Key Components of the Standard : BS 7799 (ISO 17799)

The Standard is divided in two parts:

BS 7799 Part 1 (ISO 17799:2000 Standard): Code of Practice for Information Security Management

BS 7799 Part 2: Specifies requirements for establishing, implementing and documenting an Information Security Management System (ISMS)

The standard has 10 Domains, which address key areas of Information Security Management.

  1. Information Security Policy for the organization
    This activity involves a thorough understanding of the organization's business goals and its dependence on information security. The entire exercise begins with creation of the IT security policy. This is an extremely important task and should convey the total commitment of top management. The policy cannot be a theoretical exercise: it should reflect the needs of the actual users, it should be implementable and easy to understand, and it must balance the level of protection with productivity. The policy should cover all the important areas: personnel, physical, procedural and technical.

  2. Creation of information security infrastructure
    A management framework needs to be established to initiate, implement and control information security within the organization. This needs proper procedures for approval of the information security policy, assignment of security roles and coordination of security across the organization.

  3. Asset classification and control
    One of the most laborious but essential tasks is to manage an inventory of all the IT assets, which could be information assets, software assets, physical assets or other similar services. These assets need to be classified to indicate the degree of protection required. The classification should result in appropriate information labelling to indicate whether an asset is sensitive or critical and which procedure is appropriate for copying, storing, transmitting or destroying it.

  4. Personnel Security
    Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities. Various proactive measures that should be taken are personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training.

    Alert and well-trained employees who are aware of what to look for can prevent future security breaches.

  5. Physical and Environmental Security
    Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the starting point of any security plan. Some of the activities involved are establishing a physical security perimeter, physical entry control, creating secure offices, rooms and facilities, providing physical access controls, providing protection devices to minimize risks ranging from fire to electromagnetic radiation, and providing adequate protection to power supplies and data cables. Cost-effective design and constant monitoring are two key aspects of maintaining adequate physical security control.

  6. Communications and Operations Management
    Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.

    Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment, including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services.

    Exchange of information and software between external organizations should be controlled and should be compliant with any relevant legislation. There should be proper information and software exchange agreements, and the media in transit need to be secure and must not be vulnerable to unauthorized access, misuse or corruption.

    Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as the Internet. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract disputes and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.

  7. Access control
    Access to information and business processes should be controlled on the basis of the business and security requirements. This includes defining the access control policy and rules, user access management, user registration, privilege management, user password use and management, review of user access rights, network access controls, enforcing the path from user terminal to computer, user authentication, node authentication, segregation of networks, network connection control, network routing control, operating system access control, user identification and authentication, use of system utilities, application access control, monitoring system access and use, and ensuring information security when using mobile computing and tele-working facilities.

  8. System development and maintenance
    Security should ideally be built in at the inception of a system. Hence security requirements should be identified and agreed prior to the development of information systems. This begins with security requirements analysis and specification and provides controls at every stage, i.e. data input, data processing, data storage and retrieval, and data output. It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may involve encryption, digital signatures, use of digital certificates, protection of cryptographic keys and the standards to be used for cryptography.

    A strict change control procedure should be in place to facilitate tracking of changes. Any changes to operating systems or software packages should be strictly controlled. Special precaution must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation.

  9. Business Continuity Management
    A business continuity management process should be designed, implemented and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes and, depending on the risk assessment, preparing a strategy plan. The plan needs to be periodically tested, maintained and re-assessed based on changing circumstances.

  10. Compliance
    It is essential that strict adherence is observed to the provisions of national and international IT laws pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls and collection of evidence.

The use of information technology in business has also resulted in the enactment of laws that enforce responsibility for compliance. All legal requirements must be complied with to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

BS 7799 (ISO 17799) and its relevance to Indian companies:

Although Indian companies and the Government have invested in IT, the facts of theft and attacks on Indian sites and companies are alarming: 261 Indian Government sites were hacked in 2001*. Attacks and theft on corporate websites are frequent and are usually kept under "strict" secrecy to avoid embarrassment in front of business partners, investors, media and customers.

Huge losses are sometimes un-audited, and the only solution is to adopt a model that gives a long-run, business-led approach to information security management.

BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 domains discussed above) which Indian companies can adopt to build their security infrastructure. Even if a company decides not to go in for the certification, the BS 7799 (ISO 17799) model helps companies maintain IT security through ongoing, integrated management of policies and procedures, personnel training, selecting and implementing effective controls, and reviewing their effectiveness and improvement. Additional benefits of an ISMS are improved customer confidence, a competitive edge, better personnel motivation and involvement, and reduced incident impact. Ultimately this leads to increased profitability.

Monday, October 15, 2007

Sample Security Policies

HSPD-12 Privacy Policy -
Sample privacy policy including Privacy Act systems of records notices, Privacy Act statements and a privacy impact assessment, designed to satisfy the requirements of HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors”
Information Security Policies -
Electronic resource usage and security policies from the University of Pennsylvania.
Information Security Policies -
SANS consensus research project offering around 30 editable information security policies.
Information Security Policies -
Set of acceptable use and technical policies from the University of Auckland covering common information security issues.
ISO 27001 Policies -
Typical headings for a security policy aligned broadly with the ISO/IEC standard for information security management systems.
Network Security Policy -
Example security policy for a data network from the University of Toronto.
Information Security Policies -
NIST's extensive collection of well over 100 security policies and related awareness materials, mostly from US Government bodies.
Information Security Policy -
An information security policy from the University of Illinois.
Email Policy -
A menu of clauses suitable for email acceptable use policies.
Security Policy Primer -
General advice for those new to writing information security policies.
IT Security Policy -
Information technology security policy at Murdoch University, complete with supporting standards and guidelines.
Modem Policy -
Sample policy from Sandstorm, designed as an addition to an existing Remote Access Policy, if one exists, or simply to stand alone.
Information Security Policies -
Policies on information security and other topics from ePolicy Institute.
K-20 Network Acceptable Use Policy -
Policy on acceptable use of a school network, along with information for parents and an informed consent form. Developed in Washington State.
Network Security Policy Guide -
Watchguard's guide to creating an overarching network information security policy, supported by subsidiary policies.
Audit Policy -
Defines requirements and provides authority for the information security team to conduct IT audits and risk assessments.
IP Network Security Policy -
Example security policy to demonstrate policy writing techniques introduced in three earlier articles.
Email Retention Policy -
Sample policy to help employees determine which emails should be retained and for how long.
Internet DMZ Equipment Policy -
Sample policy defining the minimum requirement for all equipment located outside the corporate firewall.
Information Sensitivity Policy -
Sample policy defining the assignment of sensitivity levels to information.
Password Policy -
Defines standards for creating, protecting and changing strong passwords. [MS Word]
Internet Acceptable Use Policy -
One page Acceptable Use Policy example.
Acceptable Use Policy -
Defines acceptable use of IT equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information. [MS Word]
Information Security Policies -
Collection of policies relating to SOX, GLBA, HIPAA and the ISO/IEC 27000-series on the HORSE (Holistic Operational Readiness Security Evaluation) wiki.
Information Security Policies -
Templates for information security policies, guidelines, checklists and procedures by Walt Kobus.
Risk Assessment Policy -
Defines requirements and authorizes the information security team to identify, assess and remediate risks to the organization's information infrastructure. [MS Word]
Information Security Policies -
111-page security policy manual from the Australian New South Wales Department of Commerce, based on ISO 27001.
Personnel Security Policy -
Example policy covering pre-employment screening, security policy training etc.
Information Security Policies -
US Postal Service's information security policy manual. 264 pages of security controls, broadly similar in structure to ISO 17799.
Analog/ISDN Line Policy -
Defines policy for analog/ISDN lines used for FAXing and data connections.
Anti-Virus Policy -
Requirements for effective virus detection and prevention. Written for a laboratory environment but easy to adapt for other settings. [MS Word]
Acquisition Assessment Policy -
Defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group. [MS Word]
Dial-in Access Policy -
Policy regarding the use of dial-in connections to corporate networks. [MS Word]
Ethics Policy -
Sample policy intended to 'establish a culture of openness, trust and integrity'.
Extranet Policy -
Defines the requirement that third party organizations requiring access to the organization's networks must sign a third-party connection agreement. [MS Word]
Privacy Policy -
Generic policy for websites offering goods and services, with an important warning to seek qualified legal advice in this area.
Cryptography Policy -
Cryptographic policy template by Walt Kobus.
Communications Policy -
Datacommunications security policy template by Walt Kobus defines network security control requirements.
Physical Security Policy -
Policy template by Walt Kobus defines requirements for physical access control to sensitive facilities and use of ID badges.
Data Classification Policy -
Policy template by Walt Kobus describes the classification of information according to sensitivity (primarily confidentiality).
User Data Protection Policy -
Policy template by Walt Kobus defines requirements for access controls, least privilege, integrity etc. to secure personal data.
Information Data Ownership Policy -
Policy template by Walt Kobus defines the roles and responsibilities of owners, custodians and users of information systems.
Resource Utilization Policy -
Policy template by Walt Kobus defines requirements for resilience, redundancy and fault tolerance in information systems.
Security Audit Policy -
Audit policy template by Walt Kobus.
Security Management Policy -
General information security policy template by Walt Kobus.
Router Security Policy -
Sample policy establishing the minimum security requirements for all routers and switches connecting to production networks. [MS Word]
Remote Access Policy -
Defines standards for connecting to a corporate network from any host. [MS Word]
IT Security Policy -
IT security policy example/how-to guide from Enterprise Ireland.
Database Password Policy -
Defines requirements for securely storing and retrieving database usernames and passwords. [MS Word]
DMZ Security Policy -
Sample policy establishing security requirements of equipment to be deployed in the corporate De-Militarized Zone. [MS Word]
Government Security Policy -
The New Zealand Government's information security policy, based on the 2000 version of ISO/IEC 17799. [ZIP file containing PDF and MS Word versions]
Identification and Authentication Policy -
I&A policy template by Walt Kobus defines requirements for access control.
Certification and Accreditation Policy -
Policy template by Walt Kobus defines requirements and responsibilities for security assurance throughout the system development process.
Laboratory Security Policy -
Policy to secure confidential information and technologies in the labs and protect production services and the rest of the organization from lab activities. [MS Word]
Encryption Policy -
Defines encryption algorithms that are suitable for use within the organization. [MS Word]
Password Policy -
A password policy presented in the form of a security awareness poster. "Passwords are like underwear ..."
Telecommuting/Teleworking Policy -
Sample policy on teleworking covering employment as well as information security issues.
Information Security Policies -
Collection of information security policy samples covering PKI, antivirus, ethics, email and several other topics, from AttackPrevention.
Email Policy -
Policy from the University of Colorado on the use of, access to, and disclosure of electronic mail.
Server Security Policy -
Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity.
Application Service Provider Policy -
Security criteria for an ASP.
Virtual Private Network Policy -
Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network.
Email Forwarding Policy -
Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager.
Third Party Connection Agreement -
Sample agreement for establishing a connection to an external party.
Wireless Communication Policy -
Sample policy concerning the use of unsecured wireless communications technology.