GIAC ISO-17799 Certification (G7799)
Practical Assignment – Version 1.1
SANS 2004 (Orlando, FL)
Joseph McComb
October 28th, 2004
File Type: PDF
Pages: 88
Source : http://www.giac.org/certified_professionals/practicals/g7799/0019.php
Table of Contents
Abstract ..................................................................................................................................................3
I. The System Defined .............................................................................................................................3
The Company .....................................................................................................................................3
The Origin of the Environment ..............................................................................................................6
The Current Environment .....................................................................................................................7
Current Web Applications and Sites in the Environment .....................................................................10
Current State of Security ....................................................................................................................12
Scope of Information Security Management System (ISMS) ...............................................................15
II. Planning the Implementation of the Information Security Management System (ISMS).......................15
Management Structure .......................................................................................................................15
The Asset Inventory ...........................................................................................................................18
Policies .............................................................................................................................................21
Risk Identification and Analysis Process.............................................................................................23
Plans for Risk Management................................................................................................................24
III. Implementation (the “Do” phase).......................................................................................................33
Correcting the Problems Identified in the Risk Management Plan .......................................................33
Statements Of Applicability.................................................................................................................43
IV. Check – System Auditing..................................................................................................................44
V. Continuous Improvement (“Act” Phase).............................................................................................51
Improving the System Through Lessons Learned from Incident Handling ...........................................51
Improving the System through Auditing ..............................................................................................51
Bibliography..........................................................................................................................................52
Appendix A – Extended Asset Classification ..........................................................................................53
Appendix B – Policies...........................................................................................................................62
Policy – System and Application Access Control (section 9.1 of the ISO 17799 standard)...................62
Policy – Business Continuity Planning (section 11.1 of the ISO 17799 standard) ................................63
Policy – Security Engineering in the Systems Development Life Cycle (section 10.1 of the ISO 17799 standard)...........................................................................................................................................64
Appendix C – Fault Tree Analysis ..........................................................................................................65
Appendix D – Flagged System Events .................................................................................................657
Appendix E – High Level Plan for Risk Management ..............................................................................81
Appendix F – Extended Audit Checklist..................................................................................................82
Table of Figures
Figure 1. Overview of the Drug Development Stages ...............................................................................5
Figure 2. Diagram of the Web Server Environment...................................................................................8
Figure 3. Overview of the Systems Development Life Cycle...................................................................10
Figure 4. Information Flow in the Data Center Environment ....................................................................11
Figure 5. Information Flow in the Development Environment ..................................................................12
Table of Tables
Table 1. Plan for Risk Management .......................................................................................................26
Table 2. Documentation of System Problems. ........................................................................................33
Table 3. Audit Checklist for User Access Management...........................................................................45