Friday, August 31, 2007

Implementing an Information Security Management System in an Internal Web Development Environment (Ebook)

Implementing an Information Security Management System in an Internal Web Development Environment

GIAC ISO-17799 Certification (G7799)
Practical Assignment – Version 1.1
SANS 2004 (Orlando, FL)

Joseph McComb
October 28th, 2004

File type: PDF
Pages: 88
Source: http://www.giac.org/certified_professionals/practicals/g7799/0019.php

Table of Contents

Abstract ..................................................................................................................................................3
I. The System Defined .............................................................................................................................3
The Company .....................................................................................................................................3
The Origin of the Environment ..............................................................................................................6
The Current Environment .....................................................................................................................7
Current Web Applications and Sites in the Environment .....................................................................10
Current State of Security ....................................................................................................................12
Scope of Information Security Management System (ISMS) ...............................................................15
II. Planning the Implementation of the Information Security Management System (ISMS).......................15
Management Structure .......................................................................................................................15
The Asset Inventory ...........................................................................................................................18
Policies .............................................................................................................................................21
Risk Identification and Analysis Process.............................................................................................23
Plans for Risk Management................................................................................................................24
III. Implementation (the “Do” phase).......................................................................................................33
Correcting the Problems Identified in the Risk Management Plan .......................................................33
Statements Of Applicability.................................................................................................................43
IV. Check – System Auditing..................................................................................................44
V. Continuous Improvement (“Act” Phase).............................................................................................51
Improving the System Through Lessons Learned from Incident Handling ...........................................51
Improving the System through Auditing ..............................................................................................51
Bibliography..........................................................................................................................................52
Appendix A – Extended Asset Classification ..........................................................................53
Appendix B – Policies...........................................................................................................62
Policy – System and Application Access Control (section 9.1 of the ISO 17799 standard)...................62
Policy – Business Continuity Planning (section 11.1 of the ISO 17799 standard) ................................63
Policy – Security Engineering in the Systems Development Life Cycle (section 10.1 of the ISO 17799 standard)...........................................................................................................................64
Appendix C – Fault Tree Analysis ..........................................................................................65
Appendix D – Flagged System Events .................................................................................657
Appendix E – High Level Plan for Risk Management ..............................................................81
Appendix F – Extended Audit Checklist..................................................................................82
Table of Figures
Figure 1. Overview of the Drug Development Stages ...............................................................................5
Figure 2. Diagram of the Web Server Environment...................................................................................8
Figure 3. Overview of the Systems Development Life Cycle...................................................................10
Figure 4. Information Flow in the Data Center Environment ....................................................................11
Figure 5. Information Flow in the Development Environment ..................................................................12
Table of Tables
Table 1. Plan for Risk Management .......................................................................................................26
Table 2. Documentation of System Problems. ........................................................................................33
Table 3. Audit Checklist for User Access Management...........................................................................45

Understanding HIPAA Security Implications Of a Wireless LAN Subsystem Using the ISO/IEC 17799 ISMS Standard (Ebook)

Understanding HIPAA Security Implications Of a Wireless LAN Subsystem Using the ISO/IEC 17799 ISMS Standard
By: Frederick Hawkes

File type: PDF
Pages: 49
Read This Ebook :
http://www.giac.org/certified_professionals/practicals/g7799/0012.php


Table of Contents
Define the System ....................................................................................................................4
Project Summary ....................................................................................................................4
Organization ...........................................................................................................................4
System Description.................................................................................................................6
Current Security Structure.......................................................................................................8
Plan-Do-Check-Act (PDCA) Process ......................................................................................9
ISMS Project Plan (PDCA – Plan)...............................................................................10
Project Scope .......................................................................................................................10
Project Timeline....................................................................................................................11
Organizational Structure and Responsibilities .......................................................................12
Policies, Guidelines, Standards or Procedures Requirements ..............................................14
Risk Identification Process ....................................................................................................16
Risks to the System..............................................................................................................19
Plans for Addressing the Risks .............................................................................................20
Selected ISO17799 Controls.................................................................................................21
ISMS Implementation Plan (PDCA – Do).....................................................................23
Overview..............................................................................................................................23
Creation and Staffing of the Security Management Team.....................................................23
Identification and Processing of Applicable Legislation .........................................................24
Data Protection and Privacy of Personal Information ............................................................25
Information Security Policy Document ..................................................................................25
Information Security Education and Training.........................................................................26
WLAN Access Control ..........................................................................................................27
Statements of Applicability....................................................................................................27
ISO 17799 Section 12.1.4 – Data Protection and Privacy of Personal Information..............28
ISO 17799 Section 12.1.2 – Intellectual Property Rights.....................................................28
ISMS Audit Plan (PDCA – Check)...............................................................................29
ISO 17799 Section 4.1.1 – Management Information Security Forum.................................29
ISO 17799 Section 12.1.1 – Identification of Applicable Legislation.....................................30
ISO 17799 Section 12.1.4 – Data Protection and Privacy of Personal Information..............31
ISO 17799 Section 9.4.3 – User Authentication for External Connections............................32
ISO 17799 Section 3.1.1 – Information Security Policy Document.......................................34