tag:blogger.com,1999:blog-28846219627786203742024-03-15T18:10:08.242-07:00Information Security Management SystemISMS / ISO 27001/ ISO 27002 (17799) Knowledgeforfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.comBlogger257125tag:blogger.com,1999:blog-2884621962778620374.post-26971709971675282582008-07-06T19:30:00.000-07:002008-07-06T20:41:36.045-07:00ISMS Auditing Guideline [ Pdf File ]Introduction<br />This guideline has been written by members of the ISO27k Implementers' Forum, an international online community of neatly 1,000 practitioners actively using the ISO/IEC 27000-family of Information Security Management System (ISMS) standards known colloquially as "ISO27k", and base at ISO27001security.com. Our primary aim is to contribute to the development of the new standard ISO/IEC 27007 by providing what we, as experienced ISMS implementers and IT/ISMS auditors, believe is worthwhile content. A secondary aim to provide a pragmatic and useful guideline for those involved in auditing ISMSs.<br /><br />At the time of first writing this guideline (February-March 2008). ISO/IEC 27007 is currently at the first Working Draft stage ("ISO/IEC WD 27007") and has been circulated to ISO member bodies for study and comment by March 14 2008. Its working title is "Information Technology - Security techniques - Guidelines for information security management systems auditing".<br /><br />The Proposed outline structure of ISO/IEC WD 27007 is presently as follows:<br />- Foreword and introduction<br />1. Scope<br />2. Normative references<br />3. Terms and definitions<br />4. Principles of auditing<br />5. Managing an audit programme<br />6. Audit activities<br />7. Competence and evaluation of auditors<br />- Bibliography<br /><br />In the proposed structure, section 6 should presumably explain how to go about auditing an ISMS. The current working draft has headings for a guide to audit process but little content on the actual audit tests to be performed, although in section 6.3.1 it identifies a list of items that are required by ISO/IEC 27001 and says that "Auditors should check that all these documents exist and conform to the requirements in ISO/IEC 27001"2005". This is probably the most basic type of ISMS audit test: are the specified ISMS documents present? We feel that a generic ISMS audit checklist (often called an "Internal Controls Questionnaire" by IT auditors) would be a very useful addition to the standard and producing one was a key aim of this guideline - in fact we have produced two (see the appendices). We also aim to contribute content draft 27007 and hope to track its development through future revisions.<br /><br /><div style="text-align: center;"><a href="http://www.iso27001security.com/ISMS_Auditing_Guideline_release_1.pdf">Read This PDF File</a> </div>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com14tag:blogger.com,1999:blog-2884621962778620374.post-27175252855181153762008-07-03T18:39:00.000-07:002008-07-03T18:41:47.005-07:00ISO/IEC 27005 Information technology -- Security techniques -- Information security risk managementThis standard was published in June 2008.<br /><br />“ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.”<br /><br />ISO/IEC 27005 revises the Management of Information and Communications Technology Security (MICTS) standards ISO/IEC TR 13335-3:1998 plus ISO/IEC TR 13335-4:2000. <br />Some personal comments on ’27005<br /><br />[These are just my personal perspective. They inevitably reflect my own prejudices and limited experience with information security risk management.]<br /><br />At around 60 sides, ISO/IEC 27005 is a heavyweight standard although the main part is just 24 pages, the rest being mostly annexes with examples and further information for users. There is quite a lot of meat on the bones, reflecting the complexities in this area.<br /><br />Although the standard defines risk as “a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event”, the risk analysis process outlined in the standard indicates the need to identify information assets at risk, the potential threats or threat sources, the potential vulnerabilities and the potential consequences (impacts) if risks materialize. Examples of threats, vulnerabilities and impacts are tabulated in the annexes; although incomplete, these may prove useful for brainstorming risks relating to information assets under evaluation. It is clearly implied that automated system security vulnerability assessment tools are insufficient for risk analysis without taking into account other vulnerabilities plus the threats and impacts.<br /><br />The standard includes a section and annex on defining the scope and boundaries of information security risk management which should, I guess, be no less than the scope of the ISMS.<br /><br />The standard deliberately remains agnostic about quantitative and qualitative risk assessment methods, essentially recommending that users choose whatever methods suit them best, and noting that they are both methods of estimating, not defining, risks. Note the plural - 'methods' - the implication being that different methods might be used for, say, a high-level risk assessment followed by more in-depth risk analysis on the high risk areas. The pros and cons of quantitative vs qualitative methods do get a mention.<br /><br />The steps in the process are (mostly) defined to the level of inputs -> actions -> outputs, with additional “implementation guidance” in similar style to ISO/IEC 27002.<br /><br />The standard incorporates some iterative elements e.g. if the results of an assessment are unsatisfactory, you loop-back to the inputs and have another run through. For those of us who think in pictures, there are useful figures giving an overview of the whole process and more detail on the risk assessment -> risk treatment -> residual risk bit.<br /><br /><span style="font-weight:bold;">From:iso27001security.com</span>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com19tag:blogger.com,1999:blog-2884621962778620374.post-60344049566204903662008-07-03T18:21:00.000-07:002008-07-03T18:24:19.014-07:00AMS9000 Audit Management SoftwareThe value of information within an organisation is enormous. But there are lots of threats that put this value at risk. How to protect it best? Typically individual solutions are used to respond to specific threats. However, to be successful you need a framework for information security. This is a management system as it is described in ISO 17799 and BS 7799. It allows to integrate individual solutions into one concept.<br /><br />The PDCA model is already used in other management systems like quality management. And it works fine within the information security management system (ISMS):<br /><br /> * Plan: Establish the information security management system (ISMS).<br /> * Do: Implement and operate the ISMS.<br /> * Check: Monitor and review the ISMS.<br /> * Act: Maintain and improve the ISMS.<br /><br />Close the gaps with AMS9000 and protect the value of your information<br /><br />AMS9000 assists you in establishing and maintaining your ISMS<br /><br />As part of the JKT9000 family of management software modules, AMS9000 is the audit management software. This programme is designed to handle all aspects of an internal audit programme, from planning audits to the follow-up of corrective actions against deficiencies found.<br /><br />AMS9000 can be used to verify compliance with any kind of standards including ISO 17799 or ISO 27001. Further you can use it to audit e.g. your quality management system (ISO 9000) or your environmental management system (ISO 14000).<br />The Workflow of the AMS9000-Navigator, ISMS Audit Software<br /><br />AMS9000 uses a Navigator which includes a brief workflow of the steps being subject to audit management. To enter any of these steps the users just clicks the icon.<br /><center><img style="width: 768px; height: 275px;" src="http://www.noweco.com/amse.gif" alt="audi tmanagement software" border="0" /></center><br /><br />Functions of AMS9000, Audit Management Software<br /><br /> * maintains the audit schedule, checklist preparation and all audit info.<br /> * allows to enter own checklist items and/or text directly from own procedures.<br /> * comes with checklist requirements derived directly from the 1994 and 2000 ISO9001 Standards<br /> * stores pending files for follow-up items to be considered in future audits<br /> * allows to take containment, corrective and preventive actions against deficiencies found in the audit<br /> * tracks all nonconformances, including actions and verification<br /> * comprises reports covering trend analysis and audit summaries and 'reminder' reports to track corrective action and implementations.<br /> * Field names of the screens can be altered to suit your individual company language.<br /> * provides user-definable fields.<br /> * all users get their information relevant to their needs by email.<br /><br />Reports in AMS9000, Audit Management Software<br /><br />All reports mentioned below can be filtered by further criteria to meet the user's information needs.<br /><br /> * audit schedules<br /> * audit history report<br /> * print checklists<br /> * internal audit Corrective Action Summary<br /> * supplier audit Corrective Action Summary<br /> * Corrective Actions not responded to yet<br /> * NCs vs. ISO clause x-tab<br /> * past due Corrective Action responses<br /> * pending Corrective Action implementations.<br /><br />Next to these standard system reports which might cover the basic needs the user has the option to create 'custom reports'.<br /><br />When printing Corrective Action reports, there are the following options:<br /><br /> * prints Corrective Action Request on a single page<br /> * prints Corrective Action Request on 3 pages minimum, but expands as required<br /> * prints Corrective Action Request summary and attaches all activity logs.<br /> * prints Corrective Action Request summary and attaches all subcase activity.<br /> * prints blank page for manual use<br /> * completed Corrective Action Request form shows more details on one page<br /> * Corrective Action Request 7 Step (Chrysler) Style form<br /> * Corrective Action Request 8D style single page form.<br /><br />Module types of AMS9000, Audit Management Software<br /><br /> * Standalone & LAN Configurations<br /> * WAN & Client Server Configurations<br /> * Web-based Configuration<br /><br />The standards ISO 17799/ISO27001 and BS 7799<br /><br />ISO 17799 (ISO 27001 or BS 7799-1) is a code of practice for information security management. It gives recommendations for information security management, i.e. for initiating, implementing or maintaining security. ISO 17799 provides a comprehensive set of controls comprising best practices in information security. It is intended to provide a common basis for developing organisational security standards and effective security management practice. It provides recommendations and guidance that usually an organisation should address. This means that an organisation is requested to go ahead from this starting point or common basis. This has to be kept in mind when using general checklists to audit an ISMS. The specifics of an organisation always have to shine through the design of the ISMS including the audit checklist and audit procedures.<br /><br />BS 7799-2 is concerned with the management system. The standard mentions four major areas:<br /><br /> * Information Security Management System (ISMS)<br /> * Management Responsibility<br /> * Management Review<br /> * ISMS Improvement<br /><br />Benefits for your information security management system<br /><br />AMS9000 is an audit software tool to audit an information security management system. It supports the entire audit process.<br /><br />It can be used to audit compliance with standards such as ISO 17799 / ISO 27001 and BS 7799.<br /><br />Further benefits are:<br /><br /> * AMS9000 kann zum Auditieren nach ISO 17799 / SO 27001, BS 7799 und anderer Standards zur Informationssicherheit benutzt werden. Darüber hinaus kann es für andere Audit benutzt werden, wie sie etwa aus dem Qualitätsmanagement bekannt sind. Sie brauchen nicht für jeweils verschiedene Audits eine andere Auditsoftware.<br /> * AMS9000 can be used to audit against ISO 17799 and BS 7799 or any other information security management standard. However, it can be used for other audits as well known from quality management. You do not need a different audit tool for each kind of audit.<br /> * Get evidence of conformance with ISO 17799 or whatever checklist you apply. This can be helpful when you like to register to BS 7799 part 2.<br /> * Efficient and quick analysis and report significantly reduces time and resources necessary.<br /> * Low training needs through ease to use and intuitive handling of the software.<br /> * Management of corrective actions assists you in improving your information security management.<br /><br />AMS9000, Audit Management Software, is developed by<br /><br /><center><img src="http://www.noweco.com/jktsymb.gif" alt="auditmanagement software" border="0" height="94" width="119" /><br /><br />www.noweco.com<br /></center>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com7tag:blogger.com,1999:blog-2884621962778620374.post-32743794007522201602008-06-30T00:08:00.000-07:002008-06-30T00:10:17.632-07:00ISO 27001 Certification FAQ<span style="font-weight: bold;">What is certification?</span><br />ISO/IEC 27001 certification is the process by which an organization’s ISMS is examined against the ISO/IEC 27001 specification by an accredited certification body.<br /><br /><span style="font-weight: bold;">What is a certification body?</span><br />A certification body (also called a registration body, assessment and registration body, or registrar) is a third party that assesses and certifies that the ISMS of an organization meets the requirements of the standard.<br /><br /><span style="font-weight: bold;">Who accredits certification bodies?</span><br />Accreditation organizations accredit the competence of certification bodies to perform services in the areas of product and management system approval. These accreditation organizations are often, but not always national in scope.<br /><br /><span style="font-weight: bold;">What is the certification process?</span><br />The certification process includes:<br /><br /> 1. Part 1 audit (also known as a desktop audit). Here the CB auditor examines the pertinent documentation.<br /> 2. Taking action on the results of the part 1 audit.<br /> 3. Part 2 audit (on site audit). Here the CB sends an audit team to examine your implementation of the reviewed, documented ISMS.<br /> 4. Correction of audit findings. Agreeing to a surveillance schedule.<br /> 5. Issuance of certificate. (Depending on the CB this can take a few weeks to several months.)<br /><br />Following initial certification, the ISMS is subject to surveillance as specified by the CB, and then requires re-certification after three years.<br /><br /><span style="font-weight: bold;">From: www.atsec.com</span>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com47tag:blogger.com,1999:blog-2884621962778620374.post-30844301434707837682008-06-30T00:05:00.000-07:002008-12-09T15:46:41.601-08:00ISO 27001 CERTIFICATION EXPLAINEDContrary to common belief, certification is applicable against ISO 27001, rather than ISO 17799. The certification itelf is international, in that National Accreditation Bodies have a mutual recognition model in place enabling certifications granted in one territory to be recognized in another. Clearly, this is essential for an international standard.<br /><br />Common reasons to seek certification include: Organisational assurance; trading partner assurance; Competitive advantage (market leverage); reduction or elimination of trade barriers; reduced regulation costs; and so on.<br /><br />To meet the certification requirements, an organization's ISMS must be audited by a 'Certification Body' (or strictly speaking, an assessor who works for a Certification Body). There is a clear segregation of dutues here: the assessor must be independent of consultancy and training.<br /><br />A Certification Body must have been accredited by the National Accreditation Body for the territory in question (eg: UKAS in the UK). This helps ensure that the Certification Bodies meet national and international standards for their services, and ensure consistency. In respect to ISO 27001, this is typically a document called EA-7/03 (‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’).<br /><br />The following diagram may clarify this process:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnMD-J86NLU7Sotq3jJisrfZZQtey5c-M-GiqW3aLwa4m1ZwZ0P0rhkV2nST1Rt8bswDekCqHc_a9e6tvhQ7vsLmb9-tx1BujBb4BxDNhM-qg_TDzTUmqO1ObYy3GQ1ELyVtU8x-Ul7o4/s1600-h/iso+27001+certification+process.gif"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnMD-J86NLU7Sotq3jJisrfZZQtey5c-M-GiqW3aLwa4m1ZwZ0P0rhkV2nST1Rt8bswDekCqHc_a9e6tvhQ7vsLmb9-tx1BujBb4BxDNhM-qg_TDzTUmqO1ObYy3GQ1ELyVtU8x-Ul7o4/s320/iso+27001+certification+process.gif" alt="" id="BLOGGER_PHOTO_ID_5217567524380401490" border="0" /></a><br /><br />Different certification bodies tend to adopt slightly different approaches to the exercise, with some being more 'hands on' than others. However, the following six step process is a fairly common one:<br /><br />1 - Questionnaire (the Certification Body obtains details of your requirements)<br />2 - Application for Assessment (you complete the application form)<br />3 - Pre-assessment Visit or a ‘Gap Analysis’ (optional).<br />4 – The Stage 1 Audit (a ‘Document Review’). This is the first part of the audit proper.<br />5 - The Stage 2 Audit (otherwise called the ‘Compliance Audit’)<br />6 – Ongoing Auditsforfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com21tag:blogger.com,1999:blog-2884621962778620374.post-10357219594161504272008-06-09T02:22:00.000-07:002008-06-09T02:23:16.929-07:00How to apply ISO 27002 to PCI DSS complianceThis tip is part of SearchSecurity.com's Compliance School lesson, Building a risk-based compliance program. Visit the Building a risk-based compliance program main page for related materials, or check out the Security School Course Catalog for more learning content.<br /><br />The PCI Data Security Standard (PCI DSS) consists of 12 mandatory high-level requirements for all organizations that store, transmit, or process payment cards. These 12 requirements are further subdivided into sections, describing activities that organizations must engage in while managing their networks, administering their systems, and, in general protecting the payment card data with which they have been entrusted.<br /><br />While PCI DSS details compliance requirements in most areas, its directives make only passing reference (if at all) to an overall security framework into which the required actions must fit. If organizations simply follow the PCI DSS blindly, they may not achieve the overall security goals.<br /><br />ISO 27002, also known as ISO 17799, is a security standard of practice. In other words, it is a comprehensive list of security practices that can be applied -- in varying degrees -- to all organizations. The benefit of such a standard to organizations attempting to comply with the PCI-DSS is twofold. First, it provides a framework that allows organizations to achieve their PCI security goals along with those from other sources, like industry or governmental regulations. Second, it provides guidance on how to fit some of PCI's governance and policy requirements into an organization's compliance program.<br /><br />For example, ISO 27002 discusses the necessity of involving business, management, human resources and technology representatives in the security program. It also provides references for high-level policies for important areas such as data classification, data handling and access control. While PCI DSS describes specific technical practices and organizational activities, it doesn't talk about the overall program in which these activities exist or the specific policies that require these activities.<br /><br />When a company establishes a program based on a broad standard like ISO 27002, it can treat the PCI-DSS requirements as a subset of those required by the ISO. Further, a program structured according to ISO 27002 will require organizations to employ critical support systems required by many regulations (and PCI DSS in particular). For example, ISO 27002 requires change control in network administration, system configuration, policy management, procedure management and software development. PCI DSS calls out the need for accurate diagrams and documentation for its network and systems as well as change control processes to ensure discipline in administration of the PCI DSS-related components.<br /><br />ISO 27002's broad requirements for change control associated with all aspects of administration encourage a consistent approach across an enterprise. This kind of approach, when applied to PCI DSS, would help improve both the consistency, effectiveness and efficiency of change control across a company and increase the likelihood that an auditor would find a company's practices acceptable.<br /><br />Another benefit of combining the structure of ISO 27002 and the specific requirements of PCI DSS is that the PCI DSS helps organizations define three of the most challenging aspects of ISO compliance: scope of compliance, data classification and data handling. Armed with these constraining requirements, organizations can define policies and procedures that are consistent with best practice as specified by ISO and directly address PCI DSS compliance. For example, PCI DSS defines what aspects of credit card data are sensitive. It describes access control requirements for credit card information, encryption requirements for transmission and storage, and even the testing necessary to verify effectiveness of controls. These specific requirements allow organizations to state how systems must be configured, how employees must treat data and how an organization monitors the effectiveness of its controls.<br /><br />A growing number of organizations are building security programs according to standard frameworks like ISO 27002. These frameworks are allowing organizations to factor compliance with multiple regulations and contracts into their security programs in a consistent and effective manner.<br /><br />The beauty of using the ISO standard with specific regulations is that the regulations fill in the necessary details that the framework lacks while the framework provides structure to address multiple sets of requirements consistently. The two concepts work hand in hand and provide effectiveness, efficiency and auditability.<br /><br />About the author:<br />Richard E. "Dick" Mackey is regarded as one of the industry's foremost authorities on security and compliance. He is a frequent speaker and contributor to magazines and online publications. He has advised leading financial firms on compliance with PCI, GLBA and SOX. He has also provided guidance to a wide range of companies on enterprise security architectures, identity and access management and security policy and governance.forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com3tag:blogger.com,1999:blog-2884621962778620374.post-22639617206584751162008-06-09T02:07:00.000-07:002008-06-09T02:09:08.428-07:00New Risk Assessment Tool for ISO27001 Consultants Simplifies and Accelerates Compliance Process for ClientsFollowing the successful launch of the vsRisk ISO27001 compliance tool at Infosecurity Europe 2007, Vigilant Software has launched a complementary software tool for IT consultants and information security specialists. vsRisk Consultant Edition (vsRCE) is a powerful new software product that will enable information security consultants to deploy vsRisk as their preferred risk assessment tool in up to 10 different clients.<br /><br />Targeted at specialist consultants dealing with ISO27001 compliance, vsRCE is an affordable and intuitive risk assessment management tool for the IT consultant community that allows consultants the ability to directly support their clients' risk assessment activity from an off-site location. vsRCE allows clients to create and export risk assessment files that can be analysed on the consultants' own workstations or laptops, and then re-imported into the client's own software.<br /><br />vsRCE allows IT consultants to manage up to ten separate risk assessments or risk assessment in up to ten different organisations, each of which must have purchased its own copy of vsRisk. By working in harmony with its sister application vsRisk, vsRCE will dramatically reduce the time and effort it takes for companies to achieve ISO27001 compliance, transferring an important element of the work to the consultant and ensuring that the work of the project team can be monitored more closely.<br /><br />In addition to supporting ISO/IEC27001, vsRCE supports ISO/IEC27002 (17799); complies with BS7799-3:2006; conforms to ISO/IEC TR 13335-3:1998 and NIST SP 800-30; and complies with the UK's Risk Assessment Standard.<br /><br />Vigilant Software is a joint venture between IT Governance Limited, the one-stop-shop for books, tools and information on ISO27001 compliance, and Top Solutions (UK) Limited, an award-winning developer of risk management software tools.<br /><br />Alan Calder, Chief Executive of IT Governance, commented, "vsRCE is the perfect complement to vsRisk and offers a major enhancement to vsRisk users. By employing a consultant who uses vsRCE, companies can simplify and speed the process of achieving ISO27001 compliance. For consultants, it offers a means of providing greater added value and is therefore a powerful competitive advantage."<br /><br /><span style="font-weight: bold;">Source: compliancehome.com</span>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com14tag:blogger.com,1999:blog-2884621962778620374.post-21270396918728773082008-01-19T05:23:00.000-08:002008-01-19T05:26:46.471-08:00Information Security Management Risks<span style="font-weight: bold;">By Anna Woodward</span><br /><br />Of course, it is always clear that “risk” is a possibility that something unsuitable happens. What is not clear is how probable it is, what nature it has, and what harm it can do to an organization.<br /><br />Betting on some event means the chance of financial loss: the unsuitable outcome. To decide if we want to take on this risk means calculating the chances of winning or the odds of losing. We can implement measures to reduce the chance of the danger, and put strategies in place to handle possible unpleasant outcomes.<br /><br />Information security management is being aware of all elements involved in a specific risk and their relationship with your enterprise (company, web presence, etc). This is an essential basis for calculating the risk. Knowing about the threat means being able to assess it: we can choose if we want to accept it, wait and see, or plainly avoid taking it at all.<br /><br />In the field of information security management, professionals should answer four main questions:<br /><br />1. What can happen (threat)? Client private information (especially, but not only, credit card numbers) can be stolen through an insecure network, through cracked passwords, through flawed cryptography or through non-dependable employees.<br /><br />Web-pages can be hacked and inappropriate content could be displayed. Business processes could be disrupted through web-attacks, blocking the normal operations of the company.<br /><br />Identifying risk spots is the primary task for information security management professionals. Normally, due to the technical background of most professionals, there is a bias for focusing on technical problems. In fact, there are often a myriad of possibilities of attacking a computer system.<br /><br />2. How bad can it get (impact)? Companies are responsible for keeping private information secure. Negligence in keeping this information secure can result in costly claims. Revealing intellectual property through negligence in security can result in an unduly competitive disadvantage.<br /><br />The company’s reputation can be seriously damaged. Cash-flow can drop the entire time of a web-attack on the servers of the company and usually, for some time after the fact.<br /><br />3. How often can it happen (frequency)? The short answer is: much more often than you believe. The absence of bad news in the newspapers should not allow you to a false sense of security.<br /><br />Sometimes the victim doesn’t know that the company has been hacked. Of course, if some credit card has been charged without authorization, the holder will demand a refund. However, it is not always clear where the flaw in the security exists.<br /><br />In some further cases, intellectual property of a company has been illegally copied and is used without consent. The lawful owner will in many cases not even have a hint of this problem.<br /><br />4. How dependable are the answers to these three questions (uncertainty)? Although you can be sure that the risk exists, there is no simple way of calculating how often it happens. You can be sure that it happens, you cannot know when and where.<br /><br />Consider the safety of your company’s virtual data, and have the flaws assessed by an information security management professional. If you take a “wait and see” approach, you risk an attack on your company’s documentation, private information databases, and perhaps, intellectual property.<br /><br />Excel Partnership, Inc. wants to help your company review your information security management and tailor programs to secure your virtual data. Visit http://www.xlp.com for more information on preventing attack on your documentation, private information databases, and intellectual property.<br /><br /><span style="font-weight: bold;">Source:</span> <a href="http://ezinearticles.com/?Information-Security-Management-Risks&id=712777">http://ezinearticles.com/?Information-Security-Management-Risks&id=712777</a>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com1tag:blogger.com,1999:blog-2884621962778620374.post-65638075860649430672008-01-19T05:17:00.000-08:002008-01-19T05:21:51.151-08:00Managing Risk in Information TechnologyAs information technology increasingly falls within the scope of corporate governance, so management must increasingly focus on the management of risk to the achievement of its business objectives.<br /><br />There are two fundamental components of effective management of risk in information and information technology: the first relates to an organization’s strategic deployment of information technology in order to achieve its corporate goals, the second relates to risks to those assets themselves. IT systems usually represent significant investments of financial and executive resources. The way in which they are planned, managed and measured should therefore be a key management accountability, as should the way in which risks associated with information assets themselves are managed.<br /><br />Clearly, well managed information technology is a business enabler. Every deployment of information technology brings with it immediate risks to the organization and, therefore, every director or executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.<br /><br />ITIL has long provided an extensive collection of best practice IT management processes and guidance. In spite of an extensive range of practitioner-orientated certified qualifications, it is not possible for any organization to prove - to its management, let alone an external third party - that it has taken the risk-reduction step of implementing best practice.<br /><br />More than that, ITIL is particularly weak where information security management is concerned - the ITIL book on information security really does no more than refer to a now very out-of-date version of ISO 17799, the information security code of practice.<br /><br />The emergence of the international IT Service Management ISO 27001 and Information Security Management (ISO20000) standards changes all this. They make it possible for organizations that have successfully implemented an ITIL environment to be externally certificated as having information security and IT service management processes that meet an international standard; organizations that demonstrate - to customers and potential customers - the quality and security of their IT services and information security processes achieve significant competitive advantages.<br /><br /><span style="font-weight: bold;">Information Security Risk</span><br /><br />The value of an independent information security standard may be more immediately obvious to the ITIL practitioner than an IT service management one. The proliferation of increasingly complex, sophisticated and global threats to information security, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is driving organizations to take a more strategic view of information security. It has become clear that hardware-, software- or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate. ISO/IEC 27001 (what was BS7799) helps organizations make the step to sytematically managing and controlling risk to their information assets.<br /><br /><span style="font-weight: bold;">IT Process Risk</span><br /><br />IT must be managed systematically to support the organization in achieving its business objectives, or it will disrupt business processes and undermine business activity. IT management, of course, has its own processes - and many of these processes are common across organizations of all sizes and in many sectors. Processes deployed to manage the IT organization itself need both to be effective and to ensure that the IT organization delivers against business needs. IT service management is a concept that embraces the notion that the IT organization (known, in ISO/IEC 20000Regulatory and Compliance Risk<br /><br />All organizations are subject to a range of information-related national and international legislation and regulatory requirements. These range from broad corporate governance guidelines to the detailed requirements of specific regulations. UK organizations are subject to some, or all, of:<br /><br />- Combined Code and Turnbull Guidance (UK)<br />- Basel2<br />- EU data protection, privacy regimes<br />- Sectoral regulation: FSA (1) , MiFID (2) , AML (3)<br />- Human Rights Act, Regulatation of Investigatory Powers Act<br />- Computer misuse regulation<br /><br />Those organizations with US operations may also be subject to US regulations such as Sarbanes Oxley and SEC regulations, as well as sectoral regulation such as GLBA (4), HIPAA (5) and USA PATRIOT Act. Most organizations are possibly also subject to US state laws that appear to have wider applicability, including SB 1386 (California Information Practice Act) and OPPA (6) . Compliance depends as much on information security as on IT processes and services.<br /><br />Many of these regulations have emerged only recently and most have not yet been adequately tested in the courts. There has been no co-ordinated national or international effort to ensure that many of these regulations - particularly those around personal privacy and data protection - are effectively co-ordinated. As a result, there are overlaps and conflicts between many of these regulations and, while this is of little importance to organizations trading exclusively within one jurisdiction, the reality is that many enterprises today are trading on an international basis, particularly if they have a website or are connected to the Internet.<br /><br /><span style="font-weight: bold;">Management Systems</span><br /><br />A management system is a formal, organized approach used by an organization to manage one or more components of their business, including quality, the environment and occupational health and safety, information security and IT service management. Most organizations - particularly younger, less mature ones, have some form of management system in place, even if they’re not aware of it. More developed organizations use formal management systems which they have certified by a third party for conformance to a management system standard. Organizations that use formal management systems today include corporations, medium- and small-sized businesses, government agencies, and non-governmental organizations (NGOs).<br /><br /><span style="font-weight: bold;">Standards and Certifications</span><br /><br />Formal standards provide a specification against which aspects of an organization’s management sytsem can be independently audited by an accredited certification body and, if the management system is found to conform to the specification, the organization can be issued with a formal certificate confirming this. Organizations that are certificated to ISO 9000 will already be familiar with the certification process.<br /><br /><span style="font-weight: bold;">Integrated Management Systems</span><br /><br />Organizations can choose to certify their management systems to more than one standard. This enables them to integrate the processes that are common - management review, corrective and preventative action, control of documents and records, and internal quality audits - to each of the standards in which they are interested. There is already an alignment of clauses in ISO 9000, ISO 14001 (the environmental management system standard) and OHSAS 18001 (the health and safety management standard) that supports this integration, and which enables organizations to benefit from lower cost initial audits, fewer surveillance visits and which, most importantly, allows organizations to ‘join up’ their management systems.<br /><br />The emergence of these international standards now enables organizations to develop an integrated IT management system that is capable of multiple certification and of external, third party audit, while drawing simultaneously on the deeper best-practice contained in ITIL. This is a huge step forward for the ITIL world.<br /><br /><span style="font-weight: bold;">Sources:</span><br /><br /> (1) Financial Services Authority<br /> (2) Markets in Financial Instruments Directive<br /> (3) Anti-money laundering regulations<br /> (4) Gramm-Leach-Bliley Act<br /> (5) Health Insurance Portability and Accountability Act<br /> (6) Online Personal Privacy Act<br /><span style="font-weight: bold;"><br />About the Author</span><br /><br />Alan Calder is an international authority on IT Governance and information security management. He led the world’s first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799. The 3rd edition of this book is the basis for the UK Open University’s postgraduate course on Information Security. He has just written, for BSI, a management guide on integrating ISO 27001 and ISO 20000 Management Systems, drawing heavily on ITIL best practice. He is a consultant to companies around the world, including Cisco. as in ITIL, as the “service provider”) exists to deliver services to business users, in line with business needs, and to ensure the most cost-effective use of IT assets within that overall context. ITIL, the IT Infrastructure Library, emerged as a collection of best practices that could be used in various organizations. ISO/IEC 20000, the IT service management standard, provides a best-practice specification that sits on top of the ITIL.forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0tag:blogger.com,1999:blog-2884621962778620374.post-47858277653639045702008-01-10T22:38:00.000-08:002008-01-10T22:39:23.072-08:00Create Your Own Security AuditEvery business, including yours, has valuable IT assets such as computers, networks, and data. And protecting those assets, requires that companies big and small conduct their own <a href="http://www.itsecurity.com/security-audit/" target="_blank">IT security audits</a> in order to get a clear picture of the security risks they face and how to best deal with those threats.<br /><br />The following are 10 steps to conducting your own basic IT security audit. While these steps won't be as extensive as audits provided by professional consultants, this DIY version will get you started on the road to protecting your own company.<br /> <h3>1. Defining the Scope of Your Audit: Creating Asset Lists and a Security Perimeter</h3> The first step in conducting an audit is to create a master list of the assets your company has, in order to later decide upon what needs to be protected through the audit. While it is easy to list your tangible assets, things like computers, servers, and files, it becomes more difficult to list intangible assets. To ensure consistency in deciding which intangible company assets are included, it is helpful to draw a "security perimeter" for your audit.<br /><br /><strong>What is the Security Perimeter?</strong><br />The security perimeter is both a conceptual and physical boundary within which your security audit will focus, and outside of which your audit will ignore. You ultimately decide for yourself what your security perimeter is, but a general rule of thumb is that the security perimeter should be the <em>smallest</em> boundary that contains the assets that you own and/or need to control for your own company's security.<br /><br /> <strong>Assets to Consider</strong><br />Once you have drawn up your security perimeter, it is time to complete your asset list. That involves considering every potential company asset and deciding whether or not it fits within the "security perimeter" you have drawn. To get you started, here is a list of common sensitive assets:<br /> <ol><li>Computers and laptops</li><li><a href="http://www.dailywireless.com/comparison-guides/80211n-router-comparison-guide/" target="_blank">Routers</a> and networking equipment</li><li>Printers</li><li>Cameras, digital or analog, with company-sensitive photographs </li><li>Data - sales, customer information, employee information</li><li>Company smartphones/ PDAs </li><li><a target="_blank" href="http://www.voip-news.com/">VoIP</a> phones, <a target="_blank" href="http://www.voip-news.com/pbx/">IP PBXs</a> (digital version of phone exchange boxes), related servers </li><li>VoIP or regular phone call recordings and records</li><li>Email</li><li>Log of employees daily schedule and activities</li><li>Web pages, especially those that ask for customer details and those that are backed by web scripts that query a database</li><li>Web server computer</li><li>Security cameras</li><li>Employee access cards.</li><li>Access points (i.e., any scanners that control room entry) </li></ol> This is by no means an exhaustive list, and you should at this point spend some time considering what other sensitive assets your company has. The more detail you use in listing your company's assets (e.g., "25 Dell Laptops Model D420 Version 2006", instead of "25 Computers") the better, because this will help you recognize more clearly the <em>specific</em> threats which face each particular company asset.<br /> <h3>2. Creating a 'Threats List'</h3> You can't protect assets simply by knowing what they are, you also have to understand how each individual asset is threatened. So in this stage you will compile an overall list of threats which currently face your assets.<br /><br /><strong>What Threats to Include?</strong><br />If your threat list is too broad, your security audit will end up getting focused on threats which are extremely small or remote. When deciding whether to include a particular threat on your 'Threat List' keep in mind that your test should follow a sliding scale. For example, if you are considering whether the possibility of a hurricane flooding out your servers you should consider both, how remote the threat is, but also how devastating the harm would be if it occurred. A moderately remote harm can still be reasonably included in your threat list if the potential harm it would bring is large enough to your company.<br /><br /><strong>Common 'Threats' to Get you Started?</strong><br />Here are some relatively common security threats to help you get started in creating your company's threat list:<br /> <ol><li><strong>Computer and network passwords</strong>. Is there a log of all people with passwords (and what type). How secure is this ACL list, and how strong are the passwords currently in use?<br /><br /></li><li><strong>Physical assets</strong>. Can computers or laptops be picked up and removed from the premises by visitors or even employees?<br /><br /></li><li><strong>Records of physical assets</strong>. Do they exist? Are they backed up?<br /><br /></li><li><strong>Data backups</strong>. What backups of virtual assets exist, how are they backed up, where are the backups kept, and who conducts the backups?<br /><br /> </li><li><strong>Logging of data access</strong>. Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?<br /><br /></li><li><strong>Access to sensitive customer data, e.g., credit card info</strong>. Who has access? How can access be controlled? Can this information be accessed from outside the company premises?<br /><br /></li><li><strong>Access to client lists</strong>. Does the website allow <a href="http://www.itsecurity.com/features/trapdoors-backdoors-103007/" target="_blank">backdoor</a> access into the client database? Can it be <a href="http://www.itsecurity.com/features/top-10-famous-hackers-042407/" target="_blank">hacked</a>?<br /><br /></li><li><strong>Long-distance calling</strong>. Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?<br /><br /></li><li><strong>Emails</strong>. Are spam filters in place? Do employees need to be educated on how to spot potential <a href="http://www.itsecurity.com/features/email-inbox-security-011107/" target="_blank">spam</a> and <a href="http://www.networksecurityjournal.com/features/44-ways-protect-phishing/" target="_blank">phishing</a> emails? Is there a company policy that outgoing emails to clients not have certain types of hyperlinks in them? </li></ol> <h3>3. Past Due Diligence & Predicting the Future</h3> At this point, you have compiled a list of <em>current</em> threats, but what about security threats that have not come on to your radar yet, or haven't even been developed? A good security audit should account not just for those security threats that face your company today, but those that will arise in the future.<br /><br /><strong>Examining Your Threat History</strong><br />The first step towards predicting future threats is to examine your company's records and speak with long-time employees about past security threats that the company has faced. Most threats repeat themselves, so by cataloging your company's past experiences and including the relevant threats on your threat list you'll get a more complete picture of your company's vulnerabilities.<br /><br /><strong>Checking Security Trends</strong><br />In addition to checking for security threats specific to your particular industry, <a href="http://www.itsecurity.com/whitepaper/malware-trends-ironport/">ITSecurity.com's</a> recent white paper covers trends for 2007 as well as offering a regularly updated <a href="http://www.itsecurity.com/blog/">blog</a> which will keep you abreast of all new security threat developments. Spend some time looking through these resources and consider how these trends are likely to affect your business in particular. If you're stumped you may want to <a href="http://www.itsecurity.com/expert/ask-a-question/">Ask the IT Security Experts</a> directly. <br /><br /><strong>Checking with your Competition</strong><br />When it comes to outside security threats, companies that are ordinarily rivals often turn into one another's greatest asset. By developing a relationship with your competition you can develop a clearer picture of the future threats your company will face by sharing information about security threats with one another.<br /> <h3>4. Prioritizing Your Assets & Vulnerabilities</h3> You have now developed a complete list of all the assets and security threats that your company faces. But not every asset or threat has the same priority level. In this step, you will prioritize your assets and vulnerabilities in order to know your company's greatest security risks, and so that you can allocate your company's resources accordingly.<br /><br /><strong>Perform a Risk Calculation/ Probability Calculation</strong><br />The bigger the risk, the higher priority dealing with the underlying threat is. The formula for calculating risk is:<br /><br />Risk = Probability x Harm<br /><br />The risk formula just means that you multiply the likelihood of a security threat actually occurring (probability) times the damage that would occur to your company if the threat actually did occur (harm). The number that comes out of that equation, is the risk that threat poses to your company.<br /><br /><strong>Calculating Probability</strong><br />Probability is simply the chance that a particular threat will actually occur. Unfortunately, there isn't a book that lists the probability that your website will be hacked this year, so you have to come up with those figures yourself.<br /><br />Your first step in calculating probability should be to do some research into your company's history with this threat, your competitors' history, and any empirical studies on how often most companies face this threat. Any probability figure that you ultimately come up with is an estimate, but the more accurate the estimate, the better your risk calculation will be.<br /><br /><strong>Calculating Harm</strong><br />How much damage would a particular threat cause if it occurred? Calculating the potential harm of a threat can be done in a number of different ways. You might count up the cost in dollars that replacing the lost revenue or asset would cost the company. Or instead you might calculate the harm as the number of man-hours which would be lost trying to remedy the damage once it has occurred. But whatever method you use, it is important that you stay consistent throughout the audit in order to get an accurate priorities list. <h3>Developing Your Security Threat Response Plan</h3> When working down your newly developed priority list, there will be a number of potential responses you could make to any particular threat. The remaining six points in this article cover the primary responses a company can make to a particular threat. While these security responses are by no means the only appropriate ways to deal with a security threat, they will cover the vast majority of the threats your company faces, and as a result you should go through this list of potential responses before considering any alternatives.<br /><h3>5. Implementing Network Access Controls</h3> Network Access Controls, or <a href="http://www.itsecurity.com/features/introduction-network-access-control-120506/">NACs</a>, check the security of any user trying to access a network. So, for example, if you are trying to come up with a solution for the security threat of your competition stealing company information from private parts of the company's website, applying network access controls or NACs is an excellent solution.<br />Part of implementing effective NAC is to have an <a target="_blank" href="http://en.wikipedia.org/wiki/Access_control">ACL</a> (Access Control List), which indicates user permissions to various assets and resources. Your NAC might also include steps such as; encryption, digital signatures, ACLs, verifying IP addresses, user names, and checking cookies for web pages.<br /> <h3>6. Implementing Intrusion Prevention</h3><p> While a Network Access Control deals with threats of unauthorized people accessing the network by taking steps like password protecting sensitive data, an <a href="http://www.networksecurityjournal.com/intrusion-prevention/" target="_blank">Intrustion Prevention System</a> (IPS) prevents more malicious attacks from the likes of hackers.</p><p> The most common form of an IPS is a second generation <a href="http://www.itsecurity.com/firewalls/" target="_blank">firewall</a>. Unlike first generation firewalls, which were merely content based filters, a second generation firewall adds to the content filter a 'Rate-based filter'.<br /></p><ul><li><strong>Content-based</strong>. The firewall does a <a target="_blank" href="http://en.wikipedia.org/wiki/Deep_packet_inspection">deep pack inspection</a>, which is a thorough look at actual application content, to determine if there are any risks.<br /><br /></li><li><strong>Rate-based</strong>. Second generation firewalls perform advanced analyses of either web or network traffic patterns or inspection of application content, flagging unusual situations in either case.<br /></li></ul> <h3>7. Implementing Identity & Access Management</h3> <a target="_blank" href="http://www.websitesource.com/blog/index.php/2006/10/30/securing_data">Identity and</a> <a target="_blank" href="http://www.cafesoft.com/products/cams/access-management-white-paper.html">Access Management</a> (<a target="_blank" href="http://en.wikipedia.org/wiki/Identity_and_Access_Management">IAM</a>) simply means controlling users' access to specific assets. Under an IAM, users have to manually or automatically identify themselves and be authenticated. Once authenticated, they are given access to those assets to which they are authorized.<br /><br />An IAM is a good solution when trying to keep employees from accessing information they are not authorized to access. So, for instance, if the threat is that employees will steal customers credit card information, an IAM solution is your best bet.<br /> <h3>8. Creating Backups</h3> When we think of IT security threats, the first thing that comes to mind is hacking. But a far more common threat to most companies is the accidental loss of information. Although it's not sexy, the most common way to deal with threats of information loss is to develop a plan for regular backups. These are a few of the most common backup options and questions you should consider when developing your own backup plan:<br /> <ul><li><strong>Onsite storage</strong>. Onsite storage can come in several forms, including removable hard drives or tape backups stored in a fireproofed, secured-access room. The same data can be stored on hard drives which are networked internally but separated by a DMZ (demilitarized zone) from the outside world.<br /><br /></li><li><strong>Offsite storage</strong>. Mission-critical data could be stored offsite, as an extra backup to onsite versions. Consider worst-case scenarios: If a fire occurred, would your hard-drives or digital tapes be safe? What about in the event of a hurricane or earthquake? Data can be moved offsite manually on removable media, or through a <a href="http://www.itsecurity.com/whitepaper/ssl-vpn-vs-ipsec-vpn-nsj/" target="_blank">VPN</a> (Virtual Private Network) over the Internet.<br /><br /></li><li><strong>Secured access to backups</strong>. Occasionally, the need to access data backups will arise. Access to such backups, whether to a fireproofed room or vault, or to an offsite data center, physically or through a VPN, must be secure. This could mean issuing keys, RFID-enabled "smart pass cards", VPN passwords, safe combinations, etc.<br /><br /></li><li><strong>Scheduling backups</strong>. Backups should be automated as much as possible, and scheduled to cause minimum disruption to your company. When deciding on the frequency of backups, be aware that if your backups aren't frequent enough to be relevant when called upon, they are not worth conducting at all. </li></ul> <h3>9. Email Protection & Filtering</h3><p> Each day, <a target="_blank" href="http://en.wikipedia.org/wiki/E-mail_spam">55 billion spam messages</a> are sent by email throughout the world. To limit the security risk that unwanted emails pose, spam filters and an educated workforce are a necessary part of every company's security efforts. So, if the threat you are confronting is spam emails, the obvious (and correct) response is to implement an email security and filtering system for your company. </p><p> While the specific <a href="http://w.on24.com/r.htm?e=31330&s=1&k=4F3C9E916ADB0DC0C1C2A628F11D20BC&partnerref=it-security-audit" target="_blank">email security threats</a> confronting your company will determine the appropriate email protections you choose, here are a few common features:<br /></p><ul><li><strong>Encrypt emails</strong>. When sending sensitive emails to other employees at other locations, or to clients, <a href="http://www.itsecurity.com/features/five-steps-email-security-092106/">emails should be encrypted</a>. If you have international clients, make sure that you use encryption allowed outside of the United States and Canada.<br /><br /></li><li><strong>Try steganography</strong>. <a target="_blank" href="http://en.wikipedia.org/wiki/Steganography">Steganography</a> is a technique for hiding information discreetly in the open, such as within a digital image. However, unless combined with something like encryption, it is not secure and could be detected.<br /><br /></li><li><strong>Don't open unexpected attachments</strong>. Even if you know the sender, if you are not expecting an email attachment, don't open it, and teach your employees to do the same.<br /><br /></li><li><strong>Don't open unusual email</strong>. No spam filter is perfect. But if your employees are educated about common spam techniques, you can help keep your company assets free of viruses.<br /></li></ul> <h3>10. Preventing Physical Intrusions</h3> Despite the rise of new generation threats like hacking and email spam, old threats still imperil company assets. One of the most common threats is physical intrusions. If, for example, you are trying to deal with the threat of a person breaking into the office and stealing company laptops, and along with them valuable company information, then a plan for dealing with physical intrusions is necessary.<br /><br />Here are some common physical threats along with appropriate solutions for dealing with them:<br /> <ul><li><strong>Breaking into the office: Install a detection system</strong>. Companies like ADT have a <a target="_blank" href="http://www.adt.com/smbiz/">variety of solutions</a> for intrusion detection and prevention, including video surveillance systems.<br /><br /></li><li><strong>Stolen laptop: Encrypt hard drive</strong>. <a href="http://www.itsecurity.com/vendors/microsoft-corporation/" target="_blank">Microsoft</a> offers an Encrypt File System, or <a target="_blank" href="http://www.microsoft.com/technet/security/smallbusiness/topics/cryptographyetc/protect_data_efs.mspx">EFS</a>, which can be used to encrypt sensitive files on a laptop.<br /><br /></li><li><strong>Stolen screaming smart phones</strong>. A new service from <a target="_blank" href="http://synchronica.com/press/releases/061018-synchronica-gets-symbian-smartphones-screaming-with-mobile-manager.html">Synchronica</a> protect smartphones and PDAs, should they be stolen. Once protected, a stolen phone cannot be used without an authorization code. If this is not given correctly, all data is wiped from the phone and a high-pitch "scream" is emitted. Once your phone is recovered, the data can be restored from remote servers. Currently, this particular service is limited to the UK, but comparable services are available throughout the world.<br /><br /></li><li><strong>Kids + Pets = Destruction: Prevent unauthorized access</strong>. For many small-business owners, the opportunity to work from home is an important perk. But having children and/or pets invading office space and assets can often be a greater risk that that posed by hackers. By creating an appropriate-use policy and sticking with it small business owners can quickly deal with one of their most significant threats.<br /><br /></li><li><strong>Internal Click Fraud: Education and Blocks</strong>. Many web-based businesses run advertising such as <a href="http://www.google.com/adsense/">Google AdSense</a> or <a target="_blank" href="http://www.chitika.com/">Chitika</a> to add an extra revenue stream. However, inappropriate clicking of the ads by employees or family can cause your account to be suspended. Make employees aware of such things, and prevent the company's live website from being viewed internally. </li></ul> <h3>Conclusion</h3><p> These 10 steps to conducting your own IT Security Audit will take you a long way towards becoming more aware of the security threats facing your company as well as help you begin to develop a plan for confronting those threats. But it is important to remember that security threats are always changing, and keeping your company safe will require that you continually assess new threats and revisit your response to old ones.</p><p>For further research, visit IT Security's <a href="http://www.itsecurity.com/security-audit/">Security Audit Resource Center</a>. </p>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com1tag:blogger.com,1999:blog-2884621962778620374.post-50828953300762096612008-01-10T22:18:00.000-08:002008-01-10T22:30:05.104-08:00BS7799-2 - the ISMS concept<a name="BS7799 - the ISMS concept" class="H2" id="BS7799 - the ISMS concept"></a>An idealised structured for an ISMS is shown in opposite. It shows the traditional approach to risk management augmented by the addition of a new feedback loop. In scoping the problem, BS7799-2 implies an "information-centric" view of the world, to avoid the trap of failing to take account of less obvious vulnerabilities such as people, cell phones and laptops. It further implies information policies that clearly identify the business priorities concerning information, and why, and in addition, risk assessments that identify what networks really are, not what people think they are! <p> <img src="http://www.gammassl.co.uk/images/riskman.gif" alt="Diagram of the original (1999) concept of an ISMS showing that a feedback loop is required from the step called "managing the risks" to the previous step called "perform the risk assessment". Dr. Brewer referred to the original ISMS specification as a weak specification because this feedback loop was missing. The 2002 revision (as in the case of the 2005 ISO/IEC standard) this feedback loop is included by adoption of the Deming cycle (plan-do-check-act)." height="262" width="441" /></p> <p>BS7799-2 requires management to identify vulnerabilities and select the safeguards with a priority that matches the business priorities specified in the security policy. Reiteration is encouraged, choosing alternate safeguards until management is satisfied with the residual risks and costs involved. Once the chosen safeguards have been implemented, the ideal ISMS monitors their effectiveness; it does not assume that they will work as intended. Management should regularly re-appraise the situation. Even if nothing is supposed to have changed, the risk assessment should be regularly repeated (this is the new feedback loop). Management should assume, for example, that their networks have changed - most networks do with time! In any case, doubtless someone will have identified new vulnerabilities. Of course, if the business requirements have changed, there will be a need to re-scope the problem and revise the security policy accordingly.</p><span style="font-weight: bold;">Source : http://www.gammassl.co.uk/inforisk/riskpart4.html</span>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0tag:blogger.com,1999:blog-2884621962778620374.post-70796589705643565032008-01-10T22:06:00.000-08:002008-01-10T22:17:58.216-08:00ISMS Implementation Guide [White Paper]ISMS Implementation Guide<br /><br />Usage note<br />Note: The intent of this document is to help you recognize the activities related to establishing an ISMS. This document should not be considered as professional consulting for establishing or implementing an ISMS. Use of this guide does not guarantee a successful implementation nor an implementation that is ready for certification. If you want to implement an ISMS, consider hiring a professional consultant who specializes in ISMS implementation.<br /><br /><span style="font-weight:bold;">Table of contents</span><br />Overview of an ISMS ............................................................................................................................. 4<br />1 Purchase a copy of the ISO/IEC standards .................................................................................. 5<br />2 Obtain management support ......................................................................................................... 5<br />3 Determine the scope of the ISMS .................................................................................................. 7<br />4 Identify applicable legislation........................................................................................................ 8<br />5 Define a method of risk assessment............................................................................................. 9<br />6 Create an inventory of information assets to protect ............................................................... 12<br />7 Identify risks ................................................................................................................................. 13<br />8 Assess the risks........................................................................................................................... 14<br />9 Identify applicable objectives and controls ............................................................................... 16<br />10 Set up policy and procedures to control risks .......................................................................... 20<br />11 Allocate resources and train the staff......................................................................................... 21<br />12 Monitor the implementation of the ISMS.................................................................................... 22<br />13 Prepare for certification audit...................................................................................................... 23<br />14 Ask for help .................................................................................................................................. 24<br />Appendix A Documents and Records........................................................................................... 25<br /><br />Overview of an ISMS<br />Information security is the protection of information to ensure:<br />• Confidentiality: ensuring that the information is accessible only to those authorized to access it.<br />• Integrity: ensuring that the information is accurate and complete and that the information is not<br />modified without authorization.<br />• Availability: ensuring that the information is accessible to authorized users when required.<br />Information security is achieved by applying a suitable set of controls (policies, processes, procedures,<br />organizational structures, and software and hardware functions).<br />An Information Security Management System (ISMS) is way to protect and manage information based on<br />a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and<br />improve information security. It is an organizational approach to information security.<br />ISO/IEC publishes two standards that focus on an organization’s ISMS:<br />• The code of practice standard: ISO/IEC 27002 (ISO/IEC 17799). This standard can be used as a<br />starting point for developing an ISMS. It provides guidance for planning and implementing a program<br />to protect information assets. It also provides a list of controls (safeguards) that you can consider<br />implementing as part of your ISMS.<br />• The management system standard: ISO/IEC 27001. This standard is the specification for an ISMS.<br />It explains how to apply ISO/IEC 27002 (ISO/IEC 17799). It provides the standard against which<br />certification is performed, including a list of required documents. An organization that seeks<br />certification of its ISMS is examined against this standard.<br />These standards are copyright protected text and must be purchased. (For purchasing information, refer to<br />section 1, “Purchase ISO standards.”)<br />The standards set forth the following practices:<br />• All activities must follow a method. The method is arbitrary but must be well defined and<br />documented.<br />• A company or organization must document its own security goals. An auditor will verify whether these<br />requirements are fulfilled.<br />• All security measures used in the ISMS shall be implemented as the result of a risk analysis in order<br />to eliminate or reduce risks to an acceptable level.<br />• The standard offers a set of security controls. It is up to the organization to choose which controls to<br />implement based on the specific needs of their business.<br />• A process must ensure the continuous verification of all elements of the security system through<br />audits and reviews.<br />• A process must ensure the continuous improvement of all elements of the information and security<br />management system. (The ISO/IEC 27001 standard adopts the Plan-Do-Check-Act [PDCA] model as<br />its basis and expects the model will be followed in an ISMS implementation.)<br />These practices form the framework within which you<br /><br /><a href="http://www.atsec.com/downloads/pdf/iso-27001/ISMS-Implementation-Guide-and-Examples.pdf">Read This White Paper</a>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0tag:blogger.com,1999:blog-2884621962778620374.post-63934761650811931442008-01-10T21:04:00.000-08:002008-01-10T22:06:17.200-08:00Protecting your information assets<p>In a world where information is both the currency and the key asset of many major organisations, effective information security is well-recognised as both a business and risk management priority. </p><p>What is less well understood – in particular in an environment characterised by constant change and an ever-expanding web of critical interdependencies – is how best to achieve information security. </p><p>According to SAI Global Information Security Management Systems Program Manager, Mr Brahman Thiyagalingham: “Within many leading corporates there is a fair understanding that the failure to maintain the confidentiality of information, the integrity of information and the availability of information may present an unacceptable risk.” </p><p>According to Mr Thiyagalingham, fast-moving technology, the emergence of relatively new information-based businesses and, until recently, a lack of widely accepted information security management guidelines, has led to something of an ad hoc approach to information security management. </p><p>One common approach taken by major corporates has been to have their information security needs addressed by external consultants, who also assist with the maintenance and assessment of the systems. </p><p>“Certainly there are merits to this approach in terms of creating and implementation of a management system,” said Mr Thiyagalingham. “Where a system can fall down, however is when the management system developer and implementer is also the person who carries out regular assessments (internal audits) to determine compliance with information security objectives. If we have learned anything from some of the more spectacular collapses and corporate scandals of recent years, it is that the integrity of governance arrangements must be beyond reproach to preserve the integrity of the whole. When information integrity is such a critical resource, the same principles should apply. And, as is the case with corporate governance, meaningful assurance is best provided by independent, arm’s length assessors such as an independent accredited certification body.” </p><p>According to Mr Thiyagalingham, a number of recent developments would indicate that major corporations will soon be travelling the independent assurance route to information security. </p><p>One is the release of the most recent Standard for Information Security Management, AS/NZ 7799.2:2003, providing an internationally recognised framework for developing an effective Information Security Management System (ISMS). </p><p>“The latest release enhances the original 2000 Standard,” said Mr Thiyagalingham. “It has now been around long enough for business to be aware of it and get their heads around it. It’s an invaluable tool that can help navigate a notoriously difficult terrain. The fact that a resulting ISMS can be assessed by independent experts, and that the resulting certification is internationally recognised offers businesses major advantages that they are coming to appreciate.” </p><p>Another indicator of the growing emergence of – and demand for – certified information security management systems is its increased uptake by the telecommunications, banking, data management and public sectors. </p><p>“This will necessarily have a flow-on effect for suppliers, tenders and partnership relationships. The integrity of interdependent systems is only as sound as its weakest link: there’s no point safeguarding your own information if the next link, or the previous link, were not secure. Organisations are beginning to understand and come to grips with this fact, and to see the value of using certified ISMS' along the chain.” </p><p><b>Information Security Management Systems: the bare facts</b> </p><p>The world of information security management is coming out of the too-hard basket and landing in the in-boxes of a wide range of business and other organisations. </p><p>This brief guide answers some of the more frequently asked questions about information security management systems, and outlines the steps involved in establishing an ISMS. </p><p>A more extensive fact sheet is also available from SAI Global. </p><p>Q: What types of organisations need an ISMS? </p><p>An ISMS is needed wherever inappropriate use, disposal or disclosure of organisational information may negatively impact on the privacy of customers or other stakeholders, diminish the standing of the organisation or its stakeholders, reveal critical competitor or trading partner information or cause liability under regulation or legislation. </p><p>As the availability, volume and interdependencies of information within and between different organisations expands, so does the risk of the above occurring. That’s why demand for a certified ISMS is no longer confined to information technology or records-keeping organisations: it can benefit any industry sector that is subject to risk. </p><p>Q: Which part of an organisations should take ownership of the ISMS? </p><p>The team managing and implementing an ISMS should be drawn from all levels of management identified as custodians of critical information. Although this will usually integrally involve members of the IT team, an ISMS is emphatically not the sole responsibility of IT. </p><p>Q: How do I define the scope of an ISMS? </p><p>This is a critical component of creating an effective ISMS. The first step when considering the implementation of an information security system is to define the ‘scope’ of the system. As a starting point, draw a circle around the assets you think should be included, then review what is out of scope. </p><p>The test as to scope is whether the organisations can continue operations and maintain an adequate level of security even without the entities out of scope. If this is not possible, it may be wise to rework the scope to include that entity. </p><p>The scope of an ISMS can be based around physical sites, functional units (such as IT, HR etc.) or by systems. Wherever a specific scope is drawn, the unit, site or system concerned must be able to demonstrate that they are complying with all the requirements of the broader ISMS. </p><p>For a visual explanation of this process refer to the diagram entitled, ‘<i>Scoping your ISMS System’.</i> </p><p>Q: How do I determine which clients and suppliers should also operate within the scope of an ISMS? </p><p>In the inextricably linked supply chain environment that defines so many business relationships, reliance and sharing of information assets is common place. Information Security Manages must then determine how these ‘partners’ fit in the ISMS equation. Essentially, the ‘scoping’ test is a matter of risk. If suppliers’ or clients’ activities come into the primary scope, the security of the information at hand is at unacceptable risk unless they too can demonstrate their compliance. The integrity of the information concerned is only as sound as the weakest link in the chain. </p><p>Q: What are the usual steps to implement an ISMS? </p><p>In the context of AS/NZS 7799.2:2003 an organisations should consider nine specific steps when implementing and ISMS. These include: </p><ul class="L1star"><li>determining the scope of the system</li></ul><ul class="L1star"><li>identifying key information assets</li></ul><ul class="L1star"><li>conducting an asset risk assessment</li></ul><ul class="L1star"><li>developing a risk mitigation strategy</li></ul><ul class="L1star"><li>developing a Statement of Applicability</li></ul><ul class="L1star"><li>preparing a security policy, procedures and work instructions</li></ul><ul class="L1star"><li>implementing the policies and procedures and ensuring compliance</li></ul><ul class="L1star"><li>conducting continual maintenance and improvements on the system</li></ul><ul class="L1star"><li>seeking independent assessment by an ISMS accredited certification body</li></ul><p>In operational terms these nine steps could be summarised into four documents: </p><ul class="L1star"><li>Asset Register</li></ul><ul class="L1star"><li>Risk Assessment Documentation</li></ul><ul class="L1star"><li>Statement of Applicability</li></ul><ul class="L1star"><li>Security Policy</li></ul><p>Refer to the flowchart entitled ‘<i>ISMS: Steps to Implementation’</i> which outlines some of these key stages when developing and implementing an ISMS. </p><p><b>Want to know more?</b> </p>SAI Global is Australia’s leading ISMS certification specialist. It has been accredited to deliver ISMS certification services by JAS-ANZ. To find out more about the SAI Global ISMS program, or for more detailed information about the steps involved in setting up an ISMS, including gap analysis and self evaluation, auditing, costs, copies of the particular standards involved and so forth email: infosecurity@sai-global.com or visit www.sai-global.comforfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0tag:blogger.com,1999:blog-2884621962778620374.post-85931265533197841572007-12-19T18:04:00.000-08:002008-12-09T15:46:41.911-08:00Information Security Management Handbook [Sixth Edition]<div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5pwt_SqejUhkxZgKI9aReMPkwjFLXyC3vVw2XpGwt1_rxKzTtmJ6YF_i5nkDmfWFPeh5t52ir2RrcfUJWm-7LEPun_kTXB0_BviCFNkYLwayZXfvOZLGE8iHRbotBXwdDyYTzbphJLlk/s1600-h/Information-Security-Management-Handbook.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5pwt_SqejUhkxZgKI9aReMPkwjFLXyC3vVw2XpGwt1_rxKzTtmJ6YF_i5nkDmfWFPeh5t52ir2RrcfUJWm-7LEPun_kTXB0_BviCFNkYLwayZXfvOZLGE8iHRbotBXwdDyYTzbphJLlk/s320/Information-Security-Management-Handbook.jpg" alt="" id="BLOGGER_PHOTO_ID_5145871905751863218" border="0" /></a><br /><a href="http://www.amazon.com/Information-Security-Management-Handbook-Sixth/dp/0849374952&tag=forfin-20"><span style="font-weight: bold;">Buy Save With Amazon Book Store</span></a><br /></div><br /><span style="font-weight: bold;">Information Security Management Handbook [Sixth Edition] </span><br /><span style="font-weight: bold;">Book Details</span><br />- Hardcover: 3280 pages<br />- Publisher: AUERBACH; 6 edition (May 14, 2007)<br />- Language: English<br />- ISBN-10: 0849374952<br />- ISBN-13: 978-0849374951<br /><span style="font-weight: bold;"><br />Book Description</span><br />Never before have there been so many laws designed to keep corporations honest. New laws and regulations force companies to develop stronger ethics policies and the shareholders themselves are holding publicly traded companies accountable for their practices. Consumers are also concerned over the privacy of their personal information and current and emerging legislation is reflecting this trend. Under these conditions, it can be difficult to know where to turn for reliable, applicable advice.<br /><br />The sixth edition of the Information Security Management Handbook addresses up-to-date issues in this increasingly important area. It balances contemporary articles with relevant articles from past editions to bring you a well grounded view of the subject. The contributions cover questions important to those tasked with securing information assets including the appropriate deployment of valuable resources as well as dealing with legal compliance, investigations, and ethics. Promoting the view that the management ethics and values of an organization leads directly to its information security program and the technical, physical, and administrative controls to be implemented, the book explores topics such as risk assessments; metrics; security governance, architecture, and design; emerging threats; standards; and business continuity and disaster recovery. The text also discusses physical security including access control and cryptography, and a plethora of technology issues such as application controls, network security, virus controls, and hacking.<br /><br />US federal and state legislators continue to make certain that information security is a board-level conversation and the Information Security Management Handbook, Sixth Edition continues to ensure that there you have a clear understanding of the rules and regulations and an effective method for their implementation.<br /><br /><span style="font-weight: bold;">Book Info</span><br />Handbook includes chapters that correspond to the 10 domains of the Certified Information System Security Professional (CISSP) examination. Previous edition: c1999. DLC: Computer security--Management--Handbooks, manuals, etc. --This text refers to an out of print or unavailable edition of this title.forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com1tag:blogger.com,1999:blog-2884621962778620374.post-50447843177633201772007-12-19T17:45:00.000-08:002008-12-09T15:46:42.024-08:00IT Auditing: Using Controls to Protect Information Assets [Book]<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF5q_CqFuvQ3MYrUsTcZyBCPRA-KNB_RqJGw6KeW7sKNEWopMId74p65afuDmCUOf1Frm7EHWCAf5ci0Y-iAp6VKhCRapaDHBRZsJf5qoHsaDgXJF6Q-dYPjBuiDQL-Bu4ljJHV79cVQs/s1600-h/IT-Auditing-Using-Controls-to-Protect-Information-Assets+.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF5q_CqFuvQ3MYrUsTcZyBCPRA-KNB_RqJGw6KeW7sKNEWopMId74p65afuDmCUOf1Frm7EHWCAf5ci0Y-iAp6VKhCRapaDHBRZsJf5qoHsaDgXJF6Q-dYPjBuiDQL-Bu4ljJHV79cVQs/s320/IT-Auditing-Using-Controls-to-Protect-Information-Assets+.jpg" alt="" id="BLOGGER_PHOTO_ID_5145866270754770850" border="0" /></a><br /><div style="text-align: center;"><a href="http://www.amazon.com/Auditing-Controls-Protect-Information-Assets/dp/0072263431&tag=forfin-20"><span style="font-weight: bold;">Save 37% On Amazon Book Store</span></a><br /></div><span style="font-weight: bold;"><br />IT Auditing: Using Controls to Protect Information Assets<br />Book Details :</span><br /><br />- Paperback: 387 pages<br />- Publisher: McGraw-Hill Osborne Media; 1 edition (December 22, 2006)<br />- Language: English<br />- ISBN-10: 0072263431<br />- ISBN-13: 978-0072263435<br /><br /><span style="font-weight: bold;">Book Description</span><br />Protect Your Systems with Proven IT Auditing Strategies<br /><br />"A must-have for auditors and IT professionals." -Doug Dexter, CISSP-ISSMP, CISA, Audit Team Lead, Cisco Systems, Inc.<br /><br />Plan for and manage an effective IT audit program using the in-depth information contained in this comprehensive resource. Written by experienced IT audit and security professionals, IT Auditing: Using Controls to Protect Information Assets covers the latest auditing tools alongside real-world examples, ready-to-use checklists, and valuable templates. Inside, you'll learn how to analyze Windows, UNIX, and Linux systems; secure databases; examine wireless networks and devices; and audit applications. Plus, you'll get up-to-date information on legal standards and practices, privacy and ethical issues, and the CobiT standard.<br /><br />Build and maintain an IT audit function with maximum effectiveness and value<br /><br />-Implement best practice IT audit processes and controls<br />-Analyze UNIX-, Linux-, and Windows-based operating systems<br />-Audit network routers, switches, firewalls, WLANs, and mobile devices<br />-Evaluate entity-level controls, data centers, and disaster recovery plans<br />-Examine Web servers, platforms, and applications for vulnerabilities<br />-Review databases for critical controls<br />-Use the COSO, CobiT, ITIL, ISO, and NSA INFOSEC methodologies<br />-Implement sound risk analysis and risk management practices<br />-Drill down into applications to find potential control weaknesses<br /><br /><span style="font-weight: bold;">About the Author</span><br /><br />Chris Davis, CISA, CISSP, shares his experience from architecting, hardening, and auditing systems. He has trained auditors and forensic analysts. Davis is the coauthor of the bestselling Hacking Exposed: Computer Forensics.<br /><br />Mike Schiller, CISA, has 14 years of experience in the IT audit field, most recently as the worldwide IT Audit Manager at Texas Instruments.<br /><br />Kevin Wheeler, CISA, CISSP, NSA IAM/IEM, is the founder and CEO of InfoDefense and has over ten years of IT security experience.forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com1tag:blogger.com,1999:blog-2884621962778620374.post-52991404453007318902007-12-05T17:56:00.000-08:002007-12-05T17:58:23.173-08:00Thinking Through Your 2008 Security BudgetBy Ed Moyle<br />E-Commerce Times<!--/byline--><br /><br />For some people, November is all about festivity: turkey, cranberry sauce and the start of the long ramp-up to the December holidays.<br /><br />However, that's not always the case if you happen to be in IT security Webroot AntiSpyware 30-Day Free Trial. Click here..<br /><br />If you are, you know that November can be anything but festive -- unless your idea of "festive" includes end-of-the-year network See the HP StorageWorks All-in-One Storage System. Click here. freezes, the inevitable holiday malware, spam out the wazoo, and (worst of all) the 2008 budget. Yup, 'tis the season -- the season for guessing at what you might need in the future and (most likely) won't get.<br /><br />Every year, we're asked to do the same thing: Request the funding that we need for the upcoming year to keep the organization "secure." Like programming a universal remote control, it's one of those things that sounds simple enough until you actually try to do it.<br /><br />Aside from being impossible (there's no such thing as "secure" -- just "secure enough"), there's also the fact that we're being asked to foresee the unforeseeable. How much malware will there be next year? How many application vulnerabilities will we find in the new accounting system See the HP Proliant DL380 G5 Server with Systems Insight Manager – Click here.? How many patches will come out for the hundreds of software products we support? These are just a few of the myriad things impacting budgetary requirements which simply cannot be precisely determined ahead of time.<br /><br />However, rather than give up and submit another year's budget dripping with irony, let's look to see if there aren't a few strategies that we can use to help us bring some sanity to an otherwise insane process.<br />Planning for the Unforeseeable<br /><br />When it comes to planning for your security operations budget, there are two types of information security organizations: those that have usable metrics and those that don't. If you're in the first category, you probably have a historical record of past events -- and you probably have some idea of what each of those events costs.<br /><br />For example, you might know the number of malware events that occurred over the past 12 months and (depending on how long you've been keeping track) you might have some idea about the relative rate of increase of those events year-over-year. The same is true of security incidents, forensic investigations, IDS (intrusion detection system) alerts, applications reviewed, etc.<br /><br />Now, I don't mean to suggest that metrics are the complete solution to your budgetary woes, but the budgeting process is the one area where you're likely to see quite a bit of return on your metrics initiative. If you're measuring, you can come up with a reasonable (or at least logical) estimate of future activity based on historical trends. Add in a margin of error and it's not unreasonable to put together a ballpark figure for what those future events might cost. Heck, you can even create milestones of how much you expect to spend month-over-month and use unspent dollars to invest in making everything more efficient. Of course, times being what they are, you might not get everything you ask for, but at least you'll know the impact of that ahead of time.<br /><br />If you don't have metrics yet but you think they might help you with your budget, the challenge is to get them in place so that you can use them. Since you probably won't get any reliable metrics in place in time to use them in planning for this year's budget (hats off to you if you decide to try), the goal is to get them there in time to use them next year.<br /><br />Don't assume that obtaining this information is going to be "free" though -- it won't be. So plan for the expense and account for the spending in your 2008 spending (after all, now's the time). If your decision-making process isn't currently based on some kind of concrete information like realistic metrics, one of your strategic goals (maybe your No. 1 strategic goal) should be improving the data coming in and making use of it.<br />Investing in the Program<br /><br />So, maybe you have a reasonable idea about what operations spending looks like for 2008 -- or if you don't, you at least have it as a goal to get to a point where you can estimate (more) accurately. How about overall spending? After all, keeping to the "status quo" -- estimating what it'll cost next year to do the same thing as last year -- shouldn't be your final goal. Even if you're getting more efficient over time, there are still more things that you could be doing. No, there's another piece to the puzzle: Where should you invest in 2008 to operate in a more repeatable, organized and "mature" way? That's where program maturity comes in.<br /><br />Your information security "program," or -- depending on the terminology you choose -- your ISMS (information security management system) is something to be thinking about as well when putting together your 2008 budget. Your ISMS should be your overarching framework for managing information security within your organization -- it's your opportunity to think about how you'll move away from tactical decision-making ("putting out fires") and move toward a model based on analyzing and treating risk, keeping track of your security processes and how they perform, both in terms of efficiency as well as effectiveness.<br /><br />In other words, think about having a structured, well thought-out program as your road map to a better life.<br /><br />Assuming that you want to come up with a more structured way of doing things, how can you get there? First, start by analyzing what your program does and doesn't already account for -- tools like ISO 27001 (International Organization for Standardization) help you identify what your program should have in place and areas that you should be looking into for program management.<br /><br />Need to do a gap analysis to see where your program falls short? Account for that in your budget.<br /><br />Already have a gap analysis that tells you where you need to improve? Account for those areas in your budget.<br /><br />Granted, you might not get everything on your request list, but if you can demonstrate why this is valuable and candidly discuss with your management how you'd like to improve, you're probably likely to get some funding for doing this. Especially if you believe (as I do) that a structured, repeatable and mature program saves money over the long term.<br /><br /><span style="font-weight: bold;">Source : <a href="http://www.ecommercetimes.com/story/Thinking-Through-Your-2008-Security-Budget-60445.html">http://www.ecommercetimes.com/story/Thinking-Through-Your-2008-Security-Budget-60445.html</a></span>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com1tag:blogger.com,1999:blog-2884621962778620374.post-26242261423173313782007-12-05T17:51:00.000-08:002007-12-05T17:54:49.825-08:00Demand for ISO 27001 GrowsFor the first time the survey collected information on ISO 27001, a standard for assessing information security management systems (ISMS).<p>The survey reports 5,800 certificates issued in 64 countries. Japan accounts for 65% of these certificates.</p><p>Australia ranked 9th with 59 ISMS certificates. New Zealand recorded just one certificate.</p>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0tag:blogger.com,1999:blog-2884621962778620374.post-41392873272194629342007-11-28T20:18:00.001-08:002007-11-28T20:19:50.261-08:00How to Establish an ISMS Management FrameworkIn ISMS requirements, an organization is required to establish, implement and continually maintain its documented ISMS, taking into consideration its overall business activities and risks. <p> In establishing an ISMS, the scope of the ISMS is determined (STEP 1), and an information security policy is defined (STEP 2). On the basis of this security policy, a systematic approach to risk assessment is defined (STEP 3), and risks to the information assets that must be protected are identified (STEP 4). Risk assessment is then carried out (STEP 5). If, as a result of the risk assessment, unacceptable risks are found, possible ways to treat the risks should be identified and examined (STEP 6). Based on the risk treatment, controls to be implemented are selected (STEP 7).</p> <p> </p><table align="center" border="1" width="500"> <tbody><tr><td align="center" width="600">Detailed Controls</td></tr> <tr><td width="600"> 1. Information Security policy<br /> 2. Organizational security<br /> 3. Assets classification and control<br /> 4. Personnel security<br /> 5. Physical and environmental security<br /> 6. Communications and operations management<br /> 7. Access control<br /> 8. Systems development and maintenance<br /> 9. Business continuity management<br /> 10. Compliance </td></tr> </tbody></table> <p> Not all controls described in "detailed controls" shall be enforced, but an organization may select the controls to be implemented from the "detailed controls" on the basis of the risk assessment. In addition to the controls mentioned above, the organization shall add more effective controls that appear to be necessary as a result of risk assessment or risk management. What kind of and how many residual risks the organization has shall be identified. Through the risk management, these residual risks shall be approved by the Management (STEP 8), and also the introduction of the ISMS shall be permitted by the Management (STEP 9). It is particularly important to specify the selection of controls in the statement of applicability (STEP 10). </p><br /><p> <img src="http://www.isms.jipdec.jp/en/isms/frame.gif" /></p><p><span style="font-weight: bold;">Source : <a href="http://www.isms.jipdec.jp/en/isms/frame.html">http://www.isms.jipdec.jp/en/isms/frame.html</a></span><br /> </p>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0tag:blogger.com,1999:blog-2884621962778620374.post-27213954624783837552007-11-28T19:49:00.000-08:002007-11-28T19:58:03.839-08:00Implementing an Information Security Management System (ISMS) — LRQA GuidanceType : White Paper<br />Length : 5<br />Format : PDF<br />By : LRQA<br /><br /><span style="font-weight: bold;">Overview Implementing an Information Security Management System (ISMS) — LRQA Guidance<br /><br />- Why is ISO/IEC 27001 good for you?<br />- Introduction to Implementing an ISMS<br />The OECD (Organization for Economic Co-operation and Development) Guidelines<br /></span><span style="font-weight: bold;">- </span><span style="font-weight: bold;">Getting started<br /></span><span style="font-weight: bold;">- </span><span style="font-weight: bold;">Planning for success<br /></span><span style="font-weight: bold;">- </span><span style="font-weight: bold;">Understanding the standard<br /></span><span style="font-weight: bold;">- </span><span style="font-weight: bold;">Where next...?<br /></span><span style="font-weight: bold;">- </span><span style="font-weight: bold;">Management processes<br /></span><span style="font-weight: bold;">- </span><span style="font-weight: bold;">Define the scope<br /></span><span style="font-weight: bold;">- </span><span style="font-weight: bold;">ISMS policy<br /></span><span style="font-weight: bold;">- </span><span style="font-weight: bold;">Risk assessment and risk management<br /></span><span style="font-weight: bold;">- </span><span style="font-weight: bold;">Risk treatment<br /></span><span style="font-weight: bold;">- </span><span style="font-weight: bold;">Certification<br /><br /><a href="http://lrqausa.com/documents/Guidance_5bImplementinganISMS-LRQA.pdf">View This White Paper</a><br /><br /></span>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0tag:blogger.com,1999:blog-2884621962778620374.post-71924868489165059222007-11-15T00:49:00.000-08:002007-11-15T00:51:26.258-08:00[PDF] Analyzing Network Security using Malefactor Action Graphs<span style="font-weight: bold;">Abstract</span><br />The approach to network security analysis is suggested. It is based on simulation of malefactor’s behavior, generating attack graph and calculating different security metrics. The graph represents all possible attack scenarios taking into account network configuration, security policy, malefactor’s location, knowledge level and strategy. The security metrics describe computer network security at different levels of detail and take into account various aspects of security. The generalized architecture of security analysis system is presented. Attack scenarios model, common attack graph building procedures, used security metrics, and general security level evaluation are defined. The implemented version of security analysis system is described, and examples of express-evaluations of security level are considered.<br /><br />Read This Paper :<a href="http://paper.ijcsns.org/07_book/200606/200606C15.pdf"> http://paper.ijcsns.org/07_book/200606/200606C15.pdf</a>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0tag:blogger.com,1999:blog-2884621962778620374.post-31555092795412643742007-11-15T00:39:00.000-08:002007-11-15T00:45:56.870-08:00[PDF] The Simple Information Security Audit Process: SISAP<span style="font-weight: bold;">Summary</span><br />The SISAP (Simple Information Security Audit Process) is a dynamic security audit methodology fully compliant with the ISO 17799 and BS 7799.2, and conformant with the ISO 14508 in terms of its functionality guidelines. The SISAP employs a simulation-based rule base generator that balances risks and business value generation capabilities using the Plan-Do-Check-Act cycle imposed in BS 7799.2. The SISAP employs a concept proof approach based on 10 information security best practices investigation sections, 36 information security objectives, and 127 information security requirements, as specified in the ISO 17799. The auditor may apply, for collecting, analyzing, and fusing audit evidence obtained at various audit steps, selected analytical models like certainty factors, probabilities, fuzzy sets, and basic belief assignments. The SISAP adopts fully automated elicitation worksheets, as in SASA (Standard Analytic Security Audit), COBRA, and others.<br /><br />Read This File :<a href="http://paper.ijcsns.org/07_book/200606/200606C10.pdf"> http://paper.ijcsns.org/07_book/200606/200606C10.pdf</a>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0tag:blogger.com,1999:blog-2884621962778620374.post-63844748883671300772007-11-02T02:51:00.000-07:002007-11-02T02:52:22.360-07:00Certification : BS 7799<p align="justify">In the Information Security Space we believe that people are the strongest and weakest link in the attempt of securing ones IT resources. Security professionals are responsible for the making and breaking the best security systems developed till date. </p> <p align="justify">The best method to validate ones attempt to provide an Effective Information Security Management is to first benchmark the same with BS 7799 Standard and then certify the same through an external vendor. </p> <p align="justify">In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management. </p> <p align="justify">In this final session we would attempt to understand the structure and steps involved in certification for BS7799.</p> <b><p align="justify">A quick recap</p> </b> <p align="justify">Before we go in to the details of acquiring certification we need to go back and look at what constitutes the standard and what will a company be certified for:</p> <p align="justify">ISO/IEC 17799:2000 (Part 1) is the standard code of practice , which can be regarded as a comprehensive catalogue of "the best things to do in Information Security" </p> <p align="justify">BS7799-2: 1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). ISMS is the means by which Senior Management monitor can control their security, minimising the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements. </p> <p align="justify"><b><i>Please note that certification is against BS7799-2:1999.</i></b></p> <p align="justify">In order to be awarded a certificate, <i> </i>a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a <i>Certification Body</i> (such as Det Norske Veritas and BSI Assessment Services Limited).</p> <p align="justify">The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.</p> <p align="justify">The assessor will return periodically to check that your ISMS is working as intended.</p> <p align="justify"> </p> <b><p align="justify">Domains on which one would be assessed:</p> </b><p align="justify">As discussed in the earlier sessions the company needs to prepare its policies and procedures, which would cover the following domains.:</p> <b> </b><p align="justify"><span style="font-size:78%;">•</span><span style="font-size:100%;">Security policy</span></p> <p align="justify"><span style="font-size:78%;">•</span><span style="font-size:100%;">Security organisation</span></p> <p align="justify"><span style="font-size:78%;">•</span><span style="font-size:100%;">Asset classification and control</span></p> <p align="justify"><span style="font-size:78%;">•</span><span style="font-size:100%;">Personnel security</span></p> <p align="justify"><span style="font-size:78%;">•</span><span style="font-size:100%;">Physical and environmental security</span></p> <p align="justify"><span style="font-size:78%;">•</span><span style="font-size:100%;">Communications and operations management</span></p> <p align="justify"><span style="font-size:78%;">•</span><span style="font-size:100%;">Access control</span></p> <p align="justify"><span style="font-size:78%;">•</span><span style="font-size:100%;">Systems development and maintenance</span></p> <p align="justify"><span style="font-size:78%;">•</span><span style="font-size:100%;">Business continuity management</span></p> <p align="justify"><span style="font-size:78%;">•</span><span style="font-size:100%;">Compliance</span></p> <b><p align="justify"> </p> <p align="justify">Statement of applicability</p> </b><p align="justify">BS 7799 requires a company to identify process and controls , which they practically work on. If for example the company does not require to outsource any of its functions to any external vendor they can state that 4.2.3.1 (Security Requirements in outsourcing contracts ) is not relevant to that particular organisation.</p> <p align="justify">You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant. </p> <p align="justify"> </p> <b><p align="justify">Preparing oneself for Certification:</p> </b><p align="justify">The traditional formula of <b>PLAN …DO …CHECK and ACT</b> works well with BS 7799 too and this is a good place to either start or review the progress of the implementation team.</p> <b><p align="justify">Plan </p> </b><p align="justify">While planning one has to particularly be careful of the Business Context with which the ISMS is being prepared, which would include defining business policy and objectives, estimating the scope of ISMS, deciding and collecting resources for conducting risk assessment and a definitive approach to Identification, Analyzing and Evaluating risks in a continuous mode.</p> <b><p align="justify">Do</p> </b><p align="justify">While implementing the ISMS the focus should always be to build a long run and faultless mechanism for managing risk. This would include evaluating options of going in for automated or manual systems. The ideal method is to strike a perfect balance between both the counts. BS7799 controls need to be addressed, as our ultimate objective is to acquire certification. </p> <p align="justify">Deploy qualified and tested vendors to implement various products and solutions, which would be required. Preparation of the statement of applicability is also an important step where the management plays a important role.</p> <b><p align="justify">Check </p> </b><p align="justify">Here is where one has to get an external security audit team qualified to perform a third party security audit for BS7799. Certification companies like Det Norske Veritas can also help in finding qualified BS7799 consultants for companies interested in performing a pre assessment audit.</p> <p align="justify">The audit team would check for appropriate controls and evidence of implementation.</p> <p align="justify">For Example: If a company has prepared a policy for Contractual Agreements the company would have to submit the templates and documents where, third party contractors have signed documents for security.</p> <p align="justify">Implementation would also include continuous monitoring of the ISMS from the perspective of satisfying business needs first and its practical validity in the organisation.</p> <b><p align="justify">Act</p> </b><p align="justify">After checking for flaws and vulnerabilities the company needs to improve ISMS by identifying key vulnerabilities and take appropriate corrective actions.</p> <p align="justify">Preventive actions, for unseen but predictive incidents can be taken and polices to drive it into action can be framed in an appropriate time.</p> <p align="justify">Communication and delivery of policies to IT users and IT team should be done with ease and determination. Cultural changes and differences, which arise should be tackled with justification and transparency. Management , partners and users should be trained on policies and procedures.</p> <p align="justify">Creative techniques like designing </p> <p align="justify">posters, which clearly states the rules such as PC usage and the best practice followed in Password Framing and Maintenance can go a long way in the success of the policies and procedures.</p> <p align="justify"> </p> <b><p align="justify">The 4 Step method of Certification</p> </b> <p align="justify">The Plan, Do, Check and Act framework is cyclic and has to be continuously done for long run and with the solid backing of the management.</p> <b><p align="justify"><i>We now come to Specifics of Certification Process</i></p> <p align="justify"><i><u>Step One</u></i></p> <p align="justify">Desktop Review:</p> </b> <p align="justify">All documented polices and procedures need to be verified and checked for consistency and practicality. Corresponding templates and forms are presented to the Audit team.</p> <p align="justify">One important check on documentation will be its validity and relevance to BS7799 controls.</p> <p align="justify">The following documents needs to be presented</p> <p align="justify">ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.</p> <i><u><b><p align="justify">Step Two</p></b> </u></i><b> <p align="justify">Technical Review</p> </b> <p align="justify">The definition and implementation of Security Architecture with its various products and networking components are checked for vulnerabilities and possible risk exposure.</p> <p align="justify">The company would also need to submit a document stating the ‘permissible risk’ statement; this is the risk, which the company can afford to take. </p> <b><p align="justify"><i><u>Step Three</u></i></p> <p align="justify">Internal Audit</p> </b> <p align="justify">The team of BS7799 implementers and BS7799 professionals can take up an initial Internal audit where non-conformances are picked up and recommendations are documented.</p> <p align="justify">This step involves simulation of the real time third party audit and has to be taken seriously among the team and users of IT in the company.</p> <b><p align="justify"><i><u>Step Four</u></i></p> <p align="justify">External Audit- Certification</p> </b><p align="justify">Inviting the Certification Company is pre determined and the company gets ready to face the external auditors.</p> <p align="justify">The company consultants and internal team would not be allowed to be part of the audit team.</p> <p align="justify">They can assist and help auditors find relevant material.</p> <p align="justify">The auditors check for documentation and objective evidence with the following intention.</p> <ul><li>Are records Correct and Relevant?</li><li>Are polices Known and Tested?</li><li>Are policies Communicated?</li></ul> <ul><li>Are controls Implemented?</li><li>Are Polices Followed up?</li><li>Are preventive Actions taken?</li></ul> <p align="justify">The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.</p> <p align="justify"> </p> <b><p align="justify">Conclusion</p> </b> <p align="justify">After the audit, the certification company recommends the said company for BS7799 Certification. This is certainly a victory for the IT team as they can be assured that its IT systems are world class and the possibility of a security incident happening is minimum.</p> <p align="justify">To summarize the series ., BS7799 is a culture one has to build in the company, which would help one:</p> <ul><li>Heighten security awareness within the organisation</li><li>Identify critical assets via the Business Risk Assessment</li><li>Provide a structure for continuous improvement</li><li>Be a confidence factor internally as well as externally</li><li>Enhance the knowledge and importance of security-related issues at the management level</li><li>Ensure that "knowledge capital" will be "stored" in a business management system</li><li>Enable future demands from clients, stockholders and partners to be met</li></ul> <span style="font-family:Arial Unicode MS;"> <p align="justify"> </p> <p align="justify">Recommended Reading </p> </span> <ul><li>Information Security Management: An introduction (PD3000)</li><li>Preparing for BS7799 Certification (PD3001)</li><li>The Guide to BS7799 Risk Assessment and Risk Management (PD3002)</li><li>Are you Ready for a BS7799 Audit? (PD3003)</li><li>Guide to BS7799 Auditing (PD3004)</li><li>Guide on selection of BS 7799 controls (PD3005)</li><li>BS7799 : Part 1: 1999 Code of Practice for information security management</li><li>BS7799 : Part 2: 1999 Specification for information security management systems</li><li>EA Guidelines 7/03</li></ul> <span style="font-family:Arial Unicode MS;"> </span><p align="justify"> </p> <p align="justify">BS7799 Interpretation Guide (Free Download): www.dnv.com<span style="font-family:Arial Unicode MS;"> </span></p> <p>Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organization comprises of over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.</p> <p>DNV started their operations in Region India in 1972 and have established itself as a Leading Classification Society. DNV has been providing Classification, Certification, Consultancy and Verification Services for the Marine, Offshore and Land based process industries ever since both for Public and Private Sectors. </p> <p>DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management System and is a leading Certification Body in India for both Quality & Environment Management System Certification having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.</p> <p>Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.</p><br />Source : <a href="http://www.computersecuritynow.com/7799part3.htm">http://www.computersecuritynow.com/7799part3.htm</a>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com1tag:blogger.com,1999:blog-2884621962778620374.post-65951933850655485882007-11-02T02:50:00.000-07:002007-11-02T02:51:21.786-07:00Implementation : BS7799<p align="justify">Part 1 mainly dealt with the structure of the standard and its relevance to the Indian IT environment. Readers need to have a clear understanding that BS7799 has been designed by Security Experts who were the forerunners in the field of Information Security and were working in live business environment. Thus the standard is business driven and has a perfect co-relation to business units. This standard has to be interpreted for individual business units and has the flexibility to accommodate every possible IT environment.</p> <p align="justify">This article would discuss the interpretation of the standard and some of the key areas in its implementation.</p> <p align="justify">While interpreting the standard one has to consider and evaluate the human, procedural, environmental, technical and cultural aspects of the business unit. While implementing the standard, one has to weigh its own technical strength as far as Information Security Professionals are concerned. Without, a through technical assessment the results of the Implementation would not lead to certification. Thus a word of caution to readers would be that identification and management of risk to IT systems is a specialized activity and needs to be conducted in a controlled environment using professional assistance.</p> <b><p align="justify">Where do you begin?</p> </b> <b><p align="justify">Understand the Importance of Information Security: </p> </b><p align="justify">Every organization is unique with its own set of requirements and concerns. The company IT-Assets are exposed to various threats. More than 70% of the threat comes from Internal Sources.</p> <p align="justify">Other threat agents can be Hackers, Former Employees, Contractors, Suppliers, Competitors and Customers<span style="color:#00ffff;">.</span></p> <p align="justify">Management is tight lipped about incidents and push matters under the carpet due to the fear of losing credibility among investors and customers.</p> <p align="justify">In competitive environment where IT systems become Business Enhancers, one cannot afford to loose data and have a break down.</p> <p align="justify">Building awareness is the starting point for a stronger Information Security Culture.</p> <p align="justify">Educating top management for the need of an effective Information Security Management and the possible benefits to do the same is crucial for the success of a project.</p> <b> </b><p align="justify"><b>Get Yourself Trained:</b> </p><p> While selecting appropriate products and vendors for doing a technical risk assessment one has to understand, implement, maintain and sustain the investments made on Information security. </p> <p align="justify">The Internet serves as a huge repository of material for beginners to advanced users. The best method is to work in live environments with security professionals and get hands-on experience on various products and process. Those who are fortunate enough to work on live sites can use Internet resources like mail lists and websites on security, study for certifications on security or even attend training programs conducted by Security Institutes.</p> <b><p align="justify">Understand your Business Need: </p> </b><p align="justify">Security is always a Business led activity. The investments made on Security should reflect the need for security measures, criticality of IT Resources and processes in the day-to-day functioning of business. To implement strong security systems one has to grasp the core need of Information Security in the Business and identify the critical business factors.</p> <p align="justify">For Example: If a Financial Organisation has to heavily depend on IT resources to assimilate, calculate, interpret and present data on a hourly basis then the level of security would be higher than a company using IT resources for maintaining accounts and downloading company mail. To remain competitive the company cannot afford a down time of its Systems. </p> <p align="justify"><b>Assigning Responsibility</b>:</p> <p align="justify">The security organization structure is important to help give direction and a solid foundation to the implementation of a project. A designated Security Officer with a team of technical and procedural security professionals would make it a perfect mix for implementation. If the company chooses to use an external security company for consulting, the Security team could work hand in hand with the security company professionals. This will help companies maintain the systems and procedures drafted and implemented by the security team.</p> <p align="justify"><b>Choosing a vendor</b>:</p> <p align="justify">Various security consultants in the market have their own set of methodology and approach. Some of the parameters of selecting a vendor would be, firstly, the vendor should be an expert only on Information Security. One cannot boast of having a shop for software development, hardware sales and also Information Security. The field on Information Security is vast and complex and needs to have a focused approach. Secondly, the vendor needs to have done live assignments in India. We cannot have Polices for Indian companies based on US firms. Thirdly, the vendor needs to have a Quantitative Risk Assessment approach which takes into consideration technical and procedural checklists and lastly, the vendor should be willing to work with the team and share knowledge, which is important for the team to sustain the project even after the assignment is over.</p> <p align="justify"><b>Importance of Risk Assessment</b>:</p> <p align="justify">While designing and deploying a security strategy one has to ask two very important questions. One, What to protect and second, How much to protect? In simpler words what and how much risk is the business is exposed to? </p> <p align="justify">To define risk:</p> <p align="center"><b><i>Business risk is the threat that an event or action, which can adversely affect an organisation's ability to successfully, achieve its business objectives and execute its strategies.</i></b></p> <p align="justify">The key success factor of IT systems is a through risk assessment and effective risk management. Risk assessment prepares the base on which one would build the ISMS (Information Security Management System) </p> <p align="justify">The entire exercise starts with <b>Asset Identification:</b></p> <p align="justify">An important step towards achieving BS 7799 Certification is to identify and classify assets. BS779 Defines Risk Assessment as - assessment of threats to information, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence.</p> <p align="justify">Every department would have assets, which they would consider important, without which one cannot continue work and achieve results. There could be assets, which would have higher or lesser value. Thus the most important asset would be need more protection and the lesser ones would require lower level of protection.</p> <p align="justify">All assets in the company can be classified as: </p> <p align="justify"><b><i>People Assets</i></b>: The number of professionals who are a part of the organisation. </p> <p align="justify"><b><i>Information Assets:</i></b> Databases, data files, system documentation, user manuals, training material, operational and support procedures, intellectual property, continuity plans.</p> <p align="justify"><b><i>Paper Documents:</i></b> Contacts, Company documentation, business results, HR records, Purchase documents invoices. </p> <p align="justify"><b><i>Software Assets:</i></b> Application systems, development tools, and utilities. </p> <p align="justify"><b><i>Physical Assets:</i></b> computers, servers, routers, hubs, firewalls, communication equipment, magnetic media, other equipment, cabinets, safes </p> <p align="justify"><b><i>Services:</i></b> Computing, telecommunications, air-conditioning, water etc </p> <p align="justify"><b><i>Company Image and Reputation:</i></b> Adverse publicity, Failure to deliver, Website defacement, Unable to provide connectivity to web server</p> <b><p align="justify">Asset Classification:</p> </b><p align="justify">Once the list of assets are identified the criticality of every asset has to be classified as </p> <p align="justify"><b><i>Unclassified</i></b>: Considered publicly accessible. There are no requirements for access control or confidentiality.</p> <p align="justify"><b><i>Shared:</i></b> Resources that are shared within groups or with people outside the organization.</p> <p align="justify"><b><i>Company Only:</i></b> Access to be restricted to the internal employees only.</p> <p align="justify"><b><i>Confidential:</i></b> Access to be restricted to a specific list of people.</p> <b><i><p align="center">This gets us to answer for "What to Protect"?</p> <p align="center">Now lets Understand How to Protect?</p> </i></b><p align="justify"><b>Technical Risk Assessment</b>:</p> <p align="justify">Penetration testing: After performing the Asset Identification exercise one has to move on testing specific devices which are critical to the running of the organisation. The first step towards doing testing is to find out if any external person can have access to the company information through the Internet. This is a specialized exercise, which requires a security professional abreast with the latest exploit and vulnerabilities from published and open sources. The professional needs to run various tests that would test the Internet Point of presence (i.e. Website) and security devices which protect these sites.</p> <p align="justify">He would assume the role of a possible intruder and do all that he would do if he would like to break systems and cause harm.</p> <p align="justify">The result of these tests would help one get an idea of the possible vulnerabilities on various servers.</p> <p align="justify"><b>Vulnerability Assessment:</b> After performing an external test one needs to test the strength of various servers and operating systems available internally. This works as a second level of defense. Even if an intruder breaks the entry points he should be stopped at the internal points. Internal testing also facilitates the design of the Security Architecture.</p> <p align="justify">A word of caution would be to allow only qualified and experienced professionals to operate these systems. All legal documents need to be signed before one has to complete the assignment.</p> <b><p align="justify">Procedural Risk Assessment:</p> </b> <p align="justify">After conducting the technical risk assessment one needs to find out formal and informal polices and procedures followed in the company. This can be done with detailed questionnaires, which can help find out concerns of IT managers, IT users, Operations staff, Top Management, Divisional Heads and Technical Team.</p> <p align="justify">A Gap Analysis Document can be created once the </p> <p align="justify">Procedural Risk Assessment exercise completed.. This would help companies have a clear understanding of where they stand as far as acquiring the Certification is concerned.</p> <b><p align="justify">Risk Management</p> </b> <p align="justify">Once the gaps in the systems are identified, one has to manage these risks and make sure that the possibility of these risks affecting the company is very low or in some cases totally eliminated. BS 7799 has been designed in such a manner that its 127 Control Clauses have addressed almost every Conceivable risk known to Information Systems.</p> <p align="justify">The standard Defines Risk Management as -process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost</p> <p align="justify">For Example: While conducting the procedural risk assessment one finds that while disposing old computer systems one does not erase or format the hard disk which goes along with the machine. So the risk is potential leakage of information, which is stored on the Hard Disk. This risk is addressed by <i>Domain 8 Communications and operations management</i> 8. which states that <i>Media shall be disposed of securely and safely when no longer required.(4.6.6.2)</i></p> <b><p align="justify">Creating of Security Policies and Procedures to Manage Risks Effectively</p> </b> <p align="justify">As in every Management System Security, Management is Policy driven and has to be driven and pushed in to an organisation. One has to take utmost care to address every concern expressed during the technical and </p> <p align="justify">Procedural risk management exercise and prepare the documentation of the required polices (The list is only indicative and differs from organisation to organisation)</p> <p align="justify">Logical Access Controls, Password Security & Controls, Network &</p> <p align="justify">Telecommunication Security, Application Software Security, Program </p> <p align="justify">Change Controls, Version Controls, Disaster Recovery Plan, Electronic Mail Security, Backup & Recovery, Internet access and security, Operating Systems Security, Incident Response and Management, Third Party Security, Data Classification, Web server Security, Intranet Security, Punitive Actions, Firewall Security, Use Of Cryptography, Digital Signature Security, Database Security, Virus Protection</p> <p align="justify">Implementation of a effective risk management has various benefits and some of which could be enhanced understanding of business aspects, Reductions in security breaches and/or claims, Reductions in adverse publicity, Improved insurance liability rating, Identify critical assets via the Business Risk Assessment, Provide a structure for continuous improvement, Be a Confidence factor internally as well as externally, Enhance the knowledge and importance of security-related issues at the management level, Ensure that "knowledge capital" will be "stored" and managed in a business management systems.</p><p align="justify">Source : <a href="http://www.computersecuritynow.com/7799part2.htm">http://www.computersecuritynow.com/7799part2.htm</a><br /></p>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0tag:blogger.com,1999:blog-2884621962778620374.post-49233466511537168392007-11-02T02:48:00.000-07:002007-11-02T02:50:05.511-07:00Key Components of the Standard : BS 7799 (ISO 17799)<p align="justify">The Standard is divided in two parts:</p> <p align="justify">BS 7799 Part 1 (ISO 17799.2000 Standard) Code of Practice for Information Security Management</p> <p align="justify">BS 7799 Part II Specifies requirements for establishing, implementing and documenting Information Security Management System (ISMS)</p> <p align="justify">The standard has 10 Domains, which address key areas of Information Security Management.</p> <ol><li><b>Information Security Policy for the organization.</b></li><p align="justify">This activity involves a thorough understanding of the organization business goals and its dependence on information security. This entire exercise begins with creation of the IT Security Policy. This is an extremely important task and should convey total commitment of top management-. The policy cannot be a theoretical exercise. It should reflect the needs of the actual users. It should be implementable, easy to understand and must balance the level of protection with productivity. The policy should cover all the important areas like personnel, physical, procedural and technical. </p><b> </b><li><b>Creation of information security infrastructure</b></li><p align="justify">A management framework needs to be established to initiate, implement and control information security within the organization. This needs proper procedures for approval of the information security policy, assigning of the security roles and coordination of security across the organization. </p><b> </b><li><b>Asset classification and control</b></li><p align="justify">One of the most laborious but essential task is to manage inventory of all the IT assets, which could be information assets, software assets, physical assets or other similar services. These information assets need to be classified to indicate the degree of protection. The classification should result into appropriate information labeling to indicate whether it is sensitive or critical and what procedure, which is appropriate for copy, store, transmit or destruction of the information asset.</p><li><b>Personnel Security</b></li><p align="justify">Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities. Various proactive measures that should be taken are, to make personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training. </p><p align="justify">Alert and well-trained employees who are aware of what to look for can prevent future security breaches. </p><b> </b><li><b>Physical and Environmental Security</b></li><p align="justify">Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the beginning point of any security plan. This involves physical security perimeter, physical entry control, creating secure offices, rooms, facilities, providing physical access controls, providing protection devices to minimize risks ranging from fire to electromagnetic radiation, providing adequate protection to power supplies and data cables are some of the activities. Cost effective design and constant monitoring are two key aspects to maintain adequate physical security control.</p><li><b>Communications and Operations Management</b></li><p align="justify">Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures. </p><p align="justify">Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services. </p><p align="justify">Exchange of information and software between external organizations should be controlled, and should be compliant with any relevant legislation. There should be proper information and software exchange agreements, the media in transit need to be secure and should not be vulnerable to unauthorized access, misuse or corruption. </p><p align="justify">Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as Internet. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract dispute and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.</p><li><b>Access control</b></li><p align="justify">Access to information and business processes should be controlled on the business and security requirements. This will include defining access control policy and rules, user access management, user registration, privilege management, user password use and management, review of user access rights, network access controls, enforcing path from user terminal to computer, user authentication, node authentication, segregation of networks, network connection control, network routing control, operating system access control, user identification and authentication, use of system utilities, application access control, monitoring system access and use and ensuring information security when using mobile computing and tele-working facilities.</p><li><b>System development and maintenance</b></li><p align="justify">Security should ideally be built at the time of inception of a system. Hence security requirements should be identified and agreed prior to the development of information systems. This begins with security requirements analysis and specification and providing controls at every stage i.e. data input, data processing, data storage and retrieval and data output. It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may involve encryption, digital signature, use of digital certificates, protection of cryptographic keys and standards to be used for cryptography. </p><p align="justify">A strict change control procedure should be in place to facilitate tracking of changes. Any changes to operating system changes, software packages should be strictly controlled. Special precaution must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation. </p><li><b>Business Continuity Management</b></li><p align="justify">A business continuity management process should be designed, implemented and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes and depending on the risk assessment, preparation of a strategy plan. The plan needs to be periodically tested, maintained and re-assessed based on changing circumstances. </p><li><b>Compliance</b></li><p align="justify">It is essential that strict adherence is observed to the provision of national and international IT laws, pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls and collection of evidence.</p></ol> <p align="justify">Information Technology’s use in business has also resulted in enacting of laws that enforce responsibility of compliance. All legal requirements must be complied with to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements. </p> <p align="justify"> </p> <b><p align="justify">BS 7799 (ISO 17799) and "It’s" relevance to Indian Companies:</p> </b> <p align="justify">Although Indian companies and the Government have invested in IT, facts of theft and attacks on Indian sites and companies are alarming. 261 Indian Government sites were hacked in 2001* <sup>*</sup> Attacks and theft that happen on corporate websites are high and is usually kept under "strict" secrecy to avoid embarrassment from business partners, investors, media and customers. </p> <p align="justify">Huge losses are some times un-audited and the only solution is to involve a model where one can see a long run business led approach to Information Security Management.</p> <p align="justify">BS 7799 (ISO 17799) consists of 127 best security practices (covering 10 Domains which was discussed above) which Indian companies can adopt to build their Security Infrastructure. Even if a company decides not go in for the certification, BS 7799 (ISO 17799) model helps companies maintain IT security through ongoing, integrated management of policies and procedures, personnel training, selecting and implementing effective controls, reviewing their effectiveness and improvement. Additional benefits of an ISMS are improved customer confidence, a competitive edge, better personnel motivation and involvement, and reduced incident impact. Ultimately leads to increased profitability.</p> <p>Source : <a href="http://www.computersecuritynow.com/7799part1.htm">http://www.computersecuritynow.com/7799part1.htm</a><br /></p>forfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com1tag:blogger.com,1999:blog-2884621962778620374.post-45443346714844684342007-10-15T20:54:00.000-07:002007-10-15T20:55:40.470-07:00Sample Security Policies<table border="0" cellpadding="1" cellspacing="0" width="100%"><tbody><tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="27" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="13" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.whitehouse.gov/omb/memoranda/fy2006/m06-06_att.doc">HSPD-12 Privacy Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.whitehouse.gov/omb/memoranda/fy2006/m06-06_att.doc</span></span><br /><span style="font-size:-1;"> Sample privacy policy including Privacy Act systems of records notices, Privacy Act statements and a privacy impact assessment, designed to satisfy the requirements of HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors”</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="27" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="13" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.upenn.edu/computing/policy/">Information Security Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.upenn.edu/computing/policy/</span></span><br /><span style="font-size:-1;"> Electronic resource usage and security policies from the University of Pennsylvania.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="27" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="13" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/">Information Security Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/</span></span><br /><span style="font-size:-1;"> SANS consensus research project offering around 30 editable information security policies.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="27" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="13" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.auckland.ac.nz/security/PoliciesandStatutes.htm">Information Security Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.auckland.ac.nz/security/PoliciesandStatutes.htm</span></span><br /><span style="font-size:-1;"> Set of acceptable use and technical policies from the University of Auckland covering common information security issues.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="22" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="18" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.27001-online.com/secpols.htm">ISO 27001 Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.27001-online.com/secpols.htm</span></span><br /><span style="font-size:-1;"> Typical headings for a security policy aligned broadly with the ISO/IEC standard for information security management systems.</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="22" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="18" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.utoronto.ca/security/documentation/policies/policy_5.htm">Network Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.utoronto.ca/security/documentation/policies/policy_5.htm</span></span><br /><span style="font-size:-1;"> Example security policy for a data network from the University of Toronto.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="22" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="18" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://csrc.nist.gov/fasp/jump.html">Information Security Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://csrc.nist.gov/fasp/jump.html</span></span><br /><span style="font-size:-1;"> NIST's extensive collection of well over 100 security policies and related awareness materials, mostly from US Government bodies.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="22" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="18" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.obfs.uillinois.edu/manual/central_p/sec19-5.html">Information Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.obfs.uillinois.edu/manual/central_p/sec19-5.html</span></span><br /><span style="font-size:-1;"> An information security policy from the University of Illinois.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="22" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="18" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.cli.org/emailpolicy/top.html">Email Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.cli.org/emailpolicy/top.html</span></span><br /><span style="font-size:-1;"> A menu of clauses suitable for email acceptable use policies.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="22" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="18" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Policy_Primer.pdf">Security Policy Primer</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Policy_Primer.pdf</span></span><br /><span style="font-size:-1;"> General advice for those new to writing information security policies.</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.murdoch.edu.au/admin/policies/itsecurity/policy.html">IT Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.murdoch.edu.au/admin/policies/itsecurity/policy.html</span></span><br /><span style="font-size:-1;"> Information technology security policy at Murdoch University, complete wth supporting standards and guidelines.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sandstorm.net/products/phonesweep/modempolicy.php">Modem Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sandstorm.net/products/phonesweep/modempolicy.php</span></span><br /><span style="font-size:-1;"> Sample policy from Sandstorm, designed as an addition to an existing Remote Access Policy, if one exists, or simply to stand alone.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.epolicyinstitute.com/">Information Security Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.epolicyinstitute.com</span></span><br /><span style="font-size:-1;"> Policies on information security and other topics from ePolicy Institute.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.k12.wa.us/K-20/AUPSchBoardNetworkUse.aspx">K-20 Network Acceptable Use Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.k12.wa.us/K-20/AUPSchBoardNetworkUse.aspx</span></span><br /><span style="font-size:-1;"> Policy on acceptable use of a school network, along with information for parents and an informed consent form. Developed in Washington State.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf">Network Security Policy Guide</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf</span></span><br /><span style="font-size:-1;"> Watchguard's guide to creating an overarching network information security policy, supported by subsidiary policies.</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/newlook/resources/policies/Audit_Policy.pdf">Audit Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/newlook/resources/policies/Audit_Policy.pdf</span></span><br /><span style="font-size:-1;"> Defines requirements and provides authority for the information security team to conduct IT audits and risk assessments.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.securityfocus.com/infocus/1497">IP Network Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.securityfocus.com/infocus/1497</span></span><br /><span style="font-size:-1;"> Example security policy to demonstrate policy writing techniques introduced in three earlier articles.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/email_retention.doc">Email Retention Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/email_retention.doc</span></span><br /><span style="font-size:-1;"> Sample policy to help employees determine which emails should be retained and for how long.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/newlook/resources/policies/Internet_DMZ_Equipment_Policy.pdf">Internet DMZ Equipment Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/newlook/resources/policies/Internet_DMZ_Equipment_Policy.pdf</span></span><br /><span style="font-size:-1;"> Sample policy defining the minimum requirement for all equipment located outside the corporate firewall.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/newlook/resources/policies/Information_Sensitivity_Policy.pdf">Information Sensitivity Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/newlook/resources/policies/Information_Sensitivity_Policy.pdf</span></span><br /><span style="font-size:-1;"> Sample policy defining the assignment of sensitivity levels to information.</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="16" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="24" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Password_Policy.doc">Password Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Password_Policy.doc</span></span><br /><span style="font-size:-1;"> Defines standards for creating, protecting and changing strong passwords. [MS Word]</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.ruskwig.com/docs/internet_policy.pdf">Internet Acceptable Use Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.ruskwig.com/docs/internet_policy.pdf</span></span><br /><span style="font-size:-1;"> One page Acceptable Use Policy example.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Acceptable_Use_Policy.doc">Acceptable Use Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Acceptable_Use_Policy.doc</span></span><br /><span style="font-size:-1;"> Defines acceptable use of IT equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information. [MS Word]</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.lazarusalliance.com/horsewiki/index.php/Documents">Information Security Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.lazarusalliance.com/horsewiki/index.php/Documents</span></span><br /><span style="font-size:-1;"> Collection of policies relating to SOX, GLBA, HIPAA and the ISO/IEC 27000-series on the HORSE (Holistic Operational Readiness Security Evaluation) wiki.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/TESS-DOR-EXAMPLES.htm">Information Security Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/TESS-DOR-EXAMPLES.htm</span></span><br /><span style="font-size:-1;"> Templates for information security policies, guidelines, checklists and procedures by Walt Kobus.</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Risk_Assessment_Policy.doc">Risk Assessment Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Risk_Assessment_Policy.doc</span></span><br /><span style="font-size:-1;"> Defines requirements and authorizes the information security team to identify, assess and remediate risks to the organization's information infrastructure. [MS Word]</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf">Information Security Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf</span></span><br /><span style="font-size:-1;"> 111-page security policy manual from the Australian New South Wales Department of Commerce, based on ISO 27001.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.datasecuritypolicies.com/wp-content/uploads/2007/04/generic-personnel-security-policy.pdf">Personnel Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.datasecuritypolicies.com/wp-content/uploads/2007/04/generic-personnel-security-policy.pdf</span></span><br /><span style="font-size:-1;"> Example policy covering pre-employment screening, security policy training etc.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.apwu.org/dept/ind-rel/USPS_hbks/AS-Series/AS-805%20Information%20Security%209-05%20%281.21%20MB%29.pdf">Information Security Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.apwu.org/dept/ind-rel/USPS_hbks/AS-Series/AS-805%20Information%20Security%209-05%20(1.21%20MB).pdf</span></span><br /><span style="font-size:-1;"> US Postal Service's information security policy manual. 264 pages of security controls, broadly similar in structure to ISO 17799.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Analog_Line_Policy.doc">Analog/ISDN Line Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Analog_Line_Policy.doc</span></span><br /><span style="font-size:-1;"> Defines policy for analog/ISDN lines used for FAXing and data connections.</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Lab_Anti-Virus_Policy.doc">Anti-Virus Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Lab_Anti-Virus_Policy.doc</span></span><br /><span style="font-size:-1;"> Requirements for effective virus detection and prevention. Written for a laboratory environment but easy to adapt for other settings. [MS Word]</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Aquisition_Assessment_Policy.doc">Acquisition Assessment Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Aquisition_Assessment_Policy.doc</span></span><br /><span style="font-size:-1;"> Defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group. [MS Word]</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Dial-in_Access_Policy.doc">Dial-in Access Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Dial-in_Access_Policy.doc</span></span><br /><span style="font-size:-1;"> Policy regarding the use of dial-in connections to corporate networks. [MS Word]</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Ethics_Policy.doc">Ethics Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Ethics_Policy.doc</span></span><br /><span style="font-size:-1;"> Sample policy intended to 'establish a culture of openness, trust and integrity'.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="11" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="29" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Extranet_Policy.doc">Extranet Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Extranet_Policy.doc</span></span><br /><span style="font-size:-1;"> Defines the requirement that third party organizations requiring access to the organization's networks must sign a third-party connection agreement. [MS Word]</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.cbe.uidaho.edu/wegman/404/PRIVACY%20POLICY%20IVI%20Generic.htm">Privacy Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.cbe.uidaho.edu/wegman/404/PRIVACY%20POLICY%20IVI%20Generic.htm</span></span><br /><span style="font-size:-1;"> Generic policy for websites offering goods and services, with an important warning to seek qualified legal advice in this area.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/Cryptography%20PolicyV4.pdf">Cryptography Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/Cryptography%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> Cryptographic policy template by Walt Kobus.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/Communications%20PolicyV4.pdf">Communications Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/Communications%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> Datacommunications security policy template by Walt Kobus defines network security control requirements.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/Physical%20Security%20PolicyV4.pdf">Physical Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/Physical%20Security%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> Policy template by Walt Kobus defines requirements for physical access control to sensitive facilities and use of ID badges.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/Data%20Classification%20PolicyV4.pdf">Data Classification Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/Data%20Classification%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> Policy template by Walt Kobus describes the classification of information according to sensitivity (primarily confidentiality).</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/User%20Data%20Protection%20PolicyV4.pdf">User Data Protection Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/User%20Data%20Protection%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> Policy template by Walt Kobus defines requirements for access controls, least privilege, integrity etc. to secure personal data.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/Information%20Data-Ownership%20PolicyV4.pdf">Information Data Ownership Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/Information%20Data-Ownership%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> Policy template by Walt Kobus defines the roles and responsibilities of owners, custodians and users of information systems.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/Resource%20Utilization%20PolicyV4.pdf">Resource Utilization Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/Resource%20Utilization%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> Poilicy template by Walt Kobus defines requirements for resilience, redundancy and fault tolerance in information systems.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/Security%20Audit%20PolicyV4.pdf">Security Audit Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/Security%20Audit%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> Audit policy template by Walt Kobus.</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/Security%20Mngt%20PolicyV4.pdf">Security Management Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/Security%20Mngt%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> General information security policy template by Walt Kobus.</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Router_Security_Policy.doc">Router Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Router_Security_Policy.doc</span></span><br /><span style="font-size:-1;"> Sample policy establishing the minimum security requirements for all routers and switches connecting to production networks. [MS Word]</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Remote_Access_Policy.doc">Remote Access Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Remote_Access_Policy.doc</span></span><br /><span style="font-size:-1;"> Defines standards for connecting to a corporate network from any host. [MS Word]</span></span></td></tr> <tr valign="top"><td width="6%"> <nobr><a href="http://www.google.com/intl/en/dirhelp.html#pagerank"><img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /><img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /></a></nobr></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.enterprise-ireland.com/ebusinesssite/guides/internal_security/internal_security_index.asp">IT Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.enterprise-ireland.com/ebusinesssite/guides/internal_security/internal_security_index.asp</span></span><br /><span style="font-size:-1;"> IT security policy example/how-to guide from Enterprise Ireland.</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/DB_Credentials_Policy.doc">Database Password Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/DB_Credentials_Policy.doc</span></span><br /><span style="font-size:-1;"> Defines requirements for securely storing and retrieving database usernames and passwords. [MS Word]</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/DMZ_Lab_Security_Policy.doc">DMZ Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/DMZ_Lab_Security_Policy.doc</span></span><br /><span style="font-size:-1;"> Sample policy establishing security requirements of equipment to be deployed in the corporate De-Militarized Zone. [MS Word]</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.security.govt.nz/sigs/sigs.zip">Government Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.security.govt.nz/sigs/sigs.zip</span></span><br /><span style="font-size:-1;"> The New Zealand Government's information security policy, based on the 2000 version of ISO/IEC 17799. [ZIP file containing PDF and MS Word versions]</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/Identification%20&%20Authentication%20PolicyV4.pdf">Identification and Authentication Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/Identification%20&%20Authentication%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> I&A policy template by Walt Kobus defines requirements for access control.</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf">Certification and Accreditation Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf</span></span><br /><span style="font-size:-1;"> Policy template by Walt Kobus defines requirements and responsibilities for security assurance throughout the system development process.</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Internal_Lab_Security_Policy.doc">Laboratory Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Internal_Lab_Security_Policy.doc</span></span><br /><span style="font-size:-1;"> Policy to secure confidential information and technologies in the labs and protect production services and the rest of the organization from lab activities. [MS Word]</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.doc">Encryption Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.doc</span></span><br /><span style="font-size:-1;"> Defines encryption algorithms that are suitable for use within the organization. [MS Word]</span></span></td></tr> </tbody></table><table border="0" cellpadding="1" cellspacing="0" width="100%"> <tbody><tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://ww2.umflint.edu/its/helpdesk/security/passwords/passwords.pdf">Password Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://ww2.umflint.edu/its/helpdesk/security/passwords/passwords.pdf</span></span><br /><span style="font-size:-1;"> A password policy presented in the form of a security awareness poster. "Passwords are like underwear ..."</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.womans-work.com/teleworking_policy.htm">Telecommuting/Teleworking Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.womans-work.com/teleworking_policy.htm</span></span><br /><span style="font-size:-1;"> Sample policy on teleworking covering employment as well as information security issues.</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.attackprevention.com/Policies_and_Procedures/Sample_Policies">Information Security Policies</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.attackprevention.com/Policies_and_Procedures/Sample_Policies</span></span><br /><span style="font-size:-1;"> Collection of information security policy samples covering PKI, antivirus, ethics, email and several other topics, from AttackPrevention.</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.cusys.edu/%7Epolicies/General/email.html">Email Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.cusys.edu/~policies/General/email.html</span></span><br /><span style="font-size:-1;"> Policy from the University of Colorado on the use of, access to, and disclosure of electronic mail.</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/newlook/resources/policies/Server_Security_Policy.pdf">Server Security Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/newlook/resources/policies/Server_Security_Policy.pdf</span></span><br /><span style="font-size:-1;"> Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity.</span></span></td></tr> </tbody></table> <table border="0" cellpadding="1" cellspacing="0" width="100%"><tbody><tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/newlook/resources/policies/Application_Service_Providers.pdf">Application Service Provider Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/newlook/resources/policies/Application_Service_Providers.pdf</span></span><br /><span style="font-size:-1;"> Security criteria for an ASP.</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/newlook/resources/policies/Virtual_Private_Network.pdf">Virtual Private Network Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/newlook/resources/policies/Virtual_Private_Network.pdf</span></span><br /><span style="font-size:-1;"> Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network.</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/newlook/resources/policies/Automatically_Forwarded_Email_Policy.pdf">Email Forwarding Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/newlook/resources/policies/Automatically_Forwarded_Email_Policy.pdf</span></span><br /><span style="font-size:-1;"> Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager.</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/newlook/resources/policies/Third_Party_Agreement.pdf">Third Party Connection Agreement</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/newlook/resources/policies/Third_Party_Agreement.pdf</span></span><br /><span style="font-size:-1;"> Sample agreement for establishing a connection to an external party.</span></span></td></tr> <tr valign="top"><td width="6%"> <img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /></td> <td><span style="font-family:arial,sans-serif;"><a href="http://www.sans.org/newlook/resources/policies/Wireless_Communication_Policy.pdf">Wireless Communication Policy</a> <span style="font-size:-1;color:#6f6f6f;">- <span>http://www.sans.org/newlook/resources/policies/Wireless_Communication_Policy.pdf</span></span><br /><span style="font-size:-1;"> Sample policy concerning the use of unsecured wireless communications technology.</span></span></td></tr></tbody></table><br /><br /><br />Source : directory.google.comforfinhttp://www.blogger.com/profile/13530022499230350845noreply@blogger.com0