<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2884621962778620374</id><updated>2012-01-02T21:13:14.423-08:00</updated><category term='Data Assets'/><category term='Table of Contents'/><category term='ISO Audit'/><category term='ISMS CASE'/><category term='ISM3'/><category term='Benefits'/><category term='BS7799:2'/><category term='ISO 27000 Family'/><category term='PDF'/><category term='Implementation'/><category term='Certification'/><category term='Software and Tools'/><category term='CISSP'/><category term='Information Security Course'/><category term='Threat Analysis'/><category term='E-Book'/><category term='Audit Management Software'/><category term='Faq'/><category term='White Paper'/><category term='CIA triad'/><category term='PCI DSS'/><category term='Access Control'/><category term='ISO 27002'/><category term='management strategies'/><category term='building'/><category term='Consultant'/><category term='Risk Assessment'/><category term='Physical Security'/><category term='Step To ISMS'/><category term='HIPAA'/><category term='compliance'/><category term='ISO 27000 Toolkit'/><category term='vulnerability assessment'/><category term='Security policy'/><category term='ISO 27001'/><category term='Human resources security'/><category term='Book'/><category term='ISO/IEC 27005'/><category term='Asset management'/><category term='PDCA Cycle'/><category term='Check List'/><category term='anti-virus'/><category term='Data Back up and Recovery'/><category term='ISO 17799'/><title type='text'>Information Security Management System</title><subtitle type='html'>ISMS / ISO 27001/ ISO 27002 (17799) Knowledge</subtitle><link 
rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default?start-index=101&amp;max-results=100'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>257</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-2697170997167528258</id><published>2008-07-06T19:30:00.000-07:00</published><updated>2008-07-06T20:41:36.045-07:00</updated><title type='text'>ISMS Auditing Guideline [ Pdf File ]</title><content type='html'>Introduction&lt;br /&gt;This guideline has been written by members of the ISO27k Implementers' Forum, an international online community of nearly 1,000 practitioners actively using the ISO/IEC 27000-family of Information Security Management System (ISMS) standards known colloquially as "ISO27k", and based at ISO27001security.com. Our primary aim is to contribute to the development of the new standard ISO/IEC 27007 by providing what we, as experienced ISMS implementers and IT/ISMS auditors, believe is worthwhile content. 
A secondary aim is to provide a pragmatic and useful guideline for those involved in auditing ISMSs.&lt;br /&gt;&lt;br /&gt;At the time of first writing this guideline (February-March 2008), ISO/IEC 27007 is at the first Working Draft stage ("ISO/IEC WD 27007") and has been circulated to ISO member bodies for study and comment by March 14 2008. Its working title is "Information Technology - Security techniques - Guidelines for information security management systems auditing".&lt;br /&gt;&lt;br /&gt;The proposed outline structure of ISO/IEC WD 27007 is presently as follows:&lt;br /&gt;- Foreword and introduction&lt;br /&gt;1. Scope&lt;br /&gt;2. Normative references&lt;br /&gt;3. Terms and definitions&lt;br /&gt;4. Principles of auditing&lt;br /&gt;5. Managing an audit programme&lt;br /&gt;6. Audit activities&lt;br /&gt;7. Competence and evaluation of auditors&lt;br /&gt;- Bibliography&lt;br /&gt;&lt;br /&gt;In the proposed structure, section 6 should presumably explain how to go about auditing an ISMS. The current working draft has headings for a guide to the audit process but little content on the actual audit tests to be performed, although in section 6.3.1 it identifies a list of items that are required by ISO/IEC 27001 and says that "Auditors should check that all these documents exist and conform to the requirements in ISO/IEC 27001:2005". This is probably the most basic type of ISMS audit test: are the specified ISMS documents present? We feel that a generic ISMS audit checklist (often called an "Internal Controls Questionnaire" by IT auditors) would be a very useful addition to the standard, and producing one was a key aim of this guideline - in fact we have produced two (see the appendices). 
We also aim to contribute content to draft 27007 and hope to track its development through future revisions.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a href="http://www.iso27001security.com/ISMS_Auditing_Guideline_release_1.pdf"&gt;Read This PDF File&lt;/a&gt; &lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/2697170997167528258/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=2697170997167528258' title='41 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2697170997167528258'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2697170997167528258'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/07/isms-auditing-guideline-pdf-file.html' title='ISMS Auditing Guideline [ Pdf File ]'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>41</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-2717525285518115376</id><published>2008-07-03T18:39:00.000-07:00</published><updated>2008-07-03T18:41:47.005-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISO/IEC 27005'/><title type='text'>ISO/IEC 27005 Information technology -- Security techniques -- Information security risk management</title><content type='html'>This standard was published in 
June 2008.&lt;br /&gt;&lt;br /&gt;“ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.”&lt;br /&gt;&lt;br /&gt;ISO/IEC 27005 revises the Management of Information and Communications Technology Security (MICTS) standards ISO/IEC TR 13335-3:1998 plus ISO/IEC TR 13335-4:2000.&lt;br /&gt;&lt;br /&gt;Some personal comments on '27005&lt;br /&gt;&lt;br /&gt;[These are just my personal perspective. They inevitably reflect my own prejudices and limited experience with information security risk management.]&lt;br /&gt;&lt;br /&gt;At around 60 sides, ISO/IEC 27005 is a heavyweight standard although the main part is just 24 pages, the rest being mostly annexes with examples and further information for users. There is quite a lot of meat on the bones, reflecting the complexities in this area.&lt;br /&gt;&lt;br /&gt;Although the standard defines risk as “a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event”, the risk analysis process outlined in the standard indicates the need to identify information assets at risk, the potential threats or threat sources, the potential vulnerabilities and the potential consequences (impacts) if risks materialize. 
Examples of threats, vulnerabilities and impacts are tabulated in the annexes; although incomplete, these may prove useful for brainstorming risks relating to information assets under evaluation. It is clearly implied that automated system security vulnerability assessment tools are insufficient for risk analysis without taking into account other vulnerabilities plus the threats and impacts.&lt;br /&gt;&lt;br /&gt;The standard includes a section and annex on defining the scope and boundaries of information security risk management which should, I guess, be no less than the scope of the ISMS.&lt;br /&gt;&lt;br /&gt;The standard deliberately remains agnostic about quantitative and qualitative risk assessment methods, essentially recommending that users choose whatever methods suit them best, and noting that they are both methods of estimating, not defining, risks. Note the plural - 'methods' - the implication being that different methods might be used for, say, a high-level risk assessment followed by more in-depth risk analysis on the high risk areas. The pros and cons of quantitative vs qualitative methods do get a mention.&lt;br /&gt;&lt;br /&gt;The steps in the process are (mostly) defined to the level of inputs -&gt; actions -&gt; outputs, with additional “implementation guidance” in similar style to ISO/IEC 27002.&lt;br /&gt;&lt;br /&gt;The standard incorporates some iterative elements, e.g. if the results of an assessment are unsatisfactory, you loop back to the inputs and have another run through. 
For those of us who think in pictures, there are useful figures giving an overview of the whole process and more detail on the risk assessment -&gt; risk treatment -&gt; residual risk bit.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;From: iso27001security.com&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/2717525285518115376/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=2717525285518115376' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2717525285518115376'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2717525285518115376'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/07/isoiec-27005-information-technology.html' title='ISO/IEC 27005 Information technology -- Security techniques -- Information security risk management'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-6034404956620490366</id><published>2008-07-03T18:21:00.000-07:00</published><updated>2008-07-03T18:24:19.014-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27000 Toolkit'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit Management Software'/><title type='text'>AMS9000 
Audit Management Software</title><content type='html'>The value of information within an organisation is enormous. But there are lots of threats that put this value at risk. How to protect it best? Typically individual solutions are used to respond to specific threats. However, to be successful you need a framework for information security. This is a management system as described in ISO 17799 and BS 7799. It allows you to integrate individual solutions into one concept.&lt;br /&gt;&lt;br /&gt;The PDCA model is already used in other management systems like quality management. And it works fine within the information security management system (ISMS):&lt;br /&gt;&lt;br /&gt; * Plan: Establish the information security management system (ISMS).&lt;br /&gt; * Do: Implement and operate the ISMS.&lt;br /&gt; * Check: Monitor and review the ISMS.&lt;br /&gt; * Act: Maintain and improve the ISMS.&lt;br /&gt;&lt;br /&gt;Close the gaps with AMS9000 and protect the value of your information&lt;br /&gt;&lt;br /&gt;AMS9000 assists you in establishing and maintaining your ISMS&lt;br /&gt;&lt;br /&gt;As part of the JKT9000 family of management software modules, AMS9000 is the audit management software. This programme is designed to handle all aspects of an internal audit programme, from planning audits to the follow-up of corrective actions against deficiencies found.&lt;br /&gt;&lt;br /&gt;AMS9000 can be used to verify compliance with any kind of standard, including ISO 17799 or ISO 27001. Further, you can use it to audit e.g. your quality management system (ISO 9000) or your environmental management system (ISO 14000).&lt;br /&gt;The Workflow of the AMS9000-Navigator, ISMS Audit Software&lt;br /&gt;&lt;br /&gt;AMS9000 uses a Navigator that presents a brief workflow of the steps covered by audit management. 
To enter any of these steps, the user just clicks the icon.&lt;br /&gt;&lt;center&gt;&lt;img style="width: 768px; height: 275px;" src="http://www.noweco.com/amse.gif" alt="audit management software" border="0" /&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;Functions of AMS9000, Audit Management Software&lt;br /&gt;&lt;br /&gt;   * maintains the audit schedule, checklist preparation and all audit information.&lt;br /&gt;   * allows you to enter your own checklist items and/or text directly from your own procedures.&lt;br /&gt;   * comes with checklist requirements derived directly from the 1994 and 2000 ISO 9001 standards.&lt;br /&gt;   * stores pending files for follow-up items to be considered in future audits.&lt;br /&gt;   * allows you to take containment, corrective and preventive actions against deficiencies found in the audit.&lt;br /&gt;   * tracks all nonconformances, including actions and verification.&lt;br /&gt;   * comprises reports covering trend analysis and audit summaries, and 'reminder' reports to track corrective actions and implementations.&lt;br /&gt;   * field names on the screens can be altered to suit your company's own terminology.&lt;br /&gt;   * provides user-definable fields.&lt;br /&gt;   * all users receive the information relevant to their needs by email.&lt;br /&gt;&lt;br /&gt;Reports in AMS9000, Audit Management Software&lt;br /&gt;&lt;br /&gt;All reports mentioned below can be filtered by further criteria to meet the user's information needs.&lt;br /&gt;&lt;br /&gt;   * audit schedules&lt;br /&gt;   * audit history report&lt;br /&gt;   * print checklists&lt;br /&gt;   * internal audit Corrective Action Summary&lt;br /&gt;   * supplier audit Corrective Action Summary&lt;br /&gt;   * Corrective Actions not responded to yet&lt;br /&gt;   * NCs vs. 
ISO clause x-tab&lt;br /&gt;   * past due Corrective Action responses&lt;br /&gt;   * pending Corrective Action implementations.&lt;br /&gt;&lt;br /&gt;Besides these standard system reports, which should cover basic needs, the user has the option to create 'custom reports'.&lt;br /&gt;&lt;br /&gt;When printing Corrective Action reports, there are the following options:&lt;br /&gt;&lt;br /&gt;   * prints Corrective Action Request on a single page&lt;br /&gt;   * prints Corrective Action Request on 3 pages minimum, but expands as required&lt;br /&gt;   * prints Corrective Action Request summary and attaches all activity logs.&lt;br /&gt;   * prints Corrective Action Request summary and attaches all subcase activity.&lt;br /&gt;   * prints blank page for manual use&lt;br /&gt;   * completed Corrective Action Request form shows more details on one page&lt;br /&gt;   * Corrective Action Request 7 Step (Chrysler) Style form&lt;br /&gt;   * Corrective Action Request 8D style single page form.&lt;br /&gt;&lt;br /&gt;Module types of AMS9000, Audit Management Software&lt;br /&gt;&lt;br /&gt;   * Standalone &amp;amp; LAN Configurations&lt;br /&gt;   * WAN &amp;amp; Client Server Configurations&lt;br /&gt;   * Web-based Configuration&lt;br /&gt;&lt;br /&gt;The standards ISO 17799/ISO27001 and BS 7799&lt;br /&gt;&lt;br /&gt;ISO 17799 (ISO 27001 or BS 7799-1) is a code of practice for information security management. It gives recommendations for information security management, i.e. for initiating, implementing or maintaining security. ISO 17799 provides a comprehensive set of controls comprising best practices in information security. It is intended to provide a common basis for developing organisational security standards and effective security management practice. It provides recommendations and guidance that an organisation should usually address. This means that an organisation is expected to build on this starting point or common basis. 
This has to be kept in mind when using general checklists to audit an ISMS. The specifics of an organisation always have to be reflected in the design of the ISMS, including the audit checklist and audit procedures.&lt;br /&gt;&lt;br /&gt;BS 7799-2 is concerned with the management system. The standard mentions four major areas:&lt;br /&gt;&lt;br /&gt;   * Information Security Management System (ISMS)&lt;br /&gt;   * Management Responsibility&lt;br /&gt;   * Management Review&lt;br /&gt;   * ISMS Improvement&lt;br /&gt;&lt;br /&gt;Benefits for your information security management system&lt;br /&gt;&lt;br /&gt;AMS9000 is an audit software tool to audit an information security management system. It supports the entire audit process.&lt;br /&gt;&lt;br /&gt;It can be used to audit compliance with standards such as ISO 17799 / ISO 27001 and BS 7799.&lt;br /&gt;&lt;br /&gt;Further benefits are:&lt;br /&gt;&lt;br /&gt;   * AMS9000 can be used to audit against ISO 17799 / ISO 27001, BS 7799 and other information security standards. Beyond that, it can be used for other audits, such as those known from quality management. You do not need a different audit software for each kind of audit.&lt;br /&gt;   * AMS9000 can be used to audit against ISO 17799 and BS 7799 or any other information security management standard. It can also be used for other audits, such as those known from quality management. You do not need a different audit tool for each kind of audit.&lt;br /&gt;   * Get evidence of conformance with ISO 17799 or whatever checklist you apply. 
This can be helpful when you want to register to BS 7799 part 2.&lt;br /&gt;   * Efficient and quick analysis and reporting significantly reduce the time and resources necessary.&lt;br /&gt;   * Low training needs through ease of use and intuitive handling of the software.&lt;br /&gt;   * Management of corrective actions assists you in improving your information security management.&lt;br /&gt;&lt;br /&gt;AMS9000, Audit Management Software, is developed by&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;img src="http://www.noweco.com/jktsymb.gif" alt="audit management software" border="0" height="94" width="119" /&gt;&lt;br /&gt;&lt;br /&gt;www.noweco.com&lt;br /&gt;&lt;/center&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/6034404956620490366/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=6034404956620490366' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6034404956620490366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6034404956620490366'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/07/ams9000-audit-management-software.html' title='AMS9000 Audit Management Software'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-3274379400752220160</id><published>2008-06-30T00:08:00.000-07:00</published><updated>2008-06-30T00:10:17.632-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Certification'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>ISO 27001 Certification FAQ</title><content type='html'>&lt;span style="font-weight: bold;"&gt;What is certification?&lt;/span&gt;&lt;br /&gt;ISO/IEC 27001 certification is the process by which an organization’s ISMS is examined against the ISO/IEC 27001 specification by an accredited certification body.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What is a certification body?&lt;/span&gt;&lt;br /&gt;A certification body (also called a registration body, assessment and registration body, or registrar) is a third party that assesses and certifies that the ISMS of an organization meets the requirements of the standard.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Who accredits certification bodies?&lt;/span&gt;&lt;br /&gt;Accreditation organizations accredit the competence of certification bodies to perform services in the areas of product and management system approval. These accreditation organizations are often, but not always, national in scope.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What is the certification process?&lt;/span&gt;&lt;br /&gt;The certification process includes:&lt;br /&gt;&lt;br /&gt;  1. Part 1 audit (also known as a desktop audit). Here the CB auditor examines the pertinent documentation.&lt;br /&gt;  2. Taking action on the results of the part 1 audit.&lt;br /&gt;  3. Part 2 audit (on-site audit). Here the CB sends an audit team to examine your implementation of the reviewed, documented ISMS.&lt;br /&gt;  4. Correction of audit findings. 
Agreeing to a surveillance schedule.&lt;br /&gt;  5. Issuance of certificate. (Depending on the CB this can take a few weeks to several months.)&lt;br /&gt;&lt;br /&gt;Following initial certification, the ISMS is subject to surveillance as specified by the CB, and then requires re-certification after three years.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;From: www.atsec.com&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/3274379400752220160/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=3274379400752220160' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/3274379400752220160'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/3274379400752220160'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/06/iso-27001-certification-faq.html' title='ISO 27001 Certification FAQ'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-3084430143470783768</id><published>2008-06-30T00:05:00.000-07:00</published><updated>2008-12-09T15:46:41.601-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Certification'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title 
type='text'>ISO 27001 CERTIFICATION EXPLAINED</title><content type='html'>Contrary to common belief, certification is applicable against ISO 27001, rather than ISO 17799. The certification itself is international, in that National Accreditation Bodies have a mutual recognition model in place enabling certifications granted in one territory to be recognized in another. Clearly, this is essential for an international standard.&lt;br /&gt;&lt;br /&gt;Common reasons to seek certification include: organisational assurance; trading partner assurance; competitive advantage (market leverage); reduction or elimination of trade barriers; reduced regulation costs; and so on.&lt;br /&gt;&lt;br /&gt;To meet the certification requirements, an organization's ISMS must be audited by a 'Certification Body' (or strictly speaking, an assessor who works for a Certification Body). There is a clear segregation of duties here: the assessor must be independent of consultancy and training.&lt;br /&gt;&lt;br /&gt;A Certification Body must have been accredited by the National Accreditation Body for the territory in question (e.g. UKAS in the UK). This helps ensure that the Certification Bodies meet national and international standards for their services, and ensures consistency. 
In respect of ISO 27001, this is typically a document called EA-7/03 (‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’).&lt;br /&gt;&lt;br /&gt;The following diagram may clarify this process:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_f_y-UudDD60/SGiGBQJO31I/AAAAAAAAAJ4/aYFO5qnuPlE/s1600-h/iso+27001+certification+process.gif"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_f_y-UudDD60/SGiGBQJO31I/AAAAAAAAAJ4/aYFO5qnuPlE/s320/iso+27001+certification+process.gif" alt="ISO 27001 certification process" id="BLOGGER_PHOTO_ID_5217567524380401490" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Different certification bodies tend to adopt slightly different approaches to the exercise, with some being more 'hands on' than others. However, the following six-step process is a fairly common one:&lt;br /&gt;&lt;br /&gt;1 - Questionnaire (the Certification Body obtains details of your requirements)&lt;br /&gt;2 - Application for Assessment (you complete the application form)&lt;br /&gt;3 - Pre-assessment Visit or a ‘Gap Analysis’ (optional).&lt;br /&gt;4 - The Stage 1 Audit (a ‘Document Review’). 
This is the first part of the audit proper.&lt;br /&gt;5 - The Stage 2 Audit (otherwise called the ‘Compliance Audit’)&lt;br /&gt;6 - Ongoing Audits</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/3084430143470783768/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=3084430143470783768' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/3084430143470783768'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/3084430143470783768'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/06/iso-27001-certification-explained.html' title='ISO 27001 CERTIFICATION EXPLAINED'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_f_y-UudDD60/SGiGBQJO31I/AAAAAAAAAJ4/aYFO5qnuPlE/s72-c/iso+27001+certification+process.gif' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-1035721959416150427</id><published>2008-06-09T02:22:00.000-07:00</published><updated>2008-06-09T02:23:16.929-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='CISSP'/><category scheme='http://www.blogger.com/atom/ns#' 
term='ISO 27002'/><title type='text'>How to apply ISO 27002 to PCI DSS compliance</title><content type='html'>This tip is part of SearchSecurity.com's Compliance School lesson, Building a risk-based compliance program. Visit the Building a risk-based compliance program main page for related materials, or check out the Security School Course Catalog for more learning content.&lt;br /&gt;&lt;br /&gt;The PCI Data Security Standard (PCI DSS) consists of 12 mandatory high-level requirements for all organizations that store, transmit, or process payment cards. These 12 requirements are further subdivided into sections, describing activities that organizations must engage in while managing their networks, administering their systems, and, in general, protecting the payment card data with which they have been entrusted.&lt;br /&gt;&lt;br /&gt;While PCI DSS details compliance requirements in most areas, its directives make only passing reference (if at all) to an overall security framework into which the required actions must fit. If organizations simply follow the PCI DSS blindly, they may not achieve the overall security goals.&lt;br /&gt;&lt;br /&gt;ISO 27002, also known as ISO 17799, is a security standard of practice. In other words, it is a comprehensive list of security practices that can be applied -- in varying degrees -- to all organizations. The benefit of such a standard to organizations attempting to comply with the PCI DSS is twofold. First, it provides a framework that allows organizations to achieve their PCI security goals along with those from other sources, like industry or governmental regulations. Second, it provides guidance on how to fit some of PCI's governance and policy requirements into an organization's compliance program.&lt;br /&gt;&lt;br /&gt;For example, ISO 27002 discusses the necessity of involving business, management, human resources and technology representatives in the security program. 
It also provides references for high-level policies for important areas such as data classification, data handling and access control. While PCI DSS describes specific technical practices and organizational activities, it doesn't talk about the overall program in which these activities exist or the specific policies that require these activities.&lt;br /&gt;&lt;br /&gt;When a company establishes a program based on a broad standard like ISO 27002, it can treat the PCI DSS requirements as a subset of those required by the ISO standard. Further, a program structured according to ISO 27002 will require organizations to employ critical support systems required by many regulations (and PCI DSS in particular). For example, ISO 27002 requires change control in network administration, system configuration, policy management, procedure management and software development. PCI DSS calls out the need for accurate diagrams and documentation for its network and systems, as well as change control processes to ensure discipline in the administration of the PCI DSS-related components.&lt;br /&gt;&lt;br /&gt;ISO 27002's broad requirements for change control across all aspects of administration encourage a consistent approach throughout an enterprise. This kind of approach, when applied to PCI DSS, would help improve the consistency, effectiveness and efficiency of change control across a company and increase the likelihood that an auditor would find the company's practices acceptable.&lt;br /&gt;&lt;br /&gt;Another benefit of combining the structure of ISO 27002 with the specific requirements of PCI DSS is that PCI DSS helps organizations define three of the most challenging aspects of ISO compliance: scope of compliance, data classification and data handling. Armed with these constraining requirements, organizations can define policies and procedures that are consistent with best practice as specified by ISO and that directly address PCI DSS compliance. 
For example, PCI DSS defines which aspects of credit card data are sensitive. It describes access control requirements for credit card information, encryption requirements for transmission and storage, and even the testing necessary to verify the effectiveness of controls. These specific requirements allow organizations to state how systems must be configured, how employees must treat data and how the organization monitors the effectiveness of its controls.&lt;br /&gt;&lt;br /&gt;A growing number of organizations are building security programs according to standard frameworks like ISO 27002. These frameworks allow organizations to factor compliance with multiple regulations and contracts into their security programs in a consistent and effective manner.&lt;br /&gt;&lt;br /&gt;The beauty of using the ISO standard with specific regulations is that the regulations fill in the necessary details that the framework lacks, while the framework provides structure to address multiple sets of requirements consistently. The two concepts work hand in hand and provide effectiveness, efficiency and auditability.&lt;br /&gt;&lt;br /&gt;About the author:&lt;br /&gt;Richard E. "Dick" Mackey is regarded as one of the industry's foremost authorities on security and compliance. He is a frequent speaker and contributor to magazines and online publications. He has advised leading financial firms on compliance with PCI, GLBA and SOX. 
He has also provided guidance to a wide range of companies on enterprise security architectures, identity and access management and security policy and governance.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-1035721959416150427?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/1035721959416150427/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=1035721959416150427' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/1035721959416150427'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/1035721959416150427'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/06/how-to-apply-iso-27002-to-pci-dss.html' title='How to apply ISO 27002 to PCI DSS compliance'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-2263961720658475116</id><published>2008-06-09T02:07:00.000-07:00</published><updated>2008-06-09T02:09:08.428-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>New Risk Assessment Tool for ISO27001 Consultants Simplifies and Accelerates Compliance Process for Clients</title><content 
type='html'>Following the successful launch of the vsRisk ISO27001 compliance tool at Infosecurity Europe 2007, Vigilant Software has launched a complementary software tool for IT consultants and information security specialists. vsRisk Consultant Edition (vsRCE) is a new software product that will enable information security consultants to deploy vsRisk as their preferred risk assessment tool in up to 10 different clients.&lt;br /&gt;&lt;br /&gt;Targeted at specialist consultants dealing with ISO27001 compliance, vsRCE is an affordable and intuitive risk assessment management tool for the IT consultant community that allows consultants to directly support their clients' risk assessment activity from an off-site location. vsRCE allows clients to create and export risk assessment files that can be analysed on the consultants' own workstations or laptops and then re-imported into the client's own software.&lt;br /&gt;&lt;br /&gt;vsRCE allows IT consultants to manage up to ten separate risk assessments, or risk assessments in up to ten different organisations, each of which must have purchased its own copy of vsRisk. 
By working in harmony with its sister application vsRisk, vsRCE will dramatically reduce the time and effort it takes for companies to achieve ISO27001 compliance, transferring an important element of the work to the consultant and ensuring that the work of the project team can be monitored more closely.&lt;br /&gt;&lt;br /&gt;In addition to supporting ISO/IEC27001, vsRCE supports ISO/IEC27002 (17799); complies with BS7799-3:2006; conforms to ISO/IEC TR 13335-3:1998 and NIST SP 800-30; and complies with the UK's Risk Assessment Standard.&lt;br /&gt;&lt;br /&gt;Vigilant Software is a joint venture between IT Governance Limited, the one-stop-shop for books, tools and information on ISO27001 compliance, and Top Solutions (UK) Limited, an award-winning developer of risk management software tools.&lt;br /&gt;&lt;br /&gt;Alan Calder, Chief Executive of IT Governance, commented, "vsRCE is the perfect complement to vsRisk and offers a major enhancement to vsRisk users. By employing a consultant who uses vsRCE, companies can simplify and speed the process of achieving ISO27001 compliance. 
For consultants, it offers a means of providing greater added value and is therefore a powerful competitive advantage."&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source: compliancehome.com&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-2263961720658475116?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/2263961720658475116/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=2263961720658475116' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2263961720658475116'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2263961720658475116'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/06/new-risk-assessment-tool-for-iso27001.html' title='New Risk Assessment Tool for ISO27001 Consultants Simplifies and Accelerates Compliance Process for Clients'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-2127039691872877308</id><published>2008-01-19T05:23:00.000-08:00</published><updated>2008-01-19T05:26:46.471-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><title type='text'>Information Security Management Risks</title><content type='html'>&lt;span style="font-weight: bold;"&gt;By Anna Woodward&lt;/span&gt;&lt;br /&gt;&lt;br 
/&gt;Of course, it is always clear that “risk” is the possibility that something undesirable happens. What is not clear is how probable it is, what nature it has, and what harm it can do to an organization.&lt;br /&gt;&lt;br /&gt;Betting on some event carries the chance of financial loss: the undesirable outcome. Deciding whether we want to take on this risk means calculating the chances of winning or the odds of losing. We can implement measures to reduce the chance of the danger, and put strategies in place to handle possible unpleasant outcomes.&lt;br /&gt;&lt;br /&gt;Information security management is being aware of all elements involved in a specific risk and their relationship with your enterprise (company, web presence, etc). This is an essential basis for calculating the risk. Knowing about the threat means being able to assess it: we can choose whether we want to accept it, wait and see, or plainly avoid taking it at all.&lt;br /&gt;&lt;br /&gt;In the field of information security management, professionals should answer four main questions:&lt;br /&gt;&lt;br /&gt;1. What can happen (threat)? Client private information (especially, but not only, credit card numbers) can be stolen through an insecure network, through cracked passwords, through flawed cryptography or through untrustworthy employees.&lt;br /&gt;&lt;br /&gt;Web pages can be hacked and inappropriate content displayed. Business processes could be disrupted through web attacks, blocking the normal operations of the company.&lt;br /&gt;&lt;br /&gt;Identifying risk spots is the primary task for information security management professionals. Normally, due to the technical background of most professionals, there is a bias toward focusing on technical problems. In fact, there are often myriad ways of attacking a computer system.&lt;br /&gt;&lt;br /&gt;2. How bad can it get (impact)? Companies are responsible for keeping private information secure. 
Negligence in keeping this information secure can result in costly claims. Revealing intellectual property through negligence in security can result in an undue competitive disadvantage.&lt;br /&gt;&lt;br /&gt;The company’s reputation can be seriously damaged. Cash flow can drop for the entire duration of a web attack on the company’s servers, and usually for some time afterwards.&lt;br /&gt;&lt;br /&gt;3. How often can it happen (frequency)? The short answer is: much more often than you believe. The absence of bad news in the newspapers should not lull you into a false sense of security.&lt;br /&gt;&lt;br /&gt;Sometimes the victim company doesn’t even know that it has been hacked. Of course, if a credit card has been charged without authorization, the holder will demand a refund. However, it is not always clear where the flaw in the security lies.&lt;br /&gt;&lt;br /&gt;In other cases, a company’s intellectual property has been illegally copied and is being used without consent. The lawful owner will in many cases not even have a hint of this problem.&lt;br /&gt;&lt;br /&gt;4. How dependable are the answers to these three questions (uncertainty)? Although you can be sure that the risk exists, there is no simple way of calculating how often it materializes. You can be sure that it happens; you cannot know when or where.&lt;br /&gt;&lt;br /&gt;Consider the safety of your company’s virtual data, and have the flaws assessed by an information security management professional. If you take a “wait and see” approach, you risk an attack on your company’s documentation, private information databases, and perhaps intellectual property.&lt;br /&gt;&lt;br /&gt;Excel Partnership, Inc. wants to help your company review your information security management and tailor programs to secure your virtual data. 
Visit http://www.xlp.com for more information on preventing attack on your documentation, private information databases, and intellectual property.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source:&lt;/span&gt; &lt;a href="http://ezinearticles.com/?Information-Security-Management-Risks&amp;amp;id=712777"&gt;http://ezinearticles.com/?Information-Security-Management-Risks&amp;amp;id=712777&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-2127039691872877308?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/2127039691872877308/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=2127039691872877308' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2127039691872877308'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2127039691872877308'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/01/information-security-management-risks.html' title='Information Security Management Risks'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-6563807586064943067</id><published>2008-01-19T05:17:00.000-08:00</published><updated>2008-01-19T05:21:51.151-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category 
scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>Managing Risk in Information Technology</title><content type='html'>As information technology increasingly falls within the scope of corporate governance, management must increasingly focus on managing the risks to the achievement of its business objectives.&lt;br /&gt;&lt;br /&gt;There are two fundamental components of effective management of risk in information and information technology: the first relates to an organization’s strategic deployment of information technology in order to achieve its corporate goals; the second relates to the risks to those information assets themselves. IT systems usually represent significant investments of financial and executive resources. The way in which they are planned, managed and measured should therefore be a key management accountability, as should the way in which the risks associated with information assets themselves are managed.&lt;br /&gt;&lt;br /&gt;Clearly, well managed information technology is a business enabler. Every deployment of information technology brings with it immediate risks to the organization and, therefore, every director or executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.&lt;br /&gt;&lt;br /&gt;ITIL has long provided an extensive collection of best practice IT management processes and guidance. 
In spite of an extensive range of practitioner-orientated certified qualifications, it is not possible for any organization to prove - to its management, let alone an external third party - that it has taken the risk-reduction step of implementing best practice.&lt;br /&gt;&lt;br /&gt;More than that, ITIL is particularly weak where information security management is concerned - the ITIL book on information security really does no more than refer to a now very out-of-date version of ISO 17799, the information security code of practice.&lt;br /&gt;&lt;br /&gt;The emergence of the international Information Security Management (ISO 27001) and IT Service Management (ISO 20000) standards changes all this. They make it possible for organizations that have successfully implemented an ITIL environment to be externally certificated as having information security and IT service management processes that meet an international standard; organizations that demonstrate - to customers and potential customers - the quality and security of their IT services and information security processes achieve significant competitive advantages.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Information Security Risk&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The value of an independent information security standard may be more immediately obvious to the ITIL practitioner than that of an IT service management one. The proliferation of increasingly complex, sophisticated and global threats to information security, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is driving organizations to take a more strategic view of information security. It has become clear that hardware-, software- or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate. 
ISO/IEC 27001 (formerly BS7799) helps organizations make the step to systematically managing and controlling risk to their information assets.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;IT Process Risk&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;IT must be managed systematically to support the organization in achieving its business objectives, or it will disrupt business processes and undermine business activity. IT management, of course, has its own processes - and many of these processes are common across organizations of all sizes and in many sectors. Processes deployed to manage the IT organization itself need both to be effective and to ensure that the IT organization delivers against business needs. IT service management is a concept that embraces the notion that the IT organization (known, in ISO/IEC 20000 as in ITIL, as the “service provider”) exists to deliver services to business users, in line with business needs, and to ensure the most cost-effective use of IT assets within that overall context. ITIL, the IT Infrastructure Library, emerged as a collection of best practices that could be used in various organizations. ISO/IEC 20000, the IT service management standard, provides a best-practice specification that sits on top of ITIL.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Regulatory and Compliance Risk&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;All organizations are subject to a range of information-related national and international legislation and regulatory requirements. These range from broad corporate governance guidelines to the detailed requirements of specific regulations. UK organizations are subject to some, or all, of:&lt;br /&gt;&lt;br /&gt;- Combined Code and Turnbull Guidance (UK)&lt;br /&gt;- Basel II&lt;br /&gt;- EU data protection and privacy regimes&lt;br /&gt;- Sectoral regulation: FSA (1), MiFID (2), AML (3)&lt;br /&gt;- Human Rights Act, Regulation of Investigatory Powers Act&lt;br /&gt;- Computer misuse regulation&lt;br /&gt;&lt;br /&gt;Those organizations with US operations may also be subject to US regulations such as Sarbanes-Oxley and SEC regulations, as well as sectoral regulation such as GLBA (4), HIPAA (5) and the USA PATRIOT Act. Most organizations are possibly also subject to US state laws that appear to have wider applicability, including SB 1386 (California Information Practice Act) and OPPA (6). 
Compliance depends as much on information security as on IT processes and services.&lt;br /&gt;&lt;br /&gt;Many of these regulations have emerged only recently and most have not yet been adequately tested in the courts. There has been no co-ordinated national or international effort to ensure that these regulations - particularly those around personal privacy and data protection - are effectively harmonized. As a result, there are overlaps and conflicts between many of them and, while this is of little importance to organizations trading exclusively within one jurisdiction, the reality is that many enterprises today are trading on an international basis, particularly if they have a website or are connected to the Internet.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Management Systems&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;A management system is a formal, organized approach used by an organization to manage one or more components of its business, including quality, the environment, occupational health and safety, information security and IT service management. Most organizations - particularly younger, less mature ones - have some form of management system in place, even if they’re not aware of it. More developed organizations use formal management systems which they have certified by a third party for conformance to a management system standard. 
Organizations that use formal management systems today include corporations, medium- and small-sized businesses, government agencies, and non-governmental organizations (NGOs).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Standards and Certifications&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Formal standards provide a specification against which aspects of an organization’s management system can be independently audited by an accredited certification body and, if the management system is found to conform to the specification, the organization can be issued with a formal certificate confirming this. Organizations that are certificated to ISO 9000 will already be familiar with the certification process.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Integrated Management Systems&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Organizations can choose to certify their management systems to more than one standard. This enables them to integrate the processes that are common - management review, corrective and preventative action, control of documents and records, and internal quality audits - to each of the standards in which they are interested. There is already an alignment of clauses in ISO 9000, ISO 14001 (the environmental management system standard) and OHSAS 18001 (the health and safety management standard) that supports this integration, which enables organizations to benefit from lower-cost initial audits and fewer surveillance visits and which, most importantly, allows organizations to ‘join up’ their management systems.&lt;br /&gt;&lt;br /&gt;The emergence of these international standards now enables organizations to develop an integrated IT management system that is capable of multiple certification and of external, third-party audit, while drawing simultaneously on the deeper best practice contained in ITIL. 
This is a huge step forward for the ITIL world.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;     (1) Financial Services Authority&lt;br /&gt;     (2) Markets in Financial Instruments Directive&lt;br /&gt;     (3) Anti-money laundering regulations&lt;br /&gt;     (4) Gramm-Leach-Bliley Act&lt;br /&gt;     (5) Health Insurance Portability and Accountability Act&lt;br /&gt;     (6) Online Personal Privacy Act&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;About the Author&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Alan Calder is an international authority on IT Governance and information security management. He led the world’s first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799. The 3rd edition of this book is the basis for the UK Open University’s postgraduate course on Information Security. He has just written, for BSI, a management guide on integrating ISO 27001 and ISO 20000 Management Systems, drawing heavily on ITIL best practice. He is a consultant to companies around the world, including Cisco.
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-6563807586064943067?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/6563807586064943067/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=6563807586064943067' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6563807586064943067'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6563807586064943067'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/01/managing-risk-in-information-technology.html' title='Managing Risk in Information Technology'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-4785827765363904570</id><published>2008-01-10T22:38:00.000-08:00</published><updated>2008-01-10T22:39:23.072-08:00</updated><title type='text'>Create Your Own Security Audit</title><content type='html'>Every business, including yours, has valuable IT assets such as computers, networks, and data. 
Protecting those assets requires that companies big and small conduct their own &lt;a href="http://www.itsecurity.com/security-audit/" target="_blank"&gt;IT security audits&lt;/a&gt; in order to get a clear picture of the security risks they face and how best to deal with those threats.&lt;br /&gt;&lt;br /&gt;The following are 10 steps to conducting your own basic IT security audit. While these steps won't be as extensive as audits provided by professional consultants, this DIY version will get you started on the road to protecting your own company.&lt;br /&gt; &lt;h3&gt;1. Defining the Scope of Your Audit: Creating Asset Lists and a Security Perimeter&lt;/h3&gt; The first step in conducting an audit is to create a master list of the assets your company has, in order to later decide what needs to be protected through the audit. While it is easy to list your tangible assets, things like computers, servers, and files, it becomes more difficult to list intangible assets. To ensure consistency in deciding which intangible company assets are included, it is helpful to draw a "security perimeter" for your audit.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What is the Security Perimeter?&lt;/strong&gt;&lt;br /&gt;The security perimeter is both a conceptual and physical boundary within which your security audit will focus, and outside of which your audit will ignore. You ultimately decide for yourself what your security perimeter is, but a general rule of thumb is that the security perimeter should be the &lt;em&gt;smallest&lt;/em&gt; boundary that contains the assets that you own and/or need to control for your own company's security.&lt;br /&gt;&lt;br /&gt; &lt;strong&gt;Assets to Consider&lt;/strong&gt;&lt;br /&gt;Once you have drawn up your security perimeter, it is time to complete your asset list. That involves considering every potential company asset and deciding whether or not it fits within the "security perimeter" you have drawn. 
To get you started, here is a list of common sensitive assets:&lt;br /&gt; &lt;ol&gt;&lt;li&gt;Computers and laptops&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.dailywireless.com/comparison-guides/80211n-router-comparison-guide/" target="_blank"&gt;Routers&lt;/a&gt; and networking equipment&lt;/li&gt;&lt;li&gt;Printers&lt;/li&gt;&lt;li&gt;Cameras, digital or analog, with company-sensitive photographs&lt;/li&gt;&lt;li&gt;Data - sales, customer information, employee information&lt;/li&gt;&lt;li&gt;Company smartphones/PDAs&lt;/li&gt;&lt;li&gt;&lt;a target="_blank" href="http://www.voip-news.com/"&gt;VoIP&lt;/a&gt; phones, &lt;a target="_blank" href="http://www.voip-news.com/pbx/"&gt;IP PBXs&lt;/a&gt; (digital version of phone exchange boxes), related servers&lt;/li&gt;&lt;li&gt;VoIP or regular phone call recordings and records&lt;/li&gt;&lt;li&gt;Email&lt;/li&gt;&lt;li&gt;Log of employees' daily schedules and activities&lt;/li&gt;&lt;li&gt;Web pages, especially those that ask for customer details and those that are backed by web scripts that query a database&lt;/li&gt;&lt;li&gt;Web server computer&lt;/li&gt;&lt;li&gt;Security cameras&lt;/li&gt;&lt;li&gt;Employee access cards&lt;/li&gt;&lt;li&gt;Access points (i.e., any scanners that control room entry)&lt;/li&gt;&lt;/ol&gt; This is by no means an exhaustive list, and you should at this point spend some time considering what other sensitive assets your company has. The more detail you use in listing your company's assets (e.g., "25 Dell Laptops Model D420 Version 2006" instead of "25 Computers") the better, because this will help you recognize more clearly the &lt;em&gt;specific&lt;/em&gt; threats which face each particular company asset.&lt;br /&gt; &lt;h3&gt;2. Creating a 'Threats List'&lt;/h3&gt; You can't protect assets simply by knowing what they are; you also have to understand how each individual asset is threatened. 
So in this stage you will compile an overall list of the threats which currently face your assets.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What Threats to Include?&lt;/strong&gt;&lt;br /&gt;If your threat list is too broad, your security audit will end up focused on threats which are extremely small or remote. When deciding whether to include a particular threat on your 'Threat List', keep in mind that your test should follow a sliding scale. For example, if you are considering whether to include the possibility of a hurricane flooding your servers, you should consider both how remote the threat is and how devastating the harm would be if it occurred. A moderately remote harm can still reasonably be included in your threat list if the potential harm it would bring to your company is large enough.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Common Threats to Get You Started&lt;/strong&gt;&lt;br /&gt;Here are some relatively common security threats to help you get started in creating your company's threat list:&lt;br /&gt; &lt;ol&gt;&lt;li&gt;&lt;strong&gt;Computer and network passwords&lt;/strong&gt;. Is there a log of all people with passwords (and of what type)? How secure is this ACL, and how strong are the passwords currently in use?&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Physical assets&lt;/strong&gt;. Can computers or laptops be picked up and removed from the premises by visitors or even employees?&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Records of physical assets&lt;/strong&gt;. Do they exist? Are they backed up?&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Data backups&lt;/strong&gt;. What backups of virtual assets exist, how are they backed up, where are the backups kept, and who conducts the backups?&lt;br /&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Logging of data access&lt;/strong&gt;. 
Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Access to sensitive customer data, e.g., credit card info&lt;/strong&gt;. Who has access? How can access be controlled? Can this information be accessed from outside the company premises?&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Access to client lists&lt;/strong&gt;. Does the website allow &lt;a href="http://www.itsecurity.com/features/trapdoors-backdoors-103007/" target="_blank"&gt;backdoor&lt;/a&gt; access into the client database? Can it be &lt;a href="http://www.itsecurity.com/features/top-10-famous-hackers-042407/" target="_blank"&gt;hacked&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Long-distance calling&lt;/strong&gt;. Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Emails&lt;/strong&gt;. Are spam filters in place? Do employees need to be educated on how to spot potential &lt;a href="http://www.itsecurity.com/features/email-inbox-security-011107/" target="_blank"&gt;spam&lt;/a&gt; and &lt;a href="http://www.networksecurityjournal.com/features/44-ways-protect-phishing/" target="_blank"&gt;phishing&lt;/a&gt; emails? Is there a company policy that outgoing emails to clients not have certain types of hyperlinks in them?  &lt;/li&gt;&lt;/ol&gt;  &lt;h3&gt;3. Past Due Diligence &amp;amp; Predicting the Future&lt;/h3&gt; At this point, you have compiled a list of &lt;em&gt;current&lt;/em&gt; threats, but what about security threats that have not come on to your radar yet, or haven't even been developed? 
A good security audit should account not just for those security threats that face your company today, but those that will arise in the future.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Examining Your Threat History&lt;/strong&gt;&lt;br /&gt;The first step towards predicting future threats is to examine your company's records and speak with long-time employees about past security threats that the company has faced. Most threats repeat themselves, so by cataloging your company's past experiences and including the relevant threats on your threat list you'll get a more complete picture of your company's vulnerabilities.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Checking Security Trends&lt;/strong&gt;&lt;br /&gt;In addition to checking for security threats specific to your particular industry, look at &lt;a href="http://www.itsecurity.com/whitepaper/malware-trends-ironport/"&gt;ITSecurity.com's&lt;/a&gt; recent white paper, which covers trends for 2007, and its regularly updated &lt;a href="http://www.itsecurity.com/blog/"&gt;blog&lt;/a&gt;, which will keep you abreast of new security threat developments. Spend some time looking through these resources and consider how these trends are likely to affect your business in particular. If you're stumped you may want to &lt;a href="http://www.itsecurity.com/expert/ask-a-question/"&gt;Ask the IT Security Experts&lt;/a&gt; directly.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Checking with Your Competition&lt;/strong&gt;&lt;br /&gt;When it comes to outside security threats, companies that are ordinarily rivals often turn into one another's greatest asset. By developing a relationship with your competitors and sharing information about security threats with one another, you can build a clearer picture of the future threats your company will face.&lt;br /&gt; &lt;h3&gt;4. Prioritizing Your Assets &amp;amp; Vulnerabilities&lt;/h3&gt; You have now developed a complete list of all the assets and security threats that your company faces. 
But not every asset or threat has the same priority level. In this step, you will prioritize your assets and vulnerabilities in order to know your company's greatest security risks, so that you can allocate your company's resources accordingly.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Perform a Risk Calculation/ Probability Calculation&lt;/strong&gt;&lt;br /&gt;The bigger the risk, the higher the priority of dealing with the underlying threat. The formula for calculating risk is:&lt;br /&gt;&lt;br /&gt;Risk = Probability x Harm&lt;br /&gt;&lt;br /&gt;The risk formula just means that you multiply the likelihood of a security threat actually occurring (probability) by the damage that would occur to your company if the threat actually did occur (harm). The number that comes out of that equation is the risk that threat poses to your company.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Calculating Probability&lt;/strong&gt;&lt;br /&gt;Probability is simply the chance that a particular threat will actually occur. Unfortunately, there isn't a book that lists the probability that your website will be hacked this year, so you have to come up with those figures yourself.&lt;br /&gt;&lt;br /&gt;Your first step in calculating probability should be to do some research into your company's history with this threat, your competitors' history, and any empirical studies on how often most companies face this threat. Any probability figure that you ultimately come up with is an estimate, but the more accurate the estimate, the better your risk calculation will be.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Calculating Harm&lt;/strong&gt;&lt;br /&gt;How much damage would a particular threat cause if it occurred? Calculating the potential harm of a threat can be done in a number of different ways. You might count up the cost in dollars of replacing the lost asset or revenue. 
Or instead you might calculate the harm as the number of man-hours which would be lost trying to remedy the damage once it has occurred. But whatever method you use, it is important that you stay consistent throughout the audit in order to get an accurate priorities list. &lt;h3&gt;Developing Your Security Threat Response Plan&lt;/h3&gt; When working down your newly developed priority list, there will be a number of potential responses you could make to any particular threat. The remaining six points in this article cover the primary responses a company can make to a particular threat. While these security responses are by no means the only appropriate ways to deal with a security threat, they will cover the vast majority of the threats your company faces, and as a result you should go through this list of potential responses before considering any alternatives.&lt;br /&gt;&lt;h3&gt;5. Implementing Network Access Controls&lt;/h3&gt; Network Access Controls, or &lt;a href="http://www.itsecurity.com/features/introduction-network-access-control-120506/"&gt;NACs&lt;/a&gt;, check the security of any user trying to access a network. So, for example, if you are trying to come up with a solution for the security threat of your competition stealing company information from private parts of the company's website, applying network access controls or NACs is an excellent solution.&lt;br /&gt;Part of implementing effective NAC is to have an &lt;a target="_blank" href="http://en.wikipedia.org/wiki/Access_control"&gt;ACL&lt;/a&gt; (Access Control List), which indicates user permissions to various assets and resources. Your NAC might also include steps such as encryption, digital signatures, ACLs, verifying IP addresses and user names, and checking cookies for web pages.&lt;br /&gt; &lt;h3&gt;6. 
Implementing Intrusion Prevention&lt;/h3&gt;&lt;p&gt; While a Network Access Control deals with threats of unauthorized people accessing the network by taking steps like password protecting sensitive data, an &lt;a href="http://www.networksecurityjournal.com/intrusion-prevention/" target="_blank"&gt;Intrusion Prevention System&lt;/a&gt; (IPS) prevents more malicious attacks from the likes of hackers.&lt;/p&gt;&lt;p&gt; The most common form of an IPS is a second generation &lt;a href="http://www.itsecurity.com/firewalls/" target="_blank"&gt;firewall&lt;/a&gt;. Unlike first generation firewalls, which were merely content based filters, a second generation firewall adds to the content filter a 'Rate-based filter'.&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Content-based&lt;/strong&gt;. The firewall does a &lt;a target="_blank" href="http://en.wikipedia.org/wiki/Deep_packet_inspection"&gt;deep packet inspection&lt;/a&gt;, which is a thorough look at actual application content, to determine if there are any risks.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Rate-based&lt;/strong&gt;. Second generation firewalls perform advanced analyses of either web or network traffic patterns or inspection of application content, flagging unusual situations in either case.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;  &lt;h3&gt;7. Implementing Identity &amp;amp; Access Management&lt;/h3&gt;  &lt;a target="_blank" href="http://www.websitesource.com/blog/index.php/2006/10/30/securing_data"&gt;Identity and&lt;/a&gt; &lt;a target="_blank" href="http://www.cafesoft.com/products/cams/access-management-white-paper.html"&gt;Access Management&lt;/a&gt; (&lt;a target="_blank" href="http://en.wikipedia.org/wiki/Identity_and_Access_Management"&gt;IAM&lt;/a&gt;) simply means controlling users' access to specific assets. Under an IAM, users have to manually or automatically identify themselves and be authenticated. 
Once authenticated, they are given access to those assets to which they are authorized.&lt;br /&gt;&lt;br /&gt;An IAM is a good solution when trying to keep employees from accessing information they are not authorized to access. So, for instance, if the threat is that employees will steal customers' credit card information, an IAM solution is your best bet.&lt;br /&gt;  &lt;h3&gt;8. Creating Backups&lt;/h3&gt; When we think of IT security threats, the first thing that comes to mind is hacking. But a far more common threat to most companies is the accidental loss of information. Although it's not sexy, the most common way to deal with threats of information loss is to develop a plan for regular backups. These are a few of the most common backup options and questions you should consider when developing your own backup plan:&lt;br /&gt;  &lt;ul&gt;&lt;li&gt;&lt;strong&gt;Onsite storage&lt;/strong&gt;. Onsite storage can come in several forms, including removable hard drives or tape backups stored in a fireproofed, secured-access room. The same data can be stored on hard drives which are networked internally but separated by a DMZ (demilitarized zone) from the outside world.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Offsite storage&lt;/strong&gt;. Mission-critical data could be stored offsite, as an extra backup to onsite versions. Consider worst-case scenarios: If a fire occurred, would your hard-drives or digital tapes be safe? What about in the event of a hurricane or earthquake? Data can be moved offsite manually on removable media, or through a &lt;a href="http://www.itsecurity.com/whitepaper/ssl-vpn-vs-ipsec-vpn-nsj/" target="_blank"&gt;VPN&lt;/a&gt; (Virtual Private Network) over the Internet.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Secured access to backups&lt;/strong&gt;. Occasionally, the need to access data backups will arise. 
Access to such backups, whether to a fireproofed room or vault, or to an offsite data center, physically or through a VPN, must be secure. This could mean issuing keys, RFID-enabled "smart pass cards", VPN passwords, safe combinations, etc.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Scheduling backups&lt;/strong&gt;. Backups should be automated as much as possible, and scheduled to cause minimum disruption to your company. When deciding on the frequency of backups, be aware that if your backups aren't frequent enough to be relevant when called upon, they are not worth conducting at all. &lt;/li&gt;&lt;/ul&gt;  &lt;h3&gt;9. Email Protection &amp;amp; Filtering&lt;/h3&gt;&lt;p&gt; Each day, &lt;a target="_blank" href="http://en.wikipedia.org/wiki/E-mail_spam"&gt;55 billion spam messages&lt;/a&gt; are sent by email throughout the world. To limit the security risk that unwanted emails pose, spam filters and an educated workforce are a necessary part of every company's security efforts. So, if the threat you are confronting is spam emails, the obvious (and correct) response is to implement an email security and filtering system for your company. &lt;/p&gt;&lt;p&gt; While the specific &lt;a href="http://w.on24.com/r.htm?e=31330&amp;amp;s=1&amp;amp;k=4F3C9E916ADB0DC0C1C2A628F11D20BC&amp;amp;partnerref=it-security-audit" target="_blank"&gt;email security threats&lt;/a&gt;  confronting your company will determine the appropriate email protections you choose, here are a few common features:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Encrypt emails&lt;/strong&gt;. When sending sensitive emails to other employees at other locations, or to clients, &lt;a href="http://www.itsecurity.com/features/five-steps-email-security-092106/"&gt;emails should be encrypted&lt;/a&gt;. 
If you have international clients, make sure that you use encryption allowed outside of the United States and Canada.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Try steganography&lt;/strong&gt;. &lt;a target="_blank" href="http://en.wikipedia.org/wiki/Steganography"&gt;Steganography&lt;/a&gt; is a technique for hiding information discreetly in the open, such as within a digital image. However, unless combined with something like encryption, it is not secure and could be detected.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Don't open unexpected attachments&lt;/strong&gt;. Even if you know the sender, if you are not expecting an email attachment, don't open it, and teach your employees to do the same.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Don't open unusual email&lt;/strong&gt;. No spam filter is perfect. But if your employees are educated about common spam techniques, you can help keep your company assets free of viruses.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;  &lt;h3&gt;10. Preventing Physical Intrusions&lt;/h3&gt; Despite the rise of new generation threats like hacking and email spam, old threats still imperil company assets. One of the most common threats is physical intrusions. If, for example, you are trying to deal with the threat of a person breaking into the office and stealing company laptops, and along with them valuable company information, then a plan for dealing with physical intrusions is necessary.&lt;br /&gt;&lt;br /&gt;Here are some common physical threats along with appropriate solutions for dealing with them:&lt;br /&gt; &lt;ul&gt;&lt;li&gt;&lt;strong&gt;Breaking into the office: Install a detection system&lt;/strong&gt;. 
Companies like ADT have a &lt;a target="_blank" href="http://www.adt.com/smbiz/"&gt;variety of solutions&lt;/a&gt; for intrusion detection and prevention, including video surveillance systems.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Stolen laptop: Encrypt hard drive&lt;/strong&gt;. &lt;a href="http://www.itsecurity.com/vendors/microsoft-corporation/" target="_blank"&gt;Microsoft&lt;/a&gt; offers an Encrypting File System, or &lt;a target="_blank" href="http://www.microsoft.com/technet/security/smallbusiness/topics/cryptographyetc/protect_data_efs.mspx"&gt;EFS&lt;/a&gt;, which can be used to encrypt sensitive files on a laptop.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Stolen screaming smart phones&lt;/strong&gt;. A new service from &lt;a target="_blank" href="http://synchronica.com/press/releases/061018-synchronica-gets-symbian-smartphones-screaming-with-mobile-manager.html"&gt;Synchronica&lt;/a&gt; protects smartphones and PDAs, should they be stolen. Once protected, a stolen phone cannot be used without an authorization code. If this is not given correctly, all data is wiped from the phone and a high-pitched "scream" is emitted. Once your phone is recovered, the data can be restored from remote servers. Currently, this particular service is limited to the UK, but comparable services are available throughout the world.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Kids + Pets = Destruction: Prevent unauthorized access&lt;/strong&gt;. For many small-business owners, the opportunity to work from home is an important perk. But having children and/or pets invading office space and assets can often be a greater risk than that posed by hackers. By creating an appropriate-use policy and sticking with it, small business owners can quickly deal with one of their most significant threats.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Internal Click Fraud: Education and Blocks&lt;/strong&gt;. 
Many web-based businesses run advertising such as &lt;a href="http://www.google.com/adsense/"&gt;Google AdSense&lt;/a&gt; or &lt;a target="_blank" href="http://www.chitika.com/"&gt;Chitika&lt;/a&gt; to add an extra revenue stream. However, inappropriate clicking of the ads by employees or family can cause your account to be suspended. Make employees aware of such things, and prevent the company's live website from being viewed internally. &lt;/li&gt;&lt;/ul&gt;   &lt;h3&gt;Conclusion&lt;/h3&gt;&lt;p&gt; These 10 steps to conducting your own IT Security Audit will take you a long way towards becoming more aware of the security threats facing your company as well as help you begin to develop a plan for confronting those threats. But it is important to remember that security threats are always changing, and keeping your company safe will require that you continually assess new threats and revisit your response to old ones.&lt;/p&gt;&lt;p&gt;For further research, visit IT Security's &lt;a href="http://www.itsecurity.com/security-audit/"&gt;Security Audit Resource Center&lt;/a&gt;. 
&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/4785827765363904570/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=4785827765363904570' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/4785827765363904570'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/4785827765363904570'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/01/create-your-own-security-audit.html' title='Create Your Own Security Audit'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-5082895330076209661</id><published>2008-01-10T22:18:00.000-08:00</published><updated>2008-01-10T22:30:05.104-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='Security policy'/><title type='text'>BS7799-2 - the ISMS concept</title><content type='html'>&lt;a name="BS7799 - the ISMS concept" class="H2" id="BS7799 - the ISMS concept"&gt;&lt;/a&gt;An idealised structure for an ISMS is shown opposite. It shows the traditional approach to risk management augmented by the addition of a new feedback loop. 
In scoping the problem, BS7799-2 implies an "information-centric" view of the world, to avoid the trap of failing to take account of less obvious vulnerabilities such as people, cell phones and laptops. It further implies information policies that clearly identify the business priorities concerning information, and why, and in addition, risk assessments that identify what networks really are, not what people think they are! &lt;p&gt; &lt;img src="http://www.gammassl.co.uk/images/riskman.gif" alt="Diagram of the original (1999) concept of an ISMS showing that a feedback loop is required from the step called &amp;quot;managing the risks&amp;quot; to the previous step called &amp;quot;perform the risk assessment&amp;quot;. Dr. Brewer referred to the original ISMS specification as a weak specification because this feedback loop was missing. In the 2002 revision (as in the 2005 ISO/IEC standard) this feedback loop is included by adoption of the Deming cycle (plan-do-check-act)." height="262" width="441" /&gt;&lt;/p&gt; &lt;p&gt;BS7799-2 requires management to identify vulnerabilities and select the safeguards with a priority that matches the business priorities specified in the security policy. Reiteration is encouraged, choosing alternate safeguards until management is satisfied with the residual risks and costs involved. Once the chosen safeguards have been implemented, the ideal ISMS monitors their effectiveness; it does not assume that they will work as intended. Management should regularly re-appraise the situation. Even if nothing is supposed to have changed, the risk assessment should be regularly repeated (this is the new feedback loop). Management should assume, for example, that their networks have changed - most networks do with time! In any case, doubtless someone will have identified new vulnerabilities. 
Of course, if the business requirements have changed, there will be a need to re-scope the problem and revise the security policy accordingly.&lt;/p&gt;&lt;span style="font-weight: bold;"&gt;Source : http://www.gammassl.co.uk/inforisk/riskpart4.html&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/5082895330076209661/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=5082895330076209661' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5082895330076209661'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5082895330076209661'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/01/bs7799-2-isms-concept.html' title='BS7799-2 - the ISMS concept'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-7079658970564356503</id><published>2008-01-10T22:06:00.000-08:00</published><updated>2008-01-10T22:17:58.216-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='White Paper'/><category scheme='http://www.blogger.com/atom/ns#' term='Implementation'/><title type='text'>ISMS Implementation Guide [White Paper]</title><content type='html'>ISMS Implementation Guide&lt;br /&gt;&lt;br /&gt;Usage note&lt;br 
/&gt;Note: The intent of this document is to help you recognize the activities related to establishing an ISMS. This document should not be considered as professional consulting for establishing or implementing an ISMS. Use of this guide does not guarantee a successful implementation nor an implementation that is ready for certification. If you want to implement an ISMS, consider hiring a professional consultant who specializes in ISMS implementation.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Table of contents&lt;/span&gt;&lt;br /&gt;Overview of an ISMS&lt;br /&gt;1 Purchase a copy of the ISO/IEC standards&lt;br /&gt;2 Obtain management support&lt;br /&gt;3 Determine the scope of the ISMS&lt;br /&gt;4 Identify applicable legislation&lt;br /&gt;5 Define a method of risk assessment&lt;br /&gt;6 Create an inventory of information assets to protect&lt;br /&gt;7 Identify risks&lt;br /&gt;8 Assess the risks&lt;br /&gt;9 Identify applicable objectives and controls&lt;br /&gt;10 Set up policy and procedures to control risks&lt;br /&gt;11 Allocate resources and train the staff&lt;br /&gt;12 Monitor the implementation of the ISMS&lt;br /&gt;13 Prepare for certification audit&lt;br /&gt;14 Ask for help&lt;br /&gt;Appendix A Documents and Records&lt;br /&gt;&lt;br /&gt;Overview of an ISMS&lt;br /&gt;Information security is the protection of information to ensure:&lt;br /&gt;• Confidentiality: ensuring that the information is accessible only to those authorized to access it.&lt;br /&gt;• Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.&lt;br /&gt;• Availability: ensuring that the information is accessible to authorized users when required.&lt;br /&gt;Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).&lt;br /&gt;An Information Security Management System (ISMS) is a way to protect and manage information based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. 
It is an organizational approach to information security.&lt;br /&gt;ISO/IEC publishes two standards that focus on an organization’s ISMS:&lt;br /&gt;• The code of practice standard: ISO/IEC 27002 (ISO/IEC 17799). This standard can be used as a starting point for developing an ISMS. It provides guidance for planning and implementing a program to protect information assets. It also provides a list of controls (safeguards) that you can consider implementing as part of your ISMS.&lt;br /&gt;• The management system standard: ISO/IEC 27001. This standard is the specification for an ISMS. It explains how to apply ISO/IEC 27002 (ISO/IEC 17799). It provides the standard against which certification is performed, including a list of required documents. An organization that seeks certification of its ISMS is examined against this standard.&lt;br /&gt;These standards are copyright protected text and must be purchased. (For purchasing information, refer to section 1, “Purchase ISO standards.”)&lt;br /&gt;The standards set forth the following practices:&lt;br /&gt;• All activities must follow a method. The method is arbitrary but must be well defined and documented.&lt;br /&gt;• A company or organization must document its own security goals. An auditor will verify whether these requirements are fulfilled.&lt;br /&gt;• All security measures used in the ISMS shall be implemented as the result of a risk analysis in order to eliminate or reduce risks to an acceptable level.&lt;br /&gt;• The standard offers a set of security controls. 
It is up to the organization to choose which controls to implement based on the specific needs of their business.&lt;br /&gt;• A process must ensure the continuous verification of all elements of the security system through audits and reviews.&lt;br /&gt;• A process must ensure the continuous improvement of all elements of the information and security management system. (The ISO/IEC 27001 standard adopts the Plan-Do-Check-Act [PDCA] model as its basis and expects the model will be followed in an ISMS implementation.)&lt;br /&gt;These practices form the framework within which you&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.atsec.com/downloads/pdf/iso-27001/ISMS-Implementation-Guide-and-Examples.pdf"&gt;Read This White Paper&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/7079658970564356503/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=7079658970564356503' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7079658970564356503'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7079658970564356503'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/01/isms-implementation-guide-white-paper.html' title='ISMS Implementation Guide [White Paper]'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-6393476165081193144</id><published>2008-01-10T21:04:00.000-08:00</published><updated>2008-01-10T22:06:17.200-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Asset management'/><title type='text'>Protecting your information assets</title><content type='html'>&lt;p&gt;In a world where information is both the currency and the key asset of many major organisations, effective information security is well-recognised as both a business and risk management priority. &lt;/p&gt;&lt;p&gt;What is less well understood – in particular in an environment characterised by constant change and an ever-expanding web of critical interdependencies – is how best to achieve information security. &lt;/p&gt;&lt;p&gt;According to SAI Global Information Security Management Systems Program Manager, Mr Brahman Thiyagalingham: “Within many leading corporates there is a fair understanding that the failure to maintain the confidentiality of information, the integrity of information and the availability of information may present an unacceptable risk.” &lt;/p&gt;&lt;p&gt;According to Mr Thiyagalingham, fast-moving technology, the emergence of relatively new information-based businesses and, until recently, a lack of widely accepted information security management guidelines, have led to something of an ad hoc approach to information security management. &lt;/p&gt;&lt;p&gt;One common approach taken by major corporates has been to have their information security needs addressed by external consultants, who also assist with the maintenance and assessment of the systems. &lt;/p&gt;&lt;p&gt;“Certainly there are merits to this approach in terms of creating and implementing a management system,” said Mr Thiyagalingham. 
“Where a system can fall down, however, is when the management system developer and implementer is also the person who carries out regular assessments (internal audits) to determine compliance with information security objectives. If we have learned anything from some of the more spectacular collapses and corporate scandals of recent years, it is that the integrity of governance arrangements must be beyond reproach to preserve the integrity of the whole. When information integrity is such a critical resource, the same principles should apply. And, as is the case with corporate governance, meaningful assurance is best provided by independent, arm’s length assessors such as an independent accredited certification body.” &lt;/p&gt;&lt;p&gt;According to Mr Thiyagalingham, a number of recent developments would indicate that major corporations will soon be travelling the independent assurance route to information security. &lt;/p&gt;&lt;p&gt;One is the release of the most recent Standard for Information Security Management, AS/NZS 7799.2:2003, providing an internationally recognised framework for developing an effective Information Security Management System (ISMS). &lt;/p&gt;&lt;p&gt;“The latest release enhances the original 2000 Standard,” said Mr Thiyagalingham. “It has now been around long enough for business to be aware of it and get their heads around it. It’s an invaluable tool that can help navigate a notoriously difficult terrain. The fact that a resulting ISMS can be assessed by independent experts, and that the resulting certification is internationally recognised offers businesses major advantages that they are coming to appreciate.” &lt;/p&gt;&lt;p&gt;Another indicator of the growing emergence of – and demand for – certified information security management systems is their increased uptake by the telecommunications, banking, data management and public sectors. 
&lt;/p&gt;&lt;p&gt;“This will necessarily have a flow-on effect for suppliers, tenders and partnership relationships. The integrity of interdependent systems is only as sound as its weakest link: there’s no point safeguarding your own information if the next link, or the previous link, is not secure. Organisations are beginning to understand and come to grips with this fact, and to see the value of using certified ISMSs along the chain.” &lt;/p&gt;&lt;p&gt;&lt;b&gt;Information Security Management Systems: the bare facts&lt;/b&gt; &lt;/p&gt;&lt;p&gt;The world of information security management is coming out of the too-hard basket and landing in the in-boxes of a wide range of business and other organisations. &lt;/p&gt;&lt;p&gt;This brief guide answers some of the more frequently asked questions about information security management systems, and outlines the steps involved in establishing an ISMS. &lt;/p&gt;&lt;p&gt;A more extensive fact sheet is also available from SAI Global. &lt;/p&gt;&lt;p&gt;Q: What types of organisations need an ISMS? &lt;/p&gt;&lt;p&gt;An ISMS is needed wherever inappropriate use, disposal or disclosure of organisational information may negatively impact on the privacy of customers or other stakeholders, diminish the standing of the organisation or its stakeholders, reveal critical competitor or trading partner information or cause liability under regulation or legislation. &lt;/p&gt;&lt;p&gt;As the availability, volume and interdependencies of information within and between different organisations expand, so does the risk of the above occurring. That’s why demand for a certified ISMS is no longer confined to information technology or records-keeping organisations: it can benefit any industry sector that is subject to risk. &lt;/p&gt;&lt;p&gt;Q: Which part of an organisation should take ownership of the ISMS? 
&lt;/p&gt;&lt;p&gt;The team managing and implementing an ISMS should be drawn from all levels of management identified as custodians of critical information. Although this will usually integrally involve members of the IT team, an ISMS is emphatically not the sole responsibility of IT. &lt;/p&gt;&lt;p&gt;Q: How do I define the scope of an ISMS? &lt;/p&gt;&lt;p&gt;This is a critical component of creating an effective ISMS. The first step when considering the implementation of an information security system is to define the ‘scope’ of the system. As a starting point, draw a circle around the assets you think should be included, then review what is out of scope. &lt;/p&gt;&lt;p&gt;The test as to scope is whether the organisation can continue operations and maintain an adequate level of security even without the entities out of scope. If this is not possible, it may be wise to rework the scope to include that entity. &lt;/p&gt;&lt;p&gt;The scope of an ISMS can be based around physical sites, functional units (such as IT, HR etc.) or by systems. Wherever a specific scope is drawn, the unit, site or system concerned must be able to demonstrate that it is complying with all the requirements of the broader ISMS. &lt;/p&gt;&lt;p&gt;For a visual explanation of this process refer to the diagram entitled, ‘&lt;i&gt;Scoping your ISMS System’.&lt;/i&gt; &lt;/p&gt;&lt;p&gt;Q: How do I determine which clients and suppliers should also operate within the scope of an ISMS? &lt;/p&gt;&lt;p&gt;In the inextricably linked supply chain environment that defines so many business relationships, reliance on and sharing of information assets is commonplace. Information Security Managers must then determine how these ‘partners’ fit in the ISMS equation. Essentially, the ‘scoping’ test is a matter of risk. If suppliers’ or clients’ activities come into the primary scope, the security of the information at hand is at unacceptable risk unless they too can demonstrate their compliance. 
The integrity of the information concerned is only as sound as the weakest link in the chain. &lt;/p&gt;&lt;p&gt;Q: What are the usual steps to implement an ISMS? &lt;/p&gt;&lt;p&gt;In the context of AS/NZS 7799.2:2003 an organisation should consider nine specific steps when implementing an ISMS. These include: &lt;/p&gt;&lt;ul class="L1star"&gt;&lt;li&gt;determining the scope of the system&lt;/li&gt;&lt;li&gt;identifying key information assets&lt;/li&gt;&lt;li&gt;conducting an asset risk assessment&lt;/li&gt;&lt;li&gt;developing a risk mitigation strategy&lt;/li&gt;&lt;li&gt;developing a Statement of Applicability&lt;/li&gt;&lt;li&gt;preparing a security policy, procedures and work instructions&lt;/li&gt;&lt;li&gt;implementing the policies and procedures and ensuring compliance&lt;/li&gt;&lt;li&gt;conducting continual maintenance and improvements on the system&lt;/li&gt;&lt;li&gt;seeking independent assessment by an ISMS accredited certification body&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;In operational terms these nine steps could be summarised into four documents: &lt;/p&gt;&lt;ul class="L1star"&gt;&lt;li&gt;Asset Register&lt;/li&gt;&lt;li&gt;Risk Assessment Documentation&lt;/li&gt;&lt;li&gt;Statement of Applicability&lt;/li&gt;&lt;li&gt;Security Policy&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Refer to the flowchart entitled ‘&lt;i&gt;ISMS: Steps to Implementation’&lt;/i&gt; which outlines some of these key stages when developing and implementing an ISMS. &lt;/p&gt;&lt;p&gt;&lt;b&gt;Want to know more?&lt;/b&gt; &lt;/p&gt;SAI Global is Australia’s leading ISMS certification specialist. 
It has been accredited to deliver ISMS certification services by JAS-ANZ. To find out more about the SAI Global ISMS program, or for more detailed information about the steps involved in setting up an ISMS, including gap analysis and self evaluation, auditing, costs, copies of the particular standards involved and so forth email: infosecurity@sai-global.com or visit www.sai-global.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-6393476165081193144?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/6393476165081193144/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=6393476165081193144' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6393476165081193144'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6393476165081193144'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2008/01/protecting-your-information-assets.html' title='Protecting your information assets'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-8593126553319784157</id><published>2007-12-19T18:04:00.000-08:00</published><updated>2008-12-09T15:46:41.911-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Book'/><title type='text'>Information Security Management Handbook [Sixth Edition]</title><content 
type='html'>&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_f_y-UudDD60/R2nPO_oAj7I/AAAAAAAAAIs/qTAucMEA_gk/s1600-h/Information-Security-Management-Handbook.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_f_y-UudDD60/R2nPO_oAj7I/AAAAAAAAAIs/qTAucMEA_gk/s320/Information-Security-Management-Handbook.jpg" alt="" id="BLOGGER_PHOTO_ID_5145871905751863218" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.amazon.com/Information-Security-Management-Handbook-Sixth/dp/0849374952&amp;amp;tag=forfin-20"&gt;&lt;span style="font-weight: bold;"&gt;Buy Save With Amazon Book Store&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Information Security Management Handbook [Sixth Edition]  &lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Book Details&lt;/span&gt;&lt;br /&gt;- Hardcover: 3280 pages&lt;br /&gt;- Publisher: AUERBACH; 6 edition (May 14, 2007)&lt;br /&gt;- Language: English&lt;br /&gt;- ISBN-10: 0849374952&lt;br /&gt;- ISBN-13: 978-0849374951&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Book Description&lt;/span&gt;&lt;br /&gt;Never before have there been so many laws designed to keep corporations honest. New laws and regulations force companies to develop stronger ethics policies and the shareholders themselves are holding publicly traded companies accountable for their practices. Consumers are also concerned over the privacy of their personal information and current and emerging legislation is reflecting this trend. Under these conditions, it can be difficult to know where to turn for reliable, applicable advice.&lt;br /&gt;&lt;br /&gt;The sixth edition of the Information Security Management Handbook addresses up-to-date issues in this increasingly important area. 
It balances contemporary articles with relevant articles from past editions to bring you a well-grounded view of the subject. The contributions cover questions important to those tasked with securing information assets including the appropriate deployment of valuable resources as well as dealing with legal compliance, investigations, and ethics. Promoting the view that the management ethics and values of an organization lead directly to its information security program and the technical, physical, and administrative controls to be implemented, the book explores topics such as risk assessments; metrics; security governance, architecture, and design; emerging threats; standards; and business continuity and disaster recovery. The text also discusses physical security including access control and cryptography, and a plethora of technology issues such as application controls, network security, virus controls, and hacking.&lt;br /&gt;&lt;br /&gt;US federal and state legislators continue to make certain that information security is a board-level conversation and the Information Security Management Handbook, Sixth Edition continues to ensure that you have a clear understanding of the rules and regulations and an effective method for their implementation.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Book Info&lt;/span&gt;&lt;br /&gt;Handbook includes chapters that correspond to the 10 domains of the Certified Information Systems Security Professional (CISSP) examination. Previous edition: c1999. DLC: Computer security--Management--Handbooks, manuals, etc. 
--This text refers to an out of print or unavailable edition of this title.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-8593126553319784157?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/8593126553319784157/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=8593126553319784157' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8593126553319784157'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8593126553319784157'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/12/information-security-management.html' title='Information Security Management Handbook [Sixth Edition]'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_f_y-UudDD60/R2nPO_oAj7I/AAAAAAAAAIs/qTAucMEA_gk/s72-c/Information-Security-Management-Handbook.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-5044784317763320177</id><published>2007-12-19T17:45:00.000-08:00</published><updated>2008-12-09T15:46:42.024-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Book'/><title type='text'>IT Auditing: Using Controls to Protect Information Assets [Book]</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} 
catch(e) {}" href="http://3.bp.blogspot.com/_f_y-UudDD60/R2nKG_oAj6I/AAAAAAAAAIk/zZIguCd_tX8/s1600-h/IT-Auditing-Using-Controls-to-Protect-Information-Assets+.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_f_y-UudDD60/R2nKG_oAj6I/AAAAAAAAAIk/zZIguCd_tX8/s320/IT-Auditing-Using-Controls-to-Protect-Information-Assets+.jpg" alt="" id="BLOGGER_PHOTO_ID_5145866270754770850" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a href="http://www.amazon.com/Auditing-Controls-Protect-Information-Assets/dp/0072263431&amp;tag=forfin-20"&gt;&lt;span style="font-weight: bold;"&gt;Save 37% On Amazon Book Store&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;IT Auditing: Using Controls to Protect Information Assets&lt;br /&gt;Book Details :&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;- Paperback: 387 pages&lt;br /&gt;- Publisher: McGraw-Hill Osborne Media; 1 edition (December 22, 2006)&lt;br /&gt;- Language: English&lt;br /&gt;- ISBN-10: 0072263431&lt;br /&gt;- ISBN-13: 978-0072263435&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Book Description&lt;/span&gt;&lt;br /&gt;Protect Your Systems with Proven IT Auditing Strategies&lt;br /&gt;&lt;br /&gt;"A must-have for auditors and IT professionals."  -Doug Dexter, CISSP-ISSMP, CISA, Audit Team Lead, Cisco Systems, Inc.&lt;br /&gt;&lt;br /&gt;Plan for and manage an effective IT audit program using the in-depth information contained in this comprehensive resource. Written by experienced IT audit and security professionals, IT Auditing: Using Controls to Protect Information Assets covers the latest auditing tools alongside real-world examples, ready-to-use checklists, and valuable templates. Inside, you'll learn how to analyze Windows, UNIX, and Linux systems; secure databases; examine wireless networks and devices; and audit applications. 
Plus, you'll get up-to-date information on legal standards and practices, privacy and ethical issues, and the CobiT standard.&lt;br /&gt;&lt;br /&gt;Build and maintain an IT audit function with maximum effectiveness and value&lt;br /&gt;&lt;br /&gt;-Implement best practice IT audit processes and controls&lt;br /&gt;-Analyze UNIX-, Linux-, and Windows-based operating systems&lt;br /&gt;-Audit network routers, switches, firewalls, WLANs, and mobile devices&lt;br /&gt;-Evaluate entity-level controls, data centers, and disaster recovery plans&lt;br /&gt;-Examine Web servers, platforms, and applications for vulnerabilities&lt;br /&gt;-Review databases for critical controls&lt;br /&gt;-Use the COSO, CobiT, ITIL, ISO, and NSA INFOSEC methodologies&lt;br /&gt;-Implement sound risk analysis and risk management practices&lt;br /&gt;-Drill down into applications to find potential control weaknesses&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;About the Author&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Chris Davis, CISA, CISSP, shares his experience from architecting, hardening, and auditing systems. He has trained auditors and forensic analysts. 
Davis is the coauthor of the bestselling Hacking Exposed: Computer Forensics.&lt;br /&gt;&lt;br /&gt;Mike Schiller, CISA, has 14 years of experience in the IT audit field, most recently as the worldwide IT Audit Manager at Texas Instruments.&lt;br /&gt;&lt;br /&gt;Kevin Wheeler, CISA, CISSP, NSA IAM/IEM, is the founder and CEO of InfoDefense and has over ten years of IT security experience.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-5044784317763320177?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/5044784317763320177/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=5044784317763320177' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5044784317763320177'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5044784317763320177'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/12/it-auditing-using-controls-to-protect.html' title='IT Auditing: Using Controls to Protect Information Assets [Book]'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_f_y-UudDD60/R2nKG_oAj6I/AAAAAAAAAIk/zZIguCd_tX8/s72-c/IT-Auditing-Using-Controls-to-Protect-Information-Assets+.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-5299140445300731890</id><published>2007-12-05T17:56:00.000-08:00</published><updated>2007-12-05T17:58:23.173-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>Thinking Through Your 2008 Security Budget</title><content type='html'>By Ed Moyle&lt;br /&gt;E-Commerce Times&lt;br /&gt;&lt;br /&gt;For some people, November is all about festivity: turkey, cranberry sauce and the start of the long ramp-up to the December holidays.&lt;br /&gt;&lt;br /&gt;However, that's not always the case if you happen to be in IT security.&lt;br /&gt;&lt;br /&gt;If you are, you know that November can be anything but festive -- unless your idea of "festive" includes end-of-the-year network freezes, the inevitable holiday malware, spam out the wazoo, and (worst of all) the 2008 budget. Yup, 'tis the season -- the season for guessing at what you might need in the future and (most likely) won't get.&lt;br /&gt;&lt;br /&gt;Every year, we're asked to do the same thing: Request the funding that we need for the upcoming year to keep the organization "secure." Like programming a universal remote control, it's one of those things that sounds simple enough until you actually try to do it.&lt;br /&gt;&lt;br /&gt;Aside from being impossible (there's no such thing as "secure" -- just "secure enough"), there's also the fact that we're being asked to foresee the unforeseeable. How much malware will there be next year? How many application vulnerabilities will we find in the new accounting system? How many patches will come out for the hundreds of software products we support? 
These are just a few of the myriad things impacting budgetary requirements which simply cannot be precisely determined ahead of time.&lt;br /&gt;&lt;br /&gt;However, rather than give up and submit another year's budget dripping with irony, let's look to see if there aren't a few strategies that we can use to help us bring some sanity to an otherwise insane process.&lt;br /&gt;Planning for the Unforeseeable&lt;br /&gt;&lt;br /&gt;When it comes to planning for your security operations budget, there are two types of information security organizations: those that have usable metrics and those that don't. If you're in the first category, you probably have a historical record of past events -- and you probably have some idea of what each of those events costs.&lt;br /&gt;&lt;br /&gt;For example, you might know the number of malware events that occurred over the past 12 months and (depending on how long you've been keeping track) you might have some idea about the relative rate of increase of those events year-over-year. The same is true of security incidents, forensic investigations, IDS (intrusion detection system) alerts, applications reviewed, etc.&lt;br /&gt;&lt;br /&gt;Now, I don't mean to suggest that metrics are the complete solution to your budgetary woes, but the budgeting process is the one area where you're likely to see quite a bit of return on your metrics initiative. If you're measuring, you can come up with a reasonable (or at least logical) estimate of future activity based on historical trends. Add in a margin of error and it's not unreasonable to put together a ballpark figure for what those future events might cost. Heck, you can even create milestones of how much you expect to spend month-over-month and use unspent dollars to invest in making everything more efficient. 
Of course, times being what they are, you might not get everything you ask for, but at least you'll know the impact of that ahead of time.&lt;br /&gt;&lt;br /&gt;If you don't have metrics yet but you think they might help you with your budget, the challenge is to get them in place so that you can use them. Since you probably won't get any reliable metrics in place in time to use them in planning for this year's budget (hats off to you if you decide to try), the goal is to get them there in time to use them next year.&lt;br /&gt;&lt;br /&gt;Don't assume that obtaining this information is going to be "free" though -- it won't be. So plan for the expense and account for the spending in your 2008 spending (after all, now's the time). If your decision-making process isn't currently based on some kind of concrete information like realistic metrics, one of your strategic goals (maybe your No. 1 strategic goal) should be improving the data coming in and making use of it.&lt;br /&gt;Investing in the Program&lt;br /&gt;&lt;br /&gt;So, maybe you have a reasonable idea about what operations spending looks like for 2008 -- or if you don't, you at least have it as a goal to get to a point where you can estimate (more) accurately. How about overall spending? After all, keeping to the "status quo" -- estimating what it'll cost next year to do the same thing as last year -- shouldn't be your final goal. Even if you're getting more efficient over time, there are still more things that you could be doing. No, there's another piece to the puzzle: Where should you invest in 2008 to operate in a more repeatable, organized and "mature" way? That's where program maturity comes in.&lt;br /&gt;&lt;br /&gt;Your information security "program," or -- depending on the terminology you choose -- your ISMS (information security management system) is something to be thinking about as well when putting together your 2008 budget. 
Your ISMS should be your overarching framework for managing information security within your organization -- it's your opportunity to think about how you'll move away from tactical decision-making ("putting out fires") and move toward a model based on analyzing and treating risk, keeping track of your security processes and how they perform, both in terms of efficiency as well as effectiveness.&lt;br /&gt;&lt;br /&gt;In other words, think about having a structured, well thought-out program as your road map to a better life.&lt;br /&gt;&lt;br /&gt;Assuming that you want to come up with a more structured way of doing things, how can you get there? First, start by analyzing what your program does and doesn't already account for -- tools like ISO 27001 (International Organization for Standardization) help you identify what your program should have in place and areas that you should be looking into for program management.&lt;br /&gt;&lt;br /&gt;Need to do a gap analysis to see where your program falls short? Account for that in your budget.&lt;br /&gt;&lt;br /&gt;Already have a gap analysis that tells you where you need to improve? Account for those areas in your budget.&lt;br /&gt;&lt;br /&gt;Granted, you might not get everything on your request list, but if you can demonstrate why this is valuable and candidly discuss with your management how you'd like to improve, you're probably likely to get some funding for doing this. 
Especially if you believe (as I do) that a structured, repeatable and mature program saves money over the long term.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source : &lt;a href="http://www.ecommercetimes.com/story/Thinking-Through-Your-2008-Security-Budget-60445.html"&gt;http://www.ecommercetimes.com/story/Thinking-Through-Your-2008-Security-Budget-60445.html&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-5299140445300731890?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/5299140445300731890/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=5299140445300731890' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5299140445300731890'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5299140445300731890'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/12/thinking-through-your-2008-security.html' title='Thinking Through Your 2008 Security Budget'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-2624226142317331378</id><published>2007-12-05T17:51:00.000-08:00</published><updated>2007-12-05T17:54:49.825-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>Demand for ISO 27001 Grows</title><content 
type='html'>For the first time the survey collected information on ISO 27001, a standard for assessing information security management systems (ISMS).&lt;p&gt;The survey reports 5,800 certificates issued in 64 countries. Japan accounts for 65% of these certificates.&lt;/p&gt;&lt;p&gt;Australia ranked 9th with 59 ISMS certificates. New Zealand recorded just one certificate.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-2624226142317331378?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/2624226142317331378/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=2624226142317331378' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2624226142317331378'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2624226142317331378'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/12/demand-for-iso-27001-grows.html' title='Demand for ISO 27001 Grows'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-4139287327219462934</id><published>2007-11-28T20:18:00.001-08:00</published><updated>2007-11-28T20:19:50.261-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Step To ISMS'/><title type='text'>How to Establish an ISMS Management Framework</title><content type='html'>In ISMS 
requirements, an organization is required to establish, implement and continually maintain its documented ISMS, taking into consideration its overall business activities and risks.  &lt;p&gt;   In establishing an ISMS, the scope of the ISMS is determined (STEP 1), and an information security policy is defined (STEP 2). On the basis of this security policy, a systematic approach to risk assessment is defined (STEP 3), and risks to the information assets that must be protected are identified (STEP 4). Risk assessment is then carried out (STEP 5). If, as a result of the risk assessment, unacceptable risks are found, possible ways to treat the risks should be identified and examined (STEP 6). Based on the risk treatment, controls to be implemented are selected (STEP 7).&lt;/p&gt;  &lt;p&gt; &lt;/p&gt;&lt;table align="center" border="1" width="500"&gt; &lt;tbody&gt;&lt;tr&gt;&lt;td align="center" width="600"&gt;Detailed Controls&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td width="600"&gt;    1. Information Security policy&lt;br /&gt;  2. Organizational security&lt;br /&gt;  3. Assets classification and control&lt;br /&gt;  4. Personnel security&lt;br /&gt;  5. Physical and environmental security&lt;br /&gt;  6. Communications and operations management&lt;br /&gt;  7. Access control&lt;br /&gt;  8. Systems development and maintenance&lt;br /&gt;  9. Business continuity management&lt;br /&gt; 10. Compliance &lt;/td&gt;&lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; &lt;p&gt;    Not all controls described in "detailed controls" shall be enforced, but an organization may select the controls to be implemented from the "detailed controls" on the basis of the risk assessment. In addition to  the controls mentioned above, the organization shall add more effective controls  that appear to be necessary as a result of risk assessment or risk management. What  kind of and how many residual risks the organization has shall be identified. 
Through risk management, these residual risks shall be approved by management (STEP 8), and management shall also authorize the introduction of the ISMS (STEP 9). It is particularly important to specify the selection of controls in the statement of applicability (STEP 10). &lt;/p&gt;&lt;br /&gt;&lt;p&gt;  &lt;img src="http://www.isms.jipdec.jp/en/isms/frame.gif" /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Source : &lt;a href="http://www.isms.jipdec.jp/en/isms/frame.html"&gt;http://www.isms.jipdec.jp/en/isms/frame.html&lt;/a&gt;&lt;/span&gt;&lt;br /&gt; &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-4139287327219462934?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/4139287327219462934/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=4139287327219462934' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/4139287327219462934'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/4139287327219462934'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/11/how-to-establish-isms-management.html' title='How to Establish an ISMS Management Framework'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-2721395462478383755</id><published>2007-11-28T19:49:00.000-08:00</published><updated>2007-11-28T19:58:03.839-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PDF'/><category scheme='http://www.blogger.com/atom/ns#' term='Implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>Implementing an Information Security Management System (ISMS) — LRQA Guidance</title><content type='html'>Type : White Paper&lt;br /&gt;Length : 5&lt;br /&gt;Format : PDF&lt;br /&gt;By : LRQA&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Overview: Implementing an Information Security Management System (ISMS) — LRQA Guidance&lt;br /&gt;&lt;br /&gt;- Why is ISO/IEC 27001 good for you?&lt;br /&gt;- Introduction to Implementing an ISMS&lt;br /&gt;- The OECD (Organization for Economic Co-operation and Development) Guidelines&lt;br /&gt;- Getting started&lt;br /&gt;- Planning for success&lt;br /&gt;- Understanding the standard&lt;br /&gt;- Where next...?&lt;br /&gt;- Management processes&lt;br /&gt;- Define the scope&lt;br /&gt;- ISMS policy&lt;br 
/&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;- &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;Risk assessment and risk management&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;- &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;Risk treatment&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;- &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;Certification&lt;br /&gt;&lt;br /&gt;&lt;a href="http://lrqausa.com/documents/Guidance_5bImplementinganISMS-LRQA.pdf"&gt;View This White Paper&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-2721395462478383755?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/2721395462478383755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=2721395462478383755' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2721395462478383755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2721395462478383755'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/11/implementing-information-security.html' title='Implementing an Information Security Management System (ISMS) — LRQA Guidance'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-7192486848916505922</id><published>2007-11-15T00:49:00.000-08:00</published><updated>2007-11-15T00:51:26.258-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerability assessment'/><title type='text'>[PDF] Analyzing Network Security using Malefactor Action Graphs</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Abstract&lt;/span&gt;&lt;br /&gt;An approach to network security analysis is suggested. It is based on simulation of the malefactor’s behavior, generating an attack graph and calculating different security metrics. The graph represents all possible attack scenarios, taking into account network configuration, security policy, and the malefactor’s location, knowledge level and strategy. The security metrics describe computer network security at different levels of detail and take into account various aspects of security. The generalized architecture of the security analysis system is presented. The attack scenario model, common attack graph building procedures, the security metrics used, and general security level evaluation are defined. 
The implemented version of security analysis system is described, and examples of express-evaluations of security level are considered.&lt;br /&gt;&lt;br /&gt;Read This Paper :&lt;a href="http://paper.ijcsns.org/07_book/200606/200606C15.pdf"&gt; http://paper.ijcsns.org/07_book/200606/200606C15.pdf&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-7192486848916505922?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/7192486848916505922/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=7192486848916505922' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7192486848916505922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7192486848916505922'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/11/pdf-analyzing-network-security-using.html' title='[PDF] Analyzing Network Security using Malefactor Action Graphs'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-3155509279541264374</id><published>2007-11-15T00:39:00.000-08:00</published><updated>2007-11-15T00:45:56.870-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='PDF'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 
17799'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerability assessment'/><title type='text'>[PDF] The Simple Information Security Audit Process: SISAP</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Summary&lt;/span&gt;&lt;br /&gt;The SISAP (Simple Information Security Audit Process) is a dynamic security audit methodology fully compliant with the ISO 17799 and BS 7799.2, and conformant with the ISO 14508 in terms of its functionality guidelines. The SISAP employs a simulation-based rule base generator that balances risks and business value generation capabilities using the Plan-Do-Check-Act cycle imposed in BS 7799.2. The SISAP employs a concept proof approach based on 10 information security best practices investigation sections, 36 information security objectives, and 127 information security requirements, as specified in the ISO 17799. The auditor may apply, for collecting, analyzing, and fusing audit evidence obtained at various audit steps, selected analytical models like certainty factors, probabilities, fuzzy sets, and basic belief assignments. 
The SISAP adopts fully automated elicitation worksheets, as in SASA (Standard Analytic Security Audit), COBRA, and others.&lt;br /&gt;&lt;br /&gt;Read This File :&lt;a href="http://paper.ijcsns.org/07_book/200606/200606C10.pdf"&gt; http://paper.ijcsns.org/07_book/200606/200606C10.pdf&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-3155509279541264374?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/3155509279541264374/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=3155509279541264374' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/3155509279541264374'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/3155509279541264374'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/11/pdf-simple-information-security-audit.html' title='[PDF] The Simple Information Security Audit Process: SISAP'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-6384474888367130077</id><published>2007-11-02T02:51:00.000-07:00</published><updated>2007-11-02T02:52:22.360-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='BS7799:2'/><category scheme='http://www.blogger.com/atom/ns#' term='Certification'/><title type='text'>Certification : BS 7799</title><content type='html'>&lt;p 
align="justify"&gt;In the Information Security Space we believe that people are both the strongest and the weakest link in the attempt to secure one's IT resources. Security professionals are responsible for making and breaking the best security systems developed to date. &lt;/p&gt;  &lt;p align="justify"&gt;The best method to validate one's attempt to provide effective Information Security Management is to first benchmark it against the BS 7799 Standard and then have it certified through an external vendor. &lt;/p&gt;  &lt;p align="justify"&gt;In the earlier articles we looked at the finer aspects of the standard, where we discussed the standard itself, risk assessment, implementation and risk management. &lt;/p&gt;  &lt;p align="justify"&gt;In this final session we will attempt to understand the structure and steps involved in certification for BS7799.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;A quick recap&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;Before we go into the details of acquiring certification we need to go back and look at what constitutes the standard and what a company will be certified for:&lt;/p&gt;  &lt;p align="justify"&gt;ISO/IEC 17799:2000 (Part 1) is the standard code of practice, which can be regarded as a comprehensive catalogue of "the best things to do in Information Security". &lt;/p&gt;  &lt;p align="justify"&gt;BS7799-2:1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management can monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements. &lt;/p&gt;  &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Please note that certification is against BS7799-2:1999.&lt;/i&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p align="justify"&gt;In order to be awarded a certificate, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. 
There are very strict rules about this. The assessor will work for a &lt;i&gt;Certification Body&lt;/i&gt; (such as Det Norske Veritas and BSI Assessment Services Limited).&lt;/p&gt;  &lt;p align="justify"&gt;The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.&lt;/p&gt;  &lt;p align="justify"&gt;The assessor will return periodically to check that your ISMS is working as intended.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Domains on which one would be assessed:&lt;/p&gt;  &lt;/b&gt;&lt;p align="justify"&gt;As discussed in the earlier sessions, the company needs to prepare its policies and procedures, which would cover the following domains:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Security policy&lt;/li&gt;&lt;li&gt;Security organisation&lt;/li&gt;&lt;li&gt;Asset classification and control&lt;/li&gt;&lt;li&gt;Personnel security&lt;/li&gt;&lt;li&gt;Physical and environmental security&lt;/li&gt;&lt;li&gt;Communications and operations management&lt;/li&gt;&lt;li&gt;Access control&lt;/li&gt;&lt;li&gt;Systems development and maintenance&lt;/li&gt;&lt;li&gt;Business continuity management&lt;/li&gt;&lt;li&gt;Compliance&lt;/li&gt;&lt;/ul&gt;  &lt;b&gt;&lt;p align="justify"&gt;Statement of applicability&lt;/p&gt; &lt;/b&gt;&lt;p align="justify"&gt;BS 7799 requires a company to identify the processes and controls that it actually operates. If, for example, the company does not need to outsource any of its functions to an external vendor, it can state that 4.2.3.1 (Security Requirements in outsourcing contracts) is not relevant to that particular organisation.&lt;/p&gt; &lt;p align="justify"&gt;You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant. 
&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Preparing oneself for Certification:&lt;/p&gt;  &lt;/b&gt;&lt;p align="justify"&gt;The traditional formula of &lt;b&gt;PLAN … DO … CHECK … ACT&lt;/b&gt; works well with BS 7799 too, and this is a good place either to start or to review the progress of the implementation team.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Plan&lt;/p&gt; &lt;/b&gt;&lt;p align="justify"&gt;While planning, one has to be particularly careful about the business context in which the ISMS is being prepared. This includes defining business policy and objectives, estimating the scope of the ISMS, deciding on and collecting resources for conducting the risk assessment, and a definitive approach to identifying, analysing and evaluating risks on a continuous basis.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Do&lt;/p&gt;  &lt;/b&gt;&lt;p align="justify"&gt;While implementing the ISMS, the focus should always be on building a long-running and faultless mechanism for managing risk. This includes evaluating the options of automated or manual systems; the ideal method is to strike a balance between the two. BS7799 controls need to be addressed, as our ultimate objective is to acquire certification. &lt;/p&gt; &lt;p align="justify"&gt;Deploy qualified and tested vendors to implement the various products and solutions that will be required. Preparation of the statement of applicability is also an important step, in which management plays an important role.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Check&lt;/p&gt;  &lt;/b&gt;&lt;p align="justify"&gt;This is where one has to engage an external security audit team qualified to perform a third-party security audit for BS7799. 
Certification companies like Det Norske Veritas can also help in finding qualified BS7799 consultants for companies interested in performing a pre-assessment audit.&lt;/p&gt; &lt;p align="justify"&gt;The audit team would check for appropriate controls and evidence of implementation.&lt;/p&gt; &lt;p align="justify"&gt;For example: if a company has prepared a policy for contractual agreements, the company would have to submit the templates and documents in which third-party contractors have signed up to the security requirements.&lt;/p&gt;  &lt;p align="justify"&gt;Implementation would also include continuous monitoring of the ISMS, from the perspective of satisfying business needs first and of its practical validity in the organisation.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Act&lt;/p&gt;  &lt;/b&gt;&lt;p align="justify"&gt;After checking for flaws and vulnerabilities, the company needs to improve the ISMS by identifying key vulnerabilities and taking appropriate corrective actions.&lt;/p&gt; &lt;p align="justify"&gt;Preventive actions for unseen but predictable incidents can be taken, and policies to drive them into action can be framed in good time.&lt;/p&gt;  &lt;p align="justify"&gt;Communication and delivery of policies to IT users and the IT team should be done with ease and determination. Cultural changes and differences which arise should be tackled with justification and transparency. 
Management, partners and users should be trained on policies and procedures.&lt;/p&gt;  &lt;p align="justify"&gt;Creative techniques like designing posters that clearly state the rules, such as PC usage and the best practice followed in password framing and maintenance, can go a long way towards the success of the policies and procedures.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;The 4 Step method of Certification&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;The Plan, Do, Check and Act framework is cyclic and has to be carried out continuously over the long run, with the solid backing of management.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;&lt;i&gt;We now come to the specifics of the certification process&lt;/i&gt;&lt;/p&gt;  &lt;p align="justify"&gt;&lt;i&gt;&lt;u&gt;Step One&lt;/u&gt;&lt;/i&gt;&lt;/p&gt; &lt;p align="justify"&gt;Desktop Review:&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;All documented policies and procedures need to be verified and checked for consistency and practicality. 
Corresponding templates and forms are presented to the audit team.&lt;/p&gt; &lt;p align="justify"&gt;One important check on documentation will be its validity and relevance to BS7799 controls.&lt;/p&gt;  &lt;p align="justify"&gt;The following documents need to be presented:&lt;/p&gt; &lt;p align="justify"&gt;ISMS, policies, IT environment documentation, risk assessment reports, business continuity planning documentation, statement of applicability.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;&lt;i&gt;&lt;u&gt;Step Two&lt;/u&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p align="justify"&gt;Technical Review&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;The definition and implementation of the security architecture, with its various products and networking components, are checked for vulnerabilities and possible risk exposure.&lt;/p&gt; &lt;p align="justify"&gt;The company would also need to submit a ‘permissible risk’ statement; this is the risk which the company can afford to take. 
&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;&lt;i&gt;&lt;u&gt;Step Three&lt;/u&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p align="justify"&gt;Internal Audit&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;The team of BS7799 implementers and BS7799 professionals can take up an initial internal audit in which non-conformances are picked up and recommendations are documented.&lt;/p&gt; &lt;p align="justify"&gt;This step involves a simulation of the real third-party audit and has to be taken seriously by the team and the users of IT in the company.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;&lt;i&gt;&lt;u&gt;Step Four&lt;/u&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p align="justify"&gt;External Audit - Certification&lt;/p&gt; &lt;/b&gt;&lt;p align="justify"&gt;The invitation to the certification company is predetermined, and the company gets ready to face the external auditors.&lt;/p&gt; &lt;p align="justify"&gt;The company's consultants and internal team would not be allowed to be part of the audit team.&lt;/p&gt; &lt;p align="justify"&gt;They can assist and help the auditors find relevant material.&lt;/p&gt; &lt;p align="justify"&gt;The auditors check documentation and objective evidence with the following questions in mind:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Are records correct and relevant?&lt;/li&gt;&lt;li&gt;Are policies known and tested?&lt;/li&gt;&lt;li&gt;Are policies communicated?&lt;/li&gt;&lt;li&gt;Are controls implemented?&lt;/li&gt;&lt;li&gt;Are policies followed up?&lt;/li&gt;&lt;li&gt;Are preventive actions taken?&lt;/li&gt;&lt;/ul&gt;   &lt;p align="justify"&gt;The auditor then evaluates the quality of the risk assessment and the level of security claimed by the company.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Conclusion&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;After the audit, the certification company recommends the said company for BS7799 Certification. 
This is certainly a victory for the IT team, as they can be assured that their IT systems are world class and that the possibility of a security incident is minimal.&lt;/p&gt; &lt;p align="justify"&gt;To summarize the series, BS7799 is a culture one has to build in the company, which would help one:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Heighten security awareness within the organisation&lt;/li&gt;&lt;li&gt;Identify critical assets via the Business Risk Assessment&lt;/li&gt;&lt;li&gt;Provide a structure for continuous improvement&lt;/li&gt;&lt;li&gt;Be a confidence factor internally as well as externally&lt;/li&gt;&lt;li&gt;Enhance the knowledge and importance of security-related issues at the management level&lt;/li&gt;&lt;li&gt;Ensure that "knowledge capital" will be "stored" in a business management system&lt;/li&gt;&lt;li&gt;Enable future demands from clients, stockholders and partners to be met&lt;/li&gt;&lt;/ul&gt;  &lt;p align="justify"&gt;Recommended Reading&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Information Security Management: An introduction (PD3000)&lt;/li&gt;&lt;li&gt;Preparing for BS7799 Certification (PD3001)&lt;/li&gt;&lt;li&gt;The Guide to BS7799 Risk Assessment and Risk Management (PD3002)&lt;/li&gt;&lt;li&gt;Are you Ready for a BS7799 Audit? 
(PD3003)&lt;/li&gt;&lt;li&gt;Guide to BS7799 Auditing (PD3004)&lt;/li&gt;&lt;li&gt;Guide on selection of BS 7799 controls (PD3005)&lt;/li&gt;&lt;li&gt;BS7799 : Part 1: 1999 Code of Practice for information security management&lt;/li&gt;&lt;li&gt;BS7799 : Part 2: 1999 Specification for information security management systems&lt;/li&gt;&lt;li&gt;EA Guidelines 7/03&lt;/li&gt;&lt;/ul&gt;  &lt;p align="justify"&gt;BS7799 Interpretation Guide (Free Download): www.dnv.com&lt;/p&gt; &lt;p&gt;Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organization comprises over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.&lt;/p&gt;  &lt;p&gt;DNV started its operations in Region India in 1972 and has established itself as a leading Classification Society. DNV has been providing Classification, Certification, Consultancy and Verification Services for the Marine, Offshore and Land-based process industries ever since, for both the Public and Private Sectors. &lt;/p&gt; &lt;p&gt;DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management Systems, and is a leading Certification Body in India for both Quality &amp;amp; Environment Management System Certification, having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. 
DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.&lt;/p&gt; &lt;p&gt;Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.&lt;/p&gt;&lt;br /&gt;Source : &lt;a href="http://www.computersecuritynow.com/7799part3.htm"&gt;http://www.computersecuritynow.com/7799part3.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-6384474888367130077?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/6384474888367130077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=6384474888367130077' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6384474888367130077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6384474888367130077'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/11/certification-bs-7799.html' title='Certification : BS 7799'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-6595193385065548588</id><published>2007-11-02T02:50:00.000-07:00</published><updated>2007-11-02T02:51:21.786-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='BS7799:2'/><category scheme='http://www.blogger.com/atom/ns#' term='Implementation'/><title type='text'>Implementation : BS7799</title><content type='html'>&lt;p align="justify"&gt;Part 1 mainly dealt with the structure of the standard and its relevance to the Indian IT environment. Readers need to have a clear understanding that BS7799 was designed by security experts who were the forerunners in the field of Information Security and were working in live business environments. Thus the standard is business driven and correlates closely with business units. This standard has to be interpreted for individual business units and has the flexibility to accommodate every possible IT environment.&lt;/p&gt; &lt;p align="justify"&gt;This article discusses the interpretation of the standard and some of the key areas in its implementation.&lt;/p&gt; &lt;p align="justify"&gt;While interpreting the standard, one has to consider and evaluate the human, procedural, environmental, technical and cultural aspects of the business unit. While implementing the standard, one has to weigh one's own technical strength as far as Information Security Professionals are concerned. Without a thorough technical assessment, the results of the implementation would not lead to certification. 
Thus a word of caution to readers would be that identification and management of risk to IT systems is a specialized activity and needs to be conducted in a controlled environment using professional assistance.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Where do you begin?&lt;/p&gt; &lt;/b&gt; &lt;b&gt;&lt;p align="justify"&gt;Understand the Importance of Information Security: &lt;/p&gt; &lt;/b&gt;&lt;p align="justify"&gt;Every organization is unique, with its own set of requirements and concerns. The company's IT assets are exposed to various threats. More than 70% of the threat comes from internal sources.&lt;/p&gt; &lt;p align="justify"&gt;Other threat agents can be hackers, former employees, contractors, suppliers, competitors and customers.&lt;/p&gt;  &lt;p align="justify"&gt;Management is tight-lipped about incidents and pushes matters under the carpet for fear of losing credibility among investors and customers.&lt;/p&gt;  &lt;p align="justify"&gt;In a competitive environment where IT systems become business enhancers, one cannot afford to lose data or suffer a breakdown.&lt;/p&gt; &lt;p align="justify"&gt;Building awareness is the starting point for a stronger Information Security Culture.&lt;/p&gt;  &lt;p align="justify"&gt;Educating top management about the need for effective Information Security Management, and about its possible benefits, is crucial for the success of a project.&lt;/p&gt;  &lt;p align="justify"&gt;&lt;b&gt;Get Yourself Trained:&lt;/b&gt;&lt;/p&gt;&lt;p&gt;While selecting appropriate products and vendors for a technical risk assessment, one has to understand, implement, maintain and sustain the investments made in information security. &lt;/p&gt; &lt;p align="justify"&gt;The Internet serves as a huge repository of material for beginners through to advanced users. 
The best method is to work in live environments with security professionals and get hands-on experience with various products and processes. Those who are fortunate enough to work on live sites can use Internet resources like mailing lists and websites on security, study for security certifications or even attend training programs conducted by security institutes.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Understand your Business Need:  &lt;/p&gt; &lt;/b&gt;&lt;p align="justify"&gt;Security is always a business-led activity. The investments made in security should reflect the need for security measures and the criticality of IT resources and processes in the day-to-day functioning of the business. To implement strong security systems one has to grasp the core need for Information Security in the business and identify the critical business factors.&lt;/p&gt;  &lt;p align="justify"&gt;For example: if a financial organisation has to depend heavily on IT resources to assimilate, calculate, interpret and present data on an hourly basis, then the level of security would be higher than for a company using IT resources for maintaining accounts and downloading company mail. To remain competitive the company cannot afford downtime of its systems. &lt;/p&gt;  &lt;p align="justify"&gt;&lt;b&gt;Assigning Responsibility&lt;/b&gt;:&lt;/p&gt; &lt;p align="justify"&gt;The security organization structure is important to give direction and a solid foundation to the implementation of a project. A designated Security Officer with a team of technical and procedural security professionals would make a perfect mix for implementation. If the company chooses to use an external security company for consulting, the security team could work hand in hand with the security company's professionals. 
This will help companies maintain the systems and procedures drafted and implemented by the security team.&lt;/p&gt;  &lt;p align="justify"&gt;&lt;b&gt;Choosing a vendor&lt;/b&gt;:&lt;/p&gt; &lt;p align="justify"&gt;Various security consultants in the market have their own methodologies and approaches. Some of the parameters for selecting a vendor would be: firstly, the vendor should be an expert in Information Security only. One cannot boast of having a shop for software development, hardware sales and also Information Security. The field of Information Security is vast and complex and needs a focused approach. Secondly, the vendor needs to have done live assignments in India. We cannot have policies for Indian companies based on US firms. Thirdly, the vendor needs to have a quantitative risk assessment approach which takes into consideration technical and procedural checklists. Lastly, the vendor should be willing to work with the team and share knowledge, which is important for the team to sustain the project even after the assignment is over.&lt;/p&gt;  &lt;p align="justify"&gt;&lt;b&gt;Importance of Risk Assessment&lt;/b&gt;:&lt;/p&gt; &lt;p align="justify"&gt;While designing and deploying a security strategy one has to ask two very important questions. First, what to protect, and second, how much to protect? In simpler words, what risk is the business exposed to, and how much? &lt;/p&gt;  &lt;p align="justify"&gt;To define risk:&lt;/p&gt;  &lt;p align="center"&gt;&lt;b&gt;&lt;i&gt;Business risk is the threat that an event or action will adversely affect an organisation's ability to successfully achieve its business objectives and execute its strategies.&lt;/i&gt;&lt;/b&gt;&lt;/p&gt; &lt;p align="justify"&gt;The key success factor of IT systems is a thorough risk assessment and effective risk management. 
Risk assessment prepares the base on which one builds the ISMS (Information Security Management System). &lt;/p&gt; &lt;p align="justify"&gt;The entire exercise starts with &lt;b&gt;Asset Identification:&lt;/b&gt;&lt;/p&gt; &lt;p align="justify"&gt;An important step towards achieving BS 7799 certification is to identify and classify assets. BS 7799 defines Risk Assessment as: assessment of threats to information, impacts on and vulnerabilities of information and information processing facilities, and the likelihood of their occurrence.&lt;/p&gt;  &lt;p align="justify"&gt;Every department has assets which it considers important, without which it cannot continue work and achieve results. Some assets have a higher value and others a lesser value. Thus the most important assets need more protection and the lesser ones require a lower level of protection.&lt;/p&gt; &lt;p align="justify"&gt;All assets in the company can be classified as: &lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;People Assets&lt;/i&gt;&lt;/b&gt;: The number of professionals who are a part of the organisation. &lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Information Assets:&lt;/i&gt;&lt;/b&gt; Databases, data files, system documentation, user manuals, training material, operational and support procedures, intellectual property, continuity plans.&lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Paper Documents:&lt;/i&gt;&lt;/b&gt; Contacts, company documentation, business results, HR records, purchase documents, invoices. &lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Software Assets:&lt;/i&gt;&lt;/b&gt; Application systems, development tools, and utilities. 
&lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Physical Assets:&lt;/i&gt;&lt;/b&gt; computers, servers, routers, hubs, firewalls, communication equipment, magnetic media, other equipment, cabinets, safes &lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Services:&lt;/i&gt;&lt;/b&gt; Computing, telecommunications, air-conditioning, water etc &lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Company Image and Reputation:&lt;/i&gt;&lt;/b&gt; Adverse publicity, Failure to deliver, Website defacement, Unable to provide connectivity to web server&lt;/p&gt; &lt;b&gt;&lt;p align="justify"&gt;Asset Classification:&lt;/p&gt; &lt;/b&gt;&lt;p align="justify"&gt;Once the list of assets are identified the criticality of every asset has to be classified as &lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Unclassified&lt;/i&gt;&lt;/b&gt;: Considered publicly accessible. There are no requirements for access control or confidentiality.&lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Shared:&lt;/i&gt;&lt;/b&gt; Resources that are shared within groups or with people outside the organization.&lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Company Only:&lt;/i&gt;&lt;/b&gt; Access to be restricted to the internal employees only.&lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Confidential:&lt;/i&gt;&lt;/b&gt; Access to be restricted to a specific list of people.&lt;/p&gt; &lt;b&gt;&lt;i&gt;&lt;p align="center"&gt;This gets us to answer for "What to Protect"?&lt;/p&gt; &lt;p align="center"&gt;Now lets Understand How to Protect?&lt;/p&gt; &lt;/i&gt;&lt;/b&gt;&lt;p align="justify"&gt;&lt;b&gt;Technical Risk Assessment&lt;/b&gt;:&lt;/p&gt; &lt;p align="justify"&gt;Penetration testing: After performing the Asset Identification exercise one has to move on testing specific devices which are critical to the running of the organisation. 
The first step in testing is to find out whether any external person can gain access to company information through the Internet. This is a specialized exercise, which requires a security professional who is abreast of the latest exploits and vulnerabilities from published and open sources. The professional needs to run various tests against the Internet point of presence (i.e. the website) and the security devices which protect these sites.&lt;/p&gt; &lt;p align="justify"&gt;He would assume the role of a possible intruder and do all that an intruder would do to break into systems and cause harm.&lt;/p&gt; &lt;p align="justify"&gt;The results of these tests give one an idea of the possible vulnerabilities on various servers.&lt;/p&gt;  &lt;p align="justify"&gt;&lt;b&gt;Vulnerability Assessment:&lt;/b&gt; After performing an external test one needs to test the strength of the various servers and operating systems available internally. This works as a second level of defense: even if an intruder breaks through the entry points, he should be stopped at the internal points. Internal testing also facilitates the design of the security architecture.&lt;/p&gt;  &lt;p align="justify"&gt;A word of caution: allow only qualified and experienced professionals to operate these systems. All legal documents need to be signed before one completes the assignment.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Procedural Risk Assessment:&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;After conducting the technical risk assessment one needs to find out the formal and informal policies and procedures followed in the company. This can be done with detailed questionnaires, which help find out the concerns of IT managers, IT users, operations staff, top management, divisional heads and the technical team.&lt;/p&gt;  &lt;p align="justify"&gt;A Gap Analysis Document can be created once the Procedural Risk Assessment exercise is completed. 
This would help companies have a clear understanding of where they stand as far as acquiring the certification is concerned.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Risk Management&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;Once the gaps in the systems are identified, one has to manage these risks and make sure that the possibility of these risks affecting the company is very low or, in some cases, totally eliminated. BS 7799 has been designed in such a manner that its 127 control clauses address almost every conceivable risk known to information systems.&lt;/p&gt; &lt;p align="justify"&gt;The standard defines Risk Management as: the process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.&lt;/p&gt; &lt;p align="justify"&gt;For example: while conducting the procedural risk assessment one finds that when disposing of old computer systems, the hard disk that goes along with the machine is not erased or formatted. So the risk is potential leakage of the information stored on the hard disk. This risk is addressed by &lt;i&gt;Domain 8, Communications and operations management&lt;/i&gt;, which states that &lt;i&gt;Media shall be disposed of securely and safely when no longer required. (4.6.6.2)&lt;/i&gt;&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Creating Security Policies and Procedures to Manage Risks Effectively&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;As in every management system, security management is policy driven and has to be driven and pushed into an organisation. 
One has to take utmost care to address every concern expressed during the technical and procedural risk management exercise and prepare the documentation of the required policies. The list below is only indicative and differs from organisation to organisation:&lt;/p&gt;  &lt;p align="justify"&gt;Logical Access Controls, Password Security &amp;amp; Controls, Network &amp;amp; Telecommunication Security, Application Software Security, Program Change Controls, Version Controls, Disaster Recovery Plan, Electronic Mail Security, Backup &amp;amp; Recovery, Internet Access and Security, Operating Systems Security, Incident Response and Management, Third Party Security, Data Classification, Web Server Security, Intranet Security, Punitive Actions, Firewall Security, Use of Cryptography, Digital Signature Security, Database Security, Virus Protection.&lt;/p&gt;  &lt;p align="justify"&gt;Implementing effective risk management has various benefits, some of which are: enhanced understanding of business aspects, reductions in security breaches and/or claims, reductions in adverse publicity, improved insurance liability rating, identification of critical assets via the business risk assessment, a structure for continuous improvement, a confidence factor internally as well as externally, enhanced knowledge of and importance given to security-related issues at the management level, and ensuring that "knowledge capital" is "stored" and managed in a business management system.&lt;/p&gt;&lt;p align="justify"&gt;Source : &lt;a href="http://www.computersecuritynow.com/7799part2.htm"&gt;http://www.computersecuritynow.com/7799part2.htm&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-6595193385065548588?l=isms-guide.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/6595193385065548588/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=6595193385065548588' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6595193385065548588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6595193385065548588'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/11/implementation-bs7799.html' title='Implementation : BS7799'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-4923346651153716839</id><published>2007-11-02T02:48:00.000-07:00</published><updated>2007-11-02T02:50:05.511-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='BS7799:2'/><title type='text'>Key Components of the Standard : BS 7799 (ISO 17799)</title><content type='html'>&lt;p align="justify"&gt;The standard is divided into two parts:&lt;/p&gt; &lt;p align="justify"&gt;BS 7799 Part 1 (ISO 17799:2000 Standard): Code of Practice for Information Security Management&lt;/p&gt; &lt;p align="justify"&gt;BS 7799 Part 2: Specifies requirements for establishing, implementing and documenting an Information Security Management System (ISMS)&lt;/p&gt;  &lt;p align="justify"&gt;The standard has 10 domains, which address the key areas of Information Security Management.&lt;/p&gt;  &lt;ol&gt;&lt;li&gt;&lt;b&gt;Information Security Policy for the 
organization.&lt;/b&gt;&lt;/li&gt;&lt;p align="justify"&gt;This activity involves a thorough understanding of the organization's business goals and its dependence on information security. The entire exercise begins with creation of the IT Security Policy. This is an extremely important task and should convey the total commitment of top management. The policy cannot be a theoretical exercise. It should reflect the needs of the actual users. It should be implementable, easy to understand and must balance the level of protection with productivity. The policy should cover all the important areas: personnel, physical, procedural and technical. &lt;/p&gt;&lt;li&gt;&lt;b&gt;Creation of information security infrastructure&lt;/b&gt;&lt;/li&gt;&lt;p align="justify"&gt;A management framework needs to be established to initiate, implement and control information security within the organization. This needs proper procedures for approval of the information security policy, assignment of security roles and coordination of security across the organization. &lt;/p&gt;&lt;li&gt;&lt;b&gt;Asset classification and control&lt;/b&gt;&lt;/li&gt;&lt;p align="justify"&gt;One of the most laborious but essential tasks is to manage an inventory of all the IT assets, which could be information assets, software assets, physical assets or other similar services. These information assets need to be classified to indicate the degree of protection required. The classification should result in appropriate information labeling to indicate whether the asset is sensitive or critical and which procedures are appropriate for copying, storing, transmitting or destroying the information asset.&lt;/p&gt;&lt;li&gt;&lt;b&gt;Personnel Security&lt;/b&gt;&lt;/li&gt;&lt;p align="justify"&gt;Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities. 
Various proactive measures should be taken: personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training. &lt;/p&gt;&lt;p align="justify"&gt;Alert and well-trained employees who are aware of what to look for can prevent future security breaches.  &lt;/p&gt;&lt;li&gt;&lt;b&gt;Physical and Environmental Security&lt;/b&gt;&lt;/li&gt;&lt;p align="justify"&gt;Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the beginning point of any security plan. The activities involved include establishing a physical security perimeter and physical entry controls, creating secure offices, rooms and facilities, providing physical access controls, providing protection devices to minimize risks ranging from fire to electromagnetic radiation, and providing adequate protection to power supplies and data cables. Cost-effective design and constant monitoring are two key aspects of maintaining adequate physical security control.&lt;/p&gt;&lt;li&gt;&lt;b&gt;Communications and Operations Management&lt;/b&gt;&lt;/li&gt;&lt;p align="justify"&gt;Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures. &lt;/p&gt;&lt;p align="justify"&gt;Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment, including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services. 
&lt;/p&gt;&lt;p align="justify"&gt;Exchange of information and software between external organizations should be controlled, and should be compliant with any relevant legislation. There should be proper information and software exchange agreements, the media in transit need to be secure and should not be vulnerable to unauthorized access, misuse or corruption. &lt;/p&gt;&lt;p align="justify"&gt;Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as Internet. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract dispute and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.&lt;/p&gt;&lt;li&gt;&lt;b&gt;Access control&lt;/b&gt;&lt;/li&gt;&lt;p align="justify"&gt;Access to information and business processes should be controlled on the business and security requirements. This will include defining access control policy and rules, user access management, user registration, privilege management, user password use and management, review of user access rights, network access controls, enforcing path from user terminal to computer, user authentication, node authentication, segregation of networks, network connection control, network routing control, operating system access control, user identification and authentication, use of system utilities, application access control, monitoring system access and use and ensuring information security when using mobile computing and tele-working facilities.&lt;/p&gt;&lt;li&gt;&lt;b&gt;System development and maintenance&lt;/b&gt;&lt;/li&gt;&lt;p align="justify"&gt;Security should ideally be built at the time of inception of a system. Hence security requirements should be identified and agreed prior to the development of information systems. 
This begins with security requirements analysis and specification, and providing controls at every stage, i.e. data input, data processing, data storage and retrieval, and data output. It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may involve encryption, digital signatures, use of digital certificates, protection of cryptographic keys and the standards to be used for cryptography. &lt;/p&gt;&lt;p align="justify"&gt;A strict change control procedure should be in place to facilitate tracking of changes. Any changes to operating systems or software packages should be strictly controlled. Special precautions must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation. &lt;/p&gt;&lt;li&gt;&lt;b&gt;Business Continuity Management&lt;/b&gt;&lt;/li&gt;&lt;p align="justify"&gt;A business continuity management process should be designed, implemented and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes and, depending on the risk assessment, preparing a strategy plan. The plan needs to be periodically tested, maintained and re-assessed based on changing circumstances. 
&lt;/p&gt;&lt;li&gt;&lt;b&gt;Compliance&lt;/b&gt;&lt;/li&gt;&lt;p align="justify"&gt;It is essential that strict adherence is observed to the provisions of national and international IT laws pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls and collection of evidence.&lt;/p&gt;&lt;/ol&gt; &lt;p align="justify"&gt;Information Technology’s use in business has also resulted in the enactment of laws that enforce responsibility for compliance. All legal requirements must be complied with to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements. &lt;/p&gt;    &lt;b&gt;&lt;p align="justify"&gt;BS 7799 (ISO 17799) and its relevance to Indian companies:&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;Although Indian companies and the Government have invested in IT, the facts about theft and attacks on Indian sites and companies are alarming. 261 Indian Government sites were hacked in 2001&lt;sup&gt;*&lt;/sup&gt;. Attacks and theft on corporate websites are frequent and are usually kept under "strict" secrecy to avoid embarrassment in front of business partners, investors, media and customers. &lt;/p&gt;  &lt;p align="justify"&gt;Huge losses are sometimes unaudited, and the only solution is to adopt a model that provides a long-run, business-led approach to Information Security Management.&lt;/p&gt;  &lt;p align="justify"&gt;BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 domains discussed above) which Indian companies can adopt to build their security infrastructure. 
Even if a company decides not to go in for certification, the BS 7799 (ISO 17799) model helps companies maintain IT security through ongoing, integrated management of policies and procedures, personnel training, selection and implementation of effective controls, review of their effectiveness, and improvement. Additional benefits of an ISMS are improved customer confidence, a competitive edge, better personnel motivation and involvement, and reduced incident impact. Ultimately this leads to increased profitability.&lt;/p&gt;  &lt;p&gt;Source : &lt;a href="http://www.computersecuritynow.com/7799part1.htm"&gt;http://www.computersecuritynow.com/7799part1.htm&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-4923346651153716839?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/4923346651153716839/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=4923346651153716839' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/4923346651153716839'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/4923346651153716839'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/11/key-components-of-standard-bs-7799-iso.html' title='Key Components of the Standard : BS 7799 (ISO 17799)'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-4544334671484468434</id><published>2007-10-15T20:54:00.000-07:00</published><updated>2007-10-15T20:55:40.470-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security policy'/><title type='text'>Sample Security Policies</title><content type='html'>&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt;&lt;tbody&gt;&lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;nobr&gt;&lt;a href="http://www.google.com/intl/en/dirhelp.html#pagerank"&gt;&lt;img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="27" /&gt;&lt;img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="13" /&gt;&lt;/a&gt;&lt;/nobr&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.whitehouse.gov/omb/memoranda/fy2006/m06-06_att.doc"&gt;HSPD-12 Privacy Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.whitehouse.gov/omb/memoranda/fy2006/m06-06_att.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample privacy policy including Privacy Act systems of records notices, Privacy Act statements and a privacy impact assessment, designed to satisfy the requirements of HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors”&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;nobr&gt;&lt;a href="http://www.google.com/intl/en/dirhelp.html#pagerank"&gt;&lt;img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="27" /&gt;&lt;img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="13" /&gt;&lt;/a&gt;&lt;/nobr&gt;&lt;/td&gt; 
&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.upenn.edu/computing/policy/"&gt;Information Security Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.upenn.edu/computing/policy/&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Electronic resource usage and security policies from the University of Pennsylvania.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;nobr&gt;&lt;a href="http://www.google.com/intl/en/dirhelp.html#pagerank"&gt;&lt;img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="27" /&gt;&lt;img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="13" /&gt;&lt;/a&gt;&lt;/nobr&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/"&gt;Information Security Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; SANS consensus research project offering around 30 editable information security policies.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;nobr&gt;&lt;a href="http://www.google.com/intl/en/dirhelp.html#pagerank"&gt;&lt;img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="27" /&gt;&lt;img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="13" /&gt;&lt;/a&gt;&lt;/nobr&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.auckland.ac.nz/security/PoliciesandStatutes.htm"&gt;Information Security Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- 
&lt;span&gt;http://www.auckland.ac.nz/security/PoliciesandStatutes.htm&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Set of acceptable use and technical policies from the University of Auckland covering common information security issues.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.27001-online.com/secpols.htm"&gt;ISO 27001 Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.27001-online.com/secpols.htm&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Typical headings for a security policy aligned broadly with the ISO/IEC standard for information security management systems.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.utoronto.ca/security/documentation/policies/policy_5.htm"&gt;Network Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.utoronto.ca/security/documentation/policies/policy_5.htm&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Example security policy for a data network from the University of Toronto.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://csrc.nist.gov/fasp/jump.html"&gt;Information Security Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://csrc.nist.gov/fasp/jump.html&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; NIST's extensive collection of well over 100 security policies and related awareness materials, mostly from US Government bodies.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.obfs.uillinois.edu/manual/central_p/sec19-5.html"&gt;Information Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.obfs.uillinois.edu/manual/central_p/sec19-5.html&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; An information security policy from the University of Illinois.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.cli.org/emailpolicy/top.html"&gt;Email Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.cli.org/emailpolicy/top.html&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; A menu of clauses suitable for email acceptable use policies.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Policy_Primer.pdf"&gt;Security Policy Primer&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Policy_Primer.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; General advice for those new to writing information security policies.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.murdoch.edu.au/admin/policies/itsecurity/policy.html"&gt;IT Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.murdoch.edu.au/admin/policies/itsecurity/policy.html&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Information technology security policy at Murdoch University, complete with supporting standards and guidelines.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sandstorm.net/products/phonesweep/modempolicy.php"&gt;Modem Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sandstorm.net/products/phonesweep/modempolicy.php&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample policy from Sandstorm, designed as an addition to an existing Remote Access Policy, if one exists, or simply to stand alone.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.epolicyinstitute.com/"&gt;Information Security Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.epolicyinstitute.com&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Policies on information security and other topics from ePolicy Institute.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.k12.wa.us/K-20/AUPSchBoardNetworkUse.aspx"&gt;K-20 Network Acceptable Use Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.k12.wa.us/K-20/AUPSchBoardNetworkUse.aspx&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Policy on acceptable use of a school network, along with information for parents and an informed consent form. Developed in Washington State.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf"&gt;Network Security Policy Guide&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Watchguard's guide to creating an overarching network information security policy, supported by subsidiary policies.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/newlook/resources/policies/Audit_Policy.pdf"&gt;Audit Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/newlook/resources/policies/Audit_Policy.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines requirements and provides authority for the information security team to conduct IT audits and risk assessments.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.securityfocus.com/infocus/1497"&gt;IP Network Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.securityfocus.com/infocus/1497&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Example security policy to demonstrate policy writing techniques introduced in three earlier articles.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/email_retention.doc"&gt;Email Retention Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/email_retention.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample policy to help employees determine which emails should be retained and for how long.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/newlook/resources/policies/Internet_DMZ_Equipment_Policy.pdf"&gt;Internet DMZ Equipment Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/newlook/resources/policies/Internet_DMZ_Equipment_Policy.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample policy defining the minimum requirements for all equipment located outside the corporate firewall.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/newlook/resources/policies/Information_Sensitivity_Policy.pdf"&gt;Information Sensitivity Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/newlook/resources/policies/Information_Sensitivity_Policy.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample policy defining the assignment of sensitivity levels to information.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Password_Policy.doc"&gt;Password Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Password_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines standards for creating, protecting and changing strong passwords. [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.ruskwig.com/docs/internet_policy.pdf"&gt;Internet Acceptable Use Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.ruskwig.com/docs/internet_policy.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; One-page Acceptable Use Policy example.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Acceptable_Use_Policy.doc"&gt;Acceptable Use Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Acceptable_Use_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines acceptable use of IT equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information. [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.lazarusalliance.com/horsewiki/index.php/Documents"&gt;Information Security Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.lazarusalliance.com/horsewiki/index.php/Documents&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Collection of policies relating to SOX, GLBA, HIPAA and the ISO/IEC 27000-series on the HORSE (Holistic Operational Readiness Security Evaluation) wiki.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/TESS-DOR-EXAMPLES.htm"&gt;Information Security Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/TESS-DOR-EXAMPLES.htm&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Templates for information security policies, guidelines, checklists and procedures by Walt Kobus.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Risk_Assessment_Policy.doc"&gt;Risk Assessment Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Risk_Assessment_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines requirements and authorizes the information security team to identify, assess and remediate risks to the organization's information infrastructure. [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf"&gt;Information Security Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; 111-page security policy manual from the Australian New South Wales Department of Commerce, based on ISO 27001.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.datasecuritypolicies.com/wp-content/uploads/2007/04/generic-personnel-security-policy.pdf"&gt;Personnel Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.datasecuritypolicies.com/wp-content/uploads/2007/04/generic-personnel-security-policy.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Example policy covering pre-employment screening, security policy training etc.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.apwu.org/dept/ind-rel/USPS_hbks/AS-Series/AS-805%20Information%20Security%209-05%20%281.21%20MB%29.pdf"&gt;Information Security Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.apwu.org/dept/ind-rel/USPS_hbks/AS-Series/AS-805%20Information%20Security%209-05%20(1.21%20MB).pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; US Postal Service's information security policy manual. 264 pages of security controls, broadly similar in structure to ISO 17799.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Analog_Line_Policy.doc"&gt;Analog/ISDN Line Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Analog_Line_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines policy for analog/ISDN lines used for faxing and data connections.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Lab_Anti-Virus_Policy.doc"&gt;Anti-Virus Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Lab_Anti-Virus_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Requirements for effective virus detection and prevention. Written for a laboratory environment but easy to adapt for other settings. [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Aquisition_Assessment_Policy.doc"&gt;Acquisition Assessment Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Aquisition_Assessment_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group. [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Dial-in_Access_Policy.doc"&gt;Dial-in Access Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Dial-in_Access_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Policy regarding the use of dial-in connections to corporate networks. [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Ethics_Policy.doc"&gt;Ethics Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Ethics_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample policy intended to 'establish a culture of openness, trust and integrity'.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Extranet_Policy.doc"&gt;Extranet Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Extranet_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines the requirement that third-party organizations requiring access to the organization's networks must sign a third-party connection agreement. [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.cbe.uidaho.edu/wegman/404/PRIVACY%20POLICY%20IVI%20Generic.htm"&gt;Privacy Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.cbe.uidaho.edu/wegman/404/PRIVACY%20POLICY%20IVI%20Generic.htm&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Generic policy for websites offering goods and services, with an important warning to seek qualified legal advice in this area.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/Cryptography%20PolicyV4.pdf"&gt;Cryptography Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/Cryptography%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Cryptographic policy template by Walt Kobus.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/Communications%20PolicyV4.pdf"&gt;Communications Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/Communications%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Data communications security policy template by Walt Kobus; defines network security control requirements.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/Physical%20Security%20PolicyV4.pdf"&gt;Physical Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/Physical%20Security%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Policy template by Walt Kobus; defines requirements for physical access control to sensitive facilities and use of ID badges.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/Data%20Classification%20PolicyV4.pdf"&gt;Data Classification Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/Data%20Classification%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Policy template by Walt Kobus; describes the classification of information according to sensitivity (primarily confidentiality).&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/User%20Data%20Protection%20PolicyV4.pdf"&gt;User Data Protection Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/User%20Data%20Protection%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Policy template by Walt Kobus; defines requirements for access controls, least privilege, integrity etc. to secure personal data.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/Information%20Data-Ownership%20PolicyV4.pdf"&gt;Information Data Ownership Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/Information%20Data-Ownership%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Policy template by Walt Kobus; defines the roles and responsibilities of owners, custodians and users of information systems.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/Resource%20Utilization%20PolicyV4.pdf"&gt;Resource Utilization Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/Resource%20Utilization%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Policy template by Walt Kobus; defines requirements for resilience, redundancy and fault tolerance in information systems.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/Security%20Audit%20PolicyV4.pdf"&gt;Security Audit Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/Security%20Audit%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Audit policy template by Walt Kobus.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/Security%20Mngt%20PolicyV4.pdf"&gt;Security Management Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/Security%20Mngt%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; General information security policy template by Walt Kobus.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Router_Security_Policy.doc"&gt;Router Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Router_Security_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample policy establishing the minimum security requirements for all routers and switches connecting to production networks. [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr valign="top"&gt;&lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Remote_Access_Policy.doc"&gt;Remote Access Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Remote_Access_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines standards for connecting to a corporate network from any host. 
[MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;nobr&gt;&lt;a href="http://www.google.com/intl/en/dirhelp.html#pagerank"&gt;&lt;img src="http://directory.google.com/images/pos.gif" alt="" align="absmiddle" border="0" height="4" width="5" /&gt;&lt;img src="http://directory.google.com/images/neg.gif" alt="" align="absmiddle" border="0" height="4" width="35" /&gt;&lt;/a&gt;&lt;/nobr&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.enterprise-ireland.com/ebusinesssite/guides/internal_security/internal_security_index.asp"&gt;IT Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.enterprise-ireland.com/ebusinesssite/guides/internal_security/internal_security_index.asp&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; IT security policy example/how-to guide from Enterprise Ireland.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/DB_Credentials_Policy.doc"&gt;Database Password Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/DB_Credentials_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines requirements for securely storing and retrieving database usernames and passwords. 
[MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/DMZ_Lab_Security_Policy.doc"&gt;DMZ Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/DMZ_Lab_Security_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample policy establishing security requirements of equipment to be deployed in the corporate De-Militarized Zone.  [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;&lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.security.govt.nz/sigs/sigs.zip"&gt;Government Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.security.govt.nz/sigs/sigs.zip&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; The New Zealand Government's information security policy, based on the 2000 version of ISO/IEC 17799. 
[ZIP file containing PDF and MS Word versions]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/Identification%20&amp;amp;%20Authentication%20PolicyV4.pdf"&gt;Identification and Authentication Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/Identification%20&amp;amp;%20Authentication%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; I&amp;amp;A policy template by Walt Kobus defines requirements for access control.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.tess-llc.com/Certification%20&amp;amp;%20Accreditation%20PolicyV4.pdf"&gt;Certification and Accreditation Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.tess-llc.com/Certification%20&amp;amp;%20Accreditation%20PolicyV4.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Policy template by Walt Kobus defines requirements and responsibilities for security assurance throughout the system development process.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Internal_Lab_Security_Policy.doc"&gt;Laboratory Security Policy&lt;/a&gt; &lt;span 
style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Internal_Lab_Security_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Policy to secure confidential information and technologies in the labs and protect production services and the rest of the organization from lab activities. [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.doc"&gt;Encryption Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.doc&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines encryption algorithms that are suitable for use within the organization.  [MS Word]&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;&lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt; &lt;tbody&gt;&lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://ww2.umflint.edu/its/helpdesk/security/passwords/passwords.pdf"&gt;Password Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://ww2.umflint.edu/its/helpdesk/security/passwords/passwords.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; A password policy presented in the form of a security awareness poster.  
"Passwords are like underwear ..."&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.womans-work.com/teleworking_policy.htm"&gt;Telecommuting/Teleworking Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.womans-work.com/teleworking_policy.htm&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample policy on teleworking covering employment as well as information security issues.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.attackprevention.com/Policies_and_Procedures/Sample_Policies"&gt;Information Security Policies&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.attackprevention.com/Policies_and_Procedures/Sample_Policies&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Collection of information security policy samples covering PKI, antivirus, ethics, email and several other topics, from AttackPrevention.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.cusys.edu/%7Epolicies/General/email.html"&gt;Email Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.cusys.edu/~policies/General/email.html&lt;/span&gt;&lt;/span&gt;&lt;br 
/&gt;&lt;span style="font-size:-1;"&gt; Policy from the University of Colorado on the use of, access to, and disclosure of electronic mail.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/newlook/resources/policies/Server_Security_Policy.pdf"&gt;Server Security Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/newlook/resources/policies/Server_Security_Policy.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; &lt;table border="0" cellpadding="1" cellspacing="0" width="100%"&gt;&lt;tbody&gt;&lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/newlook/resources/policies/Application_Service_Providers.pdf"&gt;Application Service Provider Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/newlook/resources/policies/Application_Service_Providers.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Security criteria for an ASP.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a 
href="http://www.sans.org/newlook/resources/policies/Virtual_Private_Network.pdf"&gt;Virtual Private Network Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/newlook/resources/policies/Virtual_Private_Network.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/newlook/resources/policies/Automatically_Forwarded_Email_Policy.pdf"&gt;Email Forwarding Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/newlook/resources/policies/Automatically_Forwarded_Email_Policy.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/newlook/resources/policies/Third_Party_Agreement.pdf"&gt;Third Party Connection Agreement&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/newlook/resources/policies/Third_Party_Agreement.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample agreement for establishing a connection to an external party.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr 
valign="top"&gt;&lt;td width="6%"&gt; &lt;img src="http://directory.google.com/images/cleardot.gif" alt="" align="absmiddle" border="0" height="4" width="40" /&gt;&lt;/td&gt; &lt;td&gt;&lt;span style="font-family:arial,sans-serif;"&gt;&lt;a href="http://www.sans.org/newlook/resources/policies/Wireless_Communication_Policy.pdf"&gt;Wireless Communication Policy&lt;/a&gt; &lt;span style="font-size:-1;color:#6f6f6f;"&gt;- &lt;span&gt;http://www.sans.org/newlook/resources/policies/Wireless_Communication_Policy.pdf&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:-1;"&gt; Sample policy concerning the use of unsecured wireless communications technology.&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Source : directory.google.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-4544334671484468434?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/4544334671484468434/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=4544334671484468434' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/4544334671484468434'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/4544334671484468434'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/10/sample-security-policies_15.html' title='Sample Security Policies'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-5940078351263313706</id><published>2007-10-15T20:51:00.000-07:00</published><updated>2007-10-15T20:52:50.565-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security policy'/><title type='text'>Sample Security Policies</title><content type='html'>&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Acceptable_Use_Policy.doc"&gt;Acceptable Use Policy&lt;/a&gt; - Defines acceptable use of IT equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information. [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Aquisition_Assessment_Policy.doc"&gt;Acquisition Assessment Policy&lt;/a&gt; - Defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group. [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Analog_Line_Policy.doc"&gt;Analog/ISDN Line Policy&lt;/a&gt; - Defines policy for analog/ISDN lines used for FAXing and data connections. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Lab_Anti-Virus_Policy.doc"&gt;Anti-Virus Policy&lt;/a&gt; - Requirements for effective virus detection and prevention. Written for a laboratory environment but easy to adapt for other settings. [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Application_Service_Providers.pdf"&gt;Application Service Provider Policy&lt;/a&gt; - Security criteria for an ASP. 
&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Audit_Policy.pdf"&gt;Audit Policy&lt;/a&gt; - Defines requirements and provides authority for the information security team to conduct IT audits and risk assessments. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/Certification%20&amp;amp;%20Accreditation%20PolicyV4.pdf"&gt;Certification and Accreditation Policy&lt;/a&gt; - Policy template by Walt Kobus defines requirements and responsibilities for security assurance throughout the system development process. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/Communications%20PolicyV4.pdf"&gt;Communications Policy&lt;/a&gt; - Datacommunications security policy template by Walt Kobus defines network security control requirements. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.cli.org/emailpolicy/top.html"&gt;Company Email Policy&lt;/a&gt; - A menu of clauses suitable for email acceptable use policies. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/Cryptography%20PolicyV4.pdf"&gt;Cryptography Policy&lt;/a&gt; - Cryptographic policy template by Walt Kobus. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/Data%20Classification%20PolicyV4.pdf"&gt;Data Classification Policy&lt;/a&gt; - Policy template by Walt Kobus describes the classification of information according to sensitivity (primarily confidentiality). [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/DB_Credentials_Policy.doc"&gt;Database Password Policy&lt;/a&gt; - Defines requirements for securely storing and retrieving database usernames and passwords. [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Dial-in_Access_Policy.doc"&gt;Dial-in Access Policy&lt;/a&gt; - Policy regarding the use of dial-in connections to corporate networks. 
[MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/DMZ_Lab_Security_Policy.doc"&gt;DMZ Security Policy&lt;/a&gt; - Sample policy establishing security requirements of equipment to be deployed in the corporate De-Militarized Zone.  [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Automatically_Forwarded_Email_Policy.pdf"&gt;Email Forwarding Policy&lt;/a&gt; - Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/email_retention.doc"&gt;Email Retention Policy&lt;/a&gt; - Sample policy to help employees determine which emails should be retained and for how long. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.doc"&gt;Encryption Policy&lt;/a&gt; - Defines encryption algorithms that are suitable for use within the organization.  [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Ethics_Policy.doc"&gt;Ethics Policy&lt;/a&gt; - Sample policy intended to 'establish a culture of openness, trust and integrity'. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Extranet_Policy.doc"&gt;Extranet Policy&lt;/a&gt; - Defines the requirement that third party organizations requiring access to the organization's networks must sign a third-party connection agreement. [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.security.govt.nz/sigs/sigs.zip"&gt;Government Security Policy&lt;/a&gt; - The New Zealand Government's information security policy, based on the 2000 version of ISO/IEC 17799. 
[ZIP file containing PDF and MS Word versions] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.whitehouse.gov/omb/memoranda/fy2006/m06-06_att.doc"&gt;HSPD-12 Privacy Policy&lt;/a&gt; - Sample privacy policy including Privacy Act systems of records notices, Privacy Act statements and a privacy impact assessment, designed to satisfy the requirements of HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors” &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/Identification%20&amp;amp;%20Authentication%20PolicyV4.pdf"&gt;Identification and Authentication Policy&lt;/a&gt; - I&amp;amp;A policy template by Walt Kobus defines requirements for access control. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/Information%20Data-Ownership%20PolicyV4.pdf"&gt;Information Data Ownership Policy&lt;/a&gt; - Policy template by Walt Kobus defines the roles and responsibilities of owners, custodians and users of information systems. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/TESS-DOR-EXAMPLES.htm"&gt;Information Security Policies&lt;/a&gt; - Templates for information security policies, guidelines, checklists and procedures by Walt Kobus. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.attackprevention.com/Policies_and_Procedures/Sample_Policies"&gt;Information Security Policies&lt;/a&gt; - Collection of information security policy samples covering PKI, antivirus, ethics, email and several other topics, from AttackPrevention. &lt;/li&gt;&lt;li&gt;&lt;a href="http://csrc.nist.gov/fasp/jump.html"&gt;Information Security Policies&lt;/a&gt; - NIST's extensive collection of well over 100 security policies and related awareness materials, mostly from US Government bodies. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.upenn.edu/computing/policy/"&gt;Information Security Policies&lt;/a&gt; - Electronic resource usage and security policies from the University of Pennsylvania. 
&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.apwu.org/dept/ind-rel/USPS_hbks/AS-Series/AS-805%20Information%20Security%209-05%20%281.21%20MB%29.pdf"&gt;Information Security Policies&lt;/a&gt; - US Postal Service's information security policy manual. 264 pages of security controls, broadly similar in structure to ISO/IEC 27002. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.epolicyinstitute.com/"&gt;Information Security Policies&lt;/a&gt; - Policies on information security and other topics from ePolicy Institute. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.ucisa.ac.uk/ist/agree/"&gt;Information Security Policies&lt;/a&gt; - The Information Security Toolkit from UCISA (University Colleges and Information Systems Association) contains a suite of security policy and guidance documents reflecting and cross-referenced against BS7799. [PDF documents] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf"&gt;Information Security Policies&lt;/a&gt; - 111-page security policy manual from the Australian New South Wales Department of Commerce, based on ISO/IEC 27001. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.auckland.ac.nz/security/PoliciesandStatutes.htm"&gt;Information Security Policies&lt;/a&gt; - Set of acceptable use and technical policies from the University of Auckland covering common information security issues. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/"&gt;Information Security Policies&lt;/a&gt; - SANS consensus research project offering around 30 editable information security policies. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.obfs.uillinois.edu/manual/central_p/sec19-5.html"&gt;Information Security Policy&lt;/a&gt; - An information security policy from the University of Illinois. 
&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Information_Sensitivity_Policy.pdf"&gt;Information Sensitivity Policy&lt;/a&gt; - Sample policy defining the assignment of sensitivity levels to information. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.ruskwig.com/docs/internet_policy.pdf"&gt;Internet Acceptable Use Policy&lt;/a&gt; - One page Acceptable Use Policy example. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Internet_DMZ_Equipment_Policy.pdf"&gt;Internet DMZ Equipment Policy&lt;/a&gt; - Sample policy defining the minimum requirement for all equipment located outside the corporate firewall. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.securityfocus.com/infocus/1497"&gt;IP Network Security Policy&lt;/a&gt; - Example security policy to demonstrate policy writing techniques introduced in three earlier articles. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.27001-online.com/secpols.htm"&gt;ISO 27001 Policies&lt;/a&gt; - Typical headings for a security policy aligned broadly with the ISO/IEC standard for information security management systems. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.murdoch.edu.au/admin/policies/itsecurity/policy.html"&gt;IT Security Policy&lt;/a&gt; - Information technology security policy at Murdoch University, complete wth supporting standards and guidelines. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.enterprise-ireland.com/ebusinesssite/guides/internal_security/internal_security_index.asp"&gt;IT Security Policy&lt;/a&gt; - IT security policy example/how-to guide from Enterprise Ireland. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.k12.wa.us/K-20/AUPSchBoardNetworkUse.aspx"&gt;K-20 Network Acceptable Use Policy&lt;/a&gt; - Policy on acceptable use of a school network, along with information for parents and an informed consent form. Developed in Washington State. 
&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Internal_Lab_Security_Policy.doc"&gt;Laboratory Security Policy&lt;/a&gt; - Policy to secure confidential information and technologies in the labs and protect production services and the rest of the organization from lab activities. [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sandstorm.net/products/phonesweep/modempolicy.php"&gt;Modem Policy&lt;/a&gt; - Sample policy from Sandstorm, designed as an addition to an existing Remote Access Policy, if one exists, or simply to stand alone. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.utoronto.ca/security/documentation/policies/policy_5.htm"&gt;Network Security Policy&lt;/a&gt; - Example security policy for a data network from the University of Toronto. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf"&gt;Network Security Policy Guide&lt;/a&gt; - Watchguard's guide to creating an overarching network information security policy, supported by subsidiary policies. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://ww2.umflint.edu/its/helpdesk/security/passwords/passwords.pdf"&gt;Password Policy&lt;/a&gt; - A password policy presented in the form of a security awareness poster.  "Passwords are like underwear ..." [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Password_Policy.doc"&gt;Password Policy&lt;/a&gt; - Defines standards for creating, protecting and changing strong passwords. [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.datasecuritypolicies.com/wp-content/uploads/2007/04/generic-personnel-security-policy.pdf"&gt;Personnel Security Policy&lt;/a&gt; - Example policy covering pre-employment screening, security policy training etc. 
[PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/Physical%20Security%20PolicyV4.pdf"&gt;Physical Security Policy&lt;/a&gt; - Policy template by Walt Kobus defines requirements for physical access control to sensitive facilities and use of ID badges. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.cbe.uidaho.edu/wegman/404/PRIVACY%20POLICY%20IVI%20Generic.htm"&gt;Privacy Policy&lt;/a&gt; - Generic policy for websites offering goods and services, with an important warning to seek qualified legal advice in this area. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Remote_Access_Policy.doc"&gt;Remote Access Policy&lt;/a&gt; - Defines standards for connecting to a corporate network from any host. [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/Resource%20Utilization%20PolicyV4.pdf"&gt;Resource Utilization Policy&lt;/a&gt; - Poilicy template by Walt Kobus defines requirements for resilience, redundancy and fault tolerance in information systems. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Risk_Assessment_Policy.doc"&gt;Risk Assessment Policy&lt;/a&gt; - Defines requirements and authorizes the information security team to identify, assess and remediate risks to the organization's information infrastructure. [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Router_Security_Policy.doc"&gt;Router Security Policy&lt;/a&gt; - Sample policy establishing the minimum security requirements for all routers and switches connecting to production networks. [MS Word] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/Security%20Audit%20PolicyV4.pdf"&gt;Security Audit Policy&lt;/a&gt; - Audit policy template by Walt Kobus. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/Security%20Mngt%20PolicyV4.pdf"&gt;Security Management Policy&lt;/a&gt; - General information security policy template by Walt Kobus. 
[PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Policy_Primer.pdf"&gt;Security Policy Primer&lt;/a&gt; - General advice for those new to writing information security policies. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Server_Security_Policy.pdf"&gt;Server Security Policy&lt;/a&gt; - Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.womans-work.com/teleworking_policy.htm"&gt;Telecommuting/Teleworking Policy&lt;/a&gt; - Sample policy on teleworking covering employment as well as information security issues. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Third_Party_Agreement.pdf"&gt;Third Party Connection Agreement&lt;/a&gt; - Sample agreement for establishing a connection to an external party. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.cusys.edu/%7Epolicies/General/email.html"&gt;Use of Electronic Mail&lt;/a&gt; - Policy from the University of Colorado on the use of, access to, and disclosure of electronic mail. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tess-llc.com/User%20Data%20Protection%20PolicyV4.pdf"&gt;User Data Protection Policy&lt;/a&gt; - Policy template by Walt Kobus defines requirements for access controls, least privilege, integrity etc. to secure personal data. [PDF] &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Virtual_Private_Network.pdf"&gt;Virtual Private Network Policy&lt;/a&gt; - Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network. 
&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.sans.org/resources/policies/Wireless_Communication_Policy.pdf"&gt;Wireless Communication Policy&lt;/a&gt; - Sample policy concerning the use of unsecured wireless communications technology.&lt;/li&gt;&lt;/ul&gt;Source : www.dmoz.org&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-5940078351263313706?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/5940078351263313706/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=5940078351263313706' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5940078351263313706'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5940078351263313706'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/10/sample-security-policies.html' title='Sample Security Policies'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-910145954597095658</id><published>2007-10-07T21:50:00.000-07:00</published><updated>2007-10-07T21:51:27.067-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISMS CASE'/><title type='text'>Network Security Audit Case Study</title><content type='html'>&lt;p&gt;This is a case study of Dionach carrying out a network security audit on        an insurance company based in the UK. 
The audit comprised an internal security audit and an external perimeter security audit. Some of the information has been changed or omitted to maintain confidentiality.&lt;/p&gt; &lt;h4&gt;Background &lt;/h4&gt; &lt;p&gt;The organisation carries out much of its business online, and felt that an independent view of its internal and external network security was required. The organisation selected Dionach to carry out the auditing. Dionach carried out the external penetration test first, and then the on-site audit.&lt;/p&gt; &lt;h4&gt;Internal Audit &lt;/h4&gt; &lt;p&gt;Three Dionach consultants carried out the internal audit, with one of them nominated as the lead auditor. The lead auditor liaised with the organisation's information security officer (ISO).&lt;/p&gt; &lt;p&gt;The ISO, along with other staff who had the appropriate knowledge, was interviewed to gain an understanding of how the network, servers and LAN were set up. This allowed an up-to-date network diagram to be created. Copies of existing network diagrams and the security policy were also taken.&lt;/p&gt; &lt;p&gt;The lead auditor then assigned consultants to audit the configuration of the firewalls, routers, web servers, database servers and domain controllers, and a sample of the workstations. Antivirus, email, network topology and physical security were also examined.&lt;/p&gt; &lt;p&gt;Throughout the process, the organisation's staff responsible for each area being audited were interviewed further as required; however, the purpose of the audit was to determine the actual technical setup and compare it to best practice.&lt;/p&gt; &lt;p&gt;At the end of the on-site process, the lead auditor held a meeting with the ISO to provide an initial oral report of the findings. 
The audit team's task was then to produce the final report.&lt;/p&gt; &lt;h4&gt;Report &lt;/h4&gt; &lt;p&gt;The report was comprehensive and detailed, with an executive summary, a section for the external audit, a section for the on-site internal audit and, finally, a technical summary of conclusions.&lt;/p&gt; &lt;p&gt;The executive summary first stated that the security of the network represented a medium risk. Most elements of the network were configured securely, and the recent introduction of a group security policy would reinforce and improve security awareness.&lt;/p&gt; &lt;p&gt;The executive summary also listed the following issues:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;The external security risk was low, although one of the firewall configurations allowed servers to make outbound connections; if a server were vulnerable, that egress would make it easier for an attacker to compromise it, since the compromised host could connect back out to the attacker.&lt;/li&gt;&lt;li&gt;Although anti-virus was in place at the perimeter, on the email gateway and on the servers, the individual user workstations were not protected. Workstations were also not being patched, so if a virus or worm found its way onto the internal network it would spread unhindered.&lt;/li&gt;&lt;li&gt;There was no intrusion detection system (IDS) in place: the external penetration test went unnoticed by the organisation. Because the organisation depends on online business, Dionach strongly recommended implementing a network IDS that would be actively monitored.&lt;/li&gt;&lt;li&gt;A password audit of the domain users showed that many users had simple passwords, even though the security policy gave guidance on choosing strong passwords. 
There was no mechanism enforcing strong passwords.&lt;/li&gt;&lt;li&gt;A number of internal SQL Server databases had blank administrator passwords and service pack levels that were not up to date.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Further detail and recommendations were provided in the rest of the report.&lt;/p&gt; &lt;p&gt;The external audit section listed the external test results in detail, with a technical summary of issues and recommendations, of which there were few.&lt;/p&gt; &lt;p&gt;The internal audit section listed the areas audited, good security practices, and areas where security could be improved: antivirus protection, physical security, information security, wireless connectivity, database servers, firewall configurations, DMZs and perimeter security.&lt;/p&gt; &lt;p&gt;The internal audit section presented the audit findings, including diagrams and tables, such as the network topology. &lt;/p&gt; &lt;p&gt;Finally, the report gave a summary of conclusions with the issues listed in order of risk, most critical first.&lt;/p&gt; &lt;h4&gt;Presentation &lt;/h4&gt; &lt;p&gt;The report was then agreed with the organisation, and presented to them in a meeting to ensure that the organisation gained the most value from the audit and the report.&lt;/p&gt; &lt;p&gt;The organisation then proceeded to prioritise and resolve the issues.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Source : www.dionach.com&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-910145954597095658?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/910145954597095658/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=910145954597095658' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/910145954597095658'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/910145954597095658'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/10/network-security-audit-case-study.html' title='Network Security Audit Case Study'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-8066153324438668568</id><published>2007-10-07T21:48:00.000-07:00</published><updated>2007-10-07T21:50:05.185-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISMS CASE'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>ISO 27001 Internal Audit Case Study</title><content type='html'>&lt;p&gt;This is a case study of Dionach carrying out an ISO 27001 internal audit        for a public organisation based in the Republic of Ireland. Some of the        information has been changed or omitted to maintain confidentiality.&lt;/p&gt;     &lt;h4&gt;Background&lt;/h4&gt;     &lt;p&gt;The client is certified to the international standard ISO 27001. Part        of the standard specifies that planned, objective and impartial internal        ISMS audits should take place. 
The audits shall determine whether the ISMS:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Conforms to the standard&lt;/li&gt;&lt;li&gt;Conforms to the information security requirements specified&lt;/li&gt;&lt;li&gt;Is effective and well maintained&lt;/li&gt;&lt;li&gt;Performs as expected&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The organisation felt that it could not resource the audit personnel from within the organisation, and so commissioned Dionach to carry out the internal audits.&lt;/p&gt; &lt;h4&gt;Internal Audit &lt;/h4&gt; &lt;p&gt;The organisation decided to split the auditing of the ISMS into several stages throughout the year. The scope of the initial audit was the following areas:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Risk Assessment&lt;/li&gt;&lt;li&gt;Information Handling&lt;/li&gt;&lt;li&gt;Physical Security and Incident Reporting&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Prior to the audit, Dionach requested relevant copies of the ISMS and other related documentation from the organisation. Dionach consultants spent a significant amount of time familiarising themselves with the organisation's documentation and finding out more about the organisation in general. Dionach produced a detailed schedule of tasks and interviews over four days to spend with the organisation, providing two consultants to carry out the audit. The schedule was agreed with the organisation.&lt;/p&gt; &lt;p&gt;On site at the organisation, the consultants liaised with the organisation's ISMS Manager, starting with a tour of the site. 
The tour also gave a preview of the physical security of the site, and a chance to meet some of the staff.&lt;/p&gt; &lt;p&gt;The Dionach consultants followed the auditing guidelines specified in ISO 19011 during the course of the audit, applying the following principles: ethical conduct, fair presentation, due professional care, independence, and an evidence-based approach.&lt;/p&gt; &lt;p&gt;After taking notes from documentation, observations and interviews, the consultants gave feedback at the end of every day to the organisation's ISMS Manager on any likely non-conformances or comments.&lt;/p&gt; &lt;p&gt;On the last day, in the closing meeting, Dionach presented a draft report listing the findings, each graded as a major non-conformance, a minor non-conformance, or simply a comment. There were no major non-conformances within the scope of the audit, several minor non-conformances, and two comments. The minor non-conformances ranged from easily corrected ISMS documentation inconsistencies to issues that would need to be discussed at length in the organisation's Information Security Forum.&lt;/p&gt; &lt;p&gt;In the closing meeting the organisation agreed to produce a list of corrective actions for each of the non-conformances by a certain date.&lt;/p&gt; &lt;p&gt;Dionach provided the organisation with a final version of the audit report, and now looks forward to carrying out the next part of the internal audit process.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Source : www.dionach.com&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-8066153324438668568?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/8066153324438668568/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=8066153324438668568' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8066153324438668568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8066153324438668568'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/10/iso-27001-internal-audit-case-study.html' title='ISO 27001 Internal Audit Case Study'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-587502877160829316</id><published>2007-10-03T19:29:00.000-07:00</published><updated>2007-10-03T19:31:59.585-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Benefits'/><category scheme='http://www.blogger.com/atom/ns#' term='Certification'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>Executive Briefing On ISO 17799:2005 &amp; ISO 27001:2005</title><content type='html'>&lt;span style="font-weight: bold;"&gt;PDF file&lt;br /&gt;22 pages&lt;br /&gt;Source : http://sqm-advisors.com&lt;br /&gt;&lt;/span&gt;&lt;a href="http://sqm-advisors.com/downloads/Executive_Briefing_on_ISO_27001_3_07.pdf"&gt;http://sqm-advisors.com/downloads/Executive_Briefing_on_ISO_27001_3_07.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;• What is Information Security?&lt;br /&gt;• What is Information Security Management?&lt;br /&gt;• Why is Information Security Management Needed?&lt;br /&gt;• What is an Information Security Management System?&lt;br /&gt;• How do ISO 17799 and ISO 27001 fit into the 
picture?&lt;br /&gt;• ISO 17799 &amp;amp; ISO 27001 summarized&lt;br /&gt;• What are the benefits of ISO 27001 certification?&lt;br /&gt;• ISO 27001 certification scheme&lt;br /&gt;• How does an organization achieve certification?&lt;br /&gt;• Worldwide trends in ISO 27001 certification&lt;br /&gt;• Market considerations&lt;br /&gt;• Where to go from here?&lt;br /&gt;• The bottom line&lt;br /&gt;• More Information&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-587502877160829316?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/587502877160829316/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=587502877160829316' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/587502877160829316'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/587502877160829316'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/10/executive-briefing-on-iso-177992005-iso.html' title='Executive Briefing On ISO 17799:2005 &amp; ISO 27001:2005'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-3894338361692215491</id><published>2007-10-03T19:17:00.000-07:00</published><updated>2007-10-03T19:18:17.724-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Benefits'/><category 
scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>The benefits of ISO 27001:2005</title><content type='html'>The reputation of ISO and the certification against the internationally recognized ISO 27001:2005 enhances any company’s credibility. It clearly demonstrates the validity of your information and a real commitment to upholding information security. The set up and certification of an ISMS can also transform your corporate culture both internally and externally, opening up new business opportunities with security conscious customers/clients, in addition to improving employee ethics and the notion of confidentiality throughout the workplace. What’s more, it allows you to enforce information security and reduce the possible risk of fraud, information loss and disclosure.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source : www.itworks.lu&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-3894338361692215491?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/3894338361692215491/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=3894338361692215491' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/3894338361692215491'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/3894338361692215491'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/10/benefits-of-iso-270012005.html' title='The benefits of ISO 27001:2005'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-6298441404264381037</id><published>2007-10-03T19:13:00.000-07:00</published><updated>2007-10-03T19:15:39.273-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='ISMS CASE'/><title type='text'>Information Technology Risk Assessment</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Information Technology Risk Assessment&lt;/span&gt;&lt;br /&gt;  An &lt;span style="font-weight: bold;"&gt;information technology risk assessment&lt;/span&gt; tries to identify the risks, human and natural, that an information technology asset is exposed to. These range from earthquakes, storms and fires to human error, fraud, disgruntled employees and external intrusion. In addition, an ESTec information technology risk assessment assesses the vulnerabilities and the countermeasures already in place. The examination then ranks the threats and vulnerabilities, and identifies additional countermeasures appropriate to the sensitivity, criticality and reliability required of the information technology asset.&lt;br /&gt;&lt;br /&gt;To keep your expenses to a minimum and your protection to a maximum, ESTec establishes a cost value for every type of impact on your information technology asset. Combining that cost with the event probability gives management an expected-loss ("insurance") value for each type of event and each asset involved, which allows management to justify the expenditure on countermeasures for potential events and interruptions of service. That way, you get the most bang for your buck.&lt;br /&gt;&lt;br /&gt;Information technology risk assessment is an integral part of ISO 17799 / ISO 27001 information security management systems. 
ESTec can provide training for internal information technology risk assessment and risk management personnel, as well as outside information technology risk assessment services. A standards-based information security management system includes a formal risk management plan for the organization. Risks must be identified and then treated: reduced with countermeasures, transferred to a third party (such as an insurer or an outsourced provider), or in some cases accepted by the organization as part of its normal business risk.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Sample Case Risk Assessment&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Customer: West Coast Utility&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Services: Information Technology Risk Assessment&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Problem:&lt;/span&gt; A new client information system was to be implemented. Management wanted a justification for the budget requests for the project.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Solution:&lt;/span&gt; An ESTec consultant worked with the IT department to develop a detailed risk assessment for the project's assets.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Results:&lt;/span&gt; The company was able to control and direct expenses to where they did the greatest good, and ended up saving a high percentage of the original allocation of funding for this protection.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source : www.security.estec.com&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-6298441404264381037?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/6298441404264381037/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=6298441404264381037' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6298441404264381037'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6298441404264381037'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/10/information-technology-risk-assessment.html' title='Information Technology Risk Assessment'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-3650068438960469828</id><published>2007-10-03T19:01:00.000-07:00</published><updated>2007-10-03T19:13:11.368-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISMS CASE'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 17799'/><category scheme='http://www.blogger.com/atom/ns#' term='Benefits'/><title type='text'>A Business Case for ISO 27001 / ISO 17799 / BS 7799</title><content type='html'>&lt;p style="font-weight: bold;" class="ArticleTitle" align="center"&gt;The business value of ISO17799&lt;/p&gt;       &lt;p style="font-weight: bold;" class="ArticleTitle" align="center"&gt;A case study by&lt;br /&gt;        Dr Gary Hinson CISSP CISM CISA MBA&lt;br /&gt;      Introduction&lt;/p&gt;              &lt;p&gt;This case study concerns an IT services company that decided to implement          ISO17799, the Code of Practice for Information Security Management, and          gained significant business advantages as a result. 
The case reveals some surprising linkages between information security management and general business management, and several indirect benefits that are seldom mentioned.&lt;br /&gt; &lt;br /&gt; &lt;strong&gt;Business situation&lt;/strong&gt;&lt;br /&gt;“ServiceCo” [not its real name] is a supplier of IT services, hardware and software to corporate clients. The company gained its ISO 9002 certificate nearly ten years ago, so staff were used to working in a consistent manner using documented quality procedures and guidelines. A couple of years ago, however, the atmosphere within the company had turned sour. Management decisions were mostly being made instinctively on “gut-feel” with little real analysis. With staff turnover increasing, senior management recognised the need to change and took a long hard look at the organization’s strengths and weaknesses. &lt;/p&gt; &lt;p&gt;ServiceCo management decided to implement ISO17799. According to a senior ServiceCo director, “Implementing ISO17799 made business sense. Securing ServiceCo’s internal information would reduce the risk and hence the cost of serious breaches. 
ISO17799 is a known security framework developed by some of the world's leading companies (BT, HSBC, Shell International and Unilever, amongst others), so it gave us the means to implement best practice security controls.”&lt;br /&gt; &lt;br /&gt; &lt;strong&gt;Benefits of implementing ISO17799&lt;/strong&gt;&lt;br /&gt;The director told us “ISO17799 is not just about information security or IT – it actually helps the organisation save and make money.” He identified the following business benefits of ISO17799:&lt;br /&gt; &lt;strong&gt;Direct benefits&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Increased reliability and security of systems:&lt;/strong&gt;&lt;br /&gt;“Like all businesses ServiceCo is reliant upon information systems. ISO17799 has ensured that we now have controls in place that maintain system availability and reduce the risk of vulnerabilities being exploited. Post-certification ‘surveillance visits’ and re-certification audits to ISO17799 ensure the business keeps up-to-date with the latest vulnerabilities and best practices.”&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Increased profits:&lt;/strong&gt;&lt;br /&gt;“Sales and margins are up, and clients’ perceptions of our business have improved. Our BS7799 Part 2 certificate demonstrates that we can be trusted to secure our customers’ data, as well as our own. Our customers not only understand that our investment in ISO17799 has given them benefits, but they are prepared to spend a little more for a secure IT infrastructure. Since gaining ISO17799, we have already seen a marked increase in our bottom line profit and some new customers are telling us they prefer to trade with companies who have a recognised security certification. 
Additionally, we are now seeing more Invitations To Tender from businesses that list ISO17799 compliance as a pre-requisite. And, by the way, our employees are wasting less time surfing the Internet for sites not related to work!”&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Cost-effective and consistent information security:&lt;/strong&gt;&lt;br /&gt;“We have implemented cost-effective security matched to our business needs. ServiceCo had many technical safeguards throughout the organisation, but the risk assessment highlighted that some of our safeguards offered little or no business benefit and would provide a better return on investment if they were reconfigured to protect assets that required a higher level of protection. All divisions and departments within ServiceCo had previously developed their own security guidelines. ISO17799 helped us develop a consistent approach to security by creating uniform policies incorporating industry best practice. Where necessary, employee compliance with the policies is supported by an enforceable disciplinary process.”&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Systems rationalisation:&lt;/strong&gt;&lt;br /&gt;“Analysing our information and information security requirements properly means we spend our money wisely. 
We were able to cut about 50% of our systems and data when we realised they were not worth keeping, and we actually relaxed controls on some low-risk systems.”&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Compliance with legislation:&lt;/strong&gt;&lt;br /&gt;“Implementing ISO17799 forced us to comply with UK legislation in areas such as data protection and software copyright.”&lt;br /&gt; &lt;strong&gt;Indirect benefits&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Improved management control:&lt;/strong&gt;&lt;br /&gt;“Managers have more control over the organisation, and better quality information with which to manage it - management effort is therefore reduced.”&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Better human relations:&lt;/strong&gt;&lt;br /&gt;“Clear policies, procedures and guidelines make things easier for our staff – the atmosphere has improved and staff turnover has reduced. ISO17799 has made ServiceCo different from our competitors and provided the company with a unique selling point, leading to a better working environment for all of our staff. Employees now recognise that their earning potential is dependent on how customers perceive the company brand and that any negative publicity could affect them. Professionalism has improved throughout the company. Given that so much of security relies on internal controls, we needed to look more carefully at who we were employing. Through ISO17799 we introduced more thorough recruitment processes that reduce the risk of employing people unsuitable to the position or who could potentially put our business at risk. 
We now know who is working for us!”&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Improved risk management and contingency planning:&lt;/strong&gt;&lt;br /&gt;“Through the ISO17799 certification process, ServiceCo identified its vulnerabilities, threats and potential impacts to the business. As a result of this and implementing controls from ISO17799, ServiceCo now has a more structured approach to risk management. For example, we now have a rational process to decide which risks to transfer to our insurers. We also now have a business continuity plan that suits the business, not just the IT department. The risk assessment identified information assets that are critical to the success of the business. This enabled us to produce a business continuity plan that prioritised these assets and reduces our potential exposure to financial loss or negative publicity.”&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Enhanced customer and trading partner confidence:&lt;/strong&gt;&lt;br /&gt;“With the heightened sensitivity to security breaches, trading partners, customers and vendors were looking for evidence of security. ISO17799 certification has provided this assurance. In any industry you have to stand out from your competitors. Being the first IT Value Added Reseller in the world to obtain ISO17799 is a bold statement that will always be unique to ServiceCo. Having the ISO17799 logos on our company literature is a continual reminder to potential and existing customers that we are a professionally-run organisation who take the confidentiality, integrity and availability of their and our information seriously.”&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Costs&lt;/strong&gt;&lt;br /&gt;“Despite what people say, the costs of implementing ISO17799 are very modest.
The main cost element was the pain of cultural change (we had to ‘let a couple of our people go’ for not complying with our policies and procedures). The regular compliance reviews to maintain our certification only cost us about £3k [$5k] p.a., so ISO17799 is very cost-effective. We are now talking to our assessors about combining the ISO17799 and ISO 9002 reviews to save time and money.”&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;For more information&lt;/strong&gt;&lt;br /&gt;To find out more about this case study or for help to assess the business value of ISO17799 to your organization, contact &lt;a href="http://www.isect.com/"&gt;IsecT Ltd&lt;/a&gt;. &lt;a href="mailto:info@isect.com"&gt;info@isect.com&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Source : &lt;span style="text-decoration: underline;"&gt;www.security.estec.com&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-3650068438960469828?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/3650068438960469828/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=3650068438960469828' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/3650068438960469828'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/3650068438960469828'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/10/business-case-for-iso-27001-iso-17799.html' title='A Business Case for ISO 27001 / ISO 17799 / BS 
7799'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-6050276649049404344</id><published>2007-10-02T02:11:00.000-07:00</published><updated>2007-10-02T02:17:49.193-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security policy'/><title type='text'>Sample ISMS Policies &amp; Guidelines Document</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Sample Policies Document&lt;/span&gt;&lt;br /&gt; ISMS Policy&lt;br /&gt; Giving Access to Files and Documents&lt;br /&gt; Retaining or Deleting Electronic Mail (Email)&lt;br /&gt; Securing Against Unauthorized Physical Access&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Sample Guidelines Document&lt;/span&gt;&lt;br /&gt; How to define ISMS scope&lt;br /&gt; BCM Guideline&lt;br /&gt; Online shopping&lt;br /&gt; Online banking&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;Download ISMS Policies &amp;amp; Guidelines Sample Document : &lt;a href="http://www.cybersecurity.org.my/en/knowledge_bank/best_practices/smbp/main/detail/639/index.html"&gt;www.cybersecurity.org.my&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-6050276649049404344?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/6050276649049404344/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=6050276649049404344' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6050276649049404344'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6050276649049404344'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/10/sample-isms-policies-guidelines.html' title='Sample ISMS Policies &amp; Guidelines Document'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-6182171122085841258</id><published>2007-10-02T01:56:00.000-07:00</published><updated>2007-10-02T02:08:23.171-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>ISMS Implementation Guide</title><content type='html'>&lt;span style="font-weight: bold;"&gt;By&lt;/span&gt; Vinod Kumar Puthuseeri&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Information Security Consultant&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Objective&lt;/span&gt;&lt;br /&gt;This paper can serve as a guideline for the implementation of ISMS practices using BS7799 / ISO 27001 standards. 
It is intended to give an insight to, and help, those who are implementing this for the first time and those who will be coordinating with external consultants on ISMS implementations in their organizations.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Scope&lt;/span&gt;&lt;br /&gt;This document will cover the requirements from an audit point of view, and methods and tips on implementing ISMS practices.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Standard&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;BS7799 / ISO 27001&lt;/span&gt;&lt;br /&gt;BS7799 is a British Standard that addresses Information Security in all areas including Physical Security. BS7799 was incorporated with some of the controls from ISO 9000 and the latest version is called ISO 27001.&lt;br /&gt;&lt;br /&gt;There are 11 chapters in the ISO 27001 version.&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: center;"&gt;&lt;span style="color: rgb(255, 0, 0);font-size:130%;" &gt;&lt;span style="font-weight: bold;"&gt;Table of Contents&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Objective&lt;br /&gt;Scope&lt;br /&gt;Standard&lt;br /&gt;&lt;/span&gt;- BS7799 / ISO 27001&lt;br /&gt;- The CIA triad&lt;br /&gt;- PDCA Model&lt;br /&gt;- Benefits&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Management&lt;br /&gt;&lt;/span&gt;- Management Commitment&lt;br /&gt;- Case Study&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Implementation Process&lt;br /&gt;&lt;/span&gt;- The team&lt;br /&gt;- Define the Scope&lt;br /&gt;- Risk Assessment&lt;br /&gt;   Asset Inventory&lt;br /&gt;   Asset Value&lt;br /&gt;   Risk Value&lt;br /&gt;   Business Impact Analysis (BIA)&lt;br /&gt;   Probability of Occurrence&lt;br /&gt;   Risk Assessment Tools&lt;br /&gt;   Why identify the risk value&lt;br /&gt;- Risk 
Management&lt;br /&gt;   Deciding Assets for Risk Mitigation&lt;br /&gt;   Different Methods of Handling Risks&lt;br /&gt;- Statement of Applicability (SOA)&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Business Continuity Plan &amp;amp; Disaster Recovery (BCP &amp;amp; DR)&lt;br /&gt;&lt;/span&gt;- Process&lt;br /&gt;- Business Impact Analysis&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Audit&lt;br /&gt;&lt;/span&gt;- Pre-Assessment Audit (Adequacy Audit)&lt;br /&gt;- Document Review&lt;br /&gt;- On Floor Audit&lt;br /&gt;- Internal Audit&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;    Desktop Audit&lt;br /&gt;    User Awareness Audit&lt;br /&gt;    Technical Audit&lt;br /&gt;    Social Engineering&lt;br /&gt;    Physical Security&lt;br /&gt;    Post Audit Check&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;User Awareness&lt;br /&gt;&lt;/span&gt;- Train the trainer approach&lt;br /&gt;- Without train the trainer approach&lt;br /&gt;- Training Materials&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Reference&lt;br /&gt;Declaration&lt;br /&gt;Disclaimer&lt;br /&gt;Copyright&lt;br /&gt;Contact&lt;br /&gt;GNU Free Documentation License&lt;br /&gt;&lt;br /&gt;Link : http://www.infosecwriters.com/text_resources/pdf/ISMS_VKumar.pdf&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-6182171122085841258?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/6182171122085841258/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=6182171122085841258' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6182171122085841258'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6182171122085841258'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/10/isms-implementation-guide.html' title='ISMS Implementation Guide'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-7077947868978181510</id><published>2007-09-25T21:38:00.000-07:00</published><updated>2008-12-09T15:46:42.386-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='Human resources security'/><category scheme='http://www.blogger.com/atom/ns#' term='Asset management'/><category scheme='http://www.blogger.com/atom/ns#' term='Physical Security'/><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 17799'/><category scheme='http://www.blogger.com/atom/ns#' term='Implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='Book'/><category scheme='http://www.blogger.com/atom/ns#' term='Security policy'/><title type='text'>Information Security : Design, Implementation, Measurement, and Compliance</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_f_y-UudDD60/RvnlDsvqQqI/AAAAAAAAAFc/4bHxpniR6WE/s1600-h/Information-Security-Design-Implementation-Measurement-and-Compliance.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: left; cursor: pointer;" 
src="http://4.bp.blogspot.com/_f_y-UudDD60/RvnlDsvqQqI/AAAAAAAAAFc/4bHxpniR6WE/s320/Information-Security-Design-Implementation-Measurement-and-Compliance.jpg" alt="" id="BLOGGER_PHOTO_ID_5114370703569339042" border="0" /&gt;&lt;/a&gt;&lt;a style="font-weight: bold;" href="http://www.amazon.com/gp/redirect.html?ie=UTF8&amp;amp;location=http%3A%2F%2Fwww.amazon.com%2FInformation-Security-Implementation-Measurement-Compliance%2Fdp%2F0849370876&amp;amp;tag=forfin-20&amp;amp;linkCode=ur2&amp;amp;camp=1789&amp;amp;creative=9325"&gt;ORDER THIS BOOK&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-weight: bold;"&gt;Author&lt;/span&gt; : Timothy P. Layton&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Product Details&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hardcover&lt;/span&gt; : 222 pages&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Publisher&lt;/span&gt; : AUERBACH; 1 edition (July 20, 2006)&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Language&lt;/span&gt; : English&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ISBN-10&lt;/span&gt; : 0849370876&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ISBN-13&lt;/span&gt; : 978-0849370878&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt; Table of Contents&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;EVALUATING AND MEASURING AN INFORMATION SECURITY PROGRAM&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;INFORMATION SECURITY RISK ASSESSMENT MODEL (ISRAM™)&lt;/span&gt;&lt;br /&gt;. Background&lt;br /&gt;. Linkage&lt;br /&gt;. Risk Assessment Types&lt;br /&gt;. Relationship to Other Models and Standards&lt;br /&gt;. Terminology&lt;br /&gt;. Risk Assessment Relationship&lt;br /&gt;. Information Security Risk Assessment Model (ISRAM)&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;GLOBAL INFORMATION SECURITY ASSESSMENT METHODOLOGY (GISAM™)&lt;/span&gt;&lt;br /&gt;. GISAM and ISRAM Relationship&lt;br /&gt;. 
GISAM Design Criteria&lt;br /&gt;. General Assessment Types&lt;br /&gt;. GISAM Components&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;DEVELOPING AN INFORMATION SECURITY EVALUATION (ISE™) PROCESS&lt;/span&gt;&lt;br /&gt;. The Culmination of ISRAM and GISAM&lt;br /&gt;. Business Process&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;A SECURITY BASELINE&lt;/span&gt;&lt;br /&gt;. KRI Security Baseline Controls&lt;br /&gt;. Security Baseline&lt;br /&gt;. Information Security Policy Document&lt;br /&gt;. Management Commitment to Information Security&lt;br /&gt;. Allocation of Information Security Responsibilities&lt;br /&gt;. Independent Review of Information Security&lt;br /&gt;. Identification of Risks Related to External Parties&lt;br /&gt;. Inventory of Assets&lt;br /&gt;. Classification Guidelines&lt;br /&gt;. Screening&lt;br /&gt;. Information Security Awareness, Education, and Training&lt;br /&gt;. Removal of Access Rights&lt;br /&gt;. Physical Security Perimeter&lt;br /&gt;. Protecting Against External and Environmental Threats&lt;br /&gt;. Secure Disposal or Reuse of Equipment&lt;br /&gt;. Documented Operating Procedures&lt;br /&gt;. Change Management&lt;br /&gt;. Segregation of Duties&lt;br /&gt;. System Acceptance&lt;br /&gt;. Controls against Malicious Code&lt;br /&gt;. Management of Removable Media&lt;br /&gt;. Information Handling Procedures&lt;br /&gt;. Physical Media in Transit&lt;br /&gt;. Electronic Commerce&lt;br /&gt;. Access Control Policy&lt;br /&gt;. User Registration&lt;br /&gt;. Segregation in Networks&lt;br /&gt;. Teleworking&lt;br /&gt;. Security Requirements Analysis and Specification&lt;br /&gt;. Policy on the Use of Cryptographic Controls&lt;br /&gt;. Protection of System Test Data&lt;br /&gt;. Control of Technical Vulnerabilities&lt;br /&gt;. Reporting Information Security Events&lt;br /&gt;. Including Information Security in the Business Continuity Process&lt;br /&gt;. 
Identification of Applicable Legislation&lt;br /&gt;. Data Protection and Privacy of Personal Information&lt;br /&gt;. Technical Compliance Checking&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;BACKGROUND OF THE ISO/IEC 17799 STANDARD&lt;/span&gt;&lt;br /&gt;. History of the Standard&lt;br /&gt;. Internals of the Standard&lt;br /&gt;. Guidance for Use&lt;br /&gt;. High-Level Objectives&lt;br /&gt;. ISO/IEC Defined&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ISO/IEC 17799:2005 GAP ANALYSIS&lt;/span&gt;&lt;br /&gt;. Overview&lt;br /&gt;. Guidance for Use&lt;br /&gt;. General Changes&lt;br /&gt;. Security Policy&lt;br /&gt;. Organization of Information Security&lt;br /&gt;. Asset Management&lt;br /&gt;. Human Resources Security&lt;br /&gt;. Physical and Environmental Security&lt;br /&gt;. Communications and Operations Management&lt;br /&gt;. Access Control&lt;br /&gt;. Information Systems Acquisition, Development, and Maintenance&lt;br /&gt;. Information Security Incident Management&lt;br /&gt;. Business Continuity Management&lt;br /&gt;. Compliance&lt;br /&gt;. References&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ANALYSIS OF ISO/IEC 17799:2005 (27002) CONTROLS&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;SECURITY POLICY&lt;/span&gt;&lt;br /&gt;. Information Security Policy&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ORGANIZATION OF INFORMATION SECURITY&lt;/span&gt;&lt;br /&gt;. Internal Organization&lt;br /&gt;. External Parties&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ASSET MANAGEMENT&lt;/span&gt;&lt;br /&gt;. Responsibility for Assets&lt;br /&gt;. Information Classification&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;HUMAN RESOURCES SECURITY&lt;/span&gt;&lt;br /&gt;. Prior to Employment&lt;br /&gt;. 
During Employment&lt;br /&gt;. Termination or Change of Employment&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;PHYSICAL AND ENVIRONMENTAL SECURITY&lt;/span&gt;&lt;br /&gt;. Secure Areas&lt;br /&gt;. Equipment Security&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;COMMUNICATIONS AND OPERATIONS MANAGEMENT&lt;/span&gt;&lt;br /&gt;. Operational Procedures and Responsibilities&lt;br /&gt;. Third-Party Service Delivery Management&lt;br /&gt;. System Planning and Acceptance&lt;br /&gt;. Protection against Malicious and Mobile Code&lt;br /&gt;. Backup&lt;br /&gt;. Network Security Management&lt;br /&gt;. Media Handling&lt;br /&gt;. Exchange of Information&lt;br /&gt;. Electronic Commerce Services&lt;br /&gt;. Monitoring&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ACCESS CONTROL&lt;/span&gt;&lt;br /&gt;. Business Requirements for Access Control&lt;br /&gt;. User Access Management&lt;br /&gt;. User Responsibilities&lt;br /&gt;. Network Access Control&lt;br /&gt;. Operating System Access Control&lt;br /&gt;. Application and Information Access Control&lt;br /&gt;. Mobile Computing and Teleworking&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE&lt;/span&gt;&lt;br /&gt;. Security Requirements of Information Systems&lt;br /&gt;. Correct Processing in Applications&lt;br /&gt;. Cryptographic Controls&lt;br /&gt;. Security of System Files&lt;br /&gt;. Security in Development and Support Processes&lt;br /&gt;. Technical Vulnerability Management&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;INFORMATION SECURITY INCIDENT MANAGEMENT&lt;/span&gt;&lt;br /&gt;. Reporting Information Security Events and Weaknesses&lt;br /&gt;. 
Management of Information Security Incidents and Improvements&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;BUSINESS CONTINUITY MANAGEMENT&lt;/span&gt;&lt;br /&gt;. Information Security Aspects of Business Continuity Management&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;COMPLIANCE&lt;/span&gt;&lt;br /&gt;. Compliance with Legal Requirements&lt;br /&gt;. Compliance with Security Policies and Standards, and Technical Compliance&lt;br /&gt;. Information Systems Audit Considerations&lt;br /&gt;. Summary&lt;br /&gt;. References&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;APPENDIX A: ISO STANDARDS CITED IN ISO/IEC 17799:2005&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;APPENDIX B: GENERAL REFERENCES&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;INDEX &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;-------------------------------------------------------------&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Editorial Reviews&lt;/span&gt;&lt;br /&gt;I have had the pleasure of working with Tim on several large risk assessment projects and I have tremendous respect for his knowledge and experience as an information security practitioner. … Risk assessment is the cornerstone of an effective information security program. … striving to achieve compliance in the absence of a risk-based security strategy can only lead to failure. … Implement an effective risk assessment program and take control of the compliance monster. … This book will help you do just that. I know you will benefit from Tim's guidance on how to get the most from your risk assessment efforts. 
For today's information security leaders, there is not a topic more important.&lt;br /&gt;-From the Foreword by Gary Geddes, CISSP, Strategic Security Advisor, Microsoft Corporation&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;-------------------------------------------------------------&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Book Description&lt;/span&gt;&lt;br /&gt;Organizations rely on digital information today more than ever before. Unfortunately, that information is equally sought after by criminals. New security standards and regulations are being implemented to deal with these threats, but they are very broad and organizations require focused guidance to adapt the guidelines to their specific needs. Fortunately, Information Security: Design, Implementation, Measurement, and Compliance outlines a complete roadmap to successful adaptation and implementation of a security program based on the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management. The book first describes a risk assessment model, a detailed risk assessment methodology, and an information security evaluation process. Upon this foundation, the author presents a proposed security baseline for all organizations, an executive summary of the ISO/IEC 17799 standard, and a gap analysis exposing the differences between the recently rescinded version and the newly released version of the standard. Finally, he devotes individual chapters to each of the 11 control areas defined in the standard, covering systematically the 133 controls within the 39 control objectives. 
Tim Layton's Information Security is a practical tool to help you understand the ISO/IEC 17799 standard and apply its principles within your organization's unique context.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;-------------------------------------------------------------&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-7077947868978181510?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/7077947868978181510/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=7077947868978181510' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7077947868978181510'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7077947868978181510'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/information-security-design.html' title='Information Security : Design, Implementation, Measurement, and Compliance'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_f_y-UudDD60/RvnlDsvqQqI/AAAAAAAAAFc/4bHxpniR6WE/s72-c/Information-Security-Design-Implementation-Measurement-and-Compliance.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-2670967046894677967</id><published>2007-09-25T21:16:00.000-07:00</published><updated>2007-09-25T21:28:48.457-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='Asset management'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 17799'/><category scheme='http://www.blogger.com/atom/ns#' term='E-Book'/><title type='text'>Information Security Ebook: Protecting Your Business Assets</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Type : Pdf File&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Pages : 11&lt;br /&gt;Source : &lt;a href="http://www.connectingsomerset.co.uk/"&gt;www.connectingsomerset.co.uk&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.connectingsomerset.co.uk/tips/for%20website%20owners/Information%20Security%20-%20protecting%20your%20business%20assets.pdf"&gt;Read This Ebook&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The information created, used, stored and transmitted by your organisation forms one of its most important assets. This document shows how you can use good practice to protect this information from being maliciously or unintentionally changed (&lt;span style="font-weight: bold;"&gt;integrity&lt;/span&gt;); make it available when and where needed (&lt;span style="font-weight: bold;"&gt;availability&lt;/span&gt;); and ensure that only those with a legitimate right can access it (&lt;span style="font-weight: bold;"&gt;confidentiality&lt;/span&gt;).&lt;br /&gt;&lt;br /&gt;This document should be regarded as a starting point for developing organisation-specific controls and guidance for the classification and protection of information assets. Not all the guidance provided in this document may be applicable to an organisation's specific needs. 
It is therefore important to understand the organisation's business requirements and to apply this guidance appropriately. The document provides general guidance only and, if fully implemented, can only reduce, not eliminate, your vulnerability.&lt;br /&gt;Organisations which regularly handle UK government protectively-marked information must continue to follow the procedures agreed with the appropriate UK security authorities. However, this guidance has been developed in conjunction with them, and similar security procedures can therefore be applied to commercial and protectively-marked information.&lt;br /&gt;Who this document is for: those responsible for initiating, implementing or maintaining information security in their organisation, as well as those who use and process their organisation's information.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;DEFINITIONS&lt;/span&gt;&lt;br /&gt;For the purposes of this booklet the following definitions apply:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;- Information Security&lt;/span&gt;&lt;br /&gt;Information security involves the preservation of&lt;span style="font-weight: bold;"&gt; confidentiality&lt;/span&gt;, &lt;span style="font-weight: bold;"&gt;integrity&lt;/span&gt; and &lt;span style="font-weight: bold;"&gt;availability&lt;/span&gt; of information (reference ISO/IEC 17799:2000).&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;- Risk assessment&lt;/span&gt;&lt;br /&gt;Risk assessment is the overall process of risk identification, risk analysis and risk evaluation (ISO Guide 73:2002).&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;- Risk management&lt;/span&gt;&lt;br /&gt;Risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication (exchange or sharing of information about risk between the decision-maker and other stakeholders) (ISO Guide 73:2002).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/2884621962778620374-2670967046894677967?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/2670967046894677967/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=2670967046894677967' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2670967046894677967'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2670967046894677967'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/information-security-ebook-protecting.html' title='Information Security Ebook: Protecting Your Business Assets'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-8320668290520737529</id><published>2007-09-25T01:49:00.000-07:00</published><updated>2007-09-25T01:58:51.899-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='BS7799:2'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO Audit'/><title type='text'>The CB Audit process</title><content type='html'>In order to become a certified organization, you need to start correctly at the beginning and determine which CB (certification body) you are going to engage to provide BS 7799 Certification services.&lt;br /&gt;If you have any other certifications in the organization, it makes sense to use the same CB for BS 7799 (assuming that they are Accredited to provide BS 7799 Certification services). 
This is called integrated auditing and allows the number of days to be spent by the CB on site to be reduced as they use the same auditor to audit more than one standard.&lt;br /&gt;In my case, I have the same auditor do ISO 9001 and BS 7799 as he is dual qualified and it saves me at least an audit day per year. Additionally I have only one visit so my routine is not disturbed twice.&lt;br /&gt;If you have no existing certificates, then make a list of all of the CBs that are available, ring each of them and get some idea of costs and services, and then ask them to send you the relevant forms to fill in.&lt;br /&gt;The actual Certification process is a six-step one:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;*** Note: Not all CBs follow this process exactly – when investigating them determine the discrepancies from this generic approach and ensure that you are happy with them.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Step 1 - Questionnaire&lt;/span&gt;&lt;br /&gt;Typically the chosen CBs will send out a questionnaire for you to fill in. The certification process starts when you complete a questionnaire giving details of your requirements. This provides the CB with the information needed to send you a quotation.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Step 2 - Application for Assessment&lt;/span&gt;&lt;br /&gt;If you decide to proceed with certification with the chosen CB, then an application form must be filled in. Once this has been done it is returned to the CB. On receipt, an initial visit by a BS 7799 Auditor is arranged.&lt;br /&gt;&lt;br /&gt;An initial visit allows you to meet the Auditor who will assess the ISMS for BS 7799 certification. The Auditor will explain the assessment process and carry out a review of the existing documented management system. 
An assessment date and an audit programme will be agreed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Step 3 - Stage 0 Audit (also called a ‘Pre-assessment Visit’ or a ‘Gap Analysis’)&lt;/span&gt;&lt;br /&gt;This is an optional stage, but if you can afford it, I always recommend it.&lt;br /&gt;You should do this after you have implemented the Information Security Management System (ISMS) and developed the Statement of Applicability (SoA), and may have some controls in place and documented and may have some records available.&lt;br /&gt;If you are doing this in-house, it is a way of demonstrating to your management that you are on track and doing the job correctly and that your management can have confidence in that.&lt;br /&gt;It also can show management where they fail as well, as non-conformances are written up as part of the audit.&lt;br /&gt;Typical management failures that I see at this stage are usually lack of management commitment (5.1), inadequate resource management (5.2) or any other management type failure.&lt;br /&gt;If you are using consultants, more or less the same applies, and passing this audit can be a useful pay point in their remuneration cycle or indicate the need to get a different consultancy!&lt;br /&gt;Whilst this audit cannot be relied on to support a Stage 1 or 2 CB Audit, it would be difficult for an Auditor to later find major non-conformances in the ISMS unless something dramatic had occurred in the organization to warrant this.&lt;br /&gt;&lt;br /&gt;This step provides a sanity check.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Step 4 – the Stage 1 Audit&lt;/span&gt; (otherwise called a ‘Document Review’)&lt;br /&gt;This is the first part of the audit proper.&lt;br /&gt;&lt;br /&gt;This stage looks to see if the SoA has been implemented by selection of controls and documenting all the policies and procedures that surround their use. 
The auditor will also look to see that there is evidence of records being collected for implemented controls, though the full audit for this is the Stage 2 Audit. At this time the auditor will also plan the Stage 2 audit.&lt;br /&gt;&lt;br /&gt;Typically, the auditor reviews the documented ISMS – looking at:&lt;br /&gt;- Policy&lt;br /&gt;- Scope&lt;br /&gt;- Asset Registers&lt;br /&gt;- Roles and Responsibilities&lt;br /&gt;- Risk process/treatment and acceptance&lt;br /&gt;- SoA&lt;br /&gt;- Documented processes and procedures supporting the ISMS&lt;br /&gt;- Compliance, contractual and other regulatory issues.&lt;br /&gt;If there are any audit failures, i.e. non-conformances, then they will be written up on the Corrective Action Plan (CAP). It is then up to you, the client, to document how you are going to address these and return to the CB for agreement.&lt;br /&gt;&lt;br /&gt;Typically, you have 20 days to respond to the raising of a CAP, and once agreed, 3 months to address issues raised on a CAP.&lt;br /&gt;&lt;br /&gt;Failure to either respond or carry out the agreed work in the time limit can prejudice the granting (retaining) of a certificate. When the next audit occurs, the CAPs are the first items reviewed to ensure that they have been suitably addressed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Step 5 - Stage 2 Audit &lt;/span&gt;(otherwise called the ‘Compliance Audit’)&lt;br /&gt;During the Stage 2 Audit, an objective assessment of the organizational procedures and practice will be carried out against the documented ISMS (reviewed in the Stage 1 Audit).&lt;br /&gt;&lt;br /&gt;The Auditor will be looking for records (i.e. 
proof) that the ISMS is operated as the documented ISMS says it should be.&lt;br /&gt;&lt;br /&gt;On completion of the assessment the Auditor will present the findings of the assessment in a written report to you and CAPs will be raised if appropriate.&lt;br /&gt;&lt;br /&gt;Following a successful Stage 2 Audit and the decision to grant registration, a certificate of registration is awarded and the organization is permitted to use the CB Certification Mark and the relevant BS 7799 certification mark.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Step 6 – Ongoing audits&lt;/span&gt;&lt;br /&gt;A program of regular surveillance visits is agreed with you to verify that the requirements of the BS 7799 standard continue to be met, and again CAPs will be raised if appropriate.&lt;br /&gt;&lt;br /&gt;There are two types of ongoing audits, each of which is covered in turn below:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Surveillance Audit&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;A programme of ‘surveillance audits’ is undertaken over a three-year cycle to ensure that the ISMS is working properly. 
This is performed in addition to the internal audits and ongoing monitoring and management that you perform internally (4.2, 4.2.4, 6.2, 6.3, 6.4, 7.2, 7.3, A.4.1.7, A.12.2.1, A.12.2.2 to name just some of the requirements you must meet on an ongoing basis).&lt;br /&gt;&lt;br /&gt;The actual frequency of these will vary with the CB, but typically the following will occur:&lt;br /&gt;&lt;br /&gt;- Surveillance audits are carried out regularly (either annually, 9 monthly or 6 monthly);&lt;br /&gt;&lt;br /&gt;- The first one is usually 3 months after the Stage 2 Audit to check for any CAPs outstanding since that audit;&lt;br /&gt;&lt;br /&gt;- At every audit any outstanding CAPs are audited for completeness;&lt;br /&gt;&lt;br /&gt;- Audit all mandatory requirements;&lt;br /&gt;&lt;br /&gt;- Audit a representative sample of all other controls (so that all controls in the ISMS are reviewed in the surveillance cycle).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Triennial Audits&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;The Triennial audit, as the name suggests, is carried out every three years.&lt;br /&gt;This audit is similar to the original Stage 2 or Certification Audit, but it should take less time as the CB Auditor now knows your systems, unless a scope or other change has occurred.&lt;br /&gt;All controls are evaluated to ensure that the ISMS is operating properly and, assuming it is, your certificate is renewed for another 3 years.&lt;br /&gt;If not, CAPs are raised and you have to address them.&lt;br /&gt;&lt;br /&gt;The three-year surveillance audit process starts all over again.&lt;br /&gt;&lt;br /&gt;Back to : &lt;a href="http://isms-guide.blogspot.com/2007/09/how-does-bs7799-iso-27001-certification.html"&gt;How does the BS7799 / ISO 27001 certification audit process actually work?&lt;/a&gt;&lt;br /&gt;Source : &lt;a 
href="http://17799-news.the-hamster.com/interviews/interview4-audit.htm"&gt;http://17799-news.the-hamster.com/interviews/interview4-audit.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-8320668290520737529?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/8320668290520737529/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=8320668290520737529' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8320668290520737529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8320668290520737529'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/cb-audit-process.html' title='The CB Audit process'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-5382162892222055416</id><published>2007-09-25T01:46:00.000-07:00</published><updated>2007-09-25T01:59:43.126-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='BS7799:2'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='Book'/><title type='text'>What Documents can I read to help me prepare for BS7799?</title><content type='html'>There are a number of documents that are available, in addition to the BS 7799 and ISO17799 standards themselves, and these 
include:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;From BSI&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;- Information Security Management: An Introduction (PD 3000);&lt;br /&gt;- Preparing for BS 7799 Certification (PD 3001);&lt;br /&gt;- Guide to BS 7799 Risk Assessment and Risk Management (PD 3002);&lt;br /&gt;- Are you ready for a BS 7799 Audit? (PD 3003);&lt;br /&gt;- Guide to BS7799 Auditing (PD 3004);&lt;br /&gt;- Guide on the Selection of BS 7799 Controls (PD 3005).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Other publishers&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;- ISO Guide 62 – General Requirements for Bodies Operating Assessment / Registration of Quality Systems (to merge with ISO Guide 66 to become ISO 17021);&lt;br /&gt;- EA-7/03 – Guidelines for the Accreditation of Bodies Operating Certification/ Registration of Information Security Management Systems;&lt;br /&gt;- ISO 19011 – Guidelines for Quality and / or Environmental Management Systems Auditing.&lt;br /&gt;&lt;br /&gt;A number of books have been published on the BS 7799 process; a check of the local IT bookshop or Amazon should provide numerous titles from which to choose.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The types of Audit that may be undertaken in an organization&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;There are a number of audits that may be undertaken in an organisation, and these include:&lt;br /&gt;&lt;br /&gt;- First Party (Internal Audit) – Within an organisation, internal review etc;&lt;br /&gt;&lt;br /&gt;- Second Party (Supplier Audit) – Of a supplier or contractor;&lt;br /&gt;&lt;br /&gt;- Third Party Audit – By a CB.&lt;br /&gt;&lt;br /&gt;Back to : &lt;a href="http://isms-guide.blogspot.com/2007/09/how-does-bs7799-iso-27001-certification.html"&gt;How does the BS7799 / ISO 27001 certification audit process actually work?&lt;/a&gt;&lt;br /&gt;Source : &lt;a 
href="http://17799-news.the-hamster.com/interviews/interview4-audit.htm"&gt;http://17799-news.the-hamster.com/interviews/interview4-audit.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-5382162892222055416?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/5382162892222055416/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=5382162892222055416' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5382162892222055416'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5382162892222055416'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/what-documents-can-i-read-to-help-me.html' title='What Documents can I read to help me prepare for BS7799?'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-7290654312060984519</id><published>2007-09-25T01:40:00.000-07:00</published><updated>2007-09-25T02:00:17.547-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='BS7799:2'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO Audit'/><title type='text'>What is a CB Audit, and why should I undergo one?</title><content type='html'>Auditing by a third party (an Accredited CB) is an assurance of an acceptable and risk based level of information security being 
implemented that is regularly reviewed.&lt;br /&gt;There are a number of reasons to obtain certification; these include:&lt;br /&gt;- Organizational assurance;&lt;br /&gt;- Service provider assurance;&lt;br /&gt;- Business trading partner assurance;&lt;br /&gt;- Demonstrable and effective way of showing appropriate information security in place;&lt;br /&gt;- Competitive advantage;&lt;br /&gt;- Reduce trade barriers – international acceptance;&lt;br /&gt;- Reduce costs of regulation, corporate governance etc.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;So who can do this Certification?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The only body that can carry out this certification is a CB that has been Accredited by the ‘national accreditation service’ (in the UK this is the United Kingdom Accreditation Service – &lt;span style="font-weight: bold;"&gt;UKAS&lt;/span&gt;).&lt;br /&gt;&lt;br /&gt;This ensures that CBs meet national and international standards for the services they are offering. This is typically EA-7/03, which is the ‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’. 
EA-7/03 can be found at &lt;a href="http://www.european-accreditation.org/Docs/0002_Application/0005_Application%20documents%20for%20Certification%20of%20Management%20System/00300_EA-7-03.pdf"&gt;http://www.european-accreditation.org/Docs/0002_Application/0005_Application%20documents%20for%20Certification%20of%20Management%20System/00300_EA-7-03.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This harmonises the use of Guide 62 for ISMSs and was approved by the European Co-operation for Accreditation (EA) in Nov 1999.&lt;br /&gt;&lt;br /&gt;Guide 62 is the ‘General requirements for bodies operating assessment and certification / registration of quality systems’.&lt;br /&gt;A CB uses auditors who are totally independent of the organization being audited.&lt;br /&gt;The CB is regularly audited by the National Accreditation Service to ensure that the CB processes are appropriate and correct. This means that all work is to the standard required by EA-7/03 and allows ‘mutual recognition’ between the National Accreditation Services.&lt;br /&gt;&lt;img src="http://17799-news.the-hamster.com/interviews/wpe1.gif" shapes="_x0000_i1025" border="0" height="336" width="474" /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;So am I certified against BS 7799 Part 2 (2002) or ISO 17799 (2000)?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Certification is carried out against (currently) BS 7799 Part 2 (2002). 
This contains the requirements for the ISMS in terms of the PDCA (Plan, Do, Check, Act or Deming Cycle) and the old Annex A (Updated) from BS 7799 Part 1 (1995).&lt;br /&gt;&lt;br /&gt;BS 7799 Part 2 (2002) is a Specification.&lt;br /&gt;&lt;br /&gt;ISO 17799 is a Code of Practice.&lt;br /&gt;&lt;br /&gt;Back To : &lt;a href="http://isms-guide.blogspot.com/2007/09/how-does-bs7799-iso-27001-certification.html"&gt;How does the BS7799 / ISO 27001 certification audit process actually work?&lt;/a&gt;&lt;br /&gt;Source : &lt;a href="http://17799-news.the-hamster.com/interviews/interview4-audit.htm"&gt;http://17799-news.the-hamster.com/interviews/interview4-audit.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-7290654312060984519?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/7290654312060984519/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=7290654312060984519' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7290654312060984519'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7290654312060984519'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/what-is-cb-audit-and-why-should-i.html' title='What is a CB Audit, and why should I undergo one?'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-7786507072280761598</id><published>2007-09-25T00:46:00.000-07:00</published><updated>2007-09-25T01:58:07.527-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='BS7799:2'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>How does the BS7799 / ISO 27001 certification audit process actually work?</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Before the audit:&lt;/span&gt;&lt;br /&gt;The greatest mistake that organizations ever make is that they are not properly prepared for an audit. Many organizations that want to undergo a certification audit fail at the first stage because they have not properly prepared for it.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Some examples I have encountered are below:&lt;/span&gt;&lt;br /&gt;A classic case of this was the organization that desk-dropped their approved information security policy on all staff desks on the weekend before our audit started on the Monday. Somehow the words ‘published and communicated, as appropriate, to all employees’ (A.3.1.1.) did not spring to mind.&lt;br /&gt;&lt;br /&gt;Likewise failure to perform a risk assessment would not give the auditor a warm and comforting feeling of a risk assessment being carried out on the ‘assets within the scope’ (4.2.1).&lt;br /&gt;&lt;br /&gt;Any organization that cannot demonstrate that the ISMS works by undertaking internal ISMS audits (6.4) will not be looked upon favourably for passing a certification audit.&lt;br /&gt;&lt;br /&gt;Another major failure at the outset of the certification or implementation project is the failure to have demonstrable management commitment. This means something more than saying ‘yes – go do it’ by the CEO or MD. 
There needs to be management commitment to the process as well as ring fencing resources. (5.1 and 5.2).&lt;br /&gt;&lt;br /&gt;&lt;a href="http://isms-guide.blogspot.com/2007/09/what-is-cb-audit-and-why-should-i.html"&gt;What is a CB Audit&lt;/a&gt;&lt;br /&gt;&lt;a href="http://isms-guide.blogspot.com/2007/09/what-documents-can-i-read-to-help-me.html"&gt;What Documents can I read to help me prepare for BS7799?&lt;/a&gt;&lt;br /&gt;&lt;a href="http://isms-guide.blogspot.com/2007/09/cb-audit-process.html"&gt;The CB Audit process&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Source : &lt;a href="http://17799-news.the-hamster.com/interviews/interview4-audit.htm"&gt;http://17799-news.the-hamster.com/interviews/interview4-audit.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-7786507072280761598?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/7786507072280761598/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=7786507072280761598' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7786507072280761598'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7786507072280761598'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/how-does-bs7799-iso-27001-certification.html' title='How does the BS7799 / ISO 27001 certification audit process actually work?'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-5431202864347837314</id><published>2007-09-23T23:26:00.000-07:00</published><updated>2008-12-09T15:46:42.598-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISO 17799'/><category scheme='http://www.blogger.com/atom/ns#' term='BS7799:2'/><category scheme='http://www.blogger.com/atom/ns#' term='PDCA Cycle'/><category scheme='http://www.blogger.com/atom/ns#' term='Certification'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO Audit'/><title type='text'>BS 7799 Certification</title><content type='html'>In the Information Security Space we believe that people are the strongest and weakest link in the attempt to secure one's IT resources. Security professionals are responsible for making and breaking the best security systems developed to date.   &lt;p align="justify"&gt;The best method to validate one's attempt to provide effective Information Security Management is to first benchmark it against the BS 7799 Standard and then have it certified through an external vendor. &lt;/p&gt;  &lt;p align="justify"&gt;In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management. 
&lt;/p&gt;  &lt;p align="justify"&gt;In this final session we attempt to understand the structure and steps involved in certification for BS7799.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;A quick recap&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;Before we go into the details of acquiring certification we need to go back and look at what constitutes the standard and what a company will be certified for:&lt;/p&gt;  &lt;p align="justify"&gt;ISO/IEC 17799:2000 (Part 1) is the standard code of practice, which can be regarded as a comprehensive catalogue of "the best things to do in Information Security".&lt;/p&gt;  &lt;p align="justify"&gt;BS7799-2:1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements. &lt;/p&gt;  &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;Please note that certification is against BS7799-2:1999.&lt;/i&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p align="justify"&gt;In order to be awarded a certificate, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a &lt;i&gt;Certification Body&lt;/i&gt; (such as Det Norske Veritas and BSI Assessment Services Limited).&lt;/p&gt;  &lt;p align="justify"&gt;The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. 
Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.&lt;/p&gt;  &lt;p align="justify"&gt;The assessor will return periodically to check that your ISMS is working as intended.&lt;/p&gt;    &lt;p align="justify"&gt; &lt;b&gt;Domains on which one would be assessed:&lt;/b&gt;&lt;/p&gt;  &lt;p align="justify"&gt;As discussed in the earlier sessions the company needs to prepare its policies and procedures, which would cover the following domains:&lt;/p&gt; &lt;p style="font-weight: bold;" align="justify"&gt;&lt;span style="font-size:78%;"&gt;•&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Security policy&lt;/span&gt;&lt;/p&gt; &lt;p style="font-weight: bold;" align="justify"&gt;&lt;span style="font-size:78%;"&gt;•&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Security organisation&lt;/span&gt;&lt;/p&gt; &lt;p style="font-weight: bold;" align="justify"&gt;&lt;span style="font-size:78%;"&gt;•&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Asset classification and control&lt;/span&gt;&lt;/p&gt; &lt;p style="font-weight: bold;" align="justify"&gt;&lt;span style="font-size:78%;"&gt;•&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Personnel security&lt;/span&gt;&lt;/p&gt; &lt;p style="font-weight: bold;" align="justify"&gt;&lt;span style="font-size:78%;"&gt;•&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Physical and environmental security&lt;/span&gt;&lt;/p&gt; &lt;p style="font-weight: bold;" align="justify"&gt;&lt;span style="font-size:78%;"&gt;•&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Communications and operations management&lt;/span&gt;&lt;/p&gt; &lt;p style="font-weight: bold;" align="justify"&gt;&lt;span style="font-size:78%;"&gt;•&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Access control&lt;/span&gt;&lt;/p&gt; &lt;p style="font-weight: bold;" align="justify"&gt;&lt;span style="font-size:78%;"&gt;•&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Systems development and maintenance&lt;/span&gt;&lt;/p&gt; &lt;p style="font-weight: bold;" align="justify"&gt;&lt;span style="font-size:78%;"&gt;•&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Business continuity management&lt;/span&gt;&lt;/p&gt; &lt;p style="font-weight: bold;" align="justify"&gt;&lt;span style="font-size:78%;"&gt;•&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Compliance&lt;/span&gt;&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Statement of applicability&lt;/p&gt; &lt;/b&gt;&lt;p align="justify"&gt;BS 7799 requires a company to identify the processes and controls that it actually operates. If, for example, the company does not need to outsource any of its functions to any external vendor, it can state that 4.2.3.1 (Security Requirements in outsourcing contracts) is not relevant to that particular organisation.&lt;/p&gt; &lt;p align="justify"&gt;You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant. 
&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Preparing oneself for Certification:&lt;/p&gt;  &lt;/b&gt;&lt;p align="justify"&gt;The traditional formula of &lt;b&gt;PLAN, DO, CHECK and ACT&lt;/b&gt; (PDCA CYCLE) works well with BS 7799 too, and this is a good place to either start or review the progress of the implementation team.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;&lt;a href="http://3.bp.blogspot.com/_f_y-UudDD60/RvdZreT4lDI/AAAAAAAAAFM/vw7AmJzRQB0/s1600-h/PDCA-CYCLE.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_f_y-UudDD60/RvdZreT4lDI/AAAAAAAAAFM/vw7AmJzRQB0/s320/PDCA-CYCLE.png" alt="PDCA cycle" id="BLOGGER_PHOTO_ID_5113654505308197938" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p align="justify"&gt;Plan &lt;/p&gt; &lt;/b&gt;&lt;p align="justify"&gt;While planning one has to be particularly careful of the business context in which the ISMS is being prepared, which would include defining business policy and objectives, estimating the scope of the ISMS, deciding on and collecting resources for conducting risk assessment, and a definitive approach to identifying, analysing and evaluating risks on a continuous basis.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Do&lt;/p&gt;  &lt;/b&gt;&lt;p align="justify"&gt;While implementing the ISMS the focus should always be to build a long-running and faultless mechanism for managing risk. This would include evaluating the options of automated or manual systems. The ideal method is to strike a balance between the two. BS7799 controls need to be addressed, as our ultimate objective is to acquire certification. &lt;/p&gt; &lt;p align="justify"&gt;Deploy qualified and tested vendors to implement the various products and solutions that would be required. 
Preparation of the statement of applicability is also an important step where the management plays an important role.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Check &lt;/p&gt;  &lt;/b&gt;&lt;p align="justify"&gt;Here is where one has to get an external security audit team qualified to perform a third-party security audit for BS7799. Certification companies like Det Norske Veritas can also help in finding qualified BS7799 consultants for companies interested in performing a pre-assessment audit.&lt;/p&gt; &lt;p align="justify"&gt;The audit team would check for appropriate controls and evidence of implementation.&lt;/p&gt; &lt;p align="justify"&gt;For example: if a company has prepared a policy for Contractual Agreements, the company would have to submit the templates and documents where third-party contractors have signed documents for security.&lt;/p&gt;  &lt;p align="justify"&gt;Implementation would also include continuous monitoring of the ISMS from the perspective of satisfying business needs first and its practical validity in the organisation.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;Act&lt;/p&gt;  &lt;/b&gt;&lt;p align="justify"&gt;After checking for flaws and vulnerabilities the company needs to improve the ISMS by identifying key vulnerabilities and taking appropriate corrective actions.&lt;/p&gt; &lt;p align="justify"&gt;Preventive actions for unseen but predictable incidents can be taken, and policies to drive them into action can be framed at an appropriate time.&lt;/p&gt;  &lt;p align="justify"&gt;Communication and delivery of policies to IT users and the IT team should be done with ease and determination. Cultural changes and differences which arise should be tackled with justification and transparency. 
Management, partners and users should be trained on the policies and procedures.&lt;/p&gt;  &lt;p align="justify"&gt;Creative techniques such as posters that clearly state the rules, for example on PC usage and on good practice in choosing and maintaining passwords, can go a long way towards making the policies and procedures succeed.&lt;/p&gt; &lt;b&gt;&lt;p align="justify"&gt;The 4 Step method of Certification&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;The Plan, Do, Check and Act framework is cyclic: it has to be repeated continuously over the long run, with the solid backing of management.&lt;/p&gt;  &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;We now come to the specifics of the certification process.&lt;/i&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p align="justify"&gt;&lt;b&gt;&lt;i&gt;&lt;u&gt;Step One&lt;/u&gt;&lt;/i&gt;&lt;/b&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;b&gt;Desktop Review:&lt;/b&gt;&lt;/p&gt;  &lt;p align="justify"&gt;All documented policies and procedures are verified and checked for consistency and practicality. 
The corresponding templates and forms are presented to the audit team.&lt;/p&gt; &lt;p align="justify"&gt;One important check on the documentation is its validity and its relevance to the BS7799 controls.&lt;/p&gt;  &lt;p align="justify"&gt;The following documents need to be presented:&lt;/p&gt; &lt;p align="justify"&gt;the ISMS documentation, policies, IT environment documentation, risk assessment reports, business continuity planning documentation and the Statement of Applicability.&lt;/p&gt;  &lt;i&gt;&lt;u&gt;&lt;b&gt;&lt;p align="justify"&gt;Step Two&lt;/p&gt;&lt;/b&gt; &lt;/u&gt;&lt;/i&gt;&lt;b&gt; &lt;p align="justify"&gt;Technical Review&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;The definition and implementation of the security architecture, with its various products and networking components, is checked for vulnerabilities and possible risk exposure.&lt;/p&gt; &lt;p align="justify"&gt;The company also needs to submit a ‘permissible risk’ statement: this is the level of risk which the company is prepared to accept. 
&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;&lt;i&gt;&lt;u&gt;Step Three&lt;/u&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p align="justify"&gt;Internal Audit&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;The team of BS7799 implementers and BS7799 professionals carries out an initial internal audit in which non-conformances are picked up and recommendations are documented.&lt;/p&gt; &lt;p align="justify"&gt;This step simulates the real third-party audit and has to be taken seriously both by the team and by the IT users in the company.&lt;/p&gt;  &lt;b&gt;&lt;p align="justify"&gt;&lt;i&gt;&lt;u&gt;Step Four&lt;/u&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p align="justify"&gt;External Audit - Certification&lt;/p&gt; &lt;/b&gt;&lt;p align="justify"&gt;The certification body's visit is arranged in advance, and the company prepares to face the external auditors.&lt;/p&gt; &lt;p align="justify"&gt;The company's consultants and internal team are not allowed to be part of the audit team, although they may assist the auditors in finding relevant material.&lt;/p&gt; &lt;p align="justify"&gt;The auditors examine the documentation and look for objective evidence, asking:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Are records correct and relevant?&lt;/li&gt;&lt;li&gt;Are policies known and tested?&lt;/li&gt;&lt;li&gt;Are policies communicated?&lt;/li&gt;&lt;li&gt;Are controls implemented?&lt;/li&gt;&lt;li&gt;Are policies followed up?&lt;/li&gt;&lt;li&gt;Are preventive actions taken?&lt;/li&gt;&lt;/ul&gt;   &lt;p align="justify"&gt;The auditor then evaluates the quality of the risk assessment and the level of security claimed by the company.&lt;/p&gt; &lt;b&gt;&lt;p align="justify"&gt;Conclusion&lt;/p&gt; &lt;/b&gt; &lt;p align="justify"&gt;If the audit is successful, the certification body recommends the company for BS7799 certification. 
This is a victory for the IT team: certification gives assurance that the company's security management meets a recognised standard and that the likelihood of a security incident has been reduced, although no certificate can eliminate it.&lt;/p&gt; &lt;p align="justify"&gt;To summarise the series: BS7799 is a culture one has to build in the company, and it will help to:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Heighten security awareness within the organisation&lt;/li&gt;&lt;li&gt;Identify critical assets via the business risk assessment&lt;/li&gt;&lt;li&gt;Provide a structure for continuous improvement&lt;/li&gt;&lt;li&gt;Be a confidence factor internally as well as externally&lt;/li&gt;&lt;li&gt;Raise the understanding and the perceived importance of security-related issues at management level&lt;/li&gt;&lt;li&gt;Ensure that "knowledge capital" is "stored" in a business management system&lt;/li&gt;&lt;li&gt;Enable future demands from clients, stockholders and partners to be met&lt;/li&gt;&lt;/ul&gt;  &lt;span style="font-family:Arial Unicode MS;"&gt; &lt;p align="justify"&gt;Recommended Reading&lt;/p&gt; &lt;/span&gt;  &lt;ul&gt;&lt;li&gt;Information Security Management: An introduction (PD3000)&lt;/li&gt;&lt;li&gt;Preparing for BS7799 Certification (PD3001)&lt;/li&gt;&lt;li&gt;The Guide to BS7799 Risk Assessment and Risk Management (PD3002)&lt;/li&gt;&lt;li&gt;Are you Ready for a BS7799 Audit? 
(PD3003)&lt;/li&gt;&lt;li&gt;Guide to BS7799 Auditing (PD3004)&lt;/li&gt;&lt;li&gt;Guide on selection of BS 7799 controls (PD3005)&lt;/li&gt;&lt;li&gt;BS7799 : Part 1: 1999 Code of Practice for information security management&lt;/li&gt;&lt;li&gt;BS7799 : Part 2: 1999 Specification for information security management systems&lt;/li&gt;&lt;li&gt;EA Guidelines 7/03&lt;/li&gt;&lt;/ul&gt; &lt;p align="justify"&gt;BS7799 Interpretation Guide (Free Download): www.dnv.com&lt;/p&gt; &lt;p&gt;Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organisation comprises over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.&lt;/p&gt;  &lt;p&gt;DNV started operations in India in 1972 and has established itself as a leading classification society. Since then it has provided classification, certification, consultancy and verification services for the marine, offshore and land-based process industries, in both the public and private sectors.&lt;/p&gt; &lt;p&gt;DNV is accredited in 21 countries for the certification of quality management systems and in 14 countries for environmental management systems, and is a leading certification body in India for both quality and environmental management system certification, having issued over 2,500 certificates under the ISO 9000 standards and over 250 under the ISO 14000 standards. 
In India, DNV is also involved in TickIT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS and SA 8000 systems certification and in CE marking.&lt;/p&gt; &lt;p&gt;Key advisory services include risk and reliability assessment and loss control management. DNV is recognised by the Chief Controller of Explosives both as an Inspection Authority and as a Competent Person, and is approved under the Indian Boiler Regulations (IBR) as a Competent Inspection Authority in 22 countries worldwide.&lt;/p&gt;&lt;p&gt;For comments and questions on this paper please write to: &lt;a href="mailto:bmukund@yahoo.com"&gt;bmukund@yahoo.com&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Source : http://www.computersecuritynow.com/7799part3.htm&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/5431202864347837314/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=5431202864347837314' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5431202864347837314'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5431202864347837314'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/bs-7799-certification.html' title='BS 7799 Certification'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_f_y-UudDD60/RvdZreT4lDI/AAAAAAAAAFM/vw7AmJzRQB0/s72-c/PDCA-CYCLE.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-392671193497079087</id><published>2007-09-23T22:57:00.000-07:00</published><updated>2007-09-23T23:05:14.364-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Human resources security'/><category scheme='http://www.blogger.com/atom/ns#' term='Physical Security'/><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 17799'/><category scheme='http://www.blogger.com/atom/ns#' term='Data Assets'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='Security policy'/><title type='text'>Information Security Principles (ISO/IEC 17799)</title><content type='html'>&lt;span style="font-weight: bold;"&gt; Security policy&lt;/span&gt;&lt;br /&gt;- An Information Security Policy document will be available to all staff and students&lt;br /&gt;- Senior management shall set a clear direction and demonstrate support for, and commitment to, information security across the University&lt;br /&gt;- Information systems owners will be responsible for ensuring the design, operation and use of IT systems comply with Information Security Policies&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Security organization&lt;/span&gt;&lt;br /&gt;- Responsibility for governing and managing security of information rests with the executive management of the University&lt;br /&gt;- A management framework will be established to initiate and control the implementation of information security within the University&lt;br /&gt;- Information security governance must fit into and support the IT governance framework&lt;br /&gt;- Responsibilities for the protection of 
individual assets, and for carrying out specific information security processes, rest with information systems owners&lt;br /&gt;- Third parties will be provided access under formally managed conditions only&lt;br /&gt;- Security requirements must be addressed as part of outsourcing contracts&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Asset classification and control&lt;/span&gt;&lt;br /&gt;- All information systems should be accounted for and have a nominated information system owner&lt;br /&gt;- Classification labels must be used to indicate the need and priorities for security protection&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Personnel security&lt;/span&gt;&lt;br /&gt;- Security should be addressed at recruitment, included in relevant job descriptions and contracts, and monitored&lt;br /&gt;- Users of information should be trained in security procedures and the correct use of IT facilities&lt;br /&gt;- Users should be formally authorised in writing as to their scope of access to information systems&lt;br /&gt;- Incidents affecting security should be reported through approved channels as quickly as possible&lt;br /&gt;- All staff, contractors and students should comply with all prevailing legal and community standards relating to data confidentiality and privacy&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Physical and environmental security&lt;/span&gt;&lt;br /&gt;- IT facilities supporting critical or sensitive business activities must be physically protected from:&lt;br /&gt;+ unauthorized access, damage and interference&lt;br /&gt;+ the effects of environmental events such as fire, electrical supply failure, natural disasters and terrorism&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Computer and network management&lt;/span&gt;&lt;br /&gt;- The integrity, accuracy and availability of data are to be maintained in a manner appropriate to the business requirement&lt;br /&gt;- Procedures 
must be established for the operation and management of all computers and networks&lt;br /&gt;- Controls are to be developed to reduce the risk of negligent or deliberate system misuse&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Access control&lt;/span&gt;&lt;br /&gt;- Access to computer services and data should be controlled on the basis of business requirements&lt;br /&gt;- IT will provide appropriate access and security control systems&lt;br /&gt;- Users should only be allowed access to the data that is necessary for them to do their job&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Systems development and maintenance&lt;/span&gt;&lt;br /&gt;- Security requirements must be identified and agreed prior to the development or procurement of IT systems&lt;br /&gt;- Appropriate controls, including audit trails, should be designed into applications&lt;br /&gt;- Access to project, support and development environments and associated test data should be closely controlled&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Business continuity planning&lt;/span&gt;&lt;br /&gt;- Plans must be available to protect critical business processes from the effects of major failures and disasters&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Audit and compliance&lt;/span&gt;&lt;br /&gt;- All relevant statutory and contractual requirements of information systems should be explicitly defined and documented&lt;br /&gt;- The security of IT systems should be regularly and independently reviewed&lt;br /&gt;- Adherence to all relevant privacy laws is compulsory&lt;br /&gt;- Data will be protected against loss and unauthorised access commensurate with its value and the requirements of the regulators and legislators&lt;br /&gt;- IT will monitor and report on access and security breaches, including unsuccessful attempts&lt;br /&gt;&lt;br /&gt;Source : http://www.auckland.ac.nz/security/InformationSecurityPrinciples.htm&lt;div 
class="blogger-post-footer"&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/392671193497079087/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=392671193497079087' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/392671193497079087'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/392671193497079087'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/information-security-principles-isoiec.html' title='Information Security Principles (ISO/IEC 17799)'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-6866133187010072579</id><published>2007-09-20T01:27:00.000-07:00</published><updated>2007-09-20T01:35:38.870-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Consultant'/><title type='text'>Eight Tips for Working with a Consultant</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Jul/Aug 2007&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;by Julie Gable&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Top consultants offer suggestions for identifying, hiring, and working with consultants to produce a successful experience and end result for all involved. 
&lt;/p&gt; &lt;p&gt;New regulations, changes in legal discovery, and the productivity drain of uncontrolled records all compel businesses and government to seek outside assistance from records and information management (RIM) consultants, content management experts, and others who offer fee-based services. Faced with an accelerating transition from paper to electronic recordkeeping, organizations want help in plotting their present course and positioning themselves for the future - areas in which consultants excel.&lt;br /&gt;&lt;/p&gt;Yet, many entrusted with finding and using consulting talent don't make the best use of their budget dollars, usually because they have only vague ideas about how consultants - and the consulting business - work. Here, then, is the best advice culled from several consultants (see sidebar, "Contributors to this Article") whose organizations offer a cross-section of RIM consulting services. Knowing what to watch for (and what to watch out for) can make the experience of identifying, hiring, and collaborating with consultants more productive and rewarding for everyone involved.  &lt;p&gt;&lt;span style="font-weight: bold;"&gt;1 Understand What Consultants Do&lt;/span&gt; &lt;/p&gt; &lt;p&gt;The most common reason to hire a consultant is to get expertise not available in-house. Consultants provide analyses based on data and facts they gather from various sources within the client's organization. Consultants review this data and bring insights to it based on their knowledge and experience. The resulting deliverables may include:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;* Strategic planning and direction - what to do in what order to move from the current situation to a desired situation. For example, a consultant might develop an enterprise strategy for managing electronic records in phases. 
&lt;/p&gt; &lt;p&gt;* Advice, guidance, and work plans - a set of recommendations for how to solve particular problems along with estimated resources, time frame, and costs to do so. For example, a consultant may advise what must be done to replace existing RIM software. &lt;/p&gt; &lt;p&gt;* Tangible work product - this may include such things as retention schedules, file plans, taxonomies, software specifications, and other tools needed to advance organizations' information management efforts. &lt;/p&gt; &lt;p&gt;Typical consulting projects include a mix of services delivered in phases to achieve an objective. Common projects include: &lt;/p&gt; &lt;p&gt;* Developing or revising records management program components - retention schedules, policies, procedures, training materials, or auditing &lt;/p&gt; &lt;p&gt;* Identifying functional and technical specifications for technology to be acquired &lt;/p&gt; &lt;p&gt;* Developing integrated information management strategies for how content will be captured, stored, shared, and managed &lt;/p&gt; &lt;p&gt;Sometimes, consultants are sought to validate internally developed opinions or approaches. Smaller firms may want the consultant to act as a "coach" for their own do-it-yourself effort, where internal personnel will do most of the work. &lt;/p&gt; &lt;p&gt;What consultants deliver depends on how the project is defined. This is principally done in writing through a documented scope of work. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;2 Define the Project's Scope&lt;/span&gt; &lt;/p&gt; &lt;p&gt;Consultants unanimously agree that a scope of work statement is essential for any project. The scope document shows what the project's objectives are, what is included (and what is not), as well as what the client expects to have at the end of the engagement. 
For example, a project described as "an assessment of the current records management program" can be a request for: &lt;/p&gt; &lt;p&gt;(1) An opinion regarding the RIM program's adaptability for use with electronic records &lt;/p&gt; &lt;p&gt;(2) A comparison of the RIM program to other companies' RIM practices in a specific industry &lt;/p&gt; &lt;p&gt;(3) A review of whether the program has adequate staffing levels &lt;/p&gt; &lt;p&gt;(4) An examination of whether the RIM program's workflows are efficient &lt;/p&gt; &lt;p&gt;Any of these could factor into the review of a records management program, but the potential disconnect is where the client expected item (1) but got (4) or, worse, where the client thought it would get not just a RIM program assessment and recommendations for change, but the actual remedial work - the new policies, procedures, and retention schedules, too. &lt;/p&gt; &lt;p&gt;"Scope should focus on achievable goals. Understanding clearly what RIM consultants offer and what the organization needs are important," explained Priscilla Emery of e-Nterprise Advisors. Scope is not a description of the current situation, but a clear definition of what the client wants to have accomplished at the end of the project. Recognize that the scope of work may require input from many sources, including IT, the legal department, and others. &lt;/p&gt; &lt;p&gt;For firms without prior experience in scoping information management projects, it can help to engage a consultant to do a needs analysis. This exercise ensures that requirements are defined as clearly as possible before any bidding process begins and that project aspects are not left open to interpretation. A needs analysis can also break a large project into smaller activities by determining how much of the organization will be part of the project. For example, are all divisions included, or only a specified group? What about international locations? 
&lt;/p&gt;   "Take the time to nail the project scope down," advised Jesse Wilkins, CDIA+, of Access Sciences. "No matter what fee structure is in place, the time you spend on specifying the scope will pay for itself and then some." Consultants also caution that project scope may change as a project progresses, so a clear change control or amendment process is a must.  &lt;p&gt;&lt;span style="font-weight: bold;"&gt;3 Find the Right Fit&lt;/span&gt; &lt;/p&gt; &lt;p&gt;These days, law firms, accounting firms, management consultants, storage companies, software companies, and others have all entered the records consulting marketplace. Also available are independent firms that specialize in records management issues, often with deep expertise in particular industries such as financial services, energy companies, or pharmaceuticals. Several sources of reputable consultants are available (see sidebar, "Finding Consultants"). To find the right firm for the job: &lt;/p&gt; &lt;p&gt;* Evaluate the consultant's knowledge of the organization's industry. "Shop for deep and applicable expertise, experience with current and emerging RIM practices and legal issues," suggested George Cunningham of PelliGroup. &lt;/p&gt; &lt;p&gt;* Verify the consultant's track record. "See if others in the sector have used consultants and find out what their experience has been," offered J. Michael Pemberton, Ph.D., CRM, FAI, of Information Management Associates Inc. &lt;/p&gt; &lt;p&gt;* Match the consultants' skills and expertise to the specific needs of the project, particularly where technology is involved. Noted Art Mansky of Miria Systems: "Consider the consultants' experience in technologies associated with your line of business as well as their technical and project management depth." &lt;/p&gt;        &lt;p&gt;* Realize that big is not necessarily better. 
"A large project can be undertaken by a group of smaller companies who come together with specific skill sets required to meet the project requirements," advised Christine Ardern, CRM, FAI, of Entium Technology Partners. &lt;/p&gt; &lt;p&gt;* Never underestimate the value of hands-on experience. "It's one thing for consultants to advise how something ought to be done, but have they actually done it in a realworld situation?" said Bruce Miller of RIMtech Inc. &lt;/p&gt; &lt;p&gt;To get more information about specific consultants, many organizations prepare a request for information, usually a form that requests specifics about the consulting firm's: &lt;/p&gt; &lt;p&gt;* Years in business &lt;/p&gt; &lt;p&gt;* Location, management, and ownership &lt;/p&gt; &lt;p&gt;* Services provided &lt;/p&gt; &lt;p&gt;* Staff and their qualifications, including certifications such as CRM, CDIA, ERM &lt;/p&gt; &lt;p&gt;* Similar clients and past projects &lt;/p&gt; &lt;p&gt;Choosing from among qualified consultants may be a matter of personal interviews or a formalized request for proposal (RFP) process. An RFP generally includes as much detail about the contemplated project as possible, as well as a clear picture of what kind of work product the consultant must deliver in a specified time frame. The RFP allows consultants to clarify their approach and detail the activities that will take place to accomplish the project objective. &lt;/p&gt; &lt;p&gt;RFP responses will also clearly outline responsibilities, including the client's responsibilities, regarding project management, regular communications, scheduling of interviews, review sessions, approval of submitted work, and expectations for knowledge transfer and management concurrence for the duration of the project. 
Like the project scope document, the successful consultant proposal becomes part of the contract between client and consultant.&lt;br /&gt;&lt;/p&gt;&lt;span style="font-weight: bold;"&gt;4 Understand Fees, Pay for Quality&lt;/span&gt;  &lt;p&gt;Consultants may charge on a time and materials (T&amp;amp;M) basis, such as an hourly or daily rate plus all expenses associated with the project. T&amp;amp;M puts the onus on the client to make sure that the work is progressing at the speed expected. T&amp;amp;M pricing may also be negotiated with a cap or set limit that is not to be exceeded. T&amp;amp;M prices can range from $150 to $300 or more per hour, or $1,200 to $2,400 per day. &lt;/p&gt; &lt;p&gt;Where project scope is well-defined and understood, consultants may charge a firm, fixed price for the deliverables identified. However, don't expect a fixed price for hands-on work if the consultant hasn't actually seen the environment. While it is possible to estimate time per file drawer for an extensive records inventory, it is not possible to know that folders in the drawers are so old that they crumble on contact - a fact that will slow the process and likely increase the price. &lt;/p&gt; &lt;p&gt;Fees should not be the sole criterion for consultant selection. According to PelliGroup's Cunningham, "Shop for quality and value; cheap does not mean competent. A small amount of high-quality assistance is a much better investment than a lot of bad advice." &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;5 Spell out the Details&lt;/span&gt; &lt;/p&gt; &lt;p&gt;The contract formalizes understanding between client and consultant. No matter how cordial the relationship or how relatively small the project, most consultants prefer to have a contract in place. &lt;/p&gt;        &lt;p&gt;Like their clients, consultants generally don't like surprises. 
"Whenever possible, let consultants know standard contracting and procurement procedures up front," said e-Nterprise's Emery. &lt;/p&gt; &lt;p&gt;"Standard contract clauses may not be applicable," cautioned Entium's Ardern. One example is local government contracts, where liability insurance clauses written for heavy construction work are not relevant to information management projects. These can be nasty surprises for consultants that have already quoted a fixed price in their proposals. Such unexpected terms can slow the project's start while they are re-negotiated. &lt;/p&gt; &lt;p&gt;The contract should also represent the interests of both parties. "Consultants have the right to protect intellectual property developed and owned by the consultant," says Naremco Services Inc.'s Alan A. Andolsen, CRM, CMC. &lt;/p&gt; &lt;p&gt;Other clauses to include: &lt;/p&gt; &lt;p&gt;* Confidentiality of client and consultant information. Clients stipulate that their information should not be disclosed to others; consultants stipulate that their work product must not be shared with others outside the contracting organization. &lt;/p&gt; &lt;p&gt;* "Out clauses" that can be invoked by either side for project cancellation, These typically deal with payment for services rendered up to the time of cancellation. &lt;/p&gt; &lt;p&gt;* Estimated travel requirements, including the amount of time consultants are required or expected to be onsite. &lt;/p&gt; &lt;p&gt;* Acceptable expenses and how these will be reimbursed &lt;/p&gt; &lt;p&gt;* Clear payment schedule and payment terms. If invoices are paid net 45 days, the contract should state this. Deductions taken for prompt payment - e.g., 2 percent within 10 days - should be made clear. Required deductions for local taxes or license fees should also be spelled out.&lt;br /&gt;&lt;/p&gt;* Additional work or addendum clauses. 
These describe the process for scoping, estimating, and approving costs for additional work that was not specifically identified in the initial scope of work.  &lt;p&gt;&lt;span style="font-weight: bold;"&gt;6 Expect to Participate&lt;/span&gt; &lt;/p&gt; &lt;p&gt;Consultants unanimously emphasize that clients should expect to be active project participants and that such involvement is critical to project success. &lt;/p&gt; &lt;p&gt;"Clients must be involved in all aspects of the engagement. The client knows his or her organization and is an ongoing resource about operations, people, practices, culture, and a multitude of other issues," Cunningham said. Andolsen elaborated: "Because many elements in our projects have serious legal repercussions, it is essential that the client participate in their development and understand their ramifications." &lt;/p&gt; &lt;p&gt;According to Ernst &amp;amp; Young's Mark Lagodinski, CRM, "Client participation can be significant depending on engagement type. Clients should expect to spend time handling logistics, attending status meetings, and handling internal communications with stakeholders, interviewees, and others." &lt;/p&gt; &lt;p&gt;Mansky stated, "Client participation is critical to the success of an ECM engagement." Emery concurred, "The best projects are the ones where the affected parties are participating willingly." 
&lt;/p&gt; &lt;p&gt;Clients should also expect: &lt;/p&gt; &lt;p&gt;* Projects conducted in accord with clear and stated ethical principles and an atmosphere of trust, openness, and integrity in all consultant dealings &lt;/p&gt;        &lt;p&gt;* Work product that is tailored to their organization's situation, not a cookie-cutter solution or a one-size-fits-all approach &lt;/p&gt; &lt;p&gt;* Open, honest, and frequent communication regarding project status, including risks for project completion and what can be done about them &lt;/p&gt; &lt;p&gt;Consultants expect that ethical behavior is a two-way street. This means that clients and potential clients will also act in good faith and respect the fact that for consultants, time really is money. Some expectations, and some behaviors, are simply unreasonable and can impede rather than foster a strong sense of partnership and collaboration (see sidebar, "What Not To Do"). &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;7 Remember, It's a Business&lt;/span&gt; &lt;/p&gt; &lt;p&gt;Consulting is a business. Most consultants don't want to make a killing; they simply want to make a living. Consultants have basically two things to sell: their time and their expertise, which consists of experience and knowledge. All consultants spend significant time honing their skills and keeping their knowledge up-to-date, so it is unreasonable to expect them to simply give these away. Consultants offer services in exchange for fees, the same as any other business, and they depend on prompt payment of those fees to sustain their enterprises. While most consultants don't mind a quick question, they do resent those looking for free consultation. They also don't like potential clients who presume that consultants will do anything to get their business. 
&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;8 Commit to a Successful Collaboration&lt;/span&gt; &lt;/p&gt; &lt;p&gt;The best way to work with a consultant is to be specific about what is needed, in what time frame, and what the finished product should look like. Realize that it will take time, money, and other resources to achieve the desired result, and be prepared for a commitment of all three. Consultants are partners and collaborators who genuinely want to help their clients succeed. As with all good relationships, successful consulting projects require mutual respect, ethical behavior, and willingness to work together toward specific goals.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Julie Gable, CRM, CDIA, FAI&lt;/span&gt;   &lt;/p&gt; &lt;p&gt;Julie Gable, CRM, CDIA, FAI, is the associate executive editor of The Information Management Journal. For the past 18 years, she has been president of Gable Consulting LlC, an independent RIM consulting firm based in Philadelphia. She may be contacted afjuliegable@verizon.net or www.gableconsulting.com. &lt;/p&gt; &lt;p&gt;Copyright ARMA International Jul/Aug 2007&lt;br /&gt;Provided by ProQuest Information and Learning Company. 
All Rights Reserved&lt;/p&gt;&lt;p&gt;Source : &lt;a href="http://findarticles.com/p/articles/mi_qa3937/is_200707/ai_n19434434/pg_1"&gt;http://findarticles.com/p/articles/mi_qa3937/is_200707/ai_n19434434/pg_1&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/6866133187010072579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=6866133187010072579' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6866133187010072579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/6866133187010072579'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/eight-tips-for-working-with-consultant.html' title='Eight Tips for Working with a Consultant'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-5661568230128858855</id><published>2007-09-20T01:23:00.000-07:00</published><updated>2007-09-20T01:45:07.092-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='Asset management'/><category scheme='http://www.blogger.com/atom/ns#' term='Physical Security'/><category scheme='http://www.blogger.com/atom/ns#' 
term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 17799'/><category scheme='http://www.blogger.com/atom/ns#' term='Access Control'/><category scheme='http://www.blogger.com/atom/ns#' term='Security policy'/><title type='text'>ISO 17799: Standard for Security</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Nov/Dec 2006 &lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;by Ellie Myler and George Broadbent&lt;/span&gt;&lt;br /&gt;&lt;p&gt;Organizations can use ISO 17799 as a model for creating information security policies and procedures, assigning roles and responsibilities, documenting operational procedures, preparing for incident and business continuity management, and complying with legal requirements and audit controls. &lt;/p&gt; &lt;p&gt;Pretexting. Zero Day Attacks. SQL Injections. Bots and Botnets. Insider Infractions. Click Fraud. Database Hacking. Identity Theft. Lost Laptops and Handhelds. According to Ted Humphreys, in a recent International Organization for Standardization (ISO) press release, "It is estimated that intentional attacks on information systems are costing businesses worldwide around $15 billion each year and the cost is rising."&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Today's information professionals need to address an ever-increasing number of internal and external threats to their systems' stability and security, while maintaining access to critical information systems. As the e-commerce space continues to grow and new tools allow organizations to conduct more business online, they must have controls in place to curtail cyber crimes' malicious mayhem, tampering, and wrongdoing. &lt;/p&gt; &lt;p&gt;Organizations need to address information security from legal, operational, and compliance perspectives. The risk of improper use and inadequate documentation abounds, and the penalties are greater than ever. 
By combining best practices outlined in the international standard ISO/IEC 17799 Information Technology - Security Techniques - Code of Practice for Information Security Management (ISO 17799) with electronic records management processes and principles, organizations can address their legal and compliance objectives. This article explores the opportunity to bridge the gaps and bring together information security, intellectual property rights, protection and classification of organizational records, and audit controls. &lt;/p&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;ISO 17799 Components, Applications, Implications&lt;/span&gt; &lt;/p&gt; &lt;p&gt;ISO 17799 provides a framework to establish risk assessment methods; policies, controls, and countermeasures; and program documentation. The standard is an excellent model for organizations that need to: &lt;/p&gt; &lt;p&gt;* Create information security policies and procedures &lt;/p&gt; &lt;p&gt;* Assign roles and responsibilities &lt;/p&gt; &lt;p&gt;* Provide consistent asset management &lt;/p&gt; &lt;p&gt;* Establish human and physical security mechanisms &lt;/p&gt; &lt;p&gt;* Document communications and operational procedures &lt;/p&gt; &lt;p&gt;* Determine access control and associated systems &lt;/p&gt; &lt;p&gt;* Prepare for incident and business continuity management &lt;/p&gt; &lt;p&gt;* Comply with legal requirements and audit controls &lt;/p&gt; &lt;p&gt;Information security can be defined as a program that allows an organization to protect a continuously interconnected environment from emerging weaknesses, vulnerabilities, attacks, threats, and incidents. The program must address tangibles and intangibles. Information assets are captured in multiple and diverse formats, and policies, processes, and procedures must be created accordingly. 
&lt;/p&gt; &lt;p&gt;Organizations can use this standard not only to set up an information security program but also to establish distinct guidelines for certification, compliance, and audit purposes. The standard provides various terms and definitions that can be adopted as well as the rationale, the importance, and the reasons for establishing programs to protect an organization's information assets and resources. Figure 1 depicts the suggested steps and tasks associated with establishing and implementing an information security program. &lt;/p&gt; &lt;p&gt;This ISO framework is methodically organized into 11 security control clauses. Each clause contains 39 main security categories, each with a control objective and one or more controls to achieve that objective. The control descriptions have the definitions, implementation guidance, and other information to enable an organization to set up its program objectives according to the standard methodology. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Step 1: Conduct Risk Assessments&lt;/span&gt; &lt;/p&gt; &lt;p&gt;This component of the standard applies to activities that should be completed before security policies and procedures are formulated. &lt;/p&gt; &lt;p&gt;Risk is defined as anything that causes exposure to possible loss or injury. Risk analysis is defined as a process of identifying the risks to an organization and often involves an evaluation of the probabilities of a particular event or an assessment of potential hazards. Loss potentials should be understood to determine an organization's vulnerability to such loss potentials. 
&lt;/p&gt; &lt;p&gt;Risk categories are both internal and external and can include: &lt;/p&gt; &lt;p&gt;* Natural: Significant weather events such as hurricanes, flooding, and blizzards &lt;/p&gt; &lt;p&gt;* Human: Fire, chemical spills, vandalism, power outages, and virus/hackers &lt;/p&gt; &lt;p&gt;* Political: Terrorist attacks, bomb threats, strikes, and riots &lt;/p&gt; &lt;p&gt;Conduct risk assessments to understand, analyze, evaluate, and determine what risks organizations feel are likely to occur in their environment. Risk assessment activities involve information technology (IT) and information processing facilities, facilities management and building security, human resources (HR), records management (RM) and vital records protection, and compliance and risk management groups. These groups must collectively determine what the risks are, the level of acceptance or non-acceptance of that risk, and the controls selected to counteract or minimize these risks.&lt;/p&gt;&lt;p&gt;Risk analysis is conducted to isolate specific and typical events that would likely affect an organization; considering its geography and the nature of its business activities will help to identify risks. Loss potential from any of these events can result in prohibited access, disrupted power supplies, fires from gas or electricity interruptions, water damage, mildew or mold to paper collections, smoke damage, chemical damage, and total loss (with the destruction of the entire building). &lt;/p&gt; &lt;p&gt;Regularly monitor emerging threats and evaluate their impacts, as this is a constant, moving target. For example, according to an IMlogic article, "IM [instant messaging] worms are the most prevalent form of IM malware, representing 90 percent of all unique attacks in 2005. 
These attacks frequently utilized social engineering techniques to lure end users into clicking on suspicious links embedded inside IM messages, enabling the activation of malicious code that compromised the security of host operating systems or applications." &lt;/p&gt; &lt;p&gt;Although threats are increasingly sophisticated in the virtual sphere, the simple occurrence of employees stealing company information on paper is still very real and prevalent in today's work space. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Step 2: Establish a Security Policy&lt;/span&gt; &lt;/p&gt; &lt;p&gt;These components of the standard provide the content that should be included as well as implementation guidance to set the foundation and authorization of the program. &lt;/p&gt;&lt;p&gt;To set its precedence, an information security policy should be developed, authorized by management, published, and communicated. It should apply to all information assets and must demonstrate management's commitment to the program. Explain implications on work processes and associated responsibilities and outline them in employee job descriptions. &lt;/p&gt; &lt;p&gt;The security policy should be administered, documented, and periodically evaluated and updated to reflect organizational goals and lines of business. This is captured under clause 6.0 for organizing information security. It reflects administrative and management activities to implement the security policy. All activities must identify authorities, responsibilities, agreements, and external security requirements. This has an impact on information processing facilities, external parties, access issues, and problem resolution measures. Keep a record of all policy administration activities to create historical relevance for the information security program. 
&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Step 3: Compile an Asset Inventory&lt;/span&gt; &lt;/p&gt; &lt;p&gt;This component of the standard addresses asset management, controls, and the protection thereof. It applies to all assets in tangible and intangible form. &lt;/p&gt; &lt;p&gt;Identify the organization's intellectual property (IP), tools to create and manage IP, and physical assets with a detailed inventory so the organization knows what type of resources it has, where they are located, and who has responsibility for them. Identifying how assets are to be used, classified, labeled, and handled is necesk sary to establish an asset management inventory.&lt;/p&gt;&lt;p&gt;This inventory should also distinguish the types, formats, and ownership control issues. Implement associated rules for the use of assets including e-mail, Internet usage, and mobile devices. Classifying assets and establishing procedures for labeling and handling according to the classification scheme are also important. Documents in electronic form will lend themselves to being identified through metadata and document properties completion. However, these processes must all be completed by resources. Although automation of these processes is a possibility, an organization still faces extensive costs and resource coordination to address this piece. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Step 4: Define Accountability&lt;/span&gt; &lt;/p&gt; &lt;p&gt;This component of the standard addresses the human aspect of security; it applies to the level of accountability that employees, contractors, and third-party users have to use to protect an organization's information assets. &lt;/p&gt; &lt;p&gt;An information security program will not be implemented unless roles and responsibilities are clearly articulated and understood by those having ownership in the program. 
Ideally, these roles and responsibilities should be outlined in job descriptions and documented in terms and conditions of employment. &lt;/p&gt; &lt;p&gt;Employees are part of the overall information security landscape and often they are the closest and best able to prevent certain incidents from occurring. HR is typically in charge of these issues, but they must collaborate with IT and RM to ensure that all information assets are addressed accordingly. &lt;/p&gt;&lt;p&gt;Define roles and responsibilities during pre-employment and screening processes, and perform background checks to support the hiring process. If the job mandates working with highly sensitive information, an organization must be on guard to hire the most qualified person to perform these tasks. These employees must possess a great deal of integrity, pay attention to detail, and take their responsibilities seriously. &lt;/p&gt; &lt;p&gt;Information security awareness, education, and training must be a routine activity to keep employees informed, to communicate expectations, and to provide updates on their responsibilities. Standardize a disciplinary process for security breaches. &lt;/p&gt; &lt;p&gt;When employees leave or change jobs, it is essential that HR, in collaboration with other stakeholders, follows through with a return of assets process and removal of access rights, which can be captured in HR exit processes and procedures. This often is not a coordinated process, which allows employees to walk off with information or leave behind on servers and in physical work spaces masses of orphaned and unidentified information. Redesign the HR exit interview to ensure that information return or transfer is a coordinated process. 
&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Step 5: Address Physical security&lt;/span&gt; &lt;/p&gt; &lt;p&gt;This component of the standard outlines all the requirements for physical security perimeters and authorized entry controls; measures for protecting against external and environmental threats; equipment security, utilities, and cabling considerations; and secure disposal or removal of storage equipment media.&lt;/p&gt;&lt;p&gt;An organization's building and premises, equipment, and informationprocessing facilities must be fail proof to prevent unauthorized intrusions and access, and possible theft issues. This applies mostly to facilities management and IT, although risk management should also participate to provide environmental risk protection measures. &lt;/p&gt; &lt;p&gt;Include guidelines for physical security perimeters, entry controls, environmental threats, and access patterns in this section. Also address supporting utilities, power, and telecommunication networks. Finally, secure the disposal and removal of equipment that holds information so that information is truly deleted or "wiped" clean from the slate. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Step 6: Document Operating Procedures&lt;/span&gt; &lt;/p&gt; &lt;p&gt;Procedures for system activities, change management controls, and segregation of duties are included in this component. &lt;/p&gt; &lt;p&gt;Any organizational program will be more established when program administration, policies, procedures, and related processes are formally documented. This component sets out to define operating procedures, instructions for the detailed execution thereof, and the management of audit trail and system log information. It applies to all facets of an information security program. &lt;/p&gt; &lt;p&gt;Formally documenting program activities will allow an organization to keep track of the development, implementation, and associated documentation for the program. 
Keep in mind that documentation does not magically appear through word processing programs. It takes resources, good writing skills, and an ability to change documentation when necessary. &lt;/p&gt;&lt;p&gt;Address the separation of development, test, and operational facilities to reduce the risk of unauthorized actions. Monitor and review third-party service delivery requirements to ensure that actions are carried out as mandated. Plan for, monitor, and update system resources, capacity management, and acceptance criteria, as necessary. &lt;/p&gt; &lt;p&gt;Constantly monitor and prepare to protect against malicious and mobile code to guard the integrity of system software and information. This especially pertains to intelligent cybercrime activities such as structured query language injections and attacks on mobile devices, which are increasingly becoming more sophisticated. This should also focus on incoming e-mails and downloadable attachments, as well as a review of webpages. &lt;/p&gt; &lt;p&gt;Backup and restoration procedures must provide for the replication of information and methods for dispersal and testing, meeting business continuity requirements. This should also address retention periods for archival information or those with long-term retention requirements. Address media preservation issues to ensure the longevity of media that have long-term retention requirements. &lt;/p&gt; &lt;p&gt;Address network infrastructure through network controls and management. 
This includes: &lt;/p&gt; &lt;p&gt;* Remote equipment and connections &lt;/p&gt; &lt;p&gt;* Public and wireless networks &lt;/p&gt; &lt;p&gt;* Authentication and encryption controls &lt;/p&gt; &lt;p&gt;* Firewalls and intrusion detection systems &lt;/p&gt; &lt;p&gt;* Media handling and transit methods &lt;/p&gt; &lt;p&gt;* Information classification, retention, and distribution policies and procedures &lt;/p&gt; &lt;p&gt;Although mobile devices have helped organizations stay better connected, employees must use more discretion when using them. Alert employees to proper etiquette for relaying information so they will not be overheard in elevators, airports, or on other public transportation. &lt;/p&gt; &lt;p&gt;Address electronic data interchange, e-commerce, online transactions, electronic signatures, electronic publishing systems, and electronic communication methods such as e-mail and IM. Their secure use and associated procedures must demonstrate accuracy, integrity, and reliability. For organizations using e-commerce, this is not an option, as current regulations are pushing this into the forefront of IT agendas. Organizations should also monitor their systems and record security events through audit logs. Also address records retention policies for archival or evidence requirements. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Step 7: Determine Access Controls&lt;/span&gt; &lt;/p&gt; &lt;p&gt;This component of the standard includes guidelines for establishing policies and rules for information and system access. &lt;/p&gt; &lt;p&gt;Practice standard methods for all users and system administrators to control access to and distribution of information. Policies should apply to users, equipment, and network services. Newer technologies, such as those that have passwords connected to fingerprint digital touch pads, come at a cost, but they should be evaluated as a password management tool. 
&lt;/p&gt; &lt;p&gt;Access control measures should include: &lt;/p&gt;&lt;p&gt;* Setting up user registration and deregistration procedures &lt;/p&gt; &lt;p&gt;* Allocating privileges and passwords &lt;/p&gt; &lt;p&gt;* Implementing a "clear desk and clear screen policy" &lt;/p&gt; &lt;p&gt;* Managing: &lt;/p&gt; &lt;p&gt;- Unattended equipment &lt;/p&gt; &lt;p&gt;- Virtual private network solutions &lt;/p&gt; &lt;p&gt;- Wireless networks and authentications &lt;/p&gt; &lt;p&gt;- Network service issues such as routing and connections &lt;/p&gt; &lt;p&gt;- Telecommuting virtual spaces and intellectual property rights &lt;/p&gt; &lt;p&gt;- Cryptographic keys and procedures &lt;/p&gt; &lt;p&gt;- Software development, testing, and production environments &lt;/p&gt; &lt;p&gt;- Program source code and libraries &lt;/p&gt; &lt;p&gt;- Change control procedures and documentation &lt;/p&gt; &lt;p&gt;- Patches, updates, and service packs &lt;/p&gt; &lt;p&gt;Any information system that an organization procures or develops must also include security requirements for valid data input, internal processing controls, and encryption protection methods. Document the integrity, authenticity, and completeness of transactions through checks and balances. Retain and archive system documentation for configurations, implementations, audits, and older versions. This is further detailed in clause 12 of the standard. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Step 8: Coordinate Business Continuity&lt;/span&gt; &lt;/p&gt; &lt;p&gt;This component of the standard includes reporting requirements, response and escalation procedures, and business continuity management. &lt;/p&gt; &lt;p&gt;As organizations increasingly come under attack and suffer security breaches, they must have some formalized manner of responding to these events. 
&lt;/p&gt; &lt;p&gt;Business continuity management addresses unexpected interruptions in business activities or counters those events that impede an organization's critical business functions. This process should include:&lt;/p&gt;&lt;p&gt;* Identifying risks and possible occurrences &lt;/p&gt; &lt;p&gt;* Conducting business impact analyses &lt;/p&gt; &lt;p&gt;* Prioritizing critical business functions &lt;/p&gt; &lt;p&gt;* Developing countermeasures to mitigate and minimize the impact of occurrences &lt;/p&gt; &lt;p&gt;* Compiling business continuity plans and setting up regular testing methods for plan evaluation and update &lt;/p&gt; &lt;p&gt;A business continuity management framework also includes emergency or crisis management tasks, resumption plans, recovery and restoration procedures, and training programs. Testing the plan is an absolute must to determine its validity. Tests can include a variety of methods to simulate and rehearse real-life situations. Develop calling trees, hot- and cold-site configurations, and third-party contractors, depending on the organization's priority of critical business functions. &lt;/p&gt; &lt;p&gt;Report information security incidents or breaches as soon as possible to ensure that all relevant information can be remembered. This requires having feedback processes in place as well as establishing a list of contacts that are available around the clock to manage this process. Procedures should be consistent and effective to ensure orderly responses to not only manage the immediate process but also to collect evidence for legal proceedings. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Step 9: Demonstrate Compliance&lt;/span&gt; &lt;/p&gt; &lt;p&gt;This component of the standard provides standards for intellectual property rights, RM requirements, and compliance measures. 
These apply to everything from an organization's information processing systems to the granular data and transactional records contained within those systems. &lt;/p&gt;&lt;p&gt;There is an increased scrutiny on organizations to demonstrate compliance with applicable laws, regulations, and legislative requirements for all aspects of their business transactions. Adherence to rules and regulations is an integral part of the information security program and will contribute to demonstrating corporate accountability. &lt;/p&gt; &lt;p&gt;Address identification, categorization, retention, and stability of media for long-term retention requirements according to business and regulatory requirements. Document retention periods and associated storage media as part of managing the organization's records. Address privacy and personal data requirements, which can vary from one country to the next. Address transborder data flow and movement, and associated encryption methods as related to import and export issues depending on federal laws and regulations. &lt;/p&gt; &lt;p&gt;Follow up on and evaluate compliance with established policies and procedures to determine implementation effectiveness and possible shortcomings. Clearly delineate audit controls and tools to determine areas for improvement. Again, it is critical to take time to document all information related to the development and establishment of compliance and audit, including decisions made, resources involved, and other source documentation cited. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Data Breach Reporting Issues&lt;/span&gt; &lt;/p&gt; &lt;p&gt;New information security requirements are emerging as a result of organizations' negligence to protect sensitive data and impose adequate controls on employees using mobile technology to house such data. Information security issues are constantly in the media, as with the recent case when the U.S. 
Department of Veterans Affairs (VA) lost control of the personal information of 28 million veterans when a laptop containing the information was stolen from an employee's home. The VA was criticized for its delay in disclosing the loss and notifying those affected.&lt;/p&gt;&lt;p&gt;California Senate Bill (SB) 1386 is setting the precedent for reporting and disclosing data security breaches and declarations for privacy and financial security. (See Figure 2 "California SB 1386 Excerpts, Source and Language Summary.") Other states are now adopting laws allowing consumers to "freeze" their credit files, even if they have not been a victim of identity theft. If passed, pending bills in the U.S. Congress, including S.1408: Identity Theft Protection Act and H.R. 4127: The Data Accountability and Trust Act, would also force organizations to be more accountable for the vast amount of personal information that they may have. &lt;/p&gt; &lt;p&gt;Organizations should take heed of these legislative efforts and proactively plan for them by updating their information security practices. Any organization that uses e-commerce in its business practices must align its systems and databases for the protection of information content. Organizations that are subject to these laws should structure their reporting measures according to the following components of the ISO 17799 standard: &lt;/p&gt; &lt;p&gt;* Clause 10.9 establishes electronic commerce countermeasures and cryptographic controls to protect sensitive customer information and all associated electronic records databases. &lt;/p&gt; &lt;p&gt;* Clause 13.1 provides a methodology for reporting incidents supported by timely procedures with appropriate behavior mechanisms and disciplinary processes. 
&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Information Security Objectives and Records Management Components&lt;/span&gt; &lt;/p&gt;&lt;p&gt;Although information security is now in the limelight and is being brought to the attention of the executive-level audience, RM is still the basic foundation that branches out into all the various new compliance areas. Records managers need to work with IT to ensure that retention and vital records requirements are addressed and are part of the many inventories that the ISO standard suggests. They must also update their programs to be in line with an information security program's objectives as outlined in the controls and implementation guidance of the ISO 17799 standard. &lt;/p&gt; &lt;p&gt;Maintenance, retention, and protection requirements of data, information, and IP are addressed in the ISO clauses in Figure 3. &lt;/p&gt; &lt;p&gt;Vital records are those records that are needed to resume and continue business operations after a disaster and are necessary to recreate an organization's legal and financial position in preserving the rights of an organization's employees, customers, and stockholders. If vital records protection methods exist before an information security program is established, they should be integrated or referred to as part of the larger information security scheme. IP and the management and protection thereof have long been addressed by organizations through a vital records program. 
When electronic records were not prevalent, vital records protection methods included the same premises, such as: &lt;/p&gt; &lt;p&gt;* Appraisal and identification of those records that are deemed vital &lt;/p&gt; &lt;p&gt;* Duplication and dispersal processes &lt;/p&gt; &lt;p&gt;These methods can apply to any electronic environment but the inventories of such records must include not only the paper versions but also their electronic counterparts captured in other media or systems within the organization.&lt;/p&gt;&lt;p&gt;The objective to protect electronic vital records must focus on: &lt;/p&gt; &lt;p&gt;* Newly created records &lt;/p&gt; &lt;p&gt;* Work in progress &lt;/p&gt; &lt;p&gt;* Other information that is not stored on servers and is typically found on users' desktops &lt;/p&gt; &lt;p&gt;Although it can be argued that many electronic records are captured in enterprise resource planning systems, routine backups of this data may be re-circulated so that long-term retention and protection requirements are not addressed. &lt;/p&gt; &lt;p&gt;Initially, allowing employees to transport laptops and other devices with large amounts of data away from the corporate environment was seen as a way to increase productivity. That is still the case, but controls in the form of policies as to what can and cannot be taken must be established and consistently enforced. As technology offers more ways to compact large amounts of data on very small devices, it is crucial to monitor and correct employees to prevent their actions from compromising the organization's responsibilities for keeping information safe. Establish, fund, and monitor training, support, and compliance to ensure that employees receive appropriate training before turning them loose with the tools. &lt;/p&gt; &lt;p&gt;Compliance also applies to information systems and their audit considerations. 
Administrators running an organization's information systems must be just as closely scrutinized as the employees within the organization and in virtual spaces. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Stay Ahead of the Curve to Stay Secure&lt;/span&gt; &lt;/p&gt;&lt;p&gt;While information security is the newest flavor of the month, chances are that many organizations have no program in place and, therefore, no control over how their employees manage information. &lt;/p&gt; &lt;p&gt;Organizations cannot continue to practice their business in an irresponsible manner. Using the ISO standard to structure their programs is the foundation, but they must also stay ahead of the curve, outguessing and outsmarting potential incidents and occurrences. Websites for information security are pervasive and provide both written materials and podcasts to help keep information professionals informed. Records managers and IT professionals can also help each other achieve a best practices program for information security. &lt;/p&gt; &lt;p&gt;However, any program that an organization initiates will need management support and resources to accomplish it. Collaboration by all parties, including senior management, is essential to achieve compliance in the space of information security. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;References&lt;/span&gt; &lt;/p&gt; &lt;p&gt;ARMA International. "VA IG Slams Top Officials in VA Data Theft Incident." Washington Policy Brief, July 2006. Available at www.arma.org/news/policybrief/index.cfm?BriefID=1335 (accessed 26 September 2006). &lt;/p&gt; &lt;p&gt;Bartholomew, Doug. "Responding to Risk: Invisible Enemies." Industry Week, 1 March 2006. Available at www.industryweek.com/ReadArticle.aspx?ArticleID=11440 (accessed 26 September 2006). &lt;/p&gt; &lt;p&gt;Greenemeier, Larry. "The Next Data Breach Could Mean Your IT Job." Information Week, 17 July 2006. Available at www.informationweek.com/security/showArticle.jhtml?articleID=190400266 (accessed 26 September 2006). 
&lt;/p&gt;&lt;p&gt;IMlogic. IMlogic Threat Center - 2005 Real-Time Communication Security: The Year in Review. Available at www.imlogic.com/pdf/2005ThreatCenter_report.pdf (accessed 12 July 2006; no longer available). &lt;/p&gt; &lt;p&gt;International Organization for Standardization. ISO/IEC 17799:2005, Information Technology - Security Techniques - Code of Practice for Information Security Management. Geneva, Switzerland: International Organization for Standardization, 2005. &lt;/p&gt; &lt;p&gt;_____. ISO/IEC 18043:2006, Information Technology - Security Techniques - Selection, Deployment and Operations of Intrusion Detection Systems. Geneva, Switzerland: International Organization for Standardization, 2006. &lt;/p&gt; &lt;p&gt;_____. "New ISO/IEC Standard to Help Detect IT Intruders." Available at www.iso.org/iso/en/commcentre/pressreleases/2006/Ref1017.html (accessed 26 September 2006). &lt;/p&gt; &lt;p&gt;U.S. House. Data Accountability and Trust Act, 109th Congress, H.R. 4127. Available at www.govtrack.us/congress/bill.xpd?bill=h109-4127 (accessed 26 September 2006). &lt;/p&gt; &lt;p&gt;U.S. Senate. Identity Theft Protection Act, 109th Congress, S. 1408. Available at www.govtrack.us/congress/bill.xpd?bill=s109-1408 (accessed 26 September 2006). &lt;/p&gt; &lt;p&gt;Ellie Myler, CRM, and George Broadbent&lt;/p&gt; &lt;p&gt;Ellie Myler is a Certified Records Manager and Certified Business Continuity Professional and a 17-year veteran of the records management industry. A Senior Records Management Analyst with Entium Technology Partners LLC, Myler has previously served as a consultant to Fortune 500 companies in a wide spectrum of industries. She designs and customizes corporate governance programs for records management and business continuity program initiatives and writes and lectures frequently on information management and technology topics. She may be reached at emyler@entium.com. 
&lt;/p&gt;&lt;p&gt;George Broadbent has more than 17 years of diversified system architecture, network design and implementation, and application development experience, including network management of Novell NetWare and Microsoft Windows 2000/2003 networks. He has designed and built local and wide area networks (LANs/WANs) that include the use of high-availability systems, real-time data replication and hierarchical storage solutions for large multi-site organizations. He has performed the architecture, design, implementation, deployment, and/or support of enterprise electronic mail systems with integrated electronic archiving solutions for Microsoft Exchange-based systems. He can be reached at gbroadbent@entium.com. &lt;/p&gt; &lt;p&gt;Copyright ARMA International Nov/Dec 2006&lt;br /&gt;Provided by ProQuest Information and Learning Company. All rights reserved.&lt;/p&gt;&lt;p&gt;Source : &lt;a href="http://findarticles.com/p/articles/mi_qa3937/is_200611/ai_n16871475"&gt;http://findarticles.com/p/articles/mi_qa3937/is_200611/ai_n16871475&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/5661568230128858855/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=5661568230128858855' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5661568230128858855'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5661568230128858855'/><link rel='alternate' 
type='text/html' href='http://isms-guide.blogspot.com/2007/09/iso-17799-standard-for-security.html' title='ISO 17799: Standard for Security'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-8272641794892650627</id><published>2007-09-20T01:18:00.000-07:00</published><updated>2007-09-20T01:45:46.493-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISO 17799'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27002'/><title type='text'>SystemExperts Launches Security Standard Compliance Offering</title><content type='html'>&lt;span style="font-weight: bold;"&gt;July 9 2007&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;ISO 17799/27002 Compliance Program Helps Organizations Achieve and Demonstrate Security Best Practice&lt;br /&gt;&lt;br /&gt;SUDBURY, Mass. -- SystemExperts (www.systemexperts.com), a premier provider of IT compliance and network security consulting services, today announced the launch of its enhanced ISO 17799/27002 Compliance Program. Designed to help companies build effective security organizations, policies and practices, SystemExperts's ISO 17799/27002 Compliance Program will be of value to organizations looking to measure or demonstrate the use of security best practices to prospective partners, ensure that security resources are applied wisely, and focus their efforts on activities that will address real business risk. 
The ISO 17799/27002 Compliance Program provides a cost-effective method for identifying weaknesses in security policies, practices, and mechanisms and addressing them through a structured program.&lt;br /&gt;&lt;br /&gt;ISO 17799/27002 is an international standard that defines a comprehensive security framework. This balanced framework serves as the basis both for measuring an organization's effectiveness in addressing risk and for structuring an organization's overall security program.&lt;br /&gt;&lt;br /&gt;The ISO 17799/27002 Compliance Program consists of three parts: education, assessment, and remediation. The education phase (Study Session) allows organizations to understand how the standard applies in the context of their unique business environment and risks. The assessment compares the company's practices to those specified in the standard. Next, the remediation phase allows companies to implement recommendations resulting from the assessment and achieve a level of compliance with the standard. After remediation is complete, SystemExperts provides a Compliance Statement. At each step, SystemExperts helps the organization identify security measures that address risks in a cost-effective manner.&lt;br /&gt;&lt;br /&gt;"SystemExperts's ISO 17799/27002 Compliance Program has given Harvard Management Company a clear sense of what we are doing well, what we need to improve, and what we weren't doing at all. The preliminary Study Session helped us to understand what the standard is all about and how to apply it to our business," said John Bergen, Chief Information Officer of Harvard Management Company, the organization responsible for managing Harvard University's $30 billion endowment.&lt;br /&gt;&lt;br /&gt;"The ISO 17799/27002 Compliance Program has proven useful to organizations looking for a cost-effective way of demonstrating compliance with an objective security standard. 
This enables organizations to eliminate the burden of repeatedly performing security reviews for prospective customers or business partners. In addition, SystemExperts's ISO 17799/27002 Compliance Statement makes it easy for organizations to communicate that they have a comprehensive security program in place," said Richard Mackey, vice president of SystemExperts.&lt;br /&gt;&lt;br /&gt;Pricing and Availability:&lt;br /&gt;&lt;br /&gt;SystemExperts's ISO Compliance Programs are tailored to meet an organization's specific needs. Base level pricing begins at $33,000.&lt;br /&gt;&lt;br /&gt;About SystemExperts&lt;br /&gt;&lt;br /&gt;Founded in 1994, SystemExperts(TM) Corporation (www.systemexperts.com) is the premier provider of IT compliance and network security consulting services. The company's clients include many of the leading Wall Street firms, top-tier online retailers, major manufacturers, as well as small businesses in a wide range of industries.&lt;br /&gt;&lt;br /&gt;SystemExperts's consultants are world-renowned authorities who bring to every engagement a unique combination of business experience and technical expertise. Through a range of consulting services, based on signature methodologies, SystemExperts develops security architectures, performs network penetration and application vulnerability testing, develops security policies, provides emergency response to hacker attacks, and assesses compliance with relevant regulations and standards (ISO 17799/27002, PCI, SOX and HIPAA). 
Further information about SystemExperts can be found at www.systemexperts.com or by calling 1 888-749-9800.&lt;br /&gt;&lt;br /&gt;COPYRIGHT 2007 Business Wire&lt;br /&gt;COPYRIGHT 2007 Gale Group&lt;br /&gt;&lt;br /&gt;Source : &lt;a href="http://findarticles.com/p/articles/mi_m0EIN/is_2007_July_9/ai_n19345695"&gt;http://findarticles.com/p/articles/mi_m0EIN/is_2007_July_9/ai_n19345695&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/8272641794892650627/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=8272641794892650627' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8272641794892650627'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8272641794892650627'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/systemexperts-launches-security.html' title='SystemExperts Launches Security Standard Compliance Offering'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-5993266752913831672</id><published>2007-09-12T02:51:00.000-07:00</published><updated>2007-09-12T02:54:57.904-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='E-Book'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Implementation'/><title type='text'>Protection of sensitive information and improving IT control by implementing Six Sigma approach</title><content type='html'>by Kaskyrbekova Aigerim&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Table of contents&lt;/span&gt;&lt;br /&gt;Abstract&lt;br /&gt;Introduction (purpose of the project, problem statement, motivation, significance of the project, etc.)&lt;br /&gt;I Data loss results: confirmed losses of sensitive data&lt;br /&gt;· Which data are most sensitive?&lt;br /&gt;II Leading causes of data loss&lt;br /&gt;· The primary channels for sensitive data loss&lt;br /&gt;III Strategic actions to protect sensitive data&lt;br /&gt;· More monitoring and measurement&lt;br /&gt;· IT controls and sensitive data losses&lt;br /&gt;· Lost data: lost revenues, lost customers and additional expenses&lt;br /&gt;· Benefits of protecting sensitive data&lt;br /&gt;IV Implementing the Six Sigma approach in IT control&lt;br /&gt;· Case studies/applications: Motorola&lt;br /&gt;· Six Sigma methodologies&lt;br /&gt;· Six Sigma’s role in information technology&lt;br /&gt;Conclusion&lt;br /&gt;· References&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Introduction&lt;/span&gt;&lt;br /&gt;It’s hard to imagine what businesses would do without technology. With most commercial interactions (and transactions) riding on multiple internal and external electronic environments—and ever-mounting mandates for demonstrating accountability—organizations have more incentive than ever to keep core business data safe and secure. What are companies doing to protect their data, and are these efforts successful? My project provides a clearer understanding of the state of data protection across many different industries, and compares the characteristics and the strategic and tactical actions that improve results. 
Due to the under-reported nature of the issue—no organization wants to be featured on the front page of the business press for losing customer data—the findings and numbers are enlightening and compelling, and will hopefully act as a diagnostic framework for taking action that reduces data loss, customer loss and revenue loss, and hence improves results.&lt;br /&gt;&lt;br /&gt;Nowadays, the protection of information has become a more crucial issue than it was two or three decades ago. The mass circulation of information allows people to find all the information they need through the internet. Therefore, protecting sensitive information such as personal, financial, customer and employee data is becoming more difficult, especially for big companies, which hold their most valuable and sensitive data in everything from customer lists to merger and acquisition information, emails and electronic documents. In a highly competitive world, companies try to be as innovative as possible in order to be profitable and sustainable, which comes from being different by creating unique products. To do so, however, companies must protect their internal information, which can be attacked both externally, for example by hackers, and internally by employees and customers. In a world of information overflow, anyone can easily gather electronic documents containing the most valuable and sensitive information, and some try to profit by selling stolen information. According to the Privacy Rights Clearinghouse (PRC), from February 15, 2005 to January 19, 2007, 453 separate data loss incidents were recorded, in which almost 100 million records of sensitive, personally identifiable information were left unprotected and stolen or lost. Based on the information about stolen or lost data that was made public, it is clear that different industries have experienced sensitive data loss, with some companies affected more than others depending on the kind of industry and the size of the organization. 
The list of organizations that announced data losses included widely known companies for which trust plays a big role. Thus, protecting sensitive electronic information is a huge challenge, one that can be addressed by leveraging a Six Sigma program to eliminate defects in order to meet customer and employee satisfaction. This report will help readers understand Six Sigma theory, the Six Sigma tools that are available, and the ways in which Six Sigma can be applied to IT.&lt;br /&gt;&lt;br /&gt;Read More : &lt;a href="http://citebm.business.uiuc.edu/TWC%20Class/Project_reports_Spring2007/Information%20Trust%20and%20Compliance/kaskyrbe/kaskyrbe.pdf"&gt;http://citebm.business.uiuc.edu/TWC%20Class/Project_reports_Spring2007/Information%20Trust%20and%20Compliance/kaskyrbe/kaskyrbe.pdf&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/5993266752913831672/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=5993266752913831672' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5993266752913831672'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5993266752913831672'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/protection-of-sensitive-information-and.html' title='Protection of sensitive information and improving IT control by implementing Six Sigma approach'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-7488981252507550533</id><published>2007-09-11T23:28:00.000-07:00</published><updated>2007-09-12T02:46:56.533-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='HIPAA'/><title type='text'>HIPAA: The Application and Challenges of Implementing Healthcare Information Technology</title><content type='html'>&lt;span style="font-weight: bold;"&gt;by Eric Kolman&lt;br /&gt;May 2007&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;1. Introduction&lt;br /&gt;2. Overview: Key Terms&lt;br /&gt;3. Overview: What is HIPAA?&lt;br /&gt;3.1. Title I&lt;br /&gt;3.2. Title II&lt;br /&gt;4. Review of Technology&lt;br /&gt;5. Issues with Technology&lt;br /&gt;5.1 Implementation status of clinical IT&lt;br /&gt;6. Case Study: HIPAA Compliance Survey Results, Winter 2006&lt;br /&gt;7. Conclusion&lt;br /&gt;8. References&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;Introduction&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The healthcare industry has been undergoing radical transformations and has been rapidly adopting information technology solutions to meet the challenges of regulatory burdens, cost reduction, and patient care. A few examples of the solutions being implemented are computerized physician order entry (CPOE) initiatives, electronic medical records (EMR), and electronic claims processing. A recent study has shown that healthcare providers in the United States will increase IT spending from $15.1 billion in 2002 to $17.3 billion in 2007 (Rotbert Law Group). The demand for healthcare technology has significantly increased and has created remarkable opportunities for healthcare solution providers. 
The expanding use of IT, though, has also created numerous challenges for organizations. As information in the healthcare industry moves toward becoming completely electronic, privacy and security concerns are increasing. The foremost concerns hospitals and healthcare systems face are protecting patients’ information, making sure it is secure, and preventing access by people who should not have it. Healthcare organizations look to IT to help them solve this problem, but fulfilling the promise of technology is an ongoing and daunting task due to limited budgets, the need for legacy system migration, and new technology insertion. A regulatory framework has been put in place to respond to these rising concerns. Part of this regulatory framework is the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. Health plans and healthcare providers that transmit health information in electronic form must comply with HIPAA or face the possibility of significant fines or even jail time.&lt;br /&gt;&lt;br /&gt;Read more : &lt;a href="http://citebm.business.uiuc.edu/TWC%20Class/Project_reports_Spring2007/HIPAA/ekolman/eKolman.pdf"&gt;http://citebm.business.uiuc.edu/TWC%20Class/Project_reports_Spring2007/HIPAA/ekolman/eKolman.pdf&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/7488981252507550533/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=7488981252507550533' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7488981252507550533'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/7488981252507550533'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/hipaa-application-and-challenges-of.html' title='HIPAA: The Application and Challenges of Implementing Healthcare Information Technology'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-2530654473640949984</id><published>2007-09-11T23:15:00.000-07:00</published><updated>2007-09-11T23:25:42.644-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISO 17799'/><category scheme='http://www.blogger.com/atom/ns#' term='Benefits'/><category scheme='http://www.blogger.com/atom/ns#' term='Implementation'/><title type='text'>It security and Risk Management : ISO 17799 [PDF]</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-weight: bold;"&gt;Madina Nurguzhina&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-weight: bold;"&gt;Table of contents&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;1. Introduction&lt;br /&gt;2. COBIT versus ISO 17799 in IT Governance&lt;br /&gt;2.1. COBIT 4.0&lt;br /&gt;2.2. ISO 17799&lt;br /&gt;3. Implementation of ISO 17799&lt;br /&gt;3.1. ISO 17799’s implementation example&lt;br /&gt;3.2. Benefits of ISO17799&lt;br /&gt;4. 
Conclusion&lt;br /&gt;Reference&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;"&gt;Introduction&lt;/span&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;In order to comply with current laws and regulations and to be competitive and successful, a company in today's world must consider not only such things as profit, personnel and supply chain management, but also the information technologies that play a very important role in those processes. Information is a very important element of every process within a company. If a company can successfully protect and manage information, it will contribute a lot to its business purposes as a whole.&lt;br /&gt;&lt;br /&gt;In the global community there are many different standards and frameworks that help a company manage and secure IT, such as COSO, COBIT, ISO, ITIL and many others. In order to have strong and sound IT governance, a company has to implement the IT frameworks that fit its main processes.&lt;br /&gt;&lt;br /&gt;COSO is a very broad group of standards that includes the functions of different financial and auditing institutions, while COBIT, ISO and ITIL are more specific and focus more on IT security and risk management. As part of my individual project, I want to narrow my search to the COBIT and ISO standards. ISO standards are used globally more often than COBIT because ISO fits more smoothly into the business frameworks of most countries: COBIT addresses standards only, while ISO covers both standards and processes (e.g. organizational security, personnel security, communications and operations management, business continuity management, and so on). 
I will show this in my report, supporting my ideas with relevant cases and examples from certain companies.&lt;br /&gt;&lt;br /&gt;Let us talk a little about COSO (the Committee of Sponsoring Organizations of the Treadway Commission) and its role in IT governance. As mentioned earlier, COSO is a very broad set of standards (to be precise, a private-sector organization) that focuses not only on IT governance control and improvement but also, and mostly, on the quality of financial reporting, internal control and corporate governance. The organization was formed to identify the factors that lead to fraudulent financial reporting and to give companies, auditors, educational institutions and others recommendations on how to prevent them. The sponsoring organizations within the Committee are “five major professional associations in the United States, the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants)” (1). In spite of the sponsorship arrangement, the Commission is independent of all of the sponsoring organizations, and has representatives from industry, public accounting, the New York Stock Exchange, and different investment firms.&lt;br /&gt;&lt;br /&gt;COSO defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in such categories as effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. IT governance is part of internal control within the COSO framework. Therefore, the different frameworks for IT security and management (COBIT, ITIL, ISO, and so on) should comply with COSO's requirements. 
While COSO is generally accepted as the internal control framework for enterprises, COBIT, ISO and other similar frameworks are the generally accepted internal control frameworks for IT.&lt;br /&gt;&lt;br /&gt;Read More : &lt;a href="http://citebm.business.uiuc.edu/TWC%20Class/Project_reports_Spring2007/Business%20Risk%20Management/mnurguz2/MNurguz2.pdf"&gt;http://citebm.business.uiuc.edu&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/2530654473640949984/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=2530654473640949984' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2530654473640949984'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/2530654473640949984'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/it-security-and-risk-management-iso.html' title='It security and Risk Management : ISO 17799 [PDF]'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-1419362363918589287</id><published>2007-09-11T23:01:00.000-07:00</published><updated>2007-09-11T23:05:05.828-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='HIPAA'/><category 
scheme='http://www.blogger.com/atom/ns#' term='ISO 17799'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>ISO 17799 It's a control, not a standard</title><content type='html'>&lt;p&gt;&lt;span style="font-weight: bold;"&gt;By Patrick Lamphere &lt;/span&gt;&lt;br /&gt;April 29, 2007 &lt;br /&gt;Computerworld&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Im always interested when I learn that things arent the way I thought &lt;br /&gt;they were.  Mom put "Santa's" presents under the Christmas tree.  &lt;br /&gt;Columbus didnt discover America.  Lee, Lifeson, and Peart arent equal to &lt;br /&gt;the Father, Son, and Holy Spirit. And, most recently, ISO 17799:2005 &lt;br /&gt;shouldnt be used as a list of required controls for organizations to &lt;br /&gt;deploy.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Dont get me wrong.  For something written by committee, the &lt;br /&gt;International Standards Organization and International Electrotechnical &lt;br /&gt;Commission - Code of Practice for Information Security Management &lt;br /&gt;Reference Number 17799:2005 (from here on out ISO 17799) isnt half bad.  &lt;br /&gt;As anyone familiar with it knows, its a fairly exhaustive list of &lt;br /&gt;controls covering 11 major domains of information security (more on that &lt;br /&gt;later), from policy to compliance.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Its not perfect.  Aside from the Briticisms (it is their language, after &lt;br /&gt;all), there are some areas where it doesnt give enough depth or detail, &lt;br /&gt;others where it goes a little overboard, and some terminology that is &lt;br /&gt;just plain odd ("Threat Vulnerability Management," anyone?).  But these &lt;br /&gt;relatively minor shortcomings are outweighed by the overall benefits for &lt;br /&gt;those companies that turn to it for guidance.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;If your company is adopting ISO 17799 as a "standard," however, youre &lt;br /&gt;missing the point. 
ISO 17799 is a list of controls -- nothing more, &lt;br /&gt;nothing less.  Notice the ample use of the word should throughout the &lt;br /&gt;document.  Nowhere are there any requirements that an organization do &lt;br /&gt;anything.  No shall or shall not, no do or do not -- ISO 17799 is a list &lt;br /&gt;of guidelines, not requirements.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;This is a good thing.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;ISO 17799 was originally British Standard 7799-1, and meant to be &lt;br /&gt;adopted along with the other parts of the 7799 series, namely 7799-2 &lt;br /&gt;(Information Security Management Systems) and 7799-3 (Guidelines for &lt;br /&gt;Information Security Risk Management.  Further muddying the waters, BS &lt;br /&gt;7799-2 was recently adopted as ISO 27001.  BS 7799-1/ISO 17799 will &lt;br /&gt;eventually be renumbered as ISO 27002 (&lt;a href="http://www.bsiamericas.com/InformationSecurity/GuidanceDocuments/FAQISMS2005.pdf"&gt;PDF format&lt;/a&gt;).&lt;br /&gt;&lt;/p&gt;&lt;p&gt;So whats the point?  Thats where ISO 27001 comes in.  ISO 27001:2005 is &lt;br /&gt;a specification for an Information Security Management System (ISMS): &lt;br /&gt;These are things you must do to set up an ISMS.  But what is an ISMS?  &lt;br /&gt;The ISMS is the framework you need to have in place to define, implement &lt;br /&gt;and monitor the controls needed to protect the information in your &lt;br /&gt;company.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;And here we get back to information security. ISOs 17799 and 27001 arent &lt;br /&gt;just concerned with the data sitting on your companys collection of hard &lt;br /&gt;drives. 
They cover how your company protects its information in all its &lt;br /&gt;forms, from bits on disks to black marks on dead trees and piles of &lt;br /&gt;sentient meat.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;This is also a good thing.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Getting started ISO 27001-style&lt;br /&gt;&lt;/p&gt;&lt;p&gt;There are 5 main clauses of the ISO 27001 standard (8 total, but 1-3 are &lt;br /&gt;definitions and overview), plus an annex that maps directly to &lt;br /&gt;17799/27002.  Clause 4 is the meat of the standard.  It outlines the &lt;br /&gt;requirements for the ISMS.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;First you establish the scope -- what is it going to cover?  Your entire &lt;br /&gt;organization?  A smaller portion (like a datacenter or subsidiary)?  &lt;br /&gt;The scope is up to you, but needs to be reasonable -- if youre an online &lt;br /&gt;backup firm, for instance, excluding the servers used to perform those &lt;br /&gt;backups but leaving everything else in wouldnt make sense.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Once youve got scope defined, you create the policy to govern the ISMS.  &lt;br /&gt;This includes the usual high-level policy stuff such as management &lt;br /&gt;support and alignment with the business; along with the interesting &lt;br /&gt;parts that make ISO 27001 unique and more useful than any of the other &lt;br /&gt;frameworks out there: contractual (PCI), business, legal and regulatory &lt;br /&gt;(eg., SOX or HIPAA) requirements; and the risk management context, &lt;br /&gt;including risk assessment and acceptance criteria.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;After youve got your scope and policy, its time to get down to work &lt;br /&gt;figuring out what information assets you have, and doing a risk &lt;br /&gt;assessment of each of those assets.  
The assets can be as granular as is reasonable for your business, though it's easier to lump things together (for example, one asset type defined as "employee personal information" instead of separate categories for W-2, I-9, 1099, 401(k) and so forth). Once the assets are figured out, you can then choose your favorite risk assessment methodology (OCTAVE, NIST SP 800-30 [&lt;a href="http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf"&gt;PDF format&lt;/a&gt;], BS 7799-3, Tarot) to determine the risks that apply to your defined information assets.&lt;/p&gt;&lt;p&gt;Suggestions, not requirements&lt;/p&gt;&lt;p&gt;Now that you've determined your risks, it's time to pick controls. And here's the best part: while you do need to address the control areas outlined in Annex A, the controls you select don't have to be as stringent as what's outlined in ISO 17799/27002. The controls in ISO 17799/27002 are suggestions. It's up to you to pick the controls that provide an appropriate level of mitigation for your business; what ISO 27001 does require is that you record, in a Statement of Applicability, which Annex A controls you selected and which you excluded and why.
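To make the assessment and control-selection steps concrete, here is an added worked example written for this page (not code from the article or from any ISO document): a small risk register in Python that scores each asset/threat pair on an assumed 1 to 5 likelihood and impact scale in the style of NIST SP 800-30, compares the score with an assumed acceptance threshold taken from the ISMS policy, chooses a treatment (accept, mitigate, transfer or defer), flags any mitigation whose residual risk still exceeds the threshold so that management has to sign off on it, and lists the Annex A areas that no register entry maps to, which would need a documented exclusion rationale. The assets, threats, controls, effectiveness ratings and the list of required areas are constructed sample data.

```python
"""ISMS risk register walk-through.

Added illustration for this page, not code from the article or from any ISO
document. Assumed, not taken from the article: a 1..5 qualitative likelihood
and impact scale in the style of NIST SP 800-30, an acceptance threshold of 8
set by the ISMS policy, and the constructed sample assets, threats and
controls in build_register().
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE = range(1, 6)        # 1 = very low .. 5 = very high (assumed scale)
ACCEPTANCE_THRESHOLD = 8   # assumed policy value: scores up to 8 are accepted as-is


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def value(self) -> int:
        # Conservative: the asset is as sensitive as its most sensitive CIA property.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int
    annex_a_area: str           # ISO 27001:2005 Annex A area the risk maps to
    control: str = ""           # selected control; may be weaker than the 27002 wording
    control_effect: int = 0     # likelihood steps the control is judged to remove
    transferable: bool = False  # insurable or outsourceable
    funded: bool = True         # budget exists this cycle

    def inherent(self) -> int:
        return self.likelihood * self.asset.value()

    def residual(self) -> int:
        return max(1, self.likelihood - self.control_effect) * self.asset.value()


def validate(risk: Risk) -> None:
    """Reject ratings outside the agreed scale so register entries stay comparable."""
    a = risk.asset
    for v in (risk.likelihood, a.confidentiality, a.integrity, a.availability):
        if v not in SCALE:
            raise ValueError(f"rating {v} outside scale for {a.name}: {risk.threat}")


def treat(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Pick accept, mitigate, transfer or defer for one register entry.

    A mitigation whose residual score still exceeds the threshold is flagged
    ('mitigate+sign-off') so management formally accepts the residual risk
    instead of it being accepted silently.
    """
    validate(risk)
    if threshold >= risk.inherent():
        return "accept"
    if risk.control and risk.funded:
        return "mitigate" if threshold >= risk.residual() else "mitigate+sign-off"
    if risk.transferable:
        return "transfer"
    return "defer"


def unaddressed_areas(register: list[Risk], required_areas: list[str]) -> list[str]:
    """Annex A areas no register entry maps to; each needs a written exclusion rationale."""
    covered = {r.annex_a_area for r in register}
    return sorted(set(required_areas) - covered)


def treatment_plan(register: list[Risk]) -> dict[str, str]:
    """The register's decisions in one view: threat description to treatment."""
    return {r.threat: treat(r) for r in register}


# Assumed subset of the ISO 27001:2005 Annex A areas this ISMS has to address.
REQUIRED_AREAS = [
    "A.9 Physical and environmental security",
    "A.10 Communications and operations management",
    "A.11 Access control",
    "A.13 Information security incident management",
    "A.14 Business continuity management",
]


def build_register() -> list[Risk]:
    """Constructed sample data; all ratings are illustrative."""
    pii = Asset("employee personal information", 5, 3, 2)
    backups = Asset("backup servers", 4, 4, 5)
    site = Asset("public website content", 1, 3, 3)
    return [
        Risk(pii, "insider browsing HR records", 3, "A.11 Access control",
             control="role-based access with quarterly review", control_effect=2),
        Risk(backups, "ransomware destroys online backups", 4,
             "A.10 Communications and operations management",
             control="offline backup copies", control_effect=1),
        Risk(backups, "datacenter fire", 2, "A.9 Physical and environmental security",
             transferable=True),
        Risk(site, "website defacement", 2,
             "A.12 Information systems acquisition, development and maintenance"),
        Risk(pii, "lost unencrypted laptop", 3, "A.11 Access control",
             control="full-disk encryption", control_effect=3, funded=False),
    ]


if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(f"{r.asset.name}: {r.threat} inherent={r.inherent()} "
              f"residual={r.residual()} => {treat(r)}")
    print("Annex A areas needing an exclusion rationale:",
          unaddressed_areas(register, REQUIRED_AREAS))
```

Running the module prints one line per register entry and the uncovered Annex A areas. The scale and the threshold are deliberately parameters rather than constants buried in the logic: they are policy decisions that belong in the ISMS policy document, and the code only applies them.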
Granted, you still need to take into account the realities of your regulatory environment (no four-character passwords and ROT13 "encryption" for PCI), but beyond that, the controls are entirely up to your business, as long as they are reasonable for the defined levels of risk.&lt;/p&gt;&lt;p&gt;A side note on risk -- as part of any risk assessment program, you should have guidelines for how risks are going to be handled: mitigation (the application of controls), acknowledged and deferred (we know about that, we just can't afford to do anything about it right now; hold off until the next budget cycle), transferred (insurance) and acceptance (the level of risk that the business is able to live with). ISO 27001 also lists avoidance (dropping the activity that creates the risk) as an option, and note that a deferred risk is, until the budget arrives, an accepted one, so it needs the same management sign-off.&lt;/p&gt;&lt;p&gt;The remainder of clauses 4-8 deal with management acknowledgement and acceptance of any residual risk; ensuring that the ISMS is kept up to date through periodic management review, internal audit and process improvement; and of course proper documentation (if it's not on paper, it doesn't exist).&lt;/p&gt;&lt;p&gt;And the benefits?&lt;/p&gt;&lt;p&gt;So once you've gone through this long (18-30 months) and admittedly difficult-at-times process, what's the benefit?&lt;/p&gt;&lt;p&gt;Controls that align with the business. No longer are your information security controls applied based on the whims of management and the proclivities of your IT staff. Risk is managed as a whole -- no more chasing down the rat-hole of SOX only to finally crawl back out again, bruised, bloodied and battered, to repeat the experience with HIPAA, then with SB 1386, then PCI, the USA PATRIOT Act, FinCEN, OFAC, PIPEDA, ad infinitum.&lt;/p&gt;&lt;p&gt;Best of all?
You can get your business certified to the fact that you have a functioning ISMS that incorporates all the legal, contractual and regulatory requirements you have included in your scope. It's the closest thing out there to being certified compliant with HIPAA or SOX. And the cost of certification is surprisingly cheap -- $15K to $50K for three years, depending on the size and scope of your ISMS. And despite what the security community is more than willing to sell at the moment, you can't certify to ISO 17799/27002. The controls outlined in ISO 17799 are simply guidelines, not requirements.&lt;/p&gt;&lt;p&gt;This isn't to say that an organization can't decide to use those guidelines as the basis of its control framework, and then perform a gap analysis against those controls. It's just that by deploying ISO 17799/27002 and ignoring 27001, you're missing a fantastic opportunity to bring your information security and IT departments to a level of maturity that is fully aligned with the realities your business faces.&lt;/p&gt;&lt;p&gt;-=-&lt;/p&gt;Patrick Lamphere is a professional cynic, skeptic and tubist who amuses himself working as an information security consultant.&lt;br /&gt;&lt;br /&gt;Article Source: &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=security&amp;amp;articleId=9018158"&gt;http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=security&amp;amp;articleId=9018158&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-1419362363918589287?l=isms-guide.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/1419362363918589287/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=1419362363918589287' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/1419362363918589287'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/1419362363918589287'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/iso-17799-its-control-not-standard.html' title='ISO 17799 It&apos;s a control, not a standard'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-995028222370690919</id><published>2007-09-09T21:23:00.000-07:00</published><updated>2008-12-09T15:46:42.806-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Book'/><title type='text'>Information Security Management Handbook, Fifth Edition, Volume 2 (Information Security Management Handbook) (Hardcover)</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.amazon.com/gp/redirect.html?ie=UTF8&amp;location=http%3A%2F%2Fwww.amazon.com%2FInformation-Security-Management-Handbook-Fifth%2Fdp%2F0849332109&amp;amp;tag=forfin-20&amp;linkCode=ur2&amp;amp;camp=1789&amp;creative=9325"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" 
src="http://2.bp.blogspot.com/_f_y-UudDD60/RuTHdZGWVxI/AAAAAAAAADo/6rp39oHKbTI/s320/Information+Security+Management+Handbook.jpg" alt="" id="BLOGGER_PHOTO_ID_5108427185112635154" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;Buy This Book &lt;/span&gt;&lt;br /&gt;&lt;a style="color: rgb(255, 255, 255);" href="http://www.amazon.com/gp/redirect.html?ie=UTF8&amp;location=http%3A%2F%2Fwww.amazon.com%2FInformation-Security-Management-Handbook-Fifth%2Fdp%2F0849332109&amp;amp;tag=forfin-20&amp;linkCode=ur2&amp;amp;camp=1789&amp;creative=9325"&gt;&lt;span style="font-weight: bold;"&gt;Amazon.com&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Details&lt;/span&gt;&lt;br /&gt;- Hardcover: 578 pages&lt;br /&gt; - Publisher: AUERBACH; 5 edition (December 28, 2004)&lt;br /&gt; - Language: English&lt;br /&gt; - ISBN-10: 0849332109&lt;br /&gt; - ISBN-13: 978-0849332104&lt;br /&gt;&lt;br /&gt;&lt;div class="content"&gt;           &lt;b&gt;Book Description&lt;/b&gt;&lt;br /&gt;&lt;p&gt;Since 1993, the Information Security Management Handbook has served not only as an everyday reference for information security practitioners but also as an important document for conducting the intense review necessary to prepare for the Certified Information System Security Professional (CISSP) examination. Now completely revised and updated and in its fifth edition, the handbook maps the ten domains of the Information Security Common Body of Knowledge and provides a complete understanding of all the items in it. This is a "must have" book, both for preparing for the CISSP exam and as a comprehensive, up-to-date reference.&lt;/p&gt;     &lt;b&gt;Book Info&lt;/b&gt;&lt;br /&gt;Handbook includes chapters that correspond to the 10 domains of the Certified Information System Security Professional (CISSP) examination. 
Previous edition: c1999. DLC: Computer security--Management--Handbooks, manuals, etc. &lt;em&gt;--This text refers to an out of print or unavailable edition of this title.&lt;/em&gt;    &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-995028222370690919?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/995028222370690919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=995028222370690919' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/995028222370690919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/995028222370690919'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/information-security-management.html' title='Information Security Management Handbook, Fifth Edition, Volume 2 (Information Security Management Handbook) (Hardcover)'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_f_y-UudDD60/RuTHdZGWVxI/AAAAAAAAADo/6rp39oHKbTI/s72-c/Information+Security+Management+Handbook.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-996466119360426627</id><published>2007-09-06T01:57:00.000-07:00</published><updated>2007-09-06T02:00:58.727-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO Audit'/><title type='text'>White Paper on Information Security Auditing / Implementation Procedures</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;div style="text-align: left;"&gt;Today, information is the lifeblood of most organizations. With the increase in global Internet access, the possibility of security risks has increased significantly. With the advent of the Gramm-Leach-Bliley Act ("GLB") in 1999, safeguarding client and consumer information has become the primary focus of many regulators, such as the FTC, FDIC/OCC, SEC and NCUA, and of regulations such as HIPAA.&lt;br /&gt;Information security is an ever-evolving challenge, requiring proper attention and due diligence to maintain. Within this white paper, we will discuss Information Technology (IT) auditing techniques and secure network implementation methodologies.&lt;br /&gt;&lt;br /&gt;View This White Paper: &lt;a href="http://www.allstatestech.com/pdf/Information_Security_Auditing_White_Paper_v3.pdf"&gt;Information_Security_Auditing_White_Paper_v3&lt;/a&gt;&lt;br /&gt;Source: www.allstatestech.com&lt;br /&gt;&lt;/div&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;INDEX&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-weight: bold;"&gt;1. The Auditing Process Page 3&lt;/span&gt;&lt;br /&gt;· Black Hat Method&lt;br /&gt;· White Hat Method&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;2. Post Audit Page 5&lt;/span&gt;&lt;br /&gt;· Costs Associated with Security Breaches&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;3. Designing a Security Policy Page 6&lt;br /&gt;&lt;br /&gt;4. Designing a Secure Architecture Page 7&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;5. 
Remediations &amp; Migrations Page 8&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;6. Final Audit Page 8&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;7. Staying Secure Page 9&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;8. Credentials Page 10&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-996466119360426627?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/996466119360426627/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=996466119360426627' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/996466119360426627'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/996466119360426627'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/white-paper-on-information-security.html' title='White Paper on Information Security Auditing / Implementation Procedures'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-5051471947698071562</id><published>2007-09-06T01:25:00.000-07:00</published><updated>2007-09-06T01:31:32.321-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category scheme='http://www.blogger.com/atom/ns#' 
term='management strategies'/><title type='text'>Information Security Plan (Example)</title><content type='html'>&lt;p align="center"&gt;&lt;strong&gt;&lt;a name="intro"&gt;.010 Introduction&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;  &lt;p align="justify"&gt;This Information Security Plan ("Plan") describes Kansas State  University's safeguards to protect covered data and information.  Covered data and  Information for the purpose of this policy includes student financial information  (defined below) required to be protected under the Gramm Leach Bliley Act (GLB).   In addition to this coverage which is required under federal law, KSU chooses as a  matter of policy to also include in this definition any credit card information  received in the course of business by the University, whether or not such credit  card information is covered by GLB.  Covered data and information includes both  paper and electronic records.&lt;/p&gt;  &lt;p align="justify"&gt;Student financial information is that information that KSU has  obtained from a customer in the process of offering a financial product or service,  or such information provided to the University by another financial institution.   Offering a financial product or service includes offering student loans to students,  receiving income tax information from a student's parent when offering a financial  aid package, and other miscellaneous financial services.  
Examples of student financial  information include addresses, phone numbers, bank and credit card account numbers,  income and credit histories and Social Security numbers, in both paper and electronic  format.&lt;/p&gt;  &lt;p align="justify"&gt;These safeguards are provided to:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;&lt;p align="justify"&gt;Ensure the security and confidentiality of covered data and   information;&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Protect against anticipated threats or hazards to the security   or integrity of such information; and&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Protect against unauthorized access to or use of covered data   and information that could result in substantial harm or inconvenience to   any customer.&lt;/p&gt; &lt;/li&gt;&lt;/ul&gt; &lt;p align="justify"&gt;This Information Security Plan also provides for mechanisms to:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;&lt;p align="justify"&gt;Identify and assess the risks that may threaten covered data   and information maintained by KSU;&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Develop written policies and procedures to manage and control   these risks;&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Implement and review the plan; and&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Adjust the plan to reflect changes in technology, the   sensitivity of covered data and information and internal or external threats to   information security.&lt;/p&gt; &lt;/li&gt;&lt;/ul&gt;  &lt;p align="center"&gt;&lt;strong&gt;&lt;a name="ident"&gt;.020 Identification and Assessment of Risk to   Customer Information&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;   &lt;p align="justify"&gt;KSU recognizes that it has both internal and external risks.  
These  risks include, but are not limited to:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;&lt;p align="justify"&gt;Unauthorized access of covered data and information by    someone other than the owner of the covered data and information&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Compromised system security as a result of system access by    an unauthorized person&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Interception of data during transmission&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Loss of data integrity&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Physical loss of data in a disaster&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Errors introduced into the system&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Corruption of data or systems&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Unauthorized access of covered data and information by employees&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Unauthorized requests for covered data and information&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Unauthorized access through hardcopy files or reports&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;Unauthorized transfer of covered data and information through    third parties&lt;/p&gt; &lt;/li&gt;&lt;/ul&gt;  &lt;p align="justify"&gt;KSU recognizes that this may not be a complete list of the risks  associated with the protection of covered data and information.  Since technology  growth is not static, new risks are created regularly.  Accordingly, the Security  Incident Response Team will actively participate and monitor advisory groups for  identification of new risks.&lt;/p&gt;   &lt;p align="justify"&gt;KSU believes current information technology safeguards are reasonable  and, in light of current risk assessments are sufficient to provide security and  confidentiality to covered data and information described above maintained by the central  University units.  
Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information.&lt;/p&gt;  &lt;p align="center"&gt;&lt;strong&gt;&lt;a name="coordinator"&gt;.030 Information Security Plan Coordinator&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;   &lt;p align="justify"&gt;The Chair of the Security Incident Response Team (SIRT) has been appointed as the coordinator of this Plan.  The Chair is responsible for assessing the risks associated with unauthorized transfers of covered data and information and implementing procedures to minimize those risks to KSU.   Internal Audit personnel will also conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and to verify that KSU departments comply with the requirements of this policy.&lt;/p&gt;  &lt;p align="center"&gt;&lt;strong&gt;&lt;a name="design"&gt;.040 Design and Implementation of Safeguards Program&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;  &lt;p align="left"&gt;&lt;strong&gt;Employee Management and Training&lt;/strong&gt;&lt;/p&gt;  &lt;p align="justify"&gt;References of new employees working in areas that regularly work with covered data and information (Cashier's Office, Registrar, and Student Financial Assistance) are checked.  During employee orientation, each new employee in these departments will receive proper training on the importance of confidentiality of student records, student financial information, and other types of covered data and information.  Each new employee is also trained in the proper use of computer information and passwords.&lt;/p&gt;    &lt;p align="justify"&gt;Training also includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, including "pretext calling" and how to properly dispose of documents that contain covered data and information.  
"Pretext calling" occurs when an individual improperly obtains  personal information of university customers so as to be able to commit identity  theft.  It is accomplished by contacting the University, posing as a customer  or someone authorized to have the customer's information, and through the use  of trickery and deceit, convincing as employee of the University to release customer  identifying information.&lt;/p&gt;    &lt;p align="justify"&gt;Each department responsible for maintaining covered data and  information is instructed to take steps to protect the information from destruction,  loss or damage due to environmental hazards, such as fire and water damage or  technical failures.  Further, each department responsible for maintaining covered  data and information should ensure, on an annual basis, the coordination and review  of additional privacy training appropriate to the department.  These training efforts  should help minimize risk and safeguard covered data and information security.&lt;/p&gt;  &lt;p align="left"&gt;&lt;strong&gt;Physical Security&lt;/strong&gt;&lt;/p&gt;  &lt;p align="justify"&gt;KSU has addressed the physical security of covered data and information  by limiting access to only those employees who have a business reason to know such  information.  For example, personal customer information, accounts, balances and  transactional information are available only to KSU employees with an appropriate  business need for such information.&lt;/p&gt;    &lt;p align="justify"&gt;Loan files, account information and other paper documents are kept  in file cabinets, rooms or vaults that are locked each night.  Only authorized employees  know combinations and the location of keys.  Paper documents that contain covered data  and information are shredded at time of disposal.  
&lt;/p&gt;&lt;p align="left"&gt;&lt;strong&gt;Information Systems&lt;/strong&gt;&lt;/p&gt;  &lt;p align="justify"&gt;Access to covered data and information via KSU's computer information system is limited to those employees who have a business reason to know such information.  Each employee selects an eID and password.  Databases containing personal covered data and information, including, but not limited to, accounts, balances, and transactional information, are available only to KSU employees in appropriate departments and positions.&lt;/p&gt;  &lt;p align="justify"&gt;Systems requiring passwords will specify that they must be changed twice annually, on the first of September and February.  Passwords must conform to the rules specified in the CNS Policy on User ID &amp; Passwords.  Systems that allow remote log-ins over the campus network must have passwords on all accounts.  Checking passwords for conformance is the responsibility of the IT Security Coordinator.&lt;/p&gt;  &lt;p align="justify"&gt;KSU will take reasonable and appropriate steps consistent with current technological developments to make sure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission.  The Vice Provost for Academic Services and Technology (VPAST) requires that all servers must be registered before being allowed through KSU's firewall, thereby allowing SIRT to verify that the system meets necessary security requirements as defined by information technology policies.  These requirements include maintaining the operating system and applications, including application of appropriate patches and updates in a timely fashion.  
User and system passwords are also required to comply with the KSU  IT Policy.&lt;/p&gt;  &lt;p align="justify"&gt;In addition, an intrusion detection system has been implemented to  detect and stop certain external threats, along with incident response procedures defined  by SIRT for occasions where intrusions do occur.&lt;/p&gt;  &lt;p align="justify"&gt;When commercially reasonable, encryption technology will be utilized  for both storage and transmission.  All covered data and information will be maintained  on servers that are behind KSU's firewall.  All firewall software and hardware maintained  by Computing and Network Services will be kept current.  The University has a number of  policies and procedures in place to provide security to KSU's information systems.   These policies are available in the University's Policy and Procedures Manual at  www.ksu.edu/policies/ppm.&lt;/p&gt;  &lt;p align="justify"&gt;The University presently maintains a secure firewall for protecting  the social security numbers of its students and employees.  The University expects by  the end of 2007 to have in place information systems for student records and employee  records which will identify its students and employees without use of social security  numbers.&lt;/p&gt;    &lt;p align="left"&gt;&lt;strong&gt;Management of System Failures&lt;/strong&gt;&lt;/p&gt;  &lt;p align="justify"&gt;The Security Incident Response Team is developing written plans  and procedures to detect any actual or attempted attacks on KSU systems and has   defined procedures for responding to an actual or attempted unauthorized access to  covered data and information. 
&lt;/p&gt;  &lt;p align="center"&gt;&lt;strong&gt;&lt;a name="providers"&gt;.050 Selection of Appropriate  Service Providers&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;  &lt;p align="justify"&gt;Due to the specialized expertise needed to design, implement, and  service new technologies, vendors may be needed to provide resources that KSU determines  not to provide on its own.  In the process of choosing a service provider that will  maintain or regularly access covered data and information, the evaluation process shall  include the ability of the service provider to safeguard confidential financial  information.  Contracts with service providers may include the following provisions:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;&lt;p align="justify"&gt;An explicit acknowledgment that the contract allows the    contract partner access to confidential information;&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;A specific definition or description of the confidential    information being provided;&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;A stipulation that the confidential information will be    held in strict confidence and accessed only for the explicit business purpose    of the contract;&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;An assurance from the contract partner that the partner will    protect the confidential information it receives according to commercially    acceptable standards and no less rigorously than it protects its own confidential    information;&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;A provision providing for the return or destruction of    all confidential information received by the contract provider upon completion or    termination of the contract;&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;An agreement that any violation of the contract's    confidentiality conditions may constitute a material breach of the contract    and entitles KSU to terminate the contract without penalty; and&lt;/p&gt;  
&lt;/li&gt;&lt;li&gt;&lt;p align="justify"&gt;A provision ensuring that the contract's confidentiality    requirements shall survive any termination of the agreement.&lt;/p&gt; &lt;/li&gt;&lt;/ul&gt;  &lt;p align="center"&gt;&lt;strong&gt;&lt;a name="continuing"&gt;.060 Continuing Evaluation and    Adjustment&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;  &lt;p align="justify"&gt;This Information Security Plan will be subject to periodic review  and adjustment.  The most frequent of these reviews will occur within the SIRT,  where constantly changing technology and evolving risks  mandate increased vigilance.  Continued administration of the development,  implementation and maintenance of the program will be the responsibility of the  designated Information Security Plan Coordinator who will assign specific responsibility  for implementation and administration as appropriate.  The Coordinator, in consultation  with the University Attorney's Office and VPAST, will review the standards set forth in  this policy and recommend updates and revisions as necessary.  
It may be necessary to adjust  the plan to reflect changes in technology, the sensitivity of student/customer data and  internal or external threats to information security.&lt;/p&gt;  &lt;p align="center"&gt;&lt;strong&gt;&lt;a name="quest"&gt;.070 Questions&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;  Questions regarding this policy should be sent to the Director of Academic Services at &lt;a href="mailto:academicservices@k-state.edu"&gt; academicservices@k-state.edu&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Source : http://www.k-state.edu/policies/ppm/3415.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-5051471947698071562?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/5051471947698071562/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=5051471947698071562' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5051471947698071562'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/5051471947698071562'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/information-security-plan.html' title='Information Security Plan (Example)'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-1895970610783017825</id><published>2007-09-06T01:17:00.000-07:00</published><updated>2007-09-06T01:32:09.485-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus'/><category scheme='http://www.blogger.com/atom/ns#' term='Access Control'/><category scheme='http://www.blogger.com/atom/ns#' term='Security policy'/><title type='text'>Information Security Policy - The University of Illinois (Example)</title><content type='html'>&lt;h2&gt;&lt;span style="font-size:100%;"&gt;INTRODUCTION&lt;/span&gt;&lt;/h2&gt; Storage of university data on computers and transfer across the network eases use and expands our functionality. Commensurate with that expansion is the need for the appropriate security measures. Security is not distinct from the functionality. The Information Security Policy (Policy) recognizes that not all communities within the University are the same and that data are used differently by various units within the University. The principles of academic freedom and free exchange of ideas apply to this policy, and this policy is not intended to limit or restrict those principles. These policies apply to all units within the University. Each unit within the University should apply this policy to meet their information security needs. The Policy is written to incorporate current technological advances. The technology installed at some units may limit immediate compliance with the Policy. Instances of non-compliance must be reviewed and approved by the chief information officer or the equivalent officer(s). Throughout the document the terms &lt;i&gt;must&lt;/i&gt; and &lt;i&gt;should&lt;/i&gt; are used carefully. "Musts" are not negotiable; "shoulds" are goals for the university. 
The terms &lt;i&gt;data&lt;/i&gt; and &lt;i&gt;information&lt;/i&gt; are used interchangeably in the document. The terms &lt;i&gt;system&lt;/i&gt; and &lt;i&gt;network&lt;/i&gt; administrator are used in this document. These terms are generic and pertain to any person who performs those duties, not just those with that title or primary job duty. Many students, faculty and staff members are the system administrators for their own machines. &lt;br /&gt; &lt;a name="bb"&gt;&lt;/a&gt; &lt;h2&gt;&lt;span style="font-size:100%;"&gt;PURPOSE OF THIS POLICY&lt;/span&gt;&lt;/h2&gt; &lt;p&gt; By information security we mean protection of the University's data, applications, networks, and computer systems from unauthorized access, alteration, or destruction.&lt;/p&gt; The purpose of the information security policy is: &lt;ul&gt;&lt;li&gt;To establish a University-wide approach to information security.&lt;/li&gt;&lt;li&gt;To prescribe mechanisms that help identify and prevent the compromise of information security and the misuse of University data, applications, networks and computer systems.&lt;/li&gt;&lt;li&gt;To define mechanisms that protect the reputation of the University and allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer systems' connectivity to worldwide networks.&lt;/li&gt;&lt;li&gt;To prescribe an effective mechanism for responding to external complaints and queries about real or perceived non-compliance with this policy.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;br /&gt; &lt;a name="cc"&gt;&lt;/a&gt; &lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;h2&gt;&lt;span style="font-size:100%;"&gt;RESPONSIBILITY&lt;/span&gt;&lt;/h2&gt; The chair of the University Technology Management Team (UTMT) is responsible for implementing the policy. 
UTMT, chaired by the  Vice President for Administration, is a coordinating group comprised  of chief information officers from the three campuses, the university  administration, and the hospital.  UTMT must see to it that:  &lt;ul&gt;&lt;li&gt;The information security policy is updated on a regular basis  and published as appropriate.&lt;/li&gt;&lt;li&gt;Appropriate training is provided to data owners, data custodians, network and system  administrators, and users.&lt;/li&gt;&lt;li&gt;Each unit appoints a person to be responsible for security implementation,  incident response, periodic user access reviews, and education of information security  policies including, for example, information about virus infection risks.&lt;/li&gt;&lt;/ul&gt;  Members of UTMT are each responsible for establishing procedures to implement these  policies  within their areas of responsibility, and for monitoring compliance.      &lt;p&gt;&lt;br /&gt; &lt;a name="dd"&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt; &lt;/p&gt;&lt;h2&gt;&lt;span style="font-size:100%;"&gt;GENERAL POLICY&lt;/span&gt;&lt;/h2&gt;  &lt;b&gt;Required Policies&lt;/b&gt; &lt;ul&gt;&lt;li&gt;The University will use a layered approach of overlapping controls, monitoring  and authentication to ensure overall security of the University's data, network and  system resources.&lt;/li&gt;&lt;li&gt;Security reviews of servers, firewalls, routers and monitoring platforms must  be conducted on a regular basis. These reviews must include monitoring access logs and  results of intrusion detection software, where it has been installed.&lt;/li&gt;&lt;/ul&gt;  &lt;b&gt;Recommended Practices&lt;/b&gt; &lt;ul&gt;&lt;li&gt;Vulnerability and risk assessment tests of external network connections should  be conducted on a regular basis.  
At a minimum, testing should be performed annually,  but the sensitivity of the information secured may require that these tests be done  more often.&lt;/li&gt;&lt;li&gt;Education should be implemented to ensure that users understand data sensitivity  issues, levels of confidentiality, and the mechanisms to protect the data.  This should  be tailored to the role of the individual, network administrator, system administrator,  data custodian, and users.&lt;/li&gt;&lt;li&gt;Violation of the Information Security Policy may result in disciplinary actions  as authorized by the University in accordance with University and  campus disciplinary policies, procedures, and codes of conduct.&lt;/li&gt;&lt;/ul&gt;     &lt;p&gt;&lt;br /&gt; &lt;a name="ee"&gt;&lt;/a&gt; &lt;/p&gt; &lt;h2&gt;&lt;span style="font-size:100%;"&gt;DATA CLASSIFICATION POLICY&lt;/span&gt;&lt;/h2&gt;  &lt;p&gt;  It is essential that all University data be protected. There are however  gradations that require different levels of security. All data should be  reviewed on a periodic basis and classified according to its use, sensitivity,  and importance. We have specified three classes below:&lt;/p&gt;  &lt;b&gt;High Risk&lt;/b&gt; - Information assets for which there are legal requirements for  preventing  disclosure or financial penalties for disclosure.  Data covered by federal and state  legislation, such as FERPA, HIPAA or the Data Protection Act, are in this class.   Payroll,  personnel, and financial information are also in this class because of privacy  requirements.  This policy recognizes that other data may need to be treated as high risk because  it would  cause severe damage to the University if disclosed or modified.  The data owner  should make  this determination.  It is the data owner's responsibility to implement the necessary  security requirements.  
&lt;b&gt;Confidential&lt;/b&gt; - Data that would not expose the University to loss if disclosed, but that the data owner feels should be protected to prevent unauthorized disclosure. It is the data owner's responsibility to implement the necessary security requirements. &lt;b&gt;Public&lt;/b&gt; - Information that may be freely disseminated. &lt;br /&gt; All information resources should be categorized and protected according to the requirements set for each classification. The data classification and its corresponding level of protection should be consistent when the data is replicated and as it flows through the University. &lt;ul&gt;&lt;li&gt;Data owners must determine the data classification and must ensure that the data custodian is protecting the data in a manner appropriate to its classification.&lt;/li&gt;&lt;li&gt;No University-owned system or network subnet can have a connection to the Internet without the means to protect the information on those systems consistent with its confidentiality classification.&lt;/li&gt;&lt;li&gt;Data custodians are responsible for creating data repositories and data transfer procedures which protect data in the manner appropriate to its classification.&lt;/li&gt;&lt;li&gt;High risk data must be encrypted during transmission over insecure channels.&lt;/li&gt;&lt;li&gt;Confidential data should be encrypted during transmission over insecure channels.&lt;/li&gt;&lt;li&gt;All appropriate data should be backed up, and the backups tested periodically, as part of a documented, regular process.&lt;/li&gt;&lt;li&gt;Backups of data must be handled with the same security precautions as the data itself. 
When systems are disposed of, or repurposed, data must be certified deleted or  disks destroyed  consistent with industry best practices for the security level of the data.&lt;/li&gt;&lt;/ul&gt;        &lt;a name="ff"&gt;&lt;/a&gt; &lt;h2&gt;&lt;span style="font-size:100%;"&gt;ACCESS CONTROL POLICY&lt;/span&gt;&lt;/h2&gt;  &lt;ul&gt;&lt;li&gt;Data must have sufficient granularity to allow the appropriate authorized access.   There is a delicate balance between protecting the data and permitting access to those who  need to use the data for authorized purposes.  This balance should be recognized.&lt;/li&gt;&lt;li&gt;Where possible and financially feasible, more than one person must have full rights to any university owned server storing or transmitting high risk data. The campuses and  University Administration (UA) must have a standard policy that applies to user access  rights.  This will suffice for most instances. Data owners or custodians may enact more  restrictive policies for end-user access to their data.&lt;/li&gt;&lt;li&gt;Access to the network and servers and systems should be achieved by individual and  unique logins, and should require authentication. Authentication includes the use of passwords,  smart cards, biometrics, or other recognized forms of authentication.&lt;/li&gt;&lt;li&gt;As stated in the current campus policies on appropriate and acceptable use,  users must not share usernames and passwords, nor should they be written down or  recorded in unencrypted electronic files or documents.  When limited access to  university-related documents or files is required specifically and solely for  the proper operation of University units and where available technical alternatives  are not feasible, exceptions are allowed under an articulated unit policy that is  available to all affected unit personnel. Each such policy must be reviewed by the  unit executive officer and submitted to the CIO for approval.  
All users must secure their username or account, password, and system access from unauthorized use.&lt;/li&gt;&lt;li&gt;All users of systems that contain high risk or confidential data must have a strong password, the definition of which will be established and documented by UTMT after consultation with the community. Empowered accounts, such as administrator, root or supervisor accounts, must be changed frequently, consistent with guidelines established by UTMT.&lt;/li&gt;&lt;li&gt;Passwords must not be placed in emails unless they have been encrypted.&lt;/li&gt;&lt;li&gt;Default passwords on all systems must be changed after installation. All administrator or root accounts must be given a password that conforms to the password selection criteria when a system is installed, rebuilt, or reconfigured.&lt;/li&gt;&lt;li&gt;Logins and passwords should not be coded into programs or queries unless they are encrypted or otherwise secure.&lt;/li&gt;&lt;li&gt;Users are responsible for safe handling and storage of all University authentication devices. Authentication tokens (such as a SecureID card) should not be stored with a computer that will be used to access the University's network or system resources. If an authentication device is lost or stolen, the loss must be immediately reported to the appropriate individual in the issuing unit so that the device can be disabled.&lt;/li&gt;&lt;li&gt;Terminated employee access must be reviewed and adjusted as found necessary. Terminated employees should have their accounts disabled upon transfer or termination. 
Since there could be delays in reporting changes in user responsibilities, periodic user access reviews should be conducted by the unit security person.&lt;/li&gt;&lt;li&gt;Transferred employee access must be reviewed and adjusted as found necessary.&lt;/li&gt;&lt;li&gt;Monitoring must be implemented on all systems including recording logon attempts and failures, successful logons and date and time of logon and logoff.&lt;/li&gt;&lt;li&gt;Activities performed as administrator or superuser must be logged where it is feasible to do so.&lt;/li&gt;&lt;li&gt;Personnel who have administrative system access should use other less powerful accounts for performing non-administrative tasks. There should be a documented procedure for reviewing system logs.&lt;/li&gt;&lt;/ul&gt; &lt;a name="gg"&gt;&lt;/a&gt; &lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;VIRUS PREVENTION POLICY&lt;/span&gt;&lt;/h2&gt; &lt;ul&gt;&lt;li&gt;The willful introduction of computer viruses or disruptive/destructive programs into the University environment is prohibited, and violators may be subject to prosecution.&lt;/li&gt;&lt;li&gt;All desktop systems that connect to the network must be protected with an approved, licensed anti-virus software product that is kept updated according to the vendor's recommendations.&lt;/li&gt;&lt;li&gt;All servers and workstations that connect to the network and that are vulnerable to virus or worm attack must be protected with an approved, licensed anti-virus software product that is kept updated according to the vendor's recommendations.&lt;/li&gt;&lt;li&gt;Headers of all incoming data including electronic mail must be scanned for viruses by the email server where such products exist and are financially feasible to implement. 
Outgoing electronic mail should be scanned where such capabilities exist.&lt;/li&gt;&lt;li&gt;Where feasible, system or network administrators should inform users when a virus  has been detected.&lt;/li&gt;&lt;li&gt;Virus scanning logs must be maintained whenever email is centrally scanned for viruses.&lt;/li&gt;&lt;/ul&gt;      &lt;a name="hh"&gt;&lt;/a&gt; &lt;h2&gt;&lt;span style="font-size:100%;"&gt;INTRUSION DETECTION POLICY&lt;/span&gt;&lt;/h2&gt;  &lt;ul&gt;&lt;li&gt;Intruder detection must be implemented on all servers and workstations containing  data classified as high risk.&lt;/li&gt;&lt;li&gt;Operating system and application software logging processes must be enabled on all  host and server systems.  Where possible, alarm and alert functions, as well as logging  and monitoring systems must be enabled.&lt;/li&gt;&lt;li&gt;Server, firewall, and critical system logs should be reviewed frequently.  Where  possible, automated review should be enabled and alerts should be transmitted to the  administrator when a serious security intrusion is detected.&lt;/li&gt;&lt;li&gt;Intrusion tools should be installed where appropriate and checked on a regular basis.&lt;/li&gt;&lt;/ul&gt;      &lt;a name="ii"&gt;&lt;/a&gt;  &lt;h2&gt;&lt;span style="font-size:100%;"&gt;INTERNET SECURITY POLICY&lt;/span&gt;&lt;/h2&gt;  &lt;ul&gt;&lt;li&gt;All connections to the Internet must go through a properly secured connection  point to ensure the network is protected when the data is classified high risk.&lt;/li&gt;&lt;li&gt;All connections to the Internet should go through a properly secured connection  point to ensure the network is protected when the data is classified confidential.&lt;/li&gt;&lt;/ul&gt;  &lt;a name="jj"&gt;&lt;/a&gt;  &lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;SYSTEM SECURITY POLICY&lt;/span&gt;&lt;/h2&gt;  &lt;ul&gt;&lt;li&gt;All systems connected to the Internet should have a vendor supported version  of the operating system 
installed.&lt;/li&gt;&lt;li&gt;All systems connected to the Internet must be current with security patches.&lt;/li&gt;&lt;li&gt;System integrity checks of host and server systems housing high risk University  data should be performed.&lt;/li&gt;&lt;/ul&gt;       &lt;a name="kk"&gt;&lt;/a&gt; &lt;h2&gt;&lt;span style="font-size:100%;"&gt;ACCEPTABLE USE POLICY&lt;/span&gt;&lt;/h2&gt;  Each Campus and UA must have a policy on appropriate and acceptable use that includes  these requirements:  &lt;ul&gt;&lt;li&gt;University computer resources must be used in a manner that complies  with University policies and State and Federal laws and regulations. It is  against University policy to install or run software requiring a license on  any University computer without a valid license.&lt;/li&gt;&lt;li&gt;Use of the University's computing and networking infrastructure by University employees  unrelated to their University positions must be limited in both time and resources and must  not interfere in any way with University functions or the  employee's duties. It is the responsibility of employees to consult their supervisors, if  they have any questions in this respect.&lt;/li&gt;&lt;li&gt;Uses that interfere with the proper functioning or the ability of others to make  use of the University's networks, computer systems, applications and data resources are  not permitted.&lt;/li&gt;&lt;li&gt;Use of University computer resources for personal profit is not permitted except  as addressed under other University policies.&lt;/li&gt;&lt;li&gt;Decryption of passwords is not permitted, except by authorized staff performing  security reviews or investigations.  Use of network sniffers shall be restricted to system  administrators who must use such tools to solve network problems.  Auditors or security  officers in the performance of their duties may also use them.  
They must not be used to  monitor or track any individual's network activity except under special authorization as  defined by campus policy that protects the privacy of information in electronic form.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt; &lt;a name="ll"&gt;&lt;/a&gt;  &lt;/p&gt;&lt;h2&gt;&lt;span style="font-size:100%;"&gt;EXCEPTIONS&lt;/span&gt;&lt;/h2&gt;  In certain cases, compliance with specific policy requirements may not be immediately  possible.  Reasons include, but are not limited to, the following:  &lt;ul&gt;&lt;li&gt;Required commercial or other software in use is not currently able to support  the required features;&lt;/li&gt;&lt;li&gt;Legacy systems are in use which do not comply, but near-term future systems will,  and are planned for;&lt;/li&gt;&lt;li&gt;Costs for reasonable compliance are disproportionate relative to the potential  damage.&lt;/li&gt;&lt;/ul&gt;  In such cases, units must develop a written explanation of the compliance issue  and a plan for coming into compliance with the University's Information Security  Policy in a reasonable amount of time.  
Explanations and plans must be submitted  to the campus CIO or the equivalent officer(s).&lt;br /&gt;&lt;br /&gt;Source : http://www.obfs.uillinois.edu/manual/central_p/sec19-5.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-1895970610783017825?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/1895970610783017825/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=1895970610783017825' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/1895970610783017825'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/1895970610783017825'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/information-security-policy-university.html' title='Information Security Policy - The University of Illinois (Example)'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-8023704255876705253</id><published>2007-09-05T21:19:00.000-07:00</published><updated>2007-09-05T21:25:57.765-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='E-Book'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>E-Governance Information Security Standard</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Draft document, Version 01, 12 Oct 2006&lt;br /&gt;&lt;br /&gt;0. 
Introduction&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;0.1 General&lt;/span&gt;&lt;br /&gt;This Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization’s ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.&lt;br /&gt;This Standard can be used in order to assess conformance by interested internal and external parties.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;0.2 Process approach&lt;/span&gt;&lt;br /&gt;This Standard promotes the adoption of a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS.&lt;br /&gt;An organization must identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. 
Often the output from one process directly forms the input to the following process.&lt;br /&gt;The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a “process approach”.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;View All Information : &lt;a href="http://egovstandards.gov.in/draft_version/network_draft"&gt;E-Governance Information Security Standard&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-8023704255876705253?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/8023704255876705253/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=8023704255876705253' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8023704255876705253'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8023704255876705253'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/e-governance-information-security.html' title='E-Governance Information Security Standard'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-8602774313560670977</id><published>2007-09-05T21:10:00.000-07:00</published><updated>2007-09-05T21:12:13.122-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='ISO 17799'/><category scheme='http://www.blogger.com/atom/ns#' term='ISO 27001'/><title type='text'>Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000</title><content type='html'>The new ISO 27001 standard (based on BS 7799-1 and ISO17799:2000) has been released in the fourth quarter of 2005. To assist in comparing the new version of the standard to the previous version, a list of the controls is presented in &lt;a href="http://www.cccure.org/Documents/ISO17799/ISO_%2027001_to_17799_mapping.pdf"&gt;http://www.cccure.org/Documents/ISO17799/ISO_%2027001_to_17799_mapping.pdf&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2884621962778620374-8602774313560670977?l=isms-guide.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isms-guide.blogspot.com/feeds/8602774313560670977/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2884621962778620374&amp;postID=8602774313560670977' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8602774313560670977'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2884621962778620374/posts/default/8602774313560670977'/><link rel='alternate' type='text/html' href='http://isms-guide.blogspot.com/2007/09/comparison-of-controls-isoiec-270012005.html' title='Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000'/><author><name>forfin</name><uri>http://www.blogger.com/profile/13530022499230350845</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2884621962778620374.post-5991821308127698404</id><published>2007-09-05T20:56:00.000-07:00</published><updated>2007-09-05T21:01:08.484-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='HIPAA'/><category scheme='http://www.blogger.com/atom/ns#' term='E-Book'/><title type='text'>HIPAA Security for Wireless Networks (Ebook)</title><content type='html'>&lt;span style="font-weight: bold;"&gt;By NetMotion&lt;/span&gt; Wireless for ITtoolbox Wireless&lt;br /&gt;&lt;br /&gt;Securing data in a health care setting is a daunting task. Although most facilities contain up-to-date medical technology, many have antiquated communication networks lacking the security and encryption required to protect patient information. The physical structures of hospitals make it difficult or even impossible to add wiring for adequate networking, which is why many IT departments have opted for a wireless network. Implementing a wireless LAN can be both more cost-effective and less problematic than implementing a wireline network, but
