Thursday, November 15, 2007
[PDF] The Simple Information Security Audit Process: SISAP
The SISAP (Simple Information Security Audit Process) is a dynamic security audit methodology fully compliant with ISO 17799 and BS 7799.2, and conformant with ISO 14508 in terms of its functionality guidelines. SISAP employs a simulation-based rule base generator that balances risks against business value generation capabilities using the Plan-Do-Check-Act cycle imposed in BS 7799.2. SISAP employs a concept-proof approach based on the 10 information security best-practice investigation sections, 36 information security objectives and 127 information security requirements specified in ISO 17799. For collecting, analyzing and fusing the audit evidence obtained at the various audit steps, the auditor may apply selected analytical models such as certainty factors, probabilities, fuzzy sets and basic belief assignments. SISAP adopts fully automated elicitation worksheets, as in SASA (Standard Analytic Security Audit), COBRA and others.
Read This File : http://paper.ijcsns.org/07_book/200606/200606C10.pdf
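The abstract above says an auditor may fuse evidence from several audit steps with models such as certainty factors, but does not show what that fusion looks like. The following is an added example, not the SISAP paper's own rule base: it applies the classic MYCIN certainty-factor combination rule to constructed evidence about one control, gathered at the kinds of audit steps this blog discusses elsewhere (desktop review, technical review, interviews). The control name, evidence values and the decision thresholds are all assumptions made for the example.

```python
"""Fusing audit evidence about one control with certainty factors.

Added example (not from the SISAP paper): the MYCIN combination rule for
certainty factors, folded over evidence collected at successive audit steps.
Control name, evidence values and thresholds are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Evidence:
    step: str    # audit step that produced the evidence (constructed labels)
    cf: float    # certainty factor in [-1, 1]: +1 fully confirms, -1 fully refutes


def combine_cf(a: float, b: float) -> float:
    """MYCIN rule for combining two certainty factors about the same hypothesis.

    The rule is commutative and associative, so the order in which audit
    evidence arrives does not change the fused result.
    """
    for v in (a, b):
        if not -1.0 <= v <= 1.0:
            raise ValueError(f"certainty factor out of range: {v}")
    if a >= 0 and b >= 0:            # two confirming items reinforce each other
        return a + b * (1 - a)
    if a < 0 and b < 0:              # two refuting items reinforce each other
        return a + b * (1 + a)
    denom = 1 - min(abs(a), abs(b))  # conflicting items partially cancel
    if denom == 0:                   # a == -b with |a| == 1: total contradiction
        return 0.0
    return (a + b) / denom


def fuse(evidence: list) -> float:
    """Fold the combination rule over all evidence; no evidence gives CF 0."""
    cf = 0.0
    for item in evidence:
        cf = combine_cf(cf, item.cf)
    return cf


# Constructed decision thresholds (an assumption, not part of SISAP).
CONFORMS_AT = 0.5
NONCONFORMS_AT = -0.5


def verdict(cf: float) -> str:
    """Map a fused certainty factor to an audit conclusion."""
    if cf >= CONFORMS_AT:
        return "conforms"
    if cf <= NONCONFORMS_AT:
        return "non-conformance"
    return "inconclusive"


# Constructed evidence for a hypothetical control "access rights are removed on
# leaving": the documents and the interview support it, the technical test
# (dormant accounts still enabled) argues against it.
ACCESS_REMOVAL_EVIDENCE = [
    Evidence("desktop review: leavers procedure documented", 0.6),
    Evidence("interview: HR confirms procedure is followed", 0.5),
    Evidence("technical review: enabled accounts found for leavers", -0.7),
]

# Constructed evidence where every step agrees.
POLICY_EVIDENCE = [
    Evidence("desktop review: policy document exists", 0.6),
    Evidence("interview: staff aware of policy", 0.5),
    Evidence("technical review: policy published on intranet", 0.4),
]


if __name__ == "__main__":
    for name, ev in (("access removal", ACCESS_REMOVAL_EVIDENCE),
                     ("security policy", POLICY_EVIDENCE)):
        cf = fuse(ev)
        print(f"{name}: fused CF = {cf:.3f} -> {verdict(cf)}")
```

The point of the worked numbers is that a single contradicting technical finding pulls two supporting document-and-interview items down from 0.8 to about 0.33, which under the constructed thresholds is inconclusive rather than a pass; the auditor's response is to gather more evidence at that step, not to average the opinions.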
Wednesday, October 3, 2007
A Business Case for ISO 27001 / ISO 17799 / BS 7799
The business value of ISO17799
A case study by
Dr Gary Hinson CISSP CISM CISA MBA
Introduction
This case study concerns an IT services company that decided to implement ISO17799, the Code of Practice for Information Security Management, and gained significant business advantages as a result. The case reveals some surprising linkages between information security management and general business management, and several indirect benefits that are seldom mentioned.
Business situation
“ServiceCo” [not its real name] is a supplier of IT services, hardware and software to corporate clients. Having gained its ISO 9002 certificate nearly ten years ago, staff were used to working in a consistent manner using documented quality procedures and guidelines. A couple of years ago, however, the atmosphere within the company had turned sour. Management decisions were mostly being made instinctively on “gut-feel” with little real analysis. With staff turnover increasing, senior management recognised the need to change and took a long hard look at the organization’s strengths and weaknesses.
ServiceCo management decided to implement ISO17799. According to a senior ServiceCo director, “Implementing ISO17799 made business sense. Securing ServiceCo’s internal information would reduce the risk and hence the cost of serious breaches. ISO17799 is a known security framework developed by some of the world’s leading companies (BT, HSBC, Shell International and Unilever, amongst others), so it gave us the means to implement best practice security controls.”
Benefits of implementing ISO17799
The director told us “ISO17799 is not just about information security or IT – it actually helps the organisation save and make money.” He identified the following business benefits of ISO17799:
Direct benefits
Increased reliability and security of systems:
“Like all businesses ServiceCo is reliant upon information systems. ISO17799 has ensured that we now have controls in place that maintain system availability and reduce the risk of vulnerabilities being exploited. Post-certification ‘surveillance visits’ and re-certification audits to ISO17799 ensure the business keeps up-to-date with the latest vulnerabilities and best practices.”
Increased profits:
“Sales and margins are up, and clients’ perceptions of our business have improved. Our BS7799 Part 2 certificate demonstrates that we can be trusted to secure our customers’ data, as well as our own. Our customers not only understand that our investment in ISO17799 has given them benefits, but they are prepared to spend a little more for a secure IT infrastructure. Since gaining ISO17799, we have already seen a marked increase in our bottom line profit and some new customers are telling us they prefer to trade with companies who have a recognised security certification. Additionally, we are now seeing more Invitations To Tender from businesses that list ISO17799-compliance as a pre-requisite. And, by the way, our employees are wasting less time surfing the Internet for sites not related to work!”
Cost-effective and consistent information security:
“We have implemented cost-effective security matched to our business needs. ServiceCo had many technical safeguards throughout the organisation, but the risk assessment highlighted that some of our safeguards offered little or no business benefit and would provide a better return on investment if they were reconfigured to protect assets that required a higher level of protection. All divisions and departments within ServiceCo had previously developed their own security guidelines. ISO17799 helped us develop a consistent approach to security by creating uniform policies incorporating industry best practice. Where necessary, employee compliance with the policies is supported by an enforceable disciplinary process.”
Systems rationalisation:
“Analysing our information and information security requirements properly means we spend our money wisely. We were able to cut about 50% of our systems and data when we realised they were not worth keeping, and we actually relaxed controls on some low-risk systems.”
Compliance with legislation:
“Implementing ISO17799 forced us to comply with UK legislation in areas such as data protection and software copyright.”
Indirect benefits
Improved management control:
“Managers have more control over the organisation, and better quality information with which to manage it - management effort is therefore reduced.”
Better human relations:
“Clear policies, procedures and guidelines make things easier for our staff – the atmosphere has improved and staff turnover has reduced. ISO17799 has made ServiceCo different from our competitors and provided the company with a unique selling point, leading to a better working environment for all of our staff. Employees now recognise that their earning potential is dependent on how customers perceive the company brand and that any negative publicity could affect them. Professionalism has improved throughout the company. Given that so much of security relies on internal controls, we needed to look more carefully at who we were employing. Through ISO17799 we introduced more thorough recruitment processes that reduce the risk of employing people unsuitable to the position or who could potentially put our business at risk. We now know who is working for us!”
Improved risk management and contingency planning:
“Through the ISO17799 certification process, ServiceCo identified its vulnerabilities, threats and potential impacts to the business. As a result of this and implementing controls from ISO17799, ServiceCo now has a more structured approach to risk management. For example, we now have a rational process to decide which risks to transfer to our insurers. We also now have a business continuity plan that suits the business, not just the IT department. The risk assessment identified information assets that are critical to the success of the business. This enabled us to produce a business continuity plan that prioritised these assets and reduces our potential exposure to financial loss or negative publicity.”
Enhanced customer and trading partner confidence:
“With the heightened sensitivity to security breaches, trading partners, customers and vendors were looking for evidence of security. ISO17799 certification has provided this assurance. In any industry you have to stand out from your competitors. Being the first IT Value Added Reseller in the world to obtain ISO17799 is a bold statement that will always be unique to ServiceCo. Having the ISO17799 logos on our company literature is a continual reminder to potential and existing customers that we are a professionally-run organisation that takes the confidentiality, integrity and availability of their and our information seriously.”
Costs
“Despite what people say, the costs of implementing ISO17799 are very modest. The main cost element was the pain of cultural change (we had to ‘let a couple of our people go’ for not complying with our policies and procedures). The regular compliance reviews to maintain our certification only cost us about £3k [$5k] p.a. so ISO17799 is very cost-effective. We are now talking to our assessors about combining the ISO17799 and ISO 9002 reviews to save time and money.”
For more information
To find out more about this case study or for help to assess the business value of ISO17799 to your organization, contact IsecT Ltd. info@isect.com
Source : www.security.estec.com
Tuesday, September 25, 2007
Information Security : Design, Implementation, Measurement, and Compliance
Product Details
Hardcover : 222 pages
Publisher : AUERBACH; 1 edition (July 20, 2006)
Language : English
ISBN-10 : 0849370876
ISBN-13 : 978-0849370878
Table of Contents
EVALUATING AND MEASURING AN INFORMATION SECURITY PROGRAM
INFORMATION SECURITY RISK ASSESSMENT MODEL (ISRAM)
. Background
. Linkage
. Risk Assessment Types
. Relationship to Other Models and Standards
. Terminology
. Risk Assessment Relationship
. Information Security Risk Assessment Model (ISRAM)
. References
GLOBAL INFORMATION SECURITY ASSESSMENT METHODOLOGY (GISAM)
. GISAM and ISRAM Relationship
. GISAM Design Criteria
. General Assessment Types
. GISAM Components
. References
DEVELOPING AN INFORMATION SECURITY EVALUATION (ISE) PROCESS
. The Culmination of ISRAM and GISAM
. Business Process
A SECURITY BASELINE
. KRI Security Baseline Controls
. Security Baseline
. Information Security Policy Document
. Management Commitment to Information Security
. Allocation of Information Security Responsibilities
. Independent Review of Information Security
. Identification of Risks Related to External Parties
. Inventory of Assets
. Classification Guidelines
. Screening
. Information Security Awareness, Education, and Training
. Removal of Access Rights
. Physical Security Perimeter
. Protecting Against External and Environmental Threats
. Secure Disposal or Reuse of Equipment
. Documented Operating Procedures
. Change Management
. Segregation of Duties
. System Acceptance
. Controls against Malicious Code
. Management of Removable Media
. Information Handling Procedures
. Physical Media in Transit
. Electronic Commerce
. Access Control Policy
. User Registration
. Segregation in Networks
. Teleworking
. Security Requirements Analysis and Specification
. Policy on the Use of Cryptographic Controls
. Protection of System Test Data
. Control of Technical Vulnerabilities
. Reporting Information Security Events
. Including Information Security in the Business Continuity Process
. Identification of Applicable Legislation
. Data Protection and Privacy of Personal Information
. Technical Compliance Checking
. References
BACKGROUND OF THE ISO/IEC 17799 STANDARD
. History of the Standard
. Internals of the Standard
. Guidance for Use
. High-Level Objectives
. ISO/IEC Defined
. References
ISO/IEC 17799:2005 GAP ANALYSIS
. Overview
. Guidance for Use
. General Changes
. Security Policy
. Organization of Information Security
. Asset Management
. Human Resources Security
. Physical and Environmental Security
. Communications and Operations Management
. Access Control
. Information Systems Acquisition, Development, and Maintenance
. Information Security Incident Management
. Business Continuity Management
. Compliance
. References
ANALYSIS OF ISO/IEC 17799:2005 (27002) CONTROLS
SECURITY POLICY
. Information Security Policy
. Summary
. References
ORGANIZATION OF INFORMATION SECURITY
. Internal Organization
. External Parties
. Summary
. References
ASSET MANAGEMENT
. Responsibility for Assets
. Information Classification
. Summary
. References
HUMAN RESOURCES SECURITY
. Prior to Employment
. During Employment
. Termination or Change of Employment
. Summary
. References
PHYSICAL AND ENVIRONMENTAL SECURITY
. Secure Areas
. Equipment Security
. Summary
. References
COMMUNICATIONS AND OPERATIONS MANAGEMENT
. Operational Procedures and Responsibilities
. Third-Party Service Delivery Management
. System Planning and Acceptance
. Protection against Malicious and Mobile Code
. Backup
. Network Security Management
. Media Handling
. Exchange of Information
. Electronic Commerce Services
. Monitoring
. Summary
. References
ACCESS CONTROL
. Business Requirements for Access Control
. User Access Management
. User Responsibilities
. Network Access Control
. Operating System Access Control
. Application and Information Access Control
. Mobile Computing and Teleworking
. Summary
. References
INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE
. Security Requirements of Information Systems
. Correct Processing in Applications
. Cryptographic Controls
. Security of System Files
. Security in Development and Support Processes
. Technical Vulnerability Management
. Summary
. References
INFORMATION SECURITY INCIDENT MANAGEMENT
. Reporting Information Security Events and Weaknesses
. Management of Information Security Incidents and Improvements
. Summary
. References
BUSINESS CONTINUITY MANAGEMENT
. Information Security Aspects of Business Continuity Management
. Summary
. References
COMPLIANCE
. Compliance with Legal Requirements
. Compliance with Security Policies and Standards, and Technical Compliance
. Information Systems Audit Considerations
. Summary
. References
APPENDIX A: ISO STANDARDS CITED IN ISO/IEC 17799:2005
APPENDIX B: GENERAL REFERENCES
INDEX
-------------------------------------------------------------
Editorial Reviews
I have had the pleasure of working with Tim on several large risk assessment projects and I have tremendous respect for his knowledge and experience as an information security practitioner. … Risk assessment is the cornerstone of an effective information security program. … striving to achieve compliance in the absence of a risk-based security strategy can only lead to failure. … Implement an effective risk assessment program and take control of the compliance monster. … This book will help you do just that. I know you will benefit from Tim's guidance on how to get the most from your risk assessment efforts. For today's information security leaders, there is not a topic more important.
-From the Foreword by Gary Geddes, CISSP, Strategic Security Advisor, Microsoft Corporation
-------------------------------------------------------------
Book Description
Organizations rely on digital information today more than ever before. Unfortunately, that information is equally sought after by criminals. New security standards and regulations are being implemented to deal with these threats, but they are very broad and organizations require focused guidance to adapt the guidelines to their specific needs. Fortunately, Information Security: Design, Implementation, Measurement, and Compliance outlines a complete roadmap to successful adaptation and implementation of a security program based on the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management. The book first describes a risk assessment model, a detailed risk assessment methodology, and an information security evaluation process. Upon this foundation, the author presents a proposed security baseline for all organizations, an executive summary of the ISO/IEC 17799 standard, and a gap analysis exposing the differences between the recently rescinded version and the newly released version of the standard. Finally, he devotes individual chapters to each of the 11 control areas defined in the standard, covering systematically the 133 controls within the 39 control objectives. Tim Layton's Information Security is a practical tool to help you understand the ISO/IEC 17799 standard and apply its principles within your organization's unique context.
-------------------------------------------------------------
Information Security Ebook: Protecting Your Business Assets
Pages : 11
Source : www.connectingsomerset.co.uk
Read This Ebook
The information created, used, stored and transmitted by your organisation forms one of its most important assets. This document shows how you can use good practice to protect this information from being maliciously or unintentionally changed (integrity); make it available when and where needed (availability); and ensure that only those with a legitimate right can access it (confidentiality).
This document should be regarded as a starting point for developing organisation-specific controls and guidance for the classification and protection of information assets. Not all the guidance provided in this document may be applicable to an organisation's specific needs. It is therefore important to understand the organisation's business requirements and to apply this guidance appropriately. The document provides general guidance only and, if fully implemented, can only reduce, not eliminate, your vulnerability.
Organisations which regularly handle UK government protectively-marked information must continue to follow the procedures agreed with the appropriate UK security authorities. However, this guidance has been developed in conjunction with them, and similar security procedures can therefore be applied to commercial and protectively-marked information. Who this document is for: those responsible for initiating, implementing or maintaining information security in their organisation as well as those who use and process their organisation's information.
DEFINITIONS
For the purposes of this booklet the following definitions apply:
- Information Security
Information security involves the preservation of confidentiality, integrity and availability of information (reference ISO/IEC 17799:2000).
- Risk assessment
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation (ISO Guide 73:2002).
- Risk management
Risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication (exchange or sharing of information about risk between the decision-maker and other stakeholders) (ISO Guide 73:2002).
Sunday, September 23, 2007
BS 7799 Certification
The best way to validate one's efforts to provide effective information security management is first to benchmark them against the BS 7799 standard and then to have them certified by an external body.
In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management.
In this final session we would attempt to understand the structure and steps involved in certification for BS7799.
A quick recap
Before we go into the details of acquiring certification we need to go back and look at what constitutes the standard and what a company will be certified for:
ISO/IEC 17799:2000 (Part 1) is the standard code of practice, which can be regarded as a comprehensive catalogue of "the best things to do in Information Security".
BS7799-2:1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). An ISMS is the means by which senior management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.
Please note that certification is against BS7799-2:1999.
In order to be awarded a certificate, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as Det Norske Veritas and BSI Assessment Services Limited).
The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.
The assessor will return periodically to check that your ISMS is working as intended.
Domains on which one would be assessed:
As discussed in the earlier sessions, the company needs to prepare its policies and procedures, which would cover the following domains:
•Security policy
•Security organisation
•Asset classification and control
•Personnel security
•Physical and environmental security
•Communications and operations management
•Access control
•Systems development and maintenance
•Business continuity management
•Compliance
Statement of applicability
BS 7799 requires a company to identify the processes and controls that it actually operates. If, for example, the company does not outsource any of its functions to an external vendor, it can state that 4.2.3.1 (Security Requirements in outsourcing contracts) is not relevant to that particular organisation.
You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant.
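The two paragraphs above define the rule a Statement of Applicability must satisfy: every control in the standard is either selected with a justification or excluded with a reason, and nothing is left unaddressed. The following is an added example, not code from the article or from BS 7799: a small checker that takes a control catalogue and a draft SoA and reports the entries an assessor would query at the desktop review. The catalogue is a constructed subset; only the id 4.2.3.1 and its title are quoted on the page, the other ids (X.1.1 and so on) are placeholders, and the SoA entries are constructed sample input.

```python
"""Consistency check for a draft Statement of Applicability (SoA).

Added example, not from the article or the standard. Rule being checked:
each catalogue control is listed exactly once, selected controls carry a
justification, excluded controls carry a reason, and no control is missing.
The catalogue is a constructed subset; only 4.2.3.1 is quoted on the page.
"""
from dataclasses import dataclass

# Constructed catalogue: id -> title. "X.*" ids are placeholders, not real
# BS 7799 control numbers.
CATALOGUE = {
    "4.2.3.1": "Security requirements in outsourcing contracts",  # quoted on the page
    "X.1.1": "Information security policy document",              # placeholder
    "X.2.1": "Inventory of assets",                               # placeholder
    "X.3.1": "User access control policy",                        # placeholder
}


@dataclass(frozen=True)
class SoaEntry:
    control_id: str
    selected: bool
    rationale: str  # justification if selected, reason for exclusion otherwise


def check_soa(catalogue: dict, entries: list) -> list:
    """Return (control_id, finding) pairs, sorted, for everything an assessor would query."""
    findings = []
    seen = set()
    for entry in entries:
        if entry.control_id not in catalogue:
            findings.append((entry.control_id, "not in the control catalogue"))
            continue
        if entry.control_id in seen:
            findings.append((entry.control_id, "listed more than once"))
            continue
        seen.add(entry.control_id)
        if not entry.rationale.strip():
            kind = ("selected without justification" if entry.selected
                    else "excluded without a reason")
            findings.append((entry.control_id, kind))
    # Every catalogue control must be addressed one way or the other.
    for control_id in catalogue:
        if control_id not in seen:
            findings.append((control_id, "not addressed by the statement of applicability"))
    return sorted(findings)


def selected_controls(catalogue: dict, entries: list) -> list:
    """Ids of chosen controls, i.e. the scope the certificate will document."""
    return sorted(e.control_id for e in entries
                  if e.selected and e.control_id in catalogue)


# Constructed draft SoA with three defects an assessor would raise:
# X.2.1 selected with no justification, X.9.9 is not a catalogue control,
# and X.3.1 is never mentioned.
DRAFT_SOA = [
    SoaEntry("4.2.3.1", False, "No functions are outsourced to external vendors"),
    SoaEntry("X.1.1", True, "Policy approved by the board and published to all staff"),
    SoaEntry("X.2.1", True, ""),
    SoaEntry("X.9.9", False, "n/a"),
]


if __name__ == "__main__":
    for control_id, finding in check_soa(CATALOGUE, DRAFT_SOA):
        print(f"{control_id}: {finding}")
    print("in scope:", selected_controls(CATALOGUE, DRAFT_SOA))
```

Running the check against the draft lists the three defects and nothing else; once each is corrected the function returns an empty list, which is the state the document should be in before it goes to the audit team.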
Preparing oneself for Certification:
The traditional formula of PLAN, DO, CHECK and ACT (the PDCA cycle) works well with BS 7799 too, and this is a good place either to start or to review the progress of the implementation team.
Plan
While planning, one has to be particularly careful about the business context in which the ISMS is being prepared. This includes defining business policy and objectives, defining the scope of the ISMS, deciding on and collecting the resources for conducting risk assessment, and settling on a definite approach to identifying, analysing and evaluating risks on a continuous basis.
Do
While implementing the ISMS, the focus should always be on building a long-running and fault-free mechanism for managing risk. This would include evaluating the options of going for automated or manual systems; the ideal method is to strike a balance between the two. BS7799 controls need to be addressed, as our ultimate objective is to acquire certification.
Deploy qualified and tested vendors to implement the various products and solutions that will be required. Preparation of the statement of applicability is also an important step, in which management plays an important role.
Check
Here is where one has to engage an external security audit team qualified to perform a third-party security audit for BS7799. Certification companies like Det Norske Veritas can also help in finding qualified BS7799 consultants for companies interested in performing a pre-assessment audit.
The audit team would check for appropriate controls and evidence of implementation.
For example: if a company has prepared a policy for contractual agreements, the company would have to submit the templates and documents where third-party contractors have signed security agreements.
Implementation would also include continuous monitoring of the ISMS from the perspective of satisfying business needs first and its practical validity in the organisation.
Act
After checking for flaws and vulnerabilities, the company needs to improve the ISMS by identifying key vulnerabilities and taking appropriate corrective actions.
Preventive actions for incidents that have not yet occurred but can be predicted can be taken, and policies to put them into action can be framed at an appropriate time.
Communication and delivery of policies to IT users and the IT team should be done with ease and determination. Cultural changes and differences that arise should be tackled with justification and transparency. Management, partners and users should be trained on policies and procedures.
Creative techniques, such as designing posters that clearly state rules such as PC usage and the best practice followed in password framing and maintenance, can go a long way towards the success of the policies and procedures.
The 4 Step method of Certification
The Plan, Do, Check and Act framework is cyclic and has to be carried out continuously over the long run, with the solid backing of management.
We now come to the specifics of the certification process.
Step One
Desktop Review:
All documented policies and procedures need to be verified and checked for consistency and practicality. Corresponding templates and forms are presented to the audit team.
One important check on documentation will be its validity and relevance to BS7799 controls.
The following documents need to be presented:
ISMS, policies, IT environment documentation, risk assessment reports, business continuity planning documentation, statement of applicability.
Step Two
Technical Review
The definition and implementation of the security architecture, with its various products and networking components, are checked for vulnerabilities and possible risk exposure.
The company would also need to submit a ‘permissible risk’ statement; this is the risk that the company can afford to take.
Step Three
Internal Audit
The team of BS7799 implementers and BS7799 professionals can take up an initial internal audit in which non-conformances are picked up and recommendations are documented.
This step is a simulation of the real third-party audit and has to be taken seriously by the team and by the users of IT in the company.
Step Four
External Audit- Certification
Inviting the certification company is predetermined, and the company gets ready to face the external auditors.
The company consultants and internal team would not be allowed to be part of the audit team.
They can assist and help auditors find relevant material.
The auditors check for documentation and objective evidence with the following questions in mind:
- Are records correct and relevant?
- Are policies known and tested?
- Are policies communicated?
- Are controls implemented?
- Are policies followed up?
- Are preventive actions taken?
The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.
Conclusion
After the audit, the certification company recommends the said company for BS7799 certification. This is certainly a victory for the IT team, as they can be assured that their IT systems are world class and the possibility of a security incident happening is minimal.
To summarize the series: BS7799 is a culture one has to build in the company, which would help one to:
- Heighten security awareness within the organisation
- Identify critical assets via the Business Risk Assessment
- Provide a structure for continuous improvement
- Be a confidence factor internally as well as externally
- Enhance the knowledge and importance of security-related issues at the management level
- Ensure that "knowledge capital" will be "stored" in a business management system
- Enable future demands from clients, stockholders and partners to be met
Recommended Reading
- Information Security Management: An introduction (PD3000)
- Preparing for BS7799 Certification (PD3001)
- The Guide to BS7799 Risk Assessment and Risk Management (PD3002)
- Are you Ready for a BS7799 Audit? (PD3003)
- Guide to BS7799 Auditing (PD3004)
- Guide on selection of BS 7799 controls (PD3005)
- BS7799 : Part 1: 1999 Code of Practice for information security management
- BS7799 : Part 2: 1999 Specification for information security management systems
- EA Guidelines 7/03
BS7799 Interpretation Guide (Free Download): www.dnv.com
Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organization comprises over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.
DNV started its operations in Region India in 1972 and has established itself as a leading classification society. DNV has been providing classification, certification, consultancy and verification services for the marine, offshore and land-based process industries ever since, for both the public and private sectors.
DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management System and is a leading Certification Body in India for both Quality & Environment Management System Certification having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.
Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.
For comments and questions on this paper please write to: bmukund@yahoo.com
Source : http://www.computersecuritynow.com/7799part3.htm
Information Security Principles (ISO/IEC 17799)
- An Information Security Policy document will be available to all staff and students
- Senior management shall set a clear direction and demonstrate support for, and commitment to, information security across the University
- Information systems owners will be responsible for ensuring the design, operation and use of IT systems comply with Information Security Policies
Security organization
- Responsibility for governing and managing security of information rests with the executive management of the University
- A management framework will be established to initiate and control the implementation of information security within the University
- Information security governance must fit into and support the IT governance framework
- Responsibilities for the protection of individual assets, and for carrying out specific information security processes, rest with information systems owners
- Third parties will be provided access under formally managed conditions only
- Security requirements must be addressed as part of outsourcing contracts
Asset classification and control
- All information systems should be accounted for and have a nominated information system owner
- Classification labels must be used to indicate the need and priorities for security protection
Personnel security
- Security should be addressed at recruitment, included in relevant job descriptions and contracts, and monitored
- Users of information should be trained in security procedures and the correct use of IT facilities
- Users should be formally authorised in writing of their scope to access information systems
- Incidents affecting security should be reported through approved channels as quickly as possible
- All staff, contractors and students should comply with all prevailing legal and community standards relating to data confidentiality and privacy
Physical and environmental security
- IT facilities supporting critical or sensitive business activities must be physically protected from:
+ unauthorized access, damage and interference
+ the effects of environmental events such as fire, electrical supply failure, natural disasters and terrorism
Computer and network management
- The integrity, accuracy and availability of data is to be maintained in a manner appropriate to the business requirement
- Procedures must be established for the operation and management of all computers and networks
- Controls are to be developed to reduce the risk of negligent or deliberate system misuse
Access control
- Access to computer services and data should be controlled on the basis of business requirements
- IT will provide appropriate access and security control systems
- Users should only be allowed access to the data that is necessary for them to do their job
Systems development and maintenance
- Security requirements must be identified and agreed prior to the development or procurement of IT systems
- Appropriate controls, including audit trails, should be designed into applications
- Access to project, support and development environments and associated test data should be closely controlled
Business continuity planning
- Plans must be available to protect critical business processes from the effects of major failures and disasters
Audit and compliance
- All relevant statutory and contractual requirements of information systems should be explicitly defined and documented
- The security of IT systems should be regularly and independently reviewed
- Adherence to all relevant privacy laws is compulsory
- Data will be protected against loss and unauthorised access commensurate with its value and the requirements of the regulators and legislators
- IT will monitor and report on access and security breaches, including unsuccessful attempts
Source : http://www.auckland.ac.nz/security/InformationSecurityPrinciples.htm
Thursday, September 20, 2007
ISO 17799: Standard for Security
by Myler Ellie, Broadbent George
Organizations can use ISO 17799 as a model for creating information security policies and procedures, assigning roles and responsibilities, documenting operational procedures, preparing for incident and business continuity management, and complying with legal requirements and audit controls.
Pretexting. Zero Day Attacks. SQL Injections. Bots and Botnets. Insider Infractions. Click Fraud. Database Hacking. Identity Theft. Lost Laptops and Handhelds. According to Ted Humphreys, in a recent International Organization for Standardization (ISO) press release, "It is estimated that intentional attacks on information systems are costing businesses worldwide around $15 billion each year and the cost is rising."
Organizations need to address information security from legal, operational, and compliance perspectives. The risk of improper use and inadequate documentation abounds, and the penalties are greater than ever. By combining best practices outlined in the international standard ISO/IEC 17799 Information Technology - Security Techniques - Code of Practice for Information security Management (ISO 17799) with electronic records management processes and principles, organizations can address their legal and compliance objectives. This article explores the opportunity to bridge the gaps and bring together information security, intellectual property rights, protection and classification of organizational records, and audit controls.
ISO 17799 Components, Applications, Implications
ISO 17799 provides a framework to establish risk assessment methods; policies, controls, and countermeasures; and program documentation. The standard is an excellent model for organizations that need to:
* Create information security policies and procedures
* Assign roles and responsibilities
* Provide consistent asset management
* Establish human and physical security mechanisms
* Document communications and operational procedures
* Determine access control and associated systems
* Prepare for incident and business continuity management
* Comply with legal requirements and audit controls
Information security can be defined as a program that allows an organization to protect a continuously interconnected environment from emerging weaknesses, vulnerabilities, attacks, threats, and incidents. The program must address tangibles and intangibles. Information assets are captured in multiple and diverse formats, and policies, processes, and procedures must be created accordingly.
Organizations can use this standard not only to set up an information security program but also to establish distinct guidelines for certification, compliance, and audit purposes. The standard provides various terms and definitions that can be adopted as well as the rationale, the importance, and the reasons for establishing programs to protect an organization's information assets and resources. Figure 1 depicts the suggested steps and tasks associated with establishing and implementing an information security program.
This ISO framework is methodically organized into 11 security control clauses, which together contain 39 main security categories, each with a control objective and one or more controls to achieve that objective. The control descriptions provide the definitions, implementation guidance, and other information that enable an organization to set up its program objectives according to the standard methodology.
Step 1: Conduct Risk Assessments
This component of the standard applies to activities that should be completed before security policies and procedures are formulated.
Risk is defined as anything that causes exposure to possible loss or injury. Risk analysis is defined as a process of identifying the risks to an organization and often involves an evaluation of the probabilities of a particular event or an assessment of potential hazards. Loss potentials should be understood to determine an organization's vulnerability to such loss potentials.
Risk categories are both internal and external and can include:
* Natural: Significant weather events such as hurricanes, flooding, and blizzards
* Human: Fire, chemical spills, vandalism, power outages, and virus/hackers
* Political: Terrorist attacks, bomb threats, strikes, and riots
Conduct risk assessments to understand, analyze, evaluate, and determine what risks organizations feel are likely to occur in their environment. Risk assessment activities involve information technology (IT) and information processing facilities, facilities management and building security, human resources (HR), records management (RM) and vital records protection, and compliance and risk management groups. These groups must collectively determine what the risks are, the level of acceptance or non-acceptance of that risk, and the controls selected to counteract or minimize these risks.
Risk analysis is conducted to isolate specific and typical events that would likely affect an organization; considering its geography and the nature of its business activities will help to identify risks. Loss potential from any of these events can result in prohibited access, disrupted power supplies, fires from gas or electricity interruptions, water damage, mildew or mold to paper collections, smoke damage, chemical damage, and total loss (with the destruction of the entire building).
Regularly monitor emerging threats and evaluate their impacts, as this is a constant, moving target. For example, according to an IMlogic article, "IM [instant messaging] worms are the most prevalent form of IM malware, representing 90 percent of all unique attacks in 2005. These attacks frequently utilized social engineering techniques to lure end users into clicking on suspicious links embedded inside IM messages, enabling the activation of malicious code that compromised the security of host operating systems or applications."
Although threats are increasingly sophisticated in the virtual sphere, the simple occurrence of employees stealing company information on paper is still very real and prevalent in today's work space.
Step 2: Establish a Security Policy
These components of the standard provide the content that should be included as well as implementation guidance to set the foundation and authorization of the program.
To set its precedence, an information security policy should be developed, authorized by management, published, and communicated. It should apply to all information assets and must demonstrate management's commitment to the program. Explain implications on work processes and associated responsibilities and outline them in employee job descriptions.
The security policy should be administered, documented, and periodically evaluated and updated to reflect organizational goals and lines of business. This is captured under clause 6.0 for organizing information security. It reflects administrative and management activities to implement the security policy. All activities must identify authorities, responsibilities, agreements, and external security requirements. This has an impact on information processing facilities, external parties, access issues, and problem resolution measures. Keep a record of all policy administration activities to create historical relevance for the information security program.
Step 3: Compile an Asset Inventory
This component of the standard addresses asset management, controls, and the protection thereof. It applies to all assets in tangible and intangible form.
Identify the organization's intellectual property (IP), tools to create and manage IP, and physical assets with a detailed inventory so the organization knows what type of resources it has, where they are located, and who has responsibility for them. Identifying how assets are to be used, classified, labeled, and handled is necessary to establish an asset management inventory.
This inventory should also distinguish the types, formats, and ownership control issues. Implement associated rules for the use of assets including e-mail, Internet usage, and mobile devices. Classifying assets and establishing procedures for labeling and handling according to the classification scheme are also important. Documents in electronic form will lend themselves to being identified through metadata and document properties completion. However, these processes must all be completed by resources. Although automation of these processes is a possibility, an organization still faces extensive costs and resource coordination to address this piece.
Step 4: Define Accountability
This component of the standard addresses the human aspect of security; it applies to the level of accountability that employees, contractors, and third-party users must exercise to protect an organization's information assets.
An information security program will not be implemented unless roles and responsibilities are clearly articulated and understood by those having ownership in the program. Ideally, these roles and responsibilities should be outlined in job descriptions and documented in terms and conditions of employment.
Employees are part of the overall information security landscape and often they are the closest and best able to prevent certain incidents from occurring. HR is typically in charge of these issues, but they must collaborate with IT and RM to ensure that all information assets are addressed accordingly.
Define roles and responsibilities during pre-employment and screening processes, and perform background checks to support the hiring process. If the job mandates working with highly sensitive information, an organization must be on guard to hire the most qualified person to perform these tasks. These employees must possess a great deal of integrity, pay attention to detail, and take their responsibilities seriously.
Information security awareness, education, and training must be a routine activity to keep employees informed, to communicate expectations, and to provide updates on their responsibilities. Standardize a disciplinary process for security breaches.
When employees leave or change jobs, it is essential that HR, in collaboration with other stakeholders, follows through with a return-of-assets process and the removal of access rights, both of which can be captured in HR exit processes and procedures. This is often not a coordinated process, which allows employees to walk off with information or to leave masses of orphaned and unidentified information behind on servers and in physical work spaces. Redesign the HR exit interview to ensure that information return or transfer is a coordinated process.
Step 5: Address Physical Security
This component of the standard outlines all the requirements for physical security perimeters and authorized entry controls; measures for protecting against external and environmental threats; equipment security, utilities, and cabling considerations; and secure disposal or removal of storage equipment media.
An organization's building and premises, equipment, and information processing facilities must be fail-proof to prevent unauthorized intrusions and access, and possible theft issues. This applies mostly to facilities management and IT, although risk management should also participate to provide environmental risk protection measures.
Include guidelines for physical security perimeters, entry controls, environmental threats, and access patterns in this section. Also address supporting utilities, power, and telecommunication networks. Finally, secure the disposal and removal of equipment that holds information so that information is truly deleted or "wiped" clean from the slate.
Step 6: Document Operating Procedures
Procedures for system activities, change management controls, and segregation of duties are included in this component.
Any organizational program will be more established when program administration, policies, procedures, and related processes are formally documented. This component sets out to define operating procedures, instructions for the detailed execution thereof, and the management of audit trail and system log information. It applies to all facets of an information security program.
Formally documenting program activities will allow an organization to keep track of the development, implementation, and associated documentation for the program. Keep in mind that documentation does not magically appear through word processing programs. It takes resources, good writing skills, and an ability to change documentation when necessary.
Address the separation of development, test, and operational facilities to reduce the risk of unauthorized actions. Monitor and review third-party service delivery requirements to ensure that actions are carried out as mandated. Plan for, monitor, and update system resources, capacity management, and acceptance criteria, as necessary.
Constantly monitor and prepare to protect against malicious and mobile code to guard the integrity of system software and information. This especially pertains to intelligent cybercrime activities such as structured query language (SQL) injection, and their application to mobile devices, which are becoming increasingly sophisticated. This should also focus on incoming e-mails and downloadable attachments, as well as a review of webpages.
Backup and restoration procedures must provide for the replication of information and methods for dispersal and testing, meeting business continuity requirements. This should also address retention periods for archival information or those with long-term retention requirements. Address media preservation issues to ensure the longevity of media that have long-term retention requirements.
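The paragraph above calls for backup procedures that are tested, not merely run. The following is an added example, not code from the article or from ARMA, showing the simplest useful restore test: a manifest of SHA-256 digests recorded at backup time, checked against the restored copy so that missing, altered or unexpected files are reported. The file names and contents are constructed in memory for illustration.

```python
"""Added example (not from the ARMA article): verifying a restored backup
against a digest manifest. All file names and contents are constructed."""
import hashlib
from typing import Dict, List


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest for every file at backup time."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_restore(manifest: Dict[str, str], restored: Dict[str, bytes]) -> List[str]:
    """Compare a restored file set with the manifest.

    Returns a list of problems; an empty list means the restore is
    complete and every file matches the digest taken at backup time.
    """
    problems: List[str] = []
    for name, expected in manifest.items():
        if name not in restored:
            problems.append(f"missing: {name}")
            continue
        actual = hashlib.sha256(restored[name]).hexdigest()
        if actual != expected:
            problems.append(f"corrupt: {name}")
    # Files that were never backed up should not appear after a restore.
    for name in restored:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return problems


def demo() -> List[str]:
    """Constructed scenario: one file altered, one missing, one extra."""
    originals = {
        "ledger.csv": b"account,balance\n1001,250\n",
        "policy.txt": b"retain 7 years",
    }
    manifest = build_manifest(originals)
    restored = {
        "ledger.csv": b"account,balance\n1001,255\n",  # silently altered
        "extra.bin": b"\x00\x01",                       # not part of the backup
    }
    return verify_restore(manifest, restored)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run the test on the restore target, not on the backup medium itself; a manifest that only confirms the archive is intact says nothing about whether the restore path works.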
Address network infrastructure through network controls and management. This includes:
* Remote equipment and connections
* Public and wireless networks
* Authentication and encryption controls
* Firewalls and intrusion detection systems
* Media handling and transit methods
* Information classification, retention, and distribution policies and procedures
Although mobile devices have helped organizations stay better connected, employees must use more discretion when using them. Alert employees to proper etiquette for relaying information so they will not be overheard in elevators, airports, or on other public transportation.
Address electronic data interchange, e-commerce, online transactions, electronic signatures, electronic publishing systems, and electronic communication methods such as e-mail and IM. Their secure use and associated procedures must demonstrate accuracy, integrity, and reliability. For organizations using e-commerce, this is not an option, as current regulations are pushing this into the forefront of IT agendas. Organizations should also monitor their systems and record security events through audit logs. Also address records retention policies for archival or evidence requirements.
Step 7: Determine Access Controls
This component of the standard includes guidelines for establishing policies and rules for information and system access.
Practice standard methods for all users and system administrators to control access to and distribution of information. Policies should apply to users, equipment, and network services. Newer technologies, such as those that have passwords connected to fingerprint digital touch pads, come at a cost, but they should be evaluated as a password management tool.
Access control measures should include:
* Setting up user registration and deregistration procedures
* Allocating privileges and passwords
* Implementing a "clear desk and clear screen policy"
* Managing:
- Unattended equipment
- Virtual private network solutions
- Wireless networks and authentications
- Network service issues such as routing and connections
- Telecommuting virtual spaces and intellectual property rights
- Cryptographic keys and procedures
- Software development, testing, and production environments
- Program source code and libraries
- Change control procedures and documentation
- Patches, updates, and service packs
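The access control measures listed above, together with the earlier principles that users receive only the access their job requires and that IT monitors and reports on access breaches including unsuccessful attempts, can be reduced to a small, checkable model. The following is an added example, not code from the article or from ARMA: explicit per-asset grants, classification labels checked against user clearance, a deregistration step that removes every right at once, and an audit trail that records each denied attempt with its reason. The user names, asset names and classification scheme are constructed for illustration.

```python
"""Added example (not from the ARMA article): a minimal access-control
model with registration/deregistration, least-privilege grants,
classification labels and an audit trail of denied attempts.
All names and the classification scheme are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Classification labels in rising order of sensitivity (constructed scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class AuditEvent:
    user: str
    asset: str
    action: str
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    grants: Dict[str, Set[str]] = field(default_factory=dict)     # user -> assets explicitly granted
    clearance: Dict[str, str] = field(default_factory=dict)       # user -> highest label cleared for
    labels: Dict[str, str] = field(default_factory=dict)          # asset -> classification label
    audit: List[AuditEvent] = field(default_factory=list)

    def register_user(self, user: str, clearance: str) -> None:
        """Formal registration: a user starts with a clearance and no grants."""
        self.clearance[user] = clearance
        self.grants[user] = set()

    def deregister_user(self, user: str) -> None:
        """HR exit step: every right is removed in one operation."""
        self.clearance.pop(user, None)
        self.grants.pop(user, None)

    def label_asset(self, asset: str, level: str) -> None:
        self.labels[asset] = level

    def grant(self, user: str, asset: str) -> None:
        """Least privilege: access exists only where a grant was recorded."""
        self.grants[user].add(asset)

    def check(self, user: str, asset: str, action: str = "read") -> bool:
        """Decide an access request and record the outcome, denied or not."""
        if user not in self.clearance:
            return self._record(user, asset, action, False, "unknown or deregistered user")
        if asset not in self.labels:
            return self._record(user, asset, action, False, "unlabelled asset")
        if asset not in self.grants[user]:
            return self._record(user, asset, action, False, "no grant for asset")
        if LEVELS[self.clearance[user]] < LEVELS[self.labels[asset]]:
            return self._record(user, asset, action, False, "clearance below label")
        return self._record(user, asset, action, True, "ok")

    def _record(self, user: str, asset: str, action: str, allowed: bool, reason: str) -> bool:
        self.audit.append(AuditEvent(user, asset, action, allowed, reason))
        return allowed

    def denied_attempts(self) -> List[AuditEvent]:
        """The unsuccessful attempts that the monitoring principle asks IT to report on."""
        return [e for e in self.audit if not e.allowed]


def demo() -> AccessControl:
    """Constructed scenario covering an allowed read, a clearance mismatch and an exit."""
    ac = AccessControl()
    ac.label_asset("payroll.xlsx", "confidential")
    ac.label_asset("handbook.pdf", "internal")
    ac.register_user("alice", "confidential")
    ac.register_user("bob", "internal")
    ac.grant("alice", "payroll.xlsx")
    ac.grant("bob", "handbook.pdf")
    ac.grant("bob", "payroll.xlsx")    # a grant exists, but bob's clearance is too low
    ac.check("alice", "payroll.xlsx")  # allowed
    ac.check("bob", "payroll.xlsx")    # denied: clearance below label
    ac.check("bob", "handbook.pdf")    # allowed
    ac.deregister_user("bob")
    ac.check("bob", "handbook.pdf")    # denied: user no longer registered
    return ac


if __name__ == "__main__":
    for event in demo().denied_attempts():
        print(f"DENIED {event.user} {event.action} {event.asset}: {event.reason}")
```

Two properties of the model are worth carrying into a real system: a grant alone is never sufficient (the label check still applies), and deregistration is a single operation rather than a hunt through every system for leftover rights.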
Any information system that an organization procures or develops must also include security requirements for valid data input, internal processing controls, and encryption protection methods. Document the integrity, authenticity, and completeness of transactions through checks and balances. Retain and archive system documentation for configurations, implementations, audits, and older versions. This is further detailed in clause 12 of the standard.
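The requirement above for valid data input and internal processing controls in procured or developed systems is where the SQL injection mentioned under Step 6 is actually prevented. The following is an added example, not code from the article or from ARMA, showing a lookup whose input is spliced into the statement text beside the hardened form that validates the value's format and binds it as a parameter; it uses Python's standard sqlite3 module on an in-memory table with constructed rows, and the employee-id format is an assumption made for the example.

```python
"""Added example (not from the ARMA article): input validation and
parameter binding for a database lookup. The table, rows and the
employee-id format are constructed for illustration."""
import re
import sqlite3
from typing import List, Tuple

# Constructed format for an employee id, e.g. "EM0042": two letters, four digits.
EMPLOYEE_ID = re.compile(r"^[A-Z]{2}\d{4}$")


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed staff records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (emp_id TEXT PRIMARY KEY, name TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [("EM0042", "A. Example", 50000), ("EM0043", "B. Example", 62000)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, emp_id: str) -> List[Tuple[str, str]]:
    """'Before' form: the value becomes part of the SQL text, so the database
    cannot distinguish data from statement syntax."""
    sql = f"SELECT emp_id, name FROM staff WHERE emp_id = '{emp_id}'"
    return conn.execute(sql).fetchall()


def query_bound(conn: sqlite3.Connection, emp_id: str) -> List[Tuple[str, str]]:
    """Parameter binding alone: the value is sent separately from the statement,
    so whatever it contains is compared literally against emp_id."""
    return conn.execute("SELECT emp_id, name FROM staff WHERE emp_id = ?", (emp_id,)).fetchall()


def lookup_safe(conn: sqlite3.Connection, emp_id: str) -> List[Tuple[str, str]]:
    """'After' form: reject input that does not match the expected format at the
    boundary (valid data input), then use the bound query."""
    if not EMPLOYEE_ID.match(emp_id):
        raise ValueError("employee id has unexpected format")
    return query_bound(conn, emp_id)


def demo() -> dict:
    """Run the same inputs through both forms and return the row counts."""
    conn = make_db()
    hostile = "x' OR '1'='1"   # constructed malformed input
    results = {
        "unsafe_valid": len(lookup_unsafe(conn, "EM0042")),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),
        "bound_hostile": len(query_bound(conn, hostile)),
        "safe_valid": len(lookup_safe(conn, "EM0042")),
    }
    try:
        lookup_safe(conn, hostile)
        results["safe_hostile"] = "accepted"
    except ValueError:
        results["safe_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two layers do different jobs: binding makes the statement's structure independent of the value, and format validation rejects input the application never expects to see, which also gives monitoring a clean event to log.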
Step 8: Coordinate Business Continuity
This component of the standard includes reporting requirements, response and escalation procedures, and business continuity management.
As organizations increasingly come under attack and suffer security breaches, they must have some formalized manner of responding to these events.
Business continuity management addresses unexpected interruptions in business activities or counters those events that impede an organization's critical business functions. This process should include:
* Identifying risks and possible occurrences
* Conducting business impact analyses
* Prioritizing critical business functions
* Developing countermeasures to mitigate and minimize the impact of occurrences
* Compiling business continuity plans and setting up regular testing methods for plan evaluation and update
A business continuity management framework also includes emergency or crisis management tasks, resumption plans, recovery and restoration procedures, and training programs. Testing the plan is an absolute must to determine its validity. Tests can include a variety of methods to simulate and rehearse real-life situations. Develop calling trees, hot- and cold-site configurations, and third-party contractors, depending on the organization's priority of critical business functions.
Report information security incidents or breaches as soon as possible to ensure that all relevant information can be remembered. This requires having feedback processes in place as well as establishing a list of contacts that are available around the clock to manage this process. Procedures should be consistent and effective to ensure orderly responses to not only manage the immediate process but also to collect evidence for legal proceedings.
Step 9: Demonstrate Compliance
This component of the standard provides standards for intellectual property rights, RM requirements, and compliance measures. These apply to everything from an organization's information processing systems to the granular data and transactional records contained within those systems.
There is increased scrutiny on organizations to demonstrate compliance with applicable laws, regulations, and legislative requirements for all aspects of their business transactions. Adherence to rules and regulations is an integral part of the information security program and will contribute to demonstrating corporate accountability.
Address identification, categorization, retention, and stability of media for long-term retention requirements according to business and regulatory requirements. Document retention periods and associated storage media as part of managing the organization's records. Address privacy and personal data requirements, which can vary from one country to the next. Address transborder data flow and movement, and associated encryption methods as related to import and export issues depending on federal laws and regulations.
Follow up on and evaluate compliance with established policies and procedures to determine implementation effectiveness and possible shortcomings. Clearly delineate audit controls and tools to determine areas for improvement. Again, it is critical to take time to document all information related to the development and establishment of compliance and audit, including decisions made, resources involved, and other source documentation cited.
Data Breach Reporting Issues
New information security requirements are emerging as a result of organizations' negligence to protect sensitive data and impose adequate controls on employees using mobile technology to house such data. Information security issues are constantly in the media, as with the recent case when the U.S. Department of Veterans Affairs (VA) lost control of the personal information of 28 million veterans when a laptop containing the information was stolen from an employee's home. The VA was criticized for its delay in disclosing the loss and notifying those affected.
California Senate Bill (SB) 1386 is setting the precedent for reporting and disclosing data security breaches and declarations for privacy and financial security. (See Figure 2 "California SB 1386 Excerpts, Source and Language Summary.") Other states are now adopting laws allowing consumers to "freeze" their credit files, even if they have not been a victim of identity theft. If passed, pending bills in the U.S. Congress, including S.1408: Identity Theft Protection Act and H.R. 4127: The Data Accountability and Trust Act, would also force organizations to be more accountable for the vast amount of personal information that they may have.
Organizations should take heed of these legislative efforts and proactively plan for them by updating their information security practices. Any organization that uses e-commerce in its business practices must align its systems and databases for the protection of information content. Organizations that are subject to these laws should structure their reporting measures according to the following components of the ISO 17799 standard:
* Clause 10.9 establishes electronic commerce countermeasures and cryptographic controls to protect sensitive customer information and all associated electronic records databases.
* Clause 13.1 provides a methodology for reporting incidents supported by timely procedures with appropriate behavior mechanisms and disciplinary processes.
Information Security Objectives and Records Management Components
Although information security is now in the limelight and is being brought to the attention of the executive-level audience, RM is still the basic foundation that branches out into all the various new compliance areas. Records managers need to work with IT to ensure that retention and vital records requirements are addressed and are part of the many inventories that the ISO standard suggests. They must also update their programs to be in line with an information security program's objectives as outlined in the controls and implementation guidance of the ISO 17799 standard.
Maintenance, retention, and protection requirements of data, information, and IP are addressed in the ISO clauses in Figure 3.
Vital records are those records that are needed to resume and continue business operations after a disaster and are necessary to recreate an organization's legal and financial position in preserving the rights of an organization's employees, customers, and stockholders. If vital records protection methods exist before an information security program is established, they should be integrated or referred to as part of the larger information security scheme. IP and the management and protection thereof have long been addressed by organizations through a vital records program. When electronic records were not prevalent, vital records protection methods included the same premises, such as:
* Appraisal and identification of those records that are deemed vital
* Duplication and dispersal processes
These methods can apply to any electronic environment but the inventories of such records must include not only the paper versions but also their electronic counterparts captured in other media or systems within the organization.
The objective to protect electronic vital records must focus on:
* Newly created records
* Work in progress
* Other information that is not stored on servers and is typically found on users' desktops
Although it can be argued that many electronic records are captured in enterprise resource planning systems, routine backups of this data may be re-circulated so that long-term retention and protection requirements are not addressed.
Initially, allowing employees to transport laptops and other devices with large amounts of data away from the corporate environment was seen as a way to increase productivity. That is still the case, but controls in the form of policies as to what can and cannot be taken must be established and consistently enforced. As technology offers more ways to compact large amounts of data on very small devices, it is crucial to monitor and correct employees to prevent their actions from compromising the organization's responsibilities for keeping information safe. Establish, fund, and monitor training, support, and compliance to ensure that employees receive appropriate training before turning them loose with the tools.
Compliance also applies to information systems and their audit considerations. Administrators running an organization's information systems must be just as closely scrutinized as the employees within the organization and in virtual spaces.
Stay Ahead of the Curve to Stay Secure
While information security is the newest flavor of the month, chances are that many organizations have no program in place and, therefore, no control over how their employees manage information.
Organizations cannot continue to practice their business in an irresponsible manner. Using the ISO standard to structure their programs is the foundation, but they must also stay ahead of the curve, outguessing and outsmarting potential incidents and occurrences. Websites for information security are pervasive and provide both written materials and podcasts to help keep information professionals informed. Records managers and IT professionals can also help each other achieve a best practices program for information security.
However, any program that an organization initiates will need management support and resources to accomplish it. Collaboration by all parties, including senior management, is essential to achieve compliance in the space of information security.
References
ARMA International. "VA IG Slams Top Officials in VA Data Theft Incident." Washington Policy Brief, July 2006. Available at www.arma.org/news/policybrief/index.cfm?BriefID=1335 (accessed 26 September 2006).
Bartholomew, Doug. "Responding to Risk: Invisible Enemies." Industry Week, 1 March 2006. Available at www.industryweek.com/ReadArticle.aspx?ArticleID=11440 (accessed 26 September 2006).
Greenemeier, Larry. "The Next Data Breach Could Mean Your IT Job." Information Week, 17 July 2006. Available at www.informationweek.com/security/showArticle.jhtml?articleID=190400266 (accessed 26 September 2006).
IMlogic. IMlogic Threat Center - 2005 Real-Time Communication Security: The Year in Review. Available at www.imlogic.com/pdf/2005ThreatCenter_report.pdf (accessed 12 July 2006). No longer available.
International Organization for Standardization. ISO/IEC 17799: 2005, Information Technology - Security Techniques - Code of Practice for Information Security Management, Geneva, Switzerland: International Organization for Standardization, 2005.
_____. ISO/IEC 18043:2006, Information Technology - Security Techniques - Selection, Deployment and Operations of Intrusion Detection Systems, Geneva, Switzerland: International Organization for Standardization, 2006.
_____. "New ISO/IEC Standard to Help Detect IT Intruders." Available at www.iso.org/iso/en/commcentre/pressreleases/2006/Ref1017.html (accessed 26 September 2006).
U.S. House. Data Accountability and Trust Act, 109th Congress, H.R. 4127. Available at www.govtrack.us/congress/bill.xpd?bill=h109-4127 (accessed 26 September 2006).
U.S. Senate. Identity Theft Protection Act, 109th Congress, S.1408. Available at www.govtrack.us/congress/bill.xpd?bill=s109-1408 (accessed 26 September 2006).
Ellie Myler, CRM, and George Broadbent
Ellie Myler is a Certified Records Manager and Certified Business Continuity Professional and a 17-year veteran of the records management industry. A Senior Records Management Analyst with Entium Technology Partners LLC, Myler has previously served as a consultant to Fortune 500 companies in a wide spectrum of industries. She designs and customizes corporate governance programs for records management and business continuity program initiatives and writes and lectures frequently on information management and technology topics. She may be reached at emyler@entium.com.
George Broadbent has more than 17 years of diversified system architecture, network design and implementation, and application development experience, including network management of Novell NetWare and Microsoft Windows 2000/2003 networks. He has designed and built local and wide area networks (LANs/WANs) that include the use of high-availability systems, real-time data replication and hierarchical storage solutions for large multi-site organizations. He has performed the architecture, design, implementation, deployment, and/or support of enterprise electronic mail systems with integrated electronic archiving solutions for Microsoft Exchange-based systems. He can be reached at gbroadbent@entium.com.
Copyright ARMA International Nov/Dec 2006
Source : http://findarticles.com/p/articles/mi_qa3937/is_200611/ai_n16871475
SystemExperts Launches Security Standard Compliance Offering
ISO 17799/27002 Compliance Program Helps Organizations Achieve and Demonstrate Security Best Practice
SUDBURY, Mass. -- SystemExperts (www.systemexperts.com), a premier provider of IT compliance and network security consulting services, today announced the launch of its enhanced ISO 17799/27002 Compliance Program. Designed to help companies build effective security organizations, policies and practices, SystemExperts's ISO 17799/27002 Compliance Program will be of value to organizations looking to measure or demonstrate the use of security best practices to prospective partners, ensure that security resources are applied wisely, and focus their efforts on activities that will address real business risk. The ISO 17799/27002 Compliance Program provides a cost-effective method for identifying weaknesses in security policies, practices, and mechanisms and addressing them through a structured program.
ISO 17799/27002 is an international standard that defines a comprehensive security framework. This balanced framework serves as the basis both for measuring an organization's effectiveness in addressing risk and for structuring an organization's overall security program.
The ISO 17799/27002 Compliance Program consists of three parts: education, assessment, and remediation. The education phase (Study Session) allows organizations to understand how the standard applies in the context of their unique business environment and risks. The assessment compares the company's practices to those specified in the standard. Next, the remediation phase allows companies to implement recommendations resulting from the assessment and achieve a level of compliance with the standard. After remediation is complete, SystemExperts provides a Compliance Statement. At each step, SystemExperts helps the organization identify security measures that address risks in a cost-effective manner.
"SystemExperts's ISO 17799/27002 Compliance Program has given Harvard Management Company a clear sense of what we are doing well, what we need to improve, and what we weren't doing at all. The preliminary Study Session helped us to understand what the standard is all about and how to apply it to our business," said John Bergen, Chief Information Officer of Harvard Management Company, the organization responsible for managing Harvard University's $30 billion endowment.
"The ISO 17799/27002 Compliance Program has proven useful to organizations looking for a cost-effective way of demonstrating compliance with an objective security standard. This enables organizations to eliminate the burden of repeatedly performing security reviews for prospective customers or business partners. In addition, SystemExperts's ISO 17799/27002 Compliance Statement makes it easy for organizations to communicate that they have a comprehensive security program in place," said Richard Mackey, vice president of SystemExperts.
Pricing and Availability:
SystemExperts's ISO Compliance Programs are tailored to meet an organization's specific needs. Base level pricing begins at $33,000.
About SystemExperts
Founded in 1994, SystemExperts(TM) Corporation (www.systemexperts.com) is the premier provider of IT compliance and network security consulting services. The company's clients include many of the leading Wall Street firms, top-tier online retailers, major manufacturers, as well as small businesses in a wide range of industries.
SystemExperts's consultants are world-renowned authorities who bring to every engagement a unique combination of business experience and technical expertise. Through a range of consulting services, based on signature methodologies, SystemExperts develops security architectures, performs network penetration and application vulnerability testing, develops security policies, provides emergency response to hacker attacks, and assesses compliance with relevant regulations and standards (ISO 17799/27002, PCI, SOX and HIPAA). Further information about SystemExperts can be found at www.systemexperts.com or by calling 1 888-749-9800.
COPYRIGHT 2007 Business Wire
COPYRIGHT 2007 Gale Group
Source : http://findarticles.com/p/articles/mi_m0EIN/is_2007_July_9/ai_n19345695
Tuesday, September 11, 2007
IT Security and Risk Management: ISO 17799 [PDF]
2. COBIT versus ISO 17799 in IT Governance
2.1. COBIT 4.0
2.2. ISO 17799
3. Implementation of ISO 17799
3.1. ISO 17799’s implementation example
3.2. Benefits of ISO17799
4. Conclusion
Reference
In the global community there are many different types of standards and frameworks that help a company to manage and secure IT such as COSO, COBIT, ISO, ITIL and many others. In order to have a strong and sound IT governance, a company has to implement appropriate IT frameworks that would fit a company’s main processes.
COSO is a very broad group of standards that includes different financial and auditing institutions' functions, while COBIT, ISO and ITIL are more specific and focus more on IT security and risk management. As a part of my individual project, I want to narrow my search to COBIT and ISO standards. ISO standards are used globally more often than COBIT due to the fact that ISO fits more smoothly into the different frameworks of most countries in terms of business processes, since COBIT addresses standards only, while ISO concerns itself with both standards and processes (e.g. organizational security, personnel security, communications and operations management, business continuity management, and so on). I will show this in my report, supporting my ideas with relevant cases and examples from certain companies.
Let us talk a little bit about COSO (the Committee of Sponsoring Organizations of the Treadway Commission) and its role in IT Governance. As mentioned earlier, COSO is a very broad set of standards (to be precise, a private-sector organization) that focuses not only on IT Governance control and improvement, but also, and mostly, on the quality of financial reporting, internal control and corporate governance. This organization was formed in order to find out the factors that lead to fraud in financial reporting, as well as to give companies, auditors, educational institutions and so on recommendations on how to prevent these factors. Among the sponsoring organizations within the Committee there are "five major professional associations in the United States, the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants)" (1). In spite of the sponsorship arrangement, the Commission is independent from all of the sponsoring organizations, and has representatives from industry, public accounting, the New York Stock Exchange, and different investment firms.
COSO defines Internal Control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" in such categories as effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. IT Governance is part of internal control within the COSO framework. Therefore, the different frameworks for IT security and management (COBIT, ITIL, ISO, and so on) should comply with COSO's rules and requirements. While COSO is generally accepted as the internal control framework for enterprises, COBIT, ISO and other similar frameworks are the generally accepted internal control frameworks for IT.
Read More : http://citebm.business.uiuc.edu
ISO 17799: It's a control, not a standard
By Patrick Lamphere
April 29, 2007
Computerworld
I'm always interested when I learn that things aren't the way I thought they were. Mom put "Santa's" presents under the Christmas tree. Columbus didn't discover America. Lee, Lifeson, and Peart aren't equal to the Father, Son, and Holy Spirit. And, most recently, ISO 17799:2005 shouldn't be used as a list of required controls for organizations to deploy.
Don't get me wrong. For something written by committee, the International Standards Organization and International Electrotechnical Commission - Code of Practice for Information Security Management Reference Number 17799:2005 (from here on out ISO 17799) isn't half bad. As anyone familiar with it knows, it's a fairly exhaustive list of controls covering 11 major domains of information security (more on that later), from policy to compliance.
It's not perfect. Aside from the Briticisms (it is their language, after all), there are some areas where it doesn't give enough depth or detail, others where it goes a little overboard, and some terminology that is just plain odd ("Threat Vulnerability Management," anyone?). But these relatively minor shortcomings are outweighed by the overall benefits for those companies that turn to it for guidance.
If your company is adopting ISO 17799 as a "standard," however, you're missing the point. ISO 17799 is a list of controls -- nothing more, nothing less. Notice the ample use of the word should throughout the document. Nowhere are there any requirements that an organization do anything. No shall or shall not, no do or do not -- ISO 17799 is a list of guidelines, not requirements.
This is a good thing.
ISO 17799 was originally British Standard 7799-1, and was meant to be adopted along with the other parts of the 7799 series, namely 7799-2 (Information Security Management Systems) and 7799-3 (Guidelines for Information Security Risk Management). Further muddying the waters, BS 7799-2 was recently adopted as ISO 27001. BS 7799-1/ISO 17799 will eventually be renumbered as ISO 27002 (PDF format).
So what's the point? That's where ISO 27001 comes in. ISO 27001:2005 is a specification for an Information Security Management System (ISMS): these are things you must do to set up an ISMS. But what is an ISMS? The ISMS is the framework you need to have in place to define, implement and monitor the controls needed to protect the information in your company.
And here we get back to information security. ISOs 17799 and 27001 aren't just concerned with the data sitting on your company's collection of hard drives. They cover how your company protects its information in all its forms, from bits on disks to black marks on dead trees and piles of sentient meat.
This is also a good thing.
Getting started ISO 27001-style
There are 5 main clauses of the ISO 27001 standard (8 total, but 1-3 are definitions and overview), plus an annex that maps directly to 17799/27002. Clause 4 is the meat of the standard. It outlines the requirements for the ISMS.
First you establish the scope -- what is it going to cover? Your entire organization? A smaller portion (like a datacenter or subsidiary)?
The scope is up to you, but needs to be reasonable -- if you're an online backup firm, for instance, excluding the servers used to perform those backups but leaving everything else in wouldn't make sense.
Once you've got scope defined, you create the policy to govern the ISMS. This includes the usual high-level policy stuff such as management support and alignment with the business; along with the interesting parts that make ISO 27001 unique and more useful than any of the other frameworks out there: contractual (PCI), business, legal and regulatory (e.g., SOX or HIPAA) requirements; and the risk management context, including risk assessment and acceptance criteria.
After you've got your scope and policy, it's time to get down to work figuring out what information assets you have, and doing a risk assessment of each of those assets. The assets can be as granular as is reasonable for your business, though it's easier to lump things together (for example, one asset type defined as employee personal information instead of separate categories for W-2, I-9, 1099, 401k, and so forth).
Once the assets are figured out, you can then choose your favorite risk assessment methodology (OCTAVE, NIST 800-30 [PDF format], BS 7799-3, Tarot) to determine the risks that apply to your defined information assets.
Suggestions, not requirements
Now that you've determined your risks, it's time to pick controls. And here's the best part: while you do need to address the control areas outlined in Annex A, the controls you select don't have to be as stringent as what's outlined in ISO 17799/27002. The controls in ISO 17799/27002 are suggestions. It's up to you to pick the controls that provide an appropriate level of mitigation for your business. Granted, you still need to take into account the realities of your regulatory environment (no 4 character passwords and ROT13 encryption for PCI), but the controls beyond that, as long as they are reasonable for the defined levels of risk, are entirely up to your business.
A side note on risk -- as part of any risk assessment program, you should have guidelines for how risks are going to be handled -- mitigation (the application of controls), acknowledged and deferred (we know about that, we just can't afford to do anything about it right now, hold off until the next budget cycle), transferred (insurance), and acceptance (the level of risk that the business is able to live with).
The remainder of clauses 4-8 deal with the management acknowledgement and acceptance of any residual risk, ensuring that the ISMS is kept up to date through periodic management review, internal audit, and process improvement; and of course proper documentation (if it's not on paper, it doesn't exist).
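The scope, policy, asset and risk assessment, control selection and residual-risk steps above, with the four risk treatments the article lists and the requirement that every Annex A control area be addressed, as an added Python example (not from the article or any project): a small checker for a risk treatment plan. The 11 Annex A domain names are abbreviated, and the sample register, its control ids, scores and acceptance threshold of 6 are constructed for illustration.

```python
from dataclasses import dataclass

# The 11 control domains of ISO 27001:2005 Annex A (the 11 domains of ISO 17799:2005), abbreviated.
ANNEX_A_DOMAINS = {
    "A.5": "Security policy", "A.6": "Organization of information security",
    "A.7": "Asset management", "A.8": "Human resources security",
    "A.9": "Physical and environmental security", "A.10": "Communications and operations",
    "A.11": "Access control", "A.12": "Systems acquisition, development and maintenance",
    "A.13": "Incident management", "A.14": "Business continuity", "A.15": "Compliance",
}
TREATMENTS = {"mitigate", "defer", "transfer", "accept"}  # the four options in the article

@dataclass
class Risk:
    asset: str            # an information asset, lumped as coarsely as is reasonable
    threat: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    treatment: str        # one of TREATMENTS
    controls: tuple = ()  # Annex A control ids; required when treatment == "mitigate"
    residual: int = 0     # estimated score left after a mitigate/transfer treatment
    note: str = ""        # insurer, budget cycle for a deferral, or acceptance rationale

def domain_of(control_id: str) -> str:
    """'A.11.3.1' -> 'A.11'; returns '' for ids that are not Annex A controls."""
    parts = control_id.split(".")
    dom = ".".join(parts[:2])
    return dom if len(parts) >= 3 and dom in ANNEX_A_DOMAINS else ""

def check_treatment_plan(risks, accept_threshold):
    """Return (findings, residual): findings are defects in the plan; residual is the
    list of (asset, threat, score) that management must sign off on (ISO 27001 clause 4)."""
    findings, residual, covered = [], [], set()
    for r in risks:
        tag, score = f"{r.asset}/{r.threat}", r.likelihood * r.impact
        if r.treatment not in TREATMENTS:
            findings.append(f"{tag}: unknown treatment '{r.treatment}'")
            continue
        if r.treatment == "accept" and score > accept_threshold:
            findings.append(f"{tag}: score {score} exceeds acceptance criterion {accept_threshold}")
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{tag}: mitigate chosen but no Annex A control selected")
        if r.treatment == "defer" and not r.note:
            findings.append(f"{tag}: deferred risk needs a review date or budget cycle")
        for c in r.controls:
            d = domain_of(c)
            if d: covered.add(d)
            else: findings.append(f"{tag}: '{c}' is not an Annex A control id")
        # what remains for management to accept after the chosen treatment
        left = r.residual if r.treatment in ("mitigate", "transfer") else score
        residual.append((r.asset, r.threat, left))
    # every Annex A control area must be addressed, or excluded with a documented justification
    for d in sorted(ANNEX_A_DOMAINS, key=lambda k: int(k[2:])):
        if d not in covered:
            findings.append(f"{d} ({ANNEX_A_DOMAINS[d]}) not addressed by any selected control")
    return findings, residual

# Constructed sample register (not from the article); acceptance criterion: score <= 6.
SAMPLE_RISKS = [
    Risk("employee personal information", "laptop loss", 3, 4, "mitigate", ("A.10.7.1", "A.11.3.1"), residual=4),
    Risk("backup servers", "site loss", 1, 5, "transfer", residual=1, note="insured"),
    Risk("backup servers", "weak admin passwords", 4, 3, "accept"),  # 12 > 6: must not be accepted
]
```

Running `check_treatment_plan(SAMPLE_RISKS, 6)` flags the accepted password risk and the nine Annex A domains no selected control touches, and returns the residual list for management sign-off.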
And the benefits?
So once you've gone through this long (18-30 months) and admittedly difficult-at-times process, what's the benefit?
Controls that align with the business. No longer are your information security controls applied based on the whims of management and proclivities of your IT staff. Risk is managed as a whole -- no more chasing down the rat-hole of SOX only to finally crawl back out again, bruised, bloodied, and battered, to repeat the experience with HIPAA, then with SB 1386, then PCI, USA PATRIOT (PDF format), FinCEN, OFAC, PIPEDA, ad infinitum.
Best of all? You can get your business certified to the fact that you have a functioning ISMS that incorporates the requirements of all the legal, contractual, and regulatory requirements that you have included in your scope. It's the closest thing out there to being certified compliant to HIPAA or SOX. And the cost of certification is surprisingly cheap -- $15K to $50K for three years, depending on the size and scope of your ISMS. And despite what the security community is more than willing to sell at the moment, you can't certify to ISO 17799/27002. The controls outlined in ISO 17799 are simply guidelines, not requirements.
This isn't to say that an organization can't decide to use those guidelines as the basis of their control framework, and then perform a gap analysis against those controls. It's just that by deploying ISO 17799/27002 and ignoring 27001, you're missing a fantastic opportunity to bring your Information Security and IT Departments to a level of maturity that is fully aligned with the realities your business faces.
-=-
himself working as an information security consultant.
Article Source : http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9018158
Wednesday, September 5, 2007
Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000
new version of the standard to the previous version, a list of the controls is presented in http://www.cccure.org/Documents/ISO17799/ISO_%2027001_to_17799_mapping.pdf
Sunday, September 2, 2007
IMPLEMENTING ISO 17799
It is becoming increasingly critical that information security is given the attention and level of importance it deserves. Most organizations are now totally dependent upon their information and business systems, so much so that serious disruption to those systems and the business information they contain can mean disaster or critical loss.
ISO17799 is the only internationally accepted worldwide standard/code dealing comprehensively with these issues. Purchasing this standard is a good first step, but as the standard is by necessity a comprehensive and therefore a fairly complex document, guidance is often necessary to help organizations decide where to start and what priorities should be applied to the implementation process.
The ISO17799 Toolkit was of course introduced to solve many of these issues in one step. As well as containing both parts of the standard, it also includes a full set of compliant policies ready for implementation, a road map for potential certification of the organization, an audit kit for network-based systems, a business impact analysis questionnaire, together with many other supportive items (e.g. a disaster recovery kit, a management presentation and an IS glossary). This toolkit represents extremely good value, as it can enable organizations to commence work with the introduction of vital security aids without reference to expensive external consulting resources.
However, even armed with a support kit like this, it is important to understand that the key to the standard is PROCESS... the creation and maintenance of a robust ISMS. This is occasionally overlooked, as some organizations simply adopt a tick list from the first part of the standard (ISO 17799). This is certainly a good stride forward, but is by no means the end of the journey.
Source : http://www.17799central.com/news.htm
Friday, August 31, 2007
Understanding HIPAA Security Implications Of a Wireless LAN Subsystem Using the ISO/IEC 17799 ISMS Standard (Ebook)
By: Frederick Hawkes
File Type : Pdf
Pages : 49
Read This Ebook : http://www.giac.org/certified_professionals/practicals/g7799/0012.php
Project Summary ... 4
Organization ... 4
System Description ... 6
Current Security Structure ... 8
Plan-Do-Check-Act (PDCA) Process ... 9
ISMS Project Plan (PDCA - Plan) ... 10
Project Scope ... 10
Project Timeline ... 11
Organizational Structure and Responsibilities ... 12
Policies, Guidelines, Standards or Procedures Requirements ... 14
Risk Identification Process ... 16
Risks to the System ... 19
Plans for Addressing the Risks ... 20
Selected ISO17799 Controls ... 21
ISMS Implementation Plan (PDCA - Do) ... 23
Overview ... 23
Creation and Staffing of the Security Management Team ... 23
Identification and Processing of Applicable Legislation ... 24
Data Protection and Privacy of Personal Information ... 25
Information Security Policy Document ... 25
Information Security Education and Training ... 26
WLAN Access Control ... 27
Statements of Applicability ... 27
ISO 17799 Section 12.1.4 - Data Protection and Privacy of Personal Information ... 28
ISO 17799 Section 12.1.2 - Intellectual Property Rights ... 28
ISMS Audit Plan (PDCA - Check) ... 29
ISO 17799 Section 4.1.1 - Management Information Security Forum ... 29
ISO 17799 Section 12.1.1 - Identification of Applicable Legislation ... 30
ISO 17799 Section 12.1.4 - Data Protection and Privacy of Personal Information ... 31
ISO 17799 Section 9.4.3 - User Authentication for External Connections ... 32
ISO 17799 Section 3.1.1 - Information Security Policy Document ... 34