Information Security Management BS 7799.2:2002 Audit Check List

Information Security Management BS 7799.2:2002 Audit Check List for SANS

Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant.
Approved by: Algis Kibirkstis
Owner: SANS

Table of Contents

Security Policy
Information security policy
Information security policy document
Review and evaluation

Organisational Security
Information security infrastructure
Management information security forum
Information security coordination
Allocation of information security responsibilities
Authorisation process for information processing facilities
Specialist information security advise
Co-operation between organisations
Independent review of information security
Security of third party access
Identification of risks from third party access
Security requirements in third party contracts
Outsourcing
Security requirements in outsourcing contracts

Asset classification and control
Accountability of assets
Inventory of assets
Information classification
Classification guidelines
Information labelling and handling

Personnel security
Security in job definition and Resourcing
Including security in job responsibilities
Personnel screening and policy
Confidentiality agreements
Terms and conditions of employment
User training
Information security education and training
Responding to security incidents and malfunctions
Reporting security incidents
Reporting security weaknesses
Reporting software malfunctions
Learning from incidents
Disciplinary process

Physical and Environmental Security
Secure Area
Physical Security Perimeter
Physical entry Controls
Securing Offices, rooms and facilities
Working in Secure Areas
Isolated delivery and loading areas
Equipment Security
Equipment siting protection
Power Supplies
Cabling Security
Equipment Maintenance
Securing of equipment off-premises
Secure disposal or re-use of equipment
General Controls
Clear Desk and clear screen policy
Removal of property

Communications and Operations Management
Operational Procedure and responsibilities
Documented Operating procedures
Operational Change Control
Incident management procedures
Segregation of duties
Separation of development and operational facilities
External facilities management
System planning and acceptance
Capacity Planning
System acceptance
Protection against malicious software
Control against malicious software
Housekeeping
Information back-up
Operator logs
Fault Logging
Network Management
Network Controls
Media handling and Security
Management of removable computer media
Disposal of Media
Information handling procedures
Security of system documentation
Exchange of Information and software
Information and software exchange agreement
Security of Media in transit
Electronic Commerce security
Security of Electronic email
Security of Electronic office systems
Publicly available systems
Other forms of information exchange

Access Control
Business Requirements for Access Control
Access Control Policy
User Access Management
User Registration
Privilege Management
User Password Management
Review of user access rights
User Responsibilities
Password use
Unattended user equipment
Network Access Control
Policy on use of network services
Enforced path
User authentication for external connections
Node Authentication
Remote diagnostic port protection
Segregation in networks
Network connection protocols
Network routing control
Security of network services
Operating system access control
Automatic terminal identification
Terminal log-on procedures
User identification and authorisation
Password management system
Use of system utilities
Duress alarm to safeguard users
Terminal time-out
Limitation of connection time
Application Access Control
Information access restriction
Sensitive system isolation
Monitoring system access and use
Event logging
Monitoring system use
Clock synchronisation
Mobile computing and teleworking
Mobile computing
Teleworking

System development and maintenance
Security requirements of systems
Security requirements analysis and specification
Security in application system
Input data validation
Control of internal processing
Message authentication
Output data validation
Cryptographic controls
Policy on use of cryptographic controls
Encryption
Digital Signatures
Non-repudiation services
Key management
Security of system files
Control of operational software
Protection of system test data
Access Control to program source library
Security in development and support process
Change control procedures
Technical review of operating system changes
Technical review of operating system changes
Covert channels and Trojan code
Outsourced software development

Business Continuity Management
Aspects of Business Continuity Management
Business continuity management process
Business continuity and impact analysis
Writing and implementing continuity plan
Business continuity planning framework
Testing, maintaining and re-assessing business continuity plan

Compliance
Compliance with legal requirements
Identification of applicable legislation
Intellectual property rights (IPR)
Safeguarding of organisational records
Data protection and privacy of personal information
Prevention of misuse of information processing facility
Regulation of cryptographic controls
Collection of evidence
Reviews of Security Policy and technical compliance
Compliance with security policy
Technical compliance checking
System audit considerations
System audit controls
Protection of system audit tools

References

Source : www.sans.org
View Full Information Security Management BS 7799.2:2002 Audit Check List for SANS