Using Reflex Disknet Pro to Aid Compliance with BS 7799 & ISO/IEC ...
5.4. Change control procedures [10.5.1]
Formal change control procedures should be enforced according to the standard. By locking the current configuration with regard to existing executable code, PSG achieves this enforcement.
To aid systems maintenance, PSG can be instructed to exempt certain processes from its control. In this way, a system administrator can use software deployment tools to update existing software or install new packages while PSG is active.
5.5. Covert channels and Trojan code [10.5.4 (e)]
The standard requires control of installed code to prevent its modification, and checks to be in place for covert channels through which Trojan code may be introduced.
PSG can again be used to afford a level of assurance that existing executable code cannot be modified; and since the introduction of new executable code is also blocked, even a covert route for Trojan introduction is blocked.
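As an added illustration (not Reflex's code and not a description of how PSG is implemented), the following Python simulates the executable lock-down that sections 5.4 and 5.5 describe: a hash baseline of installed executables, an exemption list for deployment processes, and an audit that reports anything introduced or changed outside the control. The file extensions, process names and sample files are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as executable code in this simulation (assumption).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}
# Processes allowed to change executable code while the lock is active (assumption).
EXEMPT_PROCESSES = {"deploytool.exe"}

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Snapshot every executable under root: relative path -> SHA-256."""
    return {str(p.relative_to(root)): hash_file(p) for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES}

def audit(root: Path, baseline: dict) -> dict:
    """Report executables that differ from the locked baseline."""
    current = build_baseline(root)
    return {"modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
            "new": sorted(k for k in current if k not in baseline),
            "removed": sorted(k for k in baseline if k not in current)}

def write_executable(root: Path, baseline: dict, process: str, rel: str, data: bytes) -> bool:
    """Simulate a process writing executable code: exempt processes succeed and the
    baseline absorbs the change; any other process is refused before anything is written."""
    if process not in EXEMPT_PROCESSES:
        return False
    target = root / rel
    target.write_bytes(data)
    baseline[rel] = hash_file(target)
    return True

def demo() -> dict:
    """Constructed scenario: lock a baseline, then attempt writes from two processes."""
    root = Path(tempfile.mkdtemp())
    (root / "app.exe").write_bytes(b"MZ original app")
    baseline = build_baseline(root)
    refused = write_executable(root, baseline, "explorer.exe", "dropper.exe", b"MZ unapproved")
    allowed = write_executable(root, baseline, "deploytool.exe", "app.exe", b"MZ patched app")
    (root / "app.dll").write_bytes(b"MZ unknown library")  # written outside the control
    return {"refused": refused, "allowed": allowed, "audit": audit(root, baseline)}
```

The audit in `demo()` reports only `app.dll` as new: the refused install never reached disk, and the exempt tool's update was absorbed into the baseline.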
6. Compliance [12]
This clause covers compliance with any criminal and civil law, and with statutory, regulatory or contractual obligations.
6.1. Software copyright [12.1.2.2]
Maintaining software licences can be an onerous task unless there are measures in place to prevent users from installing software. The task of auditing what is actually installed across an organisation's PCs can be never-ending.
By utilising the PSG module within RDP, an organisation can be certain that users are unable to introduce any new software without the permission of the system administrator.
6.2. Compliance with security policy [12.2.1 (d)]
Ensuring compliance with this standard is for the most part a procedural matter, unless some form of enforcement can be utilised.
This document has sought to show how Reflex Disknet Pro software can be used to enforce policy. It is not a replacement for that policy and cannot be correctly installed and configured without reference to a security policy. However, having both a policy and an enforcement element ensures not just compliance but also a uniform approach.
Summary
The desire to meet ISO/IEC 17799:2000 is a very worthy one. The challenge is, once an organisation achieves this standard, how best to maintain it. The policy that you have written will go a long way to helping you, but it is the nature of human
© Reflex Magnetics Ltd 15