Information Security Management: Understanding ISO 17799 - GTA

More documents

Recommendations

Info

Communications and Operations ManagementCommunication and Operations Management control addresses an organization’s ability to ensure correctand secure operation of its assets, including:Operational procedures – comprehensive set of procedures, in support of organizational standards andpolicies.Change control – process to manage change and configuration control, including change management ofthe Information Security Management System.Incident management – mechanism to ensure timely and effective response to any security incidents.Segregation of duties – segregation and rotation of duties minimize the potential for collusion anduncontrolled exposure.Capacity planning – mechanism to monitor and project organizational capacity to ensure uninterruptedavailability.System acceptance – methodology to evaluate system changes to ensure continued confidentiality, integrity,and availability.Malicious code - controls to mitigate risk from introduction of malicious code.Housekeeping – policies, standards, guidelines, and procedures to address routine housekeeping activitiessuch as backup schedules and logging.Network management - controls to govern the secure operation of the networking infrastructure.Media handling – controls to govern secure handling and disposal of information storage media anddocumentation.Information exchange – controls to govern information exchange including end user agreements, useragreements, and information transport mechanisms.Access ControlAccess Control addresses an organization’s ability to control access to assets based on business and securityrequirements, including:Business requirements – policy controlling access to organizational assets based on business requirementsand “need to know.”User management – mechanisms to:Register and deregister usersControl and review access and privilegesManage passwordsUser responsibilities – informing users of their access control responsibilities, including passwordstewardship and unattended equipment.Network access control – policy on usage of network services, including mechanisms (when appropriate)to:Authenticate nodesAuthenticate external usersDefine routingControl network device securityInfo Security Mgmt.: ISO 17799 October 2001 INS Whitepaper • 6
Maintain network segregation or segmentationControl network connectionsMaintain the security of network servicesHost access control – mechanisms (when appropriate) to:Automatically identify terminalsSecurely log-onAuthenticate usersManage passwordsSecure system utilitiesFurnish user duress capability, such as “panic buttons”Enable terminal, user, or connection timeoutsApplication access control – limits access to applications based on user or application authorization levels.Access monitoring – mechanisms to monitor system access and system use to detect unauthorized activities.Mobile computing – policies and standards to address asset protection, secure access, and userresponsibilities.System Development and MaintenanceSystem Development and Maintenance control addresses an organization’s ability to ensure that appropriateinformation system security controls are both incorporated and maintained, including:System security requirements – incorporates information security considerations in the specifications of anysystem development or procurement.Application security requirements – incorporates information security considerations in the specification ofany application development or procurement.Cryptography – policies, standards, and procedures governing the usage and maintenance of cryptographiccontrols.System Integrity – mechanisms to control access to, and verify integrity of, operational software and data,including a process to track, evaluate, and incorporate asset upgrades and patches.Development security – integrates change control and technical reviews into development process.Business Continuity ManagementBusiness Continuity Management control addresses an organization’s ability to counteract interruptions tonormal operations, including:Business continuity planning – business continuity strategy based on a business impact analysis.Business continuity testing – testing and documentation of business continuity strategy.Business continuity maintenance – identifies ownership of business continuity strategy as well as ongoingre-assessment and maintenance.Info Security Mgmt.: ISO 17799 October 2001 INS Whitepaper • 7
Page 1 and 2: The knowledgebehind the network. ®
Page 3 and 4: BackgroundISO 17799 is a direct des
Page 8 and 9: ComplianceCompliance control addres
Page 10 and 11: Step 6: Select and Implement Contro
Page 12 and 13: Information System Security Officer
Page 14 and 15: Security maintenanceGuidelines - es
Page 16 and 17: Figure 5: Risk ScaleRisk calculatio
Page 18: We expect to see an ever-increasing

Information Security Management: Understanding ISO 17799 - GTA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?