Transcript iso-17799
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina Introduction • Information professionals need to address an ever increasing number of threats. • Organizations need to address information security from legal, operational and compliance perspectives. • By combining industry best practices and standards one can implement a information security program. • This article describes the components of ISO 17799 and provides a step-by-step method for using it as the framework for an information security program. 2 ISO 17799 Components, Applications, Implications • ISO 17799 provides framework to establish – risk assessment methods – policies, controls and countermeasures – program documentation • Organizations can use this standard not only to set up an information security program but also to establish distinct guidelines for certification, compliance, and audit purposes. 3 ISO 17799 Components, Applications, Implications (continued ..) • This ISO framework is organized into 11 security control areas. • Each area contains about 39 main security categories, each with a control objective and one or more controls to achieve that objective. 4 ISO 17799 Components, Applications, Implications (continued ..) Figure 1 : Steps for establishing and implementing ISO 17799 5 1. Conduct Risk Assessments • This component of the standard applies to activities that should be completed before security policies and procedures are formulated. • Risk categories, both internal and external are to be considered. • Risk analysis is to be conducted to isolate specific & typical events that would likely affect an organization 6 2. Establish a Security Policy • This component of the standard provides the content and implementation guidance to set the foundation and authorization of the program. • It involves development, authorization and communication of security policy. • It also involves organizing information security. 7 3. Compile an Asset Inventory • This component of the standard addresses asset management and asset protection using controls. • It applies to all assets in tangible and intangible form. • Identify the organization's intellectual property (IP), toots to create and manage IP, and physical assets to build a detailed inventory. • The inventory should distinguish the types, formats, and ownership control issues. • Asset classification and usage rules must be defined. 8 4. Define Accountability • This component of the standard addresses the human aspect of security. • Define roles and responsibilities during preemployment and screening processes. • Conduct security awareness, education & training to communicate expectations & responsibility updates • When employees leave or change jobs, follow through with return of assets process and removal of access rights. 9 5. Address Physical Security • This component of the standard outlines all the requirements for physical security. • Include guidelines for physical security perimeters, entry controls, environmental threats, and access patterns. • Address supporting utilities, power, and telecommunication networks. • Secure the disposal and removal of equipment that hold information. 10 6. Document Operating Procedures • This component of the standard includes operations management and communication management. • Define operating procedures. • Address the separation of duties. • Address network infrastructure through network controls and management. • Address electronic data interchange. 11 7. Determine Access Controls • This component of the standard includes guidelines for establishing rules for information and system access. • Apply policies to users, equipment, and network services. • Document the integrity, authenticity, and completeness of transactions. 12 7. Determine Access Controls (continued..) • Access control measures include: – setting up user registration and de-registration procedures – allocating privileges and passwords – managing development and maintenance of system and system activities 13 8. Coordinate Business Continuity • This component of the standard includes reporting requirements, response & escalation procedures, and business continuity management. • This process should include: – Incident Management • • • • identifying risks and possible occurrences conducting business impact analyses prioritizing critical business functions developing countermeasures to mitigate & minimize the impact of occurrences 14 8. Coordinate Business Continuity (continued..) – Business continuity management • • • • emergency or crisis management tasks resumption plans recovery & restoration procedures training programs • Testing the plan is an absolute must 15 9. Demonstrate Compliance • This component of the standard provides standards for records management and compliance measures. • Address identification, categorization, retention, and stability of media for long-term retention requirements. • Evaluate compliance with established policies & procedures. • Delineate audit controls and tools to determine areas for improvement. 16 Conclusions • Using the ISO standard to structure the information security program is the foundation. • Senior management support is essential. 17 Thank You! • Questions and comments are welcome 18