Transcript iso-17799
ISO 17799: Standard for Security
Ellie Myler & George Broadbent,
The Information Management Journal, Nov/Dec ‘06
Presented by
Bhavana Reshaboina
Introduction
• Information professionals need to address an ever
increasing number of threats.
• Organizations need to address information security
from legal, operational and compliance perspectives.
• By combining industry best practices and standards
one can implement a information security program.
• This article describes the components of ISO 17799
and provides a step-by-step method for using it as
the framework for an information security program.
2
ISO 17799 Components, Applications,
Implications
• ISO 17799 provides framework to establish
– risk assessment methods
– policies, controls and countermeasures
– program documentation
• Organizations can use this standard not only to set
up an information security program but also to
establish distinct guidelines for certification,
compliance, and audit purposes.
3
ISO 17799 Components, Applications,
Implications (continued ..)
• This ISO framework is organized into 11 security
control areas.
• Each area contains about 39 main security
categories, each with a control objective and one or
more controls to achieve that objective.
4
ISO 17799 Components, Applications,
Implications (continued ..)
Figure 1 : Steps for establishing and implementing ISO 17799
5
1.
Conduct Risk Assessments
• This component of the standard applies to activities
that should be completed before security policies and
procedures are formulated.
• Risk categories, both internal and external are to be
considered.
• Risk analysis is to be conducted to isolate specific &
typical events that would likely affect an organization
6
2.
Establish a Security Policy
• This component of the standard provides the content
and implementation guidance to set the foundation
and authorization of the program.
• It involves development, authorization and
communication of security policy.
• It also involves organizing information security.
7
3.
Compile an Asset Inventory
• This component of the standard addresses asset
management and asset protection using controls.
• It applies to all assets in tangible and intangible form.
• Identify the organization's intellectual property (IP),
toots to create and manage IP, and physical assets to
build a detailed inventory.
• The inventory should distinguish the types, formats,
and ownership control issues.
• Asset classification and usage rules must be defined.
8
4.
Define Accountability
• This component of the standard addresses the
human aspect of security.
• Define roles and responsibilities during preemployment and screening processes.
• Conduct security awareness, education & training to
communicate expectations & responsibility updates
• When employees leave or change jobs, follow
through with return of assets process and removal of
access rights.
9
5.
Address Physical Security
• This component of the standard outlines all the
requirements for physical security.
• Include guidelines for physical security perimeters,
entry controls, environmental threats, and access
patterns.
• Address supporting utilities, power, and
telecommunication networks.
• Secure the disposal and removal of equipment that
hold information.
10
6.
Document Operating Procedures
• This component of the standard includes operations
management and communication management.
• Define operating procedures.
• Address the separation of duties.
• Address network infrastructure through network
controls and management.
• Address electronic data interchange.
11
7.
Determine Access Controls
• This component of the standard includes guidelines
for establishing rules for information and system
access.
• Apply policies to users, equipment, and network
services.
• Document the integrity, authenticity, and
completeness of transactions.
12
7.
Determine Access Controls (continued..)
• Access control measures include:
– setting up user registration and de-registration procedures
– allocating privileges and passwords
– managing development and maintenance of system and
system activities
13
8.
Coordinate Business Continuity
• This component of the standard includes reporting
requirements, response & escalation procedures, and
business continuity management.
• This process should include:
– Incident Management
•
•
•
•
identifying risks and possible occurrences
conducting business impact analyses
prioritizing critical business functions
developing countermeasures to mitigate & minimize the impact of
occurrences
14
8.
Coordinate Business Continuity
(continued..)
– Business continuity management
•
•
•
•
emergency or crisis management tasks
resumption plans
recovery & restoration procedures
training programs
• Testing the plan is an absolute must
15
9.
Demonstrate Compliance
• This component of the standard provides standards
for records management and compliance measures.
• Address identification, categorization, retention, and
stability of media for long-term retention
requirements.
• Evaluate compliance with established policies &
procedures.
• Delineate audit controls and tools to determine areas
for improvement.
16
Conclusions
• Using the ISO standard to structure the information
security program is the foundation.
• Senior management support is essential.
17
Thank You!
• Questions and comments are welcome
18