ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina
Introduction Information professionals need to address an ever increasing number of threats. Organizations need to address information security from legal, operational and compliance perspectives. By combining industry best practices and standards one can implement a information security program. This article describes the components of ISO and provides a step-by-step method for using it as the framework for an information security program. 2
ISO Components, Applications, Implications ISO provides framework to establish – risk assessment methods – policies, controls and countermeasures – program documentation Organizations can use this standard not only to set up an information security program but also to establish distinct guidelines for certification, compliance, and audit purposes. 3
ISO Components, Applications, Implications (continued..) This ISO framework is organized into 11 security control areas. Each area contains about 39 main security categories, each with a control objective and one or more controls to achieve that objective. 4
ISO Components, Applications, Implications (continued..) 5 Figure 1 : Steps for establishing and implementing ISO 17799
1.Conduct Risk Assessments This component of the standard applies to activities that should be completed before security policies and procedures are formulated. Risk categories, both internal and external are to be considered. Risk analysis is to be conducted to isolate specific & typical events that would likely affect an organization 6
2.Establish a Security Policy This component of the standard provides the content and implementation guidance to set the foundation and authorization of the program. It involves development, authorization and communication of security policy. It also involves organizing information security. 7
3.Compile an Asset Inventory This component of the standard addresses asset management and asset protection using controls. It applies to all assets in tangible and intangible form. Identify the organization's intellectual property (IP), toots to create and manage IP, and physical assets to build a detailed inventory. The inventory should distinguish the types, formats, and ownership control issues. Asset classification and usage rules must be defined. 8
4.Define Accountability This component of the standard addresses the human aspect of security. Define roles and responsibilities during pre- employment and screening processes. Conduct security awareness, education & training to communicate expectations & responsibility updates When employees leave or change jobs, follow through with return of assets process and removal of access rights. 9
5.Address Physical Security This component of the standard outlines all the requirements for physical security. Include guidelines for physical security perimeters, entry controls, environmental threats, and access patterns. Address supporting utilities, power, and telecommunication networks. Secure the disposal and removal of equipment that hold information. 10
6.Document Operating Procedures This component of the standard includes operations management and communication management. Define operating procedures. Address the separation of duties. Address network infrastructure through network controls and management. Address electronic data interchange. 11
7.Determine Access Controls This component of the standard includes guidelines for establishing rules for information and system access. Apply policies to users, equipment, and network services. Document the integrity, authenticity, and completeness of transactions. 12
7.Determine Access Controls (continued..) Access control measures include: – setting up user registration and de-registration procedures – allocating privileges and passwords – managing development and maintenance of system and system activities 13
8.Coordinate Business Continuity This component of the standard includes reporting requirements, response & escalation procedures, and business continuity management. This process should include: – Incident Management identifying risks and possible occurrences conducting business impact analyses prioritizing critical business functions developing countermeasures to mitigate & minimize the impact of occurrences 14
8.Coordinate Business Continuity (continued..) – Business continuity management emergency or crisis management tasks resumption plans recovery & restoration procedures training programs Testing the plan is an absolute must 15
9.Demonstrate Compliance This component of the standard provides standards for records management and compliance measures. Address identification, categorization, retention, and stability of media for long-term retention requirements. Evaluate compliance with established policies & procedures. Delineate audit controls and tools to determine areas for improvement. 16
Conclusions Using the ISO standard to structure the information security program is the foundation. Senior management support is essential. 17
Thank You! Questions and comments are welcome 18