ISO 17799
InfoSec: Can you dig it?
Agenda
Introduction and Purpose
Risk Assessment, Controls and Guiding Principles
Success Factors
Examples of it in terms of InfoSec Policy and Organizational Security
Implementing an Information Security Management Systems Environment
Code of Practice For Information Security Management
Best practices framework
From 7.2.1, Equipment siting and protection: Equipment should be sited or protected to reduce the risks from environmental threats….
Information Security Management Systems Specification With Guidance For Use
From 7.2.1, Equipment shall be sited or protected….
ISO has begun the study period of BS 7799-2:2002 towards adoption
*Note: These are suggestions and should only be implemented based upon the risk assessment.
*Most important factors.
Sections of a code-of-practice will be classified in this class if no effort was made by the organization to implement any of the recommended controls for their specific requirements. This is the lowest class. Certified products do not have any influence on the classification of sections on this level.
If minimal effort was put into implementing some of the recommended controls, it will be possible to classify some sections in this class. The same requirement as for Class 1 is applicable for the code-of-practice controls in some of the sections. Certified products do not have any influence on the classification of sections on this level either.
The same requirement as for Class 2 is applicable for the code-of-practice controls in some of the sections. The majority of the sections must satisfy additional requirements based on implemented processes and procedures to prove that the recommended controls from the code-of-practice are implemented on a reasonable level. Some sections have an additional requirement for certified products to be used.
For a section to be classified as adequately protected, it must be verifiable that considerable effort was made to implement the complete set of recommended controls for the section. This implies full compliance with the code-of-practice for that specific section. Furthermore, the majority of sections have an additional requirement that certified products, in all the product categories, must be implemented to demonstrate adequate protection. If there are no related product categories for an ISO 17799 section, it is possible for that section to advance to this class in the absence of certified products.
Client board decides to implement
Senior Management must visibly commit to adopting the standard
Decide InfoSec Policy
InfoSec policy once adopted must be furnished to all trained employees
Senior Management then decides which business units will be offered up for certification
The organization's scope for this project is recorded in an ISMS Scope Doc
The Risk Assessment (RA) is carried out against the Scope Doc (identifying assets, threats and vulnerabilities) and produces the RA doc
Org decides risk approach and determines acceptable degree of risk
The org must decide how to manage the identified risks so that the residual degree of risk is within acceptable limits.
Once action, accountability and ownership are established, it is documented
Controls required to reduce risk to acceptable levels are identified.
Controls selected from ISO17799 and documented
Selected controls must be traceable to the risk they address. This is documented in the Statement of Applicability (SoA).
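The steps above (identify asset, threat and vulnerability; decide the acceptable degree of risk; pick a treatment and controls; record ownership; trace every selected control back to a risk in the SoA) can be modelled as a small risk register with an automated consistency check. The following is an added example written for this page, not material from the deck or from the standard; the register rows, the acceptable-risk value, the likelihood/impact scale and all control references other than 7.2.1 (which the deck quotes) are constructed for illustration.

```python
from dataclasses import dataclass, field

# Acceptable degree of risk, as decided by the organization (constructed value).
ACCEPTABLE_RISK = 6


@dataclass
class Risk:
    """One row of the risk assessment: asset, threat, vulnerability, the treatment
    decision, the ISO 17799 controls chosen for it, and who owns the action."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                # 1 (negligible) .. 5 (severe), constructed scale
    treatment: str = "reduce"  # reduce | accept | avoid | transfer
    controls: list = field(default_factory=list)
    likelihood_reduction: int = 0  # likelihood points the selected controls remove
    owner: str = ""

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        if self.treatment == "avoid":
            return 0  # the activity is stopped, so no exposure remains
        return max(1, self.likelihood - self.likelihood_reduction) * self.impact


def build_soa(risks):
    """Statement of Applicability: each selected control mapped to the risk ids it addresses."""
    soa = {}
    for r in risks:
        for c in r.controls:
            soa.setdefault(c, []).append(r.risk_id)
    return soa


def check_register(risks, selected_controls, acceptable=ACCEPTABLE_RISK):
    """Return findings for: residual risk above the acceptable degree, 'reduce'
    treatments with no controls, missing ownership, and selected controls that
    trace back to no identified risk."""
    findings = []
    soa = build_soa(risks)
    for r in risks:
        if r.residual_risk() > acceptable:
            findings.append(f"{r.risk_id}: residual risk {r.residual_risk()} exceeds acceptable {acceptable}")
        if r.treatment == "reduce" and not r.controls:
            findings.append(f"{r.risk_id}: treatment 'reduce' but no controls selected")
        if not r.owner:
            findings.append(f"{r.risk_id}: no owner assigned")
    for c in selected_controls:
        if c not in soa:
            findings.append(f"{c!r}: selected but traceable to no identified risk")
    return findings


# Constructed register. Only "7.2.1 Equipment siting and protection" is a reference the
# deck itself quotes; the other control names are illustrative placeholders.
REGISTER = [
    Risk("R1", "Customer database server", "Theft of equipment", "Server room left unlocked",
         likelihood=4, impact=5, treatment="reduce",
         controls=["Physical security perimeter (illustrative ref)",
                   "7.2.1 Equipment siting and protection"],
         likelihood_reduction=3, owner="Facilities manager"),
    Risk("R2", "Payroll file share", "Unauthorised access", "Shared administrator password",
         likelihood=4, impact=4, treatment="reduce",
         controls=["User registration (illustrative ref)"],
         likelihood_reduction=1, owner="HR systems owner"),
    Risk("R3", "Visitor Wi-Fi", "Bandwidth abuse", "No usage quota",
         likelihood=3, impact=1, treatment="accept", owner="IT operations"),
]

# Controls the organization lists as selected; the last one is not tied to any risk.
SELECTED_CONTROLS = [
    "Physical security perimeter (illustrative ref)",
    "7.2.1 Equipment siting and protection",
    "User registration (illustrative ref)",
    "Information back-up (illustrative ref)",
]

if __name__ == "__main__":
    for control, risk_ids in build_soa(REGISTER).items():
        print(f"SoA: {control} -> {', '.join(risk_ids)}")
    for finding in check_register(REGISTER, SELECTED_CONTROLS):
        print("FINDING:", finding)
```

Running it reports that R2 still carries a residual risk of 12 against an acceptable degree of 6, so its treatment has to be revisited before the SoA is signed off, and that the back-up control is selected without being traceable to any assessed risk, which is exactly the gap the traceability requirement in the SoA is meant to catch.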