Information Security Standard - MCAST Institute of Information ...

INFORMATION SECURITY
STANDARD

MSA / ISO 17799

BS 7799
–

ISO 17799

ISO/IEC 27002

1

Historical Developments


ISO/IEC 27002

is an
Information Security Standard
published by the
International Standards for
Organisation

(ISO) and by the
International
Electrotechnical Commission

(IEC)


It was originally published
as
ISO/IEC 17799:2000
.
Then i
t
has been
subsequently renumbered ISO/IEC
27002:2005 in July 2007, bringing it into line with
the other

ISO/IEC 27000 series

of

standards.



2

Historical Developments


It is entitled
Information technology
-

Security
techniques
-

Code of practice for information security
management
.


The current standard is a revision of the version first
published by ISO/IEC in

2000
, which was a word
-
for
-
word copy of the British Standard (BS) 7799
-
1:1999


The Malta Standards Authority adopted the BS
7799 as is (MSA/ISO
–

17799)

3

Introduction


ISO/IEC 27002 provides
best practice
recommendations on information security
management for use by those responsible for
initiating, implementing or maintaining
Information
Security Management Systems
(ISMS).


4

Contents of the Standard
-

1


The
standard contains the following twelve main sections:

1.
Risk Assessment

2.
Security Policy

-

M
anagement

direction

3.
Organi
s
ation

of
I
nformation

S
ecurity

-

G
overnance

of
I
nformation

S
ecurity

4.
Asset Management

-

I
nventory

and
C
lassification

of
I
nformation

A
ssets


5.
Human
R
esources

S
ecurity

-

S
ecurity

A
spects

for
E
mployees

J
oining
,
M
oving

and
L
eaving

an
O
rgani
s
ation


6.
Physical and Environmental

-

P
rotection

of
C
omputer

F
acilities


7.
Communications and
O
perations

M
anagement

-

management of technical security controls in systems and networks


5

Contents of the Standard
-

2

8.
Access Control

-

R
estriction

of access rights to
networks, systems, applications, functions and data
;

9.
Information Systems Acquisition, Development and
Maintenance

-

B
uilding

security into applications
;

10.
Information security incident management

-

A
nticipating

and responding appropriately to
information security breaches
;

11.
Business Continuity Management

-

P
rotecting
,
maintaining and recovering business
-
critical processes
and systems
;

12.
Compliance

-

ensuring conformance with

Information
Security Policies
, standards, laws and regulations
.


6

Section 4
–

Security Organisation

4.1
Information Security Infrastructure

4.2
Security and Third Party
Access

4.3 Outsourcing

7

Section 5 Asset Classification and
Control

5.1
Accountability for
assets

5.2
Information Classification

8

Section 6
–

Presonnel Security

6.1
Security in Job Definition and
Resourcing

6.2
User
Training

6.3
Responding to Security Incidents and Malfunctions

9

Section 7
–

Physical and Environmental
Security

7.1
Secure
Areas

7.2
Equipment
Security

7.3
General Controls

10

Section 8
-

Communications and
Operations Management

8.1
Operational Procedures and
Responsibility

8.2
System Planning and
Acceptance

8.3
Protection Against Malicious
Software

8.4 Housekeeping

8.5
Network
Management

8.6
Media Handling and
Security

8.7
Exchanges of Information and Software

11

Section 9
–

Access Control

9.1
Business Requirement for Access
Control

9.2
User Access
Management

9.3
User
Responsibilities

9.4
Network Access
Control

9.5
Operating System Access
Control

9.6
Application Access
Management

9.7
Monitoring System Access and
Use

9.8
Mobile Computing and
Telenetworking

12

Section 10
-

System Development and
Maintenance

1
0.1
Security Requirements of
Systems

1
0.2
Security in Application
Systems

1
0.3
Cryptographic
Controls

1
0.4
Security of System
Files

1
0.5
Security in Development and Support Processes

13

Section 11
-

Business Continuity
Management

1
1.1
Aspects of Business Continuity Management


14

Section 12
-

Compliance

12.1 Compliance with Legal Requirements

1
2.2 Reviews of Security Policy and Technical
Compliance

12.3 System Audit Considerations


15

Part 2
-

Introduction


This is the 'specification' for an Information Security
Management System (ISMS). It is the means to
measure, monitor and control security management
from a top down perspective. It essentially explains
how to apply ISO 17799 and it is this part that can
currently be certified against.

16

Part 2
-

Contents


Part 2 defines a six part 'process', roughly as
follows:


-

Define a security policy

-

Define the scope of the ISMS

-

Undertake a risk assessment

-

Manage the risk

-

Select control objectives and controls to be
implemented

-

Prepare a statement of applicability.

17

Question Time


18