ISO 17799 and 27001: Setting the Standards for Information Security


Availability

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.

High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

Bibliography

  • Allen, Julia H. (2001). The CERT Guide to System and Network Security Practices. Boston, MA: Addison-Wesley. ISBN 0-201-73723-X.
  • Krutz, Ronald L.; Vines, Russell Dean (2003). The CISSP Prep Guide (Gold ed.). Indianapolis, IN: Wiley. ISBN 0-471-26802-X.
  • Layton, Timothy P. (2007). Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: Auerbach Publications. ISBN 978-0-8493-7087-8.
  • McNab, Chris (2004). Network Security Assessment. Sebastopol, CA: O’Reilly. ISBN 0-596-00611-X.
  • Peltier, Thomas R. (2001). Information Security Risk Analysis. Boca Raton, FL: Auerbach Publications. ISBN 0-8493-0880-1.
  • Peltier, Thomas R. (2002). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Boca Raton, FL: Auerbach Publications. ISBN 0-8493-1137-3.
  • White, Gregory (2003). All-in-One Security Certification Exam Guide. Emeryville, CA: McGraw-Hill/Osborne. ISBN 0-07-222633-1.
  • Dhillon, Gurpreet (2007). Principles of Information Systems Security: Text and Cases. New York, NY: John Wiley & Sons. ISBN 978-0-471-45056-6.

Change management

Change management is a formal process for directing and controlling alterations to the information processing environment. This includes alterations to desktop computers, the network, servers and software. The objectives of change management are to reduce the risks posed by changes to the information processing environment and improve the stability and reliability of the processing environment as changes are made. It is not the objective of change management to prevent or hinder necessary changes from being implemented.

Any change to the information processing environment introduces an element of risk. Even apparently simple changes can have unexpected effects. One of management's many responsibilities is the management of risk, and change management is a tool for managing the risks introduced by changes to the information processing environment.

Confidentiality

Confidentiality is the property of preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network.

The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing sensitive information about a company’s employees is stolen or sold, it could result in a breach of confidentiality.

Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.[citation needed]


Controls

When management chooses to mitigate a risk, it does so by implementing one or more of three different types of controls.

Defense in depth

Information security must protect information throughout the life span of the information, from the initial creation of the information on through to the final disposal of the information. The information must be protected while in motion and while at rest.

During its lifetime, information may pass through many different information processing systems and through many different parts of information processing systems. There are many different ways the information and information systems can be threatened.

To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms. The building up, layering on and overlapping of security measures is called defense in depth. The strength of any system is no greater than its weakest link.

Disaster recovery planning

While a business continuity plan (BCP) takes a broad approach to dealing with organizational-wide effects of a disaster, a disaster recovery plan (DRP), which is a subset of the business continuity plan, is instead focused on taking the necessary steps to resume normal business operations as quickly as possible.

A disaster recovery plan is executed immediately after the disaster occurs and details what steps are to be taken in order to recover critical information technology infrastructure.[12]

Further reading

  • Anderson, K., “IT Security Professionals Must Evolve for Changing Market”, SC Magazine, October 12, 2006.
  • Aceituno, V., “On Information Security Paradigms”, ISSA Journal, September 2005.
  • Dhillon, G., “Principles of Information Systems Security: Text and Cases”, John Wiley & Sons, 2007.
  • Lambo, T., “ISO/IEC 27001: The Future of Infosec Certification”, ISSA Journal, November 2006.

History

Since the early days of writing, heads of state and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of written correspondence and to have some means of detecting tampering.

Julius Caesar is credited with the invention of the Caesar cipher ca. 50 B.C., which was created in order to prevent his secret messages from being read should a message fall into the wrong hands.

World War II brought about many advancements in information security and marked the beginning of the professional field of information security.

Incident response plans

1 to 3 paragraphs (non technical) that discuss:

  • Selecting team members
  • Define roles, responsibilities and lines of authority
  • Define a security incident
  • Define a reportable incident
  • Training
  • Detection
  • Classification
  • Escalation
  • Containment
  • Eradication
  • Documentation

Integrity

In information security, integrity means that data cannot be modified undetectably.[citation needed] This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing.
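A direct way to make modification detectable is to bind each record to a keyed checksum. The following is an added example, not code from the original article; the record, the key value and the function names are constructed. It seals a record with HMAC-SHA256 and shows that editing a single field is caught on verification. Because the tag is computed with a shared secret, either holder of the key could have produced it, so this gives integrity but not the non-repudiation discussed later, which needs a digital signature:

```python
import hashlib
import hmac
import json

# Constructed key for the example; in practice the key lives in a secret store, not in code.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the record wrapped with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the data is exactly what was sealed; any change breaks the tag."""
    expected = hmac.new(key, canonical_bytes(sealed["data"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking tag bytes through timing differences
    return hmac.compare_digest(expected, sealed["tag"])


def tamper_detected(sealed: dict, field: str, new_value) -> bool:
    """Simulate an unauthorized edit of one field and report whether verification catches it."""
    modified = {"data": dict(sealed["data"]), "tag": sealed["tag"]}
    modified["data"][field] = new_value
    return not verify(modified)


# Constructed sample: a payment record whose amount must not change silently.
ORIGINAL = {"order": "A-1001", "amount": "19.99", "currency": "USD"}

if __name__ == "__main__":
    sealed = seal(ORIGINAL)
    print("intact:", verify(sealed))
    print("amount edited:", tamper_detected(sealed, "amount", "1.99"))
```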

ISO 17799 and 27001: Setting the Standards for Information Security

Financial institutions are subject to a slew of laws and regulations aimed at information security: Gramm-Leach-Bliley (privacy), the Federal Financial Institutions Examination Council (authentication and online banking), and the Payment Card Industry (card security). There are also California’s and other states’ data breach disclosure laws, the Sarbanes-Oxley Act, which requires IT to test the effectiveness of controls over financial-reporting systems, and the European Union’s privacy laws, among others.

While these laws and regulations do a good job of defining the scope of information security and spelling out the role of information security in risk management, they have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Standards Organization has developed two standards that do precisely that, and by adhering to them banks can go a long way toward satisfying regulatory compliance requirements.



The two standards, ISO 17799 and ISO 27001, together provide a set of best practices and a certification standard for information security. The standards are both derived from a British standard, BS7799, which for many years served as the authority for information security. BS7799 came in two parts; part one, BS7799:1, became ISO 17799, while BS7799:2 became ISO 27001.

ISO 17799 provides best practice recommendations for initiating, implementing, or maintaining information security management systems. Information security is defined within the standard as the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).

The standard contains 12 sections: risk assessment and treatment; security policy; organization of information security; asset management; access control; information security incident management; human resources security; physical and environmental security; communications and operations management; information systems acquisition, development and maintenance; business continuity management; and compliance.

Within each section, information security control objectives are specified and a range of controls are outlined that are generally regarded as best practices. For each control, implementation guidance is provided. Each organization is expected to perform an information security risk assessment prior to implementing controls.

The second standard, ISO 27001, specifies requirements for establishing, implementing, maintaining, and improving an information security management system consistent with the best practices outlined in ISO 17799. Previously, organizations could only be officially certified against the British Standard (or national equivalents) by certification/registration bodies accredited by the relevant national standards organizations. Now the international standard can be used for certification.

ISO 27001 is the first standard in a proposed series of information security standards that will be assigned numbers within the ISO 27000 series. ISO 17799 is expected to be renamed ISO 27002 in 2007. Also in the works is ISO 27004 (Information Security Management Metrics and Measurement), currently in draft.

ISO 27001 is the formal standard against which organizations may seek independent certification of their information security management systems. It contains a total of 133 controls in eleven sections. Controls from ISO 17799 are noted in an appendix to ISO 27001. Organizations adopting ISO 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations.

Certification is entirely voluntary but is increasingly being demanded of suppliers and business partners by organizations concerned about information security. Certification against ISO 27001 brings a number of benefits. Independent assessment brings rigor and formality to the implementation process, implying improvements to information security and associated risk reduction, and requires management approval, which promotes security awareness.

Perhaps most significantly, by implementing ISO 27001, financial institutions can go a long way toward meeting their compliance requirements and satisfying auditors and regulators. Says Martin Smith, senior consultant at Insight Consulting, “It should provide assurance for an organization, both to itself and its external partners and competitors, that information security is taken seriously.”

The management processes implemented for ISO 27001 are based on the Deming cycle of continuous improvement: Plan-Do-Check-Act. Measuring effectiveness is a critical element of improving information security management, and hence realizing business benefit and flexibility in a changing environment.


Key concepts

For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) to be the core principles of information security.[citation needed]

There is continuous debate about extending this classic trio.[citation needed] Other principles such as Accountability[2] have sometimes been proposed for addition – it has been pointed out[citation needed] that issues such as Non-Repudiation do not fit well within the three core concepts, and as regulation of computer systems has increased (particularly amongst the Western nations)

The OECD’s Guidelines for the Security of Information Systems and Networks[3], issued in 1992 and revised in 2002, proposed nine generally accepted principles: Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment.

Building upon those, in 2004 the NIST’s Engineering Principles for Information Technology Security[4] proposed 33 principles. Guidelines and practices are derived from each of these.

In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility.

The merits of the Parkerian hexad are a subject of debate amongst security professionals.[citation needed]

Logical

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.

Non-repudiation

In law, non-repudiation implies a party’s intention to fulfill its obligations under a contract. It also implies that one party to a transaction cannot deny having received the transaction, nor can the other party deny having sent it.

Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation.

Physical

Physical controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities. Examples include doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, and cable locks. Separating the network and work place into functional areas is also a physical control.

Professionalism

Information security professionalism is the set of knowledge that people working in information security and similar fields (information assurance and computer security) should have and eventually demonstrate through certifications from well-respected organizations. It also encompasses the education process required to accomplish different tasks in these fields.

Security governance

The Software Engineering Institute at Carnegie Mellon University, in a publication titled “Governing for Enterprise Security (GES)”, defines characteristics of effective security governance. These include:

  • An enterprise-wide issue
  • Leaders are accountable
  • Viewed as a business requirement
  • Risk-based
  • Roles, responsibilities, and segregation of duties defined
  • Addressed and enforced in policy
  • Adequate resources committed
  • Staff aware and trained
  • A development life cycle requirement
  • Planned, managed, measurable, and measured
  • Reviewed and audited

Conclusion

Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, disruption, or distribution. This never-ending process involves ongoing training, assessment, protection, monitoring and detection, incident response and repair, documentation, and review. This makes information security an indispensable part of all business operations across different domains.
