
| Subject: | [CISSP-D] ISO 17799 / ISO 27001 |
|---|---|
| Date: | Wed, 27 Sep 2006 13:27:43 -0000 |
For anyone interested, the latest ISO17799/ISO27001 Newsletter has just arrived today. Copied in full below (with permission).

Laura

______________________________________________________
THE ISO 27001 and ISO 17799 NEWSLETTER - EDITION 12
______________________________________________________

Welcome to Issue 12 of the ISO27001/ISO17799 newsletter, designed to provide news and information with respect to the ISO information security standards. The information contained within the newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.

Covered in this edition are the following topics:

1) Obtaining the Standards
2) BS7799 Emerges... Again
3) Information Security News
4) ISO 17799 and COBIT
5) A World Wide Phenomenon
6) ISO17799 Section 14: Terrorist Plot Reveals Continuity Weakness
7) More Frequently Asked ISO17799/ISO27001 Questions
8) Protecting Confidentiality Using An SLA
9) More ISO 17799 Related Terms and Definitions
10) It Couldn't Happen Here.... Could It?
11) Contributions
12) Subscription Information

OBTAINING ISO 17799 AND ISO 27001
=================================

The first question we often field is "Where can I obtain a copy of the standard?" The standard itself is available from:

http://www.17799-toolkit.com
This is the web site for the ISO 17799 and ISO 27001 Toolkit. This downloadable package was created to help those taking the first steps towards addressing the standards. It includes both parts of the standard, audit checklists, a roadmap, a set of ISO compliant security policies, and a range of other items and materials.

http://17799.standardsdirect.org
This is the BSI Online Shop, a vending site for downloadable copies of the standards.

BS7799 EMERGES... AGAIN!
========================

BS7799-1 became ISO 17799. Then, BS7799-2 emerged, to evolve into ISO 27001. Now: BS7799-3 has been born.

It is titled "Information security management systems - Part 3: Guidelines for information security risk management", and is intended to provide guidance and support for the implementation of ISO27001. It is mooted that it too will eventually become an ISO standard: ISO 27005.

Risk management of course is part and parcel of information security, and also of the security standards. That BSI should introduce a standard embracing it is therefore no surprise. It can of course be obtained via BSI's online outlet, Standards Direct: http://17799.standardsdirect.org/bs7799.htm

INFORMATION SECURITY NEWS
=========================

1) The creators of the Zotob worm, which disrupted networks at a number of media outlets, have been jailed in Morocco for between one and two years. The worm is estimated to have caused $400 million in damages.

2) AT&T have admitted that the personal information of about 19,000 customers has been accessed by hackers via the company's online store. The company is working with the law enforcement agencies to track down the perpetrators.

3) Telecom provider Verizon is also in the news, having admitted that an employee accidentally sent an email attachment containing information on about 5,000 customers to 1,800 of its customers.

4) A study of prosecutions by the US Dept of Justice has revealed that corporations attacked by cybercriminals over the last few years lost an average of $3 million per case.

5) A survey of 132 senior executives, conducted by ControlPath (http://www.controlpath.com), has revealed that 72% are not confident that they are complying with applicable regulations.

ISO 17799 AND COBIT
===================

COBIT 4.0 complements the guidance within ISO/IEC 17799:2005, and is proving to be a significant Sarbanes-Oxley Act compliance aid.

Whereas the ISO/IEC 17799:2005 standard covers the wider spectrum of information security requirements, the COBIT guidelines provide in-depth control objectives and supportive management guidelines focusing specifically on information technology issues.

The COBIT guidelines (Control Objectives for Information and related Technology) are issued by the Institute for IT Governance (http://www.itgi.org) and the Information Systems Audit and Control Association (http://www.isaca.org), and are fast becoming a key SOX compliance tool, following the recognition that IT controls represent important components in ensuring financial reporting accuracy and disclosure.

The ISO/IEC 17799:2005 standard comprises the following:

Introductory Sections
1 Scope
2 Terms and definitions
3 Structure of the standard

Information Security Guidance Sections
4 Risk assessment and treatment
5 Security policy
6 Organizing information security
7 Asset management
8 Human resource security
9 Physical and environmental security
10 Communications and operations management
11 Access control
12 Information systems acquisition, development and maintenance
13 Information security incident management
14 Business continuity management
15 Compliance

COBIT, however, is organized into 4 domains containing 34 sections as follows:

Domain PO - Plan & Organize
PO1 Define a strategic plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organization and relationship
PO5 Manage the IT investment
PO6 Communicate management aims and relationships
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage Projects

Domain AI - Acquire and Implement
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes

Domain DS - Deliver and Support
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations

Domain ME - Monitor and Evaluate
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance

COBIT 4.0 (the latest version) maps to ISO/IEC 17799:2005 in the following manner (columns are ISO 17799 chapter numbers):

| COBIT 4.0 domain | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Plan and Organize (PO) | L | H | L | L | H | H | H | H | L | L | M | L |
| Acquire and Implement (AI) | H | M | M | L | M | H | L | L | L | L | L | L |
| Deliver and Support (DS) | L | H | M | H | H | L | H | M | M | M | H | M |
| Monitor and Evaluate (ME) | L | M | L | M | L | L | L | L | L | L | L | L |

Key to level of matching between COBIT 4.0 and ISO 17799:2005:
H = Reasonably good match
M = Some matching
L = Low level or no matching

The above matrix will hopefully prove to be useful for those also embracing COBIT within their ISO 17799 / ISO 27001 remit.

Reference: http://www.controlit.org (The COBIT User Group).

ISO17799: THE WORLD WIDE PHENOMENON
===================================

Our source list for recent purchases of the standard always proves to be a popular talking point. The most recent thousand or so is as follows:

Argentina 3, Australia 19, Austria 7, Barbados 1, Belgium 14, Bermuda 2, Bosnia and Herzegovina 2, Brasil 11, Canada 101, Cayman Islands 1, Chile 5, China 8, Colombia 11, Costa Rica 1, Croatia 1, Cyprus 3, Denmark 15, Egypt 6, Estonia 1, France 14, Germany 51, Gibraltar 1, Greece 5, Guatemala 1, Hong Kong 11, Hungary 5, Iceland 2, India 14, Indonesia 3, Ireland 27, Israel 3, Italy 31, Jamaica 3, Japan 9, Jordan 1, Korea 2, Lebanon 1, Luxembourg 2, Malaysia 9, Malta 2, México 19, Netherlands 32, New Zealand 7, Norway 19, Panama 1, Peru 1, Philippines 3, Poland 4, Portugal 4, R.O.C. 2, Romania 2, Russia 6, Saudi Arabia 7, Singapore 16, Slovak Republic 1, Slovenia 2, South Africa 11, Spain 24, Sultanate of Oman 1, Sweden 12, Switzerland 43, Taiwan 4, Thailand 1, Tunisia 1, Turkey 4, UK 341, United Arab Emirates 7, USA 492, Venezuela 1.

The same health warnings as usual apply: these are online credit card sales. Consequently, those cultures that are less familiar with this form of ecommerce will be under represented.

ISO 17799 SECTION 14: CONTINUITY WEAKNESS EXPOSED BY TERRORIST PLOT
===================================================================

The recently foiled terrorist plot, that averted potential disaster on targeted US airlines flying out of UK airports, has focused attention on the lack of quality in the procedures and processes in place to maintain acceptable levels of airport baggage handling. The government's handling of the crisis is also being criticized, with British Airways alone rumored to have lost over £50 million. There was clearly a lack of preparation for this type of emergency at some UK airports. In particular it has been reported that Ryan Air are considering taking action over apparent BAA emergency staffing shortages, which Ryan Air considers exacerbated the problem and resulted in additional cancellations.

When preparing business continuity plans for emergencies that can potentially disrupt normal operations, the business continuity planning team will identify "what if" scenarios that examine the potential impact of a failure, or removal, of one or more critical components within the business or operational processes.

Perhaps it could be said that it was difficult to predict that permitted carry-on luggage could suddenly be reduced to just travel documents, essential medicines and other emergency items, but this should have been a recognizable scenario identified during the planning process, no matter how low the perceived probability of it actually happening was.

Once the possibility that this disruptive event could occur has been accepted, the impact on the operations as a whole must be assessed and the level of ensuing crisis predicted. Although assessing probability is an important part of the process, and can provide a yardstick for the financial and other resources you make available to safeguard against this event, if the chances of such a scenario occurring are a real possibility then you must examine the impact of the event actually occurring, and not dismiss the scenario based on a low probability factor.

After the potentially disruptive scenario has been identified, probabilities assessed, and the business, financial and public impacts predicted, suitable strategies should be formulated for mitigating the impact. Emergency procedures will also be developed to ensure that the impact on the business and the customers is minimized. Responsible management must also consider how they are going to resource these emergency procedures during the crisis and ensure that these emergency resources are always available.

When developing your business continuity plan it is important to ensure that adequate time is allocated to identifying and examining all the potential scenarios that could disrupt your business.

More information is available from: http://www.disasterrecoveryforum.com and http://www.baa.co.uk

ISO17799 - MORE FREQUENTLY ASKED QUESTIONS
==========================================

1) What is ISO 27000?
This doesn't really exist as such. It is essentially a generic name given to standards of the form ISO 27nnn. Currently there is only one: ISO 27001. However, it is envisaged that ultimately ISO 17799 may become ISO 27002, and other information security standards may be numbered similarly within the 27000 series. More information: http://www.27000.org

2) Where can I find old copies of ISO 17799 / ISO 27001 News?
The archive site is now located at: http://www.molemag.net

3) Can I re-publish articles from this newsletter internally, on our company intranet, or even on our external website?
Yes, subject to a link to the newsletter's archive web site above.

4) How do I become an ISO 27001 Lead Auditor?
Certification bodies, such as BSI, conduct a five day workshop followed by an examination. Thereafter, different certification bodies have different requirements (eg: number of years security experience) and different procedures (eg: on the job observation).

5) What is an Accreditation Body?
An accreditation body is an organization which bestows the authority to 'certify' (issue certificates) upon another body. Examples include ANAB (http://www.anab.org), UKAS (http://www.ukas.com) and the SCC (http://www.scc.ca).

PROTECTING CONFIDENTIALITY USING AN SLA
=======================================

The confidentiality of information, data and records can be a particularly critical issue with respect to formal agreements. Within these, the two parties are usually referred to either as the "Client" and the "Supplier" or the "disclosing party" and the "receiving party". In a Service Delivery relationship, both the supplier and the client are likely to become aware of proprietary or trade secret information about the other party which should be treated in a confidential manner.

To cover this scenario, within the SLA, a basic wording could be used as follows:

"Both parties agree to keep confidential all information concerning the other party's business or its ideas, products, customers or services that could be considered to be "confidential information". "Confidential information" is any information belonging to or in the possession or control of a party that is of a confidential, proprietary or trade secret nature that is furnished or disclosed to the other party. Confidential information will remain the property of the disclosing party and the receiving party will not acquire any rights to that confidential information."

Should this wording not be suitable for either the supplier or the client, then the two parties should formally agree on an alternative wording.

Source: The SLA Toolkit (http://www.service-level-agreement.net).

Important Note: If you haven't got a formal service level agreement in place for your critical services... you should have!

ISO 17799 RELATED TERMS AND DEFINITIONS
=======================================

In each ISO 17799 and ISO 27001 Newsletter we will include a selection of terms and definitions to unravel and explain some of the jargon and strange language used by Information Security professionals. In this edition, we have provided a selection of terms that all start with the letter `A'.

ACCESS
Two types of access - Physical and Logical.

Physical Access. The process of obtaining use of a computer system - for example by sitting down at a keyboard - or of being able to enter specific area(s) of the organization where critical information or systems are located.

Logical Access. The process of being able to enter, modify, delete, or inspect, records and data held on a computer system by means of providing an ID and password (if required).

The view that restricting physical access relieves the need for logical access restrictions is misleading. Any organization with communications links to the outside world has a security risk of logical access. Hackers do not, generally, visit the sites they are hacking in person - they do it from a distance!

ACCESS RIGHTS
The powers granted to users to create, change, delete, or simply view data and files within a system, according to a set of rules defined by IT and business management. It is not necessarily true that the more senior a person, the more power is granted. For example, most data capture - essentially creating new files or transactions - is performed at relatively junior level, and it is not uncommon for senior management to have access rights only to view data with no power to change it. There are very good Internal Control and Audit reasons for adopting this approach.

ADMISSIBLE EVIDENCE
Admissible Evidence is `evidence' that is accepted as legitimate in a court of law. From an Information Security perspective, the types of `evidence' will often involve the production of a system's log files. The log file will usually identify the fact that a login took place, and certain functions were performed. The issue as to whether or not such a log file is legally admissible is not clear cut. However, opinion appears to be that as long as a computer record is generated as a normal part of business processing, and the computer and software were working as designed and expected, then it may be admissible. Advice from a lawyer is always recommended.

AI ARTIFICIAL INTELLIGENCE
The holy grail of IT folk, the concept of a machine thinking for itself. Despite the success of the recent blockbuster film starring Jude Law - don't hold your breath.

ALPHA GEEK
The most knowledgeable, technically proficient, person in an office, work group, or other, usually non-IT, environment. Born `fiddlers' and `tinkerers', they tend to ignore the basic rule of `If it ain't broke don't fix it', preferring to operate on the basis of `Fix it, until it is broke'. Such people can be a considerable security risk - like ordinary Geeks, Anoraks, and Tech-heads - only more so.

ANORAKS
Whimsical term for computer enthusiasts - usually, but not exclusively, young and lacking in social skills. The term derives from the preferred item of apparel for attending computer exhibitions, it being equipped with numerous sizeable pockets ready to be stuffed with all manner of obscure electronic gizmos. Some anoraks tend more to the software side of IT and may graduate to being Hackers. Anoraks certainly have their uses but, in many ways, are a security risk. Such persons are inclined to do things with, and to, organization IT systems simply for the technical and intellectual challenge, rather than for any business benefit to the organization. Also known as Nerds, Geeks, and Tech-heads, the term is acquiring wider usage to describe any enthusiastic follower of obscure sports, hobbies, pastimes, etc.

ARCHIVE
An area of data storage set aside for non-current (old or historical) records in which the information can be retained under a restricted access regime until no longer required by law or organization record retention policies. This is a field in which computers have distinct advantages over older paper files, in that computer files can be `compressed' when archived to take up far less space on the storage media. Paper records can only be compressed by using microfilm, microfiche, or, more recently, by scanning into a computer system. Whichever system is chosen, care must be exercised to ensure that the records retained meet legal requirements should it ever be necessary to produce these records in a court of law.

IT COULDN'T HAPPEN HERE....COULD IT?
===================================

Every edition of The ISO17799/ISO27001 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) Testing Back-Up Systems: Properly!
A company in Houston regularly tested its back-up generator, then discovered during an actual power failure that the motor required to start the generator was actually connected to the mains! The problem cost the business an estimated US$ 145,000.
The lesson: Make sure you test any back-up system thoroughly and under simulated conditions.

2) Lack of Emergency Procedures
A consultant checking on a New York organization's disaster recovery arrangements asked to see their back-up generator and related procedures. He was introduced to George, who had all the answers on how the process worked but could not produce any written procedures. Two weeks later gales tore down power cables and the customers could not get the generators started - George was away on holiday! Fortunately the organization survived and have now developed WRITTEN emergency procedures.
The lesson: Make sure your emergency procedures are up to date and staff properly trained in their execution.

3) Fire at Chemical Warehouse
Two trainee auditors who work for an accounting firm were involved in a year-end audit at a chemical warehouse in Sheffield UK. A fire broke out in the warehouse and toxic fumes quickly spread throughout the facility. The evacuation procedures were known to the permanent staff, who immediately left on cue. The two auditors, who were working alone in one of the basement offices where records were stored, were not briefed on these procedures and their presence on-site was overlooked during the panic. They very nearly got trapped in an area that was gutted by the fire shortly afterwards, and were lucky to escape. They both spent a week off work due to inhaling toxic fumes, but it could easily have been very much worse.
The lesson: Make sure you set up an effective buddy system to cater for such events, and make sure you include any temporary staff or third parties who may be visiting or working on the premises.

4) Your Favorite "It Couldn't Happen Here" Story
Our poll of stories from previous issues revealed the following results:

| Rank | Story | Issue | Votes |
|---|---|---|---|
| 1 | The 'Perfect' Business Continuity Plan | 9 | 31.1% |
| 2 | Answering Machines Have No Loyalty | 7 | 26.7% |
| 3 | Who Audits the Auditor | 10 | 17.8% |
| 4 | The Disgruntled Employee Strikes Again | 10 | 7.8% |
| 5 | The Old Duplication Trick | 5 | 5.6% |
| 6 | When is Disposal is Not Disposal | 8 | 3.3% |
| 7 | Intellectual Property Rights | 10 | 3.3% |
| 8 | A Simple One - But A Common One | 9 | 2.2% |
| 9 | Confidential User-Ids | 8 | 2.2% |