Network Security CISSP-Discussion

[CISSP-D] Latest ISO 17799 / ISO 27001 Newsletter Released

Subject: [CISSP-D] Latest ISO 17799 / ISO 27001 Newsletter Released
Date: Wed, 24 Jan 2007 10:29:22 -0000
The latest edition has just hit my inbox. An interesting read for
anyone into this aspect:


______________________________________________________

THE ISO 27001 and ISO 17799 NEWSLETTER - EDITION 14
______________________________________________________


Welcome to Issue 14 of the ISO27001/ISO17799 newsletter, designed
to provide news and information with respect to the ISO information
security standards. The information contained within the newsletter is
absolutely free to our subscribers and provides guidance on various
practical issues, plus commentary on recent Information Security
incidents.

Covered in this edition are the following topics: 

1)  ISO 17799/27001 Toolkit Versions
2)  Recruitment and Security Risks
3)  BS25999 Published
4)  User Acceptance Testing: The Basics
5)  Information Security News
6)  More ISO 17799/27001 Frequently Asked Questions
7)  ISO17799 And SOX
8)  More Advice On SLAs
9)  ISO 17799: The World Wide Phenomenon
10) The Development of a Business Continuity Plan
11) ISO 17799 Related Definitions
12) Contributions 

Appendix: Subscription Information



ISO 17799/27001 Toolkit Versions
================================

We occasionally encounter confusion regarding different 'versions' of
the support toolkit for the standards. Hopefully we can clear this up.
There is only ONE version of the toolkit. The core elements are
described here: http://www.17799-toolkit.com

The only variance to this statement is that it is possible to get this
toolkit inclusive of the BS7799-3 security risk assessment standard.
This is obviously slightly more expensive, and is sold from this page
on BSI's Standards Direct outlet:
http://17799.standardsdirect.org/bs7799.htm

Perhaps the cause of the confusion is that the toolkit is also sold
via a number of resellers. These own their own websites, but are
essentially affiliates to the main source. 



Recruitment and Security Risks
==============================

Obvious potential weak links in your information security profile are
the new recruits that have recently joined your organization. If you
do not advise them about your information security requirements and
train them in your critical information security procedures in a
timely fashion, then they collectively may create a significant risk
to the organization and its information assets.  

ALL management and staff are responsible for Information Security,
including those new to the organization. It is vital therefore that
they are brought 'up to speed' quickly to avoid unnecessary
Information Security breaches and related risks. 

Information Security issues to be considered when addressing this
requirement include the following:
   - Confidential data may be lost, damaged or compromised by staff
with insufficient training. 
   - Data may be lost in error or through negligence because staff do
not fully understand the risks involved. 
   - Data may be lost because Information Security measures have been
installed incorrectly and their alarms and messages are misinterpreted. 
   - Confidential information may be compromised if new staff are not
made aware of the scope of the organisation's Information Security
policies.

To overcome this potential weakness, we recommend that you set out the
critical security issues and procedures in an easy-to-understand
document or booklet and provide induction training immediately upon
the new recruit's arrival. Time is very much of the essence. The
recruits should also be obliged to sign a formal statement confirming
that they have read, and understand, this document.


BS25999 Published
=================

The long awaited standard for business continuity, which supports ISO
17799 and ISO 27001, has been published. As with many international
standards, BS25999 will comprise two parts: a code of practice
(equating to ISO 17799) and a specification (equating to ISO 27001).

The first of these was published by BSI at the end of 2006. The
specification will appear later in the year. 

The standard is designed to dovetail with the BCM section within ISO
17799. It covers topics as diverse as strategy and plan maintenance,
and even how to embed business continuity management into the
organizational culture.

BS25999 is bound to have a significant impact upon the whole area of
business continuity and disaster recovery planning. As the first
credible standard developed to provide objective metrics, it is not
hard to see why predictions are rife regarding positive insurance
implications, and marketing leverage for continuity sensitive services.

The standard can be obtained from BSI's Standards Direct online store
(http://pas56.standardsdirect.org), or as part of the introductory BS
25999 Toolkit (http://www.25999continuity.com/). For up to date news
on this standard a dedicated site has emerged: http://www.bs25999.net 


More ISO 17799/27001 Frequently Asked Questions
===============================================

1) What Is ISO 27000 All About?
This is ISO's projected series of information security related
standards. ISO 27001 already exists, and it is proposed that ISO 17799
may be renamed to ISO 27002 later this year. For full and emerging
details we have identified a specific ISO 27000 news website:
http://www.27000.org

2) Where Does COBIT Fit Into The Equation?
The last issue of this newsletter explained the mapping between ISO
17799 and COBIT in detail: http://www.molemag.net/latest.htm

3) Has BS7799 Now Been Replaced?
BS7799-1 has evolved into ISO 17799. BS7799-2 has evolved into ISO
27001. However, BS7799-3 was published last year. This offers
guidelines for information security risk management, and it is
expected that it too will become an ISO standard in due course. 

4) Is There A User Group For The Standards?
Yes. The international online user group for the standards can be
found at http://www.17799.com

5) What is IRCA?
IRCA (http://www.irca.org) is the International Register of Certified
Auditors, offering professional recognition of auditing competence.
Essentially, IRCA is the body which certifies auditors to audit
against the security standards.
 


User Acceptance Testing: The Basics
===================================

User acceptance testing is a critical phase of any 'systems' project
and requires significant participation by the 'End Users'. To be of
real use, an Acceptance Test Plan should be developed in order to plan
precisely, and in detail, the means by which 'Acceptance' will be
achieved. The final part of the UAT can also include a parallel run to
prove the system against the current system. 

The User acceptance test plan will vary from system to system but, in
general, the testing should be planned in order to provide a realistic
and adequate exposure of the system to all reasonably expected events
and threats. The testing can be based upon the User Requirements
Specification to which the system should conform.
 
As in any system though, problems will arise, and it is important to
have determined what should be the expected and required responses
from the various parties concerned, including Users, Project Team,
Vendors and possibly Consultants / Contractors.

In order to agree what such responses should be, the end users and the
project team need to develop and agree a range of 'severity levels'.
These levels will range from (say) 1 to 5 and will represent the
relative severity, in terms of business / commercial impact, of a
problem with the system, found during testing. Here is an example
which has been used successfully - '1' is the least severe; and '5'
has the most impact :- 
1. Cosmetic Problem; e.g. colors; fonts; pitch size. 
2. Minor Problem; both testing and live operations may progress. This
problem should be corrected, but little or no changes to business
processes are envisaged 
3. Major Problem; testing can continue but this feature will cause
severe disruption to business processes in live operation 
4. Critical Problem; testing can continue but we cannot go into
production (live) with this problem 
5. Show Stopper i.e. it is impossible to continue with the testing
because of the severity of this error / bug 

The users of the system, in consultation with the executive sponsor of
the project, must then agree upon the responsibilities and required
actions for each category of problem. For example, you may demand that
any problems in severity level 4, receive priority response and that
all testing will cease until such problems are resolved. 

Even where the severity levels and the responses to each have been
agreed by all parties, the allocation of a problem into its
appropriate severity level can be subjective and open to question. To
avoid the risk of lengthy and protracted exchanges over the
categorization of problems, we strongly advise that a range of
examples is agreed in advance to ensure that there are no fundamental
areas of disagreement; or, if there are, that these will be known in
advance and your organization is forewarned.


Information Security News
=========================

1) A host of Google related vulnerabilities have recently been
discovered. These have largely focused around cookies, and have
exposed user documents, emails (via Googlemail or Gmail) and search
histories. All those so far identified have now been fixed, but this
does illustrate the increasing risks which are liable to occur as the
search company integrates more and more functions into its portfolio.

2) McAfee (http://www.mcafee.com/us/) are reporting that once again
the nature of spam is changing. Whereas text based spam used to be the
order of the day, increasingly image spam is becoming the norm. Their
latest figures illustrate that this now accounts for around 65% of all
spam. Image spam uses images rather than text to deliver the usual
message types. This of course poses different types of challenges to
the anti-virus firms, but they are rapidly adapting. Yet another
reason to ensure that your AV software is bang up to date!

On a related note, and to make matters worse, the overall volume of
spam continues to increase, with message management firm Postini
(http://www.postini.com) reporting that it now comprises 94% of all
email. 

3) Two traffic engineers in Los Angeles have been charged with hacking
a computer system to... disable traffic lights! It is alleged that
this was motivated as a result of an ongoing labour dispute.

4) OpenDNS (http://www.opendns.com) report that the top five most
targeted phishing firms are: PayPal, Barclays Bank, eBay, Fifth Third
Bank and Bank of America, in that order. Unfortunately, phishing is
yet another area of increase in terms of volume, and enhanced
sophistication of attack techniques.

5) The importance of protecting your online identity has been
highlighted again this month by McAfee. They are reporting that online
identity theft has increased by 250% since the beginning of 2004. The
cost to the US economy is believed to be of the order of $40
billion per year, with the UK figure being about £600 million per year.



ISO17799 And SOX
================
 
The impact of the Sarbanes-Oxley Act 2002 (the Act) has been
significant, not only on corporate America, but globally. Countless
internet pages have been devoted to understanding the Act and
developing and implementing the operational internal controls that are
necessary to meet its stringent requirements. As a result, many
organizations are using a variety of standards and guidelines to help
to meet a minimum level of compliance. 

A key issue in implementing the SOX requirements is in measuring and
planning acceptable levels of compliance for the IT systems so that
CEOs, CFOs and CIOs are able to comfortably certify that the levels of
controls over the financial reporting processes are adequate. The main
three standards and guidelines available are considered to be
ISO17799, COSO and COBIT.  

ISO17799 offers a structured range of policy driven controls to manage
the business process including in-depth coverage of technology based
systems. COSO focuses on internal controls required across the
organization to manage the financial and operational processes so that
the financial reporting processes can be relied upon. COBIT provides a
detailed range of control objectives that enables the organization to
manage its technological processes and provides additional guidance to
measure the level of compliance with each aspect of the process
through the provision of a series of benchmarks.

The Act requires that a suitable level of compliance is achieved
across a range of critical processes and this level of compliance has
to be effectively reconfirmed every 90 days. Each critical process
should be subject to ongoing measurement against an agreed benchmark
and compliance should be targeted within an agreed range that
accurately reflects the corporate governance requirements. 

ISO17799 is now widely seen as an international standard that is able
to provide practical benefits towards achieving an acceptable level of
corporate compliance with respect to this, and is increasingly
becoming an integral part of the corporate necessity to demonstrate
commitment via a metrics related position.  



More Advice On SLAs
===================

Excellent sources of data that can be used for upgrading your service
level agreements are complaints received from customers, and issues
raised within customer satisfaction and employee opinion surveys.  

A well designed customer satisfaction survey should encourage
customers to provide comments about areas where the performance does
not meet their expectations. You should attempt to elicit additional
information about such problems so that these comments can be followed
up and perceived problems examined and corrected.  Very often these
expectations can be created from misleading wording of clauses in the
service level agreement and it is important to ensure that this
wording reflects the realistic situation and creates acceptable and
attainable targets.

For perceived problems to be turned into useful information that can
be analyzed and corrected, it is necessary to ask the right questions
in the survey and provide effective follow-up.  Complaints should
always be recorded, analyzed, reviewed and reported to management who
are ultimately responsible for performance and customer satisfaction
levels.  

The service level agreement should contain clear information on what
is the expected level of performance that the organization is
committing to. The last thing the customer wants is a nasty surprise
on performance levels.  Be both open and transparent on performance
level targets or you will likely end up with an unhappy customer and a
tarnished reputation.

Note: This article was supplied by the authors of the Service Level
Agreement Toolkit (http://www.sla-world.com), which offers guidelines
and templates to manage the creation of a professional SLA.



ISO 17799: The World Wide Phenomenon
====================================

Our source list for recent purchases of the standard always proves to
be a popular talking point. The most recent thousand or so is as follows:

Argentina 5 
Australia 23 
Austria 11 
Barbados 2 
Belgium 11 
Bermuda 1 
Bosnia and Herzegovina 1 
Brasil 15 
Canada 112 
Cayman Islands 1 
Chile 6 
China 11 
Colombia 12 
Costa Rica 1 
Croatia 1 
Cyprus 2 
Denmark 16 
Egypt 5 
Estonia 1 
France 12 
Germany 59 
Gibraltar 1
Greece 6 
Guatemala 1 
Hong Kong 14 
Hungary 8
Iceland 2 
India 23 
Indonesia 4 
Ireland 26 
Israel 2 
Italy 32 
Jamaica 2 
Japan 15
Jordan 1
Korea 3
Lebanon 1
Luxembourg 1 
Malaysia 14 
Malta 3
México 24 
Netherlands 41 
New Zealand 12 
Norway 18 
Panama 1 
Peru 1
Philippines 6 
Poland 9
Portugal 8 
R.O.C. 3 
Romania 4
Russia 7 
Saudi Arabia 10 
Singapore 18 
Slovak Republic 1
Slovenia 2 
South Africa 15 
Spain 29 
Sultanate of Oman 1 
Sweden 14 
Switzerland 49 
Taiwan 5 
Thailand 2 
Tunisia 1 
Turkey 7 
UK  351 
United Arab Emirates 11 
USA 512
Venezuela 1 

The usual health warnings apply: these are online card sales, so those
cultures that are less familiar with this form of commerce will be
under-represented.


The Development of a Business Continuity Plan
=============================================

Despite the undoubted strides being made by some well resourced
organizations towards an acceptable level of compliance with
international standards such as ISO 17799 and BS 25999, for the
majority of companies the approach to business continuity remains
rather haphazard.  Part of the reason for this is a lack of expertise
and experience in developing the relatively complex documentation
which is to be followed in the event of a serious incident, and part
due to an ongoing lack of resources and time. 

One of the first tasks we undertake when clients ask us to assist them
with their business continuity planning project is to review their
current level of documentation that is to be used for dealing with
emergencies. Some of the basics are usually in place including support
and back-up arrangements for most of the critical systems, health and
safety procedures, and some form of escalation process. The first
process that we usually find to be missing is a formally structured
management led risk assessment of the vulnerabilities to particular
threats, and a measurement of the potential impact that a loss of a
critical system or process would have on the organization's bottom
line and customer loyalty.  Without this management led risk analysis
to drive the continuity process, any recovery procedures are unlikely
to focus on the most important issues for survival.

To persuade scarce management resources to become positively involved
in the business continuity planning process, you probably have to
firstly achieve buy-in and commitment from the Board and senior
executive management. Once you have commitment from the top of the
organization to put proper risk led procedures in place to ensure
continuity, then the overall process becomes much easier to sell to
other levels of management.  This is important, as there is a lot of
hard work in developing a well structured and coherent plan that is
capable of minimizing the impact of all serious disruptive events.

Business continuity is not a process that should be led by the
technical areas, but one that must be led by management. The technical
areas will contribute significantly to the overall process but the
ultimate impact of a disruption to the business process will fall on
senior management, and they therefore should be responsible for
ensuring that the recovery process meets the underlying business needs. 

Of course, using tools that make the whole process easier and
therefore less resource hungry can be a very cost effective method of
putting the process on a more professional footing. The BCP Generator
(http://www.bcpgenerator.com) is the most well known product on the
market for simplifying the whole planning approach. With its
inter-active guidance and comprehensive templates, which cover each
stage of the process, it is without doubt the most popular BCP
solution currently available. It is in fact used by over 7,000
organizations, in over 120 countries, which are remarkable statistics. 

Using a combination of recognized standards, methods and tools will
not only significantly aid continuity and reduce risks, but will
actually produce a substantial range of other tangential benefits.
These will be explored in a future edition.



ISO 17799 RELATED TERMS AND DEFINITIONS   
=======================================

In each ISO 17799 and ISO 27001 Newsletter we will include a selection
of terms and definitions to unravel and explain some of the jargon and
strange language used by Information Security professionals. In this
edition, we have provided a selection of terms that all start with the
letter 'H'.

Handshake
An electronic exchange of signals between pieces of equipment (fax
machines, computers, computers and printers, etc.,) to establish that
each has the necessary protocols installed to allow communication
between the units; sometimes, also to confirm identities so that
transmissions are routed to the correct destination. 
An extension of the normal confirmation routine is the Challenge
Handshake that is a demand for proof of identity and authorization. 

Hose and Close 
An off-putting practice of some Technical Support/Help Desk staff. In
response to a question from a distressed user, Support responds with a
deluge of technobabble which the user doesn't understand, issues a
series of abstruse command instructions, which the user cannot follow,
and then hangs up before the user can come back with a request for a
simple explanation. 
The tech support staff can mark another tick on the 'support provided'
sheet, but the user is not only no further forward, but may also have
been charged premium rates per minute - just to be made to feel
foolish.
Happily, there are a growing number of Tech Support hotlines which do
communicate in plain language. 

Housekeeping 
Routine care of a computer system to ensure that it is kept running in
the most efficient manner. Housekeeping will normally include:
routines to delete items such as temporary files (which are no longer
required), identify and remove duplicates of files, check the
integrity of the disk records and the magnetic coatings on the disk
surfaces, and generally tidy up the filing system. 
Housekeeping should not be restricted to the main system. It is just
as useful for desktop machines and laptops - considering the
circumstances under which they are used!

Hot Desking 
A relatively new approach to working whereby staff do not have their
own, dedicated facilities, but share them with other workers - i.e.
there are fewer desks and computers than there are staff. 
Two kinds of situation are common :- 
1. Call centers and similar functions which run 24x7 on shifts. As one
staff member logs off and leaves, another takes over, logging on with
a new ID and password. 
2. 'Field' staff such as sales representatives check in to base to
complete paperwork, upload/download files, etc.. Such staff will use
any desk/computer that happens to be free. 
In either case, password control systems and audit trails are
essential to monitor which user is doing what, with which machine. 
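The audit-trail requirement for shared desks, worked as an added example that is not part of the newsletter: given a constructed logon/logoff trail for two shared PCs (the line format and the user and machine names are assumptions), rebuild the sessions per machine, answer "who held this machine at this time", and flag the cases where a shift handover leaves attribution ambiguous (a logon while the previous session is still open, or one ID active on two machines at once).

```python
"""Reconstruct who was on which shared machine from a hot-desking audit trail.

Added example, not from the newsletter. The log format is an assumption:
"<ISO timestamp> <LOGON|LOGOFF> <user> <machine>", one event per line.
"""
from datetime import datetime

# Constructed sample trail for two shared call-centre PCs across a shift change.
SAMPLE_LOG = """\
2007-01-24T06:55:00 LOGON alice PC-07
2007-01-24T06:58:00 LOGON bob PC-12
2007-01-24T14:59:00 LOGOFF alice PC-07
2007-01-24T15:00:30 LOGON carol PC-07
2007-01-24T15:02:00 LOGON dave PC-12
2007-01-24T19:10:00 LOGON carol PC-12
2007-01-24T23:00:00 LOGOFF carol PC-07
"""


def parse_log(text):
    """Parse the trail into (timestamp, action, user, machine) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user, machine = line.split()
        events.append((datetime.fromisoformat(ts), action, user, machine))
    events.sort(key=lambda e: e[0])
    return events


def reconstruct_sessions(events):
    """Return (sessions, findings).

    sessions: list of (machine, user, start, end) with end=None if still open.
    findings: audit anomalies that make "which user did what, on which machine"
    ambiguous, which is exactly what the password control is meant to prevent.
    """
    open_on_machine = {}   # machine -> (user, start of the open session)
    machines_of_user = {}  # user -> set of machines where that ID is logged on
    sessions, findings = [], []
    for ts, action, user, machine in events:
        if action == "LOGON":
            if machine in open_on_machine:
                prev_user, prev_start = open_on_machine[machine]
                findings.append(f"{machine}: {user} logged on at {ts} while "
                                f"{prev_user}'s session (since {prev_start}) was still open")
                # Close the orphaned session at the new logon; activity before
                # this point cannot be attributed with certainty.
                sessions.append((machine, prev_user, prev_start, ts))
                machines_of_user[prev_user].discard(machine)
            if machines_of_user.get(user):
                findings.append(f"{user}: logged on to {machine} at {ts} while also "
                                f"logged on to {sorted(machines_of_user[user])}")
            open_on_machine[machine] = (user, ts)
            machines_of_user.setdefault(user, set()).add(machine)
        elif action == "LOGOFF":
            current = open_on_machine.get(machine)
            if current is None or current[0] != user:
                findings.append(f"{machine}: LOGOFF by {user} at {ts} with no matching open session")
                continue
            sessions.append((machine, user, current[1], ts))
            del open_on_machine[machine]
            machines_of_user[user].discard(machine)
    for machine, (user, start) in open_on_machine.items():
        sessions.append((machine, user, start, None))  # still open at end of trail
    return sessions, findings


def user_on(sessions, machine, at_iso):
    """Answer the hot-desking audit question: which user held `machine` at `at_iso`?"""
    at = datetime.fromisoformat(at_iso)
    for m, user, start, end in sessions:
        if m == machine and start <= at and (end is None or at < end):
            return user
    return None


if __name__ == "__main__":
    sessions, findings = reconstruct_sessions(parse_log(SAMPLE_LOG))
    for f in findings:
        print("FINDING:", f)
    print("PC-12 at 16:00 held by", user_on(sessions, "PC-12", "2007-01-24T16:00:00"))
```

On the sample trail, bob never logged off PC-12 before dave took over, and carol's ID was active on two machines at once; both show up as findings, and any real shared-desk control should make them impossible rather than merely visible afterwards.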

Hardware Inventory 
Master Hardware Inventory - A detailed list of all hardware owned by
the organization, showing, amongst other things:- type, make, model,
specifications, cost, location, user(s), and asset reference number. 
Unit Hardware Inventory - an equally detailed list of hardware in
order of user (individual or department). This sheet may be used for
Audit checks to confirm that any given user still has the equipment
detailed and no unauthorized additions, removals, or modifications
have been made. 



CONTRIBUTIONS
=============
Have you got something to say on the standards, or a fresh insight or
some information which might benefit others?  If so, please feel free
to submit your contribution to us. Sponsors are also welcome.



NEWSLETTER REMINDER
===================

We hope that you have found this issue to be informative and useful.
Subscription is entirely free (although 'opt-in' only). Please feel
free to pass this copy on to your friends and colleagues. If you do
not wish to receive further copies, simply email us at the address
below with a title of 'Un-subscribe'.  

If your friends or colleagues wish to receive the newsletter directly,
they should simply send an email to: news@27005.com with a title of
'subscribe'.



ISO 17799 and ISO 27001 Newsletter  
http://www.molemag.net


