Dear Alan Willcox (and anyone familiar with the ISF standard),
Following your advice I read the ISF standard and indeed it is
comprehensive in scope and offers great help.
It will be great if you can clarify this matter:
In simple words, ISF divides the IT production environment to 3
"Aspects" - "critical business applications - CB", that are supported by
underlying "computer installations - CI" and "networks - NW". ISF than
calls for assigning security owners to each CB, CI, and NW environment,
and for separate policies\procedures\controls for each. The ISO standard
is not doing this division to "Aspects", and talks about the various
topics (e.g. access control, incident handling, etc.) in a broad IT
system manner.
I agree that the ISF division to Aspects makes a lot of sense and fits
real life management of IT environments (application owners are usually
business oriented and their apps sometimes span several geographic
locations, installation owners supervises computational centers that
sometimes support multiple applications, etc.). However, there are some
major overlaps between the three Aspects.
My question - how do you resolve process\people conflicts that arise
from the overlap between the three Aspects. In many cases it will be
hard to decide who is responsible. For example, ISF requires back-up in
all 3 Aspects - if an app is using a DB to store information - whos
responsibility is it to back-up this DB - the application owner or the
installation owner? This is only an example - do you have some basic
principle\guideline you use to solve this kind of conflicts? Maybe I'm
not understanding something?
Thanks,
Nimrod Steinbock
-----Original Message-----
From: alan_willcox@vanguard.com [mailto:alan_willcox@vanguard.com]
Sent: ג 19 אוקטובר 2004 14:34
To: Sharon Steinbock
Cc: security-management@securityfocus.com
Subject: Re: Policy-Procedure connection
Again, I recommend the ISF Standard of Good Practice, which encompasses
ISO 17799 (it's a great complement to the ISO standard), and gives
specific implementation specifications with regard to ownership review,
etc. Based on our experience over the past year, I highly recommend it.
It's available for no charge at http://www.isfsecuritystandard.com/
--- Alan Willcox
The Vanguard Group
("The views expressed here are mine and do not reflect the official
opinion of my employer or the organization through which the Internet
was accessed".)
"Sharon Steinbock" <sharon@mimransteinbock.com>
10/18/2004 04:07 AM
To: <security-management@securityfocus.com>
cc:
Subject: Policy-Procedure connection
Hello,
I am looking at implementing an ISO 17799 framework.
Getting the policies right is not an easy task, but I find the topic
well documented, with many sample policies I can use.
However, when it comes down to "translating" my policies to specific
procedures I am lost. Some questions:
- Who should write each procedure? The procedure owner, his boss,
someone higher up?
- Where can I find some sample procedures?
Any other insight regarding the policy-procedure gap will be highly
appreciated.
Thanks,
Sharon
