CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [157]
Guidelines help an organization in several different ways. First, if a process or set of steps isn’t performed routinely, experienced support and security staff will forget how to do them; guidelines will help refresh their memory. Second, when you’re trying to train someone to do something new, written guidelines can improve the new person’s learning curve. Third, when a crisis or high-stress situation occurs, guidelines can keep you from coming unglued.
Working with Security Standards and ISO 17799
Many companies are adopting comprehensive security standards for their organizations. If your organization is involved in government-related work, a standard is probably already in place and you’ll be expected to follow it. The consequences can be dire if a policy violation occurs.
Increasingly, the need for security standards is being recognized worldwide. One of the security standards that is gaining acceptance is ISO 17799. This section briefly discusses this standard.
The International Organization for Standardization (ISO) published the ISO 17799 standard, which is referred to as the Code of Practice for Information Security Management. The most recent version of the standard was published in June 2005. ISO 17799 identifies the major steps necessary to secure the IT environment.
This material is provided only for background. You won’t be tested on the ISO 17799 standard. Information about ISO 17799 is available in written form and online. A good place to get more information is http://csrc.nist.gov/publications/PubsSPs.html (the Code of Practice can be found at http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm).
The standard document outlines 11 areas of focus. An organization that successfully completes the work necessary to address these 11 areas can apply for certification. Auditors are brought in to verify that the areas are covered; this audit is comprehensive, and it requires advance preparation.
Here are the 11 areas:
Security policy: The security policy includes the process for evaluating expectations, and it demonstrates management’s support for and commitment to security.
Organization of information security: The organization area provides a structure to show who is responsible for security. This includes security coordinators, appropriate management delegation, and incident response processes.
Asset management: This area deals with assessment and inventory of the organization’s information infrastructure and assets to determine whether an appropriate level of security is in place.
Human resources security: This area evaluates the human resources aspects of the business operation. Clear outlines of security expectations, screening processes, and confidentiality agreements are evaluated. This section also deals with how incident reporting occurs and who is responsible for dealing with incidents.
Physical and environmental security: This area deals with the policies and methods used to protect the IT infrastructure, physical plant, and employees. Aspects of backup power, routine maintenance, and onsite security are covered in this section.
Communications and operations management: Preventive measures (such as antivirus protection, monitoring system logs, remote communications security, and incident response procedures) are evaluated in this section.
Access control: This area evaluates mechanisms that protect an organization from internal and external intrusions. Issues such as password management, authentication systems, and event logging are part of this section.
Information systems acquisition, development, and maintenance: This area evaluates the measures that are taken in system development and software maintenance activities, including network deployment and expansion.
Information security incident management: This area deals with how the organization responds to an incident and the escalation procedures.
Business continuity management (BCM)