ISO IEC 17799 2000*

TRANSLATED INTO PLAIN ENGLISH

Section 4: Organizational Structure

*ISO 17799 2000 is now OBSOLETE.
Please see
ISO IEC 17799 2005!

ISO17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD

4.1 ESTABLISH A SECURITY INFRASTRUCTURE

Establish a management framework to control how your organization implements information security.

Establish a management forum that you can use to review and approve your information security policy.

Establish a management forum to co-ordinate and control the implementation of your organization’s information security program.

Establish a management forum that you can use to assign information security roles and responsibilities.

Make sure that you have access to information security experts and advisors within your own organization.

Make sure that your internal experts are able to provide specialized information security advice.

Make sure that you have access to external information security experts and advisors.

Make sure that your external advisors help you to monitor changes in information security standards and methods.

Make sure that your external information security experts and advisors help you to deal with security incidents.

Make sure that your organization encourages the use of a multi-disciplinary approach to information security.

4.1.1 SET UP A MANAGEMENT INFORMATION SECURITY FORUM

Assign the responsibility for information security to a single manager within your organization.

Establish a management forum that you can use to support information security initiatives.

Make sure that your security management forum promotes the importance of information security.

Make sure that your security management forum ensures that adequate resources are provided to support security.

Make sure that your security management forum reviews and approves your information security policy.

Make sure that your security management forum reviews and approves information security responsibilities.

Make sure that your security management forum monitors major security threat changes and trends.

Make sure that your security management forum monitors how exposed your information assets are.

Make sure that your security management forum monitors and reviews information security incidents.

Make sure that your security management forum reviews and approves improvements in information security.

4.1.2 CO-ORDINATE INFORMATION SECURITY IMPLEMENTATION

Establish a management forum that you can use to co-ordinate the implementation of security controls.

Make sure that management forum members represent all relevant areas of your organization.

Make sure that your security management forum distributes information security roles and responsibilities throughout your organization.

Make sure that your security management forum reviews and approves information security methods and techniques.

Make sure that your security management forum approves and supports information security initiatives.

Make sure that your security management forum ensures that security is considered during the information planning process.

Make sure that your security management forum evaluates the adequacy of security controls that will be used to protect new information systems or services.

Make sure that your security management forum co-ordinates the implementation of security controls that will be used to protect new information systems and services.

Make sure that your security management forum reviews and evaluates information security incidents.

Make sure that your security management forum promotes the importance of information security throughout your organization.

4.1.3 ALLOCATE INFORMATION SECURITY RESPONSIBILITIES

Define the responsibilities that control how individual information assets should be protected.

Define the responsibilities that control how your information security processes should be carried out.

Make sure that your information security policy describes how security roles and responsibilities are distributed throughout your organization.

Define how specific information security roles and responsibilities are distributed amongst various sites.

Define how specific information security roles and responsibilities are distributed amongst systems.

Define how specific information security roles and responsibilities are distributed amongst services.

Define how the responsibility for individual physical assets is allocated at the local level.

Define how the responsibility for individual information assets is allocated at the local level.

Define how the responsibility for individual security processes is allocated at the local level.

Appoint an information security manager.

Make sure that your information security manager has been given the responsibility for developing your security program.

Make sure that your information security manager has been given the responsibility for implementing your security program.

Make sure that your information security manager has been given the responsibility for identifying security controls.

Appoint an owner for each information asset.

Make sure that asset owners have been given the responsibility for the security of their information assets.

Make sure that your asset owners delegate specific security responsibilities to other managers or service providers.

Make sure that asset owners ensure that delegated security responsibilities are clearly and completely stated.

Make sure that delegated responsibilities for security assets and processes have been clearly and completely defined.

Make sure that you document all delegated responsibilities for information security assets and processes.

Make sure that you define and document all delegated authorization levels for security assets and processes.

Make sure that your asset owners ensure that delegated security responsibilities are properly carried out.

4.1.4 ESTABLISH AUTHORIZATION PROCESS FOR NEW FACILITIES

Establish a management authorization process to control new information processing facilities.

Make sure that user managers approve the purpose and authorize the use of all new information processing facilities.

Make sure that your information security maintenance manager authorizes new information processing facilities.

Make sure that your information security maintenance manager ensures that your new information processing facilities meet all security requirements and policies.

Check new hardware to ensure that it will be compatible with existing system components.

Check new software to ensure that it will be compatible with existing system components.

Control the business use of personal information processing facilities.

Evaluate personal information processing facilities before they are used to process business information.

Authorize the use of personal processing facilities before they are used to process business information.

4.1.5 IDENTIFY SPECIALIZED INFORMATION SECURITY ADVISORS

Identify an in-house information security advisor.

Make sure that your in-house security advisor accumulates and co-ordinates your information security knowledge and experience.

Make sure that your in-house information security advisor helps your organization to make information security decisions.

Make sure that your in-house information security advisor has access to external security experts and advisors.

Make sure that your information security advisors are asked to provide advice on all aspects of information security.

Make sure that information security advisors are asked to assess security problems that threaten your organization.

Make sure that your information security advisors have been asked to assess your organization’s information security controls.

Make sure that your information security advisors have direct access to your organization’s management personnel.

Consult your information security advisors whenever you have a security incident or breach.

Ask information security advisors to investigate security incidents or breaches.

4.1.6 MAINTAIN RELATIONSHIPS WITH OTHER ORGANIZATIONS

Maintain relationships with organizations that could help you to cope with security incidents and breaches.

Make sure that you have a co-operative relationship with law enforcement authorities.

Make sure that you have a co-operative relationship with relevant regulatory bodies.

Make sure that you have a co-operative relationship with information service providers.

Make sure that you have a co-operative relationship with telecommunications operators.

Make sure that you belong to security groups and associations.

Make sure that you participate in security-oriented industry forums.

Make sure that confidential information is not accidentally passed on to unauthorized outsiders.

4.1.7 PERFORM INDEPENDENT SECURITY POLICY REVIEWS

Perform independent reviews of your information security policy.

Make sure that your independent policy reviews examine whether or not your practices are consistent with your information security policy.

Make sure that your independent policy reviews examine whether or not your information security policy is feasible.

Make sure that your independent policy reviews examine whether or not your information security policy is effective.

Make sure that security policy reviews are performed by independent managers, auditors, or organizations.

Make sure that your information security policy reviewers have the necessary skills and experience.

4.2 CONTROL THIRD PARTY ACCESS TO FACILITIES

Control third party access to your information processing facilities and information assets.

Maintain security while third parties access your information processing facilities and information assets.

Carry out a risk assessment whenever third party access to processing facilities and assets is required.

Make sure that your assessments examine the security risks that you take whenever you allow third party access to your information processing facilities and assets.

Make sure that your assessments identify the controls that should be used to regulate third party access to your information processing facilities and assets.

Make sure that your access control restrictions and requirements are written into your contracts with third parties.

Make sure that your third party access control contracts define the conditions that must be met before other unspecified participants are allowed access to your information processing facilities and information assets.

4.2.1 IDENTIFY THIRD PARTY ACCESS RISKS

4.2.1.1 CONSIDER TYPES OF THIRD PARTY ACCESS

Examine the risks that you take whenever you allow physical access to third parties.

Examine the risks that you take whenever you allow third party access to your offices.

Examine the risks that you take whenever you allow third party access to your computer rooms.

Examine the risks that you take whenever you allow third party access to your filing cabinets.

Examine the risks that you take whenever you allow logical access to third parties.

Examine the risks that you take whenever you allow third party access to your databases.

Examine the risks that you take whenever you allow third party access to your information systems.

4.2.1.2 ESTABLISH SPECIAL INFORMATION ACCESS CONTROLS

Carry out a risk assessment whenever third parties have a special or unique business need to have physical or logical access to your organization’s information.

Establish special access controls whenever third parties have a unique business need to have special access to your organization’s information.

Make sure that your special access controls limit and regulate the type of access that third parties can have to your information.

Make sure that your special access controls consider the controls used by third parties who have access to your information.

Make sure that your special access controls reflect the value of your organization’s information.

Make sure that you have special controls that regulate the access that hardware specialists can have to your information.

Make sure that you have special controls that regulate the access that software specialists can have to your information.

Make sure that you have special controls that regulate the access that your trading partners or joint ventures can have to your organization’s information.

Make sure that you have special controls that regulate the access that your trading partners or joint ventures can have to your organization’s information systems and databases.

4.2.1.3 CONTROL ON‑SITE CONTRACTOR INFORMATION ACCESS

Use contracts to define all security requirements and to restrict on-site contractor access to your organization’s information and information processing facilities.

Ensure that information access contracts are signed before you allow on-site contractors to have access to your information and information processing facilities.

Make sure that you implement access controls before you allow on-site contractors to access your information or information processing facilities.

Make sure that you control consultant access to your information and information processing facilities.

Make sure that you control hardware and software maintenance contractor access to your organization’s information and information processing facilities.

Make sure that you control cleaning, catering, and security guard access to your organization’s information and information processing facilities.

Make sure that you control student and other short-term contractor access to your information and information processing facilities.

4.2.2 USE CONTRACTS TO CONTROL THIRD PARTY ACCESS

Use contracts to help control third party access to your organization’s information processing facilities.

Make sure that your third party contracts specify or refer to all your information security requirements.

Make sure that your third party contracts specify or refer to your organization’s security policies and standards.

Make sure that your third party contracts include procedures that should be used to protect your organization’s assets.

Make sure that your third party contracts include procedures that would be used to find out whether your organization’s assets have been damaged or compromised.

Make sure that your third party contracts specify when your organization’s assets should be returned or destroyed.

Make sure that your third party contracts specify limits on the use and duplication of your organization’s information.

Make sure that your third party contracts specify the services that third parties are expected to provide to your organization.

Make sure that third party contracts specify the standard of service that third parties are expected to provide.

Make sure that your third party contracts identify statutory or regulatory roles and responsibilities that control how obligations should be met.

Make sure that your third party contracts clarify intellectual property rights, obligations, assignments, and protections.

Make sure that third party contracts define access methods.

Make sure that your organization’s third party contracts control user IDs and passwords.

Make sure that your third party contracts define the access authorization process that must be followed.

Make sure that your third party contracts expect contractors to keep track of who has what access rights and privileges.

Make sure that your third party contracts define performance criteria.

Make sure that your third party contracts define how contractor performance will be monitored and reported.

Make sure that your third party contracts reserve the right to monitor user activity and revoke user access.

Make sure that your third party contracts reserve the right to audit contractor activities and results.

Make sure that third party contracts define an escalation process that must be followed to resolve problems.

Make sure that third party contracts define contingency plans that would be followed if contractors fail to perform.

Make sure that your third party contracts define responsibilities for hardware installation and maintenance.

Make sure that your third party contracts define responsibilities for software installation and maintenance.

Make sure that third party contracts define reporting structures.

Make sure that third party contracts define reporting formats.