ISO 17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD

8.1 ESTABLISH OPERATIONAL PROCEDURES

Establish procedures to manage your
information processing facilities.

Assign responsibilities that govern the management
of your organization’s information processing facilities.

Establish procedures to operate your
organization’s information processing facilities.

Assign responsibilities that govern the operation of
your organization’s information processing facilities.

8.1.1 DOCUMENT YOUR OPERATING PROCEDURES

Develop operating procedures that
comply with your security policy.

Document your operating procedures.

Control your operating procedure documents.

Make sure that all changes to your operating procedure
documents are authorized and controlled by management.

Make sure that operating procedures explain
how each job or task should be performed.

Make sure that your operating procedures
explain how information should be processed.

Make sure that your operating procedures
explain how information should be handled.

Make sure that operating procedures explain
how job scheduling should be performed.

Make sure that your operating procedures expect
your schedules to specify start and finish dates.

Make sure that operating procedures describe the systemic interdependencies that influence how jobs are done.

Make sure that your operating procedures explain
how job performance errors should be handled.

Make sure that your operating procedures explain how
restrictions on the use of system utilities should be handled.

Make sure that your operating procedures identify
people who can be contacted when operational
or technical problems occur.

Make sure that your operating procedures
explain how output should be handled.

Make sure that your operating procedures explain
how confidential output should be handled.

Make sure that your operating procedures explain
how output from failed jobs should be disposed of.

Make sure that operating procedures explain
how system failures should be handled.

Make sure that operating procedures
explain how to restart your systems.

Make sure that operating procedures
describe system recovery procedures.

Develop operational housekeeping procedures
for your information processing facilities.

Develop operational housekeeping
procedures for communication facilities.

Develop computer startup and shutdown procedures.

Develop computer backup procedures.

Develop equipment maintenance procedures.

Develop computer room procedures.

Develop mail handling management procedures.

Develop mail handling safety procedures.

8.1.2 CONTROL CHANGES TO FACILITIES AND SYSTEMS

Control changes to information processing facilities.

Control changes to your information systems.

Assign management responsibility
for the control of changes to equipment.

Assign management responsibility
for the control of changes to software.

Assign management responsibility
for the control of changes to procedures.

Develop procedures to control changes to equipment.

Develop procedures to control changes to software.

Develop procedures to control changes to procedures.

Control all changes to operational programs.

Use audit logs to track changes to programs.

Identify all significant changes to your organization’s
information processing facilities and systems.

Record all significant changes to your organization’s
information processing facilities and systems.

Assess the potential impact before you make changes
to your information processing facilities and systems.

Use a formal procedure to authorize proposed
changes to your facilities and systems.

Ensure that the details of all changes to facilities and
systems are communicated to all relevant persons.

Use a procedure to control how unsuccessful
changes should be aborted and resolved.

8.1.3 ESTABLISH INCIDENT MANAGEMENT PROCEDURES

Establish procedures that must be used to
manage and respond to all security incidents.

Assign incident management responsibilities.

Develop procedures to handle all types of security incidents.

Develop procedures to handle information system failures.

Develop procedures to handle the loss of service.

Develop procedures to handle the denial of service.

Develop procedures to handle incomplete data.

Develop procedures to handle inaccurate data.

Develop procedures to handle confidentiality breakdowns.

Make sure that your procedures expect people to identify
and analyze the causes of your security incidents.

Make sure that your procedures expect people to figure
out how to prevent a recurrence of your security incidents.

Make sure that procedures expect people to communicate
with those who are affected by security incidents.

Make sure that your procedures expect people to report the
security incident and response to the appropriate authority.

Make sure that your procedures expect people to study 
trails and collect evidence about your security incidents.

Use evidence to analyze your security incidents.

Collect evidence for breach of contract purposes.

Collect evidence to address regulatory violations.

Collect evidence to support legal proceedings.

Collect evidence to support your requests for
compensation from software and service suppliers.

Develop procedures to control how you
correct and recover from security failures.

Make sure that your recovery procedures ensure
that only authorized persons are allowed access
to live systems and data.

Make sure that your recovery procedures
expect people to document all the actions
that were taken during the emergency.

Make sure that your recovery procedures expect
people to report emergency actions to management.

Make sure that your recovery procedures expect management
to carry out an orderly review of emergency actions taken.

Make sure that your recovery procedures ensure that the
integrity of all vulnerable business systems is verified.

Make sure that your recovery procedures ensure
that all relevant business controls are still effective.

8.1.4 SEGREGATE CONTROL OVER KEY RESPONSIBILITIES

Make it difficult to modify information or services without
authorization by ensuring that associated duties and
responsibilities are not controlled by a single person.

Make it difficult to misuse information or services by
ensuring that associated duties and responsibilities
are not entirely controlled by a single person.

Reduce the chances that people will accidentally or intentionally modify or misuse information or services by separating duties and responsibilities.

Ensure that responsibility for initiating and authorizing
actions are not controlled by the same person.

Reduce the chances that fraud will be perpetrated
by reducing the opportunity for collusion.

Reduce the opportunity for collusion by ensuring that
sensitive work is not carried out by a single person.

Take steps to ensure that fraud can be detected
whenever key areas are controlled by a single person.

Supervise work activities more closely whenever the security
of information and services cannot be controlled through the
separation of duties and responsibilities.

Use audit trails whenever the security of your information
and services cannot be adequately controlled through
the separation of duties and responsibilities.

8.1.5 SEPARATE SYSTEMS DEVELOPMENT AND OPERATIONS

Separate the responsibility for software
development, testing, and operational facilities.

Separate development and testing activities.

Develop and document rules to control the transfer of software
from the development and testing phase to operational facilities.

Run developmental software and operational
software on different computer processors.

Run developmental software and operational
software in different directories or domains.

Prevent unauthorized access to editors, compilers, and
other system utilities from your operational systems.

Make sure that test systems and operational
systems use different log‑on procedures.

Expect users to use different passwords
for test systems and operational systems.

Make sure that it is easy for users to distinguish between
test system menus and operational system menus.

Control how operational system passwords are
issued to system development and testing staff.

8.1.6 CONTROL THE MANAGEMENT OF EXTERNAL FACILITIES

Make sure that external contractors have
done everything necessary to protect your
information and secure their sites.

Make sure that your contracts specify the
controls that external contractors must
use in order to protect your information.

Make sure that your contracts specify
the business continuity requirements
that must be met by external contractors.

Make sure that your contracts specify the security
standards that external contractors must comply with.

Make sure that your contracts specify how compliance
with security standards should be measured.

Make sure that your contracts allocate specific
security monitoring responsibilities to contractors.

Make sure that your contracts identify the
procedures that should be used to monitor
how well security measures are applied.

Make sure that your contracts allocate the responsibility
for reporting security incidents to the contractor.

Make sure that your contracts define the procedures that
should be used to handle and report all security incidents.

Keep your most sensitive applications in‑house.

ISO 17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD

8.2 DEVELOP PLANS TO PROVIDE FUTURE CAPACITY

Develop plans to ensure that adequate information processing
capacity and resources will be available in the future.

Project what your information processing capacity
and resource requirements will be in the future.

Establish the operational requirements of new
systems prior to their acceptance and use.

Document the operational requirements of new
systems prior to their acceptance and use.

Test the operational requirements of new
systems prior to their acceptance and use.

8.2.1 MONITOR USAGE AND MEET FUTURE REQUIREMENTS

Monitor the demands that are being placed on your
current information storage and processing resources.

Figure out what your future information storage
and processing capacity requirements will be.

Develop plans to ensure that future storage
and processing power needs will be met.

Make sure that your plans consider the burden
that new business will place on your existing
storage and processing resources.

Make sure that your plans respect
current information processing trends.

Figure out what your mainframe computing capacity
requirements will probably be in the future.

Monitor mainframe computer processor usage.

Monitor mainframe computer storage usage.

Monitor mainframe computer output device usage.

Monitor mainframe communication system usage.

Identify trends in mainframe computer usage.

Make sure that managers use trend information to identify
potential bottlenecks that could undermine your security.

Make sure that managers use trend
information to avoid bottlenecks.

Make sure that managers use trend
information to plan remedial action.

8.2.2 USE ACCEPTANCE CRITERIA TO TEST SYSTEMS

Use acceptance criteria to test new information
systems before they are accepted for actual use.

Use acceptance criteria to test information system
upgrades before they are accepted for actual use.

Use acceptance criteria to test new versions of
information systems before they are accepted for use.

Make sure that managers ensure that new information
system acceptance criteria are clearly defined.

Make sure that managers ensure that new information
system acceptance criteria are documented.

Make sure that managers ensure that new information
system acceptance criteria are tested prior to use.

Make sure that your acceptance criteria consider
the computer capacity and performance requirements
that new systems must meet.

Make sure that your acceptance criteria consider
the need for new systems to facilitate error recovery.

Make sure that your acceptance criteria consider
the need for new systems to have restart procedures.

Make sure that acceptance criteria consider the need to
have contingency plans to deal with potential system failures.

Make sure that acceptance criteria consider the need to
test new system operating procedures against standards.

Make sure that your acceptance criteria consider the
security controls that new information systems must have.

Make sure that your acceptance criteria consider the need
for new systems to have effective manual procedures.

Make sure that acceptance criteria consider the need to
have business continuity arrangements to deal with disasters.

Make sure that your acceptance criteria consider the need
to prove that new systems will not harm existing systems.

Make sure that your acceptance criteria consider the need