ISO/IEC 17799:2000

ISO/IEC 17799:2000 is now OBSOLETE. Please see ISO/IEC 27002:2005 (formerly ISO/IEC 17799:2005).
We have used a task-oriented approach to translate the ISO/IEC 17799:2000 information security practices into plain English. Our plain English standard therefore consists entirely of tasks or actions: to implement the ISO 17799 standard, carry out the tasks we have listed. You do not have to perform every task; they are recommended tasks, not compulsory ones.

To let you choose whether or not to carry out each recommended task, we offer three response options for every task: DO, DONE, or N/A. Select DO if you have not yet done the task and it addresses one of your information security risks or needs. Select DONE if you have already done the task. Select N/A (not applicable) if the task does not apply in your situation or does not address your information security risks and needs.
8. COMMUNICATIONS AND OPERATIONS MANAGEMENT

| # | 8.1 ESTABLISH OPERATIONAL PROCEDURES | DO | DONE | N/A | COMMENTS |
|---|---|---|---|---|---|
| 1 | Establish procedures to manage your information processing facilities. | DO | DONE | N/A | |
| 2 | Assign responsibilities for the management of your organization's information processing facilities. | DO | DONE | N/A | |
| 3 | Establish procedures to operate your information processing facilities. | DO | DONE | N/A | |
| 4 | Assign responsibilities for the operation of your organization's information processing facilities. | DO | DONE | N/A | |

| # | 8.1.1 DOCUMENT YOUR OPERATING PROCEDURES | DO | DONE | N/A | COMMENTS |
|---|---|---|---|---|---|
| 5 | Develop operating procedures that comply with your security policy. | DO | DONE | N/A | |
| 6 | Document your operating procedures. | DO | DONE | N/A | |
| 7 | Control your operating procedure documents. | DO | DONE | N/A | |
| 8 | Make sure that all changes to your operating procedure documents are authorized and controlled by management. | DO | DONE | N/A | |
| 9 | Make sure that your operating procedures explain how each job or task should be performed. | DO | DONE | N/A | |
| 10 | Make sure that your operating procedures explain how information should be processed. | DO | DONE | N/A | |
| 11 | Make sure that your operating procedures explain how information should be handled. | DO | DONE | N/A | |
| 12 | Make sure that your operating procedures explain how job scheduling should be performed. | DO | DONE | N/A | |
| 13 | Make sure that your operating procedures require schedules to specify the earliest start time and the latest completion time for each job. | DO | DONE | N/A | |
| 14 | Make sure that your operating procedures describe the interdependencies with other systems that affect how jobs are run. | DO | DONE | N/A | |
| 15 | Make sure that your operating procedures explain how errors that occur while a job is running should be handled. | DO | DONE | N/A | |
| 16 | Make sure that your operating procedures explain the restrictions on the use of system utilities and how they are enforced. | DO | DONE | N/A | |
| 17 | Make sure that your operating procedures identify the people to contact when operational or technical problems occur. | DO | DONE | N/A | |
| 18 | Make sure that your operating procedures explain how output should be handled. | DO | DONE | N/A | |
| 19 | Make sure that your operating procedures explain how confidential output should be handled. | DO | DONE | N/A | |
| 20 | Make sure that your operating procedures explain how output from failed jobs should be disposed of. | DO | DONE | N/A | |
| 21 | Make sure that your operating procedures explain how system failures should be handled. | DO | DONE | N/A | |
| 22 | Make sure that your operating procedures explain how to restart your systems. | DO | DONE | N/A | |
| 23 | Make sure that your operating procedures describe your system recovery procedures. | DO | DONE | N/A | |
| 24 | Develop operational housekeeping procedures for your information processing facilities. | DO | DONE | N/A | |
| 25 | Develop operational housekeeping procedures for your communication facilities. | DO | DONE | N/A | |
| 26 | Develop computer start-up and shutdown procedures. | DO | DONE | N/A | |
| 27 | Develop computer backup procedures. | DO | DONE | N/A | |
| 28 | Develop equipment maintenance procedures. | DO | DONE | N/A | |
| 29 | Develop computer room procedures. | DO | DONE | N/A | |
| 30 | Develop mail handling management procedures. | DO | DONE | N/A | |
| 31 | Develop mail handling safety procedures. | DO | DONE | N/A | |

| # | 8.1.2 CONTROL CHANGES TO FACILITIES AND SYSTEMS | DO | DONE | N/A | COMMENTS |
|---|---|---|---|---|---|
| 32 | Control changes to your information processing facilities. | DO | DONE | N/A | |
| 33 | Control changes to your information systems. | DO | DONE | N/A | |
| 34 | Assign management responsibility for the control of changes to equipment. | DO | DONE | N/A | |
| 35 | Assign management responsibility for the control of changes to software. | DO | DONE | N/A | |
| 36 | Assign management responsibility for the control of changes to procedures. | DO | DONE | N/A | |
| 37 | Develop procedures to control changes to equipment. | DO | DONE | N/A | |
| 38 | Develop procedures to control changes to software. | DO | DONE | N/A | |
| 39 | Develop procedures to control changes to procedures. | DO | DONE | N/A | |
| 40 | Control all changes to operational programs. | DO | DONE | N/A | |
| 41 | Use audit logs to track changes to programs. | DO | DONE | N/A | |
| 42 | Identify all significant changes to your organization's information processing facilities and systems. | DO | DONE | N/A | |
| 43 | Record all significant changes to your organization's information processing facilities and systems. | DO | DONE | N/A | |
| 44 | Assess the potential impact before you make changes to your information processing facilities and systems. | DO | DONE | N/A | |
| 45 | Use a formal procedure to authorize proposed changes to your facilities and systems. | DO | DONE | N/A | |
| 46 | Make sure that the details of changes to facilities and systems are communicated to all relevant persons. | DO | DONE | N/A | |
| 47 | Use a procedure that defines who aborts an unsuccessful change and how you recover from it. | DO | DONE | N/A | |

| # | 8.1.3 ESTABLISH INCIDENT MANAGEMENT PROCEDURES | DO | DONE | N/A | COMMENTS |
|---|---|---|---|---|---|
| 48 | Establish procedures that must be used to manage and respond to all security incidents. | DO | DONE | N/A | |
| 49 | Assign incident management responsibilities. | DO | DONE | N/A | |
| 50 | Develop procedures to handle all types of security incidents. | DO | DONE | N/A | |
| 51 | Develop procedures to handle information system failures. | DO | DONE | N/A | |
| 52 | Develop procedures to handle loss of service. | DO | DONE | N/A | |
| 53 | Develop procedures to handle denial of service. | DO | DONE | N/A | |
| 54 | Develop procedures to handle incomplete data. | DO | DONE | N/A | |
| 55 | Develop procedures to handle inaccurate data. | DO | DONE | N/A | |
| 56 | Develop procedures to handle breaches of confidentiality. | DO | DONE | N/A | |
| 57 | Make sure that your procedures require people to identify and analyze the causes of your security incidents. | DO | DONE | N/A | |
| 58 | Make sure that your procedures require people to plan how to prevent a recurrence of each security incident. | DO | DONE | N/A | |
| 59 | Make sure that your procedures require people to communicate with those affected by security incidents. | DO | DONE | N/A | |
| 60 | Make sure that your procedures require people to report each security incident, and the response to it, to the appropriate authority. | DO | DONE | N/A | |
| 61 | Make sure that your procedures require people to examine audit trails and collect evidence about your security incidents. | DO | DONE | N/A | |
| 62 | Use evidence to analyze your security incidents. | DO | DONE | N/A | |
| 63 | Collect evidence for breach of contract purposes. | DO | DONE | N/A | |
| 64 | Collect evidence to address regulatory violations. | DO | DONE | N/A | |
| 65 | Collect evidence to support legal proceedings. | DO | DONE | N/A | |
| 66 | Collect evidence to support your requests for compensation from software and service suppliers. | DO | DONE | N/A | |
| 67 | Develop procedures to control how you correct and recover from security failures. | DO | DONE | N/A | |
| 68 | Make sure that your recovery procedures ensure that only clearly identified and authorized persons are allowed access to live systems and data. | DO | DONE | N/A | |
| 69 | Make sure that your recovery procedures require people to document all actions taken during the emergency. | DO | DONE | N/A | |
| 70 | Make sure that your recovery procedures require people to report emergency actions to management. | DO | DONE | N/A | |
| 71 | Make sure that your recovery procedures require management to carry out an orderly review of the emergency actions taken. | DO | DONE | N/A | |
| 72 | Make sure that your recovery procedures ensure that the integrity of all vulnerable business systems is verified. | DO | DONE | N/A | |
| 73 | Make sure that your recovery procedures ensure that all relevant business controls are still effective. | DO | DONE | N/A | |
| ... | Etcetera ... | DO | DONE | N/A | |
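Items 40 to 45 of section 8.1.2 ask that changes to operational programs be controlled, formally authorized, recorded and tracked through audit logs. The script below is an added example of one way to implement that control; it is not part of the Praxiom checklist or of ISO/IEC 17799. It hashes every operational program at a known-good point (the baseline), keeps a register of approved changes that records the hash each program is expected to have after the change, and then writes one audit log entry per difference between the baseline and what is actually deployed, marking a difference UNAUTHORIZED unless an approved record matches both the path and the resulting hash. The file paths, file contents, change identifiers and approver names are constructed for the example.

```python
"""Change control for operational programs: baseline hashes, a change
register and an audit log of every difference.  Added example, not code
from Praxiom or ISO/IEC 17799; all sample data below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ChangeRecord:
    """One approved entry in the formal change register (item 45)."""
    change_id: str
    path: str
    expected_sha256: Optional[str]  # None means the program is being retired
    approved_by: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline(programs: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every operational program at a known-good point in time."""
    return {path: sha256_hex(content) for path, content in programs.items()}


def audit_changes(base: Dict[str, str], current: Dict[str, bytes],
                  register: List[ChangeRecord]) -> List[dict]:
    """Diff the deployed program set against the baseline and emit one audit
    log entry per difference.  A difference is AUTHORIZED only when the
    register holds a record for that path whose expected hash equals the
    program's new hash (None for a removal); anything else is UNAUTHORIZED,
    including a deployed file that differs from what was approved."""
    approved = {(r.path, r.expected_sha256): r for r in register}
    entries = []
    for path in sorted(set(base) | set(current)):
        old = base.get(path)
        new = sha256_hex(current[path]) if path in current else None
        if old == new:
            continue  # unchanged: nothing to log
        if old is None:
            action = "ADDED"
        elif new is None:
            action = "REMOVED"
        else:
            action = "MODIFIED"
        record = approved.get((path, new))
        entries.append({
            "path": path,
            "action": action,
            "old_sha256": old,
            "new_sha256": new,
            "status": "AUTHORIZED" if record else "UNAUTHORIZED",
            "change_id": record.change_id if record else None,
            "approved_by": record.approved_by if record else None,
        })
    return entries


def unauthorized_paths(entries: List[dict]) -> List[str]:
    """Paths whose change has no matching approved record."""
    return [e["path"] for e in entries if e["status"] == "UNAUTHORIZED"]


# Constructed sample: the program set when the baseline was taken.
BASELINE_PROGRAMS = {
    "/opt/batch/payroll.sh": b"#!/bin/sh\nrun_payroll --month current\n",
    "/opt/batch/report.sh": b"#!/bin/sh\nbuild_report --daily\n",
    "/opt/batch/cleanup.sh": b"#!/bin/sh\nrm -f /var/tmp/batch/*\n",
}
# Constructed sample: what is deployed on the production host now.
CURRENT_PROGRAMS = {
    "/opt/batch/payroll.sh": b"#!/bin/sh\nrun_payroll --month current --audit\n",
    "/opt/batch/report.sh": b"#!/bin/sh\nbuild_report --daily --include-salaries\n",
    "/opt/batch/export.sh": b"#!/bin/sh\nexport_ledger --all\n",
}
# Constructed change register: only two of the four differences were approved.
CHANGE_REGISTER = [
    ChangeRecord("CR-101", "/opt/batch/payroll.sh",
                 sha256_hex(CURRENT_PROGRAMS["/opt/batch/payroll.sh"]), "ops-manager"),
    ChangeRecord("CR-102", "/opt/batch/cleanup.sh", None, "ops-manager"),
]

BASELINE = baseline(BASELINE_PROGRAMS)
AUDIT_LOG = audit_changes(BASELINE, CURRENT_PROGRAMS, CHANGE_REGISTER)

if __name__ == "__main__":
    for entry in AUDIT_LOG:
        print(entry)
```

In the sample, the payroll change and the retirement of the cleanup script are logged as AUTHORIZED against CR-101 and CR-102, while the edited report script and the new export script have no approved record and are logged as UNAUTHORIZED; the same check catches a program that was approved but deployed with different content, because the approved hash is part of the match. Run the check on a schedule, keep the audit log entries append-only, and refresh the baseline only after the unauthorized entries have been investigated and resolved.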
| ORGANIZATION: | YOUR LOCATION: |
|---|---|
| COMPLETED BY: | DATE COMPLETED: |
| REVIEWED BY: | DATE REVIEWED: |
OCT 2004. Copyright © Praxiom Research Group Limited. All rights reserved. Ver 1.0. Part 8: Communications and Operations Management. Page 48.
CONTACT INFORMATION

Praxiom Research Group Limited, 9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada. Phone: (780) 461-4514. Fax: (780) 463-6034. info@praxiom.com
Legal Restrictions on the Use of this Page

Thank you for visiting this page. You are, of course, welcome to view our material as often as you wish, free of charge. And as long as you keep intact all copyright notices, you are also welcome to print or make one copy of this page for your own personal, noncommercial, home use. But you are not legally authorized to print or produce additional copies, or to copy and paste any of our material onto another web site. If you would like to purchase our material, please contact our Sales Desk. Our staff would be very pleased to take your order or to answer any questions you might have.
Copyright © 2005 - 2007 by Praxiom Research Group Limited. All Rights Reserved.

This web page was updated on October 3, 2007. On the Web since May 25, 1997.