ISO IEC 17799 2000 ARCHIVE

3.1.1 Develop an information security policy document.

• Document your organization's information security policy.

• Publish your organization's information security policy.

3.1.2 Review and evaluate your information security policy.

• Clarify who owns your information security policy.

• Define a security policy review and evaluation process.

• Carry out periodic information security policy reviews.

4.1.1 Set up a management information security forum.

• Assign the responsibility for information security to one manager.

• Establish a management forum to support information security.

4.1.2 Co-ordinate information security implementation.

• Establish a management forum to implement security controls.

4.1.3 Allocate information security responsibilities.

• Allocate responsibility for the protection of information assets.

• Appoint a manager to protect your information assets.

• Appoint an owner for each information asset.

4.1.4 Establish an authorization process for new facilities.

• Set up authorization process to control new information facilities.

• Control business use of personal information processing facilities.

4.1.5 Identify specialized information security advisors.

• Identify in-house information security advisors.

• Consult security advisors when security incidents occur.

4.1.6 Maintain relationships with other organizations.

• Maintain relationships with security agencies and groups.

4.1.7 Perform independent security policy reviews.

• Perform independent reviews of your information security policy.

4.2.1 Identify third party access risks.

4.2.1.1 Consider types of third party access.

• Examine the risks associated with allowing third party access.

4.2.1.2 Establish special information access controls.

• Carry out risk assessments to evaluate third party access.

• Set up special access controls to regulate third party access.

4.2.1.3 Control on-site contractor information access.

• Use contracts to define contractor access to information.

4.2.2 Use contracts to control third party access.

• Use contracts to control access to your information processing facilities.

4.3.1 Use contracts to control outsourced services.

• Use contracts to specify how legal requirements should be met.

• Use contracts to specify the security requirements that must be met.

5.1.1 Compile an inventory of all information assets.

• Identify all of your organization's information assets.

• Define levels of protection for your information assets.

• Assign a security classification to all information assets.

5.2.1 Develop information classification guidelines.

• Give responsibility for classification to the originator or owner of information.

• Classify information according to sensitivity and how much protection is required.

• Apply your classification system to documents, records, data files, and disks.

5.2.2 Use information handling and labeling procedures.

• Develop information handling procedures for each class of information.

• Develop information labeling procedures for each class of information.

6.1.1 Include security in your job descriptions.

• Prevent personnel from misusing your information processing facilities.

• Monitor how well personnel comply with contractual security provisions.

6.1.2 Check the backgrounds of your job applicants.

• Check the character references provided by job applicants.

• Confirm the personal identity of people who apply for employment.

• Verify the professional and academic qualifications of job applicants.

• Perform credit checks for those with access to information processing facilities.

6.1.3 Use confidentiality or non-disclosure agreements.

• Ask new employees to sign confidentiality or non-disclosure agreements.

6.1.4 Use employment contracts to protect information.

• Make sure employee contracts define information security responsibilities.

6.2.1 Control your information security training.

• Teach employees about your security requirements.

• Teach employees about their legal responsibilities.

• Teach employees about your business controls.

6.3.1 Report information security incidents.

• Make sure that incidents are reported to management.

• Develop a formal security incident reporting procedure.

• Establish a formal security incident response procedure.

6.3.2 Report security threats and weaknesses.

• Make sure that personnel report all information security threats.

• Make sure that personnel report all information security weaknesses.

6.3.3 Control your software malfunctions.

• Develop a procedure for reporting software malfunctions.

• Develop a procedure for responding to software malfunctions.

6.3.4 Learn from your security incidents.

• Monitor and quantify the types of security incidents.

• Monitor and quantify the costs of security incidents.

6.3.5 Develop a disciplinary process.

• Develop a process to discipline people who violate your security procedures.

7.1.1 Use perimeters to protect facilities.

• Use security perimeters and barriers to protect facilities.

• Restrict building access to authorized personnel.

7.1.2 Use entry controls to protect secure areas.

• Record the date and time visitors enter and leave secure areas.

• Use physical controls to restrict access to information processing facilities.

7.1.3 Use design strategies to protect secure areas.

• Design your secure areas to withstand natural and man-made disasters.

• Use intruder detection systems to prevent access to secure areas.

7.1.4 Use work guidelines to protect secure areas.

• Use guidelines to control the work done in secure areas.

• Supervise all work performed in secure areas.

7.1.5 Use holding areas to protect secure areas.

• Control the use of your organization's delivery and holding areas.

• Separate delivery and holding areas from information processing facilities.

7.2.1 Safeguard your equipment.

• Isolate all equipment that requires an extra level of protection.

• Adopt security measures to protect your equipment.

7.2.2 Protect your power supplies.

• Protect your equipment from power failures.

• Protect your equipment from electrical anomalies.

7.2.3 Secure your cables.

• Protect power lines from unauthorized interception or damage.

• Protect communication cables from unauthorized interception or damage.

7.2.4 Maintain your equipment.

• Maintain your equipment to ensure that it functions properly.

• Allow only authorized personnel to service your equipment.

7.2.5 Control off-site equipment.

• Make sure that all off-site use of equipment is authorized.

• Take additional security measures to deal with off-site risks.

7.2.6 Control equipment disposal.

• Control the disposal of old or obsolete information processing equipment.

• Control the re-use of old or obsolete information processing equipment.

7.3.1 Establish a clear-desk and clear-screen policy.

• Establish a clear-desk policy to protect information processing facilities.

• Establish a clear-screen policy to protect information processing facilities.

7.3.2 Control the removal of property.

• Get management authorization to take equipment off-site.

• Get management authorization to take information off-site.

• Get management authorization to take software off-site.

8.1.1 Document your operating procedures.

• Develop operating procedures that comply with your security policy.

• Develop housekeeping procedures for information processing facilities.

• Develop housekeeping procedures for communication facilities.

8.1.2 Control changes to facilities and systems.

• Control changes to your information processing facilities.

• Control changes to your information systems.

8.1.3 Establish incident management procedures.

• Develop procedures to handle all types of security incidents.

• Develop procedures to handle information security failures.

• Develop procedures to handle confidentiality breakdowns.

• Develop procedures to handle the denial of service.

• Develop procedures to handle the loss of service.

• Develop procedures to handle incomplete data.

• Develop procedures to handle inaccurate data.

8.1.4 Segregate control over key responsibilities.

• Prevent misuse of information or services by segregating duties.

• Prevent unauthorized modification of information by segregating duties.

• Reduce the probability of fraud by reducing the opportunity for collusion.

• Supervise work more closely whenever responsibilities can't be separated.

8.1.5 Separate systems development and operations.

• Separate responsibility for software development, testing, and operations.

• Control the transfer of software from development and testing to operations.

8.1.6 Control the management of external facilities.

• Make sure that external contractors protect your information.

• Make sure that contracts define controls that contractors must use.

• Make sure that contracts specify business continuity requirements.

8.2.1 Monitor usage and meet future requirements.

• Monitor your information storage and processing resource demands.

• Identify your future information storage and processing requirements.

• Develop plans to ensure future storage and processing needs will be met.

8.2.2 Use acceptance criteria to test systems.

• Use acceptance criteria to test new systems before they are used.

• Use acceptance criteria to test system upgrades before they are used.

8.3.1 Detect and prevent malicious software.

• Implement controls to protect your systems against malicious software.

• Implement controls to detect the introduction of malicious software.

• Implement controls to prevent the introduction of malicious software.

8.4.1 Back-up your information and software.

• Make regular back-ups of all essential information.

• Make regular back-ups of all essential software.

8.4.2 Maintain a log of operator activities.

• Make sure that operators maintain a log of their activities.

• Make sure that records can confirm that files are handled correctly.

• Make sure that records can confirm that output is handled properly.

• Make sure that log checks are performed by an independent person.

8.4.3 Report and log system faults.

• Make sure that users report all system faults.

• Make sure that you log all system fault reports.

• Establish rules for handling reported faults.

8.5.1 Establish network security controls.

• Establish controls to secure the information in computer networks.

• Establish controls to protect connected services from unauthorized access.

• Establish procedures to protect systems connected to public networks.

• Establish procedures to manage and control remote equipment.

8.6.1 Manage removable computer media.

• Establish procedures to manage and control removable computer media.

8.6.2 Control the disposal of your media.

• Establish procedures to control the secure disposal of computer media.

8.6.3 Control information handling and storage.

• Establish procedures to control information handling and storage.

8.6.4 Protect your system documentation.

• Develop controls to protect your system documentation.

8.7.1 Develop information exchange agreements.

• Establish security agreements to control the exchange of information.

• Establish security agreements to control the exchange of software.

8.7.2 Safeguard the transportation of computer media.

• Establish controls to safeguard the physical transportation of media.

• Establish special controls to safeguard sensitive information during transit.

8.7.3 Create controls to protect ecommerce.

• Establish controls to protect online transactions.

• Establish controls to protect electronic data interchange activities.

8.7.4 Establish controls to protect email.

8.7.4.1 Control the use of email.

• Establish controls to make email less vulnerable to tampering.

• Establish controls to make email less vulnerable to unauthorized access.

• Establish controls to increase the reliability of your email service.

8.7.4.2 Develop an email policy.

• Ensure that policy explains how email attacks should be handled.

• Ensure that policy explains how email viruses should be handled.

• Ensure that policy explains how email attachments should be handled.

• Ensure that policy explains when cryptographic techniques must be used.

• Ensure that policy explains when email should not be used.

8.7.5 Protect your electronic office systems.

• Establish policies to protect your electronic office systems and facilities.

• Reduce the vulnerability of information in your electronic office systems.

• Control information sharing within and between electronic office systems.

• Make arrangements that allow you to continue operating when systems fail.

8.7.6 Control your public information systems.

• Establish a process to authorize publication of electronic documents.

• Protect the integrity of information that is published electronically.

• Establish a process to control how public feedback should be handled.

8.7.7 Regulate external communications.

• Establish procedures to control voice communications.

• Establish procedures to control mobile phone communications.

• Establish procedures to control answering machine messages.

• Establish procedures to control dial-in voice-mail systems.

• Establish procedures to control video communications.

• Establish procedures to control fax communications.

9.1.1 Develop a policy and rules to control access.

9.1.1.1 Develop a policy to control information access.

• Define the business requirements that your access controls must meet.

• Establish an access policy that meets your business requirements.

9.1.1.2 Develop information access control rules.

• Develop rules to control access to information.

9.2.1 Establish a user registration procedure.

• Develop a procedure to control the registration and de-registration of users.

9.2.2 Control the authorization of system privileges.

• Establish an authorization process to control the allocation of special privileges.

• Specify which staff members should have what kind of privileges.

9.2.3 Establish a process to manage passwords.

• Establish a process to manage and control the allocation of passwords.

• Store your organization's passwords on a secure computer system.

9.2.4 Review user access rights and privileges.

• Make sure that managers review user access rights and privileges.

9.3.1 Encourage users to protect passwords.

• Make sure that password selection follows best information security practices.

9.3.2 Encourage users to protect equipment.

• Make sure that users know how to protect unattended equipment.

• Make sure that users understand their equipment protection responsibilities.

9.4.1 Formulate a network use policy.

• Establish a policy to control the use of networks and network services.

9.4.2 Use enforced paths to control access.

• Reduce the opportunity for unauthorized access by using enforced paths.

9.4.3 Authenticate remote user connections.

• Use authentication methods to prevent unauthorized access by remote users.

• Carry out risk assessments to determine what level of protection is required.

• Use cryptographic methods when strong protection is required.

9.4.4 Use node authentication to control remote users.

• Use node authentication methods to authenticate remote users.

• Use node authentication to prevent unauthorized access to applications.

9.4.5 Control remote access to diagnostic ports.

• Control access to the diagnostic ports found in computers and systems.

• Use procedures and key locks to control access to diagnostic ports.

9.4.6 Segregate internal and external networks.

• Segregate your internal networks from your business partners' networks.

9.4.7 Restrict connection to shared networks.

• Establish controls to restrict the users' ability to connect to shared networks.

• Review and update shared network connection restrictions on a regular basis.

9.4.8 Establish shared network routing controls.

• Use routing controls to ensure that information flows comply with access policy.

• Use routing controls to ensure that computer connections comply with your policy.

9.4.9 Verify the security of network services.

• Establish a description of the security features used by each network service.

• Verify the security features of all network services used by your organization.

9.5.1 Use automatic terminal identification techniques.

• Use automatic terminal identification techniques to authenticate connections.

9.5.2 Establish terminal log-on procedures.

• Establish terminal log-on procedures to control access to information services.

9.5.3 Identify and authenticate all users.

• Assign a unique identifier (ID) to each user.

• Establish controls to limit assignment of IDs to groups.

• Establish authentication procedures to verify the identity of users.

9.5.4 Set up a password management system.

• Make sure that password system requires the use of "good quality" passwords.

• Make sure that your password management system facilitates accountability.

9.5.5 Control the use of all system utilities.

• Restrict the use of system utilities that could be used to override your controls.

• Define authorization levels that are used to restrict the use of system utilities.

9.5.6 Provide duress alarms to protect users.

• Provide duress alarms to users who could be the target of coercion or violence.

• Carry out a risk assessment to determine who should have duress alarm systems.

• Develop procedures that describe how people should respond to duress alarms.

9.5.7 Use time-outs to protect inactive terminals.

• Use time-outs to prevent unauthorized access to inactive terminals.

• Use time-outs to prevent unauthorized access to terminals in high risk areas.

9.5.8 Restrict terminal connection times.

• Reduce the opportunity for unauthorized access by limiting connection times.

9.6.1 Regulate access to applications and information.

• Use an access control policy to control access to functions and information.

• Make sure that your business requirements determine your access restrictions.

9.6.2 Isolate sensitive application systems.

• Isolate your organization's sensitive application systems.

• Use dedicated computers to run your most sensitive applications.

9.7.1 Establish and maintain system logs.

• Establish information system audit logs to record exceptions and events.

9.7.2 Monitor information processing facilities.

9.7.2.1 Establish procedures to monitor facilities.

• Establish procedures to monitor the use of information processing facilities.

• Carry out a risk assessment to identify what level of monitoring is needed.

• Monitor authorized access to your information processing facilities.

• Monitor unauthorized access to information processing facilities.

9.7.2.2 Review the results of monitoring activities.

• Review high risk processing facility monitoring results more often.

• Review the most critical application monitoring results more often.

• Review the results that monitor the use of critical information.

9.7.2.3 Study logs to identify security events.

• Review logs in order to identify possible security threats and incidents.

• Ensure that log reviewers are independent of the people being reviewed.

9.7.3 Protect logs by synchronizing clocks.

• Protect the credibility of logs by ensuring that computer clocks are accurate.

• Establish a procedure to check computer clocks and correct time variations.

9.8.1 Protect mobile equipment and information.

• Protect the information processed by mobile computing equipment.

• Establish a policy to address the risk of using mobile computing equipment.

9.8.2 Protect teleworking equipment and information.

• Secure your organization's remote teleworking sites.

• Develop a policy to control teleworking activities.

10.1.1 Specify security controls and requirements.

• Specify the security controls that new information systems must meet.

• Specify the security requirements that new information systems must meet.

10.2.1 Build input data validation in your systems.

• Build input data validation controls into your application systems.

• Develop procedures to respond to data validation errors.

• Define the responsibilities of all data input personnel.

10.2.2 Build processing controls into your systems.

10.2.2.1 Design processing controls to minimize risk.

• Build internal processing controls into your application systems.

• Ensure that processing controls can detect data corruption.

10.2.2.2 Incorporate processing checks and controls.

• Incorporate internal processing checks and controls into your systems.

• Ensure that checks and controls can detect and prevent data corruption.

10.2.3 Build message authentication into your systems.

• Protect electronic messages by building message authentication in systems.

• Assess security risks before you decide how to use message authentication.

10.2.4 Build output data validation into your systems.

• Ensure that output data is correct by building data validation into your systems.

• Define the responsibilities of the people who manage and process output data.

• Develop procedures to interpret and respond to output validation tests.

10.3.1 Develop a policy on the use of cryptography.

• Make sure that cryptography policy explains how cryptography should be used.

• Make sure that cryptography policy describes general encryption principles.

• Make sure that cryptography policy describes roles and responsibilities.

10.3.2 Encrypt sensitive or critical information.

• Do a risk assessment to identify the level of cryptographic protection needed.

• Use cryptography specialists to help you develop cryptographic solutions.

• Use legal experts to ensure that you comply with cryptography laws.

10.3.3 Protect documents with digital signatures.

• Use digital signatures to protect integrity and authenticity of digital documents.

10.3.4 Use non-repudiation services to resolve disputes.

• Use non-repudiation services to prove that an action or event has taken place.

10.3.5 Establish a key management system.

10.3.5.1 Protect your cryptographic keys.

• Establish a management system to protect your cryptographic keys.

10.3.5.2 Use secure methods to manage keys.

• Make sure that your key management system uses secure methods.

10.4.1 Control the implementation of software.

• Control the implementation of software on your operational systems.

• Maintain an audit log of all updates to operational program libraries.

10.4.2 Control the use of system data for testing.

• Control the use of operational data for system and acceptance testing.

• Protect operational data while it is being used for testing purposes.

10.4.3 Control access to program source library.

• Prevent program corruption by controlling access to program source libraries.

• Appoint a program librarian for each one of your organization's applications.

• Establish change control procedures to manage program source libraries.

10.5.1 Establish change control procedures.

• Establish procedures to control changes to your information systems.

• Segregate software testing from software development and production.

10.5.2 Review changes to operating system.

• Review and test application systems whenever operating system changes.

• Make sure that operating system changes do not adversely effect applications.

10.5.3 Restrict changes to software packages.

• Make sure people do not modify vendor-supplied software without approval.

• Test all changes to vendor-supplied software before you implement them.

• Document all changes to vendor-supplied software packages.

10.5.4 Safeguard against covert channels and Trojans.

• Purchase programs from reputable sources.

• Inspect all source code before you use it.

• Control access to code once it's been installed.

• Use trustworthy staff to work on important systems.

10.5.5 Control outsourced software development.

• Manage and control your outsourced software development projects.

11.1.1 Establish your continuity management process.

• Identify the risks that threaten the security of your business processes.

• Estimate the likelihood that you will be exposed to security risks and threats.

• Analyze the impact that serious threats could have on your business processes.

• Analyze the impact that serious disruptions could have on your organization.

• Formulate business continuity plans for information processing facilities.

11.1.2 Perform threat analysis and impact analysis.

• Carry out a threat analysis to identify the events that could interrupt business.

• Carry out a risk assessment to identify the impact that interruptions could have.

• Use the results of your analyses to define your approach to business continuity.

11.1.3 Develop your business continuity plans.

• Develop plans to restore and continue operations after processes have failed.

• Ensure that business continuity plans assign emergency management duties.

• Ensure that business continuity plans define emergency response procedures.

• Teach your staff about your crisis management methods and procedures.

11.1.4 Maintain a continuity planning framework.

• Establish a single framework of continuity plans to ensure consistency.

• Use business continuity framework to determine plan testing priorities.

• Use business continuity framework to determine plan maintenance priorities.

• Amend your business continuity plans whenever new security threats emerge.

• Make sure that each continuity plan specifies when each plan is activated.

11.1.5 Test and update continuity management plans.

11.1.5.1 Test business continuity management plans.

• Test the effectiveness of your business continuity plans regularly.

• Make sure that all business continuity plans are up-to-date.

11.1.5.2 Update business continuity management plans.

• Use regular reviews to maintain the effectiveness of continuity plans.

• Update business continuity plans whenever business practices change.

• Update business continuity plans whenever risk factors change.

• Update business continuity plans whenever facilities change.

12.1.1 Identify all relevant legal requirements.

• Identify all legal requirements for each one of your information systems.

• Identify the controls that you need in order to comply with legal requirements.

• Identify the responsibilities that must be met to comply with legal requirements.

12.1.2 Respect intellectual property rights.

12.1.2.1 Create intellectual property procedures.

• Set up procedures to ensure compliance with intellectual property rights.

12.1.2.2 Comply with all software copyrights.

• Develop a software copyright compliance policy.

• Develop policies to control software purchases.

• Maintain a registry of proprietary software assets.

12.1.3 Safeguard your organization's records.

• Implement controls to protect records and information from loss.

• Implement controls to protect records and information from destruction.

• Implement controls to protect records and information from falsification.

12.1.4 Protect the privacy of personal information.

• Comply with all relevant legislation related to the use of personal data.

• Appoint a data protection officer to provide advice on personal data issues.

12.1.5 Prevent misuse of data processing facilities.

• Ensure that data processing facilities are not used for non-business purposes.

• Monitor the use of data processing facilities to detect unauthorized use.

12.1.6 Control the use of cryptographic controls.

• Ensure that use of cryptographic controls complies with all legal requirements.

12.1.7 Collect evidence to support your actions.

12.1.7.1 Comply with appropriate rules of evidence.

• Collect evidence to support potential legal actions.

• Collect evidence to support potential disciplinary actions.

• Develop procedures that specify what kind of evidence is needed.

• Make sure that your evidence will comply with legal rules of evidence.

12.1.7.2 Gather evidence that is admissible in court.

• Ensure that your evidence would be admissible in a court of law.

• Ensure that your information systems can produce legal evidence.

12.1.7.3 Protect the quality of your evidence.

• Establish a strong trail of evidence whenever an illegal incident occurs.

• Protect your evidence whenever a potentially illegal incident occurs.

12.2.1 Review compliance with security policy.

• Review how well your organization follows its own security policies.

• Review how well your organization follows its own security procedures.

• Review how well your organization complies with official security standards.

12.2.2 Review technical security compliance.

• Check systems to ensure compliance with technical security standards.

• Carry out penetration tests to detect information security vulnerabilities.

12.3.1 Plan the audit of operational systems.

• Plan operational audit activities in order to minimize disruption.

• Log all access to operational systems in order to product a reference trail.

• Perform regular audits of your operational systems.

12.3.2 Protect your system tools.

• Protect your system audit tools to prevent any possible misuse of these tools.

• Segregate your system audit tools from operational and development systems.