Pre-Review Notes:
I obtained this document in PDF format and alas it has the following properties:
- Printing : Allowed
- Changing the Document: Not Allowed
- Document Assembly: Not Allowed
- Content Copying & Extraction: Allowed
- Content Extraction for Accessibility: Allowed
- Commenting: Not Allowed
- Filling of form fields: Not Allowed
- Signing: Not Allowed
- Creation of Template Pages: Not Allowed
Enabling printing is a matter of expedience, as many users will prefer to read printed materials (I wonder why a printed version is sold at all). Content extraction? Okay, maybe for the sake of quoting the document, but the editor must have a funny sense of humor. They do not permit commenting!!! How in the world can you deny commenting on a reference text but allow copying and pasting? The copy-and-paste and printing permissions defeat any other controls in the document.
The controls in this document are not unlike the controls in many organizations today. They are a nuisance to the average user but just a twig in the path of the truly malicious (a pirate, in this case) user.
There is a footnote identifying to whom the document has been licensed, but for the $190 or so the book costs (it was purchased for me), a document pirate surely has enough motivation to copy it into Word, reformat it appropriately and resell it!!!
I have sent an email to copyright@iso.org and hope they will make appropriate adjustments and even issue an apology to those who already own the document.
Ok, now the document review. This is not a framework document, nor is it a standard; rather, ISO 17799-2005, like the predecessor it obsoletes (ISO 17799-2002), is a collection of best practices and a work in progress. Since the 2002 release of ISO 17799 as an expanded and internationalized offshoot of the United Kingdom's BS 7799, ISO/IEC have established various mechanisms, including Joint Technical Committees (JTC), on various aspects of information security, including risk assessment, metrics (!) and measurement, implementation guidance, as well as management requirements. Surely one key ingredient is missing in their thinking: an architectural framework. Anyhow, the efforts of the ISO/IEC collaboration are yielding some standardized processes for managing information security and maybe spawning a new industry (!).

The three bases for determining security requirements are quite intuitive, i.e.: risk assessment (a formal analysis of business risks and the management of these risks, resulting in specific security requirements), regulatory or compliance requirements, and organizational business requirements.
The last basis considers security as a critical business enabler and, in my opinion, should be the main motivation for security requirements. Security should be a core business objective and enabler. In the opening paragraph of the foreword to ISO 17799, information is described as a business asset.
I will expand on it and define information as "Any data or collection of data in any format that has value to some entity, either in its primitive form or as an aggregate".
Entity here could be individuals, businesses of any size and nature, and/or government. This is a more general and all-encompassing definition than the ISO/IEC document portends, and it covers many more bases for securing the information.
The document is arranged as a collection of clauses and categories (or sub-clauses). In all there are 12 clauses (11 main clauses and an introductory clause). The main clauses are further broken into 39 categories.
The introductory clause (new in this document) is Risk Assessment & Treatment. The main clauses are:
- Security Policies
- Organizing Information Security
- Asset Management
- Human Resources Security
- Physical & Environmental Security
- Communication and Operations Management
- Access Control
- Information Systems Acquisition, Development & Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

(The number of categories per clause was listed in the original document, but I'll skip that here for clarity.)
The document describes controls for each category, recommends implementation guidance and provides additional information that may be relevant to that category. Each category basically contains an objective and the mechanisms to achieve that objective. It should be noted that this document is a work in progress and its content is a collection of best practices and suggestions. It is by no means a standard and should not be treated as if it were. Also, the identified clauses should by no means be considered the holy grail, or even complete. Each organization (or enterprise, as I prefer to call it) will have to determine its own adaptation of this guide and define its own controls. A mapping of the main clauses and their accompanying categories is listed below:
- Security Policy
  - Information Security Policy
- Organization of Information Security
  - Internal Organization
  - External Organization
- Asset Management
  - Responsibility for Assets
  - Information Classification
- Human Resources Security
  - Prior to Employment
  - During Employment
  - Termination or Change of Employment
- Physical and Environmental Security
  - Secure Areas
  - Equipment Security
- Communication and Operations Management
  - Operational Procedures and Responsibilities
  - Third Party Service Delivery Management
  - System Planning & Acceptance
  - Protection Against Malicious & Mobile Codes
  - Back-Up
  - Network Security Management
  - Media Handling
  - Exchange of Information
  - Electronic Commerce Services
  - Monitoring
- Access Control
  - Business Requirements for Access Control
  - User Access Management
  - User Responsibilities
  - Network Access Control
  - Operating System Access Control
  - Application and Information Access Control
  - Mobile Computing & Teleworking
- Information Systems Acquisition, Development and Maintenance
  - Security Requirements for Information Systems
  - Correct Processing in Application
  - Cryptographic Controls
  - Security of System Files
  - Security Development and Support Process
  - Technical Vulnerability Management
- Information Security Incident Management
  - Reporting Information Security Events and Weaknesses
  - Management of Information Security Incidents and Improvements
- Business Continuity Management
  - Information Security Aspects of Business Continuity Management
- Compliance
  - Compliance with Legal Requirements
  - Compliance with Security Policies and Standards, and Technical Compliance
  - Information Systems Audit Considerations
If you're still wondering whether you should get a copy of 17799-2005, then please read the following additional comments and review of the rest of the document. I will make every effort not to regurgitate the text; rather, I will present you with a view of the document that could assist you in determining its ultimate utility for your use. I must let you know, though, that I would advise all security system coordinators, and students of information system security courses or programs, to get a copy. CSOs and CIOs must consider this a must-have, as should every GIAC, CISSP and even CCIE-Security candidate and affiliate. Reason? Because this is the work of many years by people in the trenches, and even though they have a penchant for being vague on many occasions, you will benefit from the advice and recommendations in this volume. Ok, now my take: