Re: ISO IEC 27002 (ISO-17799) assistance please.

["Sheldon Malm" <smalm () ncircle com>]

Go to the mitre site and check out the CCE list.  They have done some good work mapping multiple standards to the 
Common Configuration Enumeration standard.

This is the equivalent to CVE for configuration items.

--------------------------
Sheldon Malm
Director 
Security Research and Development
nCircle VERT

Sent from my BlackBerry Wireless Handheld


----- Original Message -----
From: listbounce () securityfocus com <listbounce () securityfocus com>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Thu Jan 10 18:36:02 2008
Subject: ISO IEC 27002 (ISO-17799) assistance please.

I am hoping that the experts on this list might be able to assist me
with problem.  I have a consultant who is doing some audit work for
the company I work for.  This consultant has been quoting information
about best business practice and standards and has my managment in a
bit of a tizzy.  So far I have been able to prove or disprove most
things that he has been telling my managment, but I am stuck one and
it seems that this item has struck a nerve.

The consultant has claimed that both NIST and ISO-17799 recomend the
use of automated workstation locking after X minutes.  I have found
information on the NIST Standard but have not been able to find
anything on the ISO-17799 standard (or atleast not without buying it).
 Does anyone on the list happen to have a copy of ISO-17799, if so
could you help me prove or disprove this comment?

I have done several google searches and all of the links I get end up
asking me to purchase the Standard.  I think having it would be a good
thing, just that I do not have money in my budget to purchase it.

Many thanks in advance,

Chris.