Security Basics mailing list archives

RE: ISO IEC 27002 (ISO-17799) assistance please.


From: "Beryl Podoll" <Beryl.Podoll () ncanet com>
Date: Fri, 11 Jan 2008 08:48:53 -0800

Chris,

I'm a consultant for a security firm and we follow an ISO 27001:2005
approach for implementing a security management system. We are currently
the only security consulting firm in North America with our own ISO
27001 certified ISMS.

If you didn't know, ISO 17799 is the guidance document for ISO 27001.
ISO 27001 is the standard that you get certified towards, and ISO 17799
is a guidance document. It is only guidance, and is not what needs to be
implemented to be ISO 27001 certified. Maybe consultants get this wrong
and frankly do not understand the ISO standards. ISO 27001 is about
building a management system that is appropriate for your company, in a
manner that makes sense.

I would suggest that if implementing workstation lockout (session
time-out) is not appropriate for your company, you conduct a risk
analysis and a cost benefit analysis on this control. Then if the cost
of the control outweighs the risk, have your management accept the risk
of not having a session time-out implemented and use other
administrative (policies, procedures) and physical (controlled areas for
workstations, security cameras) controls to compensate. There is not an
auditor in the world that would not accept this, if you show your due
diligence and that this control would be hindering to your business.
Security should be an enabler, not an inhibitor.

The control objective they are talking about is:

ISO 27001:2005 - (Certifiable Standard)

Annex A:
A.11 Access control
A.11.5 Operating system access control
A.11.5.5 Session time-out
Control - Inactive sessions shall shut down after a defined period of
inactivity.

ISO 17799:2005 - (Implementation Guidance)
11 Access control
11.5 Operating system access control
11.5.5 Session time-out
Control - Inactive sessions shall shut down after a defined period of
inactivity.
Implementation guidance - A time-out facility should clear the session
screen and also, possibly later, close both application and network
sessions after a defined period of inactivity. The time-out delay should
reflect the security risks of the area, the classification of the
information being handled and the applications being used, and the risks
related to the users of the equipment.

A limited form of time-out facility can be provided for some systems,
which clears the screen and prevents unauthorized access but does not
close down the application or network sessions.

Other Information - The control is particularly important in high risk
locations, which include public or external areas outside the
organization's security management. The sessions should be shut down to
prevent access by unauthorized persons and denial of service attacks.

Hope it helps..... 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Roch
Sent: Friday, January 11, 2008 8:11 AM
To: Chris Barber
Cc: security-basics () securityfocus com
Subject: Re: ISO IEC 27002 (ISO-17799) assistance please.

Yes, it's under section 11.3.2 Unattended User Equipment of ISO27002.

On 11/01/2008, Chris Barber <cmbarber () gmail com> wrote:
I am hoping that the experts on this list might be able to assist me
with a problem. I have a consultant who is doing some audit work for
the company I work for. This consultant has been quoting information
about best business practice and standards and has my management in a
bit of a tizzy. So far I have been able to prove or disprove most
things that he has been telling my management, but I am stuck on one and
it seems that this item has struck a nerve.

The consultant has claimed that both NIST and ISO-17799 recommend the
use of automated workstation locking after X minutes. I have found
information on the NIST Standard but have not been able to find
anything on the ISO-17799 standard (or at least not without buying it).
Does anyone on the list happen to have a copy of ISO-17799? If so,
could you help me prove or disprove this comment?

I have done several google searches and all of the links I get end up
asking me to purchase the Standard. I think having it would be a good
thing, just that I do not have money in my budget to purchase it.

Many thanks in advance,

Chris.
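As an added example, not part of the list thread or any ISO document: the A.11.5.5 / 11.5.5 control quoted above only asks that inactive sessions end after a "defined period", so the first thing an auditor will want to see is evidence that the period is defined and actually enforced. The PowerShell script below reads a Windows workstation's screen-saver lock settings (Group Policy values take precedence over the user's own) and compares them with an assumed policy limit of 900 seconds, which is a constructed value you would replace with the outcome of your own risk analysis. It covers only the "clear the screen" part of the guidance; closing application and network sessions is a separate, application-level matter.

```powershell
# Added example (not from the list thread): audit a Windows workstation's
# screen-saver lock against a defined inactivity period, as evidence for
# ISO 27001 A.11.5.5 / ISO 17799 11.5.5 "Session time-out".
# Assumption: the allowed idle time (900 s here) comes from your own risk
# analysis; it is a constructed value, not one the standard prescribes.

param(
    [int]$MaxIdleSeconds = 900   # assumed policy value
)

# Group Policy writes lock settings here; they override the user's values.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'

function Get-LockSetting {
    param([string]$Name)
    # Return the policy value if present, otherwise the user's own setting.
    foreach ($key in @($policyKey, $userKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [string]$item.$Name }
    }
    return $null
}

$active  = Get-LockSetting 'ScreenSaveActive'    # "1" = screen saver enabled
$secure  = Get-LockSetting 'ScreenSaverIsSecure' # "1" = password required on resume
$timeout = Get-LockSetting 'ScreenSaveTimeOut'   # idle seconds before it starts

$findings = @()
if ($active -ne '1') { $findings += 'screen saver is not enabled' }
if ($secure -ne '1') { $findings += 'resume does not require a password (screen clears but the session stays open)' }
if (-not $timeout -or [int]$timeout -le 0 -or [int]$timeout -gt $MaxIdleSeconds) {
    $findings += "idle timeout is '$timeout' s; policy allows at most $MaxIdleSeconds s"
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: screen locks after $timeout s idle and requires a password"
} else {
    Write-Output 'NON-COMPLIANT: record a risk acceptance or compensating controls:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it under each user profile being audited, since the keys live under HKCU; a non-compliant result is exactly the point where the risk acceptance and compensating controls described in the reply above need to be documented.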
