Security Basics mailing list archives
RE: ISO IEC 27002 (ISO-17799) assistance please.
From: "Beryl Podoll" <Beryl.Podoll () ncanet com>
Date: Fri, 11 Jan 2008 08:48:53 -0800
Chris, I'm a consultant for a security firm and we follow an ISO 27001:2005 approach for implementing a security management system. We are currently the only security consulting firm in North America with our own ISO 27001 certified ISMS. If you didn't know, ISO 17799 is the guidance document for ISO 27001. ISO 27001 is the standard that you get certified towards, and ISO 17799 is a guidance document. It is only guidance, and is not what needs to be implemented to be ISO 27001 certified. Maybe consultants get this wrong and frankly do not understand the ISO standards.

ISO 27001 is about building a management system that is appropriate for your company, in a manner that makes sense. I would suggest that if implementing workstation lockout (session time-out) is not appropriate for your company, you conduct a risk analysis and a cost-benefit analysis on this control. Then if the cost of the control outweighs the risk, have your management accept the risk of not having a session time-out implemented and use other administrative (policies, procedures) and physical (controlled areas for workstations, security cameras) controls to compensate. There is not an auditor in the world that would not accept this, if you show your due diligence and that this control would hinder your business. Security should be an enabler, not an inhibitor.

The control objective they are talking about is:

ISO 27001:2005 - (Certifiable Standard)
Annex A: A.11 Access control
A.11.5 Operating system access control
A.11.5.5 Session time-out
Control - Inactive sessions shall shut down after a defined period of inactivity.

ISO 17799:2005 - (Implementation Guidance)
11 Access control
11.5 Operating system access control
11.5.5 Session time-out
Control - Inactive sessions shall shut down after a defined period of inactivity.
Implementation guidance - A time-out facility should clear the session screen and also, possibly later, close both application and network sessions after a defined period of inactivity. The time-out delay should reflect the security risks of the area, the classification of the information being handled and the applications being used, and the risks related to the users of the equipment. A limited form of time-out facility can be provided for some systems, which clears the screen and prevents unauthorized access but does not close down the application or network sessions.

Other Information - The control is particularly important in high risk locations, which include public or external areas outside the organization's security management. The sessions should be shut down to prevent access by unauthorized persons and denial of service attacks.

Hope it helps.....

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Roch
Sent: Friday, January 11, 2008 8:11 AM
To: Chris Barber
Cc: security-basics () securityfocus com
Subject: Re: ISO IEC 27002 (ISO-17799) assistance please.

Yes, it's under section 11.3.2 Unattended User Equipment of ISO27002.

On 11/01/2008, Chris Barber <cmbarber () gmail com> wrote:
I am hoping that the experts on this list might be able to assist me with a problem. I have a consultant who is doing some audit work for the company I work for. This consultant has been quoting information about best business practice and standards and has my management in a bit of a tizzy. So far I have been able to prove or disprove most things that he has been telling my management, but I am stuck on one, and it seems that this item has struck a nerve. The consultant has claimed that both NIST and ISO-17799 recommend the use of automated workstation locking after X minutes. I have found information on the NIST Standard but have not been able to find anything on the ISO-17799 standard (or at least not without buying it). Does anyone on the list happen to have a copy of ISO-17799, if so could you help me prove or disprove this comment? I have done several google searches and all of the links I get end up asking me to purchase the Standard. I think having it would be a good thing, just that I do not have money in my budget to purchase it.

Many thanks in advance, Chris.
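The 17799 implementation guidance quoted in the reply above describes a staged time-out (clear the screen first, then possibly close the application session and the network session later), with delays that depend on the risk of the area and the classification of the data, plus a "limited form" that only clears the screen. The following Python model is an added example to make that staging concrete; it is not code from the thread, from any poster, or from the standard. The area tiers, classification factors and all delay values are assumptions chosen for illustration, not figures the standard prescribes.

```python
"""Staged inactivity time-out modelled on ISO 17799:2005 11.5.5 guidance.

Hypothetical example: tier names, delays and the session model are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed delays in seconds by area risk: (clear screen, close app, close network).
# The guidance only says the delay should reflect area risk, data classification
# and the users; these numbers are illustrative.
AREA_DELAYS = {
    "controlled": (900, 3600, 7200),  # e.g. badge-controlled office
    "shared": (300, 1800, 3600),      # e.g. open-plan or shared workstation
    "public": (60, 300, 600),         # e.g. kiosk or external location
}

# Assumed: handling more sensitive data shortens every delay by this factor.
CLASSIFICATION_FACTOR = {"public": 1.0, "internal": 1.0,
                         "confidential": 0.5, "secret": 0.25}


@dataclass(frozen=True)
class TimeoutPolicy:
    clear_screen_after: int
    close_application_after: Optional[int]  # None = "limited form", never closed
    close_network_after: Optional[int]


def timeout_policy(area: str, classification: str,
                   limited: bool = False) -> TimeoutPolicy:
    """Derive the three delays from area risk and data classification."""
    if area not in AREA_DELAYS:
        raise ValueError(f"unknown area risk tier: {area!r}")
    factor = CLASSIFICATION_FACTOR[classification]
    screen, app, net = (max(1, int(d * factor)) for d in AREA_DELAYS[area])
    if limited:
        # Limited form: screen is cleared, application/network sessions stay up.
        return TimeoutPolicy(screen, None, None)
    return TimeoutPolicy(screen, app, net)


@dataclass
class Session:
    policy: TimeoutPolicy
    last_activity: float  # time of last accepted user input (seconds)
    screen_cleared: bool = False
    application_open: bool = True
    network_open: bool = True
    log: List[str] = field(default_factory=list)

    def touch(self, now: float) -> None:
        """User input resets the idle clock, but input on a cleared screen
        does not count as activity until the user re-authenticates."""
        if not self.screen_cleared:
            self.last_activity = now

    def unlock(self, now: float) -> bool:
        """Successful re-authentication restores the screen if the
        application session is still open; returns whether it succeeded."""
        if not self.application_open:
            return False
        self.screen_cleared = False
        self.last_activity = now
        return True

    def evaluate(self, now: float) -> List[str]:
        """Apply the policy at time `now`; return the actions taken right now."""
        idle = now - self.last_activity
        p, actions = self.policy, []
        if not self.screen_cleared and idle >= p.clear_screen_after:
            self.screen_cleared = True
            actions.append("clear_screen")
        if (p.close_application_after is not None and self.application_open
                and idle >= p.close_application_after):
            self.application_open = False
            actions.append("close_application")
        if (p.close_network_after is not None and self.network_open
                and idle >= p.close_network_after):
            self.network_open = False
            actions.append("close_network")
        self.log.extend(f"t={now:.0f} idle={idle:.0f}s {a}" for a in actions)
        return actions


if __name__ == "__main__":
    # Constructed timeline: confidential data on a public workstation.
    s = Session(timeout_policy("public", "confidential"), last_activity=0.0)
    for t in (10, 30, 45, 150, 300):
        s.evaluate(t)
    print("\n".join(s.log))
```

The point the model makes is the one the guidance makes: the screen lock is the cheap, early stage that stops shoulder-surfers and walk-up use, while closing the application and network sessions is the later stage that also frees server-side resources; a "limited form" keeps only the first stage, and the delays scale with where the equipment sits and what it handles.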
Current thread:
- ISO IEC 27002 (ISO-17799) assistance please. Chris Barber (Jan 11)
- Re: ISO IEC 27002 (ISO-17799) assistance please. Roch (Jan 11)
- RE: ISO IEC 27002 (ISO-17799) assistance please. Beryl Podoll (Jan 14)
- RE: ISO IEC 27002 (ISO-17799) assistance please. Abimbola, Abiola (Jan 11)
- Re: ISO IEC 27002 (ISO-17799) assistance please. Tima Soni (Jan 16)
- Re: ISO IEC 27002 (ISO-17799) assistance please. Tima Soni (Jan 17)
- <Possible follow-ups>
- Re: ISO IEC 27002 (ISO-17799) assistance please. chief (Jan 12)
- Re: ISO IEC 27002 (ISO-17799) assistance please. anirudh vidolkar (Jan 14)
- Re: ISO IEC 27002 (ISO-17799) assistance please. jenna (Jan 14)
- Re: ISO IEC 27002 (ISO-17799) assistance please. WALI (Jan 21)
- Re: ISO IEC 27002 (ISO-17799) assistance please. Sheldon Malm (Jan 14)
- RE: ISO IEC 27002 (ISO-17799) assistance please. Thyago Braga da Silva (Jan 14)
- RE: ISO IEC 27002 (ISO-17799) assistance please. Ardian Silvano (Jan 15)
- Re: ISO IEC 27002 (ISO-17799) assistance please. Roch (Jan 11)