Information Security News mailing list archives

Security News - ISO17799


From: InfoSec News <isn () c4i org>
Date: Tue, 21 Jan 2003 00:54:39 -0600 (CST)

Forwarded from: Sarah Hollins <sara () iec17799 com>

http://www.iso17799-web.com

______________________________________________________ 

THE ISO17799 NEWSLETTER - EDITION 6
______________________________________________________ 


Welcome to the sixth edition of the ISO17799 newsletter, designed to keep you 
abreast of news and developments with respect to ISO17799 and information 
security. 

The information contained in this newsletter is absolutely free to our 
subscribers and provides guidance on various practical issues, plus commentary 
on recent Information Security incidents. 

In this issue we focus on the need to encompass agreements and policies to 
cover key areas. Included are the following topics: 

1)  Obtaining ISO17799
2)  Information Classification Criteria
3)  ISO17799 and Software
4)  Third Party Cyber Crime Attacks
5)  ISO17799: a World Wide Phenomenon
6)  Employee Internet Abuse
7)  More Frequently Asked ISO17799 Questions
8)  My Favorite Web Sites
9)  Continuity Backup and Recovery Strategy (ISO17799 Section 11)
10) BSI Certifications
11) Employee Confidentiality Undertakings
12) More on Service Level Agreements (ISO17799 Section 4)
13) It Couldn't Happen Here.... Could It?
14) Contributions 
15) Subscription Information




OBTAINING ISO 17799
===================

The standard itself is available from:

http://www.iso17799-made-easy.com
This is the home page for the ISO17799 Toolkit. This package was put together 
to help those taking the first steps towards addressing ISO17799. It includes 
both parts of the standard, audit checklists, a roadmap, ISO17799 compliant 
security policies, and a range of other items.

http://www.iso17799.net 
This is the ISO17799/BS7799 Electronic Shop. Essentially it is an online 
vending site for downloadable copies of the standard.





INFORMATION CLASSIFICATION CRITERIA
===================================

An important task for the Information Security Officer (or the person who is 
assigned these duties) is to establish a system to classify the organization's 
information with respect to its level of confidentiality and importance.  

It is advisable to restrict the number of information classification levels in 
your organization to a manageable number, as having too many makes maintenance 
and compliance difficult. For those currently without a structure, we suggest 
a five-point system: 
 
- Top Secret: Highly sensitive internal documents, e.g. impending mergers or 
acquisitions, investment strategies, plans or designs that could seriously 
damage the organization if lost or made public. Information classified as Top 
Secret has very restricted distribution and must be protected at all times. 
Security at this level is the highest possible. 

- Highly Confidential: Information that is considered critical to the 
organization's ongoing operations and could seriously impede them if made 
public or shared internally. Such information includes accounting information, 
business plans, sensitive information about the customers of banks, solicitors 
or accountants, patients' medical records, and similar highly sensitive data. 
Such information should not be copied or removed from the organization's 
operational control without specific authority. Security should be very high. 

- Proprietary: Procedures, operational work routines, project plans, designs 
and specifications that define the way in which the organization operates. 
Such information is normally for proprietary use by authorized personnel only. 
Security at this level is high. 

- Internal Use Only: Information not approved for general circulation outside 
the organization where its disclosure would inconvenience the organization or 
management, but is unlikely to result in financial loss or serious damage to 
credibility. Examples include: internal memos, minutes of meetings, internal 
project reports. Security at this level is controlled but normal. 

- Public Documents: Information in the public domain: annual reports, press 
statements etc. which have been approved for public use. Security at this 
level is minimal. 

Care should always be taken over users' tendency to over-classify their own 
work. Users sometimes wrongly assume that the classification level assigned to 
their work reflects directly on their own level of importance within the 
organization. 





ISO17799 AND SOFTWARE
=====================

We are sometimes asked about the role of software/products with respect to 
ISO17799, particularly the two most well known offerings, COBRA and The 
ISO17799 Toolkit. Where do they fit in? Are they competing products, or do 
they complement each other? How do they help? 

The truth is that they fulfill completely different needs: 

A) The ISO17799 Toolkit comprises the basic building blocks: the standard 
itself (both parts), 17799 cross-referenced security policies, and so on. It 
is intended to 'get you going' on the right path straight away, by providing 
some basics, as well as guidance and explanations by way of presentations, a 
glossary, a roadmap, etc. It can basically be seen as an introduction and 
starting pack for compliance with the standard. 

B) COBRA on the other hand is designed to help you manage that compliance. It 
takes you through the standard and ultimately measures your compliance level, 
pointing out where you fall short. Quite apart from this it is one of the most 
widely used (possibly THE most widely used) risk analysis systems in the 
world... and bear in mind that risk analysis is integral to the requirements 
of the standard... references to 'as determined by risk assessment' are almost 
interwoven. 

In essence therefore, one product gets you started, the other helps you 
manage. 

SOURCES 

For further information on the ISO17799 Toolkit, and to obtain a copy, see: 
http://www.iso17799-made-easy.com 

For COBRA, see: http://www.security-risk-analysis.com 


[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
