ISO 27001
Provides implementation details using the Plan-Do-Check-Act cycle
Major sections include
Introduction
Scope
Terms and definitions
ISMS
Management responsibility
Management review
ISMS improvement
Proposed use
Use within a company to derive security requirements and objectives
Manage risks cost effectively
Ensure compliance with laws
Use to implement and maintain controls to achieve security objectives
5 books
SP800-12
Computer security handbook
Reference guide for routine management of IS
Controls in 3 categories:
Management Controls
Operation Controls
Technical Controls
SP800-14
Best practices for security
Key points
Security supports the mission of the company
Security is integral to sound management
Security should be cost effective
Systems owners have responsibilities outside their own company
Accountability and responsibility should be made explicit
Security needs a comprehensive and integrated approach
Security should be periodically assessed
Security is constrained by societal factors
Principles
Establish security policy as foundation for design
Treat security as integral part of system design
Clearly define physical and logical boundaries
Reduce risk to acceptable level
Assume external systems are insecure
SP800-18
Guide to develop security plans
Has methods for controls and plans
Has templates for major security plans
SP800-26
Security self-assessment guide for IT systems
SP800-30
Risk Management foundation for IT systems
Has definitions and practical guides
Site Security Handbook has discussion of security issues and development and implementation details
Covers security policies, technical security architecture, services and incident handling
COBIT provides control objectives and control advice
Plan and organise – recommendations to achieve goals via IT
Acquire and implement – focuses on specific requirements
Acquire needed components
Integrate components
Examine maintenance and change requirements
Deliver and support
Delivery of system functionality and use to end users
Examine system applications' input, processing and output
Examine efficiency of processes
Monitor and Evaluate
Compare IT system usage and organizational strategy
Identify regulatory controls that need IT systems
How efficient IT systems are relative to the organization's control processes
IT resources are managed by IT processes to achieve IT goals that respond to business requirements
2 categories of benchmarks:
Standards of due care/diligence
Best Practices
Gold Standard
Balances access needs with protection
Selecting Best Practices can be challenging
In industries regulated by government, government guidelines are often requirements
Compile Inventory
Once the inventory is compiled, decide whether the asset categories are meaningful