ISO 27001 is the first of a planned series of standards covering information security. It was published by the International Organization for Standardization (ISO) on 15 October 2005 essentially replacing the old BS7799-2 standard. It is the specification for Information Security Management System, an Information Security Management System. BS7799 itself was a long standing standard, first published in the nineties. It is this against which certification is granted. Today in excess of a thousand certificates are in place, across the world.
ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards. A scheme has been introduced by various certification bodies for conversion from BS7799 certification to ISO27001 certification. Essentially, ISO/IEC 27001 defines an Information Security Management System (ISMS) and complements the ISO/IEC 17799 'code of practice' standard, itself first published as BS7799-1.
Series Of ISO Models As Following :
TIERS OF AN ISMS (TYPICALLY)
Policy & Guidance-Applies to all staff
Email & internet
Handling information
Reporting incidents/weaknesses
Controls & Procedures - Applies to specific functions
Data back up, AV, build, change control, firewalls-IT
Recruitment, training, staff starter/leaver-HR
Compliance with contracts/SLA’s, legislation-Legal
Maintaining & monitoring ISMS.
Security Forum-Each function/Dept represented
Internal audits
Investigating and learning from security incidents/weaknesses
Security Officer
The ISMS will change organically with the organization to ensure continual improvement.
LOGICAL SECURITY AUDIT
The first step in an audit of any system is to seek to understand its components and its structure. When auditing logical security the auditor should investigate what security controls are in place, and how they work. In particular, the following areas are key points in auditing logical security :
1) PASSWORDS : Every company should have written policies regarding passwords, and employee's use of them. Passwords should not be shared and employees should have mandatory scheduled changes. Employees should have user tights that are in line with their job functions. They should also be aware of proper log on/log off procedures. Also helpful are security token, small devices that authorized users of computer programs or networks carry to assist in identity confirmation. They can also store cryptographic keys and biometric data. The most popular type of security token [RSA's SecurID] displays a number which changes every minute. Users are authenticated by entering a personal identification number and the number on the token.
2) TERMINATION PROCEDURES : Proper termination procedures so that old employees can no longer access the network. This can be done by changing passwords and codes. Also, all id cards and badges that are in circulation should be documented and accounted for.
3) SPECIAL USER ACCOUNTS : Special User Accounts and other privileged accounts should be monitored and have proper control in place.
4) REMOTE ACCESS : Remote Access is often a point where intruders can enter a system. The Logical security tools used for remote access should be very strict. Remote access should be logged.
0 Comments