General: Computer Security News - ISO17799 |
Anonymous writes "Issue 6 of the ISO17799 Security Newsletter has just been released. The full issue is reproduced below.
For back issues, visit the dedicated web site of the newsletter: The ISO17799 Newsletter:
______________________________________________________
THE ISO17799 NEWSLETTER - EDITION 6
______________________________________________________
Welcome to the sixth edition of the ISO17799 newsletter,
designed to keep you abreast of news and developments with respect to ISO17799
and information security. In this issue we focus on the need to encompass
agreements and policies to cover key areas. Included are the following topics:
1) Obtaining ISO17799
2) Information Classification Criteria
3) ISO17799 and Software
4) Third Party Cyber Crime Attacks
5) ISO17799: a World Wide Phenomenon
6) Employee Internet Abuse
7) More Frequently Asked ISO17799 Questions
8) My Favorite Web Sites
9) Continuity Backup and Recovery Strategy (ISO17799 Section 11)
10) BSI Certifications
11) Employee Confidentiality Undertakings
12) More on Service Level Agreements (ISO17799 Section 4)
13) It Couldn't Happen Here.... Could It?
14) Contributions
15) Subscription Information
OBTAINING ISO 17799
===================
The standard itself is available from:
ISO17799 Made Easy - http://www.iso17799-made-easy.com
This is the home page for the ISO17799 Toolkit. This
package was put together to help those taking the first steps towards
addressing ISO17799. It includes both parts of the standard, audit checklists,
a roadmap, ISO17799 compliant security policies, and a range of other items.
The ISO17799 Shop - http://www.iso17799.net
This is the ISO17799/BS7799 Electronic Shop. Essentially
it is an online vending site for downloadable copies of the standard.
INFORMATION CLASSIFICATION CRITERIA
===================================
An important task for the Information Security Officer
(or the person who is assigned these duties) is to establish a system to
classify the organization's information with respect to its level of
confidentiality and importance.
It is advisable to restrict the number of information
classification levels in your organization to a manageable number, as having
too many makes maintenance and compliance difficult. For those currently
without a structure, we suggest a five point system:
- Top Secret: Highly sensitive internal documents, e.g.
impending mergers or acquisitions, investment strategies, plans or designs that
could seriously damage the organization if lost or made public. Information
classified as Top Secret has very restricted distribution and must be protected
at all times. Security at this level is the highest possible.
- Highly Confidential: Information that is considered
critical to the organization's ongoing operations and could seriously impede
them if made public or shared internally. Such information includes accounting
information, business plans, sensitive information of customers of banks,
solicitors, or accountants etc.; patients' medical records, and similar highly
sensitive data. Such information should not be copied or removed from the
organization's operational control without specific authority. Security should
be very high.
- Proprietary: Procedures, operational work routines,
project plans, designs and specifications that define the way in which the
organization operates. Such information is normally for proprietary use by
authorized personnel only. Security at this level is high.
- Internal Use Only: Information not approved for general
circulation outside the organization where its disclosure would inconvenience
the organization or management, but is unlikely to result in financial loss or
serious damage to credibility. Examples include: internal memos, minutes of
meetings, internal project reports. Security at this level is controlled but
normal.
- Public Documents: Information in the public domain:
annual reports, press statements etc. which have been approved for public use.
Security at this level is minimal.
Care should always be taken regarding users' tendency to over-classify their
own work. It is sometimes erroneously assumed that the classification level
assigned to a user's work reflects directly on the individual's own level of
importance within the organization.
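The five-point scheme above is only useful if the handling rules attached to each level are applied consistently. The following is an added example, not code from the newsletter: it encodes one reading of the level descriptions as a release-decision check, with refusals and specifically authorized releases queued for the Information Security Officer. The `Release` fields and the exact rule set are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The five-point scheme suggested above, least to most sensitive."""
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    PROPRIETARY = 2
    HIGHLY_CONFIDENTIAL = 3
    TOP_SECRET = 4


@dataclass
class Release:
    """A proposed release of one labelled document (constructed input)."""
    level: Level
    external: bool            # recipient is outside the organization
    on_distribution: bool     # recipient is on the document's authorized list
    specific_authority: bool  # written authority exists for this release


def decide(rel: Release):
    """Return (allowed, reason) for a release request.

    Assumption: this encodes one reading of the level descriptions above.
    Public needs no control; Internal Use Only and Proprietary stay inside;
    Proprietary and above are limited to authorized personnel internally;
    Highly Confidential leaves operational control only with specific
    authority; Top Secret has very restricted distribution and never leaves.
    """
    name = rel.level.name
    if rel.level == Level.PUBLIC:
        return True, "PUBLIC: approved for public use"
    if not rel.external:
        if rel.level >= Level.PROPRIETARY and not rel.on_distribution:
            return False, f"{name}: recipient is not authorized personnel"
        return True, f"{name}: internal release to authorized recipient"
    if rel.level == Level.TOP_SECRET:
        return False, "TOP_SECRET: very restricted distribution, no external release"
    if rel.level == Level.HIGHLY_CONFIDENTIAL:
        if rel.specific_authority:
            return True, "HIGHLY_CONFIDENTIAL: released under specific authority"
        return False, "HIGHLY_CONFIDENTIAL: no specific authority for removal"
    return False, f"{name}: not approved for circulation outside the organization"


def review_queue(requests):
    """Queue every refused or specifically authorized release for the
    Information Security Officer, so that authority is actually exercised
    and repeated refusals can be reviewed for over-classification."""
    queue = []
    for rel in requests:
        allowed, reason = decide(rel)
        if not allowed or rel.specific_authority:
            queue.append((rel.level.name, allowed, reason))
    return queue
```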
ISO17799 AND SOFTWARE
=====================
We are sometimes asked about the role of
software/products with respect to ISO17799, particularly the two most well
known offerings, COBRA and The ISO17799 Toolkit. Where do they fit in? Are they
competitor products or do they complement each other? How do they help?
The truth is that they fulfill completely different
needs:
A) The ISO17799 Toolkit comprises the basic building
blocks: the standard itself (both parts), 17799 cross referenced security policies,
and so on. It is intended to 'get you going' on the right path straight away,
by providing some basics, as well as guidance and explanations by way of
presentations, a glossary, a roadmap, etc. It can basically be seen as an
introduction and starting pack for compliance with the standard.
B) COBRA on the other hand is designed to help you manage
that compliance. It takes you through the standard and ultimately measures your
compliance level, pointing out where you fall short. Quite apart from this it
is one of the most widely used (possibly THE most widely used) risk analysis
systems in the world... and bear in mind that risk analysis is integral to the
requirements of the standard... references to 'as determined by risk
assessment' are almost interwoven.
In essence therefore, one product gets you started, the
other helps you manage.
SOURCES
For further information on the ISO17799 Toolkit, and to
obtain a copy, see: ISO17799 Made Easy - http://www.iso17799-made-easy.com
For COBRA, see: Security Risk Analysis - http://www.security-risk-analysis.com
THIRD PARTY CYBER CRIME ATTACKS
===============================
This critical topic is covered in ISO/IEC 17799 under
Section 9.4 Network Access Controls.
There is, of course, a high risk of external security
breach where network security is inadequate. It is extremely important to have
an effective policy statement covering this risk area... for the following
reasons:
· Criminals may target your organization's information
systems, resulting in serious financial loss and damage to your business
operations and reputation.
· Cyber crime is an ever-increasing area of concern, and
suitable training must be given to those persons responsible for network
security to minimize such risks.
A suitable high level policy statement covering this
could be as follows:
Security on the network is to be maintained at the
highest level. Those responsible for the network and external communications
are to receive proper training in risk assessment and how to build secure systems
which minimize the threats from cyber crime.
It is necessary to build adequate defences against such
attacks. The following areas are among those that should be considered:
· Verify that the primary safeguards of your network and
those of your individual systems are in place.
· Identify the access points of your network layout, and
verify that the current safeguards are operational.
· Consider the following network protection facilities,
some of which offer multiple features:
- Intrusion detection software that records attempted and successful access to your systems.
- Pattern (usage) analysis, which identifies changes in on-line activity that may indicate a criminal attack.
- Access control lists and facilities, which record certain activities for specific files, such as: read, write, execute, delete.
- System based accounting records.
- Network usage analysis, which identifies application access and reports on user authorization levels.
- Network packet sniffing software to detect attack origins.
- URL blockers (e.g. your firewall) that can prevent connection from specific, untrustworthy web sites and/or other computers.
- Word pattern usage analysis that can help e-mail system administrators track down breaches in e-mail policies.
Further advice on this risk area and all others covered
within ISO/IEC 17799 can be obtained from: the RUSecure Security Policies On-line
System at: http://www.yourwindow.to/security-policies/
ISO17799 - A WORLD WIDE PHENOMENON
==================================
Our source list for purchases of ISO17799 has proved a
popular talking point in previous editions of ISO17799 News, so here is the
most recent, up-to-date version:
Argentina 2
Australia 7
Austria 7
Barbados 2
Belgium 9
Bermuda 1
Bosnia and Herzegovina 1
Brazil 6
Brunei 1
Canada 68
Cayman Islands 1
Chile 4
China 3
Colombia 6
Costa Rica 1
Croatia 1
Cyprus 1
Denmark 11
Egypt 4
France 6
Germany 31
Gibraltar 1
Greece 4
Guatemala 1
Hong Kong 9
Hungary 2
India 6
Indonesia 4
Ireland 14
Isle of Man 1
Israel 1
Italy 26
Japan 6
Malaysia 5
Mexico 12
Netherlands 18
New Zealand 3
Norway 12
Panama 1
Portugal 2
Russia 4
Saudi Arabia 2
Singapore 10
Slovak Republic 1
Slovenia 2
South Africa 6
Spain 17
Sultanate of Oman 1
Sweden 8
Switzerland 24
Taiwan 3
Thailand 2
Tunisia 1
Turkey 2
UAE 4
UK 298
USA 326
Venezuela 2
The same health warnings apply as always - these are
online credit card sales from one source. As a consequence, those cultures that
are less familiar with this form of commerce will be under-represented.
EMPLOYEE INTERNET ABUSE
=======================
Although employers are placing increased emphasis on
setting up policies covering internet and email abuse, the message is not
always getting across to the employees. According to Eric Jacksch, who is president of a leading Canadian IT security
firm, employees are continuing to put their employers at risk and also wasting
significant levels of corporate resources. These abuses include inappropriate
email use, loss of productivity through slow web access, and downloading of
music, games and pornography.
It is suggested that the first steps to address this are
as follows:
- First, ensure that your organization has
a clear policy on the acceptable use of the organization's information
resources.
- Secondly, ensure that this (and other information
security policies) is delivered effectively to the employee either through the
PC or workstation/desktop, or through the organization's intranet. Also, ensure
that the employee is made fully aware of the consequences of non-compliance.
- Thirdly, ensure that the employee is made aware of the
organization's right to monitor all email and internet traffic in and out of
the organization.
These steps alone should reduce the scale of the problem,
but equally importantly, they lay a solid foundation should further action be
required. For more policies see the address above.
ISO17799 - MORE FREQUENTLY ASKED QUESTIONS
==========================================
1) Where can I find back issues of the ISO17799
Newsletter?
All back issues are posted to: ISO17799 News - http://www.iso17799-web.com
2) Who published ISO 17799? BSI or ISO?
Both... sort of. ISO 17799 is an ISO standard of course.
However, there is a Part 2 to cover security management systems. This is
published by BSI as BS7799 Part 2.
3) Where can I find a consultant specifically for ISO
17799?
Email [email protected] or see The ISO17799 Consultants
Directory at: ISO 17799 World - http://www.iso17799world.com
4) Can I discuss ISO17799 with people online?
A new forum has recently been created at: http://groups.yahoo.com/group/iso17799security/.
5) Can I re-publish parts or all of ISO17799 News on our
company intranet or via internal communication?
Subject to a reference to the source web site (see Question
1), permission is almost always granted.
6) What is the difference between accreditation and
certification?
Essentially an accreditation body is an organization
(usually national) that grants third parties the authority to issue
certificates (to certify). It is the latter, therefore, that issues
certificates (certifies) against standards/etc. The former confers the right to
do this on the certification company.
7) What are the 10 sections of ISO17799?
- Security Policy
- Security Organization
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Systems Development and Maintenance
- Business Continuity Management
- Compliance
MY FAVORITE WEB SITES
=====================
From time to time we will invite a well known information
security figure to nominate their favorite IS related web sites. For this issue
we present the favorites of Jenni Harrison of the ISO17799 Directory.
a) Your Window To...
This is a little known portal with a wealth of free to
access resources. (http://www.yourwindow.to)
b) BBC...
Not just news, almost an encyclopedia of resources. (http://www.bbc.com)
c) CCCure...
A rich source of information for CISSP. (http://www.cccure.org)
ISO17799 SECTION 11: CONTINUITY BACK-UP AND RECOVERY STRATEGY
=============================================================
One of the most important aspects of Business Continuity
Planning for the majority of organizations is in choosing an appropriate
strategy for the back-up and recovery of the IT based systems.
In this section of the planning process, the key business
processes are normally matched against the IT systems and an appropriate speed
of recovery strategy is chosen. This may
require some in-depth research to determine the relevant costs of each
strategy. It may also be necessary to
prepare a detailed Request for Proposal for vendors to establish the viability
and cost of the preferred strategic approach and related support.
Consideration should also be given to the impact of
potential severe damage to both premises and communication systems which could
have a significant impact on the organization's IT services and systems.
There are a number of strategic options to be
investigated when considering IT systems back up and recovery processes. The two most important factors to be
considered are the criticality of the IT systems to the business process itself
(the speed of recovery needed), and the amount of money available for IT back
up and recovery strategies. The options,
in order of cost, are as follows:
Fully mirrored recovery site
This strategy entails the maintenance of a fully mirrored
duplicate site which would enable instantaneous switching between the live site
and the back up site. This is normally the
most expensive option.
Switchable hot site
This strategy involves the establishment of a commercial
arrangement with a vendor who will guarantee to maintain an identical site with
communications to enable you to switch your IT operations to his site within an
agreed time period, usually less than one to two hours.
Hot site
This strategy involves the establishment of a commercial
arrangement with a vendor who will guarantee to maintain a compatible site to
enable you to switch your IT operations to his site within an agreed time
period, usually less than six to twelve hours.
Cold site
This strategy involves the setting up of an emergency
site once the crisis has occurred and has a standby arrangement with a vendor
to deliver the minimum configuration urgently.
This option usually enables the organization to be operational within
two to three days.
Relocate and restore
This strategy involves the identification of a suitable
location, hardware and peripherals and re-installing the systems and backed up
software and data after an emergency has occurred. This strategy is often considered to be
inadequate for the needs of today's business.
No effective back-up strategy
This at first glance appears to be the cheapest strategy
but it also carries the highest risk as it will often involve no effective
off-site back up of systems or data. As
you would expect, this strategic option usually ends up with the organization
eventually going out of business as they are not prepared for any unexpected emergencies
occurring. You would be surprised at the number of businesses that adopt this
approach to Business Continuity and Disaster Recovery. It often ends up being
the most expensive strategy of all.
Finally, if you do decide to outsource some or all of
these IT disaster recovery back-up processes don’t forget to insist that your
supplier also has adequate business continuity planning processes in place that
are up-to-date and fully tested!
Additional advice and guidance on Business Continuity and
Disaster Recovery Planning can be found at: The Disaster Recovery Guide
- http://www.disaster-recovery-guide.com
BSI - CERTIFICATIONS
====================
We are pleased to add the following to the list produced
in Issues 4 and 5, of those who have been certified by BSI with respect to
BS7799 Part2 for at least one system in at least one location:
MetroMail Ltd, NTT Communications Corporation, Solution
Business Division (Japan), Miles Smith, Global Security Experts Inc, Marine
Systems Associates Co. Ltd (Japan), Broadfern, NEXOR, e-Solutions Create
Corporation, Systems Software Solutions, IT Frontier Corporation.
A number of organizations are now re-registering their
original certificates (which are valid for 3 years). Successful organizations
include: Cadweb Limited, DBI Consulting and Camelot Group Plc.
Congratulations to all these organizations.
In the next issue, we will also produce some sample
scopes of registration from existing certificates.
EMPLOYEE CONFIDENTIALITY UNDERTAKINGS
=====================================
It is increasingly important that employees are required
to sign confidentiality undertakings to their employers. The following guidance
is given for consideration, although organizations are recommended to seek
further expert opinion on the suitability of such statements to their own
contracts of employment:
'Confidential Information' normally means any information
which is not generally known in the relevant trade or industry, and belongs to
the Organization, or is learned, discovered, developed, conceived, originated
or prepared during, as a result of, or in connection with, the Employee's work,
or relates to the Organization's customers or clients, including but not
limited to:
- Information which is unique to the Organization
- Information relating to the existing or contemplated
products, services, technology, designs, processes, formulae, computer systems,
computer software, algorithms, research or development of the organization;
- Information relating to the business plans, sales or
marketing methods, methods of doing business, customer lists, customer
requirements or supplier information of the Organization;
- Information relating to proprietary products or
services;
- Any proprietary information not generally known to the
public;
- Any information which the Organization or their clients
or customers may wish to protect by patent or copyright, or by keeping it
secret or confidential; and
- Information which may affect the value of the shares in
the Organization and (where relevant) any price sensitive information
The Employees should be asked to acknowledge that the
Organization:
- Is (inter alia) in the business of providing
- Has and will invest significantly in terms of money and
time in developing their business and products;
- Has and will expect to develop confidential proprietary
information relating to their business; and
- Operates in a highly competitive commercial arena.
The Employees should acknowledge that during their
employment they may have access to, gain knowledge of, be entrusted with and be
involved in the creation of Confidential Information, improper disclosure of
which could:
- Result in the Organization losing its competitive edge;
- Cause the Organization to suffer financial loss; and
- Be otherwise detrimental to the Organization.
The Employees should undertake that both during
employment and thereafter, they will:
- Not disclose, divulge or communicate to any person any
Confidential Information, save to those officials of the Organization whose
proper province it is to know such information or with the written consent of
the Board;
- Do everything reasonably within their power to protect
the confidentiality of all Confidential Information;
- Not use any Confidential Information for their own
benefit or for the benefit of any third party or in a manner which could be
detrimental to the Organization.
The Employees should also undertake that on leaving the company
they will:
- Deliver up to the Organization all copies and originals
of documents, computer disks, tapes, accounts, data, records, papers, designs,
specifications, price lists, lists of customers and all other information,
whether written or electronically stored, which belongs to the Organization or
relates in any way to their business or affairs or the business or affairs of
any of their suppliers, agents, distributors or customers, or contain any
Confidential Information, and are in the Employees' possession or under their
control.
- Upon request supply the Organization with a signed
statement confirming that the Employee has complied with this undertaking.
Again, further guidance on this and similar topics is
included in the Security Policies
On-line Support System (http://www.yourwindow.to/security-policies/).
MORE ON SERVICE LEVEL AGREEMENTS
================================
Service Level Agreements (SLAs) are covered in Section 4
of ISO/IEC 17799 and it is important that both the Supplier and the
Purchaser/User of IT and other services fully understand the implications and
responsibilities inherent in such agreements.
An SLA is effectively a proxy contract that the two
parties have negotiated and signed, specifying the terms and conditions under
which the service delivery is to be effected.
Both parties must clearly understand their respective
roles and responsibilities in respect of the delivery of these services, and
this information is usually included in the SLA.
The Supplier and the Purchaser/User are identified together with a
statement of expectations and abilities. The Purchaser/User should also fully
understand the cost of receiving these services and the basis for the
calculation of those costs. The Supplier is accountable for the quality and
performance levels of the services and the service availability.
A comprehensive and interactive electronic guide to
simplify the preparation and understanding of SLAs is now available. Further
information can be found at:
Service Level Agreement - http://www.service-level-agreement.net
IT COULDN'T HAPPEN HERE....COULD IT?
====================================
Every issue of The ISO17799 Newsletter features at least
one TRUE story of an information security breach and its consequences:
1) The Long Goodbye
After a series of serious disagreements with his fellow
directors, a director left the UK branch of an international network services
company. As the service was used by a number of international banking groups,
he decided to exact revenge.
Some time after his departure, he was still able to
access the system... because the company's termination/departure procedures did
not immediately revoke access rights.
The banking groups found to their horror that extremely
rude messages began to appear on their terminal links with other banks for no
apparent reason. Transfers were delayed and some messages had parts missing.
It took some time to identify the cause. Although the
cost was impossible to quantify, there was certainly serious damage in terms of
the company's goodwill and reputation.
2) Remember The Obvious
Remote or dial-in access can be a real Achilles heel if
not properly controlled.
In a recent case, a young hacker gained access to a major
corporation's computer system by using the default password of a system
engineer. It had never been changed from installation. This actually gave him considerable scope and
powers of access.
To cover for himself, he semi-disabled the machine log,
changed a number of user passwords, created several fictitious privileged users
and tampered with the dial back system code. Getting more ambitious he
established a communication link with another computer and ended up making it
crash. All this took place over just two
evenings.
Despite the fact that the hacker was not maliciously
causing damage or attempting to make financial gain, his actions caused havoc.
The installation ultimately had to close down its prime computer and restore
from the previous week's back-up, at considerable cost.
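Both cases above come down to controls that were not checked: leavers' access was not revoked promptly, and nobody noticed audit logging being switched off, privileged accounts appearing and passwords being reset in bulk. The following is an added example, not code from the newsletter, showing the two reconciliation and detection checks a defender would run; the leaver list, directory export and audit events are constructed sample data, and the event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample data for the example; the people and times are invented.
LEAVERS = {"jdirector": date(2003, 1, 3)}  # HR leaver list: user -> last working day
ACCOUNTS = {                                # directory export: user -> (enabled, last login)
    "jdirector": (True, datetime(2003, 1, 10, 22, 15)),
    "asmith": (True, datetime(2003, 1, 12, 9, 0)),
}
AUDIT = [  # constructed audit trail: (time, actor, event, detail)
    (datetime(2003, 1, 14, 19, 2), "syseng", "LOGIN", "dial-in line 3"),
    (datetime(2003, 1, 14, 19, 5), "syseng", "AUDIT_DISABLED", "machine log"),
    (datetime(2003, 1, 14, 19, 9), "syseng", "USER_CREATED", "ops9 privileged"),
    (datetime(2003, 1, 14, 19, 12), "syseng", "PASSWORD_CHANGED", "bjones"),
    (datetime(2003, 1, 14, 19, 13), "syseng", "PASSWORD_CHANGED", "mlee"),
    (datetime(2003, 1, 14, 19, 20), "syseng", "PASSWORD_CHANGED", "rkhan"),
    (datetime(2003, 1, 14, 20, 40), "helpdesk", "PASSWORD_CHANGED", "asmith"),
    (datetime(2003, 1, 15, 9, 1), "helpdesk", "USER_CREATED", "newhire standard"),
]


def orphaned_access(leavers, accounts, today):
    """Story 1 control: leavers whose accounts are still enabled, or were
    used, after their last day. Returns a list of (user, finding) pairs."""
    findings = []
    for user, last_day in leavers.items():
        if user not in accounts or today <= last_day:
            continue
        enabled, last_login = accounts[user]
        if enabled:
            days = (today - last_day).days
            findings.append((user, f"still enabled {days} days after leaving"))
        if last_login is not None and last_login.date() > last_day:
            findings.append((user, f"logged in after last day at {last_login:%Y-%m-%d %H:%M}"))
    return findings


def suspicious_admin_activity(events, window=timedelta(hours=1), burst=3):
    """Story 2 controls: audit logging switched off, privileged users created,
    and one actor changing `burst` or more passwords inside `window`.
    Returns a list of alert strings."""
    alerts = []
    changes = defaultdict(list)
    for when, actor, event, detail in events:
        stamp = f"{when:%Y-%m-%d %H:%M} {actor}"
        if event == "AUDIT_DISABLED":
            alerts.append(f"{stamp}: audit logging disabled ({detail})")
        elif event == "USER_CREATED" and "privileged" in detail:
            alerts.append(f"{stamp}: privileged account created ({detail})")
        elif event == "PASSWORD_CHANGED":
            changes[actor].append(when)
    for actor, times in changes.items():
        times.sort()
        for i, start in enumerate(times):
            # count the changes in the sliding window that starts at this change
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= burst:
                alerts.append(f"{actor}: {n} password changes within {window}")
                break
    return alerts
```

Running both checks daily against the HR leaver list and the audit trail turns the two stories into findings that surface the same day rather than weeks later.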
CONTRIBUTIONS
=============
Have you got something to say on the topic of ISO17799...
a fresh insight or some information which might benefit others? If so, please
feel free to contribute your submission to us.
The ISO17799 Newsletter
"
Posted on Sunday, 19 January 2003 @ 17:34:29 EST by Paul