Information is a vital asset to success and continuity in the market for any organisation. The security of that information, and of the systems that process it, is therefore a prime concern for all organisations.

For the proper management of information security, there must exist an information security management system that addresses this task in a methodical, documented way and is based on clear objectives of security and risk assessment.

ISO/IEC 27000 is a set of standards developed by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission), which provide a framework for the management of information security that can be used by any organisation, public or private, large or small.

As of the publication date, the current standards include:
Policy Development and Updates in Light of New Business, Technology, Risks, and Environment Changes
Business changes are changes dictated by the nature of an organization's business and are often driven by consumer demands. Technology changes are driven by new technological developments that force organizations to adopt new technologies. Risk changes occur because attackers are constantly upgrading their skills and finding new ways to attack organizations. Environment changes are divided into two categories: those motivated by the culture that resides within an organization and those motivated by the environment of the industry. As these changes occur, organizations must ensure that they understand the changes and their implications for the security posture of the organization. Organizations should take a proactive stance when it comes to these changes. Don't wait for a problem. Anticipate the changes and deploy mitigation techniques to help prevent them!
In a top-down approach, management initiates, supports, and directs the security program. In a bottom-up approach, staff members develop a security program prior to receiving direction and support from management. A top-down approach is much more efficient than a bottom-up approach because management's support is one of the most important components of a security program. Using the top-down approach can help ensure that the organization's policies align with its strategic goals.
Policies should be reviewed often and on a regular schedule. Certain business, technology, risk, and environment changes should always trigger a review of policies, including adoption of a new technology, merger with another organization, and identification of a new attack method.
As an example, suppose that employees request remote access to corporate email and shared drives. If remote access has never been offered but the need to improve productivity and respond rapidly to customer demands means staff now require remote access, the organization should analyze the need to determine whether it is valid. Then, if the organization decides to allow remote access, the organization's security professionals should plan and develop security policies based on the assumption that external environments have active hostile threats.
Policies that should be considered include password policies, data classification policies, wireless and VPN policies, remote access policies, and device access policies. Most organizations develop password and data classification policies first.
The International Organization for Standardization (ISO) has developed a series of standards that are meant to aid organizations in the development of security policies.
ISO/IEC 27000 Series
The International Organization for Standardization (ISO), often incorrectly referred to as the International Standards Organization, joined with the International Electrotechnical Commission (IEC) to standardize the British Standard 7799 (BS7799) into a new global standard that is now referred to as the ISO/IEC 27000 series. ISO 27000 is a security program development standard on how to develop and maintain an information security management system (ISMS).
The 27000 series includes a list of standards, each of which addresses a particular aspect of an ISMS. These standards are either published or in development. The following standards are included as part of the ISO/IEC 27000 series at the time of this writing:
- 27000: Published overview of ISMS and vocabulary
- 27001: Published ISMS requirements
- 27002: Published code of practice for information security management
- 27003: Published ISMS implementation guidelines
- 27004: Published ISMS measurement guidelines
- 27005: Published information security risk management guidelines
- 27006: Published requirements for bodies providing audit and certification of ISMS
- 27007: Published ISMS auditing guidelines
- 27008: Guidance for auditors on ISMS controls
- 27010: Published information security management for inter-sector and interorganizational communications guidelines
- 27011: Published telecommunications organizations information security management guidelines
- 27013: Published integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 guidance
- 27014: Published information security governance guidelines
- 27015: Published financial services information security management guidelines
- 27016: Published ISMS organizational economics guidelines
- 27017: In-development cloud computing services information security control guidelines based on ISO/IEC 27002
- 27018: In-development code of practice for public cloud computing services data protection controls
- 27019: Published energy industry process control system ISMS guidelines based on ISO/IEC 27002
- 27031: Published information and communication technology readiness for business continuity guidelines
- 27032: Published cyber security guidelines
- 27033-1: Published network security overview and concepts
- 27033-2: Published network security design and implementation guidelines
- 27033-3: Published network security threats, design techniques, and control issues guidelines
- 27034-1: Published application security overview and concepts
- 27034-2: In-development application security organization normative framework guidelines
- 27034-3: In-development application security management process guidelines
- 27034-4: In-development application security validation guidelines
- 27034-5: In-development application security protocols and controls data structure guidelines
- 27034-6: In-development security guidance for specific applications
- 27035: Published information security incident management guidelines
- 27035-1: In-development information security incident management principles
- 27035-2: In-development information security incident response readiness guidelines
- 27035-3: In-development computer security incident response team (CSIRT) operations guidelines
- 27036-1: Published information security for supplier relationships overview and concepts
- 27036-2: In-development information security for supplier relationships common requirements guidelines
- 27036-3: Published information and communication technology (ICT) supply chain security guidelines
- 27036-4: In-development information security for supplier relationships outsourcing security guidelines
- 27037: Published digital evidence identification, collection, acquisition, and preservation guidelines
- 27038: Published information security digital redaction specification
- 27039: In-development intrusion detection systems (IDS) selection, deployment, and operations guidelines
- 27040: In-development storage security guidelines
- 27041: In-development standard on assuring suitability and adequacy of incident investigative methods
- 27042: In-development digital evidence analysis and interpretation guidelines
- 27043: In-development incident investigation principles and processes
- 27044: In-development security information and event management (SIEM) guidelines
- 27799: Published information security in health organizations guidelines
These standards are developed by the ISO/IEC bodies, but certification or conformity assessment is provided by third parties.
Note
For testing purposes, it is not necessary to memorize all of these standards and where they apply. Instead, you need to have a general understanding of the areas of security that are addressed.
Let's look at an example. Suppose an organization is rewriting its security policies and has halted the rewriting progress because the organization's executives believe that its major vendors have a good handle on compliance and regulatory standards. The executive-level managers are allowing vendors to play a large role in writing the organization's policy. However, the IT director decides that while vendor support is important, it is critical that the company write the policy objectively because vendors may not always put the organization's interests first. The IT director should make the following recommendations to senior staff:
- Consult legal and regulatory requirements.
- Draft a general organizational policy.
- Specify functional implementing policies.
- Establish necessary standards, procedures, baselines, and guidelines.
As you can see from this example, you don't have to memorize the specific standards. However, you need to understand how organizations apply them, how they are revised, and how they can be customized to fit organizational needs.