
Security Policy ISO 17799:2000

Posted on 2004-08-28
Last Modified: 2010-04-11
I am working on trying to create some security policies and find references to ISO 17799:2000, but can't find the actual documents for review.  Is it only for sale?

Also, I see some tools listed as ISO17799 tools. Does anyone have experience with 17799 tools, and did they succeed or dislike them? Looking for more info and trying to avoid recreating the wheel to create Security Policies.

Thanks for any input.

Steve  
Question by:smeek
12 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ISO/IEC 17799 is a code of practice. As such, it offers guidelines and voluntary directions for information security management. It is meant to provide a high-level, general description of the areas currently considered important when initiating, implementing or maintaining information security in an organization, not the actual detailed documents you are looking for.

I am not sure if you have been to the following sites before:

How 7799 Works
http://www.gammassl.co.uk/bs7799/works.html

ISO17799 Downloads
http://www.iso-17799.com/evaluate.htm

hope it helps,
bbao
 
LVL 2

Accepted Solution

by:Scorp888 (earned 500 total points)
You have to buy it to get a legitimate copy of the ISO17799 Standards documents, or else you'll be downloading someone else's copy via file sharing.

ISO 17799 is more of a shopping list, to which you can then choose what is relevant to your company and then apply that.


Remember that it must be independently audited, so have a chat with your auditors, as they may have copies of the documentation that can be provided to you.

Most of the ISO17799 web sites will just try and sell you the document, and some very basic tools for applying it.

Speak to someone who's done it (I have) or speak to your auditors as a first port of call.
 
LVL 8

Author Comment

by:smeek
bbao,

Yes, I visited those sites.

Scorp888,

I guess I am trying to get a sense of the tools available and how helpful they might be.  I have read lots of docs including RFCs, samples and such, but 17799 keeps coming up as the most comprehensive.

What would be your starting suggestions?

Steve
 
LVL 2

Expert Comment

by:Scorp888
Ok.

Think for the moment in terms of security, as purely physical, and what we are securing as a 3 bedroom house, in a relatively safe neighbourhood.

Now the standard will cover:

Door security, fine, we've got doors, so in the requirements document, we put down the requirements that the standard makes for doors. We then look at what the business requires in the way of door security, and we have our requirements for the standard, and what must be done.

Now the standard will cover highly secure areas. Now we don't have those on the house, so we ignore it, and move onto windows, which we have and cover the same way as doors.

When the standard covers garages, we again move on, as the house we're looking at doesn't have a garage.


Now think of the same process, but covering:

Key Management.
Data Centres.
Host and Perimeter Based Access Controls.
Identity Management.



So, let's just take key management. If you're a Fortune 500 telecoms company, then your key management, for things like the 2G and 3G keys for your networks, is likely to be very, very secure, and you've probably got business requirements that far exceed the basic requirements of the 17799 standard, which say you must keep them secure and have a procedure for what to do if you think they've been compromised.

So, in summary, ISO 17799 normally drives a project.

This takes the business's needs and desires, maps them against the standard and then gives you a complete list of security requirements, which must then be addressed, or progress made towards, to gain the standard at audit.
 
LVL 2

Expert Comment

by:mellowmarquis
A good start might be the sample policies from SANS as they seem to cover many of the areas addressed by 17799.

http://www.sans.org/resources/policies/

Another good resource is the 7799 checklist which gives excellent coverage:

http://www.sans.org/score/checklists/ISO_17799_checklist.pdf

I also recommend you buy the document for the education and to ensure all bases are covered, but the above should be sufficient for policy development.

 
LVL 2

Expert Comment

by:Scorp888
Small point: the SANS documents are good, and definitely the best I've seen for free.

However, they appear to be based on the *OLD* BS7799 standard, not the new ISO 17799 standard.

There are subtle differences.
 
LVL 23

Expert Comment

by:Tim Holman
What exactly do you need to do here?
There aren't really that many organisations who can claim to have full BS7799/ISO17799 adherence - it is still pretty exclusive and remains in the echelons of larger corporations.
 
LVL 2

Expert Comment

by:Scorp888
Actually, there are quite a number of organisations that have, or are in the process of getting ISO17799.

However, you're right, that most of them are larger organisations.
 
LVL 8

Author Comment

by:smeek
I have looked at the SANS documents and they are great. I am really looking for a structured approach to review the IT in a 100-user company. While I do not need to certify ISO, my readings suggested that 17799 offered more completeness. Several of the template documents I have read focus on a section of policy, like Cryptography, or they cover several areas, but not in great depth. I am really looking to find out two items.

1)  Has anyone personally used the 17799:2000 documents to develop an internal Security Policy, and how was it?

2)  Has anyone personally used one of the "toolkits" available for purchase online.  Which toolkit and how helpful was it?

I understand that this is the undertaking of a project, but I want to first develop IT policies, then DR plan.  Also, if anyone has a good IT Policy or DR plan that they would like an opinion on, I would commit to reading a scrubbed version of theirs and offering input for the learning experience before starting mine.  I am doing that for one firm on their DR plan and already have some good suggestions for them, even though their plan is pretty nice.

Steve
 
LVL 1

Expert Comment

by:m4rc
You might want to look at other frameworks as well. I like COBIT (Control Objectives for Information and related Technology). It's free to download once you make a login:

downloads section
http://www.isaca.org/Template.cfm?Section=Downloads5&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=63&ContentID=13742

but this file you can get w/o a login, and it will give you the flavor of the objectives and controls:
IT Control Objectives for Sarbanes-Oxley (PDF, 431K) Apr 2004
http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=13923
 
LVL 2

Expert Comment

by:Scorp888
Smeek, I think you're missing the point of the 17799 toolkits and guides.

Once you have a security policy, you can use ISO17799 to test it, and audit it.

You can use 17799 to develop a policy, but I'd suggest you start with a basic policy, evaluate it against the ISO17799 standard, and see where the gaps are.

Bear in mind that unless your security policy covers business practices, you will need other documentation.

Other things to look at are the Sarbanes-Oxley Act and the incoming Companies (Audit, Investigations and Community Enterprise) Bill.

These cover the following types of areas:

BPM (Business Process Management) - ensures that specific tasks are assigned to the appropriate people within the organisation in a fully auditable and transparent way. As BPM can automate tasks, it allows the organisation to have greater control over high-risk accounting.

As you can see, this one is outside the scope of an Internal Security Policy.

Disaster Recovery - essential for ensuring the safe retention of key information.

Email management - taking control of emails out of the hands of employees is "essential for compliance".

Identity and Access Management - ensuring the correct level of security over key information and data.

Network Security - preventing unauthorised access to information and data.

Policy Management - ensuring that the right policies are in place to govern the type of data stored, how long it is stored for and how it is stored.

Records Management - the management of information from the moment it is stored through to its deletion.

Search, Discovery and Retrieval - allows key documents, emails and other records to be found at request.

However, the last few, if relevant to your organisation, should get an honourable mention.

You don't mention who the audience for your security policy is. Is it the board, to feed into an AUP, or for release to the users, or a mixture of the two?
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
At the moment, I am listening to the presentation given by the major contributor to BS 7799, Ted Humphreys. The presentation title is "Information Security Management - ISMS standards, risk management, implementation, audits and certifications". He is introducing ISO/IEC TR 18044 at the moment. Any question for Ted? hehe ;)