Security News > 2003 > January > Security News - ISO17799
Forwarded from: Sarah Hollins http://www.iso17799-web.com ______________________________________________________ THE ISO17799 NEWSLETTER - EDITION 6 ______________________________________________________ Welcome to the sixth edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to ISO17799 and information security. The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents. In this issue we focus on the need to encompass agreements and policies to cover key areas. Included are the following topics: 1) Obtaining ISO17799 2) Information Classification Criteria 3) ISO17799 and Software 4) Third Party Cyber Crime Attacks 5) ISO17799: a World Wide Phenomena 6) Employee Internet Abuse 7) More Frequently Asked ISO17799 Questions 8) My Favorite Web Sites 9) Continuity Backup and Recovery Strategy (ISO17799 Section 11) 10) BSI Certifications 11) Employee Confidentiality Undertakings 12) More on Service Level Agreements (ISO17799 Section 4) 13) It Couldn't Happen Here.... Could It? 14) Contributions 15) Subscription Information OBTAINING ISO 17799 =================== The standard itself is available from: http://www.iso17799-made-easy.com This is the home page for the ISO17799 Toolkit. This package was put together to help those taking the first steps towards addressing ISO17799. It includes both parts of the standard, audit checklists, a roadmap, ISO17799 compliant security policies, and a range of other items. http://www.iso17799.net This is the ISO17799/BS7799 Electronic Shop. Essentially it is an online vending site for downloadable copies of the standard. INFORMATION CLASSIFICATION CRITERIA =================================== An important task for the Information Security Officer (or the person who is assigned these duties) is to establish a system to classify the organization's information with respect to its level of confidentiality and importance. It is advisable to restrict the number of information classification levels in your organization to a manageable number, as having too many makes maintenance and compliance difficult. For those currently without a structure, we suggest a five point system: - Top Secret: Highly sensitive internal documents, e.g. impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible. - Highly Confidential: Information that is considered critical to the organization's ongoing operations and could seriously impede them if made public or shared internally. Such information includes accounting information, business plans, sensitive information of customers of banks, solicitors, or accountants etc.; patients' medical records, and similar highly sensitive data. Such information should not be copied or removed from the organization's operational control without specific authority. Security should be very high. - Proprietary: Procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for proprietary use by authorized personnel only. Security at this level is high. - Internal Use Only: Information not approved for general circulation outside the organization where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility. Examples include: internal memos, minutes of meetings, internal project reports. Security at this level is controlled but normal. - Public Documents: Information in the public domain: annual reports, press statements etc. which have been approved for public use. Security at this level is minimal. Care should always be applied regarding a user's tendency to over classify their own work. It can sometimes be erroneously surmised that the classification level assigned to a user's work can reflect directly on the individual's own level of importance within the organization. ISO17799 AND SOFTWARE ===================== We are sometimes asked about the role of software/products with respect to ISO17799, particularly the two most well known offerings, COBRA and The ISO17799 Toolkit. Where do they fit in? Are they competitor products or do they compliment each other? How do they help? The truth is that they fulfill completely different needs: A) The ISO17799 Toolkit comprises the basic building blocks: the standard itself (both parts), 17799 cross referenced security policies, and so on. It is intended to 'get you going' on the right path straight away, by providing some basics, as well as guidance and explanations by way of a presentations, glossary, roadmap, etc. It can basically be seen as an introduction and starting pack for compliance with the standard. B) COBRA on the other hand is designed to help you manage that compliance. It takes you through the standard and ultimately measures your compliance level, pointing out where you fall short. Quite apart from this it is one of the most widely used (possibly THE most widely used) risk analysis systems in the world... and bear in mind that risk analysis is integral to the requirements of the standard... references to 'as determined by risk assessment' are almost interwoven. In essence therefore, one product gets you started, the other helps you manage. SOURCES For further information on the ISO17799 Toolkit, and to obtain a copy, see: http://www.iso17799-made-easy.com For COBRA, see: http://www.security-risk-analysis.com [...] - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.