Summary of the resource
Security Mgt U3,
BS7799 (Part 2)
- information security infrastructure
- info sec forum
- allocation of responsibilities
- information classification
- guidelines
- ownership
- labelling
- management process
- HR and legal
- security in job descriptions
- recruitment screening
- confidentiality and nondisclosure agreements
- info sec coordination
- user training and awareness
- secure areas
- clear desk policy
- guidelines and security for removal of property
- security of data centers and computer rooms
- physical entry controls
- physical security perimeter
- secure equipment
- equipment disposal
- security of premise equipment
- equipment maintenance
- cabling security
- power supplies
- asset inventory
- independent review
- cooperation between orgs
- respond to incidents
- reporting of security weaknesses
- reporting software malfunctions
- disciplinary process
- specialist advice
- authorization process for IT facilities
- security of 3rd party access
- identify risks
- security conditions in contracts
- information security management system
- ISMS
- should reduce the likelihood of an information security incident occurring
- unwanted disclosure of info
- confidentiality
- unauthorized changes to content
- integrity
- info not available when needed
- availability
- 2 models
- ISO 27001 plan, act, do, check (diagram)
Notes:
- [Image: https://lh3.googleusercontent.com/-s39uB51Echw/UWFvWRPIe2I/AAAAAAAAAd8/zdNqs8Vh65g/w490-h428-p-o/plan%252Cact%252Ccheck%252Cdo.png]
- implementation notes from SANS Institute
Notes:
- http://www.giac.org/paper/gsec/2693/implementation-methodology-information-security-management-system-to-comply-bs-7799-requi/104600
- Plan (establish the ISMS)
Step 1: Establish the importance of Information Security in Business
Step 2: Define the Scope for ISMS
Step 3: Define the Security Policy
Step 4: Establish the Security Organization Structure
Step 5: Identify and Classify the Assets
Step 6: Identify and Assess the Risks
Step 7: Plan for Risk Management
Do (implement and operate the ISMS)
Step 8: Implement Risk Mitigation Strategy
Step 9: Write the Statement of Applicability
Step 10: Train the Staff and Create Security Awareness
Check (monitor and review the ISMS)
Step 11: Monitor and Review the ISMS Performance
Act (maintain and improve the ISMS)
Step 12: Maintain the ISMS and Ensure Continual Improvement (4)
- STREAM assurance model
Notes:
- [Image: https://lh6.googleusercontent.com/-nJbCRVJ3yvk/UWFxe30hU8I/AAAAAAAAAeM/kJlvfXO0HU4/w529-h375-p-o/streamassurancemodel.png]
- Link to STREAM information
Notes:
- http://az290931.vo.msecnd.net/www.infosec.co.uk/__novadocuments/22363x$query$xvx$eq$x634965468272370000
- definition of ISMS (link from Martin Warren)
Notes:
- http://securityaa.com/About%20ISMS.html
- information security disciplines
- compliance
- business continuity management
- infosec incident management
- system acquisition
- access control
- communication and operations management
- physical and environmental security
- human resource security
- asset management
- organizational security
- security policy
- management framework certification requirements
- 1. define policy
- 2. define scope
- characteristics of org
- location
- assets
- technology
- 3. undertake risk assessment
- threats
- vulnerabilities
- impacts
- degree of risk
- 4. manage risks
- 5. select control objectives
- identify controls and rationale
- identify excluded controls and rationale
- 6. prepare statement of applicability