Security Mgt U3, BS7799 (Part 2)

information security infrastrcture
1. info sec forum
2. allocation of responsibilities
  1. information classification
    1. guidelines
    2. ownershipt
    3. labelling
    4. management process
  2. HR and legal
    1. security in job descriptions
    2. recruitment screening
    3. confidentiality and nondisclosure agreements
3. info sec coordination
  1. user training and awareness
  2. secure areas
    1. clear desk policy
    2. guidelines and security for removal of property
    3. security of data centers and computer rooms
    4. physical entry controls
    5. physical security perimeter
  3. secure equipment
    1. equipment disposal
    2. security of premise equipment
    3. equipment maintenance
    4. cabling security
    5. power supplies
    6. asset inventory
4. independent review
5. cooperation between orgs
  1. respond to incidents
  2. reporting of security weaknesses
  3. reporting software malfunctions
  4. disciplinary process
6. specialist advice
7. authorization process for IT facilities
  1. security of 3rd part access
    1. identify risks
    2. security conditions in contracts
information security management system
1. ISMS
  1. should reduce likelihood of information security incident from occurring
    1. unwanted disclosure of info
      1. confidentiality
    2. unauthorizd changes to content
      1. integrity
    3. info not available when needed
      1. availabiility
  2. 2 models
    1. ISO 27001 plan,act,do,check (diagram)
      Annotations:
      - [Image: https://lh3.googleusercontent.com/-s39uB51Echw/UWFvWRPIe2I/AAAAAAAAAd8/zdNqs8Vh65g/w490-h428-p-o/plan%252Cact%252Ccheck%252Cdo.png]
      1. implementation notes from SANS Institute
        Annotations:
        http://www.giac.org/paper/gsec/2693/implementation-methodology-information-security-management-system-to-comply-bs-7799-requi/104600
        Plan (establish the ISMS)Step 1: Establish the importance of Information Security in Business Step 2: Define the Scope for ISMSStep 3: Define the Security Policy Step 4: Establish the Security Organization StructureStep 5: Identify and Classify the AssetsStep 6: Identify and Assess the Risks Step 7: Plan for Risk Management Do (Implement and operate the ISMS)Step 8: Implement Risk Mitigation strategyStep 9: Write the Statement of ApplicabilityStep 10. Train the staff and create Security Awareness Check (monitor and review ISMS)Step 11. Monitor and Review the ISMS performance Act (Maintain and improve the ISMS)Step 12. Maintain the ISMS and ensure continual Improvement (4)
    2. STREAM assurance model
      Annotations:
      - [Image: https://lh6.googleusercontent.com/-nJbCRVJ3yvk/UWFxe30hU8I/AAAAAAAAAeM/kJlvfXO0HU4/w529-h375-p-o/streamassurancemodel.png]
      1. Link to STREAM information
        Annotations:
        http://az290931.vo.msecnd.net/www.infosec.co.uk/__novadocuments/22363x$query$xvx$eq$x634965468272370000
  3. definition of ISMS (link from Martin Warren)
    Annotations:
    - http://securityaa.com/About%20ISMS.html
2. information security disciplines
  1. compliance
  2. business continuity management
  3. infosec incident management
  4. system acquisition
  5. access control
  6. communication and operations management
  7. physical and environmental security
  8. human resource security
  9. asset management
  10. organizational security
  11. security policy
management framework certification requirements
1. 1. define policy
2. 2. define scope
  1. characteristics of org
  2. location
  3. assets
  4. technology
3. 3. undertake risk assessment
  1. threats
  2. vulnerabilities
  3. impacts
  4. degree of risks
4. 4. manage risks
5. 5. select control objectives
  1. identify controls and rationale
  2. identify excluded controls and rationale
6. 6. prepare statement of applicability

Next up

Security Mgt U3, BS7799 (Part 2)

Description

Resource summary

Similar

	Created by jjanesko over 11 years ago