ISO 17799:2000 Controls
Controls Using ISO 17799:2000
| Control Number | Class | ISO 17799 Section | Control |
|---|---|---|---|
| 1 | | Risk Assessment (2) | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of information resources. |
| 2 | Security Policy | Policy (3.1) | Develop and implement an Information Security Policy. |
| 3 | Organizational Security | Management Information Security Forum (4.1) | Establish a corporate committee to oversee information security. Develop and implement an Information Security Organization mission statement. |
| 4 | Organizational Security | Security of Third Party Access (4.2) | Implement a process to analyze third party connection risks and implement specific security standards to combat third party connection risks. |
| 5 | Organizational Security | Security Requirements in Outsourcing Contracts (4.3) | Ensure the security requirements of the information owners have been addressed in a contract between the owners and the outsource organization. |
| 6 | Asset Classification & Control | Accounting of Assets (5.1) | Establish an inventory of major assets associated with each information system. |
| 7 | Asset Classification & Control | Information Classification (5.2) | Implement standards for security classification and the level of protection required for information assets. |
| 8 | Asset Classification & Control | Information Labeling and Handling (5.2) | Implement standards to ensure the proper handling of information assets. |
| 9 | Personnel Security | Security in Job Descriptions (6.1) | Ensure that security responsibilities are included in employee job descriptions. |
| 10 | Personnel Security | User Training (6.2) | Implement training standards to ensure that users are trained in information security policies and procedures, security requirements, business controls and correct use of IT facilities. |
| 11 | Personnel Security | Responding to Security Incidents and Malfunctions (6.3) | Implement procedures and standards for formal reporting and for the incident response action to be taken on receipt of an incident report. |
| 12 | Physical & Environmental Security | Secure Areas (7.1) | Implement standards to ensure that physical security protections exist, based on defined perimeters through strategically located barriers throughout the organization. |
| 13 | Physical & Environmental Security | Equipment Security (7.2) | Implement standards to ensure that equipment is located properly to reduce the risks of environmental hazards and unauthorized access. |
| 14 | Physical & Environmental Security | General Controls (7.3) | Implement a clear desk, clear screen policy for sensitive material to reduce the risks of unauthorized access, loss, or damage outside normal working hours. |
| 15 | Communications and Operations Management | Documented Operating Procedures (8.1) | Implement operating procedures to clearly document that all operational computer systems are being operated in a correct, secure manner. |
| 16 | Communications and Operations Management | System Planning and Acceptance (8.2) | Implement standards to ensure that capacity requirements are monitored, and future requirements projected, to reduce the risk of system overload. |
| 17 | Communications and Operations Management | Protection from Malicious Software (8.3) | Implement standards and user training to ensure that virus detection and prevention measures are adequate. |
| 18 | Communications and Operations Management | Housekeeping (8.4) | Establish procedures for making regular back-up copies of essential business data and software to ensure that they can be recovered following a computer disaster or media failure. |
| 19 | Communications and Operations Management | Network Management (8.5) | Implement appropriate standards to ensure the security of data in networks and the protection of connected services from unauthorized access. |
| 20 | Communications and Operations Management | Media Handling and Security (8.6) | Implement procedures for the management of removable computer media such as tapes, disks, cassettes, and printed reports. |
| 21 | Communications and Operations Management | Exchanges of Information and Software (8.7) | Implement procedures to establish formal agreements, including software escrow agreements when appropriate, for exchanging data and software (whether electronically or manually) between organizations. |
| 22 | Access Control | Business Requirement for System Access (9.1) | Implement a risk analysis process to gather business requirements and document access control levels. |
| 23 | Access Control | User Access Management (9.2) | Implement procedures for user registration and deregistration of access to all multi-user IT services. |
| 24 | Access Control | User Responsibility (9.3) | Implement user training to ensure users have been taught good security practices in the selection and use of passwords. |
| 25 | Access Control | Network Access Control (9.4) | Implement procedures to ensure that the network and computer services that can be accessed by an individual user or from a particular terminal are consistent with the business access control policy. |
| 26 | Access Control | Operating System Access Control (9.5) | Implement standards for automatic terminal identification to authenticate connections to specific locations. |
| 27 | Access Control | Application Access Control (9.6) | Implement procedures to restrict access to application system data and functions in accordance with the defined access policy, and based on individual requirements. |
| 28 | Access Control | Monitoring System Access and Use (9.7) | Implement audit trails that record exceptions and other security-relevant events, produced and maintained to assist in future investigations and in access control. |
| 29 | Access Control | Remote Access and Telecommuting (9.8) | Implement a formal policy and supporting standards that address the risks of working with mobile computing facilities, including requirements for physical protection, access controls, cryptographic techniques, backup, and virus protection. |
| 30 | Systems Development & Maintenance | Security Requirements of Systems (10.1) | Implement standards to ensure that analysis of security requirements is part of the requirements analysis stage of each development project. |
| 31 | Systems Development & Maintenance | Security in Application Systems (10.2) | Implement standards to ensure that data input into application systems is validated, to ensure that it is correct and appropriate. |
| 32 | Systems Development & Maintenance | Cryptography (10.3) | Implement policies and standards on the use of cryptographic controls, including management of encryption keys, and effective implementation. |
| 33 | Systems Development & Maintenance | Security of System Files (10.4) | Implement standards to exercise strict control over the implementation of software on operational systems. |
| 34 | Systems Development & Maintenance | Security in Development and Support Environments (10.5) | Implement standards and procedures for a formal change management process. |
| 35 | Business Continuity Management | Aspects of Business Continuity Planning (11.1) | Implement procedures for the development and maintenance of business continuity plans across the organization. |
| 36 | Compliance | Compliance with Legal Requirements (12.1) | Implement standards to ensure that all relevant statutory, regulatory, and contractual requirements are specifically defined and documented for each information system. |
E-Fensive's Methodologies
E-Fensive follows proven standards and guidelines in the security industry. Our experts are constantly in tune with the evolving state of security. Our approach to security combines practices and theories used in the industry to meet your needs.