International IT Governance : An Executive Guide to ISO 17799/ISO 27001

The development of IT Governance, which recognizes the convergence between business and IT management, makes it essential for managers at all levels and in organizations of all sizes to understand how best to deal with information security risks. "International IT Governance" explores new legislation, including the launch of ISO/IEC 27001, which makes a single, global standard of information security best practice available.

Introduction The information economy What is IT governance? Information security 1. Why is information security necessary? Nature of information security threats Prevalence of information security threats Impacts of information security threats Cybercrime Cyberwar Future risks Legislation Benefits of an information security management system 2. Sarbanes-Oxley and regulatory compliance Sarbanes-Oxley Enterprise risk management Regulatory compliance IT governance 3. Information security standards Benefits of certification History of ISO/IEC 27 1 and ISO/IEC 17799 Use of the standard ISO/IEC 17799 PDCA and process approach Structured approach to implementation Quality system integration Documentation Continual improvement and metrics 4. Organizing information security Internal organization Management review Information security manager The cross-functional management forum ISO/IEC 27 1 project group Approval process for information processing facilities Product selection and the Common Criteria Specialist information security advice Contact with authorities and with special interest groups Independent review of information security Summary 5. Information security policy and scope Information security policy A policy statement Costs and monitoring progress 6. The risk assessment and statement of applicability Establishing security requirements Risks, impacts and risk management Selection of controls and statement of applicability Gap analysis Risk assessment tools Risk treatment plan 7. External parties Identification of risks related to external parties Types of access Reasons for access Outsourcing On-site contractors Addressing security when dealing with customers Addressing security in third party agreements 8. Asset management Asset owners Inventory Acceptable use of assets Information classification The US government classification system Unified classification markings Information labeling and handling Non-disclosure agreements and trusted partners 9. Human resources security Job descriptions and competence requirements Screening Terms and conditions of employment During employment Disciplinary process Termination or change of employment 10. Physical and environmental security Secure areas Public access, delivery and loading areas 11. Equipment security Equipment siting and protection Supporting utilities Cabling security Equipment maintenance Security of equipment off-premises Secure disposal or reuse of equipment Removal of property 12. Communications and operations management Documented operating procedures Change management Segregation of duties Separation of development, test and operational facilities Third party service delivery management Monitoring and review of third party services Managing changes to third party services System planning and acceptance 13. Controls against malicious software (malware) and back-ups Viruses, worms and Trojans Anti-malware software Hoax messages Anti-malware controls Airborne viruses Controls against mobile code Back-up 14. Network security management and media handling Network management Media handling 15. Exchanges of information Information exchange policies and procedures Exchange agreements Physical media in transit Business information systems 16. Electronic commerce services E-commerce issues Security technologies Server security Online transactions Publicly available information 17. E-mail and internet use Security risks in e-mail Misuse of the internet Internet acceptable use policy (AUP) 18. Access control Hackers Hacker techniques System configuration Access control policy User access management Clear desk and clear screen policy 19. Network access control Networks Network security 20. Operating system access control Secure log-on procedures User identification and authentication Password management system Use of system utilities Session time-out Limitation of connection time 21. Application access control and teleworking Application and information access control Mobile computing and teleworking 22. Systems acquisition, development and maintenance Security requirements analysis and specification Correct processing in applications 23. Cryptographic controls Encryption Public key infrastructure (PKI) Digital signatures Non-repudiation services Key management 24. Security in development and support processes System files Access control to program source code Development and support processes Vulnerability management 25. Monitoring and information security incident management Monitoring Information security events Management of information security incidents and improvements 26. Business continuity management Business continuity management process Business continuity and risk assessment Developing and implementing continuity plans Business continuity planning framework Testing, maintaining and reassessing business continuity plans 27. Compliance Identification of applicable legislation Intellectual property rights (IPR) Safeguarding of organizational records Data protection and privacy of personal information Prevention of misuse of information processing facilities Regulation of cryptographic controls Compliance with security policies and standards Information systems audit considerations 28. The ISO/IEC 27 1 audit Selection of auditors Initial visit Preparation for audit Appendices I. Useful websites II. Further reading