What is ISO 17799?
ISO 17799 is an information security code of practice. It includes a number of sections, covering a wide range of security issues. Broadly (very) the objectives of these are as follows:
1. Risk Assessment and Treatment
This section was an addition to the latest version, and deals with the fundamentals of security risk analysis..
2. System Policy
Objective: To provide management direction and support for information security
3. Organizing Information Security
a) To manage information security within the organization
b) Maintain the security of information and processing facilities with respect to external parties.
4. Asset Management
a) Achieve and maintain appropriate protection of organizational assets.
b) Ensure that information receives an appropriate level of protection.
5. Human Resources Security
a) Ensure that employees, contractors and third parties are suitable for the jobs they are considered for, understand their responsibilities, and to reduce the risk of abuse (theft, misuse, etc).
b) Ensure that the above are aware of IS threats and their responsibilities, and able to support the organization’s security policies
c) Ensure that the above exit the organization in an orderly and controlled manner.
6. Physical and Environmental Security
a) Prevent unauthorized physical access, interference and damage to the organization’s information and premises.
b) Prevent loss, theft and damage of assets
c) Prevent interruption to the organization’s activities.
7. Communications and Operations Management
a) Ensure the secure operation of information processing facilities
b) Maintain the appropriate level of information security and service delivery, aligned with 3rd party agreements
c) Minimize the risk of systems failures
d) Protect the integrity of information and software
e) Maintain the availability and integrity of information and processing facilities
f) Ensure the protection of information in networks and of the supporting infrastructure
g) Prevent unauthorized disclosure, modification, removal or destruction of assets.
h) Prevent unauthorized disruption of business activities.
i) Maintain the security of information and/or software exchanged internally and externally.
j) Ensure the security of e-commerce services
k) Detect unauthorized information processing activities
8. Access Control
a) Control access to information
b) Ensure authorized user access
c) Prevent unauthorized access to information systems
d) Prevent unauthorized user access and compromise of information and processing facilities
e) Prevent unauthorized access to networked services
f) Prevent unauthorized access to operating systems
g) Prevent unauthorized access to information within application systems
h) Ensure information security with respect to mobile computing and teleworking facilities
9. Information Systems Acquisition, Development and Maintenance
a) Ensure that security is an integral part of information systems
b) Prevent loss, errors or unauthorized modification/use of information within applications
c) Protect the confidentiality, integrity or authenticity of information via cryptography
d) Ensure the security of system files
e) Maintain the security of application system information and software
f) Reduce/manage risks resulting from exploitation of publiched vulnerabilities
10. Information Security Incident Management
a) Ensure that security information is communicated in a manner allowing corrective action to be taken in a timely fashion
b) Ensure a consistent and effective approach is applied to the management of IS issues
11. Business Continuity Management
a) Counteract interruptions to business activities and protect critical processes from the effects of major failures/disasters
b) Ensure timely resumption of the above
a) Avoid the breach of any law, regulatory or contractual obligation and of any security requirement.
b) Ensure systems comply with internal security policies/standards
c) Maximize the effectiveness of and minimize associated interference from and to the systems audit process