ISO IEC 17799 2000 *

* ISO 17799 2000 is now OBSOLETE.
We’ve used a task-oriented approach to translate the ISO 17799 information security practices into plain English. This means that our plain English standard consists entirely of tasks. So if you want to implement the ISO 17799 standard, all you have to do is carry out the tasks that we have listed. However, you don’t have to perform every task. These are recommended tasks, not compulsory tasks.

In order to give you the freedom to choose whether or not you wish to carry out a recommended task, we offer three response options for each task: DO, DONE, or N/A. If you haven’t done the task and you feel it needs to be done, select DO. Select DO if the task addresses one of your information security risks or needs. If you’ve already done the task, select DONE. If the task is not applicable in your situation or does not address your information security risks and needs, then answer N/A (not applicable).
THE FOLLOWING MATERIAL IS NOW OBSOLETE

ISO IEC 17799 2000

**4. ORGANIZATIONAL SECURITY**
**4.1 ESTABLISH A SECURITY INFRASTRUCTURE**

| # | Task | DO | DONE | N/A | COMMENTS |
|---|------|----|------|-----|----------|
| 1 | Establish a management framework to control how your organization implements information security. | DO | DONE | N/A | |
| 2 | Establish a management forum to review and approve your information security policy. | DO | DONE | N/A | |
| 3 | Establish a management forum to co-ordinate and control the implementation of your organization’s information security program. | DO | DONE | N/A | |
| 4 | Establish a management forum to assign information security roles and responsibilities. | DO | DONE | N/A | |
| 5 | Make sure that you have access to information security experts and advisors within your own organization. | DO | DONE | N/A | |
| 6 | Make sure that your internal experts are able to provide specialized information security advice. | DO | DONE | N/A | |
| 7 | Make sure that you have access to external information security experts and advisors. | DO | DONE | N/A | |
| 8 | Make sure that your external advisors help you to monitor changes in information security standards and methods. | DO | DONE | N/A | |
| 9 | Make sure that your external information security experts and advisors help you to deal with security incidents. | DO | DONE | N/A | |
| 10 | Make sure that your organization encourages the use of a multi-disciplinary approach to information security. | DO | DONE | N/A | |
**4.1.1 SET UP AN INFORMATION SECURITY FORUM**

| # | Task | DO | DONE | N/A | COMMENTS |
|---|------|----|------|-----|----------|
| 11 | Assign the responsibility for information security to a single manager within your organization. | DO | DONE | N/A | |
| 12 | Establish a management forum that you can use to support information security initiatives. | DO | DONE | N/A | |
| 13 | Make sure that your security management forum promotes the importance of information security. | DO | DONE | N/A | |
| 14 | Make sure that your security management forum ensures that adequate resources are provided to support security. | DO | DONE | N/A | |
| 15 | Make sure that your security management forum reviews and approves your information security policy. | DO | DONE | N/A | |
| 16 | Make sure that your security management forum reviews and approves information security responsibilities. | DO | DONE | N/A | |
| 17 | Make sure that your security management forum monitors major security threat changes and trends. | DO | DONE | N/A | |
| 18 | Make sure that your security management forum monitors how exposed your information assets are. | DO | DONE | N/A | |
| 19 | Make sure that your security management forum monitors and reviews information security incidents. | DO | DONE | N/A | |
| 20 | Make sure that your security management forum reviews and approves improvements in information security. | DO | DONE | N/A | |
**4.1.2 CO-ORDINATE SECURITY IMPLEMENTATION**

| # | Task | DO | DONE | N/A | COMMENTS |
|---|------|----|------|-----|----------|
| 21 | Establish a management forum that you can use to co-ordinate the implementation of security controls. | DO | DONE | N/A | |
| 22 | Make sure that management forum members represent all relevant areas of your organization. | DO | DONE | N/A | |
| 23 | Make sure that your security management forum distributes information security roles and responsibilities throughout your organization. | DO | DONE | N/A | |
| 24 | Make sure that your security management forum reviews and approves information security methods and techniques. | DO | DONE | N/A | |
| 25 | Make sure that your security management forum approves and supports information security initiatives. | DO | DONE | N/A | |
| 26 | Make sure that your security management forum ensures that security is considered during the information planning process. | DO | DONE | N/A | |
| 27 | Make sure that your security management forum evaluates the adequacy of security controls that will be used to protect new information systems or services. | DO | DONE | N/A | |
| 28 | Make sure that your security management forum co-ordinates the implementation of security controls that will be used to protect new information systems and services. | DO | DONE | N/A | |
| 29 | Make sure that your security management forum reviews and evaluates information security incidents. | DO | DONE | N/A | |
| 30 | Make sure that your management forum promotes the importance of information security throughout your organization. | DO | DONE | N/A | |
**4.1.3 ALLOCATE SECURITY RESPONSIBILITIES**

| # | Task | DO | DONE | N/A | COMMENTS |
|---|------|----|------|-----|----------|
| 31 | Define the responsibilities that control how individual information assets should be protected. | DO | DONE | N/A | |
| 32 | Define the responsibilities that control how information security processes should be carried out. | DO | DONE | N/A | |
| 33 | Make sure that your information security policy describes how general security roles and responsibilities are distributed throughout your organization. | DO | DONE | N/A | |
| 34 | Define how specific information security roles and responsibilities are distributed amongst various sites. | DO | DONE | N/A | |
| 35 | Define how specific information security roles and responsibilities are distributed amongst systems. | DO | DONE | N/A | |
| 36 | Define how specific information security roles and responsibilities are distributed amongst services. | DO | DONE | N/A | |
| 37 | Define how the responsibility for individual physical assets is allocated at the local level. | DO | DONE | N/A | |
| 38 | Define how the responsibility for individual information assets is allocated at the local level. | DO | DONE | N/A | |
| 39 | Define how the responsibility for individual security processes is allocated at the local level. | DO | DONE | N/A | |
| 40 | Appoint an information security manager. | DO | DONE | N/A | |
| 41 | Make sure that your information security manager has been given the responsibility for developing your security program. | DO | DONE | N/A | |
| 42 | Make sure that your information security manager has been given the responsibility for implementing your security program. | DO | DONE | N/A | |
| 43 | Make sure that your information security manager has been given the responsibility for identifying security controls. | DO | DONE | N/A | |
| 44 | Appoint an owner for each information asset. | DO | DONE | N/A | |
| 45 | Make sure that asset owners have been given the responsibility for the security of their information assets. | DO | DONE | N/A | |
| 46 | Make sure that your asset owners delegate specific security responsibilities to other managers or service providers. | DO | DONE | N/A | |
| 47 | Make sure that asset owners ensure that delegated security responsibilities are clearly and completely stated. | DO | DONE | N/A | |
| 48 | Make sure that delegated responsibilities for security assets and processes have been clearly and completely defined. | DO | DONE | N/A | |
| 49 | Make sure that you document all delegated responsibilities for information security assets and processes. | DO | DONE | N/A | |
| 50 | Make sure that you define and document all delegated authorization levels for security assets and processes. | DO | DONE | N/A | |
| 51 | Make sure that your asset owners ensure that delegated security responsibilities are properly carried out. | DO | DONE | N/A | |
**4.1.4 SET UP AUTHORIZATION PROCESS FOR NEW FACILITIES**

| # | Task | DO | DONE | N/A | COMMENTS |
|---|------|----|------|-----|----------|
| 52 | Establish a management authorization process to control new information processing facilities. | DO | DONE | N/A | |
| 53 | Make sure that user managers approve of the purpose and authorize the use of all new information processing facilities. | DO | DONE | N/A | |
| 54 | Make sure that your information security maintenance manager authorizes new information processing facilities. | DO | DONE | N/A | |
| 55 | Make sure that your information security maintenance manager ensures that your new information processing facilities meet all security requirements and policies. | DO | DONE | N/A | |
| 56 | Check new hardware to ensure that it will be compatible with existing system components. | DO | DONE | N/A | |
| 57 | Check new software to ensure that it will be compatible with existing system components. | DO | DONE | N/A | |
| 58 | Control the business use of personal information processing facilities. | DO | DONE | N/A | |
| 59 | Evaluate personal information processing facilities before they are used to process business information. | DO | DONE | N/A | |
| 60 | Authorize the use of personal processing facilities before they are used to process business information. | DO | DONE | N/A | |
**4.1.5 IDENTIFY SPECIALIZED SECURITY ADVISORS**

| # | Task | DO | DONE | N/A | COMMENTS |
|---|------|----|------|-----|----------|
| 61 | Identify an in-house information security advisor. | DO | DONE | N/A | |
| 62 | Make sure that your in-house security advisor accumulates and co-ordinates your organization’s information security knowledge and experience. | DO | DONE | N/A | |
| 63 | Make sure that your in-house information security advisor helps your organization to make information security decisions. | DO | DONE | N/A | |
| 64 | Make sure that your in-house information security advisor has access to external security experts and advisors. | DO | DONE | N/A | |
| 65 | Make sure that your information security advisors have been asked to provide advice on all aspects of information security. | DO | DONE | N/A | |
| 66 | Make sure that your information security advisors have been asked to assess the security problems that threaten your organization. | DO | DONE | N/A | |
| 67 | Make sure that your information security advisors have been asked to assess your organization’s information security controls. | DO | DONE | N/A | |
| 68 | Make sure that information security advisors have direct access to your organization’s management personnel. | DO | DONE | N/A | |
| 69 | Consult your security advisors whenever you have a security incident or breach. | DO | DONE | N/A | |
| 70 | Ask your information security advisors to investigate security incidents or breaches. | DO | DONE | N/A | |
| … | Etcetera ... | DO | DONE | N/A | |
| ORGANIZATION: | YOUR LOCATION: |
|---|---|
| COMPLETED BY: | DATE COMPLETED: |
| REVIEWED BY: | DATE REVIEWED: |

OCT 2004
COPYRIGHT © PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED.
VER 1.0
PART 4: ORGANIZATIONAL SECURITY, PAGE 12
Copyright © 2005 by Praxiom Research Group Limited. All Rights Reserved. Updated on October 4, 2007. On the Web since May 25, 1997.