IS411 Question 4

Identify how to structure an effective security policy using chapters of ISO 17799:2005.


About RamesesIII

Adjunct Instructor ITT-Tech IT Dept.

12 responses to “IS411 Question 4”

  • Catherine Childs

    http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=50297

    http://www.itgi.org

    ISO 17799:2005 presents an incredible level of detail and is a robust standard to implement a security program.

    ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management and compliance.

    • Mylo Collier

      Identify how to structure an effective security policy using chapters of ISO 17799:2005.

      The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
      • security policy;
      • organization of information security;
      • asset management;
      • human resources security;
      • physical and environmental security;
      • communications and operations management;
      • access control;
      • information systems acquisition, development and maintenance;
      • information security incident management;
      • business continuity management;
      • compliance.

  • Ryan Brown

    First, I would use that particular ISO because it is an outdated revision. I would use ISO 27002:2005.

    Since the actual document costs $208.00, I’ll give the simple answer:

    ISO27002:2005 provides the industry accepted “best practice” recommendations for the management of information security in twelve areas:

    Risk Assessment, Security Policy, Organization of Information Security, Asset Management, Human Resource Security, Physical and Environmental Security, Communication and Operation Management, Access Control, Information Systems Acquisition, Development and Maintenance, Information Security Incident Management, Business Continuity Management, and Compliance.

    While the document provides the “best practices”, it is up to the individual company to implement the specific controls that are relevant to their business.

  • Tyler Manuel

    This is a great document/guideline on where to begin/get an idea of how to write a policy for a company and the structure in which to follow. Here is a section of the document that goes into some detail of organizing said policy.

    “security policy;
    organization of information security;
    asset management;
    human resources security;
    physical and environmental security;
    communications and operations management;
    access control;
    information systems acquisition, development and maintenance;
    information security incident management;
    business continuity management;
    compliance.
    The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.”

  • Robert Wooldridge

    ISO/IEC 27002:2005 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from 17799 to 27002.

    ISO/IEC 27002:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management:

    • security policy;
    • organization of information security;
    • asset management;
    • human resources security;
    • physical and environmental security;
    • communications and operations management;
    • access control;
    • information systems acquisition, development and maintenance;
    • information security incident management;
    • business continuity management;
    • compliance.
    The control objectives and controls in ISO/IEC 27002:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 27002:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

  • Nolan Oribello

    To structure an effective security policy, I would address each area in Information Security Management outlined in ISO 17799:2005. This would involve creating procedures for asset management, access control, and inventory. I would have an intranet resource, such as a Sharepoint site, which is accessible to the corporation concerning Incident Management, and Business Continuity. I would further educate personnel on the appropriate usage of systems, and focus on individual security practices, such as securing workstations, and safeguarding network credentials.

  • Corey Maurer

    I would structure it around the best practices outlined in the document. Like Ryan said, the full document is only available after paying the fee, but the summary says that it covers the best practice for security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management and compliance.

  • Noel Taylor

    The purpose is to establish “guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.”

    ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

    There are eleven sections of ISO/IEC 17799:
    1. Security Policy – focusing on InfoSec policy
    2. Organization of InfoSec – for both the internal organization and external parties
    3. Asset Management
    4. Human Resources Security
    5. Physical and Environmental Security
    6. Communication and Operations Management
    7. Access Control
    8. Information Systems Acquisition, Development and Maintenance
    9. Information Security Incident Management
    10. Business Continuity Management
    11. Compliance

    In 2005, BS7799:2 was updated and codified as ISO/IEC 27001:2005, and is the foundation for third-party certification. Its major sections include:
    Introduction
    Scope
    Terms and definitions
    ISMS
    Management responsibility
    Management review
    ISMS improvement

  • Samphuppuora Ath

    ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:

    security policy;
    organization of information security;
    asset management;
    human resources security;
    physical and environmental security;
    communications and operations management;
    access control;
    information systems acquisition, development and maintenance;
    information security incident management;
    business continuity management;
    compliance.
    The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

  • Courtland Richardson

    Use of the ISO 17799:2005 security standard details the main ideas and goals that ought to be accomplished by security and information technology personnel. Pragmatic exploitation of the document should allow for proper evaluation of risk/threat assessment, analyses and the creation of global policy; to administer and secure the network and subsequent data while organizing resources, employees and the company or business.

    Care should be given to physical security as well as maintaining assets such as hardware, software and the intellectual and/or personal/critical data of patrons and business partners alike. Access to these assets and resources must also be addressed and shaped in such a way that authorized access is the foremost and singular access extended to that which is created and protected.

    Compliance! There must be a mission statement that is well known, documented and distributed to each and every entity that is trusted, contracted, signed and delivered…

    There have been examples of breach of contract, stealing, laundering and just about any other “white collar” crime imaginable and I am sure that at some point these examples have crossed the regulations outlined in the ISO 17799:2005 document(s). Example, Sarbanes-Oxley Act

  • Fred

    Question 4 ISO 17799:2005:

    Question: Identify how to structure an effective security policy using chapters of ISO 17799:2005

    Answer: Just based on the bullet point guidelines/principles that have already been given as a freebie for the part of the document that is not for sale.

    *security policy;
    *organization of information security;
    *asset management;
    *human resources security;
    *physical and environmental security;
    *communications and operations management;
    *access control;
    *information systems acquisition, development and maintenance;
    *information security incident management;
    *business continuity management;
    *compliance.

    Then follow those bullet point guidelines/principles and try to work up an idea of what was not said in the published part but what you may find in the purchasable document OR just go find the already bought, downloaded and pirated version that is free for download.

  • Bobby Nobody

    LulzSec is a government cover to show an active threat to the US and the Internet, then the US government will save the Internet by installing the dreaded “Kill Switch” in addition to various other forms of technology that spy on individuals. All these people following LulzSec on Twitter and doing their bidding are nothing more than lemmings giving away their future Internet freedom. So far the US government has done nothing to stop LulzSec, when in fact it is incredibly simple to do so with the tools they have. Once LulzSec (the US government) has caused enough trouble, ruined enough lives, the face of the US government will show up like a superhero to save the day, and Internet freedom is over. You are all slaves.
