COBIT, SOX, HIPAA and GLBA Mapping Templates

Columns: ISO 17799 2005 | COBIT 4.1 | Sarbanes Oxley COSO | HIPAA Requirements | GLBA

Section: 4 Risk Assessment and Treatment

4.1 Assessing Security Risks
ISO 17799: Identify, quantify, and prioritize risks against criteria for risk acceptance relevant to the organization
COBIT 4.1: Plan and Organize: PO9 Assess and Manage IT Risks. Monitor and Evaluate: ME3 Ensure Regulatory Compliance; ME4 Provide IT Governance
SOX COSO: Risk Assessment; Objective Setting; Event Identification
HIPAA: Security Standard: a) 1. Risk Analysis (R)
GLBA: III.B. Assess Risk

4.2 Treating Security Risks
ISO 17799: Determine risk treatment options: apply appropriate controls, accept risks, avoid risks or transfer risk to other parties
COBIT 4.1: Plan and Organize: PO9 Assess and Manage IT Risks. Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance; ME2 Monitor and Evaluate Internal Control
SOX COSO: Risk Response; Event Identification
HIPAA: Security Standard: a) 1. Risk Management (R)
GLBA: III.C. Manage and Control Risk

Section: 5 Security Policy

5.1 Information Security Policy
ISO 17799: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals
COBIT 4.1: Plan and Organize: PO1 Define a Strategic IT Plan; PO4 Define the IT Processes, Organization and Relationships; PO6 Communicate Management Aims and Direction; PO7 Manage IT Human Resources
SOX COSO: Internal Environment; Objective Setting; Risk Assessment
HIPAA: Security Standard: a) 1. Sanction Policy (R); a) 2. Assigned Security Responsibility (R)
GLBA: II.A. Information Security Program; II.B. Objectives; III.A. Involve Board of Directors

Section: 6 Organization of Information Security

6.1 Internal Organization
ISO 17799: A management framework should be established to initiate and control the implementation of information security within the organization
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Internal Environment; Control Activities; Information and Communication
HIPAA: Security Standard: a) 1. Information System Activity Review (R); a) 2. Assigned Security Responsibility (R)
GLBA: II.A. Information Security Program; II.B. Objectives; III.A. Involve Board of Directors; III.C. Manage and Control Risk; III.F. Report to the Board

6.2 External Parties
ISO 17799: To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties
COBIT 4.1: Plan and Organize: PO8 Manage Quality. Deliver and Support: DS1 Define and Manage Service Levels; DS2 Manage Third-Party Services; DS5 Ensure Systems Security
SOX COSO: Internal Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring
HIPAA: Security Standard: b) 1. Written Contract or Other Arrangement (R)
GLBA: III.C. Manage and Control Risk; III.D. Oversee Service Provider Arrangements

Section: 7 Asset Management

7.1 Responsibility for Assets
ISO 17799: All assets should be accounted for and have a nominated owner
COBIT 4.1: Plan and Organize: PO4 Define the IT Processes, Organization and Relationships
SOX COSO: Control Activities
HIPAA: Physical Standard: d) 2. Device and Media Controls - Accountability (A)
GLBA: N/A

7.2 Information Classification
ISO 17799: Information should be classified to indicate the need, priorities and expected degree of protection
COBIT 4.1: Plan and Organize: PO2 Define the Information Architecture; PO9 Assess and Manage IT Risks. Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Risk Assessment; Event Identification
HIPAA: Security Standard: a) 1. Risk Analysis (R); a) 1. Risk Management (R)
GLBA: N/A

Section: 8 Human Resources Security

8.1 Prior to Employment
ISO 17799: To ensure that employees, contractors, and third party users understand responsibilities, and are suitable for their roles
COBIT 4.1: Plan and Organize: PO7 Manage IT Human Resources. Deliver and Support: DS12 Manage the Physical Environment
SOX COSO: Internal Environment; Control Activities; Information and Communication
HIPAA: Security Standard: a) 1. Sanction Policy (R); a) 3. Authorization and/or Supervision (A); a) 3. Workforce Clearance Procedure (A); a) 5. Security Reminders (A)
GLBA: III.C. Manage and Control Risk

8.2 During Employment
ISO 17799: To ensure that employees, contractors and third party users are aware of information security threats and concerns, and are equipped to support security policy in the course of their normal work
COBIT 4.1: Plan and Organize: PO7 Manage IT Human Resources. Deliver and Support: DS7 Educate and Train Users
SOX COSO: Internal Environment; Control Activities; Information and Communication
HIPAA: Security Standard: a) 5. Security Reminders (A)
GLBA: III.C. Manage and Control Risk

8.3 Termination or Change of Employment
ISO 17799: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner
COBIT 4.1: Plan and Organize: PO4 Define the IT Processes, Organization and Relationships; PO7 Manage IT Human Resources
SOX COSO: N/A
HIPAA: Security Standard: a) 3. Termination Procedures (A)
GLBA: N/A

All Rights Reserved Valores Corporativos Softtek S.A. de C.V. 2011. Confidential.

Section: 9 Physical and Environmental Security

9.1 Secure Areas
ISO 17799: To prevent unauthorized physical access, damage, and interference to the organization's premises and information
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security; DS11 Manage Data; DS12 Manage the Physical Environment
SOX COSO: Control Activities; Information and Communication; Monitoring
HIPAA: Security Standard: a) 3. Authorization and/or Supervision (A); a) 3. Workforce Clearance Procedure (A). Physical Standard: a) 1. Facility Access Control; a) 2. Facility Security Plan; a) 2. Access Control and Validation Procedures (A)
GLBA: III.C. Manage and Control Risk

9.2 Equipment Security
ISO 17799: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities
COBIT 4.1: Deliver and Support: DS3 Manage Performance and Capacity; DS4 Ensure Continuous Service
SOX COSO: Control Activities; Information and Communication
HIPAA: Physical Standard: a) 1. Facility Access Control; b) Workstation Use (R); c) Workstation Security; d) 1. Device and Media Controls - Disposal (R); d) 2. Media Re-use (R); d) 2. Device and Media Controls - Accountability (A)
GLBA: III.C. Manage and Control Risk

Section: 10 Communications and Operations Management

10.1 Operational Procedures and Responsibilities
ISO 17799: To ensure the correct and secure operation of information processing facilities including segregation of duties and change management functions
COBIT 4.1: Plan and Organize: PO4 Define the IT Processes, Organization and Relationships. Acquire and Implement: AI6 Manage Changes. Deliver and Support: DS4 Ensure Continuous Service; DS13 Manage Operations
SOX COSO: Internal Environment; Risk Response; Control Activities; Monitoring
HIPAA: Security Standard: a) 1. Information System Activity Review (R); a) 1. Sanction Policy (R); a) 2. Assigned Security Responsibility (R); b) 1. Written Contract or Other Arrangement (R); a) 6. Response and Reporting (R). Physical Standard: a) 2. Contingency Operations (R)
GLBA: III.C. Manage and Control Risk

10.2 Third Party Service Delivery Management
ISO 17799: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements
COBIT 4.1: Plan and Organize: PO4 Define the IT Processes, Organization and Relationships; PO8 Manage Quality; PO10 Manage Projects. Deliver and Support: DS1 Define and Manage Service Levels; DS2 Manage Third-Party Services
SOX COSO: Internal Environment; Control Activities
HIPAA: Security Standard: b) 1. Written Contract or Other Arrangement
GLBA: III.D. Oversee Service Provider Arrangements

10.3 System Planning and Acceptance
ISO 17799: To minimize the risk of system failures
COBIT 4.1: Deliver and Support: DS3 Manage Performance and Capacity; DS4 Ensure Continuous Service
SOX COSO: Control Activities; Monitoring
HIPAA: N/A
GLBA: III.C. Manage and Control Risk

10.4 Protection Against Malicious and Mobile Code
ISO 17799: Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security; DS8 Manage Service Desk and Incidents; DS9 Manage the Configuration; DS10 Manage Problems
SOX COSO: Control Activities; Event Identification; Information and Communication
HIPAA: Security Standard: a) 4. Access Establishment and Modification (A); a) 5. Protection from Malicious Software
GLBA: III.C. Manage and Control Risk

10.5 Back-up
ISO 17799: Routine procedures for implementing the back-up policy and strategy
COBIT 4.1: Deliver and Support: DS4 Ensure Continuous Service; DS11 Manage Data
SOX COSO: Event Identification; Control Activities; Monitoring
HIPAA: Security Standard: a) 7. Data Backup Plan (R); a) 7. Disaster Recovery Plan (R); a) 7. Emergency Mode Operation Plan (R); a) 7. Testing and Revision Procedure (A). Physical Standard: a) 2. Contingency Operations (R); a) 2. Data Backup and Storage (A)
GLBA: III.C. Manage and Control Risk

10.6 Network Security Management
ISO 17799: To ensure the protection of information in networks and the protection of the supporting infrastructure
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Risk Assessment; Control Activities; Monitoring
HIPAA: Technical Standard: a) 2. Encryption and Decryption (A); e) 1. Transmission Security; e) 2. Integrity Controls (A)
GLBA: III.C. Manage and Control Risk

10.7 Media Handling
ISO 17799: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Control Activities; Information and Communication
HIPAA: Physical Standard: d) 1. Device and Media Controls - Disposal (R); d) 2. Media Re-use (R); d) 2. Device and Media Controls - Accountability (A)
GLBA: III.C. Manage and Control Risk


10.8 Exchange of Information
ISO 17799: To maintain the security of information and software exchanged within an organization and with any external entity
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Risk Assessment; Risk Response; Control Activities; Information and Communication; Monitoring
HIPAA: Security Standard: b) 1. Written Contract or Other Arrangement (R). Technical Standard: a) 2. Encryption and Decryption (A); d) Person or Entity Authentication (R); e) 1. Transmission Security; e) 2. Integrity Controls (A)
GLBA: III.C. Manage and Control Risk

10.9 Electronic Commerce Services
ISO 17799: To ensure the security of electronic commerce services, and their secure use
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Event Identification; Control Activities
HIPAA: N/A
GLBA: III.C. Manage and Control Risk

10.10 Monitoring
ISO 17799: To detect unauthorized information processing activities including review of operator logs and fault logging
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security. Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance; ME2 Monitor and Evaluate Internal Control
SOX COSO: Control Activities; Monitoring
HIPAA: Security Standard: a) 5. Log-In Monitoring (A); a) 1. Information System Activity Review (R); b) 8. Audit Controls (R)
GLBA: III.C. Manage and Control Risk

Section: 11 Access Control

11.1 Business Requirement for Access Control
ISO 17799: Establish, document and review access control policies and rules
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Internal Environment; Control Activities
HIPAA: Security Standard: a) 4. Access Authorization (A)
GLBA: III.C. Manage and Control Risk

11.2 User Access Management
ISO 17799: Formal procedures to control the allocation of access rights to information systems and services
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Control Activities; Monitoring
HIPAA: Security Standard: a) 4. Access Authorization (A); a) 4. Access Establishment and Modification (A); a) 5. Password Management (A). Technical Standard: a) 2. Unique User Identification (R)
GLBA: III.C. Manage and Control Risk

11.3 User Responsibilities
ISO 17799: User awareness, particularly with the use of passwords and the security of equipment
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Internal Environment; Control Activities
HIPAA: Security Standard: a) 5. Password Management (A). Physical Standard: b) Workstation Use (R); d) Workstation Security
GLBA: III.C. Manage and Control Risk

11.4 Network Access Control
ISO 17799: Ensure that appropriate interfaces and authentication mechanisms to networked services are in place
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Internal Environment; Control Activities; Monitoring
HIPAA: Security Standard: a) 5. Password Management (A). Technical Standard: c) 2. Mechanism to Authenticate Electronic Protected Health Information (A); d) Person or Entity Authentication

11.5 Operating System Access Control
ISO 17799: To prevent unauthorized access to operating systems. Some methods include: ensure quality passwords, user authentication, and the recording of successful and failed system accesses
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Internal Environment; Control Activities; Monitoring
HIPAA: Security Standard: a) 4. Access Establishment and Modification (A); a) 5. Password Management (A). Technical Standard: a) 2. Unique User Identification (R); a) 2. Automatic Logoff (A); d) Person or Entity Authentication
GLBA: III.C. Manage and Control Risk

11.6 Application and Information Access Control
ISO 17799: To prevent unauthorized access to information held in application systems
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Control Activities; Monitoring
HIPAA: Security Standard: a) 4. Access Establishment and Modification (A); a) 5. Password Management (A). Technical Standard: a) 2. Unique User Identification (R); d) Person or Entity Authentication
GLBA: III.C. Manage and Control Risk

11.7 Mobile Computing and Teleworking
ISO 17799: To ensure information security when using mobile computing and teleworking facilities
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Internal Environment; Control Activities; Monitoring
HIPAA: Security Standard: a) 4. Access Establishment and Modification (A)
GLBA: III.C. Manage and Control Risk

Section: 12 Information Systems Acquisition, Development, and Maintenance

12.1 Security Requirements of Information Systems
ISO 17799: To ensure that security is built into information systems, including infrastructure, business applications and user-developed applications.
COBIT 4.1: Acquire and Implement: AI2 Acquire and Maintain Application Software; AI3 Acquire and Maintain Technology Infrastructure
SOX COSO: Control Activities; Monitoring
HIPAA: N/A
GLBA: N/A

12.2 Correct Processing in Applications
ISO 17799: To prevent errors, loss, unauthorized modification or misuse of information in applications
COBIT 4.1: Acquire and Implement: AI2 Acquire and Maintain Application Software
SOX COSO: Control Activities
HIPAA: Technical Standard: e) 2. Transmission Security - Integrity Controls (A)
GLBA: III.C. Manage and Control Risk

12.3 Cryptographic Controls
ISO 17799: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Control Activities; Monitoring
HIPAA: Technical Standard: a) 2. Encryption and Decryption (A); e) 2. Transmission Security - Encryption (A)
GLBA: III.C. Manage and Control Risk

12.4 Security of System Files
ISO 17799: To ensure security of system files
COBIT 4.1: Acquire and Implement: AI6 Manage Changes. Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Control Activities; Information and Communication; Monitoring
HIPAA: N/A
GLBA: III.C. Manage and Control Risk

12.5 Security in Development and Support Processes
ISO 17799: Project and support environments should be strictly controlled
COBIT 4.1: Acquire and Implement: AI6 Manage Changes. Deliver and Support: DS5 Ensure Systems Security
SOX COSO: Control Activities; Monitoring
HIPAA: N/A
GLBA: N/A

12.6 Technical Vulnerability Management
ISO 17799: To reduce risks resulting from exploitation of published technical vulnerabilities
COBIT 4.1: Plan and Organize: PO9 Assess and Manage IT Risks. Deliver and Support: DS2 Manage Third-Party Services; DS4 Ensure Continuous Service; DS5 Ensure Systems Security; DS9 Manage the Configuration. Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance
SOX COSO: N/A
HIPAA: Security Standard: a) 6. Response and Reporting (R)
GLBA: III.C. Manage and Control Risk

Section: 13 Information Security Incident Management

13.1 Reporting Information Security Events and Weaknesses
ISO 17799: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security; DS8 Manage Service Desk and Incidents; DS10 Manage Problems. Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance; ME2 Monitor and Evaluate Internal Control
SOX COSO: N/A
HIPAA: Security Standard: a) 6. Response and Reporting (R)
GLBA: III.C. Manage and Control Risk

13.2 Management of Information Security Incidents and Improvements
ISO 17799: To ensure a consistent and effective approach is applied to the management of information security incidents.
COBIT 4.1: Deliver and Support: DS5 Ensure Systems Security; DS8 Manage Service Desk and Incidents; DS10 Manage Problems. Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance; ME2 Monitor and Evaluate Internal Control
SOX COSO: N/A
HIPAA: N/A
GLBA: III.C. Manage and Control Risk

Section: 14 Business Continuity Management

14.1 Information Security Aspects of Business Continuity Management
ISO 17799: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters and to ensure their timely resumption
COBIT 4.1: Deliver and Support: DS4 Ensure Continuous Service; DS10 Manage Problems; DS11 Manage Data
SOX COSO: Event Identification; Risk Response; Control Activities; Information and Communication; Monitoring
HIPAA: Security Standard: a) 7. Disaster Recovery Plan (R); a) 7. Testing and Revision Procedures (A); a) 7. Applications and Data Criticality Analysis (A)
GLBA: III.C. Manage and Control Risk

Section: 15 Compliance

15.1 Compliance with Legal Requirements
ISO 17799: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements
COBIT 4.1: Monitor and Evaluate: ME3 Ensure Regulatory Compliance; ME4 Provide IT Governance
SOX COSO: Internal Environment; Event Identification; Risk Assessment; Control Activities; Information and Communication; Monitoring
HIPAA: Security Standard: a) 1. Sanction Policy (R); a) 6. Response and Reporting (R); b) 1. Written Contract or Other Arrangement (R)
GLBA: III.C. Manage and Control Risk; III.F. Report to the Board

15.2 Compliance with Security Policies and Standards, and Technical Compliance
ISO 17799: To ensure compliance of systems with organizational security policies and standards
COBIT 4.1: Acquire and Implement: AI7 Install and Accredit Solutions and Changes. Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance; ME2 Monitor and Evaluate Internal Control; ME4 Provide IT Governance
SOX COSO: Internal Environment; Control Activities; Monitoring
HIPAA: Security Standard: a) 8. Technical Evaluation that measures compliance with security requirements (R)
GLBA: III.C. Manage and Control Risk; III.E. Adjust the Program; III.F. Report to the Board

15.3 Information Systems Audit Considerations
ISO 17799: To maximize the effectiveness of, and to minimize interference to/from, the information systems audit process
COBIT 4.1: Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance; ME2 Monitor and Evaluate Internal Control; ME4 Provide IT Governance
SOX COSO: Monitoring
HIPAA: Security Standard: b) 8. Audit Controls (R)
GLBA: III.C. Manage and Control Risk; III.F. Report to the Board
