[ISN] Security News - ISO17799

From: InfoSec News (isnat_private)
Date: Mon Jan 20 2003 - 22:54:39 PST

  • Next message: InfoSec News: "[ISN] Welsh virus writer Vallor jailed for two years"

    Forwarded from: Sarah Hollins <saraat_private>
    Welcome to the sixth edition of the ISO17799 newsletter, designed to keep you 
    abreast of news and developments with respect to ISO17799 and information 
    The information contained in this newsletter is absolutely free to our 
    subscribers and provides guidance on various practical issues, plus commentary 
    on recent Information Security incidents. 
    In this issue we focus on the need to encompass agreements and policies to 
    cover key areas. Included are the following topics: 
    1)  Obtaining ISO17799
    2)  Information Classification Criteria
    3)  ISO17799 and Software
    4)  Third Party Cyber Crime Attacks
    5)  ISO17799: a World Wide Phenomena
    6)  Employee Internet Abuse
    7)  More Frequently Asked ISO17799 Questions
    8)  My Favorite Web Sites
    9)  Continuity Backup and Recovery Strategy (ISO17799 Section 11)
    10) BSI Certifications
    11) Employee Confidentiality Undertakings
    12) More on Service Level Agreements (ISO17799 Section 4)
    13) It Couldn't Happen Here.... Could It?
    14) Contributions 
    15) Subscription Information
    The standard itself is available from:
    This is the home page for the ISO17799 Toolkit. This package was put together 
    to help those taking the first steps towards addressing ISO17799. It includes 
    both parts of the standard, audit checklists, a roadmap, ISO17799 compliant 
    security policies, and a range of other items.
    This is the ISO17799/BS7799 Electronic Shop. Essentially it is an online 
    vending site for downloadable copies of the standard.
    An important task for the Information Security Officer (or the person who is 
    assigned these duties) is to establish a system to classify the organization's 
    information with respect to its level of confidentiality and importance.  
    It is advisable to restrict the number of information classification levels in 
    your organization to a manageable number, as having too many makes maintenance 
    and compliance difficult. For those currently without a structure, we suggest 
    a five point system: 
    - Top Secret: Highly sensitive internal documents, e.g. impending mergers or 
    acquisitions, investment strategies, plans or designs that could seriously 
    damage the organization if lost or made public. Information classified as Top 
    Secret has very restricted distribution and must be protected at all times. 
    Security at this level is the highest possible. 
    - Highly Confidential: Information that is considered critical to the 
    organization's ongoing operations and could seriously impede them if made 
    public or shared internally. Such information includes accounting information, 
    business plans, sensitive information of customers of banks, solicitors, or 
    accountants etc.; patients' medical records, and similar highly sensitive 
    data. Such information should not be copied or removed from the organization's 
    operational control without specific authority. Security should be very high. 
    - Proprietary: Procedures, operational work routines, project plans, designs 
    and specifications that define the way in which the organization operates. 
    Such information is normally for proprietary use by authorized personnel only. 
    Security at this level is high. 
    - Internal Use Only: Information not approved for general circulation outside 
    the organization where its disclosure would inconvenience the organization or 
    management, but is unlikely to result in financial loss or serious damage to 
    credibility. Examples include: internal memos, minutes of meetings, internal 
    project reports. Security at this level is controlled but normal. 
    - Public Documents: Information in the public domain: annual reports, press 
    statements etc. which have been approved for public use. Security at this 
    level is minimal. 
    Care should always be applied regarding a user's tendency to over classify 
    their own work. It can sometimes be erroneously surmised that the 
    classification level assigned to a user's work can reflect directly on the 
    individual's own level of importance within the organization. 
    We are sometimes asked about the role of software/products with respect to 
    ISO17799, particularly the two most well known offerings, COBRA and The 
    ISO17799 Toolkit. Where do they fit in? Are they competitor products or do 
    they compliment each other? How do they help? 
    The truth is that they fulfill completely different needs: 
    A) The ISO17799 Toolkit comprises the basic building blocks: the standard 
    itself (both parts), 17799 cross referenced security policies, and so on. It 
    is intended to 'get you going' on the right path straight away, by providing 
    some basics, as well as guidance and explanations by way of a presentations, 
    glossary, roadmap, etc. It can basically be seen as an introduction and 
    starting pack for compliance with the standard. 
    B) COBRA on the other hand is designed to help you manage that compliance. It 
    takes you through the standard and ultimately measures your compliance level, 
    pointing out where you fall short. Quite apart from this it is one of the most 
    widely used (possibly THE most widely used) risk analysis systems in the 
    world... and bear in mind that risk analysis is integral to the requirements 
    of the standard... references to 'as determined by risk assessment' are almost 
    In essence therefore, one product gets you started, the other helps you 
    For further information on the ISO17799 Toolkit, and to obtain a copy, see: 
    For COBRA, see: http://www.security-risk-analysis.com 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 04:41:44 PST