The standard ISO/IEC 27002 is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is a code of practice whose aim is to keep an organization's information secure while its activities continue to run. ISO itself is the largest developer of standards in the world. It was set up in 1947, is located in Geneva, Switzerland, and its purpose is to develop standards that support and facilitate international trade.
ISO develops International Standards for all industry sectors. It has developed more than 18,000 International Standards on different subjects, and about 1,100 new standards are published every year.
ISO/IEC 27002 is part of the ISO/IEC 27000 series of standards. It began as a code of practice published by the UK government. The edition discussed here is ISO/IEC 27002:2005 (Information technology - Security techniques - Code of practice for information security management). It is an internationally accepted standard of good practice for information security, and thousands of organizations follow it worldwide. The prefix ISO/IEC marks a joint publication; these standards are most often developed by the joint technical committee ISO/IEC JTC 1. ISO/IEC 27002:2005 replaced the old standard ISO/IEC 17799:2005.
The 2005 edition was entirely rewritten, reorganized and updated in order to address new and emerging information security issues. In addition, one new section was added on information security incident management (section 13).
When the standard was officially published on June 15, 2005, it was known as ISO/IEC 17799:2005. On July 1, 2007, the name was formally changed to ISO/IEC 27002:2005. Nothing else changed; the content is exactly the same. The name was changed to make it clear that ISO/IEC 17799 belongs to the ISO/IEC 27000 series of information security standards.
A brief history of the standard:
1992: The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'.
1995: The document is amended and re-published by the British Standards Institution (BSI) as BS7799.
1999: The first major revision of BS7799 is published, including many major enhancements. Accreditation and certification schemes are launched; LRQA and BSI are the first certification bodies.
December 2000: BS7799 is re-published, this time as a fast-tracked ISO standard. It becomes ISO 17799 (or, more formally, ISO/IEC 17799).
2002: A second part of the standard is published, BS7799-2. This is an information security management specification rather than a code of practice, and it begins the process of alignment with other management standards such as ISO 9000.
2005: A new version of ISO 17799 is published. It includes two new sections and closer alignment with the BS7799-2 processes.
Within ISO/IEC 27002 there are many controls covering security, confidentiality and risk management. Two of them play a major role in the standard and are discussed in detail here: Security Policy and Asset Management.
Security Policy
A security policy helps keep information secure and confidential. An organization has different departments, and the information shared with the employees of each department is different and may itself be confidential. Security policy controls protect the information of each department and share it according to the roles and designations of the employees, department by department.
The security policy is implemented through controls. Controls are the administrative, management, technical or legal methods used for risk management. They include practices, policies, procedures, programs, techniques, technologies, guidelines and organizational structures.
The security policy is related to other policies as well, such as physical security and IT security. Among these, IT security is given the most weight in this discussion.
The IT security policy should deal with security threats to the organization's information assets in the following areas:
- Authentication - ensuring a user (employee) is who he/she claims to be and establishing which part of the organization he/she belongs to.
- Authorization - controlling what information and applications a user can access according to his/her designated requirements, with the approval of the concerned manager.
- Privacy and data integrity - preventing unauthorized users from seeing certain information and from making unauthorized changes or deletions.
- Disaster recovery and contingency planning.
- Physical security.
Authentication:
Once the IT department receives the user request form, the process of creating the user starts. The IT manager reviews the user's details, checks which department the user (employee) belongs to and decides which access permissions should be allotted, after checking the approval of the manager of the user's department.
In this first step the user account is created in a directory service such as Active Directory (Microsoft) or an LDAP directory (commonly used on Linux) and is added to a group that carries only limited permissions.
Authorization:
Once the user account exists, the new employee joining form is consulted again: it states, with the approval of the department head or manager, which software and which folders the user needs access to. After these requirements are reviewed, an administrator is assigned the task and takes care of installing the required software and granting the folder access.
Privacy and data integrity:
It is the IT department's responsibility to re-check that other users do not have unnecessary access to another department's information, and to be careful when granting rights to the new user and adding the user to groups. The rights granted by the IT department fall into three main classes: Read, Write and Full. These rights are assigned according to the manager's approval and requirements, and must be re-checked afterwards.
Disaster recovery and contingency planning:
Disasters can occur at any time without warning, but clients still expect deliveries by the agreed deadlines, and an organization's reputation in the market depends on delivering projects on time. To avoid interrupting ongoing work, disaster recovery (DR) planning is a must for every organization. Most organizations therefore maintain a backup working setup in a different location and keep that DR site active all the time, verifying it with a DR run at selected intervals. Disaster recovery planning falls under the backup policy.
Physical security:
We have talked a lot about logical security, but what about physical security? Even if a user cannot log on to a computer that is restricted to another department, if the door is open without any restriction the computer can be accessed physically, and so can the storage devices. To avoid such incidents and to make the environment more secure, it is a must to limit users' physical access to the company's equipment.
These days organizations use door access controls and different kinds of authentication methods to prevent unauthorized physical access.
For example:
An information-technology organization has at least two departments, for example Human Resources and Production (Development). The HR department handles tasks such as hiring details, personal details, salary details and employees' certificates for the NDA process. The Production department handles development tasks such as client relations, client information, client requirements and programming or design work, and clients naturally want the organization to keep their technology and requirements confidential for the sake of their own business. Both departments hold confidential information, but they have different roles and authorities. The security policy helps control these roles according to designation: the security policy controls require that HR information is kept secure and is not accessible to other departments such as Production.
The IT department assigns access permissions to information according to employee role. This is done on the server side with different kinds of technology. In most companies the IT department uses Windows Server to restrict user access and grant permissions to assigned files by configuring Active Directory and Group Policy, which are the simplest services Windows Server provides for this.
With Active Directory, the IT department grants user accounts and their shared folders or network drives. Each employee is allotted a user account to access his/her assigned desktop or laptop, and a folder in which to keep data, organized by task classification. If files or folders need to be shared within a group, that folder is shared with and permitted to the group or department only, and is not accessible to other departments. If files or folders should be shared only with the department manager and not with the other group members, that requirement is recorded on the new employee request form at the time of joining and signed by the concerned manager or department head. The new employee joining form is a control of the HR department that also involves the IT department: once IT receives the request from HR, the IT head or manager assigns the task to the responsible server administrator, who creates the Active Directory user and adds it to the authorized groups for the employee's role. The Active Directory group the user is added to has limited access, only to the files and folders related to the employee's department, as described above.
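The authentication, authorization and re-check steps above, as an added PowerShell example (not code from the original article): it provisions a joiner from the signed form into Active Directory, grants the department folder right through a group rather than to the user directly, and then lists any explicit ACE on the share that was not approved. The domain corp.example (NetBIOS CORP), the OU layout, the group naming ACL-<Dept>-<Right> and the D:\Shares\<Dept> path are assumptions for the example; it needs the ActiveDirectory module and administrative rights on a domain-joined workstation.

```powershell
# Added example, not code from the original article: provisioning a new
# joiner from the signed "new employee joining form" into Active Directory,
# granting department folder rights through a group, and re-checking the
# share for access that was not approved.
# Assumptions (hypothetical): domain corp.example (NetBIOS CORP), department
# OUs under OU=Users, groups named ACL-<Dept>-<Right>, department shares under
# D:\Shares\<Dept>. Requires the ActiveDirectory module and admin rights, so
# it runs on a domain-joined admin workstation, not offline.
Import-Module ActiveDirectory

# Contents of the joining form; in practice taken from the signed form.
$form = [pscustomobject]@{
    SamAccountName = 'jdoe'
    GivenName      = 'Jane'
    Surname        = 'Doe'
    Department     = 'HR'
    Rights         = 'Write'       # one of Read, Write, Full
    ApprovedBy     = 'hr.manager'  # manager who signed the form
}

# The form's Read/Write/Full mapped to concrete NTFS rights. Full Control also
# allows changing the ACL itself, so it should be approved only by exception.
$ntfsRights = @{
    Read  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    Write = [System.Security.AccessControl.FileSystemRights]::Modify
    Full  = [System.Security.AccessControl.FileSystemRights]::FullControl
}
if (-not $ntfsRights.ContainsKey($form.Rights)) { throw "Unknown right '$($form.Rights)'" }
if ([string]::IsNullOrWhiteSpace($form.ApprovedBy)) { throw 'No manager approval on the form' }

# 1. Authentication: create the account in the department OU with a random
#    initial password that must be changed at first logon.
$chars   = [char[]]((48..57) + (65..90) + (97..122))
$initial = -join (Get-Random -InputObject $chars -Count 16)
New-ADUser -SamAccountName $form.SamAccountName `
    -Name "$($form.GivenName) $($form.Surname)" `
    -GivenName $form.GivenName -Surname $form.Surname `
    -Department $form.Department `
    -UserPrincipalName "$($form.SamAccountName)@corp.example" `
    -Path "OU=$($form.Department),OU=Users,DC=corp,DC=example" `
    -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
    -ChangePasswordAtLogon $true -Enabled $true `
    -Description "Access approved by $($form.ApprovedBy) on $(Get-Date -Format 'yyyy-MM-dd')"

# 2. Authorization: membership of exactly one department group for the
#    requested right; the share ACL names groups, never individual users.
$group = "ACL-$($form.Department)-$($form.Rights)"
Add-ADGroupMember -Identity $group -Members $form.SamAccountName

$share = "D:\Shares\$($form.Department)"
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\$group", $ntfsRights[$form.Rights],
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)   # replaces any existing Allow ACE for this group
Set-Acl -Path $share -AclObject $acl

# 3. Privacy and data integrity: re-check the share for any explicit ACE that
#    is not one of the department groups or the expected built-in principals.
$expected = @("CORP\ACL-$($form.Department)-Read", "CORP\ACL-$($form.Department)-Write",
              "CORP\ACL-$($form.Department)-Full", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
(Get-Acl -Path $share).Access |
    Where-Object { -not $_.IsInherited -and $expected -notcontains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning "Unapproved ACE on ${share}: $($_.IdentityReference) has $($_.FileSystemRights)"
    }
```

Two caveats for anyone adapting this: the re-check only looks at explicit ACEs, so permissions inherited from D:\Shares have to be reviewed on the parent folder, and because the share grants rights to groups, the periodic review of "who can see HR data" becomes a review of group membership (Get-ADGroupMember on each ACL-HR-* group) rather than of individual ACEs.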
The security policy is also divided into further sections, which cover different management controls for security:
- Information security policy
- Information security infrastructure
Let us start with the basics. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Information security programs share the common goals of protecting the confidentiality, integrity and availability of information.
To understand these three goals of an information security policy better, let us look at what each one means.
Confidentiality: Confidentiality means being sure that information is accessible only to those within the organization who are authorized to access it.
Integrity: Integrity means that data is complete and whole and has not been altered in an unauthorized way, so that its structure can be trusted. In practice this involves classifying documents and keeping data structures version by version, and it supports functions such as transforming data, storing its history, storing its definitions (metadata) and storing the lineage of data as it moves from one place to another.
Availability: Availability is about continuity of operations. Clients need their projects on time, and it is good practice for organizations to deliver within the deadlines agreed when the project was taken on. To make this possible, organizations set up backup or disaster recovery offices by acquiring commercial premises in a different location and building infrastructure that matches the main production site, so that if a disaster occurs, work continues from the backup office.
Therefore the availability of employees and services 24/7 leads to standard, good business results.
Asset Management
Asset management is also one of the major parts of every ISO standard related to information technology. The organization should be in a position to understand what information assets it holds and to manage their security appropriately.
Let us first define what an asset is.
Asset: An asset is anything that holds value for an organization. It may be tangible or intangible: chairs, desks, computers, CDs, information, and so on.
There are two major sections in Asset Management.
- Responsibility for assets
- Information classification
All information assets should be accounted for and have a nominated owner. An inventory of information assets (IT hardware, software, data, system documentation, storage media, supporting assets such as computer room air conditioners and UPSs, and ICT services) should be maintained. The inventory should record ownership and location of the assets, and owners should identify acceptable uses. (ref: http://www.qualified-audit-partners.be/index.php?cont=749&lgn=1)
In this section the different controls classify the different responsibilities in asset management. They set out the responsibilities for and the importance of the assets, and help in tracking every movement of every asset that holds value for the organization. This also helps prevent the misplacing of confidential assets, such as storage devices containing confidential information of clients and of the organization.
There are a few controls that classify the responsibilities for assets:
- Inventory of assets
- Ownership of assets
- Acceptable use of assets
All significant assets should be clearly identified and accounted for in an inventory listing, and have assigned owners (controllers) who are responsible for their appropriate protection. The control includes listings of:
- type of asset, including specification of make/model/format, creation/manufacture date and any other information necessary to specify type;
- assigned owner;
- location (logical or physical location, range of physical locations if portable);
- backup information (if appropriate);
- license information (if appropriate);
- business value, security classification and level of protection; and
- any additional data necessary to allow recovery from a disaster or otherwise assure continuity of operations.
All assets must be clearly identified and maintained in an inventory. The inventory is maintained by the department to which the asset belongs or by the department that handles the asset. The complete inventory record should be tracked from the purchase of a new asset to its disposal. The inventory can be kept in any application, web-based or desktop; to keep the process simple it can be maintained in an Excel sheet with each asset categorized.
Example: Assets like chairs, tables and A/C units are maintained by the Administration department or by management, whereas computers, CDs and software are maintained by the IT department.
Asset types subject to this control may include, depending on organizational requirements:
All information and assets associated with information processing facilities should be "owned" by a designated part of the organization. The control includes:
- asset owner responsibilities for ensuring appropriate classification of and information on each owned asset; and
- definition and periodic review of access restrictions and other controls associated with the asset.
Example 1: Computers and software are maintained by one member of the IT team who is also designated as asset manager. The asset manager keeps the inventory of all IT-related assets and tracks every movement of an asset. Movements are also tracked through the "Change Management" process. Assets lent to other employees for a temporary purpose are tracked with an "Asset management form", or on a separate or the same inventory sheet, by re-checking the approvals and keeping the evidence from the concerned managers and department heads.
Example 2: This example covers how to manage the movement of computers and other hardware peripherals. The IT team can keep a form, in hard copy or soft copy, recording when and why a movement occurred, including the approval evidence of the concerned managers. For a static view of the current locations of computers, the IT team can keep hard-copy drawings of its internal infrastructure per department, desk by desk or computer by computer. It is hard to update the drawing each time a movement occurs, but keeping the movement forms in hard copy is a good way to find out when a movement occurred and what the previous location of the moved item was.
Acceptable use of assets:
Rules for the acceptable use of information and other assets associated with information processing facilities should be identified, documented and implemented. The control includes:
- guidelines/rules for use of services (e.g., email, Internet);
- guidelines/rules for use of on-site systems and devices;
- guidelines/rules for mobile devices and non-mobile devices used off-site; and
- asset users' awareness of these guidelines/rules, including an appropriate educational program.
One more major aspect of this control: it is clear that information itself is an asset, and so are the assets that manage information. In simple words, an employee's data such as files and folders is an important and confidential asset of the organization, and so are the assets that store those files and folders, like CDs, DVDs and other portable or non-portable storage devices.
Likewise, assets must be classified according to the rights allotted for using them, and also according to the roles and designations of the user/employee.
Example 1: In most organizations, handheld devices such as mobile phones, pen drives and iPods are not allowed inside confidential areas. On the other hand, the same devices are permitted for a few authorized employees; for example, mobile phones are allowed for a few designated IT members so that they can receive emergency calls even when away from their desks.
These kinds of classifications of rights to access an asset are managed by this control.
Information classification
Information should be classified according to its need for security protection and labeled accordingly.
While this is most clearly applicable to military and government organizations handling sensitive and confidential information (Top Secret, for example), the concept of identifying important assets, classifying and grouping them, and applying controls judged suitable for assets of that nature applies to any organization according to its structure.
As discussed in the controls above, assets are tracked through the inventory and the change management process; classifying assets is very important to avoid confusion later when ownership is transferred. The information in the inventory should be classified in a simple, easy-to-understand way, with complete information on each asset, who it is assigned to and who owns it. This information is maintained by the administrative or management team involved in purchasing and disposing of assets. Note that ownership can also be split across different roles: according to the role of a department member, the right to purchase an asset may be assigned to one member while the right to dispose of it belongs to another member of the same department or of a different department.
This section covers with two major controls:
- Classification guidelines
- Information labelling and handling
Information and information processing facilities should be classified in terms of value and criticality to the organization, sensitivity and legal requirements. The control includes:
- assigning responsibility for the asset owner or other appropriate party to make this classification;
- periodic review to ensure that classifications appropriately reflect business needs and legal, regulatory and certification requirements, and balance confidentiality, integrity and availability concerns against other goals.
The information of each asset, or of a group of assets, should be classified in terms of:
- value
- legal requirements
- sensitivity
- criticality
Value: An asset should be classified according to its value: how useful it is and how heavily it is used, for example how many employees use the same asset and for what purpose. If usage is high the asset has high (major) value; if usage is average the asset has average value; and if the asset is used only partially, or production is not much affected without it, the asset has minor value.
Asset values are mainly classified by their effect on the production side.
Legal requirements: Assets should also be classified according to the legal obligations attached to them: which users may use the asset according to their assigned roles, the confidentiality of the asset, and assets that carry legal terms such as software licenses.
Sensitivity: As discussed above, assets should be classified according to how sensitive they are. Since information is also an asset of the organization, production results are stored on electronic storage devices protected by access controls such as passwords. There are also legal notices, legal agreements and NDAs of employees and of third parties such as vendors or dealers. Ownership for maintaining and managing these sensitive documents is assigned according to the roles of the team members.
For example, the HR department is responsible for employee NDAs, and one team member is assigned ownership of managing and maintaining them, including changes or extensions of NDAs. On the other side, vendor NDAs and agreements are maintained by the Purchase or Administration department.
Therefore assets are classified according to their sensitivity.
Criticality: Asset criticality is a must when classifying an inventory. The most critical information or assets are passwords and software licenses; these too are assets and are classified according to their criticality. Information is an asset and the devices on which it is stored are assets; these storage devices are protected by passwords or other methods of encryption.
But think about where those passwords are stored and who is authorized to hold them. According to the classification of the asset or information, password access is classified too, and that defines the ownership for maintaining and managing the passwords. Maintaining and managing passwords is also covered by another policy, the "Password Policy", with its own controls.
Information labeling and handling
An appropriate set of procedures for information labeling and handling should be developed by each information owner and implemented in accordance with the classification scheme(s) adopted by the organization. The control includes:
- classifications that cover information in all forms and media;
- procedures for chain of custody; and
- procedures for logging and reporting relevant security incidents and events.
This is the basic concept of tracking assets. Each asset should be labeled and tagged according to a clear classification by category or department. Asset tagging is very helpful for categorizing assets and for tracking their locations when the tag is recorded in the inventory.
Example 1: A normal desktop computer used by an ordinary user can be distinguished from other computers such as servers by its tag.
Example 2:
A desktop computer can be tagged like PC001, ORG-PC001 or ORG-IT-PC001,
and a server can be tagged like SRV001, ORG-SRV001 or ORG-IT-SRV001.
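The inventory checks implied by the sections above (every asset tagged in the agreed format, a nominated owner, a classification and criticality from the agreed scheme, no duplicate tags), as an added PowerShell example that is not part of the original article. The tag pattern ORG-<DEPT>-<TYPE><NNN>, the Public/Internal/Confidential scheme, the column names and the sample rows are all constructed for the example; an Excel inventory would be exported to CSV and read with Import-Csv instead of the inline here-string.

```powershell
# Added example, not code from the original article: validating an asset
# inventory sheet against the labeling and classification scheme.
# Assumptions (hypothetical): tags follow ORG-<DEPT>-<TYPE><NNN>, the
# classification scheme is Public/Internal/Confidential, and the sheet has
# the columns shown. The rows below are constructed sample data; a real
# sheet exported from Excel would be loaded with Import-Csv instead.
$inventoryCsv = @'
Tag,Type,Owner,Department,Location,Classification,Criticality
ORG-IT-PC001,Desktop,alice,Production,Floor 2 Desk 14,Internal,Medium
ORG-IT-SRV001,Server,bob,IT,Server room rack 3,Confidential,High
ORG-HR-PC002,Desktop,,HR,Floor 1 Desk 3,Confidential,Medium
ORG-IT-PC001,Desktop,carol,Production,Floor 2 Desk 15,Internal,Low
PC-7,Laptop,dave,Production,Off-site,Secret,Low
'@
$inventory = $inventoryCsv | ConvertFrom-Csv

$tagPattern      = '^ORG-(IT|HR|ADM)-(PC|SRV|LT)\d{3}$'
$classifications = 'Public', 'Internal', 'Confidential'
$criticalities   = 'Low', 'Medium', 'High'

function Test-Inventory {
    param([object[]]$Rows)
    $findings = @()
    $seen = @{}
    foreach ($row in $Rows) {
        # Every asset must carry a tag in the agreed format so it can be found.
        if ($row.Tag -notmatch $tagPattern) {
            $findings += "$($row.Tag): tag does not follow ORG-<DEPT>-<TYPE><NNN>"
        }
        # Tags are identifiers; a duplicate means two devices share one label.
        if ($seen.ContainsKey($row.Tag)) {
            $findings += "$($row.Tag): duplicate tag (also recorded for owner '$($seen[$row.Tag])')"
        } else {
            $seen[$row.Tag] = $row.Owner
        }
        # Every asset needs a nominated owner responsible for its protection.
        if ([string]::IsNullOrWhiteSpace($row.Owner)) {
            $findings += "$($row.Tag): no owner assigned"
        }
        # Classification and criticality must come from the agreed scheme,
        # otherwise handling rules cannot be applied consistently.
        if ($classifications -notcontains $row.Classification) {
            $findings += "$($row.Tag): unknown classification '$($row.Classification)'"
        }
        if ($criticalities -notcontains $row.Criticality) {
            $findings += "$($row.Tag): unknown criticality '$($row.Criticality)'"
        }
        # A confidential asset recorded off-site falls under the mobile and
        # off-site device rules and should be looked at by the owner.
        if ($row.Classification -eq 'Confidential' -and $row.Location -eq 'Off-site') {
            $findings += "$($row.Tag): confidential asset recorded off-site; check off-site handling rules"
        }
    }
    return ,$findings
}

$findings = Test-Inventory -Rows $inventory
if ($findings.Count -eq 0) {
    'Inventory passes all checks'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

On the sample rows this reports the missing owner on ORG-HR-PC002, the reused tag ORG-IT-PC001, and the badly formed tag and unknown classification on PC-7. A natural extension on a domain is to compare the Tag column against the names returned by Get-ADComputer, which finds machines that are joined to the domain but missing from the inventory.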
Establishing asset management objectives (ref: http://www.praxiom.com/iso-17799-objectives.htm)
Establish responsibility for your organization's assets:
- Protect your organization's assets.
- Use controls to protect your assets.
- Account for your organization's assets.
- Nominate owners for all organizational assets.
- Make nominated owners responsible for protecting your organization's assets.
- Assign responsibility for the maintenance of asset controls.
- Make your asset owners responsible for protecting your organization's assets even though owners may have delegated the responsibility for implementing controls.
- Provide an appropriate level of protection for your organization's information.
- Establish an information classification system.
- Use your classification system to define security levels.
- Specify how much protection is expected at each level.
- Assign a security priority to each information security level.
- Use your organization's information classification system to specify how information should be protected at each level.
- Use your organization's information classification system to specify how information should be handled at each level.