From: InfoSec News (isn_at_c4i.org)
Date: Tue Jan 21 2003 - 00:54:39 CST
Forwarded from: Sarah Hollins <saraiec17799.com>
THE ISO17799 NEWSLETTER - EDITION 6
Welcome to the sixth edition of the ISO17799 newsletter, designed to keep you
abreast of news and developments with respect to ISO17799 and information
The information contained in this newsletter is absolutely free to our
subscribers and provides guidance on various practical issues, plus commentary
on recent Information Security incidents.
In this issue we focus on the need to encompass agreements and policies to
cover key areas. Included are the following topics:
1) Obtaining ISO17799
2) Information Classification Criteria
3) ISO17799 and Software
4) Third Party Cyber Crime Attacks
5) ISO17799: a World Wide Phenomenon
6) Employee Internet Abuse
7) More Frequently Asked ISO17799 Questions
8) My Favorite Web Sites
9) Continuity Backup and Recovery Strategy (ISO17799 Section 11)
10) BSI Certifications
11) Employee Confidentiality Undertakings
12) More on Service Level Agreements (ISO17799 Section 4)
13) It Couldn't Happen Here.... Could It?
15) Subscription Information
OBTAINING ISO 17799
The standard itself is available from:
This is the home page for the ISO17799 Toolkit. This package was put together
to help those taking the first steps towards addressing ISO17799. It includes
both parts of the standard, audit checklists, a roadmap, ISO17799 compliant
security policies, and a range of other items.
This is the ISO17799/BS7799 Electronic Shop. Essentially it is an online
vending site for downloadable copies of the standard.
INFORMATION CLASSIFICATION CRITERIA
An important task for the Information Security Officer (or the person who is
assigned these duties) is to establish a system to classify the organization's
information with respect to its level of confidentiality and importance.
It is advisable to restrict the number of information classification levels in
your organization to a manageable number, as having too many makes maintenance
and compliance difficult. For those currently without a structure, we suggest
a five point system:
- Top Secret: Highly sensitive internal documents, e.g. impending mergers or
acquisitions, investment strategies, plans or designs that could seriously
damage the organization if lost or made public. Information classified as Top
Secret has very restricted distribution and must be protected at all times.
Security at this level is the highest possible.
- Highly Confidential: Information that is considered critical to the
organization's ongoing operations and could seriously impede them if made
public or shared internally. Such information includes accounting information,
business plans, sensitive information of customers of banks, solicitors, or
accountants etc.; patients' medical records, and similar highly sensitive
data. Such information should not be copied or removed from the organization's
operational control without specific authority. Security should be very high.
- Proprietary: Procedures, operational work routines, project plans, designs
and specifications that define the way in which the organization operates.
Such information is normally for proprietary use by authorized personnel only.
Security at this level is high.
- Internal Use Only: Information not approved for general circulation outside
the organization where its disclosure would inconvenience the organization or
management, but is unlikely to result in financial loss or serious damage to
credibility. Examples include: internal memos, minutes of meetings, internal
project reports. Security at this level is controlled but normal.
- Public Documents: Information in the public domain: annual reports, press
statements etc. which have been approved for public use. Security at this
level is minimal.
Care should always be taken regarding users' tendency to over-classify their
own work. It is sometimes erroneously assumed that the classification level
assigned to a user's work reflects directly on the individual's own level of
importance within the organization.
ISO17799 AND SOFTWARE
We are sometimes asked about the role of software/products with respect to
ISO17799, particularly the two most well known offerings, COBRA and The
ISO17799 Toolkit. Where do they fit in? Are they competing products or do
they complement each other? How do they help?
The truth is that they fulfill completely different needs:
A) The ISO17799 Toolkit comprises the basic building blocks: the standard
itself (both parts), 17799 cross-referenced security policies, and so on. It
is intended to 'get you going' on the right path straight away, by providing
some basics, as well as guidance and explanations by way of presentations, a
glossary, a roadmap, etc. It can basically be seen as an introduction and
starting pack for compliance with the standard.
B) COBRA on the other hand is designed to help you manage that compliance. It
takes you through the standard and ultimately measures your compliance level,
pointing out where you fall short. Quite apart from this it is one of the most
widely used (possibly THE most widely used) risk analysis systems in the
world... and bear in mind that risk analysis is integral to the requirements
of the standard... references to 'as determined by risk assessment' are almost
In essence therefore, one product gets you started, the other helps you
For further information on the ISO17799 Toolkit, and to obtain a copy, see:
For COBRA, see: http://www.security-risk-analysis.com
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.