Thursday,30 May, 2024

Subscribe to Newsletter

  Knowledge Center
Knowledge Center

The Iso 17799 The Definite Guide For Security Geeks (Part 7)
By: Omar Sherin from Egypt

In this part of the ISO series we will discuss the 8th section of the standard, this section (Communication and Operations Management) deals with how a typical organization should handle its IT operations.

In control 8.1.2 the standard requires that changes to information processing facilities and systems should be controlled. You can achieve this control through a formal change control mechanism. When programs, Systems configuration are changed, an audit log containing all relevant information should be retained. Changes to the operational environment can impact the entire organization in unexpected ways. The controls that should be sufficient are:

a) Identification and recording of significant changes

b) Assessment of the potential impact of such changes

c) Formal approval procedure for proposed changes

d) Communication of change details to all relevant persons

e) Procedures identifying responsibilities for aborting and recovering from unsuccessful changes

Control 8.3.1 (controls against malicious software) requires that the company should have a policy requiring compliance with software licenses and copy right laws. In some countries, it’s the government's role to ensure that this particular policy exists or your accountants can expect a big fat fine coming their way.

The company should also have a formal policy to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium. It’s the company's IT department role to take its measures to comply with this policy and it’s the employee’s role to help the IT department and the company achieve this target of Virus free corporate PCs. Without the user’s cooperation and awareness, it won’t matter if the company spends thousands of dollars on a fancy enterprise edition AV while the users always choose to download the “dancing monkey” free trial edition game from the internet, or even downloading an infected file from their home PC and then carrying it over a thump drive and sticking it in their company PC bypassing all the company defenses. You just can’t spend money on the remediation and forget about the causes.

Control 8.4.1 handles the critical issue of “Information backup “, in Egypt we have a very strong sense of the importance of backup which is quite a relief. But globally backup handling evolved to be an experience and a science of its own. Now it’s not enough if you have a backup policy, the standard requires that the company should apply an appropriate level of physical and environmental protection, and that the backup jobs should have a copy sent to another remote site for maximum protection.

In simple words, you can’t store your sensitive magnetic tapes in an ordinary file cabinet or in an office drawer exposed to high temperatures, humidity and dust. You should store them in an environmentally appropriate and secure location.

Companies even opt to store the tapes in special fire proof safes to protect this valuable asset in cases of fire, and they make sure that other copies are sent to other locations (Branch offices, affiliate companies, Banks safe boxes, Service providers...etc).

Also a planned and scheduled “restore” operation is vital to ensure the integrity of the backup jobs. What would be the case if you are in a disaster and you sadly discover that all your highly regarded backups were taken on corrupted media, or are even infected with a virus?! I believe that someone will receive a not so nice email if it’s still working.

Another control of really big importance to the financial sector is (8.6.2) concerning disposal of Media:

The following list identifies items that might require secure disposal:

1. Paper documents

2. Voice or other recordings

3. Carbon paper

4. Output reports

5. One-time-use printer ribbons

6. Magnetic tapes

7. Removable disks or cassettes

8. Optical storage media (all forms and including all manufacturer software distribution media)

9. Program listings

10. Test data

11. System documentation

How many of the above media types have a disposal policy in the Egyptian financial sector and are audited by the regulatory bodies? I think You don’t want to know.

"In Egypt we have a very strong sense of the importance of backup which is quite a relief."

Rate This:

Posted by ROOT Technologies

What is your favourite search engine?

Most Viewed
  Riverbed Launches Industry’s Most Complete Digital Experience Management Solution

  Credence Security to Address Growing Market for GRC Solutions in Middle East Through Partnership with Rsam

  New Mimecast Archive Cloud Capability Streamlines GDPR Management for Email

  Planning and Scheduling Software–Helping Manufacturers Keep Their Customers Happy

  Farsight Security and Infoblox Provide Zero-Hour Protection Against Cyberattacks Due to New Domains

  Fujitsu Launches High-Security Biometric Authentication Solution for Active Directory IT Environments

  Rackspace Wins 2017 Red Hat Innovator of the Year Award

  ServiceNow Survey Shows 2018 as the Year of Automation for Routine Enterprise Work

  4 Tech Hacks to Faster Customer Onboarding

  New Mimecast Report Detects 400% Increase in Impersonation Attacks