Web Application Security Tools

I have been checking tools for a while for web application security engagements. Here is my list for web application scanners, test tools, proxies, source code analyzers, web application firewalls, XML SOA gateways.

Remote Web App Test Tools and test proxies

1- SPI Dynamics WebInspect  – Now HP Webinspect –https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__

2- Sanctum then Watchfire AppScan – Now IBM Rational AppScan –  http://www-01.ibm.com/software/awdtools/appscan/

3- Kavado Scando – Now Protegrity –http://www.protegrity.com/DefianceSecuritySuite

4- AppSecInc AppDetective Pro –http://www.appsecinc.com/products/appdetective/index.shtml

5- Cenzic Hailstorm –http://www.cenzic.com/products/software/overview/

6- NT Objectives NTOSpiderhttp://www.ntobjectives.com/products/ntospider.php

7- Acunetix Web Vulnerability Scanner http://www.acunetix.com/vulnerability-scanner/

8- Burp Suite -proxy-  http://www.portswigger.net/

9- Sandsprite Web Sleuth – http://sandsprite.com/Sleuth/about.html

10- Positive Technologies MaxPatrol 7 –http://www.ptsecurity.com/mp_eval.asp

11- NGS Typhon III –http://www.ngssoftware.com/products/internet-security/ngs-typhon.php

12- Parasofthttp://www.parasoft.com/jsp/solutions/soa_solution.jsp?itemId=319#web_iface_penetration

13- Hyperscan -Art of Defense –http://www.artofdefence.com/en/hyperscan/hyperscan.html

14- HP Assessment Management Platform software –https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9580_4000_100__

15- nCircle – http://www.ncircle.com/index.php?s=products_webapp360

16- Qualys – Web Application Scanning –http://www.qualys.com/solutions/web_application_scanning/

17- Foundstone – Now McAfee Vulnerability Manager –http://www.mcafee.com/us/enterprise/products/risk_and_vulnerablity_management/vulnerability_manager.html

18- Nessus – Tenable Security –http://www.tenablesecurity.com/nessus/

19- Syhunt SandCat http://www.syhunt.com/

20- Saint – No Web App Customization –http://www.saintcorporation.com/products/vulnerability_scan/saint/saint_scanner.html

21- MileSCAN Web Security Auditor (WSA) – Paros Proxy –http://www.milescan.com/hk/ ,http://www.parosproxy.org/index.shtml

22- N-Stalker Web Application Security Scannerhttp://www.nstalker.com/products

23- Nikto – Open Source (GPL) web server scanner  http://www.cirt.net/nikto2

24- Canvas (formerly SpikeSecurity) –http://www.immunitysec.com/products-canvas.shtml

25- WebScarab -proxy-  http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

26- Odysseus – proxy- http://www.bindshell.net/tools/odysseus

27- CoreImpact – http://www.coresecurity.com/content/core-impact-overview

28- Metasploit – http://www.metasploit.com/

29- Wikto – http://www.sensepost.com/research/wikto/

30- Proventia Scanner (formerly ISS) –http://www-935.ibm.com/services/ushttp://www-935.ibm.com/services2

31- e-Eye Retina Web Scannerhttp://www.eeye.com/html/products/RetinaWebScanner/index.html

32- SQL Power Injector http://www.sqlpowerinjector.com/

33- Sensepost BiDiBLAH – Security Assessment Power Tools (not sure for Web App features)  http://www.sensepost.com/research/bidiblah/

34- The Security Auditor’s Research Assistant (SARA) – http://www-arc.com/sara/

35- Founstone Tools –http://www.foundstone.com/us/resources/freetools.asp

36- Wapiti Web application vulnerability scanner / security auditor –http://wapiti.sourceforge.net/

37- Curl – httptools, not a scanner – http://curl.haxx.se/

38- Stanford SecuriBench –http://suif.stanford.edu/~livshits/securibench/

39- Fiddler Proxy – http://www.fiddler2.com/fiddler2/

40- Pantera – another spikeproxy-http://www.owasp.org/index.php/Pantera

41- Suru – proxy from sensepost –http://www.sensepost.com/research/suru/

42- Charles Proxy – http://www.charlesproxy.com/

43- Burp, Paros, and WebScarab for Mac OS X –http://www.corsaire.com/downloads/

44- RatPrxoy from Google http://code.google.com/p/ratproxy/

45- JS Proxy – for javascript – http://jscmd.rubyforge.org/

46- OWASP Phoenix Chapter – Another List of Tools :http://www.owasp.org/index.php/Phoenix/Tools

Source Code Analysis

1.Coverity Integrity Server / Prevent –http://www.coverity.com/products/coverity-prevent.html

2.Escher Technologies Eschertech  – http://eschertech.com/

3.Fortify Software Suite (analysis, workbench, metrics & trending console, customization module)http://www.fortify.com/products/fortify-360/vulnerability-detection.jsp

4.Gimple PC and Flexe-Lint C/C++  –http://www.gimpel.com/html/products.htm

5.Grammatech CodeSurfer C/C++ –http://www.grammatech.com/products/codesurfer/overview.html

6.Ounce Labs – Now IBM – http://www.ouncelabs.com/application_security/

7.Parasoft JTest  Parasoft Application Security- Java Static Code Analysis – http://www.parasoft.com/jsp/products/home.jsp?product=Jtest

8.Secure Software CodeAssure Workbench C/C++, Java (Now Fortify)

9.Veracode – http://www.veracode.com/solutions

10.Armorize Codesecure – http://www.armorize.com/?link_id=codesecure

11.Klocwork Insight/Solohttp://www.klocwork.com/products/product-comparison-matrix/

12.Hypersource – Art of Defense –http://www.artofdefence.com/en/hypersource/hypersource.html

13. PHP Pixy – http://pixybox.seclab.tuwien.ac.at/pixy/

14. BFBTester: Brute Force Binary Tester –http://bfbtester.sourceforge.net/

15. CROSS (Codenomicon Robust Open Source Software)  –http://www.codenomicon.com/solutions/cross.shtml

16. Flawfinder – C/C++ source code –http://www.dwheeler.com/flawfinder/

17. Gendarme -.NET applications and libraries – http://www.mono-project.com/Gendarme

18. Stanford SecuriBench -open source –http://suif.stanford.edu/~livshits/securibench/

19. OWASP Phoenix Chapter – Another List of Tools :http://www.owasp.org/index.php/Phoenix/Tools

Web Application Firewalls:

I am excluding network firewalls with deep inspection features such as Cisco, Juniper, Check Point, Fortinet

F5- ASM -Application Security Manager –http://www.f5.com/products/big-ip/product-modules/application-security-manager.html

Breach Security – http://www.breach.com/products/

Imperva – SecureSphere –http://www.imperva.com/solutions/web-application-security.html

Cisco ACE Web Application Firewallhttp://www.cisco.com/en/US/products/ps9586/index.html

White Hat Sentinel (add-on for F5, Imperva, Breach) –http://www.whitehatsec.com/home/services/waf.html

Citrix NetScalerhttp://www.citrix.com/English/ps2/products/product.asp?contentID=25636

Protegrity WAF – http://www.protegrity.com/WebApplicationFirewall

Fortify Real Time Analyzer RTA –http://www.fortify.com/products/detect/

AQtronix for IIS  – http://www.aqtronix.com/?PageID=99

DenyAll rWeb – http://www.denyall.com/products/rweb_en.html

Applicure DotDefender –http://www.applicure.com/About_dotDefender

Armorlogic Profense – http://www.armorlogic.com/

Bee Ware i-Sentry http://www.bee-ware.net/en/product/i-sentry/

BinarySec (French)http://www.binarysec.com/cms/docs/products/products.html

BugSec WebSniper http://www.bugsec.com/index.php?q=WebSniper

e-Eye SecureIIShttp://www.eeye.com/html/products/secureiis/index.html

webscurity web.AppSecure http://www.webscurity.com/products.htm

Phion Airlockhttp://www.phion.com/INT/products/websecurity/Pages/default.aspx

Radware AppWallhttp://www.radware.com/Products/ApplicationDelivery/AppWall/default.aspx

Hyperguard – Art of Defense :http://www.artofdefence.com/en/hyperguard/hyperguard.html

Barracuda Web Application Firewall –http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php

XML Firewalls

Radware AppXMLhttp://www.radware.com/Products/ApplicationDelivery/AppXML/default.aspx

DataPower (now owned by IBM) – WebSphere DataPower SOA Appliances –http://www-01.ibm.com/software/integration/datapower/

Reactivity, Inc. (acquired by CISCO), The Cisco ACE XML Gateway –http://www.cisco.com/en/US/products/ps7314/index.html

Forum Sentry XML Gateway  –http://www.forumsys.com/products/index.php

Layer 7 Technologies’ SecureSpan XML Firewall –http://www.layer7tech.com/main/solutions/firewalling.html

Vordel XML Gateway –http://www.vordel.com/products/vx_gateway/

Dajeil – http://www.dajeil.com/Products.asp

Sarvega (now owned by Intel) Intel SOA Expressway –http://www.intel.com/cd/software/products/asmo-na/eng/373233.htm

Bloombase Spitfire Security Server –http://www.bloombase.com/products/spitfire/index.html

Sonoa http://www.sonoasystems.com/product-matrix#anc-security

inferno – opensource – http://ixmlfirewall.sourceforge.net/

DAXFi – Dynamic XML Firewal – Opensource –http://sourceforge.net/projects/daxfi/




Achieving PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of broad requirements for enhancing security around payment operations. PCI DSS was developed in January 2005 by the PCI Security Standards Council, which includes American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, and aims to help facilitate the broad adoption of consistent data security measures globally. Since its introduction, PCI DSS has continually evolved to reflect changes in the security landscape.

The PCI DSS is a comprehensive security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It is intended to help organisations proactively protect sensitive customer account data against hackers, internal misuse and fraud.

As more financial organisations use a wide variety of platforms to process card payment data, such as mobile phones and the Internet, there is a need for these companies to be aware of how to meet the requirements set out by PCI DSS.

In the past, PCI DSS was seen as something only relevant to credit card clearance web sites. However, this is now changing as more and more financial institutions are offering services over mobile phones and the Internet. Also, financial services organisations are increasingly being audited on PCI DSS, so it is becoming important to protect all web-facing applications against all known attacks.

Failure to meet PCI DSS can result in a company not being able to carry out card processing, seriously disrupting business operations and potentially ruining a company’s reputation. As such, here are some important steps that an organisations can take to become PCI DSS compliant.

Step 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

Firewalls are devices that secure Internet traffic going into and out of the corporate network, as well as controlling internal traffic to sensitive databases. They assess all network traffic and block transmissions that do not meet set security criteria.

Employees need to have the freedom to carry out work, which increasingly involves having remote access to the corporate network. However, organisations must maintain and protect the integrity of sensitive data from intentional and unintentional access.

Firewalls are a key protection mechanism for any computer network and one of the most important requirements to get right when becoming PCI DSS compliant.

Step 2: Do Not Use Vendor-supplied Defaults for System Passwords and Other Security Parameters

Hackers, both external and internal, often use vendor default passwords and other default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.

Always use an original password with a combination of letters and numbers to ensure the safety of databases that contain sensitive data.

Step 3: Protect Stored Cardholder Data

Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.

Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimising risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full primary account number (PAN) is not needed and not sending PAN in unencrypted emails.

Step 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

Sensitive information travelling across the Internet should always be encrypted, as hackers often attempt to intercept, modify and divert data while in transit. To this end, the PCI DSS requirements make it clear that all organisations should use strong cryptography and security protocols, such as secure socket layer (SSL) and Internet protocol security, to safeguard sensitive cardholder data during transmission over open and public networks.

Step 5: Use and Regularly Update Anti-virus Software

Many vulnerabilities and malicious viruses enter the network via employees’ email activities. Anti-virus software must be used on all systems connected to the network and at risk from viruses.

In addition, sensible IT policies and procedures need to be put in place to prevent employees from independently downloading anti-virus software from sources that could carry dangerous malware. Furthermore, it would be prudent to add an additional layer of defence with an intrusion prevention system to help monitor and control against malware not detected by antivirus software. Intrusion prevention systems proactively protect networks by using artificial intelligence to look for anomalies within network traffic.

Step 6: Develop and Maintain Secure Systems and Applications

Hackers use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses.

It is important to note that appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

It is also considered best practice to incorporate intrusion prevention systems at this level to ensure protection against vulnerabilities that have been discovered but have not had patches developed or deployed.

Step 7: Restrict Access to Cardholder Data by Business ‘Need-to-know’

This requirement ensures that critical data can only be accessed by authorised personnel. This particular requirement is rather open-ended and covers the basic principle that data should not be accessible unless specifically allowed.

In order to achieve this level of control, the applications involved need to have a variety of systems in place including firewalls and intrusion prevention systems. Intrusion prevention systems in particular are very important as they enforce and control all access to systems and applications through the inspection of all network traffic in real-time.

Step 8: Assign a Unique ID to Each Person with Computer Access

Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorised users.

Step 9: Restrict Physical Access to Cardholder Data

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hard copies, and should be appropriately restricted.

Step 10: Track and Monitor All Access to Network Resources and Cardholder Data

IT departments need to implement logging mechanisms and have the ability to track user activity across the corporate network. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

As well as tracking and monitoring activity logs, it is wise to ensure they are all maintained in a single reporting console to easily alert, access and report on all activity and potential vulnerabilities.

Step 11: Regularly Test Security Systems and Processes

Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software.

Step 12: Maintain a Policy that Addresses Information Security for Employees and Contractors

A strong security policy sets the tone for the whole company and informs employees what is expected of them. All employees should be made aware on a regular basis of the sensitivity of data and their responsibilities for protecting it.

The development and adherence to an information security policy is essential for any organisation as most data breaches occur through employees not knowing how to deal with data properly.

IT Security Metrics



This paper provides basic information on what metrics are and why IT security performance should be measured. Additionally, this section defines types of metrics that can be used to measure IT security controls, discusses the key aspects of making a metrics program successful, and identifies the uses of metrics for management, reporting, and decision making.

IT security metrics can be obtained at different levels within an organisation. Detailed metrics, collected at the system level, can be aggregated and rolled up to progressively higher levels, depending on the sise and complexity of an organisation. While a case can be made for using different terms for more detailed and aggregated items, such as “metrics” and “measures,” this document uses these terms interchangeably.

IT security metrics must be based on IT security performance goals and objectives. IT security performance goals state the desired results of a system security program implementation, such as “All employees should receive adequate security awareness training.” IT security performance objectives enable accomplishment of goals by identifying practices defined by security policies and procedures that direct consistent implementation of security controls across the organisation. Examples of IT security performance objectives, corresponding to the example goal cited above are “All new employees receive new employee training,” “Employee training includes a summary of the Acceptable Usage Policy,” and “Employee training includes a summary and a reference to the organisation’s security policies and procedures.” IT security metrics monitor the accomplishment of the goals and objectives by quantifying implementation of the security controls and the effectiveness and efficiency of the controls, analysing the adequacy of security activities, and identifying possible improvement actions.

IT security metrics must yield quantifiable information for comparison purposes, apply formulas for analysis, and track changes using the same points of reference. Percentages or averages are most common, and absolute numbers are sometimes useful, depending on the activity that is being measured. To be useful for tracking performance and directing resources, metrics need to provide relevant performance trends over time and point to improvement actions that can be applied to problem areas. Management should use metrics to assess performance by reviewing metrics trends, identifying and prioritising corrective actions, and directing the application of those corrective actions based on risk mitigation factors and available resources.

Benefits of Using Metrics

A security metrics program provides a number of organisational and financial benefits. Organisations can improve accountability for security by deploying IT security metrics. Departments and agencies can demonstrate compliance with applicable laws, rules, and regulations by implementing and maintaining an IT security metrics program Fiscal constraints and market conditions compel government and industry to operate on reduced budgets. In such an environment, it is difficult to justify broad investments in the IT security infrastructure. Historically, arguments for investing in specific areas of IT security lack detail and specificity, and fail to adequately mitigate specific system risk. Use of IT security metrics will allow organisations to measure successes and failures of past and current security investments and should provide quantifiable data that will support allocation of resources for future investments.

Metrics Types

The types of metrics (implementation, efficiency and effectiveness, and impact) that can realistically be obtained and that can also be useful for performance improvement depend on the maturity of the security control implementation. Examples of implementation metrics that are applied at this level of maturity are the percentage of systems with approved security plans and the percentage of systems with password policies configured as required. As security controls are documented and implemented, the ability to reliably collect the outcome of their implementation improves. As an organisation’s IT security program evolves and performance data becomes more readily available, metrics will focus on program efficiency— timeliness of security service delivery and effectiveness—operational results of security control implementation. Measuring effectiveness and efficiency of implemented security controls and the impact of these controls on the organisation’s mission. These metrics concentrate on the evidence and results of testing and integration. Instead of measuring the percentage of approved security plans, these metrics concentrate on validating whether security controls, described in the security plans, are effective in protecting the organisation’s assets. For example, computing the percentage of crackable passwords within a predefined time threshold will validate the effectiveness of an organisation’s password policy by measuring the length of time required to break policy-compliant passwords. The impact metrics would quantify incidents by type (e.g., root compromise, password compromise, malicious code, denial of service) and correlate the incident data to the percentage of trained users and system administrators to measure the impact of training on security.

Success Factors

1. System stakeholders must be included in the IT security metrics development and program implementation.

2. A very important success factor is manageability of the metrics program. Results of many security activities can be quantified and used for performance measurement; however, since resources are limited and the majority of resources should be applied to correcting performance gaps, organisations should prioritise measurement requirements to ensure that a limited number of metrics are gathered.

3. Ascertain the quality and validity of data, data collection methods and data repositories used for metrics data collection and reporting, either directly or as data sources, should be standardised.

4. Any data collection, specifically for the purpose of IT security metrics, must be as nonintrusive as possible The establishment of a metrics program will require a significant investment to ensure that the program is properly implemented to maximise its benefits. The resources required for maintaining the program are not expected to be as significant.

Metrics Development Process

The IT security metrics development process consists of two major activities: 1. Identification and definition of the current IT security program; and 2. Development and selection of specific metrics to measure implementation, efficiency, effectiveness, and the impact of the security controls.

Stakeholder Interest Identification

The primary IT security stakeholders are:

• Chief Executive/SRO/Managing Director

• Chief Information Officer (CIO)

• Security Program Manager/Information Security Officer (ISO)

• Program Manager/System Owner

• System Security Officer

• System Administrator/Network Administrator

 • IT Support Personnel


Secondary security stakeholders include:

• Finance Director

 • Training Organisation

 • Human Resources

 • Auditors.


The interests of each stakeholder will differ, depending on the security aspects of their role and on their position within the organisational hierarchy. Each stakeholder may require an additional set of customised metrics that provides a view of the organisation’s IT security performance within their area of responsibility. It is recommended that fewer metrics per stakeholder be used when an organisation is establishing a security program; the number of metrics per stakeholder will increase gradually with the maturity of the IT security program and of the metrics program. Stakeholders should be involved in each step of security metrics development to ensure organisational buy-in to the concept of measuring security performance.

Metrics Development and Selection Organisations may decide to use a weighting scale to differentiate importance of selected metrics and to ensure that the results accurately reflect existing security program priorities. This would involve assigning values to each metric based on the importance of a metric in the context of the overall security program. Metrics weighting should be based on the overall risk mitigation goals and is likely to reflect higher criticality of department-level initiatives versus smaller scale initiatives and is a useful tool that facilitates integration of IT security metrics into the departmental capital planning process.

Establishing Performance Targets After applicable metrics are identified and described, performance targets should be identified in the indicator line of the metric form. Performance targets establish a goal by which success is measured. The degree of success is based on the metric result’s proximity to the stated performance target. The mechanics of establishing performance targets differ for implementation metrics and the other three types of metrics (effectiveness, efficiency, and impact). For implementation metrics, targets are set to 100 percent completion of specific tasks. Setting performance targets for efficiency, effectiveness, and impact metrics is more complex, because these aspects of security operation do not assume a specific level of performance. Management will need to apply qualitative and subjective reasoning to determine appropriate levels of security effectiveness and efficiency and to use these levels as targets of performance for applicable metrics. Once the baseline is obtained and corrective actions identified, appropriate measurement targets and implementation milestones can be defined that are realistic for a specific system environment. If performance targets cannot be established after the baseline has been obtained, management should evaluate whether the measured activities and corresponding metrics are providing expected value for the organisation.

METRICS PROGRAM IMPLEMENTATION Prepare for Data Collection After the metrics have been identified, specific implementation steps should be defined on how to collect, analyse, and report the metrics. These steps should be documented in the Metrics Program Implementation Plan. Collect Data and Analyse Results This phase includes the following activities: • Collect metrics data, according to the processes defined in the Metrics Program Implementation Plan • Consolidate collected data and store in a format conducive to data analysis and reporting, for example, in a database or a spreadsheet • Conduct gap analysis – compare collected measurements with targets, if defined, and identify gaps between actual and desired performance • Identify causes of poor performance • Identify areas requiring improvement.

A Business Case for ISO 27001 / ISO 17799 / BS 7799


The business value of ISO17799

A case study by

This case study concerns an IT services company that decided to implement ISO17799, the Code of Practice for Information Security Management, and gained significant business advantages as a result. The case reveals some surprising linkages between information security management and general business management, and several indirect benefits that are seldom mentioned.

Business situation

“ServiceCo” [not its real name] is a supplier of IT services, hardware and software to corporate clients. Having gained its ISO 9002 certificate nearly ten years ago, staff were used to working in a consistent manner using documented quality procedures and guidelines. A couple of years ago, however, the atmosphere within the company had turned sour. Management decisions were mostly being made instinctively on “gut-feel” with little real analysis. With staff turnover increasing, senior management recognised the need to change and took a long hard look at the organization’s strengths and weaknesses.

ServiceCo management decided to implement ISO17799. According to a senior ServiceCo director, “Implementing ISO17799 made business sense. Securing ServiceCo’s internal information would reduce the risk and hence the cost of serious breaches. ISO17799 is a known security framework developed by some of the worlds leading companies (BT, HSBC, Shell International and Unilever, amongst others), so it gave us the means to implement best practice security controls.”

Benefits of implementing ISO17799

The director told us “ISO17799 is not just about information security or IT – it actually helps the organisation save and make money.” He identified the following business benefits of ISO17799:
Direct benefits

Increased reliability and security of systems: “Like all businesses ServiceCo is reliant upon information systems. ISO17799 has ensured that we now have controls in place that maintain system availability and reduce the risk of vulnerabilities being exploited. Post-certification ‘surveillance visits’ and re-certification audits to ISO17799 ensure the business keeps up-to-date with the latest vulnerabilities and best practices.”

Increased profits: “Sales and margins are up, and clients’ perceptions of our business have improved. Our BS7799 Part 2 certificate demonstrates that we can be trusted to secure our customers’ data, as well as our own. Our customers not only understand that our investment in ISO17799 has given them benefits, but they are prepared to spend a little more for a secure IT infrastructure. Since gaining ISO17799, we have already seen a marked increase in our bottom line profit and some new customers are telling us they prefer to trade with companies who have a recognised security certification. Additionally, we are now seeing more Invitations To Tender from business that list ISO17799-compliance as a pre-requisite. And, by the way, our employees are wasting less time surfing the Internet for sites not related to work!”

Cost-effective and consistent information security: “We have implemented cost-effective security matched to our business needs. ServiceCo had many technical safeguards throughout the organisation, but the risk assessment highlighted that some of our safeguards offered little or no business benefit and would provide a better return off investment if they were reconfigured to protect assets that required a higher level of protection. All divisions and departments within ServiceCo had previously developed their own security guidelines. ISO17799 helped us develop a consistent approach to security by creating uniform policies incorporating industry best practise. Where necessary, employee compliance with the policies is supported by an enforceable disciplinary process.”

Systems rationalisation: “Analysing our information and information security requirements properly means we spend our money wisely. We were able to cut about 50% of our systems and data when we realised they were not worth keeping, and we actually relaxed controls on some low-risk systems.”

Compliance with legislation: “Implementing ISO17799 forced us to comply with UK legislation in areas such as data protection and software copyright.”
Indirect benefits

Improved management control: “Managers have more control over the organisation, and better quality information with which to manage it – management effort is therefore reduced.”

Better human relations: “Clear policies, procedures and guidelines make things easier for our staff – the atmosphere has improved and staff turnover has reduced. ISO17799 has made ServiceCo different from our competitors and provided the company with a unique selling point, leading to a better working environment for all of our staff. Employees now recognise that their earning potential is dependant on how customers perceive the company brand and that any negative publicity could affect them. Professionalism has improved throughout the company. Given that so much of security relies on internal controls, we needed to look more carefully at who we were employing. Through ISO17799 we introduced more through recruitment processes that reduce the risk of employing people unsuitable to the position or who could potentially put our business at risk. We now know who is working for us!”

Improved risk management and contingency planning: “Through the ISO17799 certification process, ServiceCo identified its vulnerabilities, threats and potential impacts to the business. As a result of this and implementing controls from ISO17799, ServiceCo now has a more structured approach to risk management. For example, we now have a rational process to decide which risks to transfer to our insurers. We also now have a business continuity plan that suits the business, not just the IT department. The risk assessment identified information assets that are critical to the success of the business. This enabled us to produce a business continuity plan that prioritised these assets and reduces our potential exposure to financial loss or negative publicity.”

Enhanced customer and trading partner confidence: “With the heightened sensitivity to security breaches, trading partners, customers and vendors were looking evidence of security. ISO17799 certification has provided this assurance. In any industry you have to stand out from your competitors. Being the first IT Value Added Reseller in the world to obtain ISO17799 is a bold statement that will always be unique to ServiceCo. Having the ISO17799 logos on our company literature is a continual reminder to potential and existing customers that we are a professionally-run organisation who take the confidentially, integrity and availability of their and our information seriously.”


“Despite what people say, the costs of implementing ISO17799 are very modest. The main cost element was the pain of cultural change (we had to ‘let a couple of our people go’ for not complying with our policies and procedures). The regular compliance reviews to maintain our certification only costs us about £3k [$5k] p.a. so ISO17799 is very cost-effective. We are now talking to our assessors about combining the ISO17799 and ISO 9002 reviews to save time and money.”

For more information

To find out more about this case study or for help to assess the business value of ISO17799 to your organization, contact IsecT Ltd. info@isect.com

ISMS 17799 Checklist – Policies

Section 1. Security policy

1.1 Information security policy

Objective: To provide management direction and support for information security.

Top management should set a clear direction and demonstrate their support for and commitment to information security through the issue of an information security policy across the organization.

[Is there a formal information security policy?]

1.1.1 Information security policy document (Key)

A written policy document should be available to all employees responsible for information security.

[Can you show me the official policy statement that is distributed to employees and tell me how it is promulgated through the organization?]

Section 2. Security organization

2.1 Information security infrastructure

Objective: To manage information security within the organization.

A management framework should be established to initiate and control the implementation of information security within the organization.

[Can you tell me who is in charge of information security and how you get in touch with them?]

2.1.1 Management information security forum

Management direction should be provided through a suitable high level steering forum.

[How does top level management guide information security controls?]

2.1.2 Information security coordination

In a large organization it might be necessary to coordinate information security measures through a cross-functional forum.

[How large is your organization and how are you able to coordinate the computer security effort between all of those people?]

2.1.3 Allocation of information security responsibilities (Key)

Responsibilities for the protection of individual assets and for carrying out specific security processes should be explicitly defined.

[Who is responsible for virus protection? Who do you call if you find a virus?]

2.1.4 Authorization process for IT facilities

Installation of IT facilities should be technically approved and authorized.

[Has this computer (pick one) been approved by computer security? How?]

2.1.5 Specialist information security advice

Specialist advice on information security may be required.

[What internal security expertise do you have and what outside experts do you use to augment your internal expertise?]

2.1.6 Cooperation between organizations

Security specialists and organizations should cooperate to combat general security threats.

[Would you say there is a lot of cooperation between groups in the area of information security?]

2.1.7 Independent review of information security

Implementation of information security should be independently reviewed.

[Who provides your outside information security audit function and who do they work for?]

2.2 Security of third party access

Objective: To maintain the security of organizational IT facilities and information assets accessed by third parties.

Access to company IT facilities by (non-organizational) third parties should be controlled.

[How do you allow business partners access to their applications without openning up your internal systems to potential harm?]

2.2.1 Identification of risks from third party connections

The risks associated with access to organizational IT facilities by third parties should be assessed and appropriate security controls implemented.

[Is there a risk management report describing why you selected the controls you selected for your outside connections?]

2.2.2 Security conditions in third party contracts

Contracts with third parties involving access to organizational IT facilities should specify security conditions.

[What provisions are put in contracts to address computer security and which contracts are those provisions included in?]

Section 3. Assets classification and control

3.1 Accountability for assets

Objective: To maintain appropriate protection of organizational assets.

All major information assets should be accounted for and have a nominated owner (see 0.3.11).

[Who in the organization owns the data in this (pick one) database? Who in this organization owns this (pick one) computer? Who owns the telephone connection on your desk? Who owns network you use?]

3.1.1 Inventory of assets

Inventories should be maintained of all major information and IT assets.

[Please show me a list of all major information and IT assets in the organization.]

3.2 Information classification

Objective: To ensure that information assets receive an appropriate level of protection.

Security classifications should be used to indicate the need and priorities for security protection.

[What is the need for protecting this (pick one) document? What is the most important file in any corporate computer that you are aware of? IF I had a dollar to spend on protecting one of these two documents (pick two) which one should I spend it on?]

3.2.1 Classification guidelines

Protection for classified information should be consistent with business needs.

[What percentage of all information assets are classified as more important than nominal systems and information? Why is that the right percentage?]

3.2.2 Classification labelling

Classified information and outputs from systems handling organizationally classified data should be labelled appropriately.

[Show me the label on the most highly sensitive document you have access to and tell me what it means.]

Section 4. Personnel security

4.1 Security in job definition and resourcing

Objective: To reduce the risks of human error, theft, fraud or misuse of facilities.

Security should be addressed at the recruitment stage, included in job descriptions and contracts, and monitored during an individual’s employment.

[What personnel security measures are taken for a janitor? for the CEO? for outsourced personnel? for your IT auditor?]

4.1.1 Security in job descriptions

Job descriptions should define security roles and responsibilities.

[Where in the janitor’s job description are their security roles and responsibilities described? for the CEO? for outsourced personnel? for your acocuntantcy firm’s employees?]

4.1.2 Recruitment screening

Applications for employment should be screened if the job involves access to an organization’s IT facilities handling sensitive information.

[How do you determine which job positions have access to sensitive information? Is the janitor position one of them? Is the CEO? Are all the programmers and data entry clerks? Are outsourcing firm employees checked byt he same process? What checks do you make of applications for those positions before hiring them?]

4.1.3 Confidentiality agreement

Users of organizational IT facilities should sign a confidentiality undertaking.

[Can you show me the signed confidentiality agreement for each of these (pick a statistically meaningful sample set of employees) employees?]

4.2 User training

Objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.

Users should be trained in security procedures and the correct use of IT facilities.

[How do you make certain that your employees know how to follow all of your security procedures?]

4.2.1 Information security education and training (Key)

Users should be given adequate security education and technical training.

[What is the educational background of your most highly trusted employee with computer security responsibilities? Your average trusted employee with those responsibilities? Your least security-educated employee with those responsibilities?]

4.3 Responding to incidents

Objective: To minimize the damage from security incidents and malfunctions and to monitor and learn from such incidents.

Incidents affecting security should be reported through management channels as quickly as possible.

[What is the longest lag time that has ever occurred between the first detection of a security-related incident and notification of an appointed computer security person responsible for responding to the incident?]

4.3.1 Reporting of security incidents (Key)

Security incidents should be reported through management channels as quickly as possible.

[How often are the chief executives briefed on computer security incidents?]

4.3.2 Reporting of security weaknesses

Suspected security weaknesses should be reported.

[How many security weaknesses have been reported in the last day, week, and month? How do people report them when they find them?]

4.3.3 Reporting of software malfunctions

Software malfunctions should be reported.

[When your computer has a problem, who do you report it to and what do they do about it?]

4.3.4 Disciplinary process

A disciplinary process is essential for dealing with security breaches.

[What is the punishment for telling your password to another employee so they can get access when you’re out of town, and who administers the punishment?]

Section 5. Physical and environmental security

5.1 Secure areas

Objective: To prevent unauthorized access, damage and interference to IT services.

IT facilities supporting critical or sensitive business activities should be housed in secure areas.

[What kind of door locks protect the air conditioner that keeps the computer rooms cooled during the summer? Why are these locks selected for those doors? Who selected them?]

5.1.1 Physical security perimeter

Physical security protection should be based on defined perimeters.

[When you bring one of your children into work with you to show them around, how do you bring them into your office?]

5.1.2 Physical entry controls

Secure areas should be protected by appropriate entry controls.

[What kind of access control device do you use to limit access to the area where accounting processes invoices?]

5.1.3 Security of data centres and computer rooms

Data centres and computer rooms supporting critical business activities should have good physical security.

[List the data centers that have special physical security protection and describe what special protections they have.]

5.1.4 Isolated delivery loading areas

An intermediate holding area should be considered for deliveries to computer rooms.

[When printer paper is delivered to the printer room, how does the delivery-person get the paper into the computer room?]

5.1.5 Clear desk policy

A clear desk policy should protect information from unauthorized access and loss or damage.

[Who has the messiest desk in the company and just how messy is it?]

5.1.6 Removal of property

Removal of property belonging to the organization should require authorization.

[How often does the guard search people when they leave through the loading area? Who do you show the permission form to when you bring your laptop computer home to work at night?]

5.2 Equipment security

Objective: To prevent loss, damage or compromise of assets and interruption to business activities.

Equipment should be physically protected from security threats and environmental hazards.

[What protection does your office have from water damage to computers resulting from the sprinkler system going off in a fire?]

5.2.1 Equipment siting and protection

Equipment should be sited or protected to reduce the risks of damage, interference and unauthorized access.

[When you want to move your computer screen from one desk to another, what rules do you follow about where the screen can be placed on the desk?]

5.2.2 Power supplies

Equipment should be protected from power failures or other electrical anomalies.

[Does the computer on your desk have an uninterruptible power supply? What kind?]

5.2.3 Cabling security

Power and telecommunication cabling should be protected from interception or damage.

[What kind of network connection do computers have and how is the network controlled from illicit connections?]

5.2.4 Equipment maintenance

Equipment should be appropriately maintained.

[Is there a maintenance contract on all vital office equipment? How do you get service on the copier when it breaks?]

5.2.5 Security of equipment off-premises

Security procedures and controls should cover the security of equipment used outside an organization’s premises.

[How do you protect cellular telephones, laptop computers, and other similar equipment when you take it home or use in in a client’s office? Have you ever gotten a virus from another system when you were off-site?]

5.2.6 Secure disposal of equipment

Data should be erased from equipment prior to disposal.

[What is the procedure for disposing of a computer system, old backup tapes, and floppy disks? Is there a procedure for handling these items before sending a computer out for repair?]

Section 6. Computer and network management

6.1 Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of computer and network facilities.

Responsibilities and procedures for the management and operation of all computers and networks should be established.

[Are there procedures for managing and operating each of the computers in your work area? What are they?]

6.1.1 Documented operating procedures

Documented procedures should be provided for the operation of all computer systems.

[Can you show me the documents that describe the procedures for operating your computers?]

6.1.2 Incident management procedures

Incident management responsibilities and procedures should be established.

[Who is responsible for handling security incidents relating to this computer? Who do you call if this computer stops working properly and you can’t figure out why?]

6.1.3 Segregation of duties

Segregation of duties minimizes the risk of negligent or deliberate system misuse.

[Are different people responsible for different functions on all of the computers? Who is responsible for what?]

6.1.4 Separation of development and operational facilities

Development and testing facilities should be isolated from operational systems.
[Do you do development or programming on the same systems used by users? How do you assure that programming mistakes or errors and omissions don’t cause the operational system to fail? Do you have a change control program? Please describe it.]

6.1.5 External facilities management

Proposals to use an external facilities management service should identify the full security implications and include appropriate security controls.

[Do you use an outside firm for facilities management? If so, please show me the proposals for that service and indicate where they mandate security controls. Are those controls comparable to the controls required within your organization? How do they stack up?]

6.2 System planning and acceptance

Objective: To minimize the risk of systems failure.

Advance planning and preparation are required to ensure the availability of adequate capacity and resources.

[How do you plan for peak usage periods, normal usage periods, and the potential for expansion?]

6.2.1 Capacity planning

Capacity requirements should be monitored to avoid failures due to inadequate capacity.

[How do you monitor usage against capacity and how and when does this monitoring trigger the expansion of capacity?]

6.2.2 System acceptance

Acceptance criteria for new systems should be established and suitable tests carried out prior to acceptance.

[Do you have a standard for testing new hardware and software for compatible operation within your environment? Is this part of the acceptance criteria required for all new equipment?]

6.2.3 Fallback planning

Fallback requirements should be coordinated and reviewed.

[Who reviews fall-back plans used in case of major system outages? When there is such an outage, who is responsible for coordinating change-over? Do they practice continuity plans with simulated failures? If so, how and how often do they do that?]

6.2.4 Operational change control

Changes to IT facilities and systems should be controlled.

[Is there a comprehensive change control program that assures that changes to information systems are necessary, appropriate, and that change-over goes smoothly?]

6.3 Protection from malicious software

Objective: To safeguard the integrity of software and data.

Precautions are required to prevent and detect the introduction of malicious software.

[How do you detect malicious software? Does this work for malicious software added by your programmers? Your users? Computer viruses? Contract programmers? People who work for companies you buy software from?]

6.3.1 Virus controls (Key)

Virus detection and prevention measures and appropriate user awareness procedures should be implemented.

[What training do your employees get about computer viruses? What technical safeguards do you have in place against viruses?]

6.4 Housekeeping

Objective: To maintain the integrity and availability of IT services.

Housekeeping measures are required to maintain the integrity and availability of services.

[What regular maintenance functions are performed on systems?]

6.4.1 Data back-up

Back-up copies of essential business data and software should be regularly taken.

[Are backups of all systems done on a regular and scheduled basis? By whom? How often? How is the schedule determined?]

6.4.2 Operator logs

Computer operators should maintain a log of all work carried out.

[Which systems have operator logs? Show all the operator logs from one of those systems to me.]

6.4.3 Fault logging

Faults should be reported and corrective action taken.

[Is every system error and crash logged, and if so, how is follow-on action coordinated? Is a root cause analysis done in each of these cases?]

6.4.4 Environmental monitoring

Computer environments should be monitored where necessary.

[What environmental monitoring do you have in place to detect particles in the air in computer rooms? Smoke? Fire? Water? Chemical vapors? Other pollutants?]

6.5 Network management

Objective: To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

The security management of computer networks, which may span organizational boundaries, requires special attention.

[How is computer network security managed differently than other computer security?]

6.5.1 Network security controls

A range of security controls is required in computer networks.

[What are the security controls in your computer network and what was the basis for their selection?]

6.6 Media handling and security

Objective: To prevent damage to assets and interruptions to business activities.

Computer media should be controlled and physically protected.

[What are the procedures for controlling access to disks, tapes, floppy disks, and other computer storage and transfer media?]

6.6.1 Management of removable computer media

Removable computer media should be controlled.

[Are there special controls for removable media? What are they?]

6.6.2 Data handling procedures

Procedures for handling sensitive data should be established.

[Are the handling procedures different for more sensitive information? In what way?]

6.6.3 Security of system documentation

System documentation should be protected from unauthorized access.

[How do you prevent unauthorized people from looking at, modifying, or removing the documentation for your systems?]

6.6.4 Disposal of media

Computer media should be disposed of securely and safely when no longer required.

[What do you use as your data remnants standard and how do you assure that all media are properly cleaned when no longer used?]

6.7 Data and software exchange

Objective: To prevent loss, modification or misuse of data.

Exchanges of data and software between organizations should be controlled.

[How do you control the purchase of hardware and software? How do you prevent users from accessing software from the Internet? How do you prevent users from emailing sensitive company information to the wrong recipient? How do you make certain that file transfers between your organization and other organizations are not intercepted, corrupted, or blocked from within the other organization?]

6.7.1 Data and software exchange agreements

Agreements for the exchange of data and software should specify security controls.

[Show me the clauses in our agreements with each outside partner, vendor, or customer that detail the specific security controls required when we do business with them. Are the controls specified in those clauses equivalent to the internal controls used within this organization? If not, why not? In what ways are they different?]

6.7.2 Security of media in transit

Computer media in transit should be protected from loss or misuse.

[How are floppy disks sent between offices protected? How are file transfers over the Internet protected? How are backup tapes stored in off-site storage facilities protected as they are sent, when at the off-site location, and when returned on an emergency basis for recovery?]

6.7.3 EDI security

Special security controls should be applied where necessary, to protect electronic data interchange.

[Where are special protections required for electronic data interchange and why? What protections are in place to protect those interchanges and how were they determined?]

6.7.4 Security of electronic mail

Controls should be applied where necessary, to reduce the business and security risks associated with electronic mail.

[How do you assure that all internal email remains only within the organization’s network and never goes through outside systems or infrastructure without special protection?]

6.7.5 Security of electronic office systems

Clear policies and guidelines are required to control the business and security risks associated with electronic office systems.

[What are the policies and guidelines for controlling office telephone systems, copiers, computers, pagers, and cell-phones?]

Section 7. System access control

7.1 Business requirement for system access

Objective: To control access to business information.

Access to computer services and data should be controlled on the basis of business requirements.

[What are the business requirements for controlling access to this computer (point to any computers in the area) and how are those requirements used as the basis for the protections in place for that computer?]

7.1.1 Documented access control policy

Business requirements for access control should be defined and documented.

[Show me the written documents that describe the business requirements for protecting this computer (pick one that’s in sight) and how those requirements were translated into the access control policy used on this computer.]

7.2 User access management

Objective: To prevent unauthorized computer access.

There should be formal procedures to control allocation of access rights to IT services.

[What are the formal procedures used to grant and remove access rights to users over information on this computer?]

7.2.1 User registration

There should be a formal user registration and de-registration procedure for access to all multi-user IT services.

[Show me the formal user registration and removal process for the network file server you use.]

7.2.2 Privilege management

The use of special privileges (see 0.3.14) should be restricted and controlled.

[Who has special privileges on this computer (pick one), what special privileges do they have, and how are those privileges restricted and controlled?]

7.2.3 User password management

The allocation of user passwords should be securely controlled.

[How do you secure the generation of passwords to make sure they are hard to guess and only the originator can ever get access to them?]

7.2.4 Review of user access rights.

User access rights should be reviewed at regular intervals.

[Who reviews all of the access control bits in each computer and how often? How do they tell the difference between a properly set protection bit and an improperly set one and what do they do when they find an improperly set one?]

7.3 User responsibilities

Objective: To prevent unauthorized user access.

The cooperation of authorized users is essential for effective security.

[How do you measure the cooperation of authorized users? At what threshold do you identify users as becoming uncooperative? What is the procedure for removing authorization from users that are below the threshold of cooperation?]

7.3.1 Password use

Users should follow good security practices in the selection and use of passwords.

[How do you select your password? Is there training to help you tell the difference between a good and a bad password? Does the computer system tell you how good or bad a password is when you try to set one?]

7.3.2 Unattended user equipment

Users should ensure that unattended equipment has appropriate security protection.

[What is the appropriate protection for unattended equipment? If nobody is there to attend the equipment, how do you assure that the security measures are always in effect?]

7.4 Network access control

Objective: Protection of networked services.

Connections to networked services should be controlled.

[How do you control connections to networked services?]

7.4.1 Limited services

Users should only be able to gain access to the services that they are authorized to use.

[What services is each individual authorized to use? Where is this information stored? How is it updated? How is this information used in real-time to control access? If some user were using an unauthorized service, how would you know? How soon would you know? How could you legally prove that the user knowingly used an unauthorized service as a basis for subsequent sanctions against them?]

7.4.2 Enforced path

The route from the user terminal to the computer service may need to be controlled.

[How do you prevent users from dialing out on their PCs to external Internet Service Providers? How do you control the internal routing of information through your networks? When access requirements change, how do you make certain that no controls are violated when you reconfigure your network to affect the new access?]

7.4.3 User authentication

Connections by remote users via public (or non-organization) networks should be authenticated.

[How do you make certain that the person at the other end of a dial-in or network-based access is who they claim to be? How do you make certain that once a connection is established, the user on the other end or the connection in between doesn’t change? What is the basis for asserting that this level of assurance is adequate to the business need for protection?]

7.4.4 Node authentication

Connections by remote computer systems should be authenticated.

[How do you make certain that the computer at the other end of a dial-in or network-based access is who they claim to be? How do you make certain that once a connection is established, the equipment on the other end or the connection in between doesn’t change? What is the basis for asserting that this level of assurance is adequate to the business need for protection?]

7.4.5 Remote diagnostic port protection

Access to diagnostic ports should be securely controlled.

[How do you allow vendors to do remote support and at the same time protect the support connections from being abused to attack your systems?]

7.4.6 Segregation in networks

Large networks may have to be divided into separate domains.

[How do you determine when security issues force the division of networks into subnetworks and how does that division provide added protection?]

7.4.7 Network connection control

The connection capability of users may need to be controlled to support the access policy requirements of certain business applications.

[How are business application access control policies reflected in limitations on network connections? When you design or implement new applications, how do you take network connections into consideration?]

7.4.8 Network routing control

Shared networks may require network routing controls.

[How do you control network routing and why do you use those controls? How do those controls relate to business requirements for protection? What is the basis for determining that those specific controls are more or less appropriate than others?]

7.4.9 Security of network services

The risks associated with the use of network services should be established.

[How do you measure the risks of using network services? How does the measured risk get related to the business decision about who may use which services and for what purpose?]

7.5 Computer access control

Objective: To prevent unauthorized computer access.

Access to computer facilities should be controlled.

[How do you control access to computing facilities? Computer rooms? Telephone rooms? Wire rooms? Individual network wires? Connections between these?]

7.5.1 Automatic terminal identification

Automatic terminal identification should be considered to authenticate connections to specific locations.

[Do you use automatic terminal identification? If not, how do you tell which equipment is connected on which connection?]

7.5.2 Terminal logon procedures

Access to IT services should be via a secure logon process.

[How do you secure the logon process against wire taps? Against forgeries? Against logical attacks on network elements? Against snooping by authorized individuals on host systems?]

7.5.3 User identifiers

Computer activities should be traceable to individuals.

[If you detect a computer virus spreading throughout your organization’s networks, how do you determine which individual in the organization first allowed the virus to enter? If a systems administrator trying to cover the tracks of an illicit activity intentionally deletes all information on a system’s disks, uses the proper data remnants removal techniques, reformats the disk, replaces it in the original computer, and restores the contents from day-old backups, how do you determine which individual did it?]

7.5.4 Password management system

An effective password system should be used to authenticate users.

[How effective is your password system? What measures of password system effectiveness do you use?]

7.5.5 Duress alarm to safeguard users

Provision of a duress alarm (see 0.3.4) should be considered for users who might be the target of coercion.

[Have duress alarms been considered for your users? How was their use analyzed? What determination was made about their use and why?]

7.5.6 Terminal time-out

Inactive terminals in high risk locations, or serving high risk systems, should be set to time out, to prevent access by unauthorized persons.

[What terminals are in high risk locations? What terminals serve high risk systems? What timeouts are used to prevent unauthorized access to those systems? Why are those timeouts selected? How are they implemented and tested?]

7.5.7 Limitation of connection time

Restrictions on connection times should provide additional security for high-risk applications.

[What applications do you have that justify restrictions on connection times? What are those restrictions? How were they determined?]

7.6 Application access control

Objective: To prevent unauthorized access to information held in computer systems.

Logical access controls should be used to control access to application systems and data.

[What protection settings are used on (name a file) associated with (pick an application) to assure that only authorized users can perform only authorized actions on that file? Who are the authorized users for that file? What rights do they have to access that file? Do they need all of those rights? Do those rights grant access beyond that needed for their jobs? What additional controls are used to prevent their excessive access?]

7.6.1 Information access restriction

Access to data and IT services should be granted in accordance with business access policy.

[What is the business access policy? How is access granted in accordance with that policy? How is access revoked in accordance with that policy? How soon after a person falls into a policy category no longer requiring access are all access rights of that individual removed from all applications they no longer require access to? What is the longest time ever taken for this process?]

7.6.2 Use of system utilities

Access to system utilities should be restricted and controlled.

[How are users prevented from using system utility programs? How are they prevented from bringing in their own copy of those programs and using that copy on the system?]

7.6.3 Access control to program source library

Access to program source libraries should be restricted and controlled.

[What special controls are placed on source programs and libraries?]

7.6.4 Sensitive system isolation

Sensitive systems might require a dedicated (isolated) computing environment.

[Are there any systems with information so sensitive that they must be physically isolated? How is this isolation done?]

7.7 Monitoring system access and use

Objective: To detect unauthorized activities.

Systems should be monitored to ensure conformity to access policy and standards.

[How is it detected when access control and policy standards are violated? How long does detection take? What are the limits of detectability?]

7.7.1 Event logging

Audit trails of security events should be maintained.

[How are audit trails of security-relevant events generated, stored, and retained?]

7.7.2 Monitoring system use

Procedures for monitoring system use should be established.

[What procedures are in place to provide for legal and authorized system and user monitoring?]

7.7.3 Clock synchronization

Computer clocks should be synchronized for accurate recording.

[How is clock skew handled? How are systems synchronized? What analytical methods are used to compensate for clock skew in reviewing and analyzing audit records?]

Section 8. Systems development and maintenance

8.1 Security requirements of systems

Objective: To ensure that security is built into IT systems.

Security requirements should be identified and agreed prior to the development of IT systems.

[At what phase in the system development process are security requirements identified and agreed to?]

8.1.1 Security requirements analysis and specification

An analysis of security requirements should be carried out at the requirements analysis stage of each development project.

[Are security requirements explicitly and adequately covered in the requirements phase of system development? Are all corporate security elements analyzed with respect to the system in the requirements phase? Are cost analyses inclusive of security lifecycle costs?]

8.2 Security in application systems

Objective: To prevent loss, modification or misuse of user data in application systems.

Appropriate security controls, including audit trails, should be designed into application systems.

[Are security controls included in all application system designs? How is the determination made about which applications include which controls? How are system audits integrated into application audits and what provisions are made to allow these audit trails to be analyzed against each other for consistency checks? What fields are mandated in all audit trails and why?]

8.2.1 Input data validation

Data input to application systems should be validated.

[How is input data validated by applications systems? Are different data elements cross-correlated (e.g., postal codes correlated with cities) to verify consistency?]

8.2.2 Internal processing validation

Data processed by application systems should be validated.

[How is input data passed from other applications validated?]

8.2.3 Data encryption

Encryption should be considered for highly sensitive data.

[Under what circumstances do you require encryption? What encryption do you use?]

8.2.4 Message authentication

A message authentication system should be considered for applications which involve the transmission of sensitive data.

[Is sensitive data authenticated during transmission and in storage to assure it’s integrity against illicit or accidental changes? How is this done?]

8.3 Security of application system files

Objective: To ensure that IT projects and support activities are conducted in a secure manner.

Access to system files should be controlled.

[How are appropriate system file protections identified and verified? How often is verification carried out?]

8.3.1 Control of operational software

Strict control should be exercised over the implementation of software on operational systems.

[Hos is control exercised over software on operational systems? Does this apply to all software? Does this include macros and interpreted instructions? ]

8.3.2 Protection of system test data

Test data should be protected and controlled.

[How do you generate, control, and protect test data? What is the coverage requirement for tests on vital systems and how is coverage determined and measured?]

8.4 Security in development and support environments

Objective: To maintain the security of application system software and data.

Project and support environments should be strictly controlled.

[What special provisions are made for the protection of support and project teams and the systems they depend on?]

8.4.1 Change control procedures

There should be formal change control procedures.

[Are there formal change control procedures? What are they? Are they effective against malicious insiders?]

8.4.2 Technical review of operating system changes

The impact of operating system changes on security should be reviewed.

[How do you review operating system changes for security?]

8.4.3 Restrictions on changes to software packages

Modifications to software packages should be discouraged. Any essential changes should be strictly controlled.

[How do you discourage software modification? What rules are there about the circumstances under which operation-critical software is changed?]

Section 9. Business continuity planning

9.1 Aspects of business continuity planning

Objective: To have plans available to counteract interruptions to business activities.

Business continuity plans should be available to protect critical business processes from the effects of major failures or disasters.

[If your most critical computing facilities and the normal staff that operates them were to be destroyed in a freak accident at this moment, how soon would whose business functions be back at full capacity? How do you know that this answer is accurate?]

9.1.1 Business continuity planning process (Key)

There should be a managed process in place for developing and maintaining business continuity plans across the organization.

[Do you have a business continuity planning process? What it is? Who is in charge of it? How is it managed?]

9.1.2 Business continuity planning framework

A consistent framework of business continuity plans should be maintained.

[Do you have a business continuity framework that covers the entire organization? How is the framework promulgated throughout the organization?]

9.1.3 Testing business continuity plans

Business continuity plans should be tested.

[How do you test your business continuity plans and what do the results of those tests reveal?]

9.1.4 Updating business continuity plans

Business continuity plans should be updated regularly.

[How often do you revisit the business continuity planning process and how often does it change?]

Section 10. Compliance

10.1 Compliance with legal requirements

Objective: To avoid breaches of any statutory, criminal or civil obligations and of any security requirements.

The design, operation and use of IT systems may be subject to statutory and contractual security requirements.

[Are you aware of all the legal requirements for operations of all your systems in all legal venues they have contact with? How do you stay aware? Are you in compliance? How do you verify this?]

10.1.1 Control of proprietary software copying (Key)

Attention is drawn to the legal restrictions on the use of copyright material.

[How do you verify that employees don’t have or use illegal copies of software? Is there an organizational policy to this effect? Show it to me.]

10.1.2 Safeguarding of organizational records (Key)

Important records of an organization should be protected from loss, destruction and falsification.

[What provisions do you use to assure that all legal requirements for retention of documents are adhered to, even by parties who might want to violate these requirements as part of an illegal activity?]

10.1.3 Data protection (Key)

Applications handling personal data on individuals should comply with data protection legislation and principles.

[Is personal data about individuals protected to the standards of all applicable laws? How is this done?]

10.1.4 Prevention of misuse of IT facilities

IT facilities should only be used for authorized business purposes.

[Is there a policy mandating that information technology of the organization may only be used for legitimate purposes of the organization? Are there safeguards in place to prevent, detect, or respond to attempts to violate this policy?]

10.2 Security reviews of IT systems

Objective: To ensure compliance of systems with organizational security policies and standards.

The security of IT systems should be regularly reviewed.

[How often are security audits or reviews done of each system? Is this regularity dictated on some specific basis? What is that basis?]

10.2.1 Compliance with security policy (Key)

All areas within the organization should be considered for regular review to ensure compliance with security policies and standards.

[Which areas have been considered for a security review, and when were they last considered? Which areas have not been considered and why?]

10.2.2 Technical compliance checking

IT facilities should be regularly checked for compliance with security implementation standards.

[How often are facilities checked against corporate security standards? How detailed are these checks? What is covered and not covered? Who performs these checks? Who do they work for?]

Information security standards

Information security standards

ISO 27002 (formerly BS 7799 Part 1) is the ‘Code of Practice for Information Security Management’. It is a management standard, designed primarily to guide senior managers through the issues that form the basis of good corporate information security.

This part of the module examines the need for protecting information, how to set the levels of information security required and possible controls to implement. It is intended to provide an introduction to Information Security Management using BS 7799 (now ISO 27001) and ISO 27002, the International Standard for Information Security Management, as the framework on which to base international best practise.

This module assumes no prior knowledge of information security and takes the reader from basic concepts. The text of this new document ISO 27001 is based on the well established British Standard 7799 part 2 (the ‘Specification for Information Security Management’). The whole information security set of standards are to be renumbered and published as ISO documents as below

New Standard

Old Standard

ISO 27001

BS 7799 Part 2

ISO 27002

ISO 27002 (latterly BS 7799 Part 1)

ISO 27003

Risk management standard (latterly BS 7799 Part 3)

ISO 27004

ISMS measurement and metrics standard

ISO 27005

ISMS implementation guidance

ISO 27006



This reflects how the originals British Standard has been adopted throughout the world either as ISO 27000 series or local variants such as AS/NZS 4444 (now AS/NZS 7799) the Australian and New Zealand variant of the original BS 7799

The title Information Security Management was deliberately chosen to emphasise the need for this fundamental component of good business practice to be addressed as an aspect of general management rather than as a new and separate topic. It is clear that security is a matter of identifying valuable assets and deciding how best to safeguard them (as outlined in the ideas of protecting your car or home as in Section 2 above). It is not the process of ‘IT Security’ which seeks to protect IT systems – what needs to be protected is the information that they process but this processing must be for the whole life cycle from creation to destruction – and this does not always involve IT systems or processes.

It’s equally clear that the art of making assets secure does involve physical or logical locks and bolts.

However, experience shows us that most breaches are not the result of locks failing to work. By far the greatest number of commercial security breaches are directly attributable to the failure people to comply with the rules and objectives of their own security policies and procedures. Failures such as doors wedged open with fire extinguishers and passwords left written on desktop pads are still some of the greatest threats to good security practise.

This is a general introduction to the terminology and issues are required to provide an appropriate level of information security in an organisation to protect the organisational assets including information. Understanding this process is essential if Senior Management are to meet the ever-increasing needs to comply with the requirements of Corporate Governance and good corporate husbandry.

ISO 27002 and ISO 27001 is divided into eleven complementary sections (or ‘clauses’ as they are called in the standard). As with most well laid out standards there is a degree of chronology to the layout in that the first section deals with policy and the subsequent sections evolve from that. It is also significant that each of the eleven sections (or clauses) are equally important as components of good security management. In brief, the eleven steps to good security management are:

Clause 1. Security policy, a top-level statement endorsed by the senior management team on which all security processes and procedures are subsequently based.

Clause 2. Organisation of Information Security, a published security organisation that shows clearly who is responsible for security and who is authorised to deal with security issues.

Clause 3. Asset management, a good understanding of what is important to the organisation and where good security is important.

Clause 4. Human resources security, careful recruiting and management of personnel employed in key positions.

Clause 5. Physical and environmental security, ensuring that the physical security precautions match the need expressed in the corporate policy.

Clause 6. Communications and operations management, the provision of adequate tools and services to ensure that corporate information in these systems is properly monitored, managed and protected.

Clause 7. Access control, close monitoring and control over who is authorised to read and to amend the organisation’s information especially within the information processing systems.

Clause 8. Information systems acquisition, development and maintenance, the need to ensure that future development continues to meet and exceed the strength of protection in previous generations of production services.

Clause 9. Information security incident management is the process for managing any incident that may affect the well being of the organisation.

Clause 10. Business continuity management is the ability to minimise the impact of major disasters on the business processes and requires comprehensive backup strategies to ensure that no corporate data is lost.

Clause 11. Compliance, the need to ensure that once good controls are put in place that they continue to work and to deliver the required level of protection to the organisation’s assets as well as meeting the legal and regulatory requirements for managing information.

ISO 27002 is derived from BS 7799 Part 1, which it superseded (formerly called ISO 17799).

ISO 27002 is the ‘Code of Practice for Information Security Management’ and is a management guide to the implementation of adequate security in an organisation.

It is a checklist of controls within the eleven clauses and explains or gives further guidance on them. It is used to advise the implementer of how and why the controls are implemented and gives some guidance on how they are to be implemented.

ISO 27002 does not set the ‘need’ for security but provides a ‘shopping list’ of components that can be installed.

BS 7799 has just been superseded by ISO 27001 (2005)

ISO 2701 is the ‘Specification for Information Security Management’ and should an organisation wish to become certified to ISO 27001 then this is the standard that certification is carried out against.

Part of the process of achieving accredited certification to ISO 27001 is the creation of an Information Security Management System (ISMS). Then the process given in Section 4 below must be followed

Whilst the certification process mandates the use of a risk assessment on the assets within the scope for certification the implementation of ISO 27002 does not

If we accept that all organisations are different and deliver their respective goods and services in different ways, how can one standard apply across the board?

The answer is that each organisation must understand and define their own need for information security by using risk assessment and risk management to set the level of protection required for the assets.




An Introduction to ISO 27001

An Introduction to ISO 27001

The ISO 27001 standard was published in October 2005, replacing the old BS7799-2 standard.

It specifies the requirements for an ISMS, an Information Security Management System.

BS7799 itself was a long standing standard, first published in the nineties as a code of practice. As this matured, a second part emerged to cover management systems.

It is this against which certification is granted. Today in excess of a thousand certificates are in place, across the world.

ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards.

The objective of the standard itself is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System”.

Regarding its adoption, this should be a strategic decision of the organization.

“The design and implementation of an organization’s ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organization”.

The standard defines its ‘PROCESS APPROACH’ as “The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management”.

It employs the PDCA, Plan-Do-Check-Act model to structure the processes, and reflects the principles set out in the OECD guidelines.


The process starts when the organization makes the decision to embark upon the exercise.

At this point, it is also important to ensure management commitment and then assign responsibilities for the project itself.

An organizational top level policy can then be developed and published. This can, and will normally, be supported by subordinate policies.

The next stage will define which part (s) of the organization will be covered by the ISMS.

Typically, it will define the location, assets and technology to be included.

At this stage a risk assessment will be undertaken, to determine the organization’s risk exposure/profile, and identify the best route to address this.

The document produced will be the basis for the next stage, which will be the management of those risks.

A part of this process will be selection of appropriate controls with respect to those outlined in the standard (and also in Code of Practice ISO 27002 i.e. ISO 17799:2005), with the justification for each decision recorded in a Statement of Applicability (SOA).

The controls themselves should then be implemented as appropriate.

The certification process itself can then be embarked upon through a suitable accredited third party.

Information Security Management System Knowledge Sharing