What is ISO 17799?

September 5, 2009

ISO 17799 is a set of standards created by the International Organization for Standardization (ISO). ISO is responsible for numerous standards, including the OSI model. ISO 17799 covers a broad range of information security practices and acts as a framework an organization can use to establish and implement a security management program. The ten security domains that make up ISO 17799:2000 are:

  • Security policy: This domain provides input into security management from a top-down perspective and covers the creation of an effective security management program.
  • Organizational security: This domain focuses on both internal and external management of operational security. It isn’t limited to technical controls; it also covers relationship and reputation issues.
  • Asset classification and control: This domain focuses on organizing, prioritizing, and classifying information based on its sensitivity and its need for confidentiality and availability. It also covers the day-to-day use and storage of such information.
  • Personnel security: This domain focuses on procedures for hiring, firing, and training employees. Employees must be screened prior to employment, and consent forms need to be addressed and signed.
  • Physical and environmental security: This domain covers protecting assets from damage to their physical infrastructure and providing access controls via cipher locks or other mechanisms. It also covers HVAC and power controls.
  • Communications and operations management: This domain covers techniques for ensuring secure communications and providing data integrity through the use of firewalls, AV protection, encryption, and backups.
  • Access control: This domain covers access and monitoring controls through the use of discretionary, mandatory, and role-based controls. This constitutes authentication and identity management.
  • System development and maintenance: This domain covers change management of systems as technology advances, to ensure compatibility and overall quality assurance.
  • Business continuity management: This domain covers strategies for protecting a business from massive outages and prepares a company for unforeseen circumstances such as natural disasters and unplanned recovery efforts.
  • Compliance: This domain covers law and legislation from a state, local, and federal standpoint. It also addresses the protection of trade secrets and intellectual property.

Recently, the standard was revamped and is now known as ISO 27002:2005. In addition to the new version and updates, the domain names are now:

  • security policy;
  • organization of information security;
  • asset management;
  • human resources security;
  • physical and environmental security;
  • communications and operations management;
  • access control;
  • information systems acquisition, development and maintenance;
  • information security incident management;
  • business continuity management;
  • compliance.

Organizations should create policies for each domain (unique to their mission and objectives).

Where have I been?

September 5, 2009

I’ve been poking in and out of this blog for a while now. Why? Well, I’m working on my first book. So in between writing, blogging, working, and life, I’ve been quite busy… Subscribe to my feed for upcoming information on my book.
