Information Security Management. Audit Check List

Transcription

1 Information Security Management BS :2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts from BS 7799 part 1: 1999 are reproduced with the permission of BSI under license number 2003DH0251. British Standards can be purchased from BSI Customer Services, 389 Chiswick High Road, London W4 4AL. Tel : 44 (0) customerservices@bsi-global.com

2 Table of Contents Security Policy 9 Information security policy... 9 Information security policy document... 9 Review and evaluation... 9 Organisational Security 10 Information security infrastructure Management information security forum Information security coordination Allocation of information security responsibilities Authorisation process for information processing facilities Specialist information security advise Co-operation between organisations Independent review of information security Security of third party access Identification of risks from third party access Security requirements in third party contracts Outsourcing Security requirements in outsourcing contracts Asset classification and control 12 Accountability of assets Inventory of assets Information classification Classification guidelines Information labelling and handling Page - 2

3 Personnel security 12 Security in job definition and Resourcing Including security in job responsibilities Personnel screening and policy Confidentiality agreements Terms and conditions of employment User training Information security education and training Responding to security incidents and malfunctions Reporting security incidents Reporting security weaknesses Reporting software malfunctions Learning from incidents Disciplinary process Physical and Environmental Security 12 Secure Area Physical Security Perimeter Physical entry Controls Securing Offices, rooms and facilities Working in Secure Areas Isolated delivery and loading areas Equipment Security Equipment siting protection Power Supplies Cabling Security Equipment Maintenance Securing of equipment off-premises Secure disposal or re-use of equipment General Controls Page - 3

4 Clear Desk and clear screen policy Removal of property Communications and Operations Management 12 Operational Procedure and responsibilities Documented Operating procedures Operational Change Control Incident management procedures Segregation of duties Separation of development and operational facilities External facilities management System planning and acceptance Capacity Planning System acceptance Protection against malicious software Control against malicious software Housekeeping Information back-up Operator logs Fault Logging Network Management Network Controls Media handling and Security Management of removable computer media Disposal of Media Information handling procedures Security of system documentation Exchange of Information and software Information and software exchange agreement Security of Media in transit Page - 4

5 Electronic Commerce security Security of Electronic Security of Electronic office systems Publicly available systems Other forms of information exchange Access Control 12 Business Requirements for Access Control Access Control Policy User Access Management User Registration Privilege Management User Password Management Review of user access rights User Responsibilities Password use Unattended user equipment Network Access Control Policy on use of network services Enforced path User authentication for external connections Node Authentication Remote diagnostic port protection Segregation in networks Network connection protocols Network routing control Security of network services Operating system access control Automatic terminal identification Terminal log-on procedures Page - 5

6 User identification and authorisation Password management system Use of system utilities Duress alarm to safeguard users Terminal time-out Limitation of connection time Application Access Control Information access restriction Sensitive system isolation Monitoring system access and use Event logging Monitoring system use Clock synchronisation Mobile computing and teleworking Mobile computing Teleworking System development and maintenance 12 Security requirements of systems Security requirements analysis and specification Security in application systems Input data validation Control of internal processing Message authentication Output data validation Cryptographic controls Policy on use of cryptographic controls Encryption Digital Signatures Non-repudiation services Page - 6

7 Key management Security of system files Control of operational software Protection of system test data Access Control to program source library Security in development and support process Change control procedures Technical review of operating system changes Technical review of operating system changes Covert channels and Trojan code Outsourced software development Business Continuity Management 12 Aspects of Business Continuity Management Business continuity management process Business continuity and impact analysis Writing and implementing continuity plan Business continuity planning framework Testing, maintaining and re-assessing business continuity plan Compliance 12 Compliance with legal requirements Identification of applicable legislation Intellectual property rights (IPR) Safeguarding of organisational records Data protection and privacy of personal information Prevention of misuse of information processing facility Regulation of cryptographic controls Collection of evidence Reviews of Security Policy and technical compliance Page - 7

8 Compliance with security policy Technical compliance checking System audit considerations System audit controls Protection of system audit tools References 12 Page - 8

9 Audit Checklist Auditor Name: Audit Date: Information Security Management BS :2002 Audit Check List Reference Audit area, objective and question Results Checklist Standard Section Audit Question Findings Compliance Security Policy Information security policy Information security policy document Review and evaluation Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all employees. Whether it states the management commitment and set out the organisational approach to managing information security. Whether the Security policy has an owner, who is responsible for its maintenance and review according to a defined review process. Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, example: significant security incidents, new vulnerabilities or changes to Page - 9