Example SANS checklist

Only available on BuenasTareas
  • Pages: 29 (7232 words)
  • Published: 6 December 2011
Information Security Management

BS 7799.2:2002

Audit Check List

for SANS

Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant.

Approved by: Algis Kibirkstis

Owner: SANS

Extracts from BS 7799 part 1: 1999 are reproduced with the permission of BSI under license number 2003DH0251. British Standards can be purchased from BSI Customer Services, 389 Chiswick High Road, London W4 4AL. Tel: 44 (0)20 8996 9001. Email: customerservices@bsi-global.com

Table of Contents

Security Policy 9
Information security policy 9
Information security policy document 9
Review and evaluation 9

Organisational Security 10
Information security infrastructure 10
Management information security forum 10
Information security coordination 10
Allocation of information security responsibilities 10
Authorisation process for information processing facilities 10
Specialist information security advice 11
Co-operation between organisations 11
Independent review of information security 11
Security of third party access 11
Identification of risks from third party access 11
Security requirements in third party contracts 12
Outsourcing 12
Security requirements in outsourcing contracts 12

Asset classification and control 13
Accountability of assets 13
Inventory of assets 13
Information classification 13
Classification guidelines 13
Information labelling and handling 13

Personnel security 13
Security in job definition and Resourcing 13
Including security in job responsibilities 14
Personnel screening and policy 14
Confidentiality agreements 14
Terms and conditions of employment 14
User training 15
Information security education and training 15
Responding to security incidents and malfunctions 15
Reporting security incidents 15
Reporting security weaknesses 15
Reporting software malfunctions 15
Learning from incidents 15
Disciplinary process 16

Physical and Environmental Security 16
Secure Area 16
Physical Security Perimeter 16
Physical entry Controls 16
Securing Offices, rooms and facilities 16
Working in Secure Areas 17
Isolated delivery and loading areas 17
Equipment Security 17
Equipment siting protection 17
Power Supplies 18
Cabling Security 18
Equipment Maintenance 18
Securing of equipment off-premises 19
Secure disposal or re-use of equipment 19
General Controls 19
Clear Desk and clear screen policy 19
Removal of property 20

Communications and Operations Management 20
Operational Procedure and responsibilities 20
Documented Operating procedures 20
Operational Change Control 20
Incident management procedures 21
Segregation of duties 21
Separation of development and operational facilities 21
External facilities management 22
System planning and acceptance 22
Capacity Planning 22
System acceptance 22
Protection against malicious software 23
Control against malicious software 23
Housekeeping 24
Information back-up 24
Operator logs 24
Fault Logging 24
Network Management 25
Network Controls 25
Media handling and Security 25
Management of removable computer media 25
Disposal of Media 25
Information handling procedures 26
Security of system documentation 26
Exchange of Information and software 26
Information and software exchange agreement 26
Security of Media in transit 27
Electronic Commerce security 27
Security of Electronic email 27
Security of Electronic office systems 28
Publicly available systems 28
Other forms of information exchange 28

Access Control 29
Business Requirements for Access Control 29
Access Control Policy 29
User Access Management 29
User Registration 29
Privilege Management 29
User Password Management 30
Review of user access rights 30
User Responsibilities 30
Password use 30
Unattended user equipment 30
Network Access Control 30
Policy on use of network services 31
Enforced path 31
User authentication for external connections 31
Node Authentication 31
Remote diagnostic port...