ISO17799 Policy Gap Analysis
Prepared for John Smith Big Company Inc.
by Fred Cohen & Associates
in partial fulfillment of Purchase Order DH203022
2005-03-23
Page 1 of 18
Company Confidential – Policy Information
Executive Summary
In November of 2004, John Smith of Big Company (CLIENT) asked Fred Cohen & Associates (FCA) to perform a policy gap analysis comparing existing and internally published policies with the ISO17799 standard. The results of this analysis were then compared to the results from the recent protection posture assessment to understand how effective those policy elements were at meeting CLIENT's needs. Over the period of effort, CLIENT provided FCA with copies of all security-related policies then available, and FCA produced the gap analysis contained herein.

From this analysis, it appears that CLIENT has a large number of policies that, in fragmented parts, substantially cover 73 of the 128 elements of the ISO17799 standard, poorly cover another 30 elements of the standard, and provide no coverage of the remaining 25 elements of the standard. Despite the substantial coverage of 73 policy elements, the presence of these policies is not reflected in internal compliance or in the understanding demonstrated by employees. In addition, the overall condition of those policy elements is not at the assurance level appropriate to the needs of CLIENT. As a result, there are significant gaps between the needs and the policies, and between the policies and the desired standards.

FCA recommends a policy reconciliation and rewrite. This involves writing a comprehensive security policy that follows the ISO17799 structure while incorporating existing policy elements for backward compatibility and internal consistency. The resulting policy will then update and replace the large number of fragmented policy elements that have evolved over many years with a new policy that covers the issues more comprehensively, is properly adapted to CLIENT's current needs, and can be read and understood in a few hours. This policy should also meet all policy-level compliance requirements and be suitable to pass relevant audits.

This policy rewrite would be best completed prior to any upcoming audits that might be positively affected by the effort.
Table of Contents
Executive Summary ........ 2
Background, Scope, and Overview ........ 4
Findings and Recommendations ........ 16
Summary and Conclusions ........ 18
Background, Scope, and Overview
Background
In September of 2004, John Smith of Big Company (CLIENT) asked FCA to perform a gap analysis assessing the current security-related policies of CLIENT relative to the ISO17799 standard, in order to understand the policy needs at CLIENT in more detail. During the month of September, a policy analysis team took material provided by CLIENT and reviewed all provided policies relative to the ISO17799 standard to understand these issues. These efforts included but were not limited to:
• Review all currently available CLIENT security policies.
• Perform a line-at-a-time comparison of policy elements to ISO17799 standards and map the policy elements into the ISO17799 sections.
• Produce a gap analysis.
• Compare these results to the protection posture assessment results and reconcile differences.
• Provide analysis of results.
• Write and deliver this report.
Scope
The scope of this effort was limited to security-related policies that had, at the time of the start of the effort, been published as official policies on the internal CLIENT Web site and made available for...