Acknowledgements

Introduction

Why is information security necessary?
    The nature of information security threats
    The prevalence of information security threats
    Impacts of information security threats
    Cybercrime
    Cyberwar
    Future risks
    Legislation
    Benefits of an information security management system

The Combined Code, the Turnbull Report and Sarbanes-Oxley
    The Combined Code
    The Turnbull Report
    The Revised Combined Code
    Sarbanes-Oxley
    IT governance

ISO27001
    Benefits of certification
    The history of ISO27001 and ISO27002
    The ISO/IEC 27000 series of standards
    Use of the standard
    ISO/IEC 27002
    The Plan-Do-Check-Act and process approach
    Structured approach to implementation
    Quality system integration
    Documentation
    Continual improvement and metrics

Organizing information security
    Internal organization
    Management review
    Information security manager
    The cross-functional management forum
    The ISO27001 project group
    Approval process for information processing facilities
    Product selection and the Common Criteria
    Specialist information security advice
    Contact with authorities and special interest groups
    Independent review of information security
    Summary

Information security policy and scope
    Information security policy
    A policy statement
    Costs and the monitoring of progress

The risk assessment and statement of applicability
    Establishing security requirements
    Risks, impacts and risk management
    Selection of controls and statement of applicability
    Gap analysis
    Risk assessment tools
    Risk treatment plan
    Measures of effectiveness

External parties
    Identification of risks related to external parties
    Types of access
    Reasons for access
    Outsourcing
    On-site contractors
    Addressing security when dealing with customers
    Addressing security in third-party agreements

Asset management
    Asset owners
    Inventory
    Acceptable use of assets
    Information classification
    Unified classification markings
    Information labelling and handling
    Non-disclosure agreements and trusted partners

Human resources security
    Job descriptions and competency requirements
    Screening
    Terms and conditions of employment
    During employment
    Disciplinary process
    Termination or change of employment

Physical and environmental security
    Secure areas
    Public access, delivery and loading areas

Equipment security
    Equipment siting and protection
    Supporting utilities
    Cabling security
    Equipment maintenance
    Security of equipment off-premises
    Secure disposal or reuse of equipment
    Removal of property

Communications and operations management
    Documented operating procedures
    Change management
    Segregation of duties
    Separation of development, test and operational facilities
    Third-party service delivery management
    Monitoring and review of third-party services
    Managing changes to third-party services
    System planning and acceptance

Controls against malicious software (malware) and back-ups
    Viruses, worms and Trojans
    Spyware
    Anti-malware software
    Hoax messages
    Anti-malware controls
    Airborne viruses
    Controls against mobile code
    Back-up

Network security management and media handling
    Network management
    Media handling

Exchanges of information
    Information exchange policies and procedures
    Exchange agreements
    Physical media in transit
    Business information systems

Electronic commerce services
    E-commerce issues
    Security technologies
    Server security
    Online transactions
    Publicly available information

E-mail and internet use
    Security risks in e-mail
    Spam
    Misuse of the internet
    Internet acceptable use policy

Access control
    Hackers
    Hacker techniques
    System configuration
    Access control policy
    User access management
    Clear desk and clear screen policy

Network access control
    Networks
    Network security

Operating system access control
    Secure log-on procedures
    User identification and authentication
    Password management system
    Use of system utilities
    Session time-out
    Limitation of connection time

Application access control and teleworking
    Application and information access control
    Mobile computing and teleworking

Systems acquisition, development and maintenance
    Security requirements analysis and specification
    Correct processing in applications

Cryptographic controls
    Encryption
    Public key infrastructure
    Digital signatures
    Non-repudiation services
    Key management

Security in development and support processes
    System files
    Access control to program source code
    Development and support processes
    Vulnerability management

Monitoring and information security incident management
    Monitoring
    Information security events
    Management of information security incidents and improvements
    Legal admissibility

Business continuity management
    BS25999
    The business continuity management process
    Business continuity and risk assessment
    Developing and implementing continuity plans
    Business continuity planning framework
    Testing, maintaining and reassessing business continuity plans

Compliance
    Identification of applicable legislation
    Intellectual property rights
    Safeguarding of organizational records
    Data protection and privacy of personal information
    Prevention of misuse of information processing facilities
    Regulation of cryptographic controls
    Compliance with security policies and standards, and technical compliance checking
    Information systems audit considerations

The ISO27001 audit
    Selection of auditors
    Initial audit
    Preparation for audit

Terminology

Useful websites

Further reading

Index