| |
| |
| Acknowledgements | |
| |
| |
| Introduction | |
| |
| |
| |
| Why is information security necessary? | |
| |
| |
| The nature of information security threats | |
| |
| |
| The prevalence of information security threats | |
| |
| |
| Impacts of information security threats | |
| |
| |
| Cybercrime | |
| |
| |
| Cyberwar | |
| |
| |
| Future risks | |
| |
| |
| Legislation | |
| |
| |
| Benefits of an information security management system | |
| |
| |
| |
| The Combined Code, the Turnbull Report and Sarbanes-Oxley | |
| |
| |
| The Combined Code | |
| |
| |
| The Turnbull Report | |
| |
| |
| The Revised Combined Code | |
| |
| |
| Sarbanes-Oxley | |
| |
| |
| IT governance | |
| |
| |
| |
| ISO27001 | |
| |
| |
| Benefits of certification | |
| |
| |
| The history of ISO27001 and ISO27002 | |
| |
| |
| The ISO/IEC 27000 series of standards | |
| |
| |
| Use of the standard | |
| |
| |
| ISO/IEC 27002 | |
| |
| |
| The Plan-Do-Check-Act and process approach | |
| |
| |
| Structured approach to implementation | |
| |
| |
| Quality system integration | |
| |
| |
| Documentation | |
| |
| |
| Continual improvement and metrics | |
| |
| |
| |
| Organizing information security | |
| |
| |
| Internal organization | |
| |
| |
| Management review | |
| |
| |
| Information security manager | |
| |
| |
| The cross-functional management forum | |
| |
| |
| The ISO27001 project group | |
| |
| |
| Approval process for information processing facilities | |
| |
| |
| Product selection and the Common Criteria | |
| |
| |
| Specialist information security advice | |
| |
| |
| Contact with authorities and special interest groups | |
| |
| |
| Independent review of information security | |
| |
| |
| Summary | |
| |
| |
| |
| Information security policy and scope | |
| |
| |
| Information security policy | |
| |
| |
| A policy statement | |
| |
| |
| Costs and the monitoring of progress | |
| |
| |
| |
| The risk assessment and statement of applicability | |
| |
| |
| Establishing security requirements | |
| |
| |
| Risks, impacts and risk management | |
| |
| |
| Selection of controls and statement of applicability | |
| |
| |
| Gap analysis | |
| |
| |
| Risk assessment tools | |
| |
| |
| Risk treatment plan | |
| |
| |
| Measures of effectiveness | |
| |
| |
| |
| External parties | |
| |
| |
| Identification of risks related to external parties | |
| |
| |
| Types of access | |
| |
| |
| Reasons for access | |
| |
| |
| Outsourcing | |
| |
| |
| On-site contractors | |
| |
| |
| Addressing security when dealing with customers | |
| |
| |
| Addressing security in third-party agreements | |
| |
| |
| |
| Asset management | |
| |
| |
| Asset owners | |
| |
| |
| Inventory | |
| |
| |
| Acceptable use of assets | |
| |
| |
| Information classification | |
| |
| |
| Unified classification markings | |
| |
| |
| Information labelling and handling | |
| |
| |
| Non-disclosure agreements and trusted partners | |
| |
| |
| |
| Human resources security | |
| |
| |
| Job descriptions and competency requirements | |
| |
| |
| Screening | |
| |
| |
| Terms and conditions of employment | |
| |
| |
| During employment | |
| |
| |
| Disciplinary process | |
| |
| |
| Termination or change of employment | |
| |
| |
| |
| Physical and environmental security | |
| |
| |
| Secure areas | |
| |
| |
| Public access, delivery and loading areas | |
| |
| |
| |
| Equipment security | |
| |
| |
| Equipment siting and protection | |
| |
| |
| Supporting utilities | |
| |
| |
| Cabling security | |
| |
| |
| Equipment maintenance | |
| |
| |
| Security of equipment off-premises | |
| |
| |
| Secure disposal or reuse of equipment | |
| |
| |
| Removal of property | |
| |
| |
| |
| Communications and operations management | |
| |
| |
| Documented operating procedures | |
| |
| |
| Change management | |
| |
| |
| Segregation of duties | |
| |
| |
| Separation of development, test and operational facilities | |
| |
| |
| Third-party service delivery management | |
| |
| |
| Monitoring and review of third-party services | |
| |
| |
| Managing changes to third-party services | |
| |
| |
| System planning and acceptance | |
| |
| |
| |
| Controls against malicious software (malware) and back-ups | |
| |
| |
| Viruses, worms and Trojans | |
| |
| |
| Spyware | |
| |
| |
| Anti-malware software | |
| |
| |
| Hoax messages | |
| |
| |
| Anti-malware controls | |
| |
| |
| Airborne viruses | |
| |
| |
| Controls against mobile code | |
| |
| |
| Back-up | |
| |
| |
| |
| Network security management and media handling | |
| |
| |
| Network management | |
| |
| |
| Media handling | |
| |
| |
| |
| Exchanges of information | |
| |
| |
| Information exchange policies and procedures | |
| |
| |
| Exchange agreements | |
| |
| |
| Physical media in transit | |
| |
| |
| Business information systems | |
| |
| |
| |
| Electronic commerce services | |
| |
| |
| E-commerce issues | |
| |
| |
| Security technologies | |
| |
| |
| Server security | |
| |
| |
| Online transactions | |
| |
| |
| Publicly available information | |
| |
| |
| |
| E-mail and internet use | |
| |
| |
| Security risks in e-mail | |
| |
| |
| Spam | |
| |
| |
| Misuse of the internet | |
| |
| |
| Internet acceptable use policy | |
| |
| |
| |
| Access control | |
| |
| |
| Hackers | |
| |
| |
| Hacker techniques | |
| |
| |
| System configuration | |
| |
| |
| Access control policy | |
| |
| |
| User access management | |
| |
| |
| Clear desk and clear screen policy | |
| |
| |
| |
| Network access control | |
| |
| |
| Networks | |
| |
| |
| Network security | |
| |
| |
| |
| Operating system access control | |
| |
| |
| Secure log-on procedures | |
| |
| |
| User identification and authentication | |
| |
| |
| Password management system | |
| |
| |
| Use of system utilities | |
| |
| |
| Session time-out | |
| |
| |
| Limitation of connection time | |
| |
| |
| |
| Application access control and teleworking | |
| |
| |
| Application and information access control | |
| |
| |
| Mobile computing and teleworking | |
| |
| |
| |
| Systems acquisition, development and maintenance | |
| |
| |
| Security requirements analysis and specification | |
| |
| |
| Correct processing in applications | |
| |
| |
| |
| Cryptographic controls | |
| |
| |
| Encryption | |
| |
| |
| Public key infrastructure | |
| |
| |
| Digital signatures | |
| |
| |
| Non-repudiation services | |
| |
| |
| Key management | |
| |
| |
| |
| Security in development and support processes | |
| |
| |
| System files | |
| |
| |
| Access control to program source code | |
| |
| |
| Development and support processes | |
| |
| |
| Vulnerability management | |
| |
| |
| |
| Monitoring and information security incident management | |
| |
| |
| Monitoring | |
| |
| |
| Information security events | |
| |
| |
| Management of information security incidents and improvements | |
| |
| |
| Legal admissibility | |
| |
| |
| |
| Business continuity management | |
| |
| |
| BS25999 | |
| |
| |
| The business continuity management process | |
| |
| |
| Business continuity and risk assessment | |
| |
| |
| Developing and implementing continuity plans | |
| |
| |
| Business continuity planning framework | |
| |
| |
| Testing, maintaining and reassessing business continuity plans | |
| |
| |
| |
| Compliance | |
| |
| |
| Identification of applicable legislation | |
| |
| |
| Intellectual property rights | |
| |
| |
| Safeguarding of organizational records | |
| |
| |
| Data protection and privacy of personal information | |
| |
| |
| Prevention of misuse of information processing facilities | |
| |
| |
| Regulation of cryptographic controls | |
| |
| |
| Compliance with security policies and standards, and technical compliance checking | |
| |
| |
| Information systems audit considerations | |
| |
| |
| |
| The ISO27001 audit | |
| |
| |
| Selection of auditors | |
| |
| |
| Initial audit | |
| |
| |
| Preparation for audit | |
| |
| |
| Terminology | |
| |
| |
| |
| Useful websites | |
| |
| |
| |
| Further reading | |
| |
| |
| Index | |