
IT Security Quick Start $349.00
Includes the following sample policies:
| BS-7799 / ISO-17799 paragraph # | Policy title |
|---|---|
| 3** | SECURITY POLICY |
| 3.1* | Information Security Policy |
| 3.1.1 | Information security policy document |
| 3.1.2 | Review and evaluation |
| 4** | ORGANIZATIONAL SECURITY |
| 4.1* | Information Security Infrastructure |
| 4.1.1 | Management information security forum |
| 4.1.2 | Information security co-ordination |
| 4.1.3 | Allocation of information security responsibilities |
| 4.1.4 | Authorization process for information processing facilities |
| 4.1.5 | Specialist information security advice |
| 4.1.6 | Co-operation between organizations |
| 4.1.7 | Independent review of information security |
| 4.2* | Security of Third Party Access |
| 4.2.1 | Identification of risks from third party access |
| 4.2.2 | Security requirements in third party contracts |
| 4.3* | Outsourcing |
| 4.3.1 | Security requirements in outsourcing contracts |
| 5** | ASSET CLASSIFICATION AND CONTROL |
| 5.1* | Accountability for assets |
| 5.1.1 | Inventory of assets |
| 5.2* | Information classification |
| 5.2.1 | Classification guidelines |
| 5.2.2 | Information labeling and handling |
| 6** | PERSONNEL SECURITY |
| 6.1* | Including security in job responsibilities |
| 6.1.1 | Including security in job responsibilities |
| 6.1.2 | Personnel screening and policy |
| 6.1.3 | Confidentiality agreements |
| 6.1.4 | Terms and conditions of employment |
| 6.2* | User Training |
| 6.2.1 | Information security education and training |
| 6.3* | Responding to security incidents and malfunctions |
| 6.3.1 | Reporting security incidents |
| 6.3.2 | Reporting security weaknesses |
| 6.3.3 | Reporting software malfunctions |
| 6.3.4 | Learning from incidents |
| 6.3.5 | Disciplinary process |
| 7** | PHYSICAL AND ENVIRONMENTAL SECURITY |
| 7.1* | Secure Areas |
| 7.1.1 | Physical security perimeter |
| 7.1.2 | Physical entry controls |
| 7.1.3 | Securing offices, rooms and facilities |
| 7.1.4 | Working in secure areas |
| 7.1.5 | Isolated delivery and loading areas |
| 7.2* | Equipment Security |
| 7.2.1 | Equipment siting and protection |
| 7.2.2 | Power supplies |
| 7.2.3 | Cabling security |
| 7.2.4 | Equipment maintenance |
| 7.2.5 | Security of equipment off-premises |
| 7.2.6 | Secure disposal or re-use of equipment |
| 7.3* | General Controls |
| 7.3.1 | Clear desk and clear screen policy |
| 7.3.2 | Removal of property |
| 8** | COMMUNICATIONS AND OPERATIONS MANAGEMENT |
| 8.1* | Operational procedures and Responsibilities |
| 8.1.1 | Documented operating procedures |
| 8.1.2 | Operational change control |
| 8.1.3 | Incident management procedures |
| 8.1.4 | Segregation of duties |
| 8.1.5 | Separation of development and operational facilities |
| 8.1.6 | External facilities management |
| 8.2* | System Planning and Acceptance |
| 8.2.1 | Capacity planning |
| 8.2.2 | System acceptance |
| 8.3* | Protection Against Malicious Software |
| 8.3.1 | Controls against malicious software |
| 8.4* | Housekeeping |
| 8.4.1 | Information back-up |
| 8.4.2 | Operator logs |
| 8.4.3 | Fault logging |
| 8.5* | Network Management |
| 8.5.1 | Network controls |
| 8.6* | Media Handling and Storage |
| 8.6.1 | Management of removable computer media |
| 8.6.2 | Disposal of media |
| 8.6.3 | Information handling procedures |
| 8.6.4 | Security of system documentation |
| 8.7* | Exchanges of Information and Software |
| 8.7.1 | Information and software exchange agreements |
| 8.7.2 | Security of media in transit |
| 8.7.3 | Electronic commerce security |
| 8.7.4 | Security of electronic mail |
| 8.7.5 | Security of electronic office systems |
| 8.7.6 | Publicly available systems |
| 8.7.7 | Other forms of information exchange |
| 9** | ACCESS CONTROL |
| 9.1* | Business Requirements for Access Control |
| 9.1.1 | Access control policy |
| 9.2* | User Access Management |
| 9.2.1 | User registration |
| 9.2.2 | Privilege management |
| 9.2.3 | User password management |
| 9.2.4 | Review of user access rights |
| 9.3* | User Responsibilities |
| 9.3.1 | Password use |
| 9.3.2 | Unattended user equipment |
| 9.4* | Network Access Control |
| 9.4.1 | Policy of use of network services |
| 9.4.2 | Enforced path |
| 9.4.3 | User authentication for external connections |
| 9.4.4 | Node authentication |
| 9.4.5 | Remote diagnostic port protection |
| 9.4.6 | Segregation in networks |
| 9.4.7 | Network connection control |
| 9.4.8 | Network routing control |
| 9.4.9 | Security of network services |
| 9.5* | Operating System Access Control |
| 9.5.1 | Automatic terminal identification |
| 9.5.2 | Terminal log-on procedures |
| 9.5.3 | User identification and authentication |
| 9.5.4 | Password management system |
| 9.5.5 | Use of system utilities |
| 9.5.6 | Duress alarm to safeguard users |
| 9.5.7 | Terminal time-out |
| 9.5.8 | Limitation of connection time |
| 9.6* | Application Access Control |
| 9.6.1 | Information access restriction |
| 9.6.2 | Sensitive system isolation |
| 9.7* | Monitoring System Access and Use |
| 9.7.1 | Event logging |
| 9.7.2 | Monitoring system use |
| 9.7.3 | Clock synchronization |
| 9.8* | Mobile Computing and Teleworking |
| 9.8.1 | Mobile computing |
| 9.8.2 | Teleworking |
| 10** | SYSTEMS DEVELOPMENT AND MAINTENANCE |
| 10.1* | Security Requirement of Systems |
| 10.1.1 | Security requirements analysis and specification |
| 10.2* | Security in Application Systems |
| 10.2.1 | Input data validation |
| 10.2.2 | Control of internal processing |
| 10.2.3 | Message authentication |
| 10.2.4 | Output data validation |
| 10.3* | Cryptographic Controls |
| 10.3.1 | Policy on the use of cryptographic controls |
| 10.3.2 | Encryption |
| 10.3.3 | Digital signatures |
| 10.3.4 | Non-repudiation services |
| 10.3.5 | Key management |
| 10.4* | Security of System Files |
| 10.4.1 | Control of operational software |
| 10.4.2 | Protection of system test data |
| 10.4.3 | Access control to program source library |
| 10.5* | Security in Development and Support Processes |
| 10.5.1 | Change control procedures |
| 10.5.2 | Technical review of operating systems changes |
| 10.5.3 | Restrictions on changes to software packages |
| 10.5.4 | Covert channels and Trojan code |
| 10.5.5 | Outsourced software development |
| 11** | BUSINESS CONTINUITY MANAGEMENT |
| 11.1* | Aspects of Business Continuity Management |
| 11.1.1 | Business continuity management process |
| 11.1.2 | Business continuity and impact analysis |
| 11.1.3 | Writing and implementing continuity plans |
| 11.1.4 | Business continuity planning framework |
| 11.1.5 | Testing, maintaining and re-assessing business continuity plans |
| 12** | COMPLIANCE |
| 12.1* | Compliance with Legal Requirements |
| 12.1.1 | Identification of applicable legislation |
| 12.1.2 | Intellectual property rights (IPR) |
| 12.1.3 | Safeguarding of organizational records |
| 12.1.4 | Data protection and privacy of personal information |
| 12.1.5 | Prevention of misuse of information processing facilities |
| 12.1.6 | Regulation of cryptographic controls |
| 12.1.7 | Collection of evidence |
| 12.2* | Reviews of Security Policy and Technical Compliance |
| 12.2.1 | Compliance with security policy |
| 12.2.2 | Technical compliance checking |
| 12.3* | System Audit Controls |
| 12.3.1 | System audit controls |
| 12.3.2 | Protection of system audit tools |
| Symbol | Type of policy document |
|---|---|
| * | 36 sample objectives for BS-7799 / ISO-17799 paragraphs (x.x) |
| (none) | 126 sample policy statements (x.x.x) |
| ** | ISO-17799 / BS-7799 clause title; no policy required or supplied |