BS 7799.2:2002
for SANS
Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant.
Approved by: Algis Kibirkstis
Owner: SANS
Extracts from BS 7799 part 1: 1999 are reproduced with the permission of BSI under license number 2003DH0251. British Standards can be purchased from BSI Customer Services, 389 Chiswick High Road, London W4 4AL. Tel: 44 (0)20 8996 9001. Email: customerservices@bsi-global.com
SANS Institute
BS 7799 Audit Checklist
5/01/2011
Table of Contents

Security Policy ... 9
  Information security policy ... 9
    Information security policy document ... 9
    Review and evaluation ... 9
Organisational Security ... 10
  Information security infrastructure ... 10
    Management information security forum ... 10
    Information security coordination ... 10
    Allocation of information security responsibilities ... 10
    Authorisation process for information processing facilities ... 10
    Specialist information security advice ... 11
    Co-operation between organisations ... 11
    Independent review of information security ... 11
  Security of third party access ... 11
    Identification of risks from third party access ... 11
    Security requirements in third party contracts ... 12
  Outsourcing ... 12
    Security requirements in outsourcing contracts ... 12
Author: Val Thiagarajan | Approved by: Algis Kibirkstis | Owner: SANS Institute
Page - 2
Personnel security ... 13
  Security in job definition and Resourcing ... 13
    Including security in job responsibilities ... 14
    Personnel screening and policy ... 14
    Confidentiality agreements ... 14
    Terms and conditions of employment ... 14
  User training ... 15
    Information security education and training ... 15
  Responding to security incidents and malfunctions ... 15
    Reporting security incidents ... 15
    Reporting security weaknesses ... 15
    Reporting software malfunctions ... 15
    Learning from incidents ... 15
    Disciplinary process ... 16
Access Control ... 29
  Business Requirements for Access Control ... 29
    Access Control Policy ... 29
  User Access Management ... 29
    User Registration ... 29
    Privilege Management ... 29
    User Password Management ... 30
    Review of user access rights ... 30
  User Responsibilities ... 30
    Password use ... 30
    Unattended user equipment ... 30
  Network Access Control ... 30
    Policy on use of network services ... 31
    Enforced path ... 31
    User authentication for external connections ... 31
    Node Authentication ... 31
    Remote diagnostic port protection ... 32
    Segregation in networks ... 32
    Network connection protocols ... 32
    Network routing control ... 32
    Security of network services ... 32
  Operating system access control ... 33
    Digital Signatures ... 38
    Non-repudiation services ... 39
    Key management ... 39
  Security of system files ... 39
    Control of operational software ... 39
    Protection of system test data ... 39
    Access Control to program source library ... 40
  Security in development and support process ... 40
    Change control procedures ... 40
    Technical review of operating system changes ... 40
    Covert channels and Trojan code ... 41
    Outsourced software development ... 41
Compliance ... 43
  Compliance with legal requirements ... 43
    Identification of applicable legislation ... 43
    Intellectual property rights (IPR) ... 44
    Safeguarding of organisational records ... 44
    Data protection and privacy of personal information ... 44
    Prevention of misuse of information processing facility ... 44
    Regulation of cryptographic controls ... 45
    Collection of evidence ... 45
  Reviews of Security Policy and technical compliance ... 45
    Compliance with security policy ... 45
    Technical compliance checking ... 45
  System audit considerations ... 46
    System audit controls ... 46
    Protection of system audit tools ... 46
References ... 47
Audit Checklist

Security Policy

1.1 / 3.1 Information security policy

1.1.1 / 3.1.1 Information security policy document
Whether there exists an information security policy which is approved by management, published and communicated as appropriate to all employees.
Whether it states the management commitment and sets out the organisational approach to managing information security.

1.1.2 / 3.1.2 Review and evaluation
Whether the security policy has an owner who is responsible for its maintenance and review according to a defined review process.
Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example: significant security incidents, new vulnerabilities or changes to
Organisational Security

2.1 / 4.1 Information security infrastructure

2.1.1 / 4.1.1 Management information security forum
Whether there is a management forum to ensure there is a clear direction and visible management support for information security initiatives within the organisation.

2.1.2 / 4.1.2 Information security coordination
Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate the implementation of information security controls.

2.1.3 / 4.1.3 Allocation of information security responsibilities
Whether responsibilities for the protection of individual assets and for carrying out specific security processes were clearly defined.

2.1.4 / 4.1.4 Authorisation process for information processing facilities
Whether there is a management authorisation process in place for any new information processing facility. This should include all new facilities such as hardware and software.

2.1.5 / 4.1.5 Specialist information security advice
Whether specialist information security advice is obtained where appropriate.
A specific individual may be identified to co-ordinate in-house knowledge and experience to ensure consistency, and to provide help in security decision making.

2.1.6 / 4.1.6 Co-operation between organisations
Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators were maintained to ensure that appropriate action can be quickly taken and advice obtained in the event of a security incident.

2.1.7 / 4.1.7 Independent review of information security
Whether the implementation of the security policy is reviewed independently on a regular basis. This is to provide assurance that organisational practices properly reflect the policy, and that it is feasible and effective.

2.2 / 4.2 Security of third party access

2.2.1 / 4.2.1 Identification of risks from third party access
Whether risks from third party access are identified and appropriate security controls implemented.
Whether the types of accesses are identified, classified
Personnel security

4.1 / 6.1 Security in job definition and Resourcing
Access Control

7.1 / 9.1 Business Requirements for Access Control

7.1.1 / 9.1.1 Access Control Policy
Whether the business requirements for access control have been defined and documented.
Whether the access control policy addresses the rules and rights for each user or group of users.
Whether the users and service providers were given a clear statement of the business requirements to be met by access controls.

7.2 / 9.2 User Access Management

7.2.1 / 9.2.1 User Registration
Whether there is a formal user registration and de-registration procedure for granting access to multi-user information systems and services.

7.2.2 / 9.2.2 Privilege Management
Whether the allocation and use of any privileges in a multi-user information system environment is restricted and controlled, i.e., privileges are allocated
maintaining and re-assessing business continuity plan
Whether business continuity plans were maintained by regular reviews and updates to ensure their continuing effectiveness.
Whether procedures were included within the organisation's change management programme to ensure that business continuity matters are appropriately addressed.

Compliance

10.1 / 12.1 Compliance with legal requirements

10.1.1 / 12.1.1 Identification of applicable legislation
Whether all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system.
Whether specific controls and individual responsibilities to meet these requirements were defined and documented.
References

1. Information Security Management, Part 2: Specification for Information Security Management Systems. AS/NZS 7799.2:2003 / BS 7799.2:2002.
2. Information Technology – Code of practice for Information Security Management. AS/NZS ISO/IEC 17799:2001.