NetVision Solution for ISO 27002 / ISO 17799

ISO 27002 (formerly ISO 17799) is a code of practice for information security controls. Many organizations use the standard to measure their information security program in a field where assessment is otherwise highly subjective. Others use it to map specific security solutions to broader control frameworks for information technology (COBIT) or corporate governance (COSO); that mapping gives a measurable way to demonstrate compliance with governmental and industry regulations whose requirements touch information technology. The real-world application of IT controls to such regulations is often open to interpretation, and ISO 27002 gives companies a benchmark framework to work within. In summary, ISO 27002 provides three core values:

  • Allows organizations to benchmark their implementation of information security controls.
  • Provides a measurable framework with which to meet governmental and industry regulations that are often open to interpretation.
  • Enables a multi-regulatory approach of implementing information security controls that meet requirements for multiple regulations.

For more information on ISO 27002, visit the International Organization for Standardization (ISO) web site [www.iso.org].

NetVision's support for ISO 27002 lies primarily in the identity-related sections of the framework: sections 10 and 11 of ISO/IEC 27002:2005 (later editions of the standard renumber these controls). The table below lists the controls in sections 10 and 11 that NetVision can directly help implement. Controls that NetVision does not address are marked as not directly applicable.

Please contact NetVision to learn more about how NetVision solutions can be implemented to support your organization's ISO 27002 standardization efforts!



10 Communications & Operations Management

Sections 10.1 - 10.9

These requirements do not directly apply to NetVision.

Section 10.10: Monitoring

10.10.1 Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed upon period to assist in future investigations and access control monitoring

10.10.2 Procedures for monitoring use of information processing facilities should be established and the results of the monitoring activities reviewed regularly

10.10.3 Logging facilities and log information should be protected against tampering and unauthorized access

10.10.4 System administrator and system operator activities should be logged

10.10.5 Faults should be logged, analyzed, and appropriate actions taken

10.10.6 The clocks of all relevant information processing systems within an organization or security domain should be synchronized with an agreed accurate time source
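The controls above ask for audit records that survive investigation (10.10.1), are protected against tampering (10.10.3), cover administrator activity (10.10.4) and carry trustworthy timestamps (10.10.6). The following is an added example written for this page, not NetVision's code: each audit record carries an HMAC over its own fields and the previous record's HMAC, so altering, forging, reordering or deleting an interior record breaks the chain, and the verifier also flags timestamps that run backwards, which usually means an unsynchronized clock. The key, field names and sample events are assumptions constructed for the example.

```python
"""Tamper-evident audit log as a hash chain (example code, not a product feature).
Each record's 'mac' is HMAC-SHA256 over every other field, including 'prev',
the MAC of the preceding record. Verifying the chain detects edits, forgeries,
interior deletions, reordering and clock regressions."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

LOG_KEY = b"demo-log-key-replace-me"   # hypothetical key; keep it on the collector, not the source host
GENESIS = "0" * 64                     # 'prev' value of the first record


def _mac(record: Dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except 'mac'."""
    body = {k: v for k, v in record.items() if k != "mac"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_event(chain: List[Dict], event: Dict, key: bytes = LOG_KEY) -> Dict:
    """Append an event (must carry a numeric 'ts') and return the sealed record."""
    record = dict(event)
    record["seq"] = len(chain)
    record["prev"] = chain[-1]["mac"] if chain else GENESIS
    record["mac"] = _mac(record, key)
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], key: bytes = LOG_KEY) -> Optional[str]:
    """Return None if the chain is intact, else a description of the first fault."""
    expected_prev = GENESIS
    last_ts = None
    for i, rec in enumerate(chain):
        if rec.get("seq") != i:
            return f"sequence gap at {i}: record claims seq {rec.get('seq')}"
        if rec.get("prev") != expected_prev:
            return f"broken link at {i}"
        if not hmac.compare_digest(_mac(rec, key), rec.get("mac", "")):
            return f"bad mac at {i}: record altered or forged"
        if last_ts is not None and rec["ts"] < last_ts:
            return f"clock regression at {i}: ts {rec['ts']} < {last_ts}"
        last_ts = rec["ts"]
        expected_prev = rec["mac"]
    return None


# Constructed sample events (administrator and user activity), not real data.
SAMPLE_EVENTS = [
    {"ts": 1700000000, "actor": "svc-admin", "action": "reset_password", "target": "jdoe"},
    {"ts": 1700000042, "actor": "jdoe", "action": "logon", "result": "success"},
    {"ts": 1700000090, "actor": "svc-admin", "action": "add_group_member",
     "target": "Domain Admins", "member": "jdoe"},
]


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact :", verify_chain(chain))
    edited = [dict(r) for r in chain]
    edited[2]["member"] = "mallory"          # rewrite who was added to the group
    print("edited :", verify_chain(edited))
    gap = chain[:1] + chain[2:]              # drop the logon record
    print("deleted:", verify_chain(gap))
```

The chain does not detect truncation of its tail: dropping the newest records leaves a valid shorter chain. To close that gap the collector must store the latest MAC (or the record count) out of band, for example in a separate write-once store, and compare it during review.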

11 Access control

Section 11.1: Business requirements for access control

11.1.1 An access control policy should be established, documented, and reviewed based on business and security functions

Section 11.2: User access management

11.2.1 There should be a formal user registration and deregistration procedure in place for granting and revoking access to all information systems and services

11.2.2 The allocation and use of privileges should be restricted and controlled

11.2.3 The allocation of passwords should be controlled through a formal management process

11.2.4 Management should review users' access rights at regular intervals using a formal process
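Controls 11.2.1, 11.2.2 and 11.2.4 together describe a periodic access review: every enabled account should belong to someone still employed, privileged membership should be justified, and both should be checked on a schedule. The following is an added example written for this page, not NetVision's code. It runs such a review over a directory export and an HR roster, both constructed here as sample data; the attribute names (sam, enabled, last_logon, groups, owner), the privileged group names and the convention that service accounts carry an owner attribute are all assumptions.

```python
"""Periodic user access review over a directory export (example code, not a
product feature). Produces findings for ISO 27002:2005 controls 11.2.1
(deregistration), 11.2.2 (privilege restriction) and 11.2.4 (regular review)."""
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Assumed names of groups whose membership counts as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Account Operators"}

Finding = Tuple[str, str, str]   # (account, finding code, human-readable detail)


def review_access(directory: List[Dict], hr_roster: Set[str], as_of: date,
                  dormant_days: int = 90) -> List[Finding]:
    """Compare a directory export against the HR roster and return review findings."""
    cutoff = as_of - timedelta(days=dormant_days)
    findings: List[Finding] = []
    for acct in directory:
        name = acct["sam"]
        privileged = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
        last_logon = date.fromisoformat(acct["last_logon"])
        is_service = "owner" in acct   # assumption: service accounts carry an owner attribute
        # 11.2.1: an enabled human account must map to an active HR record.
        if acct["enabled"] and not is_service and name not in hr_roster:
            findings.append((name, "no-hr-record",
                             "enabled account with no active HR record; deregister (11.2.1)"))
        # 11.2.2 / 11.2.4: privileged accounts that nobody uses should lose the privilege.
        if acct["enabled"] and privileged and last_logon < cutoff:
            findings.append((name, "dormant-privileged",
                             f"in {privileged}, last logon {acct['last_logon']} (11.2.2/11.2.4)"))
        # 11.2.2: disabling an account is not the same as removing its privileges.
        if not acct["enabled"] and privileged:
            findings.append((name, "disabled-privileged",
                             f"disabled but still in {privileged}; strip memberships (11.2.2)"))
        # 11.2.4: privileged service accounts need a named owner to attest the need.
        if is_service and privileged:
            findings.append((name, "service-privileged",
                             f"owner {acct['owner']} must attest need for {privileged} (11.2.4)"))
    return findings


# Constructed sample directory export and HR roster, not real data.
DIRECTORY = [
    {"sam": "jdoe", "enabled": True, "last_logon": "2024-05-01", "groups": ["Domain Users"]},
    {"sam": "asmith", "enabled": True, "last_logon": "2024-01-10",
     "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "contractor7", "enabled": True, "last_logon": "2024-04-28", "groups": ["Domain Users"]},
    {"sam": "svc-backup", "enabled": True, "last_logon": "2024-05-02",
     "groups": ["Domain Admins"], "owner": "it-ops"},
    {"sam": "bwayne", "enabled": False, "last_logon": "2023-11-30",
     "groups": ["Domain Users", "Account Operators"]},
]
HR_ROSTER = {"jdoe", "asmith"}   # contractor7 and bwayne no longer appear in HR


def run_sample() -> List[Finding]:
    return review_access(DIRECTORY, HR_ROSTER, as_of=date(2024, 5, 3))


if __name__ == "__main__":
    for account, code, detail in run_sample():
        print(f"{account:12s} {code:20s} {detail}")
```

The review is only as good as its inputs: the HR roster must be the authoritative list of current staff, and the export must include disabled accounts, since a disabled account that keeps its group memberships is re-enabled with full privilege by a single attribute change.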

Section 11.3: User responsibilities

11.3.1 Users should be required to follow good security practices in the selection and use of passwords

11.3.2 Users should ensure that unattended equipment has appropriate protection

11.3.3 A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted

Section 11.4: Network access control

11.4.1 Users should only be provided with access to the services that they have been specifically authorized to use

11.4.2 Appropriate authentication methods should be used to control access by remote users

11.4.3 Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment

11.4.4 Physical and logical access to diagnostic and configuration ports should be controlled

11.4.5 Groups of information services, users, and information systems should be segregated on networks

11.4.6 For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network should be restricted, in line with the access control policy and the requirements of the business applications

11.4.7 Routing controls should be implemented for networks to ensure that computer connections and information do not breach the access control policy of the business applications

Section 11.5: Operating system access control

11.5.1 Access to operating systems should be controlled by a secure log-on procedure

11.5.2 All users should have a unique identifier (User ID) for their personal use only, and a suitable authentication technique should be chosen to substantiate the claimed identity of the user

11.5.3 Systems for managing passwords should be interactive and should ensure quality passwords

11.5.4 The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled

11.5.5 Inactive sessions should shut down after a defined period

11.5.6 Restrictions on connection times should be used to provide additional security for high-risk applications

Section 11.6: Application & Information Access Control

11.6.1 Access to information and application system functions by users and support personnel should be restricted in accordance with the defined access control policy

11.6.2 Sensitive systems should have a dedicated (isolated) computing environment

Section 11.7: Mobile Computing & Teleworking

11.7.1 A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities

11.7.2 A policy, operational plans and procedures should be developed and implemented for teleworking activities



To get a complete picture of NetVision's capabilities and ownership options, please sign up for a free product demonstration.