Most organizations are so dependent on their information systems and business processes that they are vulnerable to critical losses following a security breach. Fortunately, by implementing an information security management system ("ISMS"), as described in the only internationally accepted standard / code of practice addressing information security, a company can significantly reduce the risk of security breaches.

ISO/IEC 17799:2005 ("ISO 17799"), the Code of Practice for Information Security Management, was developed by the IT security subcommittee of the International Organization for Standardization and was published in June 2005. ISO 17799 stands apart from other security standards because it is both widely accepted and comprehensive. It was deliberately designed to work across all sectors and regions. In addition, the International Organization for Standardization intentionally aligned this standard with most other existing security, audit and control standards, such as those developed by NIST (National Institute of Standards and Technology). ISO 17799 can therefore serve as a common framework that links all other standards, regulatory requirements and corporate governance initiatives.

ISO 17799 provides practical guidance for developing organizational security policies and effective security management practices. An assessment against ISO 17799 produces a snapshot of the company's security infrastructure, giving a high-level view of how well (or how badly) the company implements information security. The standard is a valuable tool for companies that are establishing or improving information security within their organization.

The information security process has always rested on robust procedures and guidelines, with the goals of preventing and detecting security breaches and restoring affected data to its previous state. Although this is collective wisdom of long standing, it is also subject to varying interpretations and implementations. ISO 17799 provides a framework within which information security can be strengthened.

Control selection
ISO 17799 consists of 39 security controls that can be used as the basis for a security risk assessment. The controls cover all forms and types of information, whether electronic files, paper documents or communications such as e-mail, fax and spoken conversations. The standard defines a set of hardware and software measures, policies, procedures and organizational structures to protect an enterprise's information assets from a wide range of modern threats and vulnerabilities. Organizations should tailor their information security programmes to their individual needs and to the risks to which they are exposed: an organization should implement controls that are in proportion to the actual risks it faces.

Controls can also be described simply as countermeasures to risks. Apart from knowingly accepting a risk as tolerable, or transferring it to others (for example through insurance), there are four main types of control:

1. Deterrent controls reduce the likelihood of a deliberate attack.
2. Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
3. Corrective controls reduce the effect of an attack.
4. Detective controls discover attacks and trigger preventative or corrective controls.

It is important that all controls implemented are cost-effective. The cost of implementing and maintaining a control should not exceed the identified and quantified cost of the impact of the threat (or threats) it addresses. It is not possible to provide absolute security against every risk; the compromise is to offer effective protection against most risks. No director should approve a proposed policy that promises to eliminate all of the company's risks: the company necessarily operates in a risk environment, a risk-free state is impossible, and it is therefore pointless to propose eliminating all risks.

No company should invest in information technology (hardware or software) or implement information security management processes and procedures without first conducting a risk assessment and selecting appropriate controls, to assure itself that:

- the proposed investment (the total cost of the control) is equal to, or at most, the cost of the identified impact;
- the risk classification, which takes the probability into account, justifies the proposed investment; and
- reducing this risk is a priority, that is, all higher-priority risks are already sufficiently controlled, so that investing in this control now is the right choice.
Once the organization's information security needs have been identified, an appropriate set of controls from ISO 17799 can be introduced, followed, reviewed and enhanced to ensure that the organization's specific security objectives are met.
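The three tests above (cost no greater than the quantified impact, probability taken into account, higher-priority risks already controlled) can be written down as a small decision procedure. The following is an added example, not code from the article or from ISO 17799; it assumes a simple expected-annual-loss model (likelihood per year times impact per occurrence), treats each control as an independent fractional reduction of likelihood or impact, and uses invented figures for the sample risks and controls.

```python
"""Added example: a small quantitative risk register that applies the
cost/benefit and priority tests above to proposed controls. The model and
all figures are constructed assumptions, not values from ISO 17799."""
from dataclasses import dataclass
from typing import Dict, List

# The four control types named in the article.
CONTROL_TYPES = ("deterrent", "preventative", "corrective", "detective")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood_per_year: float  # expected occurrences per year
    impact: float               # quantified loss per occurrence (currency units)

    def expected_annual_loss(self) -> float:
        return self.likelihood_per_year * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    control_type: str           # one of CONTROL_TYPES
    annual_cost: float          # implementation plus maintenance, annualised
    risk: str                   # name of the risk the control addresses
    likelihood_reduction: float = 0.0  # fraction of likelihood removed
    impact_reduction: float = 0.0      # fraction of impact removed

    def __post_init__(self) -> None:
        if self.control_type not in CONTROL_TYPES:
            raise ValueError(f"unknown control type: {self.control_type}")
        for frac in (self.likelihood_reduction, self.impact_reduction):
            if not 0.0 <= frac <= 1.0:
                raise ValueError("reductions must be fractions between 0 and 1")


def residual_annual_loss(risk: Risk, controls: List[Control]) -> float:
    """Expected annual loss for one risk after the given controls are applied.
    Assumption: controls act independently, so their reductions multiply."""
    likelihood, impact = risk.likelihood_per_year, risk.impact
    for ctl in controls:
        if ctl.risk != risk.name:
            continue
        likelihood *= 1.0 - ctl.likelihood_reduction
        impact *= 1.0 - ctl.impact_reduction
    return likelihood * impact


def evaluate_control(register: Dict[str, Risk], existing: List[Control],
                     proposed: Control, tolerance: float) -> dict:
    """Check that existing controls are not already sufficient (residual loss
    above the tolerated level) and that the annual loss avoided by the
    proposed control is at least its annual cost."""
    risk = register[proposed.risk]
    before = residual_annual_loss(risk, existing)
    after = residual_annual_loss(risk, existing + [proposed])
    benefit = before - after
    already_sufficient = before <= tolerance
    cost_justified = benefit >= proposed.annual_cost
    return {
        "control": proposed.name,
        "risk": risk.name,
        "loss_before": before,
        "loss_after": after,
        "annual_benefit": benefit,
        "annual_cost": proposed.annual_cost,
        "already_sufficient": already_sufficient,
        "cost_justified": cost_justified,
        "recommend": cost_justified and not already_sufficient,
    }


def prioritise(register: Dict[str, Risk], existing: List[Control],
               proposals: List[Control], tolerance: float) -> List[dict]:
    """Recommended controls, largest outstanding residual loss first, so the
    highest-priority risks are funded before smaller ones."""
    results = [evaluate_control(register, existing, p, tolerance) for p in proposals]
    recommended = [r for r in results if r["recommend"]]
    return sorted(recommended, key=lambda r: r["loss_before"], reverse=True)


# Constructed sample register: all figures are invented for illustration.
REGISTER = {r.name: r for r in (
    Risk("laptop theft", likelihood_per_year=2.0, impact=20_000.0),
    Risk("phishing", likelihood_per_year=12.0, impact=5_000.0),
    Risk("data centre fire", likelihood_per_year=0.01, impact=2_000_000.0),
    Risk("visitor tailgating", likelihood_per_year=1.0, impact=1_000.0),
)}
EXISTING = [
    Control("cable locks", "deterrent", 500.0, "laptop theft", likelihood_reduction=0.25),
]
PROPOSED = [
    Control("full-disk encryption", "corrective", 6_000.0, "laptop theft", impact_reduction=0.9),
    Control("awareness training", "preventative", 15_000.0, "phishing", likelihood_reduction=0.5),
    Control("extra fire suppression", "preventative", 25_000.0, "data centre fire", likelihood_reduction=0.5),
    Control("turnstiles", "preventative", 3_000.0, "visitor tailgating", likelihood_reduction=0.9),
]
TOLERANCE = 2_000.0  # annual loss per risk the business knowingly accepts

if __name__ == "__main__":
    for r in prioritise(REGISTER, EXISTING, PROPOSED, TOLERANCE):
        print(f"{r['control']:<24} benefit {r['annual_benefit']:>10,.0f} "
              f"cost {r['annual_cost']:>8,.0f} (risk: {r['risk']})")
```

With the sample figures the training programme and full-disk encryption are recommended, in that order of priority; the fire suppression upgrade is rejected because its cost exceeds the loss it would avoid, and the turnstiles are rejected because the tailgating risk is already within the accepted tolerance. In practice the likelihood and impact figures come from the organization's own risk assessment, and the tolerance is a management decision.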

ISO 17799 is a comprehensive code of information security practice that provides business with an internationally recognized, structured methodology for information security. In addition to ISO 17799, the International Organization for Standardization has published ISO 27001, which specifies requirements for establishing, implementing, maintaining and improving an ISMS using the controls described in ISO 17799.

ISO 27001 is the formal standard against which an organization may seek independent certification of its ISMS. Although certification is voluntary, by January 2007 more than 3,000 organizations worldwide had certified to ISO 27001, demonstrating their commitment to information security. Organizations can be certified to ISO 27001 by a number of accredited certification bodies worldwide. ISO 27001 certification usually involves a two-stage audit, with a "table top" review of key documentation in the first stage and a fuller review of the ISMS in the second stage. The certified organization is then reassessed regularly by the certification body.

In summary, organizations face threats to their information assets every day, while at the same time becoming increasingly dependent on those assets. Technical solutions are only part of a holistic approach to information security. Establishing broad information security requirements suited to the organization's own risk environment is essential.
