Welcome to this, the seventh edition of The ISO27000 Newsletter, designed to keep you abreast of updates and developments with respect to the ISO 17799 information security standard.
The information contained in this newsletter is free to our subscribers and provides guidance on practical issues, plus commentary on recent Information Security incidents.
Included in this issue are the following topics:
POOR DOCUMENTATION MAY RESULT IN SYSTEM FAILURE
System documentation is important, and your organization should develop and implement a simple policy to ensure that it is kept up to date at all times. Many otherwise well-organized IT departments fall short when it comes to documenting system changes and updates, particularly for in-house-developed systems. The consequences can be serious.
The policy itself must be easy to understand and be capable of being monitored and enforced. As with all policies, thought must be given to HOW the policy is to be distributed and policed to ensure compliance. Consider the following issues:
• Policies that are not enforced will not be followed.
It is really a matter of common sense that the quality and currency of documentation should be taken as seriously as that of important data. Where loss, error or omission would have serious implications, appropriate controls are required.
• Missing or inadequate technical documentation, especially for older “in-house” systems, will usually result in operational difficulties and substantially increased systems analysis effort. In such cases:
- You are likely to be totally dependent on a few key staff
- You cannot validate proposed technical changes
- You have no effective way to train support staff
• Out-of-date documentation can (and usually will!) result in severe operational difficulties.
• If documentation exists but is merely inaccessible to the people who need it, the purchase or development of replacement documentation is unlikely to be given priority. In these cases the risks are similar to those of missing or inadequate documentation.
Suggested simple policy statement:
System documentation is a mandatory requirement for all of the organization’s information systems. Such documentation must be kept up to date and be available to those who need it. Regular checks will be carried out to ensure compliance.