Welcome to the eighth issue of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to ISO17799 and information security.
The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents. In view of recent events, this issue focuses particularly upon business continuity and disaster recovery.
Included in this issue are the following topics:
ISO17799: MORE FREQUENTLY ASKED QUESTIONS (FAQ)
1) What is Security Risk Analysis?
A classical definition of Risk Analysis describes it as a process to ensure that the security controls for a system are fully commensurate with its risks. This 'process', however, can be complex in itself. Most methods, though, employ the following interrelated elements: threats, vulnerabilities and controls.
Threats: These are things that can go wrong or that can 'attack' the system or business. Examples might include fraud or fire. Threats are ever present for every business and information system.
Vulnerabilities: These make a system more prone to attack by a threat, or make an attack more likely to have some 'success' or undesired impact. For example, for the threat of fire, a vulnerability would be the presence of flammable materials (e.g. paper).
Controls: These are the countermeasures for vulnerabilities. There are basically four types:
Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
Corrective controls reduce the effect of an attack.
Detective controls discover attacks and trigger preventative or corrective controls.
Deterrent controls reduce the likelihood of a deliberate attack.
It is common for all these to be weighed against each other (manually or automatically) to produce a set of metrics, which enable business decisions regarding security to be more easily taken. Hence references to 'risk level', 'risk score' and so on.
The above information was derived from: www.security-risk-analysis.com
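To show how threats, vulnerabilities and the four control types are weighed into a 'risk score', here is a small scoring model added for this newsletter (it is not code from security-risk-analysis.com or from any ISO17799 method). The 1-to-5 scales, the scoring rules and the fire scenario are constructed assumptions; the point is how each control type acts on likelihood or impact, not the particular numbers.

```python
from dataclasses import dataclass, field

# 1 (low) .. 5 (high) scales and every sample value below are constructed for
# this example; a real analysis uses the scale of its chosen method.

@dataclass
class Scenario:
    threat: str
    vulnerability: str
    likelihood: int   # chance the threat materialises, 1..5
    impact: int       # business impact if the attack succeeds, 1..5
    deliberate: bool  # deterrents only matter for deliberate attacks
    controls: list = field(default_factory=list)  # (kind, strength 1..5) pairs

def inherent(s):
    """Risk score before any control is credited."""
    return s.likelihood * s.impact

def residual(s):
    """Credit the four control types as the FAQ defines them; return
    (likelihood, impact, score) with both factors floored at 1."""
    likelihood, impact, detection = s.likelihood, s.impact, 0
    for kind, strength in s.controls:
        if kind == "deterrent" and s.deliberate:
            likelihood -= strength   # fewer deliberate attempts
        elif kind == "preventative":
            likelihood -= strength   # attack less likely to succeed
        elif kind == "corrective":
            impact -= strength       # effect of a successful attack reduced
        elif kind == "detective":
            detection = max(detection, strength)
    # A detective control only triggers something if a corrective control exists;
    # assumption: the earlier response is credited as one extra point off the impact.
    if detection and any(kind == "corrective" for kind, _ in s.controls):
        impact -= 1
    likelihood, impact = max(1, likelihood), max(1, impact)
    return likelihood, impact, likelihood * impact

def risk_level(score):
    """Map a 1..25 score to the 'risk level' a report would show."""
    return "high" if score >= 12 else "medium" if score >= 6 else "low"

# The FAQ's fire example: threat fire, vulnerability paper stored near the servers.
# Controls: CCTV signage (deterrent, no effect on fire), fire-resistant cabinets,
# off-site backups and a smoke alarm.
FIRE = Scenario("fire", "paper in the server room", likelihood=3, impact=5,
                deliberate=False, controls=[("deterrent", 2), ("preventative", 1),
                                            ("corrective", 3), ("detective", 2)])
```

For the fire scenario the inherent score is 15 ('high') and the residual score after the controls is 2 ('low'); the deterrent contributes nothing because fire is not a deliberate attack.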
2) What is accreditation and certification?
This question keeps cropping up. An accreditation body is an organization (usually national) that grants third parties the authority to issue 'certificates' (to certify) against standards. This third party is the certification company.
3) What has this to do with ISO 17799?
Risk analysis is actually an integral part of the standard. It is a mandatory element of BS7799-2 (process and IS systems) and should be used for the selection of controls from part 1.
4) Can I republish articles from ISO17799 News internally, on our company intranet, or even on our external internet site?
Yes, subject to a reference (a link) to this web site.