Welcome to the eighth issue of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to ISO17799 and information security.
The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents. In view of recent events, this issue focuses particularly upon business continuity and disaster recovery.
Included in this issue are the following topics:
MAIN CONTROL TYPES
Access to information should be controlled through a combination of electronic methods and 'process controls'. These process controls include applying a classification code and assigning ownership to each piece of information within the organization. Once the control process has been applied to each type of information, it is possible to establish access rights and formally authorize these rights in respect of each employee or user. The desired Information Security controls can then be achieved by restricting access to specific information through password controls or other similar access control methodologies.
Many business software packages, of course, have integral security features that support the protection and disclosure of information. Microsoft Office 2000®, for example, has a wide range of document protection and on-line tracking features, which can simplify the process controls applicable to access authorization and restriction (Note: these features are located within 'File', 'Properties', 'Tools', 'Track Changes' and 'Tools', 'Protect Document'). We recommend that such features should be evaluated with your own business software packages and, if found appropriate, incorporated in the organization’s information security processes.
The key to remember, however, is that protection should embrace BOTH electronic and process controls. Weakness in either is weakness of the whole.
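The following is an added illustration, not part of the original newsletter: a minimal access registry in which each asset carries a classification code and an owner, only the owner can formally grant a right to a user, and the enforcement point grants access only when the electronic control (a password check) and the process control (a recorded authorization) both pass. Asset names, user names and the three-level classification scheme are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import IntEnum

class Classification(IntEnum):
    PUBLIC = 0        # any authenticated user may read
    INTERNAL = 1      # needs a right formally granted by the owner
    CONFIDENTIAL = 2  # as INTERNAL; kept distinct so handling rules can differ

@dataclass
class Asset:
    name: str
    classification: Classification
    owner: str  # the person accountable for granting access rights

@dataclass
class AccessRegistry:
    assets: dict = field(default_factory=dict)        # name -> Asset
    credentials: dict = field(default_factory=dict)   # user -> (salt, sha256)
    authorizations: set = field(default_factory=set)  # (asset, user, right)

    def enrol_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def authorize(self, approver, asset_name, user, right):
        """Process control: only the asset owner may formally grant a right."""
        if approver != self.assets[asset_name].owner:
            return False
        self.authorizations.add((asset_name, user, right))
        return True

    def _authenticated(self, user, password):
        """Electronic control: salted hash check with a constant-time compare."""
        if user not in self.credentials:
            return False
        salt, digest = self.credentials[user]
        return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest)

    def access(self, user, password, asset_name, right):
        """Grant only when BOTH controls pass; a gap in either denies."""
        asset = self.assets.get(asset_name)
        if asset is None or not self._authenticated(user, password):
            return False
        if asset.classification == Classification.PUBLIC and right == "read":
            return True
        return (asset_name, user, right) in self.authorizations
```

A valid password with no recorded authorization is refused, as is a recorded authorization presented with the wrong password; the classification code decides which assets need an explicit grant at all.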
NOTE: Additional details on controlling access to information can be found in a number of publications. A good example is the Interactive Information Security Officer's Manual referenced above (www.security-manual.com).
ISO17799 Reference: Asset classification and control is covered in Section 5.2