
Statement of Applicability

LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment

ISO 27001:2005 Controls

Columns: Sec | Objective/Control | Comments (description of implementation / justification for exclusion) | Reasons for selection (LR, CO, BR/BP, RRA)

10.1    Operational procedures and responsibilities
10.1.1  Documented operating procedures
10.1.2  Change management
10.1.3  Segregation of duties
10.1.4  Separation of development and operations facilities
10.2    Third party service delivery management
10.2.1  Service delivery
10.2.2  Monitoring and review of third party services
10.2.3  Managing changes to third party services
10.3    System planning and acceptance
10.3.1  Capacity management
10.3.2  System acceptance

10.4    Protection against malicious and mobile code
10.4.1  Controls against malicious code
10.4.2  Controls against mobile code
10.5    Back-up
10.5.1  Information backup
10.6    Network security management
10.6.1  Network controls
10.6.2  Security of network services
10.7    Media handling
10.7.1  Management of removable media
10.7.2  Disposal of media
10.7.3  Information handling procedures
10.7.4  Security of system documentation
10.8    Exchange of information
10.8.1  Information exchange policies and procedures
10.8.2  Exchange agreements
10.8.3  Physical media in transit
10.8.4  Electronic messaging
10.8.5  Business information systems

Comments (10.4 to 10.8.5; column alignment lost in extraction): Tapes. LBTR, SICAP, SWIFT. LBTR, SICAP, SWIFT, SIMC. LBTR and SICAP. Regulated: only diskettes and tapes; no USB, ... NAS, segmentation, SSL VPN, IPS, FW.

10.9    Electronic commerce services
10.9.1  Electronic commerce
10.9.2  On-line transactions
10.9.3  Publicly available information
10.10   Monitoring
10.10.1 Audit logging
10.10.2 Monitoring system use
10.10.3 Protection of log information
10.10.4 Administrator and operator logs
10.10.5 Fault logging
10.10.6 Clock synchronization

Comments (10.9 to 10.10.6; column alignment lost in extraction): OAV. ICT. Administrator audit module.

"This work is copyright 2007, ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this."

11.1    Business requirement for access control
11.1.1  Access control policy
11.2    User access management
11.2.1  User registration
11.2.2  Privilege management
11.2.3  User password management
11.2.4  Review of user access rights
11.3    User responsibilities
11.3.1  Password use
11.3.2  Unattended user equipment
11.3.3  Clear desk and clear screen policy
11.4    Network access control

11.4.1  Policy on use of network services
11.4.2  User authentication for external connections
11.4.3  Equipment identification in networks
11.4.4  Remote diagnostic and configuration port protection
11.4.5  Segregation in networks
11.4.6  Network connection control
11.4.7  Network routing control
11.5    Operating system access control
11.5.1  Secure log-on procedures
11.5.2  User identification and authentication
11.5.3  Password management system
11.5.4  Use of system utilities
11.5.5  Session time-out
11.5.6  Limitation of connection time
11.6    Application access control
11.6.1  Information access restriction
11.6.2  Sensitive system isolation
11.7    Mobile computing and teleworking
11.7.1  Mobile computing and communication
11.7.2  Teleworking


12.1    Security requirements of information systems
12.1.1  Security requirements analysis and specification
12.2    Correct processing in applications
12.2.1  Input data validation
12.2.2  Control of internal processing
        Comments (12.1 to 12.2.2; column alignment lost in extraction): Specified as part of the non-functional requirements in IT solution projects. Analysis and specification are still incipient and are usually left until the end. CMMI Level 2 is being pursued for the management of IT solutions. Engineering activities follow the guidelines of the RUP model. According to the business rules, for integrity reasons. Web applications undergo vulnerability analysis following the OWASP guidelines. Secure coding good practices are not yet in place. The quality control process is applied only after construction, and is occasionally handled by a testing factory.
12.2.3  Message integrity
        In sensitive systems, messages are digitally signed.
12.2.4  Output data validation
        Not formalised; performed ad hoc at the discretion of the development team.
12.3    Cryptographic controls
        PKI infrastructure is used for sensitive systems.
12.3.1  Policy on the use of cryptographic controls
        Covered in the policy, but without further detail.
12.3.2  Key management
        A procedure exists for the management of keys and digital certificates.
12.4    Security of system files
        Usually based on the access control and information backup mechanisms.
12.4.1  Control of operational software
        Access is restricted to administrators and relies on the mechanisms inherent to them.

12.4.2  Protection of system test data
        Not formalised; handled on user request.
12.4.3  Access control to program source library
        Version control software (CCC/Harvest) is used, under its administrator.
12.5    Security in development and support processes
12.5.1  Change control procedures
12.5.2  Technical review of applications after operating system changes
        Comments (12.5 to 12.5.2; column alignment lost in extraction): The development process includes change management in projects. The quality assurance process verifies compliance. Not a usual practice.
12.5.3  Restrictions on changes to software packages
        Change control procedure.
12.5.4  Information leakage
        Implementation of DLP mechanisms is planned.
12.5.5  Outsourced software development
12.6    Technical vulnerability management
12.6.1  Control of technical vulnerabilities
        Comments (12.5.5 to 12.6.1; column alignment lost in extraction): Software factories are used, but intellectual property matters have not been established. Web applications undergo vulnerability analysis following the OWASP guidelines. Secure coding good practices are not yet in place.

