Statement of Applicability
LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment
Objective/Control
Operational procedures and responsibilities
  Documented operating procedures
  Change management
  Segregation of duties
  Separation of development and operations facilities
Third party service delivery management
  Service delivery
  Monitoring and review of third party services
  Managing changes to third party services
System planning and acceptance
  Capacity management
  System acceptance
Protection against malicious and mobile code
  Controls against malicious code
  Controls against mobile code
Back-up
  Information backup
Network security management
  Network controls
  Security of network services
Media handling
  Management of removable media
  Disposal of media
  Information handling procedures
  Security of system documentation
Exchange of information
  Information exchange policies and procedures
  Exchange agreements
  Physical media in transit
  Electronic messaging
  Business information systems
Remarks for this block (column alignment lost in extraction; listed in the order they appear):
  Tapes
  LBTR, SICAP, SWIFT
  LBTR, SICAP, SWIFT, SIMC
  LBTR and SICAP
  Regulated: only diskettes and tapes; no USB, ...
  NAS, segmentation, SSL VPN, IPS, FW
Electronic commerce services
  Electronic commerce
  On-line transactions
  Publicly available information
  Remarks: OAV
Monitoring
  10.10.1 Audit logging
  10.10.2 Monitoring system use
  10.10.3 Protection of log information
  10.10.4 Administrator and operator logs
  10.10.5 Fault logging
  10.10.6 Clock synchronization
This work is copyright 2007, ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.
Business requirement for access control
  Access control policy
User access management
  User registration
  Privilege management
  User password management
  Review of user access rights
User responsibilities
  Password use
  Unattended user equipment
  Clear desk and clear screen policy
Network access control
  Policy on use of network services
  User authentication for external connections
  Equipment identification in networks
  Remote diagnostic and configuration port protection
  Segregation in networks
  Network connection control
  Network routing control
Operating system access control
  Secure log-on procedures
  User identification and authentication
  Password management system
  Use of system utilities
  Session time-out
  Limitation of connection time
Application access control
  Information access restriction
  Sensitive system isolation
Mobile computing and teleworking
  Mobile computing and communication
  Teleworking
12.1 Security requirements of information systems
12.1.1 Security requirements analysis and specification
  Remarks: Specified as part of the non-functional requirements in IT solution projects. Analysis and specification are still incipient; they are usually left for the end. The organisation is working towards CMMI Level 2 in IT solution management. Engineering activities follow the guidelines of the RUP model.

12.2 Correct processing in applications
12.2.1 Input data validation
12.2.2 Control of internal processing
12.2.3 Message integrity
12.2.4 Output data validation
  Remarks (row alignment lost in extraction; listed in the order they appear): According to the business rules, for integrity reasons. For web applications a vulnerability analysis is performed following the OWASP guidelines. Secure coding good practices are not yet available. The quality control process is only applied after construction, and is occasionally entrusted to a testing factory.

12.3 Cryptographic controls
12.3.1 Policy on the use of cryptographic controls
12.3.2 Key management

12.4 Security of system files
12.4.1 Control of operational software
  Remarks: Access is restricted to administrators and is based on the mechanisms inherent to them.
12.4.2 Protection of system test data
  Remarks: Not formalised; done at the user's request.
12.4.3 Access control to program source library
  Remarks: Version control software (CCC/Harvest) is used, under the responsibility of its administrator.

12.5 Security in development and support processes
12.5.1 Change control procedures
12.5.2 Technical review of applications after operating system changes
12.5.3 Restrictions on changes to software packages
12.5.4 Information leakage
12.5.5 Outsourced software development
  Remarks (row alignment lost in extraction; listed in the order they appear): The development process includes change management in projects; the quality assurance process verifies compliance. Not usual practice. Software factories are used, but intellectual property matters have not been settled.

12.6 Technical vulnerability management
12.6.1 Control of technical vulnerabilities
  Remarks: For web applications a vulnerability analysis is performed following the OWASP guidelines. Secure coding good practices are not yet available.

(Control names for rows where only the ISO/IEC 27001:2005 Annex A number survived extraction have been restored from the standard; the remarks are the original text, translated.)