This product may not be available right now.

Price and specifications of Information Security : Design, Implementation, Measurement and Compliance

  • The best price for Information Security : Design, Implementation, Measurement and Compliance by Jumia in Egypt is 300 EGP.
  • The available payment methods are:
    cash on delivery, credit card, electronic payment
  • The delivery cost is 15 EGP, and delivery takes 2-5 days
  • This product first appeared on June 23, 2017

Technical specifications

SKU: JU030BK0VWCTGNAFAMZ
Author: Layton
Model: 9780849370878

Jumia description

  • Hardback - Number of Pages: 264 pages
  • Dimensions: 162.6 x 233.7 x 20.3mm - 498.96g
  • Publication date: 20 Jul 2006
  • Publisher: Taylor & Francis Ltd
  • Imprint: Auerbach Publishers Inc.
  • Publication City/Country: London, United Kingdom

EVALUATING AND MEASURING AN INFORMATION SECURITY PROGRAM

  • INFORMATION SECURITY RISK ASSESSMENT MODEL (ISRAM(TM)): Background; Linkage; Risk Assessment Types; Relationship to Other Models and Standards; Terminology; Risk Assessment Relationship; Information Security Risk Assessment Model (ISRAM); References
  • GLOBAL INFORMATION SECURITY ASSESSMENT METHODOLOGY (GISAM(TM)): GISAM and ISRAM Relationship; GISAM Design Criteria; General Assessment Types; GISAM Components; References
  • DEVELOPING AN INFORMATION SECURITY EVALUATION (ISE(TM)) PROCESS: The Culmination of ISRAM and GISAM; Business Process
  • A SECURITY BASELINE: KRI Security Baseline Controls; Security Baseline; Information Security Policy Document; Management Commitment to Information Security; Allocation of Information Security Responsibilities; Independent Review of Information Security; Identification of Risks Related to External Parties; Inventory of Assets; Classification Guidelines; Screening; Information Security Awareness, Education, and Training; Removal of Access Rights; Physical Security Perimeter; Protecting Against External and Environmental Threats; Secure Disposal or Reuse of Equipment; Documented Operating Procedures; Change Management; Segregation of Duties; System Acceptance; Controls against Malicious Code; Management of Removable Media; Information Handling Procedures; Physical Media in Transit; Electronic Commerce; Access Control Policy; User Registration; Segregation in Networks; Teleworking; Security Requirements Analysis and Specification; Policy on the Use of Cryptographic Controls; Protection of System Test Data; Control of Technical Vulnerabilities; Reporting Information Security Events; Including Information Security in the Business Continuity Process; Identification of Applicable Legislation; Data Protection and Privacy of Personal Information; Technical Compliance Checking; References
  • BACKGROUND OF THE ISO/IEC 17799 STANDARD: History of the Standard; Internals of the Standard; Guidance for Use; High-Level Objectives; ISO/IEC Defined; References
  • ISO/IEC 17799:2005 GAP ANALYSIS: Overview; Guidance for Use; General Changes; Security Policy; Organization of Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information Systems Acquisition, Development, and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance; References

ANALYSIS OF ISO/IEC 17799:2005 (27002) CONTROLS

  • SECURITY POLICY: Information Security Policy; Summary; References
  • ORGANIZATION OF INFORMATION SECURITY: Internal Organization; External Parties; Summary; References
  • ASSET MANAGEMENT: Responsibility for Assets; Information Classification; Summary; References
  • HUMAN RESOURCES SECURITY: Prior to Employment; During Employment; Termination or Change of Employment; Summary; References
  • PHYSICAL AND ENVIRONMENTAL SECURITY: Secure Areas; Equipment Security; Summary; References
  • COMMUNICATIONS AND OPERATIONS MANAGEMENT: Operational Procedures and Responsibilities; Third-Party Service Delivery Management; System Planning and Acceptance; Protection against Malicious and Mobile Code; Backup; Network Security Management; Media Handling; Exchange of Information; Electronic Commerce Services; Monitoring; Summary; References
  • ACCESS CONTROL: Business Requirements for Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application and Information Access Control; Mobile Computing and Teleworking; Summary; References
  • INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE: Security Requirements of Information Systems; Correct Processing in Applications; Cryptographic Controls; Security of System Files; Security in Development and Support Processes; Technical Vulnerability Management; Summary; References
  • INFORMATION SECURITY INCIDENT MANAGEMENT: Reporting Information Security Events and Weaknesses; Management of Information Security Incidents and Improvements; Summary; References
  • BUSINESS CONTINUITY MANAGEMENT: Information Security Aspects of Business Continuity Management; Summary; References
  • COMPLIANCE: Compliance with Legal Requirements; Compliance with Security Policies and Standards, and Technical Compliance; Information Systems Audit Considerations; Summary; References
  • APPENDIX A: ISO STANDARDS CITED IN ISO/IEC 17799:2005
  • APPENDIX B: GENERAL REFERENCES
  • INDEX


Pros and cons of Information Security : Design, Implementation, Measurement and Compliance

  • There are no ratings for this product.
