This product may not be available anymore.

Information Security : Design, Implementation, Measurement and Compliance Details

  • The best price of Information Security : Design, Implementation, Measurement and Compliance by Jumia in Egypt is 300 EGP
  • Available payment methods are Cash on Delivery, Credit Card, E-Payment
  • Delivery fees are 15 EGP, with delivery expected within 2-5 day(s)
  • The first appearance of this product was on Jun 23, 2017

Technical Specifications

SKU: JU030BK0VWCTGNAFAMZ
Model: 9780849370878
Author: Layton

Jumia's Description

  • Hardback - Number of Pages: 264 pages
  • Dimensions: 162.6 x 233.7 x 20.3mm - 498.96g
  • Publication date: 20 Jul 2006
  • Publisher: Taylor & Francis Ltd
  • Imprint: Auerbach Publishers Inc.
  • Publication City/Country: London, United Kingdom

EVALUATING AND MEASURING AN INFORMATION SECURITY PROGRAM

  • INFORMATION SECURITY RISK ASSESSMENT MODEL (ISRAM(TM)): Background; Linkage; Risk Assessment Types; Relationship to Other Models and Standards; Terminology; Risk Assessment Relationship; Information Security Risk Assessment Model (ISRAM); References
  • GLOBAL INFORMATION SECURITY ASSESSMENT METHODOLOGY (GISAM(TM)): GISAM and ISRAM Relationship; GISAM Design Criteria; General Assessment Types; GISAM Components; References
  • DEVELOPING AN INFORMATION SECURITY EVALUATION (ISE(TM)) PROCESS: The Culmination of ISRAM and GISAM; Business Process
  • A SECURITY BASELINE: KRI Security Baseline Controls; Security Baseline; Information Security Policy Document; Management Commitment to Information Security; Allocation of Information Security Responsibilities; Independent Review of Information Security; Identification of Risks Related to External Parties; Inventory of Assets; Classification Guidelines; Screening; Information Security Awareness, Education, and Training; Removal of Access Rights; Physical Security Perimeter; Protecting Against External and Environmental Threats; Secure Disposal or Reuse of Equipment; Documented Operating Procedures; Change Management; Segregation of Duties; System Acceptance; Controls against Malicious Code; Management of Removable Media; Information Handling Procedures; Physical Media in Transit; Electronic Commerce; Access Control Policy; User Registration; Segregation in Networks; Teleworking; Security Requirements Analysis and Specification; Policy on the Use of Cryptographic Controls; Protection of System Test Data; Control of Technical Vulnerabilities; Reporting Information Security Events; Including Information Security in the Business Continuity Process; Identification of Applicable Legislation; Data Protection and Privacy of Personal Information; Technical Compliance Checking; References
  • BACKGROUND OF THE ISO/IEC 17799 STANDARD: History of the Standard; Internals of the Standard; Guidance for Use; High-Level Objectives; ISO/IEC Defined; References
  • ISO/IEC 17799:2005 GAP ANALYSIS: Overview; Guidance for Use; General Changes; Security Policy; Organization of Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information Systems Acquisition, Development, and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance; References

ANALYSIS OF ISO/IEC 17799:2005 (27002) CONTROLS

  • SECURITY POLICY: Information Security Policy; Summary; References
  • ORGANIZATION OF INFORMATION SECURITY: Internal Organization; External Parties; Summary; References
  • ASSET MANAGEMENT: Responsibility for Assets; Information Classification; Summary; References
  • HUMAN RESOURCES SECURITY: Prior to Employment; During Employment; Termination or Change of Employment; Summary; References
  • PHYSICAL AND ENVIRONMENTAL SECURITY: Secure Areas; Equipment Security; Summary; References
  • COMMUNICATIONS AND OPERATIONS MANAGEMENT: Operational Procedures and Responsibilities; Third-Party Service Delivery Management; System Planning and Acceptance; Protection against Malicious and Mobile Code; Backup; Network Security Management; Media Handling; Exchange of Information; Electronic Commerce Services; Monitoring; Summary; References
  • ACCESS CONTROL: Business Requirements for Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application and Information Access Control; Mobile Computing and Teleworking; Summary; References
  • INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE: Security Requirements of Information Systems; Correct Processing in Applications; Cryptographic Controls; Security of System Files; Security in Development and Support Processes; Technical Vulnerability Management; Summary; References
  • INFORMATION SECURITY INCIDENT MANAGEMENT: Reporting Information Security Events and Weaknesses; Management of Information Security Incidents and Improvements; Summary; References
  • BUSINESS CONTINUITY MANAGEMENT: Information Security Aspects of Business Continuity Management; Summary; References
  • COMPLIANCE: Compliance with Legal Requirements; Compliance with Security Policies and Standards, and Technical Compliance; Information Systems Audit Considerations; Summary; References

APPENDIX A: ISO STANDARDS CITED IN ISO/IEC 17799:2005
APPENDIX B: GENERAL REFERENCES
INDEX
