ISO 17799 Checklist
BS 7799.2:2002
for SANS
Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant.
Approved by: Algis Kibirkstis
Owner: SANS
Extracts from BS 7799 part 1: 1999 are reproduced with the permission of BSI under license number 2003DH0251. British Standards can be purchased from BSI Customer
Services, 389 Chiswick High Road, London W4 4AL. Tel : 44 (0)20 8996 9001. email: customerservices@bsi-global.com
SANS Institute
BS 7799 Audit Checklist
4/02/2022
Table of Contents

Security Policy ... 9
  Information security policy ... 9
    Information security policy document ... 9
    Review and evaluation ... 9
Organisational Security ... 10
  Information security infrastructure ... 10
    Management information security forum ... 10
    Information security coordination ... 10
    Allocation of information security responsibilities ... 10
    Authorisation process for information processing facilities ... 10
    Specialist information security advice ... 11
    Co-operation between organisations ... 11
    Independent review of information security ... 11
  Security of third party access ... 11
    Identification of risks from third party access ... 11
    Security requirements in third party contracts ... 12
  Outsourcing ... 12
    Security requirements in outsourcing contracts ... 12
Personnel security ... 14
  Security in job definition and Resourcing ... 14
    Including security in job responsibilities ... 14
    Personnel screening and policy ... 14
    Confidentiality agreements ... 14
    Terms and conditions of employment ... 15
  User training ... 15
    Information security education and training ... 15
  Responding to security incidents and malfunctions ... 15
    Reporting security incidents ... 15
    Reporting security weaknesses ... 15
    Reporting software malfunctions ... 16
    Learning from incidents ... 16
    Disciplinary process ... 16
Access Control ... 29
  Business Requirements for Access Control ... 29
    Access Control Policy ... 29
  User Access Management ... 30
    User Registration ... 30
    Privilege Management ... 30
    User Password Management ... 30
    Review of user access rights ... 30
  User Responsibilities ... 30
    Password use ... 31
    Unattended user equipment ... 31
  Network Access Control ... 31
    Policy on use of network services ... 31
    Enforced path ... 31
    User authentication for external connections ... 32
    Node Authentication ... 32
    Remote diagnostic port protection ... 32
    Segregation in networks ... 32
    Network connection protocols ... 32
    Network routing control ... 33
    Security of network services ... 33
  Operating system access control ... 33
    Automatic terminal identification ... 33
    Terminal log-on procedures ... 33
    Key management ... 40
  Security of system files ... 40
    Control of operational software ... 40
    Protection of system test data ... 40
    Access Control to program source library ... 40
  Security in development and support process ... 41
    Change control procedures ... 41
    Technical review of operating system changes ... 41
    Restrictions on changes to software packages ... 41
    Covert channels and Trojan code ... 41
    Outsourced software development ... 42
Compliance ... 44
  Compliance with legal requirements ... 44
    Identification of applicable legislation ... 44
    Intellectual property rights (IPR) ... 44
    Safeguarding of organisational records ... 45
    Data protection and privacy of personal information ... 45
    Prevention of misuse of information processing facility ... 45
    Regulation of cryptographic controls ... 46
    Collection of evidence ... 46
  Reviews of Security Policy and technical compliance ... 46
References ... 47
Audit Checklist

Each item is numbered with the checklist number followed by the corresponding ISO 17799 clause in brackets.

Security Policy

1.1 (ISO 17799 3.1) Information security policy

1.1.1 (3.1.1) Information security policy document
Whether there exists an information security policy which is approved by management, published and communicated as appropriate to all employees.
Whether it states the management commitment and sets out the organisational approach to managing information security.

1.1.2 (3.1.2) Review and evaluation
Whether the security policy has an owner who is responsible for its maintenance and review according to a defined review process.
Whether the process ensures that a review takes place in response to any change affecting the basis of the original assessment, for example significant security incidents, new vulnerabilities, or changes to the organisational or technical infrastructure.
Organisational Security

2.1 (ISO 17799 4.1) Information security infrastructure

2.1.1 (4.1.1) Management information security forum
Whether there is a management forum to ensure there is clear direction and visible management support for information security initiatives within the organisation.

2.1.2 (4.1.2) Information security coordination
Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate the implementation of information security controls.

2.1.3 (4.1.3) Allocation of information security responsibilities
Whether responsibilities for the protection of individual assets and for carrying out specific security processes are clearly defined.

2.1.4 (4.1.4) Authorisation process for information processing facilities
Whether there is a management authorisation process in place for any new information processing facility. This should include all new facilities, such as hardware and software.
Personnel security
4.1 (ISO 17799 6.1) Security in job definition and resourcing
4.3.5 (6.3.5) Disciplinary process
Whether there is a formal disciplinary process in place for employees who have violated organisational security policies and procedures. Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures.
Access Control

7.1 (ISO 17799 9.1) Business Requirements for Access Control

7.1.1 (9.1.1) Access Control Policy
Whether the business requirements for access control have been defined and documented.
Whether the access control policy addresses the rules and rights for each user or group of users.
Whether users and service providers were given a clear statement of the business requirements to be met by access controls.

7.2 (ISO 17799 9.2) User Access Management

7.2.1 (9.2.1) User Registration
Whether there is a formal user registration and de-registration procedure for granting access to multi-user information systems and services.

7.2.2 (9.2.2) Privilege Management
Whether the allocation and use of privileges in a multi-user information system environment is restricted and controlled, i.e. privileges are allocated on a need-to-use basis and only after a formal authorisation process.
7.4.6 (9.4.6) Segregation in networks
Whether the network (where business partners and/or third parties need access to the information system) is segregated using perimeter security mechanisms such as firewalls.

7.4.7 (9.4.7) Network connection protocols
Whether there exists any network connection control for shared networks that extend beyond the organisational boundaries. Example: electronic mail, web access, file transfers, etc.

7.4.8 (9.4.8) Network routing control
Whether there exist any network controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with non-organisation users.
Whether the routing controls are based on positive source and destination identification mechanisms. Example: Network Address Translation (NAT).

7.4.9 (9.4.9) Security of network services
Whether the organisation, using public or private network services, ensures that a clear description of the security attributes of all services used is provided.
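An auditor answering 7.4.6 and 7.4.8 usually has to check an exported firewall ruleset by hand. The following is an added example, not part of the SANS checklist, of turning the two questions into a mechanical check: does every allow rule name a positive source and destination (no "any"), and does every permitted zone-to-zone flow match the segregation policy? The zone address plan, the allowed flows and the ruleset are constructed for illustration; a real ruleset would be exported from the firewall and parsed into the same Rule shape.

```python
"""Audit helper for the network segregation (9.4.6) and routing-control (9.4.8)
questions. Added example, not part of the SANS checklist; zone plan, policy
and ruleset below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str     # CIDR, or "any"
    dst: str     # CIDR, or "any"
    dport: str   # destination port, or "any"
    action: str  # "allow" or "deny"

# Hypothetical address plan: one network per security zone.
ZONES = {
    "partner":  ipaddress.ip_network("203.0.113.0/24"),  # third-party / business-partner access
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),    # services exposed to partners
    "internal": ipaddress.ip_network("10.10.0.0/16"),    # internal systems
}

# Zone-to-zone flows the (assumed) access control policy permits.
ALLOWED_FLOWS = {("partner", "dmz"), ("internal", "dmz")}

def zone_of(cidr: str) -> Optional[str]:
    """Return the zone containing the given CIDR, or None for 'any' or unknown space."""
    if cidr == "any":
        return None
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone_net in ZONES.items():
        if net.version == zone_net.version and net.subnet_of(zone_net):
            return name
    return None

Finding = Tuple[int, str, str]  # (rule index, finding code, explanation)

def audit_rules(rules: List[Rule]) -> List[Finding]:
    """Flag allow rules that lack positive source/destination identification (9.4.8)
    or that permit a zone-to-zone flow the segregation policy does not allow (9.4.6)."""
    findings: List[Finding] = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue  # deny rules cannot breach the policy
        if r.src == "any" or r.dst == "any":
            findings.append((i, "NO_POSITIVE_ID",
                             f"allow rule {i} uses 'any' for source or destination"))
            continue
        flow = (zone_of(r.src), zone_of(r.dst))
        if None in flow:
            findings.append((i, "UNKNOWN_ZONE",
                             f"allow rule {i} references address space outside the zone plan"))
        elif flow not in ALLOWED_FLOWS:
            findings.append((i, "SEGREGATION",
                             f"allow rule {i} permits {flow[0]} -> {flow[1]} on port {r.dport}"))
    return findings

# Constructed ruleset, as it might be exported from a perimeter firewall.
RULES = [
    Rule("203.0.113.0/24", "192.0.2.10/32", "443", "allow"),  # partner -> DMZ web service
    Rule("203.0.113.0/24", "10.10.5.0/24",  "445", "allow"),  # partner -> internal file share
    Rule("any",            "192.0.2.10/32", "443", "allow"),  # anyone -> DMZ web service
    Rule("10.10.0.0/16",   "192.0.2.0/24",  "any", "allow"),  # internal -> DMZ
    Rule("any",            "any",           "any", "deny"),   # default deny
]

if __name__ == "__main__":
    for idx, code, msg in audit_rules(RULES):
        print(f"{code:15} {msg}")
```

Run against the constructed ruleset, the check reports rule 1 (partner network reaching an internal file share) as a segregation breach and rule 2 (source "any") as lacking positive source identification; the default deny and the two policy-conformant allows produce no findings. Deny rules are skipped deliberately: only what a firewall permits can breach the access control policy.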
7.5 (ISO 17799 9.5) Operating system access control
8.3.4 (10.3.4) Non-repudiation services
Whether non-repudiation services were used where it might be necessary to resolve disputes about the occurrence or non-occurrence of an event or action. Example: a dispute involving the use of a digital signature on an electronic payment or contract.

8.3.5 (10.3.5) Key management
Whether a management system is in place to support the organisation's use of cryptographic techniques such as secret key techniques and public key techniques.
Whether the key management system is based on an agreed set of standards, procedures and secure methods.

8.4 (ISO 17799 10.4) Security of system files

8.4.1 (10.4.1) Control of operational software
Whether there are any controls in place for the implementation of software on operational systems. This is to minimise the risk of corruption of operational systems.

8.4.2 (10.4.2) Protection of system test data
Whether system test data is protected and controlled. The use of operational databases containing personal information should be avoided for test purposes. If such information is used, the data should be
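Item 8.4.2 says an operational database holding personal information should not be used as-is for testing. The usual way to satisfy that while keeping realistic test data is to derive a masked copy of the extract. The block below is an added example, not part of the SANS checklist, of one such derivation: direct identifiers are replaced with keyed, deterministic tokens so the same customer maps to the same token in every table (joins in the test suite still work), while the masking key stays outside the test environment. The records, the field classification and the key are all constructed for illustration.

```python
"""Masking an operational extract before it is used as test data (checklist
8.4.2 / ISO 17799 10.4.2). Added example, not part of the SANS checklist; the
records are constructed (fictional people) and the field classification is
assumed for this illustration."""
import hmac
import hashlib
import json
from typing import Dict, List

# Constructed sample of an operational extract (fictional people).
OPERATIONAL: Dict[str, List[Dict]] = {
    "customers": [
        {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com", "plan": "gold"},
        {"customer_id": "C1002", "name": "Bob Sample",    "email": "bob@example.org",   "plan": "silver"},
    ],
    "orders": [
        {"order_id": "O1", "customer_id": "C1001", "amount": 42.5},
        {"order_id": "O2", "customer_id": "C1001", "amount": 7.0},
        {"order_id": "O3", "customer_id": "C1002", "amount": 99.9},
    ],
}

PII_FIELDS = {"name", "email"}   # direct identifiers: replaced outright
LINK_FIELDS = {"customer_id"}    # keys joining tables: replaced consistently

def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token: the same input always yields the same output,
    but reproducing the mapping requires the key, which is kept out of test."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:12]

def mask_record(rec: Dict, key: bytes) -> Dict:
    out = {}
    for field, value in rec.items():
        if field in PII_FIELDS:
            token = pseudonym(key, field, str(value))
            out[field] = f"{token}@test.invalid" if field == "email" else f"user-{token}"
        elif field in LINK_FIELDS:
            out[field] = "P" + pseudonym(key, field, str(value))
        else:
            out[field] = value  # non-personal business data is kept so tests stay realistic
    return out

def mask_extract(tables: Dict[str, List[Dict]], key: bytes) -> Dict[str, List[Dict]]:
    return {name: [mask_record(r, key) for r in rows] for name, rows in tables.items()}

def leaks_pii(masked: Dict[str, List[Dict]], original: Dict[str, List[Dict]]) -> bool:
    """True if any original direct-identifier value survives anywhere in the masked output."""
    blob = json.dumps(masked)
    for rows in original.values():
        for rec in rows:
            for field in PII_FIELDS:
                if field in rec and str(rec[field]) in blob:
                    return True
    return False

def orders_per_customer(tables: Dict[str, List[Dict]]) -> List[int]:
    """Sorted order counts per customer; equal before and after masking if joins survived."""
    counts: Dict[str, int] = {}
    for o in tables["orders"]:
        counts[o["customer_id"]] = counts.get(o["customer_id"], 0) + 1
    return sorted(counts.values())

if __name__ == "__main__":
    key = b"masking-key-held-outside-test-env"  # placeholder; use a managed secret in practice
    masked = mask_extract(OPERATIONAL, key)
    print(json.dumps(masked, indent=2))
    print("PII leaked:", leaks_pii(masked, OPERATIONAL))
```

The leaks_pii check is the evidence an auditor would ask for under 8.4.2: it confirms that no original name or address string appears in the test copy, while orders_per_customer confirms the masked copy still joins the same way as the operational data. Where test data has to be refreshed from production regularly, the same key must be reused so tokens stay stable across refreshes, which is exactly why the key belongs with the production-side masking job rather than in the test environment.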
...assessing business continuity plan
Whether business continuity plans were maintained by regular reviews and updates to ensure their continuing effectiveness.
Whether procedures were included within the organisation's change management programme to ensure that business continuity matters are appropriately addressed.

Compliance

10.1 (ISO 17799 12.1) Compliance with legal requirements

10.1.1 (12.1.1) Identification of applicable legislation
Whether all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system.
Whether specific controls and individual responsibilities to meet these requirements were defined and documented.

10.1.2 (12.1.2) Intellectual property rights
Whether there exist any procedures to ensure compliance with legal restrictions on the use of material in respect of which there may be intellectual property
References

1. Information Security Management, Part 2: Specification for Information Security Management Systems, AS/NZS 7799.2:2003 / BS 7799.2:2002
2. Information Technology – Code of Practice for Information Security Management, AS/NZS ISO/IEC 17799:2001