ISO 17799 is a former international security standard that has since been withdrawn. It was not withdrawn because anything was wrong with it. On the contrary, it was so well received and so widely adopted that it was thoroughly updated and reissued as a new standard under a new name (ISO/IEC 27002). You will learn about the new standard in the next section. Because ISO 17799 in its original form was such an influential information security standard, it is important to understand it. The standard documents a comprehensive set of controls that represent best practices in information security. It actually consists of two separate parts:
The ISO 17799 code of practice
The BS 7799-2 specification for an information security management system (ISMS), against which an organization could be certified
The main purpose of the standard is to identify the security controls needed for information systems in business environments. The standard originally appeared in Britain as the “DTI Code of Practice” and was later renamed BS 7799. It did not gain wide international acceptance at first, because it was seen as inflexible and overly simplistic in its approach to controls. Its developers released a revised version in 1999 to address these weaknesses and then submitted it to ISO for accreditation and publication. ISO published it as ISO 17799 in 2000.
Interest in the standard grew quickly. Several companies began offering tools and services to help organizations implement ISO 17799, and it soon became the predominant information security standard. ISO 17799 gave many organizations a framework on which to build their security policies. Full compliance with the standard became a common goal, and it also became a differentiator among competitors, because it gave potential customers a way to evaluate how seriously an organization took the protection of its data.
The ISO divides the standard into 10 major sections:
Security Policy—A statement of management direction.
Security Organization—Governance of information security, or how information security should be enforced.
Asset Classification and Control—Procedures to classify and manage information assets.
Personnel Security—Controls that address the people in an organization, such as defining security responsibilities in job descriptions, screening staff, training users, and reporting security incidents.
Physical and Environmental Security—Protection of computer facilities.
Communications and Operations Management—Managing technical security controls in systems and networks.
Access Control—Controls that limit access rights to network resources, applications, functions, and data.
System Development and Maintenance—Guidelines for designing and incorporating security into applications.
Business Continuity Management—Protecting, maintaining, and recovering business-critical processes and systems.