Implementing ISO27001 in a Windows(R) Environment - Bookswagon
About the Book

The information security management standard (ISMS), ISO/IEC 27001, provides a significant implementation challenge for all organisations. ISO27001 is a management standard: it sets out a specification for how management should identify, from a business risk perspective, the controls and safeguards that should be applied to information assets in order to assure their confidentiality, integrity and availability. Management - and also the ISMS implementation project manager - will usually have a general or quality management background. A significant number of the controls to be applied will, of necessity, be technical and will relate to how IT hardware and software are set up and configured. The technical knowledge to carry out this configuration is usually within the IT or corporate information security team and, because information security is a business responsibility, this team should never have overall accountability for determining the actual controls required by the ISMS. As a result, there is often a gulf in understanding as to what is required between the ISO27001 ISMS project manager and those responsible for implementing the technical controls. This book does an outstanding job of helping parties on both sides to bridge the gulf. It identifies the recommended technical controls of ISO27001's Annex A and, for a Microsoft environment, provides guidance on how (if, on the basis of a risk assessment, they are considered necessary) to implement them. This book fills a major hole in the guidance literature for ISO27001 and will make a significant contribution to helping both project managers and IT and security staff get to grips with what controls are appropriate to mitigate identified risks.

Table of Contents:
Introduction

Chapter 1: Information and Information Security
  • Information security concepts
  • Other information security concepts
  • The importance of information security

Chapter 2: Using an ISMS to Counter the Threats
  • System security versus information security
  • The structure of an ISMS
  • Managing exceptions to the policy

Chapter 3: An Introduction to ISO27001
  • The ISO27000 standards family
  • History of ISO27001
  • What is in the ISO27001 standard?
  • The plan, do, check and act cycle (PDCA)
  • What are the benefits of ISO27001?

Chapter 4: Identify your Information Assets
  • Define the scope of the ISMS
  • Identifying your information security assets

Chapter 5: Conducting a Risk Assessment
  • What is risk?
  • Managing risks
  • The different types of risk analysis
  • Risk management tools

Chapter 6: An Overview of Microsoft Technologies
  • Microsoft(R) Windows Server(R) 2008
  • Microsoft(R) Windows Vista(R)
  • Microsoft(R) Forefront
  • Microsoft(R) Systems Center
  • Microsoft(R) Windows Server(R) Update Services
  • Microsoft(R) Baseline Security Analyzer
  • Microsoft Security Risk Management Guide
  • Microsoft(R) SPIDER Technical Compliance Management
  • Microsoft(R) Threat Analysis and Modeling Enterprise Edition
  • Microsoft(R) CAT.NET
  • Microsoft(R) Source Code Analyzer for SQL Injection
  • XSS Detect Beta Code Analysis Tool

Chapter 7: Implementing ISO27001 in a Microsoft Environment
  • Section 4 Information security management system
  • Section A.5 Security policy
  • Section A.6 Organisational security
  • Section A.7 Asset management
  • Section A.8 Human resource security
  • Section A.9 Physical and environmental security
  • Section A.10 Communications and operations management
  • Section A.11 Access control
  • Section A.12 Information systems acquisition development and maintenance
  • Section A.13 Information security incident management
  • Section A.14 Business continuity management
  • Section A.15 Compliance

Chapter 8: Securing the Windows(R) Environment
  • Windows Server(R) 2008 architecture
  • Domain user accounts naming standards

Chapter 9: Securing the Microsoft(R) Windows Server(R) Platform
  • Recommended settings

Chapter 10: Auditing and Monitoring
  • Configuring auditing of file and resource access
  • Event log settings
  • Events to record

Chapter 11: Securing your Servers
  • Protecting files and directories

Appendix 1: Overview of Security Settings for Windows Server(R) 2008 Servers and Domain Controllers
  • Service pack and hotfixes
  • Account and audit policies
  • Event log settings
  • Security settings
  • Service settings
  • User rights
  • Registry permissions
  • File and registry auditing

Appendix 2: Bibliography, Reference and Further Reading
  • ISO27001 resources
  • Microsoft resources
  • Microsoft products
  • Other resources

ITG Resources

About the Author:
Brian Honan is recognised as an industry expert on information security, in particular the ISO27001 information security standard, and has addressed a number of major conferences relating to the management and securing of information technology. An independent consultant based in Dublin, Ireland, Brian provides consulting services to clients in various industry segments and his work also includes advising various Government security agencies and the European Commission. Brian also established Ireland's first ever national Computer Security Incident Response Team. He has also had a number of technical papers published and has been technical editor and reviewer of a number of industry-recognised publications. Brian is also the European editor for the SANS Institute's weekly SANS NewsBites, a semi-weekly electronic newsletter. He is a member of the Information Systems Security Association, Irish Information Security Forum, Information Systems Audit and Control Association, a member of the Irish Computer Society and the Business Continuity Institute, and was a founding member of the Irish Corporate Windows NT(R) User Group.




Product Details
  • ISBN-13: 9781905356799
  • Publisher: IT Governance Publishing
  • Publisher Imprint: IT Governance Publishing
  • Language: English
  • ISBN-10: 190535679X
  • Publisher Date: 03 Feb 2009
  • Binding: Digital (delivered electronically)
  • No of Pages: 308

