Achieving Effective IT Security with Continuous ISO 27001 Compliance
 


The Tripwire Enterprise solution provides organizations with powerful configuration control through its configuration assessment and change auditing capabilities. In this white paper, learn how with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. This provides immediate visibility into the state of their systems and, by automating the process, saves time and effort over manual efforts.

White Paper here: http://www.tripwire.com/register/effective-security-with-a-continuous-approach-to-iso-27001-compliance/


Document Transcript

WHITE PAPER: Achieving Effective IT Security with Continuous ISO 27001 Compliance
Executive Summary

ISO 27001 is recognized internationally as a structured methodology for information security and is widely used as a benchmark for protecting sensitive and private information. In this white paper, learn how with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. Tripwire Enterprise provides organizations with powerful configuration control through its compliance policy management, change auditing, real-time analysis of change and one-touch access to remediation advice. You'll also be introduced to Tripwire Log Center, Tripwire's complete log and event management solution that also fulfills many controls specified in the ISO 27001 standard.

Tripwire, the leading provider of IT security and compliance automation solutions, helps organizations gain continuous compliance with regulations, standards like ISO 27001, and internal policy by helping them take control of security and compliance of their IT infrastructure. Tripwire security and compliance automation solutions include Tripwire Enterprise for configuration control and Tripwire Log Center for log and security event management. Tripwire Customer Services can help organizations quickly maximize the value of their Tripwire technology implementation. Tripwire solutions deliver visibility across the entire IT infrastructure, intelligence to enable better and faster decisions, and automation that reduces manual, repetitive tasks.

In the increasingly regulated world of information security, uniform standards are sometimes hard to find. Numerous governmental laws and directives exist, but these typically cover specific types of data (such as the EU Data Protection Directive, PIPEDA and so forth covering sensitive personal information) or regulate a specific market sector or specific company function (such as internal controls on reporting of financial information to the public, as in Sarbanes-Oxley (SOX) and Japan's Financial Instrument and Exchange Law, known as "JSOX"). Industry standards that are binding under a system of contracts also exist, but these are again limited to participants in a particular industry (most notably, PCI DSS for credit card merchants, members and service providers). To what metric does an entity turn if it seeks an "umbrella"-like standard that is neither imposed by law nor specific to a certain industry? What benefits are achieved by implementing such a standard?

ISO 27001: THE UMBRELLA FOR ISMS

The one standard that cuts across all security-related operations and subject matter is the International Standards Organization's IEC/ISO 27001. The ISO 27001 standard was published in October 2005 as a replacement to the BS7799-2 standard. It is a certification standard for the creation and maintenance of an Information Security Management System (ISMS), and in that sense is more like a "globe" than a "roadmap" to information security. Organizations that seek ISO certification of their ISMS are examined against ISO 27001. The objective of the standard is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving" a company's ISMS. Its fundamental purpose is to act as a compendium of techniques for securing IT environments and thus effectively managing business risk as well as demonstrating regulatory compliance. The standard is not specific to any industry or business function.

The standard follows the four-part "Plan-Do-Check-Act" (PDCA) approach. It contains eight separate sections, the first three of which are introductory and the latter five of which outline actions to be taken:

• Section 4: Information Security Management System. The entity must identify risks, adopt an ISMS plan tailored to these risks, and monitor, review, maintain and improve the ISMS.
• Section 5: Management Responsibility. Management must adopt, implement and train staff on the ISMS.
• Section 6: Internal ISMS Audits. Audit the ISMS at regular intervals.
• Section 7: Management Review. Assess audit results and update the risk assessment to check the effectiveness of the ISMS.
• Section 8: ISMS Improvement. Utilize continuous improvement, take corrective action and adopt measures for preventative action.
ISO 27001 does not, however, mandate specific procedures nor define the implementation techniques for gaining certification. For further implementation steps, the standard points to a set of eleven control objectives and controls that are taken from ISO 17799:2005, "Information technology—Security techniques—Code of practice for information security management."

BENEFITS OF ADOPTING ISO 27001

ISO 27001 is recognised internationally as a structured methodology for information security and is widely used as a benchmark for protecting sensitive and private information. A widely held opinion is that ISO 27001 is an umbrella over other requirements of law or regulation (such as JSOX, SOX and the Data Protection Directive) or contractual standards (PCI DSS) because it requires companies to review such obligations when assessing risk under section 4.2.1.b)2).

Companies that choose to adopt ISO 27001 also demonstrate their commitment to high levels of information security, as the principles of the standard synch well with the principles of the OECD Guidelines for the Security of Information Systems and Networks. It is also compatible with other management standards such as ISO 9001:2000 (Quality management systems—Requirements) and ISO 14001:2004 (Environmental management systems—Requirements with guidance for use). For these reasons, companies have adopted the standard because it works well with management principles or just makes good business sense.

In the current global marketplace, several benefits flow to a company that obtains certification to ISO 27001:

• Standardization of practice: Systems from different companies are more likely to work together if the same standard applies;
• An international standard: By complying with an international standard, management proves that they are taking due diligence in ensuring the security of their customer data. In fact, one of the stated reasons by Indian companies for certification is to demonstrate security readiness to their international customers;
• Alignment with the organisation: Fosters interdepartmental cooperation, as departments need to be in alignment in order to ensure certification;
• Alignment with industry groups: Cross-border industry groups can agree on a common standard rather than having to refer to country-specific legislation. For example, ISO 27001 is widely accepted and implemented throughout EMEA, many of whose members require their business partners to have certification before working with them;
• Alignment with governmental guidelines: Industry groups that are urged by governments to self-regulate can turn to a common standard. For example, adoption of such guidelines for privacy and security is encouraged by the Japanese government.

Tripwire Enterprise and the ISO 27001 Controls

The Tripwire Enterprise solution provides organisations with powerful configuration control through its compliance policy management, change auditing, real-time analysis of changes and one-touch access to remediation guidance. With Tripwire Enterprise, organisations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. This provides organisations immediate visibility into the state of their systems and, through automation, saves time and effort over manual efforts.

For non-compliant configurations, Tripwire Enterprise reports that condition as part of its risk assessment feature and offers remediation guidance for bringing the settings into compliance. Once this state has been achieved, Tripwire's change auditing monitors systems for changes that could affect ISO 27001 compliance, maintaining the IT infrastructure in a known and trusted state.

Tripwire Enterprise then analyzes each change in real time using ChangeIQ™ capabilities. These capabilities automatically examine each change to see if it introduces risk or non-compliance. If it does, Tripwire Enterprise flags it for immediate attention and possible remediation; if not, Tripwire Enterprise auto-promotes it. Given that the majority of changes are intentional and beneficial, this auto-promotion capability saves IT countless hours manually reviewing changes.

There are several controls that reference IT technology in ISO 27001. Not all can be tested adequately with software, or are relevant to the IT infrastructure. Tripwire Enterprise provides two means of coverage for the ISO 27001 controls: compliance policy management, which proactively assesses settings and checks that they are compliant against the controls, and change auditing, which continuously monitors settings for changes that may take them out of compliance. For settings that are not compliant, Tripwire Enterprise provides the necessary remediation steps to bring that setting back into compliance. There are some controls that Tripwire Enterprise can address by using its industry-leading change monitoring. Tripwire can monitor various levels of settings as part of the Change Management controls that are specified in the ISO 27001 standard.

HIGH PERFORMANCE LOG AND EVENT MANAGEMENT FROM TRIPWIRE

Tripwire Log Center also helps meet the log compliance requirements of ISO 27001 with ultra-efficient log management and sophisticated event management in a single, easy-to-deploy solution. When organizations combine Tripwire Log Center with Tripwire Enterprise, they broaden compliance coverage and reduce security risk by increasing visibility, intelligence and automation.

Controls addressed by Tripwire Enterprise include:

A.10 COMMUNICATIONS AND OPERATIONS MANAGEMENT

A.10.1 – Operational Procedures and Responsibilities
The objective of this control is to ensure the correct and secure operation of information processing facilities.

SUBSECTION: 10.1.2 Change Management
ISO 27001 REQUIREMENT: Changes to information processing facilities and systems shall be controlled.
TRIPWIRE ENTERPRISE: Tripwire Enterprise can monitor any changes to file systems, databases and Active Directory, providing the what and who information for any changes that were made to critical systems, thus enforcing a sound change process.

SUBSECTION: 10.1.3 Segregation of duties
ISO 27001 REQUIREMENT: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modifications or misuse of the organisation's assets.
TRIPWIRE ENTERPRISE: Using Roles within Tripwire Enterprise, an organisation has complete control over who can have access to files, directories and critical areas within its IT infrastructure, thus preventing unauthorised or unintentional modifications of files.

SUBSECTION: 10.1.4 Separation of development, test and operational facilities
ISO 27001 REQUIREMENT: Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.
TRIPWIRE ENTERPRISE: User groups can be developed within Tripwire Enterprise to separate duties of individuals within those groups, restricting permissions and file access rights where necessary to reduce the risk of any unauthorised or unintentional changes to systems.
A.10.2 – Third Party Service Delivery Management
The objective of this control is to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

SUBSECTION: 10.2.3 Managing changes to third party services
ISO 27001 REQUIREMENT: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.
TRIPWIRE ENTERPRISE: Tripwire Enterprise can monitor changes to critical systems and be aligned with applications, procedures and business systems to ensure changes don't happen, and if they do, give visibility to those changes, thus reducing risk.

A.10.4 – Protection Against Malicious and Mobile Code
The objective of this control is to protect the integrity of software and information.

SUBSECTION: 10.4.1 Controls against malicious code
ISO 27001 REQUIREMENT: Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.
TRIPWIRE ENTERPRISE: By monitoring critical files, Tripwire Enterprise can detect when edits to files have been made, who made the edits, and whether code was changed, deleted or new code added, thus creating a process around code management and reducing the risk of malicious behavior.

A.10.6 – Network Security Management
The objective of this control is to ensure the protection of information in networks and the protection of the supporting infrastructure.

SUBSECTION: 10.6.1 Network Controls
ISO 27001 REQUIREMENT: Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
TRIPWIRE ENTERPRISE: Tripwire Enterprise provides critical assessment of network configuration settings to help maintain the ongoing security of internal systems and applications that rely upon the network. For example, ensuring that anonymous SID/name translation is disabled in the security options policy of a Windows 2003 Server. This setting prevents the null user from translating a binary SID into an actual account name, which may provide useful information that could be used in an attack.

SUBSECTION: 10.6.2 Security of Network Services
ISO 27001 REQUIREMENT: Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.
TRIPWIRE ENTERPRISE: Maintaining security best practices on important network services is crucial for securing any network. Tripwire Enterprise provides ongoing assessment of network services to measure individual compliance with established best practices. For example, validating that the License Logging Service is disabled on a Windows system. This service is a license-management tool with a vulnerability that permits remote code execution. Disabling this service, as well as other unnecessary services, is a security best practice that helps limit avenues of attack.
A.10.7 – Media Handling
The objective of this control is to prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities.

SUBSECTION: 10.7.1 Management of Removable Media
ISO 27001 REQUIREMENT: There should be procedures in place for the management of removable media.
TRIPWIRE ENTERPRISE: An unmanaged approach to removable media can be a serious vulnerability. Tripwire Enterprise provides assurance that system configuration settings are configured to reduce common risks associated with removable media. For example, ensuring that security options on a Windows system are configured to only allow administrators to format and eject removable NTFS media.

A.10.8 – Exchange of Information
The objective of this control is to maintain the security of information and software exchanged within an organisation and with any external entity.

SUBSECTION: 10.8.1 Information Exchange Policies and Procedures
ISO 27001 REQUIREMENT: Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communications facilities.
TRIPWIRE ENTERPRISE: Compliance policy management helps to ensure that proper measures are in place to safeguard the exchange of information and eliminate unnecessary communication risks. For example, verifying that the NetMeeting Remote Desktop Sharing Service is disabled on a Windows system. This service supports NetMeeting, but may be subject to hacker attacks and buffer overflows.

SUBSECTION: 10.8.5 Business Information Systems
ISO 27001 REQUIREMENT: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.
TRIPWIRE ENTERPRISE: Tripwire Enterprise verifies that proper system configuration settings are used to safeguard information necessary for disparate business information systems to interconnect. For example, ensuring that strong key protection is required for user keys stored on a covered system. Strong key protection requires users to enter a password associated with a key every time they use the key. This helps prevent user keys from being compromised if a computer is stolen or hijacked.

A.10.9 – Electronic Commerce Services
The objective of this control is to ensure the security of electronic commerce services, and their secure use.

SUBSECTION: 10.9.3 Publicly Available Information
ISO 27001 REQUIREMENT: The integrity of information being made available on a publicly available system shall be protected to prevent unauthorised modification.
TRIPWIRE ENTERPRISE: Tripwire Enterprise provides the use of "roles" to restrict unauthorised access to important files as well as the necessary monitoring of these files, such that changes made are flagged and alerts sent to pertinent individuals.
A.10.10 – Monitoring
The objective of this control is to detect unauthorised information processing activities.

SUBSECTION: 10.10.1 Audit Logging
ISO 27001 REQUIREMENT: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
TRIPWIRE ENTERPRISE: The compliance policy manager in Tripwire Enterprise verifies that important audit logging settings are configured to support possible audit investigations and ongoing access control monitoring.

SUBSECTION: 10.10.3 Protection of Log Information
ISO 27001 REQUIREMENT: Logging facilities and log information shall be protected against tampering and unauthorised access.
TRIPWIRE ENTERPRISE: Assuming that other log settings are configured correctly, a problem with logging events could indicate a security threat. The compliance policy manager in Tripwire Enterprise verifies that security options are configured to shut down a system if an event cannot be logged to the security log for any reason.

SUBSECTION: 10.10.4 Administrator and Operator Logs
ISO 27001 REQUIREMENT: System administrator and system operator activities shall be logged.
TRIPWIRE ENTERPRISE: The compliance policy manager in Tripwire Enterprise verifies that application, system and security logs can be configured for necessary storage capacity. For example, the maximum size of the security log should be at least 80 MB to store an adequate amount of log data for auditing purposes.

SUBSECTION: 10.10.6 Clock Synchronisation
ISO 27001 REQUIREMENT: The clocks of all relevant information processing systems within an organisation or security domain shall be synchronised with an agreed accurate time source.
TRIPWIRE ENTERPRISE: For Windows systems, the compliance policy manager in Tripwire Enterprise determines if the Windows Time Service is used and that the system is configured to synchronise with a secure, authorised time source.

A.11 ACCESS CONTROL

A.11.2 – User Access Management
The objective of this control is to ensure authorised user access and to prevent unauthorised access to information systems.

SUBSECTION: 11.2.2 Privilege Management
ISO 27001 REQUIREMENT: The allocation and use of privileges shall be restricted and controlled.
TRIPWIRE ENTERPRISE: The compliance policy manager in Tripwire Enterprise tests numerous privilege-related settings to ensure restrictions are in place and configured correctly. For example, Windows systems should be configured to disallow the granting of the SeTcbPrivilege right to any user. This right allows users to access the operating system in the Local System security context, which overrides the permissions granted by user group memberships.
A.11.3 – User Responsibilities
The objective of this control is to prevent unauthorised user access, and compromise or theft of information and information processing facilities.

SUBSECTION: 11.3.1 Password Use
ISO 27001 REQUIREMENT: Users shall be required to follow good security practices in the selection and use of passwords.
TRIPWIRE ENTERPRISE: Enforcing proper password security standards is critical to securing any system. The compliance policy manager in Tripwire Enterprise verifies that common best practices are being used for password-related properties such as complexity, minimum length and maximum age.

SUBSECTION: 11.3.2 Unattended User Equipment
ISO 27001 REQUIREMENT: Users shall ensure that unattended equipment has appropriate protection.
TRIPWIRE ENTERPRISE: Tripwire Enterprise verifies that each system is configured to use a password-protected screen saver that activates within the appropriate idle time and offers no grace period before password entry is required.

SUBSECTION: 11.3.3 Clear Desk and Clear Screen Policy
ISO 27001 REQUIREMENT: A clear desk policy for papers and removable media and a clear screen policy for information processing facilities shall be adopted.
TRIPWIRE ENTERPRISE: The compliance policy manager in Tripwire Enterprise validates that the current user has a password-protected screen saver that is active.

A.11.4 – Network Access Control
The objective of this control is to prevent unauthorised access to networked services.

SUBSECTION: 11.4.1 Policy on Use of Network Services
ISO 27001 REQUIREMENT: Users shall only be provided with access to the services that they have been specifically authorised to use.
TRIPWIRE ENTERPRISE: Tripwire Enterprise provides a number of compliance policy management tests that help ensure proper access to services is maintained. For example, verifying that a system restricts anonymous access to named pipes and shares to those that are specifically listed in other security options. This configuration helps protect named pipes and shares from unauthorised access.

SUBSECTION: 11.4.2 User Authentication for External Connections
ISO 27001 REQUIREMENT: Appropriate authentication methods shall be used to control access by remote users.
TRIPWIRE ENTERPRISE: The compliance policy manager in Tripwire Enterprise can help verify proper authentication methods are in place to control access by remote users. For example, refusing to allow a remote login when a user attempts to use a blank password (even if the blank password is valid for that account).

SUBSECTION: 11.4.3 Equipment Identification in Networks
ISO 27001 REQUIREMENT: Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment.
TRIPWIRE ENTERPRISE: Tripwire Enterprise verifies that the security options for a Windows 2003 domain controller are configured to allow a domain member to change its computer account password. If the domain controller does not permit a domain member to change its password, the domain member computer is more vulnerable to a password attack.
SUBSECTION: 11.4.4 Remote Diagnostic and Configuration Port Protection
ISO 27001 REQUIREMENT: Physical and logical access to diagnostic and configuration ports shall be controlled.
TRIPWIRE ENTERPRISE: The compliance policy manager in Tripwire Enterprise tests a number of remote access settings to ensure they meet established guidelines for controlling remote access. For example, verifying that the Remote Desktop Help Session Manager Service is disabled on a Windows system.

SUBSECTION: 11.4.6 Network Connection Control
ISO 27001 REQUIREMENT: For shared networks, the capability of users to connect to the network shall be restricted, in line with the access control policy.
TRIPWIRE ENTERPRISE: Tripwire Enterprise helps validate that controls are in place to enforce proper network connection restrictions on shared networks. For example, always requiring passwords and appropriate encryption levels when using Terminal Services.

SUBSECTION: 11.4.7 Network Routing Control
ISO 27001 REQUIREMENT: Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of business applications.
TRIPWIRE ENTERPRISE: The compliance policy manager in Tripwire Enterprise can assist with the ongoing validation of your access control policy by verifying proper routing controls are in place and configured correctly. For example, on a Windows system with two valid networking devices installed, source-routed traffic that passes through a device can spoof the device into thinking that the traffic came from a safe source.

A.11.5 – Operating System Access Control
The objective of this control is to prevent unauthorised access to operating systems.

SUBSECTION: 11.5.1 Secure Log-on Procedures
ISO 27001 REQUIREMENT: Access to operating systems shall be controlled by a secure log-on procedure.
TRIPWIRE ENTERPRISE: The compliance policy manager in Tripwire Enterprise can assess important log-on settings to determine whether they support an overall secure log-on procedure. For example, not displaying the last valid user name and requiring the use of CTRL+ALT+DEL keys to force the use of the Windows authentication process.

SUBSECTION: 11.5.2 User Identification and Authentication
ISO 27001 REQUIREMENT: All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.
TRIPWIRE ENTERPRISE: Proper authentication of user IDs is a fundamental component of controlling operating system access. Tripwire Enterprise provides critical tests to assess authentication settings. For example, verifying that the LAN Manager authentication model for a Windows system is configured correctly so it will only send NTLMv2 authentication and refuse all LM authentication challenges.

SUBSECTION: 11.5.3 Password Management System
ISO 27001 REQUIREMENT: Systems for managing passwords shall be interactive and ensure quality passwords.
TRIPWIRE ENTERPRISE: Ensuring quality passwords requires proper configuration of password-related settings. Tripwire Enterprise can assess these settings and provide assurance that all passwords being used meet minimum quality requirements. For example, enforcing the use of strong passwords and restricting password reuse/history.
SUBSECTION: 11.5.4 Use of System Utilities
ISO 27001 REQUIREMENT: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
TRIPWIRE ENTERPRISE: The compliance policy manager in Tripwire Enterprise can help maintain a strict policy on the use of utility programs. For example, verifying that the FTP Publishing Service and TFTP Daemon Service are both disabled, or that the SeDebugPrivilege right is not assigned to any users on a Windows system. This right gives users the ability to debug any process on the system and is susceptible to exploits that collect account names, passwords, and other sensitive data from the Local Security Authority (LSA).

SUBSECTION: 11.5.5 Session Time-Out
ISO 27001 REQUIREMENT: Inactive sessions shall shut down after a defined period of inactivity.
TRIPWIRE ENTERPRISE: Tripwire Enterprise will verify that an appropriate idle session time-out is established. In the case of Windows systems that communicate using the Server Message Block (SMB) protocol, the compliance policy manager in Tripwire Enterprise will test that the idle session timeout threshold is set to 15 minutes or less.

SUBSECTION: 11.5.6 Limitation of Connection Time
ISO 27001 REQUIREMENT: Restrictions on connection times shall be used to provide additional security for high-risk applications.
TRIPWIRE ENTERPRISE: There are a number of ways to restrict connection times as part of an enhanced security protocol for high-risk applications. Tripwire Enterprise can determine if best practices are being used, such as setting appropriate time limits for Terminal Services sessions and using Group Policy to restrict connections to designated hours of the day.

A.11.6 – Application and Information Access Control
The objective of this control is to prevent unauthorised access to information held in application systems.

SUBSECTION: 11.6.1 Information Access Restriction
ISO 27001 REQUIREMENT: Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.
TRIPWIRE ENTERPRISE: The compliance policy manager in Tripwire Enterprise provides out-of-the-box tests that help establish an acceptable information access control policy. For example, ensuring that critical file and registry permissions have been set properly to restrict access.

A.11.7 – Mobile Computing and Telecommuting
The objective of this control is to ensure information security when using mobile computing and telecommuting facilities.

SUBSECTION: 11.7.1 Mobile Computing and Communications
ISO 27001 REQUIREMENT: A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communications facilities.
TRIPWIRE ENTERPRISE: Mobile computing and related communications pose unique risks that necessitate additional security measures. The compliance policy manager in Tripwire Enterprise can help mitigate these risks by determining if established best practices are in use. For example, verifying that Windows systems are configured to negotiate signed communications with any Server Message Block (SMB) server. By supporting mutual authentication and protection against packet tampering, signed communication helps to protect against man-in-the-middle attacks.
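The two means of coverage described earlier (compliance policy management, and change auditing with auto-promotion of compliant changes) worked through as an added example over several of the Windows settings cited in the control tables above. This is illustrative code written for this page, not Tripwire's; the registry paths, the snapshot format and the sample values are assumptions, and the thresholds follow the paper's own examples (NTLMv2 only, SMB signing, an 80 MB security log, shutdown on audit failure, no remote blank-password logon, a 15-minute SMB idle timeout).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Added example, not Tripwire code. A snapshot is a flat map from setting path to
# value, as parsing a registry or secedit export of one host would yield.
Snapshot = Dict[str, object]

# Assumed HKLM-relative registry locations for the security options the paper cites.
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
WKS = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
SRV = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
SECLOG = r"SYSTEM\CurrentControlSet\Services\EventLog\Security"


@dataclass(frozen=True)
class Rule:
    control: str                      # ISO 27001 subsection the test supports
    setting: str                      # setting path within the snapshot
    passes: Callable[[object], bool]  # compliance predicate on the value
    remediation: str                  # advice returned with a failure


def is_int(v: object) -> bool:
    return isinstance(v, int) and not isinstance(v, bool)


# Thresholds follow the examples given in the paper's control tables.
POLICY: List[Rule] = [
    Rule("11.5.2", LSA + r"\LmCompatibilityLevel", lambda v: v == 5,
         "Set LmCompatibilityLevel to 5: send NTLMv2 only, refuse LM and NTLM"),
    Rule("11.7.1", WKS + r"\RequireSecuritySignature", lambda v: v == 1,
         "Require signed SMB communication"),
    Rule("10.10.4", SECLOG + r"\MaxSize",
         lambda v: is_int(v) and v >= 80 * 1024 * 1024,
         "Raise the Security log maximum size to at least 80 MB"),
    Rule("10.10.3", LSA + r"\CrashOnAuditFail", lambda v: v == 1,
         "Shut the system down if a security event cannot be logged"),
    Rule("11.4.2", LSA + r"\LimitBlankPasswordUse", lambda v: v == 1,
         "Refuse remote logon for accounts with a blank password"),
    Rule("11.5.5", SRV + r"\AutoDisconnect",
         lambda v: is_int(v) and 0 < v <= 15,
         "Set the SMB idle session timeout to 15 minutes or less"),
]


def assess(snapshot: Snapshot, policy: List[Rule] = POLICY) -> List[Tuple[str, str, str]]:
    """Compliance policy management: (control, setting, remediation) per failing rule.
    A setting absent from the snapshot fails, because its state is unknown."""
    failures = []
    for rule in policy:
        value = snapshot.get(rule.setting)
        if value is None or not rule.passes(value):
            failures.append((rule.control, rule.setting, rule.remediation))
    return failures


def diff(baseline: Snapshot, current: Snapshot) -> Dict[str, Tuple[object, object]]:
    """Change auditing: every setting added, modified or deleted since the baseline."""
    return {k: (baseline.get(k), current.get(k))
            for k in baseline.keys() | current.keys()
            if baseline.get(k) != current.get(k)}


def analyze_changes(baseline: Snapshot, current: Snapshot, policy: List[Rule] = POLICY):
    """Real-time analysis of each change, in the spirit the paper attributes to ChangeIQ:
    a change that keeps every rule on that setting passing (or touches no rule) is
    auto-promoted into the trusted baseline; one that introduces non-compliance is
    flagged with remediation advice and the baseline is left untouched."""
    promoted: Dict[str, Tuple[object, object]] = {}
    flagged: Dict[str, Tuple[object, object, List[str]]] = {}
    new_baseline = dict(baseline)
    for setting, (old, new) in diff(baseline, current).items():
        rules = [r for r in policy if r.setting == setting]
        compliant = all(r.passes(new) for r in rules) if new is not None else not rules
        if compliant:
            promoted[setting] = (old, new)
            if new is None:
                new_baseline.pop(setting, None)
            else:
                new_baseline[setting] = new
        else:
            flagged[setting] = (old, new, [r.remediation for r in rules])
    return new_baseline, promoted, flagged


# Constructed snapshots of one Windows host; values are illustrative, not captured.
BASELINE: Snapshot = {
    LSA + r"\LmCompatibilityLevel": 5,
    WKS + r"\RequireSecuritySignature": 1,
    SECLOG + r"\MaxSize": 16 * 1024 * 1024,  # too small: fails 10.10.4
    LSA + r"\CrashOnAuditFail": 1,
    LSA + r"\LimitBlankPasswordUse": 1,
    SRV + r"\AutoDisconnect": 15,
}
CURRENT: Snapshot = dict(BASELINE)
CURRENT[SECLOG + r"\MaxSize"] = 128 * 1024 * 1024  # beneficial change: promoted
CURRENT[LSA + r"\LmCompatibilityLevel"] = 2         # re-enables LM/NTLM: flagged
CURRENT[SRV + r"\Comment"] = "file server"          # unmonitored setting: promoted
```

assess(BASELINE) reports only the undersized Security log with its remediation; analyze_changes(BASELINE, CURRENT) promotes the log-size increase and the unmonitored comment into the baseline but flags the authentication downgrade, so the promoted baseline passes every rule.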
    • A.12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCEA.12.2 – Correct Processing in ApplicationsThe objective of this control is to prevent errors, loss, unauthorised modifications or misuse of information in applications. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE12.2.2 Control of Internal processing Validation checks shall be incorporated By monitoring changes that occur within applica- into applications to detect any corruption tions, Tripwire Enterprise can detect any changes of information through processing errors to critical files, and monitor who may have intro- or deliberate acts. duced errors that caused file corruption.A.12.4 – Security of System FilesThe objective of this control is to ensure the security of system files. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE12.4.1 Control of operational There shall be procedures in place to Tripwire Enterprise can detect changes to thesoftware control the installation of software on operating system, which includes new software operational systems. installations, when it was installed, and who performed the installation. Tripwire Enterprise can also be incorporated with Change Ticketing systems authorising these installations, showing that status.A.12.5 – Security in Development and Support ProcessThe objective of this control is to maintain the security of application system software and information. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE12.5.1 Change control procedures The implementation of changes shall be Tripwire Enterprise is the industry leader in controlled by the use of formal change change audit and detection and should be an control procedures. integral part of any formal change control proce- dure. 
  Tripwire Enterprise is also integrated with major change ticketing systems to help control formal change processes.

12.5.2 Technical review of applications after operating system changes
  ISO 27001 requirement: When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organisational operations or security.
  Tripwire Enterprise: Tripwire Enterprise provides several reports on changes to systems, with links within these reports that show which specific systems changed and who made the changes. These reports provide a documented audit trail that can be reviewed and approved to prevent potential problems.

12.5.3 Restrictions on changes to software packages
  ISO 27001 requirement: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
  Tripwire Enterprise: Tripwire Enterprise monitors all changes that happen on defined systems, reporting whether files have been modified, added or deleted. Having Tripwire Enterprise ensures change is monitored and controlled.
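The A.12.4.1 and A.12.5 rows all rest on the same mechanism: take a baseline of the files on a system, compare a later scan against it, classify every difference as added, modified or deleted, and reconcile each change against the change tickets that authorised it. The following added example, written for this page and not Tripwire's own code, implements that cycle in Python over a constructed directory tree and a constructed ticket list; the paths, file contents and ticket id CHG-1001 are illustrative.

```python
"""Baseline, change detection and ticket reconciliation.

Added example, not Tripwire's code: the change-audit idea behind A.12.4.1
and A.12.5.x.  A baseline of file hashes (plus size and mode) is taken, a
later scan is compared against it, each difference is classed as added /
modified / deleted, and each change is reconciled against a constructed
change-ticket list so the report separates authorized from unauthorized
changes.  All paths, contents and ticket ids below are constructed.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Set


@dataclass(frozen=True)
class FileState:
    sha256: str
    size: int
    mode: int          # permission bits only


def scan(root: Path) -> Dict[str, FileState]:
    """Hash every regular file under root; keys are POSIX paths relative to root."""
    state: Dict[str, FileState] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        state[path.relative_to(root).as_posix()] = FileState(digest, st.st_size, st.st_mode & 0o777)
    return state


@dataclass
class Change:
    path: str
    kind: str          # "added" | "modified" | "deleted"
    detail: str
    authorized: bool = False
    ticket: str = ""


def diff(before: Dict[str, FileState], after: Dict[str, FileState]) -> List[Change]:
    """Classify every difference between two scans."""
    changes: List[Change] = []
    for p in sorted(set(before) | set(after)):
        if p not in before:
            changes.append(Change(p, "added", f"sha256={after[p].sha256[:12]}"))
        elif p not in after:
            changes.append(Change(p, "deleted", ""))
        elif before[p] != after[p]:
            what = "content" if before[p].sha256 != after[p].sha256 else "size/mode"
            changes.append(Change(p, "modified", what))
    return changes


def reconcile(changes: List[Change], tickets: Dict[str, Set[str]]) -> List[Change]:
    """tickets maps a ticket id to the paths it approves; mark matching changes."""
    approved = {p: tid for tid, paths in tickets.items() for p in paths}
    for c in changes:
        if c.path in approved:
            c.authorized, c.ticket = True, approved[c.path]
    return changes


def report(changes: List[Change]) -> Dict[str, List[str]]:
    """The 'authorized vs. unauthorized' view of a change process compliance report."""
    out: Dict[str, List[str]] = {"authorized": [], "unauthorized": []}
    for c in changes:
        out["authorized" if c.authorized else "unauthorized"].append(f"{c.kind} {c.path}")
    return out


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one ticketed upgrade, one unticketed edit, one deletion, one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=off\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF-v1")
        baseline = scan(root)

        # Later: changes happen on the host.
        (root / "bin" / "service").write_bytes(b"\x7fELF-v2")      # covered by ticket CHG-1001
        (root / "etc" / "app.conf").write_text("debug=on\n")       # nobody filed a ticket
        (root / "etc" / "hosts").unlink()                           # deleted, no ticket
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")      # new file, no ticket

        changes = reconcile(diff(baseline, scan(root)), {"CHG-1001": {"bin/service"}})
        return report(changes)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```

Only the change matched by a ticket lands in the authorized list; the other three are reported for investigation, which is exactly the split the Change Process Compliance report on the later page highlights. Hashing content rather than trusting timestamps is what makes a modified-in-place binary visible even when its name and size are unchanged.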
A.13 INFORMATION SECURITY INCIDENT MANAGEMENT

A.13.2 – Management of Information Security Incidents and Improvements
The objective of this control is to ensure a consistent and effective approach is applied to the management of information security incidents.

13.2.3 Collection of evidence
  ISO 27001 requirement: Where a follow-up action against a person or organisation after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).
  Tripwire Enterprise: As part of the audit trail and reporting capabilities within Tripwire Enterprise, changes made to systems that could introduce potential vulnerabilities or security incidents can be documented, providing information as to the person(s) responsible for any breaches in security.

A.15 COMPLIANCE

A.15.2 – Compliance with Security Policies and Standards, and Technical Compliance
The objective of this control is to ensure compliance of systems with organisational security policies and standards.

15.2.2 Technical Compliance Checking
  ISO 27001 requirement: Information systems shall be regularly checked for compliance with security implementation standards.
  Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise validates that each Windows 2003 Server has the latest service pack installed.

A.15.3 – Information Systems Audit Considerations
The objective of this control is to maximise the effectiveness of, and to minimise interference to/from, the information systems audit process.

15.3.1 Information systems audit controls
  ISO 27001 requirement: Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimise the risk of disruptions to business processes.
  Tripwire Enterprise: Tripwire Enterprise provides documented audit proof behind system compliance, as well as of changes that happen on IT systems.
  By incorporating Tripwire Enterprise in the change management process, changes are monitored and documented, and if changes disrupt business processes they can be immediately reconciled and remediated.

15.3.2 Protection of information systems audit tools
  ISO 27001 requirement: Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.
  Tripwire Enterprise: By using Roles and User Groups in Tripwire Enterprise, access to privileged information and to software such as Tripwire Enterprise itself can be limited to users who have the proper permissions. Tripwire Enterprise requires installation by a user with Administrative privileges. Users of Tripwire Enterprise can then be set up with full access, read-only access, or several variants in between.
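Rows 13.2.3 and 15.3.1 both rely on the change audit trail being usable as evidence: it must record who changed what, where and when, and it must be possible to show that the trail itself was not altered after collection. The following added example, not Tripwire's code and not a description of how Tripwire Enterprise stores its records, shows one standard way to give such a trail that property in Python: each record is chained to the hash of the record before it, so any later edit to a retained record is detectable. The users, hosts, paths and timestamps are constructed.

```python
"""Tamper-evident change audit trail.

Added example, not Tripwire's code, for A.13.2.3 (collection of evidence)
and A.15.3.1 (documented audit proof): an append-only, hash-chained record
of change events (who, what, where, when) so that retained evidence can be
shown not to have been altered after collection.  Records are constructed.
"""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(record: dict, prev_hash: str) -> str:
    """Hash a record together with the previous hash; canonical JSON keeps it stable."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class EvidenceLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, who: str, action: str, target: str, when: str, host: str) -> str:
        """Append one change record and return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "who": who, "action": action,
                  "target": target, "when": when, "host": host}
        entry = {**record, "prev": prev, "hash": _digest(record, prev)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first broken entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            record = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(record, prev):
                return i
            prev = e["hash"]
        return None

    def changes_by(self, who: str) -> List[str]:
        """The 'who made the changes' view: every recorded change by one user."""
        return [f'{e["when"]} {e["action"]} {e["target"]} on {e["host"]}'
                for e in self.entries if e["who"] == who]


def build_sample_log() -> EvidenceLog:
    """Constructed sample: three change events on one host."""
    log = EvidenceLog()
    log.append("jdoe", "modified", "/etc/ssh/sshd_config", "2010-06-01T09:12:00Z", "web01")
    log.append("svc-deploy", "added", "/opt/app/release-2.1.jar", "2010-06-01T09:30:00Z", "web01")
    log.append("jdoe", "deleted", "/etc/cron.d/backup", "2010-06-01T09:31:00Z", "web01")
    return log


def tamper_demo() -> Optional[int]:
    """Rewrite the actor on a retained record and show verification catches it."""
    log = build_sample_log()
    log.entries[2]["who"] = "nobody"
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() is None)
    print("jdoe:", log.changes_by("jdoe"))
    print("first broken entry after tampering:", tamper_demo())
```

Verification walks the chain from the genesis anchor and stops at the first record whose stored hash no longer matches its contents and predecessor, so an altered actor, target or timestamp on any retained record is pinpointed by sequence number. Restricting who may append to or read such a trail is the role separation that 15.3.2 asks for.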
Sample Policy Test and Change Audit Screenshots from Tripwire Enterprise

Screenshot showing assessments that address the Communication and Operations Management control. Specifically, section A.10.6.2, Security of Network Services. This section checks that services that don't need to be enabled are specifically disabled.

Screenshot showing assessments that address the Access Control control of ISO 27001. Specifically, section A.11.6, Operating System Access Control. These controls deal with permissions and authentication processes within the operating system.

Screenshot showing assessments that address the Compliance control. Specifically, section A.15.2.2, Technical Compliance Checking. This is a check that the appropriate packages are installed for that system.

Screenshot showing default role types in Tripwire Enterprise with different access rights and permissions described, depending on the role. New roles can be created and permissions set up accordingly.
Tripwire Enterprise Change Process Compliance report, highlighting authorized vs. unauthorized changes to a system.

Tripwire Enterprise Detailed Changes report showing detailed information on what changes were made, when they occurred and who made the changes.
The Nodes With Changes report shows which systems had changes, when they occurred and other details.
ABOUT TRIPWIRE
Tripwire is the leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Over 7,000 customers in more than 86 countries rely on Tripwire’s integrated solutions. Tripwire VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively prove continuous compliance, mitigate risk, and achieve operational control through Visibility, Intelligence and Automation. Learn more at tripwire.com.

©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WP2714a