Uploaded byketanaagja
385 views

Tripwire Iso 27001 Wp

This document discusses how Tripwire Enterprise can help organizations achieve and maintain compliance with the ISO 27001 standard for information security management. It provides an overview of key controls from ISO 27001 and explains how Tripwire Enterprise addresses many of these controls through configuration assessment and change auditing capabilities. This allows organizations to proactively check configurations against ISO 27001 specifications and continuously monitor for changes that could impact compliance.

Embed presentation

©2008 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. Effective Security with a Continuous Approach to ISO 27001 Compliance page 2 page 3 page 12 page 16 Introduction Tripwire Enterprise and the ISO 27001 Controls Sample Policy Test and Change Audit Screenshot About Tripwire WHITE paper ©2008 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 2 Introduction The ISO 27001 standard was published in October 2005 as a replacement to the BS7799-2 standard. It is primarily referred to as the Information Security Management System (ISMS) certification standard. Organisations that seek to implement an ISMS are examined against ISO 27001. The objective of this standard is to As with several global standards, the scope of this standard is far reaching, with several sets of control objectives and guidelines. Its fundamental purpose is to act as a compendium of techniques for securing IT environments and thus effectively managing business risk as well as demonstrating regulatory compliance. ISO 27001 is recognised internationally as a structured methodology for information security. A widely-held opinion is that ISO 27001 is an umbrella over other standards (such as PCI, SOX, GLBA, HIPAA and CobiT). Companies that choose to adopt ISO 27001 demonstrate their commitment to high levels of information security, as there are 11 major controls in the standard that comprise information security best practices. ISO 27001 does not, however, mandate specific procedures nor define the implementation techniques for gain- ing certification. Thus, companies being audited for ISO 27001 compliance deal with the same issues that plague companies facing regulatory audits: how to effectively achieve compliance and, following an audit, cost-effectively maintain it. There are several benefits to a company getting ISO 27001 certification2: • Diverse parties working together: With standardisation, systems from different companies are more likely to work together, since they will be speaking a common language. • An international standard: By complying with an international standard, management proves that they are taking due diligence in ensuring the security of their customer data. • Awareness within the organisation: Complying with this standard touches a lot of aspects of a company both from a business and an IT perspective. This creates greater awareness of security and process within the organisation. • Alignment with the organisation: Since the standard covers such a broad area, several departments need to be in alignment in order to ensure certification, thus building a better working model within the entire company. • Fully accepted in EMEA: Because this standard is widely accepted and implemented throughout EMEA, there are numerous companies that require business partners to have certification before working with them. Certification proves to companies that their vendors have taken the necessary steps to protect customer data, and not having certification could have an economic impact through increased risk exposure. North American companies with operations in EMEA may start running into this issue as well. “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS”1.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 3 Tripwire Enterprise and the ISO 27001 Controls The Tripwire Enterprise solution provides organisations with powerful configuration control through its con- figuration assessment and change auditing capabilities. With Tripwire Enterprise, organisations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. This provides organisations immediate visibility into the state of their systems, and through automating the process, saves time and effort over a manual efforts. For incorrect configurations, not only does Tripwire Enterprise report that condition as part of its risk assess- ment feature, it offers remediation guidance for bringing the settings into compliance. Once this known state has been achieved, Tripwire’s change auditing monitors systems for changes that could affect ISO 27001 compliance, maintaining the IT infrastructure in a known and trusted state. There are several controls that reference IT technology in ISO 27001. Not all can be tested adequately with software, or are relevant to the IT Infrastructure. Tripwire Enterprise provides two means of coverage for the ISO 27001 controls. The Configuration Assessment policy proactively assesses settings and checks that they are compliant against the controls. If compliant, Tripwire Enterprise will also continuously monitor those settings for changes that may take them out of compliance. For settings that are not compliant, Tripwire Enterprise provides the necessary remediation steps to bring that setting back into compliance. There are some controls that Tripwire Enterprise can address by using its industry leading change monitoring.Tripwire can monitor various levels of settings as part of the Change Management controls that are specified in the ISO 27001 standard. Controls that are addressed by the Tripwire Enterprise include: A.10 – Communications and Operations Management A.10.1 – Operational Procedures and Responsibilities The objective of this control is to ensure the correct and secure operation of information processing facilities. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.1.2 Change Management Changes to information processing facil- ities and systems shall be controlled. Tripwire Enterprise can monitor any changes to file systems, databases and active directory, providing the what and who information to any changes that were made to critical systems, thus enforcing a sound change process. 10.1.3 Segregation of duties Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modi- fications or misuse of the organisations’ assets. Using Roles within Tripwire Enterprise, an organisation has complete control over who can have access to files, directories and critical areas within your IT Infrastructure, thus preventing unauthorised or unintentional modifi- cations of files. 10.1.4 Separation of development, test and operational facilities Development, test and operational facili- ties shall be separated to reduce the risks of unauthorised access or changes to the operational system. User groups can be developed within Tripwire Enterprise to separate duties of individuals within those groups, restricting permissions and file access rights where necessary to reduce the risk of any unauthorised or uninten- tional changes to systems.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 4 A.10.2 – Third Party Service Delivery Management The objective of this control is to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.2.3 Managing changes to third party services Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be man- aged, taking account of the criticality of business systems and processes involved and re-assessment of risks. Tripwire Enterprise can monitor changes to critical systems and be aligned with applications, procedures and business systems to ensure changes don’t happen, and if they do, give visibility to those changes, thus reducing risk. A.10.4 – Protection Against Malicious and Mobile Code The objective of this control is to protect the integrity of software and information. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.4.1 Controls against malicious code Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented. By monitoring critical files, Tripwire Enterprise can detect when edits to files have been made, who made the edits, and whether code was changed, deleted or new code added, thus creating a process around code management, and reducing the risk of malicious behavior. A.10.6 – Network Security Management The objective of this control is to ensure the protection of information in networks and the protection of the supporting infrastructure. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.6.1 Network Controls Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. Tripwire Enterprise provides critical assessment of network configuration settings to help maintain the ongoing security of internal systems and appli- cations that rely upon the network. For example, ensuring that anonymous SID/name translation is disabled in the security options policy of a Windows 2003 Server. This setting prevents the null user from translating a binary SID into an actual account name, which may provide useful information that could be used in an attack. 10.6.2 Security of Network Services Security features, service levels, and management requirements of all net- work services shall be identified and included in any network services agreement, wither these services are provided in-house or outsourced. Maintaining security best practices on important network services is cru- cial for securing any network. Tripwire Enterprise provides ongoing assess- ment of network services to measure individual compliance with established best practices. For example, validating that the License Logging Service is disabled on a Windows system. This service is a license-management tool with a vulnerability that permits remote code execution. Disabling this service, as well as other unnecessary services, is a security best practice that helps limit avenues of attack.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 5 A.10.7 – Media Handling The objective of this control is to prevent unauthorised disclosure, modification, removal or destruction of assets, and inter- ruption to business activities. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.7.1 Management of Removable Media There should be procedures in place for the management of removable media. An unmanaged approach to removable media can be a serious vulnerability. Tripwire Enterprise provides assurance that system configuration settings are configured to reduce common risks associated with removable media. For example, ensuring that security options on a Windows system are configured to only allow administrators to format and eject removable NTFS media. A.10.8 – Exchange of Information The objective of this control is to maintain the security of information and software exchanged within an organisation and with any external entity. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.8.1 Information Exchange Policies and Procedures Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communications facilities. Configuration assessment helps to ensure that proper measures are in place to safeguard the exchange of information and eliminate unnecessary communication risks. For example, verifying that the NetMeeting Remote Desktop Sharing Service is disabled on a Windows system. This service sup- ports NetMeeting, but may be subject to hacker attacks and buffer overflows. 10.8.5 Business Information Systems Policies and procedures shall be developed and implemented to pro- tect information associated with the interconnection of business information systems. Tripwire Enterprise verifies that proper system configuration settings are used to safeguard information necessary for disparate business information systems to interconnect. For example, ensuring that strong key protection is required for user keys stored on a covered system. Strong key protection requires users to enter a password associated with a key every time they use the key. This helps prevent user keys from being compromised if a computer is stolen or hijacked. A.10.9 – Electronic Commerce Services The objective of this control is to ensure the security of electronic commerce services, and their secure use. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.9.3 Publicly Available Information The integrity of information being made available on a publicly available system shall be protected to prevent unauthor- ised modification. Tripwire Enterprise provides the use of “roles” to restrict unauthorised access to important files as well as the neces- sary monitoring of these files such that changes made are flagged and alerts sent to pertinent individuals.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 6 A.10.10 – Monitoring The objective of this control is to detect unauthorised information processing activities. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.10.1 Audit Logging Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control moni- toring. Tripwire’s Configuration Assessment verifies that important audit logging settings are configured to support pos- sible audit investigations and ongoing access control monitoring. 10.10.3 Protection of Log Information Logging facilities and log information shall be protected against tampering and unauthorised access. Assuming that other log settings are configured correctly, a problem with logging events could indicate a secu- rity threat. Tripwire Configuration Assessment verifies that security options are configured to shut down a system if an event cannot be logged to the security log for any reason. 10.10.4 Administrator and Operator Logs System administrator and system oper- ator activities shall be logged. Tripwire Configuration Assessment verifies that application, system and security logs can be configured for nec- essary storage capacity. For example, the maximum size of the security log should be at least 80 MB to store an adequate amount of log data for audit- ing purposes. 10.10.6 Clock Synchronisation The clocks of all relevant information processing systems within an organi- sation or security domain shall be synchronised with an agreed accurate time source. For Windows systems, Tripwire Configuration Assessment determines if the Windows Time Service is used and that the system is configured to synchronise with a secure, authorised time source. A.11 – Access Control A.11.2 – User Access Management The objective of this control is to ensure authorised user access and to prevent unauthorised access to information systems. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.2.2 Privilege Management The allocation and use of privileges shall be restricted and controlled. Tripwire Configuration Assessment tests numerous privilege-related settings to ensure restrictions are in place and configured correctly. For example, Windows systems should be configured to disallow the granting of the SeTcbPrivilege right to any user. This right allows users to access the operating system in the Local System security context, which overrides the permissions granted by user group memberships.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 7 A.11.3 – User Responsibilities The objective of this control is to prevent unauthorised user access, and compromise or theft of information and informa- tion processing facilities. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.3.1 Password Use Users shall be required to follow good security practices in the selection and use of passwords. Enforcing proper password security standards is critical to securing any sys- tem. Tripwire Configuration Assessment verifies that common best practices are being used for password-related prop- erties such as complexity, minimum length and maximum age. 11.3.2 Unattended User Equipment Users shall ensure that unattended equipment has appropriate protection. Tripwire Enterprise verifies that each system is configured to use a password- protected screen saver that activates within the appropriate idle time and offers no grace period before password entry is required. 11.3.3 Clear Desk and Clear Screen Policy A clear desk policy for papers and removable media and a clear screen policy for information processing facili- ties shall be adopted. Tripwire Configuration Assessment validates that the current user has a password-protected screen saver that is active. A.11.4 – Network Access Control The objective of this control is to prevent unauthorised access to networked services. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.4.1 Policy on Use of Network Services Users shall only be provided with access to the services that they have been specifically authorised to use. Tripwire Enterprise provides a number of configuration assessment tests that help ensure proper access to services is maintained. For example, verifying that a system restricts anonymous access to named pipes and shares to those that are specifically listed in other secu- rity options. This configuration helps protect named pipes and shares from unauthorised access. 11.4.2 User Authentication for External Connections Appropriate authentication methods shall be used to control access by remote users. Tripwire Configuration Assessment can help verify proper authentication meth- ods are in place to control access by remote users. For example, refusing to allow a remote login when a user attempts to use a blank password (even if the blank password is valid for that account). 11.4.3 Equipment Identification in Networks Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment. Tripwire Enterprise verifies that the security options for a Windows 2003 domain controller are configured to allow a domain member to change its computer account password. If the domain controller does not permit a domain member to change its pass- word, the domain member computer is more vulnerable to a password attack.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 8 11.4.4 Remote Diagnostic and Configuration Port Protection Physical and logical access to diag- nostic and configuration ports shall be controlled. TripwireConfigurationAssessmenttests a number of remote access settings to ensure they meet established guide- lines for controlling remote access. For example, verifying that the Remote Desktop Help Session Manager Service is disabled on a Windows system. 11.4.6 Network Connection Control For shared networks, the capability of users to connect to the network shall be restricted, in line with the access control policy. Tripwire Enterprise helps validate that controls are in place to enforce prop- er network connection restrictions on shared networks. For example, always requiring passwords and appropriate encryption levels when using Terminal Services. 11.4.7 Network Routing Control Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of business applications. Tripwire Configuration Assessment can assist with the ongoing validation of your access control policy by verifying proper routing controls are in place and configured correctly. For example, on a Windows system with two valid networking devices installed, source routing traffic that passes through the device can spoof the device into think- ing that the traffic came from a safe source. A.11.5 – Operating System Access Control The objective of this control is to prevent unauthorised access to operating systems. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.5.1 Secure Log on Procedures Access to operating systems shall be controlled by a secure log-on proce- dure. Tripwire Configuration Assessment can assess important log on settings to determine whether they support an overall secure log-on procedure. For example, not displaying the last valid user name and requiring the use of CTRL+ALT+DEL keys to force the use of the Windows authentication process. 11.5.2 User Identification and Authentication All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user. Proper authentication of user IDs is a fundamental component of control- ling operating system access. Tripwire Enterprise provides critical tests to assess authentication settings. For example, verifying that the LAN Manager authentication model for a Windows system is configured correctly so it will only send NTLMv2 authentica- tion and refuse all LM authentication challenges. 11.5.3 Password Management System Systems for managing passwords shall be interactive and ensure quality pass- words. Ensuring quality passwords requires proper configuration of password- related settings. Tripwire Enterprise can assess these settings and provide assurance that all passwords being used meet minimum quality require- ments. For example, enforcing the use of strong passwords and restricting password reuse/history.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 9 11.5.4 Use of System Utilities The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. Tripwire Configuration Assessment can help maintain a strict policy on the use of utility programs. For example, veri- fying that the FTP Publishing Service and TFTP Daemon Service are both disabled, or that the SeDebugPrivilege right is not assigned to any users on a Windows system. This right gives users the ability to debug any process on the system and is susceptible to exploits that collect account names, passwords, and other sensitive data from the Local Security Authority (LSA). 11.5.5 Session Time-Out Inactive sessions shall shut down after a defined period of inactivity. Tripwire Enterprise will verify that an appropriate idle session time-out is established. In the case of Windows systems that communicate using the Server Message Block (SMB) protocol, Tripwire Configuration Assessment will test that the idle session timeout threshold is set to 15 minutes or less. 11.5.6 Limitation of Connection Time Restrictions on connection times shall be used to provide additional security for high-risk applications. There are a number of ways to restrict connection times as part of an enhanced security protocol for high-risk applica- tions. Tripwire Enterprise can determine if best-practices are being used such as setting appropriate time limits for Terminal Services sessions and using Group Policy to restrict connections to designated hours of the day. A.11.6 – Application and Information Access Control The objective of this control is to prevent unauthorised access to information held in applications systems. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.6.1 Information Access Restriction Access to information and application systems functions by users and support personnel shall be restricted in accor- dance with the defined access control policy. Tripwire Configuration Assessment provides out-of-the-box tests that help establish an acceptable information access control policy. For example, ensuring that critical file and registry permissions have been set properly to restrict access. A.11.7 – Mobile Computing and Telecommunicating The objective of this control is to ensure information security when using mobile computing and telecommuting facilities. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.7.1 Mobile Computing and Communications A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communi- cations facilities. Mobile computing and related commu- nications pose unique risks that neces- sitate additional security measures. Tripwire Configuration Assessment can help mitigate these risks by determining if established best practices are in use. For example, verifying that Windows systems are configured to negotiate signed communications with any Server Message Block (SMB) server. By sup- porting mutual authentication and protection against packet tampering, signed communication helps to protect against man-in-the-middle attacks.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 10 A.12 –Information Systems Acquisition, development and maintenance A.12.2 – Correct Processing in Applications The objective of this control is to prevent errors, loss, unauthorised modifications or misuse of information in applications. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 12.2.2 Control of Internal processing Validation checks shall be incorporated into applications to detect any corrup- tion of information through processing errors or deliberate acts. By monitoring changes that occur within applications, Tripwire Enterprise can detect any changes to critical files, and monitor who may have introduced errors that caused file corruption. A.12.4 – Security of System Files The objective of this control is to ensure the security of system files. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 12.4.1 Control of operational software There shall be procedures in place to control the installation of software on operational systems. Tripwire Enterprise can detect changes to the operating system, which includes new software installations, when it was installed, and who performed the instal- lation. Tripwire Enterprise can also be incorporated with Change Ticketing systems authorising these installations, showing that status. A.12.5 – Security in Development and Support Process The objective of this control is to maintain the security of application system software and information. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 12.5.1 Change control procedures The implementation of changes shall be controlled by the use of formal change control procedures. TripwireEnterpriseistheindustryleader in change audit and detection and should be an integral part of any formal change control procedure. Tripwire Enterprise is also integrated with major change ticketing systems to help control formal change processes. 12.5.2 Technical review of applications after operating system changes When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organisational operations or security. Tripwire Enterprise provides several reports around changes to systems, as well as links within these reports that can show specific systems that changed, as well as who made the changes. These reports provide a docu- mented audit trail that can be reviewed and approved to prevent potential problems. 12.5.3 Restrictions on changes to soft- ware packages Modifications to software packages shall be discouraged, limited to neces- sary changes, and all changes shall be strictly controlled. Tripwire Enterprise monitors all chang- es that happen on defined systems, providing information if files have been modified, added or deleted. Having Tripwire Enterprise ensures change is monitored and controlled.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 11 A.13 – Information Security Incident Management A.13.2 – Management of Information Security Incidents and Improvements The objective of this control is to ensure a consistent and effective approach is applied to the management of information security incidents. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 13.2.3 Collection of evidence Where a follow-up action against a per- son or organisation after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). As part of the audit trail and reporting capabilities within Tripwire Enterprise, changes that are made to systems that could provide potential vulnerabilities or security incidents can be docu- mented, providing information as to the person(s) responsible for any breaches in security. A.15 – Compliance A.15.2 - Compliance with Security Policies and Standards, and Technical Compliance The objective of this control is to ensure compliance of systems with organisational security police and standards. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 15.2.2 Technical Compliance Checking Information Systems shall be regularly checked for compliance with security implementation standards. Tripwire Configuration Assessment vali- dates that each Windows 2003 Server has the latest service pack installed. A.15.3 – Information Systems Audit and Considerations The objective of this control is to maximise the effectiveness of and to minimise interference to/from the information systems audit process. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 15.3.1 Information systems audit controls Audit requirements and activities involv- ing checks on operational systems shall be carefully planned and agreed to min- imise the risk of disruptions to business processes. TripwireEnterpriseprovidesdocumented audit proof behind system compliance, as well as changes that happen with IT systems. By incorporating Tripwire Enterprise in the change management process, changes are monitored and documented and if changes disrupt business process, they can be immedi- ately reconciled and remediated. 15.3.2 Protection of information systems audit tools Access to information systems audit tools shall be protected to prevent any possible misuse or compromise. By using Roles and User Groups in Tripwire Enterprise, access to privileged information and software like Tripwire Enterprise can be controlled/limited to users who have proper permissions. Tripwire Enterprise requires installation by a user with Administrative privileges. Users of Tripwire Enterprise can then be set up to have either full access, just read access, or several variances in between.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 12 Screenshot showing assessments that address the Access Control control of ISO 27001. Specifically, section A.11.6, Operating System Access Control. These controls deal with permis- sions and authentication processes within the operating system. Screenshot showing default role types in Tripwire Enterprise with different access rights and permissions described, depending on the role. New roles can be created and permissions set up accordingly. Screenshot showing assessments that address the Compliance control. Specifically, section A.15.2.2, Technical Compliance Checking. This is a check that the appropriate packages are installed for that system. Screenshot showing assessments that address the Communication and Operations Management control. Specifically, section A.10.6.2, Security of Network Services. This section checks that ser- vices that don’t need to be enable are specifically disabled. Sample Policy Test and Change Audit Screenshots
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 13 Change Process Compliance Date: 3/27/08 1:21 PM Change window: Not applied Use strict package match: No Element Exists: Not applied Nodes: All Node name: Not applied Node Properties: Not applied Rules: All Rule name: Not applied Element name: Not applied Element Properties: Not applied Version Properties: Not applied Change types: Added, Modified, Removed Severity range: 1 - 10000 Current versions only: No Frequency: Monthly, No earlier than 4/1/07 12:00 AM, 7 intervals Packages: Not applied Details Interval Authorized Unauthorized Total Apr 2007 5,561 1,260 6,821 May 2007 6,845 1,508 8,353 Jun 2007 7,356 797 8,153 Jul 2007 8,342 807 9,149 Aug 2007 3,071 76 3,147 Tripwire Enterprise Change Process Compliance report, highlighting authorized vs. unauthor- ized changes to a system.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 14 Detailed Changes Date: 3/27/08 1:39 PM Approval ID: Not Exists Change window: Not applied Attribute display: Changed attributes Compare type: Version with previous version Display content differences: Yes Display version context: Yes Display users: Yes Display packages: No Use strict package match: No Element Exists: Not applied Nodes: All Node name: Not applied Node Properties: Not applied Rules: All Rule name: Not applied Element name: Not applied Element Properties: Not applied Version Properties: Not applied Version Attributes: Not applied Version Content: Not applied Change types: Added, Modified, Removed Severity range: 1 - 10000 Current versions only: No Time range: 4/1/07 12:00 AM up to 10/31/07 11:59 PM Packages: Not applied Nodes sort: Name, ascending Rules sort: Name, ascending Elements sort: Name, ascending Versions sort: Date, descending Node: backend.collab.tripwire.com (Windows Server) Rule: Program Files (Windows File System Rule) Element: C:Program FilesWinZipWZ.PIF Version: 8/2/07 2:42 AM Node: backend.collab.tripwire.com Rule: Program Files Element: C:Program FilesWinZipWZ.PIF Change Type: Added Severity: Windows Low (140) Approval ID: Users: PDXSEgmillard Attribute Type Expected Observed DACL [+] Inherits Entries: true NT AUTHORITYAuthenticated Users, Access Allowed Type: Standard rights: Read Contro l,Synchronize Specific rights: 00a9 Header flags: Inherited ACE BUILTINServer Oper ators, Access Allowed Type: Standard rights: Delete,Read Control,Synchronize Specif ic rights: 01bf Header flags: Inherited ACE BUILTINAd ministrators, Access Allowed Tripwire Enterprise Detailed Changes report showing detailed information on what changes were made, when they occurred and who made the changes.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 15 Nodes With Changes Date: 6/24/08 1:18 PM Approval ID: Not applied Change window: Not applied Use strict package match: No Element Exists: Not applied Nodes: All Node name: Not applied Node Properties: Not applied Rules: All Rule name: Not applied Element name: Not applied Element Properties: Not applied Version Properties: Not applied Change types: Added, Modified, Removed Severity range: 1 - 10000 Current versions only: Yes Time range: All time Packages: Not applied Details table sort: Name, ascending Details Name Type Last Change Time TRIPWIRE-SZYIXW: Microsoft SQL Server 5/14/08 7:31 AM amur.pdxse.tripwire.com Active Directory Server 5/16/08 10:21 AM cisco.ios.router Cisco IOS 5/13/08 11:39 AM cisco.pix.firewall Cisco PIX 5/13/08 11:34 AM The Nodes With Changes report shows which systems had changes, when they occurred and other details.
WHITE PAPER Effective Security with a Continuous Approach to ISO 27001 Compliance Page 16 www.tripwire.com US TOLL FREE: 1.800.TRIPWIRE MAIN: 503.276.7500 FAX: 503.223.0182 326 SW Broadway, 3rd Floor Portland, OR 97205 USA WP2711 About Tripwire Tripwire helps over 6,000 enterprises worldwide reduce security risk, attain compliance and increase opera- tional efficiency throughout their virtual and physical environments. Using Tripwire’s industry-leading configuration assessment and change auditing solutions, organizations successfully achieve and maintain IT configuration control. Tripwire is headquartered in Portland, Oregon, with offices worldwide. 1 http://www.27000.org/iso-27001.htm 2 http://www.rsaconference.com/Security_Topics/Professional_Development/Blog_Jeff_Bardin_Conspiracy_to_Commit_Security.aspx?blogId=8527

More Related Content

PDF
NQA ISO 27001 Implementation Guide
byNQA
 
PPTX
Iso 27001 awareness
byÃsħâr Ãâlâm
 
PPTX
Iso iec 27001 foundation training course by interprom
byMart Rovers
 
PDF
ISO 27001:2013 - Changes
byn|u - The Open Security Community
 
PPT
ISO/IEC 27001:2005
byFuangwith Sopharath
 
DOC
Reporting about Overview Summery of ISO-27000 Se.(ISMS)
byAHM Pervej Kabir
 
ODP
Iso 27001 10_apr_2006
byKhawar Nehal khawar.nehal@atrc.net.pk
 
PPSX
Isms Implementer Course Module 1 Introduction To Information Security
byanilchip
 
NQA ISO 27001 Implementation Guide
byNQA
 
Iso 27001 awareness
byÃsħâr Ãâlâm
 
Iso iec 27001 foundation training course by interprom
byMart Rovers
 
ISO 27001:2013 - Changes
byn|u - The Open Security Community
 
ISO/IEC 27001:2005
byFuangwith Sopharath
 
Reporting about Overview Summery of ISO-27000 Se.(ISMS)
byAHM Pervej Kabir
 
Iso 27001 10_apr_2006
byKhawar Nehal khawar.nehal@atrc.net.pk
 
Isms Implementer Course Module 1 Introduction To Information Security
byanilchip
 

What's hot

PDF
ISO/IEC 27001:2013 An Overview
byAhmed Riad .
 
PDF
Infosec Audit Lecture_4
byObrina Candra, CISA, ISMS-LA
 
PDF
Guide on ISO 27001 Controls
byVISTA InfoSec
 
PPT
ISMS Part I
bykhushboo
 
PDF
ISO 27001
byn|u - The Open Security Community
 
PPT
Overview of ISO 27001 ISMS
byAkhil Garg
 
PPTX
Iso 27001 isms presentation
byMidhun Nirmal
 
PDF
What is ISO 27001 ISMS
byBusiness Beam
 
PDF
Why ISO27001 For My Organisation
byVigilant Software
 
PDF
Isms awareness presentation
byPranay Kumar
 
PDF
ISO 27001 ISMS MEASUREMENT
byGaffri Johnson
 
PDF
Transitioning to iso 27001 2013
bySAIGlobalAssurance
 
PPT
Information Security Management Systems(ISMS) By Dr Wafula
byDiscover JKUAT
 
PPT
ISO 27001 - Information Security Management System
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PDF
ISO 27001:2013 - A transition guide
byVerde Ventures Pvt. Ltd.
 
PPS
ISO 27001 2013 isms final overview
byNaresh Rao
 
PPTX
All you wanted to know about iso 27000
byRamana K V
 
PDF
ISO 27001 Implementation_Documentation_Mandatory_List
bySriramITISConsultant
 
PPT
University iso 27001 bgys intro and certification lami kaya may2012
byHakem Filiz
 
PPTX
Is iso 27001, an answer to security
byRaghunath G
 
ISO/IEC 27001:2013 An Overview
byAhmed Riad .
 
Infosec Audit Lecture_4
byObrina Candra, CISA, ISMS-LA
 
Guide on ISO 27001 Controls
byVISTA InfoSec
 
ISMS Part I
bykhushboo
 
ISO 27001
byn|u - The Open Security Community
 
Overview of ISO 27001 ISMS
byAkhil Garg
 
Iso 27001 isms presentation
byMidhun Nirmal
 
What is ISO 27001 ISMS
byBusiness Beam
 
Why ISO27001 For My Organisation
byVigilant Software
 
Isms awareness presentation
byPranay Kumar
 
ISO 27001 ISMS MEASUREMENT
byGaffri Johnson
 
Transitioning to iso 27001 2013
bySAIGlobalAssurance
 
Information Security Management Systems(ISMS) By Dr Wafula
byDiscover JKUAT
 
ISO 27001 - Information Security Management System
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
ISO 27001:2013 - A transition guide
byVerde Ventures Pvt. Ltd.
 
ISO 27001 2013 isms final overview
byNaresh Rao
 
All you wanted to know about iso 27000
byRamana K V
 
ISO 27001 Implementation_Documentation_Mandatory_List
bySriramITISConsultant
 
University iso 27001 bgys intro and certification lami kaya may2012
byHakem Filiz
 
Is iso 27001, an answer to security
byRaghunath G
 

Similar to Tripwire Iso 27001 Wp

PDF
ISO 27001:2022 Introduction
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
Basic introduction to iso27001
byImran Ahmed
 
PPTX
the role of 27001 in cybersecurity pp.pptx
byfloresmika308
 
PDF
Achieving ISO 27001 Certification.pdf
bymicroteklearning21
 
PDF
NQA-ISO-27001-Implementation-Guide and implementation procedure book
byKrushna Mahapatra
 
PDF
NQA Your Complete Guide to ISO 27001
byNQA
 
PDF
NQA Your Complete Guide to ISO 27001
byNA Putra
 
PDF
NQA-ISO-27001-Implementation-Guide.pdf..
byssuserc911b3
 
PDF
ISO 27001 is the commonly used standard for ISMS implementation and certifica
byIbrahim78026
 
PDF
NQA - ISO 27001 Implementation Guide
byNA Putra
 
PDF
Planning for-and implementing ISO 27001
byYerlin Sturdivant
 
PPTX
Information security management system
byArani Srinivasan
 
PPTX
english_bok_ismp_202306.pptx
byssuser00d6eb
 
PPTX
Information Security Management-Planning 1.pptx
byFrancisFayiah
 
PPT
ISMS Requirements
byhumanus2
 
PPTX
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
byControlCase
 
PDF
Whitepaper iso 27001_isms | All about ISO 27001
byChandan Singh Ghodela
 
PDF
Achieving Effective IT Security with Continuous ISO 27001 Compliance
byTripwire
 
PDF
20CS024 Ethics in Information Technology
byKathirvel Ayyaswamy
 
PDF
ISO_27001___2005_OASIS
byDermot Clarke
 
ISO 27001:2022 Introduction
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Basic introduction to iso27001
byImran Ahmed
 
the role of 27001 in cybersecurity pp.pptx
byfloresmika308
 
Achieving ISO 27001 Certification.pdf
bymicroteklearning21
 
NQA-ISO-27001-Implementation-Guide and implementation procedure book
byKrushna Mahapatra
 
NQA Your Complete Guide to ISO 27001
byNQA
 
NQA Your Complete Guide to ISO 27001
byNA Putra
 
NQA-ISO-27001-Implementation-Guide.pdf..
byssuserc911b3
 
ISO 27001 is the commonly used standard for ISMS implementation and certifica
byIbrahim78026
 
NQA - ISO 27001 Implementation Guide
byNA Putra
 
Planning for-and implementing ISO 27001
byYerlin Sturdivant
 
Information security management system
byArani Srinivasan
 
english_bok_ismp_202306.pptx
byssuser00d6eb
 
Information Security Management-Planning 1.pptx
byFrancisFayiah
 
ISMS Requirements
byhumanus2
 
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
byControlCase
 
Whitepaper iso 27001_isms | All about ISO 27001
byChandan Singh Ghodela
 
Achieving Effective IT Security with Continuous ISO 27001 Compliance
byTripwire
 
20CS024 Ethics in Information Technology
byKathirvel Ayyaswamy
 
ISO_27001___2005_OASIS
byDermot Clarke
 

Tripwire Iso 27001 Wp

  • 1.
    ©2008 Tripwire, Inc.Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. Effective Security with a Continuous Approach to ISO 27001 Compliance page 2 page 3 page 12 page 16 Introduction Tripwire Enterprise and the ISO 27001 Controls Sample Policy Test and Change Audit Screenshot About Tripwire WHITE paper ©2008 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.
  • 2.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 2 Introduction The ISO 27001 standard was published in October 2005 as a replacement to the BS7799-2 standard. It is primarily referred to as the Information Security Management System (ISMS) certification standard. Organisations that seek to implement an ISMS are examined against ISO 27001. The objective of this standard is to As with several global standards, the scope of this standard is far reaching, with several sets of control objectives and guidelines. Its fundamental purpose is to act as a compendium of techniques for securing IT environments and thus effectively managing business risk as well as demonstrating regulatory compliance. ISO 27001 is recognised internationally as a structured methodology for information security. A widely-held opinion is that ISO 27001 is an umbrella over other standards (such as PCI, SOX, GLBA, HIPAA and CobiT). Companies that choose to adopt ISO 27001 demonstrate their commitment to high levels of information security, as there are 11 major controls in the standard that comprise information security best practices. ISO 27001 does not, however, mandate specific procedures nor define the implementation techniques for gain- ing certification. Thus, companies being audited for ISO 27001 compliance deal with the same issues that plague companies facing regulatory audits: how to effectively achieve compliance and, following an audit, cost-effectively maintain it. There are several benefits to a company getting ISO 27001 certification2: • Diverse parties working together: With standardisation, systems from different companies are more likely to work together, since they will be speaking a common language. • An international standard: By complying with an international standard, management proves that they are taking due diligence in ensuring the security of their customer data. • Awareness within the organisation: Complying with this standard touches a lot of aspects of a company both from a business and an IT perspective. This creates greater awareness of security and process within the organisation. • Alignment with the organisation: Since the standard covers such a broad area, several departments need to be in alignment in order to ensure certification, thus building a better working model within the entire company. • Fully accepted in EMEA: Because this standard is widely accepted and implemented throughout EMEA, there are numerous companies that require business partners to have certification before working with them. Certification proves to companies that their vendors have taken the necessary steps to protect customer data, and not having certification could have an economic impact through increased risk exposure. North American companies with operations in EMEA may start running into this issue as well. “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS”1.
  • 3.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 3 Tripwire Enterprise and the ISO 27001 Controls The Tripwire Enterprise solution provides organisations with powerful configuration control through its con- figuration assessment and change auditing capabilities. With Tripwire Enterprise, organisations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. This provides organisations immediate visibility into the state of their systems, and through automating the process, saves time and effort over a manual efforts. For incorrect configurations, not only does Tripwire Enterprise report that condition as part of its risk assess- ment feature, it offers remediation guidance for bringing the settings into compliance. Once this known state has been achieved, Tripwire’s change auditing monitors systems for changes that could affect ISO 27001 compliance, maintaining the IT infrastructure in a known and trusted state. There are several controls that reference IT technology in ISO 27001. Not all can be tested adequately with software, or are relevant to the IT Infrastructure. Tripwire Enterprise provides two means of coverage for the ISO 27001 controls. The Configuration Assessment policy proactively assesses settings and checks that they are compliant against the controls. If compliant, Tripwire Enterprise will also continuously monitor those settings for changes that may take them out of compliance. For settings that are not compliant, Tripwire Enterprise provides the necessary remediation steps to bring that setting back into compliance. There are some controls that Tripwire Enterprise can address by using its industry leading change monitoring.Tripwire can monitor various levels of settings as part of the Change Management controls that are specified in the ISO 27001 standard. Controls that are addressed by the Tripwire Enterprise include: A.10 – Communications and Operations Management A.10.1 – Operational Procedures and Responsibilities The objective of this control is to ensure the correct and secure operation of information processing facilities. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.1.2 Change Management Changes to information processing facil- ities and systems shall be controlled. Tripwire Enterprise can monitor any changes to file systems, databases and active directory, providing the what and who information to any changes that were made to critical systems, thus enforcing a sound change process. 10.1.3 Segregation of duties Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modi- fications or misuse of the organisations’ assets. Using Roles within Tripwire Enterprise, an organisation has complete control over who can have access to files, directories and critical areas within your IT Infrastructure, thus preventing unauthorised or unintentional modifi- cations of files. 10.1.4 Separation of development, test and operational facilities Development, test and operational facili- ties shall be separated to reduce the risks of unauthorised access or changes to the operational system. User groups can be developed within Tripwire Enterprise to separate duties of individuals within those groups, restricting permissions and file access rights where necessary to reduce the risk of any unauthorised or uninten- tional changes to systems.
  • 4.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 4 A.10.2 – Third Party Service Delivery Management The objective of this control is to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.2.3 Managing changes to third party services Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be man- aged, taking account of the criticality of business systems and processes involved and re-assessment of risks. Tripwire Enterprise can monitor changes to critical systems and be aligned with applications, procedures and business systems to ensure changes don’t happen, and if they do, give visibility to those changes, thus reducing risk. A.10.4 – Protection Against Malicious and Mobile Code The objective of this control is to protect the integrity of software and information. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.4.1 Controls against malicious code Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented. By monitoring critical files, Tripwire Enterprise can detect when edits to files have been made, who made the edits, and whether code was changed, deleted or new code added, thus creating a process around code management, and reducing the risk of malicious behavior. A.10.6 – Network Security Management The objective of this control is to ensure the protection of information in networks and the protection of the supporting infrastructure. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.6.1 Network Controls Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. Tripwire Enterprise provides critical assessment of network configuration settings to help maintain the ongoing security of internal systems and appli- cations that rely upon the network. For example, ensuring that anonymous SID/name translation is disabled in the security options policy of a Windows 2003 Server. This setting prevents the null user from translating a binary SID into an actual account name, which may provide useful information that could be used in an attack. 10.6.2 Security of Network Services Security features, service levels, and management requirements of all net- work services shall be identified and included in any network services agreement, wither these services are provided in-house or outsourced. Maintaining security best practices on important network services is cru- cial for securing any network. Tripwire Enterprise provides ongoing assess- ment of network services to measure individual compliance with established best practices. For example, validating that the License Logging Service is disabled on a Windows system. This service is a license-management tool with a vulnerability that permits remote code execution. Disabling this service, as well as other unnecessary services, is a security best practice that helps limit avenues of attack.
  • 5.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 5 A.10.7 – Media Handling The objective of this control is to prevent unauthorised disclosure, modification, removal or destruction of assets, and inter- ruption to business activities. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.7.1 Management of Removable Media There should be procedures in place for the management of removable media. An unmanaged approach to removable media can be a serious vulnerability. Tripwire Enterprise provides assurance that system configuration settings are configured to reduce common risks associated with removable media. For example, ensuring that security options on a Windows system are configured to only allow administrators to format and eject removable NTFS media. A.10.8 – Exchange of Information The objective of this control is to maintain the security of information and software exchanged within an organisation and with any external entity. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.8.1 Information Exchange Policies and Procedures Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communications facilities. Configuration assessment helps to ensure that proper measures are in place to safeguard the exchange of information and eliminate unnecessary communication risks. For example, verifying that the NetMeeting Remote Desktop Sharing Service is disabled on a Windows system. This service sup- ports NetMeeting, but may be subject to hacker attacks and buffer overflows. 10.8.5 Business Information Systems Policies and procedures shall be developed and implemented to pro- tect information associated with the interconnection of business information systems. Tripwire Enterprise verifies that proper system configuration settings are used to safeguard information necessary for disparate business information systems to interconnect. For example, ensuring that strong key protection is required for user keys stored on a covered system. Strong key protection requires users to enter a password associated with a key every time they use the key. This helps prevent user keys from being compromised if a computer is stolen or hijacked. A.10.9 – Electronic Commerce Services The objective of this control is to ensure the security of electronic commerce services, and their secure use. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.9.3 Publicly Available Information The integrity of information being made available on a publicly available system shall be protected to prevent unauthor- ised modification. Tripwire Enterprise provides the use of “roles” to restrict unauthorised access to important files as well as the neces- sary monitoring of these files such that changes made are flagged and alerts sent to pertinent individuals.
  • 6.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 6 A.10.10 – Monitoring The objective of this control is to detect unauthorised information processing activities. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 10.10.1 Audit Logging Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control moni- toring. Tripwire’s Configuration Assessment verifies that important audit logging settings are configured to support pos- sible audit investigations and ongoing access control monitoring. 10.10.3 Protection of Log Information Logging facilities and log information shall be protected against tampering and unauthorised access. Assuming that other log settings are configured correctly, a problem with logging events could indicate a secu- rity threat. Tripwire Configuration Assessment verifies that security options are configured to shut down a system if an event cannot be logged to the security log for any reason. 10.10.4 Administrator and Operator Logs System administrator and system oper- ator activities shall be logged. Tripwire Configuration Assessment verifies that application, system and security logs can be configured for nec- essary storage capacity. For example, the maximum size of the security log should be at least 80 MB to store an adequate amount of log data for audit- ing purposes. 10.10.6 Clock Synchronisation The clocks of all relevant information processing systems within an organi- sation or security domain shall be synchronised with an agreed accurate time source. For Windows systems, Tripwire Configuration Assessment determines if the Windows Time Service is used and that the system is configured to synchronise with a secure, authorised time source. A.11 – Access Control A.11.2 – User Access Management The objective of this control is to ensure authorised user access and to prevent unauthorised access to information systems. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.2.2 Privilege Management The allocation and use of privileges shall be restricted and controlled. Tripwire Configuration Assessment tests numerous privilege-related settings to ensure restrictions are in place and configured correctly. For example, Windows systems should be configured to disallow the granting of the SeTcbPrivilege right to any user. This right allows users to access the operating system in the Local System security context, which overrides the permissions granted by user group memberships.
  • 7.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 7 A.11.3 – User Responsibilities The objective of this control is to prevent unauthorised user access, and compromise or theft of information and informa- tion processing facilities. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.3.1 Password Use Users shall be required to follow good security practices in the selection and use of passwords. Enforcing proper password security standards is critical to securing any sys- tem. Tripwire Configuration Assessment verifies that common best practices are being used for password-related prop- erties such as complexity, minimum length and maximum age. 11.3.2 Unattended User Equipment Users shall ensure that unattended equipment has appropriate protection. Tripwire Enterprise verifies that each system is configured to use a password- protected screen saver that activates within the appropriate idle time and offers no grace period before password entry is required. 11.3.3 Clear Desk and Clear Screen Policy A clear desk policy for papers and removable media and a clear screen policy for information processing facili- ties shall be adopted. Tripwire Configuration Assessment validates that the current user has a password-protected screen saver that is active. A.11.4 – Network Access Control The objective of this control is to prevent unauthorised access to networked services. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.4.1 Policy on Use of Network Services Users shall only be provided with access to the services that they have been specifically authorised to use. Tripwire Enterprise provides a number of configuration assessment tests that help ensure proper access to services is maintained. For example, verifying that a system restricts anonymous access to named pipes and shares to those that are specifically listed in other secu- rity options. This configuration helps protect named pipes and shares from unauthorised access. 11.4.2 User Authentication for External Connections Appropriate authentication methods shall be used to control access by remote users. Tripwire Configuration Assessment can help verify proper authentication meth- ods are in place to control access by remote users. For example, refusing to allow a remote login when a user attempts to use a blank password (even if the blank password is valid for that account). 11.4.3 Equipment Identification in Networks Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment. Tripwire Enterprise verifies that the security options for a Windows 2003 domain controller are configured to allow a domain member to change its computer account password. If the domain controller does not permit a domain member to change its pass- word, the domain member computer is more vulnerable to a password attack.
  • 8.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 8 11.4.4 Remote Diagnostic and Configuration Port Protection Physical and logical access to diag- nostic and configuration ports shall be controlled. TripwireConfigurationAssessmenttests a number of remote access settings to ensure they meet established guide- lines for controlling remote access. For example, verifying that the Remote Desktop Help Session Manager Service is disabled on a Windows system. 11.4.6 Network Connection Control For shared networks, the capability of users to connect to the network shall be restricted, in line with the access control policy. Tripwire Enterprise helps validate that controls are in place to enforce prop- er network connection restrictions on shared networks. For example, always requiring passwords and appropriate encryption levels when using Terminal Services. 11.4.7 Network Routing Control Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of business applications. Tripwire Configuration Assessment can assist with the ongoing validation of your access control policy by verifying proper routing controls are in place and configured correctly. For example, on a Windows system with two valid networking devices installed, source routing traffic that passes through the device can spoof the device into think- ing that the traffic came from a safe source. A.11.5 – Operating System Access Control The objective of this control is to prevent unauthorised access to operating systems. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.5.1 Secure Log on Procedures Access to operating systems shall be controlled by a secure log-on proce- dure. Tripwire Configuration Assessment can assess important log on settings to determine whether they support an overall secure log-on procedure. For example, not displaying the last valid user name and requiring the use of CTRL+ALT+DEL keys to force the use of the Windows authentication process. 11.5.2 User Identification and Authentication All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user. Proper authentication of user IDs is a fundamental component of control- ling operating system access. Tripwire Enterprise provides critical tests to assess authentication settings. For example, verifying that the LAN Manager authentication model for a Windows system is configured correctly so it will only send NTLMv2 authentica- tion and refuse all LM authentication challenges. 11.5.3 Password Management System Systems for managing passwords shall be interactive and ensure quality pass- words. Ensuring quality passwords requires proper configuration of password- related settings. Tripwire Enterprise can assess these settings and provide assurance that all passwords being used meet minimum quality require- ments. For example, enforcing the use of strong passwords and restricting password reuse/history.
  • 9.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 9 11.5.4 Use of System Utilities The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. Tripwire Configuration Assessment can help maintain a strict policy on the use of utility programs. For example, veri- fying that the FTP Publishing Service and TFTP Daemon Service are both disabled, or that the SeDebugPrivilege right is not assigned to any users on a Windows system. This right gives users the ability to debug any process on the system and is susceptible to exploits that collect account names, passwords, and other sensitive data from the Local Security Authority (LSA). 11.5.5 Session Time-Out Inactive sessions shall shut down after a defined period of inactivity. Tripwire Enterprise will verify that an appropriate idle session time-out is established. In the case of Windows systems that communicate using the Server Message Block (SMB) protocol, Tripwire Configuration Assessment will test that the idle session timeout threshold is set to 15 minutes or less. 11.5.6 Limitation of Connection Time Restrictions on connection times shall be used to provide additional security for high-risk applications. There are a number of ways to restrict connection times as part of an enhanced security protocol for high-risk applica- tions. Tripwire Enterprise can determine if best-practices are being used such as setting appropriate time limits for Terminal Services sessions and using Group Policy to restrict connections to designated hours of the day. A.11.6 – Application and Information Access Control The objective of this control is to prevent unauthorised access to information held in applications systems. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.6.1 Information Access Restriction Access to information and application systems functions by users and support personnel shall be restricted in accor- dance with the defined access control policy. Tripwire Configuration Assessment provides out-of-the-box tests that help establish an acceptable information access control policy. For example, ensuring that critical file and registry permissions have been set properly to restrict access. A.11.7 – Mobile Computing and Telecommunicating The objective of this control is to ensure information security when using mobile computing and telecommuting facilities. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 11.7.1 Mobile Computing and Communications A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communi- cations facilities. Mobile computing and related commu- nications pose unique risks that neces- sitate additional security measures. Tripwire Configuration Assessment can help mitigate these risks by determining if established best practices are in use. For example, verifying that Windows systems are configured to negotiate signed communications with any Server Message Block (SMB) server. By sup- porting mutual authentication and protection against packet tampering, signed communication helps to protect against man-in-the-middle attacks.
  • 10.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 10 A.12 –Information Systems Acquisition, development and maintenance A.12.2 – Correct Processing in Applications The objective of this control is to prevent errors, loss, unauthorised modifications or misuse of information in applications. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 12.2.2 Control of Internal processing Validation checks shall be incorporated into applications to detect any corrup- tion of information through processing errors or deliberate acts. By monitoring changes that occur within applications, Tripwire Enterprise can detect any changes to critical files, and monitor who may have introduced errors that caused file corruption. A.12.4 – Security of System Files The objective of this control is to ensure the security of system files. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 12.4.1 Control of operational software There shall be procedures in place to control the installation of software on operational systems. Tripwire Enterprise can detect changes to the operating system, which includes new software installations, when it was installed, and who performed the instal- lation. Tripwire Enterprise can also be incorporated with Change Ticketing systems authorising these installations, showing that status. A.12.5 – Security in Development and Support Process The objective of this control is to maintain the security of application system software and information. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 12.5.1 Change control procedures The implementation of changes shall be controlled by the use of formal change control procedures. TripwireEnterpriseistheindustryleader in change audit and detection and should be an integral part of any formal change control procedure. Tripwire Enterprise is also integrated with major change ticketing systems to help control formal change processes. 12.5.2 Technical review of applications after operating system changes When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organisational operations or security. Tripwire Enterprise provides several reports around changes to systems, as well as links within these reports that can show specific systems that changed, as well as who made the changes. These reports provide a docu- mented audit trail that can be reviewed and approved to prevent potential problems. 12.5.3 Restrictions on changes to soft- ware packages Modifications to software packages shall be discouraged, limited to neces- sary changes, and all changes shall be strictly controlled. Tripwire Enterprise monitors all chang- es that happen on defined systems, providing information if files have been modified, added or deleted. Having Tripwire Enterprise ensures change is monitored and controlled.
  • 11.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 11 A.13 – Information Security Incident Management A.13.2 – Management of Information Security Incidents and Improvements The objective of this control is to ensure a consistent and effective approach is applied to the management of information security incidents. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 13.2.3 Collection of evidence Where a follow-up action against a per- son or organisation after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). As part of the audit trail and reporting capabilities within Tripwire Enterprise, changes that are made to systems that could provide potential vulnerabilities or security incidents can be docu- mented, providing information as to the person(s) responsible for any breaches in security. A.15 – Compliance A.15.2 - Compliance with Security Policies and Standards, and Technical Compliance The objective of this control is to ensure compliance of systems with organisational security police and standards. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 15.2.2 Technical Compliance Checking Information Systems shall be regularly checked for compliance with security implementation standards. Tripwire Configuration Assessment vali- dates that each Windows 2003 Server has the latest service pack installed. A.15.3 – Information Systems Audit and Considerations The objective of this control is to maximise the effectiveness of and to minimise interference to/from the information systems audit process. SUBSECTION ISO 27001 REQUIREMENT TRIPWIRE ENTERPRISE 15.3.1 Information systems audit controls Audit requirements and activities involv- ing checks on operational systems shall be carefully planned and agreed to min- imise the risk of disruptions to business processes. TripwireEnterpriseprovidesdocumented audit proof behind system compliance, as well as changes that happen with IT systems. By incorporating Tripwire Enterprise in the change management process, changes are monitored and documented and if changes disrupt business process, they can be immedi- ately reconciled and remediated. 15.3.2 Protection of information systems audit tools Access to information systems audit tools shall be protected to prevent any possible misuse or compromise. By using Roles and User Groups in Tripwire Enterprise, access to privileged information and software like Tripwire Enterprise can be controlled/limited to users who have proper permissions. Tripwire Enterprise requires installation by a user with Administrative privileges. Users of Tripwire Enterprise can then be set up to have either full access, just read access, or several variances in between.
  • 12.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 12 Screenshot showing assessments that address the Access Control control of ISO 27001. Specifically, section A.11.6, Operating System Access Control. These controls deal with permis- sions and authentication processes within the operating system. Screenshot showing default role types in Tripwire Enterprise with different access rights and permissions described, depending on the role. New roles can be created and permissions set up accordingly. Screenshot showing assessments that address the Compliance control. Specifically, section A.15.2.2, Technical Compliance Checking. This is a check that the appropriate packages are installed for that system. Screenshot showing assessments that address the Communication and Operations Management control. Specifically, section A.10.6.2, Security of Network Services. This section checks that ser- vices that don’t need to be enable are specifically disabled. Sample Policy Test and Change Audit Screenshots
  • 13.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 13 Change Process Compliance Date: 3/27/08 1:21 PM Change window: Not applied Use strict package match: No Element Exists: Not applied Nodes: All Node name: Not applied Node Properties: Not applied Rules: All Rule name: Not applied Element name: Not applied Element Properties: Not applied Version Properties: Not applied Change types: Added, Modified, Removed Severity range: 1 - 10000 Current versions only: No Frequency: Monthly, No earlier than 4/1/07 12:00 AM, 7 intervals Packages: Not applied Details Interval Authorized Unauthorized Total Apr 2007 5,561 1,260 6,821 May 2007 6,845 1,508 8,353 Jun 2007 7,356 797 8,153 Jul 2007 8,342 807 9,149 Aug 2007 3,071 76 3,147 Tripwire Enterprise Change Process Compliance report, highlighting authorized vs. unauthor- ized changes to a system.
  • 14.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 14 Detailed Changes Date: 3/27/08 1:39 PM Approval ID: Not Exists Change window: Not applied Attribute display: Changed attributes Compare type: Version with previous version Display content differences: Yes Display version context: Yes Display users: Yes Display packages: No Use strict package match: No Element Exists: Not applied Nodes: All Node name: Not applied Node Properties: Not applied Rules: All Rule name: Not applied Element name: Not applied Element Properties: Not applied Version Properties: Not applied Version Attributes: Not applied Version Content: Not applied Change types: Added, Modified, Removed Severity range: 1 - 10000 Current versions only: No Time range: 4/1/07 12:00 AM up to 10/31/07 11:59 PM Packages: Not applied Nodes sort: Name, ascending Rules sort: Name, ascending Elements sort: Name, ascending Versions sort: Date, descending Node: backend.collab.tripwire.com (Windows Server) Rule: Program Files (Windows File System Rule) Element: C:Program FilesWinZipWZ.PIF Version: 8/2/07 2:42 AM Node: backend.collab.tripwire.com Rule: Program Files Element: C:Program FilesWinZipWZ.PIF Change Type: Added Severity: Windows Low (140) Approval ID: Users: PDXSEgmillard Attribute Type Expected Observed DACL [+] Inherits Entries: true NT AUTHORITYAuthenticated Users, Access Allowed Type: Standard rights: Read Contro l,Synchronize Specific rights: 00a9 Header flags: Inherited ACE BUILTINServer Oper ators, Access Allowed Type: Standard rights: Delete,Read Control,Synchronize Specif ic rights: 01bf Header flags: Inherited ACE BUILTINAd ministrators, Access Allowed Tripwire Enterprise Detailed Changes report showing detailed information on what changes were made, when they occurred and who made the changes.
  • 15.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 15 Nodes With Changes Date: 6/24/08 1:18 PM Approval ID: Not applied Change window: Not applied Use strict package match: No Element Exists: Not applied Nodes: All Node name: Not applied Node Properties: Not applied Rules: All Rule name: Not applied Element name: Not applied Element Properties: Not applied Version Properties: Not applied Change types: Added, Modified, Removed Severity range: 1 - 10000 Current versions only: Yes Time range: All time Packages: Not applied Details table sort: Name, ascending Details Name Type Last Change Time TRIPWIRE-SZYIXW: Microsoft SQL Server 5/14/08 7:31 AM amur.pdxse.tripwire.com Active Directory Server 5/16/08 10:21 AM cisco.ios.router Cisco IOS 5/13/08 11:39 AM cisco.pix.firewall Cisco PIX 5/13/08 11:34 AM The Nodes With Changes report shows which systems had changes, when they occurred and other details.
  • 16.
    WHITE PAPER Effective Security witha Continuous Approach to ISO 27001 Compliance Page 16 www.tripwire.com US TOLL FREE: 1.800.TRIPWIRE MAIN: 503.276.7500 FAX: 503.223.0182 326 SW Broadway, 3rd Floor Portland, OR 97205 USA WP2711 About Tripwire Tripwire helps over 6,000 enterprises worldwide reduce security risk, attain compliance and increase opera- tional efficiency throughout their virtual and physical environments. Using Tripwire’s industry-leading configuration assessment and change auditing solutions, organizations successfully achieve and maintain IT configuration control. Tripwire is headquartered in Portland, Oregon, with offices worldwide. 1 http://www.27000.org/iso-27001.htm 2 http://www.rsaconference.com/Security_Topics/Professional_Development/Blog_Jeff_Bardin_Conspiracy_to_Commit_Security.aspx?blogId=8527