ISO 17799 Network Vulnerability Assessment Evaluation Checklist
| ISO 17799 Section | Description | Group Responsible |
| 3.1.1 Information Security Policy | Develop an Information Security Policy. | Information Security |
| 4.1.1 Management IS Forum | Establish a corporate committee to oversee information security. | IS Steering Committee |
| 4.1.2 Information Security Coordination | Develop and implement an Information Security Organization mission statement. | Information Security |
| 4.2.1 Identification of Risks from Third-Party Access | Implement a process to analyze third party connection risks. | Information Security |
| 4.3.1 Security Requirements in Outsourcing Contracts | Implement standards to address security requirements of the information owners been in a contract between the owners and any outsource organization. | Procurement |
| 5.1.1 Inventory of Assets | Establish an inventory of major assets associated with each information system. | Operations |
| 7.2.1 Equipment Location and Protection | Implement standards to ensure that equipment is located properly to reduce risks of environmental hazards and unauthorized access. | Operations |
| 7.2.2 Power Supplies | Implement procedures for electronic equipment to protect them from power failures and other electrical anomalies. | Operations |
| 7.2.3 Cabling Security | Implement standards to protect power and telecommunications cabling from interception or damage. | Operations/Facilities |
| 7.2.4 Equipment Maintenance | Implement procedures to establish to correctly maintain IT equipment to ensure its continued availability and integrity. | Operations |
| 8.1.2 Operational Change Control | Implement procedures for controlling changes to IT facilities and systems to ensure satisfactory control of all changes to equipment, software, or procedures. | Systems/Information Security |
| 8.2.2 System Acceptance | Implement procedures to establish acceptance criteria for new systems, and that adequate tests have been performed prior to acceptance. | Systems |
| 8.5.1 Network Controls | Implement appropriate standards to ensure the security of data in networks and the protection of connected services from unauthorized access. | Network Administration |
| 8.7.4 Security of Electronic Mail | Implement standards and user training to reduce the business and security risks associated with electronic mail, to include interception, modification, and errors. | Operations & Network |
| 8.7.5 Security of Electronic Office | Implement a risk analysis process and resultant standards to control business and security risks associated with electronic office systems. | Information Security |
| 8.7.6 Publicly Available Systems | Implement a formal policy to establish an authorization process for information that is to be made publicly available. | Corporate Communications |
| 9.4.1 Policy on Use of Network Services | Implement procedures to ensure that network and computer services that can be accessed by an individual user or from a particular terminal are consistent with business access control policy. | Network |
| 9.4.2 Enforced Path | Implement standards that restrict the route between a user terminal and the computer services that its user is authorized to access. | Network |
| 9.4.3 User Authentication for External Connections | Implement standards to ensure that connections by remote users via public or nonorganization networks are authenticated to prevent unauthorized access to business applications. | Network |
| 9.4.4 Node Authentication | Implement standards to ensure that connections by remote computer systems are authenticated to prevent unauthorized access to a business application. | Network |
| 9.4.5 Remote Diagnostic Port Protection | Implement procedures to control access to diagnostic ports designed for remote use by maintenance engineers. | Network |
| 9.4.6 Network Segregation | Implement standards to have large networks divided into separate domains to mitigate the risk of unauthorized access to existing computer systems that use the network. | Network |
| 9.4.7 Network Connection Control | Implement standards to restrict the connection capability of users, in support of access policy requirements of business applications that extend across organizational boundaries. | Network |
| 9.4.8 Network Routing Control | Implement standards that identify routing controls over shared networks across organizational boundaries to ensure those computer connections and information flows conform to the access policy of business units. | Network |
| 9.4.9 Security in Network Services | Implement standards to capture network providers clearly security attributes of all services used, and use this information to establish the security controls to protect the confidentiality, integrity, and availability of business applications. | Network |
| 9.5.1 Automatic Terminal Identification | Implement standards for automatic terminal identification to authenticate connections to specific locations. | Operations |
| 9.5.2 Terminal Log-on Procedures | Implement procedures for logging into a computer system to minimize the opportunity for unauthorized access. | Operations |
Share:
Subscribe to Service news feed
