ISO 17799 and information security awareness
ISO 17799:2005 Coverage Of Information Security Awareness
Security awareness is very much an integral part of an ISO 17799-compliant information security management system. A recurring theme throughout the standard is that people in an organization must be made aware of the security policies, procedures and control requirements that they are expected to uphold.
ISO 17799:2005 section 8.2.2 (Information security awareness, education and training) is the most directly relevant section, recommending that ?All employees of the organization and, where relevant, contractors and third parties should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function? It goes on to recommend ?a formal induction process?and ?ongoing training? It suggests the need to educate employees on known threats and who to contact in the event of a security incident.
As with many other important topics, ISO 17799?s coverage of security awareness is not limited to this one section but is distributed throughout the text:
-Information security awareness, training and education is one of seven common practice controls listed in section 0.6 (Information security starting point);
-In section 0.7 (Critical success factors), ?Effective marketing of information security to all managers, employees, and other parties to achieve awareness?and ?providing appropriate awareness, training, and education?are two of the ten critical success factors;
-Section 5.1.1 (Information security policy document) acknowledges that raising security awareness and informing employees about management requirements is an important function of policies;
-Section 6.1.1 (Management commitment to information security) tells management to ?initiate plans and programs to maintain information security awareness?
-Section 6.1.2 (Information security co-ordination) says one of the duties of the information security management/co-ordination function is to ?effectively promote information security education, training and awareness throughout the organization?
-Section 6.2.1 (Identification of risks related to external parties) notes ?It should be ensured that the external party is aware of their obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing the organization?s information and information processing facilities?
-Section 6.2.3 (Addressing security in third party agreements) recommends ?ensuring user awareness for information security responsibilities and issues? It further recommends ?user and administrator training in methods, procedures, and security?
-The control objective stated in section 8.2 ([Human resources security] during employment) is ?To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error? It continues ?An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks.?
-Section 8.2.1 (Management responsibilities) advises management to ensure that employees, contractors and third party users ?achieve a level of awareness on security relevant to their roles and responsibilities within the organization?[because] ?If employees, contractors and third party users are not made aware of their security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause less information security incidents?
-Section 9.2.7 (Removal of property) says ?Individuals should be made aware if spot checks are carried out?
-Section 10.4 (Protection against malicious and mobile code) says very directly that ?Users should be made aware of the dangers of malicious code. Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented?
-Section 10.8.1 (Information exchange policies and procedures) warns ?Information could be compromised due to lack of awareness, policy or procedures on the use of information exchange facilities?
-Section 11.3 (User responsibilities) states that ?The co-operation of authorized users is essential for effective security. Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment?
-Section 11.3.2 (Unattended user equipment) recommends ?All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection?
-Section 11.7.1 (Mobile computing and communications) says ?Training should be arranged for personnel using mobile computing to raise their awareness on the additional risks resulting from this way of working and the controls that should be implemented?
-Section 12.6.1 (Control of technical vulnerabilities) states ?if no patch is available, other controls should be considered, such as ... raising awareness of the vulnerability?
-The control objective in section 13.1 (Reporting information security events and weaknesses) mentions that ?All employees, contractors and third party users should be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organizational assets?
-Section 13.1.1 (Reporting information security events) continues ?All employees, contractors and third party users should be made aware of their responsibility to report any information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact? It also notes that ?information security incidents can be used in user awareness training?
-?Appropriate education of staff in the agreed procedures and processes, including crisis management?is one of the purposes of continuity plans listed in section 14.1.3 (Developing and implementing continuity plans including information security);
-Section 14.1.4 (Business continuity planning framework) advises that a BCP framework should include, amongst other things, ?awareness, education, and training activities which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective?
-Section 15.1.2 (Intellectual property rights) includes the guideline ?maintaining awareness of policies to protect intellectual property rights?
-Section 15.1.4 (Data protection and privacy of personal information) notes ?Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations?
-Section 15.1.5 (Prevention of misuse of information processing facilities) advises that ?All users should be aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use?
However you look at it, information security awareness is an essential component of an ISO 17799-compliance information security management system.