iFour Consultancy Annexure A Control: 12 – Operations Security

ISO 27001:2013 A12 Operations Security, Part 2 - by a software development company in India


Software Development Company in india http://www.ifourtechnolab.com


A 12.4 Logging and Monitoring

Objective: To record events and secure evidence.

Security event logging and monitoring is the examination of electronic audit logs for indications that unauthorized security-related activities have been attempted or performed on a system or application that processes, transmits or stores confidential information.

Event logging and monitoring helps organizations determine what has been recorded on their systems, for follow-up investigation and, if necessary, remediation.

The ISO 27001:2013 standard classifies this control into 4 subsections:
- A 12.4.1: Event logging
- A 12.4.2: Protection of log information
- A 12.4.3: Administrator and operator logs
- A 12.4.4: Clock synchronization

Software solution company in India http://www.ifourtechnolab.com


A 12.4.1 Event logging

Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

- Register information about access and actions of users, errors, events, etc. in information systems.
- Send the logs generated by each of these systems to a central server.
- Configure a syslog server, which lets you centralize all the logs on a single server.
- Syslog is the standard for message logging; a syslog server can operate over a network with a client-server application structure.
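To make the syslog format concrete, here is an added example (not from the iFour slides) that builds and parses RFC 5424 message lines, the form in which each host ships its events to the central syslog server; the facility/severity tables are the standard ones, while host names, application names and the sample message are constructed.

```python
# Added example (not from the iFour slides): build and parse RFC 5424 syslog
# lines, the format hosts send to a central syslog server. Hostnames, app
# names and the sample message are constructed for this example.
import re
from datetime import datetime, timezone

FACILITY = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def format_syslog(facility, severity, hostname, app, msg, when=None):
    """Return an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]  # PRI packs both values
    when = when or datetime.now(timezone.utc)
    ts = when.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    # PROCID, MSGID and structured data are sent as NILVALUE ("-") here.
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


_HEADER = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) ?(.*)$")


def parse_syslog(line):
    """Split the header and decode PRI back into facility/severity names."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    fac_num, sev_num = divmod(int(m.group(1)), 8)
    fac = next((k for k, v in FACILITY.items() if v == fac_num), str(fac_num))
    sev = next((k for k, v in SEVERITY.items() if v == sev_num), str(sev_num))
    return {"facility": fac, "severity": sev, "timestamp": m.group(2),
            "host": m.group(3), "app": m.group(4), "msg": m.group(8)}


if __name__ == "__main__":
    line = format_syslog("auth", "notice", "app01", "sshd",
                         "Accepted publickey for alice")
    print(line)
    print(parse_syslog(line))
```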


A 12.4.2 Protection of log information

Control: Logging facilities and log information shall be protected against tampering and unauthorized access.

- The logs must be protected so that they cannot be removed or modified by unauthorized persons.
- Encrypt the event log archive files so that the log data remains secured for future forensic analysis, compliance and internal audits.
- Securely store the archived log data files, employing hashing and time-stamping techniques so that any later alteration of the archive can be detected.
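As an added example (not from the iFour slides) of the hashing and time-stamping called for above, the following seals an archived log with a SHA-256 hash chain and an HMAC over the final digest and the sealing time, and verifies it; the key and the log lines are constructed, and the key is assumed to live outside the log store.

```python
# Added example (not from the iFour slides): seal an archived log with a
# SHA-256 hash chain plus an HMAC over the final digest and the sealing time,
# then verify it. The key and the log lines are constructed for this example;
# in practice the key is kept outside the log store.
import hashlib
import hmac
from datetime import datetime, timezone

GENESIS = b"\x00" * 32  # chain value before the first entry


def seal_log(lines, key, sealed_at=None):
    """Chain each line's hash into the next; MAC the last digest + timestamp."""
    prev, chain = GENESIS, []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        chain.append(prev.hex())
    sealed_at = sealed_at or datetime.now(timezone.utc).isoformat()
    # The tag binds the whole chain and the time it was sealed; changing,
    # inserting or deleting any line without the key breaks it.
    tag = hmac.new(key, prev + sealed_at.encode(), hashlib.sha256).hexdigest()
    return {"lines": list(lines), "chain": chain,
            "sealed_at": sealed_at, "tag": tag}


def verify_log(archive, key):
    """Return (ok, index): index of the first bad line, len(lines) if the
    seal itself fails, or -1 when the archive is intact."""
    lines, chain = archive["lines"], archive["chain"]
    if len(lines) != len(chain):
        return False, min(len(lines), len(chain))
    prev = GENESIS
    for i, (line, h) in enumerate(zip(lines, chain)):
        prev = hashlib.sha256(prev + line.encode()).digest()
        if not hmac.compare_digest(prev.hex(), h):
            return False, i
    expected = hmac.new(key, prev + archive["sealed_at"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, archive["tag"]):
        return False, len(lines)
    return True, -1
```

An edited line fails at its own index; an attacker who re-computes the whole chain still fails at the seal, because the tag needs the key.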


A 12.4.3 Administrator and Operator logs

Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

- Systems should register information about all users, regardless of the privileges they have on the systems.
- PUMA (Privileged User Monitoring and Audit) reports: these are solutions that closely monitor the user activity of system administrators and operators and give you detailed security reports for any specific period of time.
- All audit trails should be captured, and the log files that record the activities of system administrators and system operators must be protected from unauthorized access and threats.


A 12.4.4 Clock Synchronization

Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

Synchronized clocks are essential for investigating events across multiple systems in the infrastructure. If system clocks are not synchronized it may be difficult to determine whether two events are related. For example, an event on one system triggers a failure on a second system, but the clock on the first system is behind; in this case the event that triggered the failure will appear to have occurred after the failure.

Clock synchronization is important because accurate timestamps on audit log data are critical for troubleshooting, for event correlation and for use as evidence in legal or disciplinary cases.
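The misordering the slide describes, worked through as an added example (not from the iFour slides): two constructed hosts, one of whose clocks runs 90 seconds slow, plus a per-host offset measured against the reference time source that restores the true order. Here the failing host is the one running behind, which produces the same misleading raw order; host names, offsets and events are assumptions for this example.

```python
# Added example (not from the iFour slides): show how one unsynchronized clock
# reverses the apparent order of related events, and how a per-host offset
# measured against the reference time source restores it. Host names, offsets
# and the two log events are constructed for this example.
from datetime import datetime, timedelta, timezone

# Measured offset of each host clock from the reference source, in seconds;
# negative means the host's clock is behind. app01 runs 90 seconds slow.
CLOCK_OFFSET_S = {"app01": -90, "db01": 0}

# (host, timestamp as written in that host's own log, message). In real time
# the migration on db01 happened first and caused the timeout on app01.
EVENTS = [
    ("app01", "2024-01-02T03:04:00Z", "query timeout, failing over"),
    ("db01", "2024-01-02T03:05:00Z", "schema migration started"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reference_time(host, local_ts, offsets):
    """Convert a host-local timestamp to reference time: local - offset."""
    return parse_ts(local_ts) - timedelta(seconds=offsets.get(host, 0))


def order_events(events, offsets=None):
    """Messages in time order; with offsets, ordered by corrected reference time."""
    if offsets:
        key = lambda e: reference_time(e[0], e[1], offsets)
    else:
        key = lambda e: parse_ts(e[1])  # raw timestamps, as an analyst sees them
    return [msg for _, _, msg in sorted(events, key=key)]


def hosts_out_of_tolerance(offsets, max_skew_s=1):
    """Hosts whose clock skew exceeds what event correlation can tolerate."""
    return sorted(h for h, off in offsets.items() if abs(off) > max_skew_s)


if __name__ == "__main__":
    print("raw order:      ", order_events(EVENTS))
    print("corrected order:", order_events(EVENTS, CLOCK_OFFSET_S))
    print("hosts to fix:   ", hosts_out_of_tolerance(CLOCK_OFFSET_S))
```

In production the offsets come from the time service itself (for example the skew each host reports against the NTP reference), and hosts flagged out of tolerance are fixed rather than corrected after the fact.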


A 12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

ISO 27001:2013 classifies it into:
- A 12.5.1: Installation of software on operational systems

A 12.5.1 Control: Procedures shall be implemented to control the installation of software on operational systems.

Check whether any controls are in place for the installation of software on operational systems. The aim is to minimize the risk of corrupting operational systems.


A 12.6 Technical Vulnerability Management

Objective: To prevent exploitation of technical vulnerabilities.

A vulnerability is a weakness of an asset or control that could potentially be exploited by one or more threats.

The ISO 27001:2013 standard classifies this into:
- A 12.6.1: Management of technical vulnerabilities
- A 12.6.2: Restrictions on software installation

All of the hardware and software on the organization's network should be scanned using a vulnerability scanner:
- to identify weaknesses in the configuration of systems;
- to determine whether any systems are missing important patches, or software such as anti-virus software.


A 12.6.1 Management of technical vulnerabilities

Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion. The organization's exposure to such vulnerabilities should be evaluated and appropriate measures must be taken to address the associated risk.

A 12.6.1 looks into 3 targets:
- Timely identification of vulnerabilities: the sooner you discover a vulnerability, the more time you will have to correct it.
- Assessment of the organization's exposure to a vulnerability: a risk assessment should be done to identify and prioritize those vulnerabilities that are most critical to your assets and business.
- Proper measures considering the associated risks: a risk treatment plan, covering the actions to take and the allocation of the resources you have to deal with them.


A 12.6.2 Restrictions on software installation

Control: Rules governing the installation of software by users shall be established and implemented.

Here are some examples of such rules:
- Employees cannot download software from the Internet, or bring software from home, without authorization; it is prohibited.
- When an employee identifies the need for a particular piece of software, a request must be sent to the IT department. The request can be stored as a record or as evidence.
- If the software costs money, an analysis should be made of whether there is another similar tool on the market that is cheaper or even free.
- Top management should participate in the decision on the acquisition of new software.
- Once the decision has been made, the IT department will include the software in its inventory and install it.


A 12.7 Information systems audit considerations

Objective: To minimize the impact of audit activities on operational systems.

ISO 27001:2013 classifies it into:
- A 12.7.1: Information systems audit controls

A 12.7.1 Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

So it looks into:
- Planning and controlling how the audit activities are carried out.
- Minimizing the impact of audit activities on day-to-day operations.

