  • Query regarding Server access and related Risks

    Hello,

    Opening Port 22 allows secure shell login to the server, using SSH protocol, which is a good option for remote access, using encryption between server and client.

    Regarding the risks of source code access, we can identify the following:
    - Lack of change management control
    - Property rights violations
    - Lack of control on Code security
    - Server availability
    - Software Development Lifecycle practices not accomplished
    - Difficulties in Service Level Agreement between service provider and customer.

    Whether providing access to source code is a good practice or not depends on the business relation between parties and also the purpose of the server/code.

    As a service provider it is a good practice to have an AUP (Acceptable Use Policy) signed by your customers regarding the services you are providing, where this point should be covered for server and code access. Also the AUP should include the RACI matrix identifying who is Responsible, Accountable, Consulted and Informed, defining the ownership of the asset.

    If there is a need for shared administrator privileges in the server, you should use different user accounts and an external log system recording user activity in the server.

    Thanks
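    The two configuration points the answer above ends on (personal accounts instead of a shared superuser on a port-22 server, and logs kept on an external system) can be checked with a short audit script. The script below is an added example, not part of the forum answer; the sshd_config, passwd and rsyslog.conf files it reads are constructed samples written to a temporary directory, and the rsyslog check only understands the legacy `*.* @host` selector syntax.

```shell
#!/bin/sh
# Added example (not from the forum post): audit checks for a server exposed on
# port 22 -- root must not log in directly over SSH, exactly one UID-0 account
# exists (every admin uses a personal account), and syslog is forwarded off-host.
# All input files are constructed samples; each function takes a file path.

# Return 0 if sshd_config disables direct root login, 1 otherwise.
# sshd uses the first value it finds for a keyword, so we take the first match.
root_login_disabled() {
    val=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" | head -n1 | awk '{print tolower($2)}')
    [ "$val" = "no" ]
}

# Return 0 if the passwd file has exactly one UID-0 account (root itself).
# A second UID-0 entry is a shared superuser identity that logs cannot attribute.
no_shared_uid0() {
    n=$(awk -F: '$3 == 0 {c++} END {print c+0}' "$1")
    [ "$n" -eq 1 ]
}

# Return 0 if rsyslog.conf forwards all messages to a remote host (@host or
# @@host), so an admin cannot quietly edit the only copy of the activity log.
remote_logging_configured() {
    grep -Eq '^[[:space:]]*\*\.\*[[:space:]]+@@?[^[:space:]]+' "$1"
}

# --- constructed sample inputs (not real server files) ---
tmp=$(mktemp -d)
printf '%s\n' '# PermitRootLogin yes' 'Port 22' 'PermitRootLogin no' > "$tmp/sshd_config"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'alice:x:1001:1001::/home/alice:/bin/sh' \
              'bob:x:1002:1002::/home/bob:/bin/sh' > "$tmp/passwd_ok"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'admin:x:0:0:shared:/root:/bin/sh' > "$tmp/passwd_shared"
printf '%s\n' '*.* @@logs.example.internal:6514' > "$tmp/rsyslog.conf"

root_login_disabled "$tmp/sshd_config"        && echo "sshd: direct root login disabled"
no_shared_uid0 "$tmp/passwd_ok"               && echo "passwd_ok: single UID-0 account"
no_shared_uid0 "$tmp/passwd_shared"           || echo "passwd_shared: extra UID-0 account found"
remote_logging_configured "$tmp/rsyslog.conf" && echo "rsyslog: remote forwarding present"
```

Run it against the real `/etc/ssh/sshd_config`, `/etc/passwd` and `/etc/rsyslog.conf` by passing those paths to the three functions instead of the sample files.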
  • Is clause 7.2 Competences of personnel mandatory in ISO 22301?


    Answer: Clause 7.2 of ISO 22301 says "retain appropriate documented information as evidence of competence and any actions taken" - therefore, you must maintain records of all trainings and competences of your employees, and this is why we have listed that clause as mandatory in our List of documents.

    However, I think that making a Training and awareness plan is useful although it is not mandatory according to ISO 22301, so this is why we have suggested that document in our List of documents under the section "Commonly used non-mandatory documents".
  • ISMS scope in Quality Manual


    Neither ISO 9001 nor ISO 27001 prescribe how you should structure your documentation. So basically, you have the following options:
    a) ISMS Scope document is a separate document - this is the most common option
    b) ISMS scope is defined within the Information Security Policy document - this is an option that is sometimes used by smaller companies
    c) ISMS scope is defined within the Quality Manual - this is very rare, but theoretically possible.

    See also this article about the ISMS scope: https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • Assessment of processes

    Here you'll find a catalogue of threats and vulnerabilities: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    This catalogue is made for assessing threats and vulnerabilities of assets, but it can be used for processes as well. By the way, when speaking about ISO 27001, it is much better to do asset-based risk assessment because it gives much more precise results.

    You can also read about the process of risk assessment here: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Information security incident management Categories

    For me, the items you mentioned are not categories, but examples of individual IT incidents.

    In any case, since incidents are nothing else but materialized risks, here you'll see examples of threats and vulnerabilities that create information security risks: https://wiki.iso27001standard.com/inde*************************************
  • Secure system engineering principles

    If this application that you're testing (together with its data) is within the scope of your ISMS, then yes - you should apply the Secure system engineering principles policy on this application.

    See also this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • connection between BCP and security

    Yes, information security and business continuity are very related - the most recent trend in most banks is that the functions of BCP and CISO are merged in one department or one person.

    Arguments are these: you can do risk assessment at the same time for both information security and business continuity; incident management is very much related; training and awareness is almost the same, etc.

    These materials can also help you:
    - ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - Chief Information Security Officer (CISO) - where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  • Statement of Applicability & auditor's comments on effectiveness of controls

    The Statement of Applicability (as well as other ISMS documents) is an internal document that the company develops for managing its security - it should not be produced to serve the certification audit, nor should the certification auditor use it as their record.

    Certification auditors should use their own forms for noting conclusions and reporting them to you.

    The certification body won't issue the certificate if they find major nonconformities (when you lack some important part of the ISMS or when you do not comply at all with some of your documents); if they find minor nonconformities they will issue the certificate.

    These articles can also help you:
    - Becoming ISO 27001 certified - How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - How to get certified against ISO 27001? https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    - How to approach an auditor in a certification audit https://advisera.com/articles/how-to-approach-an-auditor-in-a-certification-audit/
  • How does IT complete a BIA

    The IT department should focus on identifying which systems & infrastructure they need to get up and running in order to run the applications/services that are needed by the business side of the organization.

    They need to identify exactly which resources are needed, and the timing when those are needed.
  • Certification - RABQSA

    Again, I'm not sure which ISO 27001 certification you are speaking about - are you speaking about the certification of an individual or a certification of a company?

    Here are some articles that can help you:
    - ISO 27001 certification for persons vs. organizations https://advisera.com/27001academy/iso-27001-certification/
    - How to learn about ISO 27001 (this article lists different possible trainings) https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/