Yes this is related to AD computer's, what setting do they need to become complaint for ISO 27002.
I need all the specfic setting for both Linux and Windows. For example what file permissions like 600 for /etc/shadow file in linux and what registry setting do all the computers that all windows machines needs to be. I need specfic details for this. So when I conduct a pre-inspection I know what to look for.
Answer:
You need to be compliant with ISO 27001:2013, ISO 27002 is only a code of best practices, so you can only certify ISO 27001. To be compliant with ISO 27001 there are many requirements that you need to implement, but you can do it technically like you want. For example, the control of the Annex of ISO 27001:2013 "A.9.2.1 User registration and de-registration: A formal user registration and de-registration process shall be implemented to enable assignment of access rights. You can implement it with Active Directory or OpenLdap, or any other LDAP software. The external auditor will verify if you have implemented the contr ol, and he can ask you how it is implemented (can also give you some tips to improve the control), but nothing more.
Anyway, from my point of view permissions like 600 (or 400 for only read) for the /etc/shadow file in Linux is a best practice, although I think that can be better if you also encrypt the hard drive (and the same for Windows) and set a BIOS password.
And if you have Linux and Windows systems, can be a good idea to add Linux systems to the Windows domain, and include Linux users in the AD.
Finally, remember that the Access Control Policy is a mandatory document in ISO 27001 (you can see the entire list of mandatory documents here List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/) , so maybe this template can be interesting for you (you can see a free version clicking on Free Demo tab) Access Control Policy : https://advisera.com/27001academy/documentation/access-control-policy/
Comment as guest or Sign in
Jan 13, 2016