ISO27001 in a Windows® Environment

ISO27001 in a Windows® Environment: The best practice handbook for a Microsoft® Windows® environment

BRIAN HONAN
Copyright Date: 2010
Edition: 2
Published by: IT Governance Publishing
Pages: 312
https://www.jstor.org/stable/j.ctt5hh4tx
    Book Description:

    Organisations can minimise the risks to the vital information in their possession by putting in place an information security management system (ISMS). However, this can provide a significant implementation challenge for any organisation. A significant number of the controls to be applied will, of necessity, be technical and will relate to how IT hardware and software are set up and configured. Once an organisation decides to adopt ISO27001, it will be the job of the IT team to implement many of the associated controls. As a result, there is often a gulf in understanding as to what is required between the ISO27001 ISMS project manager and those responsible for implementing the technical controls. Implementing ISO27001 in a Windows® Environment, Second Edition, enables parties on both sides to bridge the gulf. It helps both IT managers and ISMS project managers to understand the requirements of ISO27001 and its step-by-step advice will make the road to ISO27001 implementation much easier. Providing practical advice on how to configure and secure a Microsoft® environment using ISO27001 controls, the book shows IT managers how they can take advantage of the Microsoft® technologies at their disposal.

    eISBN: 978-1-84928-050-1
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. FOREWORD
    (pp. 5-6)
    Alan Calder

    The information security management standard (ISMS), ISO/IEC 27001, provides a significant implementation challenge for all organisations. ISO27001 is a management standard: it sets out a specification for how management should identify, from a business risk perspective, the controls and safeguards that should be applied to information assets in order to assure their confidentiality, integrity and confidentiality. Management – and also the ISMS implementation project manager – will usually have a general or quality management background.

    A significant number of the controls to be applied will, of necessity, be technical and will relate to how IT hardware and software are set up and...

  3. PREFACE
    (pp. 7-8)
  4. ABOUT THE AUTHOR
    (pp. 9-9)
  5. ACKNOWLEDGEMENTS
    (pp. 10-10)
  6. Table of Contents
    (pp. 11-13)
  7. INTRODUCTION
    (pp. 14-17)

    Information security, once viewed as being solely within the domain of the IT department, is now a key issue for many businesses and organisations. Industry regulations, legal requirements, media coverage of information security incidents and a growing demand from clients that companies better manage and secure the information within their care have forced information security out of the IT department and into the boardroom.

    Companies are now faced with the dilemma of ensuring their information is secure enough to satisfy their business needs and is also compliant with various legal and regulatory requirements, such as the Data Protection Act, Basel...

  8. CHAPTER 1: INFORMATION AND INFORMATION SECURITY
    (pp. 18-23)

    Before we begin our ISO27001 journey, it is important that we understand what it is that we are trying to achieve. When most people hear the phrase information security, they automatically think that it is applicable only to IT and the securing of computers and networks.

    But information can take many forms and is not only bits and bytes on computers or networks. Information can be printed or written on to paper; it can be verbal, whether spoken face to face, in a crowded room or over a telephone; or it can indeed be stored or transmitted electronically by computers,...

  9. CHAPTER 2: USING AN ISMS TO COUNTER THE THREATS
    (pp. 24-32)

    According to the ISMS International User Group, an information security management system ‘is the means by which Senior Management monitors and controls their security, minimizing the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements’. Simply put, an ISMS is a framework which management employs to ensure a structured approach is taken to identify the business risks posed against key information assets and how best to manage, eliminate or mitigate those risks.

    An effective ISMS will be an integrated part of the overall management system within a company. This is to ensure that senior...

  10. CHAPTER 3: AN INTRODUCTION TO ISO27001
    (pp. 33-43)

    The ISO27000 family of standards, similar to the ISO9000 family of quality standards, provides a series of information security standards of which the ISO27001 information security standard is just one.

    The ISO27001 information security standard is a management system specification that provides organisations with an internationally recognised best-practice standard against which independent third-party verification of conformance can be provided. This provides an organisation, and its customers and partners, with the confidence that it is managing its security in accordance with recognised and audited best practices.

    The ISO27001 information security standard is a standard against which an organisation can certify its...

  11. CHAPTER 4: IDENTIFY YOUR INFORMATION ASSETS
    (pp. 44-48)

    In order to know what protections and controls you should implement, it is important that you first understand what it is you are trying to protect. The standard expects that all information assets within the scope of the implementation of ISO27001 have been properly identified and a value placed on them.

    So our first step in identifying our information assets should be to define the scope of the ISMS and identify what it will cover.

    The scope is one of the most important items in planning your implementation of ISO27001. How broadly you define the scope will impact the amount...

  12. CHAPTER 5: CONDUCTING A RISK ASSESSMENT
    (pp. 49-64)

    Effectively running and managing an ISMS requires the system to be based upon a solid risk assessment and subsequent risk management disciplines. This means you need to have a formal process in place to identify and rate the different types of information security risks that exist against your information assets in terms of their impact and the likelihood of occurrence.

    Once you have identified all the appropriate information security management risks, you need to put in place a formal process to assess and manage those risks. It is important that this process is one that you can repeat at regular...

  13. CHAPTER 6: AN OVERVIEW OF MICROSOFT TECHNOLOGIES
    (pp. 65-85)

    This chapter will provide an overview of the security features of the Microsoft technologies commonly found in most organisations. This book will provide you with enough information to understand the main security benefits provided by each technology, with useful implementation guidance. The technologies that we will focus on are:

    • Microsoft® Windows Server® 2008
    • Microsoft® Windows® 7
    • Microsoft® Forefront™
    • Microsoft® Forefront™ Threat Management Gateway
    • Microsoft® Systems Center
    • Microsoft® Windows Server® Update Services
    • Microsoft® Baseline Security Analyzer
    • Microsoft Security Risk Management Guide
    • Microsoft® Security Assessment Tool
    • Microsoft® Threat Analysis and Modeling Enterprise Edition
    • Microsoft® CAT.NET
    • Microsoft® Source Code Analyzer for SQL Injection

    We will...

  14. CHAPTER 7: IMPLEMENTING ISO27001 IN A MICROSOFT ENVIRONMENT
    (pp. 86-179)

    This section of this book will highlight how the various Microsoft technologies discussed previously can be deployed to implement controls selected as part of an ISMS based on the ISO27001 information security standard.

    As discussed earlier in this book, the ISO27001 information security standard does not focus solely on technology and therefore there are a number of controls that will not use Microsoft technology solutions. However, where possible we will try to identify how the Microsoft solutions can support the implementation or ongoing management of such controls.

    The following are extracts from the ISO27001 standard....

  15. CHAPTER 8: SECURING THE WINDOWS® ENVIRONMENT
    (pp. 180-189)

    This chapter describes how best to implement the security controls that you have selected as part of your ISO27001-based ISMS.

    The details in this chapter will focus on the key operating systems of Windows Server® 2008 and Windows® 7. While other Microsoft systems and applications may be referred to, the scope of this book does not provide the same level of technical detail for these other systems. Where possible, references to Microsoft resources will be made to enable the reader to research the information further.

    Furthermore, the reader is advised to ensure that all recommendations outlined in this book are...

  16. CHAPTER 9: SECURING THE MICROSOFT® WINDOWS SERVER® PLATFORM
    (pp. 190-195)

    Critical to the overall security of your network will be ensuring the security of the Windows Server® 2008 platform that provides a range of services to your client base.

    There are two types of server that will need to be considered when looking at securing the Windows Server® 2008 platform. These are:

    • Domain controllers
    • Member servers.

    A network based on Windows Server® 2008 technology stores all of its information about users, computers and other devices on the network in what is called Active Directory® Services. In order to manage the details stored within the Active Directory® devices, Windows Server® 2008...

  17. CHAPTER 10: AUDITING AND MONITORING
    (pp. 196-206)

    Microsoft® Windows Server® 2008 provides a comprehensive range of auditing and logging features. If configured correctly, these features will enable you to trace all user activity on your systems in the event you need to investigate technical or security incidents.

    The following sections outline some recommendations on how best to audit your Windows Server® 2008 environment.

    The recommendations below are based on the guides provided by Microsoft, The Center for Internet Security, The SANS Institute and the US National Institute of Standards and Technology. Please refer to Appendix 2 for more details on these resources.

    Note the parameters above that...

  18. CHAPTER 11: SECURING YOUR SERVERS
    (pp. 207-259)

    The following chapter outlines how you can enhance the security of your servers running Microsoft® Windows Server® 2008.

    To make these changes will require administrator access to the target systems. Note that some of the suggested settings may impact on certain applications or network services, particularly those provided by parties other than Microsoft. Therefore you should test each change thoroughly on a test system before introducing it into your production environment.

    The recommendations below are based on the guides provided by Microsoft, The Center for Internet Security, The SANS Institute and the US National Institute of Standards and Technology. Please...

  19. APPENDIX 1: OVERVIEW OF SECURITY SETTINGS FOR WINDOWS SERVER® 2008 SERVERS AND DOMAIN CONTROLLERS
    (pp. 260-305)
  20. APPENDIX 2: BIBLIOGRAPHY, REFERENCE AND FURTHER READING
    (pp. 306-309)
  21. ITG RESOURCES
    (pp. 310-312)