WHITE PAPER

Achieving Effective IT Security with Continuous ISO 27001 Compliance

Date post: 20-Aug-2015
Upload: tripwire

Executive Summary

ISO 27001 is recognized internationally as a structured methodology for information security and is widely used as a benchmark for protecting sensitive and private information. In this white paper, learn how with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. Tripwire Enterprise provides organizations with powerful configuration control through its compliance policy management, change auditing, real-time analysis of change and one-touch access to remediation advice. You’ll also be introduced to Tripwire Log Center, Tripwire’s complete log and event management solution that also fulfills many controls specified in the ISO 27001 standard.

Tripwire, the leading provider of IT security and compliance automation solutions, helps organizations gain continuous compliance with regulations, standards like ISO 27001, and internal policy by helping them take control of security and compliance of their IT infrastructure. Tripwire security and compliance automation solutions include Tripwire Enterprise for configuration control and Tripwire Log Center for log and security event management. And Tripwire Customer Services can help organizations quickly maximize the value of their Tripwire technology implementation. Tripwire solutions deliver visibility across the entire IT infrastructure, intelligence to enable better and faster decisions, and automation that reduces manual, repetitive tasks.

In the increasingly regulated world of information security, uniform standards are sometimes hard to find. Numerous governmental laws and directives exist, but these typically cover specific types of data (such as the EU Data Protection Directive, PIPEDA and so forth covering sensitive personal information) or regulate a specific market sector or specific company function (such as internal controls on reporting of financial information to the public, as in Sarbanes-Oxley (SOX) and Japan’s Financial Instrument and Exchange Law, known as “JSOX”). Industry standards that are binding under a system of contracts also exist, but these are again limited to participants in a particular industry (most notably, PCI DSS for credit card merchants, members and service providers).

To what metric does an entity turn if it seeks an “umbrella”-like standard that is neither imposed by law nor specific to a certain industry? What benefits are achieved by implementing such a standard?

ISO 27001: THE UMBRELLA FOR ISMS

The one standard that cuts across all security-related operations and subject matter is the International Organization for Standardization’s ISO/IEC 27001. The ISO 27001 standard was published in October 2005 as a replacement for the BS 7799-2 standard. It is a certification standard for the creation and maintenance of an Information Security Management System (ISMS), and in that sense is more like a “globe” than a “roadmap” to information security. Organizations that seek ISO certification of their ISMS are examined against ISO 27001.

The objective of the standard is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving” a company’s ISMS. Its fundamental purpose is to act as a compendium of techniques for securing IT environments and thus effectively managing business risk as well as demonstrating regulatory compliance. The standard is not specific to any industry or business function.

The standard follows the four-part “Plan-Do-Check-Act” (PDCA) approach. It contains eight separate sections, the first three of which are introductory and the latter five of which outline actions to be taken:

• Section 4: Information Security Management System
  The entity must identify risks, adopt an ISMS plan tailored to these risks, and monitor, review, maintain and improve the ISMS.

• Section 5: Management Responsibility
  Management must adopt, implement and train staff on the ISMS.

• Section 6: Internal ISMS Audits
  Audit the ISMS at regular intervals.

• Section 7: Management Review
  Assess audit results and update the risk assessment to check the effectiveness of the ISMS.

• Section 8: ISMS Improvement
  Utilize continuous improvement, take corrective action and adopt measures for preventive action.

ISO 27001 does not, however, mandate specific procedures, nor does it define the implementation techniques for gaining certification. For further implementation steps, the standard points to a set of eleven control objectives and controls that are taken from ISO 17799:2005, “Information technology—Security techniques—Code of practice for information security management.”

BENEFITS OF ADOPTING ISO 27001

ISO 27001 is recognised internationally as a structured methodology for information security and is widely used as a benchmark for protecting sensitive and private information. A widely-held opinion is that ISO 27001 is an umbrella over other requirements of law or regulation (such as JSOX, SOX and the Data Protection Directive) or contractual standards (PCI DSS) because it requires companies to review such obligations when assessing risk under section 4.2.1.b)2).

Companies that choose to adopt ISO 27001 also demonstrate their commitment to high levels of information security, as the principles of the standard align well with the principles of the OECD Guidelines for the Security of Information Systems and Networks. It is also compatible with other management standards such as ISO 9001:2000 (Quality management systems—Requirements) and ISO 14001:2004 (Environmental management systems—Requirements with guidance for use). For these reasons, companies have adopted the standard because it works well with management principles or just makes good business sense.

In the current global marketplace, several benefits flow to a company that obtains certification to ISO 27001:

• Standardization of practice: Systems from different companies are more likely to work together if the same standard applies;

• An international standard: By complying with an international standard, management proves that they are taking due diligence in ensuring the security of their customer data. In fact, one of the stated reasons by Indian companies for certification is to demonstrate security readiness to their international customers;

• Alignment with the organisation: Fosters interdepartmental cooperation, as departments need to be in alignment in order to ensure certification;

• Alignment with industry groups: Cross-border industry groups can agree on a common standard rather than having to refer to country-specific legislation. For example, ISO 27001 is widely accepted and implemented throughout EMEA, many of whose members require their business partners to have certification before working with them;

• Alignment with governmental guidelines: Industry groups that are urged by governments to self-regulate can turn to a common standard. For example, adoption of such guidelines for privacy and security is encouraged by the Japanese government.

Tripwire Enterprise and the ISO 27001 Controls

The Tripwire Enterprise solution provides organisations with powerful configuration control through its compliance policy management, change auditing, real-time analysis of changes and one-touch access to remediation guidance. With Tripwire Enterprise, organisations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. This gives organisations immediate visibility into the state of their systems and, through automation, saves time and effort compared with manual efforts.

For non-compliant configurations, Tripwire Enterprise reports that condition as part of its risk assessment feature and offers remediation guidance for bringing the settings into compliance. Once this state has been achieved, Tripwire’s change auditing monitors systems for changes that could affect ISO 27001 compliance, maintaining the IT infrastructure in a known and trusted state.

Tripwire Enterprise then analyzes each change in real time using ChangeIQ™ capabilities. These capabilities automatically examine each change to see if it introduces risk or non-compliance. If it does, Tripwire Enterprise flags it for immediate attention and possible remediation; if not, Tripwire Enterprise auto-promotes it. Given that the majority of changes are intentional and beneficial, this auto-promotion capability saves IT countless hours of manually reviewing changes.

There are several controls in ISO 27001 that reference IT technology. Not all of them can be tested adequately with software, or are relevant to the IT infrastructure. Tripwire Enterprise provides two means of coverage for the ISO 27001 controls: compliance policy management, which proactively assesses settings and checks that they are compliant with the controls, and change auditing, which continuously monitors settings for changes that may take them out of compliance. For settings that are not compliant, Tripwire Enterprise provides the necessary remediation steps to bring that setting back into compliance. There are some controls that Tripwire Enterprise can address by using its industry-leading change monitoring. Tripwire can monitor various levels of settings as part of the Change Management controls that are specified in the ISO 27001 standard.

HIGH-PERFORMANCE LOG AND EVENT MANAGEMENT FROM TRIPWIRE

Tripwire Log Center also helps meet the log compliance requirements of ISO 27001 with ultra-efficient log management and sophisticated event management in a single, easy-to-deploy solution. When organizations combine Tripwire Log Center with Tripwire Enterprise, they broaden compliance coverage and reduce security risk by increasing visibility, intelligence and automation.

Controls addressed by Tripwire Enterprise include:

A.10 – COMMUNICATIONS AND OPERATIONS MANAGEMENT

A.10.1 – Operational Procedures and Responsibilities
The objective of this control is to ensure the correct and secure operation of information processing facilities.

10.1.2 Change Management
ISO 27001 requirement: Changes to information processing facilities and systems shall be controlled.
Tripwire Enterprise: Tripwire Enterprise can monitor any changes to file systems, databases and Active Directory, providing the what and who information for any changes that were made to critical systems, thus enforcing a sound change process.

10.1.3 Segregation of duties
ISO 27001 requirement: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets.
Tripwire Enterprise: Using Roles within Tripwire Enterprise, an organisation has complete control over who can have access to files, directories and critical areas within its IT infrastructure, thus preventing unauthorised or unintentional modifications of files.

10.1.4 Separation of development, test and operational facilities
ISO 27001 requirement: Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.
Tripwire Enterprise: User groups can be developed within Tripwire Enterprise to separate the duties of individuals within those groups, restricting permissions and file access rights where necessary to reduce the risk of any unauthorised or unintentional changes to systems.

A.10.2 – Third Party Service Delivery Management
The objective of this control is to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

10.2.3 Managing changes to third party services
ISO 27001 requirement: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.
Tripwire Enterprise: Tripwire Enterprise can monitor changes to critical systems and be aligned with applications, procedures and business systems to ensure changes don’t happen, and if they do, give visibility to those changes, thus reducing risk.

A.10.4 – Protection Against Malicious and Mobile Code
The objective of this control is to protect the integrity of software and information.

10.4.1 Controls against malicious code
ISO 27001 requirement: Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.
Tripwire Enterprise: By monitoring critical files, Tripwire Enterprise can detect when edits to files have been made, who made the edits, and whether code was changed, deleted or new code added, thus creating a process around code management and reducing the risk of malicious behavior.

A.10.6 – Network Security Management
The objective of this control is to ensure the protection of information in networks and the protection of the supporting infrastructure.

10.6.1 Network Controls
ISO 27001 requirement: Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
Tripwire Enterprise: Tripwire Enterprise provides critical assessment of network configuration settings to help maintain the ongoing security of internal systems and applications that rely upon the network. For example, ensuring that anonymous SID/name translation is disabled in the security options policy of a Windows 2003 Server. This setting prevents the null user from translating a binary SID into an actual account name, which may provide useful information that could be used in an attack.

10.6.2 Security of Network Services
ISO 27001 requirement: Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.
Tripwire Enterprise: Maintaining security best practices on important network services is crucial for securing any network. Tripwire Enterprise provides ongoing assessment of network services to measure individual compliance with established best practices. For example, validating that the License Logging Service is disabled on a Windows system. This service is a license-management tool with a vulnerability that permits remote code execution. Disabling this service, as well as other unnecessary services, is a security best practice that helps limit avenues of attack.

A.10.7 – Media Handling
The objective of this control is to prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities.

10.7.1 Management of Removable Media
ISO 27001 requirement: There should be procedures in place for the management of removable media.
Tripwire Enterprise: An unmanaged approach to removable media can be a serious vulnerability. Tripwire Enterprise provides assurance that system configuration settings are configured to reduce common risks associated with removable media. For example, ensuring that security options on a Windows system are configured to only allow administrators to format and eject removable NTFS media.

A.10.8 – Exchange of Information
The objective of this control is to maintain the security of information and software exchanged within an organisation and with any external entity.

10.8.1 Information Exchange Policies and Procedures
ISO 27001 requirement: Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communications facilities.
Tripwire Enterprise: Compliance policy management helps to ensure that proper measures are in place to safeguard the exchange of information and eliminate unnecessary communication risks. For example, verifying that the NetMeeting Remote Desktop Sharing Service is disabled on a Windows system. This service supports NetMeeting, but may be subject to hacker attacks and buffer overflows.

10.8.5 Business Information Systems
ISO 27001 requirement: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.
Tripwire Enterprise: Tripwire Enterprise verifies that proper system configuration settings are used to safeguard information necessary for disparate business information systems to interconnect. For example, ensuring that strong key protection is required for user keys stored on a covered system. Strong key protection requires users to enter a password associated with a key every time they use the key. This helps prevent user keys from being compromised if a computer is stolen or hijacked.

A.10.9 – Electronic Commerce Services
The objective of this control is to ensure the security of electronic commerce services, and their secure use.

10.9.3 Publicly Available Information
ISO 27001 requirement: The integrity of information being made available on a publicly available system shall be protected to prevent unauthorised modification.
Tripwire Enterprise: Tripwire Enterprise provides the use of “roles” to restrict unauthorised access to important files as well as the necessary monitoring of these files such that changes made are flagged and alerts sent to pertinent individuals.

A.10.10 – Monitoring
The objective of this control is to detect unauthorised information processing activities.

10.10.1 Audit Logging
ISO 27001 requirement: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise verifies that important audit logging settings are configured to support possible audit investigations and ongoing access control monitoring.

10.10.3 Protection of Log Information
ISO 27001 requirement: Logging facilities and log information shall be protected against tampering and unauthorised access.
Tripwire Enterprise: Assuming that other log settings are configured correctly, a problem with logging events could indicate a security threat. The compliance policy manager in Tripwire Enterprise verifies that security options are configured to shut down a system if an event cannot be logged to the security log for any reason.

10.10.4 Administrator and Operator Logs
ISO 27001 requirement: System administrator and system operator activities shall be logged.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise verifies that application, system and security logs can be configured for the necessary storage capacity. For example, the maximum size of the security log should be at least 80 MB to store an adequate amount of log data for auditing purposes.

10.10.6 Clock Synchronisation
ISO 27001 requirement: The clocks of all relevant information processing systems within an organisation or security domain shall be synchronised with an agreed accurate time source.
Tripwire Enterprise: For Windows systems, the compliance policy manager in Tripwire Enterprise determines if the Windows Time Service is used and that the system is configured to synchronise with a secure, authorised time source.

A.11 – ACCESS CONTROL

A.11.2 – User Access Management
The objective of this control is to ensure authorised user access and to prevent unauthorised access to information systems.

11.2.2 Privilege Management
ISO 27001 requirement: The allocation and use of privileges shall be restricted and controlled.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise tests numerous privilege-related settings to ensure restrictions are in place and configured correctly. For example, Windows systems should be configured to disallow the granting of the SeTcbPrivilege right to any user. This right allows users to access the operating system in the Local System security context, which overrides the permissions granted by user group memberships.

A.11.3 – User Responsibilities
The objective of this control is to prevent unauthorised user access, and compromise or theft of information and information processing facilities.

11.3.1 Password Use
ISO 27001 requirement: Users shall be required to follow good security practices in the selection and use of passwords.
Tripwire Enterprise: Enforcing proper password security standards is critical to securing any system. The compliance policy manager in Tripwire Enterprise verifies that common best practices are being used for password-related properties such as complexity, minimum length and maximum age.

11.3.2 Unattended User Equipment
ISO 27001 requirement: Users shall ensure that unattended equipment has appropriate protection.
Tripwire Enterprise: Tripwire Enterprise verifies that each system is configured to use a password-protected screen saver that activates within the appropriate idle time and offers no grace period before password entry is required.

11.3.3 Clear Desk and Clear Screen Policy
ISO 27001 requirement: A clear desk policy for papers and removable media and a clear screen policy for information processing facilities shall be adopted.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise validates that the current user has a password-protected screen saver that is active.

A.11.4 – Network Access Control
The objective of this control is to prevent unauthorised access to networked services.

11.4.1 Policy on Use of Network Services
ISO 27001 requirement: Users shall only be provided with access to the services that they have been specifically authorised to use.
Tripwire Enterprise: Tripwire Enterprise provides a number of compliance policy management tests that help ensure proper access to services is maintained. For example, verifying that a system restricts anonymous access to named pipes and shares to those that are specifically listed in other security options. This configuration helps protect named pipes and shares from unauthorised access.

11.4.2 User Authentication for External Connections
ISO 27001 requirement: Appropriate authentication methods shall be used to control access by remote users.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise can help verify that proper authentication methods are in place to control access by remote users. For example, refusing to allow a remote login when a user attempts to use a blank password (even if the blank password is valid for that account).

11.4.3 Equipment Identification in Networks
ISO 27001 requirement: Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment.
Tripwire Enterprise: Tripwire Enterprise verifies that the security options for a Windows 2003 domain controller are configured to allow a domain member to change its computer account password. If the domain controller does not permit a domain member to change its password, the domain member computer is more vulnerable to a password attack.

11.4.4 Remote Diagnostic and Configuration Port Protection
ISO 27001 requirement: Physical and logical access to diagnostic and configuration ports shall be controlled.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise tests a number of remote access settings to ensure they meet established guidelines for controlling remote access. For example, verifying that the Remote Desktop Help Session Manager Service is disabled on a Windows system.

11.4.6 Network Connection Control
ISO 27001 requirement: For shared networks, the capability of users to connect to the network shall be restricted, in line with the access control policy.
Tripwire Enterprise: Tripwire Enterprise helps validate that controls are in place to enforce proper network connection restrictions on shared networks. For example, always requiring passwords and appropriate encryption levels when using Terminal Services.

11.4.7 Network Routing Control
ISO 27001 requirement: Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of business applications.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise can assist with the ongoing validation of your access control policy by verifying that proper routing controls are in place and configured correctly. For example, on a Windows system with two valid networking devices installed, source-routed traffic that passes through the device can spoof the device into thinking that the traffic came from a safe source.

A.11.5 – Operating System Access Control
The objective of this control is to prevent unauthorised access to operating systems.

11.5.1 Secure Log-on Procedures
ISO 27001 requirement: Access to operating systems shall be controlled by a secure log-on procedure.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise can assess important log-on settings to determine whether they support an overall secure log-on procedure. For example, not displaying the last valid user name and requiring the use of the CTRL+ALT+DEL keys to force the use of the Windows authentication process.

11.5.2 User Identification and Authentication
ISO 27001 requirement: All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.
Tripwire Enterprise: Proper authentication of user IDs is a fundamental component of controlling operating system access. Tripwire Enterprise provides critical tests to assess authentication settings. For example, verifying that the LAN Manager authentication model for a Windows system is configured correctly so it will only send NTLMv2 authentication and refuse all LM authentication challenges.

11.5.3 Password Management System
ISO 27001 requirement: Systems for managing passwords shall be interactive and ensure quality passwords.
Tripwire Enterprise: Ensuring quality passwords requires proper configuration of password-related settings. Tripwire Enterprise can assess these settings and provide assurance that all passwords being used meet minimum quality requirements. For example, enforcing the use of strong passwords and restricting password reuse/history.

11.5.4 Use of System Utilities
ISO 27001 requirement: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise can help maintain a strict policy on the use of utility programs. For example, verifying that the FTP Publishing Service and TFTP Daemon Service are both disabled, or that the SeDebugPrivilege right is not assigned to any users on a Windows system. This right gives users the ability to debug any process on the system and is susceptible to exploits that collect account names, passwords, and other sensitive data from the Local Security Authority (LSA).

11.5.5 Session Time-Out
ISO 27001 requirement: Inactive sessions shall shut down after a defined period of inactivity.
Tripwire Enterprise: Tripwire Enterprise will verify that an appropriate idle session time-out is established. In the case of Windows systems that communicate using the Server Message Block (SMB) protocol, the compliance policy manager in Tripwire Enterprise will test that the idle session timeout threshold is set to 15 minutes or less.

11.5.6 Limitation of Connection Time
ISO 27001 requirement: Restrictions on connection times shall be used to provide additional security for high-risk applications.
Tripwire Enterprise: There are a number of ways to restrict connection times as part of an enhanced security protocol for high-risk applications. Tripwire Enterprise can determine if best practices are being used, such as setting appropriate time limits for Terminal Services sessions and using Group Policy to restrict connections to designated hours of the day.

A.11.6 – Application and Information Access Control
The objective of this control is to prevent unauthorised access to information held in application systems.

11.6.1 Information Access Restriction
ISO 27001 requirement: Access to information and application systems functions by users and support personnel shall be restricted in accordance with the defined access control policy.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise provides out-of-the-box tests that help establish an acceptable information access control policy. For example, ensuring that critical file and registry permissions have been set properly to restrict access.

A.11.7 – Mobile Computing and Telecommuting
The objective of this control is to ensure information security when using mobile computing and telecommuting facilities.

11.7.1 Mobile Computing and Communications
ISO 27001 requirement: A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communications facilities.
Tripwire Enterprise: Mobile computing and related communications pose unique risks that necessitate additional security measures. The compliance policy manager in Tripwire Enterprise can help mitigate these risks by determining if established best practices are in use. For example, verifying that Windows systems are configured to negotiate signed communications with any Server Message Block (SMB) server. By supporting mutual authentication and protection against packet tampering, signed communication helps to protect against man-in-the-middle attacks.
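The Windows security options catalogued in the A.10 and A.11 tables above can be checked without a product, by exporting the local security policy and comparing each setting with the state the paper calls for. The script below is an added example, not the paper's or Tripwire's code: it parses the INF text that `secedit /export /cfg` writes, maps each setting to the ISO 27001 control the paper assigns it, and reports PASS, FAIL or NOT CONFIGURED. The export embedded in it is constructed for the demo; the pass conditions are the values stated in the tables (anonymous SID/name translation off, log at least 80 MB, NTLMv2 only, SMB idle timeout at most 15 minutes, and so on).

```python
"""Added example: evaluate a Windows security-policy export against the
ISO 27001 settings named in this paper.  Input is the INF produced by
`secedit /export /cfg <file>`; SAMPLE_EXPORT is CONSTRUCTED and fails four checks."""
import re

SAMPLE_EXPORT = r"""
[System Access]
LSAAnonymousNameLookup = 0
[Security Log]
MaximumLogSize = 16384
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection=4,2
[Privilege Rights]
SeTcbPrivilege =
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_secedit(text):
    """Return {section: {key: value}}.  Registry Values are stored as
    'type,data' (4 = REG_DWORD -> int, 1 = REG_SZ -> quoted str);
    Privilege Rights become the list of SIDs/names holding the right."""
    policy, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            policy.setdefault(section, {})
            continue
        if section is None:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "Registry Values":
            kind, _, data = value.partition(",")
            value = int(data) if kind == "4" else data.strip('"')
        elif section == "Privilege Rights":
            value = [v.strip() for v in value.split(",") if v.strip()]
        elif re.fullmatch(r"-?\d+", value):
            value = int(value)
        policy[section][key] = value
    return policy

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SVC = r"MACHINE\System\CurrentControlSet\Services"
# (ISO 27001 control as numbered in the paper, INF section, key, pass test, expected state)
CHECKS = [
    ("10.6.1", "System Access", "LSAAnonymousNameLookup", lambda v: v == 0,
     "anonymous SID/name translation disabled"),
    ("10.7.1", "Registry Values", r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD",
     lambda v: v == "0", "only Administrators may format/eject removable media"),
    ("10.8.5", "Registry Values", r"MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection",
     lambda v: v == 2, "strong key protection: password required on every key use"),
    ("10.10.3", "Registry Values", LSA + r"\CrashOnAuditFail", lambda v: v == 1,
     "shut down if a security event cannot be logged"),
    ("10.10.4", "Security Log", "MaximumLogSize", lambda v: v >= 80 * 1024,
     "security log at least 80 MB (value is in KB)"),
    ("11.2.2", "Privilege Rights", "SeTcbPrivilege", lambda v: v == [],
     "SeTcbPrivilege granted to no one"),
    ("11.4.2", "Registry Values", LSA + r"\LimitBlankPasswordUse", lambda v: v == 1,
     "blank passwords refused for remote logon"),
    ("11.5.2", "Registry Values", LSA + r"\LmCompatibilityLevel", lambda v: v == 5,
     "send NTLMv2 only, refuse LM and NTLM"),
    ("11.5.4", "Privilege Rights", "SeDebugPrivilege", lambda v: v == [],
     "SeDebugPrivilege assigned to no user"),
    ("11.5.5", "Registry Values", SVC + r"\LanManServer\Parameters\AutoDisconnect",
     lambda v: 1 <= v <= 15, "SMB idle session timeout 15 minutes or less"),
    ("11.7.1", "Registry Values", SVC + r"\LanmanWorkstation\Parameters\EnableSecuritySignature",
     lambda v: v == 1, "client negotiates signed SMB communications"),
]

def evaluate(policy):
    """Return (control, setting, status, expected) rows.  A setting missing from
    the export is reported as NOT CONFIGURED, never silently passed."""
    rows = []
    for control, section, key, ok, expected in CHECKS:
        present = key in policy.get(section, {})
        status = ("PASS" if ok(policy[section][key]) else "FAIL") if present else "NOT CONFIGURED"
        rows.append((control, key.rsplit("\\", 1)[-1], status, expected))
    return rows

def failing_controls(export_text):
    return sorted({c for c, _, s, _ in evaluate(parse_secedit(export_text)) if s != "PASS"})

if __name__ == "__main__":
    for control, setting, status, expected in evaluate(parse_secedit(SAMPLE_EXPORT)):
        print(f"{status:<15} A.{control:<8} {setting:<24} expected: {expected}")
```

To run it against a real host, export with `secedit /export /cfg policy.inf` and feed the file's text to `parse_secedit` (secedit writes the file as UTF-16, so open it with `encoding="utf-16"`).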

A.12 – INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.12.2 – Correct Processing in Applications
The objective of this control is to prevent errors, loss, unauthorised modifications or misuse of information in applications.

12.2.2 Control of Internal processing
ISO 27001 requirement: Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
Tripwire Enterprise: By monitoring changes that occur within applications, Tripwire Enterprise can detect any changes to critical files, and monitor who may have introduced errors that caused file corruption.

A.12.4 – Security of System Files

The objective of this control is to ensure the security of system files.

Subsection 12.4.1 – Control of operational software

ISO 27001 requirement: There shall be procedures in place to control the installation of software on operational systems.

Tripwire Enterprise: Tripwire Enterprise detects changes to the operating system, including new software installations, when each was installed and who performed the installation. It can also be integrated with change ticketing systems so that each detected installation is reconciled against an authorising ticket and reported as authorised or unauthorised.

A.12.5 – Security in Development and Support Processes

The objective of this control is to maintain the security of application system software and information.

Subsection 12.5.1 – Change control procedures

ISO 27001 requirement: The implementation of changes shall be controlled by the use of formal change control procedures.

Tripwire Enterprise: Tripwire Enterprise is the industry leader in change audit and detection and should be an integral part of any formal change control procedure. It is also integrated with major change ticketing systems, so that every detected change can be matched to an approved request and any change without one is flagged.

Subsection 12.5.2 – Technical review of applications after operating system changes

ISO 27001 requirement: When operating systems are changed, business-critical applications shall be reviewed and tested to ensure there is no adverse impact on organisational operations or security.

Tripwire Enterprise: Tripwire Enterprise provides several reports on changes to systems, with links that show exactly which systems changed and who made the changes. Reviewing these reports alongside the post-change testing gives a documented audit trail of what the operating system change actually touched, so unintended effects on business-critical applications are caught and either approved or rolled back before they affect operations.

Subsection 12.5.3 – Restrictions on changes to software packages

ISO 27001 requirement: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

Tripwire Enterprise: Tripwire Enterprise monitors all changes on the systems it is configured to watch, reporting which files have been modified, added or deleted. Detection supports control rather than replacing it: the modifications it reports are controlled only when each one is reconciled against an approved change, as in 12.5.1, and any unreconciled modification to a package is treated as a finding.
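The change detection relied on in 12.2.2, 12.4.1 and 12.5.3 above rests on one mechanism: a baseline of each monitored file's content and attributes, compared against a fresh snapshot. The following is an added example of that mechanism (not Tripwire code and not its baseline format). The monitored tree, its files and the changes made to them are constructed inside run_demo() so the example runs offline; the file names are illustrative only.

```python
# Added example (not Tripwire code): a minimal file-integrity baseline and
# compare. The tree, files and changes are all constructed in run_demo().
import hashlib
import os
import stat
import tempfile

IS_POSIX = os.name == "posix"   # permission-bit changes are only meaningful here


def snapshot(root):
    """Record (sha256, size, permission bits) for every regular file under root.

    Keys are forward-slash relative paths so baselines compare across platforms.
    Symlinks, sockets and devices are skipped rather than followed.
    """
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (digest.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))
    return result


def compare(baseline, current):
    """Classify paths as added, deleted or modified; a mode-only change counts as modified."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def run_demo():
    """Constructed scenario: baseline a small config tree, then make four changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "init.d"))
        originals = {
            "passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "ssh_config": "PasswordAuthentication no\n",
            "init.d/cron": "#!/bin/sh\nexec /usr/sbin/cron\n",
        }
        for rel, text in originals.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        os.chmod(os.path.join(root, "init.d/cron"), 0o755)
        baseline = snapshot(root)

        # Changes an unauthorised actor or a bad deployment might make:
        with open(os.path.join(root, "ssh_config"), "w") as fh:
            fh.write("PasswordAuthentication yes\n")           # weakened setting
        with open(os.path.join(root, "init.d/backdoor"), "w") as fh:
            fh.write("#!/bin/sh\n")                            # new startup script
        os.remove(os.path.join(root, "passwd"))                # deleted file
        os.chmod(os.path.join(root, "init.d/cron"), 0o777)     # now world-writable

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Permission bits are part of the baseline on purpose: a script whose content is untouched but which has become world-writable is a change worth reporting. This example records what changed; the "who" column in the reports described above requires data from the operating system's audit subsystem, which this example does not collect.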


A.13 – INFORMATION SECURITY INCIDENT MANAGEMENT

A.13.2 – Management of Information Security Incidents and Improvements

The objective of this control is to ensure a consistent and effective approach is applied to the management of information security incidents.

Subsection 13.2.3 – Collection of evidence

ISO 27001 requirement: Where a follow-up action against a person or organisation after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

Tripwire Enterprise: The audit trail and reporting capabilities in Tripwire Enterprise document changes to systems that could introduce vulnerabilities or constitute security incidents, including the account responsible for each change. Such records attribute a change to an account rather than proving which person acted, and they must themselves be retained intact, with access to them restricted (see 15.3.2), if they are to be presented as evidence.

A.15 – COMPLIANCE

A.15.2 – Compliance with Security Policies and Standards, and Technical Compliance

The objective of this control is to ensure compliance of systems with organisational security policies and standards.

Subsection 15.2.2 – Technical compliance checking

ISO 27001 requirement: Information systems shall be regularly checked for compliance with security implementation standards.

Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise runs such checks continuously rather than only at audit time; for example, it validates that each Windows Server 2003 host has the latest service pack installed.

A.15.3 – Information Systems Audit Considerations

The objective of this control is to maximise the effectiveness of, and to minimise interference to/from, the information systems audit process.

Subsection 15.3.1 – Information systems audit controls

ISO 27001 requirement: Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimise the risk of disruptions to business processes.

Tripwire Enterprise: Tripwire Enterprise provides documented audit evidence of system compliance and of changes to IT systems. By incorporating Tripwire Enterprise in the change management process, changes are monitored and documented, and if a change disrupts a business process it can be identified immediately, reconciled and remediated.

Subsection 15.3.2 – Protection of information systems audit tools

ISO 27001 requirement: Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.

Tripwire Enterprise: Roles and user groups in Tripwire Enterprise limit access to the product, and to the audit data it holds, to users with the appropriate permissions. Installation requires a user with administrative privileges; users can then be granted full access, read-only access, or one of several roles in between, which is the mechanism for keeping the audit tool and its records out of reach of the people whose systems it monitors.


Sample Policy Test and Change Audit Screenshots from Tripwire Enterprise

Screenshot showing assessments that address the Communications and Operations Management control, specifically section A.10.6.2, Security of Network Services. This section checks that services that do not need to be enabled are explicitly disabled.

Screenshot showing assessments that address the Compliance control. Specifically, section A.15.2.2, Technical Compliance Checking. This is a check that the appropriate packages are installed for that system.

Screenshot showing assessments that address the Access Control clause of ISO 27001, specifically section A.11.6, Operating System Access Control. These controls deal with permissions and authentication processes within the operating system.

Screenshot showing default role types in Tripwire Enterprise with different access rights and permissions described, depending on the role. New roles can be created and permissions set up accordingly.


Tripwire Enterprise Change Process Compliance report, highlighting authorized vs. unauthorized changes to a system.

Tripwire Enterprise Detailed Changes report showing detailed information on what changes were made, when they occurred and who made the changes.


The Nodes With Changes report shows which systems had changes, when they occurred and other details.



ABOUT TRIPWIRE

Tripwire is the leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Over 7,000 customers in more than 86 countries rely on Tripwire's integrated solutions. Tripwire VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively prove continuous compliance, mitigate risk, and achieve operational control through Visibility, Intelligence and Automation. Learn more at tripwire.com.

©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WP2714a

