Controls Map

With the recent release of ISO17799:2005 and CObIT4 I guess I need to rewrite my controls map (not to mention the long list of privacy laws debated in California during 2005). I really like the ISO revision, but am still catching up with CObIT. One of the challenges of helping organizations stay on top of their controls is choosing the right blend of guidance and frameworks. I’m not saying you have to use a blend, but since they are never a perfect fit and different groups have their favorites (Auditors love COSO/CObIT, Engineers go for ISO, Ex-gov bring up the NSA and NIST, etc.) I find it helps to pull it all together into a shared map. For example:

SYSTEM INTEGRITY – Controls that ensure the integrity of the environment by utilizing proactive measures to prevent and detect unauthorized changes.

  • Gateway Filtering
  • Anti-virus
  • Encryption
  • Access Controls

  • ISO.17799 (8)(3) – Protection against malicious software
  • ISO.17799 (8)(7) – Exchange of information & software
  • ISO.17799 (10)(3) – Cryptographic controls
  • ISO.17799 (10)(5) – Security of system files
  • NIST.800-14 (3)(14) – Cryptography
  • NSA IAM (9) – Virus protection
  • AB 1950 (Wiggins) – California State Personal Information Security
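As an added example (not part of the original post), here is a small Python script that holds a map in exactly the shape above, inverts it so each group can read its own framework's view of the controls, and reports which domains cite nothing from a framework a stakeholder expects. The SYSTEM INTEGRITY data and the "<framework> (clause)(sub-clause) – title" notation come from the post; the list of required frameworks passed to the gap check is an assumption drawn from the groups named in the text.

```python
import re

# Reference notation used on the page: "<framework> (<clause>)(<sub-clause>) – <title>"
_REF_RE = re.compile(r"^(?P<framework>[^(]+?)\s*(?P<clauses>(?:\([^)]*\)\s*)+)(?:[–-]\s*(?P<title>.*))?$")

def parse_reference(ref):
    # Split one reference string into (framework, clause path, title).
    m = _REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unrecognised reference: {ref!r}")
    clauses = tuple(re.findall(r"\(([^)]*)\)", m.group("clauses")))
    return m.group("framework").strip(), clauses, (m.group("title") or "").strip()

# The SYSTEM INTEGRITY entry from the post; further domains are added in the same shape.
CONTROLS_MAP = {
    "SYSTEM INTEGRITY": {
        "controls": ["Gateway Filtering", "Anti-virus", "Encryption", "Access Controls"],
        "references": [
            "ISO.17799 (8)(3) – Protection against malicious software",
            "ISO.17799 (8)(7) – Exchange of information & software",
            "ISO.17799 (10)(3) – Cryptographic controls",
            "ISO.17799 (10)(5) – Security of system files",
            "NIST.800-14 (3)(14) – Cryptography",
            "NSA IAM (9) – Virus protection",
            "AB 1950 (Wiggins) – California State Personal Information Security",
        ],
    },
}

def index_by_framework(controls_map):
    # Invert the map so each group sees its own framework: framework -> [(domain, clause path, title)].
    index = {}
    for domain, entry in controls_map.items():
        for ref in entry["references"]:
            framework, clauses, title = parse_reference(ref)
            index.setdefault(framework, []).append((domain, clauses, title))
    return {fw: sorted(refs) for fw, refs in index.items()}

def coverage_gaps(controls_map, required_frameworks):
    # For each domain, the required frameworks from which it cites no clause at all.
    gaps = {}
    for domain, entry in controls_map.items():
        cited = {parse_reference(r)[0] for r in entry["references"]}
        missing = [fw for fw in required_frameworks if fw not in cited]
        if missing:
            gaps[domain] = missing
    return gaps

if __name__ == "__main__":
    print(coverage_gaps(CONTROLS_MAP, ["COSO", "CObIT", "ISO.17799", "NIST.800-14", "NSA IAM"]))
```

With the post's data the gap report flags that SYSTEM INTEGRITY cites no COSO or CObIT clause yet, which is the kind of hole the auditors' group would raise first.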
