BS 7799/ISO 17799
BS7799 Upgrade Apr 20 2006 09:45AM
iso 27000 (is27001 gmail com) (2 replies)
Re: BS7799 Upgrade Apr 20 2006 11:19AM
Mike Gillespie (mike gillespie advent-im co uk)
RE: BS7799 Upgrade Apr 20 2006 10:12AM
Manu Nath (manu nath paladion net) (1 replies)
Re: BS7799 Upgrade Apr 20 2006 10:54AM
iso 27000 (is27001 gmail com) (2 replies)
RE: BS7799 Upgrade Apr 20 2006 01:55PM
Manu Nath (manu nath paladion net) (2 replies)
Re: BS7799 Upgrade Apr 21 2006 11:04AM
Anup Narayanan (anup anupnarayanan org)
Re: BS7799 Upgrade Apr 21 2006 03:20AM
iso 27000 (is27001 gmail com)
Re: BS7799 Upgrade Apr 20 2006 11:10AM
ljknews (ljknews mac com)
At 4:24 PM +0530 4/20/06, iso 27000 wrote:

> Could you please expand on the effectiveness part. That seems totally
> new. Has this to be done for each process, or for security as a
> whole, or am I not getting it!

I don't have ISO 27001 at hand, working more on the US Federal Government
NIST 800-53, but the principle should be the same, and individualized per
control.

Presume there is a policy that unused user-ids shall be disabled.
That is just a policy, but run over the system to check if there
is any user-id that is enabled but has gone more than N days without
being used. That is a measure of effectiveness of that policy --
otherwise it is just an expenditure in memo-writing.

Effectiveness is harder to measure on those policy items whose
assessment cannot be automated - like rules against taping the
password to the underside of the keyboard. That sounds like
work!
--
Larry Kilgallen

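The check Larry describes (look for user-ids that are still enabled but have gone more than N days without being used, and treat the count as the measure of the policy's effectiveness), worked through as an added example that is not code from the original thread. The `name,enabled,last_used` inventory format, the `never` marker and the sample rows are constructed assumptions; a real run would feed it a `lastlog`-style or directory export in whatever shape the site actually has.

```python
# Added example, not from the original thread: turning the "disable unused
# user-ids" policy into a measurable check. The inventory format
# (name,enabled,last_used) and the sample rows are constructed assumptions.
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    last_used: Optional[date]  # None means the account has never been used


# Fixed "as-of" date so the sample report is reproducible (assumed, not real).
AS_OF = date(2006, 4, 20)

# Constructed sample inventory, not real data. "never" is an assumed marker
# for accounts that have never logged in.
SAMPLE_INVENTORY = """\
# name,enabled,last_used
alice,yes,2006-04-19
bob,yes,2005-11-01
carol,no,2005-01-15
dave,yes,never
erin,yes,2006-02-01
"""


def parse_inventory(text: str) -> List[Account]:
    """Parse the CSV-like inventory; blank lines and '#' comments are skipped.

    Malformed rows raise ValueError rather than being silently dropped, so a
    broken export cannot masquerade as a clean one.
    """
    accounts: List[Account] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        name, enabled, last_used = parts
        if enabled.lower() not in ("yes", "no"):
            raise ValueError(f"line {lineno}: enabled must be yes or no")
        if last_used.lower() == "never":
            when: Optional[date] = None
        else:
            when = datetime.strptime(last_used, "%Y-%m-%d").date()
        accounts.append(Account(name, enabled.lower() == "yes", when))
    return accounts


def stale_accounts(accounts: List[Account], today: date, max_idle_days: int) -> List[str]:
    """Names of enabled accounts idle for more than max_idle_days.

    Disabled accounts are skipped (the policy has already been applied to
    them); a never-used account that is still enabled counts as stale.
    """
    stale = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_used is None or (today - acct.last_used).days > max_idle_days:
            stale.append(acct.name)
    return stale


def effectiveness(accounts: List[Account], today: date, max_idle_days: int) -> Dict[str, float]:
    """The metric itself: enabled accounts, how many violate the policy, and
    the fraction of enabled accounts that comply."""
    enabled = [a for a in accounts if a.enabled]
    stale = stale_accounts(accounts, today, max_idle_days)
    compliant = len(enabled) - len(stale)
    ratio = compliant / len(enabled) if enabled else 1.0
    return {"enabled": len(enabled), "stale": len(stale), "ratio": ratio}


if __name__ == "__main__":
    accounts = parse_inventory(SAMPLE_INVENTORY)
    stale = stale_accounts(accounts, AS_OF, 90)
    print("enabled accounts idle > 90 days:", ", ".join(stale) or "none")
    print("policy effectiveness:", effectiveness(accounts, AS_OF, 90))
```

Running the same function over the inventory on a schedule, with a fixed N, gives a number that can be tracked from one review to the next; a ratio that does not improve after the policy is issued is exactly the "expenditure in memo-writing" case the post warns about.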
Copyright 2010, SecurityFocus