ISO 27002
ISO 27002 is an international security standard or "code of practice for information security management" published by the ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission), two international standards organizations whose membership includes the standards bodies from many countries. ISO 27002 was originally published in October 2000 as ISO 17799. At that time, ISO 17799 was generally accepted as a replacement for the earlier BS 7799 standard which was published by the British Standards Institute. In 2007, the standard was renamed from ISO 17799 to ISO 27002 in order to align all information security standards under a common naming structure (the 'ISO 27000 series').
ISO 27001 is a specification for an Information Security Management System (ISMS). It is the foundation for third-party audit and certification. While other sets of information security controls may potentially be used within an ISO 27001 ISMS, the ISO 27002 standard is normally used in practice.
Business Problem
The challenge of dealing with the general controls compliance requirement for even one regulation can be intimidating and cost prohibitive. Multiply that by two or even three regulations and the complexity grows exponentially. How are mature organizations managing the challenge of demonstrating compliance with multiple regulations?
The key to success stems from identifying a common framework for implementation and mapping the regulatory requirements to that framework. Because the goal of ISO 27002 is to provide a comprehensive security framework, its requirements are very broad in their impact, typically affecting all aspects of an IT organization. This broad scope is the main reason why ISO 27002 has been adopted by many mature organizations as that common framework.
The NetIQ Solution
NetIQ solutions across systems management, security management and administration assist you in the planning, implementation and management of the controls necessary to meet the standards of ISO 27002. NetIQ has a variety of products for establishing written security policies, classifying and controlling access to systems and the information they contain, and reporting on areas of security weakness. NetIQ solutions also help control system and service failures and detect and eliminate viruses and worms.
- Performance Management – Meet service level commitments, end-user expectations and business-driven IT performance objectives, while reducing your operating costs.
- Security Management – Monitor your diverse security environment, resolve incidents and satisfy log management requirements without consuming all your time and resources.
- Configuration Management – Demonstrate IT compliance with policies and regulations through security configuration management, regulatory mapping and reporting.
- Change Control – Control and audit system changes to assure the integrity of your distributed IT infrastructure through time-based, task-specific permissions management.
- Windows Administration – Delegate and automate administrative tasks to streamline your work, while maximizing your return on Windows and Active Directory.
Key Features
In addressing the requirements to meet ISO 27002 standards across the working sections, NetIQ products can help in a number of areas, including:
Security Policy. NetIQ VigilEnt Policy Center automates the process of information security policy establishment, review and approval. The first step in achieving ISO 27002 standards acceptance is the creation of a formal, written set of Information Security policies. VigilEnt Policy Manager enables companies of all sizes and industries to develop a set of policies, standards and other internal security guidelines, and publish them to all stakeholders for review.
Access Control. NetIQ Directory and Resource Administrator gives you the ability to control administrative privilege at a granular level, enabling you to drastically reduce the number of users with elevated access to sensitive business information stored in Active Directory. It ensures consistency between the access controls of multiple systems and enforces separation of duties between development and operations teams.
Business Continuity Management. ISO 27002 standards require you to establish plans to reduce the risk of business interruption, limit the consequences of damaging incidents and ensure the timely resumption of operations. The NetIQ AppManager Suite provides you with the capability to manage service levels, ensure compliance with SLAs, decrease recovery time and more effectively resolve root causes of system and application problems that can result in outages. NetIQ Security Manager protects against intrusions, manages and correlates security events and sends notifications to appropriate personnel. It also delivers remediation, such as deletion of unauthorized processes or services and server shutdown upon virus detection.
Compliance. To succeed in adopting and using the ISO 27002 standards, compliance with the standards must be demonstrated. NetIQ Secure Configuration Manager assists in this by identifying and reporting on observed or suspected security weaknesses, including malicious software, multiple user IDs and accounts, weak passwords, inappropriate user access rights and systems lacking proper audit enablement.