The Tripwire Enterprise solution provides organizations with powerful configuration control through its configuration assessment and change auditing capabilities. In this white paper, learn how with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. This provides immediate visibility into the state of their systems, and through automating the process, saves time and effort over manual efforts.
White Paper here: http://www.tripwire.com/register/effective-security-with-a-continuous-approach-to-iso-27001-compliance/
Executive Summary
ISO 27001 is recognized internationally as a structured methodology for information security and is widely used as a benchmark for protecting sensitive and private information. In this white paper, learn how with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. Tripwire Enterprise provides organizations with powerful configuration control through its compliance policy management, change auditing, real-time analysis of change and one-touch access to remediation advice. You'll also be introduced to Tripwire Log Center, Tripwire's complete log and event management solution that also fulfills many controls specified in the ISO 27001 standard.

Tripwire, the leading provider of IT security and compliance automation solutions, helps organizations gain continuous compliance with regulations, standards like ISO 27001, and internal policy by helping them take control of security and compliance of their IT infrastructure. Tripwire security and compliance automation solutions include Tripwire Enterprise for configuration control and Tripwire Log Center for log and security event management. Tripwire Customer Services can help organizations quickly maximize the value of their Tripwire technology implementation. Tripwire solutions deliver visibility across the entire IT infrastructure, intelligence to enable better and faster decisions, and automation that reduces manual, repetitive tasks.

In the increasingly regulated world of information security, uniform standards are sometimes hard to find. Numerous governmental laws and directives exist, but these typically cover specific types of data (such as the EU Data Protection Directive, PIPEDA and so forth covering sensitive personal information) or regulate a specific market sector or specific company function (such as internal controls on reporting of financial information to the public, as in Sarbanes-Oxley (SOX) and Japan's Financial Instruments and Exchange Law, known as "JSOX"). Industry standards that are binding under a system of contracts also exist, but these are again limited to participants in a particular industry (most notably, PCI DSS for credit card merchants, members and service providers).

To what metric does an entity turn if it seeks an "umbrella"-like standard that is neither imposed by law nor specific to a certain industry? What benefits are achieved by implementing such a standard?

ISO 27001: THE UMBRELLA FOR ISMS
The one standard that cuts across all security-related operations and subject matter is ISO/IEC 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO 27001 standard was published in October 2005 as a replacement for the BS 7799-2 standard. It is a certification standard for the creation and maintenance of an Information Security Management System (ISMS), and in that sense is more like a "globe" than a "roadmap" to information security. Organizations that seek ISO certification of their ISMS are examined against ISO 27001. The objective of the standard is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving" a company's ISMS. Its fundamental purpose is to act as a compendium of techniques for securing IT environments and thus effectively managing business risk as well as demonstrating regulatory compliance. The standard is not specific to any industry or business function.

The standard follows the four-part "Plan-Do-Check-Act" (PDCA) approach. It contains eight separate sections, the first three of which are introductory and the latter five of which outline actions to be taken:
• Section 4: Information Security Management System. The entity must identify risks, adopt an ISMS plan tailored to these risks, and monitor, review, maintain and improve the ISMS.
• Section 5: Management Responsibility. Management must adopt, implement and train staff on the ISMS.
• Section 6: Internal ISMS Audits. Audit the ISMS at regular intervals.
• Section 7: Management Review. Assess audit results and update the risk assessment to check the effectiveness of the ISMS.
• Section 8: ISMS Improvement. Utilize continuous improvement, take corrective action and adopt measures for preventive action.
2 | WHITE PAPER | Achieving Effective IT Security with Continuous ISO 27001 Compliance
ISO 27001 does not, however, mandate specific procedures nor define the implementation techniques for gaining certification. For further implementation steps, the standard points to Annex A, eleven groups of control objectives and controls that are aligned with ISO 17799:2005, "Information technology—Security techniques—Code of practice for information security management."

BENEFITS OF ADOPTING ISO 27001
ISO 27001 is recognised internationally as a structured methodology for information security and is widely used as a benchmark for protecting sensitive and private information. A widely-held opinion is that ISO 27001 is an umbrella over other requirements of law or regulation (such as JSOX, SOX and the Data Protection Directive) or contractual standards (PCI DSS) because it requires companies to review such obligations when assessing risk under section 4.2.1 b) 2).

Companies that choose to adopt ISO 27001 also demonstrate their commitment to high levels of information security, as the principles of the standard sync well with the principles of the OECD Guidelines for the Security of Information Systems and Networks. It is also compatible with other management standards such as ISO 9001:2000 (Quality management systems—Requirements) and ISO 14001:2004 (Environmental management systems—Requirements with guidance for use). For these reasons, companies have adopted the standard because it works well with existing management principles or simply makes good business sense.

In the current global marketplace, several benefits flow to a company that obtains certification to ISO 27001:
• Standardization of practice: Systems from different companies are more likely to work together if the same standard applies;
• An international standard: By complying with an international standard, management proves that they are taking due diligence in ensuring the security of their customer data. In fact, one of the stated reasons by Indian companies for certification is to demonstrate security readiness to their international customers;
• Alignment with the organisation: Fosters interdepartmental cooperation, as departments need to be in alignment in order to ensure certification;
• Alignment with industry groups: Cross-border industry groups can agree on a common standard rather than having to refer to country-specific legislation. For example, ISO 27001 is widely accepted and implemented throughout EMEA, many of whose members require their business partners to have certification before working with them;
• Alignment with governmental guidelines: Industry groups that are urged by governments to self-regulate can turn to a common standard. For example, adoption of such guidelines for privacy and security is encouraged by the Japanese government.

Tripwire Enterprise and the ISO 27001 Controls
The Tripwire Enterprise solution provides organisations with powerful configuration control through its compliance policy management, change auditing, real-time analysis of changes and one-touch access to remediation guidance. With Tripwire Enterprise, organisations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. This provides organisations immediate visibility into the state of their systems, and through automation, saves time and effort over manual efforts.

For non-compliant configurations, Tripwire Enterprise reports that condition as part of its risk assessment feature and offers remediation guidance for bringing the settings into compliance. Once this state has been achieved, Tripwire's change auditing monitors systems for changes that could affect ISO 27001 compliance, maintaining the IT infrastructure in a known and trusted state.

Tripwire Enterprise then analyzes each change in real time using ChangeIQ™ capabilities. These capabilities automatically examine each change to see if it introduces risk or non-compliance. If it does, Tripwire Enterprise flags it for immediate attention and possible remediation; if not, Tripwire Enterprise auto-promotes it. Given that the majority of changes are intentional and beneficial, this auto-promotion capability saves IT countless hours manually reviewing changes.

There are several controls that reference IT technology in ISO 27001. Not all can be tested adequately with software, or are relevant to the IT infrastructure. Tripwire Enterprise provides two means of coverage for the ISO 27001 controls: compliance policy management, which proactively assesses settings and checks that they are compliant against the controls, and change auditing, which continuously monitors settings for changes that may take them out of compliance. For settings that are not compliant, Tripwire Enterprise provides the necessary remediation steps to bring that setting back into compliance. There are some controls that Tripwire Enterprise can address by using its industry-leading change monitoring. Tripwire can monitor various levels of settings as part of the Change Management controls that are specified in the ISO 27001 standard.

HIGH PERFORMANCE LOG AND EVENT MANAGEMENT FROM TRIPWIRE
Tripwire Log Center also helps meet the log compliance requirements of ISO 27001 with ultra-efficient log management and sophisticated event management in a single, easy-to-deploy solution. When organizations combine Tripwire Log Center with Tripwire Enterprise, they broaden compliance coverage and reduce security risk by increasing visibility, intelligence and automation.
Controls addressed by Tripwire Enterprise include:
A.10 COMMUNICATIONS AND OPERATIONS MANAGEMENT
A.10.1 – Operational Procedures and Responsibilities
The objective of this control is to ensure the correct and secure operation of information processing facilities.
10.1.2 Change Management
ISO 27001 requirement: Changes to information processing facilities and systems shall be controlled.
Tripwire Enterprise: Tripwire Enterprise can monitor any changes to file systems, databases and Active Directory, providing the what and who information for any changes that were made to critical systems, thus enforcing a sound change process.

10.1.3 Segregation of duties
ISO 27001 requirement: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modifications or misuse of the organisation's assets.
Tripwire Enterprise: Using roles within Tripwire Enterprise, an organisation has complete control over who can have access to files, directories and critical areas within the IT infrastructure, thus helping to prevent unauthorised or unintentional modifications of files.

10.1.4 Separation of development, test and operational facilities
ISO 27001 requirement: Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.
Tripwire Enterprise: User groups can be defined within Tripwire Enterprise to separate the duties of individuals within those groups, restricting permissions and file access rights where necessary to reduce the risk of any unauthorised or unintentional changes to systems.
A.10.2 – Third Party Service Delivery Management
The objective of this control is to implement and maintain the appropriate level of information security and service delivery in line with
third party service delivery agreements.
10.2.3 Managing changes to third party services
ISO 27001 requirement: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.
Tripwire Enterprise: Tripwire Enterprise can monitor changes to critical systems and be aligned with applications, procedures and business systems to detect changes that should not happen and, when they do occur, give visibility to those changes, thus reducing risk.
A.10.4 – Protection Against Malicious and Mobile Code
The objective of this control is to protect the integrity of software and information.
10.4.1 Controls against malicious code
ISO 27001 requirement: Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.
Tripwire Enterprise: By monitoring critical files, Tripwire Enterprise can detect when edits to files have been made, who made the edits, and whether code was changed, deleted or new code added, thus creating a process around code management and reducing the risk of malicious behavior.
A.10.6 – Network Security Management
The objective of this control is to ensure the protection of information in networks and the protection of the supporting infrastructure.
10.6.1 Network Controls
ISO 27001 requirement: Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
Tripwire Enterprise: Tripwire Enterprise provides critical assessment of network configuration settings to help maintain the ongoing security of internal systems and applications that rely upon the network. For example, ensuring that anonymous SID/name translation is disabled in the security options policy of a Windows 2003 Server. This setting prevents the null user from translating a binary SID into an actual account name, which may provide useful information that could be used in an attack.

10.6.2 Security of Network Services
ISO 27001 requirement: Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.
Tripwire Enterprise: Maintaining security best practices on important network services is crucial for securing any network. Tripwire Enterprise provides ongoing assessment of network services to measure individual compliance with established best practices. For example, validating that the License Logging Service is disabled on a Windows system. This service is a license-management tool with a vulnerability that permits remote code execution. Disabling this service, as well as other unnecessary services, is a security best practice that helps limit avenues of attack.
A.10.7 – Media Handling
The objective of this control is to prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to
business activities.
10.7.1 Management of Removable Media
ISO 27001 requirement: There should be procedures in place for the management of removable media.
Tripwire Enterprise: An unmanaged approach to removable media can be a serious vulnerability. Tripwire Enterprise provides assurance that system configuration settings are configured to reduce common risks associated with removable media. For example, ensuring that security options on a Windows system are configured to only allow administrators to format and eject removable NTFS media.
A.10.8 – Exchange of Information
The objective of this control is to maintain the security of information and software exchanged within an organisation and with any exter-
nal entity.
10.8.1 Information Exchange Policies and Procedures
ISO 27001 requirement: Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communications facilities.
Tripwire Enterprise: Compliance policy management helps to ensure that proper measures are in place to safeguard the exchange of information and eliminate unnecessary communication risks. For example, verifying that the NetMeeting Remote Desktop Sharing Service is disabled on a Windows system. This service supports NetMeeting, but may be subject to hacker attacks and buffer overflows.

10.8.5 Business Information Systems
ISO 27001 requirement: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.
Tripwire Enterprise: Tripwire Enterprise verifies that proper system configuration settings are used to safeguard information necessary for disparate business information systems to interconnect. For example, ensuring that strong key protection is required for user keys stored on a covered system. Strong key protection requires users to enter a password associated with a key every time they use the key. This helps prevent user keys from being compromised if a computer is stolen or hijacked.
A.10.9 – Electronic Commerce Services
The objective of this control is to ensure the security of electronic commerce services, and their secure use.
10.9.3 Publicly Available Information
ISO 27001 requirement: The integrity of information being made available on a publicly available system shall be protected to prevent unauthorised modification.
Tripwire Enterprise: Tripwire Enterprise provides the use of "roles" to restrict unauthorised access to important files, as well as the necessary monitoring of these files such that changes made are flagged and alerts sent to pertinent individuals.
A.10.10 – Monitoring
The objective of this control is to detect unauthorised information processing activities.
10.10.1 Audit Logging
ISO 27001 requirement: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise verifies that important audit logging settings are configured to support possible audit investigations and ongoing access control monitoring.

10.10.3 Protection of Log Information
ISO 27001 requirement: Logging facilities and log information shall be protected against tampering and unauthorised access.
Tripwire Enterprise: Assuming that other log settings are configured correctly, a problem with logging events could indicate a security threat. The compliance policy manager in Tripwire Enterprise verifies that security options are configured to shut down a system if an event cannot be logged to the security log for any reason. Because this setting halts the host whenever the security log cannot be written, it should be paired with adequate log size and retention settings so that a full log does not become a self-inflicted outage.

10.10.4 Administrator and Operator Logs
ISO 27001 requirement: System administrator and system operator activities shall be logged.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise verifies that application, system and security logs are configured with the necessary storage capacity. For example, the maximum size of the security log should be at least 80 MB to store an adequate amount of log data for auditing purposes.

10.10.6 Clock Synchronisation
ISO 27001 requirement: The clocks of all relevant information processing systems within an organisation or security domain shall be synchronised with an agreed accurate time source.
Tripwire Enterprise: For Windows systems, the compliance policy manager in Tripwire Enterprise determines if the Windows Time Service is used and that the system is configured to synchronise with a secure, authorised time source.
A.11 ACCESS CONTROL
A.11.2 – User Access Management
The objective of this control is to ensure authorised user access and to prevent unauthorised access to information systems.
11.2.2 Privilege Management
ISO 27001 requirement: The allocation and use of privileges shall be restricted and controlled.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise tests numerous privilege-related settings to ensure restrictions are in place and configured correctly. For example, Windows systems should be configured to disallow the granting of the SeTcbPrivilege right to any user. This right allows users to access the operating system in the Local System security context, which overrides the permissions granted by user group memberships.
A.11.3 – User Responsibilities
The objective of this control is to prevent unauthorised user access, and compromise or theft of information and information processing
facilities.
11.3.1 Password Use
ISO 27001 requirement: Users shall be required to follow good security practices in the selection and use of passwords.
Tripwire Enterprise: Enforcing proper password security standards is critical to securing any system. The compliance policy manager in Tripwire Enterprise verifies that common best practices are being used for password-related properties such as complexity, minimum length and maximum age.

11.3.2 Unattended User Equipment
ISO 27001 requirement: Users shall ensure that unattended equipment has appropriate protection.
Tripwire Enterprise: Tripwire Enterprise verifies that each system is configured to use a password-protected screen saver that activates within the appropriate idle time and offers no grace period before password entry is required.

11.3.3 Clear Desk and Clear Screen Policy
ISO 27001 requirement: A clear desk policy for papers and removable media and a clear screen policy for information processing facilities shall be adopted.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise validates that the current user has a password-protected screen saver that is active.
A.11.4 – Network Access Control
The objective of this control is to prevent unauthorised access to networked services.
11.4.1 Policy on Use of Network Services
ISO 27001 requirement: Users shall only be provided with access to the services that they have been specifically authorised to use.
Tripwire Enterprise: Tripwire Enterprise provides a number of compliance policy management tests that help ensure proper access to services is maintained. For example, verifying that a system restricts anonymous access to named pipes and shares to those that are specifically listed in other security options. This configuration helps protect named pipes and shares from unauthorised access.

11.4.2 User Authentication for External Connections
ISO 27001 requirement: Appropriate authentication methods shall be used to control access by remote users.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise can help verify proper authentication methods are in place to control access by remote users. For example, refusing to allow a remote login when a user attempts to use a blank password (even if the blank password is valid for that account).

11.4.3 Equipment Identification in Networks
ISO 27001 requirement: Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment.
Tripwire Enterprise: Tripwire Enterprise verifies that the security options for a Windows 2003 domain controller are configured to allow a domain member to change its computer account password. If the domain controller does not permit a domain member to change its password, the domain member computer is more vulnerable to a password attack.
11.4.4 Remote Diagnostic and Configuration Port Protection
ISO 27001 requirement: Physical and logical access to diagnostic and configuration ports shall be controlled.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise tests a number of remote access settings to ensure they meet established guidelines for controlling remote access. For example, verifying that the Remote Desktop Help Session Manager Service is disabled on a Windows system.

11.4.6 Network Connection Control
ISO 27001 requirement: For shared networks, the capability of users to connect to the network shall be restricted, in line with the access control policy.
Tripwire Enterprise: Tripwire Enterprise helps validate that controls are in place to enforce proper network connection restrictions on shared networks. For example, always requiring passwords and appropriate encryption levels when using Terminal Services.

11.4.7 Network Routing Control
ISO 27001 requirement: Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of business applications.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise can assist with the ongoing validation of your access control policy by verifying proper routing controls are in place and configured correctly. For example, checking how a Windows system with two valid networking devices installed handles source-routed traffic: a source-routed packet that passes through the device can spoof the device into thinking that the traffic came from a safe source, so such packets should be dropped rather than forwarded.
A.11.5 – Operating System Access Control
The objective of this control is to prevent unauthorised access to operating systems.
11.5.1 Secure Log-on Procedures
ISO 27001 requirement: Access to operating systems shall be controlled by a secure log-on procedure.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise can assess important log-on settings to determine whether they support an overall secure log-on procedure. For example, not displaying the last valid user name and requiring the use of CTRL+ALT+DEL keys to force the use of the Windows authentication process.

11.5.2 User Identification and Authentication
ISO 27001 requirement: All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.
Tripwire Enterprise: Proper authentication of user IDs is a fundamental component of controlling operating system access. Tripwire Enterprise provides critical tests to assess authentication settings. For example, verifying that the LAN Manager authentication model for a Windows system is configured correctly so it will only send NTLMv2 authentication and refuse all LM authentication challenges.

11.5.3 Password Management System
ISO 27001 requirement: Systems for managing passwords shall be interactive and ensure quality passwords.
Tripwire Enterprise: Ensuring quality passwords requires proper configuration of password-related settings. Tripwire Enterprise can assess these settings and provide assurance that all passwords being used meet minimum quality requirements. For example, enforcing the use of strong passwords and restricting password reuse/history.
11.5.4 Use of System Utilities
ISO 27001 requirement: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise can help maintain a strict policy on the use of utility programs. For example, verifying that the FTP Publishing Service and TFTP Daemon Service are both disabled, or that the SeDebugPrivilege right is not assigned to any users on a Windows system. This right gives users the ability to debug any process on the system and is susceptible to exploits that collect account names, passwords, and other sensitive data from the Local Security Authority (LSA).

11.5.5 Session Time-Out
ISO 27001 requirement: Inactive sessions shall shut down after a defined period of inactivity.
Tripwire Enterprise: Tripwire Enterprise will verify that an appropriate idle session time-out is established. In the case of Windows systems that communicate using the Server Message Block (SMB) protocol, the compliance policy manager in Tripwire Enterprise will test that the idle session timeout threshold is set to 15 minutes or less.

11.5.6 Limitation of Connection Time
ISO 27001 requirement: Restrictions on connection times shall be used to provide additional security for high-risk applications.
Tripwire Enterprise: There are a number of ways to restrict connection times as part of an enhanced security protocol for high-risk applications. Tripwire Enterprise can determine if best practices are being used, such as setting appropriate time limits for Terminal Services sessions and using Group Policy to restrict connections to designated hours of the day.
A.11.6 – Application and Information Access Control
The objective of this control is to prevent unauthorised access to information held in applications systems.
11.6.1 Information Access Restriction
ISO 27001 requirement: Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise provides out-of-the-box tests that help establish an acceptable information access control policy. For example, ensuring that critical file and registry permissions have been set properly to restrict access.
A.11.7 – Mobile Computing and Teleworking
The objective of this control is to ensure information security when using mobile computing and teleworking facilities.
11.7.1 Mobile Computing and Communications
ISO 27001 requirement: A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communications facilities.
Tripwire Enterprise: Mobile computing and related communications pose unique risks that necessitate additional security measures. The compliance policy manager in Tripwire Enterprise can help mitigate these risks by determining if established best practices are in use. For example, verifying that Windows systems are configured to negotiate signed communications with any Server Message Block (SMB) server. By supporting mutual authentication and protection against packet tampering, signed communication helps to protect against man-in-the-middle attacks.
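The compliance-policy-management checks in the A.10.10 and A.11 rows above all reduce to the same loop: read the host's effective security settings, compare each against an expected value, and report every deviation with remediation guidance mapped to the Annex A control it serves. The following Python script is an added example and is not Tripwire Enterprise code. It parses the INI-style text that `secedit /export /cfg <file>` writes on Windows (a constructed, deliberately misconfigured sample is embedded so it runs offline), evaluates a benchmark of nine of the settings named in the rows above, and returns the findings. The control numbers and expected values come from those rows; the password-length threshold and the presence of a [Security Log] section carrying the event-log size (as in security templates) are assumptions.

```python
"""Compliance-policy assessment over a Windows security-policy export.
Added example, not Tripwire Enterprise code: it reads the INI text that
`secedit /export /cfg <file>` writes and scores it against a benchmark
whose expected values and Annex A control numbers come from the rows above."""
from collections import namedtuple
from typing import Dict, List, Optional

# Constructed export from a deliberately misconfigured host. Registry entries
# are "type,data" with type 4 = REG_DWORD. [Security Log] is left out on
# purpose to show how an absent setting is reported.
SAMPLE_EXPORT = r"""[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoDisconnect=4,15
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1004336348-1177238915-682003330-1001
"""
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
LOGON = "MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"
SVC = "MACHINE\\System\\CurrentControlSet\\Services\\"

# control = ISO 27001:2005 Annex A number cited in the tables above; the INI
# section decides how the raw value is decoded. "assumed" marks thresholds
# the page does not state.
Check = namedtuple("Check", "control name section key ok remediation")
CHECKS: List[Check] = [
    Check("A.11.3.1", "Minimum password length", "System Access", "MinimumPasswordLength",
          lambda v: v >= 8, "Require at least 8 characters (assumed threshold)"),
    Check("A.11.3.1", "Password complexity", "System Access", "PasswordComplexity",
          lambda v: v == 1, "Enable complexity requirements"),
    Check("A.11.5.2", "LAN Manager authentication level", "Registry Values", LSA + "LmCompatibilityLevel",
          lambda v: v == 5, "Set LmCompatibilityLevel=5: send NTLMv2 only, refuse LM and NTLM"),
    Check("A.10.10.3", "Shut down if audits cannot be logged", "Registry Values", LSA + "CrashOnAuditFail",
          lambda v: v == 1, "Set CrashOnAuditFail=1 and size the security log so it cannot fill"),
    Check("A.11.5.1", "CTRL+ALT+DEL required at logon", "Registry Values", LOGON + "DisableCAD",
          lambda v: v == 0, "Set DisableCAD=0"),
    Check("A.11.7.1", "SMB client negotiates signing", "Registry Values",
          SVC + "LanmanWorkstation\\Parameters\\EnableSecuritySignature", lambda v: v == 1,
          "Set EnableSecuritySignature=1 for the workstation service"),
    Check("A.11.5.5", "SMB idle session timeout", "Registry Values", SVC + "LanmanServer\\Parameters\\AutoDisconnect",
          lambda v: 1 <= v <= 15, "Set AutoDisconnect to 15 minutes or less"),
    Check("A.10.10.4", "Security log maximum size", "Security Log", "MaximumLogSize",
          lambda v: v >= 81920, "Set MaximumLogSize to at least 81920 KB (80 MB)"),
    Check("A.11.2.2", "SeTcbPrivilege unassigned", "Privilege Rights", "SeTcbPrivilege",
          lambda v: not v, "Remove every holder of 'Act as part of the operating system'"),
]


def parse_secedit(text: str) -> Dict[str, Dict[str, str]]:
    """{section: {key: raw value}}. Registry paths contain backslashes but
    never '=', so splitting at the first '=' is safe in every section."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def decode(section: str, raw: Optional[str]):
    """Turn a raw export value into what a check compares against. A missing
    privilege line means nobody holds the right; a missing or malformed
    numeric value becomes None so it is reported rather than assumed compliant."""
    if section == "Privilege Rights":
        return [s.strip() for s in (raw or "").split(",") if s.strip()]
    if raw is None:
        return None
    if section == "Registry Values":
        rtype, _, raw = raw.partition(",")
        if rtype.strip() != "4":          # only REG_DWORD data is decoded here
            return None
    return int(raw) if raw.strip().isdigit() else None


def assess(export_text: str, checks: List[Check] = CHECKS) -> List[dict]:
    """Evaluate every check; each finding carries the remediation guidance."""
    sections = parse_secedit(export_text)
    findings = []
    for c in checks:
        value = decode(c.section, sections.get(c.section, {}).get(c.key))
        if value is None:
            status, observed = "FAIL", "missing/undecodable"
        else:
            status, observed = ("PASS" if c.ok(value) else "FAIL"), str(value)
        findings.append({"control": c.control, "name": c.name, "status": status,
                         "observed": observed, "remediation": c.remediation})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_EXPORT):
        tail = f" -> {f['remediation']}" if f["status"] == "FAIL" else ""
        print(f"{f['status']} {f['control']:<10} {f['name']}: {f['observed']}{tail}")
```

Running the script prints one line per check; the sample host fails seven of the nine. Two edge cases are worth noticing: a privilege right that is absent from the export means nobody holds it and therefore passes, whereas an absent registry or log setting is reported as a failure rather than silently treated as compliant, because the Windows default is rarely the hardened value.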
A.12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
A.12.2 – Correct Processing in Applications
The objective of this control is to prevent errors, loss, unauthorised modifications or misuse of information in applications.
12.2.2 Control of Internal Processing
ISO 27001 requirement: Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
Tripwire Enterprise: By monitoring changes that occur within applications, Tripwire Enterprise can detect any changes to critical files, and monitor who may have introduced errors that caused file corruption.
A.12.4 – Security of System Files
The objective of this control is to ensure the security of system files.
12.4.1 Control of operational software
ISO 27001 requirement: There shall be procedures in place to control the installation of software on operational systems.
Tripwire Enterprise: Tripwire Enterprise can detect changes to the operating system, which includes new software installations, when it was installed, and who performed the installation. Tripwire Enterprise can also be integrated with change ticketing systems authorising these installations, showing that status.
A.12.5 – Security in Development and Support Processes
The objective of this control is to maintain the security of application system software and information.
12.5.1 Change Control Procedures
ISO 27001 requirement: The implementation of changes shall be controlled by the use of formal change control procedures.
Tripwire Enterprise: Tripwire Enterprise is the industry leader in change audit and detection and should be an integral part of any formal change control procedure. It is also integrated with major change ticketing systems to help control formal change processes.
12.5.2 Technical Review of Applications after Operating System Changes
ISO 27001 requirement: When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organisational operations or security.
Tripwire Enterprise: Tripwire Enterprise provides several reports on changes to systems, with links within those reports to the specific systems that changed and to who made the changes. These reports provide a documented audit trail that can be reviewed and approved before a change is accepted, helping to prevent problems.
12.5.3 Restrictions on Changes to Software Packages
ISO 27001 requirement: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
Tripwire Enterprise: Tripwire Enterprise monitors all changes that happen on defined systems, reporting whether files have been modified, added or deleted, so that every change to a software package is detected and can be reconciled against an approved change.
12. A.13 INFORMATION SECURITY INCIDENT MANAGEMENT
A.13.2 – Management of Information Security Incidents and Improvements
The objective of this control is to ensure a consistent and effective approach is applied to the management of information security
incidents.
13.2.3 Collection of Evidence
ISO 27001 requirement: Where a follow-up action against a person or organisation after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).
Tripwire Enterprise: As part of the audit trail and reporting capabilities within Tripwire Enterprise, changes made to systems that could introduce vulnerabilities or constitute security incidents can be documented, including the person(s) responsible for the change. For that record to serve as evidence it must itself be retained and protected in line with the organisation's evidence-handling procedures.
A.15 COMPLIANCE
A.15.2 - Compliance with Security Policies and Standards, and Technical Compliance
The objective of this control is to ensure compliance of systems with organisational security policies and standards.
15.2.2 Technical Compliance Checking
ISO 27001 requirement: Information systems shall be regularly checked for compliance with security implementation standards.
Tripwire Enterprise: The compliance policy manager in Tripwire Enterprise validates, for example, that each Windows 2003 Server has the latest service pack installed.
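The service pack check mentioned above, as an added PowerShell example (not code from the white paper or from Tripwire's product): it queries `Win32_OperatingSystem` on one or more hosts and compares `ServicePackMajorVersion` against a baseline keyed by Windows version number. The baseline table is an assumption for illustration; the one entry it carries, NT version 5.2 (Windows Server 2003) with SP2 as the final service pack, is correct, but you would extend it for the platforms in your own estate.

```powershell
# Added example, not from the white paper or Tripwire's product: compare the
# installed service pack on Windows hosts against an expected baseline.
# Baseline keyed by the NT version prefix from Win32_OperatingSystem.Version.
# Assumption for illustration: only Windows Server 2003 (5.2) is listed,
# whose final service pack is SP2. Add your other platforms here.
$ServicePackBaseline = @{
    '5.2' = 2
}

function Test-ServicePackLevel {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [hashtable]$Baseline = $ServicePackBaseline
    )

    foreach ($computer in $ComputerName) {
        try {
            # Get-WmiObject uses DCOM, which older targets such as
            # Windows Server 2003 still answer.
            $os = Get-WmiObject -Class Win32_OperatingSystem `
                                -ComputerName $computer -ErrorAction Stop
        } catch {
            # An unreachable host is reported as non-compliant rather than skipped,
            # so it cannot silently drop out of the compliance picture.
            [pscustomobject]@{
                Computer = $computer; OS = $null; Version = $null
                ServicePack = $null; Expected = $null; Compliant = $false
                Note = "query failed: $($_.Exception.Message)"
            }
            continue
        }

        # Match the baseline on the major.minor version prefix, e.g. "5.2.3790".
        $expected = $null
        foreach ($prefix in $Baseline.Keys) {
            if ($os.Version.StartsWith("$prefix.")) { $expected = $Baseline[$prefix]; break }
        }

        $note = if ($null -eq $expected) { 'no baseline for this version' } else { '' }
        [pscustomobject]@{
            Computer    = $computer
            OS          = $os.Caption
            Version     = $os.Version
            ServicePack = $os.CSDVersion
            Expected    = $expected
            # Hosts without a baseline entry are treated as non-compliant until
            # a baseline is defined for them.
            Compliant   = ($null -ne $expected) -and
                          ([int]$os.ServicePackMajorVersion -ge $expected)
            Note        = $note
        }
    }
}

Test-ServicePackLevel | Format-Table -AutoSize
```

On PowerShell 7, where `Get-WmiObject` is no longer available, substitute `Get-CimInstance -ClassName Win32_OperatingSystem` with a CIM session created using `New-CimSessionOption -Protocol Dcom` for targets that do not run WS-Management.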
A.15.3 – Information Systems Audit Considerations
The objective of this control is to maximise the effectiveness of, and to minimise interference to/from, the information systems audit process.
15.3.1 Information Systems Audit Controls
ISO 27001 requirement: Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimise the risk of disruptions to business processes.
Tripwire Enterprise: Tripwire Enterprise provides documented proof of system compliance and of the changes that happen to IT systems. By incorporating Tripwire Enterprise in the change management process, changes are monitored and documented, and if a change disrupts a business process it can be immediately reconciled and remediated.
15.3.2 Protection of Information Systems Audit Tools
ISO 27001 requirement: Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.
Tripwire Enterprise: By using Roles and User Groups in Tripwire Enterprise, access to privileged information and to software such as Tripwire Enterprise itself can be limited to users who have the proper permissions. Tripwire Enterprise requires installation by a user with administrative privileges. Users of Tripwire Enterprise can then be set up with full access, read-only access, or several levels in between.
13. Sample Policy Test and Change Audit Screenshots from Tripwire Enterprise
Screenshot showing assessments that address the Communication and Operations Management control. Specifically, section A.10.6.2, Security of Network Services. This section checks that services that don't need to be enabled are specifically disabled.
Screenshot showing assessments that address the Access Control clause of ISO 27001. Specifically, section A.11.6, Operating System Access Control. These controls deal with permissions and authentication processes within the operating system.
Screenshot showing assessments that address the Compliance control. Specifically, section A.15.2.2, Technical Compliance Checking. This is a check that the appropriate packages are installed for that system.
Screenshot showing default role types in Tripwire Enterprise with different access rights and permissions described, depending on the role. New roles can be created and permissions set up accordingly.
Tripwire Enterprise Change Process Compliance report, highlighting authorized vs. unauthorized changes to a system.
Tripwire Enterprise Detailed Changes report showing detailed information on what changes were made, when they occurred and who made the changes.
The Nodes With Changes report shows which systems had changes, when they occurred and other details.