Network Vulnerability Assessment Methodology 57
Exhibit 3. Areas of Concern and Supporting Departments (Continued)

ISO 17799 Section | Description | Group Responsible
9.5.5 Use of System Utilities | Implement standards to restrict access to system utility programs that could be used to override system and application controls. | Operations
9.5.8 Limitation of Connection Time | Implement standards to identify the period during which terminals can be connected to sensitive application systems. | Access Control
9.6.2 Isolation of Sensitive Systems | Implement standards to isolate the processing environment of sensitive application systems. | Operations
10.2.3 Message Authentication | Implement standards to ensure that message authentication is considered for applications that involve the transmission of sensitive data. | Applications
10.3.1 Policy on the Use of Cryptographic Controls | Implement policies and standards on the use of cryptographic controls, including management of encryption keys and effective implementation. | Asset Classification
10.4.1 Control of Operational Software | Implement standards for strict control over the implementation of software on operational systems. | Systems
10.5.1 Change Control Procedures | Implement standards and procedures for formal change control. | Systems
10.5.2 Technical Review of Operating System Changes | Implement procedures to review application systems when changes to the operating system occur. | Systems
10.5.3 Restrictions on Changes to Software Packages | Implement standards to restrict modifications to vendor-supplied software. | Systems & Applications
10.5.4 Covert Channels and Trojan Code | Implement standards and procedures to avoid covert channels and Trojan code. At a minimum, these standards and procedures should require that the organization: buy programs only from a reputable source; buy programs in source code form that can be verified; use only evaluated products; inspect all source code before operational use; control access to, and modification of, installed code; and use trusted staff to work on key systems. | Systems
11.1.1 Business Continuity Management Process | Implement procedures for the development and maintenance of business continuity plans (BCPs) across the organization. | BCP
11.1.5 Testing, Maintaining, and Reassessing Business Continuity Plans | Implement standards to ensure regular testing of the BCPs. | BCP