From rich67dev at hotmail.com Mon Sep 1 14:11:29 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Mon, 01 Sep 2003 18:11:29 +0000
Subject: [Owasp-iso17799] Fwd: [iso17799security] Copy of ISO 17799 Standard
Message-ID:

Guys,

I am not sure if you are on this list; activity is low for now, but I joined nonetheless.

iso17799security at yahoogroups.com

Richard Seiersen
rich67dev at hotmail.com

_________________________________________________________________
Help protect your PC: Get a free online virus scan at McAfee.com.
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963


From mark at curphey.com Mon Sep 1 20:30:50 2003
From: mark at curphey.com (Mark Curphey)
Date: Mon, 1 Sep 2003 20:30:50 -0400
Subject: [Owasp-iso17799] An Understanding Of ISO In General
References:
Message-ID: <04ce01c370e9$75f817b0$5b86accf@markc2000>

Rich,

Great mail. I am actually British (although I have lived in the US for 5 years now), so I can attest to your observations about the European adoption of standards. I have also spent several years in the US working for one of the largest financial services companies and have seen, and in some cases driven, the need for 3rd parties to adopt standards. I used to use a questionnaire that was based on 17799 (which started life as British Standard 7799, btw) as a way to judge 3rd party vendors and hold them legally accountable to their answers.

Your description of the "ISO way" was an excellent read and I am sure will make a great introduction section to an ISO project.

For context, when I decided to get this work underway I saw a few gaps in the OWASP portfolio and gaps in people's general perception of web security.

1. No good policy templates from which people can clone and create corporate web security policies. I was sent some shocking policy templates from a consulting company and felt there was a need to issue some better templates.

2. Most web security people are technicians and engineers.
Many people are now seeing security as a business issue and having to demonstrate that they are managing the issue in an effective and accountable way. I am intrigued to see how ISO17799 translates to a production web security environment, what areas are missing, and, taking the 17799 principles and applying them, what the products would look like. The ISO17799 project would be an experiment as much as anything.

So if it works with you guys, I have a proposal to get going.

1. As the first task, focus on creating a web security policy template. The selfish objective would be for us to start working together and create a ramp with a smaller, more manageable project. This would be released as a stand-alone policy template like the ones at SANS, http://www.sans.org/resources/policies/#template, under the title of web security policy. I think this would only take a few weeks to do.

2. When successful, we would focus our attention on the ISO17799 project. There are a few approaches to doing this and several possible deliverables. I think when we start we should all decide what we are trying to achieve. I personally would like to produce a "Guide to applying ISO-17799 principles to a production web site", but it's definitely open to discussion. BTW Rich, I already have a copy, but thanks for thinking of me.

Let me know if this works and I will send over a template I started to put together and shared with Sam. I tend to work by filling in headings and then the text, so it's nothing more than a set of headings at this stage.

Kind regards,

Mark

----- Original Message -----
From: "Rich Seiersen"
To:
Sent: Thursday, August 28, 2003 3:31 PM
Subject: [Owasp-iso17799] An Understanding Of ISO In General

> Thoughts On ISO:
> I have noted a bit of discussion as I have been googling, in terms of the
> value of the standard in question as it relates to security.
> I am of the growing opinion that there is a misunderstanding in terms of the
> nature of ISO, and what quality is in terms of ISO. I will not assume that any
> of us have this misunderstanding, but I think it's of value for me to make
> clear what my understanding of ISO is. Likewise, I think it will be important
> for us to come to terms with what ISO is as we consider developing both
> templating systems and more consultative product.
>
> ISO, of course, refers to the Greek ISO (like in the triangle, or isometric)
> - and is not the initials for an organization (which would be IOS). I am
> sure we are aware of this, but not the consumer. So, when people go about
> doing ISO, they are bound for disappointment if they do not have the
> philosophical underpinning of what ISO based quality actually is -
> same/equal. I have seen this disappointment first hand in organizations,
> and it can be avoided if done correctly. Nonetheless, an effective ISO
> program should not only make process same or equal (which is good in and of
> itself), but it should have a qualitative impact on the organization, be it
> security, manufacturing, and/or environmental ISO. If not, while you may
> pass an audit, you will have a group of disgruntled employees who don't take
> what you are doing seriously, thus negatively impacting what you are trying
> to improve - security in this case.
>
> To clarify what I am talking about in terms of ISO quality: if your company
> makes lead life preservers, and you make them all the same, and it's
> verifiable in terms of documentation and physical process - then you are ISO
> according to the IOS ;-) But, if you make life preservers that have every
> bell and whistle, they are very 'good' life preservers that save lives, yet
> you have zero documentation or verifiable/repeatable process - you are not
> ISO - and would fail an audit despite the fact that your life preservers
> save lives.
>
> It is this type of thing, 'same/equal/repeatable/verifiable', that is at the
> very heart of ISO. And if you have had the opportunity to work with larger
> Asian firms (I just got off a stint with Kyocera), you will note how
> important and ingrained this type of thing is (it can be a pain). Hence,
> this is why larger Asian and European organizations literally force US
> companies to get ISO certified in one or more of the standards. In fact,
> 90%+ of all ISO certifications in the US are driven by sales, i.e. they
> would not have been done if it were not for a larger European and/or Japanese
> organization withholding sales unless the US counterpart were certified.
> We are looking at roughly 100,000+ certifications required in such a way,
> and required in short order (5 months in some cases).
>
> Lastly, I am not aware of any sales that require companies to be ISO 17799
> certified, but I think it will happen. Therefore, we must be clear on what
> is, and what isn't, ISO. Because not only must having 'good' security be a
> result to the CSO, but passing the audit is critical to the CEO/CFO (and
> CSO).
>
> My introductory $.02
> Richard Seiersen
> rich67dev at hotmail.com
>
> -------------------------------------------------------
> This sf.net email is sponsored by: ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Owasp-iso17799 mailing list
> Owasp-iso17799 at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-iso17799
>


From rich67dev at hotmail.com Mon Sep 1 21:30:10 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Tue, 02 Sep 2003 01:30:10 +0000
Subject: [Owasp-iso17799] An Understanding Of ISO In General
Message-ID:

Mark,
This works for me, thanks.

In terms of my work effort, focus is always good. So, if we are looking at a discrete section of the standard, and specific technical concerns within web security, the better off I am in delivering. Otherwise, we can just focus as we move around in the territory.

What I am concerned with, of course, is 'road testing' the product... whatever that product ends up being.

Regards,
Richard Seiersen
rich67dev at hotmail.com

_________________________________________________________________
MSN 8: Get 6 months for $9.95/month. http://join.msn.com/?page=dept/dialup


From mark at curphey.com Mon Sep 1 22:12:20 2003
From: mark at curphey.com (Mark Curphey)
Date: Mon, 1 Sep 2003 22:12:20 -0400
Subject: [Owasp-iso17799] An Understanding Of ISO In General
References:
Message-ID: <052501c370f7$a68f5470$5b86accf@markc2000>

There is a big appetite for this stuff and I am sure we can get quite a few companies to road-test. I know of a few big banks and at least two big telcos who used the Guide to build policies for developers.

I am attaching a basic outline of a web security policy that I started to put together. As I mentioned, all this is is headings. I personally like to build out the headings and then complete the content. There is a lot missing, but maybe you can take a look and we can iterate?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP Web Site Security Policy.doc
Type: application/msword
Size: 81408 bytes
Desc: not available
Url : http://lists.owasp.org/pipermail/owasp-iso17799/attachments/20030901/bd17ef50/attachment.doc


From rich67dev at hotmail.com Mon Sep 1 22:19:05 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Tue, 02 Sep 2003 02:19:05 +0000
Subject: [Owasp-iso17799] An Understanding Of ISO In General
Message-ID:

Mark,
Very good, I will take a look at this in short order.

Regards,
Richard Seiersen
rich67dev at hotmail.com
> > http://join.msn.com/?page=dept/dialup
> << OWASPWebSiteSecurityPolicy.doc >>

From rich67dev at hotmail.com Mon Sep 1 23:24:47 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Tue, 02 Sep 2003 03:24:47 +0000
Subject: [Owasp-iso17799] An Understanding Of ISO In General
Message-ID:

Mark,
I have just opened the document, and my initial reaction is to approach it from the standpoint of an auditor. For example, in the template it states ('understanding that the template is just an example, subject to much revision'):
'A statement that new applications must have a written security design associated with them, have passed a security code review etc...'

This would entail that there would be a security design standard template as well, and of course variously related standard documents. To the point, an auditor would expect to see relevant security designs with associated controls for every single application that was commenced past a certain date prior to the ISO17799 registration audit and ensuing audits. BTW: I would assume that the 4th part of the ISO 9001 standard, in terms of iterative design, might provide for a great example here. Again, a company will have some flexibility in terms of the amounts of controls that they want to put in - but proof of 'same and equal' process across the organization in all web projects in terms of security is the goal.

To the second clause, 'passed a security code review'.
This could entail a variety of things: there could be a document, perhaps a standardized checklist, or one could go so far as to have code review teams etc. The proof is in the pudding: is there documented proof of the claims within the company's interpretation of the standard, and are those interpretations valid?

So, this will be the tack that I will take, to ensure that we approach with an audit in mind - I think this makes sense, would you not agree?

Richard Seiersen
rich67dev at hotmail.com

> From: "Rich Seiersen"
> To: mark at curphey.com, owasp-iso17799 at lists.sourceforge.net
> Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> Date: Tue, 02 Sep 2003 02:19:05 +0000
>
> Mark,
> Very good, I will take a look at this in short order.
>
> Regards,
> Richard Seiersen
> rich67dev at hotmail.com
>
> > From: "Mark Curphey"
> > To: "Rich Seiersen" ,
> > Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> > Date: Mon, 1 Sep 2003 22:12:20 -0400
> >
> > There is a big appetite for this stuff and I am sure we can get quite a
> > few companies to road-test. I know of a few big banks and at least two
> > big telcos who used the Guide to build policies for developers.
> >
> > I am attaching a basic outline of a web security policy that I started
> > to put together. As I mentioned, all this is is headings. I personally
> > like to build out the headings and then complete the content. There is
> > a lot missing, but maybe you can take a look and we can iterate?
> >
> > ----- Original Message -----
> > From: "Rich Seiersen"
> > To: ;
> > Sent: Monday, September 01, 2003 9:30 PM
> > Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> >
> > > Mark,
> > > This works for me, thanks.
> > >
> > > In terms of my work effort, focus is always good. So, if we are
> > > looking at a discrete section of the standard, and specific technical
> > > concerns within web security, the better off I am in delivering.
> > > Otherwise, we can just focus as we move around in the territory.
> > >
> > > What I am concerned with of course is 'road testing' the
> > > product......whatever that product ends up being.
> > >
> > > Regards,
> > > Richard Seiersen
> > > rich67dev at hotmail.com
From samheinrich at hotmail.com Thu Sep 4 13:17:13 2003
From: samheinrich at hotmail.com (sam heinrich)
Date: Thu, 04 Sep 2003 17:17:13 +0000
Subject: [Owasp-iso17799] Current policy doc
Message-ID:

Hi Mark, Rich,

I have some time coming free - Mark, is the last document you sent out the latest version?

I have some thoughts regarding Rich's points about supporting procedures and specifics for the policy document. If I understood correctly, our first focus is on a quick hit with a policy document. I think maybe the supporting details Rich is describing fall under the procedure documents that support a policy, but may not be necessary to provide a recommended policy template. It will be up to each company to produce these supporting documents, and up to an auditor to verify their existence; at some point, the OWASP might provide templates for them. For now, though, do we think we can provide a policy template that just stipulates their existence, without providing templates for implementation specifics?

Thoughts?

- Sam

P.S. Rich - thanks from me, too, for illuminating the ISO ideal - as Mark said, it was an interesting read.
_________________________________________________________________
Send and receive larger attachments with Hotmail Extra Storage.
http://join.msn.com/?PAGE=features/es

From rich67dev at hotmail.com Thu Sep 4 15:23:29 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Thu, 04 Sep 2003 19:23:29 +0000
Subject: [Owasp-iso17799] Re: Current policy doc
Message-ID:

Sam,
For my part, I agree with you, do a straightforward first step.

Regards,
Richard Seiersen
rich67dev at hotmail.com

> From: "sam heinrich"
> To: mark at curphey.com, rich67dev at hotmail.com
> CC: owasp-iso17799 at lists.sourceforge.net
> Subject: Current policy doc
> Date: Thu, 04 Sep 2003 17:17:13 +0000
> > >----Original Message Follows---- >From: "Rich Seiersen" >To: rich67dev at hotmail.com, mark at curphey.com, >owasp-iso17799 at lists.sourceforge.net >Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General >Date: Tue, 02 Sep 2003 03:24:47 +0000 > >Mark, >I have just opened the document, and my initial reaction is to approach it >from the standpoint of an auditor. For example, in the template it states >('understanding that the template is just an example, subject to much >revision'): >'A statement that new applications must have a written security design >associated with them, have passed a security code review etc...' > >This would entail that there would be a security design standard template >as well, and of course variously related standard documents. To the point, >an auditor would expect to see relevant security designs with associated >controls for every single application that was commenced past a certain >date prior to the ISO17799 registration audit and ensuing audits. BTW: I >would assument that the 4th part of the ISO 9001 standard, in terms of >iterative design, might provide for a great example here. Again, a comapny >will have some flexibility in terms of the amounts of controls that they >want to put in - but proof of 'same and equal' process across the >organization in all web projects in terms of security is the goal. > >To the second clause, 'passed a security code review'. This could ential a >variety of things, there could be a document, perhaps a standardized >checklist, or one could go so far as to have code review teams and etc. >Proof is in the pudding, is there documented proof of the claims within the >companies interpretation of the standard, and are those inerpretations >valid. > >So, this will be the tack that I will take, to ensure that we approach with >an audit in mind - I think this make sense would you not agree? 
>
>Richard Seiersen
>rich67dev at hotmail.com
>
>>From: "Rich Seiersen"
>>To: mark at curphey.com, owasp-iso17799 at lists.sourceforge.net
>>Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
>>Date: Tue, 02 Sep 2003 02:19:05 +0000
>>
>>Mark,
>>Very good, I will take a look at this in short order.
>>
>>Regards,
>>Richard Seiersen
>>rich67dev at hotmail.com
>>
>>>From: "Mark Curphey"
>>>To: "Rich Seiersen"
>>>Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
>>>Date: Mon, 1 Sep 2003 22:12:20 -0400
>>>
>>>There is a big appetite for this stuff and I am sure we can get quite a few companies to road-test. I know of a few big banks and at least two big telcos who used the Guide to build policies for developers.
>>>
>>>I am attaching a basic outline of a web security policy that I started to put together. As I mentioned, all this is is headings. I personally like to build out the headings and then complete the content. There is a lot missing, but maybe you can take a look and we can iterate?
>>>
>>>----- Original Message -----
>>>From: "Rich Seiersen"
>>>Sent: Monday, September 01, 2003 9:30 PM
>>>Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
>>>
>>> > Mark,
>>> > This works for me, thanks.
>>> >
>>> > In terms of my work effort, focus is always good. So, if we are looking at a discrete section of the standard, and specific technical concerns within web security, the better off I am in delivering. Otherwise, we can just focus as we move around in the territory.
>>> >
>>> > What I am concerned with of course is 'road testing' the product... whatever that product ends up being.
>>> >
>>> > Regards,
>>> > Richard Seiersen
>>> > rich67dev at hotmail.com
>>> >
>>> > >From: "Mark Curphey"
>>> > >To: "Rich Seiersen"
>>> > >Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
>>> > >Date: Mon, 1 Sep 2003 20:30:50 -0400
>>> > >
>>> > >----- Original Message -----
>>> > >From: "Rich Seiersen"
>>> > >Sent: Thursday, August 28, 2003 3:31 PM
>>> > >Subject: [Owasp-iso17799] An Understanding Of ISO In General
>>> > >
>>> > > > Thoughts On ISO:
>>> > > > I have noted a bit of discussion as I have been googling, in terms of the value of the standard in question as it relates to security. I am of the growing opinion that there is a misunderstanding in terms of the nature of ISO, and what quality is in terms of ISO. I will not assume that any of us have this misunderstanding, but I think it's of value for me to make clear what my understanding of ISO is. Likewise, I think it will be important for us to come to terms with what ISO is as we consider developing both templating systems and more consultative product.
>>> > > >
>>> > > > ISO, of course, refers to the Greek ISO (like in the triangle, or isometric) - and is not the initials for an organization (which would be IOS). I am sure we are aware of this, but not the consumer. So, when people go about doing ISO, they are bound for disappointment if they do not have the philosophical underpinning of what ISO based quality actually is - same/equal. I have seen this disappointment first hand in organizations, and it can be avoided if done correctly. Nonetheless, an effective ISO program should not only make process same or equal (which is good in and of itself), but it should have a qualitative impact on the organization, be it security, manufacturing, and or environmental ISO.
>>> > > > If not, while you may pass an audit, you will have a group of disgruntled employees who don't take what you are doing seriously, thus negatively impacting what you are trying to improve - security in this case.
>>> > > >
>>> > > > To clarify what I am talking about in terms of ISO quality: if your company makes lead life preservers, and you make them all the same, and it's verifiable in terms of documentation and physical process - then you are ISO according to the IOS ;-) But, if you make life preservers that have every bell and whistle, they are very 'good' life preservers that save lives, yet you have zero documentation or verifiable/repeatable process - you are not ISO - and would fail an audit despite the fact that your life preservers save lives.
>>> > > >
>>> > > > It is this type of thing, 'same/equal/repeatable/verifiable', that is at the very heart of ISO. And if you have had the opportunity to work with larger Asian firms (I just got off a stint with Kyocera), you will note how important and ingrained this type of thing is (it can be a pain). Hence, this is why larger Asian and European organizations literally force US companies to get ISO certified in one or more of the standards. In fact, 90%+ of all ISO certifications in the US are driven by sales, i.e. they would not have done so if it were not for a larger European and or Japanese organization withholding sales unless the US counterpart were certified. We are looking at roughly 100,000+ certifications required in such a way, and required in short order (5 months in some cases).
>>> > > >
>>> > > > Lastly, I am not aware of any sales that require companies to be ISO 17799 certified, but I think it will happen. Therefore, we must be clear on what is, and what isn't, ISO. Because not only must having 'good' security be a result to the CSO, but passing the audit is critical to the CEO/CFO (and CSO).
>>> > > >
>>> > > > My introductory $.02
>>> > > > Richard Seiersen
>>> > > > rich67dev at hotmail.com
>>><< OWASPWebSiteSecurityPolicy.doc >>

From mark at curphey.com Thu Sep 4 18:30:25 2003
From: mark at curphey.com (Mark Curphey)
Date: Thu, 4 Sep 2003 18:30:25 -0400
Subject: [Owasp-iso17799] Re: Current policy doc
Message-ID: <001b01c37334$23229b30$78de06d1@markc2000>

It's the last one I produced anyway. I am not sure if you guys have ever used CVS? It's very easy on Windows and allows people to work on documents and code and sync the versions to a central repository. OWASP has a repository set up at Sourceforge. If you use Windows you can download tortoisecvs.org, which is the easiest to set up and use.
You will also need a Sourceforge account that I will need to add to the OWASP project.

In terms of Rich's comments, I think they are spot on as well. I am sure eventually we can blend and co-ordinate all of the OWASP documentation projects to work together. The Guide, for instance, could be thought of as procedures for designing and developing secure applications.

In terms of how far we can take this, it's down to you guys! I think the small step of the policy template (which can of course be updated) makes sense, but the approach you both set out makes most sense to me in the long run, so if we view this as the first step that works well for me.

----- Original Message -----
From: "sam heinrich"
Sent: Thursday, September 04, 2003 1:17 PM
Subject: Current policy doc
From rich67dev at hotmail.com Thu Sep 4 18:56:46 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Thu, 04 Sep 2003 22:56:46 +0000
Subject: [Owasp-iso17799] Re: Current policy doc

Mark,

Yes, I am fine with CVS. I have never used a windoze client for it, but am open to trying a new thing, thanks for the advice.
Regards,
Richard Seiersen
rich67dev at hotmail.com

>From: "Mark Curphey"
>To: "sam heinrich"
>Subject: [Owasp-iso17799] Re: Current policy doc
>Date: Thu, 4 Sep 2003 18:30:25 -0400
It will be up to each company to produce these >supporting > > documents, and up to an auditor to verify their existence; at some >point, > > the OWASP might provide templates for them. For now, though, do we >think >we > > can provide a policy template that just stipulates their existence, >without > > providing templates for implementation specifics? > > > > Thoughts? > > > > - Sam > > > > P.S. Rich - thanks from me, too, for illuminating the ISO ideal - as >Mark > > said, it was an interesting read. > > > > > > ----Original Message Follows---- > > From: "Rich Seiersen" > > To: rich67dev at hotmail.com, mark at curphey.com, > > owasp-iso17799 at lists.sourceforge.net > > Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General > > Date: Tue, 02 Sep 2003 03:24:47 +0000 > > > > Mark, > > I have just opened the document, and my initial reaction is to approach >it > > from the standpoint of an auditor. For example, in the template it >states > > ('understanding that the template is just an example, subject to much > > revision'): > > 'A statement that new applications must have a written security design > > associated with them, have passed a security code review etc...' > > > > This would entail that there would be a security design standard >template >as > > well, and of course variously related standard documents. To the point, >an > > auditor would expect to see relevant security designs with associated > > controls for every single application that was commenced past a certain >date > > prior to the ISO17799 registration audit and ensuing audits. BTW: I >would > > assument that the 4th part of the ISO 9001 standard, in terms of >iterative > > design, might provide for a great example here. Again, a comapny will >have > > some flexibility in terms of the amounts of controls that they want to >put > > in - but proof of 'same and equal' process across the organization in >all > > web projects in terms of security is the goal. 
> > > > To the second clause, 'passed a security code review'. This could >entail >a > > variety of things: there could be a document, perhaps a standardized > > checklist, or one could go so far as to have code review teams, etc. > > The proof is in the pudding: is there documented proof of the claims within >the > > company's interpretation of the standard, and are those interpretations > > valid? > > > > So, this will be the tack that I will take, to ensure that we approach >with > > an audit in mind - I think this makes sense, would you not agree? > > > > > > > > Richard Seiersen > > rich67dev at hotmail.com > > > > > > > > > > > > >From: "Rich Seiersen" > > >To: mark at curphey.com, owasp-iso17799 at lists.sourceforge.net > > >Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General > > >Date: Tue, 02 Sep 2003 02:19:05 +0000 > > > > > >Mark, > > >Very good, I will take a look at this in short order. > > > > > >Regards, > > >Richard Seiersen > > >rich67dev at hotmail.com > > > > > > > > > > > > > > > > > >>From: "Mark Curphey" > > >>To: "Rich Seiersen" > > >>, > > >>Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General > > >>Date: Mon, 1 Sep 2003 22:12:20 -0400 > > >> > > >>There is a big appetite for this stuff and I am sure we can get quite >a > > >>few > > >>companies to road-test. I know of a few big banks and at least two big > > >>telcos who used the Guide to build policies for developers. > > >> > > >>I am attaching a basic outline of a web security policy that I started >to > > >>put together. As I mentioned, all this is is headings. I personally >like >to > > >>build out the headings and then complete the content. There is a lot > > >>missing, but maybe you can take a look and we can iterate?
> > >> > > >>----- Original Message ----- > > >>From: "Rich Seiersen" > > >>To: ; > > >>Sent: Monday, September 01, 2003 9:30 PM > > >>Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General > > >> > > >> > > >> > Mark, > > >> > This works for me, thanks. > > >> > > > >> > In terms of my work effort, focus is always good. So, if we are > > >>looking > > >>at > > >> > a discrete section of the standard, and specific technical concerns > > >>within > > >> > web security, the better off I am in delivering. Otherwise, we can > > >>just > > >> > focus as we move around in the territory. > > >> > > > >> > What I am concerned with of course is 'road testing' the > > >> > product... whatever that product ends up being. > > >> > > > >> > Regards, > > >> > Richard Seiersen > > >> > rich67dev at hotmail.com > > >> > > > >> > > > >> > > > >> > > > >> > > > >> > >From: "Mark Curphey" > > >> > >To: "Rich Seiersen" > > >> > >, > > >> > >Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General > > >> > >Date: Mon, 1 Sep 2003 20:30:50 -0400 > > >> > > > > >> > >Rich > > >> > > > > >> > >Great mail. I am actually British (although I have lived in the US >for > > >>5 > > >> > >years now) so can attest to your observations about the European > > >>adoption > > >>of > > >> > >standards. I have also spent several years in the US working for >one > > >>of > > >>the > > >> > >largest financial services companies and have seen and in some >cases > > >>driven > > >> > >the need for 3rd parties to adopt standards. I used to use a > > >>questionnaire > > >> > >that was based on 17799 (which started life as British Standard >7799 > > >>btw) > > >> > >as > > >> > >a way to judge 3rd party vendors and hold them legally accountable >to > > >>their > > >> > >answers. > > >> > > > > >> > >Your description of the "ISO way" was an excellent read and I am >sure > > >>will > > >> > >make a great introduction section to an ISO project.
> > >> > > > > >> > >For context, when I decided to get this work underway I saw a few >gaps > > >>in > > >> > >the > > >> > >OWASP portfolio and gaps in people's general perception of web > > >>security. > > >> > > > > >> > >1. No good policy templates from which people can clone and create > > >> > >corporate > > >> > >web security policies. I was sent some shocking policy >templates > > >>from > > >> > >a > > >> > >consulting company and felt there was a need to issue some better > > >> > >templates. > > >> > >2. Most web security people are technicians and engineers. Many >people > > >>are > > >> > >now seeing security as a business issue and having to demonstrate >that > > >>they > > >> > >are managing the issue in an effective and accountable way. I am > > >>intrigued > > >> > >to see how ISO17799 translates to a production web security > > >>environment, > > >> > >what areas are missing and, taking the 17799 principles and > > >>applying > > >> > >them, what the products would look like. The ISO17799 project would >be > > >>an > > >> > >experiment as much as anything. > > >> > > > > >> > >So if it works with you guys, I have a proposal to get going. > > >> > > > > >> > >1. As the first task, focus on creating a web security policy > > >>template. > > >>The > > >> > >selfish objective would be for us to start working together and >create > > >>a > > >> > >ramp with a smaller, more manageable project. This would be >released >as > > >>a > > >> > >stand-alone policy template like the ones at SANS > > >> > >http://www.sans.org/resources/policies/#template under the title >of > > >>web > > >> > >security policy. I think this would only take a few weeks to do. > > >> > > > > >> > >2. When successful, we would focus our attention on the IS17799 > > >>project. > > >> > >There are a few approaches to doing this and several possible > > >>deliverables. > > >> > >I think when we start we should all decide what we are trying to > > >>achieve.
> > >>I > > >> > >personally would like to produce a "Guide to applying ISO-17799 > > >>principles > > >> > >to a production web site" but it's definitely open to discussion. >BTW > > >>Rich > > >>I > > >> > >already have a copy but thanks for thinking of me. > > >> > > > > >> > >Let me know if this works and I will send over a template I >started >to > > >>put > > >> > >together and shared with Sam. I tend to work by filling in >headings > > >>and > > >> > >then > > >> > >the text so it's nothing more than a set of headings at this stage. > > >> > > > > >> > >Kind regards, > > >> > > > > >> > > > > >> > >Mark > > >> > > > > >> > > > > >> > >----- Original Message ----- > > >> > >From: "Rich Seiersen" > > >> > >To: > > >> > >Sent: Thursday, August 28, 2003 3:31 PM > > >> > >Subject: [Owasp-iso17799] An Understanding Of ISO In General > > >> > > > > >> > > > > >> > > > Thoughts On ISO: > > >> > > > I have noted a bit of discussion as I have been googling, in >terms > > >>of > > >> > >the > > >> > > > value of the standard in question as it relates to security. I >am > > >>of > > >> > >the > > >> > > > growing opinion that there is a misunderstanding in terms of >the > > >>nature > > >> > >of > > >> > > > ISO, and what quality is in terms of ISO. I will not assume >that > > >>any > > >>of > > >> > >us > > >> > > > have this misunderstanding, but I think it's of value for me to >make > > >> > >clear > > >> > > > what my understanding of ISO is. Likewise, I think it will be > > >>important > > >> > >for > > >> > > > us to come to terms with what ISO is as we consider developing >both > > >> > > > templating systems and more consultative product. > > >> > > > > > >> > > > ISO, of course, refers to the Greek ISO (like in the triangle, >or > > >> > >isometric) > > >> > > > - and is not the initials for an organization (which would be >IOS). > > >> I > > >> > >am > > >> > > > sure we are aware of this, but not the consumer.
So, when >people > > >>go > > >> > >about > > >> > > > doing ISO, they are bound for disappointment if they do not >have > > >>the > > >> > > > philosophical underpinning of what ISO-based quality actually >is - > > >> > > > same/equal. I have seen this disappointment firsthand in > > >> > >organizations, > > >> > > > and it can be avoided if done correctly. Nonetheless, an >effective > > >>ISO > > >> > > > program should not only make process same or equal (which is >good > > >>in > > >>and > > >> > >of > > >> > > > itself), but it should have a qualitative impact on the > > >>organization > > >>be > > >> > >it > > >> > > > security, manufacturing, and/or environmental ISO. If not, >while > > >>you > > >>may > > >> > > > pass an audit, you will have a group of disgruntled employees >who > > >>don't > > >> > >take > > >> > > > what you are doing seriously, thus negatively impacting what >you > > >>are > > >> > >trying > > >> > > > to improve - security in this case. > > >> > > > > > >> > > > To clarify what I am talking about in terms of ISO quality. If >your > > >> > >company > > >> > > > makes lead life preservers, and you make them all the same, and >it's > > >> > > > verifiable in terms of documentation and physical process - >then > > >>you > > >>are > > >> > >ISO > > >> > > > according to the IOS ;-) But, if you make life preservers that > > >>have > > >> > >every > > >> > > > bell and whistle, they are very 'good' life preservers that >save > > >>lives, > > >> > >yet > > >> > > > you have zero documentation or verifiable/repeatable process - >you > > >>are > > >> > >not > > >> > > > ISO - and would fail an audit despite the fact that your life > > >>preservers > > >> > > > save lives. > > >> > > > > > >> > > > It is this type of thing, 'same/equal/repeatable/verifiable' >that > > >>is > > >>at > > >> > >the > > >> > > > very heart of ISO.
And if you have had the opportunity to work > > >>with > > >> > >larger > > >> > > > Asian firms (I just got off a stint with Kyosera), you will note >how > > >> > > > important and ingrained this type of thing is (it can be a >pain). > > >> > >Hence, > > >> > > > this is why larger Asian and European organizations literally >force > > >>US > > >> > > > companies to get ISO certified in one or more of the standards. >In > > >> > >fact, > > >> > > > 90%+ of all ISO certifications in the US are driven by sales, >i.e. > > >>they > > >> > > > would not have done so if it were not for a larger European and/or > > >>Japanese > > >> > > > organization withholding sales unless the US counterpart were > > >>certified. > > >> > > > We are looking at roughly 100,000+ certifications required in >such > > >>a > > >> > >way, > > >> > > > and required in short order (5 months in some cases). > > >> > > > > > >> > > > Lastly, I am not aware of any sales that require companies to >be > > >>ISO > > >> > >17799 > > >> > > > certified, but I think it will happen. Therefore, we must be >clear > > >>on > > >> > >what > > >> > > > is, and what isn't, ISO. Because not only must having 'good' >security > > >>be > > >> > >a > > >> > > > result to the CSO, but passing the audit is critical to the >CEO/CFO > > >>(and > > >> > > > CSO). > > >> > > > > > >> > > > My introductory $.02 > > >> > > > Richard Seiersen > > >> > > > rich67dev at hotmail.com > > >> > > > > > >> > > > >_________________________________________________________________ > > >> > > > Help protect your PC: Get a free online virus scan at >McAfee.com.
> > >> > > > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 > > >> > > > > > >> > > > > > >> > > > > > >> > > > ------------------------------------------------------- > > >> > > > This sf.net email is sponsored by:ThinkGeek > > >> > > > Welcome to geek heaven. > > >> > > > http://thinkgeek.com/sf > > >> > > > _______________________________________________ > > >> > > > Owasp-iso17799 mailing list > > >> > > > Owasp-iso17799 at lists.sourceforge.net > > >> > > > https://lists.sourceforge.net/lists/listinfo/owasp-iso17799 > > >> > > > > > >> > > > > >> > > > >> > _________________________________________________________________ > > >> > MSN 8: Get 6 months for $9.95/month. > > >>http://join.msn.com/?page=dept/dialup > > >> > > > >> > > > >> > > > >> > ------------------------------------------------------- > > >> > This sf.net email is sponsored by:ThinkGeek > > >> > Welcome to geek heaven. > > >> > http://thinkgeek.com/sf > > >> > _______________________________________________ > > >> > Owasp-iso17799 mailing list > > >> > Owasp-iso17799 at lists.sourceforge.net > > >> > https://lists.sourceforge.net/lists/listinfo/owasp-iso17799 > > >> > > > >><< OWASPWebSiteSecurityPolicy.doc >> > > > > > >_________________________________________________________________ > > >MSN 8: Get 6 months for $9.95/month >http://join.msn.com/?page=dept/dialup > > > > > > > > > > > >------------------------------------------------------- > > >This sf.net email is sponsored by:ThinkGeek > > >Welcome to geek heaven. > > >http://thinkgeek.com/sf > > >_______________________________________________ > > >Owasp-iso17799 mailing list > > >Owasp-iso17799 at lists.sourceforge.net > > >https://lists.sourceforge.net/lists/listinfo/owasp-iso17799 > > > > _________________________________________________________________ > > MSN 8: Get 6 months for $9.95/month. 
>http://join.msn.com/?page=dept/dialup > > > > > > > > ------------------------------------------------------- > > This sf.net email is sponsored by:ThinkGeek > > Welcome to geek heaven. > > http://thinkgeek.com/sf > > _______________________________________________ > > Owasp-iso17799 mailing list > > Owasp-iso17799 at lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/owasp-iso17799 > > > > _________________________________________________________________ > > Send and receive larger attachments with Hotmail Extra Storage. > > http://join.msn.com/?PAGE=features/es > > > > > > > >------------------------------------------------------- >This sf.net email is sponsored by:ThinkGeek >Welcome to geek heaven. >http://thinkgeek.com/sf >_______________________________________________ >Owasp-iso17799 mailing list >Owasp-iso17799 at lists.sourceforge.net >https://lists.sourceforge.net/lists/listinfo/owasp-iso17799 _________________________________________________________________ Try MSN Messenger 6.0 with integrated webcam functionality! http://www.msnmessenger-download.com/tracking/reach_webcam From mark at curphey.com Thu Sep 4 19:02:19 2003 From: mark at curphey.com (Mark Curphey) Date: Thu, 4 Sep 2003 19:02:19 -0400 Subject: [Owasp-iso17799] Re: Current policy doc References: Message-ID: <004d01c37338$97f82250$78de06d1@markc2000> If you are a Linux person then you are set already ;-) Just let me know your Sourceforge ID's and I'll add you in so you can commit. ----- Original Message ----- From: "Rich Seiersen" To: ; Cc: Sent: Thursday, September 04, 2003 6:56 PM Subject: Re: [Owasp-iso17799] Re: Current policy doc > Mark, > Yes, I am fine with CVS. I have never used a windoze client for it, but am > open to trying a new thing, thanks for the advice. 
>
> _________________________________________________________________
> Try MSN Messenger 6.0 with integrated webcam functionality!
> http://www.msnmessenger-download.com/tracking/reach_webcam

From mark at curphey.com Thu Sep 4 20:23:19 2003
From: mark at curphey.com (Mark Curphey)
Date: Thu, 4 Sep 2003 20:23:19 -0400
Subject: [Owasp-iso17799] Re: Current policy doc
References:
Message-ID: <000f01c37343$e852f620$78de06d1@markc2000>

CVS module created called ISO17799.

----- Original Message -----
From: "Rich Seiersen"
To: ;
Cc:
Sent: Thursday, September 04, 2003 6:56 PM
Subject: Re: [Owasp-iso17799] Re: Current policy doc

> Mark,
> Yes, I am fine with CVS. I have never used a windoze client for it, but am open to trying a new thing, thanks for the advice.
>
> Regards,
> Richard Seiersen
> rich67dev at hotmail.com
>
> >From: "Mark Curphey"
> >To: "sam heinrich" ,
> >CC:
> >Subject: [Owasp-iso17799] Re: Current policy doc
> >Date: Thu, 4 Sep 2003 18:30:25 -0400
> >
> >It's the last one I produced anyway. I am not sure if you guys have ever used CVS? It's very easy on Windows and allows people to work on documents and code and sync the versions to a central repository. OWASP has a repository set up at Sourceforge. If you use Windows you can download tortoisecvs.org which is the easiest to set up and use. You will also need a Sourceforge account that I will need to add to the OWASP project.
> >
> >In terms of Rich's comments, I think they are spot on as well. I am sure eventually we can blend and co-ordinate all of the OWASP documentation projects to work together. The guide for instance could be thought of as procedures for designing and developing secure applications.
> >
> >In terms of how far we can take this it's down to you guys! I think the small step of the policy template (which can of course be updated) makes sense but the approach you both set out makes most sense to me in the long run, so if we view this as the first step that works well for me.
> >----- Original Message -----
> >From: "sam heinrich"
> >To: ;
> >Cc:
> >Sent: Thursday, September 04, 2003 1:17 PM
> >Subject: Current policy doc
> >
> > > Hi Mark, Rich,
> > >
> > > I have some time coming free - Mark, is the last document you sent out the latest version?
> > >
> > > I have some thoughts regarding Rich's points about supporting procedures and specifics for the policy document. If I understood correctly, our first focus is on a quick hit with a policy document. I think maybe the supporting details Rich is describing fall under the procedure documents that support a policy, but may not be necessary to provide a recommended policy template. It will be up to each company to produce these supporting documents, and up to an auditor to verify their existence; at some point, the OWASP might provide templates for them. For now, though, do we think we can provide a policy template that just stipulates their existence, without providing templates for implementation specifics?
> > >
> > > Thoughts?
> > >
> > > - Sam
> > >
> > > P.S. Rich - thanks from me, too, for illuminating the ISO ideal - as Mark said, it was an interesting read.
> > >
> > > ----Original Message Follows----
> > > From: "Rich Seiersen"
> > > To: rich67dev at hotmail.com, mark at curphey.com, owasp-iso17799 at lists.sourceforge.net
> > > Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> > > Date: Tue, 02 Sep 2003 03:24:47 +0000
> > >
> > > Mark,
> > > I have just opened the document, and my initial reaction is to approach it from the standpoint of an auditor.
> > > For example, in the template it states ('understanding that the template is just an example, subject to much revision'):
> > > 'A statement that new applications must have a written security design associated with them, have passed a security code review etc...'
> > >
> > > This would entail that there would be a security design standard template as well, and of course variously related standard documents. To the point, an auditor would expect to see relevant security designs with associated controls for every single application that was commenced past a certain date prior to the ISO17799 registration audit and ensuing audits. BTW: I would assume that the 4th part of the ISO 9001 standard, in terms of iterative design, might provide for a great example here. Again, a company will have some flexibility in terms of the amounts of controls that they want to put in - but proof of 'same and equal' process across the organization in all web projects in terms of security is the goal.
> > >
> > > To the second clause, 'passed a security code review'. This could entail a variety of things: there could be a document, perhaps a standardized checklist, or one could go so far as to have code review teams, etc. Proof is in the pudding: is there documented proof of the claims within the company's interpretation of the standard, and are those interpretations valid?
> > >
> > > So, this will be the tack that I will take, to ensure that we approach with an audit in mind - I think this makes sense, would you not agree?
> > >
> > > Richard Seiersen
> > > rich67dev at hotmail.com
> > >
> > > >From: "Rich Seiersen"
> > > >To: mark at curphey.com, owasp-iso17799 at lists.sourceforge.net
> > > >Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> > > >Date: Tue, 02 Sep 2003 02:19:05 +0000
> > > >
> > > >Mark,
> > > >Very good, I will take a look at this in short order.
> > > >
> > > >Regards,
> > > >Richard Seiersen
> > > >rich67dev at hotmail.com
> > > >
> > > >>From: "Mark Curphey"
> > > >>To: "Rich Seiersen" ,
> > > >>Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> > > >>Date: Mon, 1 Sep 2003 22:12:20 -0400
> > > >>
> > > >>There is a big appetite for this stuff and I am sure we can get quite a few companies to road-test. I know of a few big banks and at least two big telcos who used the Guide to build policies for developers.
> > > >>
> > > >>I am attaching a basic outline of a web security policy that I started to put together. As I mentioned, all this is is headings. I personally like to build out the headings and then complete the content. There is a lot missing, but maybe you can take a look and we can iterate?
> > > >>
> > > >>----- Original Message -----
> > > >>From: "Rich Seiersen"
> > > >>To: ;
> > > >>Sent: Monday, September 01, 2003 9:30 PM
> > > >>Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> > > >>
> > > >> > Mark,
> > > >> > This works for me, thanks.
> > > >> >
> > > >> > In terms of my work effort, focus is always good. So, if we are looking at a discrete section of the standard, and specific technical concerns within web security, the better off I am in delivering. Otherwise, we can just focus as we move around in the territory.
> > > >> >
> > > >> > What I am concerned with of course is 'road testing' the product......whatever that product ends up being.
> > > >> >
> > > >> > Regards,
> > > >> > Richard Seiersen
> > > >> > rich67dev at hotmail.com
> > > >> >
> > > >> > >From: "Mark Curphey"
> > > >> > >To: "Rich Seiersen" ,
> > > >> > >Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> > > >> > >Date: Mon, 1 Sep 2003 20:30:50 -0400
> > > >> > >
> > > >> > >Rich
> > > >> > >
> > > >> > >Great mail. I am actually British (although I have lived in the US for 5 years now) so can attest to your observations about the European adoption of standards. I have also spent several years in the US working for one of the largest financial services companies and have seen and in some cases driven the need for 3rd parties to adopt standards. I used to use a questionnaire that was based on 17799 (which started life as British Standard 7799 btw) as a way to judge 3rd party vendors and hold them legally accountable to their answers.
> > > >> > >
> > > >> > >Your description of the "ISO way" was an excellent read and I am sure will make a great introduction section to an ISO project.
> > > >> > >
> > > >> > >For context, when I decided to get this work underway I saw a few gaps in the OWASP portfolio and gaps in people's general perception of web security.
> > > >> > >
> > > >> > >1. No good policy templates from which people can clone and create corporate web security policies. I was sent some shocking policy templates from a consulting company and felt there was a need to issue some better templates.
> > > >> > >2. Most web security people are technicians and engineers. Many people are now seeing security as a business issue and having to demonstrate that they are managing the issue in an effective and accountable way. I am intrigued to see how ISO17799 translates to a production web security environment, what areas are missing and, taking the 17799 principles and applying them, what the products would look like. The ISO17799 project would be an experiment as much as anything.
> > > >> > >
> > > >> > >So if it works with you guys, I have a proposal to get going.
> > > >> > >
> > > >> > >1. As the first task, focus on creating a web security policy template. The selfish objective would be for us to start working together and create a ramp with a smaller, more manageable project. This would be released as a stand-alone policy template like the ones at SANS http://www.sans.org/resources/policies/#template under the title of web security policy. I think this would only take a few weeks to do.
> > > >> > >
> > > >> > >2. When successful we would focus our attention on the IS17799 project. There are a few approaches to doing this and several possible deliverables. I think when we start we should all decide what we are trying to achieve. I personally would like to produce a "Guide to applying ISO-17799 principles to a production web site" but it's definitely open to discussion. BTW Rich, I already have a copy but thanks for thinking of me.
> > > >> > >
> > > >> > >Let me know if this works and I will send over a template I started to put together and shared with Sam. I tend to work by filling in headings and then the text so it's nothing more than a set of headings at this stage.
> > > >> > >
> > > >> > >Kind regards,
> > > >> > >
> > > >> > >Mark
> > > >> > >
> > > >> > >----- Original Message -----
> > > >> > >From: "Rich Seiersen"
> > > >> > >To:
> > > >> > >Sent: Thursday, August 28, 2003 3:31 PM
> > > >> > >Subject: [Owasp-iso17799] An Understanding Of ISO In General
> > > >> > >
> > > >> > > > Thoughts On ISO:
> > > >> > > > I have noted a bit of discussion as I have been googling, in terms of the value of the standard in question as it relates to security. I am of the growing opinion that there is a misunderstanding in terms of the nature of ISO, and what quality is in terms of ISO. I will not assume that any of us have this misunderstanding, but I think it's of value for me to make clear what my understanding of ISO is. Likewise, I think it will be important for us to come to terms with what ISO is as we consider developing both templating systems and more consultative product.
> > > >> > > >
> > > >> > > > ISO, of course, refers to the Greek ISO (like in the triangle, or isometric) - and is not the initials for an organization (which would be IOS). I am sure we are aware of this, but not the consumer. So, when people go about doing ISO, they are bound for disappointment if they do not have the philosophical underpinning of what ISO based quality actually is - same/equal. I have seen this disappointment first hand in organizations, and it can be avoided if done correctly. Nonetheless, an effective ISO program should not only make process same or equal (which is good in and of itself), but it should have a qualitative impact on the organization, be it security, manufacturing, and/or environmental ISO. If not, while you may pass an audit, you will have a group of disgruntled employees who don't take what you are doing seriously, thus negatively impacting what you are trying to improve - security in this case.
> > > >> > > >
> > > >> > > > To clarify what I am talking about in terms of ISO quality. If your company makes lead life preservers, and you make them all the same, and it's verifiable in terms of documentation and physical process - then you are ISO according to the IOS ;-) But, if you make life preservers that have every bell and whistle, they are very 'good' life preservers that save lives, yet you have zero documentation or verifiable/repeatable process - you are not ISO - and would fail an audit despite the fact that your life preservers save lives.
> > > >> > > >
> > > >> > > > It is this type of thing, 'same/equal/repeatable/verifiable', that is at the very heart of ISO. And if you have had the opportunity to work with larger Asian firms (I just got off a stint with Kyocera), you will note how important and ingrained this type of thing is (it can be a pain). Hence, this is why larger Asian and European organizations literally force US companies to get ISO certified in one or more of the standards. In fact, 90%+ of all ISO certifications in the US are driven by sales, i.e. they would not have done so if it were not for a larger European and/or Japanese organization withholding sales unless the US counterpart were certified. We are looking at roughly 100,000+ certifications required in such a way, and required in short order (5 months in some cases).
> > > >> > > >
> > > >> > > > Lastly, I am not aware of any sales that require companies to be ISO 17799 certified, but I think it will happen. Therefore, we must be clear on what is, and what isn't, ISO. Because not only must having 'good' security be a result to the CSO, but passing the audit is critical to the CEO/CFO (and CSO).
> > > >> > > >
> > > >> > > > My introductory $.02
> > > >> > > > Richard Seiersen
> > > >> > > > rich67dev at hotmail.com
From mark at curphey.com Fri Sep 5 22:19:31 2003
From: mark at curphey.com (Mark Curphey)
Date: Fri, 5 Sep 2003 22:19:31 -0400
Subject: [Owasp-iso17799] Re: Current policy doc
References:
Message-ID: <016101c3741d$4e70ba30$78de06d1@markc2000>

I have some time free coming forward although am pretty consumed with the WAS project at OASIS right now. If you guys assign me tasks I will dutifully complete them...feel free to boss me around at your will ;)

----- Original Message -----
From: "Rich Seiersen"
To: ;
Cc:
Sent: Thursday, September 04, 2003 3:23 PM
Subject: [Owasp-iso17799] Re: Current policy doc

> Sam,
> For my part, I agree with you, do a straightforward first step.
>
> Regards,
> Richard Seiersen
> rich67dev at hotmail.com
>
> >From: "sam heinrich"
> >To: mark at curphey.com, rich67dev at hotmail.com
> >CC: owasp-iso17799 at lists.sourceforge.net
> >Subject: Current policy doc
> >Date: Thu, 04 Sep 2003 17:17:13 +0000
> >
> >Hi Mark, Rich,
> >
> >I have some time coming free - Mark, is the last document you sent out the latest version?
> >
> >I have some thoughts regarding Rich's points about supporting procedures and specifics for the policy document. If I understood correctly, our first focus is on a quick hit with a policy document. I think maybe the supporting details Rich is describing fall under the procedure documents that support a policy, but may not be necessary to provide a recommended policy template. It will be up to each company to produce these supporting documents, and up to an auditor to verify their existence; at some point, the OWASP might provide templates for them. For now, though, do we think we can provide a policy template that just stipulates their existence, without providing templates for implementation specifics?
> >
> >Thoughts?
> >
> >- Sam
> >
> >P.S. Rich - thanks from me, too, for illuminating the ISO ideal - as Mark said, it was an interesting read.
From mark at curphey.com Sun Sep 7 17:25:12 2003
From: mark at curphey.com (Mark Curphey)
Date: Sun, 7 Sep 2003 17:25:12 -0400
Subject: [Owasp-iso17799] Re: Current policy doc
References:
Message-ID: <00d701c37586$85c34420$78de06d1@markc2000>

I checked in the draft template I had to CVS. Do you guys want to start working through sections together or make sure we have the right content headers before tackling content itself?

----- Original Message -----
From: "Rich Seiersen"
To: ;
Cc:
Sent: Thursday, September 04, 2003 6:56 PM
Subject: Re: [Owasp-iso17799] Re: Current policy doc

> Mark,
> Yes, I am fine with CVS. I have never used a windoze client for it, but am open to trying a new thing, thanks for the advice.
>
> Regards,
> Richard Seiersen
> rich67dev at hotmail.com
>
> >From: "Mark Curphey"
> >To: "sam heinrich" ,
> >CC:
> >Subject: [Owasp-iso17799] Re: Current policy doc
> >Date: Thu, 4 Sep 2003 18:30:25 -0400
> >
> >It's the last one I produced anyway. I am not sure if you guys have ever used CVS? It's very easy on Windows and allows people to work on documents and code and sync the versions to a central repository. OWASP has a repository set up at Sourceforge.
> >If you use Windows you can download tortoisecvs.org which is the easiest to set up and use. You will also need a Sourceforge account that I will need to add to the OWASP project.
> >
> >In terms of Rich's comments, I think they are spot on as well. I am sure eventually we can blend and co-ordinate all of the OWASP documentation projects to work together. The guide for instance could be thought of as procedures for designing and developing secure applications.
> >
> >In terms of how far we can take this it's down to you guys! I think the small step of the policy template (which can of course be updated) makes sense but the approach you both set out makes most sense to me in the long run so if we view this as the first step that works well for me.
> >
> >----- Original Message -----
> >From: "sam heinrich"
> >To: ;
> >Cc:
> >Sent: Thursday, September 04, 2003 1:17 PM
> >Subject: Current policy doc
> >
> > > Hi Mark, Rich,
> > >
> > > I have some time coming free - Mark, is the last document you sent out the latest version?
> > >
> > > I have some thoughts regarding Rich's points about supporting procedures and specifics for the policy document. If I understood correctly, our first focus is on a quick hit with a policy document. I think maybe the supporting details Rich is describing fall under the procedure documents that support a policy, but may not be necessary to provide a recommended policy template. It will be up to each company to produce these supporting documents, and up to an auditor to verify their existence; at some point, the OWASP might provide templates for them. For now, though, do we think we can provide a policy template that just stipulates their existence, without providing templates for implementation specifics?
> > >
> > > Thoughts?
> > >
> > > - Sam
> > >
> > > P.S.
> > > Rich - thanks from me, too, for illuminating the ISO ideal - as Mark said, it was an interesting read.
> > >
> > >
> > > ----Original Message Follows----
> > > From: "Rich Seiersen"
> > > To: rich67dev at hotmail.com, mark at curphey.com, owasp-iso17799 at lists.sourceforge.net
> > > Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> > > Date: Tue, 02 Sep 2003 03:24:47 +0000
> > >
> > > Mark,
> > > I have just opened the document, and my initial reaction is to approach it from the standpoint of an auditor. For example, in the template it states ('understanding that the template is just an example, subject to much revision'):
> > > 'A statement that new applications must have a written security design associated with them, have passed a security code review etc...'
> > >
> > > This would entail that there would be a security design standard template as well, and of course variously related standard documents. To the point, an auditor would expect to see relevant security designs with associated controls for every single application that was commenced past a certain date prior to the ISO17799 registration audit and ensuing audits. BTW: I would assume that the 4th part of the ISO 9001 standard, in terms of iterative design, might provide for a great example here. Again, a company will have some flexibility in terms of the amount of controls that they want to put in - but proof of 'same and equal' process across the organization in all web projects in terms of security is the goal.
> > >
> > > To the second clause, 'passed a security code review'. This could entail a variety of things, there could be a document, perhaps a standardized checklist, or one could go so far as to have code review teams and etc.
> > > Proof is in the pudding, is there documented proof of the claims within the company's interpretation of the standard, and are those interpretations valid.
> > >
> > > So, this will be the tack that I will take, to ensure that we approach with an audit in mind - I think this makes sense, would you not agree?
> > >
> > > Richard Seiersen
> > > rich67dev at hotmail.com
> > >
> > > >From: "Rich Seiersen"
> > > >To: mark at curphey.com, owasp-iso17799 at lists.sourceforge.net
> > > >Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> > > >Date: Tue, 02 Sep 2003 02:19:05 +0000
> > > >
> > > >Mark,
> > > >Very good, I will take a look at this in short order.
> > > >
> > > >Regards,
> > > >Richard Seiersen
> > > >rich67dev at hotmail.com
> > > >
> > > >>From: "Mark Curphey"
> > > >>To: "Rich Seiersen" ,
> > > >>Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> > > >>Date: Mon, 1 Sep 2003 22:12:20 -0400
> > > >>
> > > >>There is a big appetite for this stuff and I am sure we can get quite a few companies to road-test. I know of a few big banks and at least two big telcos who used the Guide to build policies for developers.
> > > >>
> > > >>I am attaching a basic outline of a web security policy that I started to put together. As I mentioned, all this is, is headings. I personally like to build out the headings and then complete the content. There is a lot missing, but maybe you can take a look and we can iterate?
> > > >>
> > > >>----- Original Message -----
> > > >>From: "Rich Seiersen"
> > > >>To: ;
> > > >>Sent: Monday, September 01, 2003 9:30 PM
> > > >>Subject: Re: [Owasp-iso17799] An Understanding Of ISO In General
> > > >>
> > > >> > Mark,
> > > >> > This works for me, thanks.
> > > >> >
> > > >> > In terms of my work effort, focus is always good.
> > > >> > So, if we are looking at a discrete section of the standard, and specific technical concerns within web security, the better off I am in delivering. Otherwise, we can just focus as we move around in the territory.
> > > >> >
> > > >> > What I am concerned with of course is 'road testing' the product......whatever that product ends up being.
> > > >> >
> > > >> > Regards,
> > > >> > Richard Seiersen
> > > >> > rich67dev at hotmail.com
> > > >>
> > > >><< OWASPWebSiteSecurityPolicy.doc >>
From mark at curphey.com Mon Sep 8 06:45:16 2003
From: mark at curphey.com (Mark Curphey)
Date: Mon, 8 Sep 2003 06:45:16 -0400
Subject: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News
Message-ID: <022701c375f6$4a60ac40$78de06d1@markc2000>

----- Original Message -----
From: "InfoSec News"
To:
Sent: Monday, September 08, 2003 1:20 AM
Subject: [ISN] ISO17799 Security News

> Forwarded from: Sara Hollins
>
> Issue 8 of the ISO 17799 Newsletter will today be released. This quarterly publication covers news and developments with respect to the international information security standard.
>
> The latest edition covers the following topics:
>
> 1) Obtaining ISO17799
> 2) Recent Internet Attacks
> 3) ISO17799 Critical Success Factors
> 4) Control Types
> 5) ISO17799 Section 11 - The North American Blackout
> 6) ISO17799: a World Wide Phenomenon
> 7) Business Continuity Emergency Types
> 8) Back-Up and Recovery Strategy
> 9) More Frequently Asked ISO17799 Questions
> 10) Service Availability and the SLA
> 11) ISO 17799 Related Terms and Definitions
> 12) It Couldn't Happen Here.... Could It?
>
> This issue can be viewed directly from the publisher's web site: http://www.iso17799-web.com/issue8.htm and is free to subscribers.
>
> -
> ISN is currently hosted by Attrition.org
>
> To unsubscribe email majordomo at attrition.org with 'unsubscribe isn' in the BODY of the mail.
From mark at curphey.com Tue Sep 9 11:02:52 2003
From: mark at curphey.com (Mark Curphey)
Date: Tue, 9 Sep 2003 11:02:52 -0400
Subject: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News
References:
Message-ID: <02fc01c376e3$71b13b00$78de06d1@markc2000>

No problem I am swamped myself.

I just spent 20 mins updating the doc with some draft (note DRAFT) text on the transport security section and checked it in to CVS. I was thinking the text would look something like this. I didn't do the tables that you will see. I guess we would want to structure a template in such a way that people can delete or not see sections / regulations that may not appeal to them, or offer several policy statements for each section, or offer section guidance on what people might want to change in that specific section.

----- Original Message -----
From: "Rich Seiersen"
To:
Sent: Tuesday, September 09, 2003 12:38 AM
Subject: Re: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News

> Mark,
> Been swamped - will respond to your other queries by tomorrow. I think the best help, in short, would be for you to perhaps give an example of 'fleshing out' one of your template headings. Then I can follow suit, or expand, from there on all the rest ('including that one'). I will be more complete in my next response.
>
> Thanks for this,
> Richard Seiersen
> rich67dev at hotmail.com

From rich67dev at hotmail.com Thu Sep 11 20:23:45 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Fri, 12 Sep 2003 00:23:45 +0000
Subject: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News
Message-ID:

Mark (and et al),
There are some docs on the SANS site you may want to consider reviewing in detail, I know I will:
http://www.sans.org/score/ISO_17799checklist.php

I am planning on going to their ISO17799 deal in New Orleans, any takers? I will probably go for the GIAC track as well.
( i do have my cissp, I think mark knows that, its a bit...theoretical, giac is much more hands on - hence the white paper, as well as multichoice testing.) --------------------------- I have been talking with SANS, and they feel that the 17799 framework is the best security audit framework!? Quite a bold statement, but falls inline withe Marks assessments. So, good show Mark! Its doubley nice to have such verification. ----------------------------- In terms of the book I mentiong that I will be purchasing from Amazon, here it is (not availble till sometime this month): It Governance: A Manager's Guide to Data Security and Bs 7799/Iso 17799 by Alan Calder, Steve Watkins http://www.amazon.com/exec/obidos/tg/detail/-/0749440783/qid=1063325776/sr=1-2/ref=sr_1_2/103-1034433-1524606?v=glance&s=books ----------------------------------- Lastly, Mark I hope to look at your material in the next day or two at the most (if not tonight). I will respond shortly to your most recent edits and my thoughts on what to add. Richard Seiersen rich67dev at hotmail.com >From: "Mark Curphey" >To: >Subject: Re: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News >Date: Tue, 9 Sep 2003 11:02:52 -0400 > >No problem I am swamped myself. > >I just spent 20 mins updated the doc with some draft (note DRAFT) text on >the transport security section and checked it in to CVS. I was thinking the >text would look something like this. I didnt do the tables that you will >see. I guess we would want to structure a template in such that people can >delete or not see sections / regulations that may not appeal to them >or offer several policy statements for each section >or offer section guidance on ehat people might want to change in that >specific section > > >----- Original Message ----- >From: "Rich Seiersen" >To: >Sent: Tuesday, September 09, 2003 12:38 AM >Subject: Re: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News > > > > Mark, > > Been swamped - will repsond to your other queries by tomorrow. 
> > I think the best help, in short, would be for you to perhaps give an example of
> > 'fleshing out' one of your template headings. Then I can follow suit, or
> > expand, from there on all the rest ('including that one'). I will be more
> > complete in my next response.
> >
> > Thanks for this,
> > Richard Seiersen
> > rich67dev at hotmail.com
From rich67dev at hotmail.com Thu Sep 18 12:11:05 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Thu, 18 Sep 2003 16:11:05 +0000
Subject: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News
Message-ID: 

Team,

Don't want you to think I have dropped off the radar, I haven't. I work out of my home office, and my office manager (aka wife) has been gone on business for several days and will not return for several more - so Daddy is on his own with the troops. So, please hang in there - I am on the job - and will be going over the template in its entirety most definitely! :-) (Thought I would get to it sooner, but duty calls! ;-) )

Regards,
Richard Seiersen
rich67dev at hotmail.com
From mark at curphey.com Thu Sep 18 15:44:08 2003
From: mark at curphey.com (Mark Curphey)
Date: Thu, 18 Sep 2003 15:44:08 -0400 (EST)
Subject: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News
In-Reply-To: from Rich Seiersen on Thu, 18 Sep 2003 16:11:05 +0000
Message-ID: <200309181944.PAA04367@swiftsure.cnchost.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.owasp.org/pipermail/owasp-iso17799/attachments/20030918/695dbb24/attachment.ksh

From mark at curphey.com Sat Sep 20 09:06:42 2003
From: mark at curphey.com (Mark Curphey)
Date: Sat, 20 Sep 2003 09:06:42 -0400
Subject: [Owasp-iso17799] Fw: ISO17799 in securing web applications
Message-ID: <00ea01c37f78$09b55e30$e4084e41@markc2000>

----- Original Message -----
From: "Amol Hatwar"
To: 
Sent: Friday, September 19, 2003 4:29 PM
Subject: ISO17799 in securing web applications

Dear people at OWASP,

I'd like to help with the ISO17799 documentation. I'm good at:
GNU/Linux,
C/C++,
PHP/PERL/Python
and tech writing of course :).

I hope to hear from you,

ah

From rich67dev at hotmail.com Sat Sep 20 11:40:10 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Sat, 20 Sep 2003 15:40:10 +0000
Subject: [Owasp-iso17799] Fw: ISO17799 in securing web applications
Message-ID: 

Mark,

Do you want to contact him? Or shall I?
Richard Seiersen
rich67dev at hotmail.com

From mark at curphey.com Sat Sep 20 12:04:23 2003
From: mark at curphey.com (Mark Curphey)
Date: Sat, 20 Sep 2003 12:04:23 -0400
Subject: [Owasp-iso17799] Fw: ISO17799 in securing web applications
References: 
Message-ID: <019001c37f90$dc34eca0$e4084e41@markc2000>

No, you feel free. Please go ahead.

----- Original Message -----
From: "Rich Seiersen"
To: ; 
Sent: Saturday, September 20, 2003 11:40 AM
Subject: Re: [Owasp-iso17799] Fw: ISO17799 in securing web applications

Mark,
Do you want to contact him? Or shall I?

Richard Seiersen
rich67dev at hotmail.com
From rich67dev at hotmail.com Sat Sep 20 12:21:54 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Sat, 20 Sep 2003 16:21:54 +0000
Subject: [Owasp-iso17799] Fw: ISO17799 in securing web applications
Message-ID: 

Amol,

Nice to hear from you. As you can probably tell from the OWASP site, we are at a very early stage in terms of 17799. At this stage it is not a 'technical' project, and will lean heavily on the side of documentation, particularly in terms of the relationship between what the 17799 standard sets forth and its potential relationship to secure web application development. Knowing that, what are the types of things that might pique your interest?
Regards,
Richard Seiersen
rich67dev at hotmail.com

From samheinrich at hotmail.com Mon Sep 22 12:54:19 2003
From: samheinrich at hotmail.com (sam heinrich)
Date: Mon, 22 Sep 2003 16:54:19 +0000
Subject: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News
Message-ID: 

Hi guys - glad I wasn't the only one - I was out of town, too, for my sister's wedding. Considering how things get for all of us in our work/personal lives, should we try to spur ourselves on by setting a due date for input on the first draft of the policy?

- sam

p.s. welcome amol...

----Original Message Follows----
From: Mark Curphey
Reply-To: mark at curphey.com
To: Rich Seiersen , , 
Subject: Re: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News
Date: Thu, 18 Sep 2003 15:44:08 -0400 (EST)

Cool. No problem. I am in a similar situation.