2. WHITE PAPER
Effective Security with a Continuous Approach to ISO 27001 Compliance
Page 2
Introduction
The ISO 27001 standard was published in October 2005 as a replacement for the BS7799-2 standard. It is primarily referred to as the Information Security Management System (ISMS) certification standard. Organisations that seek to implement an ISMS are examined against ISO 27001. The objective of this standard is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS” [1].
As with several global standards, the scope of this standard is far reaching, with several sets of control objectives and guidelines. Its fundamental purpose is to act as a compendium of techniques for securing IT environments, and thus for effectively managing business risk as well as demonstrating regulatory compliance.
ISO 27001 is recognised internationally as a structured methodology for information security. A widely held opinion is that ISO 27001 is an umbrella over other standards (such as PCI, SOX, GLBA, HIPAA and CobiT). Companies that choose to adopt ISO 27001 demonstrate their commitment to high levels of information security, as there are 11 major controls in the standard that comprise information security best practices. ISO 27001 does not, however, mandate specific procedures or define the implementation techniques for gaining certification. Thus, companies being audited for ISO 27001 compliance deal with the same issues that plague companies facing regulatory audits: how to effectively achieve compliance and, following an audit, how to cost-effectively maintain it.
There are several benefits to a company gaining ISO 27001 certification [2]:
• Diverse parties working together: With standardisation, systems from different companies are more likely to work together, since they will be speaking a common language.
• An international standard: By complying with an international standard, management proves that it is exercising due diligence in ensuring the security of customer data.
• Awareness within the organisation: Complying with this standard touches many aspects of a company, from both a business and an IT perspective. This creates greater awareness of security and process within the organisation.
• Alignment within the organisation: Since the standard covers such a broad area, several departments need to be in alignment in order to achieve certification, thus building a better working model across the entire company.
• Fully accepted in EMEA: Because this standard is widely accepted and implemented throughout EMEA, numerous companies require business partners to hold certification before working with them. Certification proves to companies that their vendors have taken the necessary steps to protect customer data, and not having certification could have an economic impact through increased risk exposure. North American companies with operations in EMEA may start running into this issue as well.
Tripwire Enterprise and the ISO 27001 Controls
The Tripwire Enterprise solution provides organisations with powerful configuration control through its configuration assessment and change auditing capabilities. With Tripwire Enterprise, organisations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to the specifications given in ISO 27001. This gives organisations immediate visibility into the state of their systems and, by automating the process, saves time and effort compared with manual efforts.
For incorrect configurations, not only does Tripwire Enterprise report that condition as part of its risk assessment feature, it also offers remediation guidance for bringing the settings into compliance. Once this known state has been achieved, Tripwire’s change auditing monitors systems for changes that could affect ISO 27001 compliance, maintaining the IT infrastructure in a known and trusted state.
Several controls in ISO 27001 reference IT technology. Not all can be tested adequately with software, or are relevant to the IT infrastructure. Tripwire Enterprise provides two means of coverage for the ISO 27001 controls. The Configuration Assessment policy proactively assesses settings and checks that they are compliant with the controls. If compliant, Tripwire Enterprise will also continuously monitor those settings for changes that may take them out of compliance. For settings that are not compliant, Tripwire Enterprise provides the necessary remediation steps to bring that setting back into compliance. Some controls Tripwire Enterprise addresses through its industry-leading change monitoring: Tripwire can monitor various levels of settings as part of the Change Management controls specified in the ISO 27001 standard.
Controls addressed by Tripwire Enterprise include:
A.10 – Communications and Operations Management
A.10.1 – Operational Procedures and Responsibilities
The objective of this control is to ensure the correct and secure operation of information processing facilities.
10.1.2 Change Management
ISO 27001 requirement: Changes to information processing facilities and systems shall be controlled.
Tripwire Enterprise: Tripwire Enterprise can monitor any changes to file systems, databases and Active Directory, providing the what and who information for any changes made to critical systems, thus enforcing a sound change process.
10.1.3 Segregation of Duties
ISO 27001 requirement: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets.
Tripwire Enterprise: Using Roles within Tripwire Enterprise, an organisation has complete control over who can have access to files, directories and critical areas within its IT infrastructure, thus preventing unauthorised or unintentional modification of files.
10.1.4 Separation of Development, Test and Operational Facilities
ISO 27001 requirement: Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.
Tripwire Enterprise: User groups can be defined within Tripwire Enterprise to separate the duties of individuals within those groups, restricting permissions and file access rights where necessary to reduce the risk of unauthorised or unintentional changes to systems.
A.10.2 – Third Party Service Delivery Management
The objective of this control is to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
10.2.3 Managing Changes to Third Party Services
ISO 27001 requirement: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business systems and processes involved and re-assessment of risks.
Tripwire Enterprise: Tripwire Enterprise can monitor changes to critical systems and be aligned with applications, procedures and business systems to ensure changes do not happen and, if they do, to give visibility to those changes, thus reducing risk.
A.10.4 – Protection Against Malicious and Mobile Code
The objective of this control is to protect the integrity of software and information.
10.4.1 Controls Against Malicious Code
ISO 27001 requirement: Detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, shall be implemented.
Tripwire Enterprise: By monitoring critical files, Tripwire Enterprise can detect when edits to files have been made, who made the edits, and whether code was changed, deleted or added, thus creating a process around code management and reducing the risk of malicious behaviour.
A.10.6 – Network Security Management
The objective of this control is to ensure the protection of information in networks and the protection of the supporting infrastructure.
10.6.1 Network Controls
ISO 27001 requirement: Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
Tripwire Enterprise: Tripwire Enterprise provides critical assessment of network configuration settings to help maintain the ongoing security of internal systems and applications that rely upon the network. For example, ensuring that anonymous SID/name translation is disabled in the security options policy of a Windows 2003 Server. This setting prevents the null user from translating a binary SID into an actual account name, which could provide useful information to an attacker.
10.6.2 Security of Network Services
ISO 27001 requirement: Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.
Tripwire Enterprise: Maintaining security best practices on important network services is crucial for securing any network. Tripwire Enterprise provides ongoing assessment of network services to measure individual compliance with established best practices. For example, validating that the License Logging Service is disabled on a Windows system. This service is a license-management tool with a vulnerability that permits remote code execution. Disabling this service, as well as other unnecessary services, is a security best practice that helps limit avenues of attack.
A.10.7 – Media Handling
The objective of this control is to prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities.
10.7.1 Management of Removable Media
ISO 27001 requirement: There should be procedures in place for the management of removable media.
Tripwire Enterprise: An unmanaged approach to removable media can be a serious vulnerability. Tripwire Enterprise provides assurance that system configuration settings are configured to reduce common risks associated with removable media. For example, ensuring that security options on a Windows system are configured to only allow administrators to format and eject removable NTFS media.
A.10.8 – Exchange of Information
The objective of this control is to maintain the security of information and software exchanged within an organisation and
with any external entity.
10.8.1 Information Exchange Policies and Procedures
ISO 27001 requirement: Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communications facilities.
Tripwire Enterprise: Configuration assessment helps to ensure that proper measures are in place to safeguard the exchange of information and eliminate unnecessary communication risks. For example, verifying that the NetMeeting Remote Desktop Sharing Service is disabled on a Windows system. This service supports NetMeeting, but may be subject to attacks, including buffer overflows.
10.8.5 Business Information Systems
ISO 27001 requirement: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.
Tripwire Enterprise: Tripwire Enterprise verifies that proper system configuration settings are used to safeguard the information necessary for disparate business information systems to interconnect. For example, ensuring that strong key protection is required for user keys stored on a covered system. Strong key protection requires users to enter a password associated with a key every time they use the key. This helps prevent user keys from being compromised if a computer is stolen or hijacked.
A.10.9 – Electronic Commerce Services
The objective of this control is to ensure the security of electronic commerce services, and their secure use.
10.9.3 Publicly Available Information
ISO 27001 requirement: The integrity of information being made available on a publicly available system shall be protected to prevent unauthorised modification.
Tripwire Enterprise: Tripwire Enterprise provides “roles” to restrict unauthorised access to important files, as well as the necessary monitoring of these files so that changes are flagged and alerts are sent to the pertinent individuals.
A.10.10 – Monitoring
The objective of this control is to detect unauthorised information processing activities.
10.10.1 Audit Logging
ISO 27001 requirement: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
Tripwire Enterprise: Tripwire’s Configuration Assessment verifies that important audit logging settings are configured to support possible audit investigations and ongoing access control monitoring.
10.10.3 Protection of Log Information
ISO 27001 requirement: Logging facilities and log information shall be protected against tampering and unauthorised access.
Tripwire Enterprise: Assuming that other log settings are configured correctly, a problem with logging events could indicate a security threat. Tripwire Configuration Assessment verifies that security options are configured to shut down a system if an event cannot be logged to the security log for any reason.
10.10.4 Administrator and Operator Logs
ISO 27001 requirement: System administrator and system operator activities shall be logged.
Tripwire Enterprise: Tripwire Configuration Assessment verifies that application, system and security logs are configured with the necessary storage capacity. For example, the maximum size of the security log should be at least 80 MB to store an adequate amount of log data for auditing purposes.
10.10.6 Clock Synchronisation
ISO 27001 requirement: The clocks of all relevant information processing systems within an organisation or security domain shall be synchronised with an agreed accurate time source.
Tripwire Enterprise: For Windows systems, Tripwire Configuration Assessment determines whether the Windows Time Service is used and whether the system is configured to synchronise with a secure, authorised time source.
A.11 – Access Control
A.11.2 – User Access Management
The objective of this control is to ensure authorised user access and to prevent unauthorised access
to information systems.
11.2.2 Privilege Management
ISO 27001 requirement: The allocation and use of privileges shall be restricted and controlled.
Tripwire Enterprise: Tripwire Configuration Assessment tests numerous privilege-related settings to ensure restrictions are in place and configured correctly. For example, Windows systems should be configured to disallow granting the SeTcbPrivilege right to any user. This right allows a user to access the operating system in the Local System security context, which overrides the permissions granted by user group memberships.
A.11.3 – User Responsibilities
The objective of this control is to prevent unauthorised user access, and compromise or theft of information and information processing facilities.
11.3.1 Password Use
ISO 27001 requirement: Users shall be required to follow good security practices in the selection and use of passwords.
Tripwire Enterprise: Enforcing proper password security standards is critical to securing any system. Tripwire Configuration Assessment verifies that common best practices are being used for password-related properties such as complexity, minimum length and maximum age.
11.3.2 Unattended User Equipment
ISO 27001 requirement: Users shall ensure that unattended equipment has appropriate protection.
Tripwire Enterprise: Tripwire Enterprise verifies that each system is configured to use a password-protected screen saver that activates within the appropriate idle time and offers no grace period before password entry is required.
11.3.3 Clear Desk and Clear Screen Policy
ISO 27001 requirement: A clear desk policy for papers and removable media and a clear screen policy for information processing facilities shall be adopted.
Tripwire Enterprise: Tripwire Configuration Assessment validates that the current user has a password-protected screen saver that is active.
A.11.4 – Network Access Control
The objective of this control is to prevent unauthorised access to networked services.
11.4.1 Policy on Use of Network Services
ISO 27001 requirement: Users shall only be provided with access to the services that they have been specifically authorised to use.
Tripwire Enterprise: Tripwire Enterprise provides a number of configuration assessment tests that help ensure proper access to services is maintained. For example, verifying that a system restricts anonymous access to named pipes and shares to those that are specifically listed in other security options. This configuration helps protect named pipes and shares from unauthorised access.
11.4.2 User Authentication for External Connections
ISO 27001 requirement: Appropriate authentication methods shall be used to control access by remote users.
Tripwire Enterprise: Tripwire Configuration Assessment can help verify that proper authentication methods are in place to control access by remote users. For example, refusing to allow a remote login when a user attempts to use a blank password (even if the blank password is valid for that account).
11.4.3 Equipment Identification in Networks
ISO 27001 requirement: Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment.
Tripwire Enterprise: Tripwire Enterprise verifies that the security options for a Windows 2003 domain controller are configured to allow a domain member to change its computer account password. If the domain controller does not permit a domain member to change its password, the domain member computer is more vulnerable to a password attack.
11.4.4 Remote Diagnostic and Configuration Port Protection
ISO 27001 requirement: Physical and logical access to diagnostic and configuration ports shall be controlled.
Tripwire Enterprise: Tripwire Configuration Assessment tests a number of remote access settings to ensure they meet established guidelines for controlling remote access. For example, verifying that the Remote Desktop Help Session Manager Service is disabled on a Windows system.
11.4.6 Network Connection Control
ISO 27001 requirement: For shared networks, the capability of users to connect to the network shall be restricted, in line with the access control policy.
Tripwire Enterprise: Tripwire Enterprise helps validate that controls are in place to enforce proper network connection restrictions on shared networks. For example, always requiring passwords and appropriate encryption levels when using Terminal Services.
11.4.7 Network Routing Control
ISO 27001 requirement: Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of business applications.
Tripwire Enterprise: Tripwire Configuration Assessment can assist with the ongoing validation of your access control policy by verifying that proper routing controls are in place and configured correctly. For example, on a Windows system with two valid networking devices installed, source-routed traffic that passes through the device can spoof the device into thinking that the traffic came from a safe source.
A.11.5 – Operating System Access Control
The objective of this control is to prevent unauthorised access to operating systems.
11.5.1 Secure Log-on Procedures
ISO 27001 requirement: Access to operating systems shall be controlled by a secure log-on procedure.
Tripwire Enterprise: Tripwire Configuration Assessment can assess important log-on settings to determine whether they support an overall secure log-on procedure. For example, not displaying the last valid user name, and requiring the use of CTRL+ALT+DEL to force the use of the Windows authentication process.
11.5.2 User Identification and Authentication
ISO 27001 requirement: All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.
Tripwire Enterprise: Proper authentication of user IDs is a fundamental component of controlling operating system access. Tripwire Enterprise provides critical tests to assess authentication settings. For example, verifying that the LAN Manager authentication model for a Windows system is configured correctly so that it will only send NTLMv2 authentication and refuse all LM authentication challenges.
11.5.3 Password Management System
ISO 27001 requirement: Systems for managing passwords shall be interactive and ensure quality passwords.
Tripwire Enterprise: Ensuring quality passwords requires proper configuration of password-related settings. Tripwire Enterprise can assess these settings and provide assurance that all passwords being used meet minimum quality requirements. For example, enforcing the use of strong passwords and restricting password reuse/history.
11.5.4 Use of System Utilities
ISO 27001 requirement: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Tripwire Enterprise: Tripwire Configuration Assessment can help maintain a strict policy on the use of utility programs. For example, verifying that the FTP Publishing Service and TFTP Daemon Service are both disabled, or that the SeDebugPrivilege right is not assigned to any users on a Windows system. This right gives users the ability to debug any process on the system and is susceptible to exploits that collect account names, passwords, and other sensitive data from the Local Security Authority (LSA).
11.5.5 Session Time-Out
ISO 27001 requirement: Inactive sessions shall shut down after a defined period of inactivity.
Tripwire Enterprise: Tripwire Enterprise will verify that an appropriate idle session time-out is established. In the case of Windows systems that communicate using the Server Message Block (SMB) protocol, Tripwire Configuration Assessment will test that the idle session time-out threshold is set to 15 minutes or less.
11.5.6 Limitation of Connection Time
ISO 27001 requirement: Restrictions on connection times shall be used to provide additional security for high-risk applications.
Tripwire Enterprise: There are a number of ways to restrict connection times as part of enhanced security for high-risk applications. Tripwire Enterprise can determine if best practices are being used, such as setting appropriate time limits for Terminal Services sessions and using Group Policy to restrict connections to designated hours of the day.
A.11.6 – Application and Information Access Control
The objective of this control is to prevent unauthorised access to information held in application systems.
11.6.1 Information Access Restriction
ISO 27001 requirement: Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.
Tripwire Enterprise: Tripwire Configuration Assessment provides out-of-the-box tests that help establish an acceptable information access control policy. For example, ensuring that critical file and registry permissions have been set properly to restrict access.
A.11.7 – Mobile Computing and Teleworking
The objective of this control is to ensure information security when using mobile computing and telecommuting facilities.
11.7.1 Mobile Computing and Communications
ISO 27001 requirement: A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communications facilities.
Tripwire Enterprise: Mobile computing and related communications pose unique risks that necessitate additional security measures. Tripwire Configuration Assessment can help mitigate these risks by determining if established best practices are in use. For example, verifying that Windows systems are configured to negotiate signed communications with any Server Message Block (SMB) server. By supporting mutual authentication and protection against packet tampering, signed communication helps to protect against man-in-the-middle attacks.
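The assess-report-remediate-monitor cycle described in this paper, applied to several of the Windows settings named in the A.10 and A.11 tables above (LAN Manager authentication level, shutdown on audit failure, security log size, SMB idle time-out, SMB signing, source routing, screen saver grace period, last user name display). This is an added example, not Tripwire code: the registry paths are the standard locations for these policies, the ISO subsection labels come from the tables, and OBSERVED is a constructed stand-in for values a collector would read from a host.

```python
"""Configuration assessment over Windows settings named in the A.10 and A.11
tables of this paper: compare to expected values, report remediation for
failures, then watch for drift from the known-good state. Added example, not
Tripwire code; OBSERVED is constructed input standing in for winreg reads."""
from dataclasses import dataclass
from typing import Any, Callable

LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLSYS = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


@dataclass(frozen=True)
class PolicyTest:
    control: str                   # ISO 27001 subsection from the paper's tables
    name: str
    value: str                     # registry path of the assessed value
    passes: Callable[[Any], bool]  # predicate over the normalised observed value
    remediation: str               # guidance reported when the test fails


def equals(x): return lambda v: v == x
def between(lo, hi): return lambda v: lo <= v <= hi


POLICY = [
    PolicyTest("11.5.2", "Send NTLMv2 only, refuse LM and NTLM",
               LSA + r"\LmCompatibilityLevel", equals(5),
               "Set LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'."),
    PolicyTest("10.10.3", "Shut down if security audits cannot be logged",
               LSA + r"\CrashOnAuditFail", equals(1),
               "Enable 'Audit: Shut down system immediately if unable to log security audits'."),
    PolicyTest("10.10.4", "Security log maximum size at least 80 MB",
               SVC + r"\Eventlog\Security\MaxSize", between(80 * 1024 * 1024, 2**32 - 1),
               "Raise the security log maximum size to 80 MB or more."),
    PolicyTest("11.5.5", "SMB idle session disconnect within 15 minutes",
               SVC + r"\LanmanServer\Parameters\AutoDisconnect", between(1, 15),
               "Set the idle time before suspending a session to 15 minutes or less."),
    PolicyTest("11.7.1", "Client requires signed SMB communication",
               SVC + r"\LanmanWorkstation\Parameters\RequireSecuritySignature", equals(1),
               "Enable 'Microsoft network client: Digitally sign communications (always)'."),
    PolicyTest("11.4.7", "IP source routing disabled",
               SVC + r"\Tcpip\Parameters\DisableIPSourceRouting", equals(2),
               "Set DisableIPSourceRouting to 2 so source-routed packets are dropped."),
    PolicyTest("11.3.2", "No screen saver grace period before password",
               WINLOGON + r"\ScreenSaverGracePeriod", equals(0),
               "Set ScreenSaverGracePeriod to 0."),
    PolicyTest("11.5.1", "Last user name not displayed at logon",
               POLSYS + r"\DontDisplayLastUserName", equals(1),
               "Enable 'Interactive logon: Do not display last user name'."),
]


@dataclass(frozen=True)
class Finding:
    control: str
    name: str
    observed: Any
    compliant: bool
    remediation: str


def normalise(v: Any) -> Any:
    """REG_SZ values such as ScreenSaverGracePeriod carry digits as text."""
    return int(v) if isinstance(v, str) and v.strip().isdigit() else v


def assess(observed: dict[str, Any], policy=POLICY) -> list[Finding]:
    """Evaluate every test; an absent or malformed value never passes."""
    out = []
    for t in policy:
        v = normalise(observed.get(t.value))
        try:
            ok = v is not None and bool(t.passes(v))
        except TypeError:  # non-numeric text where a number is expected
            ok = False
        out.append(Finding(t.control, t.name, v, ok, "" if ok else t.remediation))
    return out


def drift(baseline: dict[str, Any], current: dict[str, Any]) -> dict[str, tuple]:
    """Change-audit pass: monitored values that differ from the known-good state."""
    return {k: (baseline.get(k), current.get(k))
            for k in sorted(set(baseline) | set(current))
            if baseline.get(k) != current.get(k)}


# Constructed sample host: three settings compliant, five not (one value absent).
OBSERVED = {
    LSA + r"\LmCompatibilityLevel": 2,
    LSA + r"\CrashOnAuditFail": 0,
    SVC + r"\Eventlog\Security\MaxSize": 80 * 1024 * 1024,
    SVC + r"\LanmanServer\Parameters\AutoDisconnect": 15,
    SVC + r"\LanmanWorkstation\Parameters\RequireSecuritySignature": 0,
    WINLOGON + r"\ScreenSaverGracePeriod": "5",
    POLSYS + r"\DontDisplayLastUserName": 1,
}

if __name__ == "__main__":
    for f in assess(OBSERVED):
        tag = "PASS" if f.compliant else "FAIL"
        print(f"{tag} {f.control:7} {f.name}: observed={f.observed!r}"
              + (f"  -> {f.remediation}" if f.remediation else ""))
```

Run the same `assess` on each collection interval and feed the previous compliant snapshot to `drift` to get the continuous-monitoring half of the cycle.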
A.12 – Information Systems Acquisition, Development and Maintenance
A.12.2 – Correct Processing in Applications
The objective of this control is to prevent errors, loss, unauthorised modification or misuse of information in applications.
12.2.2 Control of Internal Processing
ISO 27001 requirement: Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
Tripwire Enterprise: By monitoring changes that occur within applications, Tripwire Enterprise can detect any changes to critical files and identify who may have introduced errors that caused file corruption.
A.12.4 – Security of System Files
The objective of this control is to ensure the security of system files.
12.4.1 Control of Operational Software
ISO 27001 requirement: There shall be procedures in place to control the installation of software on operational systems.
Tripwire Enterprise: Tripwire Enterprise can detect changes to the operating system, including new software installations, when the software was installed, and who performed the installation. Tripwire Enterprise can also be integrated with change ticketing systems that authorise these installations, showing that authorisation status.
A.12.5 – Security in Development and Support Process
The objective of this control is to maintain the security of application system software and information.
12.5.1 Change Control Procedures
ISO 27001 requirement: The implementation of changes shall be controlled by the use of formal change control procedures.
Tripwire Enterprise: Tripwire Enterprise is the industry leader in change audit and detection and should be an integral part of any formal change control procedure. Tripwire Enterprise is also integrated with major change ticketing systems to help control formal change processes.
12.5.2 Technical Review of Applications after Operating System Changes
ISO 27001 requirement: When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organisational operations or security.
Tripwire Enterprise: Tripwire Enterprise provides several reports on changes to systems, as well as links within these reports that show the specific systems that changed and who made the changes. These reports provide a documented audit trail that can be reviewed and approved to prevent potential problems.
12.5.3 Restrictions on Changes to Software Packages
ISO 27001 requirement: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
Tripwire Enterprise: Tripwire Enterprise monitors all changes that happen on defined systems, providing information on whether files have been modified, added or deleted. Having Tripwire Enterprise ensures change is monitored and controlled.
A.13 – Information Security Incident Management
A.13.2 – Management of Information Security Incidents and Improvements
The objective of this control is to ensure a consistent and effective approach is applied to the management of information security incidents.
13.2.3 Collection of Evidence
ISO 27001 requirement: Where a follow-up action against a person or organisation after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).
Tripwire Enterprise: As part of the audit trail and reporting capabilities within Tripwire Enterprise, changes made to systems that could introduce potential vulnerabilities or security incidents can be documented, providing information as to the person(s) responsible for any breaches in security.
A.15 – Compliance
A.15.2 – Compliance with Security Policies and Standards, and Technical Compliance
The objective of this control is to ensure compliance of systems with organisational security policies and standards.
15.2.2 Technical Compliance Checking
ISO 27001 requirement: Information systems shall be regularly checked for compliance with security implementation standards.
Tripwire Enterprise: Tripwire Configuration Assessment validates that each Windows 2003 Server has the latest service pack installed.
A.15.3 – Information Systems Audit Considerations
The objective of this control is to maximise the effectiveness of, and to minimise interference to/from, the information systems audit process.
15.3.1 Information Systems Audit Controls
ISO 27001 requirement: Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimise the risk of disruptions to business processes.
Tripwire Enterprise: Tripwire Enterprise provides documented audit proof of system compliance, as well as of changes that happen to IT systems. By incorporating Tripwire Enterprise in the change management process, changes are monitored and documented, and if changes disrupt a business process they can be immediately reconciled and remediated.
15.3.2 Protection of Information Systems Audit Tools
ISO 27001 requirement: Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.
Tripwire Enterprise: By using Roles and User Groups in Tripwire Enterprise, access to privileged information and to software such as Tripwire Enterprise itself can be controlled and limited to users who have the proper permissions. Tripwire Enterprise requires installation by a user with administrative privileges. Users of Tripwire Enterprise can then be set up with full access, read-only access, or several variations in between.
Sample Policy Test and Change Audit Screenshots
Screenshot: assessments that address the Access Control control of ISO 27001, specifically section A.11.6, Operating System Access Control. These controls deal with permissions and authentication processes within the operating system.
Screenshot: default role types in Tripwire Enterprise, with the different access rights and permissions described for each role. New roles can be created and permissions set up accordingly.
Screenshot: assessments that address the Compliance control, specifically section A.15.2.2, Technical Compliance Checking. This is a check that the appropriate packages are installed for that system.
Screenshot: assessments that address the Communications and Operations Management control, specifically section A.10.6.2, Security of Network Services. This section checks that services that do not need to be enabled are specifically disabled.
Change Process Compliance
Date: 3/27/08 1:21 PM
Change window: Not applied
Use strict package match: No
Element Exists: Not applied
Nodes: All
Node name: Not applied
Node Properties: Not applied
Rules: All
Rule name: Not applied
Element name: Not applied
Element Properties: Not applied
Version Properties: Not applied
Change types: Added, Modified, Removed
Severity range: 1 - 10000
Current versions only: No
Frequency: Monthly, No earlier than 4/1/07 12:00 AM, 7 intervals
Packages: Not applied
Details
Interval Authorized Unauthorized Total
Apr 2007 5,561 1,260 6,821
May 2007 6,845 1,508 8,353
Jun 2007 7,356 797 8,153
Jul 2007 8,342 807 9,149
Aug 2007 3,071 76 3,147
Tripwire Enterprise Change Process Compliance report, highlighting authorized vs. unauthorized changes to a system.
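How the Authorized / Unauthorized / Total rows of a report like the one above can be derived: each detected change is reconciled against the change tickets an organisation's ticketing system holds (the paper's 12.4.1 and 12.5.1 rows describe this integration), and a change counts as authorized only when its approval ID names a ticket for the same node whose window covers the change time. This is an added example, not Tripwire code; the tickets, node names, user names, ticket IDs and timestamps are constructed, with the first record modelled on the WZ.PIF entry in the Detailed Changes report that follows.

```python
"""Change-process compliance: reconcile detected changes against change tickets
and produce monthly Authorized / Unauthorized / Total counts like the report in
this paper. Added example, not Tripwire code. All tickets, change records,
nodes, users and IDs below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    node: str            # system the ticket authorises work on
    start: datetime      # approved change window
    end: datetime


@dataclass(frozen=True)
class Change:
    node: str
    element: str
    change_type: str     # Added, Modified, Removed
    when: datetime
    user: str
    approval_id: Optional[str]   # ticket ID attached to the change, if any
    severity: int


def is_authorized(change: Change, tickets: dict[str, Ticket]) -> bool:
    """Authorised only if the approval ID names a real ticket for the same node
    and the change happened inside that ticket's window."""
    if not change.approval_id:
        return False
    t = tickets.get(change.approval_id)
    return t is not None and t.node == change.node and t.start <= change.when <= t.end


def change_process_compliance(changes, tickets):
    """(year, month) -> (authorized, unauthorized, total), oldest month first."""
    counts = defaultdict(lambda: [0, 0])
    for c in changes:
        counts[(c.when.year, c.when.month)][0 if is_authorized(c, tickets) else 1] += 1
    return {k: (a, u, a + u) for k, (a, u) in sorted(counts.items())}


def unauthorized_changes(changes, tickets, min_severity: int = 0):
    """Rows an investigator wants first: unapproved changes at or above a severity."""
    return [c for c in changes
            if not is_authorized(c, tickets) and c.severity >= min_severity]


def _dt(s):  # constructed timestamps in the report's "M/D/YY H:MM" style
    return datetime.strptime(s, "%m/%d/%y %H:%M")


TICKETS = {
    "CHG-0999": Ticket("CHG-0999", "web01.example.test", _dt("7/20/07 0:00"), _dt("7/20/07 23:59")),
    "CHG-1001": Ticket("CHG-1001", "backend.example.test", _dt("8/1/07 0:00"), _dt("8/3/07 23:59")),
}

CHANGES = [
    Change("backend.example.test", r"C:\Program Files\WinZip\WZ.PIF", "Added",
           _dt("8/2/07 2:42"), r"EXAMPLE\gmillard", None, 140),           # no approval ID
    Change("backend.example.test", r"C:\Windows\System32\drivers\etc\hosts", "Modified",
           _dt("8/2/07 9:00"), r"EXAMPLE\ops", "CHG-1001", 1000),         # inside window
    Change("backend.example.test", r"C:\inetpub\wwwroot\web.config", "Modified",
           _dt("8/10/07 14:05"), r"EXAMPLE\ops", "CHG-1001", 1000),       # after window
    Change("web01.example.test", r"C:\inetpub\wwwroot\index.html", "Removed",
           _dt("7/15/07 11:30"), r"EXAMPLE\webadmin", "CHG-1001", 1000),  # wrong node
    Change("web01.example.test", r"C:\inetpub\wwwroot\robots.txt", "Added",
           _dt("7/20/07 10:00"), r"EXAMPLE\webadmin", "CHG-0999", 140),   # authorised
]

if __name__ == "__main__":
    for (y, m), (a, u, tot) in change_process_compliance(CHANGES, TICKETS).items():
        print(f"{y}-{m:02d}  authorized={a}  unauthorized={u}  total={tot}")
    for c in unauthorized_changes(CHANGES, TICKETS, min_severity=1000):
        print("REVIEW:", c.node, c.change_type, c.element, c.user, c.approval_id)
```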
Detailed Changes
Date: 3/27/08 1:39 PM
Approval ID: Not Exists
Change window: Not applied
Attribute display: Changed attributes
Compare type: Version with previous version
Display content differences: Yes
Display version context: Yes
Display users: Yes
Display packages: No
Use strict package match: No
Element Exists: Not applied
Nodes: All
Node name: Not applied
Node Properties: Not applied
Rules: All
Rule name: Not applied
Element name: Not applied
Element Properties: Not applied
Version Properties: Not applied
Version Attributes: Not applied
Version Content: Not applied
Change types: Added, Modified, Removed
Severity range: 1 - 10000
Current versions only: No
Time range: 4/1/07 12:00 AM up to 10/31/07 11:59 PM
Packages: Not applied
Nodes sort: Name, ascending
Rules sort: Name, ascending
Elements sort: Name, ascending
Versions sort: Date, descending
Node: backend.collab.tripwire.com (Windows Server)
Rule: Program Files (Windows File System Rule)
Element: C:\Program Files\WinZip\WZ.PIF
Version: 8/2/07 2:42 AM
Node: backend.collab.tripwire.com
Rule: Program Files
Element: C:\Program Files\WinZip\WZ.PIF
Change Type: Added
Severity: Windows Low (140)
Approval ID:
Users: PDXSE\gmillard
Attribute: DACL, Type: [+], Expected: (none), Observed:
Inherits Entries: true
NT AUTHORITY\Authenticated Users, Access Allowed Type: Standard rights: Read Control,Synchronize Specific rights: 00a9 Header flags: Inherited ACE
BUILTIN\Server Operators, Access Allowed Type: Standard rights: Delete,Read Control,Synchronize Specific rights: 01bf Header flags: Inherited ACE
BUILTIN\Administrators, Access Allowed
Tripwire Enterprise Detailed Changes report showing detailed information on what changes were made, when they occurred and who made the changes.
Nodes With Changes
Date: 6/24/08 1:18 PM
Approval ID: Not applied
Change window: Not applied
Use strict package match: No
Element Exists: Not applied
Nodes: All
Node name: Not applied
Node Properties: Not applied
Rules: All
Rule name: Not applied
Element name: Not applied
Element Properties: Not applied
Version Properties: Not applied
Change types: Added, Modified, Removed
Severity range: 1 - 10000
Current versions only: Yes
Time range: All time
Packages: Not applied
Details table sort: Name, ascending
Details
Name Type Last Change Time
TRIPWIRE-SZYIXW: Microsoft SQL Server 5/14/08 7:31 AM
amur.pdxse.tripwire.com Active Directory Server 5/16/08 10:21 AM
cisco.ios.router Cisco IOS 5/13/08 11:39 AM
cisco.pix.firewall Cisco PIX 5/13/08 11:34 AM
The Nodes With Changes report shows which systems had changes, when they occurred and other details.
www.tripwire.com
US TOLL FREE: 1.800.TRIPWIRE MAIN: 503.276.7500 FAX: 503.223.0182
326 SW Broadway, 3rd Floor Portland, OR 97205 USA
WP2711
About Tripwire
Tripwire helps over 6,000 enterprises worldwide reduce security risk, attain compliance and increase operational efficiency throughout their virtual and physical environments. Using Tripwire’s industry-leading configuration assessment and change auditing solutions, organizations successfully achieve and maintain IT configuration control. Tripwire is headquartered in Portland, Oregon, with offices worldwide.
[1] http://www.27000.org/iso-27001.htm
[2] http://www.rsaconference.com/Security_Topics/Professional_Development/Blog_Jeff_Bardin_Conspiracy_to_Commit_Security.aspx?blogId=8527