
ISO 27001

Use the JSA ISO 27001 Content Extension to ensure ISO/IEC 27001:2013 compliance.

JSA ISO 27001 Content Extension V1.1.3

The following table shows the new or changed custom properties in JSA ISO 27001 Content Extension V1.1.3.

Table 1: New or Changed Custom Properties in JSA ISO 27001 Content Extension V1.1.3

  • AccountName (optimized: Yes; capture group: 1)
    Regex: Target Account Name: (.*?)

  • CRE Name (optimized: Yes; capture group: 1)
    Regex: (.+?)\t(.+)

  • ObjectName (optimized: Yes; capture group: 1)
    Regex: Object Name[:\s\\=]+(.*?)\s+(?:Handle ID|&&)

The following regex values were removed:

  • New Process Name: (.*?)

  • Object Name: (.*?)
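As an added illustration (not code from the Juniper documentation or from the content extension itself), the Python below applies the Table 1 ObjectName and CRE Name regexes, and the removed Object Name pattern, to constructed sample payloads, taking capture group 1 the way a JSA custom event property does. It assumes JSA's regex engine shares the leftmost-match, lazy-quantifier semantics of Python's re module. It shows why a lazy group with nothing after it captures an empty string, which an explicit terminator such as Handle ID or && avoids, and, on a constructed input whose object name starts with a backslash, that the separator class [:\s\\=]+ also consumes that first backslash.

```python
import re

# Constructed sample payloads (not real log data). The first two mimic
# Windows Security Event Log object-access events in the two layouts the
# V1.1.3 ObjectName regex terminates on ("Handle ID" and "&&").
OBJECT_EVENT_HANDLE = (
    "An attempt was made to access an object. Subject: Account Name: jdoe "
    "Object Server: Security Object Type: File "
    "Object Name: C:\\HR\\payroll.xlsx  Handle ID: 0x1a4 Accesses: ReadData"
)
OBJECT_EVENT_AMP = (
    "Object Type: File && Object Name: C:\\src\\build.ps1 && Accesses: WriteData"
)
# Constructed edge case: the object name itself begins with a backslash.
OBJECT_EVENT_DEVICE_PATH = (
    "Object Name=\\Device\\HarddiskVolume2\\Windows\\System32\\drivers\\etc\\hosts "
    "&& Accesses: ReadData"
)
# Constructed custom-rule-engine payload: rule name, a tab, then free text.
CRE_EVENT = "ISO 27001 - Data Access\tOffense created for user jdoe"

# Regexes as listed in Table 1 (V1.1.3) and the Object Name regex removed there.
OBJECT_NAME_V113 = r"Object Name[:\s\\=]+(.*?)\s+(?:Handle ID|&&)"
OBJECT_NAME_REMOVED = r"Object Name: (.*?)"
CRE_NAME = r"(.+?)\t(.+)"


def extract(regex, payload, group=1):
    """Return the given capture group of the first match, or None when the
    regex does not match at all. Assumption: a JSA capture-group custom
    property behaves like re.search plus m.group(n)."""
    m = re.search(regex, payload)
    return m.group(group) if m else None


def check_property(regex, payloads):
    """Run a candidate property regex over sample payloads and return the
    (payload, capture) pairs whose capture is missing or empty. An empty
    result means the regex yields a usable value on every sample."""
    problems = []
    for p in payloads:
        value = extract(regex, p)
        if not value:
            problems.append((p, value))
    return problems


def main():
    samples = [OBJECT_EVENT_HANDLE, OBJECT_EVENT_AMP]
    print("V1.1.3 ObjectName:", [extract(OBJECT_NAME_V113, p) for p in samples])
    # The removed pattern ends in a lazy group: it matches, but captures "".
    print("removed ObjectName:", [extract(OBJECT_NAME_REMOVED, p) for p in samples])
    print("flagged by check_property:", len(check_property(OBJECT_NAME_REMOVED, samples)))
    # The separator class eats the leading backslash of a \Device\... name.
    print("leading-backslash name:", extract(OBJECT_NAME_V113, OBJECT_EVENT_DEVICE_PATH))
    print("CRE name:", extract(CRE_NAME, CRE_EVENT), "/ rest:", extract(CRE_NAME, CRE_EVENT, 2))


if __name__ == "__main__":
    main()
```

Running check_property over a handful of representative payloads before saving a custom property is a cheap way to catch a pattern that matches but captures nothing, which otherwise shows up only as blank values in searches and reports.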

The following table shows the changed saved searches in JSA ISO 27001 Content Extension V1.1.3. The searches were made shareable by setting the shared value to TRUE.

Table 2: Changed Saved Searches in JSA ISO 27001 Content Extension V1.1.3

  • Admin Login Failure By IP
  • Compliance: Source IPs Involved in Compliance Rules
  • Compliance: Username Involved in Compliance Rules
  • Daily Policy Violation Summary
  • Database User Addition or Change
  • Groups Changed from Remote Hosts
  • ISO 27001 - Human Resources Data Access
  • ISO 27001 - Application Access Control
  • ISO 27001 - Application Installation / Uninstallation Events
  • ISO 27001 - Control of Operational Software
  • ISO 27001 - Covert Channels and Trojans
  • ISO 27001 - Data Access
  • ISO 27001 - Exceptions And Failures By External Contractors
  • ISO 27001 - Exceptions And Failures By Mobile Workers
  • ISO 27001 - Exceptions And Failures By Teleworkers
  • ISO 27001 - Exceptions And Failures For Mail Servers
  • ISO 27001 - Information Systems Audit Tools Access
  • ISO 27001 - Network Management
  • ISO 27001 - Operational Change Control
  • ISO 27001 - Operator Log
  • ISO 27001 - Review Of Access Rights
  • ISO 27001 - Source Code Access
  • ISO 27001 - User Identification and Authentication
  • ISO 27001 - User Responsibilities and Password Use
  • Log Failures to Expired or Disabled Accounts
  • Login Failures by User
  • Offenses by Destination IP
  • Offenses by Rule Name
  • Offenses by Source IP
  • Offenses by User
  • Remote Access Failures (VPN and Others)
  • User Account Added By User
  • User Account Modified By User
  • User Account Removed By User

The following table shows the changed rules in JSA ISO 27001 Content Extension V1.1.3.

Table 3: Changed Rules in ISO 27001 Content Extension V1.1.3

Name | Description
Multiple Database failures Followed by Success | Responds when there are multiple database failures followed by a success within a short time period. This rule was renamed from the previous version.

JSA ISO 27001 Content Extension V1.1.2

The following table shows the custom properties in JSA ISO 27001 Content Extension V1.1.2.

Table 4: New Custom Properties in JSA ISO 27001 Content Extension V1.1.2

  • SSH Login Audit (optimized: Yes; capture group: 1)
    Regex: \[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .*

  • Log Source Host (optimized: Yes; capture group: 1)
    Regex: \s+hostName=(\S+)

  • Audit Object ID (optimized: Yes; capture group: 1)
    Regex: \s+id=(\S+)

The following table shows the saved searches in JSA ISO 27001 Content Extension V1.1.2.

Table 5: Saved Searches in JSA ISO 27001 Content Extension V1.1.2

Name | Description
Compliance: Username Involved in Compliance Rules | This search shows the username involved in compliance rules.
Compliance: Source IPs Involved in Compliance Rules | This search shows the source IP addresses involved in compliance rules.

JSA ISO 27001 Content Extension V1.1.1

The following table shows the building blocks in JSA ISO 27001 Content Extension V1.1.1.

Table 6: Building Blocks in JSA ISO 27001 Content Extension V1.1.1

Name | Description
BB:DeviceDefinition: Definition | Updated building block with database devices.
BB:Audit Tools Access | Added the log source type definition for Windows and Universal DSM.
BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs:

  • 5001948: Failure Audit: An account failed to log on: Account Disabled
  • 5001959: An account failed to log on: Account Disabled
  • 5001954: Failure Audit: An account failed to log on: User Locked Out
  • 5001965: An account failed to log on: User Locked Out
  • 5001949: Failure Audit: An account failed to log on: Account Expired
  • 5001960: An account failed to log on: Account Expired
  • 5001951: Failure Audit: An account failed to log on: Logon Outside Normal Time
  • 5001962: An account failed to log on: Logon Outside Normal Time

The following table shows the updated custom property in JSA ISO 27001 Content Extension V1.1.1.

Table 7: Custom Property in JSA ISO 27001 Content Extension V1.1.1

  • ObjectName (optimized: Yes; capture group: 1)
    Update notes: Removed extra spaces on Object name regex.
    Regex: New Process Name: (.*?)
    Regex: Object Name: (.*?)

JSA ISO 27001 Content Extension V1.1.0

The following table shows the new and updated saved searches in JSA ISO 27001 Content Extension V1.1.0.

Table 8: New and Updated Saved Searches in JSA ISO 27001 Content Extension V1.1.1

Name | Description
ISO 27001 - Covert Channels and Trojans | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Exceptions And Failures For Mail Servers | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Exceptions And Failures By Mobile Workers | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Exceptions And Failures By External Contractors | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Application Access Control | New search for ISO/IEC 27001:2013 standards
ISO 27001 - User Responsibilities and Password Use | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Human Resources Data Access | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Information Systems Audit Tools Access | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Network Management | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Control of Operational Software | New search for ISO/IEC 27001:2013 standards
ISO 27001 - User Identification and Authentication | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Data Access | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Exceptions And Failures By Teleworkers | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Source Code Access | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Operator Log | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Operational Change Control | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Review Of Access Rights | New search for ISO/IEC 27001:2013 standards
ISO 27001 - Application Installation / Uninstallation Events | New search for ISO/IEC 27001:2013 standards
Remote Access Failures (VPN and Others) | Existing search updated for new BBs, rules, custom properties.
Offenses by User | Existing search updated for new BBs, rules, custom properties.
Daily Policy Violation Summary | Existing search updated for new BBs, rules, custom properties.
Groups Changed from Remote Hosts | Existing search updated for new BBs, rules, custom properties.
Offenses by Rule Name | Existing search updated for new BBs, rules, custom properties.
Login Failures by User | Existing search updated for new BBs, rules, custom properties.
Offenses by Destination IP | Existing search updated for new BBs, rules, custom properties.
Log Failures to Expired or Disabled Accounts | Existing search updated for new BBs, rules, custom properties.
User Account Added By User | Existing search updated for new BBs, rules, custom properties.
Database User Addition or Change | Existing search updated for new BBs, rules, custom properties.
User Account Removed By User | Existing search updated for new BBs, rules, custom properties.
User Account Modified By User | Existing search updated for new BBs, rules, custom properties.
Offenses by Source IP | Existing search updated for new BBs, rules, custom properties.
Admin Login Failure By IP | Existing search updated for new BBs, rules, custom properties.
Compliance: Source IPs Involved in Compliance Rules | Existing search updated for new BBs, rules, custom properties.
Compliance: Username Involved in Compliance Rules | Existing search updated for new BBs, rules, custom properties.

The following table shows the rules and building blocks that are updated in JSA ISO 27001 Content Extension V1.1.0.

Table 9: Rules and Building Blocks in JSA ISO 27001 Content Extension V1.1.0

Type | Name | Description
Rule | Load ISO 27001:2013 Building Blocks | New enabled rule added in the ISO 27001:2013 content extension.
Rule | System: Application Installation / Uninstallation Events | New enabled rule added in the ISO 27001:2013 content extension.
Building Block | BB:Application Access Control | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Application Access Control.
Building Block | BB:Audit Tools Access | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Audit Tools Access.
Building Block | BB:CategoryDefinition: Exploits Backdoors and Trojans | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:CategoryDefinition: Exploits Backdoors and Trojans.
Building Block | BB:Data Access | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Data Access.
Building Block | BB:External Contractor Failed Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:External Contractor Failed Events.
Building Block | BB:External Contractor Policy Violation Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:External Contractor Policy Violation Events.
Building Block | BB:Failed Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Failed Events.
Building Block | BB:HR Data | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:HR Data.
Building Block | BB:IT Admin Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:IT Admin Events.
Building Block | BB:Mobile Worker Failed Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Mobile Worker Failed Events.
Building Block | BB:Mobile Worker Policy Violation Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Mobile Worker Policy Violation Events.
Building Block | BB:NetworkServices | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:NetworkServices.
Building Block | BB:Operational Change Control | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Operational Change Control.
Building Block | BB:Policy Violation Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Policy Violation Events.
Building Block | BB:Review Of Access Rights | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Review Of Access Rights.
Building Block | BB:Source Code Access | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Source Code Access.
Building Block | BB:System Update Failed Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:System Update Failed Events.
Building Block | BB:System Update Policy Violation Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:System Update Policy Violation Events.
Building Block | BB:Teleworker Failed Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Teleworker Failed Events.
Building Block | BB:Teleworker Policy Violation Events | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:Teleworker Policy Violation Events.
Building Block | BB:User Identification and Authentication | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:User Identification and Authentication.
Building Block | BB:User Responsibilities and Password Use | Apply Load ISO 27001:2013 Building Blocks on events that are detected by the Local system and when an event matches any of the following BB:User Responsibilities and Password Use.

The following table shows the custom properties that are updated in JSA ISO 27001 Content Extension V1.1.0.

Table 10: Custom Properties in JSA ISO 27001 Content Extension V1.1.0

Custom Property | Change description
AccountName | Updated four Windows Security Event Log properties for Account Name, Target Account Name, and two alternative Account Name variations.
ObjectName | Updated one ObjectName property for the Universal DSM log source. Updated three ObjectName variations for the Microsoft Windows Security Event Log DSM.
CRE Name | No change, but required in the content extension.

The following table shows the reports that are updated in JSA ISO 27001 Content Extension V1.1.0.

Table 11: Reports in JSA ISO 27001 Content Extension V1.1.0

Report | Change description
ISO 27001:2013 (6.2.1) Mobile worker (Daily) | Updated chapter 6 references for ISO 27001:2013 standards
ISO 27001:2013 (6.2.1) Mobile worker (Monthly) | Updated chapter 6 references for ISO 27001:2013 standards
ISO 27001:2013 (6.2.1) Mobile worker (Weekly) | Updated chapter 6 references for ISO 27001:2013 standards
ISO 27001:2013 (6.2.2) Teleworker (Daily) | Updated chapter 6 references for ISO 27001:2013 standards
ISO 27001:2013 (6.2.2) Teleworker (Monthly) | Updated chapter 6 references for ISO 27001:2013 standards
ISO 27001:2013 (6.2.2) Teleworker (Weekly) | Updated chapter 6 references for ISO 27001:2013 standards
ISO 27001:2013 (9.2.2) User identification and authentication (Daily) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.2.2) User identification and authentication (Monthly) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.2.2) User identification and authentication (Weekly) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.2.5) Review of user access rights (Daily) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.2.5) Review of user access rights (Monthly) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.2.5) Review of user access rights (Weekly) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.3.1) User responsibilities and password use (Daily) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.3.1) User responsibilities and password use (Monthly) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.3.1) User responsibilities and password use (Weekly) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.4) Application access control (Daily) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.4) Application access control (Monthly) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.4) Application access control (Weekly) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.4.5) Source code access (Daily) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.4.5) Source code access (Monthly) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (9.4.5) Source code access (Weekly) | Updated chapter 9 references for ISO 27001:2013 standards
ISO 27001:2013 (12.1) Covert channels and trojan code (Daily) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.1) Covert channels and trojan code (Monthly) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.1) Covert channels and trojan code (Weekly) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.1.2) Operational change control (Daily) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.1.2) Operational change control (Monthly) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.1.2) Operational change control (Weekly) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.4.3) Operator log (Daily) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.4.3) Operator log (Monthly) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.4.3) Operator log (Weekly) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.6.2) Application Installation / Uninstallation Events (Daily) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.6.2) Application Installation / Uninstallation Events (Monthly) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.6.2) Application Installation / Uninstallation Events (Weekly) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.7.1) Information systems audit tools access (Daily) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.7.1) Information systems audit tools access (Monthly) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (12.7.1) Information systems audit tools access (Weekly) | Updated chapter 12 references for ISO 27001:2013 standards
ISO 27001:2013 (13.1) Network management (Daily) | Updated chapter 13 references for ISO 27001:2013 standards
ISO 27001:2013 (13.1) Network management (Monthly) | Updated chapter 13 references for ISO 27001:2013 standards
ISO 27001:2013 (13.1) Network management (Weekly) | Updated chapter 13 references for ISO 27001:2013 standards
ISO 27001:2013 (13.2.3) Mail server (Daily) | Updated chapter 13 references for ISO 27001:2013 standards
ISO 27001:2013 (13.2.3) Mail server (Monthly) | Updated chapter 13 references for ISO 27001:2013 standards
ISO 27001:2013 (13.2.3) Mail server (Weekly) | Updated chapter 13 references for ISO 27001:2013 standards
ISO 27001:2013 (15.2.1) Control of operational software (Daily) | Updated chapter 15 references for ISO 27001:2013 standards
ISO 27001:2013 (15.2.1) Control of operational software (Monthly) | Updated chapter 15 references for ISO 27001:2013 standards
ISO 27001:2013 (15.2.1) Control of operational software (Weekly) | Updated chapter 15 references for ISO 27001:2013 standards
ISO 27001:2013 (15.2.1) Exceptions and Failures by External contractors (Daily) | Updated chapter 15 references for ISO 27001:2013 standards
ISO 27001:2013 (15.2.1) Exceptions and Failures by External contractors (Monthly) | Updated chapter 15 references for ISO 27001:2013 standards
ISO 27001:2013 (15.2.1) Exceptions and Failures by External contractors (Weekly) | Updated chapter 15 references for ISO 27001:2013 standards
ISO 27001:2013 (16.1) Incident tracking (Daily) | Updated chapter 16 references for ISO 27001:2013 standards
ISO 27001:2013 (16.1) Incident tracking (Monthly) | Updated chapter 16 references for ISO 27001:2013 standards
ISO 27001:2013 (16.1) Incident tracking (Weekly) | Updated chapter 16 references for ISO 27001:2013 standards
ISO 27001:2013 (18.1.3) Human Resource data access (Daily) | Updated chapter 18 references for ISO 27001:2013 standards
ISO 27001:2013 (18.1.3) Human Resource data access (Monthly) | Updated chapter 18 references for ISO 27001:2013 standards
ISO 27001:2013 (18.1.3) Human Resource data access (Weekly) | Updated chapter 18 references for ISO 27001:2013 standards
ISO 27001:2013 (18.1.4) Data Access (Daily) | Updated chapter 18 references for ISO 27001:2013 standards
ISO 27001:2013 (18.1.4) Data Access (Monthly) | Updated chapter 18 references for ISO 27001:2013 standards
ISO 27001:2013 (18.1.4) Data Access (Weekly) | Updated chapter 18 references for ISO 27001:2013 standards

The following table shows the groups that are updated in JSA ISO 27001 Content Extension V1.1.0.

Table 12: Groups in JSA ISO 27001 Content Extension V1.1.0

Type | Name | Change description
Rule Group | ISO 27001:2013 | Created a new group name for ISO 27001:2013 rules and building blocks.
Reports Group | ISO 27001:2013 | Created a new group name for ISO 27001:2013 reports.
Search Group | ISO 27001:2013 | Created a new group under Compliance for ISO 27001:2013 searches.

The following table shows the QIDs that are updated in JSA ISO 27001 Content Extension V1.1.0.

Table 13: QIDs in JSA ISO 27001 Content Extension V1.1.0

QID | Change description
Excessive Failed Logins to Compliance IS | Rules and building blocks updated to reference QIDs. No QID changes were made.
Remote Change to Database Groups | Rules and building blocks updated to reference QIDs. No QID changes were made.
Login failure to a disabled account | Rules and building blocks updated to reference QIDs. No QID changes were made.
Login failure to an expired account | Rules and building blocks updated to reference QIDs. No QID changes were made.
Concurrent Remote Logins | Rules and building blocks updated to reference QIDs. No QID changes were made.
Database failures followed by success | Rules and building blocks updated to reference QIDs. No QID changes were made.
Policy: Local: Clear Text Application Usage | Rules and building blocks updated to reference QIDs. No QID changes were made.
Successful login to database from a remote host | Rules and building blocks updated to reference QIDs. No QID changes were made.
Long Duration Flow Detected | Rules and building blocks updated to reference QIDs. No QID changes were made.
Remote Change to Database User Rights | Rules and building blocks updated to reference QIDs. No QID changes were made.
Local IRC Server Detected | Rules and building blocks updated to reference QIDs. No QID changes were made.
Attempted database configuration modification from remote network | Rules and building blocks updated to reference QIDs. No QID changes were made.
Policy: Remote: Clear Text Application Usage | Rules and building blocks updated to reference QIDs. No QID changes were made.
Multiple Failures Followed by User Changes | Rules and building blocks updated to reference QIDs. No QID changes were made.

JSA ISO 27001 Content Extension V1.0.1

The following table shows the building block that is updated in JSA ISO 27001 Content Extension V1.0.1.

Table 14: Building Block in JSA ISO 27001 Content Extension V1.0.1

Building Block | Change description
BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on.

JSA ISO 27001 Content Extension V1.0.0

The following table shows the custom properties that are added in JSA ISO 27001 Content Extension V1.0.0.

Table 15: Custom Properties in JSA ISO 27001 Content Extension V1.0.0

  • ObjectName
    Regex: Object Name: (.*?)

  • ObjectName
    Regex: ObjectName: (.*)

  • ObjectName
    Regex: New Process Name: (.*?)

  • ObjectName
    Regex: Object Name: (.*?)

The following table shows the searches that are added in JSA ISO 27001 Content Extension V1.0.0.

Table 16: Searches in JSA ISO 27001 Content Extension V1.0.0

Name | Category
Log Failures to Expired or Disabled Accounts | Compliance
Groups Changed from Remote Hosts | Compliance
Top Authentication Failures by User | Authentication, Identity, and User Activity
Groups Changed from Remote Hosts | Authentication, Identity, and User Activity
Admin Logout by IP | Authentication, Identity, and User Activity
Top Authentications by User | Authentication, Identity, and User Activity
ISO 27001 (10.2.2) - Exceptions And Failures By External Contractors | Other
ISO 27001 (11.2.4) - Supervision Review - Access Control | Other
ISO 27001 (11.4.3) - Node Authentication | Other
ISO 27001 (11.7.1) - Exceptions And Failures By Mobile Workers | Other
ISO 27001 (10.1.2.12.5) - Operational Change Control | Other
ISO 27001 (10.8.4) - Exceptions And Failures For Mail Servers | Other
ISO 27001 (11.5.2) - User Identification and Authentication | Other
ISO 27001 (11.6) - Application Access Control | Other
ISO 27001 (11.7.2) - Exceptions And Failures By Teleworkers | Other
ISO 27001 (12.4.1) - Control of Operational Software | Other
ISO 27001 (12.4.2) - System Test Data | Other
ISO 27001 (15.1.3) - Human Resources Data Access | Other
ISO 27001 (15.1.4) - Data Access | Other
ISO 27001 (15.3.2) - Information Systems Audit Tools Access | Other
ISO 27001 (10.10.4) - Operator Log | Other
ISO 27001 (11.2) - Review Of Access Rights | Other
ISO 27001 (11.3.1) - User Responsibilities and Password Use | Other
ISO 27001 (11.4) - Malicious Attacks | Other
ISO 27001 (11.4.4) - Remote Diagnostic And Configuration Port Access | Other
ISO 27001 (12.4.3) - Source Code Access | Other
ISO 27001 (10.4) - Covert Channels and Trojans | Other
ISO 27001 (10.6) - Network Management | Other
ISO 27001 (10.9.3) - Publicly Available Systems | Other

The following list shows the reports that are added in JSA ISO 27001 Content Extension V1.0.0.

  • Weekly Login Failures to Disabled or Enabled Accounts

  • Weekly Group Changes from Remote Hosts

  • Last 20 Failed Logins

  • Last 20 Logoffs

  • Last 20 Successful Logins

  • ISO 27001 (10.2.2) External contractors (Weekly)

  • ISO 27001 (10.2.2) External contractors (Monthly)

  • ISO 27001 (11.2.4) Supervision and review - access control (Monthly)

  • ISO 27001 (11.4.3) Node authentication (Monthly)

  • ISO 27001 (11.7.1) Mobile worker (Weekly)

  • ISO 27001 (10.1.2,12.5) Operational change control (Daily)

  • ISO 27001 (10.8.4) Mail server (Weekly)

  • ISO 27001 (11.5.2) User identification and authentication (Monthly)

  • ISO 27001 (11.5.2) User identification and authentication (Weekly)

  • ISO 27001 (11.6) Application access control (Daily)

  • ISO 27001 (11.7.2) Teleworker (Weekly)

  • ISO 27001 (12.4.1) Control of operational software (Weekly)

  • ISO 27001 (12.4.2) System test data (Weekly)

  • ISO 27001 (15.1.3) Human Resource data access (Daily)

  • ISO 27001 (15.1.4) Data Access (Monthly)

  • ISO 27001 (15.3.2) - Information systems audit tools access (Daily)

  • ISO 27001 (10.10.4) Operator log (Weekly)

  • ISO 27001 (11.2) Review of user access rights (Daily)

  • ISO 27001 (11.2) Review of user access rights (Monthly)

  • ISO 27001 (11.2.4) Supervision and review - access control (Weekly)

  • ISO 27001 (11.3.1) User responsibilities and password use (Weekly)

  • ISO 27001 (11.4) Malicious attacks (Monthly)

  • ISO 27001 (11.4) Malicious attacks (Weekly)

  • ISO 27001 (11.4.3) Node authentication (Weekly)

  • ISO 27001 (11.4.4) Remote diagnostic port access (Weekly)

  • ISO 27001 (11.7.1) Mobile worker (Daily)

  • ISO 27001 (12.4.1) Control of operational software (Daily)

  • ISO 27001 (12.4.2) System test data (Daily)

  • ISO 27001 (12.4.3) Source code access (Daily)

  • ISO 27001 (12.4.3) Source code access (Weekly)

  • ISO 27001 (13.2) - Incident tracking (Daily)

  • ISO 27001 (11.2.4) Supervision and review - access control (Monthly)

  • ISO 27001 (10.4) Covert channels and trojan code (Daily)

  • ISO 27001 (10.6) Network management (Monthly)

  • ISO 27001 (10.8.4) Mail server (Daily)

  • ISO 27001 (10.4) Covert channels and trojan code (Monthly)

  • ISO 27001 (10.6) Network management (Daily)

  • ISO 27001 (10.6) Network management (Weekly)

  • ISO 27001 (11.3.1) User responsibilities and password use (Monthly)

  • ISO 27001 (11.4.4) Remote diagnostic port access (Daily)

  • ISO 27001 (11.7.1) Mobile worker (Monthly)

  • ISO 27001 (15.1.4) Data Access (Daily)

  • ISO 27001 (15.1.4) Data Access (Weekly)

  • ISO 27001 (10.9.3) Publicly available systems (Monthly)

  • ISO 27001 (10.9.3) Publicly available systems (Weekly)

  • ISO 27001 (10.10.4) Operator log (Daily)

  • ISO 27001 (11.2) Review of user access rights (Weekly)

  • ISO 27001 (11.7.2) Teleworker (Daily)

  • ISO 27001 (12.4.3) Source code access (Monthly)

  • ISO 27001 (15.1.3) Human Resource data access (Weekly)

  • ISO 27001 (15.3.2) - Information systems audit tools access (Monthly)

  • ISO 27001 (15.3.2) - Information systems audit tools access (Weekly)

  • ISO 27001 (11.2.4) Supervision and review - access control (Daily)

  • ISO 27001 (11.3.1) User responsibilities and password use (Daily)

  • ISO 27001 (11.4) Malicious attacks (Daily)

  • ISO 27001 (11.4.3) Node authentication (Daily)

  • ISO 27001 (11.4.4) Remote diagnostic port access (Monthly)

  • ISO 27001 (11.5.2) User identification and authentication (Daily)

  • ISO 27001 (11.6) Application access control (Weekly)

  • ISO 27001 (11.6) Application access control (Monthly)

  • ISO 27001 (11.7.2) Teleworker (Monthly)

  • ISO 27001 (12.4.1) Control of operational software (Monthly)

  • ISO 27001 (12.4.2) System test data (Monthly)

  • ISO 27001 (15.1.3) Human Resource data access (Monthly)

  • ISO 27001 (13.2.1) - Response to security incidents (Daily)

  • ISO 27001 (10.2.2) External contractors (Daily)

  • ISO 27001 (10.4) Covert channels and trojan code (Weekly)

  • ISO 27001 (10.8.4) Mail server (Monthly)

  • ISO 27001 (10.9.3) Publicly available systems (Daily)

  • ISO 27001 (10.10.4) Operator log (Monthly)

  • ISO 27001 (10.1.2,12.5) Operational change control (Monthly)

  • ISO 27001 (10.1.2,12.5) Operational change control (Weekly)

The following table shows the rules and building blocks that are added in JSA ISO 27001 Content Extension V1.0.0.

Table 17: Rules and Building Blocks in JSA ISO 27001 Content Extension V1.0.0

Type | Name | Category
Rule | Login Failure to Disabled Account | Horizontal Movement
Rule | Database Groups Changed from Remote Host | Compliance
Rule | Login Failure to Disabled Account | Authentication
Rule | Database Groups Changed from Remote Host | Post-Intrusion Activity
Building Block | BB:HostDefinition: Database Servers | Host Definitions
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Category Definitions
Building Block | BB:CategoryDefinition: Exploits Backdoors and Trojans | Category Definitions
Building Block | BB:CategoryDefinition: Authentication Success | Category Definitions
Building Block | BB:CategoryDefinition: Authentication Failures | Category Definitions
Building Block | BB:Audit Tools Access | Other
Building Block | BB:Data Access | Other
Building Block | BB:Successes and Failures on Key Assets | Other
Building Block | BB:System Update Failed Events | Other
Building Block | BB:Application Access Control | Other
Building Block | BB:Mobile Worker Failed Events | Other
Building Block | BB:Mobile Worker Policy Violation Events | Other
Building Block | BB:NetworkServices | Other
Building Block | BB:Local To Remote | Other
Building Block | BB:HR Data | Other
Building Block | BB:Source Code Access | Other
Building Block | BB:Failed Events | Other
Building Block | BB:External Contractor Policy Violation Events | Other
Building Block | BB:System Update Policy Violation Events | Other
Building Block | BB:User Responsibilities and Password Use | Other
Building Block | BB:IT Admin Events | Other
Building Block | BB:External Contractor Failed Events | Other
Building Block | BB:Publicly Available Systems | Other
Building Block | BB:Review Of Access Rights | Other
Building Block | BB:Malicious Attacks | Other
Building Block | BB:Operational Change Control | Other
Building Block | BB:Policy Violation Events | Other
Building Block | BB:User Identification and Authentication | Other
Building Block | BB:Teleworker Policy Violation Events | Other
Building Block | BB:System Test Data | Other
Building Block | BB:Teleworker Failed Events | Other
