Tuesday, September 25, 2007

Information Security : Design, Implementation, Measurement, and Compliance

Author : Timothy P. Layton
Product Details
Hardcover : 222 pages
Publisher : AUERBACH; 1 edition (July 20, 2006)
Language : English
ISBN-10 : 0849370876
ISBN-13 : 978-0849370878

Table of Contents
- Background
- Linkage
- Risk Assessment Types
- Relationship to Other Models and Standards
- Terminology
- Risk Assessment Relationship
- Information Security Risk Assessment Model (ISRAM)
- References
- GISAM and ISRAM Relationship
- GISAM Design Criteria
- General Assessment Types
- GISAM Components
- References
- The Culmination of ISRAM and GISAM
- Business Process
- KRI Security Baseline Controls
- Security Baseline
- Information Security Policy Document
- Management Commitment to Information Security
- Allocation of Information Security Responsibilities
- Independent Review of Information Security
- Identification of Risks Related to External Parties
- Inventory of Assets
- Classification Guidelines
- Screening
- Information Security Awareness, Education, and Training
- Removal of Access Rights
- Physical Security Perimeter
- Protecting Against External and Environmental Threats
- Secure Disposal or Reuse of Equipment
- Documented Operating Procedures
- Change Management
- Segregation of Duties
- System Acceptance
- Controls against Malicious Code
- Management of Removable Media
- Information Handling Procedures
- Physical Media in Transit
- Electronic Commerce
- Access Control Policy
- User Registration
- Segregation in Networks
- Teleworking
- Security Requirements Analysis and Specification
- Policy on the Use of Cryptographic Controls
- Protection of System Test Data
- Control of Technical Vulnerabilities
- Reporting Information Security Events
- Including Information Security in the Business Continuity Process
- Identification of Applicable Legislation
- Data Protection and Privacy of Personal Information
- Technical Compliance Checking
- References
- History of the Standard
- Internals of the Standard
- Guidance for Use
- High-Level Objectives
- ISO/IEC Defined
- References
- Overview
- Guidance for Use
- General Changes
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development, and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
- References

- Information Security Policy
- Summary
- References
- Internal Organization
- External Parties
- Summary
- References
- Responsibility for Assets
- Information Classification
- Summary
- References
- Prior to Employment
- During Employment
- Termination or Change of Employment
- Summary
- References
- Secure Areas
- Equipment Security
- Summary
- References
- Operational Procedures and Responsibilities
- Third-Party Service Delivery Management
- System Planning and Acceptance
- Protection against Malicious and Mobile Code
- Backup
- Network Security Management
- Media Handling
- Exchange of Information
- Electronic Commerce Services
- Monitoring
- Summary
- References
- Business Requirements for Access Control
- User Access Management
- User Responsibilities
- Network Access Control
- Operating System Access Control
- Application and Information Access Control
- Mobile Computing and Teleworking
- Summary
- References
- Security Requirements of Information Systems
- Correct Processing in Applications
- Cryptographic Controls
- Security of System Files
- Security in Development and Support Processes
- Technical Vulnerability Management
- Summary
- References
- Reporting Information Security Events and Weaknesses
- Management of Information Security Incidents and Improvements
- Summary
- References
- Information Security Aspects of Business Continuity Management
- Summary
- References
- Compliance with Legal Requirements
- Compliance with Security Policies and Standards, and Technical Compliance
- Information Systems Audit Considerations
- Summary
- References


Editorial Reviews

I have had the pleasure of working with Tim on several large risk assessment projects and I have tremendous respect for his knowledge and experience as an information security practitioner. … Risk assessment is the cornerstone of an effective information security program. … striving to achieve compliance in the absence of a risk-based security strategy can only lead to failure. … Implement an effective risk assessment program and take control of the compliance monster. … This book will help you do just that. I know you will benefit from Tim's guidance on how to get the most from your risk assessment efforts. For today's information security leaders, there is not a topic more important.
-From the Foreword by Gary Geddes, CISSP, Strategic Security Advisor, Microsoft Corporation


Book Description
Organizations rely on digital information today more than ever before. Unfortunately, that information is equally sought after by criminals. New security standards and regulations are being implemented to deal with these threats, but they are very broad and organizations require focused guidance to adapt the guidelines to their specific needs. Fortunately, Information Security: Design, Implementation, Measurement, and Compliance outlines a complete roadmap to successful adaptation and implementation of a security program based on the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management. The book first describes a risk assessment model, a detailed risk assessment methodology, and an information security evaluation process. Upon this foundation, the author presents a proposed security baseline for all organizations, an executive summary of the ISO/IEC 17799 standard, and a gap analysis exposing the differences between the recently rescinded version and the newly released version of the standard. Finally, he devotes individual chapters to each of the 11 control areas defined in the standard, covering systematically the 133 controls within the 39 control objectives. Tim Layton's Information Security is a practical tool to help you understand the ISO/IEC 17799 standard and apply its principles within your organization's unique context.


Information Security Ebook: Protecting Your Business Assets

Type : PDF file
Pages : 11

The information created, used, stored and transmitted by your organisation forms one of its most important assets. This document shows how you can use good practice to protect this information from being maliciously or unintentionally changed (integrity); make it available when and where needed (availability); and ensure that only those with a legitimate right can access it (confidentiality).

This document should be regarded as a starting point for developing organisation-specific controls and guidance for the classification and protection of information assets. Not all the guidance provided in this document may be applicable to an organisation's specific needs. It is therefore important to understand the organisation's business requirements and to apply this guidance appropriately. The document provides general guidance only and, if fully implemented, can only reduce, not eliminate, your vulnerability.

Organisations which regularly handle UK government protectively-marked information must continue to follow the procedures agreed with the appropriate UK security authorities. However, this guidance has been developed in conjunction with them, and similar security procedures can therefore be applied to commercial and protectively-marked information.

Who this document is for: those responsible for initiating, implementing or maintaining information security in their organisation, as well as those who use and process their organisation's information.

For the purposes of this booklet the following definitions apply:
- Information Security
Information security involves the preservation of confidentiality, integrity and availability of information (reference ISO/IEC 17799:2000).
- Risk assessment
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation (ISO Guide 73:2002).
- Risk management
Risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication (exchange or sharing of information about risk between the decision-maker and other stakeholders) (ISO Guide 73:2002).

The CB Audit process

In order to become a certified organization, you need to start off correctly at the beginning and determine which CB you are going to engage to provide BS 7799 certification services.
If you have any other certifications in the organization, it makes sense to use the same CB for BS 7799 (assuming that they are accredited to provide BS 7799 certification services). This is called integrated auditing and allows the number of days spent on site by the CB to be reduced, as they use the same auditor to audit more than one standard.
In my case, I have the same auditor do ISO 9001 and BS 7799 as he is dual qualified, and it saves me at least an audit day per year. Additionally I have only one visit, so my routine is not disturbed twice.
If you have no existing certificates, then make a list of all of the CBs that are available, ring each of them to get some idea of costs and services, and then ask them to send you the relevant forms to fill in.
The actual certification process has six steps:

*** Note: Not all CBs follow this process exactly – when investigating them determine the discrepancies from this generic approach and ensure that you are happy with them.

Step 1 - Questionnaire
Typically the chosen CBs will send out a questionnaire for you to fill in. The certification process starts when you complete a questionnaire giving details of your requirements. This provides the CB with the information needed to send you a quotation.

Step 2 - Application for Assessment
If you decide to proceed with certification with the chosen CB, then an application form must be filled in and returned to the CB. On receipt, an initial visit by a BS 7799 Auditor is arranged.

An initial visit allows you to meet the Auditor who will assess the ISMS for BS 7799 certification. The Auditor will explain the assessment process and carry out a review of the existing documented management system. An assessment date and an audit programme will be agreed.

Step 3 - Stage 0 Audit (otherwise called a ‘Pre-assessment Visit’ or a ‘Gap Analysis’)
This is an optional stage, but if you can afford it, I always recommend it.
You should do this after you have implemented the Information Security Management System (ISMS) and developed the Statement of Applicability (SoA), when you may have some controls in place and documented and some records available.
If you are doing this in house, it is a way of demonstrating to your management that you are on track and doing the job correctly, and that your management can have confidence in that.
It can also show management where they fail, as non-conformances are written up as part of the audit.
Typical management failures that I see at this stage are usually lack of management commitment (5.1), inadequate resource management (5.2) or some other management-type failure.
If you are using consultants, more or less the same applies, and passing this audit can be a useful pay point in their remuneration cycle, or indicate the need to get a different consultancy!
Whilst this audit cannot be relied on to support a Stage 1 or 2 CB Audit, it would be difficult for an Auditor to later find major non-conformances in the ISMS unless something dramatic had occurred in the organization to warrant this.

This step provides a sanity check.

Step 4 – the Stage 1 Audit (otherwise called a ‘Document Review’)
This is the first part of the audit proper.

This stage looks to see if the SoA has been implemented by selection of controls and documenting all the policies and procedures that surround their use. The auditor will also look to see that there is evidence of records being collected for implemented controls, though the full audit for this is the Stage 2 Audit. At this time also the auditor will plan the Stage 2 audit.

Typically, the auditor reviews the documented ISMS, looking at:
- Policy
- Scope
- Asset Registers
- Roles and Responsibilities
- Risk process/treatment and acceptance
- SoA
- Documented processes and procedures supporting the ISMS
- Compliance, contractual and other regulatory issues.
If there are any audit failures, i.e. non-conformances, then they will be written up on the Corrective Action Plan (CAP). It is then up to you, the client, to document how you are going to address these and return the plan to the CB for agreement.

Typically, you have 20 days to respond to the raising of a CAP, and once agreed, 3 months to address issues raised on a CAP.

Failure to either respond or carry out the agreed work in the time limit can prejudice the granting (retaining) of a certificate. When the next audit occurs, the CAPs are the first items reviewed to ensure that they have been suitably addressed.

Step 5 - Stage 2 Audit (otherwise called the ‘Compliance Audit’)
During the Stage 2 Audit, an objective assessment of the organizational procedures and practice will be carried out against the documented ISMS (reviewed in the Stage 1 Audit).

The Auditor will be looking for records (i.e. proof) that the ISMS is operated as the documented ISMS says it should be.

On completion of the assessment the Auditor will present the findings of the assessment in a written report to you and CAPs will be raised if appropriate.

Following a successful Stage 2 Audit and the decision to grant registration, a certificate of registration is awarded and the organization is permitted to use the CB Certification Mark and the relevant BS 7799 certification mark.

Step 6 – Ongoing audits
A program of regular surveillance visits is agreed with you to verify that the requirements of the BS 7799 standard continue to be met and again CAPs will be raised if appropriate.

There are two types of ongoing audit, each of which is covered in turn below:

Surveillance Audit

A programme of ‘surveillance audits’ is undertaken over a three year cycle to ensure that the ISMS is working properly. This is performed in addition to the internal audits and the ongoing monitoring and management that you perform internally (4.2, 4.2.4, 6.2, 6.3, 6.4, 7.2, 7.3, A.4.1.7, A.12.2.1 and A.12.2.2, to name just some of the requirements you must meet on an ongoing basis).

The actual frequency of these will vary with the CB, but typically the following will occur:

- Surveillance audits are carried out regularly (either annually, 9 monthly or 6 monthly);
- The first one is usually 3 months after the Stage 2 Audit, to check for any CAPs outstanding since that audit;
- At every audit any outstanding CAPs are audited for completeness;
- All mandatory requirements are audited;
- A representative sample of all other controls is audited (so that all controls in the ISMS are reviewed over the surveillance cycle).

Triennial Audits

The Triennial audit, as the name suggests, is carried out every three years.
This audit is similar to the original Stage 2 or Certification Audit, but it should take less time as the CB Auditor now knows your systems, unless a scope or other change has occurred.
All controls are evaluated to ensure that the ISMS is operating properly and, assuming it is, your certificate is renewed for another 3 years.
If not, CAPs are raised and you have to address them.

The three year surveillance audit process then starts all over again.


What Documents can I read to help me prepare for BS7799?

There are a number of documents that are available, in addition to the BS 7799 and ISO17799 standards themselves, and these include:

From BSI

- Information Security Management: An Introduction (PD 3000);
- Preparing for BS 7799 Certification (PD 3001);
- Guide to BS 7799 Risk Assessment and Risk Management (PD 3002);
- Are you ready for a BS 7799 Audit? (PD 3003);
- Guide to BS7799 Auditing (PD 3004);
- Guide on the Selection of BS 7799 Controls (PD 3005).

Other publishers

- ISO Guide 62 – General Requirements for Bodies Operating Assessment / Registration of Quality Systems (to merge with ISO Guide 66 to become ISO 17021);
- EA-7/03 – Guidelines for the Accreditation of Bodies Operating Certification/ Registration of Information Security Management Systems;
- ISO 19011 – Guidelines for Quality and / or Environmental Management Systems Auditing.

A number of books have been published on the BS 7799 process; a check of the local IT bookshop or Amazon should provide numerous titles from which to choose.

The types of Audit that may be undertaken in an organization

There are a number of audits that may be undertaken in an organisation, and these include:

- First Party (Internal Audit) – within an organisation, internal review etc.;
- Second Party (Supplier Audit) – of a supplier or contractor;
- Third Party Audit – by a CB.


What is a CB Audit, and why should I undergo one?

Auditing by a third party (an accredited CB) provides assurance that an acceptable, risk-based level of information security has been implemented and is regularly reviewed.
There are a number of reasons to obtain certification; these include:
- Organizational assurance;
- Service provider assurance;
- Business trading partner assurance;
- Demonstrable and effective way of showing appropriate information security in place;
- Competitive advantage;
- Reduce trade barriers – international acceptance;
- Reduce costs of regulation, corporate governance etc.

So who can do this Certification?

The only body who can carry out this certification is a CB that has been Accredited by the ‘national accreditation service’ (in the UK this is the United Kingdom Accreditation Service – UKAS).

This ensures that CBs meet national and international standards for the services they offer. This is typically EA-7/03, which is the ‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’. EA-7/03 can be found at

This harmonises the use of Guide 62 for ISMSs and was approved by the European Co-operation for Accreditation (EA) in Nov 1999.

Guide 62 is the ‘General requirements for bodies operating assessment and certification / registration of quality systems’.
A CB uses auditors who are totally independent of the organization being audited.
The CB is regularly audited by the National Accreditation Service to ensure that the CB processes are appropriate and correct. This means that all work is to the standard required by EA-7/03 and allows ‘mutual recognition’ between the National Accreditation Services.

So am I certified against BS 7799 Part 2 (2002) or ISO 17799 (2000)?

Certification is carried out against (currently) BS 7799 Part 2 (2002). This contains the requirements for the ISMS in terms of the PDCA (Plan, Do, Check, Act or Deming Cycle) and the old Annex A (Updated) from BS 7799 Part 1 (1995).

BS 7799 Part 2 (2002) is a Specification.

ISO 17799 is a Code of Practice.


How does the BS7799 / ISO 27001 certification audit process actually work?

Before the audit:
The greatest mistake that organizations make is that they are not properly prepared for an audit. Many organizations that want to undergo a certification audit fail at the first stage because they have not properly prepared for it.

Some examples I have encountered are below:
A classic case of this was the organization that desk dropped their approved information security policy on all staff desks on the weekend before our audit started on the Monday. Somehow the words ‘published and communicated, as appropriate, to all employees’ (A.3.1.1.) did not spring to mind.

Likewise, failure to perform a risk assessment would not give the auditor a warm and comforting feeling that a risk assessment had been carried out on the ‘assets within the scope’ (4.2.1).

Any organization that cannot demonstrate that the ISMS works by undertaking internal ISMS audits (6.4) will not be looked upon favourably for passing a certification audit.

Another major failure at the outset of the certification or implementation project is the failure to have demonstrable management commitment. This means something more than the CEO or MD saying ‘yes – go do it’. There needs to be management commitment to the process as well as ring-fencing of resources (5.1 and 5.2).


Sunday, September 23, 2007

BS 7799 Certification

In the information security space we believe that people are both the strongest and the weakest link in securing an organisation's IT resources. Security professionals are responsible for both making and breaking the best security systems developed to date.

The best method to validate one's attempt to provide effective information security management is to first benchmark it against the BS 7799 standard and then have it certified by an external body.

In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management.

In this final session we would attempt to understand the structure and steps involved in certification for BS7799.

A quick recap

Before we go into the details of acquiring certification we need to go back and look at what constitutes the standard and what a company will be certified for:

ISO/IEC 17799:2000 (Part 1) is the standard code of practice, which can be regarded as a comprehensive catalogue of "the best things to do in Information Security".

BS7799-2:1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). The ISMS is the means by which senior management can monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.

Please note that certification is against BS7799-2:1999.

In order to be awarded a certificate, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as Det Norske Veritas and BSI Assessment Services Limited).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Domains on which one would be assessed:

As discussed in the earlier sessions, the company needs to prepare its policies and procedures, which would cover the following domains:

- Security policy
- Security organisation
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management


Statement of applicability

BS 7799 requires a company to identify the processes and controls that actually apply to it. If, for example, the company does not outsource any of its functions to an external vendor, it can state that the control ‘Security requirements in outsourcing contracts’ is not relevant to that particular organisation.

You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant.

Preparing oneself for Certification:

The traditional formula of PLAN, DO, CHECK and ACT (the PDCA cycle) works well with BS 7799 too, and this is a good place either to start or to review the progress of the implementation team.


While planning, one has to be particularly careful about the business context in which the ISMS is being prepared. This includes defining business policy and objectives, estimating the scope of the ISMS, deciding on and collecting resources for conducting the risk assessment, and a definitive approach to identifying, analysing and evaluating risks on a continuous basis.


While implementing the ISMS the focus should always be on building a long-lasting and reliable mechanism for managing risk. This would include evaluating the options of automated or manual systems; the ideal is to strike a balance between the two. The BS7799 controls need to be addressed, as our ultimate objective is to acquire certification.

Deploy qualified and tested vendors to implement the various products and solutions that will be required. Preparation of the statement of applicability is also an important step, in which management plays an important role.


This is where one has to engage an external security audit team qualified to perform a third-party security audit for BS7799. Certification companies like Det Norske Veritas can also help find qualified BS7799 consultants for companies interested in performing a pre-assessment audit.

The audit team would check for appropriate controls and evidence of implementation.

For example: if a company has prepared a policy for contractual agreements, the company would have to submit the templates and documents where third-party contractors have signed up to its security requirements.

Implementation would also include continuous monitoring of the ISMS, first from the perspective of whether it satisfies business needs, and then whether it remains practically valid within the organisation.


After checking for flaws and vulnerabilities, the company needs to improve the ISMS by identifying key vulnerabilities and taking appropriate corrective actions.

Preventive actions for incidents that have not yet occurred but can be predicted can be taken, and policies to drive them into action can be framed at an appropriate time.

Communication and delivery of policies to IT users and the IT team should be done with ease and determination. Cultural changes and differences which arise should be tackled with justification and transparency. Management, partners and users should be trained on policies and procedures.

Creative techniques, such as designing posters which clearly state the rules for PC usage and the best practice followed in password creation and maintenance, can go a long way towards the success of the policies and procedures.

The 4-step method of certification

The Plan, Do, Check and Act framework is cyclic and has to be followed continuously over the long run, with the solid backing of management.

We now come to the specifics of the certification process.

Step One

Desktop Review:

All documented policies and procedures need to be verified and checked for consistency and practicality. Corresponding templates and forms are presented to the audit team.

One important check on documentation will be its validity and relevance to the BS7799 controls.

The following documents need to be presented:

ISMS, policies, IT environment documentation, risk assessment reports, business continuity planning documentation, statement of applicability.

Step Two

Technical Review

The definition and implementation of the security architecture, with its various products and networking components, are checked for vulnerabilities and possible risk exposure.

The company would also need to submit a ‘permissible risk’ statement; this is the risk which the company can afford to take.

Step Three

Internal Audit

The team of BS7799 implementers and BS7799 professionals can carry out an initial internal audit in which non-conformances are picked up and recommendations are documented.

This step simulates the real third-party audit and has to be taken seriously by the team and by the users of IT in the company.

Step Four

External Audit- Certification

The date for inviting the certification company is predetermined, and the company gets ready to face the external auditors.

The company's consultants and internal team are not allowed to be part of the audit team.

They can, however, assist and help the auditors find relevant material.

The auditors check documentation and objective evidence with the following questions in mind:

  • Are records correct and relevant?
  • Are policies known and tested?
  • Are policies communicated?
  • Are controls implemented?
  • Are policies followed up?
  • Are preventive actions taken?

The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.


After the audit, the certification company recommends the company for BS7799 certification. This is certainly a victory for the IT team, as they can be assured that their IT systems are world class and the likelihood of a security incident is minimised.

To summarize the series, BS7799 is a culture one has to build in the company, which would help one:

  • Heighten security awareness within the organisation
  • Identify critical assets via the Business Risk Assessment
  • Provide a structure for continuous improvement
  • Be a confidence factor internally as well as externally
  • Enhance the knowledge and importance of security-related issues at the management level
  • Ensure that "knowledge capital" will be "stored" in a business management system
  • Enable future demands from clients, stockholders and partners to be met

Recommended Reading

  • Information Security Management: An introduction (PD3000)
  • Preparing for BS7799 Certification (PD3001)
  • The Guide to BS7799 Risk Assessment and Risk Management (PD3002)
  • Are you Ready for a BS7799 Audit? (PD3003)
  • Guide to BS7799 Auditing (PD3004)
  • Guide on selection of BS 7799 controls (PD3005)
  • BS7799 : Part 1: 1999 Code of Practice for information security management
  • BS7799 : Part 2: 1999 Specification for information security management systems
  • EA Guidelines 7/03

BS7799 Interpretation Guide (Free Download):

Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organization comprises over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.

DNV started its operations in Region India in 1972 and has established itself as a leading classification society. DNV has been providing classification, certification, consultancy and verification services for the marine, offshore and land-based process industries ever since, for both the public and private sectors.

DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management System and is a leading Certification Body in India for both Quality & Environment Management System Certification having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.

Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.


Information Security Principles (ISO/IEC 17799)

Security policy
- An Information Security Policy document will be available to all staff and students
- Senior management shall set a clear direction and demonstrate support for, and commitment to, information security across the University
- Information systems owners will be responsible for ensuring the design, operation and use of IT systems comply with Information Security Policies

Security organization
- Responsibility for governing and managing security of information rests with the executive management of the University
- A management framework will be established to initiate and control the implementation of information security within the University
- Information security governance must fit into and support the IT governance framework
- Responsibilities for the protection of individual assets, and for carrying out specific information security processes, rest with information systems owners
- Third parties will be provided access under formally managed conditions only
- Security requirements must be addressed as part of outsourcing contracts

Asset classification and control
- All information systems should be accounted for and have a nominated information system owner
- Classification labels must be used to indicate the need and priorities for security protection

Personnel security
- Security should be addressed at recruitment, included in relevant job descriptions and contracts, and monitored
- Users of information should be trained in security procedures and the correct use of IT facilities
- Users' scope of access to information systems should be formally authorised in writing
- Incidents affecting security should be reported through approved channels as quickly as possible
- All staff, contractors and students should comply with all prevailing legal and community standards relating to data confidentiality and privacy

Physical and environmental security
- IT facilities supporting critical or sensitive business activities must be physically protected from :
+ unauthorized access, damage and interference
+ the effects of environmental events such as fire, electrical supply failure, natural disasters and terrorism

Computer and network management
- The integrity, accuracy and availability of data are to be maintained in a manner appropriate to the business requirement
- Procedures must be established for the operation and management of all computers and networks
- Controls are to be developed to reduce the risk of negligent or deliberate system misuse

Access control
- Access to computer services and data should be controlled on the basis of business requirements
- IT will provide appropriate access and security control systems
- Users should only be allowed access to the data that is necessary for them to do their job

Systems development and maintenance
- Security requirements must be identified and agreed prior to the development or procurement of IT systems
- Appropriate controls, including audit trails, should be designed into applications
- Access to project, support and development environments and associated test data should be closely controlled

Business continuity planning
- Plans must be available to protect critical business processes from the effects of major failures and disasters

Audit and compliance
- All relevant statutory and contractual requirements of information systems should be explicitly defined and documented
- The security of IT systems should be regularly and independently reviewed
- Adherence to all relevant privacy laws is compulsory
- Data will be protected against loss and unauthorised access commensurate with its value and the requirements of the regulators and legislators
- IT will monitor and report on access and security breaches, including unsuccessful attempts


Thursday, September 20, 2007

Eight Tips for Working with a Consultant

Jul/Aug 2007

by Julie Gable

Top consultants offer suggestions for identifying, hiring, and working with consultants to produce a successful experience and end result for all involved.

New regulations, changes in legal discovery, and the productivity drain of uncontrolled records all compel businesses and government to seek outside assistance from records and information management (RIM) consultants, content management experts, and others who offer fee-based services. Faced with an accelerating transition from paper to electronic recordkeeping, organizations want help in plotting their present course and positioning themselves for the future - areas in which consultants excel.

Yet, many entrusted with finding and using consulting talent don't make the best use of their budget dollars, usually because they have only vague ideas about how consultants - and the consulting business - work. Here, then, is the best advice culled from several consultants (see sidebar, "Contributors to this Article") whose organizations offer a cross-section of RIM consulting services. Knowing what to watch for (and what to watch out for) can make the experience of identifying, hiring, and collaborating with consultants more productive and rewarding for everyone involved.

1 Understand What Consultants Do

The most common reason to hire a consultant is to get expertise not available in-house. Consultants provide analyses based on data and facts they gather from various sources within the client's organization. Consultants review this data and bring insights to it based on their knowledge and experience. The resulting deliverables may include:

* Strategic planning and direction - what to do, and in what order, to move from the current situation to a desired one. For example, a consultant might develop an enterprise strategy for managing electronic records in phases.

* Advice, guidance, and work plans - a set of recommendations for how to solve particular problems, along with the estimated resources, time frame, and costs to do so. For example, a consultant may advise what must be done to replace existing RIM software.

* Tangible work product - this may include such things as retention schedules, file plans, taxonomies, software specifications, and other tools needed to advance organizations' information management efforts.

Typical consulting projects include a mix of services delivered in phases to achieve an objective. Common projects include:

* Developing or revising records management program components - retention schedules, policies, procedures, training materials, or auditing

* Identifying functional and technical specifications for technology to be acquired

* Developing integrated information management strategies for how content will be captured, stored, shared, and managed

Sometimes, consultants are sought to validate internally developed opinions or approaches. Smaller firms may want the consultant to act as a "coach" for their own do-it-yourself effort, where internal personnel will do most of the work.

What consultants deliver depends on how the project is defined. This is principally done in writing through a documented scope of work.

2 Define the Project's Scope

Consultants unanimously agree that a scope of work statement is essential for any project. The scope document shows what the project's objectives are, what is included (and what is not), as well as what the client expects to have at the end of the engagement. For example, a project described as "an assessment of the current records management program" can be a request for:

(1) An opinion regarding the RIM program's adaptability for use with electronic records

(2) A comparison of the RIM program to other companies' RIM practices in a specific industry

(3) A review of whether the program has adequate staffing levels

(4) An examination of whether the RIM program's workflows are efficient

Any of these could factor into the review of a records management program, but the potential disconnect is where the client expected item (1) but got (4) or, worse, where the client thought it would get not just a RIM program assessment and recommendations for change, but the actual remedial work - the new policies, procedures, and retention schedules, too.

"Scope should focus on achievable goals. Understanding clearly what RIM consultants offer and what the organization needs are important," explained Priscilla Emery of e-Nterprise Advisors. Scope is not a description of the current situation, but a clear definition of what the client wants to have accomplished at the end of the project. Recognize that the scope of work may require input from many sources, including IT, the legal department, and others.

For firms without prior experience in scoping information management projects, it can help to engage a consultant to do a needs analysis. This exercise ensures that requirements are defined as clearly as possible before any bidding process begins and that project aspects are not left open to interpretation. A needs analysis can also break a large project into smaller activities by determining how much of the organization will be part of the project. For example, are all divisions included, or only a specified group? What about international locations?

"Take the time to nail the project scope down," advised Jesse Wilkins, CDIA+, of Access Sciences. "No matter what fee structure is in place, the time you spend on specifying the scope will pay for itself and then some." Consultants also caution that project scope may change as a project progresses, so a clear change control or amendment process is a must.

3 Find the Right Fit

These days, law firms, accounting firms, management consultants, storage companies, software companies, and others have all entered the records consulting marketplace. Also available are independent firms that specialize in records management issues, often with deep expertise in particular industries such as financial services, energy companies, or pharmaceuticals. Several sources of reputable consultants are available. (see sidebar, "Finding Consultants.") To find the right firm for the job:

* Evaluate the consultant's knowledge of the organization's industry. "Shop for deep and applicable expertise, experience with current and emerging RIM practices and legal issues," suggested George Cunningham of PelliGroup.

* Verify the consultant's track record. "See if others in the sector have used consultants and find out what their experience has been," offered J. Michael Pemberton, Ph.D., CRM, FAI, of Information Management Associates Inc.

* Match the consultants' skills and expertise to the specific needs of the project, particularly where technology is involved. Noted Art Mansky of Miria Systems: "Consider the consultants' experience in technologies associated with your line of business as well as their technical and project management depth."

* Realize that big is not necessarily better. "A large project can be undertaken by a group of smaller companies who come together with specific skill sets required to meet the project requirements," advised Christine Ardern, CRM, FAI, of Entium Technology Partners.

* Never underestimate the value of hands-on experience. "It's one thing for consultants to advise how something ought to be done, but have they actually done it in a real-world situation?" said Bruce Miller of RIMtech Inc.

To get more information about specific consultants, many organizations prepare a request for information, usually a form that requests specifics about the consulting firm's:

* Years in business

* Location, management, and ownership

* Services provided

* Staff and their qualifications, including certifications such as CRM, CDIA, ERM

* Similar clients and past projects

Choosing from among qualified consultants may be a matter of personal interviews or a formalized request for proposal (RFP) process. An RFP generally includes as much detail about the contemplated project as possible, as well as a clear picture of what kind of work product the consultant must deliver in a specified time frame. The RFP allows consultants to clarify their approach and detail the activities that will take place to accomplish the project objective.

RFP responses will also clearly outline responsibilities, including the client's responsibilities, regarding project management, regular communications, scheduling of interviews, review sessions, approval of submitted work, and expectations for knowledge transfer and management concurrence for the duration of the project. Like the project scope document, the successful consultant proposal becomes part of the contract between client and consultant.

4 Understand Fees, Pay for Quality

Consultants may charge on a time and materials (T&M) basis, such as an hourly or daily rate plus all expenses associated with the project. T&M puts the onus on the client to make sure that the work is progressing at the speed expected. T&M pricing may also be negotiated with a cap or set limit that is not to be exceeded. T&M prices can range from $150 to $300 or more per hour, or $1,200 to $2,400 per day.

Where project scope is well-defined and understood, consultants may charge a firm, fixed price for the deliverables identified. However, don't expect a fixed price for hands-on work if the consultant hasn't actually seen the environment. While it is possible to estimate time per file drawer for an extensive records inventory, it is not possible to know that folders in the drawers are so old that they crumble on contact - a fact that will slow the process and likely increase the price.

Fees should not be the sole criterion for consultant selection. According to PelliGroup's Cunningham, "Shop for quality and value; cheap does not mean competent. A small amount of high-quality assistance is a much better investment than a lot of bad advice."

5 Spell out the Details

The contract formalizes understanding between client and consultant. No matter how cordial the relationship or how relatively small the project, most consultants prefer to have a contract in place.

Like their clients, consultants generally don't like surprises. "Whenever possible, let consultants know standard contracting and procurement procedures up front," said e-Nterprise's Emery.

"Standard contract clauses may not be applicable," cautioned Entium's Ardern. One example is local government contracts, where liability insurance clauses written for heavy construction work are not relevant to information management projects. These can be nasty surprises for consultants that have already quoted a fixed price in their proposals. Such unexpected terms can slow the project's start while they are re-negotiated.

The contract should also represent the interests of both parties. "Consultants have the right to protect intellectual property developed and owned by the consultant," says Naremco Services Inc.'s Alan A. Andolsen, CRM, CMC.

Other clauses to include:

* Confidentiality of client and consultant information. Clients stipulate that their information should not be disclosed to others; consultants stipulate that their work product must not be shared with others outside the contracting organization.

* "Out clauses" that can be invoked by either side for project cancellation. These typically deal with payment for services rendered up to the time of cancellation.

* Estimated travel requirements, including the amount of time consultants are required or expected to be onsite.

* Acceptable expenses and how these will be reimbursed

* Clear payment schedule and payment terms. If invoices are paid net 45 days, the contract should state this. Deductions taken for prompt payment - e.g., 2 percent within 10 days - should be made clear. Required deductions for local taxes or license fees should also be spelled out.

* Additional work or addendum clauses. These describe the process for scoping, estimating, and approving costs for additional work that was not specifically identified in the initial scope of work.

6 Expect to Participate

Consultants unanimously emphasize that clients should expect to be active project participants and that such involvement is critical to project success.

"Clients must be involved in all aspects of the engagement. The client knows his or her organization and is an ongoing resource about operations, people, practices, culture, and a multitude of other issues," Cunningham said. Andolsen elaborated: "Because many elements in our projects have serious legal repercussions, it is essential that the client participate in their development and understand their ramifications."

According to Ernst & Young's Mark Lagodinski, CRM, "Client participation can be significant depending on engagement type. Clients should expect to spend time handling logistics, attending status meetings, and handling internal communications with stakeholders, interviewees, and others."

Mansky stated, "Client participation is critical to the success of an ECM engagement." Emery concurred, "The best projects are the ones where the affected parties are participating willingly."

Clients should also expect:

* Projects conducted in accord with clear and stated ethical principles and an atmosphere of trust, openness, and integrity in all consultant dealings

* Work product that is tailored to their organization's situation, not a cookie-cutter solution or a one-size-fits-all approach

* Open, honest, and frequent communication regarding project status, including risks for project completion and what can be done about them

Consultants expect that ethical behavior is a two-way street. This means that clients and potential clients will also act in good faith and respect the fact that for consultants, time really is money. Some expectations, and some behaviors, are simply unreasonable and can impede rather than foster a strong sense of partnership and collaboration (see sidebar, "What Not To Do.")

7 Remember, It's a Business

Consulting is a business. Most consultants don't want to make a killing; they simply want to make a living. Consultants have basically two things to sell: their time and their expertise, which consists of experience and knowledge. All consultants spend significant time honing their skills and keeping their knowledge up-to-date, so it is unreasonable to expect them to simply give these away. Consultants offer services in exchange for fees, the same as any other business, and they depend on prompt payment of those fees to sustain their enterprises. While most consultants don't mind a quick question, they do resent those looking for free consultation. They also don't like potential clients who presume that consultants will do anything to get their business.

8 Commit to a Successful Collaboration

The best way to work with a consultant is to be specific about what is needed, in what time frame, and what the finished product should look like. Realize that it will take time, money, and other resources to achieve the desired result, and be prepared for a commitment of all three. Consultants are partners and collaborators who genuinely want to help their clients succeed. As with all good relationships, successful consulting projects require mutual respect, ethical behavior, and willingness to work together toward specific goals.

Julie Gable, CRM, CDIA, FAI

Julie Gable, CRM, CDIA, FAI, is the associate executive editor of The Information Management Journal. For the past 18 years, she has been president of Gable Consulting LLC, an independent RIM consulting firm based in Philadelphia. She may be contacted or

Copyright ARMA International Jul/Aug 2007
Provided by ProQuest Information and Learning Company. All rights Reserved


ISO 17799: Standard for Security

Nov/Dec 2006

by Ellie Myler and George Broadbent

Organizations can use ISO 17799 as a model for creating information security policies and procedures, assigning roles and responsibilities, documenting operational procedures, preparing for incident and business continuity management, and complying with legal requirements and audit controls.

Pretexting. Zero Day Attacks. SQL Injections. Bots and Botnets. Insider Infractions. Click Fraud. Database Hacking. Identity Theft. Lost Laptops and Handhelds. According to Ted Humphreys, in a recent International Organization for Standardization (ISO) press release, "It is estimated that intentional attacks on information systems are costing businesses worldwide around $15 billion each year and the cost is rising."

Today's information professionals need to address an ever-increasing number of internal and external threats to their systems' stability and security, while maintaining access to critical information systems. As the e-commerce space continues to grow and new tools allow organizations to conduct more business online, they must have controls in place to curtail cyber crimes' malicious mayhem, tampering, and wrongdoing.

Organizations need to address information security from legal, operational, and compliance perspectives. The risk of improper use and inadequate documentation abounds, and the penalties are greater than ever. By combining the best practices outlined in the international standard ISO/IEC 17799 Information Technology - Security Techniques - Code of Practice for Information Security Management (ISO 17799) with electronic records management processes and principles, organizations can address their legal and compliance objectives. This article explores the opportunity to bridge the gaps and bring together information security, intellectual property rights, protection and classification of organizational records, and audit controls.

ISO 17799 Components, Applications, Implications

ISO 17799 provides a framework to establish risk assessment methods; policies, controls, and countermeasures; and program documentation. The standard is an excellent model for organizations that need to:

* Create information security policies and procedures

* Assign roles and responsibilities

* Provide consistent asset management

* Establish human and physical security mechanisms

* Document communications and operational procedures

* Determine access control and associated systems

* Prepare for incident and business continuity management

* Comply with legal requirements and audit controls

Information security can be defined as a program that allows an organization to protect a continuously interconnected environment from emerging weaknesses, vulnerabilities, attacks, threats, and incidents. The program must address tangibles and intangibles. Information assets are captured in multiple and diverse formats, and policies, processes, and procedures must be created accordingly.

Organizations can use this standard not only to set up an information security program but also to establish distinct guidelines for certification, compliance, and audit purposes. The standard provides various terms and definitions that can be adopted as well as the rationale, the importance, and the reasons for establishing programs to protect an organization's information assets and resources. Figure 1 depicts the suggested steps and tasks associated with establishing and implementing an information security program.

This ISO framework is methodically organized into 11 security control clauses, which together contain 39 main security categories, each with a control objective and one or more controls to achieve that objective. The control descriptions give the definitions, implementation guidance, and other information an organization needs to set up its program objectives according to the standard's methodology.

Step 1: Conduct Risk Assessments

This component of the standard applies to activities that should be completed before security policies and procedures are formulated.

Risk is defined as anything that causes exposure to possible loss or injury. Risk analysis is defined as a process of identifying the risks to an organization and often involves an evaluation of the probabilities of a particular event or an assessment of potential hazards. Loss potentials should be understood to determine an organization's vulnerability to such loss potentials.

Risk categories are both internal and external and can include:

* Natural: Significant weather events such as hurricanes, flooding, and blizzards

* Human: Fire, chemical spills, vandalism, power outages, viruses, and hackers

* Political: Terrorist attacks, bomb threats, strikes, and riots

Conduct risk assessments to understand, analyze, evaluate, and determine what risks organizations feel are likely to occur in their environment. Risk assessment activities involve information technology (IT) and information processing facilities, facilities management and building security, human resources (HR), records management (RM) and vital records protection, and compliance and risk management groups. These groups must collectively determine what the risks are, the level of acceptance or non-acceptance of that risk, and the controls selected to counteract or minimize these risks.

Risk analysis is conducted to isolate specific and typical events that would likely affect an organization; considering its geography and the nature of its business activities will help to identify risks. Loss potential from any of these events can result in prohibited access, disrupted power supplies, fires from gas or electricity interruptions, water damage, mildew or mold to paper collections, smoke damage, chemical damage, and total loss (with the destruction of the entire building).

Regularly monitor emerging threats and evaluate their impacts, as this is a constant, moving target. For example, according to an IMlogic article, "IM [instant messaging] worms are the most prevalent form of IM malware, representing 90 percent of all unique attacks in 2005. These attacks frequently utilized social engineering techniques to lure end users into clicking on suspicious links embedded inside IM messages, enabling the activation of malicious code that compromised the security of host operating systems or applications."

Although threats are increasingly sophisticated in the virtual sphere, the simple occurrence of employees stealing company information on paper is still very real and prevalent in today's work space.

Step 2: Establish a Security Policy

These components of the standard provide the content that should be included as well as implementation guidance to set the foundation and authorization of the program.

To establish its authority, an information security policy should be developed, authorized by management, published, and communicated. It should apply to all information assets and must demonstrate management's commitment to the program. Explain its implications for work processes and the associated responsibilities, and outline them in employee job descriptions.

The security policy should be administered, documented, and periodically evaluated and updated to reflect organizational goals and lines of business. This is captured under clause 6 of the standard, organizing information security, which covers the administrative and management activities needed to implement the security policy. All activities must identify authorities, responsibilities, agreements, and external security requirements. This affects information processing facilities, external parties, access issues, and problem resolution measures. Keep a record of all policy administration activities so that the information security program has a documented history.

Step 3: Compile an Asset Inventory

This component of the standard addresses asset management, controls, and the protection thereof. It applies to all assets in tangible and intangible form.

Identify the organization's intellectual property (IP), the tools used to create and manage IP, and its physical assets in a detailed inventory, so the organization knows what resources it has, where they are located, and who is responsible for them. Identifying how assets are to be used, classified, labeled, and handled is necessary to establish an asset management inventory.

This inventory should also distinguish types, formats, and ownership control issues. Implement associated rules for the use of assets, including e-mail, Internet usage, and mobile devices. Classifying assets and establishing procedures for labeling and handling according to the classification scheme are also important. Documents in electronic form lend themselves to identification through metadata and completed document properties. However, these processes must all be carried out by staff. Although automating them is possible, an organization still faces extensive costs and resource coordination to address this piece.

Step 4: Define Accountability

This component of the standard addresses the human aspect of security; it applies to the accountability that employees, contractors, and third-party users have for protecting an organization's information assets.

An information security program will not be implemented unless roles and responsibilities are clearly articulated and understood by those having ownership in the program. Ideally, these roles and responsibilities should be outlined in job descriptions and documented in terms and conditions of employment.

Employees are part of the overall information security landscape and often they are the closest and best able to prevent certain incidents from occurring. HR is typically in charge of these issues, but they must collaborate with IT and RM to ensure that all information assets are addressed accordingly.

Define roles and responsibilities during pre-employment and screening processes, and perform background checks to support the hiring process. If the job mandates working with highly sensitive information, an organization must be on guard to hire the most qualified person to perform these tasks. These employees must possess a great deal of integrity, pay attention to detail, and take their responsibilities seriously.

Information security awareness, education, and training must be a routine activity to keep employees informed, to communicate expectations, and to provide updates on their responsibilities. Standardize a disciplinary process for security breaches.

When employees leave or change jobs, it is essential that HR, in collaboration with other stakeholders, follows through with a return-of-assets process and removal of access rights, which can be captured in HR exit processes and procedures. This is often not a coordinated process, which allows employees to walk off with information, or to leave masses of orphaned and unidentified information behind on servers and in physical work spaces. Redesign the HR exit interview to ensure that the return or transfer of information is a coordinated process.

Step 5: Address Physical Security

This component of the standard outlines all the requirements for physical security perimeters and authorized entry controls; measures for protecting against external and environmental threats; equipment security, utilities, and cabling considerations; and secure disposal or removal of storage equipment media.

An organization's buildings and premises, equipment, and information-processing facilities must be secured against unauthorized intrusion and access, and against theft. This applies mostly to facilities management and IT, although risk management should also participate to provide environmental risk protection measures.

Include guidelines for physical security perimeters, entry controls, environmental threats, and access patterns in this section. Also address supporting utilities, power, and telecommunication networks. Finally, secure the disposal and removal of equipment that holds information so that information is truly deleted or "wiped" clean from the slate.

Step 6: Document Operating Procedures

Procedures for system activities, change management controls, and segregation of duties are included in this component.

Any organizational program will be more established when program administration, policies, procedures, and related processes are formally documented. This component sets out to define operating procedures, instructions for the detailed execution thereof, and the management of audit trail and system log information. It applies to all facets of an information security program.

Formally documenting program activities will allow an organization to keep track of the development, implementation, and associated documentation for the program. Keep in mind that documentation does not magically appear through word processing programs. It takes resources, good writing skills, and an ability to change documentation when necessary.

Address the separation of development, test, and operational facilities to reduce the risk of unauthorized actions. Monitor and review third-party service delivery requirements to ensure that actions are carried out as mandated. Plan for, monitor, and update system resources, capacity management, and acceptance criteria, as necessary.

Constantly monitor and prepare to protect against malicious and mobile code to guard the integrity of system software and information. This especially pertains to increasingly sophisticated cybercrime techniques such as structured query language (SQL) injection and attacks targeting mobile devices. This should also cover incoming e-mails and downloadable attachments, as well as a review of webpages.

Backup and restoration procedures must provide for the replication of information and methods for dispersal and testing, meeting business continuity requirements. This should also address retention periods for archival information or those with long-term retention requirements. Address media preservation issues to ensure the longevity of media that have long-term retention requirements.

Address network infrastructure through network controls and management. This includes:

* Remote equipment and connections

* Public and wireless networks

* Authentication and encryption controls

* Firewalls and intrusion detection systems

* Media handling and transit methods

* Information classification, retention, and distribution policies and procedures

Although mobile devices have helped organizations stay better connected, employees must use more discretion when using them. Alert employees to proper etiquette for relaying information so they will not be overheard in elevators, airports, or on other public transportation.

Address electronic data interchange, e-commerce, online transactions, electronic signatures, electronic publishing systems, and electronic communication methods such as e-mail and IM. Their secure use and associated procedures must demonstrate accuracy, integrity, and reliability. For organizations using e-commerce, this is not an option, as current regulations are pushing this into the forefront of IT agendas. Organizations should also monitor their systems and record security events through audit logs. Also address records retention policies for archival or evidence requirements.

Step 7: Determine Access Controls

This component of the standard includes guidelines for establishing policies and rules for information and system access.

Practice standard methods for all users and system administrators to control access to and distribution of information. Policies should apply to users, equipment, and network services. Newer technologies, such as fingerprint readers tied to password management, come at a cost, but they should be evaluated as a password management tool.

Access control measures should include:

* Setting up user registration and deregistration procedures

* Allocating privileges and passwords

* Implementing a "clear desk and clear screen policy"

* Managing:

- Unattended equipment

- Virtual private network solutions

- Wireless networks and authentications

- Network service issues such as routing and connections

- Telecommuting virtual spaces and intellectual property rights

- Cryptographic keys and procedures

- Software development, testing, and production environments

- Program source code and libraries

- Change control procedures and documentation

- Patches, updates, and service packs

Any information system that an organization procures or develops must also include security requirements for valid data input, internal processing controls, and encryption protection methods. Document the integrity, authenticity, and completeness of transactions through checks and balances. Retain and archive system documentation for configurations, implementations, audits, and older versions. This is further detailed in clause 12 of the standard.

Step 8: Coordinate Business Continuity

This component of the standard includes reporting requirements, response and escalation procedures, and business continuity management.

As organizations increasingly come under attack and suffer security breaches, they must have some formalized manner of responding to these events.

Business continuity management addresses unexpected interruptions in business activities or counters those events that impede an organization's critical business functions. This process should include:

* Identifying risks and possible occurrences

* Conducting business impact analyses

* Prioritizing critical business functions

* Developing countermeasures to mitigate and minimize the impact of occurrences

* Compiling business continuity plans and setting up regular testing methods for plan evaluation and update

A business continuity management framework also includes emergency or crisis management tasks, resumption plans, recovery and restoration procedures, and training programs. Testing the plan is an absolute must to determine its validity. Tests can include a variety of methods to simulate and rehearse real-life situations. Develop calling trees and hot- and cold-site configurations, and arrange third-party contractors, depending on the organization's priority of critical business functions.

Report information security incidents or breaches as soon as possible, while all relevant details can still be recalled. This requires having feedback processes in place as well as establishing a list of contacts who are available around the clock to manage this process. Procedures should be consistent and effective to ensure orderly responses, not only to manage the immediate process but also to collect evidence for legal proceedings.

Step 9: Demonstrate Compliance

This component of the standard provides standards for intellectual property rights, RM requirements, and compliance measures. These apply to everything from an organization's information processing systems to the granular data and transactional records contained within those systems.

There is increased scrutiny on organizations to demonstrate compliance with applicable laws, regulations, and legislative requirements for all aspects of their business transactions. Adherence to rules and regulations is an integral part of the information security program and will contribute to demonstrating corporate accountability.

Address identification, categorization, retention, and stability of media for long-term retention requirements according to business and regulatory requirements. Document retention periods and associated storage media as part of managing the organization's records. Address privacy and personal data requirements, which can vary from one country to the next. Address transborder data flow and movement, and associated encryption methods as related to import and export issues depending on federal laws and regulations.

Follow up on and evaluate compliance with established policies and procedures to determine implementation effectiveness and possible shortcomings. Clearly delineate audit controls and tools to determine areas for improvement. Again, it is critical to take time to document all information related to the development and establishment of compliance and audit, including decisions made, resources involved, and other source documentation cited.

Data Breach Reporting Issues

New information security requirements are emerging as a result of organizations' failure to protect sensitive data and to impose adequate controls on employees using mobile technology to house such data. Information security issues are constantly in the media, as with the recent case in which the U.S. Department of Veterans Affairs (VA) lost control of the personal information of 28 million veterans when a laptop containing the information was stolen from an employee's home. The VA was criticized for its delay in disclosing the loss and notifying those affected.

California Senate Bill (SB) 1386 is setting the precedent for reporting and disclosing data security breaches and declarations for privacy and financial security. (See Figure 2 "California SB 1386 Excerpts, Source and Language Summary.") Other states are now adopting laws allowing consumers to "freeze" their credit files, even if they have not been victims of identity theft. If passed, pending bills in the U.S. Congress, including S.1408: Identity Theft Protection Act and H.R. 4127: The Data Accountability and Trust Act, would also force organizations to be more accountable for the vast amount of personal information that they may hold.

Organizations should take heed of these legislative efforts and proactively plan for them by updating their information security practices. Any organization that uses e-commerce in its business practices must align its systems and databases for the protection of information content. Organizations that are subject to these laws should structure their reporting measures according to the following components of the ISO 17799 standard:

* Clause 10.9 establishes electronic commerce countermeasures and cryptographic controls to protect sensitive customer information and all associated electronic records databases.

* Clause 13.1 provides a methodology for reporting incidents supported by timely procedures with appropriate behavior mechanisms and disciplinary processes.

Information Security Objectives and Records Management Components

Although information security is now in the limelight and is being brought to the attention of the executive-level audience, RM is still the basic foundation that branches out into all the various new compliance areas. Records managers need to work with IT to ensure that retention and vital records requirements are addressed and are part of the many inventories that the ISO standard suggests. They must also update their programs to be in line with an information security program's objectives as outlined in the controls and implementation guidance of the ISO 17799 standard.

Maintenance, retention, and protection requirements of data, information, and IP are addressed in the ISO clauses in Figure 3.

Vital records are those records that are needed to resume and continue business operations after a disaster and are necessary to recreate an organization's legal and financial position in preserving the rights of an organization's employees, customers, and stockholders. If vital records protection methods exist before an information security program is established, they should be integrated or referred to as part of the larger information security scheme. IP and the management and protection thereof have long been addressed by organizations through a vital records program. When electronic records were not prevalent, vital records protection methods included the same premises, such as:

* Appraisal and identification of those records that are deemed vital

* Duplication and dispersal processes

These methods can apply to any electronic environment but the inventories of such records must include not only the paper versions but also their electronic counterparts captured in other media or systems within the organization.

The objective to protect electronic vital records must focus on:

* Newly created records

* Work in progress

* Other information that is not stored on servers and is typically found on users' desktops

Although it can be argued that many electronic records are captured in enterprise resource planning systems, routine backups of this data may be recycled, so that long-term retention and protection requirements are not addressed.

Initially, allowing employees to transport laptops and other devices with large amounts of data away from the corporate environment was seen as a way to increase productivity. That is still the case, but controls in the form of policies as to what can and cannot be taken must be established and consistently enforced. As technology offers more ways to compact large amounts of data on very small devices, it is crucial to monitor and correct employees to prevent their actions from compromising the organization's responsibilities for keeping information safe. Establish, fund, and monitor training, support, and compliance to ensure that employees receive appropriate training before turning them loose with the tools.

Compliance also applies to information systems and their audit considerations. Administrators running an organization's information systems must be just as closely scrutinized as the employees within the organization and in virtual spaces.

Stay Ahead of the Curve to Stay Secure

While information security is the newest flavor of the month, chances are that many organizations have no program in place and, therefore, no control over how their employees manage information.

Organizations cannot continue to practice their business in an irresponsible manner. Using the ISO standard to structure their programs is the foundation, but they must also stay ahead of the curve, outguessing and outsmarting potential incidents and occurrences. Websites for information security are pervasive and provide both written materials and podcasts to help keep information professionals informed. Records managers and IT professionals can also help each other achieve a best practices program for information security.

However, any program that an organization initiates will need management support and resources to accomplish it. Collaboration by all parties, including senior management, is essential to achieve compliance in the space of information security.


Ellie Myler, CRM, and George Broadbent

Ellie Myler is a Certified Records Manager and Certified Business Continuity Professional and a 17-year veteran of the records management industry. A Senior Records Management Analyst with Entium Technology Partners LLC, Myler has previously served as a consultant to Fortune 500 companies in a wide spectrum of industries. She designs and customizes corporate governance programs for records management and business continuity program initiatives and writes and lectures frequently on information management and technology topics. She may be reached at

George Broadbent has more than 17 years of diversified system architecture, network design and implementation, and application development experience, including network management of Novell NetWare and Microsoft Windows 2000/2003 networks. He has designed and built local and wide area networks (LANs/WANs) that include the use of high-availability systems, real-time data replication and hierarchical storage solutions for large multi-site organizations. He has performed the architecture, design, implementation, deployment, and/or support of enterprise electronic mail systems with integrated electronic archiving solutions for Microsoft Exchange-based systems. He can be reached at

Copyright ARMA International Nov/Dec 2006
Provided by ProQuest Information and Learning Company. All rights Reserved
SystemExperts Launches Security Standard Compliance Offering

July 9 2007

ISO 17799/27002 Compliance Program Helps Organizations Achieve and Demonstrate Security Best Practice

SUDBURY, Mass. -- SystemExperts, a premier provider of IT compliance and network security consulting services, today announced the launch of its enhanced ISO 17799/27002 Compliance Program. Designed to help companies build effective security organizations, policies, and practices, SystemExperts's ISO 17799/27002 Compliance Program will be of value to organizations looking to measure or demonstrate the use of security best practices to prospective partners, ensure that security resources are applied wisely, and focus their efforts on activities that will address real business risk. The ISO 17799/27002 Compliance Program provides a cost-effective method for identifying weaknesses in security policies, practices, and mechanisms and addressing them through a structured program.

ISO 17799/27002 is an international standard that defines a comprehensive security framework. This balanced framework serves as the basis both for measuring an organization's effectiveness in addressing risk and for structuring an organization's overall security program.

The ISO 17799/27002 Compliance Program consists of three parts: education, assessment, and remediation. The education phase (Study Session) allows organizations to understand how the standard applies in the context of their unique business environment and risks. The assessment compares the company's practices to those specified in the standard. Next, the remediation phase allows companies to implement recommendations resulting from the assessment and achieve a level of compliance with the standard. After remediation is complete, SystemExperts provides a Compliance Statement. At each step, SystemExperts helps the organization identify security measures that address risks in a cost-effective manner.

"SystemExperts's ISO 17799/27002 Compliance Program has given Harvard Management Company a clear sense of what we are doing well, what we need to improve, and what we weren't doing at all. The preliminary Study Session helped us to understand what the standard is all about and how to apply it to our business," said John Bergen, Chief Information Officer of Harvard Management Company, the organization responsible for managing Harvard University's $30 billion endowment.

"The ISO 17799/27002 Compliance Program has proven useful to organizations looking for a cost-effective way of demonstrating compliance with an objective security standard. This enables organizations to eliminate the burden of repeatedly performing security reviews for prospective customers or business partners. In addition, SystemExperts's ISO 17799/27002 Compliance Statement makes it easy for organizations to communicate that they have a comprehensive security program in place," said Richard Mackey, vice president of SystemExperts.

Pricing and Availability:

SystemExperts's ISO Compliance Programs are tailored to meet an organization's specific needs. Base level pricing begins at $33,000.

About SystemExperts

Founded in 1994, SystemExperts(TM) Corporation is the premier provider of IT compliance and network security consulting services. The company's clients include many of the leading Wall Street firms, top-tier online retailers, and major manufacturers, as well as small businesses in a wide range of industries.

SystemExperts's consultants are world-renowned authorities who bring to every engagement a unique combination of business experience and technical expertise. Through a range of consulting services, based on signature methodologies, SystemExperts develops security architectures, performs network penetration and application vulnerability testing, develops security policies, provides emergency response to hacker attacks, and assesses compliance with relevant regulations and standards (ISO 17799/27002, PCI, SOX and HIPAA). Further information about SystemExperts can be found at or by calling 1 888-749-9800.

COPYRIGHT 2007 Business Wire
COPYRIGHT 2007 Gale Group