Part 1 mainly dealt with the structure of the standard and its relevance to the Indian IT environment. Readers need to have a clear understanding that BS7799 has been designed by Security Experts who were the forerunners in the field of Information Security and were working in live business environment. Thus the standard is business driven and has a perfect co-relation to business units. This standard has to be interpreted for individual business units and has the flexibility to accommodate every possible IT environment.
This article would discuss the interpretation of the standard and some of the key areas in its implementation.
While interpreting the standard one has to consider and evaluate the human, procedural, environmental, technical and cultural aspects of the business unit. While implementing the standard, one has to weigh its own technical strength as far as Information Security Professionals are concerned. Without, a through technical assessment the results of the Implementation would not lead to certification. Thus a word of caution to readers would be that identification and management of risk to IT systems is a specialized activity and needs to be conducted in a controlled environment using professional assistance.
Where do you begin?
Understand the Importance of Information Security:
Every organization is unique with its own set of requirements and concerns. The company IT-Assets are exposed to various threats. More than 70% of the threat comes from Internal Sources.
Other threat agents can be Hackers, Former Employees, Contractors, Suppliers, Competitors and Customers.
Management is tight lipped about incidents and push matters under the carpet due to the fear of losing credibility among investors and customers.
In competitive environment where IT systems become Business Enhancers, one cannot afford to loose data and have a break down.
Building awareness is the starting point for a stronger Information Security Culture.
Educating top management for the need of an effective Information Security Management and the possible benefits to do the same is crucial for the success of a project.
Get Yourself Trained:
While selecting appropriate products and vendors for doing a technical risk assessment one has to understand, implement, maintain and sustain the investments made on Information security.
The Internet serves as a huge repository of material for beginners to advanced users. The best method is to work in live environments with security professionals and get hands-on experience on various products and process. Those who are fortunate enough to work on live sites can use Internet resources like mail lists and websites on security, study for certifications on security or even attend training programs conducted by Security Institutes.
Understand your Business Need:
Security is always a Business led activity. The investments made on Security should reflect the need for security measures, criticality of IT Resources and processes in the day-to-day functioning of business. To implement strong security systems one has to grasp the core need of Information Security in the Business and identify the critical business factors.
For Example: If a Financial Organisation has to heavily depend on IT resources to assimilate, calculate, interpret and present data on a hourly basis then the level of security would be higher than a company using IT resources for maintaining accounts and downloading company mail. To remain competitive the company cannot afford a down time of its Systems.
Assigning Responsibility:
The security organization structure is important to help give direction and a solid foundation to the implementation of a project. A designated Security Officer with a team of technical and procedural security professionals would make it a perfect mix for implementation. If the company chooses to use an external security company for consulting, the Security team could work hand in hand with the security company professionals. This will help companies maintain the systems and procedures drafted and implemented by the security team.
Choosing a vendor:
Various security consultants in the market have their own set of methodology and approach. Some of the parameters of selecting a vendor would be, firstly, the vendor should be an expert only on Information Security. One cannot boast of having a shop for software development, hardware sales and also Information Security. The field on Information Security is vast and complex and needs to have a focused approach. Secondly, the vendor needs to have done live assignments in India. We cannot have Polices for Indian companies based on US firms. Thirdly, the vendor needs to have a Quantitative Risk Assessment approach which takes into consideration technical and procedural checklists and lastly, the vendor should be willing to work with the team and share knowledge, which is important for the team to sustain the project even after the assignment is over.
Importance of Risk Assessment:
While designing and deploying a security strategy one has to ask two very important questions. One, What to protect and second, How much to protect? In simpler words what and how much risk is the business is exposed to?
To define risk:
Business risk is the threat that an event or action, which can adversely affect an organisation's ability to successfully, achieve its business objectives and execute its strategies.
The key success factor of IT systems is a through risk assessment and effective risk management. Risk assessment prepares the base on which one would build the ISMS (Information Security Management System)
The entire exercise starts with Asset Identification:
An important step towards achieving BS 7799 Certification is to identify and classify assets. BS779 Defines Risk Assessment as - assessment of threats to information, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence.
Every department would have assets, which they would consider important, without which one cannot continue work and achieve results. There could be assets, which would have higher or lesser value. Thus the most important asset would be need more protection and the lesser ones would require lower level of protection.
All assets in the company can be classified as:
People Assets: The number of professionals who are a part of the organisation.
Information Assets: Databases, data files, system documentation, user manuals, training material, operational and support procedures, intellectual property, continuity plans.
Paper Documents: Contacts, Company documentation, business results, HR records, Purchase documents invoices.
Software Assets: Application systems, development tools, and utilities.
Physical Assets: computers, servers, routers, hubs, firewalls, communication equipment, magnetic media, other equipment, cabinets, safes
Services: Computing, telecommunications, air-conditioning, water etc
Company Image and Reputation: Adverse publicity, Failure to deliver, Website defacement, Unable to provide connectivity to web server
Asset Classification:
Once the list of assets are identified the criticality of every asset has to be classified as
Unclassified: Considered publicly accessible. There are no requirements for access control or confidentiality.
Shared: Resources that are shared within groups or with people outside the organization.
Company Only: Access to be restricted to the internal employees only.
Confidential: Access to be restricted to a specific list of people.
This gets us to answer for "What to Protect"?
Now lets Understand How to Protect?
Technical Risk Assessment:
Penetration testing: After performing the Asset Identification exercise one has to move on testing specific devices which are critical to the running of the organisation. The first step towards doing testing is to find out if any external person can have access to the company information through the Internet. This is a specialized exercise, which requires a security professional abreast with the latest exploit and vulnerabilities from published and open sources. The professional needs to run various tests that would test the Internet Point of presence (i.e. Website) and security devices which protect these sites.
He would assume the role of a possible intruder and do all that he would do if he would like to break systems and cause harm.
The result of these tests would help one get an idea of the possible vulnerabilities on various servers.
Vulnerability Assessment: After performing an external test one needs to test the strength of various servers and operating systems available internally. This works as a second level of defense. Even if an intruder breaks the entry points he should be stopped at the internal points. Internal testing also facilitates the design of the Security Architecture.
A word of caution would be to allow only qualified and experienced professionals to operate these systems. All legal documents need to be signed before one has to complete the assignment.
Procedural Risk Assessment:
After conducting the technical risk assessment one needs to find out formal and informal polices and procedures followed in the company. This can be done with detailed questionnaires, which can help find out concerns of IT managers, IT users, Operations staff, Top Management, Divisional Heads and Technical Team.
A Gap Analysis Document can be created once the
Procedural Risk Assessment exercise completed.. This would help companies have a clear understanding of where they stand as far as acquiring the Certification is concerned.
Risk Management
Once the gaps in the systems are identified, one has to manage these risks and make sure that the possibility of these risks affecting the company is very low or in some cases totally eliminated. BS 7799 has been designed in such a manner that its 127 Control Clauses have addressed almost every Conceivable risk known to Information Systems.
The standard Defines Risk Management as -process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost
For Example: While conducting the procedural risk assessment one finds that while disposing old computer systems one does not erase or format the hard disk which goes along with the machine. So the risk is potential leakage of information, which is stored on the Hard Disk. This risk is addressed by Domain 8 Communications and operations management 8. which states that Media shall be disposed of securely and safely when no longer required.(4.6.6.2)
Creating of Security Policies and Procedures to Manage Risks Effectively
As in every Management System Security, Management is Policy driven and has to be driven and pushed in to an organisation. One has to take utmost care to address every concern expressed during the technical and
Procedural risk management exercise and prepare the documentation of the required polices (The list is only indicative and differs from organisation to organisation)
Logical Access Controls, Password Security & Controls, Network &
Telecommunication Security, Application Software Security, Program
Change Controls, Version Controls, Disaster Recovery Plan, Electronic Mail Security, Backup & Recovery, Internet access and security, Operating Systems Security, Incident Response and Management, Third Party Security, Data Classification, Web server Security, Intranet Security, Punitive Actions, Firewall Security, Use Of Cryptography, Digital Signature Security, Database Security, Virus Protection
Implementation of a effective risk management has various benefits and some of which could be enhanced understanding of business aspects, Reductions in security breaches and/or claims, Reductions in adverse publicity, Improved insurance liability rating, Identify critical assets via the Business Risk Assessment, Provide a structure for continuous improvement, Be a Confidence factor internally as well as externally, Enhance the knowledge and importance of security-related issues at the management level, Ensure that "knowledge capital" will be "stored" and managed in a business management systems.
Source : http://www.computersecuritynow.com/7799part2.htm