

Wednesday, August 29, 2007

Steps for implementing the ISO 17799 standard

Initiation of the Project
Ensure the commitment of upper management;
Select and train members of the initial project team.

Definition of the ISMS
(Information Security Management System)
Identifying the scope and limits of the information security management framework is crucial to the success of the project.

Risk Assessment
Identify and evaluate threats and vulnerabilities;
Calculate the value of associated risks;
Diagnose the level of compliance with ISO 17799;
Inventory and evaluate the assets to protect.

Risk Treatment
Find out how selecting and implementing the right controls can enable an organization to reduce risk to an acceptable level.

Training and Awareness
Employees may be the weakest link in your organization’s information security.

Audit Preparation
Learn how to validate your management framework and what must be done before you bring in an external auditor for BS 7799-2 certification.

Learn more about the steps performed by external auditors and about certification agencies accredited for BS 7799-2.

Greg Tilley
Infotech Enterprises America

ISO 17799 Benefits

- Compliance with governance rules for risk management.

- Better protection of the company’s confidential information.

- Reduced risk of hacker attacks.

- Faster and easier recovery from attack.

- Structured security methodology that has gained international recognition.

- Increased mutual confidence between partners.

- Potentially lower premiums for computer risk insurance.

- Improved privacy practices and compliance with privacy laws.

Certified Information Systems Security Professional (CISSP)

Certified Information Systems Security Professional (CISSP) is a vendor-neutral certification governed by the non-profit International Information Systems Security Certification Consortium (commonly known as (ISC)²). (ISC)² has certified over 49,000 information security professionals in more than 120 countries.[1] CISSP was the first certification to earn ANSI accreditation to ISO/IEC Standard 17024:2003, a global benchmark for assessing and certifying personnel. It is formally approved by the U.S. Department of Defense (DoD) in both its Information Assurance Technical (IAT) and Managerial (IAM) categories.[2] The certification is also endorsed by the U.S. National Security Agency (NSA) as the benchmark for information security.[3]

Common Body of Knowledge domains

The CISSP curriculum covers a wide range of subject matter in a variety of Information Security topics. The CISSP examination is based on ten domains which comprise the (ISC)² Common Body of Knowledge® (CBK), which are generally accepted as a compendium of industry best practices for information security, including:

* Access Control
* Application security
* Business Continuity and Disaster Recovery Planning
* Cryptography
* Information Security and Risk Management
* Legal, Regulations, Compliance and Investigations
* Operations Security
* Physical (Environmental) Security
* Security Architecture and Design
* Telecommunications and Network Security


Candidates for the CISSP must meet several requirements.

* They must have a minimum of four years of professional experience in information security. One year may be waived for having either a four-year college degree or a Master's degree in Information Security. Another year may be waived for possessing one of a number of other certifications from other organizations.[4]

* They must attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.[5]
* They must attest to lack of criminal history and related background.[5]

* They must pass the CISSP exam with a scaled score of 700 points or greater. The exam consists of 250 questions to be answered over a period of six hours.[6]

* They must have their qualifications endorsed by another CISSP or other qualified professional. The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.[6]

Specialized concentrations

Highly experienced information security professionals with an (ISC)² credential in good standing can progress to the (ISC)² Concentrations, which demonstrate rigorous knowledge of selected CBK® domains. Passing a concentration examination demonstrates proven capabilities and subject-matter expertise beyond that required for the CISSP or SSCP credentials.

Current concentrations for CISSPs include the:

* ISSAP, Concentration in Architecture
* ISSEP, Concentration in Engineering
* ISSMP, Concentration in Management

Ongoing certification

The CISSP credential is valid for only three years, after which it must be renewed. The credential can be renewed by re-taking the exam; however, the more common method is to report at least 120 Continuing Professional Education (CPE) credits since the previous renewal. CPEs can be earned through several paths, including taking classes, attending conferences and seminars, teaching others, undertaking volunteer work, professional writing, etc., all in areas covered by the CBK. Most activities earn 1 CPE for each hour of time spent; however, preparing (but not delivering) training for others is weighted at 4 CPEs/hour, published articles are worth 10 CPEs, and published books 40 CPEs.[7]

Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains. A new endorsement policy will also be in effect, requiring anyone who passes a CISSP, CAP®, or SSCP® exam to have their qualifications endorsed by another (ISC)² credential holder. These changes will not affect those who sit for an examination on or before 30 September 2007. For more information, please refer to the Experience Requirement Change FAQs.


IT professionals with the CISSP credential are in high demand. In 2005, CertMag surveyed 35,167 IT professionals in 170 countries on compensation and found the following.

“For the first time, the Salary Survey’s top five certification programs all reported average salaries of more than $100,000. Two programs from the International Information Systems Security Certification Consortium (ISC)2 led the list, with the Certified Information Systems Security Management Professional (CISSP-ISSMP) program drawing $116,970 annually and the Certified Information Systems Security Architecture Professional (CISSP-ISSAP) earning $111,870.”[8]

Criticisms of the CISSP examination

Some critics have raised the issues below concerning the CISSP examination, its contents, and its processes.

* The CISSP exam questions are difficult and unfair. The amount of knowledge crammed into a 250-question test makes the exam extremely difficult to pass in the time allotted, especially since the questions and cases are not always straightforward enough to understand.
* Critics say questions assume too much technical knowledge, requiring extensive knowledge of formulas, focus on obscure facts, or involve complex calculations.
* Critics say the CISSP exam covers information security topics "a mile wide, and an inch deep"[9] meaning the test has insufficient depth.
* The exam sometimes includes outdated information. Critics say that although organizations still use legacy technology, the exam should focus only on current technologies.
* Some questions on CISSP tests and information in the CBK® may be technically inaccurate or incomplete.
* The exam questions are US/Canada-centric, and even uniquely American sources like the Orange Book are included. ISC has a policy of not employing non-USA staff, which doesn't help.[citation needed]
* The CISSP test is formulated so that candidates are asked to choose the best answer from among a group of correct answers. Some feel these are "trick" questions that unnecessarily distract capable candidates.


  1. Member Counts (2007-04-11). Retrieved on 2007-06-04.
  2. U.S. Government, DoD 8570.01-M. Retrieved on 2007-03-23.
  3. NSA Partners with (ISC)² to Create New INFOSEC Certification (2003-02-27). Retrieved on 2007-06-04.
  4. CISSP® Professional Experience Requirement. (ISC)². Retrieved on 2007-04-27.
  5. CISSP® Applicant Requirements. (ISC)². Retrieved on 2007-04-27.
  6. How To Certify. (ISC)². Retrieved on 2007-04-27.
  7. CPE Credit Requirements. (ISC)². Retrieved on 2007-04-27.
  8. Sosbe, Tim; Emily Hollis, Brian Summerfield, Cari McLean (December 2005). "CertMag's 2005 Salary Survey: Monitoring Your Net Worth". Retrieved on 2007-04-27.
  9. Harris, Shon (2002). Mike Meyers' CISSP(R) Certification Passport, Mike Meyers' Certification Passports. McGraw-Hill, p. xxi. ISBN 0072225785.

Information Security Policies Address Top Federal Information Risks

A July 2007 report from The Identity Theft Task Force, commissioned by the Office of Management and Budget (OMB) and Department of Homeland Security (DHS), outlined ten "Common Risks Impeding the Adequate Protection of Government Information."

While most organizations are not subject to the same data protection laws as the Federal government (FISMA), many do require the same level of protection on sensitive information to comply with regulations such as HIPAA, GLBA and Sarbanes-Oxley. So this report can serve as a reminder for all organizations that must maintain an information security program.

Written information security policies are critical for compliance with any regulations. Even within FISMA, "Level 1" compliance for a given area of risk includes written security policies. In the next section we outline how our library of information security policies addresses each of the high-level risk areas identified in the report.

Addressing Common Risks

  1. Security and privacy training is inadequate and poorly aligned with the different roles and responsibilities of various personnel.

    ISPME (Information Security Policies Made Easy) contains pre-written information security policies that require formalized information security awareness and training, including policies to incorporate security requirements into job roles and department mission statements.

  2. Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.

    ISPME provides over 40 written policies that address security requirements in outsourcing contracts, including policies that require the ongoing monitoring of third-party security posture.

  3. Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.

    ISPME contains over 20 written policies describing data classification and labeling, including three and four-category classification schemes.

  4. Information is not appropriately scheduled, archived, or destroyed.

    ISPME contains over 50 written policies covering data classification, archival, de-classification and destruction.

  5. Suspicious activities and incidents are not identified and reported in a timely manner.

    ISPME contains 20 pre-written policies describing the proper reporting and handling of security incidents, including software malfunctions.

  6. Audit trails documenting how information is processed are not appropriately created or reviewed.

    ISPME contains over 100 written policies covering the proper auditing of systems security events, including policies to protect the audit logs.

  7. Inadequate physical security controls where information is collected, created, processed or maintained.

    ISPME contains over 40 written policies covering the physical security of IT processing facilities, including equipment location, access controls, environmental controls, and personnel access.

  8. Information security controls are not adequate.

    ISPME contains over 1500 individual controls covering all aspects of ISO 17799/27001.

  9. Inadequate protection of information accessed or processed remotely.

    ISPME contains over 100 policies on remote working, including remote access to networks, systems and data.

  10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines.

    ISPME contains over 20 written policies covering the acquisition and approval of systems based on security and privacy requirements.

To find out more about developing an information security policy, please request a free sample from our library of information security policies and written information security job-descriptions.


Common Risks Impeding the Adequate Protection of Government Information, a July 2007 report from The Identity Theft Task Force.

OMB Memorandum M-06-15, "Safeguarding Personally Identifiable Information," instructed senior agency officials for privacy to conduct a review of policy and processes.

Information Security Policy Controls to Reduce the Risk of Home-based Employee Access

Attackers follow the weakest link

The never-ending battle to secure the corporate desktop against viruses, unauthorized software, and spyware now consumes significant resources for many companies. However, as organizations continue to adopt security best practices to protect their networks, attackers are increasingly targeting the weakest link: the home internet user. Recent studies confirm that attacks against users' home computers present increasing risks to business.

Two "mega" trends are making it nearly impossible to ignore the home PC in the corporate security battle. First, the number and frequency of remote workers is growing rapidly. Second, rapidly evolving threats against the user's home PC and the prospect of large financial gain are creating new opportunities for hackers.

Attacks on home PCs on the rise

According to Symantec's September 2006 Internet Security Threat Report, home users are the most targeted attack sector, accounting for 86 percent of all targeted attacks. Newer, more sophisticated attacks use blends of adware, spyware and phishing to lure users into downloading new malicious code that is becoming harder to detect. As attack vectors move from corporate networks to personal computers, newer attacks exploit vulnerabilities in end-user applications such as web browsers and desktop applications, rather than servers and firewalls.

Most compromised home PCs become part of a growing army of "botnets". According to the Symantec report, in the first half of 2006 the company identified more than 4.6 million distinct, active bot network computers and observed an average of 57,717 active bot network computers per day during this period.

As internet crime has moved from simple bragging rights to big business, the second largest target is financial services businesses. For example, in October 2006 both the U.S. Securities and Exchange Commission (SEC) and Canada's Investment Dealers Association noted a drastic increase in online stock trading fraud over the preceding few months. Online brokerage accounts are being compromised at an alarming rate by keyloggers and other spyware. According to one report, E*Trade Financial suffered more than $18 million in losses from fraudulent online trades within a 90-day period.

A compromised home user's PC provides several avenues of attack against businesses, including compromised logon credentials, exposure of confidential information (via file sharing or uploading), and coordinated spam and DDoS attacks using botnets. With these attacks escalating, businesses must now consider how the security of a remote PC or laptop may pose a threat to their business.

Security Policy Considerations

So what types of information security policy controls can an organization put in place to help reduce the risk of corporate data being exposed in a home based attack? Let's look at the most common areas of risk and examine some possible security policies.

Password Controls - Networks and systems are still vulnerable to weak passwords and compromised login accounts. Having strong password controls, especially for any accounts with remote access to the network, is critical for protecting the network. An increasing number of breaches occur where attackers gain access to legitimate login information from third-party business partners and then use these credentials to steal information. Password complexity requirements, password histories, and password expiration are all critical controls to include in password policies.

A related password security policy is to prohibit users from using their corporate user IDs and passwords on public web sites that they may access from home. While sharing passwords between web sites is common for users who must remember a number of different passwords, a compromised online brokerage account can lead to a compromised network account if login credentials are shared.
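To make the three password controls named above concrete, here is an added example (not from the original article or from ISPME) of a small policy-enforcement module: it checks complexity on every password change, keeps a salted-hash history so that a reused password is rejected without storing plaintext, and flags accounts whose password is older than a maximum age. The policy values (12-character minimum, 10-entry history, 90-day maximum age) and the account data are constructed for the example, not taken from any standard.

```python
"""Password policy enforcement: complexity, history and expiration.

Added illustration; the policy numbers below are assumptions for the example.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed policy parameters (assumptions, not from any specific standard).
MIN_LENGTH = 12
HISTORY_DEPTH = 10            # number of previous passwords that may not be reused
MAX_AGE = timedelta(days=90)  # password expiration
PBKDF2_ITERATIONS = 100_000   # work factor for stored history hashes


def complexity_errors(password: str) -> List[str]:
    """Return a list of complexity rules the password fails (empty if it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        errors.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("no symbol")
    return errors


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; history stores only these digests, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str
    # Each history entry keeps its own salt so digests cannot be compared across users.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), oldest first
    changed_at: Optional[datetime] = None

    def password_expired(self, now: datetime) -> bool:
        """An account that has never set a password is treated as expired (forced change)."""
        if self.changed_at is None:
            return True
        return now - self.changed_at > MAX_AGE

    def reuses_recent_password(self, candidate: str) -> bool:
        """Hash the candidate with each recent entry's salt and compare in constant time."""
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False

    def change_password(self, new_password: str, now: datetime) -> List[str]:
        """Apply the policy; on success record the new hash and return an empty error list."""
        errors = complexity_errors(new_password)
        if self.reuses_recent_password(new_password):
            errors.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.append((salt, hash_password(new_password, salt)))
        self.changed_at = now
        return []


if __name__ == "__main__":
    # Constructed walk-through of the three controls.
    acct = Account("alice")
    t0 = datetime(2007, 1, 1)
    print(acct.change_password("short", t0))            # several complexity errors
    print(acct.change_password("Correct-Horse-1", t0))  # [] (accepted)
    print(acct.change_password("Correct-Horse-1", t0))  # rejected: history
    print(acct.password_expired(t0 + timedelta(days=91)))  # True
```

Expiration and history are checked from stored metadata only, so the same module can drive a "must change password" prompt at remote-access logon without ever seeing the old plaintext.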

Restricting Data Transfer - Organizations should restrict users from taking sensitive information out of the corporate network and making copies of the data to use at home or on the road. Using flash drives and other portable devices, it is easy for users to make copies of sensitive data and move them to laptops or home PCs. In 2006 alone, there were over 50 different reported cases of stolen laptops that contained sensitive corporate data.

Organizations can help restrict the flow of sensitive information by auditing or restricting access to USB drives or CD-ROM backup drives. Only certain privileged users should be allowed to remove sensitive information from the company network or physical locations. When sensitive data is removed, it should always be password protected and stored in encrypted format.

Requiring basic PC protection - Organizations should consider updating their Acceptable Use policies to require that users accessing corporate networks from home employ basic security measures on their PC, including, at a minimum, antivirus and spyware detection. While this type of policy is very difficult to enforce using today's technology, organizations can start by requiring users to sign an agreement that they have these controls in place as part of a provisioning process for remote access. Organizations can aid users by providing access to pre-approved software that has been shown to be effective in the home environment.

User Education and Awareness - Of course, educating users is still one of the most effective controls for reducing the risk of home-based security incidents. Many organizations with a large base of users are including education on protecting the home PC as part of their standard corporate security awareness. Not only does this type of education help reduce corporate risk, it gives the end user a reason to be motivated to learn about information security principles.

Some organizations now require their users to pass a basic security awareness quiz before being allowed access to corporate resources. It would be appropriate to add the knowledge of how to protect home-based PCs and laptops as part of a standard body of knowledge required for remote access to company information.


Information Security Policies Made Easy, Version 10 - A complete library of information security policies, including policies for personnel security.

Information Security Roles & Responsibilities Made Easy, Version 2 - An extensive library of documented information security requirements for various organizational roles.

Privacy Management Toolkit, Version 1 - A complete resource for managing customer and employee privacy based on OECD Fair Information Principles.

Other Security Policy and Data Privacy Whitepapers

Security Policy and Responsibility

By David Lineman

Last month we discussed the security policy problems revealed within the Department of Veterans Affairs (VA) in the wake of the highly public data breach, including the firing of two employees responsible for information security. Over the last month, employees at both AOL and Ohio University were terminated or resigned in the aftermath of data privacy breaches. All of these cases point to some interesting security policy questions for all organizations to consider.

Security Scapegoats?

While termination seems to be an obvious step to attempt to restore customer confidence, in both cases serious questions were raised about the overall security and privacy practices of the entire organization. In the wake of very damaging or embarrassing data breaches, some organizations seem to focus the blame on individuals, rather than on weaknesses of internal policies and procedures.

In the past, similar incidents have resulted in lawsuits for improper termination, since many organizations failed to clearly communicate their data security and privacy policies to all employees. In the case of Ohio University, lawyers have already made statements for the fired employees indicating that they were improperly targeted. Similar statements were made by ex-employees of the VA.

Security Policy Lessons

These incidents and their public fall-out raise some important questions for organizations concerned with policy creation, education and enforcement:

Question: Do your information security policies cover sanctions against employees? Is the language in the policies specific to violation of existing corporate policies?

In neither of these cases did the public statements mention that employees were violating any specific policy, but instead seemed to indicate that the employees should have "known better." AOL CEO Jon Miller in an internal memo stated that "This incident took place because some employees did not exercise good judgment or review their proposal with our privacy team. We are taking appropriate action with the employees who were responsible."

The fundamental question here is whether or not an employee should be fired for making mistakes, especially in areas where there is very little official guidance on how employees can operate safely with sensitive data. While we are not attempting to judge the legality of such actions, evidence suggests that terminating employees without proper cause or documentation will create problems.

During a risk-assessment or policy update phase, organizations would do well to consider what would happen in their own organization if an individual makes a mistake that causes an information security and privacy breach. What should be done if the organizational policies only address violation of stated policy?

Question: Does your organization clearly communicate information security and privacy policies to users based on their role in the organization?

Organizations that wish to terminate employees for violation of company policy should take great care to have their information security and privacy policies clearly documented and communicated.

In the case of AOL, it is not clear if there was a corporate privacy policy that prohibited researchers from using data without consulting the privacy group. But other data casts some doubt. Public statements by AOL suggest that they are now taking a serious look at their internal policies. Public response to the AOL incident included allegations that sensitive search data should be destroyed as part of a regular data destruction policy.

In a separate statement, Ohio University announced a 20-point plan to improve information security at the school, which has about 16,640 undergraduate students and 862 full-time faculty members on its Athens campus.

Question: Are information security and privacy responsibilities clearly documented in job responsibilities?

In the case of the VA and Ohio University, the terminated employees had direct responsibility for information security. Even so, statements from the attorneys of fired employees seem to raise some questions as to which systems the individuals were responsible for.

In the case of AOL, the employees were doing research on web searches. Company statements indicate that there were no official procedures in place for protecting customer privacy, but that the employees "were to consult the privacy team" before posting their research.

While we can only extrapolate from these public statements, the common thread in all of these cases is poor documentation of information security responsibilities. While having information security policies is critical, they are much more effective when they are tied to the specific responsibilities of various job roles. Organizations that take this more structured approach will not only have better security, but will be better prepared for any sanctions.


Information Security Policies Made Easy, Version 10 - A complete library of information security policies, including policies for personnel security.

Information Security Roles & Responsibilities Made Easy, Version 2 - An extensive library of documented information security requirements for various organizational roles.

Privacy Management Toolkit, Version 1 - A complete resource for managing customer and employee privacy based on OECD Fair Information Principles.


We are a financial institution that would like to start the process of becoming compliant with the ISO 17799 Information Security Management System (ISMS). What would be the proper initial steps recommended for such a process in terms of training, preparation, building security policies, etc.?

Response from Rebecca Herold:

It is first of all important to understand that there is currently no certification or registration under ISO 17799. There is formal registration under BS 7799, the forerunner of ISO 17799. ISO 17799 is the Information Technology Code of Practice for Information Security Management. It establishes 127 controls under what was just recently (this June) updated to 11 headings. BS 7799-2:2002 is the Information Security Management Systems Specification With Guidance For Use. It provides for the implementation of ISO 17799. BS 7799-2:2002 is currently the only internationally recognized security standard under which your ISMS can be formally registered. An organization can have an ISMS that conforms to BS 7799 as demonstrated by an internal or external analysis that is less formal than that required for registration. However, ISMS registration under BS 7799 is governed by international standards and requires a formal audit process.

Creating a BS 7799-conformant ISMS is a good thing not only for information security, but for business as well. A few of the information security benefits include:

  • Establishes a holistic, quality management-based security and privacy program that also provides verifiable evidence
  • BS 7799 registration is quickly recognized worldwide as a security and privacy differentiator
  • When implemented properly and successfully, an ISMS will significantly limit security and privacy breaches that can cost millions (e.g., lost information, fines/penalties, downtime, internal/external threats, consumer driven litigation, and so on)
  • Provides a documented and repeatable process for information security and privacy corporate governance
  • Ensures that security and privacy is built into all levels of an organization and that all employees are educated on security and privacy as they relate to the business
  • Reduces operational risk by mitigating vulnerabilities

The business impacts are also significant:

  • Brings organizations more confidently and demonstrably into conformance with legal, regulatory, and statutory requirements, such as HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley, California SB1386, 21 CFR Part 11, the EU Data Protection Directive, Canada's PIPEDA, as well as many other laws, regulations and industry best practices
  • Provides an organization with market differentiation resulting from a more positive company image and external goodwill parameters, and could very well positively affect the asset or share value of the organization
  • Demonstrates credibility for, and trust in how, the organization protects information, leading to increased satisfaction and confidence of stakeholders, partners, and customers
  • Reduces liability risk and demonstrates due diligence. Can also lower business insurance premiums.
  • Improves business continuity by minimizing internal and external risks
  • Demonstrates management support for internationally accepted security and privacy principles and practices

Here at a very high level are the initial recommended steps to build an ISMS that conforms to BS7799/ISO17799:

    1. Become familiar with ISO 17799 and BS7799. A new version of ISO 17799 was just released at the beginning of June.
    2. Determine the scope for which you want to base your ISMS. Many organizations try to cover the entire organization, but quickly find the scope is far too large to realistically handle. Identify the key areas you want to cover, address them, and then you can always expand your ISMS out to include other areas.
    3. Determine your information security and privacy regulatory, legal, industry, and self-imposed policy requirements.
    4. Select and validate the controls you need for your program. Evaluate your security and privacy policies, procedures, standards, guidelines, and plans. Evaluate your existing security and privacy activities, systems and tools.
    5. Perform a high-level gap analysis to see where your greatest weaknesses exist.
    6. Create a high-level ISMS compliance road map to close the gaps.
    7. Create a detailed ISMS design and implementation plan to support the road map.
    8. Determine resources for performing the implementation steps and identify where you will need outside help, if applicable.
    9. Launch training and awareness throughout the organization for the ISMS. This will be an ongoing process as training and awareness requirements change as the ISMS matures.

There are different approaches to BS 7799 conformance. The one that you choose will depend upon your goals. In order to claim that your ISMS conforms to BS 7799, you must rely on an audit process. This audit process may be formal or informal. The goal of a formal audit is to register your ISMS under BS 7799. This is called a Registration Audit.

  • You may choose to use internal resources to demonstrate that your ISMS conforms to BS7799. In the international standards world of quality management, this is known as a 1st Party Audit since you are auditing with your own personnel.
  • You may choose to have a qualified, independent third party show that your ISMS conforms to BS 7799. In the international standards world of quality management, this is called a 3rd Party Audit since the auditor is not part of your organization. A goal of a 3rd Party Audit can be formal registration under BS 7799. Of course, you might choose to use an independent, outside consultant to check to see if your ISMS conforms to BS 7799. However, it is a Certificate of Registration that results from a formal Registration Audit that has the weight of the international standard.
  • You may also choose to have qualified personnel audit part or all of your supply chain. In the international standards world of quality management, this is called a 2nd Party Audit since you are auditing second parties (your suppliers). This is a vehicle by which business partners can show that they have appropriate and required controls on the information with which you've trusted them. They objectively demonstrate that their ISMSs conform to BS7799. Of course, you may retain the services of independent, third party auditors for this purpose.

Keep in mind many security incidents have actually been the result of mistakes and poor practices by third party vendors who were performing information activities for other companies; it was the primary company (e.g., Bank of America, Time-Warner and so on) that actually made the headlines, and whose business was most impacted. Accordingly, requiring business partners to conform to BS7799 helps to protect your organization from the business partner security and privacy inadequacies.

Each country has a limited number of organizations that register conformance with international standards such as BS7799. For example, Bureau Veritas Quality International (BVQi) and the British Standards Institute (BSI) are two organizations that operate in the US and internationally to register ISMSs. These registrars can provide you with lists of consultants who are qualified to assist organizations with their ISMS activities. It is important to use qualified auditors.

It is important to note that bringing an ISMS into registered and certified conformance with BS7799 is no small activity; it is a rigorous process. You cannot simply use BS7799 as a checklist. After familiarization with the standard, the most important step is to identify the scope of the ISMS that you want to register. There are some good guidance documents for estimating times for performing such a conformance certification based upon scope at the BVQi and BSI websites.
