In the Information Security Space we believe that people are the strongest and weakest link in the attempt of securing ones IT resources. Security professionals are responsible for the making and breaking the best security systems developed till date.
The best method to validate ones attempt to provide an Effective Information Security Management is to first benchmark the same with BS 7799 Standard and then certify the same through an external vendor.
In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management.
In this final session we would attempt to understand the structure and steps involved in certification for BS7799.
A quick recap
Before we go in to the details of acquiring certification we need to go back and look at what constitutes the standard and what will a company be certified for:
ISO/IEC 17799:2000 (Part 1) is the standard code of practice , which can be regarded as a comprehensive catalogue of "the best things to do in Information Security"
BS7799-2: 1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). ISMS is the means by which Senior Management monitor can control their security, minimising the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements.
Please note that certification is against BS7799-2:1999.
In order to be awarded a certificate, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as Det Norske Veritas and BSI Assessment Services Limited).
The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.
The assessor will return periodically to check that your ISMS is working as intended.
Domains on which one would be assessed:
As discussed in the earlier sessions the company needs to prepare its policies and procedures, which would cover the following domains.:
•Security policy
•Security organisation
•Asset classification and control
•Personnel security
•Physical and environmental security
•Communications and operations management
•Access control
•Systems development and maintenance
•Business continuity management
•Compliance
Statement of applicability
BS 7799 requires a company to identify process and controls , which they practically work on. If for example the company does not require to outsource any of its functions to any external vendor they can state that 4.2.3.1 (Security Requirements in outsourcing contracts ) is not relevant to that particular organisation.
You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant.
Preparing oneself for Certification:
The traditional formula of PLAN …DO …CHECK and ACT works well with BS 7799 too and this is a good place to either start or review the progress of the implementation team.
Plan
While planning one has to particularly be careful of the Business Context with which the ISMS is being prepared, which would include defining business policy and objectives, estimating the scope of ISMS, deciding and collecting resources for conducting risk assessment and a definitive approach to Identification, Analyzing and Evaluating risks in a continuous mode.
Do
While implementing the ISMS the focus should always be to build a long run and faultless mechanism for managing risk. This would include evaluating options of going in for automated or manual systems. The ideal method is to strike a perfect balance between both the counts. BS7799 controls need to be addressed, as our ultimate objective is to acquire certification.
Deploy qualified and tested vendors to implement various products and solutions, which would be required. Preparation of the statement of applicability is also an important step where the management plays a important role.
Check
Here is where one has to get an external security audit team qualified to perform a third party security audit for BS7799. Certification companies like Det Norske Veritas can also help in finding qualified BS7799 consultants for companies interested in performing a pre assessment audit.
The audit team would check for appropriate controls and evidence of implementation.
For Example: If a company has prepared a policy for Contractual Agreements the company would have to submit the templates and documents where, third party contractors have signed documents for security.
Implementation would also include continuous monitoring of the ISMS from the perspective of satisfying business needs first and its practical validity in the organisation.
Act
After checking for flaws and vulnerabilities the company needs to improve ISMS by identifying key vulnerabilities and take appropriate corrective actions.
Preventive actions, for unseen but predictive incidents can be taken and polices to drive it into action can be framed in an appropriate time.
Communication and delivery of policies to IT users and IT team should be done with ease and determination. Cultural changes and differences, which arise should be tackled with justification and transparency. Management , partners and users should be trained on policies and procedures.
Creative techniques like designing
posters, which clearly states the rules such as PC usage and the best practice followed in Password Framing and Maintenance can go a long way in the success of the policies and procedures.
The 4 Step method of Certification
The Plan, Do, Check and Act framework is cyclic and has to be continuously done for long run and with the solid backing of the management.
We now come to Specifics of Certification Process
Step One
Desktop Review:
All documented polices and procedures need to be verified and checked for consistency and practicality. Corresponding templates and forms are presented to the Audit team.
One important check on documentation will be its validity and relevance to BS7799 controls.
The following documents needs to be presented
ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.
Step Two
Technical Review
The definition and implementation of Security Architecture with its various products and networking components are checked for vulnerabilities and possible risk exposure.
The company would also need to submit a document stating the ‘permissible risk’ statement; this is the risk, which the company can afford to take.
Step Three
Internal Audit
The team of BS7799 implementers and BS7799 professionals can take up an initial Internal audit where non-conformances are picked up and recommendations are documented.
This step involves simulation of the real time third party audit and has to be taken seriously among the team and users of IT in the company.
Step Four
External Audit- Certification
Inviting the Certification Company is pre determined and the company gets ready to face the external auditors.
The company consultants and internal team would not be allowed to be part of the audit team.
They can assist and help auditors find relevant material.
The auditors check for documentation and objective evidence with the following intention.
- Are records Correct and Relevant?
- Are polices Known and Tested?
- Are policies Communicated?
- Are controls Implemented?
- Are Polices Followed up?
- Are preventive Actions taken?
The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.
Conclusion
After the audit, the certification company recommends the said company for BS7799 Certification. This is certainly a victory for the IT team as they can be assured that its IT systems are world class and the possibility of a security incident happening is minimum.
To summarize the series ., BS7799 is a culture one has to build in the company, which would help one:
- Heighten security awareness within the organisation
- Identify critical assets via the Business Risk Assessment
- Provide a structure for continuous improvement
- Be a confidence factor internally as well as externally
- Enhance the knowledge and importance of security-related issues at the management level
- Ensure that "knowledge capital" will be "stored" in a business management system
- Enable future demands from clients, stockholders and partners to be met
Recommended Reading
- Information Security Management: An introduction (PD3000)
- Preparing for BS7799 Certification (PD3001)
- The Guide to BS7799 Risk Assessment and Risk Management (PD3002)
- Are you Ready for a BS7799 Audit? (PD3003)
- Guide to BS7799 Auditing (PD3004)
- Guide on selection of BS 7799 controls (PD3005)
- BS7799 : Part 1: 1999 Code of Practice for information security management
- BS7799 : Part 2: 1999 Specification for information security management systems
- EA Guidelines 7/03
BS7799 Interpretation Guide (Free Download): www.dnv.com
Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organization comprises of over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.
DNV started their operations in Region India in 1972 and have established itself as a Leading Classification Society. DNV has been providing Classification, Certification, Consultancy and Verification Services for the Marine, Offshore and Land based process industries ever since both for Public and Private Sectors.
DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management System and is a leading Certification Body in India for both Quality & Environment Management System Certification having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.
Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.
Source : http://www.computersecuritynow.com/7799part3.htm