Friday, November 2, 2007

Certification : BS 7799

In the information security space we believe that people are both the strongest and the weakest link in the attempt to secure one's IT resources. Security professionals are responsible for both making and breaking the best security systems developed to date.

The best method to validate one's attempt at effective Information Security Management is first to benchmark it against the BS 7799 standard and then to have it certified by an external body.

In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management.

In this final session we attempt to understand the structure of, and the steps involved in, certification for BS7799.

A quick recap

Before we go into the details of acquiring certification we need to go back and look at what constitutes the standard and what a company will be certified for:

ISO/IEC 17799:2000 (Part 1) is the standard code of practice, which can be regarded as a comprehensive catalogue of "the best things to do in Information Security".

BS7799-2:1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). The ISMS is the means by which senior management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.

Please note that certification is against BS7799-2:1999.

In order to be awarded a certificate, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as Det Norske Veritas and BSI Assessment Services Limited).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Domains on which one would be assessed:

As discussed in the earlier sessions, the company needs to prepare its policies and procedures, which would cover the following domains:

  • Security policy
  • Security organisation
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Systems development and maintenance
  • Business continuity management
  • Compliance

Statement of applicability

BS 7799 requires a company to identify the processes and controls that actually apply to it. If, for example, the company does not outsource any of its functions to an external vendor, it can state that 4.2.3.1 (Security requirements in outsourcing contracts) is not relevant to that particular organisation.

You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant.

Preparing oneself for Certification:

The traditional formula of PLAN, DO, CHECK and ACT works well with BS 7799 too, and it is a good place either to start or to review the progress of the implementation team.

Plan

While planning, one has to be particularly careful about the business context in which the ISMS is being prepared. This includes defining business policy and objectives, defining the scope of the ISMS, deciding on and assembling the resources for conducting risk assessment, and settling on a definitive approach to identifying, analysing and evaluating risks on a continuous basis.

Do

While implementing the ISMS the focus should always be on building a durable and reliable mechanism for managing risk. This includes evaluating the options of automated or manual systems; the ideal is to strike a balance between the two. BS7799 controls need to be addressed, since the ultimate objective is to acquire certification.

Deploy qualified and tested vendors to implement the various products and solutions that are required. Preparation of the statement of applicability is also an important step in which management plays an important role.

Check

Here one has to engage an external security audit team qualified to perform a third-party security audit for BS7799. Certification companies like Det Norske Veritas can also help in finding qualified BS7799 consultants for companies interested in performing a pre-assessment audit.

The audit team would check for appropriate controls and evidence of implementation.

For example: if a company has prepared a policy for contractual agreements, the company would have to submit the templates and documents in which third-party contractors have signed up to security requirements.

Implementation would also include continuous monitoring of the ISMS from the perspective of satisfying business needs first and its practical validity in the organisation.

Act

After checking for flaws and vulnerabilities, the company needs to improve the ISMS by identifying key vulnerabilities and taking appropriate corrective actions.

Preventive actions for incidents that have not yet occurred but can be predicted can be taken, and policies to drive them into action can be framed in good time.

Communication and delivery of policies to IT users and the IT team should be done with ease and determination. Cultural changes and differences that arise should be tackled with justification and transparency. Management, partners and users should be trained on policies and procedures.

Creative techniques such as designing posters that clearly state rules such as PC usage and the best practice for password creation and maintenance can go a long way toward the success of the policies and procedures.

The 4 Step method of Certification

The Plan, Do, Check and Act framework is cyclic and has to be repeated continuously over the long run, with the solid backing of management.

We now come to the specifics of the certification process.

Step One

Desktop Review:

All documented policies and procedures need to be verified and checked for consistency and practicality. Corresponding templates and forms are presented to the audit team.

One important check on documentation will be its validity and relevance to BS7799 controls.

The following documents need to be presented:

ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.

Step Two

Technical Review

The definition and implementation of the security architecture, with its various products and networking components, are checked for vulnerabilities and possible risk exposure.

The company would also need to submit a document stating its 'permissible risk'; this is the risk that the company can afford to take.

Step Three

Internal Audit

The team of BS7799 implementers and BS7799 professionals can take up an initial internal audit in which non-conformances are picked up and recommendations are documented.

This step simulates the real third-party audit and has to be taken seriously by the team and by the users of IT in the company.

Step Four

External Audit- Certification

The date for inviting the certification company is predetermined, and the company gets ready to face the external auditors.

The company's consultants and internal team are not allowed to be part of the audit team.

They can, however, assist and help the auditors find relevant material.

The auditors check documentation and objective evidence with the following questions in mind:

  • Are records correct and relevant?
  • Are policies known and tested?
  • Are policies communicated?
  • Are controls implemented?
  • Are policies followed up?
  • Are preventive actions taken?

The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.

Conclusion

After the audit, the certification company recommends the company for BS7799 certification. This is certainly a victory for the IT team, as it can be assured that its IT systems are world class and that the possibility of a security incident is minimal.

To summarize the series: BS7799 is a culture that has to be built in the company, which would help one:

  • Heighten security awareness within the organisation
  • Identify critical assets via the Business Risk Assessment
  • Provide a structure for continuous improvement
  • Be a confidence factor internally as well as externally
  • Enhance the knowledge and importance of security-related issues at the management level
  • Ensure that "knowledge capital" will be "stored" in a business management system
  • Enable future demands from clients, stockholders and partners to be met

Recommended Reading

  • Information Security Management: An introduction (PD3000)
  • Preparing for BS7799 Certification (PD3001)
  • The Guide to BS7799 Risk Assessment and Risk Management (PD3002)
  • Are you Ready for a BS7799 Audit? (PD3003)
  • Guide to BS7799 Auditing (PD3004)
  • Guide on selection of BS 7799 controls (PD3005)
  • BS7799 : Part 1: 1999 Code of Practice for information security management
  • BS7799 : Part 2: 1999 Specification for information security management systems
  • EA Guidelines 7/03

BS7799 Interpretation Guide (Free Download): www.dnv.com

Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organization comprises over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.

DNV started operations in India in 1972 and has established itself as a leading classification society. DNV has been providing classification, certification, consultancy and verification services for the marine, offshore and land-based process industries ever since, for both the public and private sectors.

DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management System and is a leading Certification Body in India for both Quality & Environment Management System Certification having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.

Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.


Source : http://www.computersecuritynow.com/7799part3.htm

Implementation : BS7799

Part 1 mainly dealt with the structure of the standard and its relevance to the Indian IT environment. Readers need to have a clear understanding that BS7799 was designed by security experts who were forerunners in the field of information security and were working in live business environments. Thus the standard is business driven and has a close correlation to business units. The standard has to be interpreted for individual business units and has the flexibility to accommodate every possible IT environment.

This article discusses the interpretation of the standard and some of the key areas in its implementation.

While interpreting the standard one has to consider and evaluate the human, procedural, environmental, technical and cultural aspects of the business unit. While implementing the standard, one has to weigh one's own technical strength in terms of information security professionals. Without a thorough technical assessment, the results of the implementation would not lead to certification. Thus a word of caution to readers: identification and management of risk to IT systems is a specialized activity and needs to be conducted in a controlled environment using professional assistance.

Where do you begin?

Understand the Importance of Information Security:

Every organization is unique, with its own set of requirements and concerns. A company's IT assets are exposed to various threats. More than 70% of the threat comes from internal sources.

Other threat agents can be hackers, former employees, contractors, suppliers, competitors and customers.

Management is often tight-lipped about incidents and sweeps matters under the carpet for fear of losing credibility among investors and customers.

In a competitive environment where IT systems become business enhancers, one cannot afford to lose data or suffer a breakdown.

Building awareness is the starting point for a stronger information security culture.

Educating top management on the need for effective Information Security Management and the possible benefits of doing so is crucial to the success of a project.

Get Yourself Trained:

Beyond selecting appropriate products and vendors for a technical risk assessment, one has to understand, implement, maintain and sustain the investments made in information security.

The Internet serves as a huge repository of material for beginners to advanced users. The best method is to work in live environments with security professionals and get hands-on experience with various products and processes. Those who are fortunate enough to work on live sites can also use Internet resources like mailing lists and websites on security, study for security certifications, or attend training programs conducted by security institutes.

Understand your Business Need:

Security is always a business-led activity. The investment made in security should reflect the need for security measures and the criticality of IT resources and processes in the day-to-day functioning of the business. To implement strong security systems one has to grasp the core need for information security in the business and identify the critical business factors.

For example: if a financial organisation has to depend heavily on IT resources to assimilate, calculate, interpret and present data on an hourly basis, then the level of security would be higher than for a company using IT resources only for maintaining accounts and downloading company mail. To remain competitive, the financial company cannot afford downtime of its systems.

Assigning Responsibility:

The security organization structure is important in giving direction and a solid foundation to the implementation of a project. A designated Security Officer with a team of technical and procedural security professionals would make the perfect mix for implementation. If the company chooses to use an external security company for consulting, the security team can work hand in hand with the security company's professionals. This will help companies maintain the systems and procedures drafted and implemented by the security team.

Choosing a vendor:

The various security consultants in the market each have their own methodology and approach. Some of the parameters for selecting a vendor would be: firstly, the vendor should be an expert specifically in information security. One cannot boast of having a shop for software development, hardware sales and also information security; the field of information security is vast and complex and needs a focused approach. Secondly, the vendor needs to have done live assignments in India; policies for Indian companies cannot simply be copied from US firms. Thirdly, the vendor needs to have a quantitative risk assessment approach that takes into consideration technical and procedural checklists. Lastly, the vendor should be willing to work with the team and share knowledge, which is important for the team to sustain the project even after the assignment is over.

Importance of Risk Assessment:

While designing and deploying a security strategy one has to ask two very important questions: first, what to protect, and second, how much to protect? In simpler words, what risk is the business exposed to, and how much?

To define risk:

Business risk is the threat that an event or action will adversely affect an organisation's ability to achieve its business objectives and execute its strategies.

The key success factor for IT systems is a thorough risk assessment and effective risk management. Risk assessment prepares the base on which one builds the ISMS (Information Security Management System).

The entire exercise starts with Asset Identification:

An important step towards achieving BS 7799 certification is to identify and classify assets. BS7799 defines risk assessment as the assessment of threats to information, impacts on and vulnerabilities of information and information processing facilities, and the likelihood of their occurrence.

Every department has assets that it considers important, without which it cannot continue work and achieve results. Some assets have higher value and some lower. Thus the most important assets need more protection, and the lesser ones require a lower level of protection.

All assets in the company can be classified as:

  • People assets: the professionals who are part of the organisation.
  • Information assets: databases, data files, system documentation, user manuals, training material, operational and support procedures, intellectual property, continuity plans.
  • Paper documents: contracts, company documentation, business results, HR records, purchase documents, invoices.
  • Software assets: application systems, development tools and utilities.
  • Physical assets: computers, servers, routers, hubs, firewalls, communication equipment, magnetic media, other equipment, cabinets, safes.
  • Services: computing, telecommunications, air-conditioning, water, etc.
  • Company image and reputation: exposed to adverse publicity, failure to deliver, website defacement, inability to provide connectivity to the web server.

Asset Classification:

Once the list of assets is compiled, the criticality of every asset has to be classified as:

  • Unclassified: considered publicly accessible. There are no requirements for access control or confidentiality.
  • Shared: resources that are shared within groups or with people outside the organization.
  • Company only: access restricted to internal employees only.
  • Confidential: access restricted to a specific list of people.

This answers the question "What to protect?"

Now let us understand how to protect.

Technical Risk Assessment:

Penetration testing: after performing the asset identification exercise one has to move on to testing the specific devices that are critical to the running of the organisation. The first step is to find out whether any external person can gain access to company information through the Internet. This is a specialized exercise that requires a security professional who is abreast of the latest exploits and vulnerabilities from published and open sources. The professional needs to run various tests of the Internet point of presence (i.e. the website) and of the security devices that protect these sites.

The tester assumes the role of a possible intruder and does what an intruder would do to break into the systems and cause harm.

The results of these tests give an idea of the possible vulnerabilities on the various servers.

Vulnerability assessment: after performing the external test one needs to test the strength of the various servers and operating systems available internally. This works as a second level of defence: even if an intruder breaks through the entry points, he should be stopped at the internal points. Internal testing also facilitates the design of the security architecture.

A word of caution: only qualified and experienced professionals should be allowed to operate these systems, and all legal documents need to be signed before the assignment is undertaken.

Procedural Risk Assessment:

After conducting the technical risk assessment one needs to find out the formal and informal policies and procedures followed in the company. This can be done with detailed questionnaires, which help to uncover the concerns of IT managers, IT users, operations staff, top management, divisional heads and the technical team.

A gap analysis document can be created once the procedural risk assessment exercise is completed. This helps companies gain a clear understanding of where they stand as far as acquiring certification is concerned.

Risk Management

Once the gaps in the systems are identified, one has to manage these risks and make sure that the possibility of their affecting the company is very low or, in some cases, eliminated altogether. BS 7799 has been designed so that its 127 control clauses address almost every conceivable risk known to information systems.

The standard defines risk management as the "process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost".

For example: while conducting the procedural risk assessment one finds that when old computer systems are disposed of, the hard disk that goes with the machine is not erased or formatted. The risk is potential leakage of the information stored on the hard disk. This risk is addressed by Domain 8, Communications and operations management, which states that "Media shall be disposed of securely and safely when no longer required" (4.6.6.2).

Creation of Security Policies and Procedures to Manage Risks Effectively

As in every management system, security management is policy driven and has to be driven and pushed into an organisation. One has to take the utmost care to address every concern expressed during the technical and procedural risk assessment exercises and to prepare the documentation of the required policies. The following list is only indicative and differs from organisation to organisation:

Logical access controls, password security and controls, network and telecommunication security, application software security, program change controls, version controls, disaster recovery plan, electronic mail security, backup and recovery, Internet access and security, operating systems security, incident response and management, third-party security, data classification, web server security, intranet security, punitive actions, firewall security, use of cryptography, digital signature security, database security, virus protection.

Implementation of effective risk management has various benefits, some of which are:

  • Enhanced understanding of business aspects
  • Reductions in security breaches and/or claims
  • Reductions in adverse publicity
  • Improved insurance liability rating
  • Identification of critical assets via the business risk assessment
  • A structure for continuous improvement
  • A confidence factor internally as well as externally
  • Enhanced knowledge of, and importance given to, security-related issues at the management level
  • Assurance that "knowledge capital" will be "stored" and managed in a business management system

Source : http://www.computersecuritynow.com/7799part2.htm

Key Components of the Standard : BS 7799 (ISO 17799)

The standard is divided into two parts:

BS 7799 Part 1 (ISO 17799:2000 standard): Code of Practice for Information Security Management

BS 7799 Part 2: specifies requirements for establishing, implementing and documenting an Information Security Management System (ISMS)

The standard has 10 domains, which address the key areas of Information Security Management:

  1. Information Security Policy for the organization
     This activity involves a thorough understanding of the organization's business goals and its dependence on information security. The entire exercise begins with the creation of the IT security policy. This is an extremely important task and should convey the total commitment of top management. The policy cannot be a theoretical exercise: it should reflect the needs of the actual users, be implementable, be easy to understand, and balance the level of protection with productivity. The policy should cover all the important areas, namely personnel, physical, procedural and technical security.

  2. Creation of information security infrastructure
     A management framework needs to be established to initiate, implement and control information security within the organization. This needs proper procedures for approval of the information security policy, assignment of security roles and coordination of security across the organization.

  3. Asset classification and control
     One of the most laborious but essential tasks is to manage an inventory of all IT assets, which could be information assets, software assets, physical assets or other similar services. These assets need to be classified to indicate the degree of protection required. The classification should result in appropriate information labelling indicating whether the asset is sensitive or critical and which procedures are appropriate for copying, storing, transmitting or destroying it.

  4. Personnel Security
     Human errors, negligence and greed are responsible for most thefts, frauds and misuse of facilities. Proactive measures that should be taken include personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training.

     Alert and well-trained employees who are aware of what to look for can prevent future security breaches.

  5. Physical and Environmental Security
     Designing a secure physical environment to prevent unauthorized access to, damage to and interference with business premises and information is usually the starting point of any security plan. The activities include defining a physical security perimeter, physical entry controls, creating secure offices, rooms and facilities, providing physical access controls, providing protection devices to minimize risks ranging from fire to electromagnetic radiation, and providing adequate protection to power supplies and data cables. Cost-effective design and constant monitoring are two key aspects of maintaining adequate physical security control.

  6. Communications and Operations Management
     Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.

     Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment, including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of network services.

     Exchange of information and software between external organizations should be controlled and should comply with any relevant legislation. There should be proper information and software exchange agreements; media in transit need to be secure and should not be vulnerable to unauthorized access, misuse or corruption.

     Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as the Internet. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract disputes and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.

  7. Access control
     Access to information and business processes should be controlled on the basis of business and security requirements. This includes defining an access control policy and rules, user access management, user registration, privilege management, user password use and management, review of user access rights, network access controls, enforcing the path from user terminal to computer, user authentication, node authentication, segregation of networks, network connection control, network routing control, operating system access control, user identification and authentication, use of system utilities, application access control, monitoring of system access and use, and ensuring information security when using mobile computing and tele-working facilities.

  8. System development and maintenance
     Security should ideally be built in at the inception of a system. Hence security requirements should be identified and agreed prior to the development of information systems. This begins with security requirements analysis and specification and provides controls at every stage, i.e. data input, data processing, data storage and retrieval, and data output. It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may cover encryption, digital signatures, use of digital certificates, protection of cryptographic keys and the standards to be used for cryptography.

     A strict change control procedure should be in place to facilitate tracking of changes. Any changes to operating systems or software packages should be strictly controlled. Special precautions must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation.

  9. Business Continuity Management
     A business continuity management process should be designed, implemented and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes and, depending on the risk assessment, preparing a strategy plan. The plan needs to be periodically tested, maintained and reassessed based on changing circumstances.

  10. Compliance
     It is essential that strict adherence is observed to the provisions of national and international IT laws pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls and collection of evidence.

Information Technology’s use in business has also resulted in enacting of laws that enforce responsibility of compliance. All legal requirements must be complied with to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

BS 7799 (ISO 17799) and its relevance to Indian companies:

Although Indian companies and the Government have invested in IT, the facts about theft and attacks on Indian sites and companies are alarming. 261 Indian Government sites were hacked in 2001*. Attacks and theft on corporate websites are frequent and are usually kept under "strict" secrecy to avoid embarrassment before business partners, investors, media and customers.

Huge losses are sometimes unaudited, and the only solution is to adopt a model that provides a long-term, business-led approach to Information Security Management.

BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 domains discussed above) which Indian companies can adopt to build their security infrastructure. Even if a company decides not to go in for certification, the BS 7799 (ISO 17799) model helps companies maintain IT security through ongoing, integrated management of policies and procedures, personnel training, selecting and implementing effective controls, and reviewing their effectiveness and improvement. Additional benefits of an ISMS are improved customer confidence, a competitive edge, better personnel motivation and involvement, and reduced incident impact. Ultimately this leads to increased profitability.

Source : http://www.computersecuritynow.com/7799part1.htm

Tuesday, September 25, 2007

The CB Audit process

In order to become a certified organization, you need to start off correctly at the beginning and determine which CB you are going to engage to provide BS 7799 Certification services.
If you have any other certifications in the organization, it makes sense to use the same CB for BS 7799 (assuming that they are Accredited to provide BS 7799 Certification services). This is called integrated auditing and allows the number of days to be spent by the CB on site to be reduced as they use the same auditor to audit more than one standard.
In my case, I have the same auditor do ISO 9001 and BS 7799 as he is dual qualified and it saves me at least an audit day per year. Additionally I have only one visit so my routine is not disturbed twice.
If you have no existing certificates, then make a list of all of the CBs that are available, ring each of them to get some idea of costs and services, and then ask them to send you the relevant forms to fill in.
The actual Certification process is a six-step one:

*** Note: Not all CBs follow this process exactly – when investigating them determine the discrepancies from this generic approach and ensure that you are happy with them.

Step 1 - Questionnaire
Typically the chosen CBs will send out a questionnaire for you to fill in. The certification process starts when you complete a questionnaire giving details of your requirements. This provides the CB with the information needed to send you a quotation.

Step 2 - Application for Assessment
If you decide to proceed with certification with the chosen CB, then an application form must be filled in. Once this has been done it is returned to the CB. On receipt, an initial visit by a BS 7799 Auditor is arranged.

An initial visit allows you to meet the Auditor who will assess the ISMS for BS 7799 certification. The Auditor will explain the assessment process and carry out a review of the existing documented management system. An assessment date and an audit programme will be agreed.

Step 3 - Stage 0 Audit (also called a ‘Pre-assessment Visit’ or a ‘Gap Analysis’)
This is an optional stage, but if you can afford it, I always recommend it.
You should do this after you have implemented the Information Security Management System (ISMS) and developed the Statement of Applicability (SoA), when you have some controls in place and documented and some records available.
If you are doing this in house, it is a way of demonstrating to your management that you are on track and doing the job correctly and that your management can have confidence in that.
It also can show management where they fail as well, as non-conformances are written up as part of the audit.
Typical management failures that I see at this stage are usually lack of management commitment (5.1), inadequate resource management (5.2) or any other management type failure.
If you are using consultants, more or less the same applies, and passing this audit can be a useful pay point in their remuneration cycle or indicate the need to get a different consultancy!
Whilst this audit cannot be relied on to support a Stage 1 or 2 CB Audit, it would be difficult for an Auditor to later find major non-conformances in the ISMS unless something dramatic had occurred in the organization to warrant this.

This step provides a sanity check.

Step 4 – the Stage 1 Audit (otherwise called a ‘Document Review’)
This is the first part of the audit proper.

This stage looks to see if the SoA has been implemented by selection of controls and documenting all the policies and procedures that surround their use. The auditor will also look to see that there is evidence of records being collected for implemented controls, though the full audit for this is the Stage 2 Audit. At this time also the auditor will plan the Stage 2 audit.

Typically, the auditor reviews the documented ISMS, looking at:
- Policy
- Scope
- Asset Registers
- Roles and Responsibilities
- Risk process/treatment and acceptance
- SoA
- Documented processes and procedures supporting the ISMS
- Compliance, contractual and other regulatory issues.
If there are any audit failures, i.e. non-conformances, then they will be written up on the Corrective Action Plan (CAP). It is then up to you, the client, to document how you are going to address these and return the plan to the CB for agreement.

Typically, you have 20 days to respond to the raising of a CAP, and once agreed, 3 months to address issues raised on a CAP.

Failure to either respond or carry out the agreed work in the time limit can prejudice the granting (retaining) of a certificate. When the next audit occurs, the CAPs are the first items reviewed to ensure that they have been suitably addressed.

Step 5 - Stage 2 Audit (otherwise called the ‘Compliance Audit’)
During the Stage 2 Audit, an objective assessment of the organizational procedures and practice will be carried out against the documented ISMS (reviewed in the Stage 1 Audit).

The Auditor will be looking for records (i.e. proof) that the ISMS is operated as the documented ISMS says it should be.

On completion of the assessment the Auditor will present the findings of the assessment in a written report to you and CAPs will be raised if appropriate.

Following a successful Stage 2 Audit and the decision to grant registration, a certificate of registration is awarded and the organization is permitted to use the CB Certification Mark and the relevant BS 7799 certification mark.

Step 6 – Ongoing audits
A program of regular surveillance visits is agreed with you to verify that the requirements of the BS 7799 standard continue to be met and again CAPs will be raised if appropriate.

There are two types of ongoing audits, each covered in turn below:

Surveillance Audit

A programme of ‘surveillance audits’ is undertaken over a three year cycle to ensure that the ISMS is working properly. This is performed in addition to the internal audits and ongoing monitoring and management that you perform internally (4.2, 4.2.4, 6.2, 6.3, 6.4, 7.2, 7.3, A.4.1.7, A.12.2.1, A.12.2.2 to name just some of the requirements you must meet on an ongoing basis).

The actual frequency of these will vary with the CB, but typically the following will occur:

- Surveillance audits are carried out regularly (either annually, 9 monthly or 6 monthly);
- The first one is usually 3 months after the Stage 2 Audit to check for any CAPs outstanding since that audit;
- At every audit any outstanding CAPs are audited for completeness;
- All mandatory requirements are audited;
- A representative sample of all other controls is audited (so that all controls in the ISMS are reviewed over the surveillance cycle).

Triennial Audits

The Triennial audit, as the name suggests, is carried out every three years.
This audit is similar to the original Stage 2 or Certification Audit, but it should take less time as the CB Auditor now knows your systems, unless a scope or other change has occurred.
All controls are evaluated to ensure that the ISMS is operating properly and assuming it is, your certificate is renewed for another 3 years.
If not, CAPs are raised and you have to address them.

The three year surveillance audit process starts all over again.

Source : http://17799-news.the-hamster.com/interviews/interview4-audit.htm

What Documents can I read to help me prepare for BS7799?

There are a number of documents that are available, in addition to the BS 7799 and ISO17799 standards themselves, and these include:

From BSI

- Information Security Management: An Introduction (PD 3000);
- Preparing for BS 7799 Certification (PD 3001);
- Guide to BS 7799 Risk Assessment and Risk Management (PD 3002);
- Are you ready for a BS 7799 Audit? (PD 3003);
- Guide to BS7799 Auditing (PD 3004);
- Guide on the Selection of BS 7799 Controls (PD 3005).

Other publishers

- ISO Guide 62 – General Requirements for Bodies Operating Assessment / Registration of Quality Systems (to merge with ISO Guide 66 to become ISO 17021);
- EA-7/03 – Guidelines for the Accreditation of Bodies Operating Certification/ Registration of Information Security Management Systems;
- ISO 19011 – Guidelines for Quality and / or Environmental Management Systems Auditing.

A number of books have been published on the BS 7799 process; a check of the local IT bookshop or Amazon should provide numerous titles from which to choose.

The types of Audit that may be undertaken in an organization

There are a number of audits that may be undertaken in an organisation, and these include:

- First Party (Internal Audit) – within an organisation, internal review etc.;

- Second Party (Supplier Audit) – of a supplier or contractor;

- Third Party Audit – by a CB.

Source : http://17799-news.the-hamster.com/interviews/interview4-audit.htm

What is a CB Audit, and why should I undergo one?

Auditing by a third party (an Accredited CB) provides assurance that an acceptable, risk-based level of information security has been implemented and is regularly reviewed.
There are a number of reasons to obtain certification, these include:
- Organizational assurance;
- Service provider assurance;
- Business trading partner assurance;
- Demonstrable and effective way of showing appropriate information security in place;
- Competitive advantage;
- Reduce trade barriers – international acceptance;
- Reduce costs of regulation, corporate governance etc.

So who can do this Certification?

The only body who can carry out this certification is a CB that has been Accredited by the ‘national accreditation service’ (in the UK this is the United Kingdom Accreditation Service – UKAS).

This ensures that CBs meet national and international standards for services they are offering. This is typically EA-7/03, which is the ‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’. EA-7/03 can be found at http://www.european-accreditation.org/Docs/0002_Application/0005_Application%20documents%20for%20Certification%20of%20Management%20System/00300_EA-7-03.pdf

This harmonises the use of Guide 62 for ISMSs and was approved by the European Co-operation for Accreditation (EA) in Nov 1999.

Guide 62 is the ‘General requirements for bodies operating assessment and certification / registration of quality systems’.
A CB uses auditors who are totally independent of the organization being audited.
The CB is regularly audited by the National Accreditation Service to ensure that the CB processes are appropriate and correct. This means that all work is to the standard required by EA-7/03 and allows ‘mutual recognition’ between the National Accreditation Services.

So am I certified against BS 7799 Part 2 (2002) or ISO 17799 (2000)?

Certification is carried out against (currently) BS 7799 Part 2 (2002). This contains the requirements for the ISMS in terms of the PDCA (Plan, Do, Check, Act or Deming Cycle) and the old Annex A (Updated) from BS 7799 Part 1 (1995).

BS 7799 Part 2 (2002) is a Specification.

ISO 17799 is a Code of Practice.

Source : http://17799-news.the-hamster.com/interviews/interview4-audit.htm

How does the BS7799 / ISO 27001 certification audit process actually work?

Before the audit:
The greatest mistake that organizations ever make is that they are not properly prepared for an audit. Many organizations who want to undergo a certification audit fail at the first stage because they have not properly prepared for it.

Some examples I have encountered are below:
A classic case of this was the organization that desk-dropped their approved information security policy on all staff desks on the weekend before our audit started on the Monday. Somehow the words ‘published and communicated, as appropriate, to all employees’ (A.3.1.1) did not spring to mind.

Likewise failure to perform a risk assessment would not give the auditor a warm and comforting feeling of a risk assessment being carried out on the ‘assets within the scope’ (4.2.1).

Any organization that cannot demonstrate that the ISMS works by undertaking internal ISMS audits (6.4) will not be looked upon favourably for passing a certification audit.

Another major failure at the outset of the certification or implementation project is the failure to have demonstrable management commitment. This means something more than the CEO or MD saying ‘yes, go do it’. There needs to be management commitment to the process as well as ring-fencing of resources (5.1 and 5.2).


Source : http://17799-news.the-hamster.com/interviews/interview4-audit.htm

Sunday, September 23, 2007

BS 7799 Certification

In the Information Security space we believe that people are both the strongest and the weakest link in the attempt to secure one's IT resources. Security professionals are responsible for both the making and the breaking of the best security systems developed to date.

The best method to validate one's attempt to provide effective Information Security Management is first to benchmark it against the BS 7799 standard and then to certify it through an external vendor.

In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management.

In this final session we attempt to understand the structure and steps involved in certification for BS7799.

A quick recap

Before we go into the details of acquiring certification we need to go back and look at what constitutes the standard and what a company will be certified for:

ISO/IEC 17799:2000 (Part 1) is the standard code of practice, which can be regarded as a comprehensive catalogue of "the best things to do in Information Security".

BS7799-2:1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). The ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements.

Please note that certification is against BS7799-2:1999.

In order to be awarded a certificate, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as Det Norske Veritas and BSI Assessment Services Limited).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Domains on which one would be assessed:

As discussed in the earlier sessions, the company needs to prepare its policies and procedures, which would cover the following domains:

Security policy

Security organisation

Asset classification and control

Personnel security

Physical and environmental security

Communications and operations management

Access control

Systems development and maintenance

Business continuity management

Compliance

Statement of applicability

BS 7799 requires a company to identify the processes and controls that it actually operates. If, for example, the company does not need to outsource any of its functions to an external vendor, it can state that 4.2.3.1 (Security Requirements in outsourcing contracts) is not relevant to that particular organisation.

You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant.

Preparing oneself for Certification:

The traditional formula of PLAN, DO, CHECK and ACT (the PDCA cycle) works well with BS 7799 too, and this is a good place either to start or to review the progress of the implementation team.

Plan

While planning, one has to be particularly careful about the business context in which the ISMS is being prepared. This includes defining business policy and objectives, estimating the scope of the ISMS, deciding on and collecting resources for conducting risk assessment, and a definitive approach to identifying, analysing and evaluating risks on a continuous basis.

Do

While implementing the ISMS the focus should always be on building a long-term and fault-free mechanism for managing risk. This includes evaluating the options of automated versus manual systems; the ideal is to strike a balance between the two. BS7799 controls need to be addressed, as the ultimate objective is to acquire certification.

Deploy qualified and proven vendors to implement the various products and solutions that will be required. Preparation of the statement of applicability is also an important step, in which management plays an important role.

Check

Here is where one has to engage an external security audit team qualified to perform a third-party security audit for BS7799. Certification companies like Det Norske Veritas can also help in finding qualified BS7799 consultants for companies interested in performing a pre-assessment audit.

The audit team would check for appropriate controls and evidence of implementation.

For example: if a company has prepared a policy for contractual agreements, the company would have to submit the templates and the documents in which third-party contractors have signed up to the security requirements.

Implementation would also include continuous monitoring of the ISMS, from the perspective of satisfying business needs first and of its practical validity in the organisation.

Act

After checking for flaws and vulnerabilities, the company needs to improve the ISMS by identifying key vulnerabilities and taking appropriate corrective actions.

Preventive actions for unseen but predictable incidents can be taken, and policies to drive them into action can be framed in good time.

Communication and delivery of policies to IT users and the IT team should be done with ease and determination. Cultural changes and differences that arise should be tackled with justification and transparency. Management, partners and users should be trained on policies and procedures.

Creative techniques, like designing posters that clearly state rules such as PC usage and the best practice to follow in password framing and maintenance, can go a long way towards the success of the policies and procedures.

The 4 Step method of Certification

The Plan, Do, Check and Act framework is cyclic and has to be followed continuously over the long run, with the solid backing of management.

We now come to the specifics of the certification process.

Step One

Desktop Review:

All documented policies and procedures need to be verified and checked for consistency and practicality. Corresponding templates and forms are presented to the audit team.

One important check on documentation will be its validity and relevance to BS7799 controls.

The following documents need to be presented:

ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.

Step Two

Technical Review

The definition and implementation of the security architecture, with its various products and networking components, are checked for vulnerabilities and possible risk exposure.

The company would also need to submit a ‘permissible risk’ statement; this is the risk which the company can afford to take.

Step Three

Internal Audit

The team of BS7799 implementers and BS7799 professionals can take up an initial internal audit in which non-conformances are picked up and recommendations are documented.

This step involves a simulation of the real third-party audit and has to be taken seriously by the team and by the IT users in the company.

Step Four

External Audit- Certification

The timing of inviting the certification company is predetermined, and the company gets ready to face the external auditors.

The company consultants and internal team would not be allowed to be part of the audit team.

They can assist and help auditors find relevant material.

The auditors check documentation and objective evidence with the following questions in mind:

  • Are records correct and relevant?
  • Are policies known and tested?
  • Are policies communicated?
  • Are controls implemented?
  • Are policies followed up?
  • Are preventive actions taken?

The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.

Conclusion

After the audit, the certification company recommends the said company for BS7799 certification. This is certainly a victory for the IT team, as they can be assured that their IT systems are world class and the possibility of a security incident is minimal.

To summarize the series, BS7799 is a culture one has to build in the company, which would help one:

  • Heighten security awareness within the organisation
  • Identify critical assets via the Business Risk Assessment
  • Provide a structure for continuous improvement
  • Be a confidence factor internally as well as externally
  • Enhance the knowledge and importance of security-related issues at the management level
  • Ensure that "knowledge capital" will be "stored" in a business management system
  • Enable future demands from clients, stockholders and partners to be met

Recommended Reading

  • Information Security Management: An introduction (PD3000)
  • Preparing for BS7799 Certification (PD3001)
  • The Guide to BS7799 Risk Assessment and Risk Management (PD3002)
  • Are you Ready for a BS7799 Audit? (PD3003)
  • Guide to BS7799 Auditing (PD3004)
  • Guide on selection of BS 7799 controls (PD3005)
  • BS7799 : Part 1: 1999 Code of Practice for information security management
  • BS7799 : Part 2: 1999 Specification for information security management systems
  • EA Guidelines 7/03

BS7799 Interpretation Guide (Free Download): www.dnv.com

Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organization comprises over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.

DNV started its operations in Region India in 1972 and has established itself as a leading Classification Society. DNV has since been providing Classification, Certification, Consultancy and Verification Services for the Marine, Offshore and Land-based process industries, for both the Public and Private Sectors.

DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management System and is a leading Certification Body in India for both Quality & Environment Management System Certification having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.

Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.

For comments and questions on this paper please write to: bmukund@yahoo.com

Source : http://www.computersecuritynow.com/7799part3.htm

Monday, September 3, 2007

Information Security Management BS 7799.2:2002 Audit Check List

Information Security Management BS 7799.2:2002 Audit Check List for SANS

Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant.
Approved by: Algis Kibirkstis
Owner: SANS

Table of Contents

Security Policy
Information security policy
Information security policy document
Review and evaluation

Organisational Security
Information security infrastructure
Management information security forum
Information security coordination
Allocation of information security responsibilities
Authorisation process for information processing facilities
Specialist information security advice
Co-operation between organisations
Independent review of information security
Security of third party access
Identification of risks from third party access
Security requirements in third party contracts
Outsourcing
Security requirements in outsourcing contracts

Asset classification and control
Accountability of assets
Inventory of assets
Information classification
Classification guidelines
Information labelling and handling

Personnel security
Security in job definition and Resourcing
Including security in job responsibilities
Personnel screening and policy
Confidentiality agreements
Terms and conditions of employment
User training
Information security education and training
Responding to security incidents and malfunctions
Reporting security incidents
Reporting security weaknesses
Reporting software malfunctions
Learning from incidents
Disciplinary process

Physical and Environmental Security
Secure Area
Physical Security Perimeter
Physical entry Controls
Securing Offices, rooms and facilities
Working in Secure Areas
Isolated delivery and loading areas
Equipment Security
Equipment siting protection
Power Supplies
Cabling Security
Equipment Maintenance
Securing of equipment off-premises
Secure disposal or re-use of equipment
General Controls
Clear Desk and clear screen policy
Removal of property

Communications and Operations Management

Operational Procedure and responsibilities
Documented Operating procedures
Operational Change Control
Incident management procedures
Segregation of duties
Separation of development and operational facilities
External facilities management
System planning and acceptance
Capacity Planning
System acceptance
Protection against malicious software
Control against malicious software
Housekeeping
Information back-up
Operator logs
Fault Logging
Network Management
Network Controls
Media handling and Security
Management of removable computer media
Disposal of Media
Information handling procedures
Security of system documentation
Exchange of Information and software
Information and software exchange agreement
Security of Media in transit
Electronic Commerce security
Security of Electronic email
Security of Electronic office systems
Publicly available systems
Other forms of information exchange

Access Control

Business Requirements for Access Control
Access Control Policy
User Access Management
User Registration
Privilege Management
User Password Management
Review of user access rights
User Responsibilities
Password use
Unattended user equipment
Network Access Control
Policy on use of network services
Enforced path
User authentication for external connections
Node Authentication
Remote diagnostic port protection
Segregation in networks
Network connection protocols
Network routing control
Security of network services
Operating system access control
Automatic terminal identification
Terminal log-on procedures
User identification and authorisation
Password management system
Use of system utilities
Duress alarm to safeguard users
Terminal time-out
Limitation of connection time
Application Access Control
Information access restriction
Sensitive system isolation
Monitoring system access and use
Event logging
Monitoring system use
Clock synchronisation
Mobile computing and teleworking
Mobile computing
Teleworking

System development and maintenance
Security requirements of systems
Security requirements analysis and specification
Security in application system
Input data validation
Control of internal processing
Message authentication
Output data validation
Cryptographic controls
Policy on use of cryptographic controls
Encryption
Digital Signatures
Non-repudiation services
Key management
Security of system files
Control of operational software
Protection of system test data
Access Control to program source library
Security in development and support process
Change control procedures
Technical review of operating system changes
Covert channels and Trojan code
Outsourced software development

Business Continuity Management
Aspects of Business Continuity Management
Business continuity management process
Business continuity and impact analysis
Writing and implementing continuity plan
Business continuity planning framework
Testing, maintaining and re-assessing business continuity plan

Compliance

Compliance with legal requirements
Identification of applicable legislation
Intellectual property rights (IPR)
Safeguarding of organisational records
Data protection and privacy of personal information
Prevention of misuse of information processing facility
Regulation of cryptographic controls
Collection of evidence
Reviews of Security Policy and technical compliance
Compliance with security policy
Technical compliance checking
System audit considerations
System audit controls
Protection of system audit tools

References

Source : www.sans.org

Wednesday, August 29, 2007

Question:

We are a financial institution that would like to start the process of being compliant with ISO17799 Information Security Management System ISMS. What would be the proper initial steps recommended for such process in terms of training, preparation, building security policies, etc.?

Response from Rebecca Herold:

It is first of all important to understand that there is currently no certification or registration under ISO 17799. There is formal registration under BS 7799, the forerunner of ISO 17799. ISO 17799 is the Information Technology Code of Practice for Information Security Management. It establishes 127 controls under what was just recently (this June) updated to 11 headings. BS 7799-2:2002 is the Information Security Management Systems Specification With Guidance For Use. It provides for the implementation of ISO 17799. BS 7799-2:2002 is currently the only internationally recognized security standard under which your ISMS can be formally registered. An organization can have an ISMS that conforms to BS 7799 as demonstrated by an internal or external analysis that is less formal than that required for registration. However, ISMS registration under BS 7799 is governed by international standards and requires a formal audit process.

Creating a BS 7799-conformant ISMS is a good thing for not only information security, but for business as well. A few of the information security benefits include:

  • Establishes a holistic, quality management-based security and privacy program that also provides verifiable evidence
  • BS 7799 registration is quickly recognized worldwide as a security and privacy differentiator
  • When implemented properly and successfully, an ISMS will significantly limit security and privacy breaches that can cost millions (e.g., lost information, fines/penalties, downtime, internal/external threats, consumer driven litigation, and so on)
  • Provides a documented and repeatable process for information security and privacy corporate governance
  • Ensures that security and privacy is built into all levels of an organization and that all employees are educated on security and privacy as they relate to the business
  • Reduces operational risk by mitigating vulnerabilities

The business impacts are also significant:

  • Brings organizations more confidently and demonstrably into conformance with legal, regulatory, and statutory requirements, such as HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley, California SB1386, 21 CFR Part 11, the EU Data Protection Directive, Canada's PIPEDA, as well as many other laws, regulations and industry best practices
  • Provides an organization with market differentiation resulting from a more positive company image and external goodwill parameters, and could very well positively affect the asset or share value of the organization
  • Demonstrates credibility for, and trust in how, the organization protects information, leading to increased satisfaction and confidence of stakeholders, partners, and customers
  • Reduces liability risk and demonstrates due diligence. Can also lower business insurance premiums.
  • Improves business continuity by minimizing internal and external risks
  • Demonstrates management support for internationally accepted security and privacy principles and practices

Here at a very high level are the initial recommended steps to build an ISMS that conforms to BS7799/ISO17799:

    1. Become familiar with ISO 17799 and BS7799. A new version of ISO 17799 was just released at the beginning of June.
    2. Determine the scope for which you want to base your ISMS. Many organizations try to cover the entire organization, but quickly find the scope is far too large to realistically handle. Identify the key areas you want to cover, address them, and then you can always expand your ISMS out to include other areas.
    3. Determine your information security and privacy regulatory, legal, industry, and self-imposed policy requirements.
    4. Select and validate the controls you need for your program. Evaluate your security and privacy policies, procedures, standards, guidelines, and plans. Evaluate your existing security and privacy activities, systems and tools.
    5. Perform a high-level gap analysis to see where your greatest weaknesses exist.
    6. Create a high-level ISMS compliance road map to close the gaps.
    7. Create a detailed ISMS design and implementation plan to support the road map.
    8. Determine resources for performing the implementation steps and identify where you will need outside help, if applicable.
    9. Launch training and awareness throughout the organization for the ISMS. This will be an ongoing process as training and awareness requirements change as the ISMS matures.

There are different approaches to BS 7799 conformance. The one that you choose will depend upon your goals. In order to claim that your ISMS conforms to BS 7799, you must rely on an audit process. This audit process may be formal or informal. The goal of a formal audit is to register your ISMS under BS 7799. This is called a Registration Audit.

  • You may choose to use internal resources to demonstrate that your ISMS conforms to BS7799. In the international standards world of quality management, this is known as a 1st Party Audit since you are auditing with your own personnel.
  • You may choose to have a qualified, independent third party show that your ISMS conforms to BS 7799. In the international standards world of quality management, this is called a 3rd Party Audit since the auditor is not part of your organization. A goal of a 3rd Party Audit can be formal registration under BS 7799. Of course, you might choose to use an independent, outside consultant to check to see if your ISMS conforms to BS 7799. However, it is a Certificate of Registration that results from a formal Registration Audit that has the weight of the international standard.
  • You may also choose to have qualified personnel audit part or all of your supply chain. In the international standards world of quality management, this is called a 2nd Party Audit since you are auditing second parties (your suppliers). This is a vehicle by which business partners can show that they have appropriate and required controls on the information with which you've trusted them. They objectively demonstrate that their ISMSs conform to BS7799. Of course, you may retain the services of independent, third party auditors for this purpose.

Keep in mind many security incidents have actually been the result of mistakes and poor practices by third party vendors who were performing information activities for other companies; it was the primary company (e.g., Bank of America, Time-Warner and so on) that actually made the headlines, and whose business was most impacted. Accordingly, requiring business partners to conform to BS7799 helps to protect your organization from the business partner security and privacy inadequacies.

Each country has a limited number of organizations that register conformance with international standards such as BS7799. For example, Bureau Veritas Quality International (BVQi) and the British Standards Institute (BSI) are two organizations that operate in the US and internationally to register ISMSs. These registrars can provide you with lists of consultants who are qualified to assist organizations with their ISMS activities. It is important to use qualified auditors.

It is important to note that bringing an ISMS into registered and certified conformance with BS7799 is no small activity; it is a rigorous process. You cannot simply use BS7799 as a checklist. After familiarization with the standard, the most important step is to identify the scope of the ISMS that you want to register. There are some good guidance documents for estimating times for performing such a conformance certification based upon scope at the BVQi and BSI websites.

From : www.informationshield.com

Tuesday, August 28, 2007

BS7799 How it Works

Overview

The standard effectively comes in two parts:

  • ISO/IEC 17799:2000 (Part 1) is the standard code of practice and can be regarded as a comprehensive catalogue of good security things to do.
  • BS7799-2:1999 (Part 2) is a standard specification for an Information Security Management System (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.

Please note that certification is against BS7799-2:1999.

Part 1: The Code of Practice

ISO/IEC 17799:2000 defines 127 security controls structured under 10 major headings to enable readers to identify the particular safeguards that are appropriate to their particular business or specific area of responsibility. These security controls contain further detailed controls bringing the overall number somewhere in the region of 500+ controls and elements of best practice.

The standard stresses the importance of risk management and makes it clear that you do not have to implement every single guideline; only those that are relevant. The scope of the standard covers all forms of information, including voice and graphics, and media such as mobile phones and fax machines. The new standard recognises new ways of doing business, such as e-commerce, the Internet, outsourcing, tele-working and mobile computing.

Part 2: The Management Standard

BS7799-2:1999 instructs you how to apply ISO/IEC 17799 and how to build an ISMS. It defines a six step process, see Figure 1.

Information Policy

It invites you to stand back and think about all of your information assets and their value to your organisation. You ought then to devise a policy that identifies what information is important and why. From a practical point of view, it is only information with some significant value that should be of concern.

Scope

Excluding low value information allows you to define the scope of your management concerns. You may discover that your concerns pervade your organisation as a whole. In this case you will need to regard all of your information systems and their external interfaces (IT and electronic forms of communication, filing cabinets, telephone conversations, public relations and so on) as being in scope. Alternatively, your concerns may focus on a particular customer-facing system. For example, an interesting extreme is the application of BS7799-2:1999 to the development, manufacture and delivery of a security product.

Figure 1 - The major steps towards BS7799-2 compliance (BS7799 is applied in 6 steps; figure not reproduced here)

Risk assessment

Now you know what information is in scope and what its value is, your next move should be to determine the risk of losing that value.

Remember to consider everything. At one extreme you need to consider the complexities of technology; at the other you need to consider business forces in terms of advancing technology and enterprise, as well as the ugly side of industrial espionage and information warfare.

Risk management

You then need to decide how to manage that risk. Your forces certainly include technology, but don't forget people, administrative procedures and physical things like doors and locks and even CCTV. Don't forget insurance. If you can't prevent something from happening, maybe you can discover if it does happen and do something to contain it or otherwise reduce the danger. In the end, you will of course, need an effective continuity plan.

Choose your safeguards

You will then need to choose your "safeguards", i.e. the ways you have selected to manage the risk. BS7799-2:1999 lists a wide variety of such measures, but the list is not exhaustive and you are free to identify additional measures as you please. The list is drawn 1:1 from ISO/IEC 17799:2000.

Statement of applicability

You are required to identify all of your chosen security controls and justify why you feel they are appropriate, and show why those BS7799 controls that have not been chosen are not relevant. Clearly you could decline every BS7799 offering and invent your own. This is not a problem - it is allowed. However, you need to justify it - as much for your own benefit as anyone else's.
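As an added illustration of the three steps just described (risk assessment, choosing safeguards, and the statement of applicability), here is a small Python model. It is not part of the original article and is not code from the standard or from Gamma; the risk register, the control catalogue, the likelihood and impact scores and the acceptance threshold are all constructed for this example, and the control identifiers C-01 to C-05 are placeholders rather than ISO/IEC 17799 clause numbers. It shows the two checks a reviewer of a statement of applicability actually wants: every catalogue control carries a written justification whether or not it was chosen, and no risk above the accepted level is left without a selected control.

```python
"""Risk-driven control selection and Statement of Applicability check.

Added example, not from the original article or the standard. All data
below (assets, threats, scores, control ids) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Risk:
    """One line of a risk register: an asset, the threat to it, and a score."""
    risk_id: str
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assessor's estimate
    impact: int      # 1 (negligible) .. 5 (severe), derived from asset value

    @property
    def level(self) -> int:
        """Risk level as likelihood x impact (a common, simple scoring)."""
        return self.likelihood * self.impact


@dataclass
class Control:
    """A candidate safeguard; `treats` lists the risk ids it reduces."""
    control_id: str
    name: str
    treats: Set[str]


def select_controls(risks: List[Risk], catalogue: List[Control], threshold: int) -> List[Control]:
    """Choose every catalogue control that treats at least one risk at or above the threshold."""
    high = {r.risk_id for r in risks if r.level >= threshold}
    return [c for c in catalogue if c.treats & high]


def build_soa(risks: List[Risk], catalogue: List[Control], threshold: int) -> List[Tuple[str, bool, str]]:
    """Statement of Applicability: one row per catalogue control,
    (control_id, applicable, justification). Excluded controls get a
    reason too, as the standard requires."""
    by_id = {r.risk_id: r for r in risks}
    rows = []
    for c in catalogue:
        treated = sorted(rid for rid in c.treats
                         if rid in by_id and by_id[rid].level >= threshold)
        if treated:
            rows.append((c.control_id, True, f"treats {', '.join(treated)}"))
        elif c.treats:
            rows.append((c.control_id, False, "only treats risks below the acceptance threshold"))
        else:
            rows.append((c.control_id, False, "no identified risk in scope"))
    return rows


def untreated_risks(risks: List[Risk], catalogue: List[Control], threshold: int) -> List[str]:
    """Consistency check: ids of risks above the threshold that no selected control treats.
    An empty list means the control selection covers the risk assessment."""
    covered: Set[str] = set()
    for c in select_controls(risks, catalogue, threshold):
        covered |= c.treats
    return sorted(r.risk_id for r in risks if r.level >= threshold and r.risk_id not in covered)


# Constructed sample register and catalogue (placeholder ids, not standard clauses).
RISKS = [
    Risk("R1", "customer database", "unauthorised access by ex-employee", 3, 5),   # level 15
    Risk("R2", "customer database", "loss of backup tape in transit", 2, 5),       # level 10
    Risk("R3", "public web brochure", "defacement", 3, 1),                         # level 3
    Risk("R4", "server room", "fire", 1, 5),                                       # level 5
]
CATALOGUE = [
    Control("C-01", "remove access rights on termination", {"R1"}),
    Control("C-02", "encrypt backup media", {"R2"}),
    Control("C-03", "web content integrity monitoring", {"R3"}),
    Control("C-04", "fire suppression", {"R4"}),
    Control("C-05", "clear desk policy", set()),
]
THRESHOLD = 8  # constructed acceptance level: risks scoring 8 or more must be treated

if __name__ == "__main__":
    for control_id, applicable, why in build_soa(RISKS, CATALOGUE, THRESHOLD):
        print(f"{control_id}  {'applicable' if applicable else 'excluded  '}  {why}")
    print("untreated risks:", untreated_risks(RISKS, CATALOGUE, THRESHOLD) or "none")
```

The point of `untreated_risks` is the failure mode the article warns about: a statement of applicability that reads well but does not actually close the risks the assessment found. Dropping C-02 from the catalogue, for instance, leaves R2 untreated and the check reports it.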

The Information Security Management System (ISMS)

The standard requires you to set up an Information Security Management System (ISMS) to make this happen. You should really, of course, set this up in the first place, but standards don't tell you how to do things, merely what you should achieve.

Certification schemes

Certification schemes are being established in many parts of the world. It is therefore useful to reveal who the players are and what is going on. Have a look at Figure 2.

The European co-operation for Accreditation document EA7/03 provides guidance to National Accreditation Bodies for the accreditation of Certification Bodies wishing to assess ISMSs, e.g. against BS7799-2:1999. The various National Accreditation Bodies around the world operate a "mutual recognition" process that allows certificates awarded in one country to be accepted by the Accreditation Body of another.

Figure 2: Relationship between scheme players (diagram showing the relationship between the BS7799 certification scheme players; not reproduced here)

In order to be awarded a certificate, your ISMS will be audited by a BS7799 assessor. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as BSI Assessment Services Limited and Det Norske Veritas).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Other Useful Documentation

BSI has published a useful set of supporting documentation to help apply ISO/IEC 17799:2000 and BS7799-2:1999. They are:

  • Information Security Management: An Introduction (PD3000)
  • Preparing for BS7799 Certification (PD3001)
  • Guide to BS7799 Risk Assessment and Risk Management (PD3002)
  • Are you ready for a BS7799 Audit? (PD3003)
  • Guide to BS7799 Auditing (PD3004)
  • Selecting BS7799 Controls (PD3005)

PD3000 provides an overview of the scheme for accredited certification and forms a useful preface to the other guidance documents in the scheme.

PD3001 provides guidance to users of BS7799 and gives detailed information in readiness for assessment against the Accredited Certification Scheme. It offers industry accepted best practice methods for providing and demonstrating the evidence required by an assessment auditor.

The guide to BS7799 Risk Assessment and Risk Management (PD3002) describes the underlying concepts behind BS7799 risk assessment and risk management, including the terminology and the overall process of assessing and managing risks. It is based on the ISO/IEC Guidelines for the Management of IT Security (GMITS).

Are you ready for a BS7799 Audit? (PD3003) is a pre-certification assessment workbook for organisations to assess and record the extent of their compliance with the control requirements in BS7799: Part 2 and to aid in their preparations for a certification audit. This is a useful starting point for anyone considering BS7799 for the first time. Merely complete the workbook, answering “Yes”, “No” or “Partly”, and explain why. The completed workbook can also serve as your Statement of Applicability.

The guide to BS7799 Auditing (PD3004) provides general information and guidance on auditing ISMSs. It was effectively the BS7799 “audit methodology” for BS7799:1995. Although recently updated for BS7799:1999 Part 1, it probably has the wrong focus now, as it should perhaps concentrate on the management of the ISMS, which it does not.

In order to buy a copy of the standard, please contact the British Standards Institute, which provides the address, phone numbers and e-mail for ordering.

Source : http://www.gammassl.co.uk/

Wednesday, August 15, 2007

PDCA and Continuous Improvement Process

PDCA and Continuous Improvement Process Approach (BS7799:2-2002)

Plan

- Define Scope of ISMS
- Define ISMS Policy
- Define Systematic approach to risk assessment
- Identify and assess Risk
- Identify and evaluate risk treatment options
- Select controls for risk treatment
- Prepare Statement of Applicability

Do

- Formulate Risk Treatment Plan
- Implement Risk Treatment Plan
- Implement controls
- Implement training and awareness
- Manage Operations
- Manage Resources
- Implement detective and reactive controls for security incidents

Check

- Execute monitoring procedures and controls
- Undertake regular reviews of ISMS
- Review residual risk and acceptable risk

Act

- Implement the identified improvements in ISMS
- Continuous feedback and improvement
- Communication with interested parties
- Ensure improvements achieve intended results

Generic Requirements across PDCA

- Documentation Requirements
- Management Responsibility
- Management review of ISMS
- ISMS Improvement

Marc Stefaniu - MSc, MBA, CISSP
(416) 513 5699
marc.stefaniu@bmo.com

Tuesday, July 31, 2007

A Strategy and Approach for ISO 17799 / BS7799 / ISO 27001

There are actually a variety of ways to approach the standard. The correct one for a specific organization will obviously depend upon the nature of the organization itself. However, the following 'cycle' has been documented as one possible approach, and may be of use.

- Firstly, obtain a copy of the standard itself. Whilst this may seem rather obvious, it is surprising how often people attempt to judge suitability without actually ever having studied the documents themselves. The documents can be obtained stand alone, or as part of the starter kit (The ISO 17799 Toolkit) from the sources given on the right hand panel.

- The merits of the standard itself are considered. Factors can include impact on confidence of new/existing customers/partners, enhancing the organization's security, etc.

- The decision is made to move forward with the standard. All options are available of course: from loose alignment with it, to compliance with it, to certification.

- The project is planned in terms of resourcing (ie: people and time). This could include external resources such as consultants.

- With the previous step the scope of the exercise is decided. In other words, the part(s) of the organization to be included are determined.

- A review of existing documentation is conducted. This will help establish the extent and quality of the measures already in place (eg: security policies).

- An inventory is drawn up of all significant information assets.

- A 'gap analysis' is performed to identify the gaps between the existing situation, and those controls, processes and procedures documented in the standard.

- A risk analysis exercise is performed in order to determine the extent of risk to the organization through security breach. A Risk Assessment document is produced.

- The organization must determine how the identified risks are to be managed. Responsibilities for managing them are assigned and documented.

- Controls to address the identified risks are selected, both from the standard and elsewhere. A "Statement of Applicability" is developed following selection.

- Security policies are created/adapted using the Statement of Applicability and other inputs. This is often based upon the template included in The ISO 17799 Toolkit.

- Appropriate policy based procedures are created.

- An awareness program is initiated to ensure employees and agents are familiar with the IS requirements of the organization.

- A method of compliance monitoring is introduced.

- At this point, the organization reviews its position. Commonly, certification is considered (which of course requires external audit by an accredited body).

From : www.17799central.com/