Thursday, November 15, 2007

[PDF] The Simple Information Security Audit Process: SISAP

Summary
The SISAP (Simple Information Security Audit Process) is a dynamic security audit methodology fully compliant with the ISO 17799 and BS 7799.2, and conformant with the ISO 14508 in terms of its functionality guidelines. The SISAP employs a simulation-based rule base generator that balances risks and business value generation capabilities using the Plan-Do-Check-Act cycle imposed in BS 7799.2. The SISAP employs a concept proof approach based on 10 information security best practices investigation sections, 36 information security objectives, and 127 information security requirements, as specified in the ISO 17799. The auditor may apply, for collecting, analyzing, and fusing audit evidence obtained at various audit steps, selected analytical models like certainty factors, probabilities, fuzzy sets, and basic belief assignments. The SISAP adopts fully automated elicitation worksheets, as in SASA (Standard Analytic Security Audit), COBRA, and others.

Read This File : http://paper.ijcsns.org/07_book/200606/200606C10.pdf

Tuesday, September 25, 2007

The CB Audit process

In order to become a certified organization, you need to start off correctly at the beginning and determine which CB you are going to engage to provide BS 7799 Certification services.
If you have any other certifications in the organization, it makes sense to use the same CB for BS 7799 (assuming that they are Accredited to provide BS 7799 Certification services). This is called integrated auditing and allows the number of days to be spent by the CB on site to be reduced as they use the same auditor to audit more than one standard.
In my case, I have the same auditor do ISO 9001 and BS 7799 as he is dual qualified and it saves me at least an audit day per year. Additionally I have only one visit so my routine is not disturbed twice.
If you have no existing certificates, then make a list of all of the CBs that are available, ring each of them to get some idea of costs and services, and then ask them to send you the relevant forms to fill in.
The actual Certification process is a six-step one:

*** Note: Not all CBs follow this process exactly – when investigating them determine the discrepancies from this generic approach and ensure that you are happy with them.

Step 1 - Questionnaire
Typically the chosen CBs will send out a questionnaire for you to fill in. The certification process starts when you complete a questionnaire giving details of your requirements. This provides the CB with the information needed to send you a quotation.

Step 2 - Application for Assessment
If you decide to proceed with certification with the chosen CB, then an application form must be filled in. Once this has been done it is returned to the CB. On receipt, an initial visit by a BS 7799 Auditor is arranged.

An initial visit allows you to meet the Auditor who will assess the ISMS for BS 7799 certification. The Auditor will explain the assessment process and carry out a review of the existing documented management system. An assessment date and an audit programme will be agreed.

Step 3 - Stage 0 Audit (also called a ‘Pre-assessment Visit’ or a ‘Gap Analysis’)
This is an optional stage, but if you can afford it, I always recommend it.
You should do this after you have implemented the Information Security Management System (ISMS) and developed the Statement of Applicability (SoA) and may have some controls in place and documented and may have some records available.
If you are doing this in house, it is a way of demonstrating to your management that you are on track and doing the job correctly and that your management can have confidence in that.
It also can show management where they fail as well, as non-conformances are written up as part of the audit.
Typical management failures that I see at this stage are usually lack of management commitment (5.1), inadequate resource management (5.2) or any other management type failure.
If you are using consultants, more or less the same applies, and passing this audit can be a useful pay point in their remuneration cycle or indicate the need to get a different consultancy!
Whilst this audit cannot be relied on to support a Stage 1 or 2 CB Audit, it would be difficult for an Auditor to later find major non-conformances in the ISMS unless something dramatic had occurred in the organization to warrant this.

This step provides a sanity check.

Step 4 – the Stage 1 Audit (otherwise called a ‘Document Review’)
This is the first part of the audit proper.

This stage looks to see if the SoA has been implemented by selection of controls and documenting all the policies and procedures that surround their use. The auditor will also look to see that there is evidence of records being collected for implemented controls, though the full audit for this is the Stage 2 Audit. At this time also the auditor will plan the Stage 2 audit.

Typically, the auditor reviews documented ISMS – looking at:
- Policy
- Scope
- Asset Registers
- Roles and Responsibilities
- Risk process/treatment and acceptance
- SoA
- Documented processes and procedures supporting the ISMS
- Compliance, contractual and other regulatory issues.
If there are any audit failures, i.e. non-conformances, then they will be written up on the Corrective Action Plan (CAP). It is then up to you, the client, to document how you are going to address these and return the plan to the CB for agreement.

Typically, you have 20 days to respond to the raising of a CAP, and once agreed, 3 months to address issues raised on a CAP.

Failure to either respond or carry out the agreed work in the time limit can prejudice the granting (retaining) of a certificate. When the next audit occurs, the CAPs are the first items reviewed to ensure that they have been suitably addressed.

Step 5 - Stage 2 Audit (otherwise called the ‘Compliance Audit’)
During the Stage 2 Audit, an objective assessment of the organizational procedures and practice will be carried out against the documented ISMS (reviewed in the Stage 1 Audit).

The Auditor will be looking for records (i.e. proof) that the ISMS is operated as the documented ISMS says it should be.

On completion of the assessment the Auditor will present the findings of the assessment in a written report to you and CAPs will be raised if appropriate.

Following a successful Stage 2 Audit and the decision to grant registration, a certificate of registration is awarded and the organization is permitted to use the CB Certification Mark and the relevant BS 7799 certification mark.

Step 6 – Ongoing audits
A program of regular surveillance visits is agreed with you to verify that the requirements of the BS 7799 standard continue to be met and again CAPs will be raised if appropriate.

There are two types of ongoing audits, each is covered in turn below:

Surveillance Audit

A programme of ‘surveillance audits’ is undertaken over a three year cycle to ensure that the ISMS is working properly. This is performed in addition to the internal audits and ongoing monitoring and management that you perform internally (4.2, 4.2.4, 6.2, 6.3, 6.4, 7.2, 7.3, A.4.1.7, A.12.2.1, A.12.2.2 to name just some of the requirements you must meet on an ongoing basis).

The actual frequency of these will vary with the CB, but typically the following will occur:

- Surveillance audits are carried out regularly (either annually, 9 monthly or 6 monthly);
- The first one is usually 3 months after the Stage 2 Audit to check for any CAPs outstanding since that audit;
- At every audit any outstanding CAPs are audited for completeness;
- Audit all mandatory requirements;
- Audit a representative sample of all other controls (so that all controls in the ISMS are reviewed in the surveillance cycle).

Triennial Audits

The Triennial audit, as the name suggests, is carried out every three years.
This audit is similar to the original Stage 2 or Certification Audit, but it should take less time as the CB Auditor now knows your systems, unless a scope or other change has occurred.
All controls are evaluated to ensure that the ISMS is operating properly and assuming it is, your certificate is renewed for another 3 years.
If not, CAPs are raised and you have to address them.

The three year surveillance audit process starts all over again.
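An added example, not part of the original post, that turns the ongoing-audit rules above into a small planner: it builds the three-year visit programme from the Stage 2 date, spreads the applicable Annex A controls over the surveillance visits so every control is reviewed once per cycle, and computes the 20-day and 3-month CAP deadlines. The sample Statement of Applicability, the Stage 2 date and the round-robin sampling rule are this example's own assumptions, not any CB's procedure.

```python
"""Surveillance-cycle planner and CAP deadline tracker (added example).

Encodes the ongoing-audit rules from the post: first surveillance 3 months
after Stage 2, further visits at the CB's interval, a triennial at 36 months,
mandatory ISMS clauses checked at every visit, every applicable Annex A
control sampled at least once per cycle, 20 days to respond to a CAP and
3 months to close it. The SoA and dates below are constructed; the
scheduling rules are assumptions, not a CB's actual procedure.
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta

FREQUENCY_MONTHS = {"annual": 12, "9-monthly": 9, "6-monthly": 6}
CAP_RESPONSE_DAYS = 20   # days to return a proposed corrective action
CAP_CLOSURE_MONTHS = 3   # months to complete it once the CB has agreed

# ISMS clauses the post cites as ongoing obligations: audited at every visit.
MANDATORY_CLAUSES = ["4.2", "4.2.4", "6.2", "6.3", "6.4", "7.2", "7.3"]

# Constructed sample Statement of Applicability: control -> applicable?
# (A.3.1.1, A.4.1.7 and A.12.2.x appear on the page; the rest are placeholders.)
SAMPLE_SOA = {
    "A.3.1.1": True, "A.4.1.7": True, "A.12.2.1": True, "A.12.2.2": True,
    "A.4.2.1": False,   # no outsourcing, so excluded with a justification
    "A.5.1.1": True, "A.9.1.1": True,
}
STAGE2_DATE = date(2007, 10, 1)   # constructed Stage 2 audit date


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last valid day."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def surveillance_dates(stage2: date, frequency: str) -> list[tuple[date, str]]:
    """Visit dates for one three-year cycle, counted from the Stage 2 audit."""
    step = FREQUENCY_MONTHS[frequency]
    visits = [(add_months(stage2, 3), "surveillance (CAP follow-up)")]
    months = step
    while months < 36:
        visits.append((add_months(stage2, months), "surveillance"))
        months += step
    visits.append((add_months(stage2, 36), "triennial"))
    return visits


def audit_programme(stage2: date, frequency: str, soa: dict[str, bool]) -> list[dict]:
    """Build the agenda for every visit in the cycle.

    Each visit covers outstanding CAPs and the mandatory clauses. Applicable
    Annex A controls are spread round-robin over the surveillance visits so
    the whole SoA is sampled before the triennial, which re-checks all of it.
    """
    applicable = sorted(ctrl for ctrl, used in soa.items() if used)
    visits = surveillance_dates(stage2, frequency)
    n_surveillance = len(visits) - 1          # the triennial is always last
    programme = []
    for i, (when, kind) in enumerate(visits):
        sample = applicable if kind == "triennial" else applicable[i::n_surveillance]
        programme.append({"date": when, "kind": kind,
                          "agenda": ["outstanding CAPs", *MANDATORY_CLAUSES, *sample]})
    return programme


def cycle_covers_all(programme: list[dict], soa: dict[str, bool]) -> bool:
    """True if every applicable control is sampled before the triennial."""
    seen = set()
    for visit in programme:
        if visit["kind"] != "triennial":
            seen.update(visit["agenda"])
    return all(ctrl in seen for ctrl, used in soa.items() if used)


def cap_deadlines(raised: date, agreed: date | None = None) -> dict:
    """Response deadline from the CAP date; closure deadline from agreement."""
    return {
        "respond_by": raised + timedelta(days=CAP_RESPONSE_DAYS),
        "close_by": add_months(agreed, CAP_CLOSURE_MONTHS) if agreed else None,
    }


def cap_status(raised: date, agreed: date | None, closed: date | None, today: date) -> str:
    """Where a CAP stands on a given day; lateness can prejudice the certificate."""
    if closed is not None:
        return "closed"
    deadlines = cap_deadlines(raised, agreed)
    if agreed is None:
        late = today > deadlines["respond_by"]
        return "awaiting response, overdue" if late else "awaiting response"
    late = today > deadlines["close_by"]
    return "open, overdue" if late else "open"


if __name__ == "__main__":
    for visit in audit_programme(STAGE2_DATE, "annual", SAMPLE_SOA):
        print(visit["date"], visit["kind"], visit["agenda"])
    print(cap_status(STAGE2_DATE, None, None, add_months(STAGE2_DATE, 1)))
```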

Source : http://17799-news.the-hamster.com/interviews/interview4-audit.htm

What Documents can I read to help me prepare for BS7799?

There are a number of documents that are available, in addition to the BS 7799 and ISO17799 standards themselves, and these include:

From BSI

- Information Security Management: An Introduction (PD 3000);
- Preparing for BS 7799 Certification (PD 3001);
- Guide to BS 7799 Risk Assessment and Risk Management (PD 3002);
- Are you ready for a BS 7799 Audit? (PD 3003);
- Guide to BS7799 Auditing (PD 3004);
- Guide on the Selection of BS 7799 Controls (PD 3005).

Other publishers

- ISO Guide 62 – General Requirements for Bodies Operating Assessment / Registration of Quality Systems (to merge with ISO Guide 66 to become ISO 17021);
- EA-7/03 – Guidelines for the Accreditation of Bodies Operating Certification/ Registration of Information Security Management Systems;
- ISO 19011 – Guidelines for Quality and / or Environmental Management Systems Auditing.

A number of books have been published on the BS 7799 process, a check of the local IT Bookshop or Amazon should provide numerous titles from which to choose.

The types of Audit that may be undertaken in an organization

There are a number of audits that may be undertaken in an organisation, and these include:

- First Party (Internal Audit) – Within an organisation, internal review etc;

- Second Party (Supplier Audit) – Of a supplier or contractor

- Third Party Audit – By a CB

Source : http://17799-news.the-hamster.com/interviews/interview4-audit.htm

What is a CB Audit, and why should I undergo one?

Auditing by a third party (an Accredited CB) is an assurance of an acceptable and risk based level of information security being implemented that is regularly reviewed.
There are a number of reasons to obtain certification, these include:
- Organizational assurance;
- Service provider assurance;
- Business trading partner assurance;
- Demonstrable and effective way of showing appropriate information security in place;
- Competitive advantage;
- Reduce trade barriers – international acceptance;
- Reduce costs of regulation, corporate governance etc.

So who can do this Certification?

The only body who can carry out this certification is a CB that has been Accredited by the ‘national accreditation service’ (in the UK this is the United Kingdom Accreditation Service – UKAS).

This ensures that CBs meet national and international standards for services they are offering. This is typically EA-7/03, which is the ‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’. EA-7/03 can be found at http://www.european-accreditation.org/Docs/0002_Application/0005_Application%20documents%20for%20Certification%20of%20Management%20System/00300_EA-7-03.pdf

This harmonises use of Guide 62 for ISMSs and was approved by the European Co-operation for Accreditation (EA) in Nov 1999.

Guide 62 is the ‘General requirements for bodies operating assessment and certification / registration of quality systems’.
A CB uses auditors who are totally independent of the organization being audited.
The CB is regularly audited by the National Accreditation Service to ensure that the CB processes are appropriate and correct. This means that all work is to the standard required by EA-7/03 and allows ‘mutual recognition’ between the National Accreditation Services.

So am I certified against BS 7799 Part 2 (2002) or ISO 17799 (2000)?

Certification is carried out against (currently) BS 7799 Part 2 (2002). This contains the requirements for the ISMS in terms of the PDCA (Plan, Do, Check, Act or Deming Cycle) and the old Annex A (Updated) from BS 7799 Part 1 (1995).

BS 7799 Part 2 (2002) is a Specification.

ISO 17799 is a Code of Practice.

Source : http://17799-news.the-hamster.com/interviews/interview4-audit.htm

How does the BS7799 / ISO 27001 certification audit process actually work?

Before the audit:
The greatest mistake that organizations ever make is that they are not properly prepared for an audit. Many organizations who want to undergo a certification audit fail at the first stage because they have not properly prepared for it.

Some examples I have encountered are below:
A classic case of this was the organization that desk dropped their approved information security policy on all staff desks on the weekend before our audit started on the Monday. Somehow the words ‘published and communicated, as appropriate, to all employees’ (A.3.1.1.) did not spring to mind.

Likewise failure to perform a risk assessment would not give the auditor a warm and comforting feeling of a risk assessment being carried out on the ‘assets within the scope’ (4.2.1).

Any organization that cannot demonstrate that the ISMS works by undertaking internal ISMS audits (6.4) will not be looked upon favourably for passing a certification audit.

Another major failure at the outset of the certification or implementation project is the failure to have demonstrable management commitment. This means something more than saying ‘yes –go do it’ by the CEO or MD. There needs to be management commitment to the process as well as ring fencing resources. (5.1 and 5.2).


Source : http://17799-news.the-hamster.com/interviews/interview4-audit.htm

Sunday, September 23, 2007

BS 7799 Certification

In the information security space we believe that people are both the strongest and the weakest link in any attempt to secure one's IT resources. Security professionals are responsible for making and breaking the best security systems developed to date.

The best method to validate one's attempt to provide effective Information Security Management is to first benchmark it against the BS 7799 Standard and then have it certified by an external vendor.

In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management.

In this final session we would attempt to understand the structure and steps involved in certification for BS7799.

A quick recap

Before we go into the details of acquiring certification we need to go back and look at what constitutes the standard and what a company will be certified for:

ISO/IEC 17799:2000 (Part 1) is the standard code of practice, which can be regarded as a comprehensive catalogue of "the best things to do in Information Security".

BS7799-2:1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.

Please note that certification is against BS7799-2:1999.

In order to be awarded a certificate, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as Det Norske Veritas and BSI Assessment Services Limited).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Domains on which one would be assessed:

As discussed in the earlier sessions, the company needs to prepare its policies and procedures, which would cover the following domains:

Security policy

Security organisation

Asset classification and control

Personnel security

Physical and environmental security

Communications and operations management

Access control

Systems development and maintenance

Business continuity management

Compliance

Statement of applicability

BS 7799 requires a company to identify the processes and controls that actually apply to it. If, for example, the company does not need to outsource any of its functions to an external vendor, it can state that 4.2.3.1 (Security Requirements in outsourcing contracts) is not relevant to that particular organisation.

You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant.

Preparing oneself for Certification:

The traditional formula of PLAN, DO, CHECK and ACT (the PDCA cycle) works well with BS 7799 too, and this is a good place to either start or review the progress of the implementation team.

Plan

While planning, one has to be particularly careful about the business context in which the ISMS is being prepared. This includes defining business policy and objectives, estimating the scope of the ISMS, deciding on and collecting the resources for conducting risk assessment, and settling on a definitive approach to identifying, analysing and evaluating risks on a continuous basis.

Do

While implementing the ISMS the focus should always be on building a long-lasting and reliable mechanism for managing risk. This would include evaluating the options of going for automated or manual systems; the ideal method is to strike a balance between the two. BS7799 controls need to be addressed, as our ultimate objective is to acquire certification.

Deploy qualified and tested vendors to implement the various products and solutions that will be required. Preparation of the statement of applicability is also an important step, in which management plays an important role.

Check

Here is where one has to get an external security audit team qualified to perform a third party security audit for BS7799. Certification companies like Det Norske Veritas can also help in finding qualified BS7799 consultants for companies interested in performing a pre assessment audit.

The audit team would check for appropriate controls and evidence of implementation.

For example: if a company has prepared a policy for contractual agreements, the company would have to submit the templates and documents where third party contractors have signed up to the security requirements.

Implementation would also include continuous monitoring of the ISMS from the perspective of satisfying business needs first and its practical validity in the organisation.

Act

After checking for flaws and vulnerabilities the company needs to improve ISMS by identifying key vulnerabilities and take appropriate corrective actions.

Preventive actions for unseen but predictable incidents can be taken, and policies to drive them into action can be framed in an appropriate time.

Communication and delivery of policies to IT users and the IT team should be done with ease and determination. Cultural changes and differences which arise should be tackled with justification and transparency. Management, partners and users should be trained on policies and procedures.

Creative techniques, like designing posters that clearly state rules such as PC usage and the best practice followed in password framing and maintenance, can go a long way towards the success of the policies and procedures.

The 4 Step method of Certification

The Plan, Do, Check and Act framework is cyclic and has to be continuously done for long run and with the solid backing of the management.

We now come to the specifics of the certification process.

Step One

Desktop Review:

All documented policies and procedures need to be verified and checked for consistency and practicality. Corresponding templates and forms are presented to the audit team.

One important check on documentation will be its validity and relevance to BS7799 controls.

The following documents need to be presented:

ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.

Step Two

Technical Review

The definition and implementation of Security Architecture with its various products and networking components are checked for vulnerabilities and possible risk exposure.

The company would also need to submit a document stating the ‘permissible risk’ statement; this is the risk, which the company can afford to take.

Step Three

Internal Audit

The team of BS7799 implementers and BS7799 professionals can take up an initial Internal audit where non-conformances are picked up and recommendations are documented.

This step involves a simulation of the real third party audit and has to be taken seriously by the team and the users of IT in the company.

Step Four

External Audit- Certification

The date for inviting the certification company is determined in advance, and the company gets ready to face the external auditors.

The company consultants and internal team would not be allowed to be part of the audit team.

They can assist and help auditors find relevant material.

The auditors check documentation and objective evidence with the following questions in mind:

  • Are records correct and relevant?
  • Are policies known and tested?
  • Are policies communicated?
  • Are controls implemented?
  • Are policies followed up?
  • Are preventive actions taken?

The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.

Conclusion

After the audit, the certification company recommends the said company for BS7799 Certification. This is certainly a victory for the IT team, as they can be assured that their IT systems are world class and the possibility of a security incident occurring is minimal.

To summarize the series, BS7799 is a culture one has to build in the company, which would help one:

  • Heighten security awareness within the organisation
  • Identify critical assets via the Business Risk Assessment
  • Provide a structure for continuous improvement
  • Be a confidence factor internally as well as externally
  • Enhance the knowledge and importance of security-related issues at the management level
  • Ensure that "knowledge capital" will be "stored" in a business management system
  • Enable future demands from clients, stockholders and partners to be met

Recommended Reading

  • Information Security Management: An introduction (PD3000)
  • Preparing for BS7799 Certification (PD3001)
  • The Guide to BS7799 Risk Assessment and Risk Management (PD3002)
  • Are you Ready for a BS7799 Audit? (PD3003)
  • Guide to BS7799 Auditing (PD3004)
  • Guide on selection of BS 7799 controls (PD3005)
  • BS7799 : Part 1: 1999 Code of Practice for information security management
  • BS7799 : Part 2: 1999 Specification for information security management systems
  • EA Guidelines 7/03

BS7799 Interpretation Guide (Free Download): www.dnv.com

Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organization comprises over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.

DNV started their operations in Region India in 1972 and have established itself as a Leading Classification Society. DNV has been providing Classification, Certification, Consultancy and Verification Services for the Marine, Offshore and Land based process industries ever since both for Public and Private Sectors.

DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management System and is a leading Certification Body in India for both Quality & Environment Management System Certification having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.

Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.

For comments and questions on this paper please write to: bmukund@yahoo.com

Source : http://www.computersecuritynow.com/7799part3.htm

Information Security Principles (ISO/IEC 17799)

Security policy
- An Information Security Policy document will be available to all staff and students
- Senior management shall set a clear direction and demonstrate support for, and commitment to, information security across the University
- Information systems owners will be responsible for ensuring the design, operation and use of IT systems comply with Information Security Policies

Security organization
- Responsibility for governing and managing security of information rests with the executive management of the University
- A management framework will be established to initiate and control the implementation of information security within the University
- Information security governance must fit into and support the IT governance framework
- Responsibilities for the protection of individual assets, and for carrying out specific information security processes, rest with information systems owners
- Third parties will be provided access under formally managed conditions only
- Security requirements must be addressed as part of outsourcing contracts

Asset classification and control
- All information systems should be accounted for and have a nominated information system owner
- Classification labels must be used to indicate the need and priorities for security protection

Personnel security
- Security should be addressed at recruitment, included in relevant job descriptions and contracts, and monitored
- Users of information should be trained in security procedures and the correct use of IT facilities
- Users should be formally authorised in writing of their scope to access information systems
- Incidents affecting security should be reported through approved channels as quickly as possible
- All staff, contractors and students should comply with all prevailing legal and community standards relating to data confidentiality and privacy

Physical and environmental security
- IT facilities supporting critical or sensitive business activities must be physically protected from :
+ unauthorized access, damage and interference
+ the effects of environmental events such as fire, electrical supply failure, natural disasters and terrorism

Computer and network management
- The integrity, accuracy and availability of data is to be maintained in a manner appropriate to the business requirement
- Procedures must be established for the operation and management of all computers and networks
- Controls are to be developed to reduce the risk of negligent or deliberate system misuse

Access control
- Access to computer services and data should be controlled on the basis of business requirements
- IT will provide appropriate access and security control systems
- Users should only be allowed access to the data that is necessary for them to do their job

Systems development and maintenance
- Security requirements must be identified and agreed prior to the development or procurement of IT systems
- Appropriate controls, including audit trails, should be designed into applications
- Access to project, support and development environments and associated test data should be closely controlled

Business continuity planning
- Plans must be available to protect critical business processes from the effects of major failures and disasters

Audit and compliance
- All relevant statutory and contractual requirements of information systems should be explicitly defined and documented
- The security of IT systems should be regularly and independently reviewed
- Adherence to all relevant privacy laws is compulsory
- Data will be protected against loss and unauthorised access commensurate with its value and the requirements of the regulators and legislators
- IT will monitor and report on access and security breaches, including unsuccessful attempts

Source : http://www.auckland.ac.nz/security/InformationSecurityPrinciples.htm

Thursday, September 6, 2007

White Paper on Information Security Auditing / Implementation Procedures

Today, information is the lifeblood of most organizations. With the increase in global Internet access, the possibility of security risks has increased significantly. With the advent of the Gramm-Leach-Bliley Act ("GLB") in 1999, safeguarding client and consumer information has become the primary focus of many regulatory commissions like the FTC, FDIC/OCC, SEC, NCUA, and HIPAA.
Information security is an ever-evolving challenge, requiring proper attention and due diligence to maintain. Within this white paper, we will discuss Information Technology (IT) auditing techniques and secure network implementation methodologies.

View This White Paper : Information_Security_Auditing_White_Paper_v3
Source : www.allstatestech.com

INDEX

1. The Auditing Process
· Black Hat Method
· White Hat Method

2. Post Audit
· Costs Associated with Security Breaches

3. Designing a Security Policy

4. Designing a Secure Architecture

5. Remediations & Migrations

6. Final Audit

7. Staying Secure

8. Credentials


Monday, September 3, 2007

Information Security Management BS 7799.2:2002 Audit Check List

Information Security Management BS 7799.2:2002 Audit Check List for SANS

Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant.
Approved by: Algis Kibirkstis
Owner: SANS

Table of Contents

Security Policy
Information security policy
Information security policy document
Review and evaluation

Organisational Security
Information security infrastructure
Management information security forum
Information security coordination
Allocation of information security responsibilities
Authorisation process for information processing facilities
Specialist information security advice
Co-operation between organisations
Independent review of information security
Security of third party access
Identification of risks from third party access
Security requirements in third party contracts
Outsourcing
Security requirements in outsourcing contracts

Asset classification and control
Accountability of assets
Inventory of assets
Information classification
Classification guidelines
Information labelling and handling

Personnel security
Security in job definition and Resourcing
Including security in job responsibilities
Personnel screening and policy
Confidentiality agreements
Terms and conditions of employment
User training
Information security education and training
Responding to security incidents and malfunctions
Reporting security incidents
Reporting security weaknesses
Reporting software malfunctions
Learning from incidents
Disciplinary process

Physical and Environmental Security
Secure Area
Physical Security Perimeter
Physical entry Controls
Securing Offices, rooms and facilities
Working in Secure Areas
Isolated delivery and loading areas
Equipment Security
Equipment siting and protection
Power Supplies
Cabling Security
Equipment Maintenance
Securing of equipment off-premises
Secure disposal or re-use of equipment
General Controls
Clear Desk and clear screen policy
Removal of property

Communications and Operations Management

Operational Procedure and responsibilities
Documented Operating procedures
Operational Change Control
Incident management procedures
Segregation of duties
Separation of development and operational facilities
External facilities management
System planning and acceptance
Capacity Planning
System acceptance
Protection against malicious software
Control against malicious software
Housekeeping
Information back-up
Operator logs
Fault Logging
Network Management
Network Controls
Media handling and Security
Management of removable computer media
Disposal of Media
Information handling procedures
Security of system documentation
Exchange of Information and software
Information and software exchange agreement
Security of Media in transit
Electronic Commerce security
Security of electronic mail
Security of Electronic office systems
Publicly available systems
Other forms of information exchange

Access Control

Business Requirements for Access Control
Access Control Policy
User Access Management
User Registration
Privilege Management
User Password Management
Review of user access rights
User Responsibilities
Password use
Unattended user equipment
Network Access Control
Policy on use of network services
Enforced path
User authentication for external connections
Node Authentication
Remote diagnostic port protection
Segregation in networks
Network connection protocols
Network routing control
Security of network services
Operating system access control
Automatic terminal identification
Terminal log-on procedures
User identification and authentication
Password management system
Use of system utilities
Duress alarm to safeguard users
Terminal time-out
Limitation of connection time
Application Access Control
Information access restriction
Sensitive system isolation
Monitoring system access and use
Event logging
Monitoring system use
Clock synchronisation
Mobile computing and teleworking
Mobile computing
Teleworking

System development and maintenance
Security requirements of systems
Security requirements analysis and specification
Security in application system
Input data validation
Control of internal processing
Message authentication
Output data validation
Cryptographic controls
Policy on use of cryptographic controls
Encryption
Digital Signatures
Non-repudiation services
Key management
Security of system files
Control of operational software
Protection of system test data
Access Control to program source library
Security in development and support process
Change control procedures
Technical review of operating system changes
Covert channels and Trojan code
Outsourced software development

Business Continuity Management
Aspects of Business Continuity Management
Business continuity management process
Business continuity and impact analysis
Writing and implementing continuity plan
Business continuity planning framework
Testing, maintaining and re-assessing business continuity plan

Compliance

Compliance with legal requirements
Identification of applicable legislation
Intellectual property rights (IPR)
Safeguarding of organisational records
Data protection and privacy of personal information
Prevention of misuse of information processing facility
Regulation of cryptographic controls
Collection of evidence
Reviews of Security Policy and technical compliance
Compliance with security policy
Technical compliance checking
System audit considerations
System audit controls
Protection of system audit tools

References

Source : www.sans.org
View Full : Information Security Management BS 7799.2:2002 Audit Check List for SANS

Sunday, September 2, 2007

PREPARING FOR AN INFORMATION SECURITY AUDIT

For an information security audit to be effective, it must be planned and adequately prepared. A common purpose of conducting the audit is to enable the Information Security Officer (or whoever is responsible for the security of information) to measure the level of compliance with the organization's information security policies and associated procedures.

At the highest level, the Information Security Officer should first prepare an audit programme which ensures that all key risk areas are audited and reviewed on a regular basis. The greater the threats, and the higher the risk or probability of an information security incident, the more often the audit should be conducted.

Once the risk area to be audited has been selected, the Information Security Officer should prepare a list of the INFORMATION that needs to be collected to carry out the audit.

As an example, if the audit chosen concerns the portable computing facilities, the documents to be considered for review are:

• Insurance documents.
• Hardware register.
• Software register.
• User profile.
• Network profile.
• Issue form.
• General terms of use.
• Removal of equipment authorization.

The Information Security Officer will also decide which PERSONNEL need to be audited and arrange an interview schedule. In the same example, the following personnel would be audited:

• The issuers of portable computers.
• A sample of the user population who use portable computers.
• Ancillary staff.

As with many tasks, pre-planning is sometimes seen as a necessary evil, and there is a temptation to cut it short. In most cases, however, the quality of the planning goes a long way towards determining the quality of the audit.


Source : http://www.17799central.com/news.htm


Wednesday, August 8, 2007

Auditing for ISO 17799 compliance

SANS have published an Audit Check List for ISO 17799:2005. It is available as an MS Word file "Sans Iso 17799:2005 Check List".
