BS7799: Introduction (slide deck shared by malj, posted 11/3/2012; 27 pages, English)
BS7799: how are you managing security?

Prepared by:
David Ryan, eircom net
Overview

•   Introduction to Information Security Management
•   BS7799 Overview
•   Implementing BS7799
•   Conclusion
Introduction to Information Security Management
What is Information Security Management?

• Information is an asset; if you don’t protect it, trouble awaits!
• Securing an asset requires knowledge of:
    – Security requirements: Confidentiality, Integrity, Availability …
    – Threats and vulnerabilities
    – Protection should focus on the critical requirements
• Information security management focuses on protecting your
  information assets from harm (threats and vulnerabilities)
• What to protect against?
    – Unauthorised disclosure (loss of confidentiality)
    – Unauthorised modification (loss of integrity)
    – Loss/destruction (loss of availability)
• Must be driven by the business, not technology.
• Security is the responsibility of everyone (management is key)
What are threats and vulnerabilities?

• Threats can be considered the goals of an attacker
    – Physical Example: a burglar might want to break into your house
    – Virtual Example: an attacker might want to steal your customer database
• Vulnerabilities are the weaknesses that let an attacker realise the threat
    – Physical Example: the backdoor is left open, making it easy for the burglar
      to enter your house
    – Virtual Example: you allow anyone access to your database, without
      restriction, making it easy for the attacker to steal your information
• By defining threats to an asset and assessing potential
  vulnerabilities surrounding that asset, you can make informed
  decisions about how to protect your business.
Minimum suggested approach to Information Security Management

• Define a security policy (statement of intent)
    – Simple or detailed, but it must be enforceable and consistent with your culture
• Understand the risks you face
    – Difficult at first, but becomes easier and more beneficial with experience.
    – The Microsoft Security Risk Self-Assessment Tool can help direct you,
      more advanced tools available if necessary
• Implement useful and cost-effective controls
    – Having a €15k firewall may not be money well spent
    – Don’t make security too complicated, get good/impartial advice
• Test, review and improve your security posture
    – Use security assessment tools (free/commercial) and/or get in an expert
• Provide a framework for responding to incidents (attacks, policy
  violations, etc)
What should a policy contain?

• Statement of the company’s intent towards security
    – “Management at Company X is committed to ensuring information security
      principles based on industry best practices will be adopted to help protect
      the company against information attacks and fraudulent activity”
• Who it applies to (scope)
    – “This policy applies to all users of Company X information and information
      systems; This policy applies to the management of Company X networks
      and firewalls; …”
• What the responsibilities are
    – “All staff must adhere to this policy; management should ensure staff
      awareness; IT staff must ensure identified controls are implemented …”
• Information security principles for the organisation
    – “Access to Company X information assets will be restricted to authorised
      users only; Use of Company X information assets is subject to management
      inspection at any time; …”
Some simple rules for risk management


• Get help if you need it
    – Once or twice with an expert might foster self-assessment in the future
• Adopt an existing approach, no need to reinvent the wheel
• Consider information assets (“the critical few”)
• Define the security requirements of those assets
    – loss of confidentiality, integrity, availability, all?
• Identify threats, what is the impact?
• Assess vulnerabilities/exposures
Some simple rules for risk management (continued)

• Determine the risks and how to treat them
    –   Transfer: insurance!
    –   Accept: do nothing (ok to operate, too difficult to resolve now, etc)
    –   Avoid: drop the asset
    –   Mitigate: reduce the risk to an acceptable level (implement controls)
• Produce mitigation plans
    – How are you going to reduce the risk?
    – What controls will you implement? (high-level)
• Prioritise your risk
    – Try rating risk as “high, medium, low” to help prioritise
• Repeat periodically and when significant changes occur
• DOCUMENT EVERYTHING!
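The steps on these two slides (assets, security requirements, threats and impact, vulnerabilities, rating, treatment, documentation) worked as a small risk register. This is an added example, not code from the slides or from BS7799; the 3x3 rating matrix, the field names and the four sample entries are assumptions for illustration.

```python
"""Qualitative risk register in the shape the slides describe.

Added example, not from the original slides: asset -> security requirement ->
threat/impact -> vulnerability -> rating -> treatment, plus a completeness check
("document everything"). The 3x3 rating matrix, the field names and the sample
entries are constructed for illustration, not taken from BS7799.
"""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = ("low", "medium", "high")
REQUIREMENTS = ("confidentiality", "integrity", "availability")
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")

# Constructed impact x likelihood matrix -> "high / medium / low" rating.
RATING = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}
PRIORITY = {"unrated": 0, "high": 1, "medium": 2, "low": 3}   # unrated first: it needs attention


@dataclass
class Risk:
    asset: str
    requirement: str          # which of C, I, A the asset needs
    threat: str               # what the attacker wants
    vulnerability: str        # what lets them get it
    impact: str
    likelihood: str
    treatment: str = ""       # mitigate / transfer / avoid / accept
    controls: List[str] = field(default_factory=list)
    owner: str = ""

    def rating(self) -> str:
        return RATING.get((self.impact, self.likelihood), "unrated")


def validate(risk: Risk) -> List[str]:
    """Reasons an entry is not yet a usable, documented decision (empty list = ok)."""
    problems = []
    if risk.impact not in LEVELS or risk.likelihood not in LEVELS:
        problems.append("impact and likelihood must be low, medium or high")
    if risk.requirement not in REQUIREMENTS:
        problems.append("requirement must be confidentiality, integrity or availability")
    if risk.treatment not in TREATMENTS:
        problems.append("treatment must be mitigate, transfer, avoid or accept")
    if risk.treatment == "mitigate" and not risk.controls:
        problems.append("mitigate chosen but no controls listed")
    if not risk.owner:
        problems.append("no owner recorded")
    return problems


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest-rated risks first, so effort goes to the critical few."""
    return sorted(register, key=lambda r: (PRIORITY[r.rating()], r.asset))


def summary(register: List[Risk]) -> Dict[str, int]:
    """Counts per rating: the one-line picture for the management review."""
    counts: Dict[str, int] = {}
    for r in register:
        counts[r.rating()] = counts.get(r.rating(), 0) + 1
    return counts


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("customer database", "confidentiality", "theft of customer records",
         "any internal user can query the database without authentication",
         "high", "high", "mitigate",
         ["per-user accounts", "least-privilege grants", "query logging"], "DBA lead"),
    Risk("office file server", "availability", "disk failure", "backups never restore-tested",
         "medium", "medium", "mitigate", ["nightly backup with monthly restore test"], "IT manager"),
    Risk("laptops", "confidentiality", "loss or theft", "disks not encrypted",
         "high", "medium", "transfer", [], "Finance"),      # insured; residual risk stays high
    Risk("legacy fax line", "integrity", "spoofed orders", "no caller verification",
         "low", "low", "accept", []),                       # accepted, but nobody owns it
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.rating():7} {r.asset:20} {r.treatment:9} {validate(r) or 'ok'}")
    print(summary(SAMPLE_REGISTER))
```

The register is deliberately small: the point is that a risk without an owner, or a "mitigate" decision without named controls, shows up as a gap before the next review rather than being found on the shelf three years later.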
Are you managing security?


• Do you have a security policy?
• Do you know what your assets are?
• Do you know why they should be protected?
• Do you know what they should be protected from? (threats and
  vulnerabilities)
• Got all the above, great! But …
    –   Is your policy enforced? How can you tell?
    –   Did your risk assessment make it off the shelf?
    –   Are you measuring your controls? (not measuring = not managing!)
    –   Reviewing your risks regularly? Are your protections sufficient 12 months
        later?
• Technology must be balanced with management
Are you doing enough?


• Sound familiar?
   – “We have a great IT administrator who tells us everything is fine” (trusting
     staff is essential, but transparency promotes understanding)
   – “We did a risk assessment 3 years ago and considered our premises and IT
     equipment” (physical assets only?)
   – “We update passwords every 9 months or so” (are passwords written
     down? Same passwords used for all systems?)
   – “We apply software updates for Microsoft products” (other products?)
• Previous slides offer a simplistic approach
• A more complete framework can be found in security
  management standards and best-practices (e.g. BS7799)
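"Are you measuring your controls?" and the "sound familiar?" excuses above (and the anti-virus verification process asked for on the Malicious Software slide later in the deck) come down to measuring rather than trusting. The check below is an added example, not code from the slides: it runs three measurements over a constructed host inventory, anti-virus signature age, patch currency for every vendor rather than Microsoft only, and administrator password age. The reference date, thresholds, host names and vendor names are assumptions for illustration.

```python
"""Measuring controls instead of trusting "everything is fine".

Added example, not from the original slides. It runs three measurements over a
constructed host inventory: anti-virus signature age (the verification process
the Malicious Software slide asks for), patch currency for every vendor rather
than Microsoft only, and administrator password age. The reference date,
thresholds, hosts and vendor names are assumptions for illustration.
"""
from datetime import date
from typing import Dict, List, Tuple

TODAY = date(2004, 6, 1)          # constructed reference date for the sample data
MAX_AV_SIGNATURE_AGE = 7          # days; assumed policy thresholds
MAX_PATCH_AGE = 30
MAX_PASSWORD_AGE = 90

# Constructed inventory. "patches" records the most recent patch date per vendor.
INVENTORY = [
    {"host": "fs01", "av_updated": date(2004, 5, 29),
     "patches": {"Microsoft": date(2004, 5, 20), "Adobe": date(2004, 3, 1)},
     "admin_password_changed": date(2004, 4, 1)},
    {"host": "db01", "av_updated": date(2004, 5, 30),
     "patches": {"Microsoft": date(2004, 5, 25), "Oracle": date(2003, 11, 2)},
     "admin_password_changed": date(2003, 9, 1)},      # "every 9 months or so"
    {"host": "pc-reception", "av_updated": date(2004, 4, 10),
     "patches": {"Microsoft": date(2004, 5, 28)},
     "admin_password_changed": date(2004, 5, 1)},
]


def age_days(when: date) -> int:
    return (TODAY - when).days


def check_host(host: dict) -> Dict[str, Tuple[bool, str]]:
    """Evaluate each control on one host: control name -> (passed, evidence)."""
    results: Dict[str, Tuple[bool, str]] = {}

    av_age = age_days(host["av_updated"])
    results["antivirus-current"] = (av_age <= MAX_AV_SIGNATURE_AGE,
                                    f"signatures {av_age} days old")

    # Every vendor counts, not only the one whose updates arrive automatically.
    stale = [f"{vendor} ({age_days(d)} days)"
             for vendor, d in host["patches"].items() if age_days(d) > MAX_PATCH_AGE]
    results["patches-all-vendors"] = (not stale,
                                      ("stale: " + ", ".join(stale)) if stale
                                      else "all vendors within window")

    pw_age = age_days(host["admin_password_changed"])
    results["password-age"] = (pw_age <= MAX_PASSWORD_AGE, f"password {pw_age} days old")
    return results


def measure(inventory: List[dict]) -> Dict[str, float]:
    """Percentage of hosts passing each control: the figure a manager can track over time."""
    passed_total: Dict[str, Tuple[int, int]] = {}
    for host in inventory:
        for control, (passed, _) in check_host(host).items():
            p, n = passed_total.get(control, (0, 0))
            passed_total[control] = (p + int(passed), n + 1)
    return {c: round(100.0 * p / n, 1) for c, (p, n) in passed_total.items()}


def failures(inventory: List[dict]) -> List[Tuple[str, str, str]]:
    """(host, control, evidence) for every failed check: the work list for the Act stage."""
    return [(host["host"], control, evidence)
            for host in inventory
            for control, (passed, evidence) in check_host(host).items()
            if not passed]


if __name__ == "__main__":
    for control, pct in measure(INVENTORY).items():
        print(f"{control:22} {pct:5.1f}% compliant")
    for host, control, evidence in failures(INVENTORY):
        print(f"FAIL {host:14} {control:22} {evidence}")
```

In practice the inventory would be fed from whatever the environment already has (AV console export, patch management reports, directory password-age attributes); the value is the percentage per control, reviewed at each PDCA "Check", rather than the assurance of the administrator who "tells us everything is fine".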
BS7799 Overview
What is BS7799?

• A FRAMEWORK for managing information security
   – Guidance to help you ask the right questions of your business and
     to ensure you manage the answers effectively.
   – Build on top of it, add details
• Two parts
   – BS 7799-1 / ISO/IEC 17799: code of practice for information security
     management
   – BS 7799-2:2002: specification for information security management
     systems (ISMS; the certification framework)
• 10 sections (containing 36 control objectives)
• 127 controls
• After reading all of that … at least one headache!
History and Development

• Initially developed by the UK DTI (Department of Trade and Industry) with the private sector.
• Timeline
    – 1989 – Users’ Code of Practice
    – 1995 – BS 7799:1995 initial release
    – 1999 – BS 7799:1999 major revision, split into guidelines (code of
      practice) and a standard (the requirements for an information security
      management system)
    – 2000 – ISO/IEC 17799:2000 accepted as an international standard
    – 2002 – BS 7799-2:2002, the official standard for certification
Why should you consider it? (Benefits)


• Industry standard based on best practices
• Provides direction on how to manage security
    – Structured versus ad hoc security
    – It is flexible, you do not need to implement all 127 controls unless you deem
      it necessary!
• “Business Enabler”
    – Partner/Customer confidence
    – Not a differentiator as its implementation grows … becomes necessary to
      operate! (e.g. UK NHS)
• Can be tailored to certain portions of your business
    – E.g. online services, but not your office environment
• Other external factors
    – Legal/regulatory compliance (e.g. the Data Protection Act, copyright, etc)
BS7799 Part 1:
Code of Practice

1.    Security Policy
2.    Security Organisation
3.    Asset Classification and Control
4.    Personnel Security
5.    Physical and Environmental Security
6.    Communications and Operations Security
7.    Access Control
8.    Systems Development and Maintenance
9.    Business Continuity Management
10.   Compliance
BS7799 Part 2:
Information Security Management System

• What is it?
   – Documented approach to managing security
   – Follows the Plan-Do-Check-Act cycle (continuous improvement)
• Main components
   – Sets the scope (what does the ISMS cover – flexibility)
   – Encompasses the policies and procedures.
   – Assess and manage the risks (selection of applicable controls)
   – Implement the selected controls
   – Review the effectiveness of the controls, residual risk, etc
     (Management review, internal audit – can be outsourced)
   – Implement improvements
   – Update as your risks change
Example controls
(tales from the … standard)

• Outsourcing
   – Outsourcing should not result in less protection of your assets.
   – Using your security policy and the controls from the standard, define the
     security requirements and responsibilities your outsourcing partner should
     adhere to.
• Malicious software (e.g. viruses, worms, etc)
   – One of the significant problems to face desktop users.
   – Make sure you’ve got anti-virus software and it’s updated regularly
     (verification process)
   – Ensure users are aware of the seriousness of these threats



        Common sense? Of course! The standard is full of it.
        –   It can get trickier than this, but it is within your control.
BS7799 is not perfect


• Common criticisms:
   –   Only suitable for large organisations
   –   Not enough detail for a standard
   –   Rushed and Incomplete
   –   It doesn’t “make” you secure
   –   Documentation HELL!
• Perhaps but …
   – Very flexible, can be applied to large and small organisations. You may only
     apply it to a particular department, location or even procedure!
   – A lot of the problems depend on how it is implemented. Get good
     advice/training where possible.
   – Fill the gaps, adopt more detailed standards where available
   – There is no silver bullet. No standard or product will “make” you secure.
Implementing BS7799
Critical Success Factors


• You must be committed to improving security
   – This is not a “tick-the-box” exercise
• Management buy-in and support
   – Leadership from top to bottom
   – This MUST be visible (required for certification!)
• Staff buy-in and support
   – Be consistent with your company culture
   – Provide awareness and education (extend to 3rd parties/outsourcing partner
     via contracts/SLA/etc)
• Available and appropriate resources
   – Get training, seek expert advice where necessary
• Policies and objectives must meet business requirements
Plan-Do-Check-Act


• Four stages: Plan, Do, Check, Act (Deming Cycle)
   – Many iterations, often running concurrently!
• Plan (ground work and establishing the ISMS)
   – Set a security policy
   – Conduct a risk assessment
   – Plan for how you will manage the risks (mitigate, transfer, avoid, accept)
• Do (putting the wheels in motion)
   – Implement plans to manage the risks (done by selecting controls from the
     standard)
   – Some controls could be in place already and can be aligned with the ISMS.
   – Ensure ISMS violations are managed appropriately
Plan-Do-Check-Act


• Check (is the ISMS working with you?)
   – Are people violating company policies and procedures?
   – If this is frequent, it may be due to a lack of training/awareness or the
     policies could be unsuitable for the culture!
• Act (adjustments/improvements/updates)
   – Over time, the results of the “Check” stage will provide
     recommendations for improvement of the ISMS
   – It is also critical to update your ISMS as the business changes
   – This is the continual improvement of security within your company
Next Step: certification?


• Certification is not required.
    – You can be compliant without certification.
• Prerequisites
    – ISMS must be integrated into the business (limited by scope)
    – Management review has taken place, including internal audit
• Certification
    –   Select a certification company
    –   Initial review conducted, all going well schedule full audit
    –   Likely to be some remedial activities (PDCA again!)
    –   Emphasis placed on management and staff awareness!
• If successful, certification lasts for 3 years, with surveillance reviews every 6 months
Conclusions

• Information security management is easy to get
  wrong, but can be difficult to get right.
   – Adopt best practices where possible.
• Know your risks!
• BS7799 is not perfect.
   – Consider others to strengthen your position (CobIT, NIST
     standards, IT Baseline Protection Manual, etc).
• Questions?
• Thanks! (dave.ryan@eircom.net)
References

• BSI Global (maintainers of BS7799)
   – http://www.bsi-global.com/Global/bs7799.xalter
   – You can purchase the standards from the above website
• Microsoft Security Risk Self-Assessment Tool:
   – http://www.securityguidance.com/
• OCTAVE-S Risk Assessment Methodology
   – http://www.cert.org/octave/
• CobIT
   – http://www.isaca.org/cobit.htm
• NIST Publications
   – http://csrc.nist.gov/publications/index.html
• IT Baseline Protection Manual
   – http://www.bsi.bund.de/english/gshb/manual/