Information Security: Business Assurance Guidelines

The DTI drives our ambition of ‘prosperity for all’ by working to create the best environment for business success in the UK. We help people and companies become more productive by promoting enterprise, innovation and creativity. We champion UK business at home and abroad. We invest heavily in world-class science and technology. We protect the rights of working people and consumers. And we stand up for fair and open markets in the UK, Europe and the world.



Contents
Introduction
The risks
The 4 key areas of assurance
The solution
Information Security Management Systems
ISMS Standards
Identifying your security requirements
Implementing your security requirements
Achieving assurance
Achieving organisational assurance
Achieving supplier assurance
Achieving business partner assurance
Achieving service and IT systems assurance
Case study
References
Further help and advice

Introduction
In today’s world, information security is a matter that needs to be taken seriously by every organisation. While communications technology opens up many opportunities, it also presents many risks. You need to be aware of these risks, and take action to minimise them. You can achieve both an appropriate level of assurance, and best practice in information security management, by following the procedures outlined in this publication.

Aside from the business risks, there’s also a legal obligation in many countries to take proper care of personal information entrusted to your organisation. In the UK, legislation such as the Data Protection Act imposes penalties on those who do not attend to this duty of care. There’s also UK legislation regarding the protection of your organisation’s company records, to safeguard intellectual property and prevent misuse of computer systems.

Having an effective information security management system (ISMS) and risk management process in place helps to ensure business continuity, minimises the damage to business activities and maximises your return on business investments and opportunities.

This brochure will explain the four key areas where businesses benefit most from information security assurance:
• organisational assurance
• supplier assurance
• business partner/customer assurance
• services and IT systems assurance.


It will then walk you through a number of steps to establish, implement, maintain and improve information security assurance using the information security management system (ISMS) approach based on established industry standards for information security. By following these principles, you can ensure that the risks to your organisation are controlled and managed effectively. While security problems can never be completely eliminated, you can help your organisation to make the most of the information age without compromising security.

Who this brochure is for: senior managers, internal auditors and information security managers within both public and private sector organisations, who need to understand and satisfy information security assurance requirements.

What it covers: minimising the risk of your business’s information being disclosed, modified or deleted in an unauthorised way, or rendered unavailable to those authorised to access it.

IMPORTANT NOTE: For the purposes of this guide, information security assurance is defined as follows. It is all actions taken to ensure that:
• information security policies and procedures are adhered to
• the implemented information security management system (ISMS) is effective at managing the risks to the information assets
• the ISMS processes and system of controls are adequate for the purpose of providing and maintaining a specified degree of confidence in the confidentiality, integrity and/or availability of information throughout its lifecycle, which includes input, update, manipulation, output, archiving and disposal.


The risks
Having effective risk management processes in place is of fundamental importance to an organisation’s well-being, success and survival. Such processes should be treated as essential to maintain a sound system of internal controls, to safeguard investment and business assets, and to fulfil your business objectives.
The risks to your organisation’s information assets can result from a number of threats and vulnerabilities:
• The risks may come from within your organisation:
– caused deliberately, eg a disgruntled employee who deliberately modifies or destroys information
– caused accidentally, such as through employee carelessness or a lack of secure procedures
– caused by failures of electrical power, system hardware or software.
• The risks may arise from external sources, eg from a hacker, competitor or an industrial spy.
• The risks may come from a combination of internal (an employee involved in an insider job) and external (an accomplice to the employee) sources.

The impact caused by such risks can be damaging to an organisation – resulting in loss of sales and income, customers and market share, intellectual property, image and reputation. The overall loss from not protecting your organisation’s assets versus the cost of protecting these assets appropriately is an issue that management needs to consider carefully, to achieve the right balance, and to maximise the return on investment in information security management.

Having an appropriate system of controls in place to manage information security risks contributes to the effectiveness and efficiency of business operations, helps to ensure the reliability and continued availability of information systems, and assists compliance with laws and regulations. The controls, if properly implemented and used, should provide assurance that your organisation is not unnecessarily exposed to avoidable business risks and that business information used within the organisation and for publication is accurate and reliable. They also contribute to the safeguarding of assets, including the prevention and detection of security incidents.
An organisation’s objectives, its internal management and the business environment in which it operates are continually evolving and, as a result, the information security risks it faces are continually changing. A sound system of controls therefore depends on a thorough and regular evaluation of the nature and extent of the information security risks to which the organisation is exposed.


The 4 key areas of assurance
The following four areas are the different types of information security assurance that an organisation should consider in order to achieve overall information security assurance:


ORGANISATIONAL ASSURANCE This is concerned with all those actions taken by the organisation to provide information security assurance to meet the needs of its owners, shareholders, customers and other stakeholders, and to govern its business. Organisational assurance is the process for providing confidence that the information security management system is effective at managing the risks to the organisation’s information assets. Perception of the risks is likely to be different according to the different stakeholder groups involved, and this can have an influence on what is considered an ‘acceptable’ level of risk, and how the risks should be managed. The management process for assessing the risk and its treatment needs to achieve an appropriate balance of control.

Figure 1: Assurance Stakeholders

Stakeholders for information security assurance shown in Figure 1: organisation owner, creditors, shareholders, insurers, business partners, board of directors, management, staff/employees, customers, public, suppliers, and enforcement and regulatory authorities.



SUPPLIER ASSURANCE Supplier assurance is concerned with all those actions taken by third party suppliers of services and products to supply information security assurance to your organisation. The level of assurance is that claimed and sought by service providers and suppliers related to the security agreements and arrangements they have with your organisation. The aim is to provide confidence that the system of controls employed by the third party suppliers with whom information may be shared and exchanged electronically, or otherwise accessed, is adequate and fit for purpose.


BUSINESS PARTNER ASSURANCE Business and trading partner assurance addresses the level of confidence in the security arrangements established between your organisation and these other parties. Arrangements should include the secure access to, and sharing and exchange of information, and ensuring electronic business is carried out in a secure way.


SERVICES AND IT SYSTEMS ASSURANCE This is concerned with all those actions taken by developers, implementers and suppliers of services and IT systems to ensure that the designed and implemented security features are effective and correct in managing the risks to the information processed by these systems and services.

Figure 2: Supplier Assurance

Figure 2 shows the organisation, as customer, receiving information security assurance from its supplier across the services and technology interface. That assurance is made up of IT services assurance, IT systems assurance and other infrastructure assurance components.


The solution
In order to tackle information security risks in the four areas described in the previous section, a firm should scope out an effective information security management system, make sure it will provide the necessary level of assurance, and audit it regularly. This process is described in the next section: Information Security Management Systems. Following this section, ISMS Standards then outlines the industry standards for information security that you need to use when setting up your own ISMS, and the controls you need to put in place around it.


Information Security Management Systems
ISMS SCOPE
An information security management system (ISMS) is a part of the overall system of management an organisation should have in place. The scope of the ISMS should include those policies, planning activities, responsibilities, practices, procedures, processes and resources needed to establish, implement, operate, monitor, review, maintain and improve information security. The ISMS should embrace a system of controls suitable to manage the risks to the business assets covered by the scope of the ISMS. The security requirements and a risk assessment determine the design and specification of this system of controls.

The ISMS scope could cover the whole of the organisation or a well-defined part of the organisation, eg a particular site or location, department, or business service. The business assets covered by the scope of the ISMS should be clearly identified and any interfaces and dependencies related to other systems should also be clearly identified and defined. One example is any interfaces with customers and suppliers where information is shared or exchanged or access is given. The customer might impose security requirements on the organisation’s assets which the ISMS needs to take account of, and likewise the organisation might impose security requirements on its suppliers. The ISMS scope may cover multiple sites or a single site of the organisation, or it could cover part of another organisation’s site, eg in the case of an outsourced or externally managed facility. Whatever the extent of the scope might be, it should be well defined and documented.

ISMS ASSURANCE
The central idea behind the ISMS process approach is to be able to establish an ISMS that achieves the desired level of information security management required by the business, and then maintain and improve the effectiveness of this management system by regularly reviewing and monitoring the changing business environment and making ISMS enhancements where necessary.
If business, legal and/or regulatory requirements and conditions change, adjustments in the ISMS will need to be made to reflect these new requirements. In addition, the threats, vulnerabilities, risks and impacts associated with the ISMS need to be reassessed on a regular basis as these might change as well.

There are several ISMS assurance metrics that can be used, and together they provide a means of assessing the overall assurance in the ISMS. These assurance metrics can be used to measure the:
• effectiveness of the ISMS, eg how effective are the security controls in place, how effective are the procedures, and how effective are the records and other documentation in place?
• correctness of implementation, eg are all the technical and organisational solutions – and controls – implemented and used correctly, and are all records and other documentation in place correct?
• relevance to the business, eg is the ISMS scope still relevant to the business, and is the degree of information security assurance provided by the ISMS still appropriate and sufficient to meet the business requirements?


• operational and user deviations from applying the ISMS policies and procedures, eg what is the evidence that all employees are aware of and comply with all the policies and procedures?

Regular internal ISMS audits and reviews can be used to identify any operational deviations from the existing security policy and procedural arrangements. Monitoring, reviewing and evaluating incident reports can complement this activity, as well as helping to check compliance with the policy regarding system access and use. Incident reports can show where existing controls might not be effective enough to provide protection, or are simply not being followed or are not understood by employees. It is also important to monitor all changes that can have an impact on existing security solutions, such as changes to the business, the assets in the ISMS and their importance, and the threat/vulnerability/risk situation. Finally, your organisation might want to use testing techniques, such as penetration testing, to check how efficient and successful the technical controls are at implementing their security functionality.

ASSESSMENT OF AN ISMS
The assessment of an ISMS through systematic audits is a means of achieving a level of information security assurance. The ISMS can be assessed in different ways, through:
• First party audits, for example internal ISMS audits, reviews or other self-checking processes.
• Second party audits, such as reviews or audits carried out by business partners or customers, or audits that take place due to contractual arrangements.
• Third party audits, for example those carried out by accredited certification bodies; this form of evaluation can lead to an accredited certificate, which gives recognition that the ISMS scope is fit for purpose, and that the ISMS complies with requirements of the certification standard.

In this brochure we refer to the family of BS 7799 standards:
• ISO/IEC 17799 (previously BS 7799 Part 1): Code of practice for information security management
• BS 7799 Part 2: Information security management systems – Specification with guidance for use.


ISMS Standards
ABOUT BS 7799-2
The British Standard BS 7799 Part 2:2002 has been developed by an international group of experts representing a diverse set of market sectors and organisations. It provides a business model for setting up and managing an effective ISMS. It helps an organisation to establish, implement, maintain and improve an ISMS appropriate for the identified information security assurance requirements and standardises the ISMS process approach. The design and implementation of the ISMS needs to take into account business needs and objectives, as well as resulting security and assurance requirements. BS 7799 Part 2 is currently being developed as an international standard and should be published in 2006.

Process approach
BS 7799-2:2002 adopts an ISMS process based approach for establishing, implementing, operating, monitoring, maintaining and improving the effectiveness of an organisation's Information Security Management System (ISMS). This approach takes as input the identified information security requirements, and applies the necessary processes described below to produce the required level of information security. This process approach is based on the ‘Plan-Do-Check-Act’ (PDCA) model.

Figure 3: Plan-Do-Check-Act Model

PLAN – Establish the ISMS: This step involves identifying the security requirements, assessing the risks and establishing the ISMS policy. It also includes selecting a system of controls to manage risks (this includes more detailed policies and procedures and technical controls).

DO – Implement & operate the ISMS: This step involves implementing and using the system of controls, the ISMS policy and ISMS procedures that have been selected in the Plan Phase.

CHECK – Monitor & review the ISMS: This step involves monitoring, reviewing and assessing the performance of the ISMS: measuring the effectiveness of the ISMS to manage the risk, measuring the correctness of the implementation of controls, measuring the continued relevance of the ISMS to the business, and measuring any deviations from policy and procedures. The results of this activity will indicate whether any improvements are needed to the ISMS.

ACT – Maintain & improve the ISMS: This step involves taking corrective and/or preventive actions, based on the results of the Check Phase to maintain and improve the ISMS.


This PDCA model is also used in other management system standards such as ISO 9001:2000 and ISO 14001:1996; this supports the consistent and integrated implementation and operation of all these management system standards.

BASIS FOR AUDIT
BS 7799 Part 2 provides a framework for carrying out an independent audit of an organisation's ISMS. It also gives guidance on the use of the standard to set up and manage an effective ISMS, and can be used as a basis for audits of the ISMS. Choosing which of the three different ways of assessing compliance to use (see ‘Assessment of an ISMS’ above) depends on the requirements of your organisation, and on the requirements of customers and business partners. The third party evaluation and certification helps to provide assurance to your organisation as well as to any external interested party that the ISMS is appropriate and sufficient to achieve all information security assurance requirements.

ISO/IEC 17799
ISO/IEC 17799 is a catalogue of best practice controls for information security management, and also gives advice on how to implement these controls. This standard was previously published as BS 7799 Part 1 before being adopted by ISO/IEC. It is a business-led approach to best practice on information security management. It describes a number of controls that can be considered as guiding principles, applicable to most organisations and most environments.

Some of the controls in ISO/IEC 17799 provide a good starting point for implementing information security:
• Controls considered to be essential to an organisation from a legislative point of view include:
– respecting intellectual property rights
– safeguarding organisational records
– ensuring data protection and privacy of personal information.
• Controls considered to be essential as common best practice for information security include:
– documenting an information security policy
– allocating information security responsibilities
– providing training and education on information security
– reporting security incidents
– ensuring business continuity management.

It is important to recognise that the relevance of any control should be determined taking into account the specific risks your organisation faces. Hence, although the above controls are considered to be a good starting point, this does not replace a selection considering the controls in ISO/IEC 17799 based on a risk assessment. An overview of the controls described in ISO/IEC 17799 follows.


THE CONTROLS

Security policy
An information security policy document should be approved by management, published and communicated, as appropriate, to all employees and should contain:
• a definition of information security, its overall objectives and scope, and the importance of security
• a statement of management intent, supporting the goals and principles of information security
• a brief explanation of the security policies, principles, standards and compliance requirements of particular importance to the organisation
• a definition of general and specific responsibilities for information security management, including reporting security incidents
• references to documentation, which may support the policy.
The policy should have an owner who is responsible for its maintenance and review according to a defined review process.

Security organisation
A management framework should be established to initiate and control the implementation of information security within the organisation. ISO/IEC 17799 gives guidance on how information security should be co-ordinated within the organisation:
• establishing suitable management fora
• assigning information security responsibilities
• consultation with external experts
• independent review of information security.
It also helps to assess the risks from third party access and describes the security requirements that should be considered in third party contracts and outsourcing arrangements.

Asset classification and control
ISO/IEC 17799 describes how to classify assets and maintain appropriate protection for them. All major information assets should be included in an asset register, should be accounted for, and have a nominated owner. All sensitive and critical assets should be classified to indicate the need, priorities and degree of protection. An appropriate set of procedures should be defined for information labelling and handling in accordance with the classification scheme adopted by the organisation.

Personnel security
ISO/IEC 17799 also addresses topics in the area of personnel security. The objective here is to reduce the risks of human error, theft, fraud or misuse of information processing facilities. This includes the definition of security in job responsibilities, personnel screening and confidentiality agreements, as well as user training and awareness. Incidents, security weaknesses and malfunctions should be reported through appropriate management channels as quickly as possible to minimise damage, and to monitor and learn from such incidents. A disciplinary process should be defined to be able to deal effectively with security breaches.

Physical and environmental security
The physical and environmental side of security is also addressed in ISO/IEC 17799. This covers physical controls to prevent unauthorised access, damage and interference to business premises and information. The controls address:
• building of secure areas and entry controls for the business premises and these areas
• controls for working in secure areas
• equipment security, including power supplies, cabling security, equipment maintenance and the use of equipment off premises
• general controls covering clear desk and clear screen policy, and removal of equipment.

Communications and operations management
ISO/IEC 17799 includes controls to ensure the correct and secure operation of information processing facilities. These controls cover:
• documented procedures and change management
• segregation of duties and separation of development and operational facilities
• system planning and acceptance
• protection from malicious software
• housekeeping operations such as information back-up
• network management
• secure media handling and disposal
• information handling procedures
• exchanges of information and software, covering electronic commerce, electronic mail, information published on the Internet and other forms of information exchange.

Access control
Access to information, networks, operating systems and applications should be controlled. ISO/IEC 17799 includes controls that cover:
• access control policy, including business requirements and access rules
• user access management, including user registration and de-registration, privileges and passwords
• user responsibilities
• user identification and authentication and password management
• network access control, including segregation of networks and routing control
• access control to sensitive information, and isolation of sensitive systems
• monitoring of system access and use to detect unauthorised activities
• mobile computing and teleworking.

System development and maintenance
ISO/IEC 17799 includes the following controls to ensure that security is built into systems and applications, and to protect information from unauthorised disclosure or modification:
• identification of system security requirements
• the prevention of loss, modification or misuse of data in application systems
• cryptographic controls
• security of system files
• security in development and support processes.

Business Continuity Management
Business continuity management addresses those processes and actions necessary to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters. This includes the analysis of impacts of such incidents, a planning framework, and the writing, implementing, testing and maintaining of business continuity plans.

Compliance
An organisation should ensure it avoids breaches of any criminal and civil law, and statutory, regulatory or contractual obligations, and of any security requirements. ISO/IEC 17799 covers some of the controls necessary to address these issues, including:
• IPR and software copyright
• safeguarding of organisational records
• data protection and privacy of personal information
• prevention of misuse of information processing facilities
• regulation of cryptographic controls
• collection of evidence.
ISO/IEC 17799 also covers compliance with security policy and technical compliance, and system audit.


SELECTING CONTROLS
The guidance given in ISO/IEC 17799 provides a generalised approach to achieving security objectives. This approach needs to be used in a way that addresses the specific business and security requirements of your organisation, through a process of risk assessment, risk treatment and the appropriate selection of controls to manage the risks. In meeting your organisation’s specific set of requirements a suitable balance should be achieved, and a combination of controls needs to be selected covering management, procedural, operational and technical features.

Experience has shown that there are a number of factors which are critical to the successful implementation of information security within your organisation:
• security policy, objectives and activities that reflect business objectives
• an approach to implementing security that is consistent with the organisational culture
• visible support and commitment from management
• a good understanding of the security requirements, risk assessment and risk management
• effective marketing of security to all managers and employees
• distribution of comprehensive guidance on information security policy and standards to all employees and contractors, and carrying out training and education
• a comprehensive and balanced system of measurement, which is used to evaluate performance in information security management and feed back suggestions for improvement.

Identifying your security requirements
The next step, before implementing the ISMS appropriate to your organisation, is to work out the level of security assurance required.
Each organisation has different requirements for information security assurance and the system of controls to manage its risks will depend on these requirements. In deciding what these requirements are, your organisation needs to consider:
• the nature and extent of the risks it is facing
• the likelihood of the risks materialising and their impact on the organisation
• which risks are regarded as acceptable for the organisation
• the organisation’s ability to reduce the occurrence of the risks
• the costs involved in implementing a system of controls relative to the benefits obtained by managing the risks.

Once these questions have been answered, your organisation can identify its security requirements related to the:
• business environment and legal and regulatory framework it operates in
• types of information it is storing and processing, and the information systems and applications it uses
• service providers, suppliers, customers and business and trading partners it has dealings with
• services and IT systems it employs to implement its information processing facilities.

Your requirements should be driven by the business needs of your organisation. Security requirements might vary within an organisation, depending on its size and the nature of its business. Or it might be necessary to satisfy different requirements within different parts of the organisation.

To achieve the desired level of information security assurance it is also important to consider:
• what system of management controls is required to meet the desired level of security
• assessing the level of security available from service providers and suppliers to determine whether this is adequate to protect your organisation’s information assets
• the security implications of exchanging sensitive or business critical information with trading and business partners and customers
• assessing the levels of risk to the information assets of the system(s) considered, and selecting controls to protect against these risks
• quantifying the level of assessment and evaluation necessary to ensure that the desired level of security is achieved by the services and IT systems used.


Examples of information security requirements
Information security protects:
• the data related to a company’s customers from unauthorised disclosure or modification
• personnel details and records in accordance with legislation
• copyrighted information or software in compliance with the legal restrictions related to such information
• organisational records from loss, destruction or forgery
• marketing information from unauthorised access
• commercially sensitive business strategy and development plans for major new products or services from unauthorised access and disclosure
• very sensitive competitor, business partner or contractor assessments from unauthorised disclosure or modification
• patent secrecy information from unauthorised disclosure
• details of major acquisitions, investments and mergers from exposure.


Implementing your security requirements
The following staged approach describes how you can use the processes defined in BS 7799 Part 2 and the controls and guidance in ISO/IEC 17799 as a framework to achieve information security assurance:

• BUSINESS OBJECTIVES: Define the direction, aims and objectives of information security of your organisation. Put them in a policy that has the approval and commitment of senior management.
• SECURITY REQUIREMENTS: Identify the information security requirements of your organisation.
• RISK ASSESSMENT: Assess the security risks related to the information security requirements of your organisation and the business assets. This should take account of the value and importance of the assets, the vulnerabilities associated with these assets, the threats that could exploit these vulnerabilities and the likelihood of occurrence and potential impact.
• RISK TREATMENT: Identify the appropriate options to treat the risks and select a system of controls to reduce the identified security risks to an acceptable level. The risk treatment options available, the management decision process, and the levels of risk acceptance will vary from organisation to organisation.
• ISMS IMPLEMENTATION AND USE: Implement the selected system of controls, put policies, procedures and training in place, and operate and use the ISMS you have built. The controls described in ISO/IEC 17799 should be used as a common basis and can be supplemented by additional controls, if needed.
• ISMS ONGOING MANAGEMENT: Monitor the ISMS as part of your organisation’s day-to-day operations and review its performance and effectiveness on a regular basis. Take account of the changing business and risk environment, and aim to make the necessary improvements to keep your ISMS operating effectively.

This offers the basis for establishing the assurance needed by your organisation, to deliver it, to be able to review and assess its current suitability and to maintain and improve it.


Achieving assurance
The following section takes each of the four areas where information security assurance is needed, and explains how it can be achieved.


Achieving organisational assurance
Organisational assurance is achieved by all those actions that need to be taken by the organisation to ensure its:
• information security policies and procedures are being enforced and adhered to
• ISMS is effective at managing its risks
• ISMS processes and system of controls are adequate for the purpose of providing and maintaining a specified degree of confidence in the confidentiality, integrity and/or availability of business information throughout its life cycle.

A fundamental question is ‘Who are the stakeholders that require information security assurance and for what business purpose and objective?’
• Owners and shareholders want assurance regarding the well-being of the organisation; that it will achieve and maintain a healthy financial state.
• Business managers need to have confidence that their business processes, management controls and resources meet the necessary corporate requirements for assurance and satisfy levels of expected performance.
• Staff and employees need confidence that they have job security and their personal information is being protected.
• Customers require assurance that the delivery of products and services will meet their requirements, and they will have ongoing support and maintenance from the organisation after delivery.
• Business partners involved in collaborative ventures and projects with the organisation need ‘fit to do business with’ confidence.
• Finally, the organisation needs assurance from its suppliers that the products and/or services being delivered meet its requirements.

The organisation itself expects a certain degree of assurance from its customers with regard to the commercial arrangements it has in place. This concerns assurances that the customer will comply with these arrangements, and the contractual obligations relating to the products and/or services the organisation offers to the customer. Information is a key commodity in the decision-making process of any business, small, medium or large.
It is also key to the effective management and operations of the business. Assurance regarding the confidentiality, timely and accurate delivery and availability of information is very important to the financial situation, performance, ownership and governance of the organisation. For medium and large-sized corporations, multinational companies and enterprises, there are various interested parties that require information security assurance: the shareholders, investors, creditors, insurers, the CEO and the board of directors, senior management, the staff and the organisation’s customers. Each of these involved parties will have their own requirements and interests. In the case of the shareholders, for example, this covers aspects such as the protection of shareholders’ rights, equitable treatment of shareholders, and the role of the shareholder in the governance of the organisation. Creditors, investors and shareholders will be looking for a healthy return on their investment and evidence of the sustainability of a financially sound business. These requirements need an appropriate framework to be in place for corporate governance to ensure the strategic guidance of the organisation, the effective monitoring of management by the board, and the board’s accountability to the organisation and the shareholders.


With regard to small-sized enterprises, many of these principles apply, though the scale of business complexity, organisational and management structure, operational functions, ownership and shareholder aspects is much reduced and generally not as involved. Nevertheless, a variety of assurance is still required from all the relevant stakeholders.

ESTABLISHING ASSURANCE
It is important that assurance requirements are well understood and articulated within the context of the organisation and its business, taking account of the interests of all relevant stakeholders. To satisfy these requirements the organisation needs to have an appropriate and effective ISMS in place. The organisation needs to ensure that the organisational structure, policies, procedures, processes and other management controls that constitute the ISMS are sufficient to deliver the required assurances.

DELIVERING ASSURANCE
Collectively, the organisation needs to deliver the necessary assurances to all interested parties. Management needs to be committed to its role in carrying out all those actions and activities that will ensure the ISMS delivers the desired assurances to owners, shareholders, customers and business partners. Management needs to:
• devote sufficient resources to the task of delivering and maintaining the desired level of assurances
• assign roles and responsibilities for information security
• ensure correct application of the system of controls.

Staff also play an important role by being aware of the relevance and importance of information security in their day-to-day working environment, and by carrying out their responsibilities for implementing information security in a responsible way, adhering to the ISMS policies and procedures.


ASSESSING AND REVIEWING ASSURANCE
Objective assurance that the ISMS is adequate and effective at satisfying stakeholder requirements can be assessed by means of the different types of audit mentioned earlier (ie first, second or third party audits). This provides an independent and objective assessment to management that the risk management policies and system of controls it has established are adequate and effective. In addition, the systematic assessment of the business processes and controls can add value by the identification of ways to improve the effectiveness of the ISMS. Internal ISMS audits are a mandatory part of BS 7799 Part 2 for claiming compliance with this standard, whereas third party audits are optional.

In order to ensure that the variety of assurances being delivered continues to satisfy the requirements of interested parties, regular reviews need to be part of your ISMS operations. Changes to the business environment are inevitable and sometimes unpredictable, and these can influence an organisation’s ability to maintain the assurances required. There are several monitoring and reviewing activities that can take place to ensure that all controls and policies are adhered to and are adequate for their purpose, and that the ISMS is effectively managing the risks. They are a mandatory part of BS 7799 Part 2 for claiming compliance with this standard. These activities apply at different levels of management and staff, and they need to take account of the results of incident reporting and handling processes, reviews of controls, and suggestions and feedback from all interested and relevant parties. The purpose of these activities is to ensure that the ISMS remains effective and appropriate to satisfy the requirements for information security assurance. These activities should include:
• using monitoring activities to detect errors and identify failures in the current security arrangements
• evaluating the security arrangements in place for their performance
• reviewing all risk assessment associated with:
  – changes to business requirements and priorities, or legal environment
  – new threats and vulnerabilities
  – changes in technology, embracing new technologies and the effective investment in technology
  – corporate culture
  – changes in supplier chain and delivery of services
  – joint ventures
  – effects of new markets and competitors
  – outsourcing key business processes
  – acquisitions, mergers, expansions, restructuring, downsizing
  – fraud
• confirming that controls remain effective and appropriate, and that policy objectives are met
• identifying and recording all the improvements that are needed, based on the results of these reviews.

The improvements identified by these monitoring and review exercises should be implemented, and corrective and preventive action taken to ensure that the ISMS continues to provide the assurance required.


Achieving supplier assurance
ESTABLISHING ASSURANCE
Most organisations need to make use of external third party suppliers and service providers to support their business. This includes information systems and data processing facilities that have been outsourced to third party organisations. In addition, service providers will sometimes need to have access to an organisation’s information and information systems, to process, share or exchange information, and in some cases to manage information systems. Security arrangements supporting the organisation’s ISMS and that of its suppliers and service providers should be in place to take account of the particular risks the organisation faces. These arrangements should be able to provide the organisation with the required level of assurance that its information and information systems are not at risk. This type of assurance concerns the extent of confidence in the service provider or supplier systems and processes, that any risk to the information assets is being properly managed and that any protection is adequate. The following key elements of assurance apply to third party suppliers and service providers:
• Information security policies and procedures are being enforced and adhered to, and this includes compliance with legal, regulatory and contractual requirements for service use and supply.
• The security arrangements and the business and operational processes are effective at managing the risks.
• The system of controls is adequate for the purpose of providing and maintaining a specified degree of confidence in the confidentiality, integrity and/or availability of the information assets.

DELIVERING ASSURANCE
An important part of your organisation’s actions to achieve supplier assurance should be a formal contract and service level agreement (SLA) between the parties.
This should contain all of the necessary security requirements to ensure compliance with your organisation’s security policy and standards, and fulfilment of all of your organisation’s security requirements. ISO/IEC 17799 defines a number of the key security requirements that should be considered for inclusion in third party contracts. And specifically with regard to outsourcing, ISO/IEC 17799 details additional contractual obligations for outsourced information processing, managed data services and IT systems. Service providers and suppliers should implement all security arrangements as required by the contracts or SLAs, and should put all supporting activities in place to ensure that they are fulfilling the requirements. The implementation should include all arrangements for information transfer between the organisations, rules for how the staff of service providers or suppliers should handle your organisation’s information, the level of service provision, and all other controls to achieve assurance as required by contracts or SLAs. Service provider and supplier compliance with legal requirements (see the ISO/IEC 17799 controls relating to Compliance) is necessary to avoid breaches of any criminal and civil law, and statutory, regulatory or contractual obligations your organisation might get involved in. This needs to take account of the legal and regulatory framework in which the service provider/ supplier organisation operates and the regional or global scale of the business. Consideration needs to be given to controls governing intellectual property rights, safeguarding organisational records, data protection and privacy, and the misuse of information processing facilities.


In addition to the management controls in ISO/IEC 17799, BS 15000 also provides other best practice controls specifically designed for the management of IT services. The BS 15000 standard covers aspects such as:
• service management planning
• service improvement
• service design and management:
  – service level management (the process of specifying and managing the levels of service required)
  – availability management (the process of implementing the requirements defined in SLAs into availability targets and to manage the required availability)
  – service continuity (the process to ensure obligations to customers can be satisfied in the event of a major service failure, disruption or disaster)
  – service reporting (reliable and timely reports for decision making and service support)
  – capacity management (controls to ensure that the organisation has sufficient resources to deliver and meet the demands for its services)
• relationship processes (controls to engender and maintain good working relationships between the service provider and its customers)
• resolution processes:
  – incident management (controls to handle incidents in a timely way to restore services to normal operation)
  – problem management (controls to identify and manage the underlying causes of service incidents)
• control processes:
  – configuration management (control and management of the components of the specific service or the service infrastructure, and protection of the integrity of the services and any related information systems)
  – change management (control and management of requests for change to the service).

ASSESSING AND REVIEWING ASSURANCE
In order to assess the assurance delivered by service providers and suppliers, your organisation needs to consider how it might review the security arrangements which are in place to comply with the contracts and SLAs. The security of the service provider and supplier facilities and processes can be assessed, and evidence as to whether their information security arrangements are effective can be obtained, in the different ways described in the ‘Assessment of an ISMS’:
• The service provider or supplier organisation assesses their own security arrangements, eg via an internal audit function, then your organisation looks at their audit reports and supporting records of this activity to gain evidence that the security arrangements provide sufficient assurance for the requirements.
• Your organisation carries out its own assessments or audits (eg made possible through the inclusion of the right to audit the service provider in the contract with the service providing organisation). In this case, your organisation can audit their results and check their control selection to gain evidence that they have appropriate security in place.
• Your organisation insists on the service providing organisation being assessed by an independent third party, eg a certification body providing BS 7799 certification. In this case, it should be carefully checked that the scope of this certification includes all services the service provider is providing to your organisation.


In order to facilitate this, the contracts and SLAs should include a right to audit, which specifies what your organisation can do to assess the security arrangements in place. Whichever way the organisation decides to proceed regarding assessing the implementation of the agreed security arrangements, it is important that the following are covered:
• The service providers and suppliers have a security policy, which describes their overall approach to information security and the controls in place for protecting your organisation’s information and information systems, and the service provider or supplier organisation adheres to this policy.
• The system of security controls the service provider or supplier has in place is adequate, effective and provides sufficient evidence that the level of assurance provided by these controls satisfies the identified requirements.
• They have in place processes for monitoring and reviewing:
  – vulnerabilities related to your organisation’s information and other assets handled by the service provider
  – the impact on your organisation’s business in the event of a security breach occurring in the service provider’s facilities
  – the level of trust placed in those who have access to the service provider’s information processing facilities.

If objective evidence cannot be found that your organisation’s required level of assurance is being met, then action needs to be taken to improve the information security provided by the supplier. This may involve adding controls, changes to the contract to provide more appropriate security and service arrangements, or even your organisation choosing to add its own additional controls to achieve more security and to reduce the risks related to the services provided.

Achieving business partner assurance
ESTABLISHING ASSURANCE
This type of assurance addresses the level of confidence in the security arrangements established between your organisation and your business and trading partners. This should include the requirements for securing those business processes that allow access to information, the sharing and exchange of information, and electronic transactions to take place. Your organisation needs to discuss with your business and trading partners what risks each party faces with regard to this relationship, and what the associated security requirements are. This should lead to all parties mutually agreeing what assurances are needed to satisfy these requirements. All parties should, in a contract or in some other commercial document or agreement, sign up to a set of security arrangements that will satisfy these requirements and deliver these assurances. The security arrangements between your organisation and its trading or business partners need to specify the information security policy and procedures that both parties should adhere to. This policy and these procedures should be supported by more detailed controls related to securing access to information, rules for handling information securely, and controls to secure the sharing and exchange of information to protect the confidentiality, integrity and availability of this information. ISO/IEC 17799 defines a number of relevant controls for this purpose, and they should be selected to manage effectively the risks involved in working with the business and trading partners. If your organisation has established an ISMS as described in Achieving organisational assurance, and this ISMS has been assessed and audited, then this can provide your business partners with assurance that your organisation has already taken steps to secure its information systems. Likewise your business partner may also have taken similar action.

DELIVERING ASSURANCE
Your organisation and its trading or business partners should agree the day-to-day working practices you will employ collectively to deliver the required assurances. Some of the principles and controls that can be applied to give both parties the appropriate assurance in information security arrangements include agreed common practices and processes to:
• ensure that the policy and procedures are adhered to
• provide the appropriate level of security to each other’s sensitive or critical information; this should include agreement on information classification, information handling procedures, access control, sharing and exchange of information, media security, etc
• demonstrate that adequate security controls are in place to achieve the required level of security and assurance
• report and handle security incidents
• monitor and review the effectiveness of the arrangements.

ASSESSING AND REVIEWING ASSURANCE
There are several ways your organisation and your business and trading partners can assess the assurance the respective partner is providing, ie by first, second or third party audits. Your organisation should agree with its trading and business partners which of these alternatives provides the necessary assurance. You could aim at a mutual solution, ie the method your business or trading partners choose to assess your organisation’s security might also be applicable to assess their security arrangements. The following need to be considered:
• objective assurance that your business and trading partners’ organisations adhere to the security policy they have implemented
• objective assurance that controls are implemented that effectively manage the risks, including:
  – the levels of trust in individuals who will handle sensitive information
  – the approach taken to protect sensitive information
  – assurance that the information processing facilities, services and IT systems are managed effectively
• objective assurance that all controls required by contracts are adhered to and are working effectively
• objective assurance that the controls that have been implemented by the business and trading partners provide sufficient protection to fulfil the requirements for confidentiality, integrity and availability of the information and information assets handled.


Achieving services and IT systems assurance
ESTABLISHING ASSURANCE
This type of assurance addresses the confidence your organisation requires in the services and IT systems it uses. This might be the confidence that the security functionality and features included in the hardware, software and technology are indeed effective, and that they can be relied upon to manage the risks the organisation faces. It might also involve confidence in the services used: their accessibility, reliability and security. Your organisation should identify what assurances it requires from the types of services and IT systems it uses or intends to use. In some cases, there may be IT systems and services that can deliver these assurances as standard (maybe as off-the-shelf hardware and software products). In other cases your organisation may need to work with the supplier to enhance the existing product or service functionality to meet assurance requirements. The requirements of such assurances need to be viewed in the context of the working environment in which the systems and services are being used. For the security features provided by IT systems to be as effective as the original design intended, they need to work with the day-to-day business processes used within the organisation’s working environment. Typically the security design of an IT product or system will be based on a generalised risk assessment and not related to any specific or particular risk environment of an organisation or its business processes. Therefore an organisation must recognise that any assurances claimed to be provided by a particular IT system design are based on a generalised risk assessment, and their use must be proved in the context of the actual operational environment.
Because of this, it is important that the services and IT systems are used in a managed environment such as that provided by an ISMS, and that the requirements for assurance they are expected to provide are assessed as part of the overall ISMS requirements capture process. In addition, the establishment of organisational, supplier and business partner assurances needs to take account of the risk factors related to the services and IT systems design.

DELIVERING ASSURANCE
The delivery of the assurances claimed and offered by individual services and IT systems needs to be viewed in the context of their working business environment. If the services and IT systems are not managed appropriately, or if there are mismatches or conflicts with business processes in the working environment, then the overall organisational assurances might not be as originally expected or intended. Therefore services and IT systems need a managed environment. There are a number of controls in ISO/IEC 17799 and processes in BS 7799 Part 2 that should be considered and implemented as part of an ISMS to manage the day-to-day operations involving the use of IT systems and services. Such controls cover aspects such as the following:
• maintenance and support contracts, processes and procedures for hardware, software and communications equipment
• management process for capacity planning and system acceptance
• authorisation procedures for new IT products, systems and services
• back-up processes and procedures
• business continuity and contingency planning for IT systems failure and disaster recovery
• change control procedures for operational systems, hardware and software
• procedures for preventing, detecting and repairing software and IT system malfunctions
• management of physical and environmental conditions to protect power supplies, cabling, equipment and work places hosting IT systems
• procedures for monitoring the use of IT systems and services
• protection of test data and programme source code
• use of virus protection software and regular updates of such software
• timely and controlled installation of software patches.

This set of controls for the management of the services and IT systems environment provides a baseline level of assurance. As well as these controls and others in ISO/IEC 17799, the standard BS 15000 also provides other best practice controls specifically designed for the management of IT services. Some of these controls from BS 15000 are described under Achieving Supplier Assurance.

There is also an aspect of assurance that can be associated with the delivery of some particular types of IT based business service, for example, the provision of trust services to support the use of digital or electronic signatures for electronic commerce and business. This type of assurance aims at providing confidence to users that their online transactions and exchange of electronic documents can be secured and that the services providing this security can be trusted. tScheme is a UK industry scheme for defining standards and service profiles for the approval of services offered by trust service providers (TSPs).

In addition, the identification of requirements may have shown the need for specific security functionalities built into various IT components and products, eg smart cards, firewalls, or secure database servers. This may also involve the organisation, business partners or customers specifying a need for assured levels of security functionality from these products. In such cases one option is to consider the use of evaluated products. The security evaluation of IT products is delivered through several different industry processes and schemes. These include various test laboratories and facilities that provide independent evaluation.

One such scheme is that based on the use of the Common Criteria standard ISO/IEC 15408 ‘Evaluation criteria for IT security’. This international standard defines the basis for evaluation of security features and functionalities of IT products and systems. Product evaluation based around this standard operates in several countries. This type of evaluation addresses implementation of security functions related to the confidentiality, integrity and availability of information handled and processed by specific IT products, and allows evaluation of these functions against a set of functional assurance requirements. Supporting the development of evaluated products is the notion of a protection profile. This is a specification of security requirements for a particular category of IT product or system designed to satisfy a specific consumer need. These profiles are defined according to the Common Criteria standard ISO/IEC 15408 and are independent of any IT implementation.

Another standard that your organisation might also use, this time from a security engineering perspective, is the Systems Security Engineering – Capability Maturity Model (SSE-CMM). The aim of this standard is for organisations to be able to demonstrate a certain confidence that their IT system has, from an engineering perspective, reached a certain level of maturity. The SSE-CMM is intended to be used as a:
• tool for organisations to evaluate their security engineering practices and define improvements
• basis for security evaluation organisations (eg system and product evaluators) to establish organisational capability-based confidences (as an ingredient to system or product security assurance)
• standard mechanism for customers to evaluate a provider’s security engineering capability.


ASSESSING AND REVIEWING ASSURANCE
Objective assurance that the ISMS is adequate and effective at managing the working business environment of the services and IT systems can be assessed through the different types of audit mentioned earlier (ie first, second or third party audits). The controls your organisation is applying to manage the day-to-day operations involving services and IT systems need to be assessed for their adequacy, correct functioning and effectiveness. The implementation and effectiveness of these controls should be monitored; checks should be made to ensure they are providing the required level of security, and that staff are applying them correctly. Improvements and enhancements should be implemented where necessary to provide ongoing assurance in the services and IT systems, as required.

Trust services, such as those to support the use of digital or electronic signatures, can be taken through an audit process to check the management of the technical infrastructure that supports the delivery of such services. For example, tScheme supports such an audit process for the approval of services supplied by Trust Service Providers. The tScheme process approves trust services that are compliant with the standards, criteria and profiles published by tScheme. The approval method is recognised by the accreditation process in the UK as a BS 7799 sector scheme, as the audit involves the assessment of both an ISMS and the components of the technical infrastructure that delivers the trust services.

If your organisation is using products that have been evaluated against the Common Criteria, or any other such evaluation scheme, then this can provide different levels of assurance that security requirements are fulfilled according to the design specification. The level of assurance is ranked according to the rigour, detail and formality of the testing and evaluation carried out: the higher the assurance level (E6 is the highest) the greater rigour and detail, and the lower the assurance level (E1 is the lowest) the less rigour. This evaluation assesses whether the products have been designed, built and tested to implement certain specified security functionalities and to fulfil security requirements. It should be noted that this evaluation is undertaken in a test laboratory outside of the working environment in which the IT systems and product will be used. Also, unlike the management system approach, the process of certifying products does not include the continual improvement cycle, so there are no regular reviews, surveillance audits and/or internal ISMS audits built into this type of assurance process. If there is a modification to the product (eg through a new software release or upgrade) then the original certified product needs to be re-evaluated to ensure it still provides the desired level of assurance.


Case study
The purpose of this case study is to illustrate the different aspects of information security assurance as they might apply to a real life business situation.

CALL CENTRE SYSTEM
The basic idea behind most call centres is that of providing a direct human interface between the customer and a supplier of services or products. As this is a human interface, the staff operating the call centre are a vital component of the system.

INFORMATION SECURITY ASSURANCE
The assurance scenario in this case study involves providing the desired level of confidence that suitable security arrangements are in place and are being adhered to. This will ensure that the operations function correctly, reliably and effectively to deliver the call services to customers.

AREAS OF RISK
The call centre management team should consider the potential areas of risk:
• Physical location and environment
  – accessibility by staff
  – size and capacity of the building/offices
  – working conditions
• Equipment
  – reliability
  – being fit for purpose
  – backups
  – maintenance and replacement
• Call centre processing of enquiries
  – sufficient knowledge of suppliers’ services or products
  – limitations of the range of responses to customer enquiries
  – accessibility to information, advice and guidance on suppliers’ services or products
  – accuracy and timeliness of responses
  – correct processing of information
• Staff
  – high turnover of staff
  – recruitment of suitable staff
  – staff training
  – operational stress
• Procedures
  – handling customer complaints or abusive calls
  – handling emergencies
  – use of call assessment procedures
• Response capability
  – volume of calls
  – number of customers
  – number of staff
  – staff shift patterns
  – quality and performance

[Figure: Call centre information security assurance. Elements shown: Customer; Supplier; Call Centre, comprising Physical working conditions, IT systems, Call service processes and Staff.]


SECURITY RISKS AND REQUIREMENTS
The primary customer requirement of the call centre is that of providing cost-effective services that are timely, efficient and reliable. To satisfy these requirements the call centre needs to address the identified areas of risk listed above, and in doing so provide assurance to the supplier that a guaranteed level of service quality and availability will be delivered. Some of the specific risks the call centre needs to address are:
• having insufficient system and communications capacity to meet the required levels of service availability
• lack of appropriate operational procedures for handling incidents, problems, complaints, effective communications and other day-to-day issues, as well as the general procedures for the efficient running of the call centre
• lack of sufficient training of call centre staff (i) for sufficient knowledge of the customers’ products to be able to respond to caller enquiries in an accurate and timely way, (ii) to be able to use procedures, and (iii) to handle difficult and abusive calls or callers and know how to use the centre technology and procedures
• lack of appropriate working conditions (badly ventilated, overcrowded, unsafe)
• lack of quality and timeliness of service delivery (customers are kept waiting, getting the wrong information, system and communication failures, providing out of date customer information regarding products, no service delivery culture etc).

ISMS SCOPE
To manage these areas of risk the call centre needs to establish an ISMS with a system of controls to ensure the customer requirements are met, as well as serving its business objectives to be a successful and profitable service centre. The ISMS scope includes:
• the information processed in the call centre, such as information relating to the supplier’s products sold, information collected from the customers, etc
• the IT systems and equipment necessary to process this information, such as the PCs with all their hardware, software and connections, the telephones, faxes, printers, etc needed for the work processes in the call centre
• the call centre services provided
• the procedures and work processes necessary to provide these services
• the staff working in the call centre
• the building where the call centre operates, and all other physical assets.
In addition, there are interfaces to the customers contacting the call centre to use its services, and to the suppliers whose products are sold by the call centre.

SYSTEM OF CONTROLS
The system of controls the call centre selects should be based on the identified risks resulting from an assessment of areas of risk and security requirements.

Controls to achieve organisational assurance
The call centre needs to implement and maintain organisational security throughout, to establish an environment that provides sufficient assurance to suppliers and customers. The best way to provide this assurance is to implement and operate an ISMS. The controls discussed here should be implemented to achieve this.

Controls for security organisation
A security policy is necessary to ensure that all staff are aware of the security goals of the organisation, and the role they play in achieving these goals. There is also the need to ensure business continuity, to address interruptions and emergencies effectively, and to be able to meet customer requirements for a timely and reliable service. This includes the implementation of the following controls:
• information security policy
• security management
• business continuity management
• controls to ensure compliance with legislation, requirements and security controls.

Controls for staff security
Call centres tend to be particularly affected by a high turnover of staff, and in such environments it is difficult to maintain an adequate skill base. Controls that should be implemented for staff are:
• all staff should be clear about their security responsibilities, and their responsibility to comply with customer requirements when handling calls
• personnel screening and policy
• training: the training programme needs to address the following:
 – providing adequate and up to date knowledge about the suppliers’ products
 – correct application of all procedures and technology used in the call centre
 – handling of difficult or abusive customer calls
 – providing the staff with the right culture of service delivery.

Procedures in the call centre
Currently there are no procedures in place that deal with incidents, which could easily impact on the provision of timely services. There are also no procedures in place that support the assessment of how the calls have been handled; it is therefore difficult to ensure the quality of the service provided. There are also no guidelines available for staff to handle customer complaints or abusive calls, which can lead to customer frustration and staff de-motivation. The following procedures need to be implemented:
• operating procedures for effective communication with the customers
• managing incidents
• monitoring call handling
• disciplinary process.

Controls for capacity planning
To ensure that the call centre can operate in such a way as to meet customer and supplier demands, there are several issues related to capacity planning that should be considered. Controls that should be implemented to achieve sufficient capacity are:
• capacity planning
• system acceptance
• procedures for adequate staff resources.

Controls for physical location and environment
Environments such as call centres can involve overcrowding, poor ventilation and heating, and such conditions can have a subsequent impact on staff morale. Poor physical security is also a concern, and health and safety may also be an issue. Controls that should be implemented for the location and environment are:
• physical security perimeter and entry controls
• securing offices, rooms and facilities
• in addition, moving the site to an easier to reach location should be considered.

Controls for equipment security
The highest risks related to equipment all have to do with the need to provide timely and reliable services. Lack of reliable equipment and inadequate maintenance of such equipment can result in failures and subsequent delays in dealing with customer enquiries. The lack of backups (making them and testing them) can easily result in information being unavailable for customers. Controls that should be implemented for equipment security are:
• equipment siting and protection
• power supply and cabling security
• equipment maintenance
• clear desk and clear screen policy
• information back-up.

General security and assurance that all processes work
There is the general requirement that the call centre operations function correctly, reliably and effectively to deliver the services to customers, in line with the supplier’s requirements. Some other security controls should also be put in place in addition to the ones discussed above, and these are:
• controls against malicious software
• access control
• controls for asset management
• controls for IT systems.
The call centre itself is dependent on the use of reliable IT systems based on off-the-shelf products, although there is no requirement for these systems to have undergone a rigorous security evaluation.

DELIVERING ASSURANCE
The suppliers’ requirements mentioned above need to be addressed by the call centre to give the suppliers sufficient assurance in the services they are paying for. The call centre needs to deliver its services so as to give the suppliers confidence that it is able to answer customer calls in an efficient and timely way, and that the information given about the suppliers’ products is correct and suitable to answer customer questions. There is also a requirement to keep the potential customers satisfied with the services being provided, to give them confidence.

Adherence to the policy
Call centre management need to ensure that their staff adhere to the policies, guidelines and procedures that have been implemented. They need to ensure that call centre operations are carried out in accordance with these policies to support the security arrangements agreed with its suppliers. In addition, the call centre needs to provide assurance to the suppliers that this is actually happening. Call centre management need to monitor and review compliance with their policy, procedures and controls, taking account of suggestions and feedback from all interested parties.

Effectiveness of the ISMS and adequacy of controls
In addition to implementing a system of ISMS controls to meet the security requirements of its suppliers, customers and other stakeholders, the call centre also needs to check the effectiveness of its ISMS. This will provide a degree of assurance against supplier requirements, levels of service and performance levels. The call centre therefore needs to monitor and review its ISMS on a regular basis to ensure its continuing suitability, adequacy and effectiveness to meet target levels of performance, service availability and service delivery. Management needs to review any changes that could affect the ISMS, and this should include assessing the opportunities for improvement of the ISMS. In order to provide assurance to the suppliers, the call centre can, for example, provide the suppliers with records of performance measures such as volume and type of calls/enquiries, responses made, customer complaints and the resolution of these, to demonstrate that the ISMS works effectively and that the suppliers’ requirements are met. It can also invite the supplier to carry out its own checks to prove that the call centre is able to answer all customer calls in a timely and efficient manner and to the customer’s satisfaction, and that the information given about the suppliers’ products is correct.

Contracts and Service Level Agreements (SLAs)
The suppliers need to have contracts and SLAs in place to make sure that the appropriate security arrangements are implemented to meet their requirements. The call centre, in providing a sufficient level of information security assurance against these requirements, should give confidence to the supplier that these arrangements have been addressed and implemented by the ISMS. Any contract and supporting SLAs should consider the following issues, in addition to other supplier specific requirements:
• the information security policy of the call centre, and additional documentation about the ISMS the call centre has in place
• procedures to ensure that all of the suppliers’ information is given in a correct and timely way, and that the call centre staff use only up to date information about the suppliers’ products
• procedures ensuring that the call centre gets all required information from the suppliers in time
• a process that informs call centre staff when to change/update the information given to customers
• the call centre staff are aware of all the suppliers’ products, and are sufficiently knowledgeable to give correct information to customers
• the call centre staff are providing services to meet the service level requirements and performance targets of the supplier
• the call centre and the supplier will review these service requirements to check their continuing suitability, adequacy and effectiveness
• the rights to monitor the call centre staff’s activities
• the right to audit the call centre’s arrangements for security and for providing services
• a clear reporting structure and procedures for handling customer complaints, operational problems, security related events and incidents that relate to the suppliers’ products.

Regular reviews
The suppliers need to have the opportunity to regularly monitor and assess the call centre staff’s performance, as defined in the contract or SLA (see also above), and to review performance and sales figures. The suppliers and the call centre need to agree a meeting schedule to discuss any problems and improvements required by the suppliers, possible audits of the call centre’s site, and what to do if the call centre does not meet the suppliers’ requirements.


References
1. BS 7799 Part 2: 2002 Information security management systems – Specification with guidance for use.
2. BS 15000 IT Services Management
 • Part 1: Specification
 • Part 2: Code of Practice.
3. BSI/DISC PD3000: 2002 series of BS 7799 guides
 • PD3001: Preparing for BS 7799-2 certification
 • PD3002: Risk assessment and risk management
 • PD3003: Are you ready for a BS 7799 audit? A compliance assessment workbook
 • PD3004: Guide to the implementation and auditing of BS 7799 controls
 • PD3005: Guide on the selection of BS 7799 controls.
4. BSI PD0012 Series of Guidelines on Data Protection
 • PD0012-1: Guide to the practical implementation of the Data Protection Act 1998
 • PD0012-2: Guide to developing an e-mail policy
 • PD0012-3: Guide to developing an e-commerce policy
 • PD0012-4: Guide to managing your database
 • PD0012-6: Guide to data controller and data processor contracts
 • PD0012-7: Guide to subject access
 • PD0012-8: Guide to managing manual data.
5. ISO TR 13335 Guidelines for the management of IT security (GMITS):
 • Part 1: Concepts and models for IT Security: 1996 (currently under revision)
 • Part 2: Managing and planning IT Security: 1997 (currently under revision)
 • Part 3: Techniques for the management of IT security: 1998 (currently under revision)
 • Part 4: Selection of safeguards: 2000
 • Part 5: Management guidance on network security: 2001.
 ISO/IEC 13335 is currently being revised within ISO and should be finalised in 2006. This revision will update and make improvements to GMITS and will result in a new 2 part standard MICTS (Management of ICT Security).
6. OECD Guidelines on the security of information systems and networks: 2002.
7. EA-7/03, Guidelines for the Accreditation of Bodies Operating Certification/Registration of Information Security Management Systems.
8. EN 45012:1998, General requirements for bodies operating assessment and certification/registration of quality systems.
9. ISO Guide 62:1996, General requirements for bodies operating assessment and certification/registration of quality systems.
10. ISO 9001:2000, Quality management systems – Requirements.
11. ISO/IEC 15408: 1999 Evaluation criteria for IT security:
 • Part 1: Introduction and general model
 • Part 2: Security functional requirements
 • Part 3: Security assurance requirements.
12. ISO 15489: 2001 Information and documentation – Records management
 • Part 1: General
 • Part 2: Guidelines.
13. ISO/IEC 17799: 2000 (previously BS 7799 Part 1: 1999) Code of practice for information security management.
14. ISO 19011:2002, Guidelines on Quality and/or Environmental Management Systems Auditing.
15. SSE CMM: ISO/IEC 21827: 2002-10-10, Information Technology – Systems Security Engineering – Capability Maturity Model.
16. tScheme Profiles for Trust Service Providers
17. DTI Publication Information Security: Protecting Your Business Assets (URN 04/626)


Further help and advice
INFORMATION SECURITY ISSUES
For help and advice on information security issues contact:
The Information Security Policy Team, Department of Trade and Industry, 151 Buckingham Palace Road, London SW1W 9SS. Tel: 020 7215 1962. Fax: 020 7215 1966. E-mail:
Our information security business advice pages and a full listing of all our publications can be found at: information_security
To obtain copies of the ISO/IEC and BS standards contact:
BSI, 389 Chiswick High Road, London W4 4AL. Tel: 0208 995 7799. Fax: 0208 996 6411. Website:
For information on data protection, contact:
The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel: 01625 545 745. Fax: 01625 524 510. Web site: E-mail:


GENERAL BUSINESS ADVICE
You can also get a range of general business advice from the following organisations:
England
• Call Business Link on 0845 600 9 006
• Visit the website at
Scotland
• Call Business Gateway on 0845 609 6611
• Visit the website at
Wales
• Call Business Eye/Llygad Busnes on 08457 96 97 98
• Visit the website at
Northern Ireland
• Call Invest Northern Ireland on 028 9023 9090
• Visit the website at

Examples of products and companies included in this leaflet do not in any way imply endorsement or recommendation by DTI. Bear in mind that prices quoted are indicative at the time it was published.

Published by the Department of Trade and Industry. © Crown Copyright. URN 04/625; 07/05
