BS7799 /ISO17799 /ISO27001 What is BS 7799 /ISO 17799? The BS 7799 /ISO 17799 standard was developed to create a common information security structure and thus cover technical, administrative and legal aspects alike. Through ten check points, this standard lists the optimal practices companies must implement to manage computer security effectively. Implementation of the principles laid out in BS 7799 /ISO 17799 makes it possible to detect, analyze and reduce information risks. Security Policy : Plan company expactations, ratify estimated completion times and evalute test succes rate. Organizational Security : Adress information security within the company and wherever company information is accessed or processed externally. Asset Classification and Control : Compile of inventory of the assets to be protected and establish levels of protection commentsurate with the importence of the assets in question. Access Control : Set in place procedures for controlling access to the company’s network and computer applications. Protect your company from external intrusions and internal abuses. Compliance : Understand the legal aspect of security as well as those of the auditing, monitoring and maintenance of all nine procceding points. Perspnnel Security : Inform of the employees of the daily procedure to be followed. Physical and Environmental Security : Assets the areas to be protected as well as access control to these areas. System Development and Maintenance : Take into account hardware and software enhancement, implementation, maintenance and development. Communications and Operations Management : Protect the dissemination and backup of information through network and computer applications. Protect your company from external intrusions and internal abuses. Business Continuity Management : Prepare of disasters. Define the best ways to cope with such situations. Differences between BS 7799 and ISO 17799 What's the difference between BS 7799 and ISO 17799? Actually, at present they are one and the same standard. BS 7799 /ISO 17799 defines the best business practices in respect to computer security. BS 7799-2 explains in addition the various stages of the certification process. In short, BS 7799 /ISO 17799 describes "ideal" security concepts, while BS 7799-2 describes those security concepts that are "indispensable" for any organization wishing to become certified. No audit mechanism for ISO 17799 conformity exists to date. Organizations wishing to follow an implementation methodology for the BS7799 /ISO 17799 standard use that of BS 7799. In short, certified companies declare themselves BS7799 /ISO 17799 compliant and BS 7799-2: 2002 certified. Callio Secura 17799 has been designed for flexibility: it permits a complete approach leading to BS 7799 certification or simply the generation of a security policy based on ISO 17799. Relationship with other standards Recent legislation Who is affected? What do the security provisions center? What are the penalties? When is it in affected? Sarbanes-Oxley Act de 2002 All public companies subject to US security laws Internal controls and financial disclosures Criminal and civil penalties Current law Gramm-Leach-Bliley Act de 1999 Financial institutions Security of customers record Criminal and civil penalties Current law Health Insurance Portability and Accountability Act(HIPAA) Health plans, health care clearinghouses and health care providers Personnal health information in electronic form Civil fines and criminal penalties Finales security rule takes effect in April 2005 To reinforce the BS 7799 /ISO 17799 standard, computer security standards from other sectors can be can be implemented, such as HIPAA (health) or GLBA (banking). Other ISO standards can also be used, such as ISO 15408, which is complementary. Created in 1996, the Common Criteria were renamed ISO 15408 and have been revised twice since 1998. This standard allows the levels of defense provided by information systems security components to be certified. These two standards can be used together, for one ensures overall security while the other verifies the tools. For example, with BS 7799 /ISO 17799 a company can demonstrate its security know-how from a general standpoint (physical, logical, human) and at the same time demonstrate that the controls used (firewall, chip-card) are ISO 15408 certified. Methodology Project Initiation The various committees and teams associated with the project are presented in the following proposed structure: Senior Management Commitment To ensure that the implementation of an information security management framework functions properly, the approval and commitment of senior management must be obtained. Without management's commitment, the project's implementation could run into some difficulties. In order to reduce the number of lengthy moratoriums, senior management commitment must be present at all levels: operational, technical, and budgetary, as well as in terms of the timeline. A project management committee A project management committee must be formed. It is usually comprised of a senior executive, the implementation project manager and representatives from the various administrative units. The project manager usually directs operations and sets priorities. He must be familiar with the implementation process, and be constantly available. In some of the larger organizations, the Chief Information Security Officer (CISO) performs the aforementioned tasks. Get every department in the project In most cases, the implementation of the ISO 17799 standard in an organization requires the involvement of all the administrative units of that organization. The following is a summary chart, i.e. non comprehensive, of the potential implications for all ten ISO domains: ISO 17799 Domains Management and Administration Finance and Accounting Human Ressources IT/ISM and communication Legal Aspect Internal Control Third Party Building Security Policy x x x x x Organizational Security x x x x x x x Asset Classification and Control x x x x x Personnel Security x x x x x x Physical and Environmental Security x x x x Communications and Operation Management x x x x x Access Control x x x System Development and Maintenance x x Business Continuity Management x x x x x x x x Compliance x x x x ISMS Definition Once a Management Committee has been created (see previous phase), it must define the scope of the information security management framework so as to focus on the essential. The security perimeter can cover either selected sections of an organization or the entire organization. Keep in mind that the ISMS must be under organizational control. If the organization does not control the ISMS, it will be unable to manage it efficiently. In order to accurately define your ISMS, you must clearly identify: Goal /Objective A clear decision must be made to either adopt the standard for compliance or obtain BS77799-2 certification. Scope What administrative units and activities will be covered by the information security management framework? Boundaries /Limits In accordance to: • The specific characteristics of the organization (size, field of endeavor, etc.); • Location of the organization; • Assets (inventory of all critical data); • Technology. Interfaces The organization has to take into account interfaces with other systems, other organizations and outside suppliers. Dependencies The ISMS has to respect certain security requirements. These requirements can be of a legal or commercial nature. Exclusions and Justification Any element or domain (part of a network or of an administrative unit) defined by the SGSI, yet not covered by a security policy or security measures, must be identified and its exclusion explained.Strategic Context Planned security measures must take into account the actual or imminent position of the organization in order to reach mission-compatible goals set by senior management. Organizational Context The organizational environment enhances the measures implemented to meet specific objectives as set by management. Gathering Existing Documentation A review of the existing documentation is necessary in order to evaluate the scope of existing security measures, such as the ISO 9000 Quality Management manual, the ISO 14001 Environmental Management manual and the Security Policies manual. Managers of every department involved in ISMS definition should draw up an inventory of all documents relating to data security within their department. Risk Assessment Whatever the type or size of a business (multinational or SME), all organizations are vulnerable to threats that jeopardize the confidentiality, integrity and availability of important data. The sooner protective action is taken, the more inexpensive and effective the security. In order to more easily identify and select the controls that will allow for better management of human and financial resources, the whereabouts and nature of the threats must be known. Measure compliance with ISO 17799 controls Make an initial assessment of the security status of the management framework, in terms of the controls, processes and procedures required by ISO 17799. Asset Identification and Evaluation The first stage of the information security risk assessment process is the identification of critical and/or sensitive data. Identification and Evaluation of Supporting and Environmental Assets Because information is an intangible asset, it must be handled, processed, stored, printed, disposed of and communicated through tangible means. Therefore, the intangible assets of an organization must be identified and their value determined as a function of CIAL criteria (Confidentiality, Integrity, Availability, Legal requirements). Identification and Evaluation of Therats and Vulnerabilities It is important to identify the weaknesses of any asset that supports the organization's critical information. Such weaknesses are vulnerable to threats and can therefore have a negative impact on information (disclosure, corruption, destruction, legal prejudice). Risk Treatment Once risks have been identified and calculated, a decision must be made as to the management of these risks. How they are to be managed is usually a function of: • Initial security policy; • Level of assurance required; • Risk assessment results; • Existing business, legislative and regulatory contraints; Risk management options : • Risk Reduction • Risk Acceptance • Risk Avoidance • Risk Transfer Selecting Controls In most cases, risk reduction is the option selected. Consequently, objectives must be set, and controls implemented. Risk management Plan The risk management plan contains all the information required for implementation: management tasks and responsibilities, the names of those in charge, risk management priorities, etc. Implementation of Controls The organization must now implement the risk management plan and monitor the implementation of controls required in each information environment to be protected. Training and Awareness The organization has to make sure that all staff members in charge of a defined ISMS responsibility are qualified and able to perform their tasks. In that sense, the organization has to: • Determine what skills personnel working on information security must have; • Give an appropriate training and, if necessary, hire experienced staff for that specific task; • Evaluate efficiency of training and actions undertaken; • Maintain a register of education and training programs followed by each employee as well as their abilities, experiences and qualifications. The organization also has to make sure the necessary personnel is aware of the importance of their information security activities and the way they participate in meeting the ISMS objectives. It is important to develop a training and awareness program in order to educate all employees in the organization. Employees have to make sure they understand and respect good practices in terms of information security. Employees represent the cheapest countermeasure against security violations. Usually, they are the first to be affected by security incidents. Employees aware of the implications of security problems can prevent and lower the impacts of incidents when they occur. Given the importance of all personnel in terms of security control, staff awareness is extremely important in any security program. Recognition and report of any event that could represent a security incident should become instinctive. This is the actual goal of the information security awareness program. Employees concerned with information security greatly helps when it comes to protecting the business's assets. Here are a few critical success factors to consider in order to implement an information security awareness program: • Immerse oneself in the environment and culture of the organization; • Ensure senior management commitment; • Understand the importance of employees in terms of security; • Find internal communication medias and associated resource personnel: Traditional, Web • Explore what is already there; • Built politics, procedures, forms and relating check sheets; • Identify final result of the program : • Ensure take over (what new employees must follow). During the Awareness Program: Politics must have been approved before proceeding to this phase. • Planning: • Definition of program objectives: • Identify general objectives of the program ; align objectives with strategy. • Identification of target groups (primary and secondary) • Identification of information to diffuse (by group) • Actual state of organizational efforts • Elaboration of the plan of action • Distribute documentation • Politics, standards and procedures should be electronically available • If possible, create a Logo for the information security department (this helps to quickly identify the department and it gives a certain notoriety) • General content of the training: Risks, Basic Principles (Intro, CIA, good habits, etc.) • Development :Specific Information, Demonstration, Solutions to threats, risks and vulnerabilities • Responsibilities • Have employees sign a form stating that they agree with the content (security agreement) and, preferably, have them sign on a regular basis • How to react and people to contact (who, what, how, when) • Procedures, forms, roles and responsibilities • Consequences of failure to respect standards, politics and agreements • A test to check knowledge is recommended Original, surprising and amusing ways for transmitting the message have to be found. Each vehicle has its own advantages and drawbacks; all you have to do is to find one that goes well with your message. After the Program: • Evaluate satisfaction towards training • Evaluate contribution of training (evolution) • Ensure knowledge transfer • Update whenever there are changes and new elements Audit preparation ISMS Compliance Diagnostic BS 7799-2 certification requires the validation of compliance with implementation specifications of the management framework. Statement of Applicability The statement of applicability must be produced before the audit. This document provides justification for the applicability or non-applicability of each ISO 17999 control to the ISMS in question. It also includes, where applicable, each control's current implementation status. In short, the objectives, selected controls and grounds for selection are therein explained, as are the grounds for the exclusion of any measure listed in the ISO 17799 standard. Audit -BS 7799-2 Certification The guidelines require that the certification body proceed to an on site ISMS audit in no less than two stages, unless an alternate approach can be justified (for example, adapting the certification process to the needs of a very small organization). The audit is two-part: 1 -Documentation Audit One of the goals of the documentation audit is to allow the certification body to gain an understanding of the ISMS in the context of the organization’s security policy, objectives and approach to risk management. It can also serve as a useful reference point when preparing for the second audit and offers an opportunity to evaluate how prepared the organization is for the audit. 2 -Implementation Audit The implementation audit is guided by the conclusions of the documentation audit report. The certification body draws up the audit plan based on these conclusions, which then allows the implementation audit to begin. The audit takes place at the site of the organization where the ISMS is located. Control and continual improvement PDCA Description Plan (establish the ISMS) Establish a security policy, along with objectives, goals, processes and procedures for managing risk and improving information security, in order to deliver results in keeping with the organizationco's overall objectives and policies. Do (implement and operate the ISMS) Implement and operate the security policy, controls, processes and procedures. Check (monitor and review the ISMS) Assess, and where applicable measure, process performance against security policies, objectives and practical experience. Report the results to management for review Act (maintain and improve the ISMS) In order to continually improve the ISMS, carry out corrective and preventative action based on the results of the management review. At this point, the two remaining steps of the cycle must be initiated • Monitoring and Reviewing the ISMS • Maintaining and Improving the ISMS PD 3000 guides What is an Information Security Management System? To establish the organization's information security policy and objectives and then meet these objectives. An Information Security Management System (ISMS) provides a systematic approach to managing sensitive information in order to protect it. It encompasses employees, processes and information systems. Review Regulary : A certified company must seek continual improvement in its ISMS by carrying out regular revision. If a publicity campaign is launched to celebrate a company's recent certification, the registrar will conduct periodic reviews to discover any discrepancies in respect to the standard's requirements. Become familiar with the standard : A registrar is an organisation (BSI, for example) that has the necessary authority to audit an ISMS and to certify a company as compliant. Since numerous registrars do exist, choosing one may be complicated. It is important to evaluate a registrar's experience, geographic coverage, rates and quality of service. Training : Training session can be attended that are designed to provide support and advice for the installation and review of an ISMS. Form team and draw up strategy : The first concrete step in implementing an ISMS is to draw up an organizational strategy in conjunction with company directors. This is when the scope of the project must be determined (will the ISMS apply to a single sector or to the entire company?). Note: consulting services are available to give you the benefit of the expertise of specialists in the field of ISMS implementation. This can help you guard against making expensive mistakes. The PD 3000 series provides an overview for obtaining BS 7799 certification or simply for complying with this standard. PD 3001, Provides advice to BS 7799 users and offers detailed information for the evaluation of the Certification Project. It offers industry the best accepted practices for providing and demonstrating the proof required by an evaluation auditor. PD 3002, The Guide to BS 7799 Risk Assessment and Risk Management describes the concepts underlying BS 7799 risk assessment and risk management. Terminology and the complete risk assessment and management process are also explained in detail. It is based on the ISO/IEC Guidelines for the Management of IT Security (GMITS). PD 3003, Are you ready for a BS 7799 audit? It's a pre-certification evaluation manual for companies. It allows them to evaluate and record their level of compliance with the control requirements in BS 7799: Part 2, and thus facilitates their preparation for a certification audit. It is a useful starting point for companies that are considering BS 7799 for the first time. PD 3004, As for the Guide to BS 7799 Auditing, it provides general information and advice for an ISMS audit. PD 3005, Guide of the selection of BS 7799-2 controls The full set of PD 3000 guides is included in Callio Secura 17799. Analyse the risk : Here it is important to identify all of the company's vulnerabilities by focusing not only on computerized systems but on all information circulating within the company. Draw up a security policy statement : The goal of this statement is to foreground management's support and responsibility for the elaboration of an ISMS. Create a help manual : This manual must cover all of the procedures and requirements of the chosen security policy. It must use the appropriate approach for each sector, and cover asset classification and control, the protection of individuals, physical and environmental security and business continuity management. Choce a registrar : This manual must cover all of the procedures and requirements of the chosen security policy. It must use the appropriate approach for each sector, and cover asset classification and control, the protection of individuals, physical and environmental security and business continuity management. Implement an ISMS : This manual must cover all of the procedures and requirements of the chosen security policy. It must use the appropriate approach for each sector, and cover asset classification and control, the protection of individuals, physical and environmental security and business continuity management. Obtain Certification : This manual must cover all of the procedures and requirements of the chosen security policy. It must use the appropriate approach for each sector, and cover asset classification and control, the protection of individuals, physical and environmental security and business continuity management. Information security involves more than simply installing a firewall or signing a contract with a security firm. In this field it is essential to integrate multiple initiatives within a corporate strategy so that each element provides an optimal level of protection. This is where information security management systems come into play -they ensure that all efforts are coordinated in order to achieve optimum security. A management system must therefore include an evaluation method, safeguards and a documentation and revision process. Documenting an ISMS At least four levels of documentation exist, as shown in the following figure. History For over a hundred years, the British Standards Institute (BSI) has carried out studies for the purpose of establishing effective, high-quality industry standards. BS 7799 was developed at the beginning of the 1990s in response to industry, government and business requests for the creation of a common information security structure. In 1995 the BS 7799 standard was officially adopted. Four years went by before the publication in May 1999 of a second major version of the BS 7799 standard, incorporating numerous improvements. It was during this period that the International Organization for Standardization (ISO) began to take an interest in the work published by the British institute. In December 2000, ISO took over the first part of BS 7799, re-baptizing it ISO 17799. In 2002, BSI published extensive documentation to help companies support ISO/IEC 17799:2000 and BS 17799-2:2002 implementation. Five guides (PD 3000 series) became available. A revision of the second part of the BS 7799 standard was also carried out in order to make it consistent with other management standards such as ISO 9001:2000 and ISO 14001:1996. Consultations are currently taking place on an international scale to keep BS 7799 /ISO 17799 at the leading edge of the latest developments. Worldwide Position Over 80 000 firms around the world are BS 7799 /ISO 17799 compliant (PricewaterhouseCoopers, 2002) . Callio Secura 17799 enables you to swell their ranks in just a few simple steps. Here is a sample of BS 7799 certified companies: • Fujitsu Limited • Insight Consulting Limited; • KPMG; • Marconi Secure Systems • Samsung Electronics Co Ltd • Sony Bank Inc. • Symantec Security Services • Toshiba IS Corporate This table shows the number of BS 7799 certifications per country: Source : www.xisec.com -01/04/2005 Who is BS 7799 /ISO 17799 for? Type of company Size Primary objective Use of the standard Small enterprise or organization Less than 200 employees Raise management's awareness regarding information security ISO 17799 contains the security topics that should be dealt with as a foundation for management. Medium enterprise (centralized or decentralized) Less than 5000 employees Create a compatible corporate security culture The standards contains the pratice required to put together an information security policy. Large enterprise More than 5000 employees Obtain security certification at the end of the process Use BS 7799-2 to create an internal security reference document BS7799 /ISO 17799 meets the needs of organizations and companies of all types, both private and public. It can be used by any organization or company. If your organization uses computer systems internally or externally, possesses confidential data, depends upon information systems in the context of its business activities, or simply wants to adopt a high level of security while complying with a standard, BS 7799 /ISO 17799 is the solution. The standard's flexibility and high adaptability make it possible for small and medium-sized companies (SMCs), as well as multinational firms, to comply with computer security standards. Advantages Obviously, complying with the ISO 17799 standard or obtaining BS 7799-2 certification does not in itself prove that an organization is 100% secure. The truth is, barring a cessation of all activity, there is no such thing as complete security. Nevertheless, adopting this international standard confers certain advantages that any manager should take into consideration, including: Organization Commitment: certification serves as a guarantee of the effectiveness of the effort put into rendering the organization secure at all levels, and demonstrates the due diligence of its administrators. Legal Compliance: certification demonstrates to competent authorities that the organization observes all applicable laws and regulations. In this matter, the standard complements other existing standards and legislation (for example HIPAA, the Privacy Act of 1974, the Computer Security Act of 1987, the National Infrastructure Act of 1996, the Gramm-Leach-Bliley Act of 1999, and the Government Information Security Reform Act of 2001). Operating level Risk management: leads to a better knowledge of information systems, their weaknesses and how to protect them. Equally, it ensures a more dependable availability of both hardware and data. Commercial Credibility and confidence: partners, shareholders and customers are reassured when they see the importance afforded by the organization to protecting information. Certification can help set a company apart from its competitors and in the marketplace. Already, international invitations to tender are starting to require ISO 17799 compliance. Finance Reduced costs related to security breaches, and possible reduction in insurance premiums. Human Improves employee awareness of security issues and their responsibilities within the organization.