BS 7799 - Information Security Management 2000, 3 & 4 August 2000, Brasilia. Peter Restell, Business Programme Manager, responsible for BS 7799-1 & 2 and c:cure.

Presentation transcript:

BS Information Security Management  & 4 August 2000 Brasilia Peter Restell Business Programme Manager Responsible for: BS & 2 c-cure certification TickIT certification committee responsible for IT - Security techniques at an international level (JTC 1/SC 27)‏ BSI-DISC Information Security Management BS 7799 and certification

BS Information Security Management  2000 BSI- DISC DISC is a part of the Standards Division of British Standards Institution [BSI] - the national standards body for the UK, incorporated under Royal Charter Scope; the management of standardization of information, communication and telecomms technologies in UK, Europe and internationally

BS Information Security Management  2000 Why do we need BS 7799?

BS Information Security Management  2000 Increasing threats –threats from viruses, hackers, fraud and espionage increasing Increasing exposure –greater dependence on IT, less central control, new entry points for intruders Increasing expectations –managers, business partners, auditors and regulators demand protective measures

BS Information Security Management  2000 Trends in Security Threats Malicious Accidental Confidentiality Integrity Availability Fraud Mischief Sabotage Vandalism Errors Failures Breakdowns Disasters Espionage Leaks Oversights Breaches Increasing threats from espionage and information brokers Increasing threats from espionage and information brokers Fraud increasing with corporate restructuring Fraud increasing with corporate restructuring Increasing sophistication of viruses and hacker groups Increasing sophistication of viruses and hacker groups Safety critical systems cause concern Safety critical systems cause concern

BS Information Security Management  2000 Organizational Trends Strong Weak External relationships ‘Soft’‘Hard’ Trend Internal relationships Hierarchical Complex structure

BS Information Security Management  2000 Yesterday’s Solution Users Computers Company Head Office Other Company sites Business Partner Company managed security perimeter Private links

BS Information Security Management  2000 Public Network Today’s Situation Home Access Other Organizations Business Partner Company Head Office Shared Network The Internet Other Company sites

BS Information Security Management  2000 What is BS 7799?

BS Information Security Management  2000 BS 7799 : 1999 Part 1 - Code of Practice for information security management - provides ‘best practice’ advice - [developed in early 90s, Part 1 was first published in Updated in 1999] Part 2 - Specification for information security management systems - develops a management framework and enables internal/external audits to be conducted - [updated in 1999]

BS Information Security Management  2000 Information Security Management Information - all media (printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation)‏ Information Security - preservation of: confidentiality: ensuring that information is accessible only to those authorized to have access; integrity: safeguarding the accuracy and completeness of information and processing methods; availability: ensuring that authorized users have access to information and associated assets when required. Information Security Management - achieved by: selecting & implementing a suitable set of controls e.g. policies, procedures, organizational structures and software functions

BS Information Security Management  2000 BS :1999 format Control Control objective Additional controls Advice 6.2 User training Information security education and training All employees of the organization and, where relevant, third party users, should receive appropriate training and regular updates in organizational policies and procedures……………………………… Objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work. Users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.

BS Information Security Management  2000 BS : the main topics Security Policy Security Organisation Assets classification and control Personnel security Physical and environmental security Communications and Operations management Access control Systems development and maintenance Business Continuity management Compliance

BS Information Security Management  2000 BS :1999 controls 127 There are 127 detailed in BS 7799, some are applicable and some are not. What to do? Gap analysis - to determine what is in place already Risk assessment - to identify the risks to information assets Risk management - selection of controls to manage the risks

BS Information Security Management  2000 BS :1999 controls Security Policy Information security policy Information security policy document Review and evaluation

BS Information Security Management  2000 BS :1999 controls Security Organisation Information security infrastructure Management information security forum Information security co-ordination Allocation of information security responsibility Authorization process for information processing facilities Specialist information security advice Co-operation between organizations Independent review of information security Security of third party access Identification of risks from third party access Security requirements in third party contracts Outsourcing Security requirements in outsourcing contracts Essential for large organizations New control to reflect modern trends

BS Information Security Management  2000 BS :1999 controls Assets classification and control Accountability for assets Inventory of assets Information classification Classification guidelines Information labelling and handling

BS Information Security Management  2000 BS :1999 controls Personnel security Security in job definition and resourcing Including security in job responsibilities Personnel screening and policy Confidentiality agreements Terms and conditions of employment User training Information security education and training Responding to security incidents and malfunctions Reporting security incidents Reporting security weaknesses Reporting software malfunctions Learning from incidents Disciplinary process Sensitive issues - requires co-operation from personnel (HR) department Essential for success of system

BS Information Security Management  2000 Awareness Education Essential ! Main board Line managers Users Contractors IT staff

BS Information Security Management  2000 BS :1999 controls Physical and environmental security Secure areas Physical security perimeter Physical entry controls Securing offices, rooms and facilities Working in secure areas Isolated delivery and loading areas Equipment security Equipment siting and protection Power supplies Cabling security Equipment maintenance Security of equipment off-premises Secure disposal or re-use of equipment General controls Clear desk and clear screen policy Removal of property

BS Information Security Management  2000 BS :1999 controls Communications and Operations management Operational procedures and responsibilities Documented operating procedures Operational change control Incident management procedures Segregation of duties Separation of development and operational facilities External facilities management System planning and acceptance Capacity planning System acceptance Protection against malicious software Controls against malicious software Housekeeping Information back-up Operator logs Fault logging Network management Network controls Media handling and security Management of removable computer media Disposal of media Information handling procedures Security of system documentation

BS Information Security Management  2000 BS :1999 controls Communications and Operations management (Continued)‏ Exchanges of information and software Information and software exchange agreements Security of media in transit Electronic commerce security Security of electronic mail Security of electronic office systems Publicly available systems Other forms of information exchange New controls - essential for e-commerce and e- business transactions

BS Information Security Management  2000 BS :1999 controls Access control Business requirement for access control Access control policy User access management User registration Privilege management User password management Review of user access rights User responsibilities Password use Unattended user equipment Network access control Policy on use of network services Enforced path User authentication for external connections Node authentication Remote diagnostic port protection Segregation in networks

BS Information Security Management  2000 BS :1999 controls Access control (Continued)‏ Operating system access control Automatic terminal identification Terminal log-on procedures User identification and authentication Password management system Use of system utilities Duress alarm to safeguard users Terminal time-out Limitation of connection time Application access control Information access restriction Sensitive system isolation Monitoring system access and use Event logging Monitoring system use Clock synchronization Mobile computing and teleworking Mobile computing Teleworking Responsibilities need to be determined to judge strength of appropriate controls

BS Information Security Management  2000 Responsibilities Information Owner Information Custodian Information User Line Manager Information Security Manager Security Contact/Help Desk

BS Information Security Management  2000 BS :1999 controls Systems development and maintenance Security requirements of systems Security requirements analysis and specification Security in application systems Input data validation Control of internal processing Message authentication Output data validation Cryptographic controls Policy on the use of cryptographic controls Encryption Digital signatures Non-repudiation services Key management Security of system files Control of operational software Protection of system test data Access control to program source library Security in development and support processes Change control procedures Technical review of operating system changes Restrictions on changes to software packages Covert channels and Trojan code Outsourced software development

BS Information Security Management  2000 BS :1999 controls Business Continuity management Aspects of business continuity management Business continuity management process Business continuity and impact analysis Writing and implementing continuity plans Business continuity planning framework Testing, maintaining and re-assessing business continuity plans Business Continuity Management section completely revised

BS Information Security Management  2000 BS :1999 controls Compliance Compliance with legal requirements Identification of applicable legislation Intellectual property rights (IPR)‏ Safeguarding of organizational records Data protection and privacy of personal information Prevention of misuse of information processing facilities Regulation of cryptographic controls Collection of evidence Reviews of security policy and technical compliance Compliance with security policy Technical compliance checking System audit considerations System audit controls Protection of system audit tools

BS Information Security Management  2000 Get help or create a Forum Personnel IT Internal audit Security Building services Procurement Business Continuity Planning Quality Management

BS Information Security Management  2000 Critical Success Factors - from the standard –Should evaluate performance in information security management and feedback suggestions for improvement –Must provide appropriate training and education –Distribution of guidance on information security policy and standards to all employees and contractors... –Must effectively market security to all managers and employees... –Must have a good understanding of security requirements, risk assessment and risk management... Implementing security Security policy –Must be visible support and commitment from management –The approach to implementation must be consistent with the organization culture –security policy, objectives and activities must reflect business objectives Management support Good understanding Effective marketing Effective communication Education Measurement and feedback

BS Information Security Management  2000 Top-down commitment Policy document Allocation of responsibilities Education and training Information ownership Incident reporting Selection of appropriate controls Business continuity planning Compliance with legal requirements Continuous review & improvement Critical Success Factors - from experience

BS Information Security Management  2000 BS 7799 to become an International Standard? The UK committee responsible for BS 7799 has decided to submit BS to ISO for fast- track balloting and adoption as an International Standard. Voting closes 3 August 2000 ISO/IEC

BS Information Security Management  2000 Accredited certification to BS 7799

BS Information Security Management  2000 The c:cure scheme - how does it work? Industry and commerce representation under auspices of DISC as Scheme Manager Scheme Steering Committee Accreditation Body (UKAS)‏ Certification Body Auditor Certification Body (IRCA)‏ Certificated Auditors Certificated Organisation Formal accreditation accountability

BS Information Security Management  2000 BS 7799 Certification Accreditation Body (UKAS)‏ Certification Body Certificated Auditors Certificated Organisation Formal accreditation accountability

BS Information Security Management  2000 Accredited certification to BS 7799 The c:cure scheme - how does it work? Voluntary scheme, managed by BSI-DISC Uses BS : 1999, supported by guidance Certification Bodies must prove their competence (via UKAS)‏ Individual auditors must prove their competence through independent register (via IRCA and BCS)‏ Desktop review of submission documents Organisations undergo audit, leading to certification Continuing audit visits to ensure ISMS is maintained

BS Information Security Management  2000 BS :1999 Establishing a management framework Define a Security Policy Define the scope and boundaries Undertake a Risk Assessment Manage the risk Select appropriate controls Prepare a Statement of Applicability Implement the selected control objectives Document the system and control it Maintain the system and records

BS Information Security Management  2000 BS :1999 Establishing a management framework

BS Information Security Management  2000 BS :1999 Establishing a management framework

BS Information Security Management  2000 BS :1999 Establishing a management framework

BS Information Security Management  2000 BS :1999 Establishing a management framework

BS Information Security Management  2000 BS :1999 Establishing a management framework Clause 4, BS :1999

BS Information Security Management  2000 BS :1999 Establishing a management framework SystemDocumentationSystemDocumentation Clause 4, BS :1999

BS Information Security Management  2000 Establishing a management framework - some problem areas Define the scope and boundaries - The scope of implementation or certification can be limited and defined by location or assets or organization or technology - however the Risk Assessment must review this reduced scope to establish how the other parts of the organization are interconnected (IT network and business process)‏ For example: *Remote connections (staff working off-site)‏ *Intranet connections to other sites *Supplier chains *Outsourcing

BS Information Security Management  2000 Establishing a management framework - some problem areas BS 7799 far too complex for my business Some of the issues raised in the standard seem fine for banking environments - but do not really required for smaller businesses. BS 7799 is not prescriptive and allows the user to determine: *the organization approach risk management, *the strength of control applied *the selection/de-selection of controls (Statement of applicability) This approach provides sufficient flexibility for the standard to be applied to both large and small businesses

BS Information Security Management  2000 Establishing a management framework - some problem areas Risk Assessment - What does a certification body expect to see? The risk assessment must be appropriate and competently executed. Can BSI-DISC recommend a Risk Assessment software tool? BSI-DISC are in the process of developing a dedicated software tool that can be used to: –gather information about the ISMS; –Gap Analysis; –identify security requirements; –conduct a BS 7799 Risk Assessment (baseline or detailed); –select the appropriate controls from BS 7799; –produce a ‘Statement of Applicability’ and –produce management reports.

BS Information Security Management  2000 – RA Please contact BSI-DISC ( to register your interest in the product. Further details will be provided to you when available (September 2000)‏

BS Information Security Management  2000 BS 7799 certification - benefits? Image, reputation Improved confidence and trust - demonstrates to your trading partners/customers that you are ‘serious about information security’ Demonstrates compliance with the information security elements of the UK Data Protection Act Independent, competent external review of your systems Third party audit acts as a driver for internal programme

BS Information Security Management  2000 Additional guides to BS 7799 PD 3000 Information Security Management: An Introduction PD 3001 Preparing for BS 7799 certification *New revision* PD 3002 Guide to BS 7799 Risk Assessment and Risk Management (based on ISO/IEC ) PD 3003 Are you ready for a BS 7799 audit ? *New revision* PD 3004 Guide to BS 7799 Auditing *New revision* PD 3005 Guide on the selection of BS 7799 controls *New* (based on ISO/IEC )‏

BS Information Security Management  2000 Contact Details Peter Restell BSI-DISC 389 Chiswick High Road London W4 4AL United Kingdom Tel: +44 (0) Fax: +44 (0)

BS Information Security Management  2000 Contact Details BSI-DISC c:cure Office 389 Chiswick High Road London W4 4AL United Kingdom Tel: +44 (0) Fax: +44 (0) Internet: