1. Presentation by Rachel Su’a
BS 7799
Presentation by Rachel Su’a

2. Agenda Define BS 7799 Brainstorming Exercise Nuts and Bolts
How It Works: BS 7799 Certification
A Real World Example
Activity
Summary
Reading List

3. BS 7799 Defined A standard on Information Security
Written in 1995 by the United Kingdom Government’s Department of Trade and Industry (DTI) and commerce stakeholders
Published by the British Standards Institution (BSI Group)
Thirteen global companies from various industries (financial services, communications, and retail) collaborated with the government to create BS 7799 Part One.
Why was a standard on Information Security needed?
-Security vendors and consultants flooded the market with their own Information Security policies.
-Current policies were unsuccessful and companies lost sight of Information Security’s value.
-Companies needed a model to follow as they entered the era of Information Security Management.
The standard pulls from the collective experience of IT Managers in various companies in the world to help generate a mature and realistic approach to the present and future security issues.
Source:

4. Brainstorming Exercise
A home in your neighborhood has just been burglarized and this gets you thinking about the vulnerabilities of your own home.
Identify several points of entry.
How would you prevent a burglar from entering your home?
A home in your neighborhood has just been burglarized and this gets you thinking about the vulnerabilities of your own home.
Think to yourself and identify several points of entry.
How would you prevent a burglar from entering your home?
Possible answers: Locks on windows/doors, security systems, surveillance cameras, and attack dogs.

5. When asked about your homes, I bet you were able to identify your house’s vulnerabilities quickly. This is because a burglar’s points of entry are limited. The points of entry as so limited that most homes have the same vulnerabilities, as depicted in this graphic here.
I am also assuming it did not take long to think of ways to protect yourself against a burglary—locks, security systems, surveillance videos, etc. Identifying an effective solution quickly is the product of a known problem with known solutions.
Picture source:

6. Brainstorming Exercise
Now think about someone hacking into your company’s computer systems.
Can you identify points of entry into your computer system?
How are you protecting your information against these attacks?
Can you identify points of entry into your computer system?
This may be a bit more difficult…
President Obama has gone on record as calling cyber threats “one of the most serious and economic and national security challenges we face as a nation” and yet many companies do not make information security a priority. Every company is at risk. LinkedIn and Google are recent examples of big names that have been attacked—hackers gained access to hundreds of user accounts. 
Source:

7. 10 Ways Companies Get Hacked
1. Social Engineering/Spear Phishing 2. Infection Via a Drive-By Web Download 3. USB Key Malware 4. Scanning Networks for Vulnerabilities and Exploitation 5. Guessing or Social Engineering Passwords 6. Wifi Compromises 7. Stolen Credentials From Third-Party Sites 8. Compromising Web-Based Databases 9. Exploiting Password Reset Services to Hijack Accounts 10. Insiders
In the case of your company’s computer systems, you are faced with unknown problems and unknown solutions and is perhaps the reason why it was more difficult to identify your system’s vulnerabilities and solutions.
Here is a list of ten ways companies get hacked:
Social Engineering/Spear Phishing Cyber spies can get into a network by sending a customized or instant message to a targeted victim that will have an attachment or perhaps a link to a website.
Infection Via a Drive-By Web Download
Cyber spies can target a website that’s used by the group or company to attack a larger group. The hackers will look for a vulnerability on the group’s website.
USB Key Malware
Malware can be installed through a USB key. The malware could be on a USB key without a person knowing. For instance, someone can slide infected USB keys into packets given out at a conference.
Scanning Networks for Vulnerabilities and Exploitment
Hackers can remotely scan servers to determine vulnerabilities within that system. Once they find a vulnerability, they exploit it by sending a command or data to the server that will cause the application to crash and will then start executing code.  In other words, it is like a potential burglar “looking at your house and seeing your doors unlocked and simply [walking] in.”  
Guessing or Social Engineering Passwords
Most companies have the ability for their workers to log in remotely. “If [hackers] can find out the credentials for that user, they can log in [remotely] as that user and access network resources.” 
Wifi Compromises
Hackers can invade a system by exploiting an open wireless network, or one with easy security. They can literally sit outside a business firm’s physical location and get into the system through the unsecured or poorly secured wifi.
Stolen Credentials From Third-Party Sites
Some cyber spies like to troll for victims on third-party sites, like LinkedIn. When they find someone working for a company they want to infiltrate, they attempt to hack into the third party website and steal the employee’s credentials. Since some people tend use the same username and password for both work and other websites, the hacker can now log onto the company website and compromise the system, Alperovitch said.
Compromising Web-Based Databases
When a person enters information on a website, like an address or credit card, it gets stored in that company’s data base. Those web-based forms are a simple tool for users, but they are also another way hackers can exploit a company’s system. Instead of inputting a name into the website, cyber spies can put in a specially crafted text that may cause the database to execute the code instead of simply storing it, Alperovitch said. 
Exploiting Password Reset Services to Hijack Accounts
Some hackers are able to hijack accounts by resetting the user’s password without the person’s knowledge. Alperovitch said the execution is quite simple — hackers find out the answers to possible security questions by researching the victim on social networking sites and other places, and use the company’s reset service to change the password. Once the password is changed, they have unlimited access to its victim’s account.
Insiders
Even in a high-tech world, cyber spies have resorted to old-fashioned cloak-and-dagger techniques to infiltrate systems. Spies find ways to get hired by companies, and once inside they try to get into the system. They’ve also been known to bribe an individual already employed by the corporation they’re targeting to hack into the network.
These are just a few ways that hackers can infiltrate a computer system. BS 7799 certification allows companies to identify their vulnerabilities and solutions before cyber attack on their system occurs.
Source:

8. Nuts and Bolts of BS 7799 BS 7799-1 BS 7799-2 BS 7799-3 ISO/IEC 17799
BS 7799 consists of three parts:
-BS 7799 part 1
-BS 7799 part 2
-BS 7799 part 3

9. BS 7799 part 1
Describes the best practices for Information Security Management
Revised and adopted by International Standards Organization (ISO) in 1998
Made up of ten objectives
The transformation of BS 7799 part 1:
-Became ISO/IEC 17799, “Information Technology - Code of practice for information security management” in 1998.
-Revised again in June 2005.
-Renamed ISO/IEC in July 2007 when it was incorporated in the ISO series

10. Ten Objectives of BS 7799 part 1
1. Information Security Policy for the organization 2. Creation of information security infrastructure 3. Asset classification and control 4. Personnel security 5. Physical and environmental security 6. Communications and operations management 7. Access control 8. System development and maintenance 9. Business Continuity Management 10. Compliance
To address every conceivable known risk to information systems, BS 7799 is made up of 10 objectives with 127 controls. The controls are an example of BS 7799’s flexibility—an organization is not required to address every control, only the ones that are appropriate for their business.
Information Security Policy for the organization
The exercise begins with creation of the IT Security Policy. This is an extremely important task and top management should convey total commitment. Effective policies reflect the needs of the actual users, balance the level of protection with productivity, cover all the important areas (personnel, physical, procedural and technical) and can be easily implemented and explained.
Creation of information security infrastructure
To initiate, implement, and control information security within an organization, a management framework needs to be established. The framework consists of appropriate procedures of the information security policy, security roles assigned, and coordination of security throughout the organization.
Asset classification and control
Managing inventory of all the IT assets (information assets, software assets, physical assets, or other similar services) is one of the most essential and difficult tasks in the information security system process. Information assets need to be classified as either sensitive or critical and need to be assigned a procedure (copy, store, transmit or destroy).
Personnel Security
Organizations should institute personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education, and training to combat human errors, negligence, and greed—which are responsible for most thefts, frauds or misuse of facilities.
Physical and Environmental Security
The starting point of a security plan is designing a secure physical environment to prevent unauthorized access, damage, and interference to business premises and information. Developing physical security perimeters, physical entry controls, and secure offices, rooms, facilities are examples of steps in the design process. Two key aspects to sustain sufficient physical security control are cost effective design and constant monitoring.
Communications and Operations Management
Properly documented procedures, including detailed operating instructions and incident response procedures, need to be established for the management and the operation of all information processing facilities. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks, information exchanged between external organizations, and electronic commerce.
Access control
Access to information and business processes should involve defining:
access control policy and rules, user access management, user registration, privilege management, user password use and management, review of user access rights, network access controls, enforcing path from user terminal to computer, user authentication, node authentication, segregation of networks, network connection control, network routing control, operating system access control, user identification and authentication, use of system utilities, application access control, monitoring system access and use, and ensuring information security when using mobile computing and tele-working facilities.
System development and maintenance
Security requirements should be identified prior to the development of information systems. Start developing these requirements with a security requirements analysis and specification. Next, provide controls at every stage i.e., data input, data processing, data storage and retrieval and data output. To track operating system changes, a change control procedure should be in place. Finally, special precaution must be taken to ensure that no covert channels, back doors, or Trojans are left in the application system for later exploitation.
Business Continuity Management
A business continuity management process begins by identifying all events that could cause interruptions to business processes and by creating a strategy plan (depending on the risk assessment). The plan needs to be periodically tested, monitored, and re-evaluated based on changing circumstances.
Compliance
Organizations must strictly adhere to the provision of national and international IT laws (i.e., Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls, and collection of evidence).
Source:

11. BS 7799 part 2
Titled “"Information Security Management Systems - Specification with guidance for use."
Instructs on how to apply part one of BS 7799 and how to build a security management structure
Introduced the Plan-Do-Check-Act model in the 2002 version
Adopted in November 2005 by ISO as ISO/IEC 27001
BS 7799 part 2 instructs on how to apply part one of BS 7799 and how to build a security management structure.
Deming’s quality assurance model, Plan-Do-Check-Act, aligns the BS 7799 standard with quality standards such as ISO 9000.
BS specifies requirements for establishing, implementing, and documenting Information Security Management System (ISMS).

12. BS 7799 part 3
Titled “Information security management systems. Guidelines for information security risk management”
Developed in 2005
Covers all aspects of the risk management cycle of an information security management system
While BS 7799 part 3 has not been adopted by ISO, it is in alignment with ISO/IEC and covers all aspects of the risk management cycle of an information security management system.

13. How It Works: BS 7799 Certification
Five steps to becoming BS 7799 Certification
Plan-Do-Check-Act (PDCA) model can help guide organizations through all stages of the certification process
There are five steps to becoming BS 7799 certified and the PDCA model helps organizations navigate the certification process. We will now review each step in detail.

14. Step One: Desktop Review
Verify and check all documented polices and procedures for consistency and practicality.
Check documentation is valid and relevant to BS7799 controls
Present the following documents: ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.
All documented polices and procedures need to be checked for consistency, practicality, and validity and relevance to BS 7799 controls.
The following documents needs to be presented to the audit team:
ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.
Source:

15. Step Two: Technical Review
Check Security Architecture for vulnerabilities and possible risk exposure
Submit a document stating the “permissible risk” statement
The description and implementation of Security Architecture are checked for vulnerabilities and possible risk exposure.
The company would also need to submit a document stating the ‘permissible risk’ statement—risks the company can afford to take.
Source:

16. Step Three: Internal Audit
Internal audit by BS 7799 implementers and BS 7799 professionals where non-conformances are picked up and recommendations are documented.
The team of BS 7799 implementers and BS 7799 professionals can take up an initial Internal audit where non-conformances are picked up and recommendations are documented.
This step involves simulation of the real time third party audit and has to be taken seriously among the team and users of IT in the company.
Source:

17. Step Four: External Audit
Invite the predeteremined Certification Company
Prepare to face the external auditors
Auditors check for documentation and objective evidence with the following questions in mind:
Are records Correct and Relevant?
Are polices Known and Tested?
Are policies Communicated?
Are controls Implemented?
Are Polices Followed up?
Are preventive Actions taken?
Auditor evaluates the quality of risk assessment and the level of security claimed by the company
Inviting the Certification Company is pre determined and the company gets ready to face the external auditors.
The company consultants and internal team would not be allowed to be part of the audit team.
They can assist and help auditors find relevant material.
The auditors check for documentation and objective evidence with the following intention.
Source:

18. Step Five: Certification
Certification company recommends the said company for BS 7799 Certification
After the audit, the certification company recommends the said company for bs 7799 Certification. This is certainly a victory for the IT team as they can be assured that its IT systems are world class and the possibility of a security incident happening is minimum.
Source:

19. A Real World Example: Cleardata
“Although we have only recently gained certification to ISO 27001, there are at least three recent incidences where Cleardata has won contracts as a result of certification. The process ensures that we stop to think about all aspects of our security and continually monitor and improve, keeping us a step ahead of many of our competitors.”
David Bryce, Managing Director, Cleardata.co.uk
“Although we have only recently gained certification to ISO 27001, there are at least three recent incidences where Cleardata has won contracts as a result of certification. The process ensures that we stop to think about all aspects of our security and continually monitor and improve, keeping us a step ahead of many of our competitors.”
David Bryce, a managing director for Cleardata, sees the value a BS 7799 certification can bring to a company.

20. Cleardata’s ISO 27001 Accreditation
“The award from the BSI shows that information security is central to everything that Cleardata does.”
“The ISO27001 accreditation demonstrates Cleardata’s capacity for handling documents using Information Security Management Systems. It also demonstrates that the company has implemented the required processes in its operation, monitoring, maintenance and improvement procedures.”
“This accreditation gives our customers absolute confidence that our business will protect their data to the highest standards and the knowledge that this is audited by an independent body. The use of BSI, a brand that is synonymous with British Standards was an important factor in the choice of our auditors. With many high profile examples and incidents in the media, our clients are becoming ever more careful of their choice of supplier, with security and quality upper most in their minds. This complements our ISO9001 quality management award.”
Dave Bryce, Managing Director of Cleardata
The following are excerpts from the Cleardata Press Release announcing their ISO Accreditation. The italicized text displays how important a sense of security is to Cleardata’s, and most other companies’, customers.
Source:

21. Plan-Do-Check-Act Activity
Define business policy
Estimate the scope of ISMS
Decide what resources will be used to conduct a risk assessment
The traditional formula of PDCA (PLAN …DO …CHECK and ACT) also works well with BS 7799 and is a good place to either start or review the progress of the implementation team.
To better understand the model, we will apply one aspect of each phase to your organization.
For the planning phase, estimate the scope of you information security management system.
Plan
The purpose of the planning phase is to understand the business context the ISMS is being prepared for. This understanding is achieved after defining business policy and objectives, estimating the scope of ISMS, and deciding and collecting resources for conducting risk assessment.
Source:

22. Plan-Do-Check-Act Activity
Evaluate automated or manual systems options
Deploy qualified and tested vendors to implement various products and solutions
Develop a statement of applicability
Next, evaluate your automate or manual systems options. In other words, decide which processes should be automated and which should be manual. Do
Management plays an important role in the Do phase. It is their job to reach a perfect balance of automated and manual systems, to deploy vendors to implement various products and solutions, and to develop a statement of applicability.
Source: Source:

23. Plan-Do-Check-Act Activity
Find an external security audit team qualified to perform a third party security audit for BS 7799
Develop a system of continuous monitoring of the ISMS
Now, think of practical ways your ISMS can be continuously monitored while satisfying business needs.
Check
In the Check phase, the organization must get an external security audit team qualified to perform a third party security audit for BS The audit team would check for appropriate controls and evidence of implementation.
Source: Source:

24. Plan-Do-Check-Act Activity
Identify key vulnerabilities and take appropriate corrective actions
Take preventive action for unseen but predictive incidents
Communicate and deliver policies to IT users and IT team
Train management, partners, and users on policies and procedures
Finally, identify potential vulnerabilities and appropriate corrective actions.
Act
In the Act phase, preventive actions and policies can be developed, policies should be communicated to the IT team, and management, partners, and users should be trained.
Now that we have gone through a PDCA model, we have a better understanding of how it can help our organization develop, implement, maintain, and improve a Information Security Management System, which is fundamental to certification.
Source:

25. Summary
BS 7799 is a Information Security Management System standard in which companies can become certified.
The flexible certification process ensures that an organization evaluates all aspects of their security.
Successful ISMS must be continually monitored and improved.
Key Takeaways:
Companies can become BS 7799 certified if they follow the five steps we previously discussed.
The flexible certification process ensures that an organization evaluates all aspects of their security.
Successful ISMS must be continually monitored and improved.

26. Reading List
Information Security Training Courses ISO/IEC ISO Papers: BS The BS7799 / BS 7799 Security Standard A Business Case for ISO Certification