By Biju Mukund, BS 7799 Certified Professional
Part 1: Creating the Basic Blocks
Time, Money and Dreams have surrounded the development and implementation of the finest marvels of human intelligence. Seamless integration of Software and Hardware components has created online modules, which are focused on driving businesses to heights, which transcend physical boundaries and conventional business possibilities.
While aiming to acquire global wealth and global markets, business drivers have suddenly realized the need for an ‘omnipresent’ Security Guard to protect IT assets from external attack and internal abuse. Business could now open a thousand doors inviting clients, employees and potential hackers to either place orders online or complete a business process or easily steal whatever one has built for many years.
The need to allow only the "Right Guy" in has become one of the most underlying factor for business success and justification to the investments made in IT. IT Managers started buying firewalls, Intrusion Detection Systems and invested again in building the "over-night" security infrastructure for the IT assets of the company.
In 1993, many global companies realized that security is not a fix-now-and-relax mechanism but a culture, which has to be built, nurtured, enhanced, standardized and reviewed. Experts on Security came together to create an industry-working group, which would help create a standard for information security.
The world now started working on a Standard for Information Security Management.
Thirteen global Companies which includes Financial Service companies, Communications, huge retail giants and companies which have an international consumer base got together to create BS 7799 (ISO 17799) Part One – Code of Practice for Information Management which was published in 1995. BS 7799 (ISO 17799) Part Two - Specifications for Information Security Management System was then published in 1998. In 1999 BS 7799 Part One and Two were republished.
In December 2000 BS 7799 Part one was adopted as ISO 17799:2000. Part Two is now being reviewed and will soon become an ISO Standard.
The Need for the Standard:
The need for a standard on Information Security came up primarily because the market was crowded with security vendors and independent security consultants flushing their own approved methodology for Information Security Management. Many companies had burnt fingers in hiring such services, which ultimately did not find meaning in terms of sustainability and usability.
Moreover, there was an urgent need to identify the collective experience of IT Managers in various companies in the world. This would help generate a mature and realistic approach to the present and future security issues that come up in the day-to-day management of IT departments.
Companies needed a model to follow as the era of Information Security Management was just begun.
ISO 17799: The Key Components of the Standard
The Standard is divided into 2 parts:
ISO 7799 Code of Practice for Information Security Management
BS 7799 Part II Specifies requirements for establishing, implementing and documenting Information Security Management System (ISMS)
The standard has 10 Domains, which address key areas of Information Security Management.
- Information Security Policy for the organization.
This activity involves a thorough understanding of the organization business goals and its dependence on information security. This entire exercise begins with creation of the IT Security Policy. This is an extremely important task and should convey total commitment of top management-. The policy cannot be a theoretical exercise. It should reflect the needs of the actual users. It should be implementable, easy to understand and must balance the level of protection with productivity. The policy should cover all the important areas like personnel, physical, procedural and technical.
- Creation of information security infrastructure
A management framework needs to be established to initiate, implement and control information security within the organization. This needs proper procedures for approval of the information security policy, assigning of the security roles and coordination of security across the organization.
- Asset classification and control
One of the most laborious but essential task is to manage inventory of all the IT assets, which could be information assets, software assets, physical assets or other similar services. These information assets need to be classified to indicate the degree of protection. The classification should result into appropriate information labeling to indicate whether it is sensitive or critical and what procedure, which is appropriate for copy, store, transmit or destruction of the information asset.
- Personnel Security
Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities. Various proactive measures that should be taken are, to make personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training.
Alert and well-trained employees who are aware of what to look for can prevent future security breaches.
- Physical and Environmental Security
Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the beginning point of any security plan. This involves physical security perimeter, physical entry control, creating secure offices, rooms, facilities, providing physical access controls, providing protection devices to minimize risks ranging from fire to electromagnetic radiation, providing adequate protection to power supplies and data cables are some of the activities. Cost effective design and constant monitoring are two key aspects to maintain adequate physical security control.
- Communications and Operations Management
Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.
Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services.
Exchange of information and software between external organizations should be controlled, and should be compliant with any relevant legislation. There should be proper information and software exchange agreements, the media in transit need to be secure and should not be vulnerable to unauthorized access, misuse or corruption.
Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as Internet. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract dispute and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.
- Access control
Access to information and business processes should be controlled on the business and security requirements. This will include defining access control policy and rules, user access management, user registration, privilege management, user password use and management, review of user access rights, network access controls, enforcing path from user terminal to computer, user authentication, node authentication, segregation of networks, network connection control, network routing control, operating system access control, user identification and authentication, use of system utilities, application access control, monitoring system access and use and ensuring information security when using mobile computing and tele-working facilities.
- System development and maintenance
Security should ideally be built at the time of inception of a system. Hence security requirements should be identified and agreed prior to the development of information systems. This begins with security requirements analysis and specification and providing controls at every stage i.e. data input, data processing, data storage and retrieval and data output. It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may involve encryption, digital signature, use of digital certificates, protection of cryptographic keys and standards to be used for cryptography.
A strict change control procedure should be in place to facilitate tracking of changes. Any changes to operating system changes, software packages should be strictly controlled. Special precaution must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation.
- Business Continuity Management
A business continuity management process should be designed, implemented and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes and depending on the risk assessment, preparation of a strategy plan. The plan needs to be periodically tested, maintained and re-assessed based on changing circumstances.
It is essential that strict adherence is observed to the provision of national and international IT laws, pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls and collection of evidence.
Information Technology’s use in business has also resulted in enacting of laws that enforce responsibility of compliance. All legal requirements must be complied with to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
BS 7799 (ISO 17799) and "It’s" relevance to Indian Companies:
Although Indian companies and the Government have invested in IT, facts of theft and attacks on Indian sites and companies are alarming. 261 Indian Government sites were hacked in 2001* * Attacks and theft that happen on corporate websites are high and is usually kept under "strict" secrecy to avoid embarrassment from business partners, investors, media and customers.
Huge losses are some times un-audited and the only solution is to involve a model where one can see a long run business led approach to Information Security Management.
BS 7799 (ISO 17799) consists of 127 best security practices (covering 10 Domains which was discussed above) which Indian companies can adopt to build their Security Infrastructure. Even if a company decides not go in for the certification, BS 7799 (ISO 17799) model helps companies maintain IT security through ongoing, integrated management of policies and procedures, personnel training, selecting and implementing effective controls, reviewing their effectiveness and improvement. Additional benefits of an ISMS are improved customer confidence, a competitive edge, better personnel motivation and involvement, and reduced incident impact. Ultimately leads to increased profitability.
BS 7799 Implementation
Part 1 mainly dealt with the structure of the standard and its relevance to the Indian IT environment. Readers need to have a clear understanding that BS 7799 has been designed by Security Experts who were the forerunners in the field of Information Security and were working in live business environment. Thus the standard is business driven and has a perfect co-relation to business units. This standard has to be interpreted for individual business units and has the flexibility to accommodate every possible IT environment.
This article would discuss the interpretation of the standard and some of the key areas in its implementation.
While interpreting the standard one has to consider and evaluate the human, procedural, environmental, technical and cultural aspects of the business unit. While implementing the standard, one has to weigh its own technical strength as far as Information Security Professionals are concerned. Without, a through technical assessment the results of the Implementation would not lead to certification. Thus a word of caution to readers would be that identification and management of risk to IT systems is a specialized activity and needs to be conducted in a controlled environment using professional assistance.
Where do you begin?
Understand the Importance of Information Security:
Every organization is unique with its own set of requirements and concerns. The company IT-Assets are exposed to various threats. More than 70% of the threat comes from Internal Sources.
Other threat agents can be Hackers, Former Employees, Contractors, Suppliers, Competitors and Customers.
Management is tight lipped about incidents and push matters under the carpet due to the fear of losing credibility among investors and customers.
In competitive environment where IT systems become Business Enhancers, one cannot afford to loose data and have a break down.
Building awareness is the starting point for a stronger Information Security Culture.
Educating top management for the need of an effective Information Security Management and the possible benefits to do the same is crucial for the success of a project.
Get Yourself Trained:
While selecting appropriate products and vendors for doing a technical risk assessment one has to understand, implement, maintain and sustain the investments made on Information security.
The Internet serves as a huge repository of material for beginners to advanced users. The best method is to work in live environments with security professionals and get hands-on experience on various products and process. Those who are fortunate enough to work on live sites can use Internet resources like mail lists and websites on security, study for certifications on security or even attend training programs conducted by Security Institutes.
Understand your Business Need:
Security is always a Business led activity. The investments made on Security should reflect the need for security measures, criticality of IT Resources and processes in the day-to-day functioning of business. To implement strong security systems one has to grasp the core need of Information Security in the Business and identify the critical business factors.
For Example: If a Financial Organisation has to heavily depend on IT resources to assimilate, calculate, interpret and present data on a hourly basis then the level of security would be higher than a company using IT resources for maintaining accounts and downloading company mail. To remain competitive the company cannot afford a down time of its Systems.
The security organization structure is important to help give direction and a solid foundation to the implementation of a project. A designated Security Officer with a team of technical and procedural security professionals would make it a perfect mix for implementation. If the company chooses to use an external security company for consulting, the Security team could work hand in hand with the security company professionals. This will help companies maintain the systems and procedures drafted and implemented by the security team.
Choosing a vendor:
Various security consultants in the market have their own set of methodology and approach. Some of the parameters of selecting a vendor would be, firstly, the vendor should be an expert only on Information Security. One cannot boast of having a shop for software development, hardware sales and also Information Security. The field on Information Security is vast and complex and needs to have a focused approach. Secondly, the vendor needs to have done live assignments in India. We cannot have Polices for Indian companies based on US firms. Thirdly, the vendor needs to have a Quantitative Risk Assessment approach which takes into consideration technical and procedural checklists and lastly, the vendor should be willing to work with the team and share knowledge, which is important for the team to sustain the project even after the assignment is over.
Importance of Risk Assessment:
While designing and deploying a security strategy one has to ask two very important questions. One, What to protect and second, How much to protect? In simpler words what and how much risk is the business is exposed to?
To define risk:
Business risk is the threat that an event or action, which can adversely affect an organisation's ability to successfully, achieve its business objectives and execute its strategies.
The key success factor of IT systems is a through risk assessment and effective risk management. Risk assessment prepares the base on which one would build the ISMS (Information Security Management System)
The entire exercise starts with Asset Identification:
An important step towards achieving BS 7799 Certification is to identify and classify assets. BS779 Defines Risk Assessment as - assessment of threats to information, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence.
Every department would have assets, which they would consider important, without which one cannot continue work and achieve results. There could be assets, which would have higher or lesser value. Thus the most important asset would be need more protection and the lesser ones would require lower level of protection.
All assets in the company can be classified as:
People Assets: The number of professionals who are a part of the organisation.
Information Assets: Databases, data files, system documentation, user manuals, training material, operational and support procedures, intellectual property, continuity plans.
Paper Documents: Contacts, Company documentation, business results, HR records, Purchase documents invoices.
Software Assets: Application systems, development tools, and utilities.
Physical Assets: computers, servers, routers, hubs, firewalls, communication equipment, magnetic media, other equipment, cabinets, safes
Services: Computing, telecommunications, air-conditioning, water etc
Company Image and Reputation: Adverse publicity, Failure to deliver, Website defacement, Unable to provide connectivity to web server
Once the list of assets are identified the criticality of every asset has to be classified as
Unclassified: Considered publicly accessible. There are no requirements for access control or confidentiality.
Shared: Resources that are shared within groups or with people outside the organization.
Company Only: Access to be restricted to the internal employees only.
Confidential: Access to be restricted to a specific list of people.
This gets us to answer for "What to Protect"?
Now lets Understand How to Protect?
Technical Risk Assessment:
Penetration testing: After performing the Asset Identification exercise one has to move on testing specific devices which are critical to the running of the organisation. The first step towards doing testing is to find out if any external person can have access to the company information through the Internet. This is a specialized exercise, which requires a security professional abreast with the latest exploit and vulnerabilities from published and open sources. The professional needs to run various tests that would test the Internet Point of presence (i.e. Website) and security devices which protect these sites.
He would assume the role of a possible intruder and do all that he would do if he would like to break systems and cause harm.
The result of these tests would help one get an idea of the possible vulnerabilities on various servers.
After performing an external test one needs to test the strength of various servers and operating systems available internally. This works as a second level of defense. Even if an intruder breaks the entry points he should be stopped at the internal points. Internal testing also facilitates the design of the Security Architecture.
A word of caution would be to allow only qualified and experienced professionals to operate these systems. All legal documents need to be signed before one has to complete the assignment.
Procedural Risk Assessment:
After conducting the technical risk assessment one needs to find out formal and informal polices and procedures followed in the company. This can be done with detailed questionnaires, which can help find out concerns of IT managers, IT users, Operations staff, Top Management, Divisional Heads and Technical Team.
A Gap Analysis Document can be created once the
Procedural Risk Assessment exercise completed.. This would help companies have a clear understanding of where they stand as far as acquiring the Certification is concerned.
Once the gaps in the systems are identified, one has to manage these risks and make sure that the possibility of these risks affecting the company is very low or in some cases totally eliminated. BS 7799 has been designed in such a manner that its 127 Control Clauses have addressed almost every Conceivable risk known to Information Systems.
The standard Defines Risk Management as -process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost
For Example: While conducting the procedural risk assessment one finds that while disposing old computer systems one does not erase or format the hard disk which goes along with the machine. So the risk is potential leakage of information, which is stored on the Hard Disk. This risk is addressed by Domain 8 Communications and operations management 8. which states that Media shall be disposed of securely and safely when no longer required.(220.127.116.11)
Creating of Security Policies and Procedures to Manage Risks Effectively
As in every Management System Security, Management is Policy driven and has to be driven and pushed in to an organisation. One has to take utmost care to address every concern expressed during the technical and
Procedural risk management exercise and prepare the documentation of the required polices (The list is only indicative and differs from organisation to organisation)
Logical Access Controls, Password Security & Controls, Network &
Telecommunication Security, Application Software Security, Program
Change Controls, Version Controls, Disaster Recovery Plan, Electronic Mail Security, Backup & Recovery, Internet access and security, Operating Systems Security, Incident Response and Management, Third Party Security, Data Classification, Web server Security, Intranet Security, Punitive Actions, Firewall Security, Use Of Cryptography, Digital Signature Security, Database Security, Virus Protection
Implementation of a effective risk management has various benefits and some of which could be enhanced understanding of business aspects, Reductions in security breaches and/or claims, Reductions in adverse publicity, Improved insurance liability rating, Identify critical assets via the Business Risk Assessment, Provide a structure for continuous improvement, Be a Confidence factor internally as well as externally, Enhance the knowledge and importance of security-related issues at the management level, Ensure that "knowledge capital" will be "stored" and managed in a business management systems.
Part 3: BS 7799 Certification
In the Information Security Space we believe that people are the strongest and weakest link in the attempt of securing ones IT resources. Security professionals are responsible for the making and breaking the best security systems developed till date.
The best method to validate ones attempt to provide an Effective Information Security Management is to first benchmark the same with BS 7799 Standard and then certify the same through an external vendor.
In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management.
In this final session we would attempt to understand the structure and steps involved in certification for BS 7799.
A quick recap
Before we go in to the details of acquiring certification we need to go back and look at what constitutes the standard and what will a company be certified for:
ISO/IEC 17799:2000 (Part 1) is the standard code of practice , which can be regarded as a comprehensive catalogue of "the best things to do in Information Security"
BS 7799-2: 2002 is a standard specification for Information Security Management Systems (ISMS). ISMS is the means by which Senior Management monitor can control their security, minimising the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements.
Please note that certification is against BS 7799-2.
In order to be awarded a certificate, a BS 7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as Det Norske Veritas and BSI Assessment Services Limited).
The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.
The assessor will return periodically to check that your ISMS is working as intended.
Domains on which one would be assessed:
As discussed in the earlier sections the company needs to prepare its policies and procedures, which would cover all 10 sections of the standard.
Statement of applicability
BS 7799 requires a company to identify process and controls , which they practically work on. If for example the company does not require to outsource any of its functions to any external vendor they can state that 18.104.22.168 (Security Requirements in outsourcing contracts ) is not relevant to that particular organisation.
You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS 7799 controls that have not been chosen are not relevant.
Preparing oneself for Certification:
The traditional formula of PDCA (PLAN …DO …CHECK and ACT) works well with BS 7799 too and this is a good place to either start or review the progress of the implementation team.
While planning one has to particularly be careful of the Business Context with which the ISMS is being prepared, which would include defining business policy and objectives, estimating the scope of ISMS, deciding and collecting resources for conducting risk assessment and a definitive approach to Identification, Analyzing and Evaluating risks in a continuous mode.
While implementing the ISMS the focus should always be to build a long run and faultless mechanism for managing risk. This would include evaluating options of going in for automated or manual systems. The ideal method is to strike a perfect balance between both the counts. BS 7799 controls need to be addressed, as our ultimate objective is to acquire certification.
Deploy qualified and tested vendors to implement various products and solutions, which would be required. Preparation of the statement of applicability is also an important step where the management plays a important role.
Here is where one has to get an external security audit team qualified to perform a third party security audit for BS 7799. Certification companies like Det Norske Veritas can also help in finding qualified BS 7799 consultants for companies interested in performing a pre assessment audit.
The audit team would check for appropriate controls and evidence of implementation.
For Example: If a company has prepared a policy for Contractual Agreements the company would have to submit the templates and documents where, third party contractors have signed documents for security.
Implementation would also include continuous monitoring of the ISMS from the perspective of satisfying business needs first and its practical validity in the organisation.
After checking for flaws and vulnerabilities the company needs to improve ISMS by identifying key vulnerabilities and take appropriate corrective actions.
Preventive actions, for unseen but predictive incidents can be taken and polices to drive it into action can be framed in an appropriate time.
Communication and delivery of policies to IT users and IT team should be done with ease and determination. Cultural changes and differences, which arise should be tackled with justification and transparency. Management , partners and users should be trained on policies and procedures.
Creative techniques like designing
posters, which clearly states the rules such as PC usage and the best practice followed in Password Framing and Maintenance can go a long way in the success of the policies and procedures.
The 4 Step method of Certification
The Plan, Do, Check and Act framework is cyclic and has to be continuously done for long run and with the solid backing of the management.
We now come to Specifics of Certification Process
All documented polices and procedures need to be verified and checked for consistency and practicality. Corresponding templates and forms are presented to the Audit team.
One important check on documentation will be its validity and relevance to bs 7799 controls.
The following documents needs to be presented
ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.
The definition and implementation of Security Architecture with its various products and networking components are checked for vulnerabilities and possible risk exposure.
The company would also need to submit a document stating the ‘permissible risk’ statement; this is the risk, which the company can afford to take.
The team of bs 7799 implementers and bs 7799 professionals can take up an initial Internal audit where non-conformances are picked up and recommendations are documented.
This step involves simulation of the real time third party audit and has to be taken seriously among the team and users of IT in the company.
External Audit- Certification
Inviting the Certification Company is pre determined and the company gets ready to face the external auditors.
The company consultants and internal team would not be allowed to be part of the audit team.
They can assist and help auditors find relevant material.
The auditors check for documentation and objective evidence with the following intention.
Are records Correct and Relevant?
- Are polices Known and Tested?
- Are policies Communicated?
- Are controls Implemented?
- Are Polices Followed up?
- Are preventive Actions taken?
The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.
After the audit, the certification company recommends the said company for bs 7799 Certification. This is certainly a victory for the IT team as they can be assured that its IT systems are world class and the possibility of a security incident happening is minimum.
To summarize the series ., bs 7799 is a culture one has to build in the company, which would help one:
- Heighten security awareness within the organisation
- Identify critical assets via the Business Risk Assessment
- Provide a structure for continuous improvement
- Be a confidence factor internally as well as externally
- Enhance the knowledge and importance of security-related issues at the management level
- Ensure that "knowledge capital" will be "stored" in a business management system
- Enable future demands from clients, stockholders and partners to be met
Information Security Management: An introduction (PD 3000)
- Preparing for BS 7799 Certification (PD 3001)
- The Guide to BS 7799 Risk Assessment and Risk Management (PD 3002)
- Are you Ready for a bs 7799 Audit? (PD 3003)
- Guide to BS 7799 Auditing (PD 3004)
- Guide on selection of BS 7799 controls (PD 3005)
- ISO 17799 : Part 1: 1999 Code of Practice for information security management
- BS 7799 : Part 2: 1999 Specification for information security management systems
- EA Guidelines 7/03
(All avaialable from StandardsDirect.Org)
For comments and questions on this paper please write to: bmukund [AT] yahoo [DOT] com