BS7799


Implementation of Security Policies Based on the BS7799 / ISO 17799 Standard

For a better approach to information security

White Paper

Jacquelin Bisson, CISSP
Information Security Analyst, Callio Technologies

René Saint-Germain
President, Callio Technologies

Executive Summary
When it comes to implementing codes of practice for information security management, the best point
of reference is BS 7799 / ISO 17799, an internationally recognized standard in this field that is widely
used for drafting security policies.

The BS 7799 / ISO 17799 standard is written and published in two parts:

1) ISO/IEC 17799 Part 1: Code of practice for information security management is a guide containing
advice and recommendations to ensure the security of a company’s information according to ten fields
of application.

2) BS 7799 Part 2: Information security management -- specifications with guidance for use provides
recommendations for establishing an effective Information Security Management System (ISMS). At
audit time, this document serves as the assessment guide for certification.

Several software programs are currently available on the market to help companies implement the BS
7799 / ISO 17799 standard and develop security policies. Such software brings together a sound
methodology, questionnaires, an informational guide and all of the tools needed to develop an
information security management system and accelerate its implementation.
Company Profile

Callio Technologies was created in 2001 and specializes in the field of information security. Its first
product, Callio Secura 17799, is software that offers companies the opportunity to comply with the
BS 7799 / ISO 17799 information security management standard.

Callio Technologies' areas of expertise are: risk analysis; developing security codes of practice and
information security management systems; drafting security policies based on BS 7799 / ISO 17799;
security audits; contingency plans; and training in computer risk management.

Our mission: enable companies to assess, manage and reduce their computer risks. We provide
software and other tools that give you decision-making power supported by complete risk analysis.

© Callio Technologies i
BS7799 / ISO 17799 Solution infoedge.com
Introduction

Information security has always been a major challenge to most organizations. Computer infections
by the "I-Love-You" virus, the 9-11 terrorist attacks and the crippling electrical blackouts in the
northeastern United States in 2003 are just a few well-known examples of the need to come to terms
with information-related risks.

Unfortunately, organizations forget too quickly that information security is more than a simple matter
of technology. In reality, it should be part of an ongoing risk management process, covering all of the
information that needs to be protected.

An array of laws now hold the officers of a corporation liable for protection of its informational
assets, under threat of penalty. It has become a must for administrators to show due diligence in this
regard, fostering greater concern for countering risks with appropriate measures to reduce or
eliminate them.

What is information security?

"Information systems security is not a contradiction in terms... security without risk management is."
(J. Bisson, 2003)

Information is an asset which, like other important business assets, has value to an organization and
consequently needs to be suitably protected. Information security protects information from a wide
range of threats in order to ensure business continuity, minimize business losses and maximize return
on investments and business opportunities.

Information can exist in many forms. It can be printed or written on paper, stored electronically,
transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever
form the information takes, whatever the means by which it is shared or stored, it should always be
appropriately protected.

Information security consists of preserving the following elements:

a) confidentiality: ensuring that information can only be accessed by those with the proper
authorization;

b) integrity: safeguarding the accuracy and completeness of information and the ways in which it is
processed;

c) availability: ensuring that authorized users have access to information and associated assets
whenever required.

Source: ISO 17799

Information security is achieved by implementing a suitable set of controls, which could be policies,
practices, procedures, organizational structures and software functions. These controls need to be
established in order to ensure that the specific security objectives of the organization are met.

Source: ISO/IEC 17799 Part 1: Code of practice for information security management

What is BS 7799 / ISO 17799?

The goal of BS 7799 / ISO 17799 is to “provide a common base for developing
organizational security standards and effective security management practice and to provide
confidence in inter-organizational dealings.”

The standard is published in two parts:

ISO/IEC 17799 Part 1: Code of practice for information security management

BS 7799 Part 2: Information security management -- specifications with guidance for use

ISO/IEC 17799 (Part 1)

The international standard ISO/IEC 17799 was developed by the British Standards Institution (BSI) as
BS 7799. It was adopted through a special "fast track procedure" by the JTC 1 (Joint ISO/IEC
Technical Committee), concurrently with its approval by the national member institutes of ISO and
the IEC.

ISO/IEC 17799 is presented in the form of guidelines and recommendations that were assembled
following consultations with big business. The 36 security objectives and 127 security controls
contained in ISO/IEC 17799 are divided among ten domains. The following is a brief overview of
each of these domains:

1. Security Policy - Provide guidelines and management advice for improving information security.

2. Organizational Security - Facilitate information security management within the organization.

3. Asset Classification and Control - Carry out an inventory of assets and protect these assets
effectively.

4. Personnel Security - Minimize the risks of human error, theft, fraud or the abusive use of
equipment.

5. Physical and Environmental Security - Prevent the violation, deterioration or disruption of
industrial facilities and data.

6. Communications and Operations Management - Ensure the adequate and reliable operation of
information processing devices.

7. Access Control - Control access to information.

8. Systems Development and Maintenance - Ensure that security is incorporated into information
systems.

9. Business Continuity Management - Minimize the impact of business interruptions and protect the
company's essential processes from failure and major disasters.

10. Compliance - Avoid any breach of criminal or civil law, of statutory or contractual requirements,
and of security requirements.

The following diagram suggests a structure for the ten domains of the standard. Each domain
deals with a separate topic built around administrative, technical and physical measures and
driven from the top down, in other words such that its impact is felt from the management level
all the way to the operational level.

About ISO and the IEC

The International Organization for Standardization (ISO) and the International Electrotechnical
Organization (IEC) constitute a specialized system for standardization around the world. Through
technical committees, these two organizations participate jointly in the development and adoption
of international standards, as was the case for ISO/IEC 17799.

These technical committees, like the ISO/IEC Joint Technical Committee (ISO/IEC JTC 1), submit
proposed standards to the many national organizations for the purpose of a vote. In order to be
recognized internationally, a standard must obtain the approval of at least 75% of national voting
bodies.

BS 7799-2 (Part 2)

BS7799 provides conditions for information security management. Comprised of the ten domains
and 127 controls of the ISO 17799 standard, this reference applies to the development,
implementation and maintenance stages of an information security management system.
Organizations applying for certification are evaluated according to this document.

An organization that bases its ISMS on the provisions in BS 7799 can obtain certification from an
accredited body. The organization thereby demonstrates to its partners that its system both complies
with the standard and answers the need for security measures as determined by its own
requirements.

It is important to understand that an organization that obtains certification is considered ISO 17799
compliant and BS7799-2 certified.

BS 7799-2 is already widely used in many countries as a reference document for information security
management certification. These countries include England, Australia, Norway, Brazil and Japan.

What is an ISMS?

"To establish the organization's information security policy and objectives... and then meet these
objectives."

An Information Security Management System (ISMS) provides a systematic approach to managing
sensitive information in order to protect it. It encompasses employees, processes and information
systems.

Information security involves more than simply installing a firewall or signing a contract with a
security firm. In this field it is essential to integrate multiple initiatives within a corporate strategy
so that each element provides an optimal level of protection. This is where information security
management systems come into play - they ensure that all efforts are coordinated in order to
achieve optimum security.

A management system must therefore include an evaluation method, safeguards and a
documentation and revision process. This is the underlying principle of the PDCA
(Plan-Do-Check-Act) model which strongly resembles the ISO 9001 model for quality management.

Plan
- Define the ISMS scope and the organization's security policies
- Identify and assess risks
- Select control objectives and controls that will help manage these risks
- Prepare the statement of applicability

Do
- Formulate and implement a risk mitigation plan
- Implement the previously selected controls in order to meet the control objectives

Check
- Perform monitoring procedures
- Conduct periodic reviews to verify the effectiveness of the ISMS
- Review the levels of acceptable and residual risk
- Periodically conduct internal ISMS audits

Act
- Implement identified ISMS improvements
- Take appropriate corrective and preventive action
- Maintain communications with all stakeholders
- Validate improvements

History of the BS7799 / ISO 17799 standard

For over a hundred years, the British Standards Institution (BSI) has carried out studies for the
purpose of establishing effective, high-quality industry standards. BS 7799 was developed at the
beginning of the 1990s in response to industry, government and business requests for the
creation of a common information security structure. In 1995, the BS7799 standard was officially
adopted.

Four years went by before the publication in May 1999 of a second major version of the BS 7799
standard, incorporating numerous improvements. It was during this period that the International
Organization for Standardization (ISO) began to take an interest in the work published by the
British institute.

In December 2000, ISO took over the first part of BS 7799, re-baptising it ISO 17799. In
September 2002, a revision of the second part of the BS7799 standard was carried out in order
to make it consistent with other management standards such as ISO 9001:2000 and ISO
14001:1996 as well as with the principles of the Organization for Economic Cooperation and
Development (OECD).

Currently, consultations are taking place at the international level to keep BS 7799 / ISO 17799
at the leading edge of the latest developments.

Compliance, Certification and Accreditation

To avoid confusion, here is a brief definition of these three terms in the context of an Information
Security Management System (ISMS):

Compliance is a self-assessment carried out by an organization in order to verify whether a system
that has been implemented complies with a standard.

Certification (also called registration) is conferred by an accredited certification body when an
organization successfully completes an independent audit, thus certifying that the management
system meets the requirements of a specific standard, for example BS7799-2. A company may
comply with ISO 17799, but certification is only possible with BS7799.

Accreditation consists of the means by which an authorized organization (the accreditation body)
officially recognizes the authority of a certification body to evaluate, certify and register an
organization's ISMS with regard to published standards.

Who is ISO 17799 for?

BS 7799 / ISO 17799 meets the needs of organizations and companies of all types, both
private and public.

For any organization that stores confidential information on internal or external systems,
depends on such systems to run its operations, or indeed wishes to demonstrate its
information security by conforming to a known standard, BS 7799 / ISO 17799 would be of very
great interest. The following chart illustrates the many possible uses of the standard:

Type of company | Size | Primary objective | Use of the standard

Small enterprise or organization | Less than 200 employees | Raise management's awareness
regarding information security | ISO 17799 contains the security topics that should be dealt with as
a foundation for management.

Medium enterprise (centralized or decentralized) | Less than 5000 employees | Create a compatible
corporate security culture | The standard contains the practices required to put together an
information security policy.

Large enterprise | More than 5000 employees | Obtain security certification at the end of the
process | Use BS 7799-2 to create an internal security reference document.

Of course, the greater the risk to an organization, the more likely the organization is to pay greater
attention to the security of its data. Such is the case in governmental, financial and health-related
fields, as shown in the accompanying figure.

Benefits of the BS7799 / ISO 17799 standard

Obviously, complying with the ISO 17799 standard or obtaining BS 7799-2 certification does not in
itself prove that an organization is 100% secure. The truth is, barring a cessation of all activity, there
is no such thing as complete security. Nevertheless, adopting this international standard confers
certain advantages that any manager should take into consideration, including:

At the organizational level

Commitment: certification serves as a guarantee of the effectiveness of the effort put into rendering
the organization secure at all levels, and demonstrates the due diligence of its administrators.

At the legal level

Compliance: certification demonstrates to competent authorities that the organization observes all
applicable laws and regulations. In this matter, the standard complements other existing standards
and legislation (for example HIPAA, the Privacy Act of 1974, the Computer Security Act of 1987,
the National Infrastructure Act of 1996, the Gramm-Leach-Bliley Act of 1999, and the Government
Information Security Reform Act of 2001).

At the operating level

Risk management: leads to a better knowledge of information systems, their weaknesses and how
to protect them. Equally, it ensures a more dependable availability of both hardware and data.

At the commercial level

Credibility and confidence: partners, shareholders and customers are reassured when they see the
importance afforded by the organization to protecting information. Certification can help set a
company apart from its competitors and in the marketplace. Already, international invitations to
tender are starting to require ISO 17799 compliance.

At the financial level

Reduced costs related to security breaches, and possible reduction in insurance premiums.

At the human level

Improves employee awareness of security issues and their responsibilities within the organization.

Complementarity of BS7799 / ISO 17799
The popularity of BS 7799-2 / ISO 17799 is due in part to its flexibility and its complementarity
with other information and IT security standards.

While ISO 17799 sets out the best practices for managing information security and creating security
policies, ISO 13335, also called GMITS - Guidelines for the Management of IT Security - is its big
brother. This standard deals more with the technological aspects of information, and brings
value-added content to risk assessment. The protective measures proposed in the fourth of
ISO 13335's five guides (Part 4: Selection of safeguards) could be compared to the controls offered
in ISO 17799.

There is also a strong complementarity between ISO 17799 and ISO 15408. The latter, better known
under the name Common Criteria, certifies the levels of defense conferred by the security measures
in information systems. It therefore covers technical aspects, whereas ISO 17799 focuses more on
the organizational and administrative aspects of security.

A relationship also exists between ISO 17799 and numbers 18044, 17944, 18028 and 14516 of the
International Organization for Standardization, as summarized in the following figure:

[Figure: ISO 17799 at the centre, related to ISO 18044: Incident management; ISO 17944: Financial
systems; ISO 18028: Communications management; ISO 14516: E-commerce security; ISO 13335
(GMITS); ISO 15408]

As of the new 2002 revision, BS7799-2 is harmonized with the standards for other well-known
management systems, such as ISO 9001:2000 and ISO 14001:1996.

Indeed, numerous companies are aware of or have implemented a quality management system (QMS)
using ISO 9001, or an environment management system (EMS) using ISO 14001. BS 7799-2 now
follows the same structure and has much the same requirements for developing an Information
Security Management System (ISMS).

Complementarity with existing legislation
Many governments around the world are preparing or have adopted regulations prescribing how
companies should manage and control information security. The aim is simple: compel
management and boards of directors to be responsible for information security, and encourage
them to display the same “due diligence” they devote to protecting their assets.

Such regulations include the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act
(GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA):

Recent legislation | Who is affected? | What do the security provisions cover? | What are the
penalties? | When is it in effect?

Sarbanes-Oxley Act of 2002 | All public companies subject to US security laws | Internal controls and
financial disclosures | Criminal and civil penalties | Current law

Gramm-Leach-Bliley Act of 1999 | Financial institutions | Security of customer records | Criminal and
civil penalties | Current law

Health Insurance Portability and Accountability Act (HIPAA) | Health plans, health care
clearinghouses, and health care providers | Personal health information in electronic form | Civil
fines and criminal penalties | Final security rule takes effect in April 2005

The good news is that an organization that complies with any one of these regulations already
possesses a concrete and practical example of an information security management system.

For example, HIPAA tackles the same subjects as the ISO 17799 standard while placing the
emphasis on the protection of private information.

Similarly, the PDCA (Plan-Do-Check-Act) model in BS 7799-2 compares nicely with the four steps
in GLBA:
1. Identify and assess the risks to customers’ information;
2. Develop a plan containing policies and procedures to manage and control those risks;
3. Implement and test the plan;
4. Adjust the plan on a continuing basis.

Finally, compliance with ISO 17799 and BS7799-2 can include the definition of policies and
procedures for the security of a company’s sensitive information, as touched on in SOX.

Implementing an ISMS
The following table describes each of the eight steps involved in implementing an ISMS:

Documenting an ISMS

Documenting an ISMS is an important requirement during implementation and has two major
dimensions:
1) description of the organization’s strategy, objectives and risk assessment along with the
measures taken to mitigate risks;
2) control and follow-up once the ISMS is in operation.

At least four levels of documentation exist, as shown in the following figure:

Obstacles
Certain obstacles may be encountered when implementing an ISMS, namely:

- Fear, resistance to change
- Risk that changes made in one area necessitate subsequent adjustments in other areas
- Increased costs
- Insufficient knowledge of the approach used
- Seemingly insurmountable tasks

To help overcome these obstacles, certain success factors should be taken into consideration.

Success Factors
Experience has shown that the following factors are often crucial to ensuring the successful
implementation of information security management within an organization:
a) a security policy and security objectives and activities that reflect the company’s goals
b) an implementation approach to security management that is consistent with company
culture
c) visible support and commitment from management
d) a good understanding of security requirements, risk assessment and risk management
e) effective communication of security issues to all managers and employees
f) the distribution of guidelines regarding the information security policy and standards to all
employees and suppliers
g) appropriate training and education
h) a comprehensive and balanced system of measurement that is used to evaluate the
effectiveness of information security management and provide feedback and suggestions for
improvement

In summary: BS7799 / ISO 17799

What it is:

- A structured and internationally recognized guide with recommendations devoted to information
security
- A concise process for evaluating, implementing, maintaining and managing information security
- The fruit of efforts exerted by a consortium of companies to meet the needs of industry
- A balanced process between physical, technical and procedural security, and personnel security

What it isn't:

- A technical standard
- A product-oriented or technological standard
- An equipment evaluation methodology such as the Common Criteria (CC/ISO 15408). However, it is
complementary to such standards and can make use of the evaluation assurance levels (EAL) found in
the Common Criteria.
- ISO 17799 isn't a system that leads to a security certification (for the moment, only BS 7799-2 and
its national derivatives provide a certification process).
- ISO 17799 doesn't specify any obligations regarding the risk assessment method. It is sufficient to
choose whichever one best suits the company's needs.

Available software tools and resources
A range of information security products and services are currently available on the market. Many
are based on physical safeguards (locks, gates, fences, extinguishers, guards, etc.) and technical
controls (firewalls, biometrics, encryption, etc.). When it comes to adopting administrative
safeguards, however, often companies forget how important these are.

But information security isn’t complete without the development and publication of security policies
and procedures, or employee awareness and training programs, to name only those. Information
security is really an ongoing risk management process and therefore requires tools that meet
these needs.

Beyond any doubt, ISO 17799 offers what companies need in order to better manage information
security. The best way to implement this standard is to ease the process using multiuser software
that will collect the information required and that contains the principal tools that will be needed
along the way. Start with a simple and efficient risk assessment tool that generates
recommendations based on the ISO 17799 code of practice for each of the informational contexts
identified. Add to that a complete methodology, compliance questionnaires, a security policy
generator, an integrated document manager, examples, templates and information guides
regarding the implementation and audit of ISO 17799 controls, and managers will quickly
understand that such a tool can save the company much time and money.

Of course, another approach is to implement the standard with the aid of a consulting firm - one
that uses such software.

Methodology, method and standard

A methodology is a rigorous and standardized approach to information security analysis that uses
various tools such as specialized software and questionnaires.

A methodology therefore uses methods, that is to say, means to effectively achieve the desired
result. The latter is usually formulated in a standard.

A standard can be defined as a reference document that is based on a consensus of large industrial
or economic interests and established on a voluntary basis.

It is therefore obvious that the method will be the tool used to meet the requirements of a standard.

Conclusion

Now more than ever, it is essential to align information security with the corporate mission.
The confidentiality, integrity and availability of information are crucial factors in conserving a
competitive edge, cash flow, legal compliance and a good business image.

Seeking certification is also a demonstration that business executives and upper management
are showing due diligence in protecting corporate assets. Development of an information
security policy based on ISO 17799 is thus at the very core of information security
management.

BS 7799 / ISO 17799 is especially pertinent in this context. Simply by learning the
requirements of the standard, companies will improve their understanding of information
security management.

One of the best ways to implement a complete and effective information security management
system is to purchase a software tool and to use this tool in conjunction with professional or
internal services.

Over 80 000 firms around the world are BS 7799 / ISO 17799 compliant, including:
- Fujitsu Limited
- KPMG
- Marconi Secure Systems
- Sony Bank
- Toshiba IS Corporate

What about you? Implement the highest standards of information risk management.
