BS7799-2
Inception to Certification
Dale Johnstone
Chair – BS7799 User Group (Hong Kong)
Member – Australian Standards IT/12/4
Member – ISO/IEC JTC1 SC27
Principal Security Consultant
Risk Management & Compliance
5 December 2002
Agenda
• History of BS7799-2
• Current Status
• Future
WHAT IS BS7799?
• Aim
– Build on a Common Basis for Organisational Security Standards Development
– Enhance Security Management Practice
– Increase Confidence and Trust in Inter-Organisational Dealings
• Defines
– Desired Best Practice Methods for Controlling (Protecting) Information: (a) Confidentiality, (b) Integrity and (c) Availability
• Consists of Two Parts
– Part 1 – Code of Practice for Information Security Management
  • Represents Best Practice Guidance Based on Practical Industry Experience
– Part 2 – Specification for Information Security Management Systems
  • Forms the Basis by Which Compliance Certification Can be Performed Against a Management Systems Standard
HISTORY OF BS7799 PART 1
• Early 1990s
– Industry Need Determined for Best Practice Controls
– To Support Business & Government in the Implementation & Enhancement of Information Security
– Department of Trade and Industry (UK) Established a Working Group Comprising Experienced Information Security Managers
– Information Security Management Code of Practice Produced
• 1992
– Published as an Industry Code of Practice (September)
  • Provided a Structured Framework for an Organisation to Examine & Improve the Security of their IT Systems Environment
– Originally Published as a BSI-DISC Publication
– Forms the Basis of British Standard 7799
History of BS7799 (Part 1)
• 1995
– BDD/2 Committee Revised the Code to Make It Suitable for Publication
– BS7799 Published as a UK Standard
• 1996 - 1997
– Need to Increase the Level of Confidence in BS7799 Identified
– Industry Called for a Means of Certifying Against the Code
– Steering Committee Formed
  • UK Accreditation Service (UKAS)
  • International Register of Certified Auditors (IRCA)
  • Department of Trade & Industry (DTI)
• 1998 (April)
– UK ISMS Certification Scheme Launched
• 1999
– Revised and Updated
– New Controls Added:
  • E-commerce
  • Mobile Computing
  • Third Party Arrangements
– UK Specific References Removed
– Overall General Improvements Made
– Second Edition Published (BS 7799-1:1999)
HISTORY OF ISO/IEC 17799
History of ISO 17799
• April 2000
– Given Strong International Interest, BDD/2 Recommended BS7799-1 be Submitted to ISO for Development as an International Standard
– BSI Submitted BS7799-1 to ISO Using a 'Fast Track' Procedure
  • Allows an International Standard to Be Published in 12 Months
• October 2000
– International Standard ISO/IEC 17799 Was Approved
• December 2000
– International Standard ISO/IEC 17799:2000 Published
– Some Minor Editorial Amendments
• April 2001
– ISO/IEC JTC1 SC27 'IT Security Techniques' Committee Assigned Responsibility for Maintenance & Further Development
– Call for Revision Comments Issued
• October 2001
– Revision Commenced by ISO Committee
– 151 Pages of Comments Received
• October 2002
– Revision Continues by ISO Committee
– 666 Comments Spread Across 170 Pages Received
ISO 17799 Structure
• Scope
• Terms & Definitions
• Security Policy
– Information Security Policy Document
– Review & Evaluation
• Security Organization
– Information Security Infrastructure
– Security of Third Party Access
– Outsourcing
• Asset Classification & Control
– Accountability for Assets
– Information Classification
• Personnel Security
– Security in Job Definition & Resourcing
– User Training
– Responding to Security Incidents & Malfunctions
• Physical & Environmental Security
– Secure Areas
– Equipment Security
• Communications & Operations Management
– Operational Procedures & Responsibilities
– System Planning & Acceptance
– Protection Against Malicious Software
– Housekeeping
– Network Management
– Media Handling & Security
– Exchanges of Information & Software
• Access Control
– Business Requirement for Access Control
– User Access Management
– User Responsibilities
– Network Access Control
– Operating System Access Control
– Application Access Control
– Monitoring System Access & Use
– Mobile Computing & Teleworking
• Systems Development & Maintenance
– Security Requirements of Systems
– Security in Application Systems
– Cryptographic Controls
– Security of System Files
– Security in Development & Support Processes
• Business Continuity Management
• Compliance
– Compliance with Legal Requirements
– System Audit
HISTORY OF BS7799 PART 2
• 1998
– Process for Establishing an Information Security Management System Identified
  • Developed by BDD/2
  • Published as BS 7799-2:1998
– BS 7799-2:1998 Specifies Controls to Be Implemented
  • According to Security, Legal and Business Requirements
– Specification Can be Used to:
  • Conduct Internal Audits to the Standard
  • Enable Third Party Certification to the Standard
• 1999
– Published as BS 7799-2:1999
  • Alignment of Controls With BS7799-1
  • Joint Publishing of New Part 1 → Re-issue of New Part 2
History of BS7799 (Part 2)
• Late 2001
– Revision of Standard Commenced
• Contributors
– Australia
– Brazil
– Germany
– Hong Kong
– Ireland
– Japan
– Korea
– Netherlands
– Norway
– Singapore
– Sweden
– UK
CURRENT STATUS OF BS7799-2
Present - BS7799 (Part 2)
• Provides
– Guidance on Creating an ISMS
– Critical Success Factors to Successfully Implement Information Security
– Ability to Harmonise With Other Management Systems
– Plan-Do-Check-Act Model for Creating and Maintaining an Effective ISMS
– Ability to Continually
  • Improve the Process of Security Management
  • Assess Security Procedures in the Light of Changing Business Requirements, Technology Threats and New Circumstances
– Clarity of Relationship with:
  • International Standards
  • Newly Revised Guidelines From the Organisation for Economic Co-operation and Development (OECD)
ISO 17799 & BS 7799-2
FUTURE
• October 2003
– ??? Comments
– International ISO Voting
• October 2004
– ??? Comments
– International ISO Voting
• 2005 Aimed Publication Date
– Revised and Updated With a New Look
– Contains New Additional Material
– New Controls Will be Included
– May Even Include a New Major Topic Section
  • 10 → 11 Sections
Future of BS 7799-2
• October 2002
– Study Period Commenced Within ISO
– Review Need for an Information Security Management Systems Standard
– International Countries Expected to Contribute to Study Period
– Several Countries Have Already Indicated Very Strong Support
– BSI (UK) Yet To Decide their Form of Contribution (e.g. BS7799-2)
• Expectation
– New Version to Be Issued Either by:
  • BSI, or
  • ISO
– Within Six Months of ISO 17799 Being Republished
BS 7799 INTERNATIONAL USER GROUP (IUG)
International User Group
Requirements to Achieve Certification
Audit Objectives
– Review Compliance to BS 7799-2
– Review Degree of Implementation of BS 7799-2
– Review the Effectiveness and Suitability in Meeting:
  • Security Policy
  • Security Objectives
– Identify Security Holes & Weaknesses
– Provide an Opportunity to Improve the ISMS
– Meet Contractual Requirements
– Meet Regulatory Requirements
Approach
• Preparation
– Understanding of the effort required
– Clear that it is a continuous effort
– A key operational champion is identified
– People resources are available (minimum 6 months)
– Budgetary resources are available
– Identified the end goals to be achieved (why proceed)
• Management Commitment
– Key management champion is identified
– Understanding of what will be achieved
– Support to make it happen
– Ability to prioritise the commitment (e.g. high)
Approach
• Day 0
– Determine details of ISMS Certification Process
• Day 1
– Map out a project plan
– Determine key milestones
– Select key people resources
– Form project team (Security Forum)
– Commence documentation (e.g. minutes)
– Determine and allocate a budget
– Determine what professional assistance/advice is required
Approach
• Day 2-5
– Plan major activities
  • Information Security Policy
  • Asset Identification
  • Risk Assessment
  • Training and Awareness
  • Scope of assessment (e.g. physical, people, shifts etc.)
• Week 1
– Project Team Meeting
– Initial Scope of Assessment Determined
– Asset Identification Process Commenced
– Gap Analysis of ISMS Requirements within Scope Completed
Approach
• Week 2-4
– Project Team Meeting (held fortnightly)
– Plan/Update Project Plan/Milestones
– Develop security organisational structure (Security Forum)
– Develop/update information security policies
– Commence Risk Assessment (determine methodology)
– Identify weak and strong security areas/risks
• Month 2
– Finalise information security policies (ready for approval)
– Review scope of assessment
– Commence risk management process (safeguard selection)
– Commence development of Information Security Manual
– Continue to document your efforts
Approach
• Month 3
– Project Team Meeting (held monthly) (Security Forum)
– Submit Information Security Policies for Senior Management Approval
– Commence/continue safeguard (control) implementation
– Continue to monitor Gap Analysis Study (from week 1)
Gap Analysis extract (columns: 7799 Part 2 Clause | Statement | Comply | Non-Comply | Exclusion | Control Objectives, Controls & Reasons for Selection or Exclusion)

4.1.1.1 Information security policy document
  Statement: A policy document shall be approved by management, published and communicated, as appropriate, to all employees.
  Status: Comply (√)
  Reasons: Developed, approved and communicated information security policy to all employees. This policy has been developed in accordance with and supports the information security policies of its parent organisation. The Policy is readily available to all employees via the company's intranet.

4.1.1.2 Review and evaluation
  Statement: The policy shall be reviewed regularly, in case of influencing changes, to ensure it remains appropriate.
  Status: Non-Comply (√)
  Reasons: No formal process has yet been established to regularly review the organisation's security policies and procedures. Ownership and responsibility for Policy review has not yet been assigned to dedicated personnel.

4.2.1.1 Management information security forum
  Statement: A management forum to ensure that there is clear direction and visible management support for security initiatives shall be in place.
  Status: Exclusion (√)
  Reasons: Security is a topic that is constantly reviewed and promoted not only by management to the organisation's employees, but additionally encouraged throughout the organisation's customer environment. Given the small size of the organisation, a management forum dedicated to information security is not deemed necessary.
Approach
• Month 4
– Continue safeguard (control) implementation (risk mgt)
– Ensure personnel awareness/training of information security
– Ensure management approval of Information Security Policy
– Continue development of Information Security Manual
  • Document what you actually do – not what you should do!
  • The ISM forms a key element in the certification audit, as do:
    – Meeting Minutes
    – Risk Assessment documentation
    – Organisational structure
    – Statement of Applicability
– Continue to review/revise supporting documentation
  • Not necessarily security related
  • But in support of security safeguards/controls
Approach
• Month 5
– Commence development of 'Statement of Applicability'
  • Progressive update from Gap Analysis document
– Continue Information Security Manual
– Continue implementation of safeguards (controls)
– Commence process of:
  • Continuous review
  • Continuous documentation
– Perform (2nd) Risk Assessment (if applicable)
– Visitor's log etc…
– Engage internal auditors (if available)
  • To assist in reviewing work to date
  • To provide an element of increased confidence
  • To determine any non-conformities earlier in the process
– Engage External (Accredited) Certification Body
• Month 6
– Commence Phase 1 – Desktop/Documentation Audit#
  • Review ISMS Management Framework
    – Security Organisation
    – Security (Committee) Meeting Minutes
  • Assess Scope of Assessment (ISMS)
  • Statement of Applicability
  • Risk Assessment and Management Approach
  • Security Policy and Supporting Key Procedures
    – e.g. Information Security Manual
  • Determine any minor/major non-conformities
    – Action taken to correct non-conformities
    – Documentation updated to reflect changes
– Finalise Information Security Manual
– Finalise implementation of safeguards (controls)
# May or may not be conducted on site
Certification Audit – Phase 2
• Month 7
– Commence Phase 2 – Implementation Audit
  • To confirm that the:
    – Organisation adheres to its own policies, objectives and procedures
    – ISMS conforms with the requirements of the ISMS Standard; and
    – ISMS is achieving the organisation's policy objectives
  • Test the effectiveness of the ISMS
  • On-site inspection to review/test effectiveness of (ISMS) Policies, Procedures, Objectives
    – Interview Owners and Users of ISMS
    – Review High, medium and/or low risk areas
    – Security objectives and targets
    – Links between the core documents within the system
    – Security and management reviews
  • Report findings and give final recommendation
Certifications (171)
BENEFITS
BS7799 Benefits
• Improves
– Management Understanding of the Value of Organisational Information
– Customer Confidence, Satisfaction and TRUST
– Business Partner Confidence, Satisfaction and TRUST
  • e.g. Handling Sensitive Information of Customers & Business Partners
– Level of Assurance in Organisational Security & QUALITY
– Conformance to Legal and Regulatory Requirements
– Organisational Effectiveness of Communicating Security Requirements
Certification Benefits
• Certification Demonstrates:
– Commitment
– Continuous Improvement
– Preparedness for Independent Review
– Measure Against Best Practice
• Certification Provides
– Means to Benchmark Against
  • Industry & Competitors
  • Business Partners
  • Customers
– Increased Level of Certainty
Thank You
Q & A