Information Security Management Best Practice
Based on ISO/IEC 17799, by René Saint-Germain
Presented by: Parves Kamal

Upload: parves-kamal

Post on 12-Apr-2017


Page 1: Information Security Management Best Practice
Based on ISO/IEC 17799, by René Saint-Germain
Presented by: Parves Kamal

Page 2: Management Best Practice Based on ISO/IEC 17799

Agenda:
Get to know the author
What is ISO 17799?
Background on ISO 17799
The Ten Domains of ISO/IEC 17799
Implementation Considerations
Certification Process
Benefits of Implementing the ISO/IEC 17799/BS 7799 Framework
Survey
How much does it cost?
References
Questions?

Page 3: Author's Background

The article was published in July 2005 in Information Management Journal, Jul/Aug 2005, Vol. 39, Issue 4, p. 60.

René Saint-Germain has expertise in the implementation of governance and IT compliance frameworks (ISO 9001, ISO 20000, ISO 27001, ISO 27002, ISO 27005, ISO 22301, SOX, ITIL, COBIT).

As a member of the international committee for the development of security standards (CS27), he participated in the development of ISO 27001 and other ISO 27000 family standards.

Current positions:
Training and Audit Manager at Altirian
Scheme Committee Member at PECB
Lead Auditor at Bureau Veritas

Page 4: What is ISO 17799?

ISO 17799 is an internationally recognized information security management standard, first published by the International Organization for Standardization, or ISO (www.iso.ch), in December 2000.

ISO 17799 is high level, broad in scope, and conceptual in nature.

ISO 17799 is not:
A technical standard
Product or technology driven
An equipment evaluation methodology such as the Common Criteria/ISO 15408

Page 5: Background on ISO 17799

ISO 17799 is a direct descendant of the British Standards Institution (BSI) information security management standard BS 7799. British Standard (BS) 7799 from the BSI was first published in 1995 to provide guidance and best practices in information security.

The original standard ("Part 1") was revised and released in 1999 and was adopted by ISO as ISO 17799 in 2000. In 2005 ISO 17799 (Part 1) was revised, and in 2007 it was incorporated as ISO/IEC 27002.

After wide consultation, it was determined that there was a need for a "specification" that could be audited against or used as a baseline. Thus, in 1998 a second part ("Part 2") was released, which was a specification for an Information Security Management System. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.

Page 6: The Ten Domains of ISO/IEC 17799

Page 7: The Ten Domains of ISO/IEC 17799

Security Policy
The Security Policy control addresses management support, commitment, and direction in accomplishing information security goals, including:

Information Security Policy document – a set of implementation-independent, conceptual information security policy statements governing the security goals of the organization.

Ownership and review – Ongoing management commitment to information security is established by assigning ownership and review schedules for the Information Security Policy document.

Page 8: The Ten Domains of ISO/IEC 17799

Organizational Security
The Organizational Security control addresses the need for a management framework that creates, sustains, and manages the security infrastructure, including:

Information System Security Officer (ISSO) – acts as a central point of contact for information security issues, direction, and decisions.

Information security responsibilities – individual information security responsibilities are unambiguously allocated and detailed within job descriptions.

Authorization processes – ensures that security considerations are evaluated and approvals obtained for new and modified information processing systems.

Third-party access – mechanisms to govern third-party interaction within the organization based on business requirements.

Outsourcing – organizational outsourcing arrangements should have clear contractual security requirements.

Page 9: The Ten Domains of ISO/IEC 17799

Asset Classification and Control
Asset Classification and Control addresses the ability of the security infrastructure to protect organizational assets, including:

Accountability and inventory – Mechanisms to maintain an accurate inventory of assets, and to establish ownership and stewardship of all assets.

Classification – Mechanisms to classify assets based on business impact.

Labeling – Labeling standards to indicate whether an asset is sensitive or critical.

Handling – Handling standards that define how an information asset may be copied, stored, transmitted, or destroyed, based on its classification.

Page 10: The Ten Domains of ISO/IEC 17799

Personnel Security
The Personnel Security control addresses an organization's ability to mitigate the risk inherent in human interactions, including:

Personnel screening – Ascertain the qualification and suitability of all personnel with access to organizational assets. This framework may be based on job descriptions and/or asset classification.

Security responsibilities – Personnel should be clearly informed of their information security responsibilities, including codes of conduct and non-disclosure agreements.

Terms and conditions of employment – Personnel should be clearly informed of their information security responsibilities as a condition of employment.

Training – A mandatory information security awareness training program is conducted for all employees, including new hires and established employees.

Recourse – A formal process to deal with violations of information security policies.

Page 11: The Ten Domains of ISO/IEC 17799

Physical and Environmental Security
The Physical and Environmental Security control addresses the risk inherent to organizational premises, including:

Location – Organizational premises should be analyzed for environmental hazards.

Physical security perimeter – The premises security perimeter should be clearly defined and physically sound. A given premises may have multiple zones based on classification level or other organizational requirements.

Access control – Breaches in the physical security perimeter should have appropriate entry/exit controls commensurate with their classification level.

Equipment – Equipment should be sited within the premises to ensure physical and environmental integrity and availability.

Asset transfer – Mechanisms to track entry and exit of assets through the security perimeter.

Page 12: The Ten Domains of ISO/IEC 17799

Communications and Operations Management
The Communications and Operations Management control addresses an organization's ability to ensure correct and secure operation of its assets, including:

Operational procedures – A comprehensive set of procedures, in support of organizational standards and policies.

Change control – Process to manage change and configuration control, including change management of the Information Security Management System.

Incident management – Mechanism to ensure timely and effective response to any security incidents.

Segregation of duties – Segregation and rotation of duties minimize the potential for collusion and uncontrolled exposure.

Capacity planning – Mechanism to monitor and project organizational capacity to ensure uninterrupted availability.

Page 13: The Ten Domains of ISO/IEC 17799 (Communications and Operations Management, continued)

General – Policies and standards, such as utilization of shredding equipment, secure storage, and "clean desk" principles, should exist to govern operational security within the workspace.

System acceptance – Methodology to evaluate system changes to ensure continued confidentiality, integrity, and availability.

Malicious code – Controls to mitigate the risk from introduction of malicious code.

Housekeeping – Policies, standards, guidelines, and procedures to address routine housekeeping activities such as backup schedules and logging.

Network management – Controls to govern the secure operation of the networking infrastructure.

Media handling – Controls to govern secure handling and disposal of information storage media and documentation.

Page 14: The Ten Domains of ISO/IEC 17799

Access Control
Access Control addresses an organization's ability to control access to assets based on business and security requirements, including:

User management – mechanisms to:
Register and deregister users
Control and review access and privileges
Manage passwords

Network access control – policy on usage of network services, including mechanisms (when appropriate) to:
Authenticate nodes
Authenticate external users
Define routing
Control network device security
Maintain the security of network services

Page 15: The Ten Domains of ISO/IEC 17799

Host access control – Mechanisms (when appropriate) to:
Automatically identify terminals
Securely log on
Authenticate users
Manage passwords
Secure system utilities
Furnish user duress capability, such as "panic buttons"
Enable terminal, user, or connection timeouts

Application access control – Limits access to applications based on user or application authorization levels.

Access monitoring – Mechanisms to monitor system access and system use to detect unauthorized activities.

Mobile computing – Policies and standards to address asset protection, secure access, and user responsibilities.
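The user-management mechanisms above (register and deregister users; control and review access and privileges) and the segregation-of-duties control from the Communications and Operations Management slide are usually exercised through a periodic access review. The script below is an added example of such a review and is not part of the original presentation or of the standard. Every record in it is constructed; the field names, the dormancy and review thresholds, and the conflicting-privilege matrix are assumptions of this example, not values prescribed by ISO/IEC 17799.

```python
"""Periodic access review, as an added example for the user-management
mechanisms (register/deregister users, control and review access and
privileges) and the segregation-of-duties control in the slides.
All records below are constructed for the example; the field names, the
thresholds and the conflict matrix are assumptions of this example, not
anything prescribed by ISO/IEC 17799."""
from datetime import date

# Constructed review date so the example is reproducible offline.
AS_OF = date(2017, 4, 12)

# Constructed HR roster: people who currently have a valid employment relationship.
HR_ROSTER = {"alice", "bob", "carol", "dave"}

# Constructed account inventory. "owner" marks the person responsible for a service account.
ACCOUNTS = [
    {"user": "alice", "privileges": {"create_vendor", "approve_payment"},
     "last_login": date(2017, 4, 1), "last_review": date(2017, 1, 15)},
    {"user": "bob", "privileges": {"read_reports"},
     "last_login": date(2016, 9, 2), "last_review": date(2017, 1, 15)},
    {"user": "carol", "privileges": {"admin"},
     "last_login": date(2017, 4, 5), "last_review": date(2016, 6, 1)},
    {"user": "erin", "privileges": {"read_reports"},
     "last_login": date(2017, 3, 30), "last_review": date(2017, 1, 15)},
    {"user": "svc_backup", "owner": "dave", "privileges": {"admin"},
     "last_login": date(2017, 4, 10), "last_review": date(2017, 1, 15)},
]

# Assumed segregation-of-duties matrix: privilege pairs that must not sit with
# one person, because together they complete a transaction with no second check.
SOD_CONFLICTS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"admin", "approve_payment"}),
]


def review_accounts(accounts, roster, today=AS_OF, dormant_days=90, review_days=180):
    """Return the findings an access reviewer would act on.

    deregister                - owner is no longer on the HR roster (deregistration due)
    dormant                   - no login for more than dormant_days
    privileged_review_overdue - admin privilege not re-reviewed within review_days
    sod_conflict              - one account holds a conflicting privilege pair
    """
    findings = {"deregister": [], "dormant": [],
                "privileged_review_overdue": [], "sod_conflict": []}
    for acct in accounts:
        name = acct["user"]
        # Service accounts are attributed to their named owner; ordinary accounts to themselves.
        owner = acct.get("owner", name)
        if owner not in roster:
            findings["deregister"].append(name)
        if (today - acct["last_login"]).days > dormant_days:
            findings["dormant"].append(name)
        if "admin" in acct["privileges"] and (today - acct["last_review"]).days > review_days:
            findings["privileged_review_overdue"].append(name)
        for conflict in SOD_CONFLICTS:
            if conflict <= acct["privileges"]:
                findings["sod_conflict"].append((name, tuple(sorted(conflict))))
    return findings


def format_report(findings):
    """Render the findings as plain text for the reviewer's sign-off record."""
    lines = []
    for category, items in findings.items():
        lines.append(f"{category}: {', '.join(str(i) for i in items) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_accounts(ACCOUNTS, HR_ROSTER)))
```

Run as written, the review flags erin for deregistration (not on the roster), bob as dormant, carol's admin privilege as overdue for re-review, and alice as holding the conflicting create_vendor/approve_payment pair. The point of the design is that each finding ties back to one control on the slides, so the review output doubles as the evidence an auditor would ask for under the Access Control domain.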

Page 16: The Ten Domains of ISO/IEC 17799

System Development and Maintenance
Security should ideally be built in at the inception of a system. Hence security requirements should be identified and agreed prior to the development of information systems.

System security requirements – Incorporates information security considerations in the specifications of any system development or procurement.

Application security requirements – Incorporates information security considerations in the specification of any application development or procurement.

Cryptography – Policies, standards, and procedures governing the usage and maintenance of cryptographic controls.

System integrity – Mechanisms to control access to, and verify integrity of, operational software and data, including a process to track, evaluate, and incorporate asset upgrades and patches.

Development security – Integrates change control and technical reviews into the development process.

Page 17: The Ten Domains of ISO/IEC 17799

Business Continuity Management
The Business Continuity Management control addresses an organization's ability to counteract interruptions to normal operations, including:

Business continuity planning – Business continuity strategy based on a business impact analysis.

Business continuity testing – Testing and documentation of the business continuity strategy.

Business continuity maintenance – Identifies ownership of the business continuity strategy as well as ongoing re-assessment and maintenance.

Page 18: The Ten Domains of ISO/IEC 17799

Compliance
The Compliance control addresses an organization's ability to remain in compliance with regulatory, statutory, contractual, and security requirements, including:

Legal requirements – awareness of:
Software copyright
Intellectual property rights
Safeguarding of organizational records
Data protection and privacy of personal information
Prevention of misuse
Regulation of cryptography
Collection of evidence

Page 19: Implementation Considerations

Uses of the ISO/IEC 17799 Standard

Page 20: Certification Process

Organizations that base their information security management system (ISMS) on the BS 7799 specification can apply to become certified.

What is an ISMS? A framework to manage the security risks within an organization.

An organization that obtains certification is said to be ISO/IEC 17799 compliant and BS 7799 certified.

To guide organizations through this process, BS 7799 uses the Plan-Do-Check-Act (PDCA) model.

Once an organization has developed, implemented, and documented its ISMS, an accredited certification body carries out a third-party audit.

Page 21: Certification Process

PDCA phases

Page 22: Benefits of Implementing the ISO/IEC 17799/BS 7799 Framework

BS 7799 certification serves as a public statement of an organization's ability to manage information security. It demonstrates to partners and clients that the organization has implemented adequate information security and business continuity controls.

It also demonstrates the organization's commitment to ensuring that its information security management system and security policies continue to evolve and adapt to changing risk exposures.

Certification is a mark of distinction that sets organizations apart from their competition and provides partners, shareholders, and clients with greater confidence.

Because of the reduced risk to which ISO/IEC 17799 compliant organizations are exposed, these organizations will spend less money recovering from security incidents, which may also translate into lower insurance premiums.

Pages 23-27: Survey

Page 28: How much does it cost?

A copy of 17799 is available through the ISO Web site (www.iso.org) for roughly $150. But that $150 investment is only a fraction of the cost of security assessments, penetration testing, auditors and consultants, which can run into the hundreds of thousands, if not millions, of dollars. This is why organizations with a solid working knowledge of their security threats have a better shot at using the standard.

Page 29: References

IT Governance: Data Security & BS 7799/ISO 17799, by Alan Calder and Steve Watkins, 2002.

ISO/IEC 17799:2000(E) Code of Practice for Information Security Management. Geneva: ISO, 2000. www.iso.ch

BS 7799-2:2002 Information Security Management Systems – Specification with Guidance for Use. London: BSi, September 2002. www.bsi-global.com

http://www.bsmreview.com/security_best_practice_survey.shtml

http://www.gta.ufrj.br/ensino/cpe728/03_ins_info_security_iso_17799_1101.pdf

http://www.openmpe.com/cslproceed/HPW04CD/papers/3353.pdf
