In last month's column we discussed the practical application of Information Security Management in the Financial Services sector. We touched on the need for an overall information security strategy and capability within an organisation, especially organisations in the financial services sector. Following on from last month's feature, this month we bring you some insight into the application of BS7799 in an organisation, following the acceptance of BS7799 as an international information security standard.
Organisations are increasingly relying on information technology. This reliance, together with the advances of electronic commerce, has pressured organisations to ensure adequate protection of their information systems and information assets. An organisation therefore needs to implement some kind of information security mechanism. It has been our experience that organisations normally implement some kind of technology solution that would provide them with the required level of security; however, what organisations forget is the people and the processes required to manage this technology.
The objective of information security is to safeguard the confidentiality, integrity and availability of information. It ensures business continuity and reduces business damage by preventing and minimising the impact of security incidents. Information security also enables information to be shared through mechanisms that protect information and computing assets.
Information security requires not only the formulation of appropriate policies and standards, but also their implementation, review and maintenance. Once the time is taken to consider the requirements of information security, most organisations find that a considerable amount of effort is needed for their implementation, and this is not always economically viable in the short term.
For this reason, information security is implemented over a period of time with the most important areas being addressed early on and less important areas being addressed later in a more cost-effective manner.
On the other hand, for one organisation's systems to trust another organisation's systems, an information security certification process provides assurance that the information stored and processed by those information systems is adequately protected and secured.
BS7799 (SABS 7799, ISO 17799:2000) is the only international information security standard that provides the basis of a management framework for information security and also provides for a certification process whereby organisations' information security management processes can be certified.
Background to BS7799
The British Standard (BS7799) was developed by the British Department of Trade and Industry, with the co-operation of leading UK companies and organisations. BS7799 provides over 100 security guidelines structured under 10 major headings to enable readers to identify the security controls which are appropriate to their particular business or specific area of responsibility. As well as giving detailed security controls for computers and networks, BS7799 also provides guidance on security policies, staff security awareness, business continuity planning, and legal requirements.
Since 1 December 2000 the Code of Practice for Information Security Management has been accepted and published as an international standard - ISO/IEC 17799:2000.
The same standard has also been submitted to the South African Bureau of Standards (SABS) to be accepted as a South African standard (SABS 7799).
The Code of Practice
BS7799 comprises two parts: Part 1, a code of practice for information security management, and Part 2, the specification for information security management systems.
Compliance with the standard ensures that senior managers and personnel responsible for initiating, implementing and maintaining information security will:
* Act in accordance with their intentions.
* Detect when they fail to do so, and make amends.
* Keep abreast of market, world and technology changes that may have an effect on the way their organisation should deal with information, and take action accordingly.
BS7799 Part 1
BS7799 (Part 1), the code of practice, provides a comprehensive set of security controls that are intended to serve as a single reference to a range of controls considered to be good practice.
The 1999 version emphasises the importance of risk management and makes it clear that you do not have to implement every single guideline of Part 1, but only those that are relevant, based on the risk assessment of your business.
A number of controls can be considered as guiding principles providing a good starting point for implementing an information security management process.
For an entry-level certificate the organisation must have implemented information security based on the 10 'key controls' described in BS7799:1995.
The key controls are as follows:
* Information security policy document (§1.1.1)
* Allocation of information security responsibilities (§2.1.3)
* Information security education and training (§4.1.2)
* Reporting of security incidents (§4.3.1)
* Virus controls (§6.3.1)
* Business continuity planning process (§9.1.1)
* Control of proprietary software copying (§10.1.1)
* Safeguarding of organisational records (§10.1.2)
* Data protection (§10.1.3)
* Compliance with security policy (§10.2.1)
The organisation must comply with the following terms regarding information security:
* The company management with executive responsibility shall compile a compliance statement, stating the scope of application and the selection of objectives and measures described in the 10 key controls. The selection and the exclusion of objectives and measures shall be justified in the compliance statement.
* The measures shall be documented. (Note: Documentation can take the form of procedures and work instructions.)
* The measures shall be implemented in an effective and demonstrable way.
The relevance of any control should be determined in the light of the specific risks an organisation is facing. The above approach can be a good starting point for information security, although the selection of controls based on a risk assessment can also be used as a starting point.
For an Advanced Level Certificate the organisation must have implemented information security in conformance with the following criteria:
* The company management with executive responsibility shall compile a compliance statement, stating the scope of application and the selection of categories, objectives and measures listed in BS7799. For all categories, objectives and measures, the selection or exclusion shall be justified in the compliance statement. The 10 key controls must be included in the selection; the other categories, objectives and measures listed in BS7799 shall not all be excluded.
(Note: If so desired, additional categories, objectives and measures, not listed in BS7799, can be included, provided that the Compliance Statement contains the documented justification for this and the description of the additions.)
* The organisation shall demonstrate, via risk analysis or similar method, that the selected categories, objectives and measures offer an adequate level of protection.
* The measures shall be documented. (Note: Documentation can take the form of an information security handbook containing procedures and work instructions, or referring to procedures and work instructions documented elsewhere.)
* The measures shall be implemented in an effective and demonstrable way.
BS7799 Part 2
BS7799 (Part 2), the specification for information security management systems, is based on the code of practice. The specification was prepared as a basis for an assessment of the information security management system (ISMS). The security controls defined in the specification are directly derived from, and aligned with, those of the code of practice.
The BS7799 ISMS framework can therefore serve as the basis of the information security certification process, and can be used by an organisation to prepare for and acquire BS7799 certification.
The list of security controls defined in the specification is neither exhaustive nor does it cater for every situation in all industries. The organisation should use the security controls selectively depending on the organisation's information security requirements. It may be necessary for an organisation to define additional security controls that are specific to its own environment.
The ISMS framework defines activities that develop, implement and document security controls, as part of the preparation process for BS7799 certification.
The major steps towards BS7799 compliance
A six-step process is used to define how to build an ISMS, as illustrated in the figure.
Step 1 - Define information policy:
The policy is a set of principles and directives that are based on the organisation's information security objectives and strategy. The policy statement must have senior management's commitment and support and should be documented in a policy document.
Part 2 recommends that you stand back and consider all of the information assets and their value to your organisation. You then ought to devise a policy that identifies what information is important and why. From a practical point of view, only information with significant value should be of concern.
Step 2 - Define scope:
The organisation should define the scope of the ISMS based on the information security policy defined in Step 1. The boundaries of the scope may be based on the organisation's business areas, application systems, technology or geographical area. All the information assets defined within the scope of the ISMS should be clearly documented.
Excluding low-risk information assets allows you to define the scope of your management concerns. You may discover that your concerns permeate your organisation as a whole. In this case you will need to regard all of your information systems and their external interfaces (IT and electronic forms of communication, filing cabinets, telephone conversations, public relations and so on) as being within the scope of the ISMS. Alternatively, your concerns may focus on a particular customer-facing system.
Step 3 - Perform risk assessment:
Now that you know what information is in scope and what its value to the organisation is, your next step should be to determine the risk of losing those assets. The organisation should undertake a risk assessment of the information assets identified in the scope of the ISMS in Step 2. The organisation should assess the threats and vulnerabilities to those assets, and their impact on the organisation. The results and conclusions of the risk assessment should be documented.
Remember to consider both business and technological risks. At one extreme you need to consider the complexities of technology; at the other you need to consider business forces in terms of advancing technology and enterprise, as well as the ugly side of industrial espionage and information warfare.
Step 4 - Management of the risk:
The organisation should identify the areas of risk and how these are to be managed based on the organisation's information security policy defined in Step 1 and the required degree of assurance.
Your actions will most certainly start with the technology, but do not forget the people and the processes, as well as administrative procedures and physical things like doors and locks. Also do not forget insurance. If you cannot prevent something from happening, maybe you can detect if it does happen and do something to contain it or otherwise reduce the danger. In the end, you will need an effective continuity plan.
Step 5 - Select security controls:
You will then need to choose your 'safeguards', i.e. the ways you have selected to manage the risk.
The organisation should select the security controls to be implemented based on the degree of assurance required, as described in Step 4. The BS7799 code of practice provides a comprehensive set of security controls that an organisation can select from, but the list is not exhaustive and you are free to identify additional measures as you please. The selected security controls must be documented.
Step 6 - Prepare statement of applicability:
The organisation should prepare a statement of applicability, which justifies the selection and exclusions of security controls from the code of practice.
You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and show why those BS7799 controls that have not been chosen are not relevant. In addition to the above, the ISMS should also document the actions taken within the management framework, a summary of the management framework, the procedures that implement the controls and define the ISMS, and the procedures for managing and implementing it.
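As an added example (not from the column, and not KPMG's or BSI's own material), the following Python sketch runs Steps 2 to 6 on a constructed scenario: a scope of two assets with business values, threats scored as asset value x likelihood x impact, a treatment threshold, control selection drawn from the 10 key controls listed earlier, and a statement of applicability that records a justification for every selected and excluded control. The 1..5 scales, the threshold, the baseline set and the threat-to-control mapping are assumptions made for illustration.

```python
from collections import namedtuple
KEY_CONTROLS = {  # the 10 key controls of BS7799:1995, keyed by clause
    "1.1.1": "Information security policy document",
    "2.1.3": "Allocation of information security responsibilities",
    "4.1.2": "Information security education and training",
    "4.3.1": "Reporting of security incidents",
    "6.3.1": "Virus controls",
    "9.1.1": "Business continuity planning process",
    "10.1.1": "Control of proprietary software copying",
    "10.1.2": "Safeguarding of organisational records",
    "10.1.3": "Data protection",
    "10.2.1": "Compliance with security policy",
}
# Assumption: management controls kept whatever the individual risk scores say.
BASELINE = {"1.1.1", "2.1.3", "10.2.1"}
# likelihood and impact on a constructed 1..5 scale; treated_by lists clauses.
Threat = namedtuple("Threat", "asset description likelihood impact treated_by")

def assess(asset_values, threats, threshold):
    """Steps 2-4: risk = in-scope asset value (1..5) x likelihood x impact; at or
    above the threshold it must be treated; out-of-scope assets are not scored."""
    scored = [(t, asset_values[t.asset] * t.likelihood * t.impact)
              for t in threats if t.asset in asset_values]
    return [(t, s, s >= threshold) for t, s in scored]
def select_controls(rows):
    """Step 5: the baseline plus every control that treats a flagged risk."""
    return set(BASELINE).union(*(t.treated_by for t, _, treat in rows if treat))

def statement_of_applicability(rows, chosen):
    """Step 6: every key control with a justification for selection or exclusion."""
    soa = {}
    for clause, title in KEY_CONTROLS.items():
        risks = [t.description for t, _, treat in rows if treat and clause in t.treated_by]
        reason = ("selected: baseline management control" if clause in BASELINE
                  else "selected: treats " + "; ".join(risks) if risks
                  else "excluded: no in-scope risk above the threshold requires it")
        soa[clause] = (title, clause in chosen, reason)
    return soa

def example():
    """Constructed scenario: two assets in scope (Step 2); the canteen PC is not."""
    assets = {"payments system": 5, "customer records": 4}
    threats = [
        Threat("payments system", "virus outbreak on servers", 3, 4, ("6.3.1", "4.3.1")),
        Threat("customer records", "loss of archived records", 2, 4, ("10.1.2", "10.1.3")),
        Threat("customer records", "staff unaware of handling rules", 1, 2, ("4.1.2",)),
        Threat("canteen PC", "unlicensed software installed", 4, 4, ("10.1.1",)),
    ]
    rows = assess(assets, threats, threshold=20)
    return statement_of_applicability(rows, select_controls(rows))
```

In the scenario the staff-awareness risk scores 8 and is accepted, so clause 4.1.2 is excluded with a recorded reason, while the canteen threat is never scored because its asset was left out of scope in Step 2.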
For details contact Jackie Pieters, Manager, KPMG - Information Risk Management on tel: (011) 647 7010 or e-mail: email@example.com
or Celeste Teixeira, Marketing Manager at KPMG, Information Risk Management on tel: (011) 647 7156 or e-mail: firstname.lastname@example.org
The next information security column will feature a case study within the investment banking environment.