
Number of slides: 51
Information Security Management: BS 7799 and certification
3 & 4 August 2000, Brasilia
Peter Restell, Business Programme Manager
Responsible for:
• BS 7799-1 & 2
• c-cure certification
• TickIT certification
• committee responsible for IT Security techniques at an international level (JTC 1/SC 27)
BSI-DISC
BS 7799 - Information Security Management 2000
BSI-DISC
• DISC is a part of the Standards Division of the British Standards Institution [BSI], the national standards body for the UK, incorporated under Royal Charter
• Scope: the management of standardization of information, communication and telecomms technologies in the UK, Europe and internationally
Why do we need BS 7799?
• Increasing threats
  – threats from viruses, hackers, fraud and espionage increasing
• Increasing exposure
  – greater dependence on IT, less central control, new entry points for intruders
• Increasing expectations
  – managers, business partners, auditors and regulators demand protective measures
Trends in Security Threats
                  Malicious              Accidental
Confidentiality   Espionage, Leaks       Oversights, Breaches
Integrity         Fraud, Mischief        Errors, Failures
Availability      Sabotage, Vandalism    Breakdowns, Disasters
Organizational Trends (diagram; axes: External relationships, Strong to Weak; Internal relationships, Hierarchical ‘Hard’ to ‘Soft’)
Yesterday’s Solution (diagram)
Today’s Situation (diagram; label: Other Company sites)
What is BS 7799?
BS 7799 : 1999
• Part 1 - Code of Practice for information security management - provides ‘best practice’ advice [developed in the early 90s, Part 1 was first published in 1995; updated in 1999]
• Part 2 - Specification for information security management systems - develops a management framework and enables internal/external audits to be conducted [updated in 1999]
Information Security Management
• Information - all media (printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation)
• Information Security - preservation of:
  – confidentiality: ensuring that information is accessible only to those authorized to have access;
  – integrity: safeguarding the accuracy and completeness of information and processing methods;
  – availability: ensuring that authorized users have access to information and associated assets when required.
• Information Security Management - achieved by selecting and implementing a suitable set of controls, e.g. policies, procedures, organizational structures and software functions
BS 7799-1: 1999 format (the slide shows one clause with its parts labelled: Control, Control objective, Additional controls, Advice)
6.2 User training
Objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.
Users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.
6.2.1 Information security education and training
All employees of the organization and, where relevant, third party users, should receive appropriate training and regular updates in organizational policies and procedures …
BS 7799-1: 1999 - the main topics
• Security Policy
• Security Organisation
• Assets classification and control
• Personnel security
• Physical and environmental security
• Communications and Operations management
• Access control
• Systems development and maintenance
• Business Continuity management
• Compliance
BS 7799-1: 1999 controls
• There are 127 controls detailed in BS 7799; some are applicable and some are not. What to do?
• Gap analysis - to determine what is in place already
• Risk assessment - to identify the risks to information assets
• Risk management - selection of controls to manage the risks
BS 7799-1: 1999 controls - Security Policy
Information security policy
• Information security policy document
• Review and evaluation
BS 7799-1: 1999 controls - Security Organisation
Information security infrastructure
• Management information security forum
• Information security co-ordination
• Allocation of information security responsibility
• Authorization process for information processing facilities
• Specialist information security advice
• Co-operation between organizations
• Independent review of information security
Note: essential for large organizations
Security of third party access
• Identification of risks from third party access
• Security requirements in third party contracts
Outsourcing (new control to reflect modern trends)
• Security requirements in outsourcing contracts
BS 7799-1: 1999 controls - Assets classification and control
Accountability for assets
• Inventory of assets
Information classification
• Classification guidelines
• Information labelling and handling
BS 7799-1: 1999 controls - Personnel security
Security in job definition and resourcing
• Including security in job responsibilities
• Personnel screening and policy
• Confidentiality agreements
• Terms and conditions of employment
Note: sensitive issues require co-operation from the personnel (HR) department
User training
• Information security education and training
Note: essential for the success of the system
Responding to security incidents and malfunctions
• Reporting security incidents
• Reporting security weaknesses
• Reporting software malfunctions
• Learning from incidents
• Disciplinary process
Awareness Education - Essential!
• Main board
• Line managers
• Users
• Contractors
• IT staff
BS 7799-1: 1999 controls - Physical and environmental security
Secure areas
• Physical security perimeter
• Physical entry controls
• Securing offices, rooms and facilities
• Working in secure areas
• Isolated delivery and loading areas
Equipment security
• Equipment siting and protection
• Power supplies
• Cabling security
• Equipment maintenance
• Security of equipment off-premises
• Secure disposal or re-use of equipment
General controls
• Clear desk and clear screen policy
• Removal of property
BS 7799-1: 1999 controls - Communications and Operations management
Operational procedures and responsibilities
• Documented operating procedures
• Operational change control
• Incident management procedures
• Segregation of duties
• Separation of development and operational facilities
• External facilities management
System planning and acceptance
• Capacity planning
• System acceptance
Protection against malicious software
• Controls against malicious software
Housekeeping
• Information back-up
• Operator logs
• Fault logging
Network management
• Network controls
Media handling and security
• Management of removable computer media
• Disposal of media
• Information handling procedures
• Security of system documentation
BS 7799-1: 1999 controls - Communications and Operations management (continued)
Exchanges of information and software (new controls - essential for e-commerce and e-business transactions)
• Information and software exchange agreements
• Security of media in transit
• Electronic commerce security
• Security of electronic mail
• Security of electronic office systems
• Publicly available systems
• Other forms of information exchange
BS 7799-1: 1999 controls - Access control
Business requirement for access control
• Access control policy
User access management
• User registration
• Privilege management
• User password management
• Review of user access rights
User responsibilities
• Password use
• Unattended user equipment
Network access control
• Policy on use of network services
• Enforced path
• User authentication for external connections
• Node authentication
• Remote diagnostic port protection
• Segregation in networks
BS 7799-1: 1999 controls - Access control (continued)
Operating system access control
• Automatic terminal identification
• Terminal log-on procedures
• User identification and authentication
• Password management system
• Use of system utilities
• Duress alarm to safeguard users
• Terminal time-out
• Limitation of connection time
Application access control
• Information access restriction
• Sensitive system isolation
Monitoring system access and use
• Event logging
• Monitoring system use
• Clock synchronization
Mobile computing and teleworking
• Mobile computing
• Teleworking
Note: responsibilities need to be determined to judge the strength of appropriate controls
Responsibilities
• Information Owner
• Information Custodian
• Information User
• Line Manager
• Information Security Manager
• Security Contact/Help Desk
BS 7799-1: 1999 controls - Systems development and maintenance
Security requirements of systems
• Security requirements analysis and specification
Security in application systems
• Input data validation
• Control of internal processing
• Message authentication
• Output data validation
Cryptographic controls
• Policy on the use of cryptographic controls
• Encryption
• Digital signatures
• Non-repudiation services
• Key management
Security of system files
• Control of operational software
• Protection of system test data
• Access control to program source library
Security in development and support processes
• Change control procedures
• Technical review of operating system changes
• Restrictions on changes to software packages
• Covert channels and Trojan code
• Outsourced software development
BS 7799-1: 1999 controls - Business Continuity management
Aspects of business continuity management (Business Continuity Management section completely revised)
• Business continuity management process
• Business continuity and impact analysis
• Writing and implementing continuity plans
• Business continuity planning framework
• Testing, maintaining and re-assessing business continuity plans
BS 7799-1: 1999 controls - Compliance
Compliance with legal requirements
• Identification of applicable legislation
• Intellectual property rights (IPR)
• Safeguarding of organizational records
• Data protection and privacy of personal information
• Prevention of misuse of information processing facilities
• Regulation of cryptographic controls
• Collection of evidence
Reviews of security policy and technical compliance
• Compliance with security policy
• Technical compliance checking
System audit considerations
• System audit controls
• Protection of system audit tools
Get help or create a Forum
• Personnel
• IT
• Internal audit
• Security
• Building services
• Procurement
• Business Continuity Planning
• Quality Management
Critical Success Factors - from the standard
• Security policy – security policy, objectives and activities must reflect business objectives
• Implementing security – the approach to implementation must be consistent with the organization culture
• Management support – there must be visible support and commitment from management
• Good understanding – must have a good understanding of security requirements, risk assessment and risk management
• Effective marketing – must effectively market security to all managers and employees
• Effective communication – distribution of guidance on information security policy and standards to all employees and contractors
• Education – must provide appropriate training and education
• Measurement and feedback – should evaluate performance in information security management and feed back suggestions for improvement
Critical Success Factors - from experience
Top-down commitment
• Policy document
• Allocation of responsibilities
• Education and training
• Information ownership
• Incident reporting
• Selection of appropriate controls
• Business continuity planning
• Compliance with legal requirements
• Continuous review & improvement
BS 7799 to become an International Standard?
• The UK committee responsible for BS 7799 has decided to submit BS 7799-1 to ISO for fast-track balloting and adoption as an International Standard. Voting closes 3 August 2000.
• ISO/IEC 17799-1
Accredited certification to BS 7799
The c:cure scheme - how does it work? (diagram slides; recoverable labels: BS 7799 Certification, Formal accreditation, Accountability)
Accredited certification to BS 7799 - The c:cure scheme - how does it work?
• Voluntary scheme, managed by BSI-DISC
• Uses BS 7799-2 : 1999, supported by guidance
• Certification Bodies must prove their competence (via UKAS)
• Individual auditors must prove their competence through an independent register (via IRCA and BCS)
• Desktop review of submission documents
• Organisations undergo audit, leading to certification
• Continuing audit visits to ensure the ISMS is maintained
BS 7799-2: 1999 Establishing a management framework
• Define a Security Policy
• Define the scope and boundaries
• Undertake a Risk Assessment
• Manage the risk
• Select appropriate controls
• Prepare a Statement of Applicability
• Implement the selected control objectives
• Document the system and control it
• Maintain the system and records
BS 7799-2: 1999 Establishing a management framework (diagram slides; the only recoverable label is ‘System Documentation’)
Establishing a management framework - some problem areas
• Define the scope and boundaries
  – The scope of implementation or certification can be limited and defined by location, assets, organization or technology; however, the Risk Assessment must review this reduced scope to establish how the other parts of the organization are interconnected (IT network and business process). For example:
  * Remote connections (staff working off-site)
  * Intranet connections to other sites
  * Supplier chains
  * Outsourcing
Establishing a management framework - some problem areas
• BS 7799 far too complex for my business
  – Some of the issues raised in the standard seem fine for banking environments, but are not really required for smaller businesses.
  – BS 7799 is not prescriptive and allows the user to determine:
  * the organization’s approach to risk management,
  * the strength of control applied,
  * the selection/de-selection of controls (Statement of Applicability)
  – This approach provides sufficient flexibility for the standard to be applied to both large and small businesses
Establishing a management framework - some problem areas
• Risk Assessment - What does a certification body expect to see?
  – The risk assessment must be appropriate and competently executed.
• Can BSI-DISC recommend a Risk Assessment software tool?
  – BSI-DISC are in the process of developing a dedicated software tool that can be used to:
  – gather information about the ISMS;
  – Gap Analysis;
  – identify security requirements;
  – conduct a BS 7799 Risk Assessment (baseline or detailed);
  – select the appropriate controls from BS 7799;
  – produce a ‘Statement of Applicability’ and
  – produce management reports.
Please contact BSI-DISC (c_cure@bsi.org.uk) to register your interest in the product. Further details will be provided to you when available (September 2000).
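The BS 7799-2 framework steps (scope, risk assessment, risk management, control selection, Statement of Applicability) and the functions listed for the planned BSI-DISC tool, as an added illustration in Python that is not from the presentation or from BSI-DISC. The value/likelihood scoring scale, the threat-to-control mapping, the sample assets and the gap-analysis result are assumptions constructed for the example; the control names are those on the slides.

```python
from dataclasses import dataclass

# Constructed catalogue: a few BS 7799-1 controls named on the slides, by control area.
CATALOGUE = {
    "Information back-up": "Communications and Operations management",
    "Controls against malicious software": "Communications and Operations management",
    "User password management": "Access control",
    "User authentication for external connections": "Access control",
    "Electronic commerce security": "Communications and Operations management",
    "Security requirements in outsourcing contracts": "Security Organisation",
}
# Assumed mapping from threat to the controls that treat it (not prescribed by the standard).
TREATMENTS = {
    "virus": ["Controls against malicious software", "Information back-up"],
    "hacker": ["User password management", "User authentication for external connections"],
    "breakdown": ["Information back-up"],
}

@dataclass
class Asset:
    name: str
    value: int      # 1 (low) .. 3 (high); assumed scale
    threats: dict   # threat -> likelihood 1 .. 3; assumed scale

def assess(assets, threshold=4):
    """Baseline risk assessment: risk = asset value x threat likelihood.
    Returns {threat: [(asset, score)]} for every risk at or above the threshold."""
    risks = {}
    for asset in assets:
        for threat, likelihood in asset.threats.items():
            score = asset.value * likelihood
            if score >= threshold:
                risks.setdefault(threat, []).append((asset.name, score))
    return risks

def statement_of_applicability(risks, in_place):
    """One row per catalogue control: selected or not, why, and whether the gap
    analysis (controls already in place) leaves it still to be implemented."""
    rows = []
    for control, area in CATALOGUE.items():
        treated = [t for t, controls in TREATMENTS.items() if t in risks and control in controls]
        why = "; ".join(f"{t} risk on {', '.join(a for a, _ in risks[t])}" for t in treated)
        rows.append({"control": control, "area": area, "applicable": bool(treated),
                     "justification": why or "no assessed risk in scope",
                     "gap": bool(treated) and control not in in_place})
    return rows
# Constructed sample scope and gap-analysis result (controls already in place).
SAMPLE_ASSETS = [
    Asset("customer database", 3, {"virus": 2, "hacker": 2, "breakdown": 1}),
    Asset("public web site", 2, {"hacker": 2, "breakdown": 3}),
    Asset("office printer", 1, {"virus": 1, "breakdown": 2}),
]
IN_PLACE = {"Information back-up"}
if __name__ == "__main__":
    for row in statement_of_applicability(assess(SAMPLE_ASSETS), IN_PLACE):
        status = "GAP" if row["gap"] else ("yes" if row["applicable"] else "n/a")
        print(f"{status:4}{row['control']}: {row['justification']}")
```

Every control gets a row, including the ones deselected, because the Statement of Applicability has to justify both selection and de-selection to the auditor.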
BS 7799 certification - benefits?
• Image, reputation
• Improved confidence and trust - demonstrates to your trading partners/customers that you are ‘serious about information security’
• Demonstrates compliance with the information security elements of the UK Data Protection Act
• Independent, competent external review of your systems
• Third party audit acts as a driver for the internal programme
Additional guides to BS 7799
• PD 3000 Information Security Management: An Introduction
• PD 3001 Preparing for BS 7799 certification *New revision*
• PD 3002 Guide to BS 7799 Risk Assessment and Risk Management (based on ISO/IEC 13335-3)
• PD 3003 Are you ready for a BS 7799 audit? *New revision*
• PD 3004 Guide to BS 7799 Auditing *New revision*
• PD 3005 Guide on the selection of BS 7799 controls *New* (based on ISO/IEC 13335-4)
Contact Details
Peter Restell
BSI-DISC
389 Chiswick High Road
London W4 4AL
United Kingdom
Tel: +44 (0)20 8995 7424
Fax: +44 (0)20 8996 7448
Email: peter.restell@bsi.org.uk
Contact Details
BSI-DISC c:cure Office
389 Chiswick High Road
London W4 4AL
United Kingdom
Tel: +44 (0)20 8995 7799
Fax: +44 (0)20 8996 7429
Email: c_cure@bsi.org.uk
Internet: www.c-cure.org