
BS7799:

how are you managing security?


Prepared by:
David Ryan, eircom net


Overview
Introduction to Information Security Management
BS7799 Overview
Implementing BS7799
Conclusion

Introduction to
Information Security Management

What is Information Security Management?
Information is an asset; if you don't protect it, trouble awaits!
Require knowledge to secure an asset
Security requirements: Confidentiality, Integrity, Availability
Threats and vulnerabilities
Protection should focus on the critical requirements
Information security management focuses on protecting your
information assets from harm (threats and vulnerabilities)
What to protect against?
- Unauthorised disclosure (loss of confidentiality)
- Unauthorised modification (loss of integrity)
- Loss/Destruction (loss of availability)
Must be driven by the business, not technology.
Security is the responsibility of everyone (Management key)

What are threats and vulnerabilities?
Threats can be considered the goals of an attacker
Physical Example: a burglar might want to break into your house
Virtual Example: an attacker might want to steal your customer database
Vulnerabilities allow an attacker to execute the threat
Physical Example: the backdoor is left open, making it easy for the burglar
to enter your house
Virtual Example: you allow anyone access to your database, without
restriction, making it easy for the attacker to steal your information
By defining threats to an asset and assessing potential
vulnerabilities surrounding that asset, you can make informed
decisions about how to protect your business.

Minimum suggested approach to
Information Security Management
Define a security policy (statement of intent)
Simple or detailed, must be enforceable and consistent with culture
Understand the risks you face
Difficult at first, but becomes easier and more beneficial with experience.
The Microsoft Security Risk Self-Assessment Tool can help direct you,
more advanced tools available if necessary
Implement useful and cost-effective controls
Having a 15k firewall may not be money well spent
Don't make security too complicated; get good/impartial advice
Test, review and improve your security posture
Use security assessment tools (free/commercial) and/or get in an expert
Provide a framework for responding to incidents (attacks, policy
violations, etc)

What should a policy contain?
Statement of the company intent towards security
Management at Company X is committed to ensuring information security
principles based on industry best practices will be adopted to help protect
the company against information attacks and fraudulent activity
Who it applies to (scope)
This policy applies to all users of Company X information and information
systems; This policy applies to the management of Company X networks
and firewalls;
What the responsibilities are
All staff must adhere to this policy; management should ensure staff
awareness; IT staff must ensure identified controls are implemented
Information security principles for the organisation
Access to Company X information assets will be restricted to authorised
users only; Use of Company X information assets is subject to management
inspection at any time;

Some simple rules for risk management
Get help if you need it
Once or twice with an expert might foster self-assessment in the future
Adopt an existing approach, no need to reinvent the wheel
Consider information assets (the critical few)
Define the security requirements of those assets
loss of confidentiality, integrity, availability, all?
Identify threats, what is the impact?
Assess vulnerabilities/exposures


Some simple rules for risk management
Determine the risks and how to treat them
Transfer: insurance!
Accept: do nothing (ok to operate, too difficult to resolve now, etc)
Avoid: drop the asset
Mitigate: reduce the risk to an acceptable level (implement controls)
Produce mitigation plans
How are you going to reduce the risk?
What controls will you implement? (high-level)
Prioritise your risk
Try rating risk as high, medium, low to help prioritise
Repeat periodically and when significant changes occur
DOCUMENT EVERYTHING!
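The two risk-management slides above describe a procedure: pick the critical assets, state their security requirements, identify threats and impact, assess vulnerabilities, rate the resulting risk high/medium/low, choose a treatment (transfer, accept, avoid, mitigate) and repeat periodically. The following Python is an added worked example of that procedure as a small risk register; it is not code from the presentation or from BS7799. The rating matrix, the asset names, threats, dates and control descriptions are all constructed sample input.

```python
"""Qualitative risk register following the steps on the slides.

Added example (not part of the original presentation). The rating
matrix and every register entry below are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# The slides suggest rating risk as high, medium or low.
LEVELS = ("low", "medium", "high")

# Constructed rating matrix: (impact, likelihood) -> risk level.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}

# The four treatments named on the slides.
TREATMENTS = ("transfer", "accept", "avoid", "mitigate")


@dataclass
class Risk:
    asset: str
    requirement: str            # confidentiality, integrity or availability
    threat: str                 # the attacker's goal
    vulnerability: str          # what lets the attacker execute the threat
    impact: str                 # low / medium / high
    likelihood: str             # low / medium / high
    assessed: date              # when this entry was last assessed
    treatment: str = "mitigate"
    controls: List[str] = field(default_factory=list)   # high-level mitigation plan
    residual_likelihood: Optional[str] = None           # likelihood once controls are in place

    def __post_init__(self) -> None:
        # "DOCUMENT EVERYTHING": reject entries that are not fully rated.
        if self.impact not in LEVELS or self.likelihood not in LEVELS:
            raise ValueError("impact and likelihood must be low, medium or high")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment: {self.treatment}")
        if self.treatment == "mitigate" and not self.controls:
            raise ValueError("mitigate requires a mitigation plan (controls)")

    def inherent_risk(self) -> str:
        """Risk before any treatment, from the rating matrix."""
        return RISK_MATRIX[(self.impact, self.likelihood)]

    def residual_risk(self) -> str:
        """Risk remaining after the chosen treatment."""
        if self.treatment == "avoid":
            return "none"                       # asset dropped, nothing left to protect
        if self.treatment in ("transfer", "accept"):
            return self.inherent_risk()         # rating unchanged; insured or knowingly accepted
        likelihood = self.residual_likelihood or self.likelihood
        return RISK_MATRIX[(self.impact, likelihood)]


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order the register so that high risks are treated first (stable sort)."""
    return sorted(register, key=lambda r: LEVELS.index(r.inherent_risk()), reverse=True)


def reviews_due(register: List[Risk], today: date, interval_days: int = 365) -> List[Risk]:
    """Entries older than the review interval: 'repeat periodically'."""
    return [r for r in register if today - r.assessed > timedelta(days=interval_days)]


def build_sample_register() -> List[Risk]:
    """Constructed register mirroring the slides' house/database examples."""
    return [
        Risk("office laptops", "availability", "burglary", "back door left unlocked",
             impact="medium", likelihood="medium", assessed=date(2002, 6, 1),
             treatment="transfer"),                                  # insurance
        Risk("customer database", "confidentiality", "attacker steals customer data",
             "anyone can access the database without restriction",
             impact="high", likelihood="high", assessed=date(2003, 9, 1),
             treatment="mitigate",
             controls=["restrict access to authorised users only",
                       "management inspection of access records"],
             residual_likelihood="low"),
        Risk("canteen menu file", "availability", "file deleted", "no backup copy",
             impact="low", likelihood="low", assessed=date(2003, 1, 15),
             treatment="accept"),                                    # ok to operate
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in prioritise(register):
        print(f"{r.inherent_risk():>6} -> {r.residual_risk():>6}  {r.asset} ({r.treatment})")
    print("due for review:", [r.asset for r in reviews_due(register, date(2004, 1, 1))])
```

The point of the example is the shape of the record, not the numbers: each entry carries the asset, the requirement at stake, the threat, the vulnerability, a rating and a documented treatment, so that the "Check" questions later in the deck (is the assessment still current? were the controls actually implemented?) can be answered from the register rather than from memory.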


Are you managing security?
Do you have a security policy?
Do you know what your assets are?
Do you know why they should be protected?
Do you know what they should be protected from? (threats and
vulnerabilities)
Got all the above? Great! But...
Is your policy enforced? How can you tell?
Did your risk assessment make it off the shelf?
Are you measuring your controls? (not measuring = not managing!)
Reviewing your risks regularly? Are your protections sufficient 12 months
later?
Technology must be balanced with management

Are you doing enough?
Sound familiar?
We have a great IT administrator who tells us everything is fine (trusting
staff is essential, but transparency promotes understanding)
We did a risk assessment 3 years ago and considered our premises and IT
equipment (physical assets only?)
We update passwords every 9 months or so (are passwords written
down? Same passwords used for all systems?)
We apply software updates for Microsoft products (other products?)
Previous slides offer a simplistic approach
A more complete framework can be found in security
management standards and best-practices (e.g. BS7799)

BS7799 Overview

What is BS7799?
A FRAMEWORK for managing information security
Guidance to help you ask the right questions of your business and
to ensure you manage the answers effectively.
Build on top of it, add details
Two parts
BS7799/ISO17799: code of practice for information security
management
BS7799-2-2002: specification for information security management
systems (ISMS - certification framework)
10 Objectives
127 Controls
After reading all of that at least one headache!


History and Development
Initially Developed by the UK DTI with Private Sector.
Timeline
1989 Users Code of Practice
1995 BS7799-1995 Initial Release
1999 BS7799-1999 Major Revision, split into guidelines (code of
practice) and standard (required for an information security
management system)
2000 ISO/IEC 17799 Accepted as International Standard
2002 BS7799-2-2002 Official Standard for Certification


Why should you consider it? (Benefits)
Industry standard based on best practices
Provides direction on how to manage security
Structured versus ad hoc security
It is flexible, you do not need to implement all 127 controls unless you deem
it necessary!
Business Enabler
Partner/Customer confidence
Not a differentiator: as its implementation grows, it becomes necessary to
operate! (e.g. UK NHS)
Can be tailored to certain portions of your business
E.g. online services, but not your office environment
Other external factors
Legal/Regulatory compliance (e.g. DPA, Copyright, etc)

BS7799 Part 1:
Code of Practice
1. Security Policy
2. Security Organisation
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communications and Operations Security
7. Access Control
8. Systems Development and Maintenance
9. Business Continuity Management
10. Compliance

BS7799 Part 2:
Information Security Management System
What is it?
Documented approach to managing security
Follows the Plan-Do-Check-Act cycle (continuous improvement)
Main components
Sets the scope (what does the ISMS cover? flexibility)
Encompasses the policies and procedures.
Assess and manage the risks (selection of applicable controls)
Implement the selected controls
Review the effectiveness of the controls, residual risk, etc
(Management review, internal audit can be outsourced)
Implement improvements
Update as your risks change


Example controls
(tales from the standard)
Outsourcing
Outsourcing should not result in less protection of your assets.
Using your security policy and the controls from the standard, define the
security requirements and responsibilities your outsourcing partner should
adhere to.
Malicious Software (e.g. viruses, worms, etc)
One of the significant problems to face desktop users.
Make sure you've got anti-virus software and it's updated regularly
(verification process)
Ensure users are aware of the seriousness of these threats
Common sense? Of course! The standard is full of it.
It can get trickier than this, but it is within your control.

BS7799 is not perfect
Common criticisms:
Only suitable for large organisation
Not enough detail for a standard
Rushed and Incomplete
It doesn't make you secure
Documentation HELL!
Perhaps, but...
Very flexible, can be applied to large and small organisations. You may only
apply it to a particular department, location or even procedure!
A lot of the problems are dependent on how it is implemented. Get good
advice/training where possible.
Fill the gaps, adopt more detailed standards where available
There is no silver bullet. No standard or product will make you secure.

Implementing
BS7799

Critical Success Factors
You must be committed to improving security
This is not a check-in-the-box exercise
Management buy-in and support
Leadership from top to bottom
This MUST be visible (required for certification!)
Staff buy-in and support
Be consistent with your company culture
Provide awareness and education (extend to 3rd parties/outsourcing partner
via contracts/SLA/etc)
Available and appropriate resources
Get training, seek expert advice where necessary
Policies and objectives must meet business requirements

Plan-Do-Check-Act
Four stages: Plan, Do, Check, Act (Deming Cycle)
Many iterations, often running concurrently!
Plan (ground work and establishing the ISMS)
Set a security policy
Conduct a risk assessment
Plan for how you will manage the risks (mitigate, transfer, avoid, accept)
Do (putting the wheels in motion)
Implement plans to manage the risks (done by selecting controls from the
standard)
Some controls could be in place already and can be aligned with the ISMS.
Ensure ISMS violations are managed appropriately

Plan-Do-Check-Act
Check (is the ISMS working with you?)
Are people violating company policies and procedures?
If this is frequent, it may be due to a lack of training/awareness or the
policies could be unsuitable for the culture!
Act (adjustments/improvements/updates)
Over time, the results of the Check stage will provide
recommendations for improvement of the ISMS
It is also critical to update your ISMS as the business changes
This is the continual improvement of security within your company


Next Step: certification?
Certification is not required.
You can be compliant without certification.
Prerequisites
ISMS must be integrated into the business (limited by scope)
Management review has taken place, including internal audit
Certification
Select a certification company
Initial review conducted; all going well, schedule full audit
Likely to be some remedial activities (PDCA again!)
Emphasis placed on management and staff awareness!
If successful, certification lasts for 3 years, 6 month reviews

Conclusions

Fin!
Information security management is easy to get
wrong, but can be difficult to get right.
Adopt best practices where possible.
Know your risks!
BS7799 is not perfect.
Consider others to strengthen your position (CobIT, NIST
standards, IT Baseline Protection Manual, etc).
Questions?
Thanks! (dave.ryan@eircom.net)

References
BSI Global (maintainers of BS7799)
http://www.bsi-global.com/Global/bs7799.xalter
You can purchase the standards from the above website
Microsoft Security Risk Self-Assessment Tool:
http://www.securityguidance.com/
OCTAVE-S Risk Assessment Methodology
http://www.cert.org/octave/
CobIT
http://www.isaca.org/cobit.htm
NIST Publications
http://csrc.nist.gov/publications/index.html
IT Baseline Protection Manual
http://www.bsi.bund.de/english/gshb/manual/
