Overview
- Introduction to Information Security Management
- BS7799 Overview
- Implementing BS7799
- Conclusion
Introduction to Information Security Management
What is Information Security Management?
- Information is an asset; if you don't protect it, trouble awaits!
- Securing an asset requires knowledge of:
  - Security requirements: Confidentiality, Integrity, Availability
  - Threats and vulnerabilities
  - Protection should focus on the critical requirements
- Information security management focuses on protecting your information assets from harm (threats and vulnerabilities)
- What to protect against?
  - Unauthorised disclosure (loss of confidentiality)
  - Unauthorised modification (loss of integrity)
  - Loss/destruction (loss of availability)
- Must be driven by the business, not technology.
- Security is the responsibility of everyone (management is key)
What are threats and vulnerabilities?
- Threats can be considered the goals of an attacker
  - Physical example: a burglar might want to break into your house
  - Virtual example: an attacker might want to steal your customer database
- Vulnerabilities allow an attacker to execute the threat
  - Physical example: the back door is left open, making it easy for the burglar to enter your house
  - Virtual example: you allow anyone access to your database, without restriction, making it easy for the attacker to steal your information
- By defining threats to an asset and assessing potential vulnerabilities surrounding that asset, you can make informed decisions about how to protect your business.
Minimum suggested approach to Information Security Management
- Define a security policy (statement of intent)
  - Simple or detailed, but it must be enforceable and consistent with your culture
- Understand the risks you face
  - Difficult at first, but becomes easier and more beneficial with experience
  - The Microsoft Security Risk Self-Assessment Tool can help direct you; more advanced tools are available if necessary
- Implement useful and cost-effective controls
  - Having a 15k firewall may not be money well spent
  - Don't make security too complicated; get good/impartial advice
- Test, review and improve your security posture
  - Use security assessment tools (free/commercial) and/or get in an expert
- Provide a framework for responding to incidents (attacks, policy violations, etc.)
What should a policy contain?
- Statement of the company's intent towards security
  - "Management at Company X is committed to ensuring information security principles based on industry best practices will be adopted to help protect the company against information attacks and fraudulent activity"
- Who it applies to (scope)
  - "This policy applies to all users of Company X information and information systems"
  - "This policy applies to the management of Company X networks and firewalls"
- What the responsibilities are
  - "All staff must adhere to this policy; management should ensure staff awareness; IT staff must ensure identified controls are implemented"
- Information security principles for the organisation
  - "Access to Company X information assets will be restricted to authorised users only"
  - "Use of Company X information assets is subject to management inspection at any time"
Some simple rules for risk management
- Get help if you need it
  - Once or twice with an expert might foster self-assessment in the future
- Adopt an existing approach; no need to reinvent the wheel
- Consider information assets (the critical few)
- Define the security requirements of those assets
  - Loss of confidentiality, integrity, availability, or all?
- Identify threats: what is the impact?
- Assess vulnerabilities/exposures
Some simple rules for risk management
- Determine the risks and how to treat them
  - Transfer: insurance!
  - Accept: do nothing (OK to operate, too difficult to resolve now, etc.)
  - Avoid: drop the asset
  - Mitigate: reduce the risk to an acceptable level (implement controls)
- Produce mitigation plans
  - How are you going to reduce the risk? What controls will you implement? (high-level)
- Prioritise your risk
  - Try rating risk as high, medium, low to help prioritise
- Repeat periodically and when significant changes occur
- DOCUMENT EVERYTHING!
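The risk-management steps above (asset, requirement, threat, vulnerability, rating, treatment, prioritised and documented register) carried through as a small Python risk register. This is an added example, not part of the original deck; the impact x likelihood scale, the rating thresholds and the sample entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}            # assumed 3-point scale
TREATMENTS = {"transfer", "accept", "avoid", "mitigate"}  # the four options from the deck

@dataclass
class Risk:
    asset: str          # one of the "critical few" information assets
    requirement: str    # confidentiality / integrity / availability
    threat: str         # what could harm the asset
    vulnerability: str  # the exposure that lets the threat happen
    impact: str         # low / medium / high
    likelihood: str     # low / medium / high
    treatment: str = ""
    plan: str = ""      # how the risk is reduced, or why it is accepted

def rate(risk: Risk) -> str:
    """Map impact x likelihood onto the deck's high/medium/low rating (assumed thresholds)."""
    score = LEVELS[risk.impact] * LEVELS[risk.likelihood]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def treat(risk: Risk, treatment: str, plan: str = "") -> Risk:
    """Record a treatment; mitigating needs a plan, accepting a high risk needs a reason."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment == "mitigate" and not plan:
        raise ValueError("mitigation requires a plan (which controls, at a high level)")
    if treatment == "accept" and rate(risk) == "high" and not plan:
        raise ValueError("accepting a high risk requires a documented justification")
    risk.treatment, risk.plan = treatment, plan
    return risk

def prioritise(risks: list[Risk]) -> list[Risk]:
    """Highest rating first; ties broken by impact."""
    return sorted(risks, key=lambda r: (LEVELS[rate(r)], LEVELS[r.impact]), reverse=True)

def register(risks: list[Risk]) -> list[str]:
    """One documented line per risk, in priority order: DOCUMENT EVERYTHING."""
    return [f"{rate(r).upper():6} {r.asset} ({r.requirement}): {r.threat} via {r.vulnerability}"
            f" -> {r.treatment or 'UNTREATED'}{': ' + r.plan if r.plan else ''}"
            for r in prioritise(risks)]

# Constructed sample register (illustrative values, not from the deck)
SAMPLE = [
    treat(Risk("customer database", "confidentiality", "theft of customer data",
               "database reachable by anyone without restriction", "high", "high"),
          "mitigate", "restrict access to authorised users; log and review access"),
    treat(Risk("office laptops", "availability", "hardware failure", "no spare hardware",
               "medium", "medium"), "transfer", "hardware insurance / replacement contract"),
    treat(Risk("marketing brochures", "integrity", "defaced copy", "public web folder",
               "low", "medium"), "accept"),
]

if __name__ == "__main__":
    print("\n".join(register(SAMPLE)))
```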
Are you managing security?
- Do you have a security policy?
- Do you know what your assets are?
- Do you know why they should be protected?
- Do you know what they should be protected from? (threats and vulnerabilities)
- Got all the above? Great! But:
  - Is your policy enforced? How can you tell?
  - Did your risk assessment make it off the shelf?
  - Are you measuring your controls? (not measuring = not managing!)
  - Reviewing your risks regularly? Are your protections sufficient 12 months later?
- Technology must be balanced with management
Are you doing enough? Sound familiar?
- "We have a great IT administrator who tells us everything is fine" (trusting staff is essential, but transparency promotes understanding)
- "We did a risk assessment 3 years ago and considered our premises and IT equipment" (physical assets only?)
- "We update passwords every 9 months or so" (are passwords written down? Same passwords used for all systems?)
- "We apply software updates for Microsoft products" (other products?)
- The previous slides offer a simplistic approach
- A more complete framework can be found in security management standards and best practices (e.g. BS7799)
BS7799 Overview
What is BS7799?
- A FRAMEWORK for managing information security
- Guidance to help you ask the right questions of your business and to ensure you manage the answers effectively
- Build on top of it, add details
- Two parts:
  - BS7799/ISO17799: code of practice for information security management
  - BS7799-2-2002: specification for information security management systems (ISMS - certification framework)
- 10 objectives, 127 controls
- After reading all of that: at least one headache!
History and Development
- Initially developed by the UK DTI with the private sector
- Timeline:
  - 1989: Users' Code of Practice
  - 1995: BS7799-1995, initial release
  - 1999: BS7799-1999, major revision; split into guidelines (code of practice) and standard (required for an information security management system)
  - 2000: ISO/IEC 17799 accepted as international standard
  - 2002: BS7799-2-2002, official standard for certification
Why should you consider it? (Benefits)
- Industry standard based on best practices
- Provides direction on how to manage security: structured versus ad hoc security
- It is flexible: you do not need to implement all 127 controls unless you deem it necessary!
- Business enabler
  - Partner/customer confidence
  - Not a differentiator: as its implementation grows, it becomes necessary to operate! (e.g. UK NHS)
- Can be tailored to certain portions of your business
  - E.g. online services, but not your office environment
- Other external factors
  - Legal/regulatory compliance (e.g. DPA, copyright, etc.)
BS7799 Part 1: Code of Practice
1. Security Policy
2. Security Organisation
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communications and Operations Security
7. Access Control
8. Systems Development and Maintenance
9. Business Continuity Management
10. Compliance
BS7799 Part 2: Information Security Management System
- What is it?
  - Documented approach to managing security
  - Follows the Plan-Do-Check-Act cycle (continuous improvement)
- Main components
  - Sets the scope (what does the ISMS cover? This is where the flexibility lies)
  - Encompasses the policies and procedures
  - Assess and manage the risks (selection of applicable controls)
  - Implement the selected controls
  - Review the effectiveness of the controls, residual risk, etc. (management review; internal audit can be outsourced)
  - Implement improvements
  - Update as your risks change
Example controls (tales from the standard)
- Outsourcing
  - Outsourcing should not result in less protection of your assets
  - Using your security policy and the controls from the standard, define the security requirements and responsibilities your outsourcing partner should adhere to
- Malicious software (e.g. viruses, worms, etc.)
  - One of the significant problems facing desktop users
  - Make sure you've got anti-virus software and that it's updated regularly (verification process)
  - Ensure users are aware of the seriousness of these threats
- Common sense? Of course! The standard is full of it. It can get trickier than this, but it is within your control.
BS7799 is not perfect
- Common criticisms:
  - Only suitable for large organisations
  - Not enough detail for a standard
  - Rushed and incomplete
  - It doesn't make you secure
  - Documentation HELL!
- Perhaps, but:
  - Very flexible; can be applied to large and small organisations. You may only apply it to a particular department, location or even procedure!
  - A lot of the problems are dependent on how it is implemented. Get good advice/training where possible.
  - Fill the gaps; adopt more detailed standards where available
  - There is no silver bullet. No standard or product will make you secure.
Implementing BS7799
Critical Success Factors
- You must be committed to improving security: this is not a check-in-the-box exercise
- Management buy-in and support
  - Leadership from top to bottom
  - This MUST be visible (required for certification!)
- Staff buy-in and support
  - Be consistent with your company culture
  - Provide awareness and education (extend to 3rd parties/outsourcing partners via contracts/SLAs/etc.)
- Available and appropriate resources
  - Get training, seek expert advice where necessary
- Policies and objectives must meet business requirements
Plan-Do-Check-Act
- Four stages: Plan, Do, Check, Act (Deming Cycle)
- Many iterations, often running concurrently!
- Plan (ground work and establishing the ISMS)
  - Set a security policy
  - Conduct a risk assessment
  - Plan for how you will manage the risks (mitigate, transfer, avoid, accept)
- Do (putting the wheels in motion)
  - Implement plans to manage the risks (done by selecting controls from the standard)
  - Some controls could be in place already and can be aligned with the ISMS
  - Ensure ISMS violations are managed appropriately
Plan-Do-Check-Act
- Check (is the ISMS working with you?)
  - Are people violating company policies and procedures? If this is frequent, it may be due to a lack of training/awareness, or the policies could be unsuitable for the culture!
- Act (adjustments/improvements/updates)
  - Over time, the results of the Check stage will provide recommendations for improvement of the ISMS
  - It is also critical to update your ISMS as the business changes
  - This is the continual improvement of security within your company
Next Step: certification?
- Certification is not required. You can be compliant without certification.
- Prerequisites
  - ISMS must be integrated into the business (limited by scope)
  - Management review has taken place, including internal audit
- Certification
  - Select a certification company
  - Initial review conducted; all going well, schedule full audit
  - Likely to be some remedial activities (PDCA again!)
  - Emphasis placed on management and staff awareness!
  - If successful, certification lasts for 3 years, with 6-month reviews
Conclusions
Fin!
- Information security management is easy to get wrong, but can be difficult to get right.
- Adopt best practices where possible. Know your risks!
- BS7799 is not perfect. Consider others to strengthen your position (CobIT, NIST standards, IT Baseline Protection Manual, etc.).
- Questions? Thanks! (dave.ryan@eircom.net)
References
- BSI Global (maintainers of BS7799): http://www.bsi-global.com/Global/bs7799.xalter (you can purchase the standards from this website)
- Microsoft Security Risk Self-Assessment Tool: http://www.securityguidance.com/
- OCTAVE-S Risk Assessment Methodology: http://www.cert.org/octave/
- CobIT: http://www.isaca.org/cobit.htm
- NIST Publications: http://csrc.nist.gov/publications/index.html
- IT Baseline Protection Manual: http://www.bsi.bund.de/english/gshb/manual/