BS 7799

Presentation by Rachel Su’a

Agenda• Define BS 7799• Brainstorming Exercise• Nuts and Bolts• How It Works: BS 7799 Certification• A Real World Example• Activity• Summary• Reading List

BS 7799 Defined

• A standard on Information Security

• Written in 1995 by the United Kingdom Government’s Department of Trade and Industry (DTI) and commerce stakeholders

• Published by the British Standards Institution (BSI Group)

Brainstorming Exercise

A home in your neighborhood has just been burglarized and this gets you thinking about the vulnerabilities of your own home.

Identify several points of entry.

How would you prevent a burglar from entering your home?

Brainstorming Exercise

Now think about someone hacking into your company’s computer systems.

Can you identify points of entry into your computer system?

How are you protecting your information against these attacks?

10 Ways Companies Get Hacked1. Email Social Engineering/Spear Phishing

2. Infection Via a Drive-By Web Download

3. USB Key Malware

4. Scanning Networks for Vulnerabilities and Exploitation

5. Guessing or Social Engineering Passwords

6. Wifi Compromises

7. Stolen Credentials From Third-Party Sites

8. Compromising Web-Based Databases

9. Exploiting Password Reset Services to Hijack Accounts

10. Insiders

Nuts and Bolts of BS 7799

BS 7799 part 1

• Describes the best practices for Information Security Management

• Revised and adopted by International Standards Organization (ISO) in 1998

• Made up of ten objectives

Ten Objectives of BS 7799 part 11. Information Security Policy for the organization

2. Creation of information security infrastructure

3. Asset classification and control

4. Personnel security

5. Physical and environmental security

6. Communications and operations management

7. Access control

8. System development and maintenance

9. Business Continuity Management

10. Compliance

BS 7799 part 2• Titled “"Information Security Management

Systems - Specification with guidance for use."

• Instructs on how to apply part one of BS 7799 and how to build a security management structure

• Introduced the Plan-Do-Check-Act model in the 2002 version

• Adopted in November 2005 by ISO as ISO/IEC 27001

BS 7799 part 3

• Titled “Information security management systems. Guidelines for information security risk management”

• Developed in 2005

• Covers all aspects of the risk management cycle of an information security management system

How It Works: BS 7799 Certification

• Five steps to becoming BS 7799 Certification

• Plan-Do-Check-Act (PDCA) model can help guide organizations through all stages of the certification process

Step One: Desktop Review

• Verify and check all documented polices and procedures for consistency and practicality.

• Check documentation is valid and relevant to BS7799 controls

• Present the following documents: ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.

Step Two: Technical Review

• Check Security Architecture for vulnerabilities and possible risk exposure

• Submit a document stating the “permissible risk” statement

Step Three: Internal Audit

• Internal audit by BS 7799 implementers and BS 7799 professionals where non-conformances are picked up and recommendations are documented.

Step Four: External Audit• Invite the predeteremined Certification Company

• Prepare to face the external auditors

• Auditors check for documentation and objective evidence with the following questions in mind:– Are records Correct and Relevant?– Are polices Known and Tested?– Are policies Communicated?– Are controls Implemented?– Are Polices Followed up?– Are preventive Actions taken?

• Auditor evaluates the quality of risk assessment and the level of security claimed by the company

Step Five: Certification

• Certification company recommends the said company for BS 7799 Certification

A Real World Example: Cleardata

“Although we have only recently gained certification to ISO 27001, there are at least three recent incidences where Cleardata has won contracts as a result of certification. The process ensures that we stop to think about all aspects of our security and continually monitor and improve, keeping us a step ahead of many of our competitors.”

– David Bryce, Managing Director, Cleardata.co.uk

Cleardata’s ISO 27001 Accreditation • “The award from the BSI shows that information security is central to

everything that Cleardata does.”• “The ISO27001 accreditation demonstrates Cleardata’s capacity for handling

documents using Information Security Management Systems. It also demonstrates that the company has implemented the required processes in its operation, monitoring, maintenance and improvement procedures.”

• “This accreditation gives our customers absolute confidence that our business will protect their data to the highest standards and the knowledge that this is audited by an independent body. The use of BSI, a brand that is synonymous with British Standards was an important factor in the choice of our auditors. With many high profile examples and incidents in the media, our clients are becoming ever more careful of their choice of supplier, with security and quality upper most in their minds. This complements our ISO9001 quality management award.”

– Dave Bryce, Managing Director of Cleardata

Plan-Do-Check-Act Activity

Plan

•Define business policy

•Estimate the scope of ISMS

•Decide what resources will be used to conduct a risk assessment

Plan-Do-Check-Act ActivityDo

•Evaluate automated or manual systems options

•Deploy qualified and tested vendors to implement various products and solutions

•Develop a statement of applicability

Plan-Do-Check-Act Activity

Check

•Find an external security audit team qualified to perform a third party security audit for BS 7799

•Develop a system of continuous monitoring of the ISMS

Plan-Do-Check-Act ActivityAct•Identify key vulnerabilities and take appropriate corrective actions•Take preventive action for unseen but predictive incidents •Communicate and deliver policies to IT users and IT team •Train management, partners, and users on policies and procedures

Summary• BS 7799 is a Information Security

Management System standard in which companies can become certified.

• The flexible certification process ensures that an organization evaluates all aspects of their security.

• Successful ISMS must be continually monitored and improved.

Reading ListInformation Security Training Courses ISO/IEC 27001http://www.bsigroup.com/en-GB/iso-27001-information-security/iso-27001-training-courses/

ISO 17799 Papers: BS 7799http://17799.denialinfo.com/biju.htm

The BS7799 / BS 7799 Security Standardhttp://www.thewindow.to/bs7799/

A Business Case for ISO 27001 Certificationhttp://www.ittoday.info/Articles/ISO_27001_Certification.htm