BS 7799 explained.


What is BS 7799?

BS 7799 is the most influential, globally recognised standard for information security management. It is currently divided into two parts:

* Part 1. Contains guidance and explanatory information.

* Part 2. Provides a model that can be used by businesses to set up and run an effective Information Security Management System (ISMS).

The two parts are formally published as:

* ISO/IEC 17799 Part 1 Code of Practice for Information Security

* BS 7799-2:2002 Specification for Information Security Management

What is an Information Security Management System (ISMS)?

The essence of BS 7799 is that a sound Information Security Management System (ISMS) should be established within organisations. The purpose of this is to ensure that an organisation's information is secure and properly managed.

Understanding BS 7799--Part 1

BS 7799 is divided into ten main sections:

1 Security Policy: Explains what an information security policy should cover and why each business should have one.

2 Organisational Security

3 Asset Classification and Control: Considers information and information processing equipment as valuable assets to be managed and accounted for.

4 Personnel Security: Details any personnel issues such as training, responsibilities, vetting procedures, and how staff respond to security incidents.

5 Physical and Environmental Security: Physical aspects of security, including protection of equipment and information from physical harm, as well as physical control of access to information and equipment.

6 Communications and Operations Management: Examines correct management and secure operation of information processing facilities during day-to-day activities.

7 Access Control: Control of access to information and systems on the basis of business and security needs.

8 System Development and Maintenance: Designing and maintaining systems so that they are secure and maintain information integrity.

9 Business Continuity Management: Concerns the maintenance of essential business activities during adverse conditions, from coping with major disasters to minor, local issues.

10 Compliance: Concerns business compliance with relevant national and international laws, professional standards, and any processes mandated by the Information Security Management System (ISMS).

What Does BS 7799 Certification Mean?

Certification to BS 7799 is a formal acknowledgement that your Information Security Management System (ISMS) reflects your organisation's information security needs.

How is Certification Obtained?

Organisations can be formally certified for BS 7799 by a UK Accreditation Service (UKAS) accredited body. A professional auditor completes an independent formal review of the Information Security Management System (ISMS). The aim of the review is to confirm that the ISMS is both effective and appropriate. The auditor will check for:

1.0 Completeness. Have all parts of BS 7799 been covered?

2.0 Relevance. Is the interpretation of BS 7799 relevant for the Organisation?

3.0 Implementation. Is the Information Security Management System (ISMS) being followed?

The auditor will require:

* A Statement of Applicability (SOA). This is a document that lists all requirements in BS 7799 Part 2, with an explanation of how the Organisation complies with them, and an explanation and justification of any deviations from them.

What are the Organisation's Ongoing Requirements for BS 7799?

1.0 Self Audits

Each Organisation must have a schedule of audits for the whole Information Security Management System (ISMS) over a reasonable period of time.

This involves checking that staff are actually following the ISMS, and can prove it with appropriate records. The audits are internal, and usually involve completing a standard.

Where a failure to follow the ISMS, or a security breach is detected, a report should go through the normal management structure, described in organisational security.

The importance of self-monitoring is that the organisation can react quickly to problems in its own procedures--sometimes the procedures must be improved to take account of reality.

2.0 Accredited Audits

After the initial audit, the certification body makes a review every six months.

3.0 Statement of Applicability (SOA)

This is a living document and must be kept up to date. It should always reflect the current status of the organisation's Information Security Management System (ISMS).

What Gets Certified?

There are many options for certification. A small scope that addresses core business functions could be formally certified, but equally, the Organisation as a whole could comply with the policies and procedures. Only the formally certified scope of the Information Security Management System (ISMS) would be subject to six-monthly reviews.

What are the Benefits of BS 7799?

The benefits of using ISO 17799/BS 7799 are straightforward. Using it well will result in:

* Reduced operational risk

* Assurance that information security is being rationally applied

This is achieved by ensuring that:

* Security controls are justified

* Policies and procedures are appropriate

* Security awareness is good amongst staff and managers

* All security relevant information processing and supporting activities are auditable and are being audited

* Internal audit, incident reporting/management mechanisms are being treated appropriately

* Management actively focus on information security and its effectiveness

It is likely that a number of organisations, including the Government, will require suppliers and other partners to be certified to BS 7799 before they can be given government work.

This could make compliance (or certification) more of a necessity than a benefit.

Certification can also be used as part of a marketing initiative, providing assurance to business partners and other outsiders.

Further Information

BSI DISC has several publications that are specifically designed to help organisations achieve certification to BS 7799. http://ukonlineforbusiness.gov.uk/ems/template/inforsecurity.jsp?id=214391

COPYRIGHT 2004 A.P. Publications Ltd.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.
Article Details

Title Annotation: Standards--Security; information security management
Publication: Database and Network Journal
Date: Apr 1, 2004
Words: 896