Security with respect to BS7799
Written by: Blessen Cherian
Published in: linuxsecurity.com
http://www.linuxsecurity.com/content/view/118966/
http://www.security-forums.com/viewtopic.php?t=28850&sid=db3e2586c190f5545
Introduction

Information plays a very important role, as it is the backbone of every IT industry. A company's sensitive information in the wrong hands is a real threat to the survival of the company, so information should be managed with all aspects of threat in mind. The standard BS7799 was introduced for this very reason: to manage sensitive data in a professional way.

BS7799 is more of a culture than a standard. It helps a company build security awareness in all its employees and manage its information assets in a more secure and professional way.

BS7799 is a standard mainly intended for managing the security of information assets. Its counterpart is ISO17799. The latest revision was in 2002.

BS7799 has two parts:
a) Code of Practice on Information Security Management
b) Specification for Information Security Management Systems

This article explains the basics of BS7799, i.e., how to implement and manage information security with respect to BS7799. Please note that this article does not go into the details or the certification part of BS7799.

Please read below for more information:
More About BS7799

As mentioned above, it is a standard which helps a company to manage sensitive data. BS7799 is divided into 10 sections, listed below:

* Security policy
* Organization of assets and resources
* Asset classification and control
* Personnel security
* Physical and environmental security
* Communications and operation management
* Access control
* System development and maintenance
* Business continuity management
* Compliance

The above 10 sections cover all aspects of security. BS7799 has 127 control specifications covering all 10 domains / sections listed above. Companies can use any of these control specifications according to their need.

The 10 domains / sections are explained below.
(1) Security Policy

The Security Policy is a document which addresses the following areas: authentication, authorization, data protection, Internet access, Internet services, security audit, incident handling and responsibilities. The Security Policy should be easy to understand and implement. There should be a good balance between the security implementation and productivity.

Some of the main points in this domain are:
* Create security infrastructures.
* Restrict third-party access to facilities / office premises.
* Create contracts / agreements for outsourced data processing.
(2) Organization of assets and resources

An organization should implement and maintain systems to manage information security, such as assigning responsibility and making sure that the asset owners / responsible persons are accountable. For example, there should be proper systems or procedures to approve the security policy and manage security across the organization.

An organization's assets are: (1) people assets, (2) information assets, (3) paper documents, (4) software assets, (5) physical assets, (6) services, (7) company image and reputation.

Some of the main points in this domain are:
* Create an inventory of all information assets.
* Make sure that the asset owners / responsible persons are accountable.
(3) Asset classification and control

The organization should identify its assets. Assets can be anything: information, software, hardware, etc. The organization should also develop methods to protect these assets.

Assets are classified as: (1) Unclassified, (2) Shared, (3) Confidential, (4) Highly Confidential.

Some of the main points in this domain are:
* Establish information classification policies.
* Develop information handling and labeling procedures.
(4) Personnel security

It has been found that most errors are human errors, which happen due to greed, negligence, etc. So the organization should have systems / procedures to eliminate these kinds of errors. This can be achieved by having a Non-Disclosure Agreement (NDA) or similar agreement with the employee. Employees should be given proper training regarding all these aspects.

Some of the main points in this domain are:
* Control of the recruitment process.
* Proper training with respect to security.
* Incident response.
(5) Physical and environmental security

The starting point of this security plan is to build secure premises which only authorized users can access. The physical and environmental security domain covers all aspects such as entry control, secure rooms, protection from fire and radiation, and protection of data cables, electricity wires, etc.

Some of the main points in this domain are:
* Secure working environment.
* Protection of all equipment (software / hardware / data cables / electric cables) from hazards.
* Implementing access control to information and other property.
(6) Communication and operation management

An organization should maintain documented procedures for information management. The main aim of the communication and operation management domain is to make sure that information management is done in a correct way.

Some of the main points in this domain are:
* Document and maintain procedures for all organizational operations.
* All plans and procedures should allow for future expansion.
* Establish procedures for logging all incidents, backing up information, etc.
* Establish network security controls.
* Create procedures / policy for inter-organizational data exchanges.
(7) Access control

Access control is one of the important domains under BS7799. It deals with controlling access to information. The access control domain includes creating procedures / documents on access control policy and norms, user access management, new user registration, etc.

Some of the main points in this domain are:
* Manage access to information assets.
* Control access at the computer network, operating system and application system levels.
* System usage should be monitored.
* Measures to protect mobile and teleworking assets.
(8) System development and maintenance

The system development and maintenance domain makes sure that the security part of the information management system is taken care of. The first step is to identify the security requirements. For example, remote administration work should be done using ssh, so there should be a documented policy for such control systems. Also, all changes made to the system should be properly documented and kept under revision control.

Some of the main points in this domain are:
* The first and most basic thing is to identify system security requirements.
* Use cryptography or other security techniques to protect information.
* Create methods or procedures to protect the organization's system files and other important files.
* Control of development and maintenance of systems.
(9) Business Continuity Management

The business continuity management domain deals with identifying events that might cause interruptions to core business processes, based on risk assessment and strategy planning. The plans developed should be revised, tested and maintained properly.

Some of the main points in this domain are:
* The continuity management process should be well designed and developed.
(10) Compliance

The compliance domain mainly deals with all legal requirements, conducting regular system audits and reviews.

Some of the main points in this domain are:
* Comply with all legal requirements.
* Proper security compliance reviews should be conducted.
* Conduct regular system audits.
Information Security Management System

The acronym for Information Security Management System is ISMS. An ISMS is a systematic approach to the management of sensitive information to keep the data secure.

Implementation of an ISMS (BS7799) does not require much documentation compared to ISO. Implementation of BS7799 will be easy for those who already have ISO.

An ISMS consists of only a few documents, namely:
* Information Security Policy
* Information Asset Register
* Risk Assessment Report
* Statement of Applicability (SOA)
Implementation of ISMS

The backbone of this implementation is to identify business requirements, carry out risk analysis (identify threats) and manage the risks through well-documented procedures and policies. Now let's get into the details and understand the various steps of this implementation.
(1) Determine the Scope

Here we try to determine the scope of the ISMS in the organization. An ISMS can be implemented for a certain wing of your organization, for example technical support, for a website, and so on. So first the scope should be identified. The scope determined should always allow for future expansion, reflect the business objectives and cover all organization activities too.
(2) Review of documents

All established documents should be reviewed to check whether all security measures are correct, i.e., to find out if there is a security policy, NDA, SLA, etc.
(3) Gap Analysis

The gap between existing and required processes and procedures should be determined. Here we are trying to find out whether the existing controls and procedures cover all 10 domains of BS7799; those which do not meet the requirement should be documented.
(4) Asset Inventory

First, assets should be identified and an inventory of them should be produced.
(5) Risk assessment

In risk assessment we identify the assets and the risks associated with them. According to the threat / risk, we classify each asset. Some assets may have low risk while others may have a high risk factor; it all depends on the asset. A document named the Risk Assessment Report is developed and is the main output of this step. The report contains information about all assets and the risk factor associated with each.

Risk assessment is divided into three parts: (1) technical risk assessment, (2) vulnerability assessment, (3) procedural risk assessment.
(6) Risk management

The risks associated with the organization's assets have been determined during the risk assessment. Now it is time to develop procedures / policies to manage these risks. The risk assessment and risk management procedures / policies can be combined into what is known as the Risk Management Report.
(7) Controls and Objectives

The controls and objectives needed by the organization are selected with reference to the organization's needs. The gap analysis itself gives us knowledge of the required controls and objectives, which are then selected. The Statement of Applicability (SOA) is the outcome of this step; the SOA contains the controls selected to attain the objectives of the organization.
(8) Develop Policies and Procedures

The policies / procedures needed by the organization are developed with respect to the SOA and documentation. An example of such a policy is the Security Policy.
(9) Training

A good training plan should be developed and implemented. All employees in the organization should undergo this training to ensure that the good practice required for information security is adopted throughout the whole business process.
(10) Compliance Monitoring

In compliance monitoring we ensure that the measures taken to improve the security of the information assets are maintained.
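As an added illustration of the implementation steps above (asset inventory, risk assessment, gap analysis and Statement of Applicability), the following Python script is not part of the original article. The 10 domains and the four classification levels are taken from the article; the likelihood x impact scoring, the low / medium / high thresholds, and the sample asset register and control list are constructed assumptions for illustration only, not anything BS7799 prescribes.

```python
"""Toy ISMS worksheet: asset register -> risk assessment report -> gap analysis -> SOA.

Added example, not from the original article. Scoring scheme and sample data
are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# The 10 BS7799 domains as listed in the article.
DOMAINS = [
    "Security policy",
    "Organization of assets and resources",
    "Asset classification and control",
    "Personnel security",
    "Physical and environmental security",
    "Communications and operation management",
    "Access control",
    "System development and maintenance",
    "Business continuity management",
    "Compliance",
]

# The four classification levels from the article's domain (3).
CLASSIFICATIONS = ("Unclassified", "Shared", "Confidential", "Highly Confidential")


@dataclass
class Asset:
    """One row of the Information Asset Register (step 4)."""
    name: str
    owner: str            # accountable person / team (domain 2)
    classification: str   # one of CLASSIFICATIONS (domain 3)
    likelihood: int       # assumed scale: 1 (low) .. 3 (high)
    impact: int           # assumed scale: 1 (low) .. 3 (high)


def risk_score(asset):
    """Assumed scoring: likelihood x impact, giving a value from 1 to 9."""
    for value in (asset.likelihood, asset.impact):
        if not 1 <= value <= 3:
            raise ValueError(f"{asset.name}: likelihood/impact must be 1..3")
    return asset.likelihood * asset.impact


def risk_level(score):
    """Assumed thresholds mapping a score onto the article's low/high risk factor."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def risk_assessment_report(assets):
    """Step (5): one entry per asset with its score and level, highest risk first."""
    rows = []
    for a in assets:
        if a.classification not in CLASSIFICATIONS:
            raise ValueError(f"{a.name}: unknown classification {a.classification!r}")
        if not a.owner:
            raise ValueError(f"{a.name}: every asset needs an accountable owner")
        score = risk_score(a)
        rows.append({"asset": a.name, "owner": a.owner,
                     "classification": a.classification,
                     "score": score, "level": risk_level(score)})
    rows.sort(key=lambda r: -r["score"])   # stable: ties keep register order
    return rows


def gap_analysis(existing_controls):
    """Step (3): domains for which no existing control is documented at all."""
    return [d for d in DOMAINS if not existing_controls.get(d)]


def statement_of_applicability(existing_controls):
    """Step (7): every domain with the controls selected for it, gaps marked."""
    gaps = set(gap_analysis(existing_controls))
    return [{"domain": d,
             "controls": list(existing_controls.get(d, [])),
             "status": "gap" if d in gaps else "covered"} for d in DOMAINS]


# Constructed sample register and control list (hypothetical organization).
SAMPLE_ASSETS = [
    Asset("Customer database", "DBA team", "Highly Confidential", likelihood=2, impact=3),
    Asset("Public website", "Web team", "Shared", likelihood=3, impact=2),
    Asset("Internal wiki", "IT", "Confidential", likelihood=2, impact=2),
    Asset("Marketing brochure", "Marketing", "Unclassified", likelihood=1, impact=1),
]
SAMPLE_CONTROLS = {
    "Security policy": ["Approved security policy document"],
    "Personnel security": ["NDA signed at hiring"],
    "Communications and operation management": ["Nightly backups", "Incident logging procedure"],
    "Access control": ["User registration procedure", "Quarterly access review"],
    "System development and maintenance": ["Remote administration over ssh only",
                                           "Change log kept under revision control"],
}

if __name__ == "__main__":
    for row in risk_assessment_report(SAMPLE_ASSETS):
        print(f"{row['level']:6} {row['score']}  {row['asset']} ({row['classification']})")
    print("Domains with no control (gap analysis):", gap_analysis(SAMPLE_CONTROLS))
    for row in statement_of_applicability(SAMPLE_CONTROLS):
        print(f"{row['status']:8} {row['domain']}: {row['controls']}")
```

Running the script prints the risk assessment report sorted by risk, the five domains the sample control list leaves uncovered, and an SOA row for each of the 10 domains. The validation in `risk_assessment_report` reflects two points the article makes: every asset must fall into one of the four classification levels, and every asset must have an accountable owner.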
Conclusion

Let's conclude this article by summarizing the various steps involved in the implementation of BS7799. First we should identify the scope, that is, for which part of the organization you are going to implement this security standard. It can be either the whole organization or a part of it; this is decided by top management. The organization's business requirements and assets should be identified. The risks to the identified assets should be determined and documented, and the risk level of each asset should be listed alongside. Once the risk level of each asset is identified, a proper risk management plan should be developed. The inputs gained can be used to decide on the required controls and procedures, and the SOA is created. The required policies and procedures should be created and documented. Now all the measures or steps adopted to implement the ISMS should be passed on to the employees, or they should be made aware of the ISMS and its requirements. Finally, the ISMS should be reviewed to ensure that the procedures / policies are maintained.
By Blessen Cherian,
Member of Executive team,
Poornam Info Vision Pvt Ltd
Bobcares.com, Poornam.com, Blessen.com