Introduction
The BS7799 standard, also known as ISO 17799, is published in two parts:

- BS 7799-1: 1999 - Code of practice for information security management
- BS 7799-2: 1999 - Specification for information security management systems
Part 1 is an introduction to the practice of information security and describes the key controls necessary to ensure an effective security implementation.

Part 2 specifies the requirements for establishing, implementing and documenting an information security management system (ISMS) and forms the basis for an assessment of the ISMS.

The standard requires a risk assessment and the identification of the most appropriate control objectives. A set of detailed controls is then described which can be used to achieve the control objectives as applicable. These controls are:
Security Policy

This introductory section outlines the need for a corporate information security policy which is documented and available to all staff. It should cover:

- a definition of information security
- a statement of management intention supporting the goals and principles of information security
- allocation of responsibilities for every aspect of implementation
- an explanation of the specific applicable proprietary and general principles, standards and compliance requirements
- an explanation of the process for reporting suspected security incidents
- a defined review process for maintaining the policy document
- means for assessing the effectiveness of the policy, embracing cost and technological changes
- nomination of the policy owner
Security Organisation

This section explains how to set up the management structure for maintaining information security. The main subjects covered are:

- the setting up of a management forum
- the roles of the forum
- allocation of security responsibilities
- establishment of an authorisation process for new hardware and software purchases

This section also covers access to corporate data by third parties, and the steps needed to prevent and detect unauthorised access of this kind.
Assets classification and control

This section concerns the protection of company assets. It deals with the establishment of an asset register for hardware, software and information, and offers advice on classifying and labelling assets.
Personnel Security

This section covers the risks to data and systems from deliberate and accidental human action such as user error, fraud and theft. Among the subjects covered are:

- how to make security responsibilities part of a formal job description
- how to screen potential staff, such as by taking up references
- training of staff in basic security awareness
- establishing a framework to ensure that security incidents and suspected weaknesses are reported through the correct channels
Physical and environmental security

The main items covered in this section are:

- the need to establish secure areas with physical entry controls
- the need to physically protect hardware equipment to prevent theft
- the need to protect network cabling from tampering
- security of equipment taken off site or sent for disposal
Communications and Operations Management

This is a large section and deals with security for computer systems. It explains the main areas of risk of which you need to be aware, but stops short of explaining the technical measures necessary. The following issues are covered:

- viruses
- malicious software
- change control
- backup
- the keeping of accurate access logs
- security of system documentation
- disposal of media
- protection and authentication of data during transfers and in transit
- security of email
System Access control

This section explains access control and how it can be applied to different types of system. Items covered include:

- issue and usage of passwords
- duress alarms
- automatic terminal time-outs
- physical access to terminals
- software metering/monitoring
System development and maintenance

This section deals with the acquisition of new systems and modification to existing ones. Areas covered include:

- input data validation
- data encryption
- security of data files
- protection of test data

The section also discusses procedures for departments where software development and maintenance are performed, including configuration management, change control and protection of data.
Business continuity management

This is an overview of the case for a comprehensive business continuity plan which should be designed, implemented, tested and maintained.
Compliance

There are many areas in which an organisation needs to ensure that it complies with its legal and contractual obligations. This section explains the need to comply with legislation such as:

- The Data Protection Act 1998
- The Companies Act
- Contractual commitments (such as software licences)

Upcoming legislation such as the new competition and distance selling legislation would also come into the scope of this section.

The organisation is given advice on how to ensure that it does comply and is able to demonstrate through audit and other procedures that it has done so.