+++DRAFT VERSION++++
Introduction to Information Security Management Systems using BS 7799
Information is the lifeblood of all organizations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation. In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. With the increased use of new technology to store, transmit, and retrieve information, we have all opened ourselves up to increased numbers and types of threats.
To effectively deal with the complexity of this information there is a need to establish a comprehensive Information Security Management System. You need to ensure the confidentiality, integrity, and availability of both vital corporate information and customer information.
What is an Information Security Management System?
An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. The internationally recognised standard for Information Security Management Systems is BS 7799.
The Information Security Management System is composed chiefly of four documents: Information Security Policy; Information Asset Register; Risk Assessment Report; and Statement of Applicability.
What is BS 7799?
BS 7799 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.
The standard is composed of two parts: BS 7799 (ISO 17799) Part 1 - Code of Practice on Information Security Management and BS 7799 Part 2 - Specification for Information Security Management Systems.
The Code of Practice on Information Security provides a comprehensive set of security controls comprising the best information security practices in current use. It is strongly business-orientated, focusing on being a good management tool rather than being concerned with technical details.
BS 7799 is organized into 10 sections:
Assessment of your Information Security Management System against the BS 7799 standard can be carried out by external auditors and certification awarded.
Implementing an Information Security Management System
The steps to implement an Information Security Management System follow:
Scoping Study
This step sets the scope of the project. It should reflect the objectives of the business and be centred on a business process, such as the provision of IT. At this point consideration is given to setting an initial scope with an eye to future growth and how the scope could be extended.
Gap Analysis
A gap analysis is conducted against the controls listed under the ten sections of BS 7799 to identify, within the scope, the level of compliance with each of the ten areas.
At this stage it is possible to identify areas that fall outside the scope. These can be formally excluded if the organisation does not undertake the activity, such as code development. If it is a valid activity but outside the scope, such as employee vetting by the HR department, a Service Level Agreement can be put in place.
Risk Assessment
The risk assessment is undertaken to identify the information assets, the threats posed against them and the likelihood of those threats materialising.
Initial Statement of Applicability
The Statement of Applicability (SOA) is a description of the applicable controls identified during the gap analysis, with reference to how they apply to your environment.
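To make the Gap Analysis, Risk Assessment and Initial Statement of Applicability steps concrete, the following is an added worked example (not code from the original article or from BS 7799 itself). It models an Information Asset Register, scores each threat as likelihood multiplied by impact, ranks the risks against a risk appetite, and derives an initial SOA from the gap-analysis status and the exclusions. All asset names, threats, the 1-5 scales, the risk appetite of 8 and the control identifiers (CTRL-01 and so on) are constructed placeholders and are not the real BS 7799 section numbers.

```python
"""Worked risk assessment and initial Statement of Applicability.

Added example, not from the original article. All sample data below is
constructed; CTRL-xx identifiers are placeholders, not BS 7799 clauses.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed ordinal scales for likelihood and impact (1 = lowest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 8  # constructed: scores strictly above this need treatment


@dataclass
class Asset:
    """One row of the Information Asset Register."""
    name: str
    owner: str
    confidentiality: int  # 1-5 harm if disclosed
    integrity: int        # 1-5 harm if altered
    availability: int     # 1-5 harm if unavailable


@dataclass
class Threat:
    """One threat against a registered asset, with the controls that treat it."""
    asset: str
    description: str
    likelihood: str
    impact: str
    controls: List[str]


def risk_score(threat: Threat) -> int:
    """Risk = likelihood x impact on the constructed scales."""
    return LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact]


def risk_assessment(assets: List[Asset], threats: List[Threat],
                    appetite: int = RISK_APPETITE) -> List[Tuple[Threat, int, bool]]:
    """Rank threats by score; the flag marks those above the risk appetite.

    A threat naming an asset absent from the register is rejected, because a
    risk assessment must cover only assets the organisation has identified.
    """
    registered = {a.name for a in assets}
    for t in threats:
        if t.asset not in registered:
            raise ValueError(f"threat refers to unregistered asset {t.asset!r}")
    ranked = sorted(threats, key=risk_score, reverse=True)
    return [(t, risk_score(t), risk_score(t) > appetite) for t in ranked]


def statement_of_applicability(threats: List[Threat], gap_status: Dict[str, str],
                               excluded: Dict[str, str],
                               appetite: int = RISK_APPETITE) -> Dict[str, Tuple[str, str]]:
    """Map each control to (applicability, justification).

    A control is applicable when a risk above appetite maps to it; the gap
    analysis status ('implemented', 'partial', or 'missing' when unknown) is
    recorded alongside. Formally excluded controls carry their justification.
    """
    needed: Dict[str, List[str]] = {}
    for t in threats:
        if risk_score(t) > appetite:
            for c in t.controls:
                needed.setdefault(c, []).append(t.description)
    soa: Dict[str, Tuple[str, str]] = {}
    for control in sorted(set(gap_status) | set(needed) | set(excluded)):
        if control in excluded:
            soa[control] = ("excluded", excluded[control])
        elif control in needed:
            status = gap_status.get(control, "missing")
            soa[control] = ("applicable", f"{status}; treats: " + "; ".join(needed[control]))
        else:
            soa[control] = ("not required", "no risk above appetite maps to this control")
    return soa


# Constructed sample register, threats, gap-analysis results and exclusions.
ASSETS = [
    Asset("customer database", "IT", confidentiality=5, integrity=4, availability=4),
    Asset("public web site", "Marketing", confidentiality=1, integrity=3, availability=3),
]
THREATS = [
    Threat("customer database", "unauthorised disclosure by an external party",
           "likely", "severe", ["CTRL-01", "CTRL-02"]),
    Threat("customer database", "loss of backup media", "unlikely", "major", ["CTRL-03"]),
    Threat("public web site", "web site defacement", "possible", "minor", ["CTRL-02"]),
]
GAP_STATUS = {"CTRL-01": "partial", "CTRL-03": "implemented"}
EXCLUDED = {"CTRL-04": "no in-house code development is undertaken"}

if __name__ == "__main__":
    for threat, score, treat in risk_assessment(ASSETS, THREATS):
        print(f"{score:>2} {'TREAT ' if treat else 'accept'} {threat.asset}: {threat.description}")
    for control, (applicable, why) in statement_of_applicability(THREATS, GAP_STATUS, EXCLUDED).items():
        print(f"{control} {applicable}: {why}")
```

Two design points are worth noting. A threat that names an asset missing from the register is rejected rather than silently scored, which mirrors the article's ordering of asset identification before threat identification. A control that the gap analysis marks as implemented but that no above-appetite risk needs is reported as "not required" rather than dropped, so the SOA records why each control was or was not selected, which is what the certification auditors will ask to see.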
Security Improvement Program
The policies and procedures to protect the information assets against the risks identified must be developed to improve security. At this stage it is possible to identify any technical resources required, such as Windows domain security policy, firewalls, anti-virus software, etc.
Testing and Review
The actions taken as a result of the policies and procedures should be tested to ensure they provide adequate protection of the assets. This could include vulnerability assessments, penetration testing and social engineering.
Implementation
When the policies and procedures have been developed it is necessary to introduce them to the users and integrate them into current working practices. This can be done using awareness training and awareness material, such as screen savers, and ongoing information provision such as an intranet or document management system.
Document Finalisation
The documentation must be finalised in the light of the steps above, including the Statement of Applicability.
Certification Audit
The auditors will assess your compliance with BS 7799 and make recommendations accordingly.
For more on BS 7799 see Insight Consulting.