ISO 17799 is an internationally recognized Information Security Management Standard, first published by the International Organization for Standardization, or ISO (www.iso.ch), in December 2000.
2. Management Best Practice Based on ISO/IEC 17799
Agenda:
Get To know The Author
What is ISO 17799?
Background on ISO 17799
The Ten Domains of ISO/IEC 17799
Implementation Considerations
Certification Process
Benefits of Implementing the ISO/IEC 17799/BS 7799 Framework
Survey
How much It Cost
References
Questions?
2
3. Author’s Background
Article was published In July 2005
At : Information Management Journal;Jul/Aug2005, Vol. 39 Issue 4,
p60
René Saint-Germain has expertise in the implementation of
governance and IT compliance frameworks (ISO 9001, ISO 20000,
ISO 27001, ISO 27002, ISO 27005, ISO 22301, SOX, ITIL, COBIT).
As member of the International Committee for the development of
security standards (CS27), he had participated in the development of
ISO 27001 and others ISO 27000 family standards.
Current Position: Training and Audit Manager at Altirian
Scheme Committee Member at PECB
Lead Auditor at Bureau Veritas
3
4. What is ISO 17799
ISO 17799 is an internationally recognized Information Security
Management Standard, first published by the International
Organization for Standardization, or ISO (www.iso.ch), in December
2000.
ISO 17799 is high level, broad in scope, and conceptual in nature.
ISO 17799 is not:
A technical standard
Product or technology driven
An equipment evaluation methodology such as the Common
Criteria/ISO 15408
4
5. Background on ISO 17799
ISO 17799 is a direct descendant of the British Standard Institute (BSI)
Information Security Management standard BS 7799.
British Standard (BS) 7799 from the British Standards Institution (BSI)
was first published in 1995 to provide guidance and best practices in
information security
The original standard ("Part 1") was revised and released in 1999.
Adopted by ISO as ISO 17799 in 2000, In 2005 BS17799 part 1 was
revised and in 2007 incorporated as ISO/IEC 27002
After wide consultation, it was determined that there was a need for a
"specification" that could be audited against or used as a baseline. Thus,
in 1998 a second part ("Part 2") was released, which was a specification
for an Information Security Management System. BS 7799 Part 2 was
adopted by ISO as ISO/IEC 27001 in November 2005
5
6. The Ten Domains of ISO/IEC 17799
6
The Ten Domains of ISO/IEC 17799
7. The Ten Domains of ISO/IEC 17799
Security Policy
Security Policy control addresses management support, commitment, and
direction in accomplishing information security goals, including:
Information Security Policy document – a set of implementation-
independent, conceptual information security policy statements governing
the security goals of the organization.
Ownership and review – Ongoing management commitment to
information security is established by assigning ownership and review
schedules for the Information Security Policy document.
7
8. The Ten Domains of ISO/IEC 17799
Organizational Security
Organizational Security control addresses the need for a management
framework that creates, sustains, and manages the security infrastructure,
including:
Information System Security Officer (ISSO) – acts as a central point of contact for
information security issues, direction, and decisions.
Information Security responsibilities – individual information security
responsibilities are unambiguously allocated and detailed within job
descriptions.
Authorization processes – ensures that security considerations are evaluated and
approvals obtained for new and modified information processing systems.
Third-party access – mechanisms to govern third-party interaction within the
organization based on business requirements.
Outsourcing – organizational outsourcing arrangements should have clear
contractual security requirements.
8
9. The Ten Domains of ISO/IEC 17799
Asset Classification and Control
Asset Classification and Control addresses the ability of the security
infrastructure to protect organizational assets, including:
Accountability and inventory – Mechanisms to maintain an accurate
inventory of assets, and establish ownership and stewardship of all
assets.
Classification – Mechanisms to classify assets based on business
impact.
Labeling – Labeling standards to indicate whether it is sensitive or
critical.
Handling – Handling standards; which is appropriate for copy, store,
transmit or destruction of the information asset based on asset
classification.
9
10. The Ten Domains of ISO/IEC 17799
Personnel Security
Personnel Security control addresses an organization’s ability to mitigate risk
inherent in human interactions, including:
Personnel screening –Ascertain the qualification and suitability of all
personnel with access to organizational assets. This framework may be
based on job descriptions and/or asset classification.
Security responsibilities – Personnel should be clearly informed of their
information security responsibilities, including codes of conduct and non-
disclosure agreements.
Terms and conditions of employment – Personnel should be clearly informed
of their information security responsibilities as a condition of employment.
Training – A mandatory information security awareness training program is
conducted for all employees, including new hires and established employees.
Recourse – A formal process to deal with violation of information security
policies.
10
11. The Ten Domains of ISO/IEC 17799
Physical and Environmental Security
Physical and Environmental Security control addresses risk inherent to
organizational premises, including:
Location – Organizational premises should be analyzed for environmental
hazards.
Physical security perimeter – The premises security perimeter should be
clearly defined and physically sound. A given premises may have multiple
zones based on classification level or other organizational requirements.
Access control – Breaches in the physical security perimeter should have
appropriate entry/exit controls commensurate with their classification level.
Equipment – Equipment should be sited within the premises to ensure physical
and environmental integrity and availability.
Asset transfer – Mechanisms to track entry and exit of assets through the
security perimeter.
11
12. The Ten Domains of ISO/IEC 17799
Communications and Operations Management
Communication and Operations Management control addresses an
organization’s ability to ensure correct and secure operation of its assets,
including:
Operational procedures – Comprehensive set of procedures, in support of
organizational standards and policies.
Change control – Process to manage change and configuration control,
including change management of the Information Security Management
System.
Incident management – Mechanism to ensure timely and effective
response to any security incidents.
Segregation of duties – Segregation and rotation of duties minimize the
potential for collusion and uncontrolled exposure.
Capacity planning – Mechanism to monitor and project organizational
capacity to ensure uninterrupted availability.
12
13. The Ten Domains of ISO/IEC 17799
General – Policies and standards, such as utilization of shredding equipment,
secure storage, and “cleandesk” principles, should exist to govern operational
security within the workspace.
System acceptance – Methodology to evaluate system changes to ensure
continued confidentiality, integrity, and availability.
Malicious code - Controls to mitigate risk from introduction of malicious
code.
Housekeeping – Policies, standards, guidelines, and procedures to address
routine housekeeping activities such as backup schedules and logging.
Network management - Controls to govern the secure operation of the
networking infrastructure.
Media handling – Controls to govern secure handling and disposal of
information storage media and documentation.
13
14. The Ten Domains of ISO/IEC 17799
Access Control
Access Control addresses an organization’s ability to control access to assets
based on business and security requirements, including
User management – mechanisms to:
Register and deregister users
Control and review access and privileges
Manage passwords
Network access control – policy on usage of network services,
including mechanisms (when appropriate) to:
Authenticate nodes
Authenticate external users
Define routing
Control network device security
Maintain the security of network services
14
15. The Ten Domains of ISO/IEC 17799
Host access control – Mechanisms (when appropriate) to:
Automatically identify terminals
Securely log-on
Authenticate users
Manage passwords
Secure system utilities
Furnish user duress capability, such as “panic buttons”
Enable terminal, user, or connection timeouts
Application access control – Limits access to applications based
on user or application authorization levels.
Access monitoring – Mechanisms to monitor system access and
system use to detect unauthorized activities.
Mobile computing – Policies and standards to address asset
protection, secure access, and user responsibilities.
15
16. The Ten Domains of ISO/IEC 17799
System Development and Maintenance
Security should ideally be built at the time of inception of a system. Hence
security requirements should be identified and agreed prior to the development of
information systems.
System security requirements – Incorporates information security
considerations in the specifications of any system development or
procurement.
Application security requirements – Incorporates information security
considerations in the specification of any application development or
procurement.
Cryptography – Policies, standards, and procedures governing the usage and
maintenance of cryptographic controls.
System Integrity – Mechanisms to control access to, and verify integrity of,
operational software and data, including a process to track, evaluate, and
incorporate asset upgrades and patches.
Development security – Integrates change control and technical reviews into
development process.
16
17. The Ten Domains of ISO/IEC 17799
Business Continuity Management
Business Continuity Management control addresses an organization’s ability to
counteract interruptions to normal operations, including:
Business continuity planning – Business continuity strategy based
on a business impact analysis.
Business continuity testing – Testing and documentation of business
continuity strategy.
Business continuity maintenance – Identifies ownership of
business continuity strategy as well as ongoing re-assessment and
maintenance.
17
18. The Ten Domains of ISO/IEC 17799
Compliance
Compliance control addresses an organization’s ability to remain in compliance
with regulatory, statutory, contractual, and security requirements, including:
Legal requirements – awareness of:
software copyright
Intellectual property rights
Safeguarding of organizational records
Data protection and privacy of personal Information.
Prevention of misuse
Regulation of cryptography
Collection of evidence
18
20. Certification Process
Organizations that base information security management
systems (ISMS) on BS 7799 specifications can apply to
become certified.
What is an ISMS? Framework to manage the security risks
within an organization
An organization that obtains certification is said to be ISO/IEC
17799 compliant and BS 7799 certified.
To guide organizations through this process, BS 7799 uses the
Plan-Do-Check-Act (PDCA) model
Once an organization has developed, implemented, and
documented its ISMS, an accredited certification body
carries out a third-party audit
20
22. Benefits of Implementing the
ISO/IEC 17799/BS 7799 Framework
BS 7799 certification serves as a public statement of an organization’s ability
to manage information security. It demonstrates to partners and clients that the
organization has implemented adequate information security and business
continuity controls.
It also demonstrates the organization’s commitment to ensuring that its
information security management system and security policies continue to
evolve and adapt to changing risk exposures
Certification is a mark of distinction that sets organizations apart from their
competition and provides partners, shareholders, and clients with greater
confidence.
ISO/IEC 17799 compliant organizations are exposed, these organizations will
spend less money recovering from security incidents, which may also translate
into lower insurance premiums
22
28. How much It Cost
A copy of 17799 is available through the ISO Web site
(www.iso.org) roughly $150, But that $150 investment is only a
fraction of the cost of security assessments, penetration testing,
auditors and consultants, which can run into the hundreds of
thousands--if not millions--of dollars. This is why organizations
with a solid working knowledge of their security threats have a
better shot at using the standard.
28
29. References
IT Governance: Data Security & BS 7799/ISO 17799 by Alan Calder and
Steve Watkins 2002
ISO/IEC 17799:2000(E) Code of Practice for Information Security
Management Geneva: ISO 2000 www.iso.ch
BS 7799-2:2002 Information Security Management Systems –
Specification with Guidance for Use. London: BSi, September 2002
www.bsi-global.com
http://www.bsmreview.com/security_best_practice_survey.shtml
http://www.gta.ufrj.br/ensino/cpe728/03_ins_info_security_iso_17799_110
1.pdf
http://www.gta.ufrj.br/ensino/cpe728/03_ins_info_security_iso_17799_110
1.pdf
http://www.openmpe.com/cslproceed/HPW04CD/papers/3353.pdf
29
Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard and repeatable manner at a level that is commensurate with the target environment for use
ITIL (IT Infrastructure Library): Provides recommendations for a wide range of IT operations and service delivery best practices including security management. ITIL’s information security recommendations are based heavily on ISO/IEC 17999 and emphasize information confidentiality, integrity and availability.
ISO/IEC 17799/27002 (Information technology - Security techniques - Code of practice for information security management): Provides information security specialists with specialized recommendations for risk assessment, physical and information security policy, governance, development, compliance and access control. Originally labeled as ISO/IEC 17799, this set of best practices was renumbered as ISO/IEC 27002 in July 2007.
COBIT (Control Objectives for Information and related Technology): Provides 210 control objectives applied to 34 high-level IT processes, categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring. COBIT recommendations include issues related to ensuring effectiveness and value of IT as well as information security and process governance.