3. 21-Sep-2007 Public 3
Standard Evolution
1995: Initiative from the Department of Trade and Industry; BS 7799 Part 1 published
1998: BS 7799 Part 2 published
1999: New issue of BS 7799 Parts 1 and 2
2000: ISO/IEC 17799:2000
2001: BS 7799-2:2002 drafted
Sep 2002: BS 7799-2:2002 passed and accepted
Jun 2005: ISO/IEC 17799:2005
Oct 2005: ISO/IEC 27001:2005
Standard Organization
ISO/IEC 27001:2005 main clauses
4 Information Security Management System
5 Management Responsibility
6 Internal ISMS Audits
7 Management Review of the ISMS
8 ISMS Improvement
Annex A control areas
A.5 Information Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resources Security
A.9 Physical and Environmental Security
A.10 Communications and Operations Management
A.11 Access Control
A.12 Information Systems Acquisition, Development and Maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance
Standard Organization (contd.)
[Figure: the eleven Annex A control areas (Security Policy; Organization of Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance) arranged around the core properties of information: Confidentiality, Integrity and Availability.]
Future of the standard
ISO/IEC Standard   Description
27000              Vocabulary and definitions
27001              Specification
27002              Code of practice (ISO/IEC 17799:2005)
27003              Implementation guidance
27004              Metrics and measurement
27005              Risk management (BS 7799-3)
What is an implementation issue?
• A requirement the standard directly demands is not complied with
• Diluted implementation: the requirement is met only partially or at reduced rigour
• Misinterpretation of the standard
Implementation Issues - Scope
• Scope of the ISMS
– Scope is vague and does not cover all the assets and technology
• A good example of an ISMS scope statement:
The ISMS scope covers all critical systems, applications, networks, telecommunication links, human resources, and information assets. The scope also includes business operations, administrative functions, customer information, buildings, equipment, tools and utilities used in the execution of business of the organization at site A and site B.
Implementation Issues - Policy
• Security policy
– Not visible in the organization
– Not communicated across the organization
– Does not help in arriving at security objectives
• Other policies
– Many supporting policies not defined, e.g. clear desk and clear screen policy, mobile computing policy, teleworking policy
Implementation Issues – Risk Assessment
• Risk assessment not systematic
• Risk assessment starts from a false comfort in existing controls, so the risk that would exist without those controls is never assessed
• Some core assets not identified, e.g. design documents in an IT organization
• Acceptable risk level arrived at without a defined, repeatable method
• Results project a no-residual-risk scenario
Implementation Issues – SoA Preparation
• Only exclusions are justified; inclusions should be justified as well
• No bi-directional tracing between risks and controls: from each risk to the controls that treat it, and from each included control back to the risk that requires it
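As an added example (not part of the original deck), the following Python script checks a risk register against a Statement of Applicability in both directions: it flags included controls with no justification, included controls that no risk traces to, risks that point at excluded or missing controls, and risks marked for treatment that select no control at all. The record structures, sample risks and SoA rows are constructed for illustration; control identifiers follow the ISO/IEC 27001:2005 Annex A numbering.

```python
"""Bi-directional traceability check between a risk register and an SoA.

Assumptions made for this example (not from the slide deck): both documents
are available as simple Python records, control identifiers follow the
ISO/IEC 27001:2005 Annex A numbering, and a risk whose treatment is
"accept" needs no control. All entries below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    asset: str
    description: str
    treatment: str          # "mitigate", "transfer", "avoid" or "accept"
    controls: tuple = ()    # Annex A control ids selected to treat the risk


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool        # True = included in the ISMS, False = excluded
    justification: str = ""
    implemented: bool = False


RISKS = [
    Risk("R-01", "HR system", "Leavers keep accounts after exit", "mitigate",
         ("A.8.3.3", "A.11.2.1")),
    Risk("R-02", "Backup tapes", "Tape lost in transit to offsite store", "mitigate",
         ("A.10.8.3",)),
    Risk("R-03", "Design documents", "Printouts left on shared printer", "mitigate",
         ("A.11.3.3",)),
    Risk("R-04", "Guest Wi-Fi", "Visitors reach internal segments", "mitigate", ()),
    Risk("R-05", "Server clocks", "Host logs cannot be correlated", "mitigate",
         ("A.10.10.6",)),
    Risk("R-06", "Notice board", "Lunch menu disclosed", "accept", ()),
]

SOA = [
    SoaEntry("A.8.3.3", True, "Treats R-01", implemented=True),
    SoaEntry("A.11.2.1", True, "Treats R-01", implemented=True),
    SoaEntry("A.10.8.3", True, "", implemented=False),                  # included, never justified
    SoaEntry("A.11.3.3", False, "Open-plan office, judged unnecessary"),  # excluded, yet R-03 relies on it
    SoaEntry("A.10.10.6", True, "Treats R-05", implemented=True),
    SoaEntry("A.10.7.2", True, "Treats R-02", implemented=True),        # free-text claim, no risk links here
]


def check_traceability(risks, soa):
    """Return the gaps in each direction; an empty list everywhere means the
    register and the SoA agree."""
    by_id = {s.control_id: s for s in soa}
    included = {cid for cid, s in by_id.items() if s.applicable}
    excluded = set(by_id) - included
    referenced = {c for r in risks for c in r.controls}
    return {
        # SoA side: every row, included or excluded, needs a reason
        "unjustified_inclusions": sorted(c for c in included if not by_id[c].justification.strip()),
        "unjustified_exclusions": sorted(c for c in excluded if not by_id[c].justification.strip()),
        # control -> risk: an included control that no risk asks for
        "controls_without_risk": sorted(included - referenced),
        # risk -> control: a risk relying on a control the SoA excludes or lacks
        "risks_to_missing_controls": sorted(
            (r.risk_id, c) for r in risks for c in r.controls if c not in included),
        # a risk to be treated that selects no control at all
        "untreated_risks": sorted(r.risk_id for r in risks
                                  if r.treatment != "accept" and not r.controls),
        # included on paper but not in place: this is residual risk, not zero risk
        "included_not_implemented": sorted(c for c in included if not by_id[c].implemented),
    }


def is_consistent(report):
    return all(not gaps for gaps in report.values())


if __name__ == "__main__":
    for finding, items in check_traceability(RISKS, SOA).items():
        print(f"{finding}: {items or 'none'}")
```

Only the structured links count: A.10.7.2 carries a free-text "Treats R-02" justification, but R-02 never selects it, so it is reported as a control without a risk. The "included but not implemented" list is what feeds a realistic residual-risk figure instead of the no-residual-risk picture criticised on the previous slide.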
Implementation Issues – Monitoring
• Information security review very weak
• Obsolete risks not removed from the register
• New risks not fully added
Implementation Issues – Internal Audit
• The CISO and team are predominantly the only auditees
• Other asset owners rarely sampled
• Absence of qualified internal auditors
Implementation Issues – Management Review
• Not all review inputs required by the standard are addressed
• Management appreciation of security issues very low
Implementation Issues – Improvement
• Corrective action (CA) far more prevalent than preventive action (PA)
• Analysis of incidents and non-compliances weak
Implementation Issues – External Parties
• Third-party agreements do not stress security requirements
• Third-party vendor personnel not conspicuously identified in the facility
Implementation Issues – Asset Management
• Owners of server-based software are identified but not their custodians
• Only critical IT assets identified
• Some core assets not properly identified
• Asset labelling improper
Implementation Issues – HR Security
• No systematic screening
• Awareness training weak
• Removal of access rights on role change or exit weak
• Awareness of social engineering very low
Implementation Issues – Physical and Environmental Security
• Network cables run outside the security perimeter
• No controls on piggy-backing (tailgating) through access-controlled doors
• Structured cabling absent
• Security of equipment off-premises very weak
• Movement of media, e.g. CDs, not controlled
Implementation Issues – Communications and Operations Management
• Disposal of media very weak
• Safety of media in transit not properly addressed
• Logs not reviewed periodically
• Clock synchronization not done, so logs from different systems cannot be correlated
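The following added Python example (not from the original deck) shows why the last two points belong together. It takes constructed syslog-collector lines that carry both the collector's receipt time and the host's own timestamp, estimates each host's clock skew, flags hosts outside a tolerance, and rebuilds the event timeline with the skew removed. The line format, hostnames, addresses and messages are assumptions made for the example.

```python
"""Clock-skew check over centrally collected logs.

Assumptions made for this example (not from the slide deck): the collector
stores its own receipt time (`recv=`) next to the timestamp the host put in
the message (`ts=`), both as ISO 8601 in the same time zone, and network
delay between host and collector is negligible against the skew we care about.
"""
import re
from datetime import datetime, timedelta
from statistics import median

LINE_RE = re.compile(
    r"^recv=(?P<recv>\S+)\s+host=(?P<host>\S+)\s+ts=(?P<ts>\S+)\s+(?P<msg>.*)$"
)

# Constructed sample lines; hostnames, addresses and messages are invented.
# fw-01 runs three minutes slow, so its denies look like they happened before
# the login and privilege escalation they actually followed.
SAMPLE_LOG = """\
recv=2007-09-21T10:00:05 host=web-01 ts=2007-09-21T10:00:05 sshd: accepted password for alice
recv=2007-09-21T10:00:10 host=fw-01 ts=2007-09-21T09:57:10 deny tcp 10.0.0.5 -> 10.0.1.9:445
recv=2007-09-21T10:00:12 host=web-01 ts=2007-09-21T10:00:12 sudo: alice : COMMAND=/bin/cat /etc/shadow
recv=2007-09-21T10:00:14 host=fw-01 ts=2007-09-21T09:57:14 deny tcp 10.0.0.5 -> 10.0.1.9:139
recv=2007-09-21T10:00:20 host=db-01 ts=2007-09-21T10:00:21 mysql: access denied for user 'alice'
recv=2007-09-21T10:00:25 host=fw-01 ts=2007-09-21T09:57:25 deny tcp 10.0.0.5 -> 10.0.1.9:3389
"""


def parse(log_text):
    """Parse collector lines into event dicts; lines that do not match are dropped
    (a real review would count and inspect them rather than ignore them)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "recv": datetime.fromisoformat(m["recv"]),
            "host": m["host"],
            "ts": datetime.fromisoformat(m["ts"]),
            "msg": m["msg"],
        })
    return events


def host_skew(events):
    """Median of (host clock minus collector clock) per host, in seconds.
    The median resists a few lines delayed in transit or queued on the host."""
    per_host = {}
    for e in events:
        per_host.setdefault(e["host"], []).append((e["ts"] - e["recv"]).total_seconds())
    return {host: median(deltas) for host, deltas in per_host.items()}


def hosts_out_of_sync(events, tolerance_s=5.0):
    """Hosts whose clock differs from the collector by more than the tolerance."""
    return sorted(h for h, s in host_skew(events).items() if abs(s) > tolerance_s)


def timeline(events, correct=True):
    """Events in order; with correct=True each host's skew is subtracted from its
    own timestamps so that all hosts are compared on one clock."""
    skew = host_skew(events) if correct else {}
    return sorted(
        ({**e, "when": e["ts"] - timedelta(seconds=skew.get(e["host"], 0.0))} for e in events),
        key=lambda e: (e["when"], e["host"]),
    )


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("out of sync:", hosts_out_of_sync(evs), host_skew(evs))
    for e in timeline(evs):
        print(e["when"].time(), e["host"], e["msg"])
```

Ordered by the hosts' own clocks, the three firewall denies appear before alice's login; once fw-01's skew of minus 180 seconds is removed they fall between the login, the sudo read of /etc/shadow and the database refusal, which is the sequence an incident reviewer needs to see. The collector-side receipt time is the cheap reference that makes the check possible even where NTP has not been deployed.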
Implementation Issues – Access Control
• Privilege management weak
• Printouts left uncollected on printers
• Clear desk and clear screen policy the most violated
• Unabated installation of freeware, shareware etc.
• Laptops do not have updated virus signatures
Implementation Issues – IS Acquisition, Development and Maintenance
• Controls applied only to the information systems developed to run the business, e.g. ERP, enterprise project management, rather than to all systems in scope
• Impact analysis of changes very weak
• Fallback plan for an unsuccessful software upgrade weak
Implementation Issues – Incident Management
• Incident management seen as an 'impossible activity'
• Awareness of how and when to report an incident very low
Implementation Issues – BCP
• BCPs are static
• Scale of BCP very low compared with business need
• BCP testing not done