BS 7799 (or ISO 17799) Standards
[ From chapter-20 of the book "Information Technology in Banking" written by Abul Kashem Md. Shirin and Nusrat Tamanna Prianka and published by Institute of Bankers, Bangladesh (IBB) ]
1. What is BS7799?
BS7799
is a British Standard that defines “code of best practices” for an Information
Security Management System (ISMS).
BS7799
is an open framework that would be applicable to any enterprise interested in
improving security.
The BS 7799 / ISO 17799
standard is written and published in two parts:
1) BS 7799 Part 1: Code of
practice for information security management is a guide containing advice and
recommendations to ensure the security of a company’s information according to
ten fields of application.
2) BS 7799 Part 2:
Information security management -- specifications with guidance for use
provides recommendations for establishing an effective Information Security
Management System (ISMS). At audit time, this document serves as the assessment
guide for certification.
2. History of BS 7799
For over a hundred years,
the British Standards Institution (BSI) has carried out studies for the
purpose of establishing effective, high-quality industry standards. BS 7799 was
developed at the beginning of the 1990s in response to industry, government and
business requests for the creation of a common information security structure.
In 1995, the BS7799 standard was officially adopted.
Four years went by before
the publication in May 1999 of a second major version of the BS 7799 standard,
incorporating numerous improvements. It was during this period that the
International Organization for Standardization (ISO) began to take an interest
in the work published by the British institute.
In December 2000, ISO
took over the first part of BS 7799, renaming it ISO 17799. In September
2002, a revision of the second part of the BS7799 standard was carried out in
order to make it consistent with other management standards such as ISO
9001:2000 and ISO 14001:1996 as well as with the principles of the Organization
for Economic Cooperation and Development (OECD).
Currently, consultations
are taking place at the international level to keep BS 7799 / ISO 17799 at the
leading edge of the latest developments.
3. BS7799 vs ISO 17799
BS7799
Part 1 has been ratified as an ISO standard (ISO/IEC 17799:2000), but Part 2
has not been approved as an ISO standard. Therefore, “ISO 17799” always refers
to the international standard based on BS7799 Part 1. ISO 17799 is a code of
practice for good security, but does not contain specific requirements for
certification. So, an organization can be assessed and certified against BS7799
(part 2), but not for ISO 17799.
4. Who must comply?
Nobody
is required to comply. BS7799 is a voluntary standard of best practices that
can be used as a measure of how secure an environment might be. Some
organizations use other standards to define their security controls, however
BS7799 is gaining more traction due to its international recognition.
5. BS7799: Part-I: Security Domains, Objectives and Controls
There
are 10 areas (domains) of security controls covered by BS7799, 36 security
objectives and 127 security controls. A brief overview of each of the 10 domains
is given below:
Domain-1: Security policy
1.1 Information security policy
A
policy document should be published, and all employees should be aware of its
existence. This policy should be approved by top management.
Domain-2: Security organization
2.1 Information security infrastructure
A
management framework should be established to initiate and control the
implementation of information security within the organization.
2.2 Security of third party access
Access
to the organization’s information processing facilities by third parties should
be controlled.
The
security of organizational information processing facilities might be put at
risk by access from third party locations with inadequate security management.
Where there is a business need to connect to a third party location, a risk
assessment should be carried out to identify any requirements for specific
controls. This risk assessment should take into account: the type of access
required, the value of the information, the controls employed by the third
party and the implications of this access to the security of the organization’s
information.
The
type of access given to the third party is of special importance; for example,
the risks of having access across a network connection are very different from
risks resulting from physical access. Different types of access are:
a)
Physical access, e.g. to offices,
computer rooms, filing cabinets;
b)
Logical access, e.g. to an
organization’s databases, information systems.
2.3 Outsourcing
The
security of information when the responsibility for information processing has
been outsourced to another organization should be maintained strictly.
Domain-3: Asset classification and control
3.1 Accountability for assets
All
major information assets should be accounted for and have a nominated owner.
Inventories
of assets help to ensure that effective protection is maintained. The process
of compiling an inventory of assets is an important aspect of risk management.
An organization needs to have complete knowledge of all of its assets and the
relative value and importance of these assets. Based on this information an
organization can then provide appropriate levels of protection. Examples of assets
associated with information systems are:
a) Information
assets: databases and data files, system documentation, user manuals, training
material, operational or support procedures, continuity plans, fallback
arrangements, archived information;
b)
Software assets: application
software, system software, development tools and utilities;
c) Physical
assets: computer equipment (processors, monitors, laptops, modems),
communications equipment (routers, PABXs, fax machines, answering machines),
magnetic media (tapes and disks), other technical equipment (power supplies,
air-conditioning units), furniture, accommodation;
d) Services:
computing and communications services, general utilities (e.g. heating,
lighting, power, air-conditioning).
Domain-4: Personnel security
4.1 Security in job definition and resourcing
Security
should be addressed at the recruitment stage, included in job descriptions and
contracts, and monitored during an individual's employment. Managers should
ensure that job descriptions address all relevant security responsibilities.
Users
of organizational information processing facilities should sign an appropriate
confidentiality (non-disclosure) agreement. Employees should normally sign such
an agreement as part of their initial conditions of employment.
Agency
staff and third party users not already covered by an existing contract
(containing the confidentiality agreement) should be required to sign a
confidentiality agreement prior to connection to organizational information
processing facilities.
Confidentiality
agreements should be reviewed when there are changes to terms of employment or
contract, particularly when employees are due to leave the organization, or
contracts are due to end.
4.2 User training
Users
should be trained in security procedures and the correct use of information
processing facilities.
Domain-5: Physical and environmental security
The
requirements for physical security will vary considerably between
organizations, depending on the scale of the information services provided and
how these are organized, as well as the sensitivity or criticality of the
business activities supported.
5.1 Secure areas
Critical
or sensitive business information processes and facilities to support them
should be housed in secure areas.
Such
facilities should also be physically protected from unauthorized access, damage
and interference. They should be sited in secure areas, protected by a defined
security perimeter, with appropriate entry controls and security barriers. The
degree of protection provided should be commensurate with the risk determined.
A clear desk and clear screen policy is recommended to reduce the risk of
unauthorized access or damage to papers and media.
5.2 Equipment security
Equipment
should be protected from power failures or other electrical anomalies.
Power
and telecommunication cabling carrying data or supporting information services
should be protected from interception or damage.
An
organization's data can be compromised through careless disposal of
equipment. It should be noted that
'deleted' data could still be easily retrieved from storage media, as deletion
does not necessarily erase the information. Even supposedly erased or
overwritten data may be retrieved using specialist equipment. Storage devices
containing very highly sensitive data should be physically destroyed or
securely overwritten, which is different from the ordinary ‘delete’ function.
All
items of equipment containing storage media, e.g. fixed hard disks, should be
checked to ensure that any sensitive data and licensed software are removed or
overwritten prior to disposal. Damaged storage devices containing very
sensitive data may require a risk assessment to determine if the items should
be destroyed, repaired or discarded.
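The point about disposal above, that an ordinary 'delete' removes only the directory entry while the data blocks remain readable, is the kind of thing that is easy to state and easy to get wrong in practice. The following is an added example, not code from the book or from the standard, showing what 'securely overwritten' means on a file: the same on-disk bytes are rewritten with random data and flushed before the entry is removed. File names and contents are constructed for the example. The caveat in the comments matters: on SSDs with wear levelling, on copy-on-write or journaling file systems, and for anything that has been snapshotted or backed up, older copies may survive an overwrite, which is why the text reserves physical destruction for very highly sensitive media.

```python
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file at `path` in place, `passes` times,
    with cryptographically random data, syncing to disk after each pass.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    chunk = 64 * 1024
    # "r+b" opens without truncating, so the existing blocks are rewritten
    # rather than a new file being allocated next to the old data.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def secure_delete(path: str, passes: int = 1) -> None:
    """Overwrite, truncate, then unlink, so that neither the directory entry
    nor the original block contents survive the way they do after a plain
    delete. Assumption, not a guarantee: on SSDs (wear levelling), on
    copy-on-write or journaling file systems, and for files that were ever
    snapshotted or backed up, old copies may persist elsewhere; for very
    highly sensitive media the standard's advice is physical destruction."""
    overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)


def disposal_demo() -> dict:
    """Constructed example: write a small 'ledger' file, overwrite it, and
    report what is still readable at each stage."""
    tmpdir = tempfile.mkdtemp(prefix="disposal-demo-")
    path = os.path.join(tmpdir, "ledger.dat")
    original = b"ACCOUNT 0001 BALANCE 5000\n" * 100  # constructed sample data
    with open(path, "wb") as fh:
        fh.write(original)
    written = overwrite_file(path, passes=2)
    with open(path, "rb") as fh:
        after = fh.read()
    secure_delete(path, passes=1)
    return {
        "size": len(original),
        "bytes_overwritten": written,
        "plaintext_survives": b"ACCOUNT" in after,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(disposal_demo())
```

Run it and the report shows the plaintext marker gone after the overwrite and the file gone after the delete. Treat a clean result from this routine as evidence about the file system view only; the disposal decision for a physical device still needs the risk assessment the text describes.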
Domain-6: Communications and Operations Management
The
level of detail and formality of procedures required to manage and operate
information processing and communication facilities will vary considerably
according to the size of the organization, type of equipment and the nature and
sensitivity of the business applications. For example, an organization highly
reliant and dependent on the use of information systems and networking
technology will require a much higher degree of protection than an organization
that makes less use of such technology and is not dependent on it. In
principle, the same security processes should be applied, but with appropriate
interpretation.
6.1 Operational procedures and responsibilities
Responsibilities
and procedures for the management and operation of all information processing
facilities should be established.
Appropriate
operating instructions and incident response procedures should be developed to
support this. The principle of segregation of duties (see "Segregation of
duties" below) should be applied, where appropriate, to reduce the risk of
negligent or deliberate system misuse.
Procedures
should be created and maintained for all operational information processing
systems to ensure the correct and secure operation of such systems. Documented
procedures should also be prepared for system development, maintenance or
testing work, especially if it requires the support or attention of other
organizational functions, e.g. computer operations. All operating procedures
should be treated as formal documents, changes to which may only be approved by
authorized management. The operating
procedures should be maintained and reviewed at least annually. One purpose of
the operating procedures is to specify the rules necessary to comply with the
information security policy for the business application in daily operations.
For example, the information security policy might specify that certain
equipment should be kept in rooms that are locked during silent hours. The
operating procedures should state who will be responsible for locking and
opening the rooms, where the key is held and the times the rooms are open.
Segregation of duties
Segregation
of duties minimizes the risk of accidental or deliberate system misuse.
Consideration should therefore be given to separating the management or
execution of certain duties, or of areas of responsibility, in order to reduce
opportunities for unauthorized modification or misuse of data or services. In
particular, it is recommended that the same employees do not carry out the following
functions:
a) Business system use;
b) Data entry;
c) Computer operation;
d) Network management;
e) System administration;
f) Systems development and maintenance;
g) Change management;
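Checking the list above against what people can actually do is usually a question of group memberships, since nobody is assigned "change management" directly; they are put in a role that confers it. The following is an added example, not the book's or the standard's own procedure, of a segregation-of-duties check over a constructed role-to-duty mapping and a constructed set of user assignments. Role names, user names and the "exceptions" mechanism are assumptions for the example; the duty names are the seven functions listed above.

```python
from itertools import combinations

# The seven functions the text says should not rest with the same employee.
DUTIES = [
    "business_system_use", "data_entry", "computer_operation",
    "network_management", "system_administration",
    "systems_development", "change_management",
]

# Constructed mapping (assumption for the example): which of the seven duties
# each directory group or application role actually confers.
ROLE_DUTIES = {
    "core-banking-users": {"business_system_use"},
    "data-entry-clerks": {"data_entry"},
    "datacentre-operators": {"computer_operation"},
    "network-admins": {"network_management"},
    "unix-admins": {"system_administration"},
    "developers": {"systems_development"},
    "cab-approvers": {"change_management"},
}

# Constructed assignments. bob can deploy his own code, carol can approve her
# own changes, dave combines business use with control of the network.
ASSIGNMENTS = {
    "alice": ["developers"],
    "bob": ["developers", "unix-admins"],
    "carol": ["cab-approvers", "developers"],
    "dave": ["core-banking-users", "network-admins"],
    "erin": ["core-banking-users", "data-entry-clerks"],
}

# Pairs a small organisation has decided to tolerate with a documented
# compensating control (assumption for the example: erin's combination is
# covered by supervisory review of her entries).
APPROVED_EXCEPTIONS = {frozenset({"business_system_use", "data_entry"})}


def duties_of(user, assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Union of the duties conferred by every role the user holds.
    Unknown roles confer nothing and unknown users hold nothing."""
    duties = set()
    for role in assignments.get(user, []):
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES,
                   exceptions=APPROVED_EXCEPTIONS):
    """Return {user: sorted list of (duty, duty) conflicts} for every user who
    holds more than one of the listed duties, omitting pairs that have an
    approved, documented exception."""
    report = {}
    for user in sorted(assignments):
        held = sorted(d for d in duties_of(user, assignments, role_duties)
                      if d in DUTIES)
        conflicts = [pair for pair in combinations(held, 2)
                     if frozenset(pair) not in exceptions]
        if conflicts:
            report[user] = conflicts
    return report


if __name__ == "__main__":
    for user, conflicts in sod_violations().items():
        print(user, conflicts)
```

The check deliberately reports the conflicting pair rather than just "violation", because the remediation differs: a developer who is also a system administrator is normally fixed by removing the admin role, whereas a user who both approves and makes changes may instead need the approval step moved to someone else. Run it against an export of group memberships rather than against a hand-maintained list; the hand-maintained list is exactly what drifts.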
6.2 Housekeeping
Routine
procedures should be established for taking back-up copies of data and
rehearsing their timely restoration, logging events and faults and, where
appropriate, monitoring the equipment environment.
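"Rehearsing their timely restoration" is the part of the housekeeping control most often skipped: a backup that has never been restored is an assumption, not a control. The following is an added example, not the book's or the standard's own procedure, of a restore rehearsal: the backup records a hash manifest at backup time, the rehearsal restores into a scratch directory (never over production) and compares every restored file against the manifest. File names, contents and the simulated damage are constructed for the example.

```python
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: str, archive_path: str) -> dict:
    """Archive source_dir and return the manifest {relative_path: sha256}
    taken at backup time. Keep the manifest with the backup record; the
    rehearsal is checked against it, not against the live system."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    return manifest


def rehearse_restore(archive_path: str, manifest: dict) -> dict:
    """Restore into a fresh scratch directory and compare each file with the
    manifest. Returns {'restore_dir': ..., 'problems': {rel: reason}}; an
    empty 'problems' means the backup restored completely and intact."""
    target = tempfile.mkdtemp(prefix="restore-test-")
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # refuses path traversal
        except TypeError:  # Python before the 'filter' argument existed
            tar.extractall(target)
    problems = {}
    for rel, expected in manifest.items():
        restored = os.path.join(target, rel)
        if not os.path.exists(restored):
            problems[rel] = "missing"
        elif sha256_of(restored) != expected:
            problems[rel] = "hash mismatch"
    return {"restore_dir": target, "problems": problems}


def backup_demo() -> dict:
    """Constructed example: back up two files, rehearse a good restore, then
    rehearse against a backup whose copy of one file no longer matches the
    manifest (simulating a damaged or stale medium)."""
    work = tempfile.mkdtemp(prefix="bcp-demo-")
    src = os.path.join(work, "data")
    os.makedirs(src)
    files = {  # constructed sample data
        "accounts.csv": b"id,balance\n1,5000\n2,120\n",
        "audit.log": b"2024-01-01 login ok\n",
    }
    for name, content in files.items():
        with open(os.path.join(src, name), "wb") as fh:
            fh.write(content)
    good = os.path.join(work, "good.tgz")
    manifest = make_backup(src, good)
    good_problems = rehearse_restore(good, manifest)["problems"]

    # Simulated damage: the archived copy of accounts.csv differs from the
    # manifest taken at backup time.
    with open(os.path.join(src, "accounts.csv"), "ab") as fh:
        fh.write(b"3,0\n")
    damaged = os.path.join(work, "damaged.tgz")
    make_backup(src, damaged)  # its manifest is discarded on purpose
    damaged_problems = rehearse_restore(damaged, manifest)["problems"]
    return {"good_problems": good_problems, "damaged_problems": damaged_problems}


if __name__ == "__main__":
    print(backup_demo())
```

The useful output is the per-file reason, because "missing" and "hash mismatch" point at different failures (an incomplete backup job versus a damaged or substituted medium). Time the rehearsal as well; the restore duration is the number that has to fit inside the recovery time scale agreed under business continuity management.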
Domain-7: Access control
7.1 Business requirement for access control
Access
to computer information and network services and data should be controlled on
the basis of business requirements. This should take account of policies for
information dissemination and entitlement.
7.2 User access management
Formal
procedures should be in place to control the allocation of access rights to
information systems and services.
The
procedures should cover all stages in the life-cycle of user access, from the
initial registration of new users to the final de-registration of users who no
longer require access to information systems and services. Special attention
should be given, where appropriate, to the need to control the allocation of
privileged access rights, which allow users to override system controls.
7.3 User responsibilities
The
co-operation of authorized users is essential for effective security.
Users
should be made aware of their responsibilities for maintaining effective access
controls, particularly regarding the use of passwords and the security of user
equipment. Where appropriate, a record of user access should be maintained to
aid investigations in case of incidents.
Users
should follow good security practices in the selection and use of passwords.
Users
should ensure that unattended equipment has appropriate protection. Equipment
installed in user areas, e.g. workstations or file servers, may require
specific protection from unauthorized access when left unattended for an
extended period. All users and contractors should be made aware of the security
requirements and procedures for protecting unattended equipment, as well as
their responsibilities for implementing such protection.
7.4 Network access control
Connections
to networked services should be controlled.
This
is necessary in order to ensure that connected users or computer services do
not compromise the security of any other networked services. Controls should
include the following:
a) Appropriate interfaces between networked services;
b) Appropriate authentication mechanisms for remote users
and equipment;
c) Control of user access to information services.
Users
should only be provided with direct access to the services that they have been
specifically authorized to use. The network and computer services that can be
accessed by an individual user or from a particular terminal should be
consistent with the business access control policy.
Large
networks may need to be divided into separate physical and logical domains.
Networks are increasingly being extended beyond traditional organizational
boundaries, as business partnerships are formed that may require the
interconnection or sharing of information processing and networking facilities.
Such extensions might increase the risk of unauthorized access to already
existing information systems that use the network, some of which might require
protection from other network users because of their sensitivity or
criticality. In such circumstances, the
introduction of controls within the network, to segregate groups of information
services, users and information systems, should be considered.
A
wide range of public or private network services is available, some of which
offer value-added services. Network services may have unique (possibly complex)
security characteristics. Organizations using network services should ensure
that their network provider gives a clear description of the security
attributes of all services used, and should establish the security implications
for the confidentiality, integrity and availability of business applications.
7.5 Computer access control
Access
to computer facilities should be controlled. Such access should be restricted
to authorized users.
All
users should have a unique identifier (user ID) for their personal and sole
use, to ensure that activities can subsequently be traced to the responsible
individual. User IDs should not give any indication of the user's privilege
level, e.g. manager, supervisor.
7.6 Application access control
Logical
access controls should be used to control access to application systems and
data.
Logical
access to software and data should be restricted to authorized users.
Application systems should:
a) Control
user access to data and application system functions, in accordance with a
defined business access control policy;
b) Provide
protection from unauthorized access for any utility and operating system
software that is capable of overriding system or application controls;
c) Not
compromise the security of other systems with which information resources are
shared;
d) Be
able to provide access to information to the owner only, other nominated
authorized individuals, or defined groups of users.
7.7 Monitoring system access and use
Systems
should be monitored to ensure conformity to access policy and standards.
Audit
logs recording exceptions and other security-relevant events should be produced
and kept for an agreed period to assist in future investigations and access
control monitoring.
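The audit log only "assists in future investigations" if someone actually looks at the exceptions it records. The following is an added example, not the book's or the standard's own procedure, of two routine checks run over a constructed set of audit records: repeated logon failures for one user ID inside a short window, and a privileged account used outside the agreed hours. The record format, the account names, the threshold, the window and the business hours are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record layout: one event per line, key=value fields, ISO timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) src=(?P<src>\S+)$"
)

PRIVILEGED = {"root", "dba01"}   # accounts that can override system controls
BUSINESS_HOURS = (8, 18)         # agreed window for privileged use, 08:00-18:00
FAIL_THRESHOLD = 3               # failures ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window raise an exception

# Constructed sample log. bob fails three times in about a minute and then
# gets in; carol's three failures are spread over six hours; root logs in
# near midnight.
SAMPLE_LOG = """\
2024-03-04T09:01:10 host=core01 user=alice event=LOGIN_OK src=10.1.1.20
2024-03-04T09:02:01 host=core01 user=bob event=LOGIN_FAIL src=10.1.1.21
2024-03-04T09:02:30 host=core01 user=bob event=LOGIN_FAIL src=10.1.1.21
2024-03-04T09:03:05 host=core01 user=bob event=LOGIN_FAIL src=10.1.1.21
2024-03-04T09:03:40 host=core01 user=bob event=LOGIN_OK src=10.1.1.21
2024-03-04T12:30:00 host=db01 user=dba01 event=LOGIN_OK src=10.1.1.30
2024-03-04T23:45:12 host=db01 user=root event=LOGIN_OK src=10.9.9.9
2024-03-05T09:10:00 host=core01 user=carol event=LOGIN_FAIL src=10.1.1.22
2024-03-05T15:10:00 host=core01 user=carol event=LOGIN_FAIL src=10.1.1.22
2024-03-05T15:11:00 host=core01 user=carol event=LOGIN_FAIL src=10.1.1.22
"""


def parse(lines):
    """Parse records; an unparseable line is itself worth an exception,
    since a silently dropped record is exactly what an attacker wants."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit record: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_exceptions(lines):
    """Return a list of (kind, user, timestamp) findings, in log order within
    each check. Records are assumed to be in chronological order."""
    events = parse(lines)
    findings = []

    # Check 1: FAIL_THRESHOLD or more failures for one user inside FAIL_WINDOW.
    recent_fails = defaultdict(list)
    already_flagged = set()
    for e in events:
        if e["event"] != "LOGIN_FAIL":
            continue
        window = recent_fails[e["user"]]
        window.append(e["ts"])
        while window and e["ts"] - window[0] > FAIL_WINDOW:
            window.pop(0)
        if len(window) >= FAIL_THRESHOLD and e["user"] not in already_flagged:
            already_flagged.add(e["user"])
            findings.append(("repeated_failures", e["user"], e["ts"].isoformat()))

    # Check 2: successful use of a privileged account outside agreed hours.
    start, end = BUSINESS_HOURS
    for e in events:
        if e["user"] in PRIVILEGED and e["event"] == "LOGIN_OK":
            if not (start <= e["ts"].hour < end):
                findings.append(("privileged_out_of_hours", e["user"], e["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in find_exceptions(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Two design points worth noting. The failure check uses a sliding window rather than a daily count, so carol's scattered failures are not reported while bob's burst is; the threshold and window are the kind of parameters that should be agreed with the system owner and recorded alongside the retention period. The out-of-hours check only fires on successful privileged logons, which is the event an investigator will want first; failed privileged attempts already fall under the first check.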
Domain-8: Systems development and maintenance
8.1 Security requirements of systems
This
will include infrastructure, business applications and user-developed
applications. Note also that in some cases, the design and implementation of
the business process supporting the application or service is crucial for
security. Security requirements should be identified and agreed prior to the
development of information systems.
8.2 Security in application systems
Appropriate
controls and audit trails should be designed into application systems,
including user written applications.
Data
encryption should be considered for the protection of highly sensitive and/or
valuable data. Encryption is the process of transforming data into an
unintelligible form, to safeguard its confidentiality during transmission or in
storage. The process of encryption uses one of two types of cryptographic
technique, symmetric (secret-key) or asymmetric (public-key). The level of
protection provided by encryption depends on the strength of the underlying
cryptographic algorithm, the size of the key space, the length of the key and
the secure management of the keys.
Domain-9: Business continuity management
9.1 Aspects of business continuity management
Business
continuity management reduces the damage caused by disasters and security
failures (which may be caused by, for example, natural disasters, accidents,
equipment failures, and deliberate actions) to an acceptable level through a
combination of preventative and recovery measures.
The
consequences of disasters, security failures and loss of service should be
analysed. Contingency plans should be developed and implemented to ensure that
critical processes could be restored within the required time scales. Such
plans should be maintained and practised to become an integrated component of
all other management processes and be accepted as such by staff members,
suppliers and contractors.
Business
continuity planning should include measures to identify and reduce risks, limit
the consequences if a damaging incident occurs, and ensure the timely
resumption of essential operations.
There
should be a managed process in place for developing and maintaining business
continuity throughout the organization. The process should bring together the
following key elements of business continuity management:
a) An
understanding of the risks faced by the business, in terms of their likelihood
and their impact, including an identification and prioritisation of critical
business processes;
b) An
understanding of the impact interruptions of varying magnitudes and lengths
will have to the business (it is important that solutions are found that will
handle smaller incidents, as well as serious incidents threatening the ongoing
viability of the organization), and the establishment of business objectives
and priorities for each information system;
c) The
formulation and documentation of a business continuity strategy commensurate with
the agreed business objectives and priorities;
d) The
formulation and documentation of business continuity plans in line with the
agreed strategy;
e) The
recognition that the plans and processes put in place need regular testing and
updating as the business being protected evolves;
f) The
assurance that the management of business continuity, and the processes to
achieve it, are embedded into the organization’s processes and structure.
Responsibility for co-ordinating the process and status reporting should be
assigned at an appropriate level within the organization, e.g. at the
information security forum.
Domain-10: Compliance
10.1 Compliance with legal requirements
The
design, operation, use and management of information systems may be subject to
statutory, regulatory and contractual security requirements.
All
relevant statutory, regulatory and contractual requirements should be
explicitly defined and documented for each information system. The specific
controls and individual responsibilities to meet these requirements should be
similarly defined and documented.
Advice
on specific legal requirements should be sought from the organization's legal
advisers, or suitably qualified legal practitioners. Legislative requirements
vary from country to country and for information created in one country that is
transmitted to another country (i.e. transborder data flow).
10.2 System audit considerations
Audit
requirements and activities involving checks on operational systems should be
carefully planned and agreed, to minimize the risk of disruptions to business
processes. The following should be observed:
a)
Audit
requirements should be agreed with appropriate management;
b)
The scope of the
checks should be agreed and controlled;
c)
The checks should
be limited to read-only access to software and data;
d) Other types of access (other than read-only) should
only be allowed for isolated copies of system files, which should be erased
when the audit is completed;
e) IT resources for performing the checks should be
explicitly identified and made available;
f) Requirements for special or additional processing
should be identified and agreed;
g) All access should be monitored and logged to produce a
reference trail;
h) All procedures, requirements and responsibilities should
be documented.
6. BS 7799: Part-II: ISMS and Certification
6.1. Compliance/Certification Process
Compliance with BS 7799
is a formal and sometimes complex process. The steps defined by the British
Standards Institution (BSI) are as follows:
a) Establish a management framework as defined by the standard
b) BSI will provide an estimate of costs and timeframes for
formal assessment
c) Submit
a formal application to BSI
d) BSI will undertake a
review of the enterprise’s stated security and risk policies. This will help
identify any weaknesses in the management system that need to be resolved
e) BSI
will conduct an on-site assessment
f) On successful
completion of the audit, a certificate of registration will be issued that
identifies the scope of the ISMS.
6.2. What is an ISMS?
“To establish the
organization’s information security policy and objectives... and then
meet these objectives.”
An Information Security
Management System (ISMS) provides a systematic approach to managing sensitive
information in order to protect it. It encompasses employees, processes and
information systems.