5/20/2018 Eircom - BS7799 v3.Pps
1/27
BS7799:
how are you managing security?
Prepared by:
David Ryan, eircom net
Overview
Introduction to Information Security Management
BS7799 Overview
Implementing BS7799
Conclusion
Introduction to Information Security Management
What is Information Security Management?
Information is an asset; if you don't protect it, trouble awaits!
Securing an asset requires knowledge of:
- Security requirements: Confidentiality, Integrity, Availability
- Threats and vulnerabilities
Protection should focus on the critical requirements
Information security management focuses on protecting your information assets from harm (threats and vulnerabilities)
What to protect against?
- Unauthorised disclosure (loss of confidentiality)
- Unauthorised modification (loss of integrity)
- Loss/Destruction (loss of availability)
Must be driven by the business, not technology.
Security is the responsibility of everyone (management is key)
What are threats and vulnerabilities?
Threats can be considered the goals of an attacker
Physical example: a burglar might want to break into your house
Virtual example: an attacker might want to steal your customer database
Vulnerabilities allow an attacker to execute the threat
Physical example: the back door is left open, making it easy for the burglar to enter your house
Virtual example: you allow anyone access to your database, without restriction, making it easy for the attacker to steal your information
By defining threats to an asset and assessing potential
vulnerabilities surrounding that asset, you can make informed
decisions about how to protect your business.
Minimum suggested approach to Information Security Management
Define a security policy (statement of intent)
- Simple or detailed, but it must be enforceable and consistent with your culture
Understand the risks you face
- Difficult at first, but becomes easier and more beneficial with experience.
- The Microsoft Security Risk Self-Assessment Tool can help direct you; more advanced tools are available if necessary
Implement useful and cost-effective controls
- Having a 15k firewall may not be money well spent
- Don't make security too complicated; get good/impartial advice
Test, review and improve your security posture
- Use security assessment tools (free/commercial) and/or get in an expert
Provide a framework for responding to incidents (attacks, policy violations, etc)
What should a policy contain?
Statement of the company intent towards security
- "Management at Company X is committed to ensuring information security principles based on industry best practices will be adopted to help protect the company against information attacks and fraudulent activity"
Who it applies to (scope)
- "This policy applies to all users of Company X information and information systems"; "This policy applies to the management of Company X networks and firewalls"
What the responsibilities are
- "All staff must adhere to this policy; management should ensure staff awareness; IT staff must ensure identified controls are implemented"
Information security principles for the organisation
- "Access to Company X information assets will be restricted to authorised users only"; "Use of Company X information assets is subject to management inspection at any time"
Some simple rules for risk management
Get help if you need it
Once or twice with an expert might foster self-assessment in the future
Adopt an existing approach, no need to reinvent the wheel
Consider information assets (the critical few)
Define the security requirements of those assets: loss of confidentiality, integrity, availability, or all?
Identify threats: what is the impact?
Assess vulnerabilities/exposures
Some simple rules for risk management (continued)
Determine the risks and how to treat them
- Transfer: insurance!
- Accept: do nothing (ok to operate, too difficult to resolve now, etc)
- Avoid: drop the asset
- Mitigate: reduce the risk to an acceptable level (implement controls)
Produce mitigation plans
- How are you going to reduce the risk?
- What controls will you implement? (high-level)
Prioritise your risk
- Try rating risk as high, medium, low to help prioritise
Repeat periodically and when significant changes occur
DOCUMENT EVERYTHING!
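The steps on these two slides (asset, security requirement, threat and impact, vulnerability, treatment, high/medium/low rating, document everything) can be captured as a small risk register. The following is an added example, not code from the original deck: the 1..3 impact and likelihood scales, the rating thresholds and the sample rows are assumptions, with the rows built from the deck's own burglar and customer-database illustrations.

```python
from dataclasses import dataclass, field

TREATMENTS = {"transfer", "accept", "avoid", "mitigate"}      # options named on the slide
REQUIREMENTS = {"confidentiality", "integrity", "availability"}


@dataclass
class Risk:
    """One register row: asset, its security requirement, the threat, and the
    impact/likelihood judged from the vulnerability assessment."""
    asset: str
    requirement: str       # one of REQUIREMENTS
    threat: str
    impact: int            # 1 (minor) to 3 (severe); the 1..3 scale is an assumption
    likelihood: int        # 1 (unlikely) to 3 (likely); also an assumed scale
    treatment: str = "accept"
    controls: list = field(default_factory=list)   # high-level mitigation plan

    def score(self) -> int:
        return self.impact * self.likelihood

    def rating(self) -> str:
        # Map the 1..9 product onto the slide's high/medium/low buckets.
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def check_risk(risk: Risk) -> list:
    """Return the documentation gaps for one risk; empty means fully recorded."""
    gaps = []
    if risk.requirement not in REQUIREMENTS:
        gaps.append("security requirement not defined")
    if not (1 <= risk.impact <= 3 and 1 <= risk.likelihood <= 3):
        gaps.append("impact/likelihood outside the 1..3 scale")
    if risk.treatment not in TREATMENTS:
        gaps.append("no valid treatment decision")
    if risk.treatment == "mitigate" and not risk.controls:
        gaps.append("mitigation chosen but no controls planned")
    return gaps


def prioritise(risks: list) -> list:
    """Order the register highest score first, as the slide suggests."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed sample register built from the deck's own two illustrations.
SAMPLE = [
    Risk("office premises", "availability", "burglary", 2, 1, "transfer", ["insurance"]),
    Risk("customer database", "confidentiality", "attacker steals records", 3, 3,
         "mitigate", ["restrict access to authorised users", "review access logs"]),
    Risk("old test server", "integrity", "tampering", 1, 2, "mitigate"),  # gap: no controls
]
```

Running `check_risk` over every row before each periodic review is one way to make "document everything" a measurable check rather than a slogan.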
Are you managing security?
Do you have a security policy?
Do you know what your assets are?
Do you know why they should be protected?
Do you know what they should be protected from? (threats and vulnerabilities)
Got all the above? Great! But...
Is your policy enforced? How can you tell?
Did your risk assessment make it off the shelf?
Are you measuring your controls? (not measuring = not managing!)
Are you reviewing your risks regularly? Are your protections still sufficient 12 months later?
Technology must be balanced with management
Are you doing enough?
Sound familiar?
"We have a great IT administrator who tells us everything is fine" (trusting staff is essential, but transparency promotes understanding)
"We did a risk assessment 3 years ago and considered our premises and IT equipment" (physical assets only?)
"We update passwords every 9 months or so" (are passwords written down? Same passwords used for all systems?)
"We apply software updates for Microsoft products" (other products?)
The previous slides offer a simplistic approach
A more complete framework can be found in security management standards and best practices (e.g. BS7799)
BS7799 Overview
What is BS7799?
A FRAMEWORK for managing information security
- Guidance to help you ask the right questions of your business and to ensure you manage the answers effectively.
- Build on top of it, add details
Two parts
- BS7799/ISO17799: code of practice for information security management
- BS7799-2:2002: specification for information security management systems (ISMS - certification framework)
10 objectives
127 controls (after reading all of that, at least one headache!)
History and Development
Initially developed by the UK DTI with the private sector.
Timeline
- 1989: Users' Code of Practice
- 1995: BS7799-1995 initial release
- 1999: BS7799-1999 major revision, split into guidelines (code of practice) and standard (required for an information security management system)
- 2000: ISO/IEC 17799 accepted as an international standard
- 2002: BS7799-2:2002 official standard for certification
Why should you consider it? (Benefits)
Industry standard based on best practices
Provides direction on how to manage security
- Structured versus ad hoc security
- It is flexible: you do not need to implement all 127 controls unless you deem it necessary!
Business enabler
- Partner/customer confidence
- Not a differentiator: as its implementation grows, it becomes necessary to operate! (e.g. UK NHS)
Can be tailored to certain portions of your business
- E.g. online services, but not your office environment
Other external factors
- Legal/regulatory compliance (e.g. DPA, copyright, etc)
BS7799 Part 1:
Code of Practice
1. Security Policy
2. Security Organisation
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communications and Operations Security
7. Access Control
8. Systems Development and Maintenance
9. Business Continuity Management
10. Compliance
BS7799 Part 2:
Information Security Management System
What is it?
- A documented approach to managing security
- Follows the Plan-Do-Check-Act cycle (continuous improvement)
Main components
- Sets the scope (what does the ISMS cover? This is flexible)
- Encompasses the policies and procedures.
- Assess and manage the risks (selection of applicable controls)
- Implement the selected controls
- Review the effectiveness of the controls, residual risk, etc (management review, internal audit; the audit can be outsourced)
- Implement improvements; update as your risks change
Example controls
(tales from the standard)
Outsourcing
- Outsourcing should not result in less protection of your assets.
- Using your security policy and the controls from the standard, define the security requirements and responsibilities your outsourcing partner should adhere to.
Malicious software (e.g. viruses, worms, etc)
- One of the significant problems facing desktop users.
- Make sure you've got anti-virus software and that it is updated regularly (verification process)
- Ensure users are aware of the seriousness of these threats
Common sense? Of course! The standard is full of it. It can get trickier than this, but it is within your control.
BS7799 is not perfect
Common criticisms:
- Only suitable for large organisations
- Not enough detail for a standard
- Rushed and incomplete
- It doesn't make you secure
- Documentation HELL!
Perhaps, but...
- Very flexible; can be applied to large and small organisations. You may only apply it to a particular department, location or even procedure!
- A lot of the problems depend on how it is implemented. Get good advice/training where possible.
- Fill the gaps; adopt more detailed standards where available
- There is no silver bullet. No standard or product will make you secure.
Implementing BS7799
Critical Success Factors
You must be committed to improving security
- This is not a tick-the-box exercise
Management buy-in and support
- Leadership from top to bottom
- This MUST be visible (required for certification!)
Staff buy-in and support
- Be consistent with your company culture
- Provide awareness and education (extend to 3rd parties/outsourcing partners via contracts/SLAs/etc)
Available and appropriate resources
- Get training; seek expert advice where necessary
Policies and objectives must meet business requirements
Plan-Do-Check-Act
Four stages: Plan, Do, Check, Act (Deming Cycle)
- Many iterations, often running concurrently!
Plan (ground work and establishing the ISMS)
- Set a security policy
- Conduct a risk assessment
- Plan for how you will manage the risks (mitigate, transfer, avoid, accept)
Do (putting the wheels in motion)
- Implement plans to manage the risks (done by selecting controls from the standard)
Some controls could be in place already and can be aligned with the ISMS.
Ensure ISMS violations are managed appropriately
Plan-Do-Check-Act (continued)
Check (is the ISMS working with you?)
Are people violating company policies and procedures?
If this is frequent, it may be due to a lack of training/awareness, or the policies could be unsuitable for the culture!
Act (adjustments/improvements/updates)
Over time, the results of the Check stage will provide recommendations for improvement of the ISMS
It is also critical to update your ISMS as the business changes
This is the continual improvement of security within your company
Next Step: certification?
Certification is not required. You can be compliant without certification.
Prerequisites
- ISMS must be integrated into the business (limited by scope)
- Management review has taken place, including internal audit
Certification
- Select a certification company
- Initial review conducted; all going well, schedule the full audit
Likely to be some remedial activities (PDCA again!)
Emphasis placed on management and staff awareness!
If successful, certification lasts for 3 years, 6 month reviews
Conclusions
Fin!
Information security management is easy to get wrong, but can be difficult to get right. Adopt best practices where possible.
Know your risks!
BS7799 is not perfect. Consider others to strengthen your position (CobIT, NIST standards, IT Baseline Protection Manual, etc).
Questions?
Thanks! ([email protected])
References
BSI Global (maintainers of BS7799) http://www.bsi-global.com/Global/bs7799.xalter
You can purchase the standards from the above website
Microsoft Security Risk Self-Assessment Tool: http://www.securityguidance.com/
OCTAVE-S Risk Assessment Methodology http://www.cert.org/octave/
CobIT http://www.isaca.org/cobit.htm
NIST Publications http://csrc.nist.gov/publications/index.html
IT Baseline Protection Manual http://www.bsi.bund.de/english/gshb/manual/