Presentation on theme: "BS 7799 Presentation by Rachel Su’a. Agenda Define BS 7799 Brainstorming Exercise Nuts and Bolts How It Works: BS 7799 Certification A Real World Example."— Presentation transcript:
Agenda Define BS 7799 Brainstorming Exercise Nuts and Bolts How It Works: BS 7799 Certification A Real World Example Activity Summary Reading List
BS 7799 Defined A standard on Information Security Written in 1995 by the United Kingdom Government’s Department of Trade and Industry (DTI) and commerce stakeholders Published by the British Standards Institution (BSI Group)
Brainstorming Exercise A home in your neighborhood has just been burglarized and this gets you thinking about the vulnerabilities of your own home. Identify several points of entry. How would you prevent a burglar from entering your home?
Brainstorming Exercise Now think about someone hacking into your company’s computer systems. Can you identify points of entry into your computer system? How are you protecting your information against these attacks?
10 Ways Companies Get Hacked 1. Email Social Engineering/Spear Phishing 2. Infection Via a Drive-By Web Download 3. USB Key Malware 4. Scanning Networks for Vulnerabilities and Exploitation 5. Guessing or Social Engineering Passwords 6. Wifi Compromises 7. Stolen Credentials From Third-Party Sites 8. Compromising Web-Based Databases 9. Exploiting Password Reset Services to Hijack Accounts 10. Insiders
Nuts and Bolts of BS 7799 BS 7799-1 ISO/IEC 17799 ISO/IEC 27002 BS 7799-2 ISO/IEC 27001 BS 7799-3
BS 7799 part 1 Describes the best practices for Information Security Management Revised and adopted by International Standards Organization (ISO) in 1998 Made up of ten objectives
Ten Objectives of BS 7799 part 1 1. Information Security Policy for the organization 2. Creation of information security infrastructure 3. Asset classification and control 4. Personnel security 5. Physical and environmental security 6. Communications and operations management 7. Access control 8. System development and maintenance 9. Business Continuity Management 10. Compliance
BS 7799 part 2 Titled “"Information Security Management Systems - Specification with guidance for use." Instructs on how to apply part one of BS 7799 and how to build a security management structure Introduced the Plan-Do-Check-Act model in the 2002 version Adopted in November 2005 by ISO as ISO/IEC 27001
BS 7799 part 3 Titled “Information security management systems. Guidelines for information security risk management” Developed in 2005 Covers all aspects of the risk management cycle of an information security management system
How It Works: BS 7799 Certification Five steps to becoming BS 7799 Certification Plan-Do-Check-Act (PDCA) model can help guide organizations through all stages of the certification process
Step One: Desktop Review Verify and check all documented polices and procedures for consistency and practicality. Check documentation is valid and relevant to BS7799 controls Present the following documents: ISMS, Policies, IT- Environment Documentation, Risk Assessment Reports, Business Continuity Planning documentation, Statement of applicability.
Step Two: Technical Review Check Security Architecture for vulnerabilities and possible risk exposure Submit a document stating the “permissible risk” statement
Step Three: Internal Audit Internal audit by BS 7799 implementers and BS 7799 professionals where non- conformances are picked up and recommendations are documented.
Step Four: External Audit Invite the predeteremined Certification Company Prepare to face the external auditors Auditors check for documentation and objective evidence with the following questions in mind: –Are records Correct and Relevant? –Are polices Known and Tested? –Are policies Communicated? –Are controls Implemented? –Are Polices Followed up? –Are preventive Actions taken? Auditor evaluates the quality of risk assessment and the level of security claimed by the company
Step Five: Certification Certification company recommends the said company for BS 7799 Certification
A Real World Example: Cleardata “Although we have only recently gained certification to ISO 27001, there are at least three recent incidences where Cleardata has won contracts as a result of certification. The process ensures that we stop to think about all aspects of our security and continually monitor and improve, keeping us a step ahead of many of our competitors.” –David Bryce, Managing Director, Cleardata.co.uk
Cleardata’s ISO 27001 Accreditation “The award from the BSI shows that information security is central to everything that Cleardata does.” “The ISO27001 accreditation demonstrates Cleardata’s capacity for handling documents using Information Security Management Systems. It also demonstrates that the company has implemented the required processes in its operation, monitoring, maintenance and improvement procedures.” “This accreditation gives our customers absolute confidence that our business will protect their data to the highest standards and the knowledge that this is audited by an independent body. The use of BSI, a brand that is synonymous with British Standards was an important factor in the choice of our auditors. With many high profile examples and incidents in the media, our clients are becoming ever more careful of their choice of supplier, with security and quality upper most in their minds. This complements our ISO9001 quality management award.” –Dave Bryce, Managing Director of Cleardata
Plan-Do-Check-Act Activity Plan Define business policy Estimate the scope of ISMS Decide what resources will be used to conduct a risk assessment
Plan-Do-Check-Act Activity Do Evaluate automated or manual systems options Deploy qualified and tested vendors to implement various products and solutions Develop a statement of applicability
Plan-Do-Check-Act Activity Check Find an external security audit team qualified to perform a third party security audit for BS 7799 Develop a system of continuous monitoring of the ISMS
Plan-Do-Check-Act Activity Act Identify key vulnerabilities and take appropriate corrective actions Take preventive action for unseen but predictive incidents Communicate and deliver policies to IT users and IT team Train management, partners, and users on policies and procedures
Summary BS 7799 is a Information Security Management System standard in which companies can become certified. The flexible certification process ensures that an organization evaluates all aspects of their security. Successful ISMS must be continually monitored and improved.
Reading List Information Security Training Courses ISO/IEC 27001 http://www.bsigroup.com/en-GB/iso-27001-information-security/iso- 27001-training-courses/ ISO 17799 Papers: BS 7799 http://17799.denialinfo.com/biju.htm The BS7799 / BS 7799 Security Standard http://www.thewindow.to/bs7799/ A Business Case for ISO 27001 Certification http://www.ittoday.info/Articles/ISO_27001_Certification.htm