Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

BS 7799

advertisement 
BS 7799
Presentation by Rachel Su’a
Agenda
•
•
•
•
•
•
•
•
Define BS 7799
Brainstorming Exercise
Nuts and Bolts
How It Works: BS 7799 Certification
A Real World Example
Activity
Summary
Reading List
BS 7799 Defined
• A standard on Information Security
• Written in 1995 by the United Kingdom
Government’s Department of Trade and
Industry (DTI) and commerce stakeholders
• Published by the British Standards
Institution (BSI Group)
Brainstorming Exercise
A home in your neighborhood has just been
burglarized and this gets you thinking about
the vulnerabilities of your own home.
Identify several points of entry.
How would you prevent a burglar from
entering your home?
Brainstorming Exercise
Now think about someone hacking into your
company’s computer systems.
Can you identify points of entry into your
computer system?
How are you protecting your information
against these attacks?
10 Ways Companies Get Hacked
1. Email Social Engineering/Spear Phishing
2. Infection Via a Drive-By Web Download
3. USB Key Malware
4. Scanning Networks for Vulnerabilities and Exploitation
5. Guessing or Social Engineering Passwords
6. Wifi Compromises
7. Stolen Credentials From Third-Party Sites
8. Compromising Web-Based Databases
9. Exploiting Password Reset Services to Hijack Accounts
10. Insiders
Nuts and Bolts of BS 7799
BS
7799-1
BS
7799-2
• ISO/IEC
17799
• ISO/IEC
27002
• ISO/IEC
27001
BS
7799-3
BS 7799 part 1
• Describes the best practices for Information
Security Management
• Revised and adopted by International
Standards Organization (ISO) in 1998
• Made up of ten objectives
Ten Objectives of BS 7799 part 1
1. Information Security Policy for the organization
2. Creation of information security infrastructure
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. System development and maintenance
9. Business Continuity Management
10. Compliance
BS 7799 part 2
• Titled “"Information Security Management
Systems - Specification with guidance for use."
• Instructs on how to apply part one of BS 7799
and how to build a security management
structure
• Introduced the Plan-Do-Check-Act model in
the 2002 version
• Adopted in November 2005 by ISO as
ISO/IEC 27001
BS 7799 part 3
• Titled “Information security management
systems. Guidelines for information security
risk management”
• Developed in 2005
• Covers all aspects of the risk management
cycle of an information security
management system
How It Works: BS 7799 Certification
• Five steps to becoming BS 7799
Certification
• Plan-Do-Check-Act (PDCA) model can
help guide organizations through all stages
of the certification process
Step One: Desktop Review
• Verify and check all documented polices and
procedures for consistency and practicality.
• Check documentation is valid and relevant to
BS7799 controls
• Present the following documents: ISMS, Policies,
IT- Environment Documentation, Risk
Assessment Reports, Business Continuity
Planning documentation, Statement of
applicability.
Step Two: Technical Review
• Check Security Architecture for
vulnerabilities and possible risk exposure
• Submit a document stating the “permissible
risk” statement
Step Three: Internal Audit
• Internal audit by BS 7799 implementers and
BS 7799 professionals where nonconformances are picked up and
recommendations are documented.
Step Four: External Audit
• Invite the predeteremined Certification Company
• Prepare to face the external auditors
• Auditors check for documentation and objective evidence with the
following questions in mind:
–
–
–
–
–
–
Are records Correct and Relevant?
Are polices Known and Tested?
Are policies Communicated?
Are controls Implemented?
Are Polices Followed up?
Are preventive Actions taken?
• Auditor evaluates the quality of risk assessment and the level of
security claimed by the company
Step Five: Certification
• Certification company recommends the said
company for BS 7799 Certification
A Real World Example:
Cleardata
“Although we have only recently gained certification
to ISO 27001, there are at least three recent
incidences where Cleardata has won contracts as a
result of certification. The process ensures that we
stop to think about all aspects of our security and
continually monitor and improve, keeping us a step
ahead of many of our competitors.”
– David Bryce, Managing Director, Cleardata.co.uk
Cleardata’s ISO 27001 Accreditation
• “The award from the BSI shows that information security is central to
everything that Cleardata does.”
• “The ISO27001 accreditation demonstrates Cleardata’s capacity for handling
documents using Information Security Management Systems. It also
demonstrates that the company has implemented the required processes in its
operation, monitoring, maintenance and improvement procedures.”
• “This accreditation gives our customers absolute confidence that our business
will protect their data to the highest standards and the knowledge that this is
audited by an independent body. The use of BSI, a brand that is synonymous
with British Standards was an important factor in the choice of our auditors.
With many high profile examples and incidents in the media, our clients are
becoming ever more careful of their choice of supplier, with security and
quality upper most in their minds. This complements our ISO9001 quality
management award.”
– Dave Bryce, Managing Director of Cleardata
Plan-Do-Check-Act Activity
Plan
• Define business policy
• Estimate the scope of ISMS
• Decide what resources will be used to
conduct a risk assessment
Plan-Do-Check-Act Activity
Do
• Evaluate automated or manual systems
options
• Deploy qualified and tested vendors to
implement various products and solutions
• Develop a statement of applicability
Plan-Do-Check-Act Activity
Check
• Find an external security audit team
qualified to perform a third party security
audit for BS 7799
• Develop a system of continuous monitoring
of the ISMS
Plan-Do-Check-Act Activity
Act
• Identify key vulnerabilities and take appropriate
corrective actions
• Take preventive action for unseen but predictive
incidents
• Communicate and deliver policies to IT users and
IT team
• Train management, partners, and users on policies
and procedures
Summary
• BS 7799 is a Information Security
Management System standard in which
companies can become certified.
• The flexible certification process ensures
that an organization evaluates all aspects of
their security.
• Successful ISMS must be continually
monitored and improved.
Reading List
Information Security Training Courses ISO/IEC 27001
http://www.bsigroup.com/en-GB/iso-27001-information-security/iso27001-training-courses/
ISO 17799 Papers: BS 7799
http://17799.denialinfo.com/biju.htm
The BS7799 / BS 7799 Security Standard
http://www.thewindow.to/bs7799/
A Business Case for ISO 27001 Certification
http://www.ittoday.info/Articles/ISO_27001_Certification.htm
Related documents
CV
CV
IT2042-INFORMATION-SECURITY-SYS
IT2042-INFORMATION-SECURITY-SYS
New “world religion” or (and) “big business”?
New “world religion” or (and) “big business”?
Download
advertisement