  BS7799 - Code of Practice for Information Security Management
Disclaimer: the following text does not necessarily reflect the ideas of the author, but is merely intended to be a summary of a lecture at Royal Holloway University of London, as indicated in the title. Moreover, interpretations can be incomplete or even incorrect and the author cannot be held responsible for misjudgements on his part.


Mike Usher, Coutts Group IT – RHU, Information Security Group,
16 Oct. ’97

Text by Filip Schepers

A couple of years ago the British Standards Institute established a standard of practice for information security management. This document gives a summary of its history and contents as explained by Mike Usher in a lecture at RHUL.

The British Standards Institute is a non-profit organisation representing UK interests on international and European standards committees. Some of the reasons why people want standards have to do with the possibilities of exploiting economies of scale through standardisation in design and manufacturing, the facilitation of inter-company communication, legislative issues and confidence in the manufacturer, the product or the service provided. In September 1993 the Department of Trade and Industry issued the DTI Code of Practice on how to implement information security, which formed the basis for BS7799, published in March 1995. The DTI report identified difficulties and risks concerning the management and exploitation of IT systems. It also comprised a number of recommendations, including the development of an accreditation scheme for IT security and a standard. This standard has now been produced as a draft for public comment, and a final version is being prepared.

The objectives of BS7799 are to provide a common basis for companies to develop, implement and measure effective security management practice and to establish confidence in inter-company trading. The categories covered range from policies, tools to manage security, and assets that extend beyond information, to network management, systems development and compliance with the standard.

Security management can be visualised as a layered model. The basis for a security implementation is formed by risk analysis and assessment of the value of the different assets of the organisation: how much is it worth to secure confidentiality, integrity and availability, and to set up an audit system to control these elements? This analysis provides the input for drawing up a security policy, an abstract document explaining the different aspects and requirements for information security. On top of this level the standards are formulated, which define the procedures to be followed by the organisational units or departments. These can in turn be refined into responsibilities of individuals and form the basis for raising overall awareness of the need for controls. The top layer consists of checking compliance of the implementation with the policies and standards. The output of this check should be used to review the starting points of the risk analysis stage and the resulting policies. If necessary, changes should be proposed.

The security policy described above is one means of control. Allocation of responsibilities is another. Where possible it must be made clear that it is the users who own the data, not the IT managers. Education and training is another element (75% of security-related incidents are inside jobs). Not only the "what" and "how" aspects must be highlighted, but particularly the "why" of doing so. A formal way of reporting incidents and responding to them appropriately should be set up. Again, management has to be made aware of the possible impact of such incidents, and one has to make sure that everybody who might contribute to the solution has been included in the incident response procedure. Further controls include virus controls, business continuity planning (making sure the business keeps running), control of software copying and the safeguarding of company records in all forms (guidelines on storage, handling and disposal of all forms of information carriers). Finally, regular checks of compliance with data protection acts have to be performed, as well as compliance checks against the security policy (cf. supra).

The benefit of the scheme is that it allows for fast implementation in organisations without security policies. Where a certain security awareness already exists, the implementation can map onto existing policies, broaden them or even replace them. A drawback of the standard is that it only includes guidelines to good practice, which are not applicable in every case. Furthermore, the standards are hard to read and high costs can be involved in implementing them.

Now how can certification against BS7799 be carried out? Two possible processes are available. Self-certification is cheap and flexible, but only indicative and possibly unreliable. Independent certification by qualified reviewers is another option, but can be time-consuming and hence expensive.

Common concern for information security resulted in the formulation of a code of practice by the DTI and the development of a BSI standard accepted in Britain and abroad. Much attention goes to the process of determining risks and formulating a policy that can be further refined. Essential to good practice is verifying compliance with the intentions, which can be done internally or externally according to the organisation's needs. Both the standard and the certification are available. But standards are not static. Future work includes revising the current standard and formulating proposals on information classification and encryption on public networks. Other issues to be addressed are improving the awareness that the standard exists, seeking international standardisation (unlikely in the near future) and improving readability.


  Filip Schepers, Oct 1997 - Last updated 25/10/98