
Secured View: Information Security Management
Why Information Security is important for your organization

Information is the crown jewels of business. Your business partners want to know if you have done enough to protect your information assets. The BS 7799 Information Security Management System outlines the best practices that one should follow and is a benchmark for security certification in business. by Avinash Kadam

Name a key ingredient that drives your business. All those who said 'information' got it right. That's because most businesses cannot function if this ingredient is not available or is unreliable. Availability, integrity and confidentiality of information are paramount concerns today. How do you know that your organization is taking good care of all the information it has so diligently acquired, over the years?

The manufacturing records, sales records, financial records, customer records are all kept on computers. In today's networked world, these may be accessible from anywhere, via the Internet. You can't be too sure that all your digitized information is secure. Your personal and confidential records will be with banks, finance and insurance companies; your medical records are with hospitals and laboratories; your credit card details have to be tendered whenever you buy something on the Internet. Is there any guarantee that all this information is really kept confidential? Shouldn't there be a way to tell if an organization can be entrusted with confidential information and if it maintains Information Security?

In fact there is. Heard of the BS 7799 Information Security Management System?

BS 7799 standard
Anyone who wants to ascertain the quality of a business process will look for an ISO 9001:2000 certificate. This gives an assurance that the organization has achieved the minimum requirements for establishing a Quality Management System (QMS). Similarly, the British Standards Institute (BSI) has established a standard for an Information Security Management System (ISMS). BS 7799 was first issued in 1995 and was revised in 1999. The latest revision, BS 7799-2:2002, is due on 5th Sept. 2002.

The BS 7799 standard comprises two parts:

  • Part 1: Code of Practice for Information security management.
  • Part 2: Specifications of Information Security Management Systems.

Part 1 outlines the recommended best practices that one should follow and Part 2 gives the specifications against which an organization will be evaluated to determine whether it deserves to be certified.

Assessing your Security Requirements
BS 7799 depends heavily on risk assessment. You are expected to carry out a thorough risk evaluation exercise. To prepare for this exercise, you have to take a complete inventory of all your information assets. These include not only the usual suspects like hardware assets—servers and networking devices—but also software assets like programs and databases. Also consider paper assets and infrastructure assets like power, light and air-conditioning. A risk like 'Denial of Service' is usually attributed to an external attack from the Internet, but it can also be an internal attack—someone can remove the power fuse in the server room.

The next step is to classify all the information assets according to their sensitivity and criticality, with respect to business needs. A risk evaluation exercise helps to identify the risk scenarios. The probability and consequences of a particular risk scenario, in terms of business losses, need to be documented. If the losses can be quantified, that's good. Otherwise, they can be categorized as high, medium or low.

Security Domains and Control Objectives
After risk categorization and prioritization, the next obvious step is risk mitigation. This is where we revisit BS 7799 controls. These are given in BS 7799 Part 2: Specification for Information Security Management System. These are divided into 10 domains:

1. Security policy.
2. Security organization.
3. Asset classification and control.
4. Personnel Security.
5. Physical and environmental security.
6. Communication and operations management.
7. Access control.
8. System development and maintenance.
9. Business continuity management.
10. Compliance.

These are further categorized into 36 control objectives, which are to be achieved by fulfilling 127 specified controls.

As an example of this hierarchy, let us look at the domain of 'Communication and operations management.' This domain has seven control objectives to be fulfilled. One of these seven control objectives is 'Exchange of information and software.' The objective is 'To prevent loss, modification or misuse of information exchanged between organizations.' The steps to achieve this objective are:

  • Step 1: Does the risk analysis point out that there is a business risk in exchange of information? Is this control objective applicable for protection of your business?
  • Step 2: If the answer is no, prepare a statement justifying the exclusion.
  • Step 3: If the answer is yes, look at each of the seven control statements under this particular control objective.

Each of these control statements has the word 'shall', which means compliance with the requirements is mandatory, unless you have a valid justification.

For example, one control is:
"Electronic commerce security: Electronic commerce security shall be protected against fraudulent activity, contract dispute and disclosure or modification of information."

So if you have E-Commerce activity, you will have to prove that you are protected against each of the stipulated risk factors.

  • Step 4: Select the appropriate policy, procedure, process or product that will fulfill the requirement of each applicable control. You should be able to prove that the control is effective in reducing the risk, which you have identified.

You will realize that there's not much to help you decide what needs to be done. The control statements are extremely general in nature. They do not provide any further recommendations, technical or otherwise. On one hand, this makes the standard independent of technology, but on the other hand, it introduces subjectivity of interpretation.

Advantages of BS 7799 Certification
Despite these shortcomings, BS 7799 presents the following advantages:

1. You will have a structured, risk based approach to information security.
2. Your employees will have to take security seriously as you will have framed adequate policies and penalties for any breach of security.
3. Your clients will be assured about your security seriousness.
4. Foreign companies that are paranoid about information security may feel comfortable dealing with you, if they have not already made it mandatory for you to get certified or audited by a security consultant.
5. Since availability is one of the critical components of information security, you would have set up adequate business continuity management plans.
6. You may do all of the above things without aiming for a certification, but you may even get a marketing advantage if you are certified.
7. And finally, you will definitely sleep better.

How to proceed
You can aspire for BS 7799 certification with the following steps.

  • Step 1: Establish the importance of information security in the organization. In the current scenario, this should not be difficult. However, it will help if you identify the critical business processes that depend on information, and what the business risk would be if any of the three pillars of information security (confidentiality, integrity and availability) were compromised.
  • Step 2: Set up a Security Organization. You will need organizational involvement to define and implement security measures. This means a steering committee for the BS 7799 project, a security forum with representation from key business and technology departments, the appointment of an Information Security Officer, and defined security responsibilities for the protection of the various assets.
  • Step 3: Define the Security Policy for the company. This should be endorsed by top management and should convey their concern and commitment.
  • Step 4: Define the scope of Information Security Management System (ISMS). This could be business specific, location specific or function specific.
  • Step 5: Undertake risk assessment. Start with business risk assessment. This will help you in identifying the risk areas for detailed risk evaluation. Identify and prioritize all the risks.
  • Step 6: Identify the control objectives and the control options.
  • Step 7: Select appropriate controls to fulfill the control objectives. These controls will be in the form of security policies, procedures and products. Prepare guidelines on how to implement these controls.
  • Step 8: Implement and monitor the controls. You should be able to prove adequacy of the controls in reducing the risks.
  • Step 9: Make a table of all the 127 controls and map the controls implemented by you against the relevant control objectives. One control may address more than one control objective. If there are gaps, find out whether these are omissions or whether no control is actually required. Fill all the gaps.
  • Step 10: Make a Statement of Applicability, which justifies the controls in place as well as those which are really not required. For every exclusion, you should have a justification backed by the risk assessment.
  • Step 11: Invite a certification body for pre-assessment. Some of the accredited certification agencies are DNV, BSI, STQC.
  • Step 12: Take appropriate measures to comply with all observations.
  • Step 13: Get the final assessment done.
  • Step 14: Acquire the coveted certificate, which is valid for three years. An external audit will be done once a year.
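The risk evaluation described under 'Assessing your Security Requirements' and Steps 5 to 10 above are procedural, so here is an added, constructed example of how the two halves fit together in code. It is not part of the article and not BS 7799 tooling: the asset, risk, objective and control names are illustrative placeholders, the control identifiers (CTL-A, CTL-B) are invented rather than the standard's numbering of the 127 controls, and the likelihood-times-impact scoring is one common convention, not something the standard prescribes. The gap check is the point of the Statement of Applicability: an objective the risk assessment needs but no control covers, and an objective left out with no justification, are both reported.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example (not the article's or the standard's own material):
# a small risk register feeding a Statement of Applicability check.

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    kind: str          # hardware, software, paper or infrastructure
    sensitivity: str   # low / medium / high, with respect to business needs
    criticality: str   # low / medium / high


@dataclass
class RiskScenario:
    asset: str
    threat: str
    likelihood: str                     # low / medium / high
    impact: str                         # low / medium / high, used when loss is not quantified
    annual_loss: Optional[float] = None  # quantified loss, where one can be estimated
    objectives: tuple = ()              # control objectives that would mitigate this risk


@dataclass
class Control:
    ident: str
    description: str
    objectives: tuple   # one control may address more than one objective (Step 9)


def uninventoried(assets, risks):
    """Risks that name an asset missing from the inventory: the inventory comes first."""
    known = {a.name for a in assets}
    return sorted({r.asset for r in risks} - known)


def risk_score(risk):
    """Qualitative score: likelihood x impact on a 1..9 scale (a convention, not the standard's)."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def risk_band(risk):
    """Map the score back to the high / medium / low categories the article suggests."""
    score = risk_score(risk)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def prioritise(risks):
    """Highest qualitative score first; a quantified loss breaks ties."""
    return sorted(risks, key=lambda r: (risk_score(r), r.annual_loss or 0.0), reverse=True)


def statement_of_applicability(objectives, risks, controls, exclusions):
    """Steps 9 and 10: map implemented controls to the objectives the risk
    assessment requires, and require a justification for every objective excluded.
    Returns (soa, gaps); gaps are objectives with neither a control nor a reason."""
    needed = {o for r in risks for o in r.objectives}
    soa, gaps = {}, []
    for obj in objectives:
        implemented = [c.ident for c in controls if obj in c.objectives]
        if obj in needed:
            soa[obj] = ("applicable", implemented)
            if not implemented:
                gaps.append((obj, "risk identified but no control implemented"))
        elif obj in exclusions:
            soa[obj] = ("excluded", exclusions[obj])
        else:
            soa[obj] = ("excluded", None)
            gaps.append((obj, "excluded without a risk-based justification"))
    return soa, gaps


# Constructed sample data: a four-asset inventory, three risk scenarios
# (including the article's insider 'pull the fuse' case), two controls.
ASSETS = [
    Asset("order server", "hardware", "high", "high"),
    Asset("customer database", "software", "high", "high"),
    Asset("signed contracts", "paper", "medium", "medium"),
    Asset("server-room power", "infrastructure", "low", "high"),
]
OBJECTIVES = [  # illustrative subset of control objectives, not the standard's list
    "Equipment security", "Business continuity planning",
    "Exchange of information and software", "Network access control",
    "Media handling and security", "Cryptographic controls",
]
RISKS = [
    RiskScenario("order server", "Internet denial of service", "medium", "high",
                 annual_loss=50_000.0,
                 objectives=("Network access control", "Business continuity planning")),
    RiskScenario("server-room power", "fuse removed by insider", "low", "high",
                 objectives=("Equipment security", "Business continuity planning")),
    RiskScenario("customer database", "e-commerce order fraud", "medium", "medium",
                 annual_loss=80_000.0,
                 objectives=("Exchange of information and software",)),
]
CONTROLS = [
    Control("CTL-A", "UPS, locked server room and tested restart procedure",
            ("Equipment security", "Business continuity planning")),
    Control("CTL-B", "order messages authenticated and logged; disputes settled from the log",
            ("Exchange of information and software",)),
]
EXCLUSIONS = {"Cryptographic controls": "no confidential data leaves the site"}

if __name__ == "__main__":
    assert not uninventoried(ASSETS, RISKS)
    for r in prioritise(RISKS):
        print(f"{risk_band(r):6} score={risk_score(r)} {r.asset}: {r.threat}")
    soa, gaps = statement_of_applicability(OBJECTIVES, RISKS, CONTROLS, EXCLUSIONS)
    for obj, (status, detail) in soa.items():
        print(f"{status:10} {obj}: {detail}")
    for obj, why in gaps:
        print(f"GAP        {obj}: {why}")
```

Run as a script it prints the prioritised register, then the SoA with two gaps: 'Network access control' is needed by the denial-of-service scenario but nothing implements it (an omission to fix under Step 9), and 'Media handling and security' was left out with no justification (Step 10 requires one before an auditor sees it).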

How to implement the standard
If you perform all the 14 steps mentioned above, you will have implemented the standard. Alternatively, if you are short of manpower or expertise, employ an external agency to implement it for you. This will be especially useful when performing a detailed and objective risk analysis. A consultant will use a risk analysis questionnaire that has been refined by his experience. The time taken for the entire implementation depends on the size of the organization. It could be anywhere between 3 and 9 months.

Difference between BS 7799 and ISO 17799
ISO has adapted the BS 7799 Part 1 and numbered it as ISO 17799. As we discussed earlier, Part 1 covers the Code of Practice and as such only provides guidelines. ISO has not yet adapted the BS 7799 Part 2. So, there are no specifications, which an implementer or an auditor can refer to. An organization cannot be evaluated or certified today as an ISO 17799 compliant organization, but it can be certified as a BS 7799 compliant organization.

Why BS 7799 certification?
BS 7799 may not be a perfect security certification but it provides excellent guidelines for information security management. It presents a yardstick for measuring a company's security practices. The risk-oriented approach ensures that the organization does not become complacent after getting the certificate. If the risk has not been controlled, the ISMS may not be effective. So, apart from a periodic audit by an external auditor, the management could get regular feedback about the state of information security in the organization through the security management infrastructure created in the process of implementation of BS 7799.

Where to get the Standard?
You can order the Standard from www.c-cure.org for £94.00. In India, you may enquire with bsb@giasdl01.vsnl.net.in.

You may get more information about BS 7799 at www.bsi-global.com. Another site giving FAQs on BS 7799 is www.dnv.com. You can also download the 'DNV Interpretation guide to BS 7799' from this site.

Avinash Kadam is Chief Executive - Assurance and Training at Miel e-Security, Pvt. Ltd. He can be reached at awkadam@mielesecurity.com