Issue of December 2002 

Focus: Security Certification
Get Certified!

Protect your enterprise through audit and certification. by David Chin

Security certification is all about accountability to your shareholders, customers, partners and your own employees. It is also increasingly a matter of being a good global citizen, as unprotected networks are fast becoming a low-cost and effective launch point for the ill-intentioned to attack others.

It is also about humility: admitting that you cannot objectively assess your own security and need third-party scrutiny. Here is a look at the why, who, how and what of approaching security certification the right way.

A needs analysis
Certifications are important for individuals; from getting into universities to securing a job, the world gets its first impression and judges you by the supporting documents that accompany your resume. Whether you can really do the job well or how smart you are often doesn't count if you don't have the papers to show it first.

But what about your business? We often deal with companies and business partners because they provide a product or service that meets our business needs. As the global economy becomes meshed with global networks and more business is done electronically, the time is coming when people will not do business with you unless they can be sure that your organization's security policies are in line with theirs.

Take, for example, the outsourced services industry. Whether it is hosting, security, human resources or another service critical to your company, signing up with a big-name outsourcing organization does not guarantee that it is secure or immune to threats that could undermine your own operations. One of the most important enterprise certifications in the security space is BS7799.

Perhaps the most important thing a certification like BS7799 brings to the industry is a security datum: a common and more nearly absolute reference point, as opposed to claims such as "we have enterprise-class end-to-end security made up of best-of-breed technology."

Arguably, with the rise of social engineering and the like, technology may be the least significant part of the whole picture. Without proper security process and policy, security technology is a whitewash.

In addition, an insecure network today can become a launch point for attacks on others, including terrorist activity. That is as good a reason as any to consider security certification.

What's under the BS7799 spec?

BS7799-2:2002 covers 10 control areas comprising 36 control objectives, which in turn break down into 127 controls, referred to below as control points (CPs).

1. Security policy (2 CPs)
2. Security organisation (10 CPs)

  • information security infrastructure
  • third-party access control
  • outsourcing

3. Asset classification and control (3 CPs)

  • asset accountability
  • information classification

4. Personnel security (10 CPs)

  • job definition & resourcing
  • user training
  • incident response

5. Physical and environment security (13 CPs)

  • secure areas
  • equipment security
  • general controls

6. Communications and operations management (24 CPs)

  • operational procedures & responsibilities
  • system planning & acceptance
  • malicious software protection
  • housekeeping
  • network management
  • media handling & security
  • data & software exchange

7. Access control (31 CPs)

  • business requirement
  • user access management
  • user responsibilities
  • network, OS and application access control
  • monitoring system access and use
  • mobile computing and tele-workers

8. Systems development and maintenance (18 CPs)

  • system and application security requirements
  • cryptographic controls
  • system file security

9. Business continuity management (5 CPs)

10. Compliance (11 CPs)

  • compliance with legal requirements
  • security policy & technical compliance review
  • system audit considerations

BS7799 background: A standard and specification
BS7799 is a standard for an information security management system (ISMS), published by BSI (the British Standards Institution) in its 1999 revision (BS7799:1999), and consists of two parts. BS7799:1999 Part 1 is a code of practice: a catalogue of security best practices that anyone can buy and implement. In fact, the ISO17799 standard is equivalent to BS7799:1999 Part 1.

For enterprises seeking certification, what matters more is BS7799:1999 Part 2, the specification against which an ISMS is certified. As of September this year, a revised version of Part 2 (BS7799-2:2002) has been published. The revised specification aligns its structure with the ISO9000 quality management and ISO14000 environmental management standards.

From those standards BS7799-2:2002 adopts the continual-improvement model commonly known as the PDCA (Plan, Do, Check, Act) cycle. This ensures that a properly deployed ISMS keeps evolving along with the prevailing threats, rather than being assessed once and left to decay.

Speaking at a recent ISMS conference organized by Techworld, Ted Humphreys, the editor of the BS7799-2:2002 standard and director of XiSEC Information Security Management Services, said the standard is a holistic approach to developing an ISMS. "It allows you to get a good view of the business you wish to protect and understand the interfaces with the external world and its dependencies. BS7799 also allows you to understand the realities of opposing forces, system weaknesses, and how to realize the right balance," he said.

"It helps you to determine the level of risk and loss you are willing to accept."

Commenting on the revision, Humphreys said that its harmonization with ISO9000 and ISO14000 allows for the PDCA review process so that enterprises can respond to change and improve the ISMS over time. "Organizations need to expect change. Nothing is static," he said. "Security is a moving target and PDCA sets a continual improvement cycle."

Audit process
The process of getting BS7799 certified is not an easy one, and requires a dedicated team, meticulous planning and overall company support. (Strictly speaking, organizations are certified; it is the certification bodies that audit them that are accredited.)

Generally, the first step in the cycle is a gap analysis to see how far your enterprise is from its objective. The next step is to set up the management framework: define the scope of the ISMS, write the security policy, carry out a risk assessment, select the controls that treat the identified risks, and record those selections in the statement of applicability.

Next comes the implementation and documentation phase. Then the preliminary audit begins, in which the auditor and the organization agree the audit parameters, and the auditor reviews documents and conducts random interviews.

This is followed by a more stringent certification assessment before the company is certified, and the cycle continues with surveillance reviews every six months and a full reassessment every three years. To prevent conflicts of interest, a consultant who helped build the ISMS cannot audit it.

Between regular reviews, the auditors can do a spot check at any time. Unlike most toothless security policies in organizations today, BS7799 requires that everyone—from the CEO to the janitor—has to understand the company's security policy. The audits and reviews enforce this by randomly interviewing people within the company.

Perhaps this level of scrutiny, accountability and openness, is what makes the standard dependable and predictable. One sure thing is that you can't get certified for the sake of it, or go through the motions and pass out the policy booklets. If it's not a top-down and all-around philosophy, you probably won't pass the certification process.

Size doesn't matter
Debunking the notion that such highly regarded certifications are only meant for big companies, Humphreys said that one of the main objectives behind BS7799 over the past decade of development was to bring standardized best practices to small, medium and large businesses. Even individual departments can get certified.

"Although BS7799 has 127 control points, the nice thing about it is that you can select the critical controls you want to implement first and then build the system up," he said. "The worst thing you can do is nothing. Don't worry about the budget as you can start small." (see What's under the BS7799 spec?)

Thus, one of the first things you need to do when applying for BS7799 is define the scope of the certification and formulate a statement of applicability, which records which of the controls apply within that scope and justifies any that are excluded; you are then assessed within that scope. Your enterprise can start small and grow the scope as needs change. The scope also helps the organization clearly articulate a risk profile associated with its business activities. At the broad level, the risk profile of a bank and that of a manufacturing company would be different, although both use the same standard.

Gaining momentum
While the standard emerged in the UK, BS7799 is gaining momentum elsewhere. The XiSEC global registry now lists 149 companies with accredited BS7799 certificates.

Close to half are from the UK, while a good number (42) are from Southeast Asia. The US trails way behind with only three. In Singapore, five companies have been certified to date, namely Unilever GIO Asia, Citibank N.A., Asia Pacific Processing Center, GlaxoSmithKline, and Sony Information System Solutions (another is Singtel EXPAN, whose certification is still in progress).

Philip Sy, PSB Certification's Business Development & ISMS manager and IRCA-registered lead auditor, expects these numbers to grow rapidly, especially with the alignment with ISO9000 and ISO14000. "ISO14000 is corporate driven and ISO9000 is customer driven. BS7799 is a bit like ISO9000 because your customers will be affected by it. After ISO9000 became a standard, the take-up rate was 100,000 after a decade," he said.

One trend, noted Humphreys, is that more managed services and Internet data centers are seeing value in BS7799 certification. "Large companies want to present themselves as responsible companies with good corporate governance," he said. "This trend is putting more demands on smaller companies to get certified for contractual reasons."

And now to the key question: how much does it cost to get certified? The bulk of the cost is in bringing the auditors in for the duration of the audit, which typically takes five to seven days. This may cost up to US$6,000, although much depends on the scope and complexity of the implementation. Humphreys said a rough figure to work with for budget purposes would be 1-2 percent of the IT budget for getting and maintaining the certification.

Another standard that some enterprises may want to look at is ISO/IEC TR 13335, Guidelines for the Management of IT Security (GMITS). It complements BS7799 well in that it covers the management of risk, including risk assessment, controls and safeguards, in greater detail.

Monitoring and insurance
Eddie Chau has a lot to say about monitoring, and it's not just because he is the president and CEO of a security monitoring service provider. As much as infosecurity is related to technology, being able to monitor your infrastructure is equally important. "If you put in a security solution and don't monitor it, then you might as well turn it off," he said.

Drawing an analogy with the way companies deploy locks, motion detectors and guards from a security company to protect their buildings, Chau said the same needs to be done on our networks. We use firewalls as locks and IDSes as motion detectors; what is often ignored is the 24x7 monitoring that makes those detectors useful. "But a large proportion of the company's assets are now in information," he said.

The truth is that there needs to be a change in mindset. Just think about it. Will your company lose more today from a break-in into your building or a break-in into your network? The paradox is that if there is a building break-in, you may bring the security company to task, but if there is a network break-in, the responsibility is often dispersed—even though more valuable assets may be lost.

In the same context, he explained that a majority of big companies will not buy cyber insurance, but they will buy insurance for their buildings. But if your company's information is a greater asset, why is this so? Chau added that BS7799 compels organizations to identify and quantify these risks and do something about them. "In BS7799, you can either accept the risk, avoid it, minimize it, or transfer it to a third party cyber insurer like AIG, Chubb or Hong Kong & Shanghai Bank—there are only about five cyber-insurers in the world."

The process of working towards certification means that an organization commits to being audited by a third party, and becomes accountable for managing risks. Security cannot be treated as a cost centre; it has to be seen as a way of increasing the value of your information assets, as well as maintaining the trust without which you cannot do business.

BS7799 case study: NTT Data Corp.

When Japan's largest system integrator (more than 7,000 employees and 80 subsidiaries), NTT Data Corp, wanted to get BS7799 certified, the company decided to start with NTT Data's IT security center, consisting of 70+ employees and 30 subcontractors. This was followed by the public administration department. NTT Data is a subsidiary of Japanese carrier NTT, which also owns NTT Docomo.

Speaking at a Techworld conference on Information Security Management Standards & Practice 2002, Keiichiro Oguma, Assistant Manager, Security Business Division, NTT Data, said the BS7799 project team consisted of seven core members. One of the implementation goals was to increase awareness of security policies. NTT Data did this by passing out booklets on security policies and guidelines, and then created an online IS policy assessment of 20 questions for each employee. The implementation also included internal seminars and self-audits.

"From start to finish, the BS7799 certification for the IT security center took about nine months (Jan to Sep 2001). Pre-assessment was done by two people from BSI Japan, which took two days—one day for document review and another for the implementation audit," he said. The actual assessment phase took the same two auditors five days to complete, and the auditors went through the process of understanding the business, reviewing documents, personnel interviews, and implementation audit. A half day debrief ended the process.

Oguma added that the assessment focused on the business, the 127-control-point framework, and the scope. But some things came as a surprise. "They interviewed fewer employees than we expected, but there were more questions on the IT security system requirements than we thought," he said. During the six-monthly review, one event that caught attention was a Code Red attack. "Code Red got onto some of our servers and they [the auditors] asked what we did and checked for evidence of proper processes," he said.

The second implementation, at the public administration department, went more smoothly and was completed in six months (certified May 2002). An interesting issue that cropped up was a conflict in trying to harmonize BS7799 and ISO9001 for document management. "ISO required clear labeling for all to see, but BS7799 states that information is only for specific people and that it must be coded," he said. A workaround was eventually made by using a system that mapped codes to names.

As to the main benefits of being certified, Oguma said that with BS7799, responsibilities are made clear and there are consistent security controls. He also shared some difficulties. "The main problems were that there was some reluctance to implement security controls and some employees were not cooperative."

In conclusion, Oguma said that BS7799 certification only ensures that a security management framework is established and maintained. "It does not guarantee that all risks are considered, that the level of security will meet the requirement, or 100 percent compliance." Thus, he added, key issues that still need to be addressed include how a company approaches information sharing with partners and customers. "How do you ensure a standard level of security and cross-certify IS policies?" he asked.

This article first appeared in Network Computing—Asian Edition


Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD