Protect your enterprise through audit and certification
by David Chin

Security certification is about accountability: to your shareholders, customers, partners and your own employees. It is also increasingly a matter of being a good global citizen, because unprotected networks are fast becoming a cheap and effective launch pad for the ill-intentioned.
And it is about humility: admitting that you cannot objectively assess your own security and need third-party scrutiny. Here is a look at the why, who, how and what of approaching security the right way.
A needs analysis
Certifications are important for individuals: from getting into university to securing a job, the world forms its first impression and judges you by the supporting documents that accompany your resume. Whether you can really do the job well, or how smart you are, often does not count if you don't have the papers to show it first.
But what about your business? We often deal with companies and business partners because they provide a product or service that meets our business needs. As the global economy meshes with global networks and more business is done electronically, there will soon come a time when people won't do business with you if they can't be sure that your organization's security policies are in line with theirs.
Take the outsourced services industry. Whether it is hosting, security, human resources or another service critical to your company, signing up with a big-name outsourcing organization does not guarantee that it is secure, or immune to threats that could undermine your own operations. One of the most important enterprise certifications in the security space is BS7799.
Perhaps the most important thing a certification like BS7799 brings to the industry is a security datum: a common and more nearly absolute reference point, as opposed to claims such as "We have enterprise-class end-to-end security made up of best-of-breed technology."
Arguably, with the rise of social engineering and the like, technology may be the least significant part of the whole picture. Without proper security processes and policy, security technology is a whitewash.
In addition, an insecure network can today become a staging point for attacks on others, including terrorist activity. That is as good a reason as any to consider security certification.
What's under the BS7799 spec?

BS7799-2:2002 covers a total of 10 control areas consisting of 36 control objectives, which in turn break down to 127 control points (CPs).

1. Security policy (2 CPs)
2. Security organisation (10 CPs)
   - information security infrastructure
   - third-party access control
   - outsourcing
3. Asset classification and control (3 CPs)
   - asset accountability
   - information classification
4. Personnel security (10 CPs)
   - job definition and resourcing
   - user training
   - incident response
5. Physical and environmental security (13 CPs)
   - secure areas
   - equipment security
   - general controls
6. Communications and operations management (24 CPs)
   - operational procedures and responsibilities
   - malicious software protection
   - housekeeping
   - network management
   - media handling and security
   - data and software exchange
7. Access control (31 CPs)
   - business requirement
   - user access management
   - user responsibilities
   - network, OS and application access control
   - monitoring system access and use
   - mobile computing and teleworking
8. Systems development and maintenance (18 CPs)
   - system and application security requirements
   - cryptographic controls
   - system file security
9. Business continuity management (5 CPs)
10. Compliance (11 CPs)
   - legal requirements
   - security policy and technical compliance review
   - system audit considerations
BS7799 background: A standard and specification
BS7799 is a standard for information security management systems (ISMS) published by BSI (www.bsi-global.com). The 1999 revision (BS7799:1999) consists of two parts. Part 1 is a code of practice: a catalogue of security best practices that anyone can buy and implement without seeking certification. The ISO17799 standard is equivalent to BS7799:1999 Part 1.
For enterprises seeking certification, the more important document is BS7799:1999 Part 2, the specification against which an ISMS is audited and certified. In September 2002 a revised Part 2 (BS7799-2:2002) was published. The revision aligns BS7799 with the ISO9000 quality management and ISO14000 environmental management standards.
Both of those standards bring a continual improvement and change-management mechanism to BS7799, commonly known as the PDCA (Plan, Do, Check, Act) cycle. This ensures that a properly deployed ISMS keeps evolving as the prevailing threats change.
Speaking at a recent ISMS conference organized by Techworld, Ted Humphreys, the editor of the BS7799-2:2002 standard and director of XiSEC Information Security Management Services, said the standard is a holistic approach to developing an ISMS. "It allows you to get a good view of the business you wish to protect and understand the interfaces with the external world and its dependencies. The BS7799 also allows you to understand the realities of opposing forces, system weaknesses, and how to realize the right balance," he said.
"It helps you to determine the level of risk and loss you are willing to accept."
Commenting on the revision, Humphreys said that its harmonization with ISO9000 and ISO14000 allows for the PDCA review process, so that enterprises can respond to change and improve the ISMS over time. "Organizations need to expect change. Nothing is static," he said. "Security is a moving target and PDCA sets a continual improvement cycle."
Audit process
The process of getting BS7799 certified is not an easy one. It requires a dedicated team, meticulous planning and support across the company.
Generally, the first step is a gap analysis to see how far your enterprise is from the objective. The next step is to set up a management framework covering the security policy, the scope of the ISMS and the statement of applicability, and a risk assessment.
Next comes the implementation and documentation phase. Then the preliminary audit begins, in which the auditor and the organization agree on the audit parameters and the auditor conducts random interviews and document checks.
This is followed by a more stringent certification assessment before the certificate is issued. The cycle then continues with surveillance reviews every six months and a full audit every three years. To prevent conflicts of interest, the consultants who helped build the ISMS cannot act as its auditors.
Between regular reviews, the auditors can do a spot check at any time. Unlike most toothless security policies in organizations today, BS7799 requires that everyone, from the CEO to the janitor, understands the company's security policy, and the audits and reviews enforce this by randomly interviewing people within the company.
Perhaps this level of scrutiny, accountability and openness is what makes the standard dependable and predictable. One sure thing is that you cannot get certified for the sake of it, or go through the motions and hand out policy booklets. If it is not a top-down and all-around philosophy, you probably will not pass the certification process.
Size doesn't matter
Debunking the notion that such highly regarded certifications are only for big companies, Humphreys said that one of the main objectives behind BS7799 over its decade of development was to bring standardized best practices to small, medium and large businesses alike. Even individual departments can get certified.
"Although BS7799 has 127 control points, the nice thing about it is that you can select the critical controls you want to implement first and then build the system up," he said. "The worst thing you can do is nothing. Don't worry about the budget as you can start small." (See What's under the BS7799 spec?)
Thus, one of the first things you need to do when applying for BS7799 is define the scope of the ISMS and draw up a statement of applicability, which records which controls apply within that scope and justifies the ones left out; you are then assessed within that scope. Your enterprise can start small and grow the scope as needs change. The scope also helps the organization articulate a risk profile associated with its business activities. At the broad level, the risk profile of a bank and that of a manufacturing company would differ, although both use the same standard.
Gaining momentum
While the standard emerged in the UK, BS7799 is gaining momentum elsewhere. The XiSEC global registry now lists 149 companies holding accredited BS7799 certificates. Close to half are from the UK, while a good number (42) are from Southeast Asia. The US trails far behind with only three. In Singapore, five companies have been certified to date, namely Unilever GIO Asia, Citibank N.A., Asia Pacific Processing Center, e-Cop.net, GlaxoSmithKline and Sony Information System Solutions (another, Singtel EXPAN, has a certification still in progress).
Philip Sy, PSB Certification's Business Development & ISMS manager and an IRCA-registered lead auditor, expects these numbers to grow rapidly, especially with the alignment with ISO9000 and ISO14000. "ISO14000 is corporate driven and ISO9000 is customer driven. BS7799 is a bit like ISO9000 because your customers will be affected by it. After ISO9000 became a standard, the take up rate was 100,000 after a decade," he said.
One trend, noted Humphreys, is that more managed service providers and Internet data centers are seeing value in BS7799 certification. "Large companies want to present themselves as responsible companies with good corporate governance," he said. "This trend is putting more demands on smaller companies to get certified for contractual reasons."
And now to the key question: how much does it cost to get certified? The bulk of the cost is in bringing the auditors in for the duration of the audit, which typically takes five to seven days. This may cost up to US$6,000, although a lot depends on the scope and complexity of the implementation. For budgeting purposes, Humphreys said a rough figure to work with is 1-2 percent of the IT budget for getting and maintaining the certification.
Another standard that some enterprises may want to look at is ISO/IEC TR 13335, Guidelines for the Management of IT Security (GMITS). It complements BS7799 well in that it covers the management of risk, including risk assessment, controls and safeguards, in greater detail.
Monitoring and insurance
Eddie Chau has a lot to say about monitoring, and it's not just because he is president and CEO of e-Cop.net, a security monitoring service provider. As much as information security depends on technology, being able to monitor your infrastructure is just as important. "If you put in a security solution and don't monitor it, then you might as well turn it off," he said.
Drawing an analogy with the locks, motion detectors and guards that companies buy from a security firm to protect a building, Chau said the same needs to be done on our networks. We use firewalls as locks and IDSes as motion detectors; what is often left out is the 24x7 monitoring. "But a large proportion of the company's assets are now in information," he said.
The truth is that a change in mindset is needed. Think about it: will your company lose more today from a break-in at your building or a break-in on your network? The paradox is that after a building break-in you may take the security company to task, but after a network break-in the responsibility is often dispersed, even though more valuable assets may have been lost.
In the same vein, he explained that most big companies will not buy cyber insurance, yet they will insure their buildings. If your company's information is the greater asset, why is this so? Chau added that BS7799 compels organizations to identify and quantify these risks and do something about them. "In BS7799, you can either accept the risk, avoid it, minimize it, or transfer it to a third party cyber insurer like AIG, Chubb or Hong Kong & Shanghai Bank. There are only about five cyber-insurers in the world."
Working towards certification means that an organization commits to being audited by a third party and becomes accountable for managing its risks. Security cannot be treated as a cost centre; it has to be seen as a way of increasing the value of your information assets and of maintaining trust, without which you cannot do business.
BS7799 case study: NTT Data Corp.

When Japan's largest system integrator (more than 7,000 employees and 80 subsidiaries), NTT Data Corp, wanted to get BS7799 certified, it decided to start with its IT security center, consisting of 70-plus employees and 30 subcontractors. This was followed by the public administration department. NTT Data is a subsidiary of Japanese carrier NTT, which also owns NTT Docomo.
Speaking at the Techworld conference on Information Security Management Standards & Practice 2002, Keiichiro Oguma, Assistant Manager, Security Business Division, NTT Data, said the BS7799 project team consisted of seven core members. One of the implementation goals was to raise awareness of security policies. NTT Data did this by handing out booklets on security policies and guidelines, then creating an online IS policy assessment of 20 questions for each employee. The implementation also included internal seminars and self-audits.
"From start to finish, the BS7799 certification for the IT security center took about nine months (Jan to Sep 2001). Pre-assessment was done by two people from BSI Japan, which took two days: one day for document review and another for the implementation audit," he said. The actual assessment took the same two auditors five days to complete, covering an understanding of the business, document review, personnel interviews and an implementation audit. A half-day debrief ended the process.
Oguma added that the assessment focused on the business, the 127-control-point framework and the scope. But some things came as a surprise. "They interviewed fewer employees than we expected, but there were more questions on the IT security system requirements than we thought," he said. During the six-monthly review, one event that caught the auditors' attention was a Code Red attack. "Code Red got onto some of our servers and they [the auditors] asked what we did and checked for evidence of proper processes," he said.
The second implementation, at the public administration department, went more smoothly and was completed in six months (certified May 2002). An interesting issue that cropped up was a conflict in harmonizing BS7799 and ISO9001 for document management. "ISO required clear labeling for all to see, but BS7799 states that information is only for specific people and that it must be coded," he said. The workaround was a system that mapped codes to names.
As for the main benefits of being certified, Oguma said that with BS7799, responsibilities are made clear and security controls are consistent. He also shared some difficulties. "The main problems were that there was some reluctance to implement security controls and some employees were not cooperative."
In conclusion, Oguma said that BS7799 certification only ensures that a secure management framework is established and maintained. "It does not guarantee that all risks are considered, that the level of security will meet the requirement, or 100 percent compliance." Key issues that still need to be addressed, he added, include how a company approaches information sharing with partners and customers. "How do you ensure a standard level of security and cross certify IS policies?" he asked.
This article first appeared in Network Computing, Asian Edition.