
ADDRESSING CORPORATE CONCERNS ON INFORMATION SECURITY MANAGEMENT WITH ISO 17799/BS 7799

Ajai K. Srivastava
G.M. Marketing
BSI India
Presentation Outline

1. The Global Information Village
2. The Need for Protection
3. BS 7799 – An Overview
4. Implementing an ISMS based on BS 7799
5. Benefits of using BS 7799
1. THE GLOBAL INFORMATION VILLAGE

www.bsiindia.com

The Global Information Village
The Paradigm Shift in the Nature of Information

INDUSTRIAL ECONOMY
♦ Information as noun
♦ Static: e.g. memo, financial report etc.
♦ Automation: an idiot savant, assisting in managing repetitive discrete steps

INFORMATION ECONOMY
♦ Information as verb
♦ Dertouzos: "Information Work", e.g. designing a building
♦ Dominates the terrain: 50 to 60 % of an industrialised country's GNP
THE DIGITAL NERVOUS SYSTEM

[figure: the Digital Nervous System at the centre, linking Basic Operations, Business Reflexes, Strategic Thinking and Customer Interaction]

BUSINESS @ THE SPEED OF THOUGHT
INFORMATION FLOW IS THE LIFEBLOOD OF YOUR BUSINESS
♦ Information tends to be the most undervalued asset a business has.

♦ Information can directly affect the most valuable asset a business has: IMAGE
“Information is an asset which, like
other important business assets, has
value to an organization and
consequently needs to be suitably
protected.”

ISO/IEC 17799:2000

2. THE NEED FOR PROTECTION
Information Security

[figure: INFORMATION at the centre, with ATTACK labels closing in from every side]

Typical Technology Responses

Information Security

[figure: the same picture repeated on two further slides, with more ATTACK labels around INFORMATION each time]

Information Security

[figure: INFORMATION alone, with no ATTACK labels]
Management System – Building Blocks

[figure: Total Business Management System; Inputs flow through the Core Processes to Outputs, with Management above and Support Processes and Resources beneath]

[figure: Business Management System at the centre, surrounded by Quality, Environment, Information Security, Risk, People, Health and Safety, and Improvement]
[figure: Business Management System (BSI-IMS) at the centre, with the standard for each aspect around it]
♦ Quality: ISO 9001:2000, QS-9000/TS 16949, AS9000/AS9100, TL9000
♦ Environment: ISO 14001
♦ Info Sec: BS 7799
♦ H&S: OHSAS 18001
♦ Customers: BS 8600
♦ Risk: BSI Risk Mgmt
♦ Improvement: ISO 9004

Management Systems & Standards

[figure: stack of management system standards, with increasing aspects covered from bottom to top]
♦ ISO 9001 Quality Management
♦ ISO 14001 Environmental Management
♦ OHSAS 18001 Health and Safety Management
♦ ISO 17799 Information Security Management: Stakeholders Involved
♦ ISO 9004 Performance Improvement: All Interested Parties
Managing your Risks

Information Security Assurance
♦ 3 different layers
• PRODUCT LEVEL ASSURANCE
– e.g. Firewall: the product is fit for its purpose
• PROCESS LEVEL ASSURANCE
– e.g. Credit card transactions: robust processes to protect interested parties
• MANAGEMENT SYSTEM LEVEL ASSURANCE
– e.g. ISMS: systemic, proactive responses aligned to business objectives to protect ALL stakeholders: management, employees, customers, suppliers, users, regulators etc.
The Virtuous M S Spiral

[figure: management system cycle of Commitment and Policy → Planning → Implementation and Operation → Checking and Corrective Action → Management Review, spiralling upwards through Continual Improvement]
ISMS – Your Competitive Edge
Managing Risks to Information Assets to:
♦ Protect Brand
♦ Retain Customers, and
♦ Enhance Market Capitalization

Information Security Management must be viewed as a strategic dimension of your business
Critical Security Concerns

VIRUSES – 22%
HACKERS – 21%
R.A. CONTROLS – 17%
INTERNET SECURITY – 17%
DATA PRIVACY – 10%

The First Global Information Security Survey – KPMG 2002
What is the damage: QUANTIFIABLE

The average direct loss of all breaches suffered by each organization is USD 108,000 (GBP 30,000; INR 500,000).

The First Global Information Security Survey – KPMG 2002

What is the damage: INCALCULABLE
The loss of
♦ Productivity
♦ Recovery Costs
♦ Customers
♦ Market Capitalisation
♦ Shareholder Value
♦ Credibility
Common Myths About
Information Security
♦ Myth 1:
– Information Security is the concern and responsibility of the MIS/IT
manager
♦ Myth 2:
– Security Threats from outsiders are the greatest source of risks
♦ Myth 3:
– Information Security is assured by safeguarding networks and the IT
infrastructure
♦ Myth 4:
– Managing People issues is not as important
♦ Myth 5:
– Adopting latest technological solutions will increase security

3. BS 7799 – AN OVERVIEW
What is Information Security
♦ ISO 17799:2000 defines this as the
preservation of:
– Confidentiality
• Ensuring that information is accessible only to those
authorized to have access
– Integrity
• Safeguarding the accuracy and completeness of
information and processing methods
– Availability
• Ensuring that authorized users have access to information
and associated assets when required
ISO/IEC 17799:2000

ISO/IEC 17799 ?

♦ What it is:
– An internationally recognized structured methodology dedicated to information security
– A defined process to evaluate, implement, maintain, and manage information security
– A comprehensive set of controls comprised of best practices in information security
– Developed by industry for industry

♦ What it is not:
– A technical standard
– Product or technology driven
– An equipment evaluation methodology (such as the Common Criteria/ISO 15408)
– Related to the "Generally Accepted System Security Principles", or GASSP
– Related to the five-part "Guidelines for the Management of IT Security", or GMITS/ISO TR 13335
What does it comprise ?

♦ ISO/IEC 17799:2000
Code of Practice for Information Security

♦ BS 7799-2:2002
Specification for information security
management systems

BS 7799-2:2002 – the Plan-Do-Check-Act cycle

Plan
• Define ISMS scope and policy
• Define a systematic approach to risk assessment
• Identify the risk
• Apply the systematic approach for assessing the risk
• Identify and evaluate options for the treatment of risk
• Select control objectives and controls for the treatment of risks

Do
• Implement a specific management programme
• Implement the controls that have been selected
• Manage operations
• Manage resources
• Implement procedures and other control processes

Check
• Execute procedures and other controls
• Undertake regular reviews of the effectiveness of the ISMS
• Review the level of residual risk and acceptable risk
• Execute the management procedure
• Record and report all actions and events

Act
• Measure performance of the ISMS
• Identify improvements in the ISMS and effectively implement them
• Take appropriate corrective and preventive action
• Communicate the results and actions and consult with all parties involved
• Revise the ISMS where necessary
• Ensure that the revisions achieve their intended objectives
BS 7799 – 10 Domains of Information Security Management
♦ Information Security Policy
♦ Security Organisation
♦ Asset Classification and Control
♦ Personnel Security
♦ Physical Security
♦ Communications Management
♦ Access Controls
♦ System Development
♦ Continuity Planning
♦ Compliance

4. IMPLEMENTING AN ISMS BASED ON BS 7799
BS 7799 Registrations Around the Globe

Region         Number of Certificates
Australia        5
Austria          2
Brazil           2
China            5
Egypt            1
Finland          8
Germany          8
Greece           2
Hong Kong        7
Hungary          3
Iceland          1
India           13
Ireland          3
Italy           11
Japan           34
Korea           11
Malaysia         1
Mexico           1
Norway           7
Singapore        9
Spain            1
Sweden           4
Switzerland      1
Taiwan           4
UAE              1
UK              91
USA              3
Total          239
BS 7799 Registrations In India

1. Churchill India (P) Ltd, New Delhi
2. Cognizant Technology Solutions, Chennai
3. Hughes Software Systems, Gurgaon
4. ICICI OneSource Limited
5. Larsen & Toubro Ltd, Mumbai and Vadodara
6. Mascot Systems Ltd.
7. Satyam Computer Systems, Secunderabad
8. Shipara Technologies Ltd
9. STMicroelectronics Ltd, Noida
10. Tata Iron and Steel Company Ltd
11. Wipro Technologies
12. Xansa
13. Xansa (India) Ltd
Building a Management System

[figure: INPUT (client business awareness) → Management System Build Process (develop; measure/analyse progress) → OUTPUT (BSI certification; business improvement); roles beneath: Client, Consultant, BSI]
Initiating BS 7799 Implementation
♦ Step 1: ISMS – Defining Policy & Organization Structure
♦ Step 2: ISMS – Defining the Scope
♦ Step 3: ISMS – Risk Assessment
♦ Step 4: ISMS – Risk Management
♦ Step 5: ISMS – Choosing Controls
♦ Step 6: ISMS – Statement of Applicability
Risk Assessment and Risk Management Process

Risk Assessment
♦ Asset identification and valuation
♦ Identification of vulnerabilities and identification of threats
♦ Evaluation of impacts
♦ Business risks
♦ Rating/ranking of risks
♦ Degree of assurance

Risk Management
♦ Review of existing security controls
♦ Gap analysis
♦ Identification of new security controls
♦ Policy and procedures
♦ Implementation and risk reduction
♦ Risk acceptance (residual risk)
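The six implementation steps and the assessment/treatment flow above are given only as boxes and arrows. The following Python is an added worked example, not code from the BSI presentation and not part of BS 7799 itself: it builds a small risk register, rates and ranks the risks, selects controls for each risk until the residual rating is at or below an acceptance level, flags risks that stay above it for formal management acceptance, and produces a Statement of Applicability for a control catalogue. BS 7799-2 prescribes no scoring formula; the 1 to 5 scales, the multiplicative rating, the acceptance level of 20, the control effectiveness values and the CTL-nn identifiers are this example's assumptions, and every asset, threat, vulnerability and control below is constructed sample data.

```python
"""Risk assessment, risk treatment and Statement of Applicability, in the shape the
slides describe. Added example: scales, scoring and control effectiveness values are
this example's own assumptions, not requirements of BS 7799-2 or ISO/IEC 17799."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: int        # 1 (negligible) .. 5 (business critical), from asset valuation

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # 1 (rare) .. 5 (expected)

@dataclass(frozen=True)
class Vulnerability:
    name: str
    severity: int     # 1 (hard to exploit, minor impact) .. 5 (trivial, severe)

@dataclass(frozen=True)
class Control:
    ref: str          # hypothetical identifier, not an ISO 17799 clause number
    name: str
    applies_to: str   # name of the vulnerability this control mitigates
    reduces: str      # "likelihood" or "severity"
    by: int           # scale points removed from that factor (assumed effectiveness)

@dataclass
class Risk:
    asset: Asset
    threat: Threat
    vuln: Vulnerability
    controls: List[Control] = field(default_factory=list)

    def score(self, residual: bool = False) -> int:
        """Rating = asset value x likelihood x severity (assumed scheme); with
        residual=True the selected controls' reductions are applied first."""
        likelihood, severity = self.threat.likelihood, self.vuln.severity
        if residual:
            for c in self.controls:
                if c.reduces == "likelihood":
                    likelihood -= c.by
                else:
                    severity -= c.by
        return self.asset.value * max(likelihood, 1) * max(severity, 1)

def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Rating/ranking of risks: highest inherent rating first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)

def treat_risks(risks: List[Risk], catalogue: List[Control], acceptance: int) -> List[Dict]:
    """Risk treatment: per ranked risk, select applicable controls (strongest first) until
    the residual rating is at or below the acceptance level. A risk still above it gets
    accepted=False: it needs explicit management acceptance or further controls."""
    report = []
    for r in rank_risks(risks):
        r.controls = []
        candidates = sorted((c for c in catalogue if c.applies_to == r.vuln.name),
                            key=lambda c: (-c.by, c.ref))
        for c in candidates:
            if r.score(residual=True) <= acceptance:
                break
            r.controls.append(c)
        residual = r.score(residual=True)
        report.append({"asset": r.asset.name, "threat": r.threat.name,
                       "vulnerability": r.vuln.name, "inherent": r.score(),
                       "residual": residual, "controls": [c.ref for c in r.controls],
                       "accepted": residual <= acceptance})
    return report

def statement_of_applicability(catalogue: List[Control], report: List[Dict]) -> Dict[str, str]:
    """Statement of Applicability: every catalogue control with the reason it was
    selected (the risks it treats) or not selected."""
    soa = {}
    for c in catalogue:
        treated = [f'{e["asset"]} / {e["threat"]}' for e in report if c.ref in e["controls"]]
        soa[c.ref] = (f"Selected: treats {'; '.join(treated)}" if treated
                      else "Not selected: no assessed risk requires it")
    return soa

def example_register() -> Tuple[List[Risk], List[Control]]:
    """Constructed sample register (not data from the presentation)."""
    db, web = Asset("customer database", 5), Asset("marketing website", 2)
    intrusion, insider, ransom = (Threat("external intrusion", 4),
                                  Threat("insider misuse", 3), Threat("ransomware", 3))
    unpatched = Vulnerability("unpatched web server", 4)
    shared_pw = Vulnerability("shared admin password", 4)
    no_backup = Vulnerability("no tested backups", 5)
    risks = [Risk(db, intrusion, unpatched), Risk(db, insider, shared_pw),
             Risk(web, intrusion, unpatched), Risk(db, ransom, no_backup)]
    catalogue = [
        Control("CTL-01", "Patch management procedure", "unpatched web server", "severity", 3),
        Control("CTL-02", "Individual administrator accounts", "shared admin password", "likelihood", 2),
        Control("CTL-03", "Password management system", "shared admin password", "severity", 2),
        Control("CTL-04", "Offline backups", "no tested backups", "severity", 2),
        Control("CTL-05", "Clear desk policy", "paper records left on desks", "likelihood", 2),
    ]
    return risks, catalogue

def run_example(acceptance: int = 20) -> Tuple[List[Dict], Dict[str, str]]:
    risks, catalogue = example_register()
    report = treat_risks(risks, catalogue, acceptance)
    return report, statement_of_applicability(catalogue, report)

if __name__ == "__main__":
    for e in run_example()[0]:
        print(f'{e["inherent"]:>3} -> {e["residual"]:>3}  {e["asset"]} / {e["threat"]}'
              f'  controls={e["controls"]}  accepted={e["accepted"]}')
```

Running the module prints one line per risk in ranked order. The ransomware risk stays at 45 after the only applicable control is applied, which is exactly the case the risk acceptance step exists for: it must either be accepted by management in writing or treated further, and the register records which. The control that no assessed risk requires appears in the Statement of Applicability as not selected, with the reason recorded, which is what an auditor checks the SoA for.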
BS 7799 Implementation

[figure: Plan-Do-Check-Act cycle]
♦ Plan: Information Security Policy; Security Organisation; Classify Assets
♦ Do: Apply the Controls; Operationalise Process
♦ Check: Check Process
♦ Act: Management Review; Corrective Action
ISMS Documentation

♦ Level 1: Security Manual: policy, scope, risk assessment, statement of applicability; management framework policies relating to BS 7799-2
♦ Level 2: Procedures: describe processes (who, what, when, where)
♦ Level 3: Work Instructions, checklists, forms, etc.: describe how tasks and specific activities are done
♦ Level 4: Records: provide objective evidence of compliance to ISMS requirements
Critical Success Factors
♦ Security policy that reflects business objectives
♦ Implementation approach is consistent with company culture
♦ Visible support and commitment from management
♦ Good understanding of security requirements, risk assessment and risk management
♦ Effective marketing of security to all managers and employees
♦ Providing appropriate training and education
♦ A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement
5. BENEFITS OF BS 7799
Benefits of BS 7799 certification
♦ Opportunity to identify and fix weaknesses
♦ Senior management take ownership of information security
♦ Provides confidence to trading partners and customers
♦ Independent review of your Information Security Management System
Key Challenges facing executives
– Enterprises must manage threats to information security across many fields, while attackers can choose to specialize in narrow fields of competency
– Fractured corporate response to such focused attacks
– To think precisely about the concept of threat in the security context of the organization
– Executives must develop non-traditional competencies in strategic risk management
– Executives must manage

ENTERPRISE SECURITY PROACTIVELY
Further Information

Email: ajai.srivastava@bsiindia.com

Tel: +11 2371 9002/3

Fax: +11 2373 9003