ON INFORMATION SECURITY MANAGEMENT WITH ISO 17799/BS 7799
Ajai K. Srivastava
G.M. Marketing
BSI India
Presentation Outline
3. BS 7799 – An Overview
www.bsiindia.com
The Global Information Village
The Paradigm Shift in the Nature of Information

INDUSTRIAL ECONOMY
♦ Information as noun
♦ Static: e.g. memo, financial report etc.
♦ Automation: an idiot savant, assisting in managing repetitive discrete steps

INFORMATION ECONOMY
♦ Information as verb
♦ Dertouzos: "Information Work", e.g. designing a building
♦ Dominates the terrain: 50 to 60 % of an industrialised country's GNP
THE DIGITAL NERVOUS SYSTEM
[Diagram: the Digital Nervous System linking Basic Operations, Business Reflexes, Strategic Thinking and Customer Interaction]
♦ Information tends to be the most undervalued asset a business has.
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”
ISO/IEC 17799:2000
2. THE NEED FOR PROTECTION
Information Security
[Diagram: INFORMATION at the centre, surrounded by ATTACK from every direction]

Typical Technology Responses
[Diagram: attacks against point technology defences]

Information Security
[Diagram: INFORMATION still surrounded by ATTACK despite the technology responses]

Information Security
[Diagram: INFORMATION]
Management System – Building Blocks
[Diagram: Total Business Management System. Management directs the Core Processes (Inputs → Outputs), supported by Support Processes and Resources]
[Diagram: Business Management System covering Environment, Information Security, Quality, Risk, People, System, Health and Safety, and Improvement]
[Diagram: the standard behind each area of the Business Management System]
♦ Quality: ISO 9001:2000, QS-9000/TS 16949, AS9000/AS9100, TL9000
♦ Environment: ISO 14001
♦ InfoSec: BS 7799
♦ H&S: OHSAS 18001
♦ Business Management System: BSI-IMS
♦ Customers: BS 8600
♦ Risk: BSI Risk Mgmt
♦ Improvement: ISO 9004
Management Systems & Standards
♦ ISO 9004 – Performance Improvement (all interested parties)
♦ ISO 17799 – Information Security Management (stakeholders involved)
♦ OHSAS 18001 – Health and Safety Management
♦ ISO 14001 – Environmental Management
♦ ISO 9001 – Quality Management
Managing your Risks
Information Security Assurance
♦ 3 different layers
• PRODUCT LEVEL ASSURANCE
– e.g. Firewall: the product is fit for its purpose
• PROCESS LEVEL ASSURANCE
– e.g. Credit card transactions: robust processes to protect interested parties
• MANAGEMENT SYSTEM LEVEL ASSURANCE
– e.g. ISMS: systemic, proactive responses aligned to business objectives to protect ALL stakeholders: management, employees, customers, suppliers, users, regulators etc.
The Virtuous M S Spiral
[Diagram: continual improvement cycle] Commitment and Policy → Planning → Implementation and Operation → Checking and Corrective Action → Management Review → (back to Commitment and Policy)
ISMS – Your Competitive Edge
Managing Risks to Information Assets to:
♦ Protect Brand
Critical Security Concerns
VIRUSES – 22%
HACKERS – 21%
R.A. CONTROLS – 17%
INTERNET SECURITY – 17%
DATA PRIVACY – 10%
What is the damage?
QUANTIFIABLE

What is the damage?
INCALCULABLE – the loss of:
♦ Productivity
♦ Recovery Costs
♦ Customers
♦ Market Capitalisation
♦ Shareholder Value
♦ Credibility
Common Myths About
Information Security
♦ Myth 1:
– Information Security is the concern and responsibility of the MIS/IT
manager
♦ Myth 2:
– Security Threats from outsiders are the greatest source of risks
♦ Myth 3:
– Information Security is assured by safeguarding networks and the IT
infrastructure
♦ Myth 4:
– Managing People issues is not as important
♦ Myth 5:
– Adopting latest technological solutions will increase security
3. BS 7799 – AN OVERVIEW
What is Information Security?
♦ ISO 17799:2000 defines this as the
preservation of:
– Confidentiality
• Ensuring that information is accessible only to those
authorized to have access
– Integrity
• Safeguarding the accuracy and completeness of
information and processing methods
– Availability
• Ensuring that authorized users have access to information
and associated assets when required
ISO/IEC 17799:2000
ISO/IEC 17799 ?
♦ What it is:
• An internationally recognized structured methodology dedicated to information security
• A defined process to evaluate, implement, maintain, and manage information security
• A comprehensive set of controls comprised of best practices in information security
• Developed by industry for industry
♦ What it is not:
• A technical standard
• Product or technology driven
• An equipment evaluation methodology (such as the Common Criteria/ISO 15408)
• Related to the "Generally Accepted System Security Principles," or GASSP
• Related to the five-part "Guidelines for the Management of IT Security," or GMITS/ISO TR 13335
What does it comprise?
♦ ISO/IEC 17799:2000
Code of Practice for Information Security
♦ BS 7799-2:2002
Specification for information security management systems
BS 7799-2:2002 – the Check and Act phases of the Plan-Do-Check-Act cycle
Check
• Measure performance of the ISMS
• Identify improvements in the ISMS and effectively implement them
Act
• Take appropriate corrective & preventive action
• Communicate the results and actions and consult with all parties involved
• Revise the ISMS where necessary
• Ensure that the revisions achieve their intended objectives
BS 7799 – 10 Domains of Information Security Management
1. Information Security Policy
2. Security Organisation
3. Asset Classification and Controls
4. Personnel Security
5. Physical Security
6. Communications Management
7. Access Controls
8. System Development
9. Continuity Planning
10. Compliance
4. IMPLEMENTING AN ISMS BASED ON BS 7799
BS 7799 Registrations Around the Globe

Region        Number of Certificates
Australia       5
Austria         2
Brazil          2
China           5
Egypt           1
Finland         8
Germany         8
Greece          2
Hong Kong       7
Hungary         3
Iceland         1
India          13
Ireland         3
Italy          11
Japan          34
Korea          11
Malaysia        1
Mexico          1
Norway          7
Singapore       9
Spain           1
Sweden          4
Switzerland     1
Taiwan          4
UAE             1
UK             91
USA             3
Total         239
BS 7799 Registrations in India

Sl. No.  Name of Company
1        Churchill India (P) Ltd, New Delhi
2        Cognizant Technology Solutions, Chennai
3        Hughes Software Systems, Gurgaon
4        ICICI OneSource Limited
Building a Management System
[Diagram: Develop → Measure/Analyse → Progress]
Initiating BS 7799 Implementation
♦ Step 1: ISMS – Defining Policy & Organization Structure
♦ Step 2: ISMS – Defining the Scope
♦ Step 3: ISMS – Risk Assessment
♦ Step 4: ISMS – Risk Management
♦ Step 5: ISMS – Choosing Controls
♦ Step 6: ISMS – Statement of Applicability
Risk Assessment and Risk Management Process

Risk Assessment
• Asset identification and valuation
• Identification of vulnerabilities
• Identification of threats
• Evaluation of impacts
• Business risks
• Rating/ranking of risks
• Degree of assurance

Risk Management
• Review of existing security controls
• Gap analysis
• Identification of new security controls
• Policy and procedures
• Risk acceptance (residual risk)
• Implementation and risk reduction
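The six implementation steps and the risk assessment / risk management flow above are easier to see as one concrete pass through a risk register. The following script is an added illustration, not code from BSI or from these slides: it values assets on their confidentiality, integrity and availability, pairs threats with vulnerabilities, rates and ranks the risks, reviews existing controls, runs a gap analysis against a control catalogue until the residual risk meets an acceptance criterion, and ends with a Statement of Applicability that records why each control is included or excluded. The 1-to-5 scales, the acceptance threshold, the control references (OPS-1, AC-1 and so on) and the sample assets, threats and vulnerabilities are all constructed for the example; the control domain names are taken from the ten domains listed earlier in the deck.

```python
from dataclasses import dataclass, field

# Constructed 1..5 scales for asset value and likelihood. The acceptance
# criterion (value x likelihood at or below 6) is a hypothetical choice an
# organisation would make in its own risk management policy.
ACCEPT_AT_OR_BELOW = 6


@dataclass(frozen=True)
class Control:
    ref: str             # hypothetical control reference, not an ISO clause number
    domain: str          # BS 7799 control domain the control belongs to
    likelihood_cut: int  # likelihood points removed when the control is in place
    mitigates: frozenset # vulnerability labels the control addresses


@dataclass
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def value(self) -> int:
        # The highest of the three CIA valuations sets the asset's worth.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                               # 1..5 before any controls
    existing: list = field(default_factory=list)  # controls already in place
    selected: list = field(default_factory=list)  # controls chosen by gap analysis

    def rating(self, controls) -> int:
        # Impact is approximated by asset value; controls reduce likelihood but
        # never below 1, so no risk is ever rated as impossible.
        cut = sum(c.likelihood_cut for c in controls)
        return self.asset.value() * max(1, self.likelihood - cut)

    def inherent(self) -> int:
        return self.rating([])

    def current(self) -> int:
        return self.rating(self.existing)

    def residual(self) -> int:
        return self.rating(self.existing + self.selected)


def rank_risks(risks):
    """Rating/ranking step: order the register by current risk, highest first."""
    return sorted(risks, key=lambda r: r.current(), reverse=True)


def gap_analysis(risk, catalogue) -> bool:
    """Review existing controls, then add catalogue controls that address this
    risk's vulnerability (strongest first) until the residual risk is acceptable.
    Returns True when the residual risk can be accepted, False when it still
    exceeds the criterion and needs escalation or a different treatment."""
    risk.selected = []
    candidates = [c for c in catalogue
                  if risk.vulnerability in c.mitigates and c not in risk.existing]
    for ctl in sorted(candidates, key=lambda c: c.likelihood_cut, reverse=True):
        if risk.residual() <= ACCEPT_AT_OR_BELOW:
            break
        risk.selected.append(ctl)
    return risk.residual() <= ACCEPT_AT_OR_BELOW


def statement_of_applicability(risks, catalogue):
    """Map every catalogue control to (applicable?, justification)."""
    soa = {}
    for ctl in catalogue:
        covered = [f"{r.asset.name}: {r.threat}" for r in risks
                   if ctl in r.existing or ctl in r.selected]
        soa[ctl.ref] = (bool(covered), "; ".join(covered) or "no identified risk requires it")
    return soa


# Constructed control catalogue and risk register.
PATCH = Control("OPS-1", "Communications Management", 2, frozenset({"unpatched web server"}))
BACKUP = Control("OPS-2", "Communications Management", 3, frozenset({"no offsite backup"}))
ACCESS = Control("AC-1", "Access Controls", 2, frozenset({"shared admin password"}))
AWARENESS = Control("PER-1", "Personnel Security", 1,
                    frozenset({"shared admin password", "unpatched web server"}))
PHYSICAL = Control("PHY-1", "Physical Security", 2, frozenset({"unlocked server room"}))
CATALOGUE = [PATCH, BACKUP, ACCESS, AWARENESS, PHYSICAL]

CUSTOMER_DB = Asset("customer database", 5, 4, 3)
PAYROLL = Asset("payroll spreadsheet", 3, 4, 2)
DOMAIN_CONTROLLER = Asset("domain controller", 5, 5, 5)

REGISTER = [
    Risk(CUSTOMER_DB, "external attacker", "unpatched web server", 4, existing=[AWARENESS]),
    Risk(CUSTOMER_DB, "hardware failure", "no offsite backup", 3),
    Risk(PAYROLL, "insider misuse", "shared admin password", 3),
    Risk(DOMAIN_CONTROLLER, "credential theft", "shared admin password", 5),
]


def run_assessment(risks=REGISTER, catalogue=CATALOGUE):
    """Run the whole cycle; returns (ranked risks, acceptance per risk, SoA)."""
    ranked = rank_risks(risks)
    accepted = {f"{r.asset.name}: {r.threat}": gap_analysis(r, catalogue) for r in ranked}
    return ranked, accepted, statement_of_applicability(risks, catalogue)


if __name__ == "__main__":
    ranked, accepted, soa = run_assessment()
    for r in ranked:
        key = f"{r.asset.name}: {r.threat}"
        print(f"{r.current():>2} -> {r.residual():>2}  {key}  accepted={accepted[key]}")
    for ref, (applicable, why) in soa.items():
        print(f"{ref}: {'applicable' if applicable else 'excluded'} ({why})")
```

The domain controller risk is the one worth noticing: even with every matching catalogue control applied, its residual rating stays above the acceptance criterion, so the register reports it as not accepted and it has to go back to management for a decision (a further control, a changed acceptance criterion, or explicit sign-off on the residual risk) rather than silently passing. The Statement of Applicability also records the excluded physical control with its reason, which is what an auditor will look for.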
BS 7799 Implementation
[Diagram: Plan-Do-Check-Act cycle]
Plan: Information Security Policy; Security Organisation; Classify Assets; Process
Do: Apply the Controls; Operationalise Process
Check: Check
Act: Management Review; Corrective Action
ISMS Documentation
Level 1 – Security Manual: policy, scope, risk assessment, statement of applicability; management framework policies relating to BS 7799-2
Level 3 – Work Instructions: describes how tasks and specific activities are done; checklists, forms, etc.
Critical Success Factors
♦ Security policy that reflects business objectives
5. BENEFITS OF BS 7799

Benefits of BS 7799 certification
Key Challenges facing executives
– Enterprises must manage threats to information security across many fields, while attackers can choose to specialize in narrow fields of competence
– Fractured corporate response to such focused attacks
– To think precisely about the concept of threat in the security context of the organization
– Executives must develop non-traditional competencies in strategic risk management
– Executives must manage
Further Information
Email: ajai.srivastava@bsiindia.com