
IT Security MUST Support The Business

IT Security people MUST understand The Business, and
The Business needs to be able to manage IT Security
IT Security Management
Final decisions about IT Security must be taken by The Business Expert (The Management)

Only The Management must decide the level of IT Security in the
company in relation to:
Values (assets)
Image
Business Risks
Requirements from Customers, Partnerships and Company

Business management must
Control the entire cycle of IT Security activities
Maintain and follow up regularly
Reports
A three-pronged ISMS approach
Sets the framework for:
Management goal setting based on prioritised risk
Setting up a structured system with essential elements and methods
Enables internal and external evaluation for further system development (improvement)
ISMS
Who needs ISMS?
Every organisation, company, firm or institution
handling information: BASICALLY EVERYBODY!
Banks
IT companies
Government (example: tax office)
Consultancy Firms
Hospitals
Schools and Universities
Insurance Companies
Certificate Service Providers, CSPs
just to name a few!
Risk assessment
The basis for ISMS
Inger Nordin
Risk assessment
The basis for ISMS
Per Rhein Hansen
Implementing an Information Security Management System

There are key steps that every company implementing an Information Security Management System will need to consider:

Purchase the Standard
Before you can begin preparing for your application, you will require a copy of the standard. You should read this and make
yourself familiar with it.

Consider Training
There are training courses available to help you implement and assess your Information Security Management System.

Assemble a team and agree your strategy
You should begin the entire implementation process by preparing your organizational strategy with top management. At this stage you should determine the Scope of your
Registration - whether the system will be adopted company wide or by one or more departments.

Review Consultancy Options
You can receive advice from independent consultants on how best to implement your information security management system.

Undertake a Risk Assessment
During this phase you should undertake a review of all potential security breaches. This should not relate solely to IT systems, but should encompass all sensitive information
within your organization.

Develop a Policy Document
This will demonstrate management support and commitment to the Information Security Management System process.

Develop Supporting Literature
Put together a Statement of Applicability and Procedures to support your security policy. This will cover a range of areas including asset classification and control, personnel
security, physical and environmental security and business continuity management.

Choose a registrar
The registrar is the third party, such as BSI, who comes and assesses the effectiveness of your information security management system, and issues a certificate if it meets the
requirements of the standard. Choosing a registrar can be a complex issue as there are so many operating in the market. Factors to consider include industry experience,
geographic coverage, price and service level offered. The key is to find the registrar who can best meet your requirements. A great place to start is by contacting us.

Implement your Information Security Management System
The key to implementation is communication and training. During the implementation phase everyone begins operating to the procedures of the management system.

Gain registration
You should arrange your initial assessment with your registrar. At this point the registrar will review your Information Security Management System and
determine whether you should be recommended for registration.

Continual assessment
Once you have received registration and been awarded your certificate, you can begin to advertise your success and promote your business. Your ISMS will be periodically
checked by your registrar to ensure that it continues to meet the requirements of the standard.

http://emea.bsi-global.com/InformationSecurity/ImplementingISMS/index.xalter
Comparison of SHALL and SHOULD standards
BS 7799-2:2002 -- SHALL
1 Scope
2 Normative references
3 Terms and definitions
4 Information security management system
5 Management responsibility
6 Management review of the ISMS
7 ISMS improvement
Annex A (normative) Control objectives and controls - table mapping ISO/IEC 17799
Annex B (informative) Guidance on use of the standard
Annex C (informative) Comparison between ISO 9001:2000, ISO 14001:1996 and BS 7799-2:2002
Annex D (informative) Changes to internal numbering
ISO/IEC 17799:2000 -- SHOULD
1 Scope
2 Terms and definitions
3 Security policy
4 Organizational security
5 Asset classification and control
6 Personnel security
7 Physical and environmental security
8 Communications and operations management
9 Access control
10 Systems development and maintenance
11 Business continuity management
12 Compliance
Changes from BS 7799, part 2:1999 to BS 7799-2:2002
Adapted to ISO 9001 and ISO 14001
Better description of the management system
Focus on the Plan, Do, Check and Act process
Focus on risk assessment, risk handling, ...
Corresponding tables:
BS 7799, part 2, ISO 9001:2000 and ISO 14001
BS 7799, part 2:1999 and BS 7799, part 2:2002
BS 7799-2 and ISO/IEC 17799 should be viewed as an entity:
Requirements in part 2, including the description of the ISMS and Annex A with all the ISO/IEC 17799 controls
Plan: Analyse the current situation to identify room for improvement and promising solutions
Do: Test the solutions in a small scale first in order not to disrupt critical processes
Check: Find out if the solutions are giving the expected effects, and if they do
Act: Implement changes on a wider scale
Information Security Management System - ISMS
[Figure: the ISMS process model. Interested parties, with their information security requirements and expectations, feed the development, maintenance and improvement cycle: Plan - Establish the ISMS; Do - Implement and operate the ISMS; Check - Monitor and review the ISMS; Act - Maintain and improve the ISMS. The output to the interested parties is managed information security.]
Plan: Establish the ISMS
a) Define scope of the ISMS
b) Define an ISMS policy
c) Define a systematic approach to risk assessment
d) Identify risks
e) Assess the risks
f) Identify and evaluate options for the treatment of risks
g) Select control objectives and controls for the treatment of risks
h) Prepare a Statement of Applicability

ISMS Implementation according to BS 7799-2:2002 Process Approach

Do: Implement and operate the ISMS
a) Formulate a risk treatment plan
b) Implement the risk treatment plan
c) Implement controls
d) Implement training and awareness programmes
e) Manage operations
f) Manage resources
g) Implement procedures and other controls for incident handling
Check: Monitor and review the ISMS
a) Execute monitoring procedures and other controls
b) Undertake regular reviews of the effectiveness of the ISMS
c) Review the level of residual risk and acceptable risk
d) Conduct internal ISMS audits
e) Undertake management review of the ISMS
f) Record actions and events that could have an impact on the effectiveness or performance of the ISMS
Act: Maintain and improve the ISMS
a) Implement the identified improvements
b) Take appropriate corrective and preventive actions
c) Communicate the results and actions and agree with all interested parties
d) Ensure that the improvements achieve their intended objectives
[Figure: the development, maintenance and improvement cycle. Plan - Establish the ISMS; Do - Implement and operate the ISMS; Check - Monitor and review the ISMS; Act - Maintain and improve the ISMS.]
[Figure: Securus™ security concept based on ISO/IEC 17799 and BS 7799, part 2. Phases: Analysing phase, Development phase, Design and implement, Follow-up phase; labels: WHY, WHAT, HOW, Plan, Check, Awareness, Validation.]
Process Approach
ISMS Process Model
The new PDCA (Plan, Do, Check, Act) Process Model in BS7799-2:2002 and the forthcoming Swedish version SS627799-2:2002 adds a new dimension to
the 7799-series of international and national standards for information security management systems (ISMS). Now, we can get some guidance on the
process of trying to build an ISMS that is compliant with the requirements of the standard. Ever since I heard that the PDCA-cycle was going to be the
blueprint process model, I have been trying to understand how this will work in practice. Up until now, I can't see that the PDCA-cycle is really the best
route to build an ISMS. However, when it comes to continuous improvement of an already operating ISMS - it is really good.

Some preliminary explanations and further discussions of this matter are found in my thesis (pp. 17-) that can be downloaded in full from the home page of
this web site.

In the newly revised version of BS7799-2, the PDCA-cycle is actually used to illustrate at least three different things at the same time. In doing this, it is
my opinion that it tries to be too all-encompassing. Let us have a look at what it tries to illustrate:

1) The creation and implementation of an ISMS
2) The creation of (meta)documentation for third party reviews/certification
3) Continuous improvement of an existing ISMS

Clearly, these three things differ very much in terms of what activities to execute. Nevertheless all three issues are said to be covered by the Plan, Do,
Check, and Act phases.

I argue that the activities involved in creating and implementing an ISMS, including the documentation for the third party reviews, could be better
described with other labels than PDCA. Let us therefore save the PDCA model to denote activities that have to do with improvement of existing ISMSs. That is
exactly analogous to how the PDCA-cycle is used in the area of Quality Management. You don't use PDCA to build the Quality Management System - PDCA
is more often largely the result of the QMS.

Here's a short description of the stages in the suggested model. This model does not take into account, at this stage, the meta documentation needed for
the certification auditors. If you like to add this to the model, please do and tell me how you did it! This model, shown in the picture below, takes care of
both 1) and 3) in the list above.

Foundation: ISMS context, scope. Top management support, High Level Information Security Policy.
Evaluation: Risk analysis, risk treatment plan, (initial) gap analysis, technical IT security analysis.
Formation: Design / choice of countermeasures (administrative, technical), writing security documents for different groups in the organisation, developing
training programmes, etc.
Implementation: Implement risk treatment plan, conduct training, install technical controls, etc.
Operation: The ISMS is in operation and it generates logs as a result.
Certification: After some months of operation, an independent third party can certify/verify that the ISMS is compliant with the standard.
Operation: The improvement cycle using the PDCA-cycle is continuously working to further optimise the ISMS so that maximum profits are assured and so
that the information security level is at its most optimal level.

If you compare this with the description of the PDCA activities as written in the standard BS7799-2:2002, it should be clear what I am getting at.

If you liked this process model, or if you would like to cooperate with us on ISMS research, please contact bjorck@dsv.su.se. Also, I am very interested to
hear from you if you read this page and disagree with me. Please give me your views.

http://www.bjorck.com/isms-process.htm
http://www.dsv.su.se/~bjorck/files/bjorck-thesis.pdf
http://www.ids.co.kr/English/service/iso17799.html
http://www.insi.co.jp/isms/
[Figure: Security Management System wheel mapped onto Plan, Do, Check, Act: 1. Directing, 2. Organising, 3. Risk assessing, 4. Planning, 5. Implementing, 6. Training, 7. Operating, 8. Monitoring, 9. Evaluating, 10. Correcting]
IT Security Committee
Group of:
Business Managers
IT Managers
IT Security Officer

who:
Assess new requirements for IT Security
Assess the need for a new Risk Assessment
Edit the IT Security Policy and Guidelines
Co-ordinate IT Security tasks

The IT Security Committee reports to the
Concern IT Security Manager (IT Security Officer) or the
IT Security Manager
IT Security Organisation
Corporate level
IT Security Officer (Concern IT Security Manager)
Normally responsible for one or more IT Security Managers
Company
IT Security Manager
Normally reports to the board of directors of the Company
Responsible for the IT Security Department
IT Security Consultant
Staff in the IT Security Department
IT Security Co-ordinator
Stand-in for the IT Security Manager
Department
Line managers in general are responsible for security within their areas
IT Security Responsible
Example: a staff member in the Network Department responsible for the firewall system
Employees
To be trained for IT Security Awareness
IT Security Management
IT Security Management shall be handled like Quality Management

IT Security Management System like
Quality Management System (ISO 9000)
Environmental Management Systems (ISO 14001)

[Cartoon: "Upgrade now" - lines of command and response time for activation of a new security shield]
IT Security Awareness
Employee training program to obtain
Commitment for IT Security throughout the organisation
Increasing awareness and understanding concerning IT Security
IT Security in the real World
Non-existent
The issue has become a political one
Too low a level of IT Security
Old and outdated IT Security Guidelines
IT Security Management is misplaced in the organization
Missing IT Security policy, vision and strategy

Some of the IT Security people are
Only for decoration, as an alibi for having done something
Like candy on the fancy cake
Without any influence
Benefits of ISMS Implementation
Improved understanding of business aspects
Reductions in security breaches and/or claims
Reductions in adverse publicity
Improved insurance liability rating
Identify critical assets via the Business Risk Assessment
Ensure that knowledge capital will be stored in a business management system
Be a confidence factor internally as well as externally
Systematic approach
Provide a structure for continuous improvement
Enhance the knowledge and importance of security-related issues at the management level

Topic: Information Security Management Systems (ISMS as described in BS 7799-2:2002)
Content:
Basics of an ISMS (PRH article or BS 7799-2:2002).
How to guide and control the establishing and maintenance of IT-security in an organization

Topic: Management Guidance (Policies, guidelines)
Content:
Why the need for policies and guidance?
Why do we talk about IT-security awareness?
Content of an IT-security policy?
Which kind of guidelines are necessary?
Examples to be shown

Topic: Allocation of responsibilities (organization, job descriptions)
Content:
Who should be made responsible for IT-security?
IT-security manager or IT-security coordinator?
Job descriptions shown and discussed as examples

Topic: Implementation planning (setting priorities based on risk assessment and available funding)
Content:
When a risk assessment is produced, how should the priorities be decided?
Balancing against costs

Topic: Reviewing IT-security versus Auditing IT-security (how to do)
Content:
How do you evaluate the IT-security level?
Are guidelines followed?
Compare to standards
Interview
Test what people say
Document

Topic: Management follow-up (what top management has to decide on)
Content:
How to report to management?
Incident reporting
Deviation reports (deviations from planned countermeasures)
Management decision on increased budgets or change of policy / guidelines
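Worked example, added here and not part of the slides or of BS 7799-2, of the risk-based prioritisation the topics above refer to (Plan steps d) to h): identify and assess risks, select controls, prepare a Statement of Applicability; Check step c): review residual against acceptable risk; and "balancing against costs"): a toy risk register with constructed assets, threats, scores and costs, a greedy budget-limited risk treatment plan, and a residual-risk check that reports what is left for management to decide on.

```python
# Added example, not from the slides or from BS 7799-2: a toy risk register that scores risks as
# likelihood x impact, builds a risk treatment plan under a budget and checks residual risk
# against the accepted level. Every asset, threat, score and cost below is constructed.
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def level(self, chosen=()):
        """Risk level 1..25; selected controls for this threat lower the likelihood, never below 1."""
        return max(1, self.likelihood - sum(c.reduction for c in chosen if c.treats == self.threat)) * self.impact

@dataclass
class Control:
    name: str
    cost: int       # constructed, arbitrary budget units
    treats: str     # threat the control addresses
    reduction: int  # likelihood steps it removes

ACCEPTABLE_LEVEL = 6  # acceptance threshold set by management (constructed)
RISKS = [
    Risk("customer database", "unauthorised access", 4, 5),  # level 20
    Risk("file server", "malware infection", 3, 4),          # level 12
    Risk("office printers", "paper jam", 5, 1),              # level 5: already acceptable, gets no spend
]
CONTROLS = [
    Control("access control review", 30, "unauthorised access", 2),
    Control("MFA on remote access", 50, "unauthorised access", 3),
    Control("endpoint anti-malware", 20, "malware infection", 2),
    Control("user awareness training", 12, "malware infection", 1),
]

def unaccepted(risks, chosen=()):
    """Check step c): risks still above the level management agreed to accept."""
    return [r for r in risks if r.level(chosen) > ACCEPTABLE_LEVEL]

def plan_treatment(risks, controls, budget):
    """Greedy treatment plan: buy the affordable control with the best total risk reduction per cost unit."""
    chosen, spent, pool = [], 0, list(controls)
    while True:
        open_risks = unaccepted(risks, chosen)
        gain = lambda c: sum(r.level(chosen) - r.level(chosen + [c]) for r in open_risks)
        best = max((c for c in pool if spent + c.cost <= budget), key=lambda c: gain(c) / c.cost, default=None)
        if best is None or gain(best) == 0:
            break  # all risks accepted, or nothing affordable still helps: leftover risks go to management
        chosen.append(best); spent += best.cost; pool.remove(best)
    soa = {c.name: c in chosen for c in controls}  # Statement of Applicability: every control, selected or not
    return chosen, spent, soa
```

With a budget of 80 the customer database stays above the accepted level once the affordable controls are bought, which is exactly the deviation the management follow-up topic says must go back to management for more budget or a change of policy.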

[Cartoon: a factory. 1 Threat (likelihood), 2 Alert, 3 Panic, 4 "this is an order!", 5 carry out]
