Introduction
The standard is published in two parts:
BS ISO/IEC 17799:2005 (BS 7799-1) - Code of practice for information security management
BS ISO/IEC 27001:2005 (BS 7799-2) - Specification for information security management systems
Part 1: Is an introduction to the practice of information security and describes the key controls necessary to ensure an effective security implementation.
Part 2: Specifies the requirements for establishing, implementing and documenting an information security management system (ISMS) and forms the basis for an assessment of the ISMS.
The standard requires a risk assessment and the identification of the most appropriate control objectives. A set of detailed controls is then described which can be used to achieve the control objectives as applicable. These controls are grouped into the following areas:
Security policy
Security organisation
Assets classification and control
Personnel security
Physical and environmental security
Communications and operations management
System Access control
System development and maintenance
Business continuity management
Compliance
Security Policy
This introductory section outlines the need for a corporate information security policy which is documented and available to all staff. It should cover:
- A definition of information security
- A statement of management intention supporting the goals and principles of information security
- Allocation of responsibilities for every aspect of implementation
- An explanation of specific applicable proprietary and general principles, standards and compliance requirements
- An explanation of the process for reporting of suspected security incidents
- A defined review process for maintaining the policy document
- Means for assessing the effectiveness of the policy embracing cost and technological changes
- Nomination of the policy owner
Security Organisation
This section explains how to set up the management structure for maintaining information security. The main subjects covered are:
- The setting up of a management forum
- The roles of the forum
- Allocation of security responsibilities
- Establishment of an authorisation process for new hardware and software purchases.
This section also covers access to corporate data by third parties, and the steps needed to prevent and detect unauthorised access of this kind.
Assets classification and control
This section concerns the protection of company assets. It deals with the establishment of an asset register for hardware, software and information, and offers advice on classifying and labelling assets.
Personnel Security
This section covers the risks to data and systems from deliberate and accidental human action such as user error, fraud and theft. Among the subjects covered are:
- How to make security responsibilities part of a formal job description
- How to screen potential staff, such as by taking up references
- Training of staff in basic security awareness
- Establishing a framework to ensure that security incidents and suspected weaknesses are reported through the correct channels
Physical and environmental security
The main items covered in this section are:
- The need to establish secure areas with physical entry controls
- The need to physically protect hardware equipment to prevent theft
- The need to protect network cabling from tampering
- Security of equipment taken off site or sent for disposal
Communications and Operations Management
This is a large section and deals with the security of computer systems in operation. It explains the main areas of risk of which you need to be aware, but stops short of prescribing the technical measures necessary. The following issues are covered:
- Viruses
- Malicious software
- Change control
- Backup
- The keeping of accurate access logs
- Security of system documentation
- Disposal of media
- Protection and authentication of data during transfers and in transit
- Security of Email
System Access Control
This section explains access control and how it can be applied to different types of system.
Items covered include:
- issue and usage of passwords
- duress alarms
- automatic terminal time outs
- physical access to terminals
- software metering/monitoring
System Development and Maintenance
This section deals with the acquisition of new systems and modification to existing ones. Areas covered include:
- input data validation
- data encryption
- security of data files
- protection of test data.
The section also discusses procedures for departments where software development and maintenance are performed, including configuration management, change control and protection of data.
Business Continuity Management
This is an overview of the case for a comprehensive business continuity plan, which should be designed, implemented, tested and maintained.
Compliance
There are many areas in which an organisation needs to ensure that it complies with its legal and contractual obligations. This section explains the need to comply with legislation and commitments such as:
- The Data Protection Act 1998
- The Companies Act
- Contractual commitments (such as software licences)
Upcoming legislation, such as the new competition and distance selling legislation, would also come into the scope of this section.
The organisation is given advice on how to ensure that it does comply and is able to demonstrate, through audit and other procedures, that it has done so.
Please call 0870 421 4023 for more information relating to BS7799 certification, or e-mail BS7799.team@Whitehelm.com.