ADDRESSING CORPORATE CONCERNS ADDRESSING CORPORATE CONCERNS

ON ON

INFORMATION SECURITY INFORMATION SECURITY MANAGEMENT MANAGEMENT

WITH WITH ISO 17799/ISO 17799/BS 7799.BS 7799.

Ajai K. SrivastavaG.M. Marketing

BSI India

1. The Global Information Village

2. The Need for Protection

3. BS 7799– An Overview

4. Implementing an ISMS based on

BS7799

5. Benefits of using BS7799

Presentation Outline

www.bsiindia.com

1.THE GLOBAL INFORMATION VILLAGE

www.bsiindia.com

The Global Information VillageThe Global Information Village

www.bsiindia.com

The Paradigm Shift in the Nature of Information

INDUSTRIAL ECONOMY

INFORMATION AS NOUN

Static:e.g. memo; financial report etc

Automation : An Idiot Savant – assisting in managing repetitive discrete steps

INFORMATION ECONOMY

INFORMATION AS VERB

Dertouzos: “Information Work” e.g. Designing a building

Dominates the terrain; 50 to 60 % of an Industrialised country’s GNP

www.bsiindia.com

THE DIGITAL NERVOUS SYSTEM

DIGITALNERVOUSSYSTEM

StrategicThinking

BusinessReflexes

Basic Operations

Customer Interaction

BUSINESS @ THE SPEED OF THOUGHT

www.bsiindia.com

INFORMATION FLOWIS THE LIFEBLOOD OF YOUR BUSINESS

www.bsiindia.com

Information tends to be the most

undervalued asset a business has.

Information can directly affect the

most valuable asset a business has

IMAGE

www.bsiindia.com

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”

ISO/IEC 17799:2000

www.bsiindia.com

2.THE NEED FOR PROTECTION

www.bsiindia.com

INFORMATIONINFORMATION

Information Security

ATT

AC

KATTACK

ATTA

CK

ATTA

CK

ATTACK

ATT

AC

K

www.bsiindia.com

Typical Technology Responses

www.bsiindia.com

INFORMATIONINFORMATION

ATT

AC

K

ATTACK

ATTA

CK

ATTACK

ATTACK

ATT

AC

K

Information Security

www.bsiindia.com

INFORMATIONINFORMATION

ATT

AC

K

ATTACK

ATTA

CK

ATTA

CK

ATTACK

ATT

AC

K

ATTACK

ATTACK

ATTACK

ATTACK

Information Security

www.bsiindia.com

INFORMATIONINFORMATION

Information Security

www.bsiindia.com

Management System – Building Blocks

Core ProcessesCore ProcessesCore ProcessesCore Processes

InputsInputs

Support ProcessesSupport ProcessesSupport ProcessesSupport Processes

ManagementManagementManagementManagement

ResourceResourceResourceResource

OutputsOutputs

Total Total Business Management SystemBusiness Management System

www.bsiindia.com

BusinessBusinessManagementManagement

SystemSystem

BusinessBusinessManagementManagement

SystemSystem

QualityQualityQualityQuality

EnvironmentEnvironmentEnvironmentEnvironment

Health and Health and SafetySafety

Health and Health and SafetySafety

RiskRiskRiskRisk

Information Information SecuritySecurity

Information Information SecuritySecurity

PeoplePeoplePeoplePeople

ImprovementImprovementImprovementImprovement

www.bsiindia.com

BusinessBusiness Management SystemManagement System

BSI - IMSBSI - IMS

BusinessBusiness Management SystemManagement System

BSI - IMSBSI - IMS

RiskBSI Risk Mgmt

RiskBSI Risk Mgmt

H & SOHSAS 18001

H & SOHSAS 18001

ImprovementISO 9004

ImprovementISO 9004

CustomersBS 8600

CustomersBS 8600

Info SecBS 7799

Info SecBS 7799

EnvironmentISO 14001

EnvironmentISO 14001

QualityISO9001:2000

QS-9000 / TS 16949AS9000 / AS9100

TL9000

QualityISO9001:2000

QS-9000 / TS 16949AS9000 / AS9100

TL9000

www.bsiindia.com

ISO 9004 Performance Improvement ISO 9004 Performance Improvement All Interested PartiesAll Interested Parties

ISO 9004 Performance Improvement ISO 9004 Performance Improvement All Interested PartiesAll Interested Parties

ISO 17799 Information Security ManagementISO 17799 Information Security Management

OHSAS 18001 Health and Safety ManagementOHSAS 18001 Health and Safety Management OHSAS 18001 Health and Safety ManagementOHSAS 18001 Health and Safety Management

ISO 14001 Environmental ManagementISO 14001 Environmental ManagementISO 14001 Environmental ManagementISO 14001 Environmental Management

ISO 9001 Quality ManagementISO 9001 Quality ManagementISO 9001 Quality ManagementISO 9001 Quality Management

Sta

keh

old

ers

Invo

lved

Sta

keh

old

ers

Invo

lved

Increasing Aspects CoveredIncreasing Aspects Covered

Management Systems & Standards

www.bsiindia.com

Managing your Risks

www.bsiindia.com

Information Security Assurance

3 different layers• PRODUCT LEVEL ASSURANCE

– e.g. Firewall- Product is fit for its Purpose

• PROCESS LEVEL ASSURANCE– e.g. Credit card Transactions- Robust Processes to

protect interested parties

• MANAGEMENT SYSTEM LEVEL ASSURANCE– e.g ISMS- Systemic Proactive responses aligned to

business objectives to protect ALL stakeholders :Management,Employees,Customers,Suppliers,Users, Regulatory etc.

www.bsiindia.com

Commitmentand Policy

Planning

Implementationand Operation

Checking andCorrective

Action

ManagementReview

Continual Improvement

The Virtuous M S Spiral

www.bsiindia.com

Information Security Management must be viewed as a strategic dimension of your business

Managing Risks to Information Assets to:

Protect Brand

Retain Customers, and

Enhance Market Capitalization

ISMS – Your Competitive Edge

www.bsiindia.com

Critical Security Concerns

VIRUSES –22%HACKERS – 21%R.A.CONTROLS-17%INTERNET SECURITY-17%DATA PRIVACY- 10 %

The First Global Information Security Survey –KPMG 2002

www.bsiindia.comThe First Global Information Security Survey – KPMG 2002

What is the damageQUANTIFIABLE

The average direct loss of all

breaches suffered by each

organization is USD$108,000.

GBP 30,000INR 500,000

www.bsiindia.com

What is the damage

The Loss Of Productivity Recovery Costs Customers Market Capitalisation Shareholder Value Credibility

INCALCULABLE

www.bsiindia.com

Myth 1: – Information Security is the concern and responsibility of the

MIS/IT manager Myth 2:

– Security Threats from outsiders are the greatest source of risks  Myth 3:

– Information Security is assured by safeguarding networks and the IT infrastructure

Myth 4:– Managing People issues is not as important

Myth 5:– Adopting latest technological solutions will increase security

Common Myths About Common Myths About Information SecurityInformation Security

www.bsiindia.com

3.BS 7799 – AN OVERVIEW

www.bsiindia.com

What is Information Security

ISO 17799:2000 defines this as the preservation of:– Confidentiality

• Ensuring that information is accessible only to those authorized to have access

– Integrity• Safeguarding the accuracy and completeness of

information and processing methods

– Availability• Ensuring that authorized users have access to

information and associated assets when requiredISO/IEC 17799:2000

www.bsiindia.com

ISO/IEC 17799 ?ISO/IEC 17799 ?

What it is: What it is:

An internationally recognized structured methodology dedicated to information security

A defined process to evaluate, implement, maintain, and manage information security

A comprehensive set of controls comprised of best practices in information security

Developed by industry for industry

What it is not:What it is not: A technical standard

Product or technology driven

An equipment evaluation methodology such as the Common Criteria/ISO 15408)

Related to the "Generally Accepted System Security Principles," or GASSP

Related to the five-part "Guidelines for the Management of IT Security," or GMITS/ISO TR 13335

www.bsiindia.com

What does it comprise ?What does it comprise ?

ISO/IEC 17799:2000Code of Practice for Information Security

BS 7799-2:2002 Specification for information security management systems

www.bsiindia.com

•MMeasure Performance of the ISMS•IIdentify Improvements in the ISMS and effectively implement them.•TTake appropriate corrective & preventive action•CCommunicate the results and actions and consult with all parties involved.•RRevise the ISMS where necessary•EEnsure that the revision achieve their intended objectives.

BS 7799-2:2002BS 7799-2:2002

•DDefine ISMS Scope and Policy•DDefine a systematic approach to risk assessment•IIdentify the risk•AApply the systematic approach for assessing the risk•IIdentify and Evaluate options for the treatment of risk.•SSelect Control Objectives and Controls for the treatment of risks.

Act

•EExecute Procedures to and Other Controls•UUndertake regular reviews of the effectiveness of the ISMS•RReview the level of residual risk and acceptable risk•EExecute the management procedure•R Record and report all actions and events

Check

•IImplement a specific management program•IImplement controls that have been selected•MManage Operations•MManage Resources•IImplement Procedures and Other Control Processes

Do

Plan

www.bsiindia.com

BS 7799 –10 Domains of Information Management

SystemDevelopment

AccessControls

Asset Classification

Controls

Information Security Policy

Security Organisation

PersonnelSecurity

PhysicalSecurity

ContinuityPlanning

Compliance

CommunicationsManagement

www.bsiindia.com

4.IMPLEMENTING AN ISMS BASED ON BS 7799

www.bsiindia.com

BS 7799Registrations Around the Globe

Region Number of Certificates Australia 5Austria 2Brazil 2China 5Egypt 1

Finland 8Germany 8Greece 2

Hong Kong 7Hungary 3Iceland 1India 13

Ireland 3Italy 11

Japan 34Korea 11

Malaysia 1Mexico 1Norway 7

Singapore 9Spain 1

Sweden 4Switzerland 1

Taiwan 4UAE 1UK  91USA 3

239

www.bsiindia.com

BS 7799Registrations In India

Sl. No. Name of Company

1 Churchill India (P) Ltd, New Delhi

2 Cognizant Technology Solutions, Chennai

3 Hughes Software System, Gurgaon

4 ICICI OneSource Limited

5 Larsen & Toubro Ltd, Mumbai and Vadodara

6 Mascot Systems Ltd.

7 Satyam Computer Systems, Secundrabad

8 Shipara Technologies Ltd

9 ST Microelectronics Ltd, Noida

10 Tata Iron and Steel Company Ltd

11 Wipro Technologies

12 Xansa

13 Xansa (India) Ltd

www.bsiindia.com

Measure/AnalyseProgress

INPUTClientBusinessAwareness

OUTPUTBSI

CertificationBusiness

Improvement

Develop

Management System Build Process

BSIConsultantClient

Building a Management System

www.bsiindia.com

Initiating BS 7799 Implementation Step 1

ISMS – Defining Policy & Organization Structure

Step 2 ISMS – Defining the Scope

Step 3ISMS - Risk Assessment

Step 4ISMS - Risk Management

Step 5ISMS – Choosing Controls

Step 6 ISMS - Statement of Applicability

www.bsiindia.com

Risk Assessment and Risk Management Process

Asset Identificationand Valuation

Identification ofVulnerabilities Identification of

ThreatsEvaluation of Impacts

Business Risks

Review of existingsecurity controls

Risk Assessment

Rating/ranking of Risks

Risk Management

Identification ofnew security

controlsPolicy andProcedures

Implementation andRisk Reduction

Risk Acceptance(Residual risk)

Gap analysis

Degree of Assurance

www.bsiindia.com

BS 7799 Implementation

Security Organisation

ClassifyAssets

Information Security Policy

Apply the Controls

OperationaliseProcess

CheckProcess

CorrectiveAction

ManagementReview

Plan

Act

Check

Do

www.bsiindia.com

ISMS Documentation

Procedure

Work Instructions,checklists,

forms, etc.

Records

Security Manual

Policy, scoperisk assessment,

statement of applicability

Describes processes – who, what, when, where

Describes how tasks and specific activities are done

Provides objective evidence of compliance to

ISMS requirements

Management frameworkpolicies relating to

BS 7799-2

Level 2

Level 3

Level 4

Level 1

www.bsiindia.com

Critical Success Factors Security policy that reflects business objectives

Implementation approach is consistent with company culture

Visible support and commitment from management

Good understanding of security requirements, risk assessment

and risk management

Effective marketing of security to all managers and employees

Providing appropriate training and education

A comprehensive and balanced system of measurement which is

used to evaluate performance in information security management

and feedback suggestions for improvement

www.bsiindia.com

5.BENEFITS OF BS 7799

www.bsiindia.com

Benefits of BS 7799 certification

Opportunity to identify and fix weaknesses

Senior Management take ownership of

information Security

Provides confidence to trading partners and

customers

Independent review of your information Security

Management System

www.bsiindia.com

Key Challenges facing executivesKey Challenges facing executives

– Enterprises must manage threats to Information security

across many fields while attackers can choose to specialize

in narrow fields of competencies

– Fractured Corporate response to such focused attacks

– To think precisely about the concept of threat in the

security context of the organization

– Executives must develop non traditional competencies in

strategic risk management

– Executives must manage

ENTERPRISE SECURITY PROACTIVELY

Further Information

Email: ajai.srivastava@bsiindia.com

Tel: +11 2371 9002/3

Fax: +11 2373 9003