bs 7799 and bs 15000 - ho
TRANSCRIPT
3/12/2002
© BCRM 2002 1
3/12/2002 © BCRM 2002 Page 1
The Auditor Cometh!
David Lilburn Watson
M.Sc., CISSP, CISA, FBCS
Business Continuity and Risk Management Ltd.
3 Nelson St, Ryde, Isle of Wight, PO33 2EZ
01983 566460 (v) 01983 811603 (f)
www.bcrm.co.uk
BS 7799
BS 7799 Objectives
To provide:
• A common basis for companies to develop, implement and measure effective security management practice;
• Confidence in inter-company trading.
Leads us to the ISO 17799 Standard
ISO 17799: Part 1 (2000)
• Same clauses as old BS 7799 (1999);
• Different introduction;
• New title.
BS 7799: Part 2 (2002)
• Changed approach – now process driven like ISO 9000;
• Plan, Do, Check, Act model adopted;
• Adoption of ISO Guide 73:2002 (Risk Management – Guidelines);
• Much expanded ISMS section;
• Appendix A – still old 7799 Part 2 clauses and objectives;
• Alignment with other standards (e.g. 9001:2000).
PDCA Model
• Plan – Establish the ISMS – develop policies, standards, procedures, guidelines, etc.;
• Do – Implement the developed and established policies, standards, procedures and processes;
• Check – assess and where possible measure compliance, reporting results to Management for review;
• Act – Take corrective action for continuous improvement.
Changes to the ISMS
• Alignment with ISO 9001:2000 and ISO 14001:1996;
• More detail on ‘Establishing the ISMS’;
• Risk terminology changed (ISO/IEC 73);
• More detail on documentation requirements;
• More on resource management and training;
• More detail on Management responsibilities;
• More detail on management of the ISMS.
Main Clauses
• Still aligned to Part 1;
• No changes from BS 7799: Part 2 (1999);
• Guess what – more renumbering again!
Other Changes
• Annex B – Guidance on use of the Standard;
• Partial alignment with OECD Principles – in the PDCA model.
Differences in different ISMSs
Can 7799 provide appropriate security for me?
Yes, but…
Certification (April 1998)
• Introduced to give a ‘stamp of approval’;
• May be a requirement for contract tendering;
• Accreditation performed by UKAS (UK Accreditation Service);
• Certification carried out by accredited Certification Bodies (CB).
2 Different Schemes
c:cure
• Certified auditors;
• Use c:cure logo;
• Cost.
Non c:cure certification
• No certified auditors required;
• Can’t use c:cure logo;
• Costs less than c:cure (?).
Certification (April 1998)
• Introduced to give a ‘stamp of approval’;
• May be a requirement for contract tendering;
• Accreditation performed by UKAS (UK Accreditation Service);
• Certification carried out by accredited Certification Bodies using specialised BS 7799 Auditors.
Pre-Certification Steps
• Implement all of the controls;
• Ensure that all mandatory controls are in place;
• ‘Settle security’ in the organisation;
• Staff awareness training;
• Monitoring and incident response;
• Self audit for confidence (or use a consultant);
• Undertake certification.
The Six Step Certification Process
1. Questionnaire
2. Application
3. Initial Visit
4. Assessment
5. Certificate Awarded
6. Surveillance Visits
Process to date
• 169 Certificates awarded to date (2/12/02);
• 24 different countries have certificated companies;
• 7 UK CBs now have Accreditation to perform BS 7799 audits;
• Costs;
• Problems with CBs.
So how do I become a 7799 Auditor?
Requirements for c:cure Auditors
At start – interim process:
• Pre-qualification;
• Experience;
• Interview.
Then the process required this, plus:
• Specified course(s);
• Examination;
• Interview.
But….
EA-7/03 Requirements
• Meet ISO 10011-2;
• University education or equivalent experience;
• 4 years IT, of which 2 years information security;
• 5 day training course on auditing and audit management;
• Have done 20 days (4 assessments) of information security audits;
• Done 3 ISMS audits.
BS 15000 – IT Service Management
What is BS 15000?
• Process of management of IT services to the business;
• Covers a number of different areas;
• ITIL is the practitioners’ guidelines, built on internal procedures;
• Workbook is the Self Assessment Workbook supporting PD 0005 (1998);
• Really just running the IT Department (and others) properly to deliver the required service to the customer.
What does BS 15000 cover (1)
Service Design and Management Processes:
• Service level management;
• Availability and contingency management;
• Service reporting;
• Financial management;
• Capacity management;
• Security management.
What does BS 15000 cover (2)
Supplier processes:
• Customer relationship management;
• Supplier management.
What does BS 15000 cover (3)
Resolution processes:
• Incident management;
• Problem management.
What does BS 15000 cover (4)
Control processes:
• Asset and configuration management;
• Change management.
What does BS 15000 cover (5)
Release processes:
• Release management.
So BS 15000 could be used to assist in a BS 7799 rollout
So what has been happening to BS 15000 recently?
Recent changes
• Split into 2 parts (Specification (Part 1) and Code of Practice (Part 2));
• New specification using PDCA model;
• New PD 0005 (2003) – not yet published.
Other standards of note
• BS 8220 – Building Security;
• BS 7858 – Security Screening;
• BS 15489 – Records Management;
• PAS 49 – Security Consultancy;
• AS/NZS 4360 – Risk Management;
• BS 3621 – Locks and bolts;
• BS 4737 or 6799 – Intruder Alarms;
• BS 5588 – Fire Regulations …
So – can I implement appropriate information security?
So why does security fail?
• Lack of management support;
• Lack of resourcing;
• Too difficult;
• Want an off the shelf solution;
• Quick fix salesmen;
• Ineffective audit or feedback / action;
• Politics;
• Sheer laziness;
• No personal drivers.
ISMS Concerns
• Document control;
• Securing the boundaries of the scope;
• Traceability (SoA to RA to SoA);
• Risk Assessment – business included – residual risk;
• Defining SoA;
• Demonstrating the effective implementation of controls.
Information Security Policy Document
• Often missing (many companies do not have one);
• Frequently out of date;
• Often unknown by staff;
• Not enforced.
Security Organisation
• No one tasked with, or monitoring, security regularly;
• No security awareness or training undertaken by any staff;
• Outsource the problem – often with disastrous consequences;
• Little outside contact with similar minded professionals.
Asset Classification and Control
• Little or no concept of data or information ownership, or of asset classification;
• Little control over movement of equipment;
• Security (if implemented) is not based on this process (or associated risk management processes);
• Little, if any, accountability;
• Owners rarely review their information for security or access to it.
Personnel Security
• Rarely up to date job descriptions;
• Little advice on reporting security incidents;
• Little security based training or awareness available;
• Rarely are references checked – especially for ‘sensitive’ positions;
• Contractors – who are they?
• Contracts often do not afford adequate protection for the company.
Physical & Environmental Security
• Power supplies;
• Equipment maintenance;
• Off premises security of equipment;
• Secure disposal / removal;
• Clear desk / screen.
Communications and Operations Management
• Often no standards or documentation of the corporate systems;
• Rarely an effective and implemented change management process;
• Often no management software for the network, or any form of planning;
• Rarely Service Level Agreements in place;
• No standards for development or security.
Communications and Operations Management (2)
• Incorrect use of default resources;
• A backup process that does not provide full integrity or recovery capability.
Access Control
• Few records of account histories;
• Few standard set ups or templates;
• Few, if any, monitoring or reporting tools available;
• Poor password management;
• Rarely added security for portables;
• A general lack of understanding of threats.
System Development and Maintenance
• Often claimed to be no development or maintenance;
• Few standards for development or change management;
• Testing often omitted – ‘fix on fail’ mentality;
• Source code often accessible on live system;
• No Dev/Prod split or test environment;
• Poor project management, over-runs or scrapping the project;
• Little documentation.
Business Continuity Management
• Often a plan that was untested, out of date, incomplete and not maintained;
• Heavy reliance on complacency and making do ‘if it happens’;
• Lack of awareness of what is available;
• Lack of management support;
• Failure to test and maintain the plan.
Compliance
• Often no compliance/conformance monitoring;
• External audits rarely at appropriate depth;
• Often knee jerk reactions to issues;
• Lack of understanding of requirements or penalties (personal and corporate ones);
• Lack of training.
Certification - What to Watch
• What type of certification;
• Qualifications of the auditor;
• Scope of certification;
• Use of wording in contracts;
• Contractual arrangements in outsourcing / third party contracts;
• Other connections in third parties.
Why are we security professionals failing?
Why are Auditors failing?
Way forward from here?
A Final Thought
To risk or not to risk, that is my question
• Whether it is commercially sensible to take the risk and suffer the consequences of loss and damage to my business;
• Or whether it is wiser to do more to protect my business, undertake an ‘appropriate risk assessment’ and then manage the risks by using the BS 7799 approach.