In association with the Critical Infrastructure Assurance Office (CIAO) Initiative in the US, the Institute of Internal Auditors and other organizations developed descriptions of information security tools and guidelines that can help auditors and management deal with risks.
British Standard 7799
Part 1: Code of Practice for Information Security Management;
Part 2: Specification for Information Security Management Systems.
BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security. It was upgraded in 1999, and in 2000 became ISO 17799. BS 7799-2 was issued in 2002, this time focusing upon information security management systems; it became ISO 27001 in October 2005. The latest version of BS 7799 is "BS 7799-3:2005 Information security management systems. Guidelines for information security risk management," intended to provide guidance to support the requirements given in ISO 27001 regarding all aspects of an ISMS risk management cycle.
What is information security?
BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.
Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it should always be appropriately protected.
Information security is characterized within BS 7799 as the preservation of:
- confidentiality: ensuring that information is accessible only to those authorized to have access;
- integrity: safeguarding the accuracy and completeness of information and processing methods;
- availability: ensuring that authorized users have access to information and associated assets when required.
Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.
How to establish security requirements
BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:
- The first source is derived from assessing risks to the organization. BS 7799 does not prescribe a methodology.
- The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy.
- The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations.
Assessing security risks
BS 7799 suggests that security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to carry out periodic reviews of security risks and implemented controls.
Selecting controls
Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account.
Topics dealt with in BS 7799
1 Scope
2 Terms and definitions
3 Security policy
3.1 Information security policy document
3.2 Review and evaluation
4 Security organization
4.1 Information security infrastructure
4.2 Security of third party access
4.3 Outsourcing
5 Asset classification and control
5.1 Accountability for assets
5.2 Information classification
6 Personnel security
6.1 Security in job definition and resourcing
6.2 User training
6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
7.1 Secure areas
7.2 Equipment security
7.3 General controls
8 Communications and operations management
8.1 Operational procedures and responsibilities
8.2 System planning and acceptance
8.3 Protection against malicious software
8.4 Housekeeping
8.5 Network management
8.6 Media handling and security
8.7 Exchanges of information and software
9 Access control
9.1 Business requirement for access control
9.2 User access management
9.3 User responsibilities
9.4 Network access control
9.5 Operating system access control
9.6 Application access control
9.7 Monitoring system access and use
9.8 Mobile computing and teleworking
10 Systems development and maintenance
10.1 Security requirements of systems
10.2 Security in application systems
10.3 Cryptographic controls
10.4 Security of system files
10.5 Security in development and support processes
11 Business continuity management
11.1 Business continuity management process
12 Compliance
12.1 Compliance with legal requirements
12.2 Reviews of security policy and technical compliance
12.3 System audit considerations