8/9/2019 17799 and Secura En
1/25
BS 7799 / ISO 17799
Presentation
Outline
What is BS 7799/ISO 17799?
History
Who's it for?
Implementation
Tools and software
What is BS 7799/ISO 17799?
A set of controls based on the best practices in information security;
An international standard covering every aspect of information security: equipment; management policies; human resources; legal aspects.
BS 7799 or ISO 17799?
ISO 17799 (part 1) is a guide containing controls and recommendations by which an organization can ensure the security of its information.
BS 7799 (part 2) proposes measures for an efficient information security management framework. BS 7799-2 helps an organization establish an information security management system (ISMS) and thus prepare for the audit.
Qualities of BS 7799 / ISO 17799
Scope of the standard;
Proven;
Public;
International;
A name associated with quality;
Evolutionary and flexible (adapts to each context);
Availability of tools and support.
The Ten Key Contexts of ISO 17799
(Diagram: the ten contexts arranged around the three properties of information: Integrity, Confidentiality, Availability.)
Security policy;
Organizational security;
Asset classification and control;
Personnel security;
Physical and environmental security;
Communications and operations management;
Access control;
Systems development & maintenance;
Business continuity management;
Compliance.
The Ten Key Contexts of ISO 17799
(Diagram: the ten contexts arranged along an Organizational / Operational axis.)
1. Security policy
2. Organizational security
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance
Complementarity with Other ISO Standards
ISO 17799: Code of practice for information security management
ISO 13335 (GMITS): Guidelines for the management of IT security
ISO 15408 (CC): Products and systems certified by ISO 15408
History and Development of ISMS
1995: BS 7799 Part 1
1998: BS 7799 Part 2
Swedish standards SS 62 77 99 Parts 1 and 2
1999: Updated version of BS 7799 Parts 1 and 2
December 2000: ISO/IEC 17799:2000
2001: Review of BS 7799-2
September 2002: Updated version of BS 7799-2 (revised and corrected)
Who's it for?
BS 7799/ISO 17799 can be used by any organization or company. If your organization uses computer systems internally or externally, possesses confidential data, depends upon information systems in the context of its business activities, or simply wants to adopt a high level of security while complying with a standard, BS 7799/ISO 17799 is the solution.
Online Purchases of the ISO 17799 Standard (% by region)
(Pie chart; the region labels are not recoverable from this copy, except Others: 9 %.)
BS 7799 / ISO 17799 Audit and Certification
ISO 17799 certification does not exist at the moment.
A company can comply with ISO 17799 and then become BS 7799-2:2002 certified.
The audit process can be documented:
Internal audit;
External audit (letter of opinion);
BSI Registrar (official certification).
List of Certified Firms
Over 80 000 firms around the world are BS 7799/ISO 17799 compliant:
Fujitsu Limited;
Insight Consulting Limited;
KPMG;
Marconi Secure Systems;
Samsung Electronics Co Ltd;
Sony Bank inc.;
Symantec Security Services;
Toshiba IS Corporate.
Advantages
Compliance with governance rules for risk management;
Better protection of the company's confidential information;
Reduced risk of hacker attacks;
Faster and easier recovery from attack.
Advantages (cont'd)
Structured security methodology that has gained international recognition;
Increased mutual confidence between partners;
Potentially lower premiums for computer risk insurance;
Improved privacy practices and compliance with privacy laws.
Management Approach (PDCA Model)
Methodology and Implementation Cycle
Steps of the methodology and cycle for implementing the standard, with a description of each:
Initiation of the Project: Ensure the commitment of upper management; select and train members of the initial project team.
Definition of the ISMS (Information Security Management System): Identifying the scope and limits of the information security management framework is crucial to the success of the project.
Risk Assessment: Identify and evaluate threats and vulnerabilities; calculate the value of associated risks; diagnose the level of compliance with ISO 17799; inventory and evaluate the assets to protect.
Methodology and Implementation Cycle (cont'd)
Steps of the methodology and cycle for implementing the standard, with a description of each:
Risk Treatment: Find out how selecting and implementing the right controls can enable an organization to reduce risk to an acceptable level.
Training and Awareness: Employees may be the weakest link in your organization's information security.
Audit Preparation: Learn how to validate your management framework and what must be done before you bring in an external auditor for BS 7799-2 certification.
Audit: Learn more about the steps performed by external auditors and about certification agencies accredited for BS 7799-2.
Continual Improvement
Deliverables ISO 17799
Potential Obstacles
Fear, resistance to change;
Risk of contiguity;
Increased costs;
Insufficient knowledge for the approach selected;
Seemingly insurmountable task.
Success Factors
Dedicated personnel and resources;
External expertise;
Good understanding of risk management functions (management) and processes (operations);
Frequent communication;
Manager and employee awareness;
Commitment from upper management;
Structured approach.
Implementation - Callio Secura 17799
Callio Secura 17799 Demonstration
References
BSI documents (www.bsi.org.uk/index.xhtml)
Information Security Management: An Introduction (PD3000)
Provides an overview of the accredited certification process and serves as a useful preface to the other guides.
Guide to BS7799 Risk Assessment and Risk Management (PD3002)
Describes the concepts underlying the BS 7799 risk assessment, including terminology, the evaluation process and risk management.
ISO/IEC Guidelines for the Management of IT Security (GMITS)
Selecting BS7799 Controls (PD3005)
Describes the process for selecting appropriate controls.
Conclusion
For more information on the BS7799/ISO 17799 standard, visit us online at www.callio.com or call a representative at 1-866-211-8222.