City University
MSc in Business Systems Analysis and Design
Project Report
2005
How to implement BS7799:
A case study conducted at
the Institute of Quality Assurance.
J.R. Beltman
Supervised by: C. Smart.
Submitted: 29-September-2005
Abstract
This dissertation presents the findings of a study into implementation of the British
Standard BS7799. BS7799 is an information security standard devised by the British
Standards Institute (BSI) aimed at assisting organisations with managing risk to
information.
In this research an action research oriented strategy is applied in an attempt to answer
four fundamental questions concerned with the implementation of BS7799.
• How to successfully implement BS7799?
• What are the main problems related to implementing BS7799?
• How to tackle the problems related to implementation of BS7799?
• How to convince management of the need for BS7799 implementation?
The research is undertaken at the Institute of Quality Assurance (IQA). The results
of this study are based upon the evaluation of this implementation of BS7799 at
the IQA, knowledge gained during the research and the courses followed, and experts'
opinions and experiences.
The main findings of this research are that management support is a vital success
factor when implementing BS7799; however, convincing management is not always
easy. Scare tactics, in which the consequences of failure to implement BS7799 are
highlighted, seem the best method of convincing management.
Once management support is secured and implementation has begun, the issue of
resistance to change is the next serious obstacle. Buy-in from staff and proper change
management are additional factors that determine the success of
implementation.
Implementing BS7799 is made easier when examples of policies and procedures
are available. The use of these examples and of templates reduces implementation time
significantly; this report contains examples of policies and procedures and describes how to
overcome difficulties found during implementation.
An action research based approach is found to be an appropriate method of
researching the process of implementation, as it provides an insight into issues that
would remain hidden using most alternative research methods. Action research also
links in well with the Deming Cycle, which is the prescribed method for
implementing, maintaining and improving the Information Security Management
System of BS7799.
J.R. Beltman – IT Manager
Institute of Quality Assurance
Acknowledgements
Martin Rich, my advisor and mentor, whose help, support, wisdom and experience
have helped shape this dissertation.
Chris Smart, whose supervision and last minute advice have helped to get this report
in top shape and in line with the project specification as laid down by the City
University of London.
Victor Parry, at first I thought it would cost me a meal and pint, but he has shared his
knowledge and experience on BS7799 and paid for his own food and drinks. He is a
well recognised professional in the field and is a principal auditor registered with the
International Register of Certified Auditors (IRCA).
Dick Price, consultant, auditor and trainer in BS7799, for the kind provision of beer
and his experiences in implementing BS7799.
Mike and Rosemary Roach, for proof reading this work and your continued
friendship and support.
Simon Feary, director of IRCA, for supporting the implementation of BS7799 and
training as a BS7799 lead auditor.
Thank you.
Table of Contents
1. INTRODUCTION
1.1 RESEARCH QUESTIONS
1.2 CONTROLLING INFORMATION SECURITY
1.3 AIMS AND OBJECTIVES
1.4 THE INSTITUTE OF QUALITY ASSURANCE
1.4.1 IQA
1.4.2 IRCA
1.4.3 The IT department
1.5 BACKGROUND
1.6 JUSTIFICATION FOR THIS PROJECT
1.7 REPORT OUTLINE
2. LITERATURE SURVEY - BS7799 THE BASICS
2.1 WHAT ARE STANDARDS?
2.2 BS7799 COMPARED TO ITIL & ISO9001
2.2.1 ITIL and BS7799
2.2.2 ISO9001:2000 and BS7799
2.3 BS7799 - TERMINOLOGY
2.4 BS7799 – TWO PARTS TO THE PUZZLE
2.5 BS7799 – THE DEMING CYCLE
2.5.1 Plan
2.5.2 Do
2.5.3 Check
2.5.4 Act
2.6 BS7799 – CRITICAL SUCCESS FACTORS
3. METHODOLOGY
3.1 PRACTICAL RESEARCH PROBLEM
3.2 PARTICIPATION
3.3 CHANGE
3.4 CYCLICAL FEEDBACK
4. INFORMATION SECURITY IN PRACTICE – AN ANALYSIS OF SECURITY CASE STUDIES
4.1 EXAMPLES OF SECURITY INCIDENTS
4.1.1 The London terrorist attacks 7-7-2005
4.1.2 IRA bombing of Manchester 1996
4.1.3 Maxine Carr – theft of documents
4.1.4 Disappearance of counter-terrorism plans for Heathrow Airport
4.1.5 MI5 agent has laptop stolen at Paddington station
4.1.6 British bank account holders details stolen from Indian call centres
4.1.7 £9m computer scam
4.1.8 Electronic crime cost UK companies an estimated £2.45bn last year
4.1.9 Ekibastuz [Kazakhstan] - hydroelectric power station disaster
4.1.10 Northeastern United States and Southeastern Canada power blackouts
4.1.11 Staff visiting unauthorized websites
4.2 BS7799 TO COUNTERACT INFORMATION SECURITY BREACHES
4.2.1 The London terrorist attacks 7-7-2005
4.2.2 IRA bombing of Manchester 1996
4.2.3 Maxine Carr – theft of documents
4.2.4 Disappearance counter-terrorism plans for Heathrow Airport
4.2.5 MI5 agent has laptop stolen at Paddington station
4.2.6 British bank account holders details stolen from Indian call centres
4.2.7 £9m computer scam
4.2.8 Electronic crime cost UK companies an estimated £2.45bn last year
4.2.9 Ekibastuz [Kazakhstan] - hydroelectric power station disaster
4.2.10 North-eastern United States and South-eastern Canada power blackouts
4.2.11 Staff visiting unauthorized websites
4.3 SUMMARY
5. RESULTS - IMPLEMENTATION AND ITS DIFFICULTIES
5.1 WHAT CHANGED AT THE IQA?
5.2 PRE-REQUISITES
5.2.1 Understanding the issue
5.2.2 How not to implement BS7799
5.2.3 BS7799 – Not an IT issue
5.2.4 A cultural change
5.3 THE PLAN PHASE
5.3.1 The Scope
5.3.2 Information Security Policy
5.3.3 Risk Assessment
5.3.4 Options for risk treatment
5.3.5 Statement of Applicability (SoA)
5.3.6 Review
5.4 THE DO PHASE
5.4.1 Formulate a risk treatment plan
5.4.2 Implement risk treatment plan
5.4.3 Implementing training and awareness programmes
5.4.4 Resource management
5.4.5 Implementation of controls and procedures
5.4.6 A working version
5.5 THE CHECK PHASE
5.5.1 Routine checking
5.5.2 Self-policing procedures
5.5.3 Learning from others
5.5.4 Internal ISMS audit
5.5.5 Management review
5.6 THE ACT PHASE
5.7 SUMMARY
6. CONCLUSION
6.1 HURRICANE KATRINA FINANCIAL AFTERMATH
6.2 RESEARCH QUESTIONS REVISITED
6.3 AIMS AND OBJECTIVES REVISITED
6.4 EXPERIENCE AND EVOLVEMENT
6.5 ACTION RESEARCH REVISITED
6.6 FINDINGS
7. RECOMMENDATIONS
7.1 THE FIRST CYCLE
7.2 A HELPING HAND IN RESEARCH
7.3 ISMS AND TOOLS AS AN ELECTRONIC ENFORCEABLE VERSION
7.4 INFORMATION SECURITY A POPULAR SUBJECT?
7.5 BS7799 – AN INTERNATIONAL STANDARD
8. REFERENCES
List of Appendixes
APPENDIX A. PROJECT DEFINITION
APPENDIX B. THE SCOPE
APPENDIX C. THE SECURITY POLICY
APPENDIX D. RISK ASSESSMENT PROCEDURE
APPENDIX E. RISK MANAGEMENT/ TREATMENT PROCEDURE
APPENDIX F. S. GREEN, PERSONAL COMMUNICATION
APPENDIX G. R. HOWARD, PERSONAL COMMUNICATION
APPENDIX H. V. PARRY, PERSONAL COMMUNICATION
APPENDIX I. M. RICH, PERSONAL COMMUNICATION
APPENDIX J. V. PARRY, INTERVIEW NOTES
APPENDIX K. ASSETS AND RISKS
APPENDIX L. IQA OLD ASSET REGISTRY
APPENDIX M. IQA IT MANAGEMENT SYSTEM ASSET REGISTRY
APPENDIX N. IQA LICENCE CONTROL
APPENDIX O. IQA EMAIL HOUSE KEEPING
APPENDIX P. IQA FORM FOR NEW STAFF MEMBERS
APPENDIX Q. IQA STAFF IT TEST FORM
APPENDIX R. SERVER ROOM ACCESS POLICY
APPENDIX S. COMMUNICATIONS POLICY
APPENDIX T. OVERVIEW OF IMPLEMENTATION OF BS7799 AT IQA
List of figures
FIGURE 1.1 THE OPTIMUM LEVEL OF SECURITY. (BJÖRCK 2001)
FIGURE 2.1 INTEGRITY, AVAILABILITY AND CONFIDENTIALITY (BUREAU VERITAS 2003)
FIGURE 2.2 THE DEMING CYCLE
FIGURE 2.3 SUCCESS FACTORS
FIGURE 3.1 STAGES IN ACTION RESEARCH (BRYMAN 1989, P. 180)
FIGURE 5.1 THE PLAN PHASE FLOWCHART
FIGURE 5.2 THE DO PHASE FLOWCHART
FIGURE 5.3 THE PLAN PHASE
FIGURE 5.4 THE DO PHASE
FIGURE 7.1 BJÖRCK’S ALTERNATIVE TO THE DEMING CYCLE. (BJÖRCK 2001)
FIGURE 7.2 VENKATRAMAN FRAMEWORK
FIGURE A.1 THE DEMING CYCLE
FIGURE D.1 RISK MATRIX
FIGURE L.1 IQA OLD ASSET REGISTRY
FIGURE M.1 NEW IQA ASSET REGISTRY
FIGURE M.2 DETAILED VIEW OF ASSET REGISTRY
FIGURE N.1 IQA LICENCE CONTROL
FIGURE O.1 EMAIL GROWTH, ACTUAL AND PROJECTED
List of tables
TABLE 2.1 THE DEMING CYCLE ADAPTED TO BS7799
TABLE 2.2 THE LINKS BETWEEN THE PLAN PHASE AND BS7799
TABLE 2.3 THE LINKS BETWEEN THE DO PHASE AND BS7799
TABLE 2.4 THE LINKS BETWEEN THE CHECK PHASE AND BS7799
TABLE 2.5 THE LINKS BETWEEN THE ACT PHASE AND BS7799
TABLE 3.1 DEMING CYCLE AND THE MATCHING ACTION RESEARCH STAGE
TABLE 4.1 ANNEX A11.1, ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
TABLE 4.2 ANNEX A12.1, COMPLIANCE WITH LEGAL REQUIREMENTS
TABLE 4.3 ANNEX A8.7, EXCHANGE OF INFORMATION AND SOFTWARE
TABLE 4.4 ANNEX A6.2, USER TRAINING
TABLE 4.5 ANNEX A6.3, RESPONDING TO SECURITY INCIDENT AND MALFUNCTIONS
TABLE 4.6 ANNEX A5.2, INFORMATION CLASSIFICATION
TABLE 4.7 ANNEX A6.1, SECURITY IN JOB DEFINITION AND RESOURCING
TABLE 4.8 ANNEX A8.6, MEDIA HANDLING AND SECURITY
TABLE 4.9 ANNEX A12.1, COMPLIANCE WITH LEGAL REQUIREMENTS
TABLE 4.10 ANNEX A9.8, MOBILE COMPUTING AND TELEWORKING
TABLE 4.11 ANNEX A10.3, CRYPTOGRAPHIC CONTROLS
TABLE 4.12 ANNEX A6.1, SECURITY IN JOB DEFINITION AND RESOURCING
TABLE 4.13 ANNEX A8.1, OPERATIONAL PROCEDURES AND RESPONSIBILITIES
TABLE 4.14 ANNEX A9.5, OPERATIONAL SYSTEM ACCESS CONTROL
TABLE 4.15 ANNEX A8.3, PROTECTION AGAINST MALICIOUS SOFTWARE
TABLE 4.16 ANNEX A11.1, ASPECT OF BUSINESS CONTINUITY MANAGEMENT
TABLE 4.17 ANNEX A7.2, EQUIPMENT SECURITY
TABLE 4.18 ANNEX A9.7, MONITORING SYSTEM ACCESS AND USE
TABLE 4.19 ANNEX A9.5, OPERATIONAL SYSTEM ACCESS CONTROL
TABLE 4.20 ANNEX A6.2, USER TRAINING
TABLE 5.1 EXAMPLE OF THE STATEMENT OF APPLICABILITY (SOA)
TABLE A.1 SUB-COMPONENTS OF THE DEMING CYCLE FOR THE ISMS OF BS7799
TABLE A.2 PROJECT RISK FACTORS
TABLE K.1 ASSETS AND RISKS
1. Introduction
BS7799 is a British Standard on information security, devised by the British
Standards Institute (BSI). It comes with a specification with guidance for use and a
code of practice, but without guidance on how to implement it.
BS7799 is a method to help organisations reduce risk and consequences. Although
its benefits are not always understood by all, it is rapidly gaining territory.
BS7799 should not be just an IT project, but a company-wide undertaking.
1.1 Research questions
This research tries to answer a number of questions regarding BS7799
implementation.
These questions came into being after initial research into BS7799 and following a
lead auditor course in the standard.
1. How to implement BS7799 successfully?
2. What are the main problems related to implementing BS7799?
3. How to tackle the problems related to implementation of BS7799?
4. How to convince management of the need for and benefits of BS7799
implementation?
The answers to the research questions will differ for many organisations. This report
provides both examples of general answers and those specific to the implementation
of BS7799 in the Institute of Quality Assurance (IQA) umbrella organisation.
1.2 Controlling information security
Just why implement BS7799? As discussed in chapter 4 of this report, information is
under constant threat. Some of these threats could, if they materialize, have
consequences so severe that they lead to the closure of a company or worse.
According to the Bureau Veritas training manual for lead auditors (Bureau Veritas
2003) BS7799 aims to:
• Reduce incidents that result in liability
• Demonstrate reasonable care
• Safeguard information assets through a sound risk management process
• Define level of security required: no more no less
• Deliver tangible proof of appropriate practices
• Form a sound basis for the security policy
• Provide the organisation with an excellent checklist of controls
• Improve industry-government relations
• Facilitate obtaining permits and authorisations
• Improve cost control
• Meet vendor certification criteria
• Enhancing image and marketing share
• Satisfy investor criteria and improve access to capital
• Assure customers of commitment to demonstrable information security
management
After many years working in IT, with the past five years as IT Manager and studying
BS7799 for the past four months I see other benefits of BS7799 that are not explicitly
highlighted by the common benefits such as listed by Bureau Veritas and many
others. BS7799 benefits are in my opinion more direct and down to earth than most of
those outlined above. This is not to say that the longer term and more ‘business’
orientated benefits as mentioned couldn’t be realised, they certainly can and add to the
value of implementation of BS7799.
In my opinion the most fundamental benefits of BS7799 implementation are those of
prevention, control, correction, continuity and recovery. In the field of IT security and
information security it is important to prevent incidents from happening and if they do
happen the damage from the incident should be controlled and the situation corrected.
After the incident the company should be able to recover and continue their business
as per usual. BS7799 helps to realize just that.
Without prevention, control, correction, continuity and recovery companies could face
events such as:
• Have their reputation damaged
• Lose customers
• Lose contracts
• Have confidential information exposed
• Face fines
• Face court cases
• Be defrauded
• Face closure
1.3 Aims and Objectives
The aim of this project is to implement all clauses and applicable
control sets of BS 7799-2:2002 within the IQA’s IT department, with a view to
possible expansion to cover all departments of the IQA and to recommendation for
certification in the near future, and to document the process of implementation to
make implementation of BS7799 more accessible to other organisations.
BS7799 implementation differs per organisation, and the issues faced during
implementation are not necessarily the same as those faced by the IQA. In the interest
of making this report beneficial to a wide range of organisations, experts in the field of
BS7799 have been consulted about their experiences with BS7799 ISMS
implementation. Their experiences and the experience gained during the
implementation project in the IQA are highlighted in this report.
Project objectives
• To make implementing BS7799 a generally accessible task to third parties by
discussing the subject of ‘How to’ implement the standard, detailing process,
difficulties and challenges of implementation in the IQA and issues
highlighted by BS7799 recognised experts.
• Implement the clauses and applicable control sets of BS7799-2:2002 at the
IQA.
• Present this project report so it is easily adaptable for transformation into a
software application that will help to enforce the clause and applicable control
sets of BS7799-2:2002.
The business objectives of BS7799 are to:
• Maximise return on investment
• Minimise business damage by minimising risk and consequence
• Ensure business continuity
• Attract more business
The stakeholders are identified as the Institute of Quality Assurance (IQA), the
International Register of Certificated Auditors (IRCA), their customers and suppliers
and other organisations that are eager to implement BS7799.
1.4 The Institute of Quality Assurance
The Institute of Quality Assurance, better known as the IQA, is the umbrella
organisation of two organisations:
• The Institute of Quality Assurance (IQA)
• The International Register of Certified Auditors (IRCA)
1.4.1 IQA
The IQA, the leading body for the advancement of quality practices in the UK, was
originally founded in 1919 as the Institute of Engineering Inspection. The IQA is a
not for profit organisation and a respected contributor to policy issues at national and
international level. It has maintained its unique position of independence from
commercial or vested interests and embraces all quality models, philosophies and
standards that help an organisation improve performance.
The IQA is a founding member organisation of the European Organisation for Quality
(EOQ). The EOQ is a federation of quality management organisations from 34
European member states, representing over 140,000 individuals and 23,000
businesses.
The IQA seeks to:
• Promote the efficiency and competitiveness of industry and commerce
• Promote the education and training of those involved in quality
• Promote research into quality issues
• Maintain the quality and standard of auditors and quality related training
courses. (IQA 2005)
1.4.2 IRCA
The IRCA is the world’s original and largest international certification body for
auditors of management systems. IRCA certifies more than 11,500 auditors in over
105 countries worldwide. IRCA has accredited over 90 training organisations, which
provide training to a total of over 50,000 students each year in over 100 countries.
IRCA provides auditors, business and industry with two main services:
1. Certification of auditors of management systems. These include
a. Consultants assisting organisations to develop and implement quality
management systems
b. Certification body/registrar auditors, auditing organisations against
ISO 9001, BS7799 and other management systems standards
c. Internal auditors performing audits on suppliers or auditing their own
organisations
d. Quality managers
2. Accreditation of courses and training organisations (IRCA 2005)
1.4.3 The IT department
The IT department and other support services departments of the IQA support both
organisations, IQA & IRCA. The IT department consists of two IT Assistants and the
IT Manager and is on a continuous quest to improve the services it delivers
and the underlying infrastructure, in conjunction with its customers (internal
departments) and the customers of the IQA and IRCA. The IT department realises that
improvement can only come with complete buy-in from its customers (in other words,
other departments within the IQA) and therefore puts the emphasis on customer
relationships.
The IT infrastructure used in the IQA makes the quest more interesting than usual.
Both the IQA and the IRCA share the same servers, but the data and applications must
be kept completely separate. This is because the IQA is accredited by IRCA, meaning
that if IQA had the ability to access IRCA’s data and applications they could gain an
advantage over other IRCA accredited training organisations resulting in unfair
competition.
Since the restructuring of the IT department began, a little over three years ago, its
functioning has improved greatly but has not yet reached its potential level of
efficiency. This does not only depend on the IT department, but on the whole of the
organisation.
Before the restructuring began servers were standing on the floor each with their own
mouse, keyboard and monitor, plugged straight into wall sockets without sufficient
protection against electricity spikes or blackouts. Cables lay dangerously on the floor,
easily unplugged by a wrong move. Backups were working poorly and not all
important information was backed up. Restore capabilities were never tested on a
realistic scale. Licensing was badly managed, to such an extent that Microsoft Office
licences were severely outdated. Software was not standardised, neither were
computer installations. An asset register did not exist. The budget was poorly
controlled by the IT manager. Server operating systems were installed without
sufficient knowledge, resulting in frequent crashes. Customer satisfaction was below
zero, and the list goes on.
All these issues have been greatly improved over the past three years. For example
servers are in cabinets, using UPS systems (Uninterruptible Power Supplies) and
surge protection. They are installed by professionals with a regularly tested backup and
restore facility. Software is licensed and licenses are controlled. Workstation
installations are managed and standardised. Assets are registered and the registry is
controlled and maintained. The budget is managed to the smallest detail. Servers do
crash, but not often and crashes do not cause much down time, and no interruption to
the daily work. Customers are far more satisfied.
The IT department recognises that there is still room for improvement and has
identified potential aids that would bring benefit to its continuous quest for
improvement.
• ITIL (IT Infrastructure Library) – Concerned with IT Service Management.
• ISO 9000:2000 (International Standard Organisation) – Concerned with overall
  improvement of quality within the organisation.
• BS7799 (British Standard) – Concerned with Information Security.
The ITIL and ISO 9000:2000 aids have been investigated and are partly implemented,
leaving BS7799 implementation as a final, but a most challenging project to be
completed.
1.5 Background
The consequences for any company whose information security is compromised are
severe. A few examples of information at risk:
• Email directories (customers and suppliers)
• Customers’ financial information
• Any other customer data (name, address etc)
• The organisation’s bank account details
• Employee details
Examples of assets that hold information which require risk management:
• Server systems
• Desktop systems
• Laptops
• Memory sticks
• Paper files
• Tapes
• USB / Firewire devices
• Personnel
Many sources reveal the need for organisations to develop a systematic approach to
implement a form of information security. I have listed four here:
• R. Howard of NCC Group Plc wrote to inform me that the NCC Group Plc
  achieved a 42% success rate in breaking into networks from an external testing
  perspective and 83% for internal testing perspective over the past two
  years. (Howard 2005)
• According to the National Hi-Tech Crime Unit (NHTCU), electronic crime
  cost UK companies an estimated £2.45 billion in 2004. (Silicon 2005)
• One survey by NHTCU also reveals that virus attacks hit 97 per cent of
  respondents, costing them in total more than £70m. Nine per cent had suffered
  financial fraud, at a cost of £68m. (Silicon 2005)
• And in support of the NCC Group Plc findings, the NHTCU found that out of 200
  companies surveyed, 178 experienced some form of high-tech crime last year.
  Of those 178 firms, 90 per cent claimed to have had their systems intruded and
  89 per cent said their data had been stolen.
The International ISMS User Group (XISEC) states that in the United Kingdom only
212 organisations are BS7799 certified. This ranks the United Kingdom second with
Japan leading with a total of 967 certifications. (ISMS International user group 2005)
But not all companies who implement BS7799 will opt for certification, making the
number of actual implementations of the standard difficult to estimate. On the other
hand many companies may not be aware of the existence of BS7799 and are perhaps
fully unaware that information security is a distinct field, but may well have taken
measures, without realizing, to improve information security. No matter at what stage
an organisation is, information security has a price tag for all.
A useful framework is provided by Fredrik Björck who is a Ph.D. candidate and
lecturer at the Department of Computer and Systems Sciences, Stockholm University
/ Royal Institute of Technology. His research is focusing on certain aspects of
information security management in organisations. He has served as vice-president of
ISACA (Information Systems Audit and Control Association) Sweden Chapter, is a
Certified Information Systems Security Professional (CISSP) and a Certified
Information Systems Auditor (CISA).
Björck (Björck 2001) has written his thesis on information security “Security
Scandinavian Style - Interpreting the management of information security in
organisations” in which he suggests that the optimum level of security in an
organisation, from a strict financial perspective, will be found in the situation where
the cost of additional security-countermeasures exactly equals the resulting reduction
in damages arising from security breaches. This is illustrated in figure 1.1; the
optimum level of security.
Figure 1.1: The optimum level of security. (Björck 2001)
BS7799 is a powerful tool that can help companies find this optimum level of
security.
1.6 Justification for this project
The security of the information held by the Institute of Quality Assurance (IQA) umbrella
organisation is at risk, and this risk has to be reduced to the absolute minimum or
acceptable level, whilst at the same time the efficiency of the organisation in dealing
with information security related issues must be improved in line with the organisation’s
policy of adhering to best practice in the work place.
IQA required all relevant sections of BS7799 to be implemented by the end of
September 2005 with a view to proceeding to certification in early December.
However due to the organisation’s plan to move premises the project to implement an
information security management system (ISMS) has been stalled. Therefore
implementing an ISMS for the whole of the organisation is no longer a realistic
objective and the scope had to be reduced to the IT department and its assets only.
It is worth noting that the IT department and its assets are at the core of the full scale
ISMS. All departments in the organisation use and depend on the IT infrastructure and
policies and procedures relating to the IT assets need to be adhered to by all staff. An
ISMS scope that includes only the IT department and its assets therefore still
represents an accurate case of implementing the ISMS.
As outlined in chapter 1.3 the IQA consists of two organisations with two IT systems
sharing the same hardware. The ISMS has to support both organisations. It may be
assumed that, because the scope of the ISMS only looks at the IT department and its
assets, dealing with two organisations under one umbrella is not important to the
implementation of BS7799. Nothing could be further from the truth.
In particular the IT infrastructure has to deal with the difference between IQA &
IRCA. Not only does the IT infrastructure need protection from outside the
organisation, but because of regulations that apply to both the IRCA and IQA the IT
infrastructure must protect the IRCA information assets from IQA staff and vice
versa.
1.7 Report outline
The next chapters build towards answering the research questions of chapter 1.1. The
chapters are:
• Literature survey - BS7799 The Basics
  An outline of BS7799, including comparison to other standards, terminology,
  methodology and success factors.
• Methodology
  A discussion on action research and the reason to apply this research method
  for this project.
• Information security in practice – An Analysis of Security Case Studies
  Examples of information security incidents and possible prevention or damage
  control options by implementing BS7799. This section is aimed at
  convincing management of BS7799 implementation.
• Results - Implementation and its difficulties
  An extensive step-by-step discussion on how BS7799 was implemented at the
  Institute of Quality Assurance; examples of key documents, experts’ advice
  and experiences, problems and solutions.
This dissertation is written as if walking the reader through implementation and, by
doing so, will endeavour to align more with the reader. Therefore use of ‘we’, 'us' and
'I' will be common throughout this report.
2. Literature survey - BS7799 The Basics
2.1 What are standards?
There are many standards and regulations these days. But what are these standards
and regulations exactly? Do they have anything in common, are there differences?
Although detailed discussion about standards and regulations falls outside the scope
of this project, I feel it is beneficial to give a general overview of this topic.
“Software standards enable software to interoperate. Many things are
(somewhat) arbitrary, so the important thing is that everyone agree on what
they are.” (Wikipedia 2004)
“Agreed principles of protocol. Standards are set by committees working
under various trade and international organizations.” (Leviton, no date)
“In a military context, standardisation is defined as: The development and
implementation of concepts, doctrines, procedures and designs to achieve and
maintain the required levels of compatibility, interchangeability or
commonality in the operational, procedural, materiel, technical and
administrative fields to attain interoperability.” (Wikipedia 2005a)
Standards are either ‘de facto’ or ‘de jure’. ‘de facto’ standards are those followed for
convenience, such as the ITIL, BS7799, ISO9000 standards. ‘de jure’ standards are
(more or less) legally binding contracts and documents.
“A regulation (as a legal term) is a rule created by an administrative agency
or body that interprets the statute(s) setting out the agency's purpose and
powers, or the circumstances of applying the statute.
A regulation is a form of secondary legislation which is used to implement a
primary piece of legislation appropriately, or to take account of particular
circumstances or factors emerging during the gradual implementation of, or
during the period of, a primary piece of legislation.” (Wikipedia 2005b)
The difference between standard and regulation is that the latter is a legally required
set of rules to be incorporated (more like a ‘de jure’ standard, but set by an
administrative agency or body) whilst standards are not legally required to be
implemented.
Organisations choose to adopt standards, not by law, but by choice or by request of
customers and/or suppliers. Standards are usually adopted to improve credibility in the
organisation. This could be credibility in areas such as the quality of products,
services, security of data, with the view of improving the company’s efficiency,
cutting costs, improving image, attraction of customers, retaining customers and much
more.
In contrast organisations are forced to adopt regulations if they apply to the
organisation. Examples of regulations are the Health and Safety regulations, the Data
Protection Act and the Banking Code; again these regulations must be adhered to by
law.
An example of standards, one we are all familiar with, is the standardisation of the
country-codes for telephone numbers, a standard laid down by the Comite Consultatif
Internationale de Telegraphie et Telephonie (CCITT), which in the early 1990's
changed its name to ITU-T (International Telecommunications Union-Telecommunication).
This is a typical example of a ‘de jure’ standard even though there are
no laws enforcing this practice, because to be compatible with the rest of the world
you need to implement this standard. An example of a ‘de facto’ standard is one that
stands as the basis of this project: BS7799. Many different organisations lay down
standards, such as the ITU-T, ISO, BSI, manufacturers, insurance companies etc.,
independent of the distinction between ‘de facto’ and ‘de jure’ standards.
2.2 BS7799 compared to ITIL & ISO9001
We will have a short look at what other standards have in common with the BS7799
standard. In this project we are however concentrating on information security. For
this specific subject only BS7799 applies. Whilst it is true that other standards show
commonalities with BS7799, they are not specifically designed to deal with
information security whilst BS7799 is.
By combining relevant aspects of ISO9001, ITIL and other standards we will most
likely end up with a system very similar to BS7799. At the IQA ISO9000:2000 is
already implemented for most of the company’s departments. The IQA now needs
to concentrate on the more specific and specialised areas of the organisation such as a
Health and Safety Management system and an Information Security Management
System (ISMS). To implement the ISMS the BS7799 is a widely accepted standard
and commonly used. It specializes specifically in implementing and running an ISMS
and thus is the logical choice of standard to follow.
2.2.1 ITIL and BS7799
ITIL, the Information Technology Infrastructure Library is a world-wide de facto
standard in IT services management. ITIL focuses on Best Practice and is useable for
any size organisation. ITIL was devised by the Central Computer and
Telecommunications Agency (CCTA) in the UK in the late 1980’s and became
recognised world wide by the mid 1990’s. ITIL was created as a response to the
changing role of IT within organisations. Although the CCTA’s customer base was
originally other parts of central government, it recognised that the needs of
organisations in the public or private sector, large, small, centralised or distributed
were going to be similar. (Green 2005) This was at the same time that IT changed
from being a mere ‘add-on’ of companies to a fundamental core function of the
organisation.
ITIL (Langley 2003) is organised into sets of texts which are defined by related
functions:
• Service support
• Service delivery
• Managerial
• Software support
• Computer operations
• Security management
• Environmental.
The Service Management section of ITIL is made up of eleven different disciplines,
split into two sections, namely Service Support and Service Delivery:
Service Support
1. Configuration Management
2. Change Management
3. Release Management
4. Incident Management
5. Problem Management
6. Service Desk
Service Delivery
7. Service Level Management
8. Capacity Management
9. Financial Management for IT Services
10. Availability Management
11. IT Service Continuity Management
Whilst owned by the CCTA since the mid-1980s, ITIL is currently maintained and
developed by the Office of Government Commerce. As from 1st April 2001, CCTA
became an integral part of the Office of Government Commerce. From this date,
CCTA the organisation ceased to exist.
ITIL overlaps with BS7799-2:2002 in the disciplines:
• Problem Management
• Availability Management
• IT Services Continuity Management
Problem management aims to minimise the effects on the organisation of incidents and
problems caused by errors in the infrastructure and to prevent the occurrence of
incidents, problems and errors. Problem management also deals with problem
identification, recording, classification, investigation and diagnosis.
BS7799-2:2002 is designed to minimise the likelihood and severity of information
security related incidents and to prevent repetition by taking preventive action.
BS7799-2:2002 requires a system for logging incidents and taking corrective action. It
also requires a system for monitoring system use and reporting incidents.
The BS7799 standard looks beyond ITIL and includes all information security related
assets instead of only IT related issues. Examples of this are computer systems, hard
copies, personnel, building security etc.
Availability Management is about sustaining availability of the IT infrastructure as
and when required. By using Availability Management a company can predict and
design for expected levels of availability and security. Availability levels are
measured against Service Level Agreements (SLAs).
BS7799-2:2002 emphasises three areas:
• Confidentiality
• Integrity
• Availability
Information security is the balance between these areas.
Figure 2.1: Integrity, Availability and Confidentiality (Bureau Veritas 2003)
Availability in BS7799-2:2002 means
“ensuring that authorized users have access to information and associated
assets when required”. (BSI 2002)
The difference between BS7799 and ITIL is again that ITIL looks at purely IT related
systems whilst BS7799 looks at all assets, including IT, but not limited to IT.
IT Service Continuity Management is to support overall business continuity and
should integrate with the overall business continuity plan. In case of a disaster or
major failure a predetermined level of IT functionality should be restored within
agreed timescales, increasing business survival chances.
BS7799-2:2002 Annex 11.1 (BSI 2002) talks in detail about business continuity. It
requires a management process for business continuity to be in place, a strategy plan
based on risk assessment, implementation of this plan, testing and maintenance of this
plan.
Once more the difference here is that whereas ITIL looks purely at IT, BS7799 looks
at all assets and continuity planning for the entire business.
2.2.2 ISO9001:2000 and BS7799
BS7799-2:2002 Annex C (BSI 2002) provides a detailed comparison table between
BS7799-2:2002, BS EN ISO9001:2000 and BS EN ISO 14001:1996. I will only
highlight the areas where there are commonalities between BS7799-2:2002 and BS
EN ISO9001:2000.
ISO9000:2000 is designed as a quality management system and not as an information
security management system. ISO9000:2000 is about organisational processes to
deliver a service or a product; ISO9000:2000 follows the delivery of a service or
product from the beginning to the end with the aim of making the process transparent,
controlled and open to continuous improvement.
ISO9000 serves as a basis to:
• Achieve better understanding and consistency of all quality practice
  throughout the organisation.
• Ensure continued use of the required quality system year after year.
• Improve documentation.
• Improve quality awareness.
• Strengthen organisational / customer confidence and relationships.
• Yield cost savings and improve profitability.
• Form a foundation and discipline for improvement activities within the quality
  management system.
BS7799 and ISO9000:2000 seem to touch upon completely different aspects of the
organisation. Whereas ISO9000:2000 looks at the processes of service and product
delivery, BS7799 concentrates on Information Security.
But they do have commonalities. Both use a Management System to implement and
use the standard.
Common requirements of both Management Systems:
• Scope
• Document Control
• Record Control
• Management Commitment
• Provision of Resources
• Training, Awareness and Competency
• Management Review
• Internal Audits
• Continual Improvement
• Corrective Action
• Preventive Action
Common Business Objectives
• Maximise return on investment
• Minimise risk
• Increase customer base by increased credibility (from certification)
2.3 BS7799 - Terminology
BS7799 is a standard devised by the British Standard Institute (BSI) and recently
transformed into an ISO standard (ISO17799). BS7799 is aimed at information
security. Why?
Businesses and their information assets are exposed to serious information security
threats on a daily basis. The vulnerability of information, the likelihood of it being
compromised and the severity of the impact of it being compromised vary, but all too
often the security of high value information does get compromised.
The consequences vary. Companies can suffer serious loss of face, go bankrupt,
people can get killed. However most breaches have a less dramatic impact on the
business, but can still be very costly such as loss of reputation. Take for example
Amazon and imagine the front page of the morning papers announcing credit card
fraud at Amazon. It is a blow to Amazon’s reputation from which they would not
quickly recover if at all.
Before we can continue with BS7799 it is important to understand some terminology
and the differences between the terms.
• Threats
  o A declaration of the intent to inflict harm or misery
  o Potential to cause an unwanted incident, which may result in harm to a
    system or organisation and its assets
  o Intentional or accidental, man-made or an act of god
• Vulnerability
  o Is a source or situation with potential for a threat to inflict harm. It
    does not cause harm or threats but if not managed it will lead to harm.
  o Examples: Unlocked doors, no intruder alarm system, lack of up-to-date
    virus protection, no backup of vital data
• Likelihood
  o Is the probability of a threat to materialise
  o Example classification: low, medium, high
• Severity
  o Describes the damage a threat can cause if it does materialise
  o Example classification: slight, medium, severe
• Risk
  o Is the combination of Likelihood and Severity of a Threat to
    materialise
(Bureau Veritas 2003)
2.4 BS7799 – Two parts to the puzzle
BS7799 certification requires compliance to part 2 of BS7799. BS7799 consists of
two parts, part 1 and part 2, better known as:
• BS ISO/IEC 17799:2000, BS 7799-1:2000 (Information technology – Code of
  practice for information security management)
• BS 7799-2:2002 (Information security management systems – Specification with
  guidance for use)
The Code of practice explains in more detail the 10 controls addressing key areas of
Information Security Management which include a total of 127 best security
practices:
1. Information security policy
- Objective: To provide management direction and support for information
security
2. Organisational security
- Objective: To manage information security within the organisation
3. Asset classification and control
- Objective: To maintain appropriate protection of organisational assets
4. Personnel security
- Objective: To reduce risks of human error, theft, fraud or misuse of facilities
5. Physical and environmental security
- Objective: To prevent unauthorised access, damage and interference to business
premises, information and assets
6. Communications and operations management
- Objective: To ensure the correct and secure operation of information processing
facilities, minimise the risk of system failures and maintain integrity and
availability of information processing and communication services.
7. Business requirement for access control
- Objective: To control access to information and detect unauthorised access
8. Security requirements of systems
- Objective: To ensure that security is built into information systems
9. Business continuity management
- Objective: To counteract interruptions to business activities and to protect
critical business processes from the effects of major failures or disasters
10. Compliance
- Objective: To avoid breaches of any criminal and civil law, statutory, regulatory
or contractual and thereby to ensure compliance of systems with organisational
security policies and standards (BSI 2002)
The objectives of all controls mentioned are described in far greater detail in the
actual code of practice than the summary above. It is important to be aware that not
all controls or control sets apply to every organisation and that some controls and
control sets will be difficult to implement without full co-operation of those involved,
in some cases the entire company. The controls and control sets to be implemented
will only become apparent when actually engaging in the project. It is part of the
project to determine and document which are and which are not applicable to your
BS7799 implementation and why.
Part 2 of BS7799 (BS7799-2:2002, Specification with guidance for use), as
mentioned above, is the part of BS7799 that is certifiable. It instructs on how to build,
maintain, operate and improve a measurement system for managers to monitor and
control the security systems: The Information Security Management System (ISMS).
It does this by stating what needs to be implemented (clauses 4 to 7 of
BS7799-2:2002 are mandatory whilst controls and control sets are optional) and gives
additional information on implementation.
Part 1 however guides us in detail through each of the 10 controls and their control
sets as laid out in Part 2. Even though part 1 is very helpful it is still alien to those
who have no experience in implementing BS7799 and is of little help on ‘how’ to
actually implement the standard.
2.5 BS7799 – The Deming Cycle
The Information security management system (ISMS) of BS7799 is implemented
using a methodology referred to as the Deming cycle: the Plan-Do-Check-Act
(PDCA) cycle (Deming 2000). Deming is a highly respected professional in the field
of quality management. He is known as the father of the third industrial revolution of
Japan and is officially recognised by many. For his work in Japan he received the Second
Order Medal of the Sacred Treasure, from the Emperor of Japan, 1960, for
improvement of quality and of Japanese economy, through the statistical control of
quality and in the US he received the National Medal of Technology from President
Reagan in 1987.
The PDCA cycle is used as a systematic approach to setting up and managing a
management system. It follows a continuous cycle of activities that can be described
as a virtuous circle used to bring continuous improvement to the management system.
Figure 2.2: The Deming Cycle.
When adapted to BS7799 the four phases of the cycle, Plan-Do-Check-Act, each have
a number of BS7799 activities assigned to them. My analysis of the PDCA cycle and
BS7799 corresponding activities, as outlined in table 2.1, is based upon many
different internet resources and the Lead Auditor training course followed at Bureau
Veritas.
Plan
• Scope
• Policy
• Risk Assessment
• Risk Treatment Plan
• Statement of Applicability
Do
• Operate Controls
• Awareness Training
• Manage Resources
• Prompt Detection and Response to Incidents
Check
• Management Review
• Internal ISMS Audit
Act
• ISMS Improvements
• Preventive Action
• Corrective Action
Table 2.1: The Deming Cycle adapted to BS7799.
The tables used in the chapters 2.5.1 to 2.5.4 are based on the ‘Examination for
Auditors of Information Security Management Systems’ paper (Bureau Veritas 2004)
as provided during the BS7799 Lead Auditor course and the knowledge gained during
this course.
2.5.1 Plan
The ISMS system requires some preparation before it can be implemented.
Documenting practices, establishing risk management approach, allocation of
responsibilities and determining methods of review are activities used to “kick start”
the cycle.
“The Plan phase is used to ensure that the context and scope for the ISMS
have been correctly established, that the information security risks are
assessed and that a plan for the appropriate treatment of these risks is
developed.” (BSI 2002, p. 22)
Activity | Clause / Annex
Establishing the ISMS | 4.2.1
Define Policy and Scope | 4.2.1 a), b)
Risk identification and assessment | 4.2.1 c) – e)
Risk treatment plan | 4.2.1 f) – i)
Table 2.2: The links between the PLAN phase and BS7799.
BS7799-2:2002 Clause 4.2.1 a) speaks about the scope of the ISMS. An example of
the scope used for the Institute of Quality Assurance (IQA) is included in the
discussion on the actual implementation of the ISMS at the IQA (chapter 5). The
scope is nothing more than a document stating what departments and assets (i.e.
desktops, LAN, servers) are included in the ISMS and the exclusions. Depending on
the size of the ISMS it may well fit on one A4 page.
After drawing up the scope it is required to develop an Information Security Policy.
This policy includes the purpose of setting up the ISMS, the objectives of the ISMS
and responsibility. It also refers to additional policies and procedures that are used to
support the ISMS, such as procedures for disciplinary action, use of email and internet
etc.
When the scope and information security policy are drawn up we continue with the risk
management and treatment plan and select appropriate controls from annex A of
BS7799-2:2002. For each control set in annex A it is required to justify the inclusion
or exclusion of the control set. The resulting document is called the ‘Statement of
Applicability’ and is required for certification.
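The Plan-phase outputs described above (risk assessment, risk treatment plan and Statement of Applicability) can be tied to the likelihood and severity classifications of chapter 2.3 in a small risk register. The Python below is an added example, not part of BS7799 or of the IQA implementation; it checks the Statement of Applicability per control area rather than per control set to keep it short. Scoring risk as likelihood × severity, the treatment threshold of 4, the sample ratings and all function names are assumptions.

```python
from dataclasses import dataclass

# Example classifications from chapter 2.3, mapped to ordinal values.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
SEVERITY = {"slight": 1, "medium": 2, "severe": 3}

# The ten control areas of the code of practice, as listed in chapter 2.4.
CONTROL_AREAS = [
    "Information security policy",
    "Organisational security",
    "Asset classification and control",
    "Personnel security",
    "Physical and environmental security",
    "Communications and operations management",
    "Business requirement for access control",
    "Security requirements of systems",
    "Business continuity management",
    "Compliance",
]

# ASSUMPTION (not from BS7799 or the report): risk is scored as
# likelihood x severity and anything scoring 4 or more must be treated.
TREATMENT_THRESHOLD = 4


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    severity: str
    control_area: str  # area a treating control would be selected from

    def __post_init__(self):
        # Reject values outside the agreed scales instead of scoring them.
        if self.likelihood not in LIKELIHOOD or self.severity not in SEVERITY:
            raise ValueError(f"unknown rating for {self.asset}")
        if self.control_area not in CONTROL_AREAS:
            raise ValueError(f"unknown control area: {self.control_area}")

    @property
    def score(self):
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]


def treatment_plan(register):
    """Risks at or above the threshold, highest score first."""
    todo = [r for r in register if r.score >= TREATMENT_THRESHOLD]
    return sorted(todo, key=lambda r: (-r.score, r.asset))


def check_soa(soa, register):
    """Return findings; an empty list means complete and consistent."""
    findings = []
    for area in CONTROL_AREAS:
        entry = soa.get(area)
        if entry is None:
            findings.append(f"{area}: no inclusion/exclusion decision")
        elif not entry.get("justification", "").strip():
            findings.append(f"{area}: decision is not justified")
    for risk in treatment_plan(register):
        entry = soa.get(risk.control_area)
        if entry is not None and not entry.get("included"):
            findings.append(
                f"{risk.control_area}: excluded, but '{risk.threat}' on "
                f"{risk.asset} scores {risk.score}"
            )
    return findings


# Constructed sample data: assets and vulnerabilities come from the
# report's own lists, the ratings are invented for illustration.
REGISTER = [
    Risk("Server systems", "loss of vital data", "no backup of vital data",
         "high", "severe", "Communications and operations management"),
    Risk("Desktop systems", "virus infection",
         "lack of up-to-date virus protection",
         "high", "medium", "Communications and operations management"),
    Risk("Server systems (shared)", "IQA staff access IRCA data",
         "two organisations on the same servers",
         "medium", "medium", "Business requirement for access control"),
    Risk("Tapes", "theft", "unlocked doors",
         "low", "severe", "Physical and environmental security"),
]

SOA = {area: {"included": True, "justification": "Selected to treat a risk"}
       for area in CONTROL_AREAS}
del SOA["Compliance"]                                # decision never recorded
SOA["Personnel security"]["justification"] = ""      # decision not justified
SOA["Business requirement for access control"] = {   # conflicts with a risk
    "included": False, "justification": "Handled informally"}

if __name__ == "__main__":
    print([(r.score, r.asset) for r in treatment_plan(REGISTER)])
    print("\n".join(check_soa(SOA, REGISTER)))
```

The three findings on the sample data are the gaps a reviewer would look for first: a control area with no decision, a decision without justification, and an exclusion that contradicts a risk the treatment plan says must be handled.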
2.5.2 Do
The Do phase is about implementing and making operational the ISMS system. In this
phase we look back at what we prepared in the Plan phase and make it reality.
“The DO activity within the PDCA cycle is designed to implement selected
controls and promote the action necessary to manage the information security
risks in line with the decisions that have been taken in the Plan phase” (BSI
2002, p. 24)
In this phase we implement the ISMS, implement the risk treatment plan which
includes a way of swift detection and response to information security incidents,
ensure that staff are being trained and are security aware and are competent to carry
out designated security tasks, and that the required resources are available.
It is also very important that management is committed to the ISMS establishment,
implementation, operation, monitoring, review, maintenance and improvement.
Without full management support, preferably top management, the ISMS is doomed
to fail from the start.
Activity | Clause / Annex
Implementing the ISMS | 4.2.2
Risk treatment plan, training awareness programs, resource management | 4.2.2 a) – g)
Management responsibility | 5.0
Management commitment | 5.1
Resource management | 5.2
Table 2.3: The links between the do phase and BS7799.
2.5.3 Check
The Check phase is to monitor the effectiveness of the ISMS. To be able to carry out a
proper review of the ISMS you will need at least three months’ worth of data.
During the Check phase it may be found that some controls are missing or ineffective,
that risk treatment plans may not work as well as expected, that information security
breaches have occurred and that overall improvements of the ISMS are applicable.
The Check phase is a constant phase; checks on network security, virus infection, user
activity etc are performed on a regular or even constant basis as part of the normal
business process.
It is important to remember that finding opportunities for improvement is the
objective of the Check phase. The Check phase is extensively described in
BS7799-2:2002 page 24 section B4. (BSI 2002, p. 24)
Activity | Clause / Annex
Monitor and review the ISMS | 4.2.3
Application of control procedures, security breaches, action plans | 4.2.3 a)
Management review of the ISMS | 6.0
Review of the inputs | 6.2
Review of the outputs | 6.3
Internal ISMS audit program | 6.4
Table 2.4 The links between the CHECK phase and BS7799.
2.5.4 Act
During the Act phase we take action based on information found in the Check phase.
This could range from implementing corrective action for non-conformities and acting
on identified opportunities for improvement to taking disciplinary action and
preventive action.
Activity | Clause / Annex
Maintain and improve the ISMS | 4.2.4
Implement improvements, apply lessons learnt from security experiences, communication | 4.2.4 a) – d)
ISMS continual improvement plan | 7.1
Corrective action plan | 7.2
Preventative action plan | 7.3
Table 2.5 The links between the ACT phase and BS7799.
During the discussion of the actual implementation of the ISMS in the Institute of
Quality Assurance (chapter 5) we will get a clear overview of each of the four phases
and related activities. The PDCA is the methodology used to build and manage the
ISMS.
2.6 BS7799 – Critical Success Factors
Over the years BS7799 auditors and consultants have identified a number of critical
success factors – that is factors which lead directly to success for a business – for
BS7799 implementation and certification. The success factors listed are derived from
BS7799 part 1 (ISO/IEC 17799).
[Figure 2.3 Success factors. Factors shown around ‘Success’: Management support; Well
structured project; Holistic approach; Employee support; Good understanding of
BS7799; Access to external expertise; Awareness training on the need for security.]
3. Methodology
During my preliminary research into the BS7799 standard I found one aspect of
implementation missing: How to? The two parts of the standard gave me a very solid
overview of what was required for BS7799 implementation and certification, using
very helpful examples on controls and control sets, but they both left out the main part
of implementation: how?
To answer this question and the other research questions, as listed in chapter 1.1,
research questions, I concluded that it was best to actually go through the complete
activity of implementation myself. This method is one of the characteristics of what is
known as action research.
“In action research, the investigator virtually becomes part of the arena being
studied with the purpose of solving organisational problems.” (Bryman 1989)
Action research is foremost concerned with finding solutions that can be applied in
practical, real-life situations, with scientific results taking a back seat. It tends to
influence, and extend to, the entire organisation. The basic ideas relating to action
research have been around since the 1940s, but Bryman suggests that it has never
achieved widespread acceptance; many researchers shy away from action research
because they find it too close to the traditional consultancy role. However, this
similarity is exactly what makes it effective as a research method that has great
potential to bring substantial and useful benefits to the organisations and individuals
involved, instead of only contributing to science. (Bryman 1989)
M. Rich suggests that action research assumes that there are ‘participant observers’,
meaning that people carrying out the research are actually taking part in the process,
a statement which in my opinion supports Bryman’s comparison of action research
with consultancy.
M. Rich continues by suggesting that action research assumes that through some
intervention things can be done better in the future and therefore the objective of the
dissertation should be to identify suitable intervention. He continues suggesting that
overall the objective of action research is to improve a process in some way during
which some intervention is typically identified. (Rich 2005)
Figure 3.1 illustrates the different stages in action research (Bryman 1989, p. 180).
[Figure 3.1 Stages in action research (Bryman 1989, p. 180). Stages shown: Problem;
Organizational framework for research; Research; Diagnosis; Recommendations and
implementation; Research (evaluation); Solution found; Contribution to knowledge;
Solution not found.]
Comparing Deming’s PDCA cycle with the action research stages related by Bryman
we can see a clear correspondence as shown in table 3.1. This vindicates the
suitability of action research for this project.
Deming Cycle: Plan; Do; Check; Act
Matching Action Research Stage: Problem; Organizational framework for research;
Research; Diagnosis; Recommendations and implementation; Research (evaluation);
Solution found; Solution not found; Loop back to previous stages
Table 3.1 Deming Cycle and the matching Action research stage.
The cyclical feedback cycle (check and act in Deming and Research (evaluation),
Solution found, Solution not found and loop back to previous stages in Bryman) is a
cycle which we cannot explore within this dissertation, but it would fit with pursuing
the action research further. We can look at some smaller parts of the system we have
implemented; for these parts the feedback cycle is short and we can determine the
effect of implementation within a couple of days. However for the main part of the
system the feedback cycle can only be efficient from at least three months after
implementation. This is due to the nature of the system. Because of the timescale for
writing this dissertation the feedback cycle cannot be discussed in as much detail as
the actual implementation of the system.
3.1 Practical research problem
The research is concerned with implementation of a BS7799 ISMS; how to, problems
relating to, and convincing management of implementation of BS7799.
The research is based upon implementation of BS7799 within the IQA umbrella
organisation. The research concentrates on the IT department and its assets.
It follows how, step by step, BS7799 was implemented and the issues that arose
during implementation.
3.2 Participation
I, the researcher, am an employee of the IQA. As IT manager I had the unique
opportunity to lead the project of implementing BS7799 in the IQA. In this I was
supported by my direct staff members, the personnel manager, my direct reporting
manager and various experts in the field.
For the actual implementation of BS7799 I have followed the Deming Cycle and Part
2 of BS7799 (BS7799-2:2002, Specification with guidance for use).
3.3 Change
BS7799 is intended to optimise information security in an organisation. It will not
instil the same magnitude of change on all organisations it is applied to, but change is
to be expected. Sources within the IQA had identified the need for change in how it
handles information security.
How the change will be received by the organisation and what its effect is on
information security will not be fully understood until at least three months after
implementation. However, staff are already picking up on some changes brought on by
BS7799.
3.4 Cyclical feedback
How exactly the implementation of BS7799 will influence the organisation and how
successful the implementation is in reality cannot yet be established. Feedback on
implementation is to be expected three months after implementation as a minimum
when the ISMS is reviewed.
The ISMS will be reviewed according to the Deming Cycle (Check) and
BS7799-2:2002 (internal audit and management review), but currently it is too early to
determine the success of this project.
4. Information security in practice – An Analysis of Security Case Studies
In this chapter we will look at answering one of the research questions, which
coincidentally is one of the most important success factors to implementation of
BS7799:
• How to convince management of the need for and benefits of BS7799
  implementation?
If you are convinced that BS7799 is part of the best solution to manage information
security within your company, then how do you convince management?
It is often a very difficult task to convince management and top-management of the
importance of something that does not come with any direct financial return. If you
approached top-management and asked to buy product X, which your customers
have been asking for and on which your profit margin is 100%, there would be very
positive buy-in.
But now imagine that you come to top-management and tell them that you need time,
resources and money to put something like BS7799 in place. Where is the direct
financial return? There isn’t one. The benefit is about reducing risk and not about
immediately increasing return. How to convince them that having this in place will
save the company a considerable amount of money, and perhaps even forestall
closure, when the very objective of the project is to minimize the risk of a fatal
incident occurring and having a contingency plan in place just in case it might
happen?
BS7799 is about prevention and continuity. You can never eliminate risk, but you can
minimize the likelihood, vulnerability and impact by managing the risk. To convince
top-management I have included some examples in the next section to illustrate that
what BS7799 tries to protect against are events that are more likely to happen than
you would imagine.
From both the media and personal contacts I have been able to collect examples of
situations in which information security was compromised. Some cases had the
potential to lead to very serious consequences, but the situation was rectified,
usually by sheer luck. In other cases the consequences for the organisation
were not directly of a catastrophic nature, but it or an individual could suffer
badly.
After discussing the examples I will indicate where and how BS7799 could have
helped minimise the likelihood, vulnerability and impact of the information security
breach. The keywords here are ‘to minimise’; BS7799 does not under any circumstances
eliminate risk. However, you can in some situations eliminate threats and thereby
minimise the risk, as illustrated in chapter 5.
4.1 Examples of Security Incidents
The examples in this section will be revisited in 4.2 which discusses them in relation
to BS7799.
4.1.1 The London terrorist attacks 7-7-2005.
The recent London bomb attacks made us realize how real terrorism is. From
being a thing that only happens to others it is suddenly right on our very own
doorstep. Why is this of any importance to BS7799? The standard deals not only with
minimizing the risk of security breaches but also with continuity planning. Security
breaches in BS7799 refer to information security. The standard is NOT designed to
prevent terrorist attacks, but is designed to help implement continuity plans in case
of severe disruption to the business such as during and after a terrorist attack.
4.1.2 IRA bombing of Manchester 1996
At the time of writing this report it is too early to determine the scale of damage to the
economy caused by the recent attacks on London and how well businesses have
planned for this kind of situation. What we do see in the immediate aftermath is a
greatly disturbed daily business environment. A better picture of the influence of
terrorist attacks on businesses can be found looking back at the Irish Republican
Army (IRA) bombing of central Manchester in 1996.
“The effect on a business of a major disaster can be devastating. Some never
recover. Not only can damage to buildings, stock, plant and computer
equipment be extensive, but also the effect on the company's trading can be
disastrous. 250 companies that suffered damage in the Manchester bomb
failed within six months of the event.” (Deloitte & Touche 2004)
It is very likely that the London bombings have a similar effect on local businesses.
Events that may not be as intimidating as terrorist bombings can also benefit from the
BS7799 standard. The lack of security of information, BS7799’s main concern, could
have had fairly bad consequences in some of the following examples.
4.1.3 Maxine Carr – theft of documents
“The Home Office has said a ‘thorough’ investigation will be carried out into
the theft of key documents relating to the release of Maxine Carr. …
… The documents were stolen from a Home Office official's car. The High
Court has issued a ban on revealing Carr's whereabouts after her expected
release on Friday.
The stolen papers containing details of her release were later recovered on
London's Hampstead Heath” (BBC 2004a)
Maxine Carr, better known as the former girlfriend of “Soham murderer” Ian Huntley,
received many threats before she left prison. She would therefore be relocated to a
secure and secret place to guarantee her safety. The Home Office denied that the
stolen papers contained her new address and telephone number. Depending on what
was really in the stolen papers, Carr’s life could have been in grave danger.
4.1.4 Disappearance of counter-terrorism plans for Heathrow Airport
Papers, even the most important papers, do go missing. Maxine Carr’s case is just one
example of this. Another high-profile case of missing papers took place in June/July
2004.
“The home secretary has said the disappearance of papers reported to contain
counter-terrorism plans for Heathrow Airport was ‘very bad’.
A report in the Sun newspaper claimed the documents identified 62 sites from
which a missile strike could be made. They were found by a motorist in a layby
near the London airport who contacted its reporters, the Sun said.” (BBC
2004b)
BS7799 does deal with document security and we will see in chapter 4.2 how the
standard could have been used to minimize the likelihood of the above examples
happening.
4.1.5 MI5 agent has laptop stolen at Paddington station
“Security at MI5 is stepped up as agent has laptop stolen at Paddington
station. An MI5 agent has admitted losing a laptop notebook containing
sensitive government information at Paddington train station earlier this
month. Security has been stepped up at MI5 following the theft, which has
caused extreme embarrassment for the security agency and the government.
The Police Special Branch has launched an investigation into the theft of the
£2,000 computer, which took place on 4 March.
A spokeswoman from the Home Office said that while the government does not
perceive the crime as a threat to national security because the data was
encrypted, she admitted there is some ‘concern’. The representative confirmed
to ZDNet that both the Home Secretary and the Prime Minister have been
informed directly.
According to some press reports, the information on the laptop concerned
Northern Ireland, although the Home Office would not confirm or deny this.
The spokeswoman said the computer's data was encrypted and confirmed that
any information held on it would be very difficult to retrieve. She would not
disclose what type of encryption was in place or how strong it is.” (Knight
2000)
A laptop missing from MI5 (Military Intelligence Department 5), the British
Intelligence Service, is extremely concerning because of the risk of the information on
the laptop being compromised. However, the risk was greatly reduced thanks to
encryption. For MI5, having a laptop stolen is in itself a very embarrassing and
reputation-damaging incident. Minimising the risk of physical theft, but also minimising
the risk of the stolen goods being used and/or abused, are important aspects of BS7799.
An interesting effect of implementing BS7799 to reduce one risk factor, such as
outlined above, is that another risk becomes more apparent, i.e. the risk to one’s
reputation, and the greatest concern has suddenly changed shape.
The above incidents are just one aspect of information security. The accidental loss of
sensitive information happens all too frequently. Measures could be put into place to
reduce the likelihood of this kind of incident occurring and to limit the damage if an
incident does occur despite the measures for prevention.
4.1.6 British bank account holders details stolen from Indian call centres
The media recently brought to light yet another information security issue. Long
known within IT circles, but usually denied or ignored by management, is the danger
that comes from within. It is not just lost information that poses a risk, but also
information theft. And contrary to what most management try to convince
themselves of, the threat does not only come from external people such as computer
hackers (or crackers). In fact you are far more likely to be targeted by your own staff.
“Soaring cost of cybercrime” (Manchester Evening News 2005) is the headline of an
article that describes that over 50% of the computer crime is committed often by
disgruntled staff in cahoots with someone on the outside.
Not only disgruntled staff are to blame for cyber crime from within. Organised crime
has also recognised that working for a company is an easy way of gaining access to
information with the intention of committing crime.
“Britain's banking industry – or at least those firms that have outsourced
administrative operations to India - face a nightmare scenario after an
undercover reporter for the Sun newspaper was sold confidential details of
British bank account holders stolen from Indian call centres.
The reporter allegedly paid £2,750 for the full account details – including
secret passwords, addresses, phone numbers and credit card, passport and
driving licence information.
The Sun said that their reporter was told that he could purchase details of
200,000 bank accounts a month from more than one call
centre.” (Management Issues News 2005).
This incident is a loss of face for the banks involved and may well lead to a loss of
customers. Embarrassing as this is for the banks and call centres involved it does give
us a good example of information security related issues from inside the company. It
may also be a reason to reconsider outsourcing and relocating. And it is again not the
first time such an incident took place. The article continues:
“The Sun's 'sting' comes a few months after a gang operating in a call centre
near Bombay stole about £200,000 from the accounts of New York-based
Citibank customers.” (Management Issues 2005)
4.1.7 £9m computer scam
There are many best practices that help to minimize internal threats. “£9m theft ‘mad’
accountant jailed” (Financial Spread Betting News 2005) is the headline of an article
that illustrates just how important it is to follow some standard best practices. It
describes how a member of staff used his colleagues’ computer passwords to commit
fraud totalling up to £9m. The costs of cyber crime are huge.
4.1.8 Electronic crime cost UK companies an estimated £2.45bn last year
“Electronic crime cost UK companies an estimated £2.45bn last year, the
National Hi-tech Crime Unit (NHTCU) announced on Tuesday.
Out of 200 companies surveyed, 178 experienced some form of high-tech
crime last year. Of those 178 firms, 90 per cent claimed to have had their
systems intruded and 89 per cent said their data had been stolen.
Detective Superintendent Mick Deats, deputy head of the National Hi-Tech
Crime Unit, said: ‘Billions of pounds are being lost to the UK economy
through high-tech crime. Over the past year we have seen a sustained
increase in the professionalism of cyber criminals. Companies are taking the
brunt of criminals' attempts to steal money and data, but consumers are also
being hit.’
Speaking last week, Deats warned that organised gangs are taking a growing
interest in cybercrime.
Virus attacks hit 97 per cent of survey respondents, which cost them a total of
more than £70m. Nine per cent had suffered financial fraud, at a cost of £68m.
The NHTCU highlighted that external hackers were not the only threat to
companies — crimes committed by employees also ranked highly, with the
sabotage of data listed as the number one problem.” (Ilett 2005).
This last article describes exactly what BS7799 is designed to minimize the effects and
likelihood of: financial loss, virus attacks, fraud, hackers, sabotage etc. But BS7799
does not stop there; bugs, faults and human error are also a cause of disruption to
information services and could lead to information being compromised, and once more
BS7799 takes these issues on board.
4.1.9 Ekibastuz [Kazakhstan] - hydroelectric power station disaster
“To start with, the electric power plant may burn out because of just about
anything. In Ekibastuz [Kazakhstan] under the Soviet regime, a large
hydroelectric power station was burned to the ground because of the
negligence of one extremely smart worker, who used a wrench to unscrew the
cap from a pressurized oil vessel.
A stream of oil shot up to the ceiling; the worker got scared and dropped the
wrench, which hit against the steel floor and created a spark that set the
stream of oil on fire. Then the lights went off.” (Latynina 2003)
Chapter 4.1.10 is a second example of a power outage, one which received more
media attention and had consequences on a larger scale.
4.1.10 Northeastern United States and Southeastern Canada power blackouts
“On August 14, 2003, parts of the Northeastern United States and
Southeastern Canada experienced widespread power blackouts. The US states
of New York, New Jersey, Vermont, Michigan, Ohio, Pennsylvania,
Connecticut, Massachusetts were affected.
Among the major urban agglomerations touched by the electrical power
outage in the United States were the cities of New York City, Albany, Buffalo
in New York, Cleveland and Columbus in Ohio, and Detroit. Ottawa and
Toronto in Canada were also affected.
Power was suddenly lost around 4pm Eastern Standard Time. The blackout
resulted in the shutting down of nuclear power plants in New York state and
Ohio, and air traffic was slowed as flights into affected airports were halted.
Terrorism was quickly ruled out as a cause for the incident by federal
authorities. Approximately 50 million people were affected by the outage.
The cause of the outage was still being debated the following day, as efforts
were still underway to restore power to affected areas. Industry and
government experts were appearing to place the blame on an outdated
interconnecting grid system.” (Global Security)
The power outage affected many businesses. The financial loss must have been in the
billions of dollars, but no references could be found to obtain a rough estimate.
The question of how and why this could happen should be asked. The power outage
caused significant loss of face for the companies involved and compensation claims
are to be expected, possibly ranking in the billions.
4.1.11 Staff visiting unauthorized websites.
BS7799 can also help to protect the individual at organisations. Not only does
BS7799 insist that organisations comply with legislation such as ‘The Data
Protection Act’, but also that an individual is not found guilty of misconduct without
irrefutable evidence.
An example of this is the BS7799-2:2002 control sets A9.5.3 & A9.5.4. A9.5.3
discusses having a unique user id accompanied by a suitable authentication
mechanism and control set A9.5.4 discusses the need to ensure that only quality
passwords are used. (BSI 2002)
In the United Kingdom an employee using his/her work computer to view any
pornographic illustrations may be subjected to disciplinary action. It does however
happen that some users share their username and password, which makes it difficult to
prove guilt unless there are policies and procedures in place to control username and
password use. Control set A9.5.3 stipulates that the user id and password are for the
sole use of the user only. (BSI 2002)
When, during a recent scan of visited internet sites, it was discovered that some very
explicit adult sites had been visited, it was very easy to track down which user was
responsible. However, the user identified was least likely to have visited these sites
and after a brief discussion the user admitted sharing his password and username with
other individuals. In some companies the user would have been fired if it were proven
that he or she intentionally and frequently visited unauthorized web sites; sharing his
or her username and password would have been his/her own responsibility.
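The attribution problem in this incident, shown as an added example that is not part of the original report: the sketch below flags user ids that are logged on at two workstations at once and marks web proxy entries made during such an overlap as contested. The log layouts, user ids, workstation names and function names are all constructed for illustration.

```python
from datetime import datetime
from itertools import combinations

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data (not from the IQA): workstation logon sessions
# as (user id, workstation, logon time, logoff time).
SESSIONS = [
    ("asmith", "WS-014", "2005-06-01 08:55", "2005-06-01 17:05"),
    ("asmith", "WS-031", "2005-06-01 12:10", "2005-06-01 13:40"),
    ("bjones", "WS-007", "2005-06-01 09:00", "2005-06-01 17:30"),
    ("bjones", "WS-007", "2005-06-02 09:02", "2005-06-02 17:15"),
    ("asmith", "WS-014", "2005-06-02 09:00", "2005-06-02 17:00"),
]

# Constructed web proxy entries: (time, workstation, user id, site category).
PROXY_LOG = [
    ("2005-06-01 12:25", "WS-031", "asmith", "adult"),
    ("2005-06-01 15:00", "WS-014", "asmith", "news"),
    ("2005-06-02 10:30", "WS-007", "bjones", "adult"),
]


def _parse(sessions):
    """Convert the text timestamps of each session into datetime objects."""
    return [(user, ws, datetime.strptime(start, FMT), datetime.strptime(end, FMT))
            for user, ws, start, end in sessions]


def find_shared_logins(sessions):
    """Return (user, ws_a, ws_b, start, end) for every period in which one
    user id is logged on at two different workstations at the same time."""
    by_user = {}
    for user, ws, start, end in _parse(sessions):
        by_user.setdefault(user, []).append((ws, start, end))
    findings = []
    for user, items in sorted(by_user.items()):
        for (ws_a, s_a, e_a), (ws_b, s_b, e_b) in combinations(items, 2):
            start, end = max(s_a, s_b), min(e_a, e_b)
            # A non-empty overlap on two different machines means the
            # credential was in use in two places at once.
            if ws_a != ws_b and start < end:
                findings.append((user, ws_a, ws_b, start, end))
    return findings


def attribute_requests(proxy_log, sessions):
    """Label each proxy entry 'contested' if its user id was logged on at two
    workstations at the time of the request, otherwise 'attributable'."""
    overlaps = find_shared_logins(sessions)
    results = []
    for when, ws, user, category in proxy_log:
        t = datetime.strptime(when, FMT)
        contested = any(u == user and start <= t < end
                        for u, _, _, start, end in overlaps)
        results.append((when, user, ws, category,
                        "contested" if contested else "attributable"))
    return results


if __name__ == "__main__":
    for user, ws_a, ws_b, start, end in find_shared_logins(SESSIONS):
        print(f"{user}: logged on at {ws_a} and {ws_b} from {start} to {end}")
    for row in attribute_requests(PROXY_LOG, SESSIONS):
        print(row)
```

Concurrent logons are only one sign of a shared password; a password handed over and used at a different time is not caught by this check.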
4.2 BS7799 to counteract information security breaches
BS7799 could have helped reduce the risk and likelihood of the incidents outlined
above and can help to ensure your business continuity and recovery plan is efficient
(e.g. in case of a terrorist attack). In this section I will draw links between the incidents
described and BS7799-2:2002. For each incident I will indicate which elements of the
standard could have been useful to reduce risk and likelihood. All tables used in this
chapter are derived from BS7799-2:2002 Annex A. (BSI 2002)
4.2.1 The London terrorist attacks 7-7-2005.
As for the Manchester businesses back in 1996, efficient continuity planning in case
the unexpected happens will in many cases determine the survival of London
businesses and businesses dependent on London. It is however true that the United
Kingdom has let its guard down since the major IRA bombings seemed to become
less frequent.
However, the IRA did plant and detonate a bomb in Ealing Common in 2001 (BBC
2001a) and blew up a taxi in front of the BBC building that same year. (BBC 2001b)
Then on 9-11-2001 two planes crashed into the World Trade Centre in New York in a
terrorist attack. (CNN 2001). ‘Operation Iraqi Freedom’, the war on Iraq, was
launched on March 20, 2003 and many believed, and others have made threats, that this
would lead to an increase of terrorist attacks on western nations. (BBC 2005).
So was a terrorist attack on a major city in the United Kingdom really unexpected
or…. “Police have even said a terror strike was not a question of ‘if’ but ‘when’.”
(Rice-Oxley 2005)
Reviewing the above, a business continuity plan for businesses in major cities, or
depending on suppliers or customers in major cities in the United Kingdom, should
have considered the possibility of a terrorist attack, assessed the risk it could pose to
their business and taken steps to minimize the consequences to the business if such an
event were to occur.
4.2.2 IRA bombing of Manchester 1996
250 Companies went out of business due to the bombing. (Deloitte & Touche 2004)
Although hard to put a finger on the exact cause this was widely attributed to a lack of
business continuity planning and testing of these plans.
BS7799-2:2002 states (BSI 2002):
Controls
A11.1 Aspects of business continuity management
Control objective: To counteract interruptions to business activities and to protect critical
business processes from effects of major failures or disasters.
A11.1.1 Business continuity management process | There shall be a managed process in place for developing and maintaining business continuity throughout the organisation
A11.1.2 Business continuity and impact analysis | A strategy plan, based on appropriate risk assessment, shall be developed for the overall approach to business continuity.
11.1.3 Writing and implementing continuity plans | Plans shall be developed to maintain or restore business in a timely manner following interruption to, or failure of, critical business processes.
11.1.4 Business continuity planning framework | A single framework of business continuity plans shall be maintained to ensure that all plans are consistent, and to identify priorities for testing and maintenance.
11.1.5 Testing, maintaining and re-assessing business continuity plans | Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
Table 4.1 Annex A11.1, Aspects of business continuity management.
If BS7799-2:2002 Annex 11.1 and its sub control sets are implemented a business
stands a far better chance of surviving the unexpected, mainly because most of ‘the
unexpected’ events are no longer unexpected, but are actually well considered
scenarios and steps are taken to continue the business if ‘the unexpected’ does occur.
Terrorist attacks by the IRA are not unheard of (chapter 4.2.1); hence it should have
been and be in continuity plans of any business in, or depending on suppliers or
customers in, a major city in the United Kingdom.
4.2.3 Maxine Carr – theft of documents
The theft of key documents relating to the release of Maxine Carr was a disturbing
incident. Depending on the value of the asset, in this case the key documents,
appropriate security measures should be considered. Judging by the comments of the
Home Office in the case of the Maxine Carr documents, “a thorough investigation will
be carried out” (BBC 2004), the value of the asset was high and the measures taken
to protect the asset were not adequate.
A control set that describes the situation best would be BS7799-2:2002 A12.1.3/4 and
A8.7.2. (BSI 2002)
Controls
A12.1 Compliance with legal requirements
Control objective: To avoid breaches of any criminal and civil law, statutory, regulatory
or contractual obligations and of any security requirements.
A12.3 Safeguarding of organisational records | Important records of an organisation shall be protected from loss, destruction and falsification.
A12.4 Data protection and privacy of personal information | Controls shall be applied to protect personal information in accordance with relevant legislation.
Table 4.2 Annex A12.1, Compliance with legal requirements.
Controls
A8.7 Exchange of information and software
Control objective: To prevent loss, modification or misuse of information exchanged
between organizations.
A8.7.2 Security of media in transit | Media being transported shall be protected from unauthorized access, misuse or corruption.
Table 4.3 Annex A8.7, Exchange of information and software.
It is well possible that the above measures were already in place, but if so they were
not efficient and an urgent review is required. A requirement of BS7799 is to
periodically review the system and identify areas for improvement. A follow up to
implement and retest is a further requirement of the standard (BS7799-2:2002 Clause
6.2 Review input and 6.3 Review output).
Leaving an asset in a relatively insecure environment such as a car (it is a well known
fact that cars get broken into every day) means that either the policy on the security of
the kind of asset in question was inadequate, something that should have been noticed
during a review of the system, or that the employee in question did not follow
procedure/policy.
If the employee did not follow procedure/policy BS7799-2:2002 Annex 6.2 User
training may not have been implemented effectively or at all.
Controls
A6.2 User training
Control objective: To ensure that users are aware of information security threats and
concerns, and are equipped to support organizational security policy in the course of their
normal work.
A6.2.1 Information security education and training
    All employees of the organisation and, where relevant, third-party users, shall receive
    appropriate training and regular updates in organizational policies and procedures.
Table 4.4 Annex A6.2, User Training.
However if the employee chooses to ignore the policies and/or procedures, BS7799-2:2002
Annex 6.3.5 Disciplinary process should be applied.
Controls
A6.3 Responding to security incidents and malfunctions
Control objective: To minimize the damage from security incidents and malfunctions, and
to monitor and learn from such incidents.
A6.3.5 Disciplinary process
    The violation of organisational security policies and procedures by employees shall be
    dealt with through a formal disciplinary process.
Table 4.5 Annex A6.3, Responding to security incident and malfunctions.
As you are reading through the explanation on how BS7799 could have made a
difference in the above examples you will have noticed that in some situations there
could be many factors influencing a situation and that BS7799 has many a clause that
can be applied to these situations. For the sake of completeness I will continue to
outline the most relevant clauses and annexes of BS7799-2:2002 in detail for the
incidents still to be discussed.
4.2.4 Disappearance counter-terrorism plans for Heathrow Airport
Finding an asset of this importance in a lay-by means that something went very
wrong. Was the information not properly labelled and accidentally discarded? Was it
taken and left on purpose for someone to find? Did someone lose it?
Controls
A5.2 Information classification
Control objective: To maintain appropriate protection of organisational assets.
A5.2.2 Information labelling and handling
    A set of procedures shall be defined for information labelling and handling in
    accordance with the classification scheme adopted by the organisation.
Table 4.6 Annex A5.2, Information classification.
Annex 5.2.2 helps to ensure that valuable assets are recognised as such and are not
improperly handled. So if the counter-terrorism plans had been labelled as high-value
assets it would have been less likely that someone would have just discarded them as
normal rubbish.
Controls
A6.1 Security in job definition and resourcing
Control objective: To reduce the risk of human error, theft, fraud or misuse of facilities.
A6.1.2 Personnel screening and policy
    Verification checks on permanent staff, contractors, and temporary staff shall be
    carried out at the time of job applications.
Table 4.7 Annex A6.1, Security in job definition and resourcing.
Annex 6.1.2 helps to minimise the likelihood of getting an employee on board who is
less trustworthy and whose motivation in applying for the job may not be to
contribute to the well being of the company. In the case of the counter-terrorism plans
it may have helped to deter or detect any individual whose purpose for getting the job
was to extract particular information for a third party.
It could happen that without proper checks a company hires a terrorist who then has
access to all counter-terrorism plans which could severely endanger the country.
Controls
A8.6 Media handling and security
Control objective: To prevent damage to assets and interruptions to business activities.
A8.6.2 Disposal of Media
    Media shall be disposed of securely and safely when no longer required
A8.6.3 Information handling procedures
    Procedures for the handling and storage of information shall be established in order
    to protect such information from unauthorised disclosure or misuse.
Table 4.8 Annex A8.6, Media handling and security.
The control sets 8.6.2 and 8.6.3 from Annex 8.6 point out that we should make sure
that we look closely at the information we are handling and if we dispose of media we
do so responsibly. This could have helped prevent sensitive papers being dumped in a
lay-by.
Controls
A12.1 Compliance with legal requirements
Control objective: To avoid breaches of any criminal and civil law, statutory, regulatory
or contractual obligations and any security requirements
A12.1.3 Safeguarding organisational data
    Important records of an organisation shall be protected from loss, destruction and
    falsification
Table 4.9 Annex A12.1, Compliance with legal requirements.
Reading annex 12.1.3 and comparing this to the incident of papers being found in a
lay-by it is clear that this control set was either not in place or not followed. If it had
been in place and adhered to, the chance of these papers being found in a lay-by
would have been greatly reduced.
4.2.5 MI5 agent has laptop stolen at Paddington station
Finally an example of an incident in which information went missing together with
the asset holding it, but there was actually a form of protection in place to minimise
the damage.
Controls
A9.8 Mobile computing and teleworking
Control objective: To ensure information security when using mobile computing and
teleworking facilities
A9.8.1 Mobile computing
    A formal policy shall be in place and appropriate controls shall be adopted to protect
    against the risks of working with mobile computing facilities, in particular in
    unprotected environments.
Table 4.10 Annex A9.8, Mobile computing and teleworking.
Controls
A10.3 Cryptographic controls
Control objective: To protect the confidentiality, authenticity or integrity of information
A10.3.2 Encryption
    Encryption shall be applied to protect the confidentiality of sensitive or critical
    information.
Table 4.11 Annex A10.3, Cryptographic controls.
In the case of the stolen MI5 laptop it is evident that the control sets discussed above
or similar were put in place. A laptop could still be stolen, but thanks to these or
similar control sets the resulting damage was greatly reduced.
Annex A9.8 concentrates on Mobile computing and Teleworking.
• Mobile computing is making use of devices such as laptops, palmtops,
notebooks, mobile phones etc.
• Teleworking is making use of communications technology to enable staff to
work remotely from a fixed location outside of the organisation.
4.2.6 British bank account holders details stolen from Indian call centres
If you cannot trust your own people then whom can you trust?
Apart from having logs of what is happening on your system and regularly checking
these you can also look at annex A6.1.2 Personnel screening and policy.
Controls
A6.1 Security in job definition and resourcing
Control objective: To reduce the risk of human error, theft, fraud or misuse of facilities.
A6.1.2 Personnel screening and policy
    Verification checks on permanent staff, contractors, and temporary staff shall be
    carried out at the time of job applications
Table 4.12 Annex A6.1, Security in job definition and resourcing.
Although having verification checks for job applicants in place could be a deterrent
for many, if the opportunity for crime has great potential benefit the professional
crime syndicates will not easily be stopped and they may succeed with their criminal
activities for an unknown period of time.
This leads to another possible prevention mechanism known as segregation of duties.
Annex A8.1.4 applies to just this.
Controls
A8.1 Operational procedures and responsibilities
Control objective: To ensure the correct and secure operation of information processing
facilities.
A8.1.4 Segregation of duties
    Duties and areas of responsibility shall be segregated in order to reduce opportunities
    for unauthorised modification or misuse of information services.
Table 4.13 Annex A8.1, Operational procedures and responsibilities.
But there could be a conflict when segregating duties. Although it makes it far more
complex to misuse information services it may also hinder staff in carrying out their
duties and consequently lead to a reduced level of customer service.
The balance between confidentiality, integrity and availability, as briefly discussed in
chapter 2.2.1, needs to be considered before implementing segregation of duties.
Information security is always a trade-off between these factors.
4.2.7 £9m computer scam
An interesting case of an employee using colleagues’ user accounts and passwords to
defraud the company.
Controls
A9.5 Operational system access control
Control objective: To prevent unauthorised computer access.
A9.5.2 Terminal log-on procedures
    Access to information services shall use a secure log-on process
A9.5.3 User identification and authentication
    All users shall have a unique identifier (user ID) for their personal and sole use so
    that activities can be traced to the responsible individual. A suitable authentication
    technique shall be chosen to substantiate the claimed identity of the user.
A9.5.4 Password management system
    Password management systems shall provide an effective, interactive facility which
    aims to ensure quality passwords.
Table 4.14 Annex A9.5, Operational system access control.
The main question is: Who breached the policy? If the employee was able to obtain
username and password from colleagues then the colleagues did a very poor job
following A9.5.3, or the passwords that were allowed to be used were of lesser quality
and easy to hack/crack. With A9.5.2, A9.5.3 and A9.5.4 in place and properly
implemented the possibilities of this employee defrauding the company would have
been extremely slim.
4.2.8 Electronic crime cost UK companies an estimated £2.45bn last year
The article discusses the most common external threats to information security. I will
highlight one threat that stands out: Virus attacks.
“Virus attacks hit 97 per cent of survey respondents” the article reads. The risk of a
virus infection/attack should have been identified during the risk assessment phase
(BS7799-2:2002 clause 4.2.1 c, d, e and f). (BSI 2002)
Controls
A8.3 Protection against malicious software
Control objective: To protect the integrity of software and information from damage by
malicious software.
A8.3.1 Controls against malicious software
    Detection and prevention controls to protect against malicious software and
    appropriate user awareness procedures shall be implemented.
Table 4.15 Annex A8.3, Protection against malicious software.
Clauses (BSI 2002)
4.2.1 c) Define a systematic approach to risk assessment
4.2.1 d) Identify the risks
4.2.1 e) Assess the risks
4.2.1 f) Identify and evaluate options for treatment of risks
Thus having identified the risk of a virus attack and having assessed the likelihood
and the severity of the risk when it materialises, appropriate options for treatment
should have been selected. In the case of a virus attack annex 8.3.1 seems most
appropriate. Detection and prevention is usually accomplished by installing anti virus
software. Having such software in place and ensuring that it gets updated on a regular
basis minimises the likelihood of, and the vulnerability to, a virus infection. The better
anti virus applications will prevent most viruses from causing damage even if the
system does get infected. The companies losing money due to virus attacks should
start to wonder why they are still vulnerable.
4.2.9 Ekibastuz [Kazakhstan] - hydroelectric power station disaster
Due to the negligence of one member of staff the power station was burned to the
ground. The staff member was negligent in his actions.
All an organisation can do about this kind of situation is to make staff aware and to
keep them aware. In this case the questions should be asked whether the member of staff
was properly trained to do his job, and whether the environment in which the member
of staff was working was secure. However, this is not an information security issue.
This example would be best mentioned when looking at health and safety related
matters. Yes, BS7799-2:2002 Annex 6.1 (BSI 2002) does indeed state that there are
controls to reduce the risks from human error which this certainly was. However the
BS7799-2:2002 standard does not deal with health and safety related issues.
It does happen occasionally that non BS7799-2:2002 issues are included in the
Information Security Management System, and adding additional controls is certainly
allowed (we are not restricted to the BS7799-2:2002 Clauses and Annexes). However
these controls should relate to a large extent to information security issues.
What could be an interesting and relevant issue in this incident is the contingency
planning of the hydroelectric power station. This question will be discussed for the next,
very similar incident.
What is important though in the current incident is the analysis of the risk of fire and
the possible consequences. The main focus of risk assessment should have
concentrated on the possible source of fire and controls should have been put in place
to prevent any identified source. This is a BS7799-2:2002 requirement, clause 4.2.1 d,
e, f. (BSI 2002) However, due to the very manner in which the fire was ignited, it is
doubtful that this source of fire risk was or would have been identified.
4.2.10 North-eastern United States and South-eastern Canada power blackouts
On August 14, 2003, parts of the North-eastern United States and South-eastern Canada
experienced widespread power blackouts.
Apparently the power outage was caused by an outdated interconnecting grid system.
A power grid is described as
“The network of transmission lines that link all generating plants in a region with
local distribution networks to help maximize service reliability” (Energy Smart library
2005)
As for the company managing the interconnecting grid system it should have carried
out regular reviews of the system and associated risks. The question of ‘what if the
grid does give in’ should have been asked and answered. The answer should have
been part of the business continuity plan and the plan should have been tested at
regular intervals.
Controls
A11.1 Aspect of business continuity management
Control objective: To counteract interruptions to business activities and to protect critical
business processes from the effects of major failures or disasters.
A11.1.2 Business continuity and impact analysis
    A strategy plan, based on appropriate risk assessment shall be developed for the
    overall approach to business continuity
A11.1.3 Writing and implementing continuity plans
    Plans shall be developed to maintain or restore business operations in a timely manner
    following interruption to, or failure of, critical business processes.
A11.1.4 Business continuity planning framework
    A single framework of business continuity plans shall be maintained to ensure that all
    plans are consistent, and to identify priorities for testing and maintenance.
A11.1.5 Testing, maintaining and re-assessing business continuity plans
    Business continuity plans shall be tested regularly and maintained by regular reviews
    to ensure that they are up to date and effective.
Table 4.16 Annex A11.1, Aspect of business continuity management.
All of BS7799-2:2002 Annex 11.1 (BSI 2002) clearly expresses the need to take into
consideration a situation in which things can go horribly wrong. Had the standard
been implemented properly the likelihood of a catastrophe on this scale happening
would have been extremely small. On failure of the power grid a backup grid should
have been able to take over successfully. But that is exactly where experts believe the
real problem occurred. The grids that took over were not capable of handling the
electricity and a complete network overload occurred. Proper analysis and testing
should have brought the problem to light at a much earlier stage; this could have
prevented the disaster.
For all companies affected by this power outage it can only be hoped that they in turn
did have an effective disaster recovery plan. However yet another control set of
BS7799-2:2002 actually applies to this very situation.
Controls
A7.2 Equipment security
Control objective: To prevent loss, damage or compromise of assets and interruption to
business activities.
A7.2.2 Power supplies
    Equipment shall be protected from power failures and other electrical anomalies.
Table 4.17 Annex A7.2, Equipment security.
What happens if suddenly the electricity supply feeding your equipment (i.e. server
systems) has extremely high peaks and then stops completely? First, your equipment
must be protected using surge protection to filter out the surge; an uninterruptible
power supply (UPS) can add additional filtering. The UPS will also supply power for a
limited period of time, enough to safely shut down your systems. Not shutting down
your systems in a safe manner can cause severe damage to the systems, and this
applies to production lines, server systems and much more electrical equipment. Some
industries, such as hospitals, need backup generators for their processes because they
require constant power. Control set A7.2.2 (BSI 2002) is designed with this in mind
and by correctly implementing this control set a lot of damage can be prevented.
Note that we discuss two different categories of backup power.
• The UPS – A battery that enables secure shutdown of systems in case of a
power failure
• The backup generator – A machine generating electricity for a longer time
period. The time period is dependent on the availability of fuel for the
generator.
4.2.11 Staff visiting unauthorized websites.
So what happens in the United Kingdom (UK) when a staff member of a company has
visits to porn sites against his or her name in the internet log files? This is a serious
offence and would lead to disciplinary action, perhaps even resulting in the dismissal
of the member of staff.
Controls
A9.7 Monitoring system access and use
Control objective: To detect unauthorized activities
A9.7.1 Event logging
    Audit logs recording exceptions and other security relevant events shall be produced
    and kept for an agreed period to assist in future investigations and access control
    monitoring
A9.7.2 Monitoring system use
    Procedures for monitoring the use of information processing facilities shall be
    established and the result of the monitoring activities reviewed regularly.
Table 4.18 Annex A9.7, Monitoring system access and use.
Organisations should have control sets A9.7.1 and A9.7.2 in place to spot security
breaches effectively. Annex 9.5 control sets A9.5.2, A9.5.3 and A9.5.4 will help to
ensure there are no errors in finding the source of any security related incidents
discovered whilst examining the log files. (BSI 2002)
Controls
A9.5 Operational system access control
Control objective: To prevent unauthorised computer access.
A9.5.2 Terminal log-on procedures
    Access to information services shall use a secure log-on process
A9.5.3 User identification and authentication
    All users shall have a unique identifier (user ID) for their personal and sole use so
    that activities can be traced to the responsible individual. A suitable authentication
    technique shall be chosen to substantiate the claimed identity of the user.
A9.5.4 Password management system
    Password management systems shall provide an effective, interactive facility which
    aims to ensure quality passwords.
Table 4.19 Annex A9.5, Operational system access control.
If the users received sufficient training in information security (annex 6.2 below) they
will know never to share their user accounts and passwords with anyone, not even the
IT department. If they do it is most likely that they will be held responsible for any
security breaches linked to their user ID. Thus adherence to the control sets of
BS7799-2:2002 can actually protect users from the evil intentions of others. We have
already seen, in the incident of the ‘£9m computer scam’ how not following Annex
9.5 can result in fraud by a fellow member of staff.
Controls
A6.2 User training
Control objective: To ensure that users are aware of information security, threats and
concerns, and are equipped to support organisational security policy in the course of their
normal work.
A6.2.1 Information security education and training
    All employees of the organisation and, where relevant third-party users, shall receive
    appropriate training and regular updates in organisational policies and procedures.
Table 4.20 Annex A6.2, User training.
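The regular log review required by A9.7.2 can also test whether user IDs are really in "personal and sole use" (A9.5.3), the condition that failed in the £9m computer scam of section 4.2.7. The following is an added example, not part of the original dissertation or of the IQA's systems; the log format, user IDs, terminal names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample audit log (not from the case studies): ISO timestamp,
# event, user ID, terminal. The two-field line is deliberately malformed.
SAMPLE_LOG = """\
2005-03-01T09:00:05 LOGON  asmith WS-014
2005-03-01T09:02:11 LOGON  bjones WS-021
2005-03-01T12:30:00 LOGOFF asmith WS-014
2005-03-01T12:31:40 LOGON  bjones WS-014
2005-03-01T12:40:02 LOGOFF bjones WS-014
2005-03-01T12:41:15 LOGON  cpatel WS-014
2005-03-01T12:55:30 LOGOFF cpatel WS-014
2005-03-01T12:56:10 LOGON  asmith WS-014
2005-03-01T13:05 LOGON
2005-03-01T17:30:00 LOGOFF asmith WS-014
2005-03-01T17:35:00 LOGOFF bjones WS-021
2005-03-02T09:01:00 LOGON  cpatel WS-033
"""

OPEN = datetime.max  # stand-in end time for sessions with no LOGOFF record


def parse_log(text):
    """Return (events, rejected_lines); events are (time, event, user, terminal)."""
    events, rejected = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1] not in ("LOGON", "LOGOFF"):
            if line.strip():
                rejected.append(line)  # keep bad lines for the reviewer
            continue
        try:
            when = datetime.fromisoformat(fields[0])
        except ValueError:
            rejected.append(line)
            continue
        events.append((when, fields[1], fields[2], fields[3]))
    return sorted(events), rejected


def build_sessions(events):
    """Pair LOGON/LOGOFF records into (user, terminal, start, end) sessions."""
    open_at, sessions = {}, []
    for when, event, user, terminal in events:
        key = (user, terminal)
        if event == "LOGON":
            open_at.setdefault(key, when)  # keep the earliest open logon
        elif key in open_at:
            sessions.append((user, terminal, open_at.pop(key), when))
    # Sessions still open at the end of the log are kept, not dropped.
    sessions += [(u, t, start, OPEN) for (u, t), start in open_at.items()]
    return sorted(sessions)


def concurrent_sessions(sessions):
    """One user ID live on two terminals at once: the ID is not in sole use."""
    by_user = defaultdict(list)
    for user, terminal, start, end in sessions:
        by_user[user].append((terminal, start, end))
    findings = []
    for user, items in sorted(by_user.items()):
        for (t1, s1, e1), (t2, s2, e2) in combinations(items, 2):
            if t1 != t2 and s1 < e2 and s2 < e1:  # the two intervals overlap
                findings.append((user, tuple(sorted((t1, t2))), max(s1, s2)))
    return findings


def shared_terminals(events, window=timedelta(minutes=30), min_users=3):
    """Terminals where several distinct user IDs logged on within one window.

    Hot-desking produces the same pattern, so a hit is a lead for the
    reviewer to follow up, not proof of misuse.
    """
    logons = defaultdict(list)
    for when, event, user, terminal in events:
        if event == "LOGON":
            logons[terminal].append((when, user))
    flagged = {}
    for terminal, items in logons.items():
        for start, _ in items:
            users = {u for t, u in items if start <= t <= start + window}
            if len(users) >= min_users:
                flagged.setdefault(terminal, set()).update(users)
    return {t: sorted(u) for t, u in flagged.items()}


if __name__ == "__main__":
    events, rejected = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {len(rejected)} rejected")
    for user, terminals, since in concurrent_sessions(build_sessions(events)):
        print(f"{user}: concurrent sessions on {terminals} from {since}")
    for terminal, users in shared_terminals(events).items():
        print(f"{terminal}: logons by {users} within 30 minutes")
```

On the constructed log, both checks point at the same terminal: one user ID is active in two places at once, and three IDs log on at one terminal within half an hour.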
4.3 Summary
In this chapter we discussed many information security incidents that are publicly
available on the internet and in newspapers. We have also looked at a less publicised
issue that does occur in organisations throughout the world on a daily basis.
For all the incidents we were able to identify one or more clauses or annexes from
BS7799-2:2002 that would have helped to reduce the risk, likelihood and consequence of
the incident. In some cases implementing BS7799 would have given the organisation
in question a far better chance of recovering from the incident to continue with
business as per usual.
This chapter is aimed at learning about the wide range of issues covered by BS7799
and to convince you, the reader, and help convince management of the value of
implementing the standard.
It is worth noting that the examples discussed in this chapter are just a handful of the
thousands of information security incidents that have been published in the recent
year and there are many thousands which we will never know about. I have been
told many stories by many people I met during this research; stories about people
walking away with complete mainframe computers, laptops being collected from
offices by people acting as IT staff and many more.
And although just as in the press the stories may be undersold or oversold, there is an
element of truth in all of them which means that security incidents do happen and they
happen an awful lot.
Unfortunately success stories of how BS7799 prevented a serious disaster are difficult
to find. This is because BS7799, if implemented, maintained and managed well, does
indeed prevent information security incidents and therefore most incidents that did not
happen, because they were prevented, will go unnoticed.
5. Results - Implementation and its difficulties
In this chapter I will seek to answer the remaining research questions:
• How to implement BS7799 successfully?
• What are the main problems related to implementing BS7799?
• How to tackle the problems related to implementation of BS7799?
This is done by actually implementing the BS7799 ISMS within the Institute of
Quality Assurance (IQA) and using the experience and lessons learned not only to
answer the research questions, but also to help other organisations with their
implementation of BS7799.
5.1 What changed at the IQA?
Implementing BS7799 at the IQA has changed the state of information security in the
organisation. To achieve this co-operation of all departments was required, in
particular the Human Resources (HR) department and the IT department. Two staff
members of the IT department, one assistant and I, followed both a BS7799 workshop
and BS7799 Lead Auditor Course. I also studied many websites, books and papers on
the subject, in particular the Code of Practice (BSI 2000) and Specification with
guidance for use (BSI 2002).
In the past three months the IQA went through all stages of the plan and do phase and
where possible the check and act phases. These last two phases however have
elements that could not be looked at in the timescale available for writing this
dissertation.
During implementation many existing policies, procedures and workflows were
revisited whilst others were created from scratch, especially whilst looking at the
statement of applicability (SoA). Examples of these are:
• Agreement on network access and data ownership
• Assets and their risk level document (Appendix K)
• Asset owner history is now recorded in the IT Management system (Appendix M)
• Backup schedule and procedures
• Communications and computer use policy, including regulation on internet
  use, use of the local area network and email (Appendix S)
• Control of portable assets such as laptops and memory sticks
• Escort of visitors and contractors
• Forms for new staff stating their IT requirements, including IT security
  requirements (Appendix P)
• Forms for staff leaving, ensuring that user accounts could not be used by the
  leaving staff member after their last day of work at the IQA
• Housekeeping policy and procedure of email (due to the space required for
  repairing email databases) (Appendix O)
• Installation and improved control of Sophos Anti Virus software
• IT Test (a test used to screen IT knowledge of new and current staff)
  (Appendix Q)
• Licensing control using the IT Management system in combination with
  Active Directory which in turn is used to assign and distribute software
  applications to computers (Appendix N)
• Logging of security incidents in the IQA IT Management system
• New and better manageable way of asset registration (Appendix M)
• New group policies for staff working remotely, for example staff in Japan
  (teleworking)
• New policy on desktop use by visitors and trainers
• Password policy change (adhering to Microsoft password policies)
• Risk assessment document (Appendix D)
• Risk treatment plan (Appendix E)
• Schedules for backup restore testing
• Scope statement (Appendix B)
• Secure internet connection for remote workers (teleworking)
• Security policy (Appendix C)
• Server room access policy (Appendix R)
• Statement of applicability (be aware that this is 15 pages and takes over 3 days
  to write)
• The front door to the basement is now locked after use by the cleaners
• Warranty and financial information is now linked directly to assets in the IT
  Management system
The Security policy, Scope statement, Statement of applicability, Risk assessment
document and Risk treatment plan are all based on templates kindly provided by
Victor Parry (Chartered FCIPD and IRCA Registered Principal Auditor BS7799).
At the IQA from the IT perspective alone we cover over 400 assets. These include
over 15 asset groups such as desktops, laptops, servers, backup USB devices,
monitors, USB sticks, telecoms equipment, licences, warranty agreements,
contracts etc.
As mentioned before, cooperation is required from all departments in order to
implement BS7799; this is because many of the policies and procedures apply to all
staff. In the IQA this applies to about 60 staff spread over 14 departments.
5.2 Pre-requisites
In this chapter we will go through the implementation of BS7799 at the Institute of
Quality Assurance, revisiting all stages of the project. It is important first of all to gain
management support for this project and the discussion of incidents above may give
management a better insight of why implementing BS7799 is of benefit to the
organisation. Unfortunately not every manager can see the logic behind implementing
BS7799. Even worse, some cannot see the logic behind even the most basic security
measures, no matter how obvious they are in your eyes. Analogies between security
issues and daily occurrences might help. A computer firewall could be compared to a
lock on the door. Using a username and password can be compared with using a bank
account number and PIN code. But if despite your efforts management simply cannot
see the benefits of implementing BS7799 then the project is doomed before you have
even started.
5.2.1 Understanding the issue
When I asked Victor H. Parry, Chartered FCIPD and IRCA Registered Principal
Auditor BS 7799:2-2002, about resistance to change, something we will discuss
during the Do phase, he answered me, but what he wrote I deemed more suitable for
this section about management support than the section about resistance to change.
Victor wrote:
“Hi JR, if I understand your question correctly then the following is what I
have found to be the biggest resistance to change by some managers when
implementing BS 7799:
Unlike the ISO 9001 Quality Management System where you can quantify
financially the improvements brought about by implementing a management
system e.g. higher productivity, less errors, reduced waste, shorter downtime,
less rework, fewer warranty claims etc, BS7799 is far more difficult to justify
in terms of higher profits.
It is hidden in terms of how much damage has been avoided / reduced by
protecting your company from an attack. Whether this be a logical,
personal or even physical attack. A company often finds out too late after the
event, very often the damage has already been done. In extreme cases this
actually results in the company going bust. At best it causes disruption and
impacts on the company's financial performance, not to mention damage to
the organisation's image and reputation.
The problem is that when an organisation does implement policies, practices
and procedures to protect its assets this will often eliminate unnecessary risks
and potential attackers are unsuccessful, however this is not always obvious
and visible so management are unaware of how effective their management
system has worked.” (Parry 2005)
5.2.2 How not to implement BS7799
Management support is very important as a BS7799 consultant tells me. Because I do
not wish to put him or the company he works for in an awkward position, I will not
name the consultant nor the companies involved. This is what his experience of
implementing BS7799 without sufficient management support is.
At the beginning of last year a company was told by one of its customers that they
would lose a multi-million pound contract unless they implemented BS7799 and
became certified by the end of this year. Reason enough to get full top management
support? The consultant was drafted in shortly after the announcement last year, but
due to complete lack of management and top management support the project did not
move. Top management’s attitude was that the consultant would somehow have to get
that piece of paper on the wall (referring to the BS7799 certificate); it was not their
problem. No project owner was appointed within the company and no resources were
allocated.
It was not until October last year that a business analyst was recruited and allocated to
the project. Finally there was a project owner who persuaded the management and
part of top management to take a positive approach to the project.
One of the managers involved was the Human Resources (HR) manager. The
consultant had previously arranged a meeting with the HR manager; this meeting,
however, was cancelled by top management, who could not imagine what her role in
implementing BS7799 could possibly be and found it a waste of time to have her
participate. But the business analyst managed to get her and others involved, despite
top management's attitude.
From the time the consultant started at this company early last year till when it finally
obtained its certification this September the company had grown from 70 staff to 105.
It has significantly increased its revenue and managed, just in time, to keep the
multi-million pound contract. Unfortunately it also left a consultant very frustrated.
5.2.3 BS7799 – Not an IT issue
But I am told of more positive experiences by the same consultant. The consultant had
worked for many companies where full management support was given. The result
was BS7799 implementation within 2 to 4 months. Management support, so I am told,
does also help with the usually negative attitude towards change.
The consultant also illustrates the importance of BS7799 to management. As it is not
a project that generates revenue there is in principle no interest in BS7799
implementation. It is recognised that it needs to be done, but responsibility is not
taken and the issue is constantly downgraded in priority.
Many companies regard BS7799 as an IT issue; it is therefore interesting that when the
British Government made it compulsory for all its branches to implement BS7799 a
key requirement was that the project owner has to be a non-IT person. The problem
with assigning a project as ‘just an IT issue’ is the issue of ownership, an issue we
discuss in the Do phase.
At the IQA the director of IRCA who is also head of IT has given his support to this
project, however he is concerned about the attention other projects will receive during
the implementation of BS7799. The recent London bombing did help in shifting the
focus, and the urgency behind this project has become more apparent. But another project
has taken precedence and the scope of implementing a BS7799 ISMS has been
reduced to the core department involved only: the IT department and its assets.
5.2.4 A cultural change
It is important not just to implement BS7799, write all policies and procedures and
then forget about it. BS7799 must become part of the work culture of the organisation
and should be enforced through policies and procedures that are part of the daily
routine. It is easiest to enforce as much as possible by means of the software that is
used daily, but this is not an option for all aspects of the standard. Using a unique
username and password is easily applied using standard options in many of today’s
operating systems, but getting people to NOT give out their username and password is
not easily done. Training in security aspects and raising awareness can reduce the
likelihood of people doing so, but cannot prevent this and neither can any software
tool.
The best approach is to make policies and procedures part of the work ethos. When
for example IT asks for a password people either ask why IT can’t just look it up
themselves or just give the password. IT must explain very clearly to users that
passwords are one way encrypted and that IT cannot look up any passwords. It would
be a very positive sign if users did raise a very important question when IT does ask
for their password:
Why does IT need my password?
If anyone else but IT asks for the password the user should not just ask “why” but also
report the incident to IT. To embed this and other best practice, as set out in policies
and procedures, in the organisation’s culture we must lead by example. To have top
management suggesting that we should abolish the use of username and password
does not help, but this did happen in the IQA. How can we then expect anyone else to
take the use of username and password seriously? However when top management is
convinced of the best practice and they openly lead by example, by this I mean
announcing their adherence to the best practice in public, i.e. during staff and
management meetings, we are on to a winner.
5.3 The Plan phase
The plan phase consists of five sections that must be in place for certification.
Together they form the foundation of the Information Security Management System
(ISMS). We illustrate the most natural flow through the five sections in figure 5.1.
[Figure 5.1: The plan phase flowchart. Scope → Information Security Policy → Risk Assessment → Options for risk treatment → Statement of Applicability (SoA)]
5.3.1 The Scope
The objective of this section is to define a scope document such as the one created for
the IQA (appendix B).
In the plan phase we should start with drawing up the scope. It should define to which
departments and assets the ISMS applies. I have included the scope document of the
IQA here for ease of reading, however a copy can be found in the appendix also
(appendix B). You will notice that in this scope I have put down many departments to
be included at a later stage. You do not have to do this. It is also possible to state
which departments are not included in the scope, something that might happen in a
very large company where only one or two departments are not to be included.
I believe it to be best to start the ISMS implementation at the most central department
and the assets it is responsible for and one by one involve other departments. This
way you will have more control over the project and you can divide the project in
multiple phases and set milestones.
I also believe that once you have completed work within the main department
and its assets, including other departments in the scope should be far easier. You will
have gained experience and knowledge during the implementation of the BS7799
ISMS in the first department and will be better prepared for implementation in the
departments to follow. Adjusting the scope is very easy and the Statement of
Applicability (SoA) will require only minor tweaks.
The documents produced during implementation in the IQA reflect on the IT
department and assets traditionally seen as being the responsibility of the IT
department. The signature required and responsibilities defined should not be that of
the IT Manager when implementing an ISMS in the whole of an organisation and
should preferably read top management.
Scope of the Information Security Management
System BS7799 Part 2
The scope of the information security management system in IQA/IRCA
covers the following:
All operational, technical, networking, desktop, administration and
management functions at the Grosvenor Crescent office.
Departments within scope:
1. Desktops, servers, LAN, printers, data storage devices
2. IT Services Department
To be included at a later stage in the following order:
1. Site Security
2. IRCA Certification
3. IRCA Training
4. Facilities
5. Accounts
6. Publishing
7. IQA Training & Events
8. IQA Education
9. IQA Membership
The departments that are currently not in scope do make use of IT assets
which are in scope. The users of the assets that are in scope will be made
aware of the policies and procedures that apply to these assets.
Signed……………………… IT Manager
Date……………………..
5.3.2 Information Security Policy
The objective of this section is to define a security policy. Appendix C contains the
security policy drafted for the IQA.
After completing the scope, preferably including many departments, if not all, within
your organisation and signed off by top management you can proceed writing the
Information Security Policy.
The Information Security Policy does not need to go into detail i.e. it does not have to
say that users need their own username and password, can only login on computer X
and Y from 9.00 am till 5.00 pm. Instead it should communicate the intention of the
ISMS. The policy can consist of three sections:
• Purpose
• Objectives
• Actions
Purpose
What is the reason to implement the policy and ISMS?
“The purpose of this information security policy is to protect all information
assets, as defined within the scope, within the Institute of Quality Assurance
(IQA) from all threats, whether internal or external, deliberate or accidental.
Information within the IQA exists in many forms and the policy includes the
protection of data stored electronically, transmitted across networks and
printed or written on paper to safeguard the information of the company, its
customers, employees and trading partners.” (Appendix C)
Above is an example taken from the Information Security Policy of the IQA. In this
example it is described why we need to implement the policy and the kind of assets at
risk, but not what we would like to realize by implementation.
Objective
What is the outcome we wish to realize by implementing this policy?
Below is section 2 of the Information Security Policy of the IQA. In this section we
describe what we hope to achieve by implementing this policy and the ISMS as a
whole. Please note that this policy is applied only to that which is defined in the
scope. In our case we are looking at the IT department and related assets only, and it
is the IT Manager instead of top management who is committing to this.
“The objective of information security is to ensure business continuity and
minimise damage by preventing and reducing the impact of security incidents.
The implementation of this policy is needed to maintain, improve and
demonstrate our integrity in our dealings with all our customers and trading
partners.
It is the policy of the IT department of the IQA to ensure:
• Information is protected against unauthorised access
• Confidentiality of information is assured
• Information is not disclosed to unauthorised persons through
deliberate or careless actions
• The integrity of information is maintained
• The availability of information to authorised users when needed
• Regulatory and legislative requirements will be met
• Business continuity plans will be produced, maintained and regularly
tested
• Information security training will be given to all staff
• All breaches of information security, actual and suspected, are
recorded, reported and investigated
• The IT department is compliant with best practice as identified in
ISO/IEC 17799.” (Appendix C)
Actions
What do we need to do in order to realize the objective? Having listed why we are
implementing the policy and the ISMS one question is left: How?
Below is section 3 of our policy, stating how we will achieve our intentions and who is
responsible for this. An interesting aspect is the cooperation mentioned between the
IT department and Personnel department. It is important to recognize that knowledge
and experience is usually available within your company and can be obtained by
involving other departments. The IT department is not as knowledgeable as the
Personnel department when it comes to disciplinary processes.
“Standards, policies and security operating procedures will be produced to
support this policy and will include: virus control, access control, personnel
security, the use of e-mail, the Internet and the local network. A formal
disciplinary process will be documented and implemented, in collaboration
with the personnel department, for those employees who choose not to comply
with company standards.
IT Manager has overall responsibility for maintaining this Policy and
providing guidance on its implementation. It is the responsibility of each
employee to adhere to the policies and procedures in their areas.
This policy will be reviewed regularly to ensure it remains appropriate for the
organisation.” (Appendix C)
5.3.3 Risk Assessment
The objective of this step is to create a risk assessment document. (Appendix D) With
this comes a document detailing all assets and asset groups and their associated
threats, level of vulnerability, level of likelihood of the threat and level of severity.
All together this will give the risk level against the asset or asset group. (Appendix K)
The risk assessment method used at the IQA consists of:
• Identifying the risks
• Assessing the risks
• Identifying and evaluating options for risk treatment (Appendix D)
In our risk assessment we are using a 5 step methodology to identify and assess
threats. We look at likelihood, severity and vulnerability, giving each of these a rating
from 1 to 5 (very low, low, medium, high and very high).
Step 1 – review of asset inventory
In this step we create and maintain a registry of the assets of interest. A good registry
can help with much more than just risk assessment. Asset registries are often used by
an accounts department to value the company and calculate depreciation. The IT
department can use it to register incidents (security, technical and others) against
assets and determine patterns which can be used to resolve issues. For IT the asset
register can be used to control licensing, prevent theft and control assets.
Step 2 – Asset valuation
What is the severity of the threat for an asset or group of assets? What is the effect on
the business if any asset or group of assets are stolen, destroyed, damaged,
fraudulently used, or in any other way compromised? These levels of severity are
classified from 1 to 5 (see above).
This valuation of assets is different from the nominal monetary value of the assets.
Losing papers (information assets) can cost the company customers and money, the
nominal monetary value of the actual ink and paper it has been printed on is however
negligible in comparison.
For each asset or group of assets in the inventory, which are within our scope, we
document the level of severity.
Step 3 – Identification of security threats and likelihood
We identify all possible threats and write these down. Then for each asset or asset
group we now look at all possible threats that apply to them and the likelihood of the
threat materialising. The likelihood is classified from 1 to 5 as discussed above. An
example of likelihood is the chance of being the victim of a bomb attack. This
depends very much on location and global or local political situation. Lately the
likelihood of this happening in London has increased dramatically.
For each asset or group of assets in the inventory, which are within our scope, we
document each threat and level of severity.
Step 4 – Identification of vulnerabilities
In step 4 we draw up a list of all vulnerabilities that apply to the organisation. Just to
remind ourselves, vulnerability is a source or situation with potential for a threat to
inflict harm. It does not cause harm or threats but if not managed it will lead to harm.
An example of this would be having no locks on your doors. This could lead to a
person stealing assets from the organisation without anything in place to stop them. A
common burglar would check whether a door or window has been left open and seize the opportunity.
Were we to manage this vulnerability, i.e. by placing locks on the doors, then the
person could not just walk into the building and we are less vulnerable to people
stealing from the organisation.
In this example we see:
• Threat – A person stealing from the organisation
• Likelihood – Burglary happens all too often; where the IQA is situated the
neighbours have fallen victim to burglary three times this year already.
• Vulnerability – The lack of locks on doors (front/back door): in itself not a
threat, but a situation to be exploited by a burglar.
But do not forget the trade-off we always need to consider between integrity,
confidentiality and availability (chapter 2.2.1). If your business is a supermarket
locking your doors may secure your assets, but prevents your customers doing
business with you.
We match the vulnerabilities against assets and asset groups and document their level
of vulnerability using the 1-5 scale.
Step 5 – Calculation of risk
Per asset or asset group we look at each threat that applies and sum the severity,
likelihood and vulnerability. If more than one threat applies we take the average of the scores.
The possible outcomes of our risk calculation range from a score of 3 to 15.
We divide the outcomes in three groups:
• 3-7: Residual risk – No action required
• 8-10: Medium risk – Control required
• 11-15: High risk – Control critical
If the levels fall within the range 8 to 15 we need to apply controls to minimise the
risk.
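The five steps above can be run as a small risk register. The sketch below is an added example, not the IQA's own tooling: the asset groups and ratings are constructed, severity is assumed to be recorded once per asset group (Step 2), and because an average can fall between the integer bands, anything above 7 is treated as needing a control (as section 5.3.4 states) and anything above 10 as high (an assumption).

```python
from dataclasses import dataclass
from statistics import mean

SCALE = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # Step 3 rating, 1-5
    vulnerability: int  # Step 4 rating, 1-5


@dataclass(frozen=True)
class AssetGroup:
    name: str
    severity: int       # Step 2 valuation, 1-5 (assumed: one value per asset group)
    threats: tuple      # Threat entries that apply to this asset group


def _rating(label, value):
    """Reject anything that is not an integer on the 1-5 scale."""
    if isinstance(value, bool) or not isinstance(value, int) or value not in SCALE:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    return value


def threat_score(group, threat):
    """Step 5: sum of severity, likelihood and vulnerability (range 3-15)."""
    where = f"{group.name}/{threat.name}"
    return (_rating(f"{group.name}: severity", group.severity)
            + _rating(f"{where}: likelihood", threat.likelihood)
            + _rating(f"{where}: vulnerability", threat.vulnerability))


def band(score):
    """Map a score to the three groups of Step 5.

    Averages can fall between the integer bands: above 7 needs a control
    (section 5.3.4); treating above 10 as high is this example's assumption.
    """
    if not 3 <= score <= 15:
        raise ValueError(f"score {score} is outside the 3-15 range")
    if score <= 7:
        return "Residual risk - No action required"
    if score <= 10:
        return "Medium risk - Control required"
    return "High risk - Control critical"


def assess(group):
    """Average the per-threat scores and also report the worst single threat,
    since the average can sit in a lower band than that threat on its own."""
    if not group.threats:
        raise ValueError(f"{group.name}: no threats recorded, nothing to score")
    scores = {t.name: threat_score(group, t) for t in group.threats}
    average = mean(scores.values())
    worst = max(scores, key=scores.get)
    return {"asset": group.name, "score": average, "band": band(average),
            "worst_threat": worst, "worst_score": scores[worst],
            "worst_band": band(scores[worst])}


def risk_register(groups):
    """Assess every asset group, highest risk level first."""
    return sorted((assess(g) for g in groups), key=lambda r: r["score"], reverse=True)


# Constructed sample ratings, for illustration only.
REGISTER = (
    AssetGroup("Servers", 5, (Threat("Burglary", 4, 3), Threat("Bomb attack", 2, 3))),
    AssetGroup("Laptops", 4, (Threat("Theft off premises", 4, 4), Threat("Fire", 2, 2))),
    AssetGroup("Desktops", 3, (Threat("Burglary", 2, 2), Threat("Virus", 3, 2))),
    AssetGroup("Printers", 2, (Threat("Burglary", 3, 2), Threat("Fire", 2, 2))),
)

if __name__ == "__main__":
    for row in risk_register(REGISTER):
        print(f'{row["asset"]:<9} {row["score"]:>5} {row["band"]:<36} '
              f'worst: {row["worst_threat"]} ({row["worst_score"]})')
```

In the constructed data the laptops average 10 (control required) while theft off premises alone scores 12, and the desktops average 7.5, which is above the acceptance level of 7.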
5.3.4 Options for risk treatment
The objective of this step is to identify options for risk treatment and evaluate these. The
outcome can be used in the risk treatment plan like the one used in the IQA.
(Appendix E)
When we have identified and assessed the risk, we need to identify and evaluate
options for the treatment of risks, something we can do based on our calculation in
Step 5 of our risk assessment methodology. BS7799-2:2002 gives 4 examples of
possible risk treatment plans. (BSI 2002)
• Applying appropriate controls
• Knowingly and objectively accepting the risks (proving that they clearly
satisfy the organisation’s policy and the criteria for risk acceptance)
• Avoiding risks
• Transferring the associated business risks to other parties, e.g. insurers,
suppliers
The risk treatment plan of the IQA can be found in Appendix E. In our methodology
we have determined that if the risk level falls within 3-7 we can accept the risk and no
action is required. For any risk level higher than 7 we need to implement control sets.
The specification of risk acceptance is a criterion required by BS7799-2:2002 clause
4.2.1c (BSI 2002). It is therefore useful to include the description of the 5-step
methodology in the risk assessment document to comply with clause 4.2.1 c-e at once.
Avoiding risks is usually not an option. For example, refusing to let people take their
laptops off the premises of the organisation would indeed avoid the risk of the laptop
being stolen whilst it is out of the office, but it also limits the availability of the laptop
and the information it provides access to. Knowing that BS7799 is about:
• Integrity
• Availability
• Confidentiality
We realise that preventing people taking their laptops off the premises is not an
option. However security could be a reason not to have laptops at all. Such a decision
will depend on the impact on the business of not having a laptop versus the risks
associated with having a laptop and the levels of risk acceptance. Again we look at the
trade-off between integrity, confidentiality and availability (chapter 2.2.1). Some
businesses such as those employing sales agents or insurance agents in the field need
the laptops to do business.
If we are not avoiding risks we have two options left:
• Applying control sets
• Transferring risk
Some risk could be transferred using 3rd parties. Insurance could be helpful in case of
theft, fire, water damage etc, but is not foolproof. Insurance by its nature pays for
replacement of tangible assets but doesn’t compensate for intangibles. So you have
insured all your laptops against loss, damage, theft etc. The next day a laptop with
important information is stolen and should the information be disclosed it could have
severe consequences for your organisation. Will insurance of the laptops help? No.
Transferring risk to a 3rd party is not always the best solution either. Imagine that
you are an internet based company employing a third party to look after your network
and one day that network crashes. The data gets heavily corrupted and retrieving it
will take days during which the company cannot trade. Can your organisation afford
not to trade for even a couple of days?
In both the case of insurance and third party it could be that because of your contracts
with the third parties you are entitled to a lump sum of money if things go wrong.
Usually that will take time and court action to materialise and it could well be too late
to save the company from closure.
There are certainly risks that are transferable to a third party, but the consequences of
the risks materialising may not be covered by just transferring the risk, even if
managing the risk is well covered by the third party. To minimise the risk and effect
of materialization further we can use control sets of which many are listed in the
annex A of BS7799-2:2002.
5.3.5 Statement of Applicability (SoA)
The outcome of this section is the Statement of Applicability (SoA), a document not
included in the appendix for security reasons, and many supporting policies,
procedures and workflows. Examples from the document produced during this section
at the IQA can be found in Appendices L to R.
The Statement of Applicability (SoA) is a document required by BS7799-2:2002. It
runs through all the control sets listed in annex A of BS7799-2:2002 and identifies if
the control set is applicable to the organisation and why. I have copied the first annex
from the SoA as an example (IQA SoA 2005). This is a template taken from Victor H.
Parry, one of the two principal auditors registered with IRCA.
It is important to differentiate between justification and how the control set has been
applied. Justification means ‘why’ and requires a reason for implementing or not
implementing the control set.
A.3.1 Information Security Policy

| Control | Description | Adopted | Justification | Reference |
|---|---|---|---|---|
| A.3.1.1 | Information security policy document | Y | Security Policy is required to provide management direction and support for information security and to set out the policy on information security to staff. | Security Manual. |
| A.3.1.2 | Review and evaluation | Y | The Security Policy should be reviewed for continuing applicability at intervals not exceeding six months. | Management systems review records. |

Table 5.1 Example of the Statement of Applicability (SoA)
The SoA in the example above also includes a reference point where the
implementation of the control can be found. Usually this would point to a policy or
procedure, but it may happen that it points to actions or objects, such as an
uninterruptible power supply (UPS).
The SoA is a document that will form the core of your ISMS. It makes you think not
only why you need to implement a control set, but also how and where you will
document this. Whilst completing the SoA there may be many occasions when you
will find that the control set should be implemented, but that there is no policy or
procedure in which there is any reference to the control set.
This is usually the case when building the ISMS from scratch. In this case you can
leave the reference blank until you have completed the SoA. Then take the SoA and
begin checking the references. If none exists you will need to include the control set
in an existing policy / procedure or create a new one.
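The reference check described above can be automated once the SoA is kept as a table. The following is an added example, not part of the IQA documentation: it assumes the SoA is exported as CSV with the five columns of Table 5.1, the first two rows repeat that table, and the EX.n rows are constructed placeholders rather than Annex A controls.

```python
import csv
import io
from collections import Counter

REQUIRED_COLUMNS = ("control", "description", "adopted", "justification", "reference")

# Constructed sample: rows 1-2 repeat Table 5.1, the EX.n rows are placeholders.
SOA_CSV = """\
control,description,adopted,justification,reference
A.3.1.1,Information security policy document,Y,Security Policy is required to provide management direction and support for information security and to set out the policy on information security to staff.,Security Manual
A.3.1.2,Review and evaluation,Y,The Security Policy should be reviewed for continuing applicability at intervals not exceeding six months.,Management systems review records
EX.1,Constructed control one,Y,Constructed reason for adopting,
EX.2,Constructed control two,N,,
EX.3,Constructed control three,N,Constructed reason for not adopting,
EX.4,Constructed control four,Yes,Constructed reason for adopting,Constructed procedure
EX.1,Constructed control one (entered twice),Y,Constructed reason for adopting,Constructed policy
"""


def review_soa(csv_text):
    """Return the control ids that still need work, grouped by kind of gap."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("SoA is missing column(s): " + ", ".join(missing))

    findings = {"invalid_adopted": [], "missing_justification": [],
                "missing_reference": [], "duplicate_control": []}
    seen = Counter()
    for row in reader:
        # Short rows give None for absent cells; treat those as blank.
        cell = {k: (row.get(k) or "").strip() for k in REQUIRED_COLUMNS}
        control = cell["control"]
        seen[control] += 1
        adopted = cell["adopted"].upper()
        if adopted not in ("Y", "N"):
            findings["invalid_adopted"].append(control)
        # A justification (the 'why') is needed whether or not the control is adopted.
        if not cell["justification"]:
            findings["missing_justification"].append(control)
        # An adopted control with no reference has no policy or procedure behind it yet.
        if adopted == "Y" and not cell["reference"]:
            findings["missing_reference"].append(control)
    findings["duplicate_control"] = sorted(c for c, n in seen.items() if n > 1)
    return findings


def outstanding_actions(findings):
    """Turn the findings into the action list carried forward to the Act phase."""
    actions = []
    for control in findings["missing_reference"]:
        actions.append(f"{control}: include in an existing policy/procedure or create a new one")
    for control in findings["missing_justification"]:
        actions.append(f"{control}: record why the control is or is not adopted")
    for control in findings["invalid_adopted"]:
        actions.append(f"{control}: 'Adopted' must be Y or N")
    for control in findings["duplicate_control"]:
        actions.append(f"{control}: listed more than once")
    return actions


if __name__ == "__main__":
    for line in outstanding_actions(review_soa(SOA_CSV)):
        print(line)
```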
The SoA contains a list of the 127 best practice control sets of BS7799-2:2002. Not
all have to be applicable to your organisation, but many find that at least 112 out of
the 127 are applicable. The control sets are further explained in ISO/IEC 17799:2000
clauses 3 to 12. Additional controls not contained in the BS7799-2:2002 annex A
control sets can be implemented in exactly the same manner.
The SoA prompted many changes and new policies, procedures and workflows to be
written for the IQA. Examples of these are mentioned in chapter 5.1.
5.3.6 Review
Having the Scope, Security Policy, Risk Assessment, Risk Treatment Plan and
Statement of Applicability in place we are almost done with the plan phase. But
during these activities you may find you have some difficulties. In the IQA
the plan phase went very smoothly, except for the fact that this is an ISMS built from
scratch, meaning that before completion of the Plan phase we needed to draw up
many a policy / procedure to include the identified control sets. In some situations I
was pleasantly surprised with the unexpected contribution from the Personnel
department who, it transpired, were simultaneously working on a confidentiality
agreement and a communications policy. The latter contains many areas relevant to
the control sets we identified as applicable in the SoA.
It may happen that not all policies and procedures the SoA refers to are finished and
ready for implementation. This is not a big issue as it is well accepted to note these
down as outstanding actions in the Act phase. At the IQA we also have some policies
and procedures that are not ready for implementation yet, whereas others are ready
but are not yet implemented.
What is clear is that in many organisations there is far too little communication
between departments resulting in either reinvention of the wheel many times over or
no action taken at all on issues that require urgent attention. An example would be my
recent issues with BulldogDSL. This company provides ADSL for companies and
consumers.
When I was approached to upgrade as an existing customer to a much faster
connection for a lower price I thought already that it was too good to be true. And
indeed, two weeks later on a Sunday morning when I was desperate for an internet
connection to test some remote access issues our Japanese counterpart experienced, I
discovered that the home internet connection was no longer. My first thought was that
BulldogDSL would perhaps be upgrading me that Sunday, but by evening time, when
the Japanese were slowly waking up and getting ready for work, my internet was still
not back.
When calling BulldogDSL throughout the 1.5 weeks after the internet went down I
was sent from one department to another and back. Usually the departments had no
idea what was happening to my internet connection, were unaware that I had been a
customer for the past 12 months and blamed other departments. You can imagine that
since this time my opinion of BulldogDSL has reached an all-time low. When finally
the connection was upgraded after 1.5 weeks of downtime, during which I had been
struggling to accommodate our Japanese counterpart, I discovered that some extra
feature I used to have with the old connection was no longer available.
I wrote an email to BulldogDSL outlining the events of the past 1.5 weeks and the
missing feature. I was extremely disappointed when the only reply they gave was that
the extra feature would cost me an additional 5 GBP a month and no mention of the
1.5 weeks of unannounced downtime and the frustration I experienced. No wonder I was
about to look for another company to provide me ADSL services.
As said, every organisation has communication issues, but the above is an extreme
which may well result in customer loss. The setting up of an ISMS can highlight the
communication issues and perhaps help to improve interdepartmental communication.
Other departments often hold a part of the puzzle you are trying to piece together. The
previously mentioned personnel department will turn out to be one of the key
departments when it comes to policies, procedures and expertise on legal matters such
as the Data Protection Act (BS7799-2:2002 Annex A12.1.4). Since you may well wish
to expand your scope to include more than just one department you will need to
involve the other departments actively. You will find that just as in ISO9000 the
departments are linked to each other, and actions taken by one department will often
influence another. This also applies to information security related issues.
5.4 The Do phase
The Do phase is where we implement our findings and results from the plan phase.
The main obstacle will be the difficulties with change. Most people do not like change
at any time. That goes for the person bringing on the change and those who will be
influenced by the change.
“Like ‘beauty and the beholder,’ resistance to change is in the eye of the
proposer. The proponent of a change may perceive as resistance what his or
her audience considers careful assessment and scrutiny. Almost every change
requires the cooperation, collaboration, and co-ownership of others. It is only
by giving the assessment and scrutiny of these people full consideration that
the change can expect full acceptance……..
Everyone in an organization is a salesperson, selling his or her ideas,
proposals, and recommendations. Even a CEO, president, or owner needs to
achieve buy-in of key strategies and tactics from the necessary people if they
are to succeed. That success, i.e., the implementation of meaningful
improvement in an organization, requires answering three questions: what to
change, to what to change to, and how to make the change happen.”
(Focussed Performance 2005)
“Fear of the unknown. Change implies uncertainty, and uncertainty is
uncomfortable. Not knowing what may potentially happen often leads to
heightened anxiety. Resisting change is one of the anxiety-reducing actions.”
(Topping 2002)
“Misunderstanding and lack of trust. People resist change when they do not
understand its implications and perceive that it might cost them much more
than they gain. Such situations often occur when trust is lacking between the
person initiating the change and the employees.” (Kotter 1999)
When reading the above we are getting a better picture of why there is resistance and
fear of change. We identify some key elements:
• Fear of the unknown
• Misunderstanding change
• Lack of trust
• Lack of buy-in
A factor that is also an extremely important contributor to fear and resistance is the
fear of exposure; exposure of lack of competencies which may have been believed to
be well hidden before the change. Especially if the change forces transparency in
processes and procedures and requires people to take responsibility, those who are not
certain of their own competencies, or of those of the persons they protect, will resist
change in any way possible, even if the arguments put forward against the change have
no ground at all.
Implementing the ISMS will provoke resistance, for it brings a lot of change. The Do
phase is the moment that resistance will play an important role. Policies and
procedures will be implemented and responsibility will be assigned.
BS7799-2:2002 Clause 4.2.2 Implement and operate the ISMS is central to the Do
phase. (BSI 2002)
Figure 5.2 illustrates the different steps to be taken in the Do phase, based on the
analysis above, experience gained during research and expert opinion.
Figure 5.2 The do phase flowchart. [Flowchart boxes: Formulate risk treatment plan; Implement risk treatment plan; Implement training and awareness program; Resource management; Implement policies, procedures and controls.]
5.4.1 Formulate a risk treatment plan
The objective of this section is to formulate a risk treatment plan. The IQA risk treatment
plan can be found in appendix E.
Clause 4.2.2a) formulate a risk treatment plan that identifies the appropriate
management action, responsibilities and priorities for managing information security
risks.
We already have a risk assessment document and the Statement of Applicability. The
risk assessment document states briefly the responsibilities which will be repeated in
the risk treatment plan. It also states the risk levels and when action is required which
is touched upon in the risk treatment plan once more. The statement of applicability
states which controls are to be implemented and the documents that ensure this
implementation.
The risk treatment plan is a kind of summary of the risk assessment document. It
starts with its objective i.e. “This procedure defines the risk management/treatment
methodology adopted by the Institute of Quality Assurance” (Appendix E) and
continues with responsibilities.
Clause 4.2.2a actually refers to clause 5 Management responsibility. Clause 5.1,
Management commitment, states that management shall provide evidence of its
commitment to the establishment, implementation, operation, monitoring, review,
maintenance and improvement of the ISMS. Monitoring, review and improvement are
described later in the risk treatment plan. (BSI 2002)
Clause 5.1a, establishing an information security policy, has been completed in
the plan phase already.
Clause 5.1b, ensuring that information security objectives and plans are established,
can only be seen to by those responsible for implementing the information security
policy and related policies and procedures.
Clause 5.1c, establishing roles and responsibilities for information security, speaks for
itself. However the easiest and most logical solution seems to lay responsibility with
the managers of individual asset owners. The outcome of this is recorded in the risk
treatment plan.
Clause 5.1d, communicating to the organisation the importance of meeting
information security objectives and conforming to the information security policy, its
responsibilities under the law and the need for continual improvement, is one of the
most difficult requirements, the success depending significantly on top management
support and top management leading by example. Next is the need for training, clause
5.2.2, to raise awareness and the importance of the ISMS and information security.
Clause 5.1e, providing sufficient resources to develop, implement, operate and
maintain the ISMS, points to clause 5.2.1. The resources required depend on the
complexity of the organisation, the size, the activities of the organisation and the
policies and procedures already in place. Some companies may already be ISO9000
certified and therefore have more experience in setting up a management system and
policies and procedures are expected to be in place for many processes already.
Clause 5.1f, deciding on acceptable level of risk, is discussed in the risk treatment
plan. It is the next step in the risk treatment plan after the responsibilities have been
defined.
A further option is to describe the aim of reducing the overall level of risk to a
prescribed target level and/or the aim of reducing the risk per asset to a lower level:
“It has been decided that risk levels above 10 are not acceptable and need to
be reduced. Ideally the risk levels should all be reduced till under level 8 as
level 7 and below are seen as acceptable risk levels. In order to meet the
criteria, controls will be implemented to manage and reduce current asset
exposure levels to security threats and vulnerabilities.” (Appendix E)
Clause 5.1b, ensuring that information security objectives and plans are established, as
very briefly discussed above, is done in the risk treatment plan after the statement of
risk level acceptance. This section explains who will ensure that:
• The risk treatment plan procedure is executed
• Risk is controlled
• Risk is reduced.
“The asset owners and key users translate the control objectives and controls in
the standard into documented procedures and policy statements that describe
how they are implemented. Controls are also covered in Business Continuity
Plans that are tested frequently for their effectiveness.” (Appendix E)
Finally the monitoring and corrective action responsibilities are set out and the review
period of the ISMS is set. This corresponds with clause 5.1g, conducting management
review of the ISMS, in turn pointing to clause 6. Clause 6 explains in detail what to
look at and how to execute the management review.
“The IT Manager and asset owners are responsible for monitoring and
identifying new security threats and vulnerabilities on a regular basis and
changing working practices and procedures when required in accordance
with the recommendations from information security management system
reviews.
A formal re-evaluation of security risk levels is performed on an annual basis
the results of which are discussed at the Information Security Management
Review Meetings.” (Appendix E)
5.4.2 Implement risk treatment plan
The objective of this section is to implement the risk treatment plan. No documents are
produced during this section.
Clause 4.2.2b) Implement the risk treatment plan in order to achieve the identified
control objectives, which include consideration of funding and allocation of roles and
responsibilities.
Implementing the risk treatment plan prompts us to implement the options identified
for risk treatment (clause 4.2.2c) and manage operations (clause 4.2.2e).
• Clause 4.2.2c) Implement controls selected in 4.2.1g) to meet control
objectives.
• Clause 4.2.2e) Manage operations.
As mentioned before, the “do” phase is where we put our prepared policies and
procedures into practice, i.e. protect an area by actually putting a lock on the door;
reduce the effects of a server crash by actually having backups and testing the restore
capabilities; delegate responsibility and secure resources and funding where required.
By this time in the implementation process there is a lot of change going on. This is
the time when people will actually be exposed to new practices and the resistance to
change can really kick in. If staff - one staff member or more - are strongly resisting
change, as we experienced in the Institute of Quality Assurance when it came to the
change of password policy, it is important to make sure that top management and
direct management are supporting the change and, if at all possible, to get the staff to
buy in. Without the staff’s cooperation the introduction of new practices may well
fail. It could even get worse, and staff could actively resist and sabotage the project.
This was reported to be one of the reasons for the failure of the London Ambulance
Service Computer Aided Dispatch project (LASCAD) (Beynon-Davies 2005).
More information on reasons behind the failure of the LASCAD project and other IS
systems can be found in a most interesting paper called “Technology alone will never
work: Understanding how organisational issues contribute to user neglect and
information systems failure in healthcare” by M.A. Jeffcott of the University of
Glasgow, Scotland (Jeffcott 2001). This paper discusses the issues of implementing
change and although it concentrates on the healthcare services the issues are not much
different for any other industry sector.
5.4.3 Implementing training and awareness programmes
In this section we implement user training and awareness programs. Appendix S is the
revised communications policy of the IQA which is used as the training and awareness
program.
Clause 4.2.2d) Implement training and awareness programmes.
In the Institute of Quality Assurance training and awareness programmes are divided
in two, one for current staff and another for new staff joining the organisation. These
programmes are both to be in place before we can implement them in the “do” phase.
For both programmes we use the extranet with a special section on information
security for staff. Both current and new staff need to read and agree to the Institute’s
communications policy. New staff are not aware of the extranet when they start and
that is why, during their induction period, the individual managers will explain about
their departments plus relevant information security aspects. The IT department will
educate them in the use of the extranet and particularly the information security
aspects, whilst facilities will explain the importance of entry control.
Although the Institute does not have a test programme in place to evaluate actively the
effectiveness of the training, and a simple interview with staff may well provide
enough information to carry out this evaluation, it is good practice to have a more
exhaustive program for testing and evaluation of information security understanding.
Do your staff really understand the importance of information security? Can they tell
you what could go wrong and what the consequences might be? Do they care? It is up
to you to make sure that they can, and do.
Intranet testing programs that are to be taken on a regular basis, i.e. every 6 months, in
which questions about information security are asked and answers scored, are not
only good for keeping staff alert and educated on the subject, but also for record
keeping. This is one of the major requirements of the ISMS. Having the relevant
policies readily available, for example on the intranet, contributes to the likelihood of
staff consulting the policies. But if the policies are hard to find this will result in staff
not showing any interest in trying even to locate the policies, let alone consult them.
Clause 5.2.2, Training, awareness and competency, goes into details.
5.4.4 Resource management
This section does not produce documents, but instead looks at resource management.
Clause 4.2.2f) Manage resources, refers to clause 5.2, Resource management. We
discussed this in clause 5.1e. In the Institute of Quality Assurance we decided that the
responsible managers are to allocate the required resources. They need to manage the
staff and funds required to implement and maintain the ISMS effectively.
In larger organisations a special team may be created to see to the implementation of
the ISMS. This will usually be initiated by top management. A special team can
however not see to the implementation on its own. The implementation requires the
assistance of everyone involved and that means everyone affected as set out in the
scope. The great danger with creating a special team is that ownership of the project
may be perceived to be that of the team. This may result in managers and their staff
taking the project less seriously and not committing the resources, time and funds
required. It is of the utmost importance that the project is owned by everyone
involved, that the managers have been delegated responsibilities and that all involved
realise the importance of implementing the ISMS and the possible consequences of
failure.
5.4.5 Implementation of controls and procedures
The objective of this step is to implement controls and procedures capable of enabling
prompt detection of and response to security incidents. No documents are produced.
Clause 4.2.2g) Implement procedures and other controls capable of enabling prompt
detection of and response to security incidents. It is important not just to have your
policies and procedures in place, but also to monitor their effectiveness and
efficiency.
There are many tools available for monitoring information security aspects. Firewalls
have logging mechanisms which can be looked at either automatically by some clever
programming or manually. If there are issues with the firewall, i.e. forced entry is
detected, we should be able to respond quickly and close the hole in the wall. The
IQA’s firewall software is easy to configure and effects of actions and settings are
easy to understand.
Most server operating systems have built-in tools for monitoring access and
security related issues, and applications are available to make this easier to read.
Windows Server 2003 Active Directory would refuse any computer trying to gain
access to the network if no valid credentials were entered and if the computer were
not registered by an administrator first. However it is not easy to filter out
unauthorised access from the logs created by the system, only because there are many
entries in the logs concerning different issues. Some fine tuning to logging settings
can help, and specialist programmes can make life even easier.
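The filtering problem described above, as an added example that is not part of the original report: it drops the routine entries from a security log and reports any workstation that produces a burst of failed logons. The event IDs are the logon-failure IDs of the Windows Server 2003 Security log; the CSV layout, account names, workstation names and thresholds are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Logon-failure event IDs written to the Windows Server 2003 Security log.
LOGON_FAILURE_IDS = {
    529: "unknown user name or bad password",
    530: "logon outside permitted hours",
    531: "account disabled",
    532: "account expired",
    533: "not allowed to log on at this computer",
    534: "logon type not granted",
    535: "password expired",
    537: "other logon failure",
    539: "account locked out",
}

# Constructed sample in a simplified CSV layout (an assumption of this example,
# not the exact Event Viewer export format). 528 and 538 are routine
# logon/logoff entries: the noise that hides the interesting rows.
SAMPLE_LOG = """\
timestamp,event_id,account,workstation
2005-06-01 08:58:10,528,asmith,WS-014
2005-06-01 09:01:02,529,bjones,WS-022
2005-06-01 09:03:40,538,asmith,WS-014
2005-06-01 09:15:00,529,admin,WS-031
2005-06-01 09:15:20,529,administrator,WS-031
2005-06-01 09:15:45,529,root,WS-031
2005-06-01 09:16:30,529,bjones,WS-031
2005-06-01 09:40:00,528,bjones,WS-022
2005-06-01 11:30:00,531,tleaver,WS-007
2005-06-01 14:02:00,529,bjones,WS-022
"""


def parse_failures(text):
    """Keep only logon-failure rows; drop the routine entries."""
    failures = []
    for row in csv.DictReader(io.StringIO(text)):
        event_id = int(row["event_id"])
        if event_id in LOGON_FAILURE_IDS:
            failures.append({
                "time": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
                "event_id": event_id,
                "reason": LOGON_FAILURE_IDS[event_id],
                "account": row["account"],
                "workstation": row["workstation"],
            })
    return failures


def find_bursts(failures, threshold=3, window=timedelta(minutes=5)):
    """Report workstations with >= threshold failures inside any one window."""
    by_source = defaultdict(list)
    for event in failures:
        by_source[event["workstation"]].append(event)

    alerts = []
    for workstation, events in sorted(by_source.items()):
        events.sort(key=lambda e: e["time"])
        start, best = 0, None  # best = (count, first index, last index)
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, lo, hi = best
            alerts.append({
                "workstation": workstation,
                "count": count,
                "first": events[lo]["time"],
                "accounts": sorted({e["account"] for e in events[lo:hi + 1]}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(parse_failures(SAMPLE_LOG)):
        print(alert["workstation"], alert["count"], alert["accounts"])
```

A single mistyped password, such as the two isolated failures on WS-022, stays below the threshold, while four different account names tried from one workstation within two minutes is reported for follow-up.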
Virus checking software is widely available and should be installed by default on any
operating system. Most virus checking software is capable of updating itself these
days and thereby is able to monitor the computer and detect even the latest viruses. In
the IQA we are using Sophos Antivirus. It’s a product aimed at corporate users and is
very highly respected in the field. Sophos Antivirus was attractive because of its ease
of updating itself, a central control application which helps us monitor where the
software is installed and if the software is up to date, and the capability of detecting
not only viruses but also errors in the application. On top of that it also provides
information on action to be taken in case of a virus or an error, facilitating a quick and
efficient response to any problem.
For physical security a selection of entry systems is available. It can vary from simple
registers where people sign in and out, to sophisticated face-recognition systems that
register entry and exit automatically. Very common and affordable is a swipe card
system. This system could connect to a computer and a database which registers entry
and exit.
For less IT orientated departments and activities there are many ways of logging
activities. An example is the simple sheet in some toilets which tells us when the toilet
was last cleaned and by whom. Sheets like these can be used for information security
related issues as well. For example taking a file from the filing cabinet may require a
signature and date/time in a register. Phone calls with customers can be recorded and
a sample can be checked for monitoring purposes. This may be the case in the
banking industry where staff must make sure to verify who is calling before giving
out any information.
5.4.6 A working version
We now have a working version of the ISMS. We started with planning the ISMS, put
together many policies and procedures, and then implemented them together with the
control sets to reduce risk and implemented other methods of reducing risk. Whilst
doing so we managed resistance to change and now our ISMS is in place. We are now
monitoring our information security management system, having controls in place to
detect breaches promptly and take corrective action. This is the end of the “do” phase.
5.5 The Check Phase
BS7799-2:2002 Annex B4 (BSI 2002), Check phase, suggests four different ways of
conducting checks.
• Routine checking
• Self-policing procedures
• Learning from others
• Internal ISMS audit
5.5.1 Routine checking
Routine checking is a method of checking that requires written procedures for it to be
most effective. Routine checks are checks such as inventory checks in which
inventory is counted and owners verified. Checks such as these are to make sure that
records are up-to-date and that any damage from errors is limited. For example, if
equipment was missing the process of tracking is not easy, but with early detection it
is easier for people to remember relevant information and the equipment may be
tracked down faster.
An example given in annex B4.2 of BS7799-2:2002 (BSI 2002) is that of
unauthorised changes to the company website. Regular checks can save the
organisation loss of face and may prevent legal action against it.
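One way to carry out the regular website check mentioned above, as an added example that is not part of the original report or of BS7799: record a SHA-256 digest of every file when the content is approved, then compare the live files against that baseline on each routine check. The directory layout and file names are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(web_root: Path) -> dict:
    """Map each file's path (relative to web_root) to its SHA-256 digest."""
    return {
        p.relative_to(web_root).as_posix(): hash_file(p)
        for p in sorted(web_root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the approved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in set(baseline) & set(current)
            if baseline[name] != current[name]
        ),
    }


def demo() -> dict:
    """Constructed example: approve a small site, then change it out of process."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "contact.html").write_text("<p>Contact us</p>")
        (root / "css" / "site.css").write_text("h1 { color: navy; }")
        baseline = snapshot(root)  # recorded when the content was approved

        # Changes made outside the change-control procedure (constructed).
        (root / "index.html").write_text("<h1>Defaced</h1>")
        (root / "contact.html").unlink()
        (root / "upload.php").write_text("<?php /* unexpected file */ ?>")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The baseline is only trustworthy if it is stored somewhere the web server cannot write to, and it has to be re-recorded after every authorised change.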
5.5.2 Self-policing procedures
A self-policing procedure is a control that has been constructed so that any error or
failure perpetrated during execution is capable of prompt detection. We discussed the
Sophos Antivirus software earlier and looked at its capabilities. A capability not
discussed is the action taken by the software on detection of a virus or error. The
software has the capability of notifying the system administrator and user when an
error or virus is detected. This may be done by a system message or email, and the
management console will also indicate the detection of an error or virus. If the
problem is not corrected the software will send more alerts until the problem is
resolved. This is an example of the self-policing procedure.
5.5.3 Learning from others
Why not look at others? But, for a change, do not just look at what they do badly and
you do well, but look at what they do better and learn from it. Other organisations are
a great source of information and will help us find where we can optimize our own
ISMS.
But it is not just other organisations which provide a source of information to help
you check your ISMS. Online message boards, forums, specialist news-briefs, user
groups and workshops, conferences and professional societies enable us to learn and
apply what we have learnt to improve our own ISMS.
Finally, do not forget that often you have in-house experts. This is a group usually not
taken seriously – perhaps even overlooked - and many companies thus miss great
opportunities to identify and implement good ideas for improvement. A book called
“Sticky Wisdom” by “?What If!” clarifies with many examples just how valuable it is
to take your staff seriously, and to listen closely to what your staff have to say before
dismissing their opinions.
One example that stood out was that of Dyson Vacuum Cleaners. According to
“Sticky Wisdom” Mr. Dyson’s idea of bag-less vacuum cleaners was dismissed by the
large corporations which led him to start his own company (?What If! 2002). In the
United Kingdom we are all aware of Dyson’s tremendous success, and most will
agree that those who ridiculed the idea must be banging their heads against their
stockpile of unsold vacuum cleaner bags.
Don’t let this happen to your organisation. Your staff constitute a valuable resource in
the implementation and improvement of your ISMS and you should make use of this
resource whenever possible.
5.5.4 Internal ISMS audit
Internal audits, if conducted by a good auditor, should be positively welcomed.
However, most of us seem nervous about audits and feel they are designed to help us
find another job. A good and proper audit however is designed to help us optimise the
ISMS; it is not designed to find fault, but to help us prepare for certification by
identifying opportunities for improvement and by detecting non-conformities so we
may take corrective action.
When time for certification comes the external auditor will be happy to find that you
have carried out internal audits. A professional auditor will ask for the internal audit
reports and go through these. The auditor will ask to see that corrective actions as
indicated in the report have been followed up and will use the internal audit report to
decide which areas require attention. Bear in mind that an auditor can only take a
small sample of the complete ISMS, and will most likely concentrate on areas which
were not included in the sample taken by the internal auditor.
The external auditor is not your great enemy either, but your friend - just like the
internal auditor. The external auditor is there to help you obtain certification by
identifying opportunities for improvement and making sure that the ISMS is
functioning as well as it might.
5.5.5 Management review
Management, providing it is supportive of the ISMS and fully dedicated to it, may
well be interested in its performance. To brief management and agree on any changes
to the ISMS we must have a management review at least once a year. In the IQA we
have a review every 6 months with those involved in accordance with the scope.
As per clause 6.2, Review input, BS7799-2:2002 (BSI 2002), we require particular
discussion points for an efficient management review.
• Results of ISMS audits and previous management reviews.
• Feedback from interested parties.
• Techniques, products or procedures that could be used to improve the ISMS.
• Status of preventive and corrective actions.
• Follow-up actions from previous management reviews.
• Any changes that could affect the ISMS.
• Recommendations for improvement.
The review would be greatly helped by visual representation where possible e.g.
graphical representation of the number of security breaches per month. This could be
broken down into the different types of security breaches. Another helpful tool for
communication is a traffic light system to monitor the progress of preventative and
corrective action implementation.
In the IQA we use the traffic light system for Senior Management Board meetings and
top management sees the system as very efficient. New to the IQA is the IT
management system. This management system records all requests made to the IT
department. Many parameters are recorded giving the possibility of creating graphs
such as how many requests were submitted per month and the average time IT took to
resolve issues. There are plans to expand the system to log information security
breaches separately, thereby creating a similar possibility of graphical representation.
Currently information security breaches that affect IT are logged using the same
logging mechanism as any other IT issue.
Management review output as described in clause 6.3, review output, BS7799-2:2002
(BSI 2002), has to include decisions and actions relating to:
• Improvement of the effectiveness of the ISMS.
• Modification of procedures.
• Resource needs.
Modification of procedures will most likely include preventive and corrective actions.
These are usually in response to non-conformities discovered during an audit, a
change in business requirements, security requirements or regulatory or legal
requirements or a change to the levels of risk and/or levels of risk acceptance.
5.6 The ACT Phase
Having been through the plan, do and check phases the only phase remaining is the act
phase. This is a strange phase for not much is done here. The act phase merely makes
sure we take action where required and this action usually leads us back to the plan
and do phases. The actions taken are determined in the check phase, i.e. a
non-conformity and the corrective and/or preventative action to be taken to resolve this, or
a change in law that requires us to update our policies and procedures.
An example of the act phase leading to the plan phase would be the latter, where a
change in law forces us to review our policies and procedures and perhaps even write
new ones.
An example of the act phase leading to the do phase is where we already prepared the
new policies and/or procedures to comply with the new law. This can happen when
the change of law was known before it was actually implemented. In this case we can
skip to the do phase and simply implement the new policies and/or procedures.
The act phase is the ‘last’ phase in the Deming cycle. When ‘finished’ with the act
phase for the first time we have finished the complete implementation of a BS7799
ISMS and are ready to manage, maintain and continuously improve our ISMS, once
again by using the Deming Cycle.
5.7 Summary
Implementing BS7799 at the IQA went relatively smoothly. This was however not
without reason. It went smoothly because of the course and workshops attended, the
research online, the study of related books and papers, the already partly implemented
ISO9000 standard, the electronic IT management system, the already existing policies
and procedures, the help of other departments and the vital help of some of the most
recognized experts in the field. And even with all this it still took over 3 months to
implement BS7799.
In this chapter we discussed the most fundamental steps of implementation and the
issues that could be expected before and whilst implementing. These steps in
flowchart form were:
Figure 5.3 The plan phase. [Flowchart boxes: Scope; Information Security Policy; Risk Assessment; Options for risk treatment; Statement of Applicability (SoA).]
Figure 5.4 The do phase. [Flowchart boxes: Formulate risk treatment plan; Implement risk treatment plan; Implement training and awareness program; Resource management; Implement policies, procedures and controls.]
When following the flowcharts we ended up with key documents which are vital for
the ISMS to function and for certification.
• Scope
• Information Security Policy
• Risk Assessment document
• Risk treatment plan
• Statement of Applicability
All other policies, procedures and workflows were identified whilst writing up these
key documents.
After the key documents and any other documents required to support the key
documents were established they were implemented in the do phase. This required
allocation of resources, responsibility and training.
After the implementation it was time for the check phase. We identified four methods
to check the ISMS.
• Routine checking
• Self-policing procedures
• Learning from others
• Internal ISMS audit
From checking the ISMS we expected to find issues that need to be resolved. This
was done in the act phase, which in turn brought us back to the plan and/or do phase.
With this the Deming cycle of Plan – Do – Check – Act is complete and we
established a working ISMS.
But issues were to be expected along the way. We identified the following key issues
for which we provided resolutions and advice throughout this chapter:
• Lack of management support
• Change management
• Communication problems
• Undervaluing internal expertise
• Lack of staff and management understanding of BS7799
• Ownership of the implementation project
Issues that are not explicitly mentioned in the chapter, but have been resolved
throughout the chapter:
• Lack of examples (many examples of key documents provided)
• Lack of understanding BS7799 implementation (this chapter has guided you
through BS7799 implementation, step by step, and made you aware what
needs to be done, how and when and what difficulties to expect along the way)
6. Conclusion
When meeting with an expert in disaster recovery it became clear how often
organisations encounter a problem that leaves them in desperate need of disaster
recovery.
The company for which this expert works is relatively young (started 04-September-2001)
and has a small customer base. During the past two years five customers, out of
their customer base of twenty five, encountered a problem that came very close to
escalating into a full-blown disaster. However the problem was resolved before the
disaster recovery plans were activated.
But not all customers were this lucky. Four other customers encountered a problem
that did result in a disaster. They required their disaster recovery plans to be put in
action which in some cases included office relocation.
Although this may be a very small sample of the total number of companies in
existence, it is scary to realize that 16% of this company’s customers did experience a
serious disaster.
6.1 Hurricane Katrina financial aftermath
Recent hurricane Katrina emphasises what BS7799 is all about. Although it is too
early to determine the scale of this natural disaster, the resulting damage will rank in
billions of US dollars. Many companies will go bust in the aftermath, many jobs will
be lost.
But this hurricane was not unannounced! Why was New Orleans so badly prepared?
As we know BS7799-2:2002 Annex 11 deals with disaster recovery (BSI 2002).
Hurricanes are not unknown to hit this area, but Katrina was an exception. New
Orleans seemed to have escaped major damage directly after the hurricane passed, but
this was an illusion. The rainfall resulting from Katrina caused the New Orleans
flooding, which in turn caused most damage, not the powerful wind.
Could the damage of the hurricane have been prevented? It is a well known fact that
New Orleans is vulnerable to flooding. With so many hurricanes in the area the local
government could have strengthened the levees to prevent flooding. Backup systems
could have been put in place just in case anything went wrong with the levees. The
cost of such a project? Maybe a couple of million US dollars compared to the damage
caused by Katrina which runs into billions of US dollars. This illustrates why the
BS7799 idea of prevention is so important.
So could the businesses in New Orleans have been prepared for Katrina and its wave
of destruction? Would BS7799 have been able to save companies and jobs from the
hurricane’s destructive force?
In my opinion the answer to this is: perhaps. Why perhaps? Katrina was an
extraordinary hurricane which created an exclusion zone larger than any ever seen
before. Damage to property was huge, but could perhaps be covered by insurance.
Because of the exclusion zone, however, any organisation with a continuity plan that
did not include relocation to an area outside the exclusion zone will now be unable to
open shop, possibly posing a serious threat to the very existence of that company.
“The recovery of New Orleans depends in large part on an ever-growing bond
between the insurance industry and federal and state authorities.
Without that cooperation, it's unlikely that anyone or any business could
afford to return to New Orleans. Indeed, even with private-public assistance,
untold numbers of residents and employers likely will never return.
Hurricane Katrina put an expensive point on a huge dilemma for insurers. As
the Southeastern and Gulf Coast areas fill up with residents, the damage from
even relatively small hurricanes grows.
Including Katrina, five of the eight most expensive U.S. natural disasters have
come in the last 13 months. All were hurricanes. Katrina is likely to be the
most expensive natural disaster in U.S. history with more than $26 billion in
insured losses by private insurance companies.” (Naudi 2005)
6.2 Research questions revisited
In this research project we looked at four research questions:
1. How to successfully implement BS7799?
2. What are the main problems related to implementing BS7799?
3. How to tackle the problems related to implementation of BS7799?
4. How to convince management of the need for BS7799 implementation?
We started with answering question 4 by discussing management support issues and
some examples which might help to convince management. We continued to show
how a lack of management support can cause serious delays in implementation. We
also pointed out that lack of management support will most likely result in
implementation failure, as almost happened in one of the examples given.
It remains to be seen whether we successfully answered question 1 and it can only be
verified by using this report to implement BS7799 at other organisations. However I
believe that by sharing my experience, in implementation and related problems
(question 2 and 3) at the IQA, and the experiences of recognised professionals in the
field, this report is an accurate guide on how to implement BS7799 and to the
problems, including solutions, associated with implementation.
6.3 Aims and objectives revisited
The following project objectives were set:
• To make implementing BS7799 a generally accessible task to third parties by
  discussing the subject of ‘How to’ implement the standard, detailing process,
  difficulties and challenges of implementation in the IQA and issues
  highlighted by BS7799 recognised experts.
• Implement the clauses and applicable control sets of BS7799-2:2002 at the
  IQA.
• Present this project report so it is easily adaptable for transformation into a
  software application that will help to enforce the clause and applicable control
  sets of BS7799-2:2002.
By sharing my experience and that of experts in the field I believe that the objective
of making implementation of BS7799 a generally accessible task to third parties, as
stated in chapter 1.3, has been accomplished. However this again can only really be
evaluated by actually observing another company implementing BS7799 by using this
research report.
The Statement of Applicability (SoA) was implemented successfully. Although some
policies and procedures must still be written and/or implemented, those implemented
have proven successful. Examples are new password policies, firewalls, anti virus
protection, internet logs, backup- and restore capabilities, etc.
But how easy is it to adapt the findings of this report to create an electronic BS7799
ISMS and enforce controls and control sets electronically? Parts of the controls
implemented are fortunately already software tools, reducing the work still to be done
to enforce BS7799 controls and control sets electronically. In chapter 7,
recommendations, this discussion is continued.
A serious setback of this research project was that I could no longer implement
BS7799 in the whole of the IQA as originally planned, due to other issues taking
precedence. But as mentioned in the report, I could still implement BS7799 in the IT
department and the assets seen as belonging to the IT department. The IT department
does represent the core of the BS7799 ISMS and expanding the system to other
departments when the time is right should not cause major difficulties. Because the
core of the system could be implemented I feel that the research project was
successful, answered research questions and fulfilled the objectives as far as this can
be measured at this point in time.
6.4 Experience and evolvement
When I started this research I knew little of BS7799. I guess I have to thank Roberto
Wolf, one of the students working for me back in 2004, for introducing me to a new
area of IT. He, together with my boss, Simon Feary the director of IRCA, have been
very influential factors behind my choice of dissertation subject.
Thanks to Chris Raven of 7Safe I attended my first ever workshop in BS7799. Before
this I had already studied both parts of BS7799, but I needed more information on
how this whole thing worked. It is during this workshop that I did not only get a better
idea of BS7799 and what it was really all about, but also that I met Dick Price, a
consultant and auditor in BS7799. Dick has been very helpful in answering questions
about and sharing his experience on BS7799.
I felt that the workshop, which only lasted ½ a day, was however not substantial
enough to answer the questions I had. Therefore I participated in a 5 day Lead Auditor
course to gain full understanding of what an ISMS looked like and what an auditor
would look at before recommending certification.
During this course I had the pleasure of meeting Victor Parry who was teaching it.
Victor has been extremely accommodating in providing insight to the world of
BS7799. Just as Dick, he has shared his experiences and highlighted some of the
difficulties of implementing BS7799 in general. Victor is a registered Principal
Auditor at IRCA and has many years experience in the field in many different
industries and countries.
With the knowledge gained from the workshop, course and especially the experts in
the field this research gives an accurate view of how to implement BS7799; its
problems and solutions.
6.5 Action research revisited
As action researcher I was part of the ‘experiment’. In this particular research being
the person actually implementing BS7799 in the company has given me the insight
and experience in the subject to write a realistic report on the subject. Action research
meant that instead of just looking at the issue from a scientific point of view, perhaps
investigating by just observation, surveys and interviews, I was able to stand in the
shoes of those who are to implement BS7799 and experience the project from their
perspective. This direct and personal involvement brought to light many aspects of
implementation which would have remained hidden otherwise.
6.6 Findings
Whilst implementing BS7799 at the Institute of Quality Assurance and researching
the issue of implementing BS7799, specific issues were found to be essential to
implementation in general. From my own experience and that of the experts in the
field it was found that:
• Management support is vital for the success of implementing BS7799.
  Examples and experience show that without management support BS7799
  has very little chance of successful implementation.
• There are different ways to convince management.
  Scare tactics, in which consequences of failure to implement BS7799 are
  highlighted, are found to work best. The conventional method of risk level
  discussion is usually not well understood and does not work well in
  convincing them.
• Implementation brings change which in turn aggravates resistance to change.
  Change management and buy-in from all staff is a critical success factor in
  implementing BS7799.
• Examples of ‘how to’ implement BS7799 are extremely beneficial and time
  saving in implementation. Templates of policies, procedures, the SoA etc help
  to kick start the project and boost confidence of those in charge of
  implementation.
• Action research is a suitable method to conduct research in the subject of ‘how
  to’ implement BS7799 as it highlights issues that would remain hidden using
  most other research methods.
However, I conclude that the most important lesson to be learnt from this project and
report, is:
• Disasters do happen. It is not a question of ‘if’, but ‘when’. Be wise, be
  prepared!
7. Recommendations
We discussed the potential problems in winning management support and
understanding. The Information Security specialist organisation 7Safe has come up
with a new concept of convincing management. Common practice is to give
information assets or asset groups a numeric risk level. However this set of numbers
does not add much to management's understanding of the actual risks. 7Safe found
that instead of talking numbers management was far more receptive to talking actual
consequences of threats. They found that this resulted in a more positive uptake of
BS7799 by management.
7.1 The first cycle
Figure 7.1
Björck’s alternative to the Deming Cycle (Björck 2001).
To extend on this project I would look closely at Björck’s alternative to the Deming
cycle (Björck 2001) and discuss this alternative in more detail. Note that this
alternative is suggested by Björck only to be used for setting up an ISMS from scratch
after which he advises to switch to the Deming Cycle. Also a survey on companies
that have already implemented BS7799 may prove useful to find obstacles that they
may have experienced during implementation and perhaps also learn about alternative
manners to gain support of management.
7.2 A helping hand in research
The International Register of Certificated Auditors (IRCA) could also be approached
to help collect information. They send out a monthly newsletter, entitled Inform, to all
registered auditors. Perhaps it would be possible to use this newsletter to ask a wide
range of auditors about their experience with BS7799 implementation.
Next to IRCA, companies that offer consultancy and/or auditing in BS7799 are most
willing to offer a helping hand. Also companies specialising in BS7799 related fields,
such as disaster recovery, have been very accommodating during this research project.
Further research in this subject would benefit from the help of these companies, from
their expertise and from their own research in the subject and affiliated subjects.
7.3 ISMS and tools as an electronic enforceable version
By having all the controls and control sets, policies and procedures in place we should
have a good understanding of the BS7799 ISMS and BS7799 itself. This will make it
easier for the IQA to adapt the current ISMS and tools into an electronic enforceable
version. Venkatraman’s framework (figure 6.1) supports this approach. “Learn how to
walk before you try running” is the main message of this framework. Venkatraman
outlines the steps to be taken to build a system from scratch to a fully integrated
system. It also is a warning not to try and skip some steps. Venkatraman argues that
you do not skip the second level (internal integration). After this level you can go
directly to any of the higher levels. Hence first implementing a standard paper based
version of the ISMS before attempting an electronic enforcement is advisable.
Figure 7.2
Venkatraman framework. Axes: degree of business transformation; range of potential
benefits. Levels, from lowest to highest: Localized exploitation and Internal
Integration (evolutionary); Business Process Redesign, Business Network Redesign
and Business Scope Redefinition (revolutionary).
Transforming the ISMS into an electronic application to enforce BS7799 is in my
opinion the best way of making BS7799 part of the work ethos and achieves
maximum benefit from the standard.
7.4 Information Security a popular subject?
Whilst writing this report I have become aware of students at other universities
throughout the world who are writing or have written reports on similar topics. Björck
(Björck 2001) is one of those that have done research in a very similar field and Wolf
(Wolf 2005) has recently completed his thesis on BS7799 auditing named
‘Conception of a generic, data processing based, IT-Security and data protection
audit- and improvement process for a medium-sized enterprise in an international
environment’.
The media has recently become more interested too. The BBC (BBC 2005a) mentions
how companies are now training their own staff in penetration testing. It briefly
refers to BS7799 in connection with hacking and security. Only 10 days later the BBC
(BBC 2005b) reports that the University of Glamorgan is offering a postgraduate
certificate in penetration testing designed with the help of 7 Safe Information
Security. In June 2005 the BBC (Biswas 2005) published an article on the security at
Indian call centres and inspection of their information security systems.
Information Security is becoming more and more important to organisations,
especially with the increase in cyber-crime, facilitated by the constant growth of the
internet, increase of wireless networks, increase of laptop use and the rapid evolution
of technology in general.
7.5 BS7799 – An international standard
It is worth knowing that by the end of 2005 BS7799-2:2002 will become a recognized
ISO standard under the name ISO27001. Consultants tell me that there are only minor
changes to the standard and that most changes are superficial rather than in depth
content changes.
8. References
?What If! 2002, Sticky Wisdom, Capstone Publishing Ltd, Oxford.
Bladergroen, D, Osinga, A, Peters, L, Vonk, J 2002, Planning en beheersing van IT-dienstverlening, herziene editie, ten Hagen & Stam Uitgevers, Den Haag, pp 99-111.
BBC 2001a, In pictures: Ealing bomb CCTV footage, August 6, Retrieved: September
11, 2005, from http://news.bbc.co.uk/1/hi/uk/1476586.stm
BBC 2001b, Two suspects linked to BBC bomb, March 10, Retrieved: September 11,
2005, from http://news.bbc.co.uk/1/hi/uk/1212314.stm
BBC 2004a, Inquiry into Carr documents theft, May 13, Retrieved: September 11,
2005, from http://news.bbc.co.uk/1/hi/uk/3711953.stm
BBC 2004b, 'Bad' blunder over 'dumped' papers, July 19, Retrieved: September 11,
2005, from http://news.bbc.co.uk/2/hi/uk_news/3905481.stm
BBC 2005a, Cracking the code, August 11, Retrieved: September 29, 2005, from
http://news.bbc.co.uk/1/hi/business/4142628.stm
BBC 2005b, Course to produce expert hackers, August 21, Retrieved: September 29,
2005, from http://news.bbc.co.uk/1/hi/england/cambridgeshire/4171638.stm
Beltman, J R 2005, Statement of Applicability, August 20, Institute of Quality
Assurance
Beynon-Davies, Paul 2004, Information systems `failure': case of the LASCAD
project, September 22, Retrieved: September 12, 2005, from
http://www.csm.uwe.ac.uk/teaching/notes/UQI101S2/lascad.htm
Biswas, Soutik 2005, How Secure are India’s call centres?, June 24, Retrieved:
September 29, from http://news.bbc.co.uk/1/hi/world/south_asia/4619859.stm
Björck, F 2001, Security Scandinavian Style: Interpreting the Practice of Managing
Information Security in Organisations, Retrieved: September 11, 2005, from
http://www.dsv.su.se/~bjorck/files/bjorck-thesis.pdf
Bryman, A 1989, Research Methods and Organization Studies, Academic Division of
Unwin Hyman Ltd, London, pp 178-187.
BSI 2000, Information technology: Code of practice for information security
management, 1st Edition, December 01, BSI.
BSI 2002, Information security management systems: Specification with guidance for
use, September 05, BSI.
Bureau Veritas 2003, Information Security Management Systems Auditor/Lead
Auditor Course (IRCA 2016), Unpublished, Bureau Veritas, London.
Bureau Veritas 2004, Examination for Auditors of Information Security Management
Systems, Amended Edition, March, Bureau Veritas, London.
CNN 2001, September 11: Chronology of terror, September 12, Retrieved: September
11, 2005, from http://archives.cnn.com/2001/US/09/11/chronology.attack/
Clark, A W 1976, Experimenting with Organisational Life: The Action Research
Approach, Plenum Press, New York and London
Deloitte & Touche 2004, Business Insurance Consulting: Coping with the unexpected,
October 13, Retrieved: September 11, 2005, from
http://www.deloitte.com/dtt/article/0,1002,sid%253D3469%2526cid%253D62519,00.html
Deming, W E 2000, The New Economics for Industry, Government, Education, 2nd
Edition, August 11
Energy Smart library 2005, Glossary of Energy terms, Retrieved: September 28,
2005, from
http://library.energyguide.com/EnergyLibraryGlossary.asp?bid=nstar&prd=10#P
Financial Spread Betting News 2005, £9m theft ‘mad’ accountant jailed, January 26,
Retrieved: September 29, 2005, from http://www.financial-spreadbetting.com/spread-betting-newss.html#Section60
Francis S. "Frank" Patrick 2001, Taking Advantage of Resistance to Change (and the
TOC Thinking Processes) to Improve Improvements, extract from conference, May,
Retrieved: September 11, 2005, from
http://www.focusedperformance.com/articles/resistance.html
Gamma Security Systems Ltd, Retrieved: September 11, 2005, from
http://www.gammassl.co.uk/
Global Security, Great Northeast Power Blackout of 2003, Retrieved: September 11,
2005, from http://www.globalsecurity.org/eye/blackout_2003.htm
Green, S 2005, Personal Communication, September 13
Howard, R 2005, Personal Communication, September 13
Ilett, Dan 2005, Cybercriminals taking £2.5bn from UK businesses: National Hi-tech
Crime Unit shares the bad news, April 5, Retrieved: September 11, 2005, from
http://software.silicon.com/security/0,39024655,39129301,00.htm
IQA 2005, About the Institute of Quality Assurance, Retrieved: September 13, 2005,
from http://www.iqa.org/about/
IQA SoA 2005, IQA Statement of Applicability, August 20
IRCA 2005, About IRCA, Retrieved: September 13, 2005, from
http://www.irca.org/about/about.html.
ISMS International User Group 2005, Certificate Register, Retrieved: September 11,
2005, from http://www.xisec.com/register.htm
Jeffcott, M A 2004, Technology alone will never work: Understanding How
Organisational Issues Contribute To User Neglect And Information Systems Failure
in Healthcare, Retrieved: September 18, 2005, from
http://www.dcs.gla.ac.uk/~johnson/papers/Rotterdam_Paper.pdf
Knight, Will 2000, MI5 laptop containing top secret data stolen, March 24,
Retrieved: September 11, 2005, from
http://news.zdnet.co.uk/business/0,39020645,2077931,00.htm
Koppens, S, Peters, L, Vonk, J 2001, Operationeel beheer van informatiesystemen,
herziene editie, ten Hagen & Stam Uitgevers, Den Haag
Kotter, John P 1999, What Leaders Really Do, Retrieved September 12, 2005, from
http://www.1000ventures.com/business_guide/crosscuttings/change_resistance.html
Langley, Elizabeth 2003, What is ITIL, November 13, Retrieved: September 17, from
http://www.brainbox.com.au/members/brainbox/home.nsf/0/BDD3E9AE7E4B115B49256DDC00301BE7?opendocument
Latynina, Yulia 2003, America in the Dark, August 18, Retrieved: September 12,
2005 from http://www.worldpress.org/Europe/1579.cfm
Laudon, K C, Laudon, J P 2004, Management Information Systems: Managing the
Digital Firm, 8th Edition, Pearson Education Inc, New Jersey, pp 448-479.
Leviton Voice & Data Division, Standards, Retrieved: September 12, 2005, from
http://www.levitonvoicedata.com/learning/glossary.asp?#S
News 24 2005, 'Iraq invasion led to UK bombs', July 26, Retrieved: September 11,
2005, from http://www.news24.com/News24/World/Londonattacks/0,,2-101854_1743598,00.html
Management Issues News 2005, Bank details 'sold by Indian call centre', June 23,
Retrieved: September 11, 2005, from http://www.managementissues.com/display_page.asp?section=research&id=2263
Manchester Evening News 2005, Soaring cost of cybercrime, April 5, Retrieved:
September 29, 2005, from
http://www.manchesteronline.co.uk/men/news/technology/s/153/153574_soaring_cost_of_cyber_crime.html
Naudi, J 2005, Hurricane Katrina’s aftermath, September 10, Retrieved: September
21, 2005, from
http://www.stltoday.com/stltoday/business/stories.nsf/0/6623D7F1124A2D4C86257078005A9BA6?OpenDocument
Parry, V 2005, Personal Communication, September 04.
Peach, R W, Peach, B, Ritter, D S 2000, The Memory Jogger 9000/2000: A Pocket
Guide to Implementing the ISO 9001 Quality Systems Standard Based on
ANSI/ISO/ASQ Q9001-2000, 1st Edition, GOAL/QPC, Salem.
Price, D 2005, BVQI & 7 Safe Workshop: Adding value through ISO 17799, 15 June.
Reason, P, Bradbury, H 2001, Handbook of Action Research: Participative, Inquiry &
Practice, SAGE Publications, London.
Rice-Oxley, Mark 2005, Terror jolts London, but British steady: Coordinated strikes
on rush-hour commuters Thursday killed dozens, July 08, Retrieved: September 11,
2005, from http://www.csmonitor.com/2005/0708/p01s03-woeu.html?s=yahw
Rich, M 2005, Personal Communication, September 13.
Sikkink, M 2005, IT Management System, June 09, Thesis report, Institute of Quality
Assurance.
Topping, Peter A 2002, Managerial Leadership, Retrieved September 12, 2005, from
http://www.1000ventures.com/business_guide/crosscuttings/change_resistance.html
Wikipedia 2004, Standards (software), June 28, Retrieved: September 12, 2005, from
http://en.wikipedia.org/wiki/Standards_(software)
Wikipedia 2005a, Standardization, September 3, Retrieved: September 12, 2005, from
http://en.wikipedia.org/wiki/Standardisation
Wikipedia 2005b, Regulation, September 9, Retrieved: September 12, 2005, from
http://en.wikipedia.org/wiki/Regulation
Wolf, Roberto 2005, Conception of a generic, data processing based, IT-Security and
data protection audit- and improvement process for a medium-sized enterprise in an
international environment, September 9, Unpublished thesis report, Ernst & Young
Appendix A. Project Definition
Name: J.R. Beltman
Email address: [email protected]
Contact phone number: 020 7245 8596
Project title: How to implement BS7799: A case study conducted at the Institute of
Quality Assurance.
Supervisor: C. Smart
How to implement BS7799: A case study conducted at the Institute of
Quality Assurance.
The Problem
The security of the information held by Institute of Quality Assurance (IQA) is at risk
and this risk has to be reduced to the absolute minimum, whilst at the same time the
efficiency of the IT department in dealing with information security related issues
must be improved in line with IQA’s business of adhering to best practice in the work
place.
The consequences for any company whose information security is compromised are
severe. A few examples of information at risk:
• Email directories (customers and suppliers)
• Customers’ financial information
• Any other customer data
• The organisation’s bank account details
• Employee details
IQA requires all appropriate sections of BS7799 to be implemented by the
end of September 2005, with a view to proceeding to certification early December.
The Institute of Quality Assurance (IQA) consists of two organisations; the Institute
of Quality Assurance (IQA) and the International Register of Certified Auditors
(IRCA). The IT department of the IQA supports both organisations. Both
organisations have very different business processes and it is this difference that
makes implementation of BS7799 an extra interesting undertaking.
Background
Since the restructuring of the IT department began 3 years ago its functioning has
improved greatly, but has not yet reached its potential level of efficiency. However
this does not only depend on the IT department, but on the whole of the organisation.
To make further improvements the IT department has identified some potential aids
that would benefit its functioning.
• ITIL (IT Infrastructure Library) – Concerned with IT Service Management.
• ISO 9000:2000 (International Standard Organisation) – Concerned with overall
  improvement of quality within the organisation.
• BS7799 (British Standard) – Concerned with Information Security.
The ITIL and ISO 9000:2000 aids are already being investigated and are partly
implemented, leaving BS7799 implementation as a final, but a most challenging
project to be completed.
Aim and Objectives
The aim of this project is to see to implementation of all applicable domains and subdomains of BS7799 within the IQA with a view on possible certification in the near
future and to document the process of implementation to make implementation of
BS7799 more accessible for other organisations.
Project objectives
• To make implementing BS7799 accessible for third parties by discussing the
subject of ‘How to’ implement the standard, detailing process, difficulties and
challenges of implementation in the IQA in a format that can be taken as
guidance for a third party.
• Implement the domains of the BS7799 standard that are applicable to the IQA.
• Format this project report so it is easily adaptable for transformation into a
software application that will help to enforce the applicable domains and subdomains of BS7799.
The business objectives of BS7799 are to
• Maximize return of investments
• Minimize business damage
• Ensure business continuity
The stakeholders are identified as the IQA/IRCA, their customers and suppliers and
other organisations that are eager to implement BS7799.
BS7799 certification requires complying with both parts of BS7799; part 1 and part 2
also known as
• BS ISO/IEC 17799:2000, BS 7799-1:2000 (Information technology – Code of
  practice for information security management)
• BS 7799-2:2002 (Information security management systems – Specification with
  guidance for use)
The Code of practice covers 10 domains which address key areas of Information
Security Management and include a total of 127 best security practices:
1. Information security policy
- Objective: To provide management direction and support for information
security
2. Organisational security
- Objective: To manage information security within the organisation
3. Asset classification and control
- Objective: To maintain appropriate protection of organizational assets
4. Personnel security
- Objective: To reduce risks of human error, theft, fraud or misuse of facilities
5. Physical and environmental security
- Objective: To prevent unauthorized access, damage and interference to business
premises, information and assets
6. Communications and operations management
- Objective: To ensure the correct and secure operation of information processing
facilities, minimize the risk of system failures and maintain integrity and
availability of information processing and communication services.
7. Business requirement for access control
- Objective: To control access to information and detect unauthorized access
8. Security requirements of systems
- Objective: To ensure that security is built into information systems
9. Business continuity management
- Objective: To counteract interruptions to business activities and to protect
critical business processes from the effects of major failures or disasters
10. Compliance
- Objective: To avoid breaches of any criminal and civil law, statutory, regulatory
or contractual and thereby to ensure compliance of systems with organizational
security policies and standards
The objectives of all domains mentioned go into far greater detail in the actual code of
practice than the summary above. It is important to be aware that not all domains or
sub-domains apply to every organisation and that some domains will be difficult to
implement without full co-operation of those involved, in some cases the entire
company. The domains and sub-domains to be implemented will only become
apparent when actually engaging in the project. It is part of the project to determine
and document which are and which aren’t applicable to the IQA and why.
Successful implementation of BS7799 can be tested by internal checks and
external audit.
IQA/IRCA IT and HR personnel will carry out systematic checks on all of the
applicable/implemented domains and put forward any suggestions to improvement.
When the implemented domains are found to be adequate the project is successfully
completed. Proof of this will be a signed checklist.
As an extra, but not immediately required endorsement of success, the IQA can bring
in an external auditor to audit the BS7799 Information Security Management System.
If the IQA is then awarded certification the project will have exceeded its original
aims and objectives.
Methodology
The Information security management system (ISMS) of BS7799 is implemented
using a methodology referred to as the Deming cycle: the Plan-Do-Check-Act
(PDCA) cycle (August 11 2000, “The New Economics for Industry, Government,
Education” - 2nd Edition, W Edwards Deming). Each component has its own subcomponents.
Figure A.1
The Deming Cycle
For the ISMS of BS7799 the Deming Cycle’s sub-components are:
Plan
• Scope
• Policy
• Risk Assessment
• Risk Treatment Plan
• Statement of Applicability
Do
• Operate Controls
• Awareness Training
• Manage Resources
• Prompt Detection and Response to Incidents
Check
• Management Review
• Internal ISMS Audit
Act
• ISMS Improvements
• Preventive Action
• Corrective Action
Table A.1
Sub-components of the Deming Cycle for the ISMS of BS7799.
Part 2 of BS7799 (Specification with guidance for use) enforces the original code of
practice and instructs on how to build, maintain, operate and improve a measurement
system for managers to monitor and control the security systems: The Information
security management system (ISMS).
Part 2 guides through each of the 10 domains and their sub-domains of Part 1. It
requires justification for implementation of each sub-domain, not for discarding
certain sub-domains.
For this project I will be making use of the Deming Cycle and Part 2 of BS7799
(Specification with guidance for use). I will be going through each domain and their
sub-domains (or as worded in BS7799 part 2 – Control objectives and controls). I will
determine their applicability and justify either use or discard. If a sub-domain is
applicable I will seek to implement.
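The following Python example is added here and is not part of the original report or of any IQA tooling: it holds the Statement of Applicability as records and checks that every one of the ten domains has been assessed, every use-or-discard decision is justified, and every applicable sub-domain is implemented with evidence. The field names, sub-domain labels and sample entries are constructed for illustration; only the domain names come from the list above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ten domains of the code of practice, numbered as in the list above.
DOMAINS = {
    1: "Information security policy",
    2: "Organisational security",
    3: "Asset classification and control",
    4: "Personnel security",
    5: "Physical and environmental security",
    6: "Communications and operations management",
    7: "Business requirement for access control",
    8: "Security requirements of systems",
    9: "Business continuity management",
    10: "Compliance",
}


@dataclass
class SoAEntry:
    """One sub-domain line of the SoA (field names are assumptions of this example)."""
    domain: int
    sub_domain: str
    applicable: Optional[bool] = None  # None: applicability not yet determined
    justification: str = ""            # why the sub-domain is used or discarded
    implemented: bool = False
    evidence: str = ""                 # policy, procedure, tool or log that shows it


def review(entries: List[SoAEntry]) -> List[Tuple[str, str]]:
    """Return (reference, problem) pairs; an empty list means nothing is open."""
    findings: List[Tuple[str, str]] = []
    covered = set()
    for e in entries:
        ref = f"{e.domain}: {e.sub_domain}"
        if e.domain not in DOMAINS:
            findings.append((ref, "unknown domain number"))
            continue
        covered.add(e.domain)
        if e.applicable is None:
            findings.append((ref, "applicability not decided"))
            continue
        # Both use and discard must be justified, as the methodology states.
        if not e.justification.strip():
            findings.append((ref, "decision has no justification"))
        if e.applicable and not e.implemented:
            findings.append((ref, "applicable but not implemented"))
        elif e.applicable and not e.evidence.strip():
            findings.append((ref, "implemented without evidence"))
        elif not e.applicable and e.implemented:
            findings.append((ref, "implemented but marked not applicable"))
    # A domain with no entry at all has been skipped rather than discarded.
    for number in sorted(set(DOMAINS) - covered):
        findings.append((f"{number}: {DOMAINS[number]}", "domain not assessed"))
    return findings


def ready_for_sign_off(entries: List[SoAEntry]) -> bool:
    """True when the internal check has nothing left to raise."""
    return not review(entries)


# Constructed sample register; not the IQA's actual SoA.
SAMPLE_SOA = [
    SoAEntry(1, "Policy document", True, "Gives management direction", True,
             "Information Security Policy"),
    SoAEntry(5, "Site security", False, "Site Security joins the scope later"),
    SoAEntry(6, "Anti-virus protection", True, "Desktops and servers in scope",
             True, "Anti-virus console report"),
    SoAEntry(6, "Backup and restore", True, "Data loss is very high severity",
             True, ""),
    SoAEntry(7, "Password policy", True, "", True, "Password policy document"),
    SoAEntry(9, "Continuity plan", True, "Office may become unusable", False),
    SoAEntry(10, "Software licensing"),
]

if __name__ == "__main__":
    for ref, problem in review(SAMPLE_SOA):
        print(f"{ref:45} {problem}")
    print("Ready for sign-off:", ready_for_sign_off(SAMPLE_SOA))
```
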
Factors that can influence the success of this project
Risk                      Likelihood   Severity
Virus infection of PC     0.1%         Small
Crash of hard disk        2%           Very high
Corruption of data        1%           Very high
Absence of key persons    10%          Small
Resistance to change      50%          Medium
Table A.2
Project Risk factors
Resistance to change is a problem that I am likely to run into. This can be minimized
by convincing and logic argumentation of the change required and support from
higher management. The project will require a significant change in the way people
regard information security at current; however the impact of change on how they
work should be kept to a minimum.
To counteract the very possible reality that this project will not succeed to enforce the
uptake of BS7799 within the IQA and end up on the bookshelf without being taken
seriously the following actions/factors have been identified as absolutely fatal:
• Top management support.
• Management support
• A follow up project where the identified domains and sub-domains of
  BS7799 will be transformed into a software application that actively enforces
  them.
The follow up project will require this project report to be written in a format that is
easily adaptable for transformation into a software application.
Appendix B. The Scope
Scope of the Information Security Management
System BS7799 Part 2
The scope of the information security management system in IQA/IRCA
covers the following:
All operational, technical, networking, desktop, administration and
management functions at the Grosvenor Crescent office.
Departments within scope:
1. Desktops, servers and LAN
2. IT Services Department
To be included at a later stage in the following order
1. Site Security
2. IRCA Certification
3. IRCA Training
4. Facilities
5. Accounts
6. Publishing
7. IQA Training & Events
8. IQA Education
9. IQA Membership
The departments that are currently not in scope do make use of IT assets
which are in scope. The users of the assets that are in scope will be made
aware of the policies and procedures that apply to these assets.
Signed……………………… IT Manager
Date……………………..
Appendix C. The Security Policy
Institute of Quality Assurance
Information Security Policy
Purpose
The purpose of this information security policy is to protect all information assets, as
defined within the scope, within the Institute of Quality Assurance (IQA) from all
threats, whether internal or external, deliberate or accidental. Information within the
IQA exists in many forms and the policy includes the protection of data stored
electronically, transmitted across networks and printed or written on paper to
safeguard the information of the company, its customers, employees and trading
partners.
Objectives
The objective of information security is to ensure business continuity and minimise
damage by preventing and reducing the impact of security incidents. The
implementation of this policy is needed to maintain, improve and demonstrate our
integrity in our dealings with all our customers and trading partners.
It is the policy of the IT department of the IQA to ensure:
• Information is protected against unauthorised access.
• Confidentiality of information is assured
• Information is not disclosed to unauthorised persons through deliberate or
careless actions
• The integrity of information is maintained
• The availability of information to authorised users when needed
• Regulatory and legislative requirements will be met
• Business continuity plans will be produced, maintained and regularly tested
• Information security training will be given to all staff
• All breaches of information security, actual and suspected, are recorded,
reported and investigated
• The IT department is compliant with best practice as identified in ISO/IEC
17799.
Actions
Standards, policies and security operating procedures will be produced to support this
policy and will include: virus control, access control, personnel security, the use of
email, the Internet and the local network. A formal disciplinary process will be
documented and implemented, in collaboration with the personnel department, for
those employees who choose not to comply with company standards.
The IT Manager has overall responsibility for maintaining this Policy and providing
guidance on its implementation. It is the responsibility of each employee to adhere to
the policies and procedures in their areas.
This policy will be reviewed regularly to ensure it remains appropriate for the
organisation.
Signed……………………………………..
IT Manager
August 2005
Appendix D. Risk Assessment Procedure
Risk Assessment Procedure
Objective
This document describes the Risk Assessment methodology adopted by IT
Department of the IQA as part of its commitment to achieve implementation of BS
7799-2:2002.
Responsibilities
The IT Manager maintains overall responsibility for the compliance and adherence to
this procedure whilst nominated asset owners are responsible for assessing the
security threats and vulnerabilities for their own information assets.
Methodology
Step One.
Review of Asset Inventory
The IT department maintains an inventory of all information assets related to the IT
department which are within scope of the ISMS. The inventory is reviewed on a
regular basis to ensure that it remains up to date and an annual review is undertaken
prior to performing a formal risk analysis. For each asset or group of assets an asset
owner or key user has been nominated. The IT manager is responsible for identifying
the value of the identified assets, where possible in conjunction with the asset owner
or user.
Step Two
Asset Valuation
Assets are valued according to the effect the asset being compromised has on the
organization also called severity of the threat.
Severity levels used:
Very Low (1): loss of the asset will have no effect on the business
Low (2): loss of the asset will have little effect on the business and not
cause any disruption
Medium (3): loss of the asset will have an impact on the business, which can
be resolved in a number of hours but not affect the customer
High (4): loss of the asset will disrupt the business and impact on the
customer in the short term
Very high (5): loss of the asset will cause major disruption, affect customers
and impact revenues
Step Three
Identification of Security Threats and likelihood
Threats are identified and recorded. For each threat the likelihood of the threat
materializing is assessed per asset or asset group. Likelihood is classified as follows:
Very Low (1)
Low (2)
Medium (3)
High (4)
Very High (5)
Step Four
Identification of Vulnerabilities
Vulnerabilities of threats are identified per asset or asset group. Vulnerability is a
source or situation with potential for a threat to inflict harm. It does not cause harm or
threats but if not managed it will lead to harm.
Vulnerability is classified on five levels.
Very Low (1)
Low (2)
Medium (3)
High (4)
Very High (5)
Example of vulnerability: paper records archived in the basement of a building known
to occasionally flood are vulnerable to water damage. The likelihood of such an event
would also be considered as well as the damage such an event would have on the
business to determine the degree of assurance required.
Step Five
Calculation of risk
The table identified in used to calculate the risk exposure of all information assets
once an asset value has been assigned.
Security Threats
Threats Identified
Physical & Environmental
• Bomb attack
• Earthquake
• Fire
• Flood
• Theft
• Wilful damage
• Accidental damage
• Power supplies
• Air conditioning failure
• Power failure
IT Threats
• Software failure
• Hardware failure
• Damage to communication lines/cables
• Deterioration of storage media
• Computer viruses
• Hacking
Vulnerabilities Identified
• Location of the organisation near Buckingham Palace, Hyde Park Corner and in
Belgravia where many embassies are based.
• The building is shared with another organisation.
• The electrical circuits in the building, especially the server room, are badly
wired with ‘earth’ leaking from one plug to another.
• Power supplied by 3rd party.
• Unprotected telephone connections.
• Unprotected public network connections.
• Equipment sensitive to temperature variations.
• Equipment such as laptops and data storage devices are taken out of the
building.
• External connections to the company’s network are possible and open to
support staff and 3rd parties.
• Insufficient security training
Figure D.1 Risk Matrix

Likelihood        very low = 1     low = 2          medium = 3       high = 4         very high = 5
Vulnerability      1  2  3  4  5    1  2  3  4  5    1  2  3  4  5    1  2  3  4  5    1  2  3  4  5
Severity 1         3  4  5  6  7    4  5  6  7  8    5  6  7  8  9    6  7  8  9 10    7  8  9 10 11
Severity 2         4  5  6  7  8    5  6  7  8  9    6  7  8  9 10    7  8  9 10 11    8  9 10 11 12
Severity 3         5  6  7  8  9    6  7  8  9 10    7  8  9 10 11    8  9 10 11 12    9 10 11 12 13
Severity 4         6  7  8  9 10    7  8  9 10 11    8  9 10 11 12    9 10 11 12 13   10 11 12 13 14
Severity 5         7  8  9 10 11    8  9 10 11 12    9 10 11 12 13   10 11 12 13 14   11 12 13 14 15

Legend
3 to 7 - residual risk - no action required
8 to 10 - control required - medium risk
11 to 15 - controls critical - high risk
Appendix E. Risk Management/ Treatment Procedure
Institute of Quality Assurance
Risk Management/Treatment Procedure
Objective
This procedure defines the risk management/treatment methodology adopted by the
Institute of Quality Assurance.
Responsibilities
The IT Manager maintains overall responsibility for the compliance and adherence to
this procedure whilst nominated asset owners and managers are responsible for
managing risk identified in relation to their nominated information assets.
Risk to all information assets has been calculated using the risk assessment procedure
against all assets identified on the Asset Register. Based upon this assessment the
management team have defined what level of risk is acceptable to the business and
stated the degree of assurance required.
It has been decided that risk levels above 10 are not acceptable and need to be
reduced. Ideally the risk levels should all be reduced till under level 8 as level 7 and
below are seen as acceptable risk levels. In order to meet the criteria, controls will be
implemented to manage and reduce current asset exposure levels to security threats
and vulnerabilities.
The Institute of Quality Assurance will consider options for the treatment of risk
which include Transfer of Risk, Avoidance of Risk, Risk Acceptance in accordance
with the Security Policy and the Application of Controls from the ISMS Standard BS
7799-2:2002. The control options and selection are addressed in the Statement of
Applicability, which will reference the relevant documentation that addresses the
requirements for control as identified from the risk assessment.
The asset owners and key users translate the control objectives and controls in the
standard into documented procedures and policy statements that describe how they are
implemented. Controls are also covered in Business Continuity Plans that are tested
frequently for their effectiveness.
The IT Manager and asset owners are responsible for monitoring and identifying new
security threats and vulnerabilities on a regular basis and changing working practices
and procedures when required in accordance with the recommendations from
information security management system reviews.
A formal re-evaluation of security risk levels is performed on an annual basis, the
results of which are discussed at the Information Security Management Review
Meetings.
Signed……………………………… IT Manager
August 2005
Appendix F. S. Green, Personal Communication
Dear Mr Beltman,
Thank you for your email to the OGC Service Desk.
ITIL was conceived and started in the late 1980s and developed and owned by
CCTA. CCTA recognised that organisations were becoming increasingly dependent
on Information Systems (IS). Without IS most businesses cannot function. Without
quality IT services they cannot function well. Clearly there was a need for quality IT
service provision and while CCTA's customer base was central government, the needs
of organisations in the public or private sector, large, small, centralised or distributed
were going to be similar. There is a continual pressure in many organisations to
reduce costs while maintaining or improving the IT services.
When the IT Infrastructure Library project was initiated, no comprehensive guidance
existed on providing efficient and effective IT services. The IT Infrastructure Library
documents best practice for IT service management, with that best practice being
determined through the involvement of industry experts, consultants and
practitioners. It remains the only comprehensive, non-proprietary, publicly available
set of guidance, making it a unique and valuable product.
If you require further information about ITIL please visit the following link to the
ITIL section of OGC's website:
http://www.ogc.gov.uk/index.asp?id=2261
Here you will find a wealth of information about the ITIL methodology, including
Frequently Asked Questions which may help with any other queries you may have.
I hope the above is of use to you. If you have any further enquiries please do not
hesitate to contact the Service Desk again.
Kind regards
Sarah Green
Service Desk Agent
Office of Government Commerce
Rosebery Court
St Andrews Business Park
Norwich
NR7 0HS
> > -----Original Message-----
> > From: J.R. Beltman [mailto:[email protected]]
> > Sent: 04 September 2005 17:20
> > To: [email protected]
> > Subject: History of ITIL
> >
> > Dear Sir/Madam,
> > I was just wondering if when ITIL was first devised if it was originally
> > devised just for the UK public sector or was it always intended to have a
> > broader application? And if it was just devised for the UK public sector
> > then when was it that this changed and why?
> >
> > Kind regards
> > JR Beltman
Appendix G. R. Howard, Personal Communication
Dear Mr Beltman,
Thank-you for taking my telephone call. I would like to provide you with details of
our services so we can be considered for any future Penetration Testing requirements
that you may have.
We get involved in all types of testing including:
Security / Vulnerability Testing Methodologies
Sample Management Report - External/Internal & War Dial
Overview of Security / Vulnerability Testing Services
We offer INTERNAL TESTING,
EXTERNAL TESTING,
APPLICATION TESTING,
WIRELESS NETWORK TESTING,
MOBILE WORKING SECURITY TESTING,
STOLEN LAPTOP TESTING,
SOCIAL ENGINEERING,
PASSWORD REVIEWS.
NCC Group Plc is one of the world's leading independent providers of IT assurance,
security and consultancy services to over 10,000 clients globally in both the public
and private sectors.
Our technical excellence and independence means we are totally unique in that our
advice is totally impartial and not driven by the need to promote pre-determined
technical solutions.
You may be interested to learn that in the last 2 years, NCC Group Plc achieved a
42% success rate in breaking into networks from an external testing perspective and
83% for Internal testing perspective.
NCC Group Plc is a member of the GCHQ CESG CHECK certification scheme
(Green Standard), for providing penetration testing services. We have the
largest independent CHECK Team in the UK. Consultants are also CLAS
cleared. Should procurement be made easier for you by using S-CAT, please may I
make you aware that we are S-CAT and G-CAT listed.
The NCC Group has worked with many private sector clients including; Amec, First
Engineering, Churchill Insurance, Merrill Lynch, HSBC, Holmesdale Building
Society, Nottingham Building Society, Manchester International Airport, Marsden
Building Society, IF Online (Halifax Group), National Australia Group, UBS
Warburg, Ulster Bank, B&Q, Woolworths, Northern Electric Plc.
Also with many local and central government authorities, some of which include;
Crown Prosecution Service, British Library, Department of Enterprise, Trade &
Investment, The Royal Mint, NATO, US Department of Defence, London Borough of
Hammersmith & Fulham, London Borough of Hackney, London Borough of Camden,
The FSA, Manchester City Council, Tate Gallery, in addition to several UK Police
Forces and Registered Charities.
Please also find attached the following information for your perusal:
Pen test Services
Sample Management Report (External, Internal & War Dial Testing)
We would be keen to meet with you to discuss this further and how we can potentially
assist you. Should you have any questions or require any additional information,
please do not hesitate to contact me.
Kind Regards,
Rachael Howard
Appendix H. V. Parry, Personal Communication
----- Original Message -----
From: Vic Parry
To: JR Beltman
Sent: Sunday, September 04, 2005 4:50 PM
Subject: Senior Management
Hi JR, if I understand your question correctly then the following is what I have found
to be the biggest resistance to change by some managers when implementing BS
7799:
Unlike the ISO 9001 Quality Management System where you can quantify financially
the improvements brought about by implementing a management system eg higher
productivity, less errors, reduced waste, shorter downtime, less rework, fewer
warranty claims etc, BS7799 is far more difficult to justify in terms of higher profits.
It is hidden in terms of how much damage has been avoided/reduced by protecting
your company from an attack. Whether this be a logical, personal or even physical
attack. A company often finds out too late after the event, very often the damage has
already been done. In extreme cases this actually results in the company going bust.
At best it causes disruption and impacts on the company's financial performance, not
to mention damage to the organisation's image and reputation.
The problem is that when an organisation does implement policies, practices and
procedures to protect its assets this will often eliminate unnecessary risks and
potential attackers are unsuccessful, however this is not always obvious and visible so
management are unaware of how effective their management system has worked. I
hope this goes some way to adding to your understanding why management are not
always fully committed to implementing this system.
Best Regards Vic Parry Chartered FCIPD
IRCA Registered Principal Auditor BS 7799:2-2002
Appendix I. M. Rich, Personal Communication
First statement
Action research originated in the clinical world after around 1945. As well as
assuming that there are ‘participant observers’ – that is, people carrying out the
research are actually taking part in the process – action research also assumes that
through some intervention you can do things better in the future. Therefore your
objectives (in action research terms) are to do with identifying a suitable intervention.
Correction on first statement
Yes – I suggested that action research originally presumes that through some
intervention things could be done better in the future. I’m therefore suggesting that
you are doing the first stage of action research, and that part of your results will be
recommendations on what sort of interventions to try out. True action research would
depend on you trying out this intervention and then evaluating its effect – you can and
should be very open about the fact that you can’t do that within one MSc project.
Appendix J. V. Parry, Interview notes
On Monday 26-October-2005 I met up with Victor Parry, Chartered FCIPD and IRCA
Registered Principal Auditor BS 7799:2-2002. I thought it would cost me a meal and a
pint, but not only did he pay for himself, he also shared a lot of information about
BS7799 implementation with me. Below a summary of what was said during the
evening.
When I asked Victor what he felt were the largest issues with implementing BS7799
he told me about lack of management support, which can be split in a couple of sub
sections. He mentioned:
• No resource allocation
• Fear of hidden costs
• There are no transparent benefits of implementing BS7799
• No understanding of Business continuity and disaster recovery
• The value of implementation is not understood
He continued explaining that business continuity means planning for the future, such
as for expansion, more staff, extra resources etc to provide a consistent level of
service. Disaster recovery is planning for the unexpected and unplanned events.
We moved on to resistance to change. Victor had a very interesting view on this
subject. He never found it to be a big show stopper, but in his view this is due to how
change is managed. He suggested that a good manager will communicate the positive
aspects of change and by doing so the manager can take away the physiological fear
people have of change. People fear change, according to Victor, because it makes
them think again. Whereas before the change the staff could do their job without
actively thinking about how, with change they suddenly need to start thinking about
their work again. He mentioned some examples such as making a pool player think
about how to breathe in and out when playing. This would usually go unnoticed, but
by making the player think about this the game will change and most likely not in
favour of this player.
“What are the arguments against implementing BS7799”, I asked. According to
Victor there are many of these, but not many hold ground. Examples mentioned:
• We are a public body
• Customers do not insist on it
• Won’t increase our profits
• We don’t need it
• Nobody knows who we are or what we do
• We are not prepared to invest in this
• Why invest in BS7799?
“For those who implemented BS7799, how do we make sure it is not just lip service”
was my next question. Victor suggested that it does happen, but not often and it does
not go unnoticed. If it were to become a lip service the organisation would stand little
to no chance on renewing the certificate as the company simply won’t pass the
assessment. In places where it does happen it can have more factors. Victor pointed
out that he is aware of a company where it happened because of lack of management
support and involvement.
Victor continued by telling me that the critical success factors, apart from
management support, are an asset register with relevant assets and a systematic
approach to risk assessment. He concluded by informing me that in the end it is all
about focussing on the business needs.
Appendix K. Assets and risks
Table K-1 Assets and risks

Asset / Asset Group  Threat                                 Likelihood  Vulnerability  Severity  Score  Average
Desktops             Virus infection                        2           3              1         6      7
                     Abuse of workstation                   2           1              3         6
                     Installation of unauthorised software  4           3              2         9
Laptops              Virus infection                        4           3              2         9      9
                     Abuse of laptop                        3           1              3         7
                     Installation of unauthorised software  4           4              2         10
                     Theft                                  3           3              4         10
USB Sticks           Theft                                  2           3              4         9      8.3
                     Loss                                   3           3              4         10
                     Data corruption                        3           2              1         6
USB Disks            Hardware failure                       2           2              3         7      7
Servers              Power outage                           1           2              5         8      7.4
                     Hardware failure                       1           3              4         8
                     Virus infection                        3           1              1         5
                     Data corruption                        2           2              5         9
                     Electricity spikes                     3           3              1         7
Switches             Hardware failure                       1           1              5         7      7
UPS systems          Hardware failure                       1           1              3         5      5
Building             Falling within an exclusion zone       1           1              5         7      7
                     Closure due to a disaster              1           1              5         7
Table K-1 is an example of a risk asset evaluation. This table does not contain actual information as used in the IQA for security reasons.
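The scoring used in Figure D.1 and Table K-1 is additive (score = likelihood + vulnerability + severity), and Appendix E sets the treatment thresholds. The following is an added example, not part of the original report, that recomputes the Table K-1 scores and per-asset averages and sorts the rows that need a control; the function names and the treatment labels are assumptions made for this illustration, and the rows are the example values printed in Table K-1.

```python
"""Additive risk scoring (Appendix D) with treatment thresholds (Appendix E)."""
from collections import defaultdict

# (asset group, threat, likelihood, vulnerability, severity), each level 1-5.
# These are the example rows of Table K-1, which the report says are not
# the IQA's real values.
TABLE_K1 = [
    ("Desktops", "Virus infection", 2, 3, 1),
    ("Desktops", "Abuse of workstation", 2, 1, 3),
    ("Desktops", "Installation of unauthorised software", 4, 3, 2),
    ("Laptops", "Virus infection", 4, 3, 2),
    ("Laptops", "Abuse of laptop", 3, 1, 3),
    ("Laptops", "Installation of unauthorised software", 4, 4, 2),
    ("Laptops", "Theft", 3, 3, 4),
    ("USB Sticks", "Theft", 2, 3, 4),
    ("USB Sticks", "Loss", 3, 3, 4),
    ("USB Sticks", "Data corruption", 3, 2, 1),
    ("USB Disks", "Hardware failure", 2, 2, 3),
    ("Servers", "Power outage", 1, 2, 5),
    ("Servers", "Hardware failure", 1, 3, 4),
    ("Servers", "Virus infection", 3, 1, 1),
    ("Servers", "Data corruption", 2, 2, 5),
    ("Servers", "Electricity spikes", 3, 3, 1),
    ("Switches", "Hardware failure", 1, 1, 5),
    ("UPS systems", "Hardware failure", 1, 1, 3),
    ("Building", "Falling within an exclusion zone", 1, 1, 5),
    ("Building", "Closure due to a disaster", 1, 1, 5),
]


def risk_score(likelihood, vulnerability, severity):
    """Return the Figure D.1 cell value: the sum of the three levels (3..15)."""
    for name, value in (("likelihood", likelihood),
                        ("vulnerability", vulnerability),
                        ("severity", severity)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood + vulnerability + severity


def legend_band(score):
    """Map a score onto the three bands of the Figure D.1 legend."""
    if not 3 <= score <= 15:
        raise ValueError(f"score out of range: {score}")
    if score <= 7:
        return "residual risk - no action required"
    if score <= 10:
        return "control required - medium risk"
    return "controls critical - high risk"


def treatment(score):
    """Appendix E: above 10 is not acceptable; 7 and below is acceptable."""
    if score > 10:
        return "not acceptable: must be reduced"
    if score >= 8:
        return "reduce to under 8 where possible"
    return "acceptable"


def assess(rows):
    """Score every (asset, threat, L, V, S) row and attach band and treatment."""
    results = []
    for asset, threat, likelihood, vulnerability, severity in rows:
        score = risk_score(likelihood, vulnerability, severity)
        results.append({"asset": asset, "threat": threat, "score": score,
                        "band": legend_band(score),
                        "treatment": treatment(score)})
    return results


def group_averages(results):
    """Average score per asset group, rounded to one decimal as in Table K-1."""
    by_asset = defaultdict(list)
    for row in results:
        by_asset[row["asset"]].append(row["score"])
    return {asset: round(sum(s) / len(s), 1) for asset, s in by_asset.items()}


def treatment_queue(results):
    """Rows scoring 8 or more, highest first (stable within equal scores)."""
    return sorted((r for r in results if r["score"] >= 8),
                  key=lambda r: -r["score"])


if __name__ == "__main__":
    assessed = assess(TABLE_K1)
    for row in treatment_queue(assessed):
        print(f'{row["score"]:>2}  {row["asset"]:<11} {row["threat"]:<38} {row["treatment"]}')
    print(group_averages(assessed))
```

On the Table K-1 example data no row exceeds 10, so nothing falls in the "not acceptable" range of Appendix E, while nine rows sit in the 8 to 10 band that the procedure would ideally bring under 8.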
Appendix L. IQA Old asset registry
Figure L.1 IQA old asset registry

User    Location      SN New        Operating System  Category    Status  Model           Purchase date
xxxxxx  2nd floor     6S31KN8Z30YZ  Windows XP Pro    Desktop PC  In use  Compaq D51c     2003-01-24
xxxxxx  2nd floor     6S31KN8Z30ZJ  Windows XP Pro    Desktop PC  In use  Compaq D51c     2003-01-24
xxxxxx  2nd floor     6S31KN8Z30Z8  Windows XP Pro    Desktop PC  In use  Compaq D51c     2003-01-24
xxxxxx  2nd floor     6S31KN8Z30ZF  Windows XP Pro    Desktop PC  In use  Compaq D51c     2003-01-24
xxxxxx  Basement      6S31KN8Z30Y3  Windows XP Pro    Desktop PC  In use  Compaq D51c
xxxxxx  Basement      6S31KN8Z30Z4  Windows XP Pro    Desktop PC  In use  Compaq D51c
xxxxxx  Ground Floor  PC4773        Windows 2000      Desktop PC  In use  Dimension 8200  2001-03-01
xxxxxx  2nd floor                   Windows 2000      Desktop PC  In use                  1999-11-01
xxxxxx  5th floor     G85270J       Windows 2000      Desktop PC  In use  Optiplex GX150  1999-01-01
xxxxxx  4th floor     6S31KN8Z30X0  Windows XP Pro    Desktop PC  In use  Compaq D51c     2003-01-24
xxxxxx  4th floor     6S31KN8Z30XF  Windows XP Pro    Desktop PC  In use  Compaq D51c     2003-01-24
Appendix M. IQA IT Management system Asset registry
Figure M.1
New IQA asset registry
Figure M.2
Detailed view of asset registry
Appendix N. IQA Licence control
Figure N.1
IQA Licence control
Note that information in this image has been concealed for security reasons and to
comply with the data protection act.
Appendix O. IQA Email house keeping
A structured approach to E-Mail storage
1. The Problem
We are fast running out of storage capacity for our emails. Because having a working email
facility is business critical for all the IQA, this situation is serious.
Why has this happened?
Two reasons; A sharp increase in email usage generally and poor housekeeping of our email
accounts (see later in this document for list of major users of storage).
At the moment there are no set limits or control over staff e-mail accounts. And because filing
and retrieving emails is a very easy way of storing information there is a tendency amongst
most of us to keep almost everything.
Unfortunately, this carefree approach has got us into trouble. And referencing the graphic
below, unless we take action very soon, we will be in serious trouble. I.e. we won’t have an
email service. We have a total of 20 GB available for all emails and going by trend we will
have used all of that before the end of this year. We have already used some of the space we
need to rectify problems when they occur and an example of the problems this causes is the
email crash in April this year. The system was down for 3 days when, with more space
available we could have had it operational in less than a day.
Figure O.1
Email Growth, actual and projected
Why not simply fit some more capacity?
Two reasons why not. While hard drives are inexpensive, fitting them is not. IT would need to
take the network off line for around 72 hours while the drives were fitted and bring in IT
specialists to restructure the whole system. And the second reason is demonstrated by the
graph above. Our usage is growing so fast (it’s not linear, it’s more logarithmic) that even
doubling our capacity would serve only to delay the inevitable.
What we need is a change in our practices.
2. The Solution
IT’s approach to this is simple. We have allocated space to those public folders which require
more capacity, e.g. for sending out bulk emails and for publishing, who routinely use large
graphics files. We have also identified some public folders that have low usage and have
allocated these a small amount. Then we divide the remaining capacity by the number of
normal user accounts, i.e. every ‘normal’ account receives the same amount of storage. For
our calculations we have estimated 65 user accounts, a few more than we have staff, but we
are allowing for a little growth.
This leaves us with 250,000 KB per person. Not a great deal when you consider the size of
the accounts some heavy users currently have, but sufficient if the appropriate housekeeping
practices are followed.
When a suitable opportunity arises, we plan to add more capacity. But until then (and even
after) there is no long term substitute for effective housekeeping.
How to do ‘Housekeeping’
Either delete the email –by far the majority of emails are routine ones which you will never
refer to again,
Or
Delete the attachment (most space is taken up with attachments, especially spreadsheets
and graphics files, and you can remove these by opening the email, right-clicking and
selecting the remove attachment option),
Or
Archive old emails or those you only need to access rarely onto your ‘H’ drive. If your H drive
is nearing its capacity (every user’s H drive has a limit just as we now have for our email
account) then this option may not be a long term solution because all this will achieve is to
transfer the space problem from the email system to the H drive.
And/or
Then transfer the archive file(s) to CD. This is by far the most effective housekeeping method
and IT are preparing guidance on how to do this. Please note that for information security
purposes not all users will be able to transfer files to CD. The rights to transfer files to CD will
be decided by Directors and Managers. See your manager for clarification.
And
Make sure you notify IT when an email account is no longer needed. Each account has
250,000 KB allocated and as there are currently a sizeable number of ‘orphaned’ accounts,
each unused account reduces the capacity available for other, active users. See later in this
document for a list of orphaned accounts. If you recognize any as coming under your control,
please let IT know that either you wish these to remain (your name will be added as the
owner of that account) or you are happy that the account(s) is deleted. IT will remove any
accounts unclaimed after 1 October on the assumption that they are no longer active or
needed.
And
When sending documents internally, use links to documents instead of attaching copies.
Outlook makes it very easy to link documents and if your recipients have access to the folder
in which the document is located, all they need do to access that document is to click on the
link.
And
Don’t forget to do housekeeping on your ‘Sent Items’ folder!
And
Let IT know when a user has left the IQA. Remember that each user account deleted means
another 250,000 KB available for other users.
And
Regularly empty your ‘Deleted Items’ folder.
How to check your usage level
You can monitor the amount of storage you are using yourself. Right click on ‘Mailbox –Your
Name’ and select ‘Properties for “Mailbox –Your Name”, and select the ‘Folder Size’ option
from the ‘General’ menu. Select the ‘Server Data’ tab (Users with laptops that are configured
to work offline will see an additional tab marked ‘Local data’. Ignore this). The figure you are
looking for is ‘Total size (including subfolders)’ and it will be expressed in KB. You can then
compare your usage with the current limit of 250,000 (KB).
How IT will manage this system
Each user will be restricted to the 250,000 KB limit. IT will apply settings that will not allow any
more email activity once that limit has been reached. Shortly before the limit is reached the
system will automatically send you advice that the user is approaching the limit.
If the user fails to take appropriate action and the limit is reached, no emails will be sent or
received. Incoming emails won’t be lost, they will simply not be able to be downloaded and
accessed. As soon as capacity is released through housekeeping the ‘blocked’ emails will
become available.
When will we commence this system?
The limits will be applied from 1 October. This gives those users currently over the 250,000
KB limit a month (September) in which to reduce their usage.
Does this approach sound draconian? Maybe, but consider the alternative of not having an
email service and it begins to make sense.
Appendix P. IQA Form for new staff members
A New Staff Member
What to do?
When you have a new member of staff you would most likely require a computer to
be prepared and the telephone to be working.
To get this done you will need to inform the IT department and give a minimum of
two weeks notice. The IT department will need to know a couple of things:
Personal Details
First name: Joe
Surname: Bloggs
Title: Mr.
Starting Date: 28/10/2005
Temp worker:
Leaving Date:
Organisation: IQA
Department: Facilities
Supervisor: Manager XYZ
Replaced Person:
Workplace information
Computer number:
Programs
Columns: Programs; Required Training?; Installed / Checked; and, marked ‘IT Department only’,
Person in charge, Date, Comment.
Programs listed: Accounting, Office, Acrobat Reader, Acrobat Writer, Albacs, Adobe, Illustrator,
Photoshop, Crystal Reports, Dynamics, FRX, Integra, Internet Access, Lloyds Link, Contribute 3,
MS Office, MS Visio, Quark, WinZip, WS_FTP.
The ‘Required Training?’ column reads ‘none’ throughout the sample form.
Security Group¹:
Other than own department:
Has Manager of the other department been notified? YES / NO
Email Group¹:
Other than own department:
Has Manager of the other department been notified? YES / NO
Other important information:
Supervisor Details
First name: Joe
Surname: Bloggs
Supervisor's substitute:
Extension number: 299
Organisation: IQA
Department: Facilities
Fill out date: 28/10/2005
Note:
Please send an email to the person in charge in the IT Department and attach this
document. Furthermore, please make sure that you mention the name of the new
person in the email.
Please keep in mind that although your IT department always wishes to come to your
aid, sometimes it can be so busy that if you notify them too late they are simply
unable to accommodate you in time.
¹ Manager also has to notify the IT Department, e.g. via email.
IT - Department only!
To-Do’s in the department
(Columns: Program, Action, Done, Comment)
Active Directory
• Create user and an email address
• Check user's role
• Check profile and home directory
• Add email to distribution groups
Integra
• Add user to Integra Database(s)
• Check Mail merge / Copy folder
Telephone System
• Add / replace user
• Configure Telephone System
IT Management System
• Apply changes to Inventory
• Add user
To-Do’s at local PC
• General settings
• ODBC settings Integra
• East Asian Language Packs
• Standard Applications
• Sophos
• Telephone Manager
Checked by 2nd IT Person
Name:
Date:
Appendix Q. IQA Staff IT test form
IT assessment test
It will take about 30 – 45 minutes to finish the test. Please read and follow the
instructions accurately! The brackets () are used to indicate a variable text.
Such as (your name) means we want you to type something like: Joe Bloggs
and not (Joe Bloggs). Dates are always as in 2005-09-26.
Good luck!
1) Which program is associated with the “.doc” file extension?
………………………………………………………………………………………
Search for the folder IT Test in the S-drive using the Windows Explorer.
There you find more documents that you may need.
2) Create a new folder in your H-drive and name it with ‘IT Test (your
name)’. Copy all the files of the IT Test folder to that folder.
3) Open the ‘2004-08-24 - Word Example.doc’ file and follow these
instructions:
a) Change the heading to underlined, bold
b) Add your name and address underneath the headline
c) Change the alignment of the address to the right side, the font to
“Courier New” and the style to Italic.
d) Create a header and footer for the document, including the page
number
Save the document in your folder (H-drive) with a different name:
(today’s date) - (your name) - word test.doc
4) Open Microsoft Office Power Point with a blank sheet and insert a clipart
of a Computer. Save the document to your folder, name it
(today’s date) - (your name) - power point test.ppt, close the Power
Point application and go to your directory as created in question 2, using
the Windows Explorer.
5) Create a shortcut on the desktop of your folder you created in question 2.
6) Make a screenshot of your desktop, insert it in the Microsoft Office Word
document created in question 3 and save.
7) Let’s assume an application is hanging for some reason. Would you open
the task manager? Please state the reason for your decision.
………………………………………………………………………………………
………………………………………………………………………………………
8) To edit a PDF file you will use:
a) Adobe Reader
b) Microsoft Notepad
c) Adobe Acrobat Professional
d) none of the above
9) During your annual vacation someone has changed the screen resolution
of your computer. It’s impossible to work with the new setting and you
have to select another resolution. How would you achieve this?
………………………………………………………………………………………
………………………………………………………………………………………
10) Open the file ‘2004-08-24 - Excel Example.xls’ and do the requested
calculations.
11) Save the Excel Example in your folder as:
(today’s date) - (your name) - excel test.xls
12) Windows XP has the capability to compress folders & files into ZIP
archives. Create a ZIP file of your IT Test folder. Your folder should
contain these documents:
• the word document from question 3,
• the power point presentation from question 4,
• the excel spreadsheet from question 12,
Name the file: ‘IT Test (your name).zip’
13) Open Microsoft Office Outlook 2003, create a new email to [email protected]
(add yourself as CC as well) and attach the following document:
• the ZIP file from question 12
If you don’t have the ZIP archive then attach the 3 documents from
question 12.
Call the email ‘IT Test from (your name)’. (Please do not send it yet.)
14) Have a look at the printers you are connected to and name the default
printer. Make a note of all your printers and indicate the default printer in
your email message.
15) Send the email.
WELL DONE!
Appendix R. Server Room Access policy
Server Room Access
Access to the server room must be strictly controlled to prevent any form of disaster (or
possible theft of equipment).
If at any point a form of disaster were to take place in the server room it must be
possible to track down who last accessed this room.
Possible disasters
Many things can go wrong due to user interface/interference. A short list with
examples:
• Unplugging server(s) from the network.
• Unplugging server(s) from the power supply.
• Modifying the switches and patches.
• Spilling a fluid on the server(s) causing a form of damage such as a short circuit.
• Trying to use the system console resulting in data loss, misconfiguration and
worse.
• Adjusting the air-conditioning system. Could result in overheating of equipment.
• Removing hard- and/or software. This would be theft, but when applied to servers
results in data loss and downtime.
Prevention of disaster
The servers are in a secured server room. To enter the room a key code is required.
The door of the server room will always close shut and to re-enter the key code must
be used again.
IT Staff will make sure that the server room door is locked upon leaving the office at
any time.
Non-IT staff are required to sign in and out, regardless of the time spent in the server
room. On the left hand side of the door is a log book for this purpose.
Staff in possession of the key code (authorized staff)
• Hidden for security reasons
Rules for unauthorized personnel
All personnel that need access to the server room, i.e. third party maintenance
personnel, must be supervised at all times. The authorized staff member that provides
access for unauthorized personnel will be fully responsible for their actions.
Server cabinets
For extra security the operating hardware is stored in so called 'server cabinets'. These
must remain locked at all times and should only be opened by IT Staff.
The keys
The keys for all cabinets and server cases are stored in the key cabinet. The key to the
key cabinet is stored in the IT office. The location is known to all IT Staff, but will
not be disclosed in this document since this document is available to all staff
(read-only).
The keys in the key cabinet are clearly marked so there can be no confusion on where
they fit.
Appendix S. Communications Policy
COMMUNICATIONS AND COMPUTER USE POLICY
The Institute reserves the right to review and revise this Policy to comply with any
future statutory or legal requirements or otherwise.
The Institute requires you to read the following carefully. You should seek
clarification from the Personnel Manager if there is any part you do not
understand.
This Policy should be read in conjunction with the other Institute policies, and
specifically in conjunction with the Data Protection Policy and with the
Disciplinary Policy and Procedures. It applies to everyone who uses and has
access to IQA information technology and communications.
1 INTRODUCTION
1.1 At the Institute (the ‘Institute’), communication plays an essential role in the
conduct of our business. We value your ability to communicate with colleagues,
customers and business contacts. The Institute invests substantially in
information technology and communications systems which enable you to work
more efficiently and effectively and it trusts you to use them responsibly.
1.2 How you communicate with people not only reflects on you as an individual,
but on the Institute as an organisation. Therefore although we will respect your
personal autonomy and privacy, we have established this Communications
Policy (the ‘Policy’) which lets you know what we expect from you and what
you can expect from us in your use of email, the internet and other means of
communication such as correspondence, fax, fixed line or mobile phones.
1.3 This Policy applies to you as an Institute employee, contractor or volunteer,
whatever your position: whether permanent, temporary or voluntary. For the
purposes of this Policy, all references to ‘employees’ shall include contractors
and agents. It also applies to members who have access to the systems of the
Institute.
1.4 Any inappropriate use of the Institute’s communications systems, whether
under this Policy or otherwise, may lead to disciplinary action being taken
against you under the Institute's disciplinary procedures, which may include
summary dismissal.
1.5 It is important that you read this Policy carefully. If there is anything that you do
not understand, please discuss it with your line manager. Once you have read
and understood this Policy thoroughly, you must sign the original copy of the
Policy, then return it to the Personnel Manager and retain a copy for your own
reference.
1.6 For the purposes of this Policy all references to “third party” apply to you as
an Institute employee, contractor or volunteer, whatever your position: whether
temporary, permanent or voluntary. It also applies to members who have
access to the systems of the Institute.
2 THE INSTITUTE’S POLICY STATEMENT
2.1 We trust you to use the information technology and communications facilities
we provide to you sensibly, professionally, lawfully, consistently with your
duties, with respect for your colleagues and in accordance with this Policy and
the Institute’s rules and procedures.
3 GENERAL PRINCIPLES
3.1 All information relating to our members and business operations is confidential.
You must treat the Institute’s paper-based and electronic information with
utmost care.
3.2 Care must be taken when using email as a means of communication as all
expressions of fact, intention and opinion via email may bind you and/or the
Institute and can be produced in court in the same way as oral or written
statements.
3.3 We trust you to use the internet sensibly. Bear in mind at all times that when
visiting an internet site your IP address may be logged. Therefore any activity
you engage in may affect the Institute.
3.4 The advantage of the internet and email is that it is an extremely easy and
informal way of accessing and disseminating information. However, the same
principles apply to information exchanged in this way as apply under the terms
of your employment contract to any other means of communication. For
example, sending defamatory, sexist or racist jokes or other material by email
and any other form of communication are grounds for an action for
defamation, harassment or incitement to racial hatred in the same way as
making defamatory, sexist or racist comments verbally to a colleague.
3.5 Therefore, do not use the internet and email for purposes which would be
subject to disciplinary or legal action in any other context. If you are in doubt
about a course of action, take advice from your line manager.
3.6 As an employee, contractor, or member of the Institute you should exercise due
care when collecting, processing or disclosing any personal data and only
process personal data on behalf of the Institute where it is necessary for your
duties.
3.7 Although email and internet access is intended to be used for business purposes,
we appreciate that you may occasionally want to use the system and/or the
facilities for your own purposes and we expect you to use them responsibly.
3.8 However, retrieval, downloading and storage of any material, for example music,
video clips or any other media, for purposes not directly related to your work
activities on any storage device, for example a memory stick or the C drive or
on your home directory, currently the H drive, are not permitted for reasons of
network storage and possible legal infringements of copyright and royalties.
3.8 Generally, all aspects of communication are protected by intellectual property
rights which may be infringed by copying. Downloading, copying, possessing
and distributing material from the internet may be an infringement of copyright
or other intellectual property rights. Therefore, any such activity should only be
undertaken where you are satisfied that no such breach will arise, for example,
where the internet site clearly states that permission to download is granted.
You should only use the material in accordance with any purposes which are
specified on the site.
4 MONITORING COMMUNICATIONS
4.1 This Policy is intended to take into account legislation which aims to ensure a
minimum level of personal privacy for employees in their employment, for
contractors in their work and members in their role. Therefore the Institute is
taking this opportunity to draw a distinction between personal and private
communications.
4.2 We will not monitor personal communications except for traffic and billing data
at a network level. We will not look at the content of personal communications.
However, if the IQA discovers any evidence that this Policy is being abused, the
Institute reserves the right to withdraw from individual employees or groups of
employees the facility to send and receive personal communications by
particular methods. For example, abuse of the internet or email system may
result in the withdrawal of the right to use either for personal use and may lead
to disciplinary action being taken against you under the Institute's disciplinary
procedures, which may include summary dismissal.
4.3 As the Institute will not intercept personal communications, the Institute
cannot exercise the rights and obligations of a data controller under the Data
Protection Act 1998 in relation to your personal communications. As an
Institute employee, contractor or member, you must not use our
communications systems for business purposes; for example, renting out holiday
cottages is a private business purpose and as such is not permitted.
4.4 The Institute will respect your privacy and autonomy in your business
communications. However, in certain circumstances it may sometimes be
necessary to access and record your business communications for the Institute’s
business purposes which include the following:
a. providing evidence of business transactions;
b. making sure the Institute’s business procedures are adhered to;
c. training and monitoring standards of service;
d. preventing or detecting unauthorised use of the Institute’s
communications systems or criminal activities; and
e. maintaining the effective operation of the Institute’s communication
systems.
THE INSTITUTE’S PROCEDURES
5 USE OF ELECTRONIC MAIL
5.1 You should expressly agree with the recipient of your intended email that the
use of email is an acceptable form of communication, bearing in mind that if the
material is confidential, privileged, price sensitive or commercially sensitive,
unencrypted email is not secure and should not be sent in this way.
5.2 Some intended recipients may have rigorous email gateway protocols; if this is
the case, consider whether this means of communication is appropriate.
5.3 If you wish to encrypt your message, please consult your line manager or IT
support.
5.4 A copy of our currently approved email designation notice for business emails is
attached to all IQA internal and external e-mails and in no circumstances must
it be altered.
5.5 Activate the recipient read receipt mechanism.
5.6 Do not impersonate any other person when using email or amend any messages
received unless you are specifically authorised to do so. The IT department will
advise on alternative methods of access.
5.7 It is good practice to re-read emails before sending them as emails cannot be
retrieved once they have been sent.
6 USE OF INTERNET, INTRANET and EXTRANET
6.1 When entering an internet site, always read and comply with the terms and
conditions governing its use.
6.2 Do not download, retrieve or store any images, music, video clips, text or
material which are copyright protected other than for private study.
6.3 If you are involved in creating, amending or deleting our web pages or content
on our websites, including any intranet or extranet site, such work should be
consistent with your responsibilities and be in our best interests. Always ensure
that the proper vetting procedures have been complied with and the information
is accurate and up to date.
6.4 You are expressly prohibited from:
a. introducing packet-sniffing or password detecting software;
b. seeking to gain access to restricted areas of the network;
c. knowingly seeking to access data which you know, or ought to know,
to be confidential;
d. introducing any form of computer viruses; and
e. carrying out other hacking activities.
f. retrieving, downloading or storing any material such as music, video
clips, images etc. not directly related to your work activities.
6.5 For your information, the following activities are criminal offences under the
Computer Misuse Act 1990:
a. unauthorised access to computer material (i.e. hacking);
b. unauthorised modification of computer material; and
c. unauthorised access with intent to commit and/or facilitate the
commission of further offences.
7 PERSONAL USE
7.1 Please ensure that your personal email and internet use:
a. does not interfere with the performance of your duties;
b. does not take priority over your work responsibilities;
c. does not incur unwarranted expense on the Institute;
d. does not have, is not intended to and could not be interpreted to have
a negative impact on the Institute in any way; and
e. is lawful and complies with this Policy.
7.2 You should be aware that the IQA cannot guarantee that any personal
information, for example credit card details given over the internet, by e-mail,
by any other form of communication or stored on the network, for example the
H drive, is secure from hacking or from any other fraudulent methods.
8 SYSTEM SECURITY
8.1 Do not use the system in any way which may damage, overload or affect the
performance of the system or the internal or external network.
8.2 Keep all confidential information secure, use it only for the purposes for which
that information has been provided and do not disclose it to any unauthorised
third party.
8.3 Keep your system passwords safe. Do not disclose them to anyone. It is advisable
to change your passwords from time to time for security purposes.
8.4 If you reveal your system password to a third party you will be held personally
liable if it is used maliciously or with fraudulent intent, and this may lead to
disciplinary action being taken against you under the Institute's disciplinary
procedures, which may include summary dismissal.
8.5 If you wish another member of staff to have access to your e-mail or your
personal directory, currently the H drive, please do not do so by revealing your
system password. The IT department can arrange access by alternative
methods.
8.6 If a document is highly commercially confidential or sensitive in nature, you
should store it in a private directory or an equivalent password protected
directory. When deleting such documents, ensure that you empty your
wastebasket as well. Bear in mind that documents in general directories can be
accessed by all employees who have general access.
8.7 Copies of confidential information should only be printed out as necessary,
retrieved from the printer immediately and stored or destroyed in an
appropriate manner.
8.8 Make sure you virus check all material which is downloaded from the internet
or received from any external source (e.g. as email attachments).
8.9 You must first obtain explicit permission from the IT department before
loading any executable or program files which you intend to install onto the
system from a CD or floppy disk (i.e. using your ‘A-drive’) or any other source.
9 WORKING REMOTELY
9.1 This Policy and the procedures in it apply to your use of the Institute’s systems
and to your use of our laptops and your own computer equipment when you
are working on the Institute’s business away from the Institute’s premises (i.e.
working remotely).
9.2 When you are working remotely you must:
a. password protect any work which relates to the Institute’s business so
that no other person can access your work and keep the password
secret;
b. position yourself so that your work cannot be overlooked by any other
person;
c. take reasonable precautions to safeguard the security of our laptop
computers,
d. any computer equipment on which you do the Institute’s business and
your passwords;
e. apply an appropriate level of security to any personal data which
comes into your knowledge, possession or control through your
employment with the Institute so that the personal data are protected
from theft, loss, destruction or damage and unauthorised access and
use;
f. inform the police and the Institute’s IT department as soon as possible
if a laptop in your possession or any computer equipment on which
you do the Institute’s work has been stolen; and
g. ensure that any work which you do remotely is saved on the Institute’s
system or transferred to the Institute’s system as soon as reasonably
practicable.
h. not retrieve, download or store any material such as music, video clips,
images etc. on IQA computer equipment.
10 DATA PROTECTION
10.1 Through your employment with, work for or membership of the Institute,
personal data will come into your knowledge, possession or control. In relation
to such personal data (excluding personal data contained in personal
communications) whether you are working or attending at the Institute’s
premises or working or contributing remotely, you must:
a. keep them secret and confidential and you must not disclose them to
any other person unless authorised to do so by the Institute. If in
doubt ask your line manager;
b. familiarise yourself with the Institute’s data protection Policy;
c. process personal data strictly in accordance with the Data Protection
Act 1998, the Institute’s data protection policy and other policies and
procedures issued by the Institute; and
d. not make personal or other inappropriate remarks about members or
colleagues on manual files or computer records since the subject of
such remarks has a right to see information the Institute holds on that
individual.
10.2 The Institute views any breach of the Data Protection Act 1998 and our data
protection policy as gross misconduct which may lead to summary dismissal
under our disciplinary procedures.
10.3 If you make or encourage another person to make an unauthorised disclosure
knowingly or recklessly you may be held criminally liable.
10.4 The Institute will provide data protection training which you must undertake if
requested to do so.
I have read through and fully understand the terms of the Policy. I also understand that
the Institute may amend this Policy from time to time and that I will be issued with an
amended copy.
Name in full: ………………………………….. Signed: ………………………………………
Date: ……………………………………….
Appendix T. Overview of implementation of BS7799 at IQA
Appendix T provides an overview of the work that was done at the IQA in order to
implement BS7799.
Below is a list of 28 policies / procedures / workflows that were created or revised during
the implementation of BS7799.
• Agreement on network access and data ownership
• Assets and their risk level document
• Asset owner history is now recorded in the IT Management system
• Backup schedule and procedures
• Communications and computer use policy, including regulation on internet
use, use of the local area network and email
• Control of portable assets such as laptops and memory sticks
• Escort of visitors and contractors
• Forms for new staff stating their IT requirements, including IT security
requirements
• Forms for staff leaving, ensuring that user accounts could not be used by the
leaving staff member after their last day of work at the IQA
• Housekeeping policy and procedure of email (due to the space required for
repairing email databases)
• Installation and improved control of Sophos Anti Virus software
• IT Test (a test used to screen IT knowledge of new and current staff)
• Licensing control using the IT Management system in combination with
Active Directory which in turn is used to assign and distribute software
applications to computers
• Logging of security incidents in the IQA IT Management system
• New and better manageable way of asset registration
• New group policies for staff working remotely, for example staff in Japan
(teleworking)
• New policy on desktop use by visitors and trainers
• Password policy change (adhering to Microsoft password policies)
• Risk assessment document
• Risk treatment plan
• Schedules for backup restore testing
• Scope statement
• Secure internet connection for remote workers (teleworking)
• Security policy
• Server room access policy
• Statement of applicability (be aware that this is 15 pages and takes over 3 days
to write)
• The front door to the basement is now locked after use by the cleaners
• Warranty and financial information is now linked directly to assets in the IT
Management system
A total of at least 40 policies / procedures / workflows were written or revised during
implementation of BS7799. The policies are mostly group policies applied in Active
Directory, part of the Microsoft Windows Server 2003 operating system. These are
not common documents that can be read with a word processor. Examples are the
restrictions on user accounts for teleworkers, trainers and visitors.
At the IQA from the IT perspective alone we cover over 400 assets. These include
over 15 asset groups such as desktops, laptops, servers, backup USB devices,
monitors, USB sticks, telecoms equipment, licenses, warranty agreements,
contracts etc.
The BS7799 ISMS influences about 60 staff spread over 14 departments.
It took over three months to implement BS7799 with still many extra policies,
procedures and workflows to be implemented.
For this project two IT staff members followed a BS7799 Lead Auditor course and
three staff members followed BS7799 workshops.