
British standards BS

The first part of the standard, titled (in its Russian translation) "Information Security Management. Code of Practice", contains a systematic, very complete and universal list of security controls that is useful for organizations of almost any size, structure and field of activity. It is intended as a reference document for the managers and staff responsible for planning, implementing and maintaining an organization's internal information security system.

According to the standard, the goal of information security is to ensure the uninterrupted operation of the organization and, if possible, prevent and/or minimize damage from security breaches.

Information security management makes it possible to share information while protecting both the information itself and the computing resources that process it.

It is emphasized that protective measures are much cheaper and more effective if they are included in Information Systems and services at the requirements and design stages.

The security controls proposed in the first part of the standard are divided into ten groups:

  • security policy;
  • organization-wide aspects of security;
  • classification and management of assets;
  • personnel security;
  • physical and environmental security;
  • administration of systems and networks;
  • access control to systems and networks;
  • development and maintenance of information systems;
  • business continuity management (keeping the organization running without interruption);
  • compliance monitoring.

The standard identifies ten key controls that are either mandatory under current legislation or are considered the basic building blocks of information security. These are:

  • an information security policy document;
  • allocation of responsibilities for ensuring information security;
  • training and preparation of personnel to maintain the information security regime;
  • reporting of security incidents;
  • antivirus controls;
  • business continuity planning for the organization;
  • control over the copying of software protected by copyright law;
  • protection of documents;
  • data protection;
  • monitoring of compliance with the security policy.

To provide an increased level of protection for particularly valuable resources, or to counter an attacker with an exceptionally high attack potential, additional and stronger measures that are not covered by the standard may be required.

The following factors are identified as decisive for the successful implementation of an information security system in an organization:

  • security goals and their implementation should be based on business objectives and requirements, and the security management function must be assumed by the organization's management;
  • clear support for and commitment to security from senior management is required;
  • a good understanding of the risks (both threats and vulnerabilities) to which the organization's assets are exposed, and an adequate understanding of the value of those assets, is required;
  • all managers and ordinary employees of the organization must be familiarized with the security system.

In the second part of BS 7799-2:2002 "Systems

The British Standards Institution (BSI), with contributions from commercial organizations such as Shell, National Westminster Bank, Midland Bank, Unilever, British Telecommunications, Marks & Spencer, Logica and others, developed an information security standard that was adopted in 1995 as the national standard BS 7799 for managing an organization's information security, regardless of the company's field of activity.

Under this standard, any security service, IT department or company management must work according to common rules, regardless of whether paper documents or electronic data are being protected. Currently, the British standard BS 7799 is supported in 27 countries, including the countries of the British Commonwealth as well as Sweden and the Netherlands. In 2000, ISO, taking the British BS 7799 as its basis, developed and published the international security management standard ISO/IEC 17799. Today it can be argued that BS 7799 and ISO 17799 are one and the same standard, which has worldwide recognition and the status of an international ISO standard.

However, it should be noted that the original content of the BS 7799 standard, which is still used in a number of countries, consists of two parts. The first part covers the following areas:

  • security policy;
  • organization of security;
  • classification and management of information resources;
  • personnel management;
  • physical security;
  • administration of computer systems and networks;
  • access control to systems;
  • development and maintenance of systems;
  • planning the uninterrupted operation of the organization (business continuity);
  • checking the system for compliance with information security requirements.

"Part 2: System Specifications" (1998) considers these same aspects from the perspective of certifying an information system for compliance with the requirements of the standard.

It defines the possible functional specifications of corporate information security management systems from the point of view of verifying their compliance with the requirements of the first part of the standard. The procedure for auditing corporate information systems is also regulated in accordance with the provisions of this standard.

Additional recommendations for information security management are provided by the British Standards Institution (BSI) guidelines (http://www.bsi-global.com/), published between 1995 and 2003 in the following series:

  • Introduction to the problem of information security management (Information security management: an introduction).
  • Preparing for certification to the requirements of BS 7799 (Preparing for BS 7799 certification).
  • Guide to BS 7799 risk assessment and risk management.
  • Are you ready for a BS 7799 audit?
  • Guide to BS 7799 auditing.

Today the ISO/IEC Joint Technical Committee JTC 1 works together with the British Standards Institution (BSI, www.bsi-global.com) and, in particular, with UKAS (United Kingdom Accreditation Service), which accredits organizations for the right to audit information security in accordance with the BS ISO/IEC 7799:2000 standard (BS 7799-1:2000). Certificates issued by these bodies are recognized in many countries.

Note that if a company is certified to ISO 9001 or ISO 9002, BS ISO/IEC 7799:2000 (BS 7799-1:2000) allows the certification of an information security system to be combined with certification for compliance with ISO 9001 or 9002, both at the initial stage and during surveillance checks. To do this, an auditor registered under BS ISO/IEC 7799:2000 (BS 7799-1:2000) must take part in the combined certification. At the same time, the joint audit plans should clearly indicate the procedures for verifying the information security system, and the certification bodies should ensure that the information security verification is thorough.

The progenitor of international information security management standards, the British BS 7799, has long gone beyond national boundaries. Its first part, BS 7799-1, was developed in 1995 by order of the UK government. At the beginning of 2006, the British introduced a new standard in the field of information security risk management - BS 7799-3, which will later receive the index 27005.

There are many areas of management: production, finance, sales, purchasing, personnel and so on. With the development of modern high-tech business, the importance of such areas as information technology, information security, quality and the environment has grown. This is evidenced by the growing worldwide popularity of the corresponding international standards of the ISO 2700x, ISO 2000x, ISO 900x and ISO 1400x series. The basic principles of management are, by and large, the same for all areas, so the corresponding management systems complement each other, forming the organization's integrated management system (IMS). It is difficult to overestimate the contribution of the British Standards Institution (BSI) to the development of international standards for organizational management, including integrated management systems, which are the subject of the BSI BIP 2000 series of publications.

Following the widespread dissemination of ISO 9001 and quality management systems, international information security management standards - ISO/IEC 27001/17799 - have finally begun to take root in Russia. They have become available in Russian, a public discussion has begun on draft relevant national information security standards GOST R ISO/IEC 27001 and GOST R ISO/IEC 17799, and certification services are gradually becoming more widespread.

The progenitor of the international standards for information security management is the British standard BS 7799. Its first part, BS 7799-1 "Code of practice for information security management", was developed by BSI in 1995 at the request of the UK government. As the title suggests, this document is a practical guide to managing information security in an organization. It describes the 10 areas and 127 controls required to build an ISMS, defined on the basis of the best practices in use worldwide. In 1998, the second part of this British standard appeared, BS 7799-2 "Information security management systems. Specification with guidance for use", which defined the general model for building an ISMS and the set of mandatory requirements against which certification must be carried out. With the advent of the second part of BS 7799, which defined what an ISMS should be, the active development of a certification system in the field of security management began. In 1999, both parts of BS 7799 were revised and harmonized with the international management system standards ISO 9001 and ISO 14001, and a year later the ISO technical committee adopted BS 7799-1 without change as the international standard ISO/IEC 17799:2000.

The second part of BS 7799 was revised in 2002, and at the end of 2005 it was adopted by ISO as the international standard ISO/IEC 27001:2005 "Information technology. Security techniques. Information security management systems. Requirements". At the same time, the first part of the standard was updated. With the release of ISO 27001, the ISMS specification acquired international status, and a significant increase in the role and prestige of ISMS certification to ISO 27001 can now be expected.

The 2700x family of international security management standards continues to evolve rapidly. According to ISO plans, it will include standards defining requirements for an ISMS, a risk management system, metrics and measurement of the effectiveness of controls, as well as implementation guidance. This family of standards will use a sequential numbering scheme from 27000 onwards. ISO/IEC 17799:2005 will subsequently be renamed ISO/IEC 27002. A draft ISO/IEC 27000 standard is also in development, which will contain basic principles and definitions and will be unified with the popular IT management standards: COBIT and ITIL.

At the beginning of 2006, a new British national standard in the field of information security risk management, BS 7799-3, was adopted; it will subsequently receive the index 27005. Work is also under way on standards for implementing an ISMS and for measuring its effectiveness, which will receive the indexes 27003 and 27004 respectively. Publication of these international standards is planned for 2007.

History of BS 7799

According to the ISMS user group that maintains the international registry of certificates, as of August 2006, there were more than 2,800 organizations from 66 countries certified to ISO 27001 (BS 7799), including four Russian companies. Among the certified organizations are the largest IT companies, banking and financial sector, enterprises in the fuel and energy sector and the telecommunications sector. It is expected that the number of certificate holders in Russia in 2007 will reach several dozen.

7799/17799/27001: pros and cons

BS 7799 has gradually become the "principal information security standard". However, when ISO discussed the first edition of the international standard ISO 17799 in August 2000, consensus was difficult to achieve. The document caused a lot of criticism from representatives of leading IT powers, who argued that it did not meet the basic criteria for international standards.

“There was no way to compare this document with all the other safety work ever reviewed by ISO,” says Gene Troy, the US representative on the ISO technical committee.

Several countries, including the USA, Canada, France and Germany, opposed the adoption of ISO 17799. In their opinion, the document is good as a set of recommendations, but not as a standard. In the USA and in European countries, a huge amount of work on standardizing information security had already been done before 2000. "There are several different approaches to IT security. We believed that in order to get a truly acceptable international standard, all of them should be taken into consideration, rather than taking one of the documents and hastily agreeing on it," says Gene Troy. "The master security standard was presented as a fait accompli, and there was simply no way to build on other work done in this area."

BSI representatives countered that the work in question dealt primarily with technical aspects and BS 7799 was never considered a technical standard. Unlike other security standards, such as Commonly Accepted Security Practices and Regulations (CASPR) or ISO 15408/Common Criteria, it defines the basic non-technical aspects of protecting information presented in any form. “It should be like this because it is intended for all types of organizations and external environments,” says BSI spokesman Steve Tyler. “It is an information security management document, not a catalog of IT products.”

Despite all the objections, the authority of the BSI (which is the founder of ISO, the main developer of international standards and the main certification body in the world) prevailed. An accelerated approval procedure was launched and the standard was soon adopted.

The main advantage of ISO 17799 is its flexibility and universality. The set of best practices it describes is applicable to almost any organization, regardless of form of ownership, type of activity, size and external conditions. It is technology-neutral and always leaves the choice of technologies open.

When questions arise: “Where to start?”, “How to manage information security?”, “What criteria should be audited against?” — this standard will help determine the right direction and not lose sight of important points. It can also be used as an authoritative source and one of the tools for “selling” security to the management of the organization, defining criteria and justifying the costs of information security.

However, flexibility and versatility are also the Achilles heel of this standard. Critics say ISO 17799 is too abstract and loosely structured to be of real value. Insufficiently thorough use of it can give a false sense of security.

ISO 17799 describes security measures in general terms, but says nothing about the technical aspects of their implementation. For example, the standard recommends the use of access control mechanisms and names specific technologies such as USB keys, smart cards, certificates and so on. However, it does not consider the advantages and disadvantages of these technologies, or the specifics and methods of their application.

Alexander Astakhov
