British Standard BS 7799

The first part of the standard, titled in Russian translation "Information Security Management. Code of Practice", contains a systematic, very complete and universal list of security controls, useful for organizations of almost any size, structure and field of activity. It is intended to be used as a reference document by managers and staff responsible for planning, implementing and maintaining an internal information security system.

According to the standard, the goal of information security is to ensure the smooth operation of the organization and, as far as possible, to prevent and/or minimize damage from security breaches.

Information security management allows data to be shared while protecting both the data itself and the computing resources that hold it.

It is emphasized that protective measures turn out to be much cheaper and more effective if they are built into information systems and services at the requirements and design stages.

The security controls proposed in the first part of the standard are divided into ten groups:

  • security policy;
  • organizational aspects of security;
  • asset classification and management;
  • personnel security;
  • physical and environmental security;
  • administration of systems and networks;
  • control of access to systems and networks;
  • development and maintenance of information systems;
  • business continuity management;
  • compliance monitoring.

The standard identifies ten key controls that are either mandatory under applicable law or are considered the main structural elements of information security. These include:

  • an information security policy document;
  • allocation of responsibilities for information security;
  • education and training of personnel to maintain the information security regime;
  • reporting of security breaches;
  • antivirus tools;
  • the organization's business continuity planning process;
  • control over the copying of software protected by copyright law;
  • protection of documentation;
  • data protection;
  • monitoring of compliance with the security policy.

To provide an increased level of protection for particularly valuable resources or to counter an attacker with an exceptionally high attack potential, other (stronger) means may be required that are not considered in the standard.

The following factors have been identified as decisive for the successful implementation of an information security system in an organization:

  • security goals and the means of achieving them should be based on business tasks and requirements, and the security management function should be assumed by the organization's management;
  • clear support for and commitment to security on the part of senior management is needed;
  • a good understanding of the risks (both threats and vulnerabilities) to which the organization's assets are exposed, and an adequate understanding of the value of these assets, is required;
  • all managers and ordinary employees of the organization must be familiarized with the security system.

The second part of BS 7799-2:2002 "Systems

The British Standards Institution (BSI), with the participation of commercial organizations such as Shell, National Westminster Bank, Midland Bank, Unilever, British Telecommunications, Marks & Spencer, Logica and others, developed an information security standard, which in 1995 was adopted as the national standard BS 7799 for managing the information security of an organization, regardless of the company's field of activity.

Under this standard, any security service, IT department or company management must begin to work in accordance with the general regulations, regardless of whether paper documents or electronic data are being protected. Currently, the British Standard BS 7799 is supported in 27 countries, including the countries of the British Commonwealth, as well as Sweden and the Netherlands. In 2000, the International Organization for Standardization (ISO), taking the British BS 7799 as its basis, developed and released the international security management standard ISO/IEC 17799. Today it can be argued that BS 7799 and ISO 17799 are one and the same standard, which now has worldwide recognition and the status of an international ISO standard.

However, the original content of the BS 7799 standard, which is still used in a number of countries, should also be noted. It consists of two parts. The first part covers the following areas:

  • security policy;
  • organization of security;
  • classification and management of information resources;
  • personnel management;
  • physical security;
  • administration of computer systems and networks;
  • management of access to systems;
  • development and maintenance of systems;
  • business continuity planning;
  • checking the system for compliance with information security requirements.

"Part 2: System Specifications" (1998) considers these same aspects from the standpoint of certifying an information system as meeting the requirements of the standard.

It defines possible functional specifications for corporate information security management systems in terms of their verification against the requirements of the first part of this standard. In accordance with the provisions of this standard, the procedure for auditing corporate information systems is also regulated.

Additional recommendations on information security management are contained in the British Standards Institution (BSI, http://www.bsi-global.com/) publications issued between 1995 and 2003 in the following series:

  • Information security management: an introduction (an introduction to the problem of information security management);
  • Preparing for BS 7799 certification (certification options for BS 7799);
  • Guide to BS 7799 risk assessment and risk management;
  • Are you ready for a BS 7799 audit?;
  • Guide to BS 7799 auditing (guidance on auditing against the requirements of the standard).

Today, certification against the standard is handled by the international Joint Technical Committee ISO/IEC JTC 1 together with the British Standards Institution (BSI, www.bsi-global.com) and, in particular, UKAS (United Kingdom Accreditation Service). The latter accredits organizations for the right to audit information security in accordance with BS ISO/IEC 7799:2000 (BS 7799-1:2000). The certificates issued by these bodies are recognized in many countries.

Note that where a company is certified against ISO 9001 or ISO 9002, BS ISO/IEC 7799:2000 (BS 7799-1:2000) allows certification of the information security system to be combined with certification for compliance with ISO 9001 or 9002, both at the initial stage and during surveillance audits. To do this, an auditor registered under BS ISO/IEC 7799:2000 (BS 7799-1:2000) must take part in the combined certification. At the same time, the joint audit plans must clearly indicate the procedures for checking the information security system, and the certifying bodies must ensure the thoroughness of the information security check.

The progenitor of the international information security management standards, the British BS 7799, has long since outgrown its national framework. Its first part, BS 7799-1, was developed in 1995 by order of the UK government. At the beginning of 2006, the British introduced a new standard in the field of information security risk management, BS 7799-3, which will later receive the index 27005.

There are many areas of management: production, finance, sales, purchasing, personnel and so on. With the development of modern high-tech business, the importance of such areas as information technology, information security, quality and the environment has grown. This is evidenced by the growing worldwide popularity of the relevant international standards of the ISO 2700x, ISO 2000x, ISO 900x and ISO 1400x series. The basic principles of management are by and large the same for all areas, so the corresponding management systems complement one another, forming the organization's integrated management system (IMS). It is difficult to overestimate the contribution of the British Standards Institution (BSI) to the development of international standards for organization management, including integrated management systems, which are the subject of the BSI BIP 2000 series of publications.

Following the widespread dissemination of ISO 9001 and quality management systems, the international information security management standards ISO/IEC 27001 and 17799 have finally begun to take root in Russia. They have become available in Russian, public discussion of the drafts of the corresponding national information security standards GOST R ISO/IEC 27001 and GOST R ISO/IEC 17799 has begun, and certification services are gradually spreading.

The progenitor of the international information security management standards is the British standard BS 7799. Its first part, BS 7799-1 "Code of practice for information security management", was developed by BSI in 1995 by order of the UK government. As the name suggests, this document is a practical guide to managing information security in an organization. It describes the 10 areas and 127 controls needed to build an ISMS, identified on the basis of the best examples from world practice. In 1998, the second part of this British standard appeared, BS 7799-2 "Information security management systems. Specification with guidance for use", which defined the general model for building an ISMS and the set of mandatory requirements against which certification is to be carried out. With the advent of the second part of BS 7799, which defined what an ISMS should be, the active development of a certification system in the field of security management began. In 1999, both parts of BS 7799 were revised and harmonized with the international management system standards ISO 9001 and ISO 14001, and a year later the ISO technical committee adopted BS 7799-1 unchanged as the international standard ISO/IEC 17799:2000.

The second part of BS 7799 was revised in 2002, and at the end of 2005 it was adopted by ISO as the international standard ISO/IEC 27001:2005 "Information technology. Security techniques. Information security management systems. Requirements". At the same time, the first part of the standard was also updated. With the release of ISO 27001, ISMS specifications have gained international status, and a significant increase in the role and prestige of ISO 27001-certified ISMSs can now be expected.

The 2700x family of international security management standards continues to evolve. As planned by ISO, it will include standards defining ISMS requirements, a risk management system, metrics and measurements of the effectiveness of controls, and implementation guidance. This family of standards will use a sequential numbering scheme from 27000 onwards. ISO/IEC 17799:2005 will later be renamed ISO/IEC 27002. A draft ISO/IEC 27000 standard is also under development, which will contain the basic principles and definitions and will be unified with popular IT management standards: COBIT and ITIL.

In early 2006, a new British national information security risk management standard, BS 7799-3, was adopted, which will subsequently receive the index 27005. Work is also underway on standards for the implementation and for measuring the effectiveness of an ISMS, which will receive the indices 27003 and 27004 respectively. The release of these international standards is planned for 2007.

History of BS 7799

According to the ISMS user group, which maintains the international register of certificates, as of August 2006 more than 2800 organizations from 66 countries certified according to ISO 27001 (BS 7799) were registered worldwide, including four Russian companies. Among the certified organizations are the largest IT companies, banks and financial institutions, enterprises of the fuel and energy complex and the telecommunications sector. It is expected that the number of certificate holders in Russia will reach several dozen in 2007.

7799/17799/27001: for and against

BS 7799 has gradually become "the premier information security standard". However, when the first edition of the international standard ISO 17799 was discussed within ISO in August 2000, consensus was reached only with difficulty. The document drew a great deal of criticism from representatives of the leading IT powers, who argued that it did not meet the basic criteria for international standards.

“It wasn't even possible to compare this document with all the other security work ever considered by ISO,” says Gene Troy, US representative on the ISO technical committee.

Several states at once, including the USA, Canada, France and Germany, opposed the adoption of ISO 17799. In their opinion, this document is good as a set of recommendations, but not as a standard. In the USA and the European countries, a great deal of work on standardizing information security had already been done before 2000. "There are several different approaches to IT security. We believed that in order to get a truly acceptable international standard, all of them should be taken into consideration, instead of taking one of the documents and quickly agreeing on it," Troy says. "The main security standard was presented as a fait accompli, and it was simply not possible to use the results of other work done in this area."

BSI representatives objected that the works in question dealt mainly with technical aspects, whereas BS 7799 had never been conceived as a technical standard. Unlike other security standards such as Commonly Accepted Security Practices and Regulations (CASPR) or ISO 15408/Common Criteria, it defines the basic non-technical aspects of protecting information presented in any form. "It should be, as it is intended for all kinds of organizations and external environments," says BSI spokesman Steve Tyler. "It's an information security management document, not an IT product catalog."

Despite all objections, the authority of BSI (which is the founder of ISO, the main developer of international standards and the main certification body in the world) prevailed. An accelerated approval procedure was launched and the standard was soon adopted.

The main strength of ISO 17799 is its flexibility and versatility. The set of best practices it describes is applicable to almost any organization, regardless of its form of ownership, type of activity, size and external conditions. It is technology-neutral and always leaves the choice of technology open.

When the questions "Where do we start?", "How do we manage information security?" or "What criteria should we be audited against?" arise, this standard helps to set the right direction and not to lose sight of essential points. It can also be used as an authoritative source and as one of the tools for "selling" security to the organization's management, for defining criteria and for justifying the cost of information security.

However, flexibility and versatility are also the "Achilles' heel" of this standard. Critics say ISO 17799 is too abstract and too vaguely structured to be of real value. Applying it without sufficient rigour can give a false sense of security.

ISO 17799 describes security measures in general terms but says nothing about the technical aspects of their implementation. For example, the standard recommends the use of access control mechanisms and names specific technologies such as USB keys, smart cards, certificates and so on. However, it does not consider the advantages and disadvantages of these technologies, or the particulars and methods of their application.

Alexander Astakhov
