JISC : BS7799 Pilot Day One : Setting The Scene BS7799 : Should HEIs Use It - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
JISC BS7799 Pilot
Day One: Setting The Scene
BS7799: Should HEIs Use It?
2
Objectives of the Pilot
  • increase awareness
  • is the Standard appropriate, and does it need tailoring?
  • HEI maturity level
  • security inhibitors: how can JISC help?
  • desire for Certification
  • baseline Security Policy

3
Objectives of this meeting agreed
  • Why did you volunteer for the Pilot?
  • What are your impressions of BS7799?
  • Have you made any use of it and, if so, what?

4
BS7799: The Background
  • 1993 Code of Practice, drawing on industry best practice
  • contributors: DTI, BOC, DISC, BT, M&S, Midland, Nationwide, Shell, Unilever

5
Objectives of the Standard
  • to provide a common basis for companies to develop, implement and measure effective security management practice
  • to provide confidence in inter-company trading

6
Structure (the ten sections of the Standard)
  • security policy
  • security organisation
  • asset classification and control
  • personnel security
  • physical and environmental security
  • computer and network management
  • system access control
  • system development and maintenance
  • business continuity planning
  • compliance

7
Ten Key Controls
  • information security policy document
  • allocation of responsibilities
  • education and training
  • reporting of incidents
  • virus controls
  • business continuity planning process
  • control of proprietary copying
  • safeguarding company records
  • compliance with data protection
  • compliance with policy

8
  • What are your information security priorities today?
  • What decides their priority?

9
Early Principles: the three components of security
  • confidentiality: protecting information from unauthorised disclosure
  • integrity: safeguarding the accuracy and completeness of information
  • availability: ensuring that information is available to users when required

10
Purpose of Security
  • ensure business continuity
  • minimise business damage by preventing security incidents and minimising their impact
  • an enabling mechanism for information sharing
  • ensure the protection of an organisation's information and computing assets

11
Why Is Security Important?
  • information is an important business asset
  • it maintains competitive edge, cash-flow, profitability, legal compliance and a respected company image
  • the level of threats is increasing
  • organisations are becoming more vulnerable to those threats
  • the sooner you take action, the cheaper it is in the long run

12
Assumptions (about the Standard)
  • comprehensive
  • not all controls are relevant
  • may need to be augmented
  • business driven: use risk assessment
  • weigh the cost of controls against the business value of the information and the potential business harm

13
Critical Success Factors
  • activities led by business management
  • visible support and commitment from top management
  • based on business objectives and requirements
  • security must be effectively marketed
  • guidance must be available to all users

14
British Standard (1995): changes from the 1993 Code of Practice
  • few word changes
  • BSI speak
  • worse layout
  • more expensive

15
Part 2 (1998)
  • Part 1: controls and advice
  • Part 2: requirements
  • April 1998: Certification launched

16
Supporting Material
  • Information Security Management: An Introduction
  • Guide to risk assessment and management
  • Preparing for Certification
  • Are you ready for an audit?
  • Guide to BS7799 auditing

17
Certification
  • DISC are the scheme managers
  • third-party assessment of an organisation to see if it complies with BS7799
  • UKAS accredits the certification bodies
  • certification bodies use certified auditors
  • auditors have to pass written and oral tests

18
Certification Process
  • establish and maintain an information security management system
  • apply for certification
  • document review
  • actual audit: "show me"
  • pass/fail, with identification of non-compliances

19
Management Framework
  • security policy
  • scope
  • risk assessment
  • manage the risk
  • select controls
  • statement of applicability

20
What Else?
  • implement
  • document
  • control
  • record

21
Current position
  • pilots running; certificates issued
  • training requirements established
  • difficult to establish uptake
  • Standard being revised

22
So What Can We Do?
  • decide if BS7799 is appropriate
  • if so, decide how to use it
  • it's a roadmap: decide where you are
  • decide where you want (need?) to go
  • decide how to get there
  • get buy-in to the route and the speed

23
What Are The Options?
  • measure where you are and do nothing
  • find out how effective you are and plug the deficiencies
  • risk analysis: what to do next
  • prioritise
  • get buy-in
  • small steps

24
The organisation must support you
  • not security for security's sake
  • but because they know they need it
  • (or have signed off to say they accept the risks)

25
All Good Theoretical Stuff!
  • let's see what happens when theory hits reality
  • and build on that