Information Security Management of BS 7799 - Case Study Example

Summary
This paper "Information Security Management of BS 7799" focuses on the fact that BS 7799 is the most influential globally recognised standard for information security management systems around the world. Security and safeguard of information were handled very informally till the ’90s. …

Information Security Management of BS 7799

Introduction

BS 7799 is the most influential globally recognised standard for information security management systems around the world. Security and safeguarding of information were handled very informally until the 1990s, usually by the registry organisations through fax, letters etc. Today, in the age of extreme professionalism, there is a need for assurance that information will be safeguarded and handled properly. BS 7799 (BS 7799-2:2005), which now has the international number ISO 27001:2005, is the international best-practice information security management standard, defining and guiding Information Security Management System (ISMS) development.

History

Originally BS 7799 had the status of a Code of Practice. However, in April 1999, it became a formal two-part standard. Part 1 (the original Code of Practice) of the revised BS 7799 standard was re-titled "Code of Practice for Information Security Management" and provides guidance on best practices in information security management. Part 2, titled "Specification for Information Security Management Systems", forms the standard against which an organisation's own security management systems were to be assessed and certified.

In 1993 the UK DTI, in collaboration with a number of UK-based companies, introduced the ISM Code of Practice, incorporating the best information security practices in use whatever form the information takes: computer data, written, spoken or microfiche. The primary goal of the Code of Practice was to provide a common basis for organisations to develop, implement and measure effective information security management practice. A further aim was to provide confidence in inter-organisational dealings, i.e. registry/registrar interactions.

The gradual development occurred as follows:
1) Consultation (1993-1995)
2) COP becomes BS 7799:1995 (implementation, audit, programme)
3) BS 7799 Part 2: ISMS
4) Recognition as a suitable platform for ISM
5) ISO/IEC 17799:2000

In 1999, when the COP was split into two parts, BS 7799 Part 1 (now ISO/IEC 17799:2000) incorporated good security practice in 127 security guidelines, which can be drilled down into to provide 600 further controls. BS 7799 Part 2 is a framework for the ISMS: a means by which senior management can monitor and control their security, minimise the risks and ensure compliance. A third part, BS 7799 Part 3, was published in 2005 covering risk analysis and management.

Benefits of using ISO/IEC 17799:2000:
1) Increased business efficiencies
2) Reduced operational risks
3) Assurance that information security is being rationally applied

These benefits are achieved by ensuring that:
1) Security controls are justified
2) Policies and procedures are appropriate
3) Security awareness is good among staff and managers
4) All security-relevant information processing and supporting activities are auditable and are being audited
5) Internal audit and incident reporting/management mechanisms are being treated appropriately
6) Management actively focuses on information security and its effectiveness

Understanding BS 7799 Part 1
1) Security policy sets out what an information security policy must cover and why each business should have one.
2) Organisational security explains how an information security system is organised.
3) Asset classification and control considers information and information processing equipment as valuable assets to be managed and accounted for.
4) Personnel security details any personnel issues such as training, responsibilities, vetting procedures, and how staff respond to security incidents.
5) Physical and environmental security covers the physical aspects of security, including protection of equipment and information from physical harm, as well as physical control of access to information and equipment.
6) Communications and operations management examines correct management and secure operation of information processing facilities during day-to-day activities.
7) Access control covers control of access to information and systems on the basis of business and security needs.
8) System development and maintenance covers the design and maintenance of systems so that they are secure and maintain information integrity.
9) Business continuity management concerns the maintenance of essential business activities during adverse conditions, from coping with major disasters to minor, local issues.
10) Compliance concerns business compliance with relevant national and international laws, professional standards and any processes mandated by the Information Security Management System (ISMS).

BS 7799 IS DIVIDED INTO TEN MAIN SECTIONS

BS 7799 PART 1 SECTION 1: SECURITY POLICY

The security policy normally describes:
1) The organisation's requirements for information security
2) The scope of the Information Security Management System (ISMS), including business functions, areas and sites covered
3) The general philosophy towards information security

To be effective it should be clearly supported by senior management. Specific policies and procedures within the ISMS must be consistent with the security policy. If a person encounters a situation that is not specifically mentioned in detail, the security policy should be a good general guide to the actions required.

BS 7799 PART 1 SECTION 2: ORGANISATIONAL SECURITY

The organisational security section should describe:
1) How the organisation manages information security
2) The responsibilities of each relevant person, committee or forum, including responsibilities for creating, revising and following procedures and policies

Many companies will have a management structure that can support information security without major changes. In such companies, the only requirement may be that a few committees have 'information security report' as a standard agenda item. An organisational security structure should be detailed, indicating:
• Who staff can contact when they need help or advice
• Who staff should report to regarding security problems, difficulties or successes

At the top of the structure should be the Board (or equivalent), which has overall responsibility for the organisation. Those responsible for following the policies and procedures should be arranged in a hierarchy below this level. Organisational security must include temporary staff, contractors and third parties with access to sites, equipment, people or information.

BS 7799 PART 1 SECTION 3: ASSET CLASSIFICATION & CONTROL

Organisations are used to completing inventories of physical assets, for example computers, printers, machinery, vehicles etc. But information is also recognised as a vital asset for every organisation. The value of specific information will depend on factors such as:
• How much it cost to obtain
• How much it would cost to replace
• The extent of damage done to the organisation if it was disclosed to the public or a competitor

An Information Asset Register (IAR) should be created, detailing every information asset within the organisation.
For example:
• Databases
• Personnel records
• Scale models
• Prototypes
• Test samples
• Contracts
• Software licences
• Publicity material

The Information Asset Register (IAR) should also describe:
• Who is responsible for each information asset
• Any special requirements for confidentiality, integrity or availability

The value of each asset can then be determined to ensure appropriate security is in place.

BS 7799 PART 1 SECTION 4: PERSONNEL SECURITY

This covers aspects of job definitions and resourcing, to reduce the risk of human error and ensure that staff understand what their rights and responsibilities are concerning information security. Staff training is an important feature of personnel security, ensuring that the ISMS continues to be effective. Periodic refreshers on less frequently used parts of the ISMS, such as its role in disaster recovery plans, can make a major difference when there is a need to put the theory into practice.

BS 7799 PART 1 SECTION 5: PHYSICAL AND ENVIRONMENTAL SECURITY

This section details the physical aspects of access control to information and information systems. Ensuring that there is a proper environment for systems, records and staff is essential for maintaining confidentiality, integrity and availability of information.

BS 7799 PART 1 SECTION 6: COMMUNICATIONS AND OPERATIONS MANAGEMENT

The day-to-day operation of IT systems is fundamental to most organisations, and as such their security is vital. Keeping IT and communications systems secure is covered in this, the largest section of BS 7799. Everything from acceptance criteria for new or updated systems to virus defence software and incident management procedures is described. Many of the issues covered apply to every IT system, irrespective of size, purpose, or internal or external operation.
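The Information Asset Register of Section 3 above, with the responsibility and confidentiality/integrity/availability fields it should carry and the three valuation factors it names, can be modelled as a small script that checks the register and orders the assets for control justification. This is an added example and not part of the original essay or of the standard itself; the field names, the three-step rating scale, the worst-case valuation rule and the sample entries are this example's own assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional

# CIA requirement scale, lowest to highest (an assumed three-step scale;
# BS 7799 does not prescribe one).
RATINGS = ("low", "medium", "high")


def _rank(rating: str) -> int:
    """Position of a rating on the scale.

    An unrecognised rating ranks as "high" so that a typo in the register
    can never silently lower an asset's protection (fail closed)."""
    return RATINGS.index(rating) if rating in RATINGS else RATINGS.index("high")


@dataclass
class InformationAsset:
    """One row of the register. Field names are this example's own choice."""
    name: str
    owner: Optional[str]          # who is responsible for the asset
    cost_to_obtain: float         # the three valuation factors named in Section 3
    cost_to_replace: float
    disclosure_damage: float      # damage if disclosed to the public or a competitor
    confidentiality: str = "medium"
    integrity: str = "medium"
    availability: str = "medium"

    def value(self) -> float:
        """Value taken as the largest of the three factors: the worst case
        drives the protection needed, so the factors are not summed (an
        assumption of this example)."""
        return max(self.cost_to_obtain, self.cost_to_replace, self.disclosure_damage)

    def protection_level(self) -> str:
        """The highest of the C, I and A requirements sets the control tier."""
        highest = max(_rank(r) for r in (self.confidentiality, self.integrity, self.availability))
        return RATINGS[highest]


def validate_register(register: List[InformationAsset]) -> List[str]:
    """Findings an internal auditor would raise against the register:
    duplicate rows, assets with nobody responsible, negative costs and
    ratings outside the agreed scale."""
    findings: List[str] = []
    seen = set()
    for asset in register:
        if asset.name in seen:
            findings.append(f"{asset.name}: duplicate entry")
        seen.add(asset.name)
        if not asset.owner:
            findings.append(f"{asset.name}: no responsible owner recorded")
        if min(asset.cost_to_obtain, asset.cost_to_replace, asset.disclosure_damage) < 0:
            findings.append(f"{asset.name}: negative valuation factor")
        for attr in ("confidentiality", "integrity", "availability"):
            rating = getattr(asset, attr)
            if rating not in RATINGS:
                findings.append(f"{asset.name}: invalid {attr} rating {rating!r}")
    return findings


def prioritise(register: List[InformationAsset]) -> List[InformationAsset]:
    """Order assets so the most demanding protection level, then the highest
    value, comes first; this is the order in which controls are justified."""
    return sorted(register, key=lambda a: (_rank(a.protection_level()), a.value()), reverse=True)


# Constructed sample register; the entries and figures are invented.
SAMPLE_REGISTER = [
    InformationAsset("customer database", "Head of Sales", 50_000, 120_000, 400_000, "high", "high", "high"),
    InformationAsset("personnel records", "HR Manager", 10_000, 15_000, 250_000, "high", "medium", "low"),
    InformationAsset("publicity material", "Marketing Manager", 5_000, 5_000, 0, "low", "medium", "low"),
    InformationAsset("prototype CAD files", None, 300_000, 300_000, 900_000, "high", "high", "medium"),
    InformationAsset("software licences", "IT Manager", 20_000, 20_000, 1_000, "low", "medium", "hgih"),
]

if __name__ == "__main__":
    for finding in validate_register(SAMPLE_REGISTER):
        print("FINDING:", finding)
    for asset in prioritise(SAMPLE_REGISTER):
        print(f"{asset.protection_level():6} {asset.value():>10,.0f}  {asset.name}")
```

Run as a script it prints the two findings (an asset with no owner, a mistyped availability rating) and then the register ordered by protection level and value. The point for a practitioner is that the register only supports justifying controls once every asset has a responsible owner and a rating on an agreed scale; the fail-closed handling of the unrecognised rating means the mistyped row is still treated as needing high protection until it is corrected.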
Subsections of Communications and Operations Management include:
• Networks
• Handling computer media
• Electronic commerce
• E-mail
• Publicly available systems (such as websites)

BS 7799 PART 1 SECTION 7: ACCESS CONTROL

Access control is about managing direct access to:
• Information
• Computer applications
• Operating system facilities

Effective control ensures that staff have appropriate access to information and applications, and do not abuse it.

BS 7799 PART 1 SECTION 8: SYSTEM DEVELOPMENT AND MAINTENANCE

Designing a new system with security in mind is more likely to result in effective and workable security features than attempting to impose security on an existing (but insecure) system. This area includes:
• Security requirements analysis and specification
• Application security
• Use of cryptography
• Security of system files

BS 7799 PART 1 SECTION 9: BUSINESS CONTINUITY MANAGEMENT

Each organisation's business relies on its own staff, systems and, to some extent, other organisations. Anything from a burst water main to a terrorist attack in a foreign country can have a major effect on an organisation. As such, there must be a process for:
• Managing business continuity plans
• Business impact analysis
• Implementation and testing

Business continuity management considers the risks within an organisation and ensures that core processes keep running during adverse events. Tests do not have to be carried out 'for real', but could be 'paper exercises'.

BS 7799 PART 1 SECTION 10: COMPLIANCE

Every organisation within the United Kingdom is required to comply with UK and EU law. Within the scope of the ISMS, each organisation should list the main laws that affect its activities.
Within the UK, these include:
• Health and Safety legislation
• The Data Protection Act
• The Computer Misuse Act
• The Designs, Copyrights and Patents Act
• The Human Rights Act

Compliance with these is a legal requirement, and implementing BS 7799 is a good way of ensuring that your business does comply.

Works Cited
1) Paul M. Kane, Information security management BS 7799 now ISO 17799:2000, April 3, 2005, web, PowerPoint.
2) Implementation methodology for information security management, n.d., n.p., web. www.giac.org/...information-security-management...bs-7799.../1046...
3) Understanding BS 7799, n.p., n.d., web. http://www.connectingsomerset.co.uk/tips/e-business/Understanding%20BS%207799.pdf
4) Bill Casti, Information security management system BS 7799-2:2002, Nov 11, 2003, web. www.cmwg.org/meetings/.../BS7799_Implementation_CMWG.pdf
5) ISO 17799 Papers: BS 7799 Implementation, n.p., n.d., web. 17799.denialinfo.com/biju.htm
6) BS7799, n.p., n.d., web. www.teleologica.com/bs7799.html
7) M. J. Kenning, Security management standard ISO 17799/BS 7799, July 3, 2001, web. www.tarrani.net/AttainingISO17799.pdf
Information Security Management of BS 7799 Case Study. Retrieved from https://studentshare.org/information-technology/1591222-information-systems-management