How to implement BS7799: A case study conducted at the Institute of Quality Assurance
City University
MSc in Business Systems Analysis and Design
Project Report 2005

How to implement BS7799: A case study conducted at the Institute of Quality Assurance.

J.R. Beltman
Supervised by: C. Smart.
Submitted: 29-September-2005

Abstract

This dissertation presents the findings of a study into the implementation of the British Standard BS7799. BS7799 is an information security standard devised by the British Standards Institute (BSI) and aimed at assisting organisations with managing risk to information. In this research an action research oriented strategy is applied in an attempt to answer four fundamental questions concerned with the implementation of BS7799:

• How to successfully implement BS7799?
• What are the main problems related to implementing BS7799?
• How to tackle the problems related to implementation of BS7799?
• How to convince management of the need for BS7799 implementation?

The research is undertaken at the Institute of Quality Assurance (IQA). The results found in this study are based upon the evaluation of this implementation of BS7799 at the IQA, knowledge gained during the research and courses followed, and experts' opinions and experiences. The main findings of this research are that management support is a vital success factor when implementing BS7799; however, convincing management is not always easy. Scare tactics, in which the consequences of failure to implement BS7799 are highlighted, seem the best method of convincing management. Once management support is secured and implementation has begun, resistance to change is the next serious obstacle. Buy-in from staff and proper change management are additional success factors that determine the success of implementation. Implementing BS7799 is made easier when examples of policies and procedures are available.
The use of these examples and templates reduces implementation time significantly; this report contains examples of policies and procedures and describes how to overcome difficulties found during implementation. An action research based approach is found to be an appropriate method of researching the process of implementation, as it provides an insight into issues that would remain hidden using most alternative research methods. Action research also links in well with the Deming Cycle, which is the prescribed method for implementing, maintaining and improving the Information Security Management System (ISMS) of BS7799.

J.R. Beltman – IT Manager, Institute of Quality Assurance

Acknowledgements

Martin Rich, my advisor and mentor, whose help, support, wisdom and experience have helped shape this dissertation.

Chris Smart, whose supervision and last minute advice have helped to get this report in top shape and in line with the project specification as laid down by the City University of London.

Victor Parry; at first I thought it would cost me a meal and a pint, but he has shared his knowledge and experience on BS7799 and paid for his own food and drinks. He is a well recognised professional in the field and is a principal auditor registered with the International Register of Certified Auditors (IRCA).

Dick Price, consultant, auditor and trainer in BS7799, for the kind provision of beer and his experiences in implementing BS7799.

Mike and Rosemary Roach, for proofreading this work and your continued friendship and support.

Simon Feary, director of IRCA, for supporting the implementation of BS7799 and training as a BS7799 lead auditor.

Thank you.

Table of Contents
1. Introduction ..... 1
1.1 Research questions ..... 1
1.2 Controlling information security ..... 1
1.3 Aims and objectives ..... 2
1.4 The Institute of Quality Assurance ..... 3
1.4.1 IQA ..... 3
1.4.2 IRCA ..... 4
1.4.3 The IT department ..... 4
1.5 Background ..... 5
1.6 Justification for this project ..... 7
1.7 Report outline ..... 8
2. Literature survey - BS7799 the basics ..... 9
2.1 What are standards? ..... 9
2.2 BS7799 compared to ITIL & ISO9001 ..... 10
2.2.1 ITIL and BS7799 ..... 10
2.2.2 ISO9001:2000 and BS7799 ..... 12
2.3 BS7799 - Terminology ..... 13
2.4 BS7799 – Two parts to the puzzle ..... 14
2.5 BS7799 – The Deming Cycle ..... 16
2.5.1 Plan ..... 17
2.5.2 Do ..... 17
2.5.3 Check ..... 18
2.5.4 Act ..... 19
2.6 BS7799 – Critical success factors ..... 19
3. Methodology ..... 20
3.1 Practical research problem ..... 21
3.2 Participation ..... 21
3.3 Change ..... 22
3.4 Cyclical feedback ..... 22
4. Information security in practice – An analysis of security case studies ..... 23
4.1 Examples of security incidents ..... 24
4.1.1 The London terrorist attacks 7-7-2005 ..... 24
4.1.2 IRA bombing of Manchester 1996 ..... 24
4.1.3 Maxine Carr – theft of documents ..... 24
4.1.4 Disappearance of counter-terrorism plans for Heathrow Airport ..... 25
4.1.5 MI5 agent has laptop stolen at Paddington station ..... 25
4.1.6 British bank account holders' details stolen from Indian call centres ..... 26
4.1.7 £9m computer scam ..... 26
4.1.8 Electronic crime cost UK companies an estimated £2.45bn last year ..... 27
4.1.9 Ekibastuz [Kazakhstan] - hydroelectric power station disaster ..... 27
4.1.10 Northeastern United States and Southeastern Canada power blackouts ..... 27
4.1.11 Staff visiting unauthorized websites ..... 28
4.2 BS7799 to counteract information security breaches ..... 29
4.2.1 The London terrorist attacks 7-7-2005 ..... 29
4.2.2 IRA bombing of Manchester 1996 ..... 30
4.2.3 Maxine Carr – theft of documents ..... 30
4.2.4 Disappearance of counter-terrorism plans for Heathrow Airport ..... 32
4.2.5 MI5 agent has laptop stolen at Paddington station ..... 33
4.2.6 British bank account holders' details stolen from Indian call centres ..... 34
4.2.7 £9m computer scam ..... 35
4.2.8 Electronic crime cost UK companies an estimated £2.45bn last year ..... 35
4.2.9 Ekibastuz [Kazakhstan] - hydroelectric power station disaster ..... 36
4.2.10 North-eastern United States and South-eastern Canada power blackouts ..... 37
4.2.11 Staff visiting unauthorized websites ..... 39
4.3 Summary ..... 40
5. Results - Implementation and its difficulties ..... 41
5.1 What changed at the IQA? ..... 41
5.2 Pre-requisites ..... 42
5.2.1 Understanding the issue ..... 43
5.2.2 How not to implement BS7799 ..... 43
5.2.3 BS7799 – Not an IT issue ..... 44
5.2.4 A cultural change ..... 44
5.3 The Plan phase ..... 45
5.3.1 The scope ..... 45
5.3.2 Information security policy ..... 48
5.3.3 Risk assessment ..... 50
5.3.4 Options for risk treatment ..... 51
5.3.5 Statement of Applicability (SoA) ..... 53
5.3.6 Review ..... 54
5.4 The Do phase ..... 55
5.4.1 Formulate a risk treatment plan ..... 57
5.4.2 Implement risk treatment plan ..... 59
5.4.3 Implementing training and awareness programmes ..... 60
5.4.4 Resource management ..... 60
5.4.5 Implementation of controls and procedures ..... 61
5.4.6 A working version ..... 62
5.5 The Check phase ..... 62
5.5.1 Routine checking ..... 62
5.5.2 Self-policing procedures ..... 62
5.5.3 Learning from others ..... 63
5.5.4 Internal ISMS audit ..... 63
5.5.5 Management review ..... 64
5.6 The Act phase ..... 65
5.7 Summary ..... 65
6. Conclusion ..... 68
6.1 Hurricane Katrina financial aftermath ..... 68
6.2 Research questions revisited ..... 69
6.3 Aims and objectives revisited ..... 70
6.4 Experience and evolvement ..... 70
6.5 Action research revisited ..... 71
6.6 Findings ..... 72
7. Recommendations ..... 73
7.1 The first cycle ..... 73
7.2 A helping hand in research ..... 74
7.3 ISMS and tools as an electronic enforceable version ..... 74
7.4 Information security a popular subject? ..... 75
7.5 BS7799 – An international standard ..... 75
8. References ..... 76

List of Appendixes

Appendix A. Project definition ..... A1
Appendix B. The scope ..... B1
Appendix C. The security policy ..... C1
Appendix D. Risk assessment procedure ..... D1
Appendix E. Risk management/treatment procedure ..... E1
Appendix F. S. Green, personal communication ..... F1
Appendix G. R. Howard, personal communication ..... G1
Appendix H. V. Parry, personal communication ..... H1
Appendix I. M. Rich, personal communication ..... I1
Appendix J. V. Parry, interview notes ..... J1
Appendix K. Assets and risks ..... K1
Appendix L. IQA old asset registry ..... L1
Appendix M. IQA IT management system asset registry ..... M1
Appendix N. IQA licence control ..... N1
Appendix O. IQA email house keeping ..... O1
Appendix P. IQA form for new staff members ..... P1
Appendix Q. IQA staff IT test form ..... Q1
Appendix R. Server room access policy ..... R1
Appendix S. Communications policy ..... S1
Appendix T. Overview of implementation of BS7799 at IQA ..... T1

List of figures

Figure 1.1 The optimum level of security (Björck 2001) ..... 7
Figure 2.1 Integrity, availability and confidentiality (Bureau Veritas 2003) ..... 12
Figure 2.2 The Deming Cycle ..... 16
Figure 2.3 Success factors ..... 19
Figure 3.1 Stages in action research (Bryman 1989, p. 180) ..... 20
Figure 5.1 The Plan phase flowchart ..... 45
Figure 5.2 The Do phase flowchart ..... 56
Figure 5.3 The Plan phase ..... 65
Figure 5.4 The Do phase ..... 66
Figure 7.1 Björck's alternative to the Deming Cycle (Björck 2001) ..... 73
Figure 7.2 Venkatraman framework ..... 74
Figure A.1 The Deming Cycle ..... A4
Figure D.1 Risk matrix ..... D4
Figure L.1 IQA old asset registry ..... L1
Figure M.1 New IQA asset registry ..... M1
Figure M.2 Detailed view of asset registry ..... M2
Figure N.1 IQA licence control ..... N1
Figure O.1 Email growth, actual and projected ..... O1

List of tables

Table 2.1 The Deming Cycle adapted to BS7799 ..... 16
Table 2.2 The links between the Plan phase and BS7799 ..... 17
Table 2.3 The links between the Do phase and BS7799 ..... 18
Table 2.4 The links between the Check phase and BS7799 ..... 18
Table 2.5 The links between the Act phase and BS7799 ..... 19
Table 3.1 Deming Cycle and the matching action research stage ..... 21
Table 4.1 Annex A11.1, Aspects of business continuity management ..... 30
Table 4.2 Annex A12.1, Compliance with legal requirements ..... 31
Table 4.3 Annex A8.7, Exchange of information and software ..... 31
Table 4.4 Annex A6.2, User training ..... 31
Table 4.5 Annex A6.3, Responding to security incidents and malfunctions ..... 32
Table 4.6 Annex A5.2, Information classification ..... 32
Table 4.7 Annex A6.1, Security in job definition and resourcing ..... 32
Table 4.8 Annex A8.6, Media handling and security ..... 33
Table 4.9 Annex A12.1, Compliance with legal requirements ..... 33
Table 4.10 Annex A9.8, Mobile computing and teleworking ..... 33
Table 4.11 Annex A10.3, Cryptographic controls ..... 34
Table 4.12 Annex A6.1, Security in job definition and resourcing ..... 34
Table 4.13 Annex A8.1, Operational procedures and responsibilities ..... 34
Table 4.14 Annex A9.5, Operational system access control ..... 35
Table 4.15 Annex A8.3, Protection against malicious software ..... 36
Table 4.16 Annex A11.1, Aspects of business continuity management ..... 37
Table 4.17 Annex A7.2, Equipment security ..... 38
Table 4.18 Annex A9.7, Monitoring system access and use ..... 39
Table 4.19 Annex A9.5, Operational system access control ..... 39
Table 4.20 Annex A6.2, User training ..... 40
Table 5.1 Example of the Statement of Applicability (SoA) ..... 53
Table A.1 Sub-components of the Deming Cycle for the ISMS of BS7799 ..... A4
Table A.2 Project risk factors ..... A5
Table K.1 Assets and risks ..... K1

1. Introduction

BS7799 is a British Standard, devised by the British Standards Institute (BSI), which addresses information security. The standard comes with a specification with guidance for use and a code of practice, but without guidance on how to implement it. BS7799 is a method to help organisations reduce risk and its consequences. Although its benefits are not always understood by all, it is rapidly gaining territory. BS7799 should not be just an IT project, but a company-wide undertaking.
1.1 Research questions

This research tries to answer a number of questions regarding BS7799 implementation. These questions came into being after initial research into BS7799 and after following a lead auditor course in the standard.

1. How to implement BS7799 successfully?
2. What are the main problems related to implementing BS7799?
3. How to tackle the problems related to implementation of BS7799?
4. How to convince management of the need for and benefits of BS7799 implementation?

The answers to the research questions will differ for many organisations. This report provides both examples of general answers and answers specific to the implementation of BS7799 in the Institute of Quality Assurance (IQA) umbrella organisation.

1.2 Controlling information security

Just why implement BS7799? As discussed in chapter 4 of this report, information is under constant threat. Some of these threats could have such severe consequences if they materialize that they could lead to the closure of a company, or worse. According to the Bureau Veritas training manual for lead auditors (Bureau Veritas 2003), BS7799 aims to:

• Reduce incidents that result in liability
• Demonstrate reasonable care
• Safeguard information assets through a sound risk management process
• Define the level of security required: no more, no less
• Deliver tangible proof of appropriate practices
• Form a sound basis for the security policy
• Provide the organisation with an excellent checklist of controls
• Improve industry-government relations
• Facilitate obtaining permits and authorisations
• Improve cost control
• Meet vendor certification criteria
• Enhance image and market share
• Satisfy investor criteria and improve access to capital
• Assure customers of commitment to demonstrable information security management

After many years working in IT, the past five of them as IT Manager, and having studied BS7799 for the past four months, I see other benefits of BS7799 that are not explicitly highlighted by the commonly listed benefits such as those given by Bureau Veritas and many others. The benefits of BS7799 are in my opinion more direct and down to earth than most of those outlined above. This is not to say that the longer term and more 'business' orientated benefits mentioned couldn't be realised; they certainly can, and they add to the value of implementing BS7799. In my opinion the most fundamental benefits of BS7799 implementation are those of prevention, control, correction, continuity and recovery. In the field of IT security and information security it is important to prevent incidents from happening, and if they do happen the damage from the incident should be controlled and the situation corrected. After the incident the company should be able to recover and continue its business as usual. BS7799 helps to realise just that. Without prevention, control, correction, continuity and recovery, companies could:

• Have their reputation damaged
• Lose customers
• Lose contracts
• Have confidential information exposed
• Face fines
• Face court cases
• Be defrauded
• Face closure

1.3 Aims and Objectives

The aim of this project is to see to the implementation of all clauses and applicable control sets of BS 7799-2:2002 within the IQA's IT department, with a view to possible expansion to cover all departments of the IQA and a recommendation for certification in the near future, and to document the process of implementation in order to make implementation of BS7799 more accessible to other organisations.
BS7799 implementation differs per organisation, and the issues faced during implementation are not necessarily the same as those faced by the IQA. In the interest of making this report beneficial to a wide range of organisations, experts in the field of BS7799 have been consulted about their experiences with BS7799 ISMS implementation. Their experiences and the experience gained during the implementation project at the IQA are highlighted in this report.

Project objectives

• To make implementing BS7799 a generally accessible task to third parties by discussing the subject of 'how to' implement the standard, detailing the process, difficulties and challenges of implementation at the IQA and the issues highlighted by recognised BS7799 experts.
• To implement the clauses and applicable control sets of BS7799-2:2002 at the IQA.
• To present this project report so that it is easily adaptable for transformation into a software application that will help to enforce the clauses and applicable control sets of BS7799-2:2002.

The business objectives of BS7799 are to:

• Maximise return on investment
• Minimise business damage by minimising risk and consequence
• Ensure business continuity
• Attract more business

The stakeholders are identified as the Institute of Quality Assurance (IQA), the International Register of Certificated Auditors (IRCA), their customers and suppliers, and other organisations that are eager to implement BS7799.

1.4 The Institute of Quality Assurance

The Institute of Quality Assurance, better known as the IQA, is the umbrella organisation of two organisations:

• The Institute of Quality Assurance (IQA)
• The International Register of Certified Auditors (IRCA)

1.4.1 IQA

The IQA, the leading body for the advancement of quality practices in the UK, was originally founded in 1919 as the Institute of Engineering Inspection.
The IQA is a not-for-profit organisation and a respected contributor to policy issues at national and international level. It has maintained its unique position of independence from commercial or vested interests and embraces all quality models, philosophies and standards that help an organisation improve performance. The IQA is a founding member organisation of the European Organisation for Quality (EOQ). The EOQ is a federation of quality management organisations from 34 European member states, representing over 140,000 individuals and 23,000 businesses. The IQA seeks to:

• Promote the efficiency and competitiveness of industry and commerce
• Promote the education and training of those involved in quality
• Promote research into quality issues
• Maintain the quality and standard of auditors and quality related training courses. (IQA 2005)

1.4.2 IRCA

The IRCA is the world's original and largest international certification body for auditors of management systems. IRCA certifies more than 11,500 auditors in over 105 countries worldwide. IRCA has accredited over 90 training organisations, which provide training to a total of over 50,000 students each year in over 100 countries. IRCA provides auditors, business and industry with two main services:

1. Certification of auditors of management systems. These include:
   a. Consultants assisting organisations to develop and implement quality management systems
   b. Certification body/registrar auditors, auditing organisations against ISO 9001, BS7799 and other management systems standards
   c. Internal auditors performing audits on suppliers or auditing their own organisations
   d. Quality managers
2. Accreditation of courses and training organisations (IRCA 2005)

1.4.3 The IT department

The IT department and other support services departments of the IQA support both organisations, IQA and IRCA.
The IT department consists of two IT Assistants and the IT Manager and is on a continuous quest to improve the services it delivers and the underlying infrastructure, in conjunction with its customers (internal departments) and the customers of the IQA and IRCA. The IT department realises that improvement can only come with complete buy-in from its customers (in other words, the other departments within the IQA) and therefore puts the emphasis on customer relationships.

The IT infrastructure used in the IQA makes the quest more interesting than usual. Both the IQA and the IRCA share the same servers, but the data and applications must be kept completely separate. This is because the IQA is accredited by IRCA, meaning that if the IQA had the ability to access IRCA's data and applications it could gain an advantage over other IRCA accredited training organisations, resulting in unfair competition.

Since the restructuring of the IT department began, a little over three years ago, its functioning has improved greatly but has not yet reached its potential level of efficiency. This does not depend only on the IT department, but on the whole of the organisation. Before the restructuring began, servers were standing on the floor, each with its own mouse, keyboard and monitor, plugged straight into wall sockets without sufficient protection against electricity spikes or blackouts. Cables lay dangerously on the floor, easily unplugged by a wrong move. Backups were working poorly and not all important information was backed up. Restore capabilities were never tested on a realistic scale. Licensing was badly managed, to such an extent that Microsoft Office licences were severely outdated. Software was not standardised, and neither were computer installations. An asset register did not exist. The budget was poorly controlled by the IT manager.
Server operating systems were installed without sufficient knowledge, resulting in frequent crashes. Customer satisfaction was below zero, and the list goes on. All these issues have been greatly improved over the past three years. For example, servers are in cabinets, using UPS systems (Uninterruptible Power Supplies) and surge protection. They are installed by professionals, with a regularly tested backup and restore facility. Software is licensed and licences are controlled. Workstation installations are managed and standardised. Assets are registered and the register is controlled and maintained. The budget is managed to the smallest detail. Servers do crash, but not often, and crashes do not cause much downtime and no interruption to the daily work. Customers are far more satisfied. The IT department recognises that there is still room for improvement and has identified potential aids that would bring benefit to its continuous quest for improvement.
• ITIL (IT Infrastructure Library) – Concerned with IT Service Management.
• ISO 9000:2000 (International Standard Organisation) – Concerned with overall improvement of quality within the organisation.
• BS7799 (British Standard) – Concerned with Information Security.
The ITIL and ISO 9000:2000 aids have been investigated and are partly implemented, leaving BS7799 implementation as the final, but most challenging, project to be completed.

1.5 Background
The consequences for any company whose information security is compromised are severe. A few examples of information at risk:
• Email directories (customers and suppliers)
• Customers’ financial information
• Any other customer data (name, address etc.)
• The organisation’s bank account details
• Employee details
Examples of assets that hold information and which require risk management:
• Server systems
• Desktop systems
• Laptops
• Memory sticks
• Paper files
• Tapes
• USB / Firewire devices
• Personnel
Many sources reveal the need for organisations to develop a systematic approach to implementing a form of information security. I have listed four here:
• R. Howard of NCC Group Plc wrote to inform me that NCC Group Plc achieved a 42% success rate in breaking into networks from an external testing perspective and 83% from an internal testing perspective over the past two years. (Howard 2005)
• According to the National Hi-Tech Crime Unit (NHTCU), electronic crime cost UK companies an estimated £2.45 billion in 2004. (Silicon 2005)
• One survey by the NHTCU also reveals that virus attacks hit 97 per cent of respondents, costing them in total more than £70m. Nine per cent had suffered financial fraud, at a cost of £68m. (Silicon 2005)
• In support of the NCC Group Plc findings, the NHTCU found that out of 200 companies surveyed, 178 experienced some form of high-tech crime last year. Of those 178 firms, 90 per cent claimed to have had their systems intruded and 89 per cent said their data had been stolen.
The International ISMS User Group (XISEC) states that in the United Kingdom only 212 organisations are BS7799 certified. This ranks the United Kingdom second, with Japan leading with a total of 967 certifications. (ISMS International User Group 2005) But not all companies who implement BS7799 will opt for certification, making the number of actual implementations of the standard difficult to estimate. On the other hand, many companies may not be aware of the existence of BS7799 and are perhaps entirely unaware that information security is a distinct field, but may well have taken measures, without realising it, to improve information security. No matter at what stage an organisation is, information security has a price tag for all. A useful framework is provided by Fredrik Björck, who is a Ph.D. candidate and lecturer at the Department of Computer and Systems Sciences, Stockholm University / Royal Institute of Technology.
His research focuses on certain aspects of information security management in organisations. He has served as vice-president of the ISACA (Information Systems Audit and Control Association) Sweden Chapter, is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA). Björck (Björck 2001) has written his thesis on information security, “Security Scandinavian Style - Interpreting the management of information security in organisations”, in which he suggests that the optimum level of security in an organisation, from a strictly financial perspective, will be found in the situation where the cost of additional security countermeasures exactly equals the resulting reduction in damages arising from security breaches. This is illustrated in figure 1.1, the optimum level of security.
Figure 1.1 The optimum level of security. (Björck 2001)
BS7799 is a powerful tool that can help companies find this optimum level of security.

1.6 Justification for this project
The security of the information held by the Institute of Quality Assurance (IQA) umbrella organisation is at risk, and this risk has to be reduced to the absolute minimum or to an acceptable level, whilst at the same time the efficiency of the organisation in dealing with information security related issues must be improved, in line with the organisation’s policy of adhering to best practice in the workplace. The IQA required all relevant sections of BS7799 to be implemented by the end of September 2005 with a view to proceeding to certification in early December. However, due to the organisation’s plan to move premises, the project to implement an information security management system (ISMS) has been stalled. Therefore implementing an ISMS for the whole of the organisation is no longer a realistic objective and the scope had to be reduced to the IT department and its assets only.
It is worth noting that the IT department and its assets are at the core of the full scale ISMS. All departments in the organisation use and depend on the IT infrastructure, and policies and procedures relating to the IT assets need to be adhered to by all staff. Including no department but the IT department and its assets in the ISMS scope therefore still represents an accurate case of implementing the ISMS. As outlined in chapter 1.3, the IQA consists of two organisations with two IT systems sharing the same hardware. The ISMS has to support both organisations, and even though it may be assumed that, because the scope of the ISMS only looks at the IT department and its assets, dealing with two organisations under one umbrella is not important to the implementation of BS7799, nothing could be further from the truth. In particular the IT infrastructure has to deal with the difference between the IQA and IRCA. Not only does the IT infrastructure need protection from outside the organisation, but because of regulations that apply to both the IRCA and the IQA, the IT infrastructure must protect the IRCA information assets from IQA staff and vice versa.

1.7 Report outline
The next chapters build towards answering the research questions of chapter 1.1. The chapters are:
• Literature survey - BS7799 The Basics: An outline of BS7799, including comparison to other standards, terminology, methodology and success factors.
• Methodology: A discussion on action research and the reasons for applying this research method to this project.
• Information security in practice – An Analysis of Security Case Studies: Examples of information security incidents and possible prevention or damage control options by implementing BS7799. This section is aimed at convincing management of the need for BS7799 implementation.
• Results - Implementation and its difficulties: An extensive step-by-step discussion on how BS7799 was implemented at the Institute of Quality Assurance; examples of key documents, experts’ advice and experiences, problems and solutions.
This dissertation is written as if walking the reader through the implementation and, by doing so, will endeavour to align more closely with the reader. Therefore the use of ‘we’, ‘us’ and ‘I’ will be common throughout this report.

2. Literature survey - BS7799 The Basics

2.1 What are standards?
There are many standards and regulations these days. But what exactly are these standards and regulations? Do they have anything in common, and are there differences? Although a detailed discussion of standards and regulations falls outside the scope of this project, I feel it is beneficial to give a general overview of this topic.
“Software standards enable software to interoperate. Many things are (somewhat) arbitrary, so the important thing is that everyone agree on what they are.” (Wikipedia 2004)
“Agreed principles of protocol. Standards are set by committees working under various trade and international organizations.” (Leviton, no date)
“In a military context, standardisation is defined as: The development and implementation of concepts, doctrines, procedures and designs to achieve and maintain the required levels of compatibility, interchangeability or commonality in the operational, procedural, materiel, technical and administrative fields to attain interoperability.” (Wikipedia 2005a)
Standards are either ‘de facto’ or ‘de jure’. ‘De facto’ standards are those followed for convenience, such as the ITIL, BS7799 and ISO9000 standards. ‘De jure’ standards are (more or less) legally binding contracts and documents.
“A regulation (as a legal term) is a rule created by an administrative agency or body that interprets the statute(s) setting out the agency's purpose and powers, or the circumstances of applying the statute. A regulation is a form of secondary legislation which is used to implement a primary piece of legislation appropriately, or to take account of particular circumstances or factors emerging during the gradual implementation of, or during the period of, a primary piece of legislation.” (Wikipedia 2005b)
The difference between a standard and a regulation is that the latter is a legally required set of rules to be incorporated (more like a ‘de jure’ standard, but set by an administrative agency or body), whilst standards are not legally required to be implemented. Organisations choose to adopt standards not by law, but by choice or at the request of customers and/or suppliers. Standards are usually adopted to improve the credibility of the organisation. This could be credibility in areas such as the quality of products or services or the security of data, with a view to improving the company’s efficiency, cutting costs, improving image, attracting customers, retaining customers and much more. In contrast, organisations are forced to adopt regulations if they apply to the organisation. Examples of regulations are the Health and Safety regulations, the Data Protection Act and the Banking Code; again, these regulations must be adhered to by law.
An example of a standard, one we are all familiar with, is the standardisation of country codes for telephone numbers, a standard laid down by the Comite Consultatif Internationale de Telegraphie et Telephonie (CCITT), which in the early 1990s changed its name to ITU-T (International Telecommunications Union – Telecommunication).
This is a typical example of a ‘de jure’ standard, even though there are no laws enforcing this practice, because to be compatible with the rest of the world you need to implement this standard. An example of a ‘de facto’ standard is the one that forms the basis of this project: BS7799. Many different organisations lay down standards, such as the ITU-T, ISO, BSI, manufacturers, insurance companies etc., independent of the distinction between ‘de facto’ and ‘de jure’ standards.

2.2 BS7799 compared to ITIL & ISO9001
We will have a short look at what other standards have in common with the BS7799 standard. In this project we are, however, concentrating on information security. For this specific subject only BS7799 applies. Whilst it is true that other standards show commonalities with BS7799, they are not specifically designed to deal with information security, whilst BS7799 is. By combining relevant aspects of ISO9001, ITIL and other standards we would most likely end up with a system very similar to BS7799. At the IQA, ISO9000:2000 is already implemented for most of the company’s departments. The IQA now needs to concentrate on the more specific and specialised areas of the organisation, such as a Health and Safety Management system and an Information Security Management System (ISMS). To implement the ISMS, BS7799 is a widely accepted and commonly used standard. It specialises specifically in implementing and running an ISMS and thus is the logical choice of standard to follow.

2.2.1 ITIL and BS7799
ITIL, the Information Technology Infrastructure Library, is a world-wide de facto standard in IT service management. ITIL focuses on best practice and is usable by organisations of any size. ITIL was devised by the Central Computer and Telecommunications Agency (CCTA) in the UK in the late 1980s and became recognised world-wide by the mid 1990s. ITIL was created as a response to the changing role of IT within organisations.
Although the CCTA’s customer base was originally other parts of central government, it recognised that the needs of organisations in the public or private sector, large, small, centralised or distributed, were going to be similar. (Green 2005) This was at the same time that IT changed from being a mere ‘add-on’ of companies to a fundamental core function of the organisation. ITIL (Langley 2003) is organised into sets of texts which are defined by related functions:
• Service support
• Service delivery
• Managerial
• Software support
• Computer operations
• Security management
• Environmental.
The Service Management section of ITIL is made up of eleven different disciplines, split into two sections, namely Service Support and Service Delivery:
Service Support
1. Configuration Management
2. Change Management
3. Release Management
4. Incident Management
5. Problem Management
6. Service Desk
Service Delivery
7. Service Level Management
8. Capacity Management
9. Financial Management for IT Services
10. Availability Management
11. IT Service Continuity Management
Whilst owned by the CCTA since the mid-1980s, ITIL is currently maintained and developed by the Office of Government Commerce. As from 1st April 2001, the CCTA became an integral part of the Office of Government Commerce. From this date, the CCTA as an organisation ceased to exist. ITIL overlaps with BS7799-2:2002 in the disciplines:
• Problem Management
• Availability Management
• IT Service Continuity Management
Problem management aims to minimise the effects on the organisation of incidents and problems caused by errors in the infrastructure and to prevent the occurrence of incidents, problems and errors. Problem management also deals with problem identification, recording, classification, investigation and diagnosis.
BS7799-2:2002 is designed to minimise the likelihood and severity of information security related incidents and to prevent repetition by taking preventive action. BS7799-2:2002 requires a system for logging incidents and taking corrective action. It also requires a system for monitoring system use and reporting incidents. The BS7799 standard looks beyond ITIL and includes all information security related assets instead of only IT related issues. Examples of this are computer systems, hard copies, personnel, building security etc. Availability Management is about sustaining availability of the IT infrastructure as and when required. By using Availability Management a company can predict and design for expected levels of availability and security. Availability levels are measured against Service Level Agreements (SLAs). BS7799-2:2002 emphasises three areas:
• Confidentiality
• Integrity
• Availability
Information security is the balance between these areas.
Figure 2.1 Integrity, Availability and Confidentiality (Bureau Veritas 2003)
Availability in BS7799-2:2002 means “ensuring that authorized users have access to information and associated assets when required”. (BSI 2002) The difference between BS7799 and ITIL is again that ITIL looks at purely IT related systems whilst BS7799 looks at all assets, including IT but not limited to IT. IT Service Continuity Management exists to support overall business continuity and should integrate with the overall business continuity plan. In case of a disaster or major failure, a predetermined level of IT functionality should be restored within agreed timescales, increasing the business’s chances of survival. BS7799-2:2002 Annex 11.1 (BSI 2002) talks in detail about business continuity.
It requires a management process for business continuity to be in place, a strategy plan based on risk assessment, implementation of this plan, and testing and maintenance of this plan. Once more the difference here is that whereas ITIL looks purely at IT, BS7799 looks at all assets and at continuity planning for the entire business.

2.2.2 ISO9001:2000 and BS7799
BS7799-2:2002 Annex C (BSI 2002) provides a detailed comparison table between BS7799-2:2002, BS EN ISO9001:2000 and BS EN ISO 14001:1996. I will only highlight the areas where there are commonalities between BS7799-2:2002 and BS EN ISO9001:2000. ISO9000:2000 is designed as a quality management system and not as an information security management system. ISO9000:2000 is about organisational processes to deliver a service or a product; ISO9000:2000 follows the delivery of a service or product from beginning to end with the aim of making the process transparent, controlled and open to continuous improvement. ISO9000 serves as a basis to:
• Achieve better understanding and consistency of all quality practice throughout the organisation.
• Ensure continued use of the required quality system year after year.
• Improve documentation.
• Improve quality awareness.
• Strengthen organisational / customer confidence and relationships.
• Yield cost savings and improve profitability.
• Form a foundation and discipline for improvement activities within the quality management system.
BS7799 and ISO9000:2000 seem to touch upon completely different aspects of the organisation. Whereas ISO9000:2000 looks at the processes of service and product delivery, BS7799 concentrates on information security. But they do have commonalities. Both use a management system to implement and use the standard.
Common requirements of both management systems:
• Scope
• Document Control
• Record Control
• Management Commitment
• Provision of Resources
• Training, Awareness and Competency
• Management Review
• Internal Audits
• Continual Improvement
• Corrective Action
• Preventive Action
Common business objectives:
• Maximise return on investment
• Minimise risk
• Increase customer base by increased credibility (from certification)

2.3 BS7799 - Terminology
BS7799 is a standard devised by the British Standards Institute (BSI) and recently transformed into an ISO standard (ISO17799). BS7799 is aimed at information security. Why? Businesses and their information assets are exposed to serious information security threats on a daily basis. The vulnerability of information, the likelihood of it being compromised and the severity of the impact of it being compromised vary, but all too often the security of high value information does get compromised. The consequences vary. Companies can suffer serious loss of face or go bankrupt, and people can get killed. However, most breaches have a less dramatic impact on the business, but can still be very costly, for example through loss of reputation. Take for example Amazon and imagine the front page of the morning papers announcing credit card fraud at Amazon. It would be a blow to Amazon’s reputation from which they would not quickly recover, if at all. Before we can continue with BS7799 it is important to understand some terminology and the differences between the terms.
• Threats
  o A declaration of the intent to inflict harm or misery
  o Potential to cause an unwanted incident, which may result in harm to a system or organisation and its assets
  o Intentional or accidental, man-made or an act of god
• Vulnerability
  o A source or situation with potential for a threat to inflict harm. It does not cause harm or threats, but if not managed it will lead to harm.
  o Examples: Unlocked doors, no intruder alarm system, lack of up-to-date virus protection, no backup of vital data
• Likelihood
  o The probability of a threat materialising
  o Example classification: low, medium, high
• Severity
  o Describes the damage a threat can cause if it does materialise
  o Example classification: slight, medium, severe
• Risk
  o The combination of the Likelihood and the Severity of a Threat materialising (Bureau Veritas 2003)

2.4 BS7799 – Two parts to the puzzle
BS7799 certification requires compliance with part 2 of BS7799. BS7799 consists of two parts, part 1 and part 2, better known as:
• BS ISO/IEC 17799:2000, BS 7799-1:2000 (Information technology – Code of practice for information security management)
• BS 7799-2:2002 (Information security management systems – Specification with guidance for use)
The Code of practice explains in more detail the 10 controls addressing key areas of Information Security Management, which include a total of 127 best security practices:
1. Information security policy - Objective: To provide management direction and support for information security
2. Organisational security - Objective: To manage information security within the organisation
3. Asset classification and control - Objective: To maintain appropriate protection of organisational assets
4. Personnel security - Objective: To reduce risks of human error, theft, fraud or misuse of facilities
5. Physical and environmental security - Objective: To prevent unauthorised access, damage and interference to business premises, information and assets
6. Communications and operations management - Objective: To ensure the correct and secure operation of information processing facilities, minimise the risk of system failures and maintain integrity and availability of information processing and communication services
7. Business requirement for access control - Objective: To control access to information and detect unauthorised access
8. Security requirements of systems - Objective: To ensure that security is built into information systems
9. Business continuity management - Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
10. Compliance - Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and thereby to ensure compliance of systems with organisational security policies and standards (BSI 2002)
The objectives of all the controls mentioned are described in far greater detail in the actual code of practice than in the summary above. It is important to be aware that not all controls or control sets apply to every organisation and that some controls and control sets will be difficult to implement without the full co-operation of those involved, in some cases the entire company. The controls and control sets to be implemented will only become apparent when actually engaging in the project. It is part of the project to determine and document which are and which are not applicable to your BS7799 implementation, and why. Part 2 of BS7799 (BS7799-2:2002, Specification with guidance for use), as mentioned above, is the part of BS7799 that is certifiable. It instructs on how to build, maintain, operate and improve a measurement system for managers to monitor and control the security systems: the Information Security Management System (ISMS). It does this by stating what needs to be implemented (clauses 4 to 7 of BS7799-2:2002 are mandatory whilst controls and control sets are optional) and gives additional information on implementation. Part 1, however, guides us in detail through each of the 10 controls and their control sets as laid out in Part 2.
Even though part 1 is very helpful, it is still alien to those who have no experience in implementing BS7799 and is of little help on ‘how’ to actually implement the standard.

2.5 BS7799 – The Deming Cycle
The Information security management system (ISMS) of BS7799 is implemented using a methodology referred to as the Deming cycle: the Plan-Do-Check-Act (PDCA) cycle (Deming 2000). Deming is a highly respected professional in the field of quality management. He is known as the father of the third industrial revolution of Japan and is officially recognised by many. For his work in Japan he received the Second Order Medal of the Sacred Treasure from the Emperor of Japan in 1960, for improvement of quality and of the Japanese economy through the statistical control of quality, and in the US he received the National Medal of Technology from President Reagan in 1987. The PDCA cycle is used as a systematic approach to setting up and managing a management system. It follows a continuous cycle of activities that can be described as a virtuous circle used to bring continuous improvement to the management system.
Figure 2.2 The Deming Cycle.
When adapted to BS7799 the four phases of the cycle, Plan-Do-Check-Act, each have a number of BS7799 activities assigned to them. My analysis of the PDCA cycle and the corresponding BS7799 activities, as outlined in table 2.1, is based upon many different internet resources and the Lead Auditor training course followed at Bureau Veritas.
Plan
• Scope
• Policy
• Risk Assessment
• Risk Treatment Plan
• Statement of Applicability
Do
• Operate Controls
• Awareness Training
• Manage Resources
• Prompt Detection and Response to Incidents
Check
• Management Review
• Internal ISMS Audit
Act
• ISMS Improvements
• Preventive Action
• Corrective Action
Table 2.1 The Deming Cycle adapted to BS7799.
The tables used in chapters 2.5.1 to 2.5.4 are based on the ‘Examination for Auditors of Information Security Management Systems’ paper (Bureau Veritas 2004) as provided during the BS7799 Lead Auditor course and the knowledge gained during this course.

2.5.1 Plan
The ISMS requires some preparation before it can be implemented. Documenting practices, establishing a risk management approach, allocating responsibilities and determining methods of review are activities used to “kick start” the cycle. “The Plan phase is used to ensure that the context and scope for the ISMS have been correctly established, that the information security risks are assessed and that a plan for the appropriate treatment of these risks is developed.” (BSI 2002, p. 22)
Activity                                 Clause / Annex
Establishing the ISMS                    4.2.1
Define Policy and Scope                  4.2.1 a), b)
Risk identification and assessment       4.2.1 c) – e)
Risk treatment plan                      4.2.1 f) – i)
Table 2.2 The links between the PLAN phase and BS7799.
BS7799-2:2002 Clause 4.2.1 a) speaks about the scope of the ISMS. An example of the scope used for the Institute of Quality Assurance (IQA) is included in the discussion on the actual implementation of the ISMS at the IQA (chapter 5). The scope is nothing more than a document stating which departments and assets (i.e. desktops, LAN, servers) are included in the ISMS and what the exclusions are. Depending on the size of the ISMS it may well fit on one A4 page. After drawing up the scope it is required to develop an Information Security Policy. This policy includes the purpose of setting up the ISMS, the objectives of the ISMS and responsibilities. It also refers to additional policies and procedures that are used to support the ISMS, such as procedures for disciplinary action, use of email and internet etc.
When the scope and information security policy are drawn up we continue with the risk management and treatment plan and select appropriate controls from Annex A of BS7799-2:2002. For each control set in Annex A it is required to justify the inclusion or exclusion of the control set. The resulting document is called the ‘Statement of Applicability’ and is required for certification.

2.5.2 Do
The Do phase is about implementing the ISMS and making it operational. In this phase we look back at what we prepared in the Plan phase and make it reality. “The DO activity within the PDCA cycle is designed to implement selected controls and promote the action necessary to manage the information security risks in line with the decisions that have been taken in the Plan phase” (BSI 2002, p. 24)
In this phase we implement the ISMS and the risk treatment plan, which includes a way of swiftly detecting and responding to information security incidents, ensure that staff are being trained, are security aware and are competent to carry out designated security tasks, and that the required resources are available. It is also very important that management is committed to the ISMS establishment, implementation, operation, monitoring, review, maintenance and improvement. Without full management support, preferably from top management, the ISMS is doomed to fail from the start.
Activity                                                                 Clause / Annex
Implementing the ISMS                                                    4.2.2
Risk treatment plan, training awareness programs, resource management    4.2.2 a) – g)
Management responsibility                                                5.0
Management commitment                                                    5.1
Resource management                                                      5.2
Table 2.3 The links between the DO phase and BS7799.

2.5.3 Check
The Check phase is to monitor the effectiveness of the ISMS. To be able to carry out a proper review of the ISMS you will need at least three months’ worth of data.
During the Check phase it may be found that some controls are missing or ineffective, that risk treatment plans may not work as well as expected, that information security breaches have occurred and that overall improvements of the ISMS are applicable. The Check phase is a constant phase; checks on network security, virus infection, user activity etc. are performed on a regular or even constant basis as part of the normal business process. It is important to remember that finding opportunities for improvement is the objective of the Check phase. The Check phase is extensively described in BS7799-2:2002 page 24 section B4. (BSI 2002, p. 24)
Activity                                                              Clause / Annex
Monitor and review the ISMS                                           4.2.3
Application of control procedures, security breaches, action plans    4.2.3 a)
Management review of the ISMS                                         6.0
Review of the inputs                                                  6.2
Review of the outputs                                                 6.3
Internal ISMS audit program                                           6.4
Table 2.4 The links between the CHECK phase and BS7799.

2.5.4 Act
During the Act phase we take action based on information found in the Check phase. This could range from implementing corrective action for non-conformities and identified opportunities for improvement to taking disciplinary action and preventive action.
Activity                                                                              Clause / Annex
Maintain and improve the ISMS                                                         4.2.4
Implement improvements, apply lessons learnt from security experiences, communication  4.2.4 a) – d)
ISMS continual improvement plan                                                       7.1
Corrective action plan                                                                7.2
Preventative action plan                                                              7.3
Table 2.5 The links between the ACT phase and BS7799.
During the discussion of the actual implementation of the ISMS in the Institute of Quality Assurance (chapter 5) we will get a clear overview of each of the four phases and related activities. The PDCA cycle is the methodology used to build and manage the ISMS.
2.6 BS7799 – Critical Success Factors

Over the years BS7799 auditors and consultants have identified a number of critical success factors – that is, factors which lead directly to success for a business – for BS7799 implementation and certification. The success factors listed are derived from BS7799 part 1 (ISO/IEC 17799).

Figure 2.3 Success factors: Management support; Well structured project; Holistic approach; Employee support; Good understanding of BS7799; Access to external expertise; Awareness training on the need for security.

3. Methodology

During my preliminary research into the BS7799 standard I found one aspect of implementation missing: How to? The two parts of the standard gave me a very solid overview of what was required for BS7799 implementation and certification, using very helpful examples on controls and control sets, but they both left out the main part of implementation: how? To answer this question and the other research questions, as listed in chapter 1.1, Research questions, I concluded that it was best to actually go through the complete activity of implementation myself. This method is one of the characteristics of what is known as action research.

“In action research, the investigator virtually becomes part of the arena being studied with the purpose of solving organisational problems.” (Bryman 1989)

Action research is foremost concerned with finding solutions that can be applied in practical, real-life situations, with scientific results taking a back seat. It tends to influence, and extend to, the entire organisation. The basic ideas relating to action research have been around since the 1940s, but Bryman suggests that it has never achieved widespread acceptance; many researchers shy away from action research because they find it too close to the traditional consultancy role.
However this similarity is exactly what makes it effective as a research method that has great potential to bring substantial and useful benefits to the organisations and individuals involved, instead of only contributing to science. (Bryman 1989)

M. Rich suggests that action research assumes that there are ‘participant observers’, meaning that the people carrying out the research are actually taking part in the process, a statement which in my opinion supports Bryman’s comparison of action research with consultancy. M. Rich continues by suggesting that action research assumes that through some intervention things can be done better in the future and therefore the objective of the dissertation should be to identify suitable intervention. He continues by suggesting that overall the objective of action research is to improve a process in some way, during which some intervention is typically identified. (Rich 2005)

Figure 3.1 illustrates the different stages in action research (Bryman 1989, p. 180).

Figure 3.1 Stages in action research (Bryman 1989, p. 180): Problem → Organizational framework for research → Research → Diagnosis → Recommendations and implementation → Research (evaluation) → Solution found / Solution not found → Contribution to knowledge.

Comparing Deming’s PDCA cycle with the action research stages related by Bryman we can see a clear correspondence, as shown in table 3.1. This vindicates the suitability of action research for this project.

Deming Cycle | Matching Action Research Stage
Plan | Problem; Organizational framework for research; Research; Diagnosis
Do | Recommendations and implementation
Check | Research (evaluation)
Act | Solution found; Solution not found; Loop back to previous stages
Table 3.1 Deming Cycle and the matching Action research stage.
The cyclical feedback cycle (Check and Act in Deming; Research (evaluation), Solution found, Solution not found and loop back to previous stages in Bryman) is a cycle which we cannot explore within this dissertation, but it would fit with pursuing the action research further. We can look at some smaller parts of the system we have implemented; for these parts the feedback cycle is short and we can determine the effect of implementation within a couple of days. However for the main part of the system the feedback cycle can only be effective from at least three months after implementation. This is due to the nature of the system. Because of the timescale for writing this dissertation the feedback cycle cannot be discussed in as much detail as the actual implementation of the system.

3.1 Practical research problem

The research is concerned with the implementation of a BS7799 ISMS: how to implement it, the problems relating to implementation, and how to convince management of the need for BS7799. The research is based upon implementation of BS7799 within the IQA umbrella organisation. The research concentrates on the IT department and its assets. It follows how, step by step, BS7799 was implemented and the issues that arose during implementation.

3.2 Participation

I, the researcher, am an employee of the IQA. As IT manager I had the unique opportunity to lead the project of implementing BS7799 in the IQA. In this I was supported by my direct staff members, the personnel manager, my direct reporting manager and various experts in the field. For the actual implementation of BS7799 I have followed the Deming Cycle and Part 2 of BS7799 (BS7799-2:2002, Specification with guidance for use).

3.3 Change

BS7799 is intended to optimise information security in an organisation. It will not instil the same magnitude of change on all organisations it is applied to, but change is to be expected.
Sources within the IQA had identified the need for change in how it handles information security. How the change will be received by the organisation and what its effect is on information security will not be fully understood until at least three months after implementation. However staff are already picking up on some changes brought on by BS7799.

3.4 Cyclical feedback

How exactly the implementation of BS7799 will influence the organisation and how successful the implementation is in reality cannot yet be established. Feedback on implementation is to be expected three months after implementation as a minimum, when the ISMS is reviewed. The ISMS will be reviewed according to the Deming Cycle (Check) and BS7799-2:2002 (internal audit and management review), but currently it is too early to determine the success of this project.

4. Information security in practice – An Analysis of Security Case Studies

In this chapter we will look at answering one of the research questions, which coincidentally is also one of the most important success factors for implementation of BS7799:

• How to convince management of the need for and benefits of BS7799 implementation?

If you are convinced that BS7799 is part of the best solution to manage information security within your company, then how do you convince management? It is often a very difficult task to convince management and top management of the importance of something that does not come with any direct financial return. If you approached top management and asked to buy product X, which your customers have been asking for and on which your profit margin is 100%, there would be very positive buy-in. But now imagine that you come to top management and tell them that you need time, resources and money to put something like BS7799 in place. Where is the direct financial return? There isn’t one.
The benefit is about reducing risk and not about immediately increasing return. How do you convince them that having this in place will save the company a considerable amount of money, and perhaps even forestall closure, when the very objective of the project is to minimize the risk of a fatal incident occurring and to have a contingency plan in place just in case it does happen? BS7799 is about prevention and continuity. You can never eliminate risk, but you can minimize the likelihood, vulnerability and impact by managing the risk.

To convince top management I have included some examples in the next section to illustrate that the events BS7799 tries to protect against are more likely to happen than you would imagine. From both the media and personal contacts I have been able to collect examples of situations in which information security was compromised. Some cases had the potential to lead to very serious consequences, but the situation was rectified, usually by sheer luck. In other cases the consequences for the organisation were not directly of a catastrophic nature, but the organisation or an individual could have suffered badly. After discussing the examples I will indicate where and how BS7799 could have helped minimise the likelihood, vulnerability and impact of the information security breach. The keywords here are ‘to minimise’; BS7799 under no circumstances eliminates risk. However in some situations you can eliminate threats and thereby minimise the risk, as illustrated in chapter 5.

4.1 Examples of Security Incidents

The examples in this section will be revisited in 4.2, which discusses them in relation to BS7799.

4.1.1 The London terrorist attacks 7-7-2005

The recent London bomb attacks made us realize how real terrorism is.
From being a thing that only happens to others it is suddenly right on our very own doorstep. Why is this of any importance to BS7799? The standard deals not only with minimizing the risk of security breaches but also with continuity planning. BS7799 security breaches refer to information security. The standard is NOT designed to prevent terrorist attacks, but is designed to help implement continuity plans in case of severe disruption to the business, such as during and after a terrorist attack.

4.1.2 IRA bombing of Manchester 1996

At the time of writing this report it is too early to determine the scale of damage to the economy caused by the recent attacks on London and how well businesses have planned for this kind of situation. What we do see in the immediate aftermath is a greatly disturbed daily business environment. A better picture of the influence of terrorist attacks on businesses can be found by looking back at the Irish Republican Army (IRA) bombing of central Manchester in 1996.

“The effect on a business of a major disaster can be devastating. Some never recover. Not only can damage to buildings, stock, plant and computer equipment be extensive, but also the effect on the company's trading can be disastrous. 250 companies that suffered damage in the Manchester bomb failed within six months of the event.” (Deloitte & Touche 2004)

It is very likely that the London bombings will have a similar effect on local businesses. Events that may not be as intimidating as terrorist bombings can also benefit from the BS7799 standard. The lack of security of information, BS7799’s main concern, could have had fairly bad consequences in some of the following examples.

4.1.3 Maxine Carr – theft of documents

“The Home Office has said a ‘thorough’ investigation will be carried out into the theft of key documents relating to the release of Maxine Carr. … The documents were stolen from a Home Office official's car.
The High Court has issued a ban on revealing Carr's whereabouts after her expected release on Friday. The stolen papers containing details of her release were later recovered on London's Hampstead Heath” (BBC 2004a)

Maxine Carr, better known as the former girlfriend of “Soham murderer” Ian Huntley, received many a threat before she left prison. Therefore she was to be relocated to a secure and secret place to guarantee her safety. The Home Office denied that the stolen papers contained her new address and telephone number. Depending on what was really in the stolen papers, Carr’s life could have been in grave danger.

4.1.4 Disappearance of counter-terrorism plans for Heathrow Airport

Papers, even the most important papers, do go missing. Maxine Carr’s case is just one example of this. Another high profile case of missing papers took place in June/July 2004.

“The home secretary has said the disappearance of papers reported to contain counter-terrorism plans for Heathrow Airport was ‘very bad’. A report in the Sun newspaper claimed the documents identified 62 sites from which a missile strike could be made. They were found by a motorist in a layby near the London airport who contacted its reporters, the Sun said.” (BBC 2004b)

BS7799 does deal with document security and we will see in chapter 4.2 how the standard could have been used to minimize the likelihood of the above examples happening.

4.1.5 MI5 agent has laptop stolen at Paddington station

“Security at MI5 is stepped up as agent has laptop stolen at Paddington station. An MI5 agent has admitted losing a laptop notebook containing sensitive government information at Paddington train station earlier this month. Security has been stepped up at MI5 following the theft, which has caused extreme embarrassment for the security agency and the government.
The Police Special Branch has launched an investigation into the theft of the £2,000 computer, which took place on 4 March. A spokeswoman from the Home Office said that while the government does not perceive the crime as a threat to national security because the data was encrypted, she admitted there is some ‘concern’. The representative confirmed to ZDNet that both the Home Secretary and the Prime Minister have been informed directly. According to some press reports, the information on the laptop concerned Northern Ireland, although the Home Office would not confirm or deny this. The spokeswoman said the computer's data was encrypted and confirmed that any information held on it would be very difficult to retrieve. She would not disclose what type of encryption was in place or how strong it is.” (Knight 2000)

A laptop missing from MI5 (Military Intelligence Department 5), the British Intelligence Service, is extremely concerning given the risk of the information on the laptop being compromised. However the risk was greatly reduced thanks to encryption. For MI5 having a laptop stolen is in itself very embarrassing and a reputation damaging incident. Minimising the risk of physical theft, but also minimizing the risk of the stolen goods being used and/or abused, are important aspects of BS7799. An interesting effect when implementing BS7799 to reduce one risk factor, such as outlined above, is that another risk becomes more apparent, i.e. the risk to one’s reputation; the greatest concern has suddenly changed shape.

The above incidents are just one aspect of information security. The accidental loss of sensitive information happens all too frequently. Measures could be put in place to reduce the likelihood of this kind of incident occurring and to limit the damage if an incident does occur despite the measures for prevention.
4.1.6 British bank account holders’ details stolen from Indian call centres

The media recently brought to light yet another information security issue. Long known within IT circles, but usually denied or ignored by management, is the danger that comes from within. It is not just information lost that poses a risk, but also information theft. And contrary to what most managers try to convince themselves of, the threat does not only come from external people such as computer hackers (or crackers). In fact it is far more likely that you will be targeted by your own staff. “Soaring cost of cybercrime” (Manchester Evening News 2005) is the headline of an article which describes that over 50% of computer crime is committed by (often disgruntled) staff in cahoots with someone on the outside. Not only disgruntled staff are to blame for cyber crime from within. Organised crime has also recognised that working for a company is an easy way of gaining access to information with the intention of committing crime.

“Britain's banking industry – or at least those firms that have outsourced administrative operations to India – face a nightmare scenario after an undercover reporter for the Sun newspaper was sold confidential details of British bank account holders stolen from Indian call centres. The reporter allegedly paid £2,750 for the full account details – including secret passwords, addresses, phone numbers and credit card, passport and driving licence information. The Sun said that their reporter was told that he could purchase details of 200,000 bank accounts a month from more than one call centre.” (Management Issues News 2005)

This incident is a loss of face for the banks involved and may well lead to a loss of customers. Embarrassing as this is for the banks and call centres involved, it does give us a good example of information security related issues from inside the company. It may also be a reason to reconsider outsourcing and relocating.
And it is again not the first time such an incident has taken place. The article continues:

“The Sun's 'sting' comes a few months after a gang operating in a call centre near Bombay stole about £200,000 from the accounts of New York-based Citibank customers.” (Management Issues 2005)

4.1.7 £9m computer scam

There are many best practices that help to minimize internal threats. “£9m theft ‘mad’ accountant jailed” (Financial Spread Betting News 2005) is the headline of an article that illustrates just how important it is to follow some standard best practices. It describes how a member of staff used his colleagues’ computer passwords to commit fraud totalling up to £9m. The costs of cyber crime are huge.

4.1.8 Electronic crime cost UK companies an estimated £2.45bn last year

“Electronic crime cost UK companies an estimated £2.45bn last year, the National Hi-tech Crime Unit (NHTCU) announced on Tuesday. Out of 200 companies surveyed, 178 experienced some form of high-tech crime last year. Of those 178 firms, 90 per cent claimed to have had their systems intruded and 89 per cent said their data had been stolen. Detective Superintendent Mick Deats, deputy head of the National Hi-Tech Crime Unit, said: ‘Billions of pounds are being lost to the UK economy through high-tech crime. Over the past year we have seen a sustained increase in the professionalism of cyber criminals. Companies are taking the brunt of criminals' attempts to steal money and data, but consumers are also being hit.’ Speaking last week, Deats warned that organised gangs are taking a growing interest in cybercrime. Virus attacks hit 97 per cent of survey respondents, which cost them a total of more than £70m. Nine per cent had suffered financial fraud, at a cost of £68m.
The NHTCU highlighted that external hackers were not the only threat to companies — crimes committed by employees also ranked highly, with the sabotage of data listed as the number one problem.” (Ilett 2005)

This last article describes exactly what BS7799 is designed to minimize the effects and likelihood of: financial loss, virus attacks, fraud, hackers, sabotage etc. But BS7799 does not stop there; bugs, faults and human error are also a cause of disruption to information services and could lead to information being compromised, and once more BS7799 takes these issues on board.

4.1.9 Ekibastuz [Kazakhstan] – hydroelectric power station disaster

“To start with, the electric power plant may burn out because of just about anything. In Ekibastuz [Kazakhstan] under the Soviet regime, a large hydroelectric power station was burned to the ground because of the negligence of one extremely smart worker, who used a wrench to unscrew the cap from a pressurized oil vessel. A stream of oil shot up to the ceiling; the worker got scared and dropped the wrench, which hit against the steel floor and created a spark that set the stream of oil on fire. Then the lights went off.” (Latynina 2003)

Chapter 4.1.10 is a second example of a power outage, one which received more media attention and had consequences on a larger scale.

4.1.10 Northeastern United States and Southeastern Canada power blackouts

“On August 14, 2003, parts of the Northeastern United States and Southeastern Canada experienced widespread power blackouts. The US states of New York, New Jersey, Vermont, Michigan, Ohio, Pennsylvania, Connecticut, Massachusetts were affected. Among the major urban agglomerations touched by the electrical power outage in the United States were the cities of New York City, Albany, Buffalo in New York, Cleveland and Columbus in Ohio, and Detroit.
Ottawa and Toronto in Canada were also affected. Power was suddenly lost around 4pm Eastern Standard Time. The blackout resulted in the shutting down of nuclear power plants in New York state and Ohio, and air traffic was slowed as flights into affected airports were halted. Terrorism was quickly ruled out as a cause for the incident by federal authorities. Approximately 50 million people were affected by the outage. The cause of the outage was still being debated the following day, as efforts were still underway to restore power to affected areas. Industry and government experts were appearing to place the blame on an outdated interconnecting grid system.” (Global Security)

The power outage affected many businesses. The financial loss must have been in the billions of dollars, but no references could be found to obtain a rough estimate. Questions of how and why this could happen should be asked. The power outage caused significant loss of face for the companies involved and compensation claims are to be expected, possibly running into the billions.

4.1.11 Staff visiting unauthorized websites

BS7799 can also help to protect the individual within organisations. Not only does BS7799 insist that organisations comply with legislation such as the Data Protection Act, but also that an individual is not found guilty of misconduct without irrefutable evidence. An example of this is the BS7799-2:2002 control sets A9.5.3 and A9.5.4. A9.5.3 discusses having a unique user id accompanied by a suitable authentication mechanism, and control set A9.5.4 discusses the need to ensure that only quality passwords are used. (BSI 2002) In the United Kingdom an employee using his/her work computer to view any pornographic illustrations may be subjected to disciplinary action. It does however happen that some users share their username and password, which makes it difficult to prove guilt unless there are policies and procedures in place to control username and password use.
Control set A9.5.3 stipulates that the user id and password are for the sole use of the user only. (BSI 2002) When during a recent scan of visited internet sites it was discovered that some very explicit adult sites had been visited, it was very easy to track down which user was responsible. However the user identified was the least likely to have visited these sites, and after a brief discussion the user admitted sharing his password and username with other individuals. In some companies the user would have been fired if it were proven that he or she intentionally and frequently visited unauthorized web sites; sharing his or her username and password would have been his/her own responsibility.

4.2 BS7799 to counteract information security breaches

BS7799 could have helped to reduce the risk and likelihood of the incidents outlined above and can help to ensure your business continuity and recovery plan is effective (for example in case of a terrorist attack). In this section I will draw links between the incidents described and BS7799-2:2002. For each incident I will indicate which elements of the standard could have been useful to reduce risk and likelihood. All tables used in this chapter are derived from BS7799-2:2002 Annex A. (BSI 2002)

4.2.1 The London terrorist attacks 7-7-2005

As for the Manchester businesses back in 1996, efficient continuity planning in case the unexpected happens will in many cases determine the survival of London businesses and businesses dependent on London. It is however true that the United Kingdom has let its guard down since the major IRA bombings seemed to become less frequent. However the IRA did plant and detonate a bomb in Ealing Common in 2001 (BBC 2001a) and blew up a taxi in front of the BBC building that same year.
(BBC 2001b) Then on 9-11-2001 two planes crashed into the World Trade Centre in New York in a terrorist attack. (CNN 2001) ‘Operation Iraqi Freedom’, the war on Iraq, was launched on March 20, 2003, and many believed, and others made threats, that this would lead to an increase in terrorist attacks on western nations. (BBC 2005) So was a terrorist attack on a major city in the United Kingdom really unexpected, or…

“Police have even said a terror strike was not a question of ‘if’ but ‘when’.” (Rice-Oxley 2005)

Reviewing the above, a business continuity plan for businesses in major cities in the United Kingdom, or depending on suppliers or customers in major cities, should have considered the possibility of a terrorist attack, assessed the risk it could pose to the business and taken steps to minimize the consequences to the business should such an event occur.

4.2.2 IRA bombing of Manchester 1996

250 companies went out of business due to the bombing. (Deloitte & Touche 2004) Although it is hard to put a finger on the exact cause, this was widely attributed to a lack of business continuity planning and testing of these plans. BS7799-2:2002 states (BSI 2002):

Controls A11.1 Aspects of business continuity management
Control objective: To counteract interruptions to business activities and to protect critical business processes from effects of major failures or disasters.
A11.1.1 Business continuity management process: There shall be a managed process in place for developing and maintaining business continuity throughout the organisation.
A11.1.2 Business continuity and impact analysis: A strategy plan, based on appropriate risk assessment, shall be developed for the overall approach to business continuity.
A11.1.3 Writing and implementing continuity plans: Plans shall be developed to maintain or restore business in a timely manner following interruption to, or failure of, critical business processes.
A11.1.4 Business continuity planning framework: A single framework of business continuity plans shall be maintained to ensure that all plans are consistent, and to identify priorities for testing and maintenance.
A11.1.5 Testing, maintaining and re-assessing business continuity plans: Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
Table 4.1 Annex A11.1, Aspects of business continuity management.

If BS7799-2:2002 Annex 11.1 and its sub control sets are implemented a business stands a far better chance of surviving the unexpected, mainly because most of ‘the unexpected’ events are no longer unexpected but are actually well considered scenarios, and steps are taken to continue the business if ‘the unexpected’ does occur. Terrorist attacks by the IRA are not unheard of (chapter 4.2.1); hence they should have been, and should be, in the continuity plans of any business in, or depending on suppliers or customers in, a major city in the United Kingdom.

4.2.3 Maxine Carr – theft of documents

The theft of key documents relating to the release of Maxine Carr was a disturbing incident. Depending on the value of the asset, in this case the key documents, appropriate security measures should be considered. Judging by the comments of the Home Office in the case of the Maxine Carr documents, “a thorough investigation will be carried out” (BBC 2004), the value of the asset was high and the measures taken to protect the asset were not adequate.

The control sets that describe the situation best would be BS7799-2:2002 A12.1.3/4 and A8.7.2.
(BSI 2002)

Controls A12.1 Compliance with legal requirements
Control objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
A12.1.3 Safeguarding of organisational records: Important records of an organisation shall be protected from loss, destruction and falsification.
A12.1.4 Data protection and privacy of personal information: Controls shall be applied to protect personal information in accordance with relevant legislation.
Table 4.2 Annex A12.1, Compliance with legal requirements.

Controls A8.7 Exchange of information and software
Control objective: To prevent loss, modification or misuse of information exchanged between organizations.
A8.7.2 Security of media in transit: Media being transported shall be protected from unauthorized access, misuse or corruption.
Table 4.3 Annex A8.7, Exchange of information and software.

It is quite possible that the above measures were already in place, but if so they were not effective and an urgent review is required. A requirement of BS7799 is to periodically review the system and identify areas for improvement. A follow-up to implement and retest is a further requirement of the standard (BS7799-2:2002 Clause 6.2 Review input and 6.3 Review output). Leaving an asset in a relatively insecure environment such as a car (it is a well known fact that cars get broken into every day) means that either the policy on the security of the kind of asset in question was inadequate, something that should have been noticed during a review of the system, or that the employee in question did not follow procedure/policy. If the employee did not follow procedure/policy, BS7799-2:2002 Annex 6.2 User training may not have been implemented effectively or at all.
Controls A6.2 User training
Control objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.
A6.2.1 Information security education and training: All employees of the organisation and, where relevant, third-party users, shall receive appropriate training and regular updates in organizational policies and procedures.
Table 4.4 Annex A6.2, User training.

However if the employee chooses to ignore the policies and/or procedures, BS7799-2:2002 Annex 6.3.5 Disciplinary process should be applied.

Controls A6.3 Responding to security incidents and malfunctions
Control objective: To minimize the damage from security incidents and malfunctions, and to monitor and learn from such incidents.
A6.3.5 Disciplinary process: The violation of organisational security policies and procedures by employees shall be dealt with through a formal disciplinary process.
Table 4.5 Annex A6.3, Responding to security incidents and malfunctions.

As you read through the explanation of how BS7799 could have made a difference in the above examples you will have noticed that in some situations there can be many factors influencing a situation, and that BS7799 has many a clause that can be applied to these situations. For the sake of completeness I will continue to outline the most relevant clauses and annexes of BS7799-2:2002 in detail for the incidents still to be discussed.

4.2.4 Disappearance of counter-terrorism plans for Heathrow Airport

Finding an asset of this importance in a lay-by means that something went very wrong. Was the information not properly labelled and accidentally discarded? Was it taken and left on purpose for someone to find? Did someone lose it?
Controls A5.2 Information classification
Control objective: To maintain appropriate protection of organisational assets.
A5.2.2 Information labelling and handling: A set of procedures shall be defined for information labelling and handling in accordance with the classification scheme adopted by the organisation.
Table 4.6 Annex A5.2, Information classification.

Annex 5.2.2 helps to ensure that valuable assets are recognised as such and are not improperly handled. So if the counter-terrorism plans had been labelled as high value assets it would have been less likely that someone would have just discarded them as normal rubbish.

Controls A6.1 Security in job definition and resourcing
Control objective: To reduce the risk of human error, theft, fraud or misuse of facilities.
A6.1.2 Personnel screening and policy: Verification checks on permanent staff, contractors, and temporary staff shall be carried out at the time of job applications.
Table 4.7 Annex A6.1, Security in job definition and resourcing.

Annex 6.1.2 helps to minimise the likelihood of taking on an employee who is less trustworthy and whose motivation in applying for the job may not be to contribute to the well-being of the company. In the case of the counter-terrorism plans it may have helped to deter or detect any individual whose purpose in getting the job was to extract particular information for a third party. Without proper checks a company could hire a terrorist who then has access to all counter-terrorism plans, which could severely endanger the country.

Controls A8.6 Media handling and security
Control objective: To prevent damage to assets and interruptions to business activities.
A8.6.2 Disposal of media: Media shall be disposed of securely and safely when no longer required.
A8.6.3 Information handling procedures: Procedures for the handling and storage of information shall be established in order to protect such information from unauthorised disclosure or misuse.
Table 4.8 Annex A8.6, Media handling and security.

The control sets 8.6.2 and 8.6.3 from Annex 8.6 point out that we should look closely at the information we are handling and, if we dispose of media, do so responsibly. This could have helped prevent sensitive papers being dumped in a lay-by.

Controls A12.1 Compliance with legal requirements
Control objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and any security requirements.
A12.1.3 Safeguarding organisational data: Important records of an organisation shall be protected from loss, destruction and falsification.
Table 4.9 Annex A12.1, Compliance with legal requirements.

Reading annex 12.1.3 and comparing it to the incident of papers being found in a lay-by, it is clear that this control set was either not in place or not followed. If it had been in place and adhered to, the chance of these papers being found in a lay-by would have been greatly reduced.

4.2.5 MI5 agent has laptop stolen at Paddington station

Finally, an example of an incident in which information went missing together with the asset holding it, but where there was actually a form of protection in place to minimise the damage.

Controls A9.8 Mobile computing and teleworking
Control objective: To ensure information security when using mobile computing and teleworking facilities.
A9.8.1 Mobile computing: A formal policy shall be in place and appropriate controls shall be adopted to protect against the risks of working with mobile computing facilities, in particular in unprotected environments.
Table 4.10 Annex A9.8, Mobile computing and teleworking.

Controls A10.3 Cryptographic controls
Control objective: To protect the confidentiality, authenticity or integrity of information.
A10.3.2 Encryption: Encryption shall be applied to protect the confidentiality of sensitive or critical information.
Table 4.11 Annex A10.3, Cryptographic controls.

In the case of the stolen MI5 laptop it is evident that the control sets discussed above, or similar ones, were in place. A laptop could still be stolen, but thanks to these or similar control sets the resulting damage was greatly reduced. Annex A9.8 concentrates on mobile computing and teleworking.
• Mobile computing is making use of a device such as a laptop, palmtop, notebook, mobile phone etc.
• Teleworking is making use of communications technology to enable staff to work remotely from a fixed location outside of the organisation.

4.2.6 British bank account holders' details stolen from Indian call centres

If you cannot trust your own people then whom can you trust? Apart from having logs of what is happening on your system and regularly checking these, you can also look at annex A6.1.2 Personnel screening and policy.

Controls A6.1 Security in job definition and resourcing
Control objective: To reduce the risk of human error, theft, fraud or misuse of facilities.
A6.1.2 Personnel screening and policy: Verification checks on permanent staff, contractors, and temporary staff shall be carried out at the time of job applications.
Table 4.12 Annex A6.1, Security in job definition and resourcing.

Although having verification checks for job applicants in place could be a deterrent for many, if the opportunity for crime has great potential benefit, professional crime syndicates will not easily be stopped and they may succeed with their criminal activities for an unknown period of time.
This leads to another possible prevention mechanism known as segregation of duties. Annex A8.1.4 applies to just this.

Controls A8.1 Operational procedures and responsibilities
Control objective: To ensure the correct and secure operation of information processing facilities.
A8.1.4 Segregation of duties: Duties and areas of responsibility shall be segregated in order to reduce opportunities for unauthorised modification or misuse of information services.
Table 4.13 Annex A8.1, Operational procedures and responsibilities.

But there can be a conflict when segregating duties. Although it makes it far more complex to misuse information services, it may also hinder staff in carrying out their duties and consequently lead to a reduced level of customer service. The balance between confidentiality, integrity and availability, as briefly discussed in chapter 2.2.1, needs to be considered before implementing segregation of duties. Information security is always a trade-off between these factors.

4.2.7 £9m computer scam

An interesting case of an employee using colleagues’ user accounts and passwords to defraud the company.

Controls A9.5 Operational system access control
Control objective: To prevent unauthorised computer access.
A9.5.2 Terminal log-on procedures: Access to information services shall use a secure log-on process.
A9.5.3 User identification and authentication: All users shall have a unique identifier (user ID) for their personal and sole use so that activities can be traced to the responsible individual. A suitable authentication technique shall be chosen to substantiate the claimed identity of the user.
A9.5.4 Password management system: Password management systems shall provide an effective, interactive facility which aims to ensure quality passwords.
Table 4.14 Annex A9.5, Operational system access control.

The main question is: who breached the policy? If the employee was able to obtain usernames and passwords from colleagues then the colleagues did a very poor job of following A9.5.3, or the passwords that were allowed to be used were of poor quality and easy to hack/crack. With A9.5.2, A9.5.3 and A9.5.4 in place and properly implemented, the chances of this employee defrauding the company would have been extremely slim.

4.2.8 Electronic crime cost UK companies an estimated £2.45bn last year

The article discusses the most common external threats to information security. I will highlight one threat that stands out: virus attacks. “Virus attacks hit 97 per cent of survey respondents” the article reads. The risk of a virus infection/attack should have been identified during the risk assessment phase (BS7799-2:2002 clause 4.2.1 c, d, e and f). (BSI 2002)

Controls A8.3 Protection against malicious software
Control objective: To protect the integrity of software and information from damage by malicious software.
A8.3.1 Controls against malicious software: Detection and prevention controls to protect against malicious software and appropriate user awareness procedures shall be implemented.
Table 4.15 Annex A8.3, Protection against malicious software.

Clauses (BSI 2002):
4.2.1 c) Define a systematic approach to risk assessment
4.2.1 d) Identify the risks
4.2.1 e) Assess the risks
4.2.1 f) Identify and evaluate options for treatment of risks

Thus, having identified the risk of a virus attack and having assessed the likelihood and the severity of the risk when it materialises, appropriate options for treatment should have been selected. In the case of a virus attack annex 8.3.1 seems most appropriate. Detection and prevention is usually accomplished by installing anti-virus software.
Having such software in place and ensuring that it gets updated on a regular basis minimises the likelihood of, and the vulnerability to, a virus infection. The better anti-virus applications will prevent most viruses from causing damage even if the system does get infected. The companies losing money due to virus attacks should start to wonder why they are still vulnerable.

4.2.9 Ekibastuz [Kazakhstan] - hydroelectric power station disaster

Due to the negligence of one member of staff the power station was burned to the ground. The staff member was negligent in his actions. All an organisation can do about this kind of situation is to make staff aware and to keep them aware. In this case the questions should be asked whether the member of staff was properly trained to do his job, and whether the environment in which the member of staff was working was secure. However, this is not an information security issue. This example would be best mentioned when looking at health and safety related matters. Yes, BS7799-2:2002 Annex 6.1 (BSI 2002) does indeed state that there are controls to reduce the risks from human error, which this certainly was. However, the BS7799-2:2002 standard does not deal with health and safety related issues. It does happen occasionally that non-BS7799-2:2002 issues are included in the Information Security Management System, and adding additional controls is certainly allowed (we are not restricted to the BS7799-2:2002 Clauses and Annexes). However, these controls should to a large extent reflect information security issues. What could be an interesting and relevant issue in this incident is the contingency planning of the hydroelectric power station. This question will be discussed for the next, very similar incident.

What is important though in the current incident is the analysis of the risk of fire and the possible consequences. The main focus of risk assessment should have concentrated on the possible sources of fire and controls should have been put in place to prevent any identified source. This is a BS7799-2:2002 requirement, clause 4.2.1 d, e, f. (BSI 2002) However, due to the very manner in which the fire was ignited, it is doubtful that this source of fire risk was or would have been identified.

4.2.10 North-eastern United States and South-eastern Canada power blackouts

On August 14, 2003, parts of the North-eastern United States and South-eastern Canada experienced widespread power blackouts. Apparently the power outage was caused by an outdated interconnecting grid system. A power grid is described as “The network of transmission lines that link all generating plants in a region with local distribution networks to help maximize service reliability” (Energy Smart library 2005). As for the company managing the interconnecting grid system, it should have carried out regular reviews of the system and associated risks. The question of ‘what if the grid does give in’ should have been asked and answered. The answer should have been part of the business continuity plan and the plan should have been tested at regular intervals.

Controls A11.1 Aspects of business continuity management
Control objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
A11.1.2 Business continuity and impact analysis: A strategy plan, based on appropriate risk assessment, shall be developed for the overall approach to business continuity.
A11.1.3 Writing and implementing continuity plans: Plans shall be developed to maintain or restore business operations in a timely manner following interruption to, or failure of, critical business processes.
A11.1.4 Business continuity planning framework: A single framework of business continuity plans shall be maintained to ensure that all plans are consistent, and to identify priorities for testing and maintenance.
A11.1.5 Testing, maintaining and re-assessing business continuity plans: Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
Table 4.16 Annex A11.1, Aspects of business continuity management.

All of BS7799-2:2002 Annex 11.1 (BSI 2002) clearly expresses the need to take into consideration a situation in which things can go horribly wrong. Had the standard been implemented properly, the likelihood of a catastrophe on this scale happening would have been extremely small. On failure of the power grid a backup grid should have been able to take over successfully. But that is exactly where experts believe the real problem occurred. The grids that took over were not capable of handling the electricity and a complete network overload occurred. Proper analysis and testing should have brought the problem to light at a much earlier stage; this could have prevented the disaster. For all companies affected by this power outage it can only be hoped that they in turn did have an effective disaster recovery plan. However, yet another control set of BS7799-2:2002 actually applies to this very situation.
Controls A7.2 Equipment security
Control objective: To prevent loss, damage or compromise of assets and interruption to business activities.
A7.2.2 Power supplies: Equipment shall be protected from power failures and other electrical anomalies.
Table 4.17 Annex A7.2, Equipment security.

What happens if suddenly the electricity supply feeding your equipment (i.e. server systems) has extremely high peaks and then stops completely? First, your equipment must be protected using surge protection to filter out the surge; an uninterruptible power supply (UPS) can add additional filtering. A UPS will also supply power for a limited period of time, enough to safely shut down your systems. Not shutting down your systems in a safe manner can cause severe damage to the systems, and this applies to production lines, server systems and much more electrical equipment. Some industries, such as hospitals, need backup generators for their processes because they require constant power. Control set A7.2.2 (BSI 2002) is designed with this in mind, and by correctly implementing this control set a lot of damage can be prevented. Note that we discuss two different categories of backup power.
• The UPS – a battery that enables secure shutdown of systems in case of a power failure.
• The backup generator – a machine generating electricity for a longer time period. The time period is dependent on the availability of fuel for the generator.

4.2.11 Staff visiting unauthorized websites

So what happens in the United Kingdom (UK) when a staff member of a company has visits to porn sites against his or her name in the internet log files? This is a serious offence and would lead to disciplinary action, perhaps even resulting in the dismissal of the member of staff.
Controls A9.7 Monitoring system access and use
Control objective: To detect unauthorized activities.
A9.7.1 Event logging: Audit logs recording exceptions and other security relevant events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
A9.7.2 Monitoring system use: Procedures for monitoring the use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.
Table 4.18 Annex A9.7, Monitoring system access and use.

Organisations should have control sets A9.7.1 and A9.7.2 in place to spot security breaches effectively. Annex 9.5 control sets A9.5.2, A9.5.3 and A9.5.4 will help to ensure there are no errors in finding the source of any security related incidents discovered whilst examining the log files. (BSI 2002)

Controls A9.5 Operational system access control
Control objective: To prevent unauthorised computer access.
A9.5.2 Terminal log-on procedures: Access to information services shall use a secure log-on process.
A9.5.3 User identification and authentication: All users shall have a unique identifier (user ID) for their personal and sole use so that activities can be traced to the responsible individual. A suitable authentication technique shall be chosen to substantiate the claimed identity of the user.
A9.5.4 Password management system: Password management systems shall provide an effective, interactive facility which aims to ensure quality passwords.
Table 4.19 Annex A9.5, Operational system access control.

If the users received sufficient training in information security (annex 6.2 below) they will know never to share their user accounts and passwords with anyone, not even the IT department. If they do, it is most likely that they will be held responsible for any security breaches linked to their user ID. Thus adherence to the control sets of BS7799-2:2002 can actually protect users from the evil intentions of others.
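As an added illustration, not part of the dissertation or of the IQA's systems, of how an A9.7.2 log review depends on A9.5.3 traceability: the script below reviews constructed internet access log lines against a constructed account directory and separates findings that can be attributed to a named individual from those logged under a shared or unregistered ID. The log format, host names, user IDs and the account directory are assumptions made for the example.

```python
"""Added example: reviewing an internet access log under BS7799 A9.7 / A9.5.

The log format, user IDs, hosts and account directory below are all
constructed for illustration; they are not the IQA's logs or systems.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log lines: "<timestamp> <user ID> <destination host> <verdict>".
# The verdict is assumed to come from the proxy's own filtering policy.
SAMPLE_LOG = """\
2005-08-01T09:12:03 jsmith news.example.org allowed
2005-08-01T09:14:41 jsmith intranet.example.local allowed
2005-08-01T09:20:15 reception filtered-site.example.net blocked
2005-08-01T10:02:59 pjones filtered-site.example.net blocked
this line is malformed and must be skipped
2005-08-01T10:05:10 reception filtered-site.example.net blocked
2005-08-01T10:07:33 pjones news.example.org allowed
2005-08-01T11:30:00 guest filtered-site.example.net blocked
"""

# Constructed account directory. Under A9.5.3 every user should have a
# personal ID; "reception" is a shared login and "guest" is not registered.
ACCOUNTS = {"jsmith": "personal", "pjones": "personal", "reception": "shared"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (allowed|blocked)$")


@dataclass(frozen=True)
class Finding:
    user_id: str
    host: str
    count: int
    attributable: bool  # True only if the ID maps to one responsible person


def parse_log(text):
    """Return (timestamp, user, host, verdict) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def review_log(text, accounts):
    """A9.7.2-style review: blocked events grouped by (user, host), each marked
    with whether A9.5.3 traceability holds for that user ID."""
    counts = defaultdict(int)
    for _ts, user, host, verdict in parse_log(text):
        if verdict == "blocked":
            counts[(user, host)] += 1
    findings = []
    for (user, host), n in sorted(counts.items()):
        attributable = accounts.get(user) == "personal"
        findings.append(Finding(user, host, n, attributable))
    return findings


def traceability_gaps(findings):
    """User IDs whose blocked events cannot be tied to an individual. These are
    control failures to fix (remove shared logins, register every user), not
    disciplinary cases against a person."""
    return sorted({f.user_id for f in findings if not f.attributable})


if __name__ == "__main__":
    results = review_log(SAMPLE_LOG, ACCOUNTS)
    for f in results:
        state = "traceable" if f.attributable else "NOT traceable"
        print(f"{f.user_id:10} {f.host:28} x{f.count}  {state}")
    print("traceability gaps:", traceability_gaps(results))
```

Only the finding against pjones can go to the disciplinary process of A6.3.5; the reception and guest entries show where A9.5.3 is not being met and the shared or unregistered logins must be removed first.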
We have already seen, in the incident of the ‘£9m computer scam’, how not following Annex 9.5 can result in fraud by a fellow member of staff.

Controls A6.2 User training
Control objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organisational security policy in the course of their normal work.
A6.2.1 Information security education and training: All employees of the organisation and, where relevant, third-party users, shall receive appropriate training and regular updates in organisational policies and procedures.
Table 4.20 Annex A6.2, User training.

4.3 Summary

In this chapter we discussed many information security incidents that are publicly available on the internet and in newspapers. We have also looked at a less publicised issue that does occur in organisations throughout the world on a daily basis. For all the incidents we were able to identify one or more clauses or annexes from BS7799-2:2002 that would have helped reduce the risk, likelihood and consequence of the incident. In some cases implementing BS7799 would have given the organisation in question a far better chance of recovering from the incident and continuing with business as usual. This chapter is aimed at learning about the wide range of issues covered by BS7799, at convincing you, the reader, and at helping to convince management of the value of implementing the standard. It is worth noting that the examples discussed in this chapter are just a handful of the thousands of information security incidents that have been published in the past year, and there are many thousands more which we will never know about.

I have been told many stories by many people I met during this research; stories about people walking away with complete mainframe computers, laptops being collected from offices by people posing as IT staff and many more. And although, just as in the press, the stories may be undersold or oversold, there is an element of truth in all of them, which means that security incidents do happen and they happen an awful lot. Unfortunately success stories of how BS7799 prevented a serious disaster are difficult to find. This is because BS7799, if implemented, maintained and managed well, does indeed prevent information security incidents, and therefore most incidents that did not happen, because they were prevented, will go unnoticed.

5. Results - Implementation and its difficulties

In this chapter I will seek to answer the remaining research questions:
• How to implement BS7799 successfully?
• What are the main problems related to implementing BS7799?
• How to tackle the problems related to implementation of BS7799?

This is done by actually implementing the BS7799 ISMS within the Institute of Quality Assurance (IQA) and using the experience and lessons learned not only to answer the research questions, but also to help other organisations with their implementation of BS7799.

5.1 What changed at the IQA?

Implementing BS7799 at the IQA has changed the state of information security in the organisation. To achieve this, co-operation of all departments was required, in particular the Human Resources (HR) department and the IT department. Two staff members of the IT department, one assistant and I, followed both a BS7799 workshop and a BS7799 Lead Auditor Course. I also studied many websites, books and papers on the subject, in particular the Code of Practice (BSI 2000) and Specification with guidance for use (BSI 2002).
In the past three months the IQA went through all stages of the Plan and Do phases and, where possible, the Check and Act phases. These last two phases however have elements that could not be looked at in the timescale available for writing this dissertation. During implementation many existing policies, procedures and workflows were revisited whilst others were created from scratch, especially whilst looking at the statement of applicability (SoA). Examples of these are:
• Agreement on network access and data ownership
• Assets and their risk level document (Appendix K)
• Asset owner history is now recorded in the IT Management system (Appendix M)
• Backup schedule and procedures
• Communications and computer use policy, including regulation on internet use, use of the local area network and email (Appendix S)
• Control of portable assets such as laptops and memory sticks
• Escort of visitors and contractors
• Forms for new staff stating their IT requirements, including IT security requirements (Appendix P)
• Forms for staff leaving, ensuring that user accounts cannot be used by the leaving staff member after their last day of work at the IQA
• Housekeeping policy and procedure for email (due to the space required for repairing email databases) (Appendix O)
• Installation and improved control of Sophos Anti Virus software
• IT Test (a test used to screen IT knowledge of new and current staff) (Appendix Q)
• Licensing control using the IT Management system in combination with Active Directory, which in turn is used to assign and distribute software applications to computers (Appendix N)
• Logging of security incidents in the IQA IT Management system
• New and more manageable way of asset registration (Appendix M)
• New group policies for staff working remotely, for example staff in Japan (teleworking)
• New policy on desktop use by visitors and trainers
• Password policy change (adhering to Microsoft password policies)
• Risk assessment document (Appendix D)
• Risk treatment plan (Appendix E)
• Schedules for backup restore testing
• Scope statement (Appendix B)
• Secure internet connection for remote workers (teleworking)
• Security policy (Appendix C)
• Server room access policy (Appendix R)
• Statement of applicability (be aware that this is 15 pages and takes over 3 days to write)
• The front door to the basement is now locked after use by the cleaners
• Warranty and financial information is now linked directly to assets in the IT Management system

The Security policy, Scope statement, Statement of applicability, Risk assessment document and Risk treatment plan are all based on templates kindly provided by Victor Parry (Chartered FCIPD and IRCA Registered Principal Auditor BS7799).

At the IQA, from the IT perspective alone, we cover over 400 assets. These include over 15 asset groups such as desktops, laptops, servers, backup USB devices, monitors, USB sticks, telecoms equipment, licenses, warranty agreements, contracts etc. As mentioned before, co-operation is required from all departments in order to implement BS7799; this is because many of the policies and procedures apply to all staff.
In the IQA this applies to about 60 staff spread over 14 departments.

5.2 Pre-requisites

In this chapter we will go through the implementation of BS7799 at the Institute of Quality Assurance, revisiting all stages of the project. It is important first of all to gain management support for this project, and the discussion of incidents above may give management a better insight into why implementing BS7799 is of benefit to the organisation. Unfortunately not every manager can see the logic behind implementing BS7799. Even worse, some cannot see the logic behind even the most basic security measures, no matter how obvious they are in your eyes. Analogies between security issues and daily occurrences might help. A computer firewall could be compared to a lock on the door. Using a username and password can be compared with using a bank account number and PIN code. But if, despite your efforts, management simply cannot see the benefits of implementing BS7799 then the project is doomed before you have even started.

5.2.1 Understanding the issue

When I asked Victor H. Parry, Chartered FCIPD and IRCA Registered Principal Auditor BS 7799:2-2002, about resistance to change, something we will discuss during the Do phase, he answered me, but what he wrote I deemed more suitable for this section about management support than for the section about resistance to change. Victor wrote:

“Hi JR, if I understand your question correctly then the following is what I have found to be the biggest resistance to change by some managers when implementing BS 7799: Unlike the ISO 9001 Quality Management System where you can quantify financially the improvements brought about by implementing a management system e.g. higher productivity, less errors, reduced waste, shorter downtime, less rework, fewer warranty claims etc, BS7799 is far more difficult to justify in terms of higher profits. It is hidden in terms of how much damage has been avoided / reduced by protecting your company from an attack. Whether this be a logical, personal or even physical attack. A company often finds out too late after the event, very often the damage has already been done. In extreme cases this actually results in the company going bust. At best it causes disruption and impacts on the company's financial performance, not to mention damage to the organisation's image and reputation. The problem is that when an organisation does implement policies, practices and procedures to protect its assets this will often eliminate unnecessary risks and potential attackers are unsuccessful, however this is not always obvious and visible so management are unaware of how effective their management system has worked.” (Parry 2005)

5.2.2 How not to implement BS7799

Management support is very important, as a BS7799 consultant tells me. Because I do not wish to put him or the company he works for in an awkward position, I will not name the consultant nor the companies involved. This is his experience of implementing BS7799 without sufficient management support.

At the beginning of last year a company was told by one of its customers that it would lose a multi-million pound contract unless it implemented BS7799 and became certified by the end of this year. Reason enough to get full top management support? The consultant was drafted in shortly after the announcement last year, but due to a complete lack of management and top management support the project did not move. Top management’s attitude was that the consultant would somehow have to get that piece of paper on the wall (referring to the BS7799 certificate); it was not their problem. No project owner was appointed within the company and no resources were allocated.
It was not until October last year that a business analyst was recruited and allocated to the project. Finally there was a project owner, who persuaded the management and part of top management to take a positive approach to the project. One of the managers involved was the Human Resources (HR) manager. The consultant had previously arranged a meeting with the HR manager; this meeting however was cancelled by top management, who could not imagine what her role in implementing BS7799 could possibly be and found it a waste of time to have her participate. But the business analyst managed to get her and others involved, despite top management’s attitude. From the time the consultant started at this company early last year until it finally obtained its certification this September, the company had grown from 70 staff to 105. It has significantly increased its revenue and managed, just in time, to keep the multi-million pound contract. Unfortunately it also left a consultant very frustrated.

5.2.3 BS7799 – Not an IT issue

But I am told of more positive experiences by the same consultant. The consultant had worked for many companies where full management support was given. The result was BS7799 implementation within 2 to 4 months. Management support, so I am told, also helps with the usually negative attitude towards change. The consultant also illustrates the importance of BS7799 to management. As it is not a project that generates revenue there is in principle no interest in BS7799 implementation. It is recognised that it needs to be done, but responsibility is not taken and the issue is constantly downgraded in priority. Many companies regard BS7799 as an IT issue; it is therefore interesting that when the British Government made it compulsory for all its branches to implement BS7799, a key requirement was that the project owner has to be a non-IT person.

The problem with assigning a project as ‘just an IT issue’ is the issue of ownership, an issue we discuss in the Do phase. At the IQA the director of IRCA, who is also head of IT, has given his support to this project; however, he is concerned about the attention other projects will receive during the implementation of BS7799. The recent London bombings did help in shifting the focus, and the urgency behind this project has become more apparent. But another project has taken precedence and the scope of implementing a BS7799 ISMS has been reduced to the core department involved only: the IT department and its assets.

5.2.4 A cultural change

It is important not just to implement BS7799, write all policies and procedures and then forget about it. BS7799 must become part of the work culture of the organisation and should be enforced through policies and procedures that are part of the daily routine. It is easiest to enforce as much as possible by means of the software that is used daily, but this is not an option for all aspects of the standard. Using a unique username and password is easily applied using standard options in many of today’s operating systems, but getting people NOT to give out their username and password is not easily done. Training in security aspects and raising awareness can reduce the likelihood of people doing so, but cannot prevent it, and neither can any software tool. The best approach is to make policies and procedures part of the work ethos. When, for example, IT asks for a password, people either ask why IT can’t just look it up themselves or just give the password. IT must explain very clearly to users that passwords are one-way encrypted and that IT cannot look up any passwords. It would be a very positive sign if users did raise a very important question when IT does ask for their password: why does IT need my password?
If anyone but IT asks for the password, the user should not just ask why but also report the incident to IT. To embed this and other best practice, as set out in policies and procedures, in the organisation's culture we must lead by example. Having top management suggest that we should abolish the use of usernames and passwords does not help, but this did happen in the IQA. How can we then expect anyone else to take the use of username and password seriously? However, when top management is convinced of the best practice and openly leads by example, by which I mean announcing their adherence to it in public, i.e. during staff and management meetings, we are on to a winner.

5.3 The Plan phase

The plan phase consists of five sections that must be in place for certification. Together they form the foundation of the Information Security Management System (ISMS). We illustrate the most natural flow through the five sections in figure 5.1.

Figure 5.1 The plan phase flowchart: Scope, Information Security Policy, Risk Assessment, Options for risk treatment, Statement of Applicability (SoA).

5.3.1 The Scope

The objective of this section is to define a scope document such as the one created for the IQA (appendix B). In the plan phase we should start with drawing up the scope. It should define to which departments and assets the ISMS applies. I have included the scope document of the IQA here for ease of reading; a copy can also be found in the appendix (appendix B). You will notice that in this scope I have listed many departments to be included at a later stage. You do not have to do this. It is also possible to state which departments are not included in the scope, something that might happen in a very large company where only one or two departments are to be left out.

I believe it is best to start the ISMS implementation at the most central department and the assets it is responsible for, and to involve the other departments one by one. This way you have more control over the project, and you can divide the project into multiple phases and set milestones. I also believe that once you have completed the work within the main department and its assets, including other departments in the scope should be far easier. You will have gained experience and knowledge during the implementation of the BS7799 ISMS in the first department and will be better prepared for implementation in the departments to follow. Adjusting the scope is very easy and the Statement of Applicability (SoA) will require only minor tweaks. The documents produced during implementation in the IQA reflect the IT department and the assets traditionally seen as its responsibility. When implementing an ISMS across the whole of an organisation, the signature required and the responsibilities defined should not be those of the IT Manager but preferably of top management.

Scope of the Information Security Management System BS7799 Part 2

The scope of the information security management system in IQA/IRCA covers the following: All operational, technical, networking, desktop, administration and management functions at the Grosvenor Crescent office.

Departments within scope:
1. Desktops, servers, LAN, printers, data storage devices
2. IT Services Department

To be included at a later stage in the following order:
1. Site Security
2. IRCA Certification
3. IRCA Training
4. Facilities
5. Accounts
6. Publishing
7. IQA Training & Events
8. IQA Education
9. IQA Membership

The departments that are currently not in scope do make use of IT assets which are in scope.
The users of the assets that are in scope will be made aware of the policies and procedures that apply to these assets.

Signed……………………… IT Manager Date……………………..

5.3.2 Information Security Policy

The objective of this section is to define a security policy. Appendix C contains the security policy drafted for the IQA.

After completing the scope, preferably including many departments, if not all, within your organisation, and having it signed off by top management, you can proceed to write the Information Security Policy. The Information Security Policy does not need to go into detail, i.e. it does not have to say that users need their own username and password, or can only log in on computers X and Y from 9.00 am till 5.00 pm. Instead it should communicate the intention of the ISMS. The policy can consist of three sections:
• Purpose
• Objectives
• Actions

Purpose

What is the reason to implement the policy and ISMS?

"The purpose of this information security policy is to protect all information assets, as defined within the scope, within the Institute of Quality Assurance (IQA) from all threats, whether internal or external, deliberate or accidental. Information within the IQA exists in many forms and the policy includes the protection of data stored electronically, transmitted across networks and printed or written on paper to safeguard the information of the company, its customers, employees and trading partners." (Appendix C)

Above is an example taken from the Information Security Policy of the IQA. In this example it is described why we need to implement the policy and the kind of assets at risk, but not what we would like to realise by implementation.

Objective

What is the outcome we wish to realise by implementing this policy? Below is section 2 of the Information Security Policy of the IQA.
In this section we describe what we hope to achieve by implementing this policy and the ISMS as a whole. Please note that this policy applies only to what is defined in the scope. In our case we are looking at the IT department and related assets only, and it is the IT Manager rather than top management who is committing to this.

"The objective of information security is to ensure business continuity and minimise damage by preventing and reducing the impact of security incidents. The implementation of this policy is needed to maintain, improve and demonstrate our integrity in our dealings with all our customers and trading partners. It is the policy of the IT department of the IQA to ensure:
• Information is protected against unauthorised access
• Confidentiality of information is assured
• Information is not disclosed to unauthorised persons through deliberate or careless actions
• The integrity of information is maintained
• The availability of information to authorised users when needed
• Regulatory and legislative requirements will be met
• Business continuity plans will be produced, maintained and regularly tested
• Information security training will be given to all staff
• All breaches of information security, actual and suspected, are recorded, reported and investigated
• The IT department is compliant with best practice as identified in ISO/IEC 17799." (Appendix C)

Actions

What do we need to do in order to realise the objective? Having listed why we are implementing the policy and the ISMS, one question is left: how? Below is section 3 of our policy, stating how we will achieve our intentions and who is responsible for this. An interesting aspect is the cooperation mentioned between the IT department and the Personnel department.
It is important to recognise that knowledge and experience are usually available within your company and can be obtained by involving other departments. The IT department is not as knowledgeable as the Personnel department when it comes to disciplinary processes.

"Standards, policies and security operating procedures will be produced to support this policy and will include: virus control, access control, personnel security, the use of e-mail, the Internet and the local network. A formal disciplinary process will be documented and implemented, in collaboration with the personnel department, for those employees who choose not to comply with company standards. The IT Manager has overall responsibility for maintaining this Policy and providing guidance on its implementation. It is the responsibility of each employee to adhere to the policies and procedures in their areas. This policy will be reviewed regularly to ensure it remains appropriate for the organisation." (Appendix C)

5.3.3 Risk Assessment

The objective of this step is to create a risk assessment document (Appendix D). With this comes a document detailing all assets and asset groups and their associated threats, level of vulnerability, level of likelihood of the threat and level of severity. Together these give the risk level against the asset or asset group (Appendix K). The risk assessment method used at the IQA consists of:
• Identifying the risks
• Assessing the risks
• Identifying and evaluating options for risk treatment (Appendix D)

In our risk assessment we use a 5-step methodology to identify and assess threats. We look at likelihood, severity and vulnerability, giving each a rating from 1 to 5 (very low, low, medium, high and very high).

Step 1 – review of asset inventory

In this step we create and maintain a register of the assets of interest.
A good register can help with much more than just risk assessment. Asset registers are often used by an accounts department to value the company and calculate depreciation. The IT department can use it to register incidents (security, technical and others) against assets and determine patterns which can be used to resolve issues. For IT the asset register can be used to control licensing, prevent theft and control assets.

Step 2 – Asset valuation

What is the severity of the threat for an asset or group of assets? What is the effect on the business if any asset or group of assets is stolen, destroyed, damaged, fraudulently used, or in any other way compromised? These levels of severity are classified from 1 to 5 (see above). This valuation of assets is different from the nominal monetary value of the assets. Losing papers (information assets) can cost the company customers and money, whereas the nominal monetary value of the actual ink and paper they are printed on is negligible in comparison. For each asset or group of assets in the inventory that is within our scope, we document the level of severity.

Step 3 – Identification of security threats and likelihood

We identify all possible threats and write them down. Then for each asset or asset group we look at all the threats that apply to it and the likelihood of each threat materialising. The likelihood is classified from 1 to 5 as discussed above. An example of likelihood is the chance of being the victim of a bomb attack. This depends very much on location and the global or local political situation. Lately the likelihood of this happening in London has increased dramatically. For each asset or group of assets in the inventory that is within our scope, we document each threat and its level of likelihood.

Step 4 – Identification of vulnerabilities

In step 4 we draw up a list of all vulnerabilities that apply to the organisation. Just to remind ourselves, a vulnerability is a source or situation with the potential for a threat to inflict harm. It does not cause harm or threats by itself, but if not managed it will lead to harm. An example of this would be having no locks on your doors. This could lead to a person stealing assets from the organisation without anything in place to stop them. A common burglar would try whether a door or window has been left open and seize the opportunity. Were we to manage this vulnerability, i.e. by placing locks on the doors, then the person could not just walk into the building and we would be less vulnerable to people stealing from the organisation. In this example we see:
• Threat – A person stealing from the organisation
• Likelihood – Burglary happens all too often; where the IQA is situated the neighbours have fallen victim to burglary three times this year already.
• Vulnerability – The lack of locks on doors (front/back door): in itself not a threat, but a situation to be exploited by a burglar.

But do not forget the trade-off we always need to consider between integrity, confidentiality and availability (chapter 2.2.1). If your business is a supermarket, locking your doors may secure your assets, but it prevents your customers from doing business with you. We match the vulnerabilities against assets and asset groups and document their level of vulnerability using the 1-5 scale.

Step 5 – Calculation of risk

Per asset or asset group we look at each threat that applies and sum the severity, likelihood and vulnerability. If more than one threat applies we take the average of the per-threat scores. The possible outcomes of our risk calculation range from a score of 3 to 15.
We divide the outcomes into three groups:
• 3-7 Residual risk – No action required
• 8-10 Medium risk – Control required
• 11-15 High risk – Control critical

If the level falls within the range 8 to 15 we need to apply controls to minimise the risk. Note that the average of several whole-number scores can fall between two bands (7.5, for instance); decide and document in the methodology how such a value is rounded, otherwise two assessors can band the same asset differently.

5.3.4 Options for risk treatment

The objective of this step is to identify options for risk treatment and evaluate them. The outcome can be used in a risk treatment plan like the one used in the IQA (Appendix E).

When we have identified and assessed the risk, we need to identify and evaluate options for the treatment of risks, which we can do based on our calculation in Step 5 of our risk assessment methodology. BS7799-2:2002 gives 4 examples of possible risk treatment options (BSI 2002):
• Applying appropriate controls
• Knowingly and objectively accepting the risks (provided they clearly satisfy the organisation's policy and the criteria for risk acceptance)
• Avoiding risks
• Transferring the associated business risks to other parties, e.g. insurers, suppliers

The risk treatment plan of the IQA can be found in Appendix E. In our methodology we have determined that if the risk level falls within 3-7 we can accept the risk and no action is required. For any risk level higher than 7 we need to implement control sets. The specification of risk acceptance criteria is required by BS7799-2:2002 clause 4.2.1c (BSI 2002). It is therefore useful to include the description of the 5-step methodology in the risk assessment document, so as to comply with clause 4.2.1 c-e at once.

Avoiding risks is usually not an option. Refusing to let people take their laptops off the premises would indeed avoid the risk of a laptop being stolen whilst out of the office, but it also limits the availability of the laptop and the information it provides access to.
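Before looking at the remaining treatment options, here is the 5-step scoring of section 5.3.3 and the acceptance bands above worked through in Python. This is an added illustration, not a document from the IQA ISMS nor anything from BS7799 itself: the assets, threats and ratings are constructed for the example, the function names are ours, and rounding a fractional average half up before banding is an assumption of the example, since the text gives whole-number bands. It also shows the first treatment option, applying a control, by lowering one asset's vulnerability rating and re-running the calculation.

```python
"""Worked example of the 5-step risk assessment (section 5.3.3) and the
acceptance bands used in risk treatment (section 5.3.4).

Added illustration, not an IQA document. Assets, threats and ratings below
are constructed. Scoring rule as in the text: severity (step 2), likelihood
(step 3) and vulnerability (step 4) each rated 1-5, summed per threat and
averaged over the threats that apply to an asset; 3-7 residual, 8-10
medium, 11-15 high. Rounding a fractional average half up is our assumption.
"""
from dataclasses import dataclass, field
from math import floor
from statistics import mean

SCALE = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}

# Acceptance bands from step 5: (inclusive upper bound, label).
BANDS = [
    (7, "Residual risk - No action required"),
    (10, "Medium risk - Control required"),
    (15, "High risk - Control critical"),
]


def rating(value: int) -> int:
    """Reject anything outside the 1-5 scale used for all three factors."""
    if value not in SCALE:
        raise ValueError(f"rating {value!r} is not on the 1-5 scale")
    return value


@dataclass
class Asset:
    """One entry in the asset register (step 1) with its ratings."""
    name: str
    severity: int                 # step 2: business impact if compromised
    vulnerability: int            # step 4: how exposed the asset is
    threats: dict[str, int] = field(default_factory=dict)  # step 3: threat -> likelihood

    def __post_init__(self) -> None:
        rating(self.severity)
        rating(self.vulnerability)
        if not self.threats:
            raise ValueError(f"{self.name}: no threats identified, cannot score")
        for likelihood in self.threats.values():
            rating(likelihood)


def threat_score(asset: Asset, likelihood: int) -> int:
    """Step 5, per threat: severity + likelihood + vulnerability, so 3..15."""
    return asset.severity + likelihood + asset.vulnerability


def risk_level(asset: Asset) -> float:
    """Step 5, per asset: average of the scores of all threats that apply."""
    return mean(threat_score(asset, lk) for lk in asset.threats.values())


def banded(score: float) -> int:
    """Round half up so the whole-number bands in the text can be applied (assumption)."""
    return floor(score + 0.5)


def classify(score: float) -> str:
    value = banded(score)
    for upper, label in BANDS:
        if value <= upper:
            return label
    raise ValueError(f"score {score} is outside the 3-15 range")


def assess(register: list[Asset]) -> dict[str, tuple[float, str]]:
    """Risk level and band for every asset, as the risk assessment document lists them."""
    return {a.name: (risk_level(a), classify(risk_level(a))) for a in register}


def apply_control(asset: Asset, new_vulnerability: int) -> Asset:
    """Treatment by applying a control: only the vulnerability rating changes.
    Severity belongs to the asset and likelihood to the threat, so both stay."""
    return Asset(asset.name, asset.severity, rating(new_vulnerability), dict(asset.threats))


# Constructed register; none of these names or numbers come from the IQA documents.
LAPTOPS = Asset("Laptops", severity=4, vulnerability=4,
                threats={"theft off premises": 4, "malware infection": 3})
FILE_SERVER = Asset("File server", severity=5, vulnerability=2,
                    threats={"hardware failure": 3, "unauthorised access": 2})
PAPER_RECORDS = Asset("Printed membership records", severity=3, vulnerability=3,
                      threats={"fire": 1, "theft from office": 2})
NOTICE_BOARD = Asset("Visitor notice board", severity=1, vulnerability=2,
                     threats={"vandalism": 2})
REGISTER = [LAPTOPS, FILE_SERVER, PAPER_RECORDS, NOTICE_BOARD]

if __name__ == "__main__":
    for name, (score, band) in assess(REGISTER).items():
        print(f"{name:28} {score:5.1f}  {band}")
    # Treatment: full-disk encryption lowers the laptops' vulnerability from 4 to 2.
    treated = apply_control(LAPTOPS, 2)
    print(f"{treated.name} after control: {risk_level(treated):.1f} -> {classify(risk_level(treated))}")
```

Run as a script it lists the laptops at 11.5 (high, control critical) and, after the control, at 9.5 (medium), which is below the "above 10 is not acceptable" line the IQA risk treatment plan draws but still above the level 7 it regards as acceptable. The printed membership records average 7.5 and land in the medium band only because of the rounding choice, which is why the methodology should state it.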
Since BS7799 is about:
• Integrity
• Availability
• Confidentiality

we realise that preventing people from taking their laptops off the premises is not an option. However, security could be a reason not to have laptops at all. Such a decision will depend on the impact on the business of not having laptops versus the risks associated with having them and the levels of risk acceptance. Again we look at the trade-off between integrity, confidentiality and availability (chapter 2.2.1). Some businesses, such as those employing sales agents or insurance agents in the field, need laptops to do business. If we are not avoiding risks we have two options left:
• Applying control sets
• Transferring risk

Some risk could be transferred to 3rd parties. Insurance could be helpful in case of theft, fire, water damage etc., but is not foolproof. Insurance by its nature pays for the replacement of tangible assets but does not compensate for intangibles. Say you have insured all your laptops against loss, damage, theft etc. The next day a laptop with important information is stolen, and should the information be disclosed it could have severe consequences for your organisation. Will the insurance on the laptops help? No. Using a 3rd party to transfer risk to is not always the best solution either. Imagine that you are an internet-based company employing a third party to look after your network and one day that network crashes. The data gets heavily corrupted and retrieving it will take days, during which the company cannot trade. Can your organisation afford not to trade for even a couple of days? In both the case of insurance and of a third party it could be that, because of your contracts with them, you are entitled to a lump sum of money if things go wrong.
Usually that will take time and court action to materialise, and it could well be too late to save the company from closure. There are certainly risks that are transferable to a third party, but the consequences of the risks materialising may not be covered by just transferring the risk, even if managing the risk is well covered by the third party. To minimise the risk and the effect of its materialisation further we can use control sets, many of which are listed in annex A of BS7799-2:2002.

5.3.5 Statement of Applicability (SoA)

The outcome of this section is the Statement of Applicability (SoA), a document not included in the appendix for security reasons, and many supporting policies, procedures and workflows. Examples of the documents produced during this section at the IQA can be found in Appendixes L to R.

The Statement of Applicability (SoA) is a document required by BS7799-2:2002. It runs through all the control sets listed in annex A of BS7799-2:2002 and identifies whether each control set is applicable to the organisation and why. I have copied the first annex section from the SoA as an example (IQA SoA 2005). This is a template taken from Victor H. Parry, one of the two principal auditors registered with IRCA. It is important to differentiate between the justification and how the control set has been applied. Justification means 'why' and requires a reason for implementing or not implementing the control set.

A.3.1 Information Security Policy

Control | Description | Adopted | Justification | Reference
A.3.1.1 | Information security policy document | Y | Security Policy is required to provide management direction and support for information security and to set out the policy on information security to staff. | Security Manual
A.3.1.2 | Review and evaluation | Y | The Security Policy should be reviewed for continuing applicability at intervals not exceeding six months. | Management systems review records

Table 5.1 Example of the Statement of Applicability (SoA)

The SoA in the example above also includes a reference column pointing to where the implementation of the control can be found. Usually this would point to a policy or procedure, but it may also point to actions or objects, such as an uninterruptible power supply (UPS).

The SoA is a document that will form the core of your ISMS. It makes you think not only about why you need to implement a control set, but also how and where you will document this. Whilst completing the SoA there may be many occasions when you find that a control set should be implemented, but that there is no policy or procedure which refers to it. This is usually the case when building the ISMS from scratch. In this case you can leave the reference blank until you have completed the SoA. Then take the SoA and begin checking the references. If none exists you will need to include the control set in an existing policy or procedure or create a new one. The SoA contains a list of the 127 best practice control sets of BS7799-2:2002. Not all have to be applicable to your organisation, but many find that at least 112 out of the 127 are applicable. The control sets are further explained in ISO/IEC 17799:2000 clauses 3 to 12. Additional controls not contained in the BS7799-2:2002 annex A control sets can be implemented in exactly the same manner. The SoA prompted many changes and new policies, procedures and workflows to be written for the IQA. Examples of these are mentioned in chapter 5.1.

5.3.6 Review

Having the Scope, Security Policy, Risk Assessment, Risk Treatment Plan and Statement of Applicability in place we are almost done with the plan phase. But during these activities you will find that you may have some difficulties.
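The check described in 5.3.5, taking the completed SoA and looking for control sets with no reference, or with a reference to a policy or procedure that does not yet exist, can be mechanised once the SoA is held as a table. Below is an added example in Python. It is not the IQA SoA (which is withheld from the appendices) and not Victor Parry's template; the first two rows are those of table 5.1, while the remaining rows, the register of finished documents and all function names are constructed for the illustration.

```python
"""Consistency check over a Statement of Applicability, for the gaps that
section 5.3.5 says turn up when an ISMS is built from scratch: control sets
adopted but not yet documented anywhere, references to documents that do not
exist yet, and rows without a justification.

Added example, not the IQA SoA and not Victor Parry's template. The first
two rows are from table 5.1; the other rows, the document register and the
function names are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SoaRow:
    control: str          # Annex A control set number, e.g. "A.3.1.1"
    description: str
    adopted: bool         # the Y/N "Adopted" column
    justification: str    # why the control set is, or is not, applied
    reference: str = ""   # where the implementation is documented; blank until written


def check_soa(rows, existing_documents):
    """Return the outstanding actions a reviewer would list at the end of the plan phase.

    no_justification: every row needs a 'why', whether adopted or not.
    no_reference:     adopted but not documented anywhere yet, so a policy or
                      procedure must be written or extended.
    missing_document: a reference was given but that document is not finished,
                      an outstanding action to carry into the Act phase.
    excluded:         control sets marked N, listed so the exclusions can be
                      reviewed together.
    """
    findings = {"no_justification": [], "no_reference": [], "missing_document": [], "excluded": []}
    seen = set()
    for row in rows:
        if row.control in seen:
            raise ValueError(f"control set {row.control} listed twice")
        seen.add(row.control)
        if not row.justification.strip():
            findings["no_justification"].append(row.control)
        if not row.adopted:
            findings["excluded"].append(row.control)
            continue
        if not row.reference.strip():
            findings["no_reference"].append(row.control)
        elif row.reference not in existing_documents:
            findings["missing_document"].append((row.control, row.reference))
    return findings


def coverage(rows):
    """(adopted, total), to compare with the 112-of-127 rule of thumb in the text."""
    return sum(r.adopted for r in rows), len(rows)


# The first two rows are from table 5.1; the rest are constructed for the example.
SOA = [
    SoaRow("A.3.1.1", "Information security policy document", True,
           "Security Policy is required to provide management direction and support "
           "for information security and to set out the policy on information security to staff.",
           "Security Manual"),
    SoaRow("A.3.1.2", "Review and evaluation", True,
           "The Security Policy should be reviewed for continuing applicability "
           "at intervals not exceeding six months.",
           "Management systems review records"),
    SoaRow("A.8.3.1", "Controls against malicious software (constructed row)", True,
           "All desktops and servers are exposed to e-mail and Internet borne malware."),  # reference blank
    SoaRow("A.12.1.4", "Data protection and privacy of personal information (constructed row)", True,
           "Membership and staff records contain personal data subject to the Data Protection Act.",
           "Data protection procedure"),  # referenced, but not written yet
    SoaRow("A.9.8.1", "Mobile computing (constructed row)", True,
           "",                            # justification forgotten
           "Communications policy"),
    SoaRow("A.10.1.1", "Security requirements of systems (constructed row)", False,
           "No software is developed in-house; systems are bought in."),
]

# Policies and procedures that actually exist at the time of the check (constructed).
DOCUMENTS = {"Security Manual", "Management systems review records", "Communications policy"}

if __name__ == "__main__":
    for kind, items in check_soa(SOA, DOCUMENTS).items():
        print(f"{kind}: {items}")
    print("adopted %d of %d" % coverage(SOA))
```

The output is the list of policies and procedures still to be written or finished, which is exactly what is carried into the Act phase as outstanding actions; re-running the check after each document is signed off shows the plan phase closing.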
In the IQA the plan phase went very smoothly, except for the fact that this is an ISMS built from scratch, meaning that before completion of the Plan phase we needed to draw up many a policy and procedure to include the identified control sets. In some situations I was pleasantly surprised by the unexpected contribution from the Personnel department who, it transpired, were simultaneously working on a confidentiality agreement and a communications policy. The latter covers many areas relevant to the control sets we identified as applicable in the SoA. It may happen that not all policies and procedures the SoA refers to are finished and ready for implementation. This is not a big issue, as it is well accepted to note these down as outstanding actions in the Act phase. At the IQA we also have some policies and procedures that are not ready for implementation yet, whereas others are ready but not yet implemented. What is clear is that in many organisations there is far too little communication between departments, resulting either in reinvention of the wheel many times over or in no action being taken at all on issues that require urgent attention. An example would be my recent issues with BulldogDSL. This company provides ADSL for companies and consumers. When I was approached, as an existing customer, to upgrade to a much faster connection for a lower price, I already thought it was too good to be true. And indeed, two weeks later, on a Sunday morning when I was desperate for an internet connection to test some remote access issues our Japanese counterpart experienced, I discovered that the home internet connection was no more. My first thought was that BulldogDSL would perhaps be upgrading me that Sunday, but by the evening, when the Japanese were slowly waking up and getting ready for work, my internet was still not back.
When calling BulldogDSL throughout the 1.5 weeks after the internet went down I was sent from one department to another and back. Usually the departments had no idea what was happening to my internet connection, were unaware that I had been a customer for the past 12 months and blamed other departments. You can imagine that since then my opinion of BulldogDSL has reached an all-time low. When the connection was finally upgraded after 1.5 weeks of downtime, during which I had been struggling to accommodate our Japanese counterpart, I discovered that an extra feature I used to have with the old connection was no longer available. I wrote an email to BulldogDSL outlining the events of the past 1.5 weeks and the missing feature. I was extremely disappointed when the only reply was that the extra feature would cost me an additional 5 GBP a month, with no mention of the 1.5 weeks of unannounced downtime and the frustration I experienced. No wonder I was about to look for another company to provide my ADSL services. As said, every organisation has communication issues, but the above is an extreme which may well result in customer loss. Setting up an ISMS can highlight communication issues and perhaps help to improve interdepartmental communication. Other departments often hold a part of the puzzle you are trying to piece together. The previously mentioned Personnel department will turn out to be one of the key departments when it comes to policies, procedures and expertise on legal matters such as the Data Protection Act (BS7799-2:2002 Annex A.12.1.4). Since you may well wish to expand your scope to include more than just one department, you will need to involve the other departments actively. You will find that, just as in ISO 9000, the departments are linked to each other, and actions taken by one department will often influence another. This also applies to information security related issues.
5.4 The Do phase

The Do phase is where we implement our findings and results from the plan phase. The main obstacle will be the difficulties with change. Most people do not like change at any time. That goes for the person bringing about the change and for those who will be affected by it.

"Like 'beauty and the beholder,' resistance to change is in the eye of the proposer. The proponent of a change may perceive as resistance what his or her audience considers careful assessment and scrutiny. Almost every change requires the cooperation, collaboration, and co-ownership of others. It is only by giving the assessment and scrutiny of these people full consideration that the change can expect full acceptance… Everyone in an organization is a salesperson, selling his or her ideas, proposals, and recommendations. Even a CEO, president, or owner needs to achieve buy-in of key strategies and tactics from the necessary people if they are to succeed. That success, i.e., the implementation of meaningful improvement in an organization, requires answering three questions: what to change, to what to change to, and how to make the change happen." (Focussed Performance 2005)

"Fear of the unknown. Change implies uncertainty, and uncertainty is uncomfortable. Not knowing what may potentially happen often leads to heightened anxiety. Resisting change is one of the anxiety-reducing actions." (Topping 2002)

"Misunderstanding and lack of trust. People resist change when they do not understand its implications and perceive that it might cost them much more than they gain. Such situations often occur when trust is lacking between the person initiating the change and the employees." (Kotter 1999)

Reading the above, we get a better picture of why there is resistance to and fear of change.
We identify some key elements:
• Fear of the unknown
• Misunderstanding change
• Lack of trust
• Lack of buy-in

A factor that is also an extremely important contributor to fear and resistance is the fear of exposure: exposure of a lack of competencies which may have been believed to be well hidden before the change. Especially if the change forces transparency in processes and procedures and requires people to take responsibility, those who are not certain of their own competencies, or of those of the persons they protect, will resist change in any way possible, even if the arguments put forward against the change have no ground at all. Implementing the ISMS will provoke resistance, for it brings a lot of change. The Do phase is the moment when resistance will play an important role. Policies and procedures will be implemented and responsibility will be assigned. BS7799-2:2002 clause 4.2.2, Implement and operate the ISMS, is central to the Do phase (BSI 2002). Figure 5.2 illustrates the different steps to be taken in the Do phase, based on the analysis above, experience gained during the research and expert opinion.

Figure 5.2 The Do phase flowchart: Formulate risk treatment plan, Implement risk treatment plan, Implement policies, procedures and controls, Implement training and awareness programme, Resource management.

5.4.1 Formulate a risk treatment plan

The objective of this section is to formulate a risk treatment plan. The IQA risk treatment plan can be found in appendix E.

Clause 4.2.2a) Formulate a risk treatment plan that identifies the appropriate management action, responsibilities and priorities for managing information security risks.

We already have a risk assessment document and the Statement of Applicability. The risk assessment document states briefly the responsibilities, which are repeated in the risk treatment plan.
It also states the risk levels and when action is required, which the risk treatment plan touches upon once more. The Statement of Applicability states which controls are to be implemented and the documents that ensure this implementation. The risk treatment plan is a kind of summary of the risk assessment document. It starts with its objective, i.e. "This procedure defines the risk management/treatment methodology adopted by the Institute of Quality Assurance" (Appendix E), and continues with responsibilities. Clause 4.2.2a actually refers to clause 5, Management responsibility. Clause 5.1, Management commitment, states that management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS. Monitoring, review and improvement are described later in the risk treatment plan (BSI 2002).

Clause 5.1a, establishing an information security policy: this has already been completed in the plan phase.

Clause 5.1b, ensuring that information security objectives and plans are established, can only be seen to by those responsible for implementing the information security policy and the related policies and procedures.

Clause 5.1c, establishing roles and responsibilities for information security, speaks for itself. The easiest and most logical solution seems to be to lay responsibility with the managers of the individual asset owners. The outcome of this is recorded in the risk treatment plan.

Clause 5.1d, communicating to the organisation the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement, is one of the most difficult requirements; success depends significantly on top management support and top management leading by example. Next comes the need for training, clause 5.2.2, to raise awareness of the importance of the ISMS and information security.
Clause 5.1e, providing sufficient resources to develop, implement, operate and maintain the ISMS, points to clause 5.2.1. The resources required depend on the complexity of the organisation, its size, its activities and the policies and procedures already in place. Some companies may already be ISO 9000 certified and therefore have more experience in setting up a management system, and policies and procedures are expected to be in place for many processes already.

Clause 5.1f, deciding on the acceptable level of risk, is discussed in the risk treatment plan. It is the next step in the risk treatment plan after the responsibilities have been defined. A further option is to describe the aim of reducing the overall level of risk to a prescribed target level and/or the aim of reducing the risk per asset to a lower level:

"It has been decided that risk levels above 10 are not acceptable and need to be reduced. Ideally the risk levels should all be reduced to under level 8, as level 7 and below are seen as acceptable risk levels. In order to meet the criteria, controls will be implemented to manage and reduce current asset exposure levels to security threats and vulnerabilities." (Appendix E)

Clause 5.1b, ensuring that information security objectives and plans are established, as very briefly discussed above, is dealt with in the risk treatment plan after the statement of risk level acceptance. This section explains who will ensure that:
• The risk treatment plan procedure is executed
• Risk is controlled
• Risk is reduced

"The asset owners and key users translate the control objectives and controls in the standard into documented procedures and policy statements that describe how they are implemented.
Controls are also covered in Business Continuity Plans that are tested frequently for their effectiveness.” (Appendix E)

Finally, the monitoring and corrective action responsibilities are set out and the review period of the ISMS is set. This corresponds with clause 5.1g, conducting management reviews of the ISMS, which in turn points to clause 6. Clause 6 explains in detail what to look at and how to execute the management review. “The IT Manager and asset owners are responsible for monitoring and identifying new security threats and vulnerabilities on a regular basis and changing working practices and procedures when required in accordance with the recommendations from information security management system reviews. A formal re-evaluation of security risk levels is performed on an annual basis the results of which are discussed at the Information Security Management Review Meetings.” (Appendix E)

5.4.2 Implement risk treatment plan

The objective of this section is to implement the risk treatment plan. No documents are produced during this section.

Clause 4.2.2b) Implement the risk treatment plan in order to achieve the identified control objectives, which include consideration of funding and allocation of roles and responsibilities.

Implementing the risk treatment plan prompts us to implement the options identified for risk treatment (clause 4.2.2c) and to manage operations (clause 4.2.2e).
• Clause 4.2.2c) Implement controls selected in 4.2.1g) to meet control objectives.
• Clause 4.2.2e) Manage operations.

As mentioned before, the “do” phase is where we put our prepared policies and procedures into practice, i.e. protect an area by actually putting a lock on the door; reduce the effects of a server crash by actually having backups and testing the restore capabilities; delegate responsibility and secure resources and funding where required.
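The risk acceptance criteria quoted from the risk treatment plan above (levels above 10 unacceptable, ideally everything under 8, level 7 and below acceptable) can be applied mechanically to an asset register. The following is an added example, not the IQA's own tooling; the thresholds are the plan's, while the asset names, owners, risk levels and the reductions credited to each planned control are constructed sample data.

```python
"""Added example, not from the dissertation or the IQA: applying the risk
acceptance criteria quoted from the risk treatment plan (Appendix E) to a
constructed asset register, and checking a planned set of controls against
them. The thresholds come from the quoted text; asset names, risk levels,
owners and control reductions are constructed sample data."""
from dataclasses import dataclass, field

UNACCEPTABLE_ABOVE = 10     # "risk levels above 10 are not acceptable"
ACCEPTABLE_AT_OR_BELOW = 7  # "level 7 and below are seen as acceptable"


@dataclass
class Asset:
    name: str
    owner: str          # manager responsible, as discussed under clause 5.1c
    risk_level: int     # current assessed level, before treatment
    # (control name, expected reduction in risk level) - constructed estimates
    planned_controls: list = field(default_factory=list)


def classify(level: int) -> str:
    """Map a risk level onto the plan's three bands."""
    if level > UNACCEPTABLE_ABOVE:
        return "unacceptable"   # treatment is mandatory
    if level > ACCEPTABLE_AT_OR_BELOW:
        return "tolerable"      # treatment is recommended ("ideally under 8")
    return "acceptable"


def residual_level(asset: Asset) -> int:
    """Risk level expected once the planned controls are in place. A real
    plan would take the reductions from re-assessing each asset; here they
    are simple constructed estimates."""
    level = asset.risk_level
    for _name, reduction in asset.planned_controls:
        level -= reduction
    return max(level, 0)


def treatment_plan(assets):
    """List the assets that need treatment, most exposed first, with the band
    they are in now and the band expected after the planned controls."""
    rows = []
    for a in assets:
        band = classify(a.risk_level)
        if band == "acceptable":
            continue
        residual = residual_level(a)
        rows.append({"asset": a.name, "owner": a.owner,
                     "current": a.risk_level, "band": band,
                     "residual": residual, "residual_band": classify(residual)})
    rows.sort(key=lambda r: r["current"], reverse=True)
    return rows


def assets_failing_criteria(assets):
    """The mandatory criterion: nothing may stay above level 10 once the
    planned controls are applied. Returns the names of assets that would."""
    return [a.name for a in assets if residual_level(a) > UNACCEPTABLE_ABOVE]


# Constructed register (not the IQA's real assets).
SAMPLE_ASSETS = [
    Asset("file server", "IT Manager", 12,
          [("tested nightly backup", 3), ("restricted share permissions", 2)]),
    Asset("member database", "Membership Manager", 14,
          [("password policy", 2)]),        # on its own this is not enough
    Asset("reception PC", "Facilities", 9,
          [("screen lock and swipe-card entry", 3)]),
    Asset("printed board minutes", "Company Secretary", 5, []),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_ASSETS):
        print(row)
    # Assets the plan must revisit before it can be signed off.
    print("still above 10 after treatment:",
          assets_failing_criteria(SAMPLE_ASSETS))
```

In the constructed register the member database keeps a residual level of 12, so the plan would have to add controls for it before it satisfies the quoted criterion.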
By this time in the implementation process there is a lot of change going on. This is the time when people will actually be exposed to new practices and the resistance to change can really kick in. If staff - one staff member or more - are strongly resisting change, as we experienced in the Institute of Quality Assurance when it came to the change of password policy, it is important to make sure that top management and direct management are supporting the change and, if at all possible, to get the staff to buy in. Without the staff’s cooperation the introduction of new practices may well fail. It could even get worse: staff could actively resist and sabotage the project. This was reported to be one of the reasons for the failure of the London Ambulance Service Computer Aided Dispatch project (LASCAD) (Beynon-Davies 2005).

More information on the reasons behind the failure of the LASCAD project and other IS systems can be found in a most interesting paper called “Technology alone will never work: Understanding how organisational issues contribute to user neglect and information systems failure in healthcare” by M.A. Jeffcott of the University of Glasgow, Scotland (Jeffcott 2001). This paper discusses the issues of implementing change and, although it concentrates on the healthcare services, the issues are not much different for any other industry sector.

5.4.3 Implementing training and awareness programmes

In this section we implement user training and awareness programmes. Appendix S is the revised communications policy of the IQA, which is used as the training and awareness programme.

Clause 4.2.2d) Implement training and awareness programmes.

In the Institute of Quality Assurance training and awareness programmes are divided in two: one for current staff and another for new staff joining the organisation.
Both programmes are to be in place before we can implement them in the “do” phase. For both programmes we use the extranet, with a special section on information security for staff. Both current and new staff need to read and agree to the Institute’s communications policy. New staff are not aware of the extranet when they start, and that is why, during their induction period, the individual managers will explain about their departments plus the relevant information security aspects. The IT department will educate them in the use of the extranet and particularly the information security aspects, whilst facilities will explain the importance of entry control.

Although the Institute does not have a test programme in place to actively evaluate the effectiveness of the training, and a simple interview with staff may well provide enough information to carry out this evaluation, it is good practice to have a more exhaustive programme for testing and evaluating information security understanding. Do your staff really understand the importance of information security? Can they tell you what could go wrong and what the consequences might be? Do they care? It is up to you to make sure that they can, and do. Intranet testing programmes taken on a regular basis, for example every 6 months, in which questions about information security are asked and answers scored, are not only good for keeping staff alert and educated on the subject, but also for record keeping. This is one of the major requirements of the ISMS.

Having the relevant policies readily available, for example on the intranet, contributes to the likelihood of staff consulting the policies. If the policies are hard to find, staff will not show any interest in even trying to locate the policies, let alone consult them. Clause 5.2.2, Training, awareness and competency, goes into the details.
5.4.4 Resource management

This section does not produce documents, but instead looks at resource management. Clause 4.2.2f) Manage resources, refers to clause 5.2, Resource management. We discussed this under clause 5.1e. In the Institute of Quality Assurance we decided that the responsible managers are to allocate the required resources. They need to manage the staff and funds required to implement and maintain the ISMS effectively.

In larger organisations a special team may be created to see to the implementation of the ISMS. This will usually be initiated by top management. A special team cannot, however, see to the implementation on its own. The implementation requires the assistance of everyone involved, and that means everyone affected as set out in the scope. The great danger with creating a special team is that ownership of the project may be perceived to be that of the team. This may result in managers and their staff taking the project less seriously and not committing the resources, time and funds required. It is of the utmost importance that the project is owned by everyone involved, that the managers have been delegated responsibilities and that all involved realise the importance of implementing the ISMS and the possible consequences of failure.

5.4.5 Implementation of controls and procedures

The objective of this step is to implement controls and procedures capable of enabling prompt detection of and response to security incidents. No documents are produced.

Clause 4.2.2g) Implement procedures and other controls capable of enabling prompt detection of and response to security incidents.

It is important not just to have your policies and procedures in place, but also to monitor their effectiveness and efficiency. There are many tools available for monitoring information security aspects.
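One such tool, written here as an added example rather than anything the IQA used, addresses the problem this section goes on to describe for Windows Server 2003: the Security log holds many unrelated entries, and the failed logons that matter have to be filtered out of them. The script keeps only logon failures and raises an alert when one machine produces a burst of them against several accounts; the log format is a constructed simplification (a real server log would first need exporting), and the event ids 528 and 529 are the pre-Vista Security log ids for successful and failed logon.

```python
"""Added example, not from the dissertation or the IQA's tooling: pick the
logon failures out of a noisy authentication log and alert when one source
accumulates too many of them in a short window. The log lines are
constructed for this example in a simplified "timestamp event_id user host"
form; a real Windows Server 2003 Security log would need an event-log
export or reader first."""
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-Vista Security log ids: 529 is "logon failure: unknown user name or
# bad password", 528 a successful logon. The other ids in the sample (538
# logoff, 560 object open, 592 process created) are the kind of unrelated
# entries the text describes as cluttering the log.
LOGON_FAILURE = 529
LOGON_SUCCESS = 528

# Constructed sample log (not real IQA data).
SAMPLE_LOG = """\
2005-09-12T08:59:55 528 jsmith RECEPTION-PC
2005-09-12T09:00:02 560 SYSTEM FILESRV01
2005-09-12T09:00:14 529 admin RECEPTION-PC
2005-09-12T09:00:21 529 admin RECEPTION-PC
2005-09-12T09:00:27 529 administrator RECEPTION-PC
2005-09-12T09:00:33 529 backup RECEPTION-PC
2005-09-12T09:00:40 529 jsmith RECEPTION-PC
2005-09-12T09:00:41 592 SYSTEM FILESRV01
2005-09-12T09:03:10 529 mroach MEMBERSHIP-PC
2005-09-12T09:03:30 528 mroach MEMBERSHIP-PC
2005-09-12T09:10:00 538 jsmith RECEPTION-PC
"""


def parse_log(text):
    """Turn the constructed log format into (time, event_id, user, host)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, host = line.split()
        entries.append((datetime.fromisoformat(ts), int(event_id), user, host))
    return entries


def logon_failures(entries):
    """First step of the 'fine tuning': keep only the failed-logon events."""
    return [e for e in entries if e[1] == LOGON_FAILURE]


def suspicious_hosts(entries, threshold=5, window=timedelta(minutes=2)):
    """Return hosts that produced at least `threshold` logon failures inside
    any `window`-long period, mapped to the account names tried from them.
    A single mistyped password is normal; a burst against several accounts
    from one machine is what the administrator needs surfaced."""
    by_host = defaultdict(list)
    for t, _, user, host in logon_failures(entries):
        by_host[host].append((t, user))
    flagged = {}
    for host, attempts in by_host.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window start until the span fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = sorted({u for _, u in attempts[start:end + 1]})
                break
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"{len(events)} entries, {len(logon_failures(events))} logon failures")
    for host, users in suspicious_hosts(events).items():
        print(f"ALERT {host}: {len(users)} accounts tried: {', '.join(users)}")
```

On the sample, RECEPTION-PC's five failures in under half a minute against four different accounts are flagged, while the single failure on MEMBERSHIP-PC followed by a successful logon is left alone.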
Firewalls have logging mechanisms which can be looked at either automatically, by some clever programming, or manually. If there are issues with the firewall, i.e. forced entry is detected, we should be able to respond quickly and close the hole in the wall. The IQA’s firewall software is easy to configure and the effects of actions and settings are easy to understand.

Most server operating systems have built-in tools for monitoring access and security related issues, and applications are available to make this easier to read. Windows Server 2003 Active Directory would refuse any computer trying to gain access to the network if no valid credentials were entered and if the computer were not registered by an administrator first. However, it is not easy to filter out unauthorised access from the logs created by the system, simply because there are many entries in the logs concerning different issues. Some fine tuning of the logging settings can help, and specialist programmes can make life even easier.

Virus checking software is widely available and should be installed by default on any operating system. Most virus checking software is capable of updating itself these days and is thereby able to monitor the computer and detect even the latest viruses. In the IQA we are using Sophos Antivirus. It is a product aimed at corporate users and is very highly respected in the field. Sophos Antivirus was attractive because of its ease of updating itself, a central control application which helps us monitor where the software is installed and whether the software is up to date, and the capability of detecting not only viruses but also errors in the application. On top of that it also provides information on the action to be taken in case of a virus or an error, facilitating a quick and efficient response to any problem.

For physical security a selection of entry systems is available.
It can vary from simple registers where people sign in and out to sophisticated face-recognition systems that register entry and exit automatically. Very common and affordable is a swipe card system. This system can connect to a computer and a database which registers entry and exit.

For less IT orientated departments and activities there are many ways of logging activities. An example is the simple sheet in some toilets which tells us when the toilet was last cleaned and by whom. Sheets like these can be used for information security related issues as well. For example, taking a file from the filing cabinet may require a signature and date/time in a register. Phone calls with customers can be recorded and a sample checked for monitoring purposes. This may be the case in the banking industry, where staff must make sure to verify who is calling before giving out any information.

5.4.6 A working version

We now have a working version of the ISMS. We started with planning the ISMS, put together many policies and procedures, and then implemented them together with the control sets to reduce risk, and implemented other methods of reducing risk. Whilst doing so we managed resistance to change, and now our ISMS is in place. We are now monitoring our information security management system, having controls in place to detect breaches promptly and take corrective action. This is the end of the “do” phase.

5.5 The Check Phase

BS7799-2:2002 Annex B4 (BSI 2002), Check phase, suggests four different ways of conducting checks.
• Routine checking
• Self-policing procedures
• Learning from others
• Internal ISMS audit

5.5.1 Routine checking

Routine checking is a method of checking that requires written procedures for it to be most effective. Routine checks are checks such as inventory checks, in which inventory is counted and owners verified.
Checks such as these are to make sure that records are up-to-date and that any damage from errors is limited. For example, if equipment were missing the process of tracking it down is not easy, but with early detection it is easier for people to remember relevant information and the equipment may be tracked down faster. An example given in annex B4.2 of BS7799-2:2002 (BSI 2002) is that of unauthorised changes to the company website. Regular checks can save the organisation loss of face and may prevent legal action against it.

5.5.2 Self-policing procedures

A self-policing procedure is a control that has been constructed so that any error or failure perpetrated during execution is capable of prompt detection. We discussed the Sophos Antivirus software earlier and looked at its capabilities. A capability not discussed is the action taken by the software on detection of a virus or error. The software has the capability of notifying the system administrator and user when an error or virus is detected. This may be done by a system message or email, and the management console will also indicate the detection of an error or virus. If the problem is not corrected the software will send more alerts until the problem is resolved. This is an example of a self-policing procedure.

5.5.3 Learning from others

Why not look at others? But, for a change, do not just look at what they do badly and you do well; look at what they do better and learn from it. Other organisations are a great source of information and will help us find where we can optimise our own ISMS. But it is not just other organisations which provide a source of information to help you check your ISMS. Online message boards, forums, specialist news briefs, user groups and workshops, conferences and professional societies enable us to learn, and to apply what we have learnt to improve our own ISMS.
Finally, do not forget that you often have in-house experts. This is a group usually not taken seriously - perhaps even overlooked - and many companies thus miss great opportunities to identify and implement good ideas for improvement. A book called “Sticky Wisdom” by “?What If!” clarifies with many examples just how valuable it is to take your staff seriously, and to listen closely to what your staff have to say before dismissing their opinions. One example that stood out was that of Dyson vacuum cleaners. According to “Sticky Wisdom”, Mr. Dyson’s idea of bag-less vacuum cleaners was dismissed by the large corporations, which led him to start his own company (?What If! 2002). In the United Kingdom we are all aware of Dyson’s tremendous success, and most will agree that those who ridiculed the idea must be banging their heads against their stockpile of unsold vacuum cleaner bags. Don’t let this happen to your organisation. Your staff constitute a valuable resource in the implementation and improvement of your ISMS, and you should make use of this resource whenever possible.

5.5.4 Internal ISMS audit

Internal audits, if conducted by a good auditor, should be positively welcomed. However, most of us seem nervous about audits and feel they are designed to help us find another job. A good and proper audit, however, is designed to help us optimise the ISMS; it is not designed to find fault, but to help us prepare for certification by identifying opportunities for improvement and by detecting non-conformities so that we may take corrective action. When the time for certification comes, the external auditor will be happy to find that you have carried out internal audits. A professional auditor will ask for the internal audit reports and go through these. The auditor will ask to see that the corrective actions indicated in the report have been followed up, and will use the internal audit report to decide which areas require attention. Bear in mind that an auditor can only take a small sample of the complete ISMS, and will most likely concentrate on areas which were not included in the sample taken by the internal auditor. The external auditor is not your great enemy either, but your friend - just like the internal auditor. The external auditor is there to help you obtain certification by identifying opportunities for improvement and making sure that the ISMS is functioning as well as it might.

5.5.5 Management review

Management, provided it is supportive of the ISMS and fully dedicated to it, may well be interested in its performance. To brief management and agree on any changes to the ISMS we must have a management review at least once a year. In the IQA we have a review every 6 months with those involved in accordance with the scope. As per clause 6.2, Review input, BS7799-2:2002 (BSI 2002), we require particular discussion points for an efficient management review.
• Results of ISMS audits and previous management reviews.
• Feedback from interested parties.
• Techniques, products or procedures that could be used to improve the ISMS.
• Status of preventive and corrective actions.
• Follow-up actions from previous management reviews.
• Any changes that could affect the ISMS.
• Recommendations for improvement.

The review would be greatly helped by visual representation where possible, e.g. a graphical representation of the number of security breaches per month. This could be broken down into the different types of security breaches. Another helpful tool for communication is a traffic light system to monitor the progress of preventative and corrective action implementation. In the IQA we use the traffic light system for Senior Management Board meetings, and top management sees the system as very efficient. New to the IQA is the IT management system. This management system records all requests made to the IT department.
Many parameters are recorded, giving the possibility of creating graphs such as how many requests were submitted per month and the average time IT took to resolve issues. There are plans to expand the system to log information security breaches separately, thereby creating a similar possibility of graphical representation. Currently information security breaches that affect IT are logged using the same logging mechanism as any other IT issue.

Management review output, as described in clause 6.3, Review output, BS7799-2:2002 (BSI 2002), has to include decisions and actions relating to:
• Improvement of the effectiveness of the ISMS.
• Modification of procedures.
• Resource needs.

Modification of procedures will most likely include preventive and corrective actions. These are usually in response to non-conformities discovered during an audit, a change in business requirements, security requirements or regulatory or legal requirements, or a change to the levels of risk and/or the levels of risk acceptance.

5.6 The ACT Phase

Having been through the plan, do and check phases, the only phase remaining is the act phase. This is a strange phase, for not much is done here. The act phase merely makes sure we take action where required, and this action usually leads us back to the plan and do phases. The actions taken are determined in the check phase, e.g. a nonconformity and the corrective and/or preventative action to be taken to resolve it, or a change in law that requires us to update our policies and procedures. An example of the act phase leading to the plan phase would be the latter, where a change in law forces us to review our policies and procedures and perhaps even write new ones. An example of the act phase leading to the do phase is where we have already prepared the new policies and/or procedures to comply with the new law.
This can happen when the change of law was known before it was actually implemented. In this case we can skip to the do phase and simply implement the new policies and/or procedures. The act phase is the ‘last’ phase in the Deming cycle. When ‘finished’ with the act phase for the first time we have finished the complete implementation of a BS7799 ISMS and are ready to manage, maintain and continuously improve our ISMS, once again by using the Deming Cycle.

5.7 Summary

Implementing BS7799 at the IQA went relatively smoothly. This was, however, not without reason. It went smoothly because of the course and workshops attended, the research online, the study of related books and papers, the already partly implemented ISO9000 standard, the electronic IT management system, the already existing policies and procedures, the help of other departments and the vital help of some of the most recognised experts in the field. And even with all this it still took over 3 months to implement BS7799.

In this chapter we discussed the most fundamental steps of implementation and the issues that could be expected before and whilst implementing. These steps in flowchart form were:

Figure 5.3 The plan phase (flowchart): Scope; Information Security Policy; Risk Assessment; Options for risk treatment; Statement of Applicability (SoA)

Figure 5.4 The do phase (flowchart): Formulate risk treatment plan; Implement risk treatment plan; Resource management; Implement training and awareness program; Implement policies, procedures and controls

When following the flowcharts we ended up with key documents which are vital for the ISMS to function and for certification.
• Scope
• Information Security Policy
• Risk Assessment document
• Risk treatment plan
• Statement of Applicability

All other policies, procedures and workflows were identified whilst writing up these key documents.
After the key documents and any other documents required to support the key documents were established, they were implemented in the do phase. This required allocation of resources, responsibility and training. After the implementation it was time for the check phase. We identified four methods to check the ISMS.
• Routine checking
• Self-policing procedures
• Learning from others
• Internal ISMS audit

From checking the ISMS we expected to find issues that need to be resolved. This was done in the act phase, which in turn brought us back to the plan and/or do phase. With this the Deming cycle of Plan – Do – Check – Act is complete and we have established a working ISMS.

But issues were to be expected along the way. We identified the following key issues, for which we provided resolutions and advice throughout this chapter:
• Lack of management support
• Change management
• Communication problems
• Undervaluing internal expertise
• Lack of staff and management understanding of BS7799
• Ownership of the implementation project

Issues that are not explicitly mentioned in the chapter, but have been resolved throughout the chapter:
• Lack of examples (many examples of key documents provided)
• Lack of understanding of BS7799 implementation (this chapter has guided you through BS7799 implementation, step by step, and made you aware of what needs to be done, how and when, and what difficulties to expect along the way)

6. Conclusion

When meeting with an expert in disaster recovery it became clear how often organisations encounter a problem that leaves them in desperate need of disaster recovery. The company for which this expert works is relatively young (started 04-September-2001) and has a small customer base.
During the past two years five customers out of their customer base of twenty-five encountered a problem that came very close to escalating into a full-blown disaster. However, the problem was resolved before the disaster recovery plans were activated. But not all customers were this lucky. Four other customers encountered a problem that did result in a disaster. They required their disaster recovery plans to be put into action, which in some cases included office relocation. Although this may be a very small sample of the total number of companies in existence, it is scary to realise that 16% of this company’s customers did experience a serious disaster.

6.1 Hurricane Katrina financial aftermath

The recent hurricane Katrina emphasises what BS7799 is all about. Although it is too early to determine the scale of this natural disaster, the resulting damage will rank in billions of US dollars. Many companies will go bust in the aftermath, and many jobs will be lost. But this hurricane was not unannounced! Why was New Orleans so badly prepared? As we know, BS7799-2:2002 Annex 11 deals with disaster recovery (BSI 2002). Hurricanes are not unknown to hit this area, but Katrina was an exception. New Orleans seemed to have escaped major damage directly after the hurricane passed, but this was an illusion. The rainfall resulting from Katrina caused the New Orleans flooding, which in turn caused most of the damage, not the powerful wind.

Could the damage of the hurricane have been prevented? It is a well known fact that New Orleans is vulnerable to flooding. With so many hurricanes in the area the local government could have strengthened the levees to prevent flooding. Backup systems could have been put in place just in case anything went wrong with the levees. The cost of such a project? Maybe a couple of million US dollars, compared to the damage caused by Katrina which runs into billions of US dollars. This illustrates why the BS7799 idea of prevention is so important.
So could the businesses in New Orleans have been prepared for Katrina and its wave of destruction? Would BS7799 have been able to save companies and jobs from the hurricane’s destructive force? In my opinion the answer to this is: perhaps. Why perhaps? Katrina was an extraordinary hurricane which created an exclusion zone larger than any ever seen before. Damage to property was huge, but could perhaps be covered by insurance. Because of the exclusion zone, however, any organisation with a continuity plan that did not include relocation to an area outside the exclusion zone will now be unable to open shop, possibly posing a serious threat to the very existence of that company.

“The recovery of New Orleans depends in large part on an ever-growing bond between the insurance industry and federal and state authorities. Without that cooperation, it's unlikely that anyone or any business could afford to return to New Orleans. Indeed, even with private-public assistance, untold numbers of residents and employers likely will never return. Hurricane Katrina put an expensive point on a huge dilemma for insurers. As the Southeastern and Gulf Coast areas fill up with residents, the damage from even relatively small hurricanes grows. Including Katrina, five of the eight most expensive U.S. natural disasters have come in the last 13 months. All were hurricanes. Katrina is likely to be the most expensive natural disaster in U.S. history with more than $26 billion in insured losses by private insurance companies.” (Naudi 2005)

6.2 Research questions revisited

In this research project we looked at four research questions:
1. How to successfully implement BS7799?
2. What are the main problems related to implementing BS7799?
3. How to tackle the problems related to implementation of BS7799?
4. How to convince management of the need for BS7799 implementation?
We started with answering question 4 by discussing management support issues and some examples which might help to convince management. We continued to show how a lack of management support can cause serious delays in implementation. We also pointed out that lack of management support will most likely result in implementation failure, as almost happened in one of the examples given. It remains to be seen whether we successfully answered question 1, and it can only be verified by using this report to implement BS7799 at other organisations. However, I believe that by sharing my experience in implementation and related problems (questions 2 and 3) at the IQA, and the experiences of recognised professionals in the field, this report is an accurate guide on how to implement BS7799 and to the problems, including solutions, associated with implementation.

6.3 Aims and objectives revisited

The following project objectives were set:
• To make implementing BS7799 a generally accessible task to third parties by discussing the subject of ‘how to’ implement the standard, detailing the process, difficulties and challenges of implementation in the IQA and issues highlighted by BS7799 recognised experts.
• Implement the clauses and applicable control sets of BS7799-2:2002 at the IQA.
• Present this project report so it is easily adaptable for transformation into a software application that will help to enforce the clauses and applicable control sets of BS7799-2:2002.

By sharing my experience and that of experts in the field I believe that the objective of making implementation of BS7799 a generally accessible task to third parties, as stated in chapter 1.3, has been accomplished. However, this again can only really be evaluated by actually observing another company implementing BS7799 using this research report. The Statement of Applicability (SoA) was implemented successfully.
Although some policies and procedures must still be written and/or implemented, those implemented have proven successful. Examples are new password policies, firewalls, anti-virus protection, internet logs, backup and restore capabilities, etc. But how easy is it to adapt the findings of this report to create an electronic BS7799 ISMS and enforce controls and control sets electronically? Parts of the controls implemented are fortunately already software tools, reducing the work still to be done to enforce BS7799 controls and control sets electronically. In chapter 7, Recommendations, this discussion is continued.

A serious setback of this research project was that I could no longer implement BS7799 in the whole of the IQA as originally planned, due to other issues taking precedence. But as mentioned in the report, I could still implement BS7799 in the IT department and the assets seen as belonging to the IT department. The IT department does represent the core of the BS7799 ISMS, and expanding the system to other departments when the time is right should not cause major difficulties. Because the core of the system could be implemented I feel that the research project was successful, answered the research questions and fulfilled the objectives as far as this can be measured at this point in time.

6.4 Experience and evolvement

When I started this research I knew little of BS7799. I guess I have to thank Roberto Wolf, one of the students working for me back in 2004, for introducing me to a new area of IT. He, together with my boss, Simon Feary, the director of IRCA, has been a very influential factor behind my choice of dissertation subject. Thanks to Chris Raven of 7Safe I attended my first ever workshop in BS7799. Before this I had already studied both parts of BS7799, but I needed more information on how this whole thing worked.
It is during this workshop that I not only got a better idea of BS7799 and what it was really all about, but also met Dick Price, a consultant and auditor in BS7799. Dick has been very helpful in answering questions about and sharing his experience of BS7799. I felt that the workshop, which only lasted half a day, was however not substantial enough to answer the questions I had. Therefore I participated in a 5 day Lead Auditor course to gain a full understanding of what an ISMS looked like and what an auditor would look at before recommending certification. During this course I had the pleasure of meeting Victor Parry, who was teaching it. Victor has been extremely accommodating in providing insight into the world of BS7799. Just as Dick, he has shared his experiences and highlighted some of the difficulties of implementing BS7799 in general. Victor is a registered Principal Auditor at IRCA and has many years’ experience in the field in many different industries and countries. With the knowledge gained from the workshop, the course and especially the experts in the field, this research gives an accurate view of how to implement BS7799, its problems and solutions.

6.5 Action research revisited

As action researcher I was part of the ‘experiment’. In this particular research, being the person actually implementing BS7799 in the company has given me the insight and experience in the subject to write a realistic report on the subject. Action research meant that instead of just looking at the issue from a scientific point of view, perhaps investigating by just observation, surveys and interviews, I was able to stand in the shoes of those who are to implement BS7799 and experience the project from their perspective. This direct and personal involvement brought to light many aspects of implementation which would have remained hidden otherwise.

6.6 Findings

Whilst implementing BS7799 at the Institute of Quality Assurance and researching the issue of implementing BS7799, specific issues were found to be essential to implementation in general. From my own experience and that of the experts in the field it was found that:
• Management support is vital for the success of implementing BS7799. Examples and experience show that without management support BS7799 has very little chance of successful implementation.
• There are different ways to convince management. Scare tactics, in which the consequences of failure to implement BS7799 are highlighted, are found to work best. The conventional method of risk level discussion is usually not well understood and does not work well in convincing them.
• Implementation brings change, which in turn aggravates resistance to change. Change management and buy-in from all staff are critical success factors in implementing BS7799.
• Examples of ‘how to’ implement BS7799 are extremely beneficial and time saving in implementation. Templates of policies, procedures, the SoA etc. help to kick-start the project and boost the confidence of those in charge of implementation.
• Action research is a suitable method to conduct research on the subject of ‘how to’ implement BS7799 as it highlights issues that would remain hidden using most other research methods.

However, I conclude that the most important lesson to be learnt from this project and report is:
• Disasters do happen. It is not a question of ‘if’, but ‘when’. Be wise, be prepared!

7. Recommendations

We discussed the potential problems in winning management support and understanding. The information security specialist organisation 7Safe has come up with a new concept for convincing management. Common practice is to give information assets or asset groups a numeric risk level.
However, this set of numbers does not add much to management's understanding of the actual risks. 7Safe found that instead of talking numbers, management was far more receptive to talking about the actual consequences of threats. They found that this resulted in a more positive uptake of BS7799 by management.

7.1 The first cycle

Figure 7.1 Björck’s alternative to the Deming Cycle. (Björck 2001)

To extend this project I would look closely at Björck’s alternative to the Deming cycle (Björck 2001) and discuss this alternative in more detail. Note that Björck suggests this alternative only for setting up an ISMS from scratch, after which he advises switching to the Deming Cycle. Also a survey of companies that have already implemented BS7799 may prove useful to find obstacles that they may have experienced during implementation and perhaps also to learn about alternative ways to gain the support of management.

7.2 A helping hand in research

The International Register of Certificated Auditors (IRCA) could also be approached to help collect information. They send out a monthly newsletter, entitled Inform, to all registered auditors. Perhaps it would be possible to use this newsletter to ask a wide range of auditors about their experience with BS7799 implementation. Next to IRCA, companies that offer consultancy and/or auditing in BS7799 are most willing to offer a helping hand. Also companies specialising in BS7799 related fields, such as disaster recovery, have been very accommodating during this research project. Further research in this subject would benefit from the help of these companies, from their expertise and from their own research in the subject and affiliated subjects.

7.3 ISMS and tools as an electronic enforceable version

By having all the controls and control sets, policies and procedures in place we should have a good understanding of the BS7799 ISMS and BS7799 itself. This will make it easier for the IQA to adapt the current ISMS and tools into an electronically enforceable version. Venkatraman‘s framework (figure 6.1) supports this approach. “Learn how to walk before you try running” is the main message of this framework. Venkatraman outlines the steps to be taken to build a system from scratch to a fully integrated system. It also is a warning not to try and skip steps. Venkatraman argues that you do not skip the second level (internal integration). After this level you can go directly to any of the higher levels. Hence first implementing a standard paper-based version of the ISMS before attempting electronic enforcement is advisable.

Figure 7.2 Venkatraman framework (figure not reproduced): levels Localized exploitation and Internal Integration (evolutionary), then Business Process Redesign, Business Network Redesign and Business Scope Redefinition (revolutionary), plotted by degree of business transformation against range of potential benefits.

Transforming the ISMS into an electronic application to enforce BS7799 is in my opinion the best way of making BS7799 part of the work ethos and of achieving maximum benefit from the standard.

7.4 Information Security a popular subject?

Whilst writing this report I have become aware of students at other universities throughout the world who are writing or have written reports on similar topics. Björck (Björck 2001) is one of those who have done research in a very similar field and Wolf (Wolf 2005) has recently completed his thesis on BS7799 auditing, named ‘Conception of a generic, data processing based, IT-Security and data protection audit- and improvement process for a medium-sized enterprise in an international environment’. The media has recently become more interested too. The BBC (BBC 2005a) mentions how companies are now training their own staff in penetration testing. It briefly refers to BS7799 in connection with hacking and security. Only 10 days later the BBC (BBC 2005b) reports that the University of Glamorgan is offering a postgraduate certificate in penetration testing designed with the help of 7 Safe Information Security. In June 2005 the BBC (Biswas 2005) published an article on the security at Indian call centres and the inspection of their information security systems. Information security is becoming more and more important to organisations, especially with the increase in cyber-crime, facilitated by the constant growth of the internet, the increase of wireless networks, the increase of laptop use and the rapid evolution of technology in general.

7.5 BS7799 – An international standard

It is worth knowing that by the end of 2005 BS7799-2:2002 will become a recognised ISO standard under the name ISO27001. Consultants tell me that there are only minor changes to the standard and that most changes are superficial rather than in-depth content changes.

8. References

?What If! 2002, Sticky Wisdom, Capstone Publishing Ltd, Oxford.
Bladergroen, D, Osinga, A, Peters, L, Vonk, J 2002, Planning en beheersing van IT-dienstverlening, herziene editie, ten Hagen & Stam Uitgevers, Den Haag, pp 99-111.
BBC 2001a, In pictures: Ealing bomb CCTV footage, August 6, Retrieved: September 11, 2005, from http://news.bbc.co.uk/1/hi/uk/1476586.stm
BBC 2001b, Two suspects linked to BBC bomb, March 10, Retrieved: September 11, 2005, from http://news.bbc.co.uk/1/hi/uk/1212314.stm
BBC 2004a, Inquiry into Carr documents theft, May 13, Retrieved: September 11, 2005, from http://news.bbc.co.uk/1/hi/uk/3711953.stm
BBC 2004b, 'Bad' blunder over 'dumped' papers, July 19, Retrieved: September 11, 2005, from http://news.bbc.co.uk/2/hi/uk_news/3905481.stm
BBC 2005a, Cracking the code, August 11, Retrieved: September 29, 2005, from http://news.bbc.co.uk/1/hi/business/4142628.stm
BBC 2005b, Course to produce expert hackers, August 21, Retrieved: September 29, 2005, from http://news.bbc.co.uk/1/hi/england/cambridgeshire/4171638.stm
Beltman, J R 2005, Statement of Applicability, August 20, Institute of Quality Assurance.
Beynon-Davies, Paul 2004, Information systems ‘failure’: case of the LASCAD project, September 22, Retrieved: September 12, 2005, from http://www.csm.uwe.ac.uk/teaching/notes/UQI101S2/lascad.htm
Biswas, Soutik 2005, How Secure are India’s call centres?, June 24, Retrieved: September 29, from http://news.bbc.co.uk/1/hi/world/south_asia/4619859.stm
Björck, F 2001, Security Scandinavian Style: Interpreting the Practice of Managing Information Security in Organisations, Retrieved: September 11, 2005, from http://www.dsv.su.se/~bjorck/files/bjorck-thesis.pdf
Bryman, A 1989, Research Methods and Organization Studies, Academic Division of Unwin Hyman Ltd, London, pp 178-187.
BSI 2000, Information technology: Code of practice for information security management, 1st Edition, December 01, BSI.
BSI 2002, Information security management systems: Specification with guidance for use, September 05, BSI.
Bureau Veritas 2003, Information Security Management Systems Auditor/Lead Auditor Course (IRCA 2016), Unpublished, Bureau Veritas, London.
Bureau Veritas 2004, Examination for Auditors of Information Security Management Systems, Amended Edition, March, Bureau Veritas, London.
CNN 2001, September 11: Chronology of terror, September 12, Retrieved: September 11, 2005, from http://archives.cnn.com/2001/US/09/11/chronology.attack/
Clark, A W 1976, Experimenting with Organisational Life: The Action Research Approach, Plenum Press, New York and London.
Deloitte & Touche 2004, Business Insurance Consulting: Coping with the unexpected, October 13, Retrieved: September 11, 2005, from http://www.deloitte.com/dtt/article/0,1002,sid%253D3469%2526cid%253D62519,00.html
Deming, W E 2000, The New Economics for Industry, Government, Education, 2nd Edition, August 11.
Energy Smart library 2005, Glossary of Energy terms, Retrieved: September 28, 2005, from http://library.energyguide.com/EnergyLibraryGlossary.asp?bid=nstar&prd=10#P
Financial Spread Betting News 2005, £9m theft ‘mad’ accountant jailed, January 26, Retrieved: September 29, 2005, from http://www.financial-spreadbetting.com/spread-betting-newss.html#Section60
Francis S. "Frank" Patrick 2001, Taking Advantage of Resistance to Change (and the TOC Thinking Processes) to Improve Improvements, extract from conference, May, Retrieved: September 11, 2005, from http://www.focusedperformance.com/articles/resistance.html
Gamma Security Systems Ltd, Retrieved: September 11, 2005, from http://www.gammassl.co.uk/
Global Security, Great Northeast Power Blackout of 2003, Retrieved: September 11, 2005, from http://www.globalsecurity.org/eye/blackout_2003.htm
Green, S 2005, Personal Communication, September 13.
Howard, R 2005, Personal Communication, September 13.
Ilett, Dan 2005, Cybercriminals taking £2.5bn from UK businesses: National Hi-tech Crime Unit shares the bad news, April 5, Retrieved: September 11, 2005, from http://software.silicon.com/security/0,39024655,39129301,00.htm
IQA 2005, About the Institute of Quality Assurance, Retrieved: September 13, 2005, from http://www.iqa.org/about/
IQA SoA 2005, IQA Statement of Applicability, August 20.
IRCA 2005, About IRCA, Retrieved: September 13, 2005, from http://www.irca.org/about/about.html
ISMS International User Group 2005, Certificate Register, Retrieved: September 11, 2005, from http://www.xisec.com/register.htm
Jeffcott, M A 2004, Technology alone will never work: Understanding How Organisational Issues Contribute To User Neglect And Information Systems Failure in Healthcare, Retrieved: September 18, 2005, from http://www.dcs.gla.ac.uk/~johnson/papers/Rotterdam_Paper.pdf
Knight, Will 2000, MI5 laptop containing top secret data stolen, March 24, Retrieved: September 11, 2005, from http://news.zdnet.co.uk/business/0,39020645,2077931,00.htm
Koppens, S, Peters, L, Vonk, J 2001, Operationeel beheer van informatiesystemen, herziene editie, ten Hagen & Stam Uitgevers, Den Haag.
Kotter, John P 1999, What Leaders Really Do, Retrieved: September 12, 2005, from http://www.1000ventures.com/business_guide/crosscuttings/change_resistance.html
Langley, Elizabeth 2003, What is ITIL, November 13, Retrieved: September 17, from http://www.brainbox.com.au/members/brainbox/home.nsf/0/BDD3E9AE7E4B115B49256DDC00301BE7?opendocument
Latynina, Yulia 2003, America in the Dark, August 18, Retrieved: September 12, 2005, from http://www.worldpress.org/Europe/1579.cfm
Laudon, K C, Laudon, J P 2004, Management Information Systems: Managing the Digital Firm, 8th Edition, Pearson Education Inc, New Jersey, pp 448-479.
Leviton Voice & Data Division, Standards, Retrieved: September 12, 2005, from http://www.levitonvoicedata.com/learning/glossary.asp?#S
News 24 2005, 'Iraq invasion led to UK bombs', July 26, Retrieved: September 11, 2005, from http://www.news24.com/News24/World/Londonattacks/0,,2-101854_1743598,00.html
Management Issues News 2005, Bank details 'sold by Indian call centre', June 23, Retrieved: September 11, 2005, from http://www.managementissues.com/display_page.asp?section=research&id=2263
Manchester Evening News 2005, Soaring cost of cybercrime, April 5, Retrieved: September 29, 2005, from http://www.manchesteronline.co.uk/men/news/technology/s/153/153574_soaring_cost_of_cyber_crime.html
Naudi, J 2005, Hurricane Katrina’s aftermath, September 10, Retrieved: September 21, 2005, from http://www.stltoday.com/stltoday/business/stories.nsf/0/6623D7F1124A2D4C86257078005A9BA6?OpenDocument
Parry, V 2005, Personal Communication, September 04.
Peach, R W, Peach, B, Ritter, D S 2000, The Memory Jogger 9000/2000: A Pocket Guide to Implementing the ISO 9001 Quality Systems Standard Based on ANSI/ISO/ASQ Q9001-2000, 1st Edition, GOAL/QPC, Salem.
Price, D 2005, BVQI & 7 Safe Workshop: Adding value through ISO 17799, 15 June.
Reason, P, Bradbury, H 2001, Handbook of Action Research: Participative Inquiry & Practice, SAGE Publications, London.
Rice-Oxley, Mark 2005, Terror jolts London, but British steady: Coordinated strikes on rush-hour commuters Thursday killed dozens, July 08, Retrieved: September 11, 2005, from http://www.csmonitor.com/2005/0708/p01s03-woeu.html?s=yahw
Rich, M 2005, Personal Communication, September 13.
Sikkink, M 2005, IT Management System, June 09, Thesis report, Institute of Quality Assurance.
Topping, Peter A 2002, Managerial Leadership, Retrieved: September 12, 2005, from http://www.1000ventures.com/business_guide/crosscuttings/change_resistance.html
Wikipedia 2004, Standards (software), June 28, Retrieved: September 12, 2005, from http://en.wikipedia.org/wiki/Standards_(software)
Wikipedia 2005a, Standardization, September 3, Retrieved: September 12, 2005, from http://en.wikipedia.org/wiki/Standardisation
Wikipedia 2005b, Regulation, September 9, Retrieved: September 12, 2005, from http://en.wikipedia.orgwiki/Regulation
Wolf, Roberto 2005, Conception of a generic, data processing based, IT-Security and data protection audit- and improvement process for a medium-sized enterprise in an international environment, September 9, Unpublished thesis report, Ernst & Young.

Appendix A. Project Definition

Name: J.R. Beltman
Email address: jrbeltman@iqa.org
Contact phone number: 020 7245 8596
Project title: How to implement BS7799: A case study conducted at the Institute of Quality Assurance.
Supervisor: C. Smart

How to implement BS7799: A case study conducted at the Institute of Quality Assurance.

The Problem

The security of the information held by the Institute of Quality Assurance (IQA) is at risk and this risk has to be reduced to the absolute minimum, whilst at the same time the efficiency of the IT department in dealing with information security related issues must be improved in line with IQA’s business of adhering to best practice in the workplace. The consequences for any company whose information security is compromised are severe. A few examples of information at risk:

• Email directories (customers and suppliers)
• Customers’ financial information
• Any other customer data
• The organisation’s bank account details
• Employee details

IQA requires all appropriate sections of BS7799 to be implemented by the end of September 2005, with a view to proceeding to certification early in December. The Institute of Quality Assurance (IQA) consists of two organisations: the Institute of Quality Assurance (IQA) and the International Register of Certified Auditors (IRCA). The IT department of the IQA supports both organisations. Both organisations have very different business processes and it is this difference that makes implementation of BS7799 an extra interesting undertaking.

Background

Since the restructuring of the IT department began 3 years ago its functioning has improved greatly, but it has not yet reached its potential level of efficiency. However, this does not only depend on the IT department, but on the whole of the organisation. To make further improvements the IT department has identified some potential aids that would benefit its functioning.

• ITIL (IT Infrastructure Library) – Concerned with IT Service Management.
• ISO 9000:2000 (International Standards Organisation) – Concerned with overall improvement of quality within the organisation.
• BS7799 (British Standard) – Concerned with Information Security.

The ITIL and ISO 9000:2000 aids are already being investigated and are partly implemented, leaving BS7799 implementation as a final, but most challenging, project to be completed.
Aim and Objectives

The aim of this project is to see to the implementation of all applicable domains and sub-domains of BS7799 within the IQA, with a view to possible certification in the near future, and to document the process of implementation to make implementation of BS7799 more accessible for other organisations.

Project objectives

• To make implementing BS7799 accessible for third parties by discussing the subject of ‘How to’ implement the standard, detailing the process, difficulties and challenges of implementation in the IQA in a format that can be taken as guidance by a third party.
• Implement the domains of the BS7799 standard that are applicable to the IQA.
• Format this project report so it is easily adaptable for transformation into a software application that will help to enforce the applicable domains and sub-domains of BS7799.

The business objectives of BS7799 are to:
• Maximise return on investment
• Minimise business damage
• Ensure business continuity

The stakeholders are identified as the IQA/IRCA, their customers and suppliers, and other organisations that are eager to implement BS7799.

BS7799 certification requires compliance with both parts of BS7799, part 1 and part 2, also known as:
• BS ISO/IEC 17799:2000, BS 7799-1:2000 (Information technology – Code of practice for information security management)
• BS 7799-2:2002 (Information security management systems – Specification with guidance for use)

The Code of practice covers 10 domains which address key areas of Information Security Management and which include a total of 127 best security practices:

1. Information security policy - Objective: To provide management direction and support for information security
2. Organisational security - Objective: To manage information security within the organisation
3. Asset classification and control - Objective: To maintain appropriate protection of organisational assets
4. Personnel security - Objective: To reduce risks of human error, theft, fraud or misuse of facilities
5. Physical and environmental security - Objective: To prevent unauthorised access, damage and interference to business premises, information and assets
6. Communications and operations management - Objective: To ensure the correct and secure operation of information processing facilities, minimise the risk of system failures and maintain the integrity and availability of information processing and communication services
7. Business requirement for access control - Objective: To control access to information and detect unauthorised access
8. Security requirements of systems - Objective: To ensure that security is built into information systems
9. Business continuity management - Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
10. Compliance - Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and thereby to ensure compliance of systems with organisational security policies and standards

The objectives of all domains mentioned go into far greater detail in the actual code of practice than the summary above. It is important to be aware that not all domains or sub-domains apply to every organisation and that some domains will be difficult to implement without the full co-operation of those involved, in some cases the entire company. The domains and sub-domains to be implemented will only become apparent when actually engaging in the project. It is part of the project to determine and document which are and which aren’t applicable to the IQA and why.

Successful implementation of BS7799 can be tested by internal checks and external audit. IQA/IRCA IT and HR personnel will carry out systematic checks on all of the applicable/implemented domains and put forward any suggestions for improvement. When the implemented domains are found to be adequate the project is successfully completed. Proof of this will be a signed checklist. As an extra, but not immediately required, endorsement of success, the IQA can bring in an external auditor to audit the BS7799 Information Security Management System. If the IQA is then awarded certification the project will have exceeded its original aims and objectives.

Methodology

The Information security management system (ISMS) of BS7799 is implemented using a methodology referred to as the Deming cycle: the Plan-Do-Check-Act (PDCA) cycle (W Edwards Deming, “The New Economics for Industry, Government, Education”, 2nd Edition, August 11 2000). Each component has its own sub-components.

Figure A.1 The Deming Cycle

For the ISMS of BS7799 the Deming Cycle’s sub-components are:

Plan
• Scope
• Policy
• Risk Assessment
• Risk Treatment Plan
• Statement of Applicability

Do
• Operate Controls
• Awareness Training
• Manage Resources
• Prompt Detection and Response to Incidents

Check
• Management Review
• Internal ISMS Audit

Act
• ISMS Improvements
• Preventive Action
• Corrective Action

Table A.1 Sub-components of the Deming Cycle for the ISMS of BS7799.

Part 2 of BS7799 (Specification with guidance for use) enforces the original code of practice and instructs on how to build, maintain, operate and improve a measurement system for managers to monitor and control the security systems: the Information security management system (ISMS). Part 2 guides through each of the 10 domains and their sub-domains of Part 1. It requires justification for the implementation of each sub-domain, not only for discarding certain sub-domains.
For this project I will be making use of the Deming Cycle and Part 2 of BS7799 (Specification with guidance for use). I will be going through each domain and their sub-domains (or, as worded in BS7799 part 2, control objectives and controls). I will determine their applicability and justify either use or discard. If a sub-domain is applicable I will seek to implement it.

Factors that can influence the success of this project

Table A.2 Project risk factors
Risk                      Likelihood   Severity
Virus infection of PC     0.1%         Small
Crash of hard disk        2%           Very high
Corruption of data        1%           Very high
Absence of key persons    10%          Small
Resistance to change      50%          Medium

Resistance to change is a problem that I am likely to run into. This can be minimised by convincing and logical argumentation of the change required and by support from higher management. The project will require a significant change in the way people currently regard information security; however, the impact of the change on how they work should be kept to a minimum.

To counteract the very possible reality that this project will not succeed in enforcing the uptake of BS7799 within the IQA and will end up on the bookshelf without being taken seriously, the following actions/factors have been identified as absolutely fatal:

• Top management support.
• Management support.
• A follow-up project where the identified domains and sub-domains of BS7799 will be transformed into a software application that actively enforces them. The follow-up project will require this project report to be written in a format that is easily adaptable for transformation into a software application.

Appendix B. The Scope

Scope of the Information Security Management System BS7799 Part 2

The scope of the information security management system in IQA/IRCA covers the following: all operational, technical, networking, desktop, administration and management functions at the Grosvenor Crescent office.

Departments within scope:
1. Desktops, servers and LAN
2. IT Services Department

To be included at a later stage, in the following order:
1. Site Security
2. IRCA Certification
3. IRCA Training
4. Facilities
5. Accounts
6. Publishing
7. IQA Training & Events
8. IQA Education
9. IQA Membership

The departments that are currently not in scope do make use of IT assets which are in scope. The users of the assets that are in scope will be made aware of the policies and procedures that apply to these assets.

Signed……………………… IT Manager
Date……………………..

Appendix C. The Security Policy

Institute of Quality Assurance Information Security Policy

Purpose

The purpose of this information security policy is to protect all information assets, as defined within the scope, within the Institute of Quality Assurance (IQA) from all threats, whether internal or external, deliberate or accidental. Information within the IQA exists in many forms and the policy includes the protection of data stored electronically, transmitted across networks and printed or written on paper, to safeguard the information of the company, its customers, employees and trading partners.

Objectives

The objective of information security is to ensure business continuity and minimise damage by preventing and reducing the impact of security incidents. The implementation of this policy is needed to maintain, improve and demonstrate our integrity in our dealings with all our customers and trading partners.

It is the policy of the IT department of the IQA to ensure:
• Information is protected against unauthorised access.
• Confidentiality of information is assured.
• Information is not disclosed to unauthorised persons through deliberate or careless actions.
• The integrity of information is maintained.
• The availability of information to authorised users when needed.
• Regulatory and legislative requirements will be met.
• Business continuity plans will be produced, maintained and regularly tested.
• Information security training will be given to all staff.
• All breaches of information security, actual and suspected, are recorded, reported and investigated.
• The IT department is compliant with best practice as identified in ISO/IEC 17799.

Actions

Standards, policies and security operating procedures will be produced to support this policy and will include: virus control, access control, personnel security, the use of email, the Internet and the local network. A formal disciplinary process will be documented and implemented, in collaboration with the personnel department, for those employees who choose not to comply with company standards. The IT Manager has overall responsibility for maintaining this Policy and providing guidance on its implementation. It is the responsibility of each employee to adhere to the policies and procedures in their areas. This policy will be reviewed regularly to ensure it remains appropriate for the organisation.

Signed…………………………………….. IT Manager
August 2005

Appendix D. Risk Assessment Procedure

Risk Assessment Procedure

Objective

This document describes the Risk Assessment methodology adopted by the IT Department of the IQA as part of its commitment to achieve implementation of BS 7799-2:2002.

Responsibilities

The IT Manager maintains overall responsibility for compliance and adherence to this procedure, whilst nominated asset owners are responsible for assessing the security threats and vulnerabilities for their own information assets.

Methodology

Step One. Review of Asset Inventory

The IT department maintains an inventory of all information assets related to the IT department which are within the scope of the ISMS. The inventory is reviewed on a regular basis to ensure that it remains up to date, and an annual review is undertaken prior to performing a formal risk analysis. For each asset or group of assets an asset owner or key user has been nominated. The IT manager is responsible for identifying the value of the identified assets, where possible in conjunction with the asset owner or user.

Step Two. Asset Valuation

Assets are valued according to the effect that the asset being compromised has on the organisation, also called the severity of the threat. Severity levels used:
Very low (1): loss of the asset will have no effect on the business
Low (2): loss of the asset will have little effect on the business and not cause any disruption
Medium (3): loss of the asset will have an impact on the business, which can be resolved in a number of hours but will not affect the customer
High (4): loss of the asset will disrupt the business and impact on the customer in the short term
Very high (5): loss of the asset will cause major disruption, affect customers and impact revenues

Step Three. Identification of Security Threats and likelihood

Threats are identified and recorded. For each threat the likelihood of the threat materialising is assessed per asset or asset group. Likelihood is classified as follows: Very Low (1), Low (2), Medium (3), High (4), Very High (5).

Step Four. Identification of Vulnerabilities

Vulnerabilities to threats are identified per asset or asset group.
Vulnerability is a source or situation with potential for a threat to inflict harm. It does not cause harm or threats but if not managed it will lead to harm. Vulnerability is classified on five levels. Very Low Low Medium High Very High (1) (2) (3) (4) (5) Example of vulnerability: paper records archived in the basement of a building known to occasionally flood are vulnerable to water damage. The likelihood of such an event would also be considered as well as the damage such an event would have on the business to determine the degree of assurance required. Step Five Calculation of risk The table identified in used to calculate the risk exposure of all information assets once an asset value has been assigned. Security Threats Threats Identified • • • • • • • • • • Physical & Environmental Bomb attack Earthquake Fire Flood Theft Wilful damage Accidental damage Power supplies Air conditioning failure J.R. Beltman – IT Manager Institute of Quality Assurance D2 Appendix D – Risk Assessment Procedure • Power failure IT Threats • • • • • • Software failure Hardware failure Damage to communication lines/cables Deterioration of storage media Computer viruses Hacking Vulnerabilities Identified • • • • • • • • • • Location of the organisation near Buckingham Palace, Hide park corner and in Belgravia where many embassies are based. The building is shared with another organisation. The electrical circuits in the building, especially the server room are badly wired with ‘earth’ leaking from one plug to another. Power supplied by 3rd party. Unprotected telephone connections. Unprotected public network connections. Equipment sensitive to temperature variations. Equipment such as laptops and data storage devices are taken out of the building. External connections to the company’s network are possible and open to support staff and 3rd parties. Insufficient security training J.R. 
Beltman – IT Manager Institute of Quality Assurance D3 Appendix D – Risk Assessment Procedure Severity liklihood Vulnerability very low = 1 2 3 5 low = 1 2 3 2 4 medium = 5 1 2 3 3 4 4 1 3 4 5 6 7 4 5 6 7 8 5 6 7 2 4 5 6 7 8 5 6 7 8 9 6 7 3 5 6 7 8 9 6 7 8 9 10 7 4 6 7 8 9 10 7 8 9 10 11 5 7 8 9 10 11 8 9 10 11 12 Legend Figure D.1 1 5 high = 1 2 3 4 4 5 8 9 6 7 8 9 10 7 8 9 10 11 8 9 10 7 8 9 10 11 8 9 10 11 12 8 9 10 11 8 9 10 11 12 9 10 11 12 13 8 9 10 11 12 9 10 11 12 13 10 11 12 13 14 9 10 11 12 13 10 11 12 13 14 11 12 13 14 15 3 to 7 - residual risk - no action required 8 to 10 - control required - medium risk 11 to 15 - controls critical - high risk very high = 1 2 3 4 5 5 Risk Matrix J.R. Beltman – IT Manager Institute of Quality Assurance D4 Appendix E – Risk Management/ Treatment Procedure Appendix E. Risk Management/ Treatment Procedure Institute of Quality Assurance Risk Management/Treatment Procedure Objective This procedure defines the risk management/treatment methodology adopted by the Institute of Quality Assurance. Responsibilities The IT Manager maintains overall responsibility for the compliance and adherence to this procedure whilst nominated asset owners and managers are responsible for managing risk identified in relation to their nominated information assets. Risk to all information assets has been calculated using the risk assessment procedure against all assets identified on the Asset Register. Based upon this assessment the management team have defined what level of risk is acceptable to the business and stated the degree of assurance required. It has been decided that risk levels above 10 are not acceptable and need to be reduced. Ideally the risk levels should all be reduced till under level 8 as level 7 and below are seen as acceptable risk levels. In order to meet the criteria, controls will be implemented to manage and reduce current asset exposure levels to security threats and vulnerabilities. 
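The additive scoring of Figure D.1 and the acceptance thresholds just stated, applied to a register of asset/threat pairs, as an added Python example. This is not part of the IQA procedure documents or the report's own material: the function names, the "reduce where practical" wording for scores of 8 to 10 and the per-asset summary are the example's own choices, and the sample register is constructed from the illustrative rows of Table K-1 in Appendix K, which the report itself states are not the IQA's real data.

```python
"""Additive risk scoring: severity + likelihood + vulnerability, each 1..5.

Added example, not code from the IQA procedure. It reproduces the arithmetic
of Figure D.1 (scores 3..15 in three bands) and the thresholds of Appendix E
(7 and below acceptable, above 10 must be reduced).
"""
from collections import defaultdict
from statistics import mean

SCALE = range(1, 6)  # 1 = very low, 2 = low, 3 = medium, 4 = high, 5 = very high

# Bands from the legend of Figure D.1 (inclusive ranges)
BANDS = (
    (3, 7, "residual risk - no action required"),
    (8, 10, "control required - medium risk"),
    (11, 15, "controls critical - high risk"),
)
ACCEPTABLE_MAX = 7   # Appendix E: level 7 and below is acceptable
TOLERABLE_MAX = 10   # Appendix E: above 10 is not acceptable and must be reduced


def risk_score(severity, likelihood, vulnerability):
    """Risk exposure of one asset/threat pair; range 3..15."""
    for name, value in (("severity", severity), ("likelihood", likelihood),
                        ("vulnerability", vulnerability)):
        if value not in SCALE:
            raise ValueError(f"{name} must be in 1..5, got {value!r}")
    return severity + likelihood + vulnerability


def risk_band(score):
    """Legend label of Figure D.1 for a score."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} outside 3..15")


def treatment(score):
    """Treatment decision implied by the Appendix E thresholds (wording is the example's)."""
    if score > TOLERABLE_MAX:
        return "must reduce"
    if score > ACCEPTABLE_MAX:
        return "reduce where practical"
    return "accept"


def score_register(entries):
    """entries: (asset, threat, likelihood, vulnerability, severity) tuples,
    the column order of Table K-1. Returns per-entry rows and a per-asset
    summary: mean score (the table's Average column) and the worst threat."""
    rows = []
    by_asset = defaultdict(list)
    for asset, threat, lik, vul, sev in entries:
        s = risk_score(sev, lik, vul)
        row = {"asset": asset, "threat": threat, "score": s,
               "band": risk_band(s), "treatment": treatment(s)}
        rows.append(row)
        by_asset[asset].append(row)
    summary = {}
    for asset, asset_rows in by_asset.items():
        worst = max(asset_rows, key=lambda r: r["score"])
        summary[asset] = {
            "average": round(mean(r["score"] for r in asset_rows), 1),
            "worst_threat": worst["threat"],
            "worst_score": worst["score"],
        }
    return rows, summary


def entries_needing_controls(entries):
    """Asset/threat pairs scoring above the acceptable level (8 and up)."""
    rows, _ = score_register(entries)
    return [(r["asset"], r["threat"], r["score"]) for r in rows
            if r["score"] > ACCEPTABLE_MAX]


# Constructed sample: the rows of Table K-1 (Appendix K), themselves illustrative.
SAMPLE = [
    ("Desktops", "Virus infection", 2, 3, 1),
    ("Desktops", "Abuse of workstation", 2, 1, 3),
    ("Desktops", "Installation of unauthorised software", 4, 3, 2),
    ("Laptops", "Virus infection", 4, 3, 2),
    ("Laptops", "Abuse of laptop", 3, 1, 3),
    ("Laptops", "Installation of unauthorised software", 4, 4, 2),
    ("Laptops", "Theft", 3, 3, 4),
    ("USB Sticks", "Theft", 2, 3, 4),
    ("USB Sticks", "Loss", 3, 3, 4),
    ("USB Sticks", "Data corruption", 3, 2, 1),
    ("USB Disks", "Hardware failure", 2, 2, 3),
    ("Servers", "Power outage", 1, 2, 5),
    ("Servers", "Hardware failure", 1, 3, 4),
    ("Servers", "Virus infection", 3, 1, 1),
    ("Servers", "Data corruption", 2, 2, 5),
    ("Servers", "Electricity spikes", 3, 3, 1),
    ("Switches", "Hardware failure", 1, 1, 5),
    ("UPS systems", "Hardware failure", 1, 1, 3),
    ("Building", "Falling within an exclusion zone", 1, 1, 5),
    ("Building", "Closure due to a disaster", 1, 1, 5),
]

if __name__ == "__main__":
    rows, summary = score_register(SAMPLE)
    for r in rows:
        print(f"{r['asset']:<12} {r['threat']:<40} {r['score']:>2}  {r['band']}")
    for asset, s in summary.items():
        print(f"{asset:<12} average {s['average']:<4} worst: {s['worst_threat']} ({s['worst_score']})")
```

Running the file prints the scored register and the per-asset summary; the means reproduce the Average column of Table K-1. Note that the summary also reports the worst-scoring threat per asset, because an average can hide a single pair above 10 that the procedure says must be reduced.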
The Institute of Quality Assurance will consider options for the treatment of risk, which include Transfer of Risk, Avoidance of Risk, Risk Acceptance in accordance with the Security Policy, and the Application of Controls from the ISMS standard BS 7799-2:2002. The control options and their selection are addressed in the Statement of Applicability, which references the relevant documentation that addresses the requirements for control as identified by the risk assessment. The asset owners and key users translate the control objectives and controls in the standard into documented procedures and policy statements that describe how they are implemented. Controls are also covered in Business Continuity Plans, which are tested frequently for their effectiveness. The IT Manager and asset owners are responsible for monitoring and identifying new security threats and vulnerabilities on a regular basis and for changing working practices and procedures when required, in accordance with the recommendations from information security management system reviews.

A formal re-evaluation of security risk levels is performed on an annual basis, the results of which are discussed at the Information Security Management Review Meetings.

Signed……………………………… IT Manager, August 2005

Appendix F. S. Green, Personal Communication

Dear Mr Beltman,

Thank you for your email to the OGC Service Desk.

ITIL was conceived and started in the late 1980s and was developed and owned by CCTA. CCTA recognised that organisations were becoming increasingly dependent on Information Systems (IS). Without IS most businesses cannot function. Without quality IT services they cannot function well.
Clearly there was a need for quality IT service provision and, while CCTA's customer base was central government, the needs of organisations in the public or private sector, large, small, centralised or distributed, were going to be similar. There is a continual pressure in many organisations to reduce costs while maintaining or improving the IT services. When the IT Infrastructure Library project was initiated, no comprehensive guidance existed on providing efficient and effective IT services. The IT Infrastructure Library documents best practice for IT service management, with that best practice being determined through the involvement of industry experts, consultants and practitioners. It remains the only comprehensive, non-proprietary, publicly available set of guidance, making it a unique and valuable product.

If you require further information about ITIL please visit the following link to the ITIL section of OGC's website: http://www.ogc.gov.uk/index.asp?id=2261

Here you will find a wealth of information about the ITIL methodology, including Frequently Asked Questions which may help with any other queries you may have.

I hope the above is of use to you. If you have any further enquiries please do not hesitate to contact the Service Desk again.

Kind regards
Sarah Green
Service Desk Agent
Office of Government Commerce
Rosebery Court, St Andrews Business Park, Norwich NR7 0HS

> -----Original Message-----
> From: J.R. Beltman [mailto:beltman_jr@hotmail.com]
> Sent: 04 September 2005 17:20
> To: ServiceDesk@ogc.gsi.gov.uk
> Subject: History of ITIL
>
> Dear Sir/Madam,
>
> I was just wondering, when ITIL was first devised, if it was originally
> devised just for the UK public sector or was it always intended to have a
> broader application? And if it was just devised for the UK public sector
> then when was it that this changed and why?
>
> Kind regards
> JR Beltman

Appendix G. R. Howard, Personal Communication

Dear Mr Beltman,

Thank you for taking my telephone call. I would like to provide you with details of our services so we can be considered for any future Penetration Testing requirements that you may have. We get involved in all types of testing including:

Security / Vulnerability Testing Methodologies
Sample Management Report - External/Internal & War Dial
Overview of Security / Vulnerability Testing Services

We offer INTERNAL TESTING, EXTERNAL TESTING, APPLICATION TESTING, WIRELESS NETWORK TESTING, MOBILE WORKING SECURITY TESTING, STOLEN LAPTOP TESTING, SOCIAL ENGINEERING, PASSWORD REVIEWS.

NCC Group Plc is one of the world's leading independent providers of IT assurance, security and consultancy services to over 10,000 clients globally in both the public and private sectors. Our technical excellence and independence mean we are totally unique in that our advice is totally impartial and not driven by the need to promote pre-determined technical solutions.

You may be interested to learn that in the last 2 years NCC Group Plc achieved a 42% success rate in breaking into networks from an external testing perspective and 83% from an internal testing perspective.

NCC Group Plc is a member of the GCHQ CESG CHECK certification scheme (Green Standard) for providing penetration testing services. We have the largest independent CHECK Team in the UK. Consultants are also CLAS cleared. Should procurement be made easier for you by using S-CAT, please may I make you aware that we are S-CAT and G-CAT listed.
The NCC Group has worked with many private sector clients including: Amec, First Engineering, Churchill Insurance, Merrill Lynch, HSBC, Holmesdale Building Society, Nottingham Building Society, Manchester International Airport, Marsden Building Society, IF Online (Halifax Group), National Australia Group, UBS Warburg, Ulster Bank, B&Q, Woolworths, Northern Electric Plc. Also with many local and central government authorities, some of which include: Crown Prosecution Service, British Library, Department of Enterprise, Trade & Investment, The Royal Mint, NATO, US Department of Defence, London Borough of Hammersmith & Fulham, London Borough of Hackney, London Borough of Camden, The FSA, Manchester City Council, Tate Gallery, in addition to several UK Police Forces and Registered Charities.

Please also find attached the following information for your perusal:
Pen test Services
Sample Management Report (External, Internal & War Dial Testing)

We would be keen to meet with you to discuss this further and how we can potentially assist you. Should you have any questions or require any additional information, please do not hesitate to contact me.

Kind Regards,
Rachael Howard

Appendix H. V. Parry, Personal Communication

----- Original Message -----
From: Vic Parry
To: JR Beltman
Sent: Sunday, September 04, 2005 4:50 PM
Subject: Senior Management

Hi JR, if I understand your question correctly then the following is what I have found to be the biggest resistance to change by some managers when implementing BS 7799:

Unlike the ISO 9001 Quality Management System, where you can quantify financially the improvements brought about by implementing a management system, e.g. higher productivity, fewer errors, reduced waste, shorter downtime, less rework, fewer warranty claims etc., BS7799 is far more difficult to justify in terms of higher profits. It is hidden in terms of how much damage has been avoided/reduced by protecting your company from an attack, whether this be a logical, personal or even physical attack. A company often finds out too late after the event; very often the damage has already been done. In extreme cases this actually results in the company going bust. At best it causes disruption and impacts on the company's financial performance, not to mention damage to the organisation's image and reputation. The problem is that when an organisation does implement policies, practices and procedures to protect its assets this will often eliminate unnecessary risks and potential attackers are unsuccessful; however this is not always obvious and visible, so management are unaware of how effectively their management system has worked.

I hope this goes some way to adding to your understanding of why management are not always fully committed to implementing this system.

Best Regards
Vic Parry
Chartered FCIPD
IRCA Registered Principal Auditor BS 7799:2-2002

Appendix I. M. Rich, Personal Communication

First statement

Action research originated in the clinical world after around 1945.
As well as assuming that there are 'participant observers', that is, people carrying out the research are actually taking part in the process, action research also assumes that through some intervention you can do things better in the future. Therefore your objectives (in action research terms) are to do with identifying a suitable intervention.

Correction on first statement

Yes, I suggested that action research originally presumes that through some intervention things could be done better in the future. I'm therefore suggesting that you are doing the first stage of action research, and that part of your results will be recommendations on what sort of interventions to try out. True action research would depend on you trying out this intervention and then evaluating its effect; you can and should be very open about the fact that you can't do that within one MSc project.

Appendix J. V. Parry, Interview notes

On Monday 26-October-2005 I met up with Victor Parry, Chartered FCIPD and IRCA Registered Principal Auditor BS 7799:2-2002. I thought it would cost me a meal and a pint, but not only did he pay for himself, he also shared a lot of information about BS7799 implementation with me. Below is a summary of what was said during the evening.

When I asked Victor what he felt were the largest issues with implementing BS7799 he told me about lack of management support, which can be split into a couple of sub-sections. He mentioned:
• No resource allocation
• Fear of hidden costs
• There are no transparent benefits of implementing BS7799
• No understanding of business continuity and disaster recovery
• The value of implementation is not understood

He continued by explaining that business continuity means planning for the future, such as for expansion, more staff, extra resources etc., to provide a consistent level of service.
Disaster recovery is planning for the unexpected and unplanned events.

We moved on to resistance to change. Victor had a very interesting view on this subject. He never found it to be a big show stopper, but in his view this is due to how change is managed. He suggested that a good manager will communicate the positive aspects of change and by doing so the manager can take away the psychological fear people have of change. People fear change, according to Victor, because it makes them think again. Whereas before the change the staff could do their job without actively thinking about how, with change they suddenly need to start thinking about their work again. He mentioned some examples, such as making a pool player think about how to breathe in and out when playing. This would usually go unnoticed, but by making the player think about this the game will change, and most likely not in favour of this player.

"What are the arguments against implementing BS7799?", I asked. According to Victor there are many of these, but not many hold ground. Examples mentioned:
• We are a public body
• Customers do not insist on it
• Won't increase our profits
• We don't need it
• Nobody knows who we are or what we do
• We are not prepared to invest in this
• Why invest in BS7799?

"For those who implemented BS7799, how do we make sure it is not just lip service?" was my next question. Victor suggested that it does happen, but not often, and it does not go unnoticed. If it were to become lip service the organisation would stand little to no chance of renewing the certificate, as the company simply won't pass the assessment. In places where it does happen there can be several factors. Victor pointed out that he is aware of a company where it happened because of lack of management support and involvement.
Victor continued by telling me that the critical success factors, apart from management support, are an asset register with relevant assets and a systematic approach to risk assessment. He concluded by informing me that in the end it is all about focusing on the business needs.

Appendix K. Assets and risks

Table K-1 Assets and risks

Asset / Asset Group | Threat                                | Likelihood | Vulnerability | Severity | Score | Average
Desktops            | Virus infection                       | 2 | 3 | 1 | 6  | 7
Desktops            | Abuse of workstation                  | 2 | 1 | 3 | 6  |
Desktops            | Installation of unauthorised software | 4 | 3 | 2 | 9  |
Laptops             | Virus infection                       | 4 | 3 | 2 | 9  | 9
Laptops             | Abuse of laptop                       | 3 | 1 | 3 | 7  |
Laptops             | Installation of unauthorised software | 4 | 4 | 2 | 10 |
Laptops             | Theft                                 | 3 | 3 | 4 | 10 |
USB Sticks          | Theft                                 | 2 | 3 | 4 | 9  | 8.3
USB Sticks          | Loss                                  | 3 | 3 | 4 | 10 |
USB Sticks          | Data corruption                       | 3 | 2 | 1 | 6  |
USB Disks           | Hardware failure                      | 2 | 2 | 3 | 7  | 7
Servers             | Power outage                          | 1 | 2 | 5 | 8  | 7.4
Servers             | Hardware failure                      | 1 | 3 | 4 | 8  |
Servers             | Virus infection                       | 3 | 1 | 1 | 5  |
Servers             | Data corruption                       | 2 | 2 | 5 | 9  |
Servers             | Electricity spikes                    | 3 | 3 | 1 | 7  |
Switches            | Hardware failure                      | 1 | 1 | 5 | 7  | 7
UPS systems         | Hardware failure                      | 1 | 1 | 3 | 5  | 5
Building            | Falling within an exclusion zone      | 1 | 1 | 5 | 7  | 7
Building            | Closure due to a disaster             | 1 | 1 | 5 | 7  |

Score = Likelihood + Vulnerability + Severity, as in the risk matrix of Figure D.1; Average is the mean score of the asset group.

Table K-1 is an example of a risk asset evaluation. For security reasons this table does not contain the actual information used at the IQA.

Appendix L. IQA Old asset registry

Figure L.1 IQA old asset registry

User   | Location     | SN           | New | Operating System | Category   | Status | Model          | Purchase date
xxxxxx | 2nd floor    | 6S31KN8Z30YZ |     | Windows XP Pro   | Desktop PC | In use | Compaq D51c    | 2003-01-24
xxxxxx | 2nd floor    | 6S31KN8Z30ZJ |     | Windows XP Pro   | Desktop PC | In use | Compaq D51c    | 2003-01-24
xxxxxx | 2nd floor    | 6S31KN8Z30Z8 |     | Windows XP Pro   | Desktop PC | In use | Compaq D51c    | 2003-01-24
xxxxxx | 2nd floor    | 6S31KN8Z30ZF |     | Windows XP Pro   | Desktop PC | In use | Compaq D51c    | 2003-01-24
xxxxxx | Basement     | 6S31KN8Z30Y3 |     | Windows XP Pro   | Desktop PC | In use | Compaq D51c    |
xxxxxx | Ground Floor | 6S31KN8Z30Z4 |     | Windows XP Pro   | Desktop PC | In use | Compaq D51c    |
xxxxxx | Basement     | PC4773       |     | Windows 2000     | Desktop PC | In use | Dimension 8200 | 2001-03-01
xxxxxx | 2nd floor    |              |     | Windows 2000     | Desktop PC | In use |                | 1999-11-01
xxxxxx | 5th floor    | G85270J      |     | Windows 2000     | Desktop PC | In use | Optiplex GX150 | 1999-01-01
xxxxxx | 4th floor    | 6S31KN8Z30X0 |     | Windows XP Pro   | Desktop PC | In use | Compaq D51c    | 2003-01-24
xxxxxx | 4th floor    | 6S31KN8Z30XF |     | Windows XP Pro   | Desktop PC | In use | Compaq D51c    | 2003-01-24

Appendix M. IQA IT Management system Asset registry

Figure M.1 New IQA asset registry

Figure M.2 Detailed view of asset registry

Appendix N. IQA Licence control

Figure N.1 IQA Licence control

Note that information in this image has been concealed for security reasons and to comply with the Data Protection Act.

Appendix O. IQA Email house keeping

A structured approach to E-Mail storage

1. The Problem

We are fast running out of storage capacity for our emails.
Because having a working email facility is business critical for all of the IQA, this situation is serious.

Why has this happened? Two reasons: a sharp increase in email usage generally, and poor housekeeping of our email accounts (see later in this document for a list of the major users of storage). At the moment there are no set limits or control over staff email accounts, and because filing and retrieving emails is a very easy way of storing information there is a tendency amongst most of us to keep almost everything. Unfortunately, this carefree approach has got us into trouble and, referring to the graph below, unless we take action very soon we will be in serious trouble, i.e. we won't have an email service.

We have a total of 20 GB available for all emails and, going by the trend, we will have used all of that before the end of this year. We have already used some of the space we need to rectify problems when they occur; an example of the problems this causes is the email crash in April this year. The system was down for 3 days when, with more space available, we could have had it operational in less than a day.

Figure O.1 Email Growth, actual and projected

Why not simply fit some more capacity? Two reasons why not. While hard drives are inexpensive, fitting them is not: IT would need to take the network off line for around 72 hours while the drives were fitted and bring in IT specialists to restructure the whole system. The second reason is demonstrated by the graph above. Our usage is growing so fast (the growth is not linear but accelerating, closer to exponential) that even doubling our capacity would serve only to delay the inevitable. What we need is a change in our practices.

2. The Solution

IT's approach to this is simple. We have allocated space to those public folders which require more capacity, e.g. for sending out bulk emails and for Publishing, who routinely use large graphics files.
We have also identified some public folders that have low usage and have allocated these a small amount. Then we divide the remaining capacity by the number of normal user accounts, i.e. every 'normal' account receives the same amount of storage. For our calculations we have estimated 65 user accounts, a few more than we have staff, but we are allowing for a little growth. This leaves us with 250,000 KB per person. Not a great deal when you consider the size of the accounts some heavy users currently have, but sufficient if the appropriate housekeeping practices are followed. When a suitable opportunity arises we plan to add more capacity, but until then (and even after) there is no long term substitute for effective housekeeping.

How to do 'Housekeeping'

• Either delete the email: by far the majority of emails are routine ones which you will never refer to again;
• Or delete the attachment: most space is taken up by attachments, especially spreadsheets and graphics files, and you can remove these by opening the email, right-clicking the attachment and selecting the remove attachment option;
• Or archive old emails, or those you only need to access rarely, onto your 'H' drive. If your H drive is nearing its capacity (every user's H drive has a limit, just as we now have for our email accounts) then this option may not be a long term solution, because all this will achieve is to transfer the space problem from the email system to the H drive.
• And/or then transfer the archive file(s) to CD. This is by far the most effective housekeeping method and IT are preparing guidance on how to do this. Please note that for information security purposes not all users will be able to transfer files to CD. The rights to transfer files to CD will be decided by Directors and Managers. See your manager for clarification.
• And make sure you notify IT when an email account is no longer needed.
Each account has 250,000 KB allocated and, as there are currently a sizeable number of 'orphaned' accounts, each unused account reduces the capacity available for other, active users. See later in this document for a list of orphaned accounts. If you recognise any as coming under your control, please let IT know either that you wish these to remain (your name will be added as the owner of that account) or that you are happy for the account(s) to be deleted. IT will remove any accounts unclaimed after 1 October on the assumption that they are no longer active or needed.
• And when sending documents internally, use links to documents instead of attaching copies. Outlook makes it very easy to link documents and, if your recipients have access to the folder in which the document is located, all they need do to access that document is to click on the link.
• And don't forget to do housekeeping on your 'Sent Items' folder!
• And let IT know when a user has left the IQA. Remember that each user account deleted means another 250,000 KB available for other users.
• And regularly empty your 'Deleted Items' folder.

How to check your usage level

You can monitor the amount of storage you are using yourself. Right-click on 'Mailbox - Your Name' and select 'Properties for "Mailbox - Your Name"', then select the 'Folder Size' option on the 'General' tab. Select the 'Server Data' tab (users with laptops that are configured to work offline will see an additional tab marked 'Local data'; ignore this). The figure you are looking for is 'Total size (including subfolders)' and it will be expressed in KB. You can then compare your usage with the current limit of 250,000 KB.

How IT will manage this system

Each user will be restricted to the 250,000 KB limit. IT will apply settings that will not allow any more email activity once that limit has been reached.
Shortly before the limit is reached the system will automatically send you a message advising that you are approaching the limit. If the user fails to take appropriate action and the limit is reached, no emails will be sent or received. Incoming emails won't be lost; they will simply not be able to be downloaded and accessed. As soon as capacity is released through housekeeping the 'blocked' emails will become available.

When will we commence this system?

The limits will be applied from 1 October. This gives those users currently over the 250,000 KB limit a month (September) in which to reduce their usage. Does this approach sound draconian? Maybe, but consider the alternative of not having an email service and it begins to make sense.

Appendix P. IQA Form for new staff members

A New Staff Member: What to do?

When you have a new member of staff you will most likely require a computer to be prepared and the telephone to be working. To get this done you will need to inform the IT department and give a minimum of two weeks' notice. The IT department will need to know a couple of things:

Personal Details
First name: Joe
Surname: Bloggs
Title: Mr.
Starting Date: 28/10/2005
Temp worker:
Leaving Date:
Organisation: IQA
Department: Facilities
Supervisor/Manager: XYZ
Replaced Person:

Workplace information
Computer number:

Programs Required (for each program: Training?, Installed/Checked; IT Department only: Person in charge, Date, Comment)
• Accounting Office
• Acrobat Reader
• Acrobat Writer
• Albacs
• Adobe Illustrator
• Photoshop
• Crystal Reports
• Dynamics
• FRX
• Integra
• Internet Access
• Lloyds Link
• Contribute 3
• MS Office
• MS Visio
• Quark
• WinZip
• WS_FTP

Security Group (1): Other than own department? Has the Manager of the other department been notified? YES / NO
Email Group (1): Other than own department? Has the Manager of the other department been notified? YES / NO

Other important information:

Supervisor Details
First name: Joe
Surname: Bloggs
Extension number: 299
Supervisor's substitute:
Organisation: IQA
Department: Facilities
Fill out date: 28/10/2005

Note: Please send an email to the person in charge in the IT Department and attach this document. Furthermore, please make sure that you mention the name of the new person in the email. Please keep in mind that although your IT department always wishes to come to your aid, sometimes it can be so busy that if you notify them too late they are simply unable to accommodate you in time.

(1) The manager also has to notify the IT Department, e.g. via email.

IT Department only!

To-Do's in the department

Program              | Action                            | Done | Comment
Active Directory     | Create user and an email address  |      |
Active Directory     | Check user's role                 |      |
Active Directory     | Check profile and home directory  |      |
Active Directory     | Add email to distribution groups  |      |
Integra              | Add user to Integra database(s)   |      |
Integra              | Check mail merge / copy folder    |      |
Telephone System     | Add / replace user                |      |
Telephone System     | Configure telephone system        |      |
IT Management System | Apply changes to inventory        |      |
IT Management System | Add user                          |      |

To-Do's at local PC
• General settings
• ODBC settings
• Integra
• East Asian Language Packs
• Standard Applications
• Sophos
• Telephone Manager

Checked by 2nd IT person: Name …………… Date ……………

Appendix Q. IQA Staff IT test form

IT assessment test

It will take about 30 to 45 minutes to finish the test.
Please read and follow the instructions accurately! The brackets () are used to indicate a variable text, so (your name) means we want you to type something like: Joe Bloggs and not (Joe Bloggs). Dates are always written as in 2005-09-26. Good luck!

1) Which program is associated with the ".doc" file extension?
……………………………………………………………………………………………

Search for the folder IT Test on the S-drive using Windows Explorer. There you will find more documents that you may need.

2) Create a new folder in your H-drive and name it 'IT Test (your name)'. Copy all the files of the IT Test folder to that folder.

3) Open the '2004-08-24 - Word Example.doc' file and follow these instructions:
a) Change the heading to underlined, bold
b) Add your name and address underneath the headline
c) Change the alignment of the address to the right side, the font to "Courier New" and the style to Italic
d) Create a header and footer for the document, including the page number
Save the document in your folder (H-drive) with a different name: (today's date) - (your name) - word test.doc

4) Open Microsoft Office PowerPoint with a blank sheet and insert a clipart of a computer. Save the document to your folder, name it (today's date) - (your name) - power point test.ppt, close the PowerPoint application and go to the directory you created in question 2, using Windows Explorer.

5) Create a shortcut on the desktop to the folder you created in question 2.

6) Make a screenshot of your desktop, insert it in the Microsoft Office Word document created in question 3 and save.

7) Let's assume an application is hanging for some reason. Would you open the Task Manager? Please state the reason for your decision.
……………………………………………………………………………………………

8) To edit a PDF file you will use:
a) Adobe Reader
b) Microsoft Notepad
c) Adobe Acrobat Professional
d) none of the above

9) During your annual vacation someone has changed the screen resolution of your computer. It's impossible to work with the new setting and you have to select another resolution. How would you achieve this?
……………………………………………………………………………………………

10) Open the file '2004-08-24 - Excel Example.xls' and do the requested calculations.

11) Save the Excel Example in your folder as: (today's date) - (your name) - excel test.xls

12) Windows XP has the capability to compress folders and files into ZIP archives. Create a ZIP file of your IT Test folder. Your folder should contain these documents:
• the Word document from question 3,
• the PowerPoint presentation from question 4,
• the Excel spreadsheet from question 11.
Name the file: 'IT Test (your name).zip'

13) Open Microsoft Office Outlook 2003, create a new email to ITHelpdesk@iqa.org (add yourself as CC as well) and attach the following document:
• the ZIP file from question 12
If you don't have the ZIP archive then attach the 3 documents listed in question 12. Call the email 'IT Test from (your name)'. (Please do not send it yet.)

14) Have a look at the printers you are connected to and name the default printer. Make a note of all your printers and indicate the default printer in your email message.

15) Send the email.

WELL DONE!

Appendix R. Server Room Access policy

Server Room Access

Server room access must be strictly controlled to prevent any form of disaster (or possible theft of equipment). If at any point a form of disaster takes place in the server room it must be possible to track down who last accessed the room.

Possible disasters

Many things can go wrong due to user interference. A short list with examples:
• Unplugging server(s) from the network.
• Unplugging server(s) from the power supply.
• Modifying the switches and patches.
• Spilling a fluid on the server(s), causing a form of damage such as a short circuit.
• Trying to use the system console, resulting in data loss, misconfiguration and worse.
• Adjusting the air-conditioning system. This could result in overheating of equipment.
• Removing hardware and/or software. This would be theft, but when applied to servers also results in data loss and downtime.

Prevention of disaster

The servers are in a secured server room. To enter the room a key code is required. The door of the server room always closes shut and to re-enter the key code must be used again. IT Staff will make sure that the server room door is locked upon leaving the office at any time. Non-IT staff are required to sign in and out, regardless of the time spent in the server room. On the left hand side of the door is a log book for this purpose.

Staff in possession of the key code (authorised staff)
• Hidden for security reasons

Rules for unauthorised personnel

All personnel that need access to the server room, i.e. third party maintenance personnel, must be supervised at all times. The authorised staff member that provides access for unauthorised personnel will be fully responsible for their actions.

Server cabinets

For extra security the operating hardware is stored in so-called 'server cabinets'. These must remain locked at all times and should only be opened by IT Staff.

The keys

The keys for all cabinets and server cases are stored in the key cabinet.
The key to the key cabinet is stored in the IT office. The location is known to all IT Staff, but will J.R. Beltman – IT Manager Institute of Quality Assurance R1 Appendix R – Server Room Access policy not be disclosed in this document since this document is available to all staff (readonly). The keys in the key cabinet are clearly marked so there can be no confusion on where they fit. J.R. Beltman – IT Manager Institute of Quality Assurance R2 Appendix S – Communications policy Appendix S. Communications Policy COMMUNICATIONS AND COMPUTER USE POLICY The Institute reserves the right to review and revise this Policy to comply with any future statutory or legal requirements or otherwise. The Institute requires you to read the following carefully. You should seek clarification from the Personnel Manager if there is any part you do not understand. This Policy should be read in conjunction with the other Institute policies, and specifically in conjunction with the Data Protection Policy and with the Disciplinary Policy and Procedures. It applies to everyone who uses and has access to IQA information technology and communications. 1 INTRODUCTION 1.1 At the Institute (the ‘Institute’), communication plays an essential role in the conduct of our business. We value your ability to communicate with colleagues, customers and business contacts. The Institute invests substantially in information technology and communications systems which enable you to work more efficiently and effectively and it trusts you to use them responsibly. 1.2 How you communicate with people not only reflects on you as an individual, but on the Institute as an organisation. Therefore although we will respect your personal autonomy and privacy, we have established this Communications Policy (the ‘Policy’) which lets you know what we expect from you and what you can expect from us in your use of email, the internet and other means of communication such as correspondence, fax, fixed line or mobile phones. 
1.3 This Policy applies to you as an Institute employee, contractor or volunteer, whatever your position: whether permanent, temporary or voluntary. For the purposes of this Policy, all references to ‘employees’ shall include contractors and agents. It also applies to members who have access to the systems of the Institute.

1.4 Any inappropriate use of the Institute’s communications systems, whether under this Policy or otherwise, may lead to disciplinary action being taken against you under the Institute's disciplinary procedures, which may include summary dismissal.

1.5 It is important that you read this Policy carefully. If there is anything that you do not understand, please discuss it with your line manager. Once you have read and understood this Policy thoroughly, you must sign the original copy of the Policy, then return it to the Personnel Manager and retain a copy for your own reference.

1.6 For the purposes of this Policy all references to “third party” apply to you as an Institute employee, contractor or volunteer, whatever your position: whether temporary, permanent or voluntary. It also applies to members who have access to the systems of the Institute.

2 THE INSTITUTE’S POLICY STATEMENT

2.1 We trust you to use the information technology and communications facilities we provide to you sensibly, professionally, lawfully, consistently with your duties, with respect for your colleagues and in accordance with this Policy and the Institute’s rules and procedures.

3 GENERAL PRINCIPLES

3.1 All information relating to our members and business operations is confidential. You must treat the Institute’s paper-based and electronic information with utmost care.

3.2 Care must be taken when using email as a means of communication as all expressions of fact, intention and opinion via email may bind you and/or the Institute and can be produced in court in the same way as oral or written statements.

3.3 We trust you to use the internet sensibly. Bear in mind at all times that when visiting an internet site your IP address may be logged. Therefore any activity you engage in may affect the Institute.

3.4 The advantage of the internet and email is that it is an extremely easy and informal way of accessing and disseminating information. However, the same principles apply to information exchanged in this way as apply under the terms of your employment contract to any other means of communication. For example, sending defamatory, sexist or racist jokes or other material by email or any other form of communication is grounds for an action for defamation, harassment or incitement to racial hatred in the same way as making defamatory, sexist or racist comments verbally to a colleague.

3.5 Therefore, do not use the internet and email for purposes which would be subject to disciplinary or legal action in any other context. If you are in doubt about a course of action, take advice from your line manager.

3.6 As an employee, contractor, or member of the Institute you should exercise due care when collecting, processing or disclosing any personal data and only process personal data on behalf of the Institute where it is necessary for your duties.

3.7 Although email and internet access are intended to be used for business purposes, we appreciate that you may occasionally want to use the system and/or the facilities for your own purposes and we expect you to use them responsibly.

3.8 However, retrieval, downloading and storage of any material, for example music, video clips or any other media, for purposes not directly related to your work activities on any storage device, for example a memory stick, the C drive or your home directory (currently the H drive), are not permitted for reasons of network storage and possible legal infringements of copyright and royalties.

3.9 Generally, all aspects of communication are protected by intellectual property rights which may be infringed by copying. Downloading, copying, possessing and distributing material from the internet may be an infringement of copyright or other intellectual property rights. Therefore, any such activity should only be undertaken where you are satisfied that no such breach will arise, for example, where the internet site clearly states that permission to download is granted. You should only use the material in accordance with any purposes which are specified on the site.

4 MONITORING COMMUNICATIONS

4.1 This Policy is intended to take into account legislation which aims to ensure a minimum level of personal privacy for employees in their employment, for contractors in their work and for members in their role. Therefore the Institute is taking this opportunity to draw a distinction between personal and private communications.

4.2 We will not monitor personal communications except for traffic and billing data at a network level. We will not look at the content of personal communications. However, if the IQA discovers any evidence that this Policy is being abused, the Institute reserves the right to withdraw from individual employees or groups of employees the facility to send and receive personal communications by particular methods. For example, abuse of the internet or email system may result in the withdrawal of the right to use either for personal use and may lead to disciplinary action being taken against you under the Institute's disciplinary procedures, which may include summary dismissal.

4.3 As the Institute will not intercept personal communications, the Institute cannot exercise the rights and obligations of a data controller under the Data Protection Act 1998 in relation to your personal communications. As an Institute employee, contractor or member, you must not use our communications systems for private business purposes; for example, renting out holiday cottages is a private business purpose and as such is not permitted.

4.4 The Institute will respect your privacy and autonomy in your business communications. However, in certain circumstances it may sometimes be necessary to access and record your business communications for the Institute’s business purposes, which include the following:
a. providing evidence of business transactions;
b. making sure the Institute’s business procedures are adhered to;
c. training and monitoring standards of service;
d. preventing or detecting unauthorised use of the Institute’s communications systems or criminal activities; and
e. maintaining the effective operation of the Institute’s communication systems.

THE INSTITUTE’S PROCEDURES

5 USE OF ELECTRONIC MAIL

5.1 You should expressly agree with the recipient of your intended email that the use of email is an acceptable form of communication, bearing in mind that if the material is confidential, privileged, price sensitive or commercially sensitive, unencrypted email is not secure and should not be sent in this way.

5.2 Some intended recipients may have rigorous email gateway protocols; if this is the case, consider whether this means of communication is appropriate.
5.3 If you wish to encrypt your message, please consult your line manager or IT support.

5.4 A copy of our currently approved email designation notice for business emails is attached to all IQA internal and external e-mails and in no circumstances must it be altered.

5.5 Activate the recipient read receipt mechanism.

5.6 Do not impersonate any other person when using email or amend any messages received unless you are specifically authorised to do so. The IT department will advise on alternative methods of access.

5.7 It is good practice to re-read emails before sending them as emails cannot be retrieved once they have been sent.

6 USE OF INTERNET, INTRANET and EXTRANET

6.1 When entering an internet site, always read and comply with the terms and conditions governing its use.

6.2 Do not download, retrieve or store any images, music, video clips, text or material which are copyright protected other than for private study.

6.3 If you are involved in creating, amending or deleting our web pages or content on our websites, including any intranet or extranet site, such work should be consistent with your responsibilities and be in our best interests. Always ensure that the proper vetting procedures have been complied with and the information is accurate and up to date.

6.4 You are expressly prohibited from:
a. introducing packet-sniffing or password detecting software;
b. seeking to gain access to restricted areas of the network;
c. knowingly seeking to access data which you know, or ought to know, to be confidential;
d. introducing any form of computer viruses;
e. carrying out other hacking activities; and
f. retrieving, downloading or storing any material such as music, video clips, images etc. not directly related to your work activities.

6.5 For your information, the following activities are criminal offences under the Computer Misuse Act 1990:
a. unauthorised access to computer material (i.e. hacking);
b. unauthorised modification of computer material; and
c. unauthorised access with intent to commit and/or facilitate the commission of further offences.

7 PERSONAL USE

7.1 Please ensure that your personal email and internet use:
a. does not interfere with the performance of your duties;
b. does not take priority over your work responsibilities;
c. does not incur unwarranted expense on the Institute;
d. does not have, is not intended to and could not be interpreted to have a negative impact on the Institute in any way; and
e. is lawful and complies with this Policy.

7.2 You should be aware that the IQA cannot guarantee that any personal information, for example credit card details given over the internet, by e-mail, by any other form of communication or stored on the network (for example the H drive), is secure from hacking or from any other fraudulent methods.

8 SYSTEM SECURITY

8.1 Do not use the system in any way which may damage, overload or affect the performance of the system or the internal or external network.

8.2 Keep all confidential information secure, use it only for the purposes for which that information has been provided and do not disclose it to any unauthorised third party.

8.3 Keep your system passwords safe. Do not disclose them to anyone. It is advisable to change your passwords from time to time for security purposes.

8.4 If you reveal your system password to a third party you will be held personally liable if it is used maliciously or with fraudulent intent, and this may lead to disciplinary action being taken against you under the Institute's disciplinary procedures, which may include summary dismissal.

8.5 If you wish another member of staff to have access to your e-mail or your personal directory (currently the H drive), please do not do so by revealing your system password. The IT department can arrange access by alternative methods.

8.6 If a document is highly commercially confidential or sensitive in nature, you should store it in a private directory or an equivalent password protected directory. When deleting such documents, ensure that you empty your wastebasket as well. Bear in mind that documents in general directories can be accessed by all employees who have general access.

8.7 Copies of confidential information should only be printed out as necessary, retrieved from the printer immediately and stored or destroyed in an appropriate manner.

8.8 Make sure you virus check all material which is downloaded from the internet or received from any external source (e.g. as email attachments).

8.9 You must first obtain explicit permission from the IT department before loading any executable or program files which you intend to install onto the system from a CD or floppy disk (i.e. using your ‘A-drive’) or any other source.

9 WORKING REMOTELY

9.1 This Policy and the procedures in it apply to your use of the Institute’s systems and to your use of our laptops and your own computer equipment when you are working on the Institute’s business away from the Institute’s premises (i.e. working remotely).

9.2 When you are working remotely you must:
a. password protect any work which relates to the Institute’s business so that no other person can access your work, and keep the password secret;
b. position yourself so that your work cannot be overlooked by any other person;
c. take reasonable precautions to safeguard the security of our laptop computers,
d. any computer equipment on which you do the Institute’s business and your passwords;
e. apply an appropriate level of security to any personal data which comes into your knowledge, possession or control through your employment with the Institute so that the personal data are protected from theft, loss, destruction or damage and unauthorised access and use;
f. inform the police and the Institute’s IT department as soon as possible if a laptop in your possession or any computer equipment on which you do the Institute’s work has been stolen;
g. ensure that any work which you do remotely is saved on the Institute’s system or transferred to the Institute’s system as soon as reasonably practicable; and
h. not retrieve, download or store any material such as music, video clips, images etc. on IQA computer equipment.

10 DATA PROTECTION

10.1 Through your employment with, work for or membership of the Institute, personal data will come into your knowledge, possession or control. In relation to such personal data (excluding personal data contained in personal communications), whether you are working or attending at the Institute’s premises or working or contributing remotely, you must:
a. keep them secret and confidential and not disclose them to any other person unless authorised to do so by the Institute. If in doubt ask your line manager;
b. familiarise yourself with the Institute’s data protection policy;
c. process personal data strictly in accordance with the Data Protection Act 1998, the Institute’s data protection policy and other policies and procedures issued by the Institute; and
d. not make personal or other inappropriate remarks about members or colleagues on manual files or computer records, since the subject of such remarks has a right to see information the Institute holds on that individual.

10.2 The Institute views any breach of the Data Protection Act 1998 and our data protection policy as gross misconduct which may lead to summary dismissal under our disciplinary procedures.

10.3 If you make or encourage another person to make an unauthorised disclosure knowingly or recklessly you may be held criminally liable.
10.4 The Institute will provide data protection training which you must undertake if requested to do so.

I have read through and fully understand the terms of the Policy. I also understand that the Institute may amend this Policy from time to time and that I will be issued with an amended copy.

Name in full: …………………………………..
Signed: ………………………………………
Date: ……………………………………….

Appendix T. Overview of implementation of BS7799 at IQA

Appendix T provides an overview of the work that was done at the IQA in order to implement BS7799. Below is a list of 28 policies / procedures / workflows that were created or revised during the implementation of BS7799.

• Agreement on network access and data ownership
• Assets and their risk level document
• Asset owner history is now recorded in the IT Management system
• Backup schedule and procedures
• Communications and computer use policy, including regulation on internet use, use of the local area network and email
• Control of portable assets such as laptops and memory sticks
• Escort of visitors and contractors
• Forms for new staff stating their IT requirements, including IT security requirements
• Forms for staff leaving, ensuring that user accounts could not be used by the leaving staff member after their last day of work at the IQA
• Housekeeping policy and procedure for email (due to the space required for repairing email databases)
• Installation and improved control of Sophos Anti Virus software
• IT Test (a test used to screen IT knowledge of new and current staff)
• Licensing control using the IT Management system in combination with Active Directory, which in turn is used to assign and distribute software applications to computers
• Logging of security incidents in the IQA IT Management system
• New and more manageable way of asset registration
• New group policies for staff working remotely, for example staff in Japan (teleworking)
• New policy on desktop use by visitors and trainers
• Password policy change (adhering to Microsoft password policies)
• Risk assessment document
• Risk treatment plan
• Schedules for backup restore testing
• Scope statement
• Secure internet connection for remote workers (teleworking)
• Security policy
• Server room access policy
• Statement of applicability (be aware that this is 15 pages and takes over 3 days to write)
• The front door to the basement is now locked after use by the cleaners
• Warranty and financial information is now linked directly to assets in the IT Management system

A total of at least 40 policies / procedures / workflows were written or revised during implementation of BS7799. The policies are mostly group policies applied in Active Directory, part of the Microsoft Windows Server 2003 operating system. These are not common documents that can be read with a word processor. Examples are the restrictions on user accounts for teleworkers, trainers and visitors.

At the IQA, from the IT perspective alone, we cover over 400 assets. These include over 15 asset groups such as desktops, laptops, servers, backup USB devices, monitors, USB sticks, telecoms equipment, licenses, warranty agreements, contracts etc. The BS7799 ISMS influences about 60 staff spread over 14 departments. It took over three months to implement BS7799, with still many extra policies, procedures and workflows to be implemented. For this project two IT staff members followed a BS7799 Lead Auditor course and three staff members followed BS7799 workshops.
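The leaver control listed above (accounts that cannot be used after the last day of work) is, as the overview says, implemented as Active Directory settings rather than as a document. The following PowerShell is an added example and is not the dissertation's or the IQA's own script; it assumes the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and later and so post-dates the Server 2003 environment described here. It sets an account expiry for the recorded last working day, and adds the check a practitioner would want afterwards: a report of accounts whose expiry has passed but which are still enabled or still hold group memberships, which indicates an incomplete leaver process. The account name, OU path, group names and ticket reference are constructed placeholders.

```powershell
# Added example (not from the dissertation): leaver account control in Active Directory.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2 and later).
# All identities, OU paths and ticket references below are constructed placeholders.
Import-Module ActiveDirectory

function Set-LeaverAccountExpiry {
    # Sets the account to expire after the leaver's last working day, as recorded on the
    # leaver form, and notes the reason in the 'info' (Notes) attribute for audit purposes.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [datetime] $LastWorkingDay,
        [string] $TicketReference = 'LEAVER-FORM-PLACEHOLDER'
    )
    # Expiry is a point in time: the start of the day after the last working day means the
    # account still works on the last day itself but not afterwards.
    $expiry = $LastWorkingDay.Date.AddDays(1)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $expiry
    Set-ADUser -Identity $SamAccountName -Replace @{ info = "Leaver: expires $expiry ($TicketReference)" }
    Write-Verbose "Account $SamAccountName set to expire at $expiry"
}

function Get-ExpiredButActiveAccounts {
    # Audit check: accounts whose expiry date has passed but which are still enabled, or which
    # still belong to groups. Expiry blocks logon, but an enabled account with group
    # memberships is a sign the leaver process was never completed.
    [CmdletBinding()]
    param([string] $SearchBase)
    $params = @{ AccountExpired = $true; UsersOnly = $true }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Search-ADAccount @params | ForEach-Object {
        $user   = Get-ADUser -Identity $_.SamAccountName -Properties AccountExpirationDate, MemberOf
        $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
        $finding = 'OK'
        if ($user.Enabled)          { $finding = 'Still enabled' }
        elseif ($groups.Count -gt 0) { $finding = 'Still in groups' }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Enabled        = $user.Enabled
            ExpiredOn      = $user.AccountExpirationDate
            Groups         = ($groups -join ', ')
            Finding        = $finding
        }
    } | Where-Object { $_.Finding -ne 'OK' }
}

function Complete-LeaverAccount {
    # Closes out an expired account: disables it and removes group memberships (the primary
    # group, Domain Users, is not in MemberOf and stays). Run with -WhatIf first to review.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account')) {
        Disable-ADAccount -Identity $user
    }
    foreach ($groupDn in $user.MemberOf) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Remove from $groupDn")) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
    }
}

# Usage with placeholder values. On receipt of the leaver form:
#   Set-LeaverAccountExpiry -SamAccountName 'jdoe' -LastWorkingDay '2005-09-30' -TicketReference 'LEAVER-0001'
# As a periodic audit, then closing out anything the audit reports:
#   Get-ExpiredButActiveAccounts -SearchBase 'OU=Staff,DC=iqa,DC=example' | Format-Table
#   Complete-LeaverAccount -SamAccountName 'jdoe' -WhatIf
```

The two-stage design (expire first, disable and strip groups afterwards) mirrors the form-driven process in the list: the expiry date can be set as soon as the leaver form is received, while the audit function catches accounts for which the second step was forgotten.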