Information Security

Information is an asset which, like other important business assets, has value to each organisation and therefore requires suitable protection. Information can take many forms: hand-written or printed on paper, stored electronically, transmitted by email, fax or post, or shown in corporate videos. Whatever form the information takes, and whatever means are used to share or store it, it should always be appropriately protected.

This is the very foundation of BS ISO 17799:2005; it defines information security as:

  • Confidentiality: ensuring that information is accessible only to those authorised to have access
  • Integrity: safeguarding the accuracy and completeness of information and processing methods
  • Availability: ensuring that authorised users have access to information and associated assets when required

Therefore, it is always important to consider the relative significance of each of the above dimensions when implementing an information security system. With this in mind, there are a number of factors contributing to the successful implementation of an information security management system:

  • there is visible commitment and support from senior management
  • the Security Policy is aligned to the business objectives of the organisation
  • the security system is implemented in a manner consistent with the culture of the organisation
  • the organisation has a good understanding of its security requirements and is aware of the associated risks
  • the security concept has been effectively marketed to, and understood by all employees of the organisation – not just managers
  • guidance on the information security policy and standards has been distributed to all employees and contractors
  • all employees and contractors have been appropriately trained
  • key measurements have been identified that will be used to evaluate the effectiveness of the information security management system

Information security protects information from a wide range of threats in order to ensure business continuity, minimise business damage and maximise return on investment. Every organisation will have a differing set of requirements in terms of control and also in the level of confidentiality, integrity and availability.

From a standards perspective there are two main standards:

  • BS ISO 17799:2005 - Code of Practice for Information Security Management:
      • Defines 127 security controls structured under 10 main headings
      • Provided for guidance only
      • Organisations are not assessed against this document
      • Due to become ISO 27002 in 2008
  • BS7799-2:2002 - Specification for Information Security Management Systems:
      • Provides instructions on how to apply BS ISO 17799
      • Organisations are assessed against this document
      • Replaced in Oct/Nov 2005 by ISO 27001:2005

It should be noted that BS7799 is not actually an IT standard. It can, and should, be applied across all parts of the organisation to all forms of information assets, for example, the controlled and timely distribution of marketing collateral or HR hand written notes during a disciplinary process.

As previously indicated there are 127 security controls structured under 10 main headings as follows:

  • Security Policy
  • Organisational Security
  • Asset Classification and Control
  • Personnel Security
  • Physical and Environment Security
  • Communications and Operations Management
  • Access Control
  • System Development and Maintenance
  • Business Continuity Management
  • Compliance

In addition, the standard documents four clauses which it is mandatory to follow:

Clause 4 – Information Security Management System: Specifies that an organisation must develop, implement, maintain and continually improve a documented ISMS appropriate to its business activities and risks

Clause 5 – Management Responsibility: Ensures that there is visible and consistent management commitment to the ISMS

Clause 6 – Management Review of the ISMS: Specifies that there must be regular planned reviews of the ISMS by management to ensure the continual suitability of the ISMS

Clause 7 – ISMS Improvement: There is an expectation that an organisation will continually improve the effectiveness of its ISMS

The standard requires an organisation to define, create and maintain an Information Security Management System (ISMS) appropriate to its business activities and the risks it faces. The purpose of the ISMS is to ensure information security matters are addressed in a structured manner and covers:

  • Organisational structure
  • Information security policies
  • Planning
  • Roles and Responsibilities
  • Processes, Practices & Procedures

The ISMS is the means by which the senior management in an organisation monitor and control the security of their information assets, minimising the residual business risk and ensuring that the security function continues to fulfil corporate, client and legal requirements.

The standard defines a six-step process as the route-map to achieving BS7799-2 compliance:

[Figure: the six-step route-map to BS7799-2 compliance]

The key steps are defining the Information Security Policy and the creation of the Statement of Applicability.

The policy document defines the organisational expectations for information security and makes these expectations visible to the entire organisation. In general, senior management is responsible for establishing and communicating guiding principles, direction, and expectations for the organisation.

The Statement of Applicability describes the controls and control objectives that are relevant and applicable to the organisation's ISMS, based on the outcome of the risk assessment. It is equally important to state which controls are not relevant and to provide a justification for excluding them.

In conclusion, it is important to ensure that all the information assets of your organisation are appropriately secured. The adoption of appropriate best practice and the visible commitment of senior management will go a long way towards ensuring that your information security efforts are effective.
