RE: 7799?

From: David Brown (davidbrown_at_coal.gov.uk)
Date: 11/04/03

    To: 'jm' <jm@mindless.com>, security-basics@securityfocus.com
    Date: Tue, 4 Nov 2003 17:25:07 -0000

    You'll probably find that the bulk of the work involves defining the
    business processes behind the organisation. Policy writing, risk analysis,
    change management etc. will be the bulk of the work, and that stays pretty
    much the same for all organisations regardless of size. Bear in mind that
    even if you think that large chunks of the standard don't necessarily apply
    to your organisation, you have to justify that decision as part of the
    accreditation process.

    BS7799 isn't just about IT security measures, it's about how you manage,
    maintain and develop your information environment as a whole. Just
    identifying your risks and control objectives will be a major piece of work
    before you even start to define your actual controls and document them. As
    an example, our control framework document - listing all our areas of risk,
    the associated control objectives and the outline controls for each one (i.e.
    "We need a policy for this and we need to maintain it correctly.") runs to
    40 pages. We aren't a large organisation either, < 200 employees.

    The best approach is to work through the ISO documentation, starting with
    the "Guide on selection of BS7799 controls", and use that as your template to
    identify areas of risk where you may need to define a control objective. A
    lot of risks are predefined, but you'll still have to think through your
    business processes to make sure you identify any that are unique to you.

    Use the "Guide to BS 7799 Risk Assessment and Risk Management" to
    develop your risk assessment framework and run it against the risks you
    found in the first stage. Where your risk assessment indicates they are
    needed, define your control objectives and then develop your controls. It's
    probably overkill for a really small organisation, but you might want to take
    a look at COBIT as well, Control Objectives for Information Technology.

    Finally, you really will need buy-in from senior management or its
    equivalent to do this, since it will almost certainly mean changes to the
    way the organisation works and manages its information. Many of those
    changes will be far more proscriptive than they are used to, especially in
    a small outfit.

    Once you've got all that done, you're ready to start thinking about
    accreditation and audit :)

    Dave Brown,

    -----Original Message-----
    From: jm [mailto:jm@mindless.com]
    Sent: Monday, November 03, 2003 11:24 PM
    To: security-basics@securityfocus.com
    Subject: 7799?

    Hi

    I have been asked to look at getting a small organisation up to 7799
    accreditation standards in a short time span.

    They have minimal systems: email, internet access, CRM database, on 2
    servers, and around 10 PCs, so the quantity of work should not be too
    much.

    I realise that an approved external accreditation body has to perform
    the certification process, and I have a fair bit of knowledge of the work
    required, but I am starting from a blank sheet, so I would like to know
    if anyone on the list would have any reference
    templates/checklists/procedures available for sharing.

    I have got the BSI/ISO documents, so they are a good start, but would
    appreciate all the help that can be got.

    Thanks in advance

    JM
