ISO17799 Newsletter - Issue 2

Welcome to the second edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to 17799 and related information security issues. The newsletter comprises a combination of inclusive articles and the identification of useful and topical sources on the web.

This edition covers:

BSI OFFFER DISCOUNTED STANDARD

BSI have bundled both parts of the standard (see below) at a special discounted rate. The bundled Part 1 (which is now ISO17799) and Part 2 (BS7799-2:1999) can be obtained online from the BSI Electronic Shop (see left panel)

COMPUTER SECURITY BEGINS AT HOME
Whilst everyone is aware of the importance of good information security measures in the office, these are often overlooked when an employee works from home, whether on a permanent or occasional basis. Dangers range from inadequate virus protection on a laptop or home computer, to the risk of confidential data being exposed to unauthorized users, or even a breach of the company's computer network if accessed remotely.

To counter these risks, there are a number of security measures which should be taken when working from home or off-site. For example:

- Treat company property and/or data as you would in the office, according to company information security procedures
- Do not allow a laptop issued for business purposes to be used by family or friends
- Ensure that laptops are kept secure at all times, and protect access with a strong authentication mechanism
- Do not use the same computer for both business and personal use; or, where this is not possible, store company data on a separate disk with secure access and protection
- Valid licenses must be obtained for any software used at home to avoid a breach of Software Licensing laws
- Ensure that adequate virus protection software is installed on any computers used at home
- Specifically protect all sensitive business documents stored on laptops or home computers
- When connecting remotely to an office network, consider the use of a dial-back facility for added security, and always investigate the reason for failed access (your username may already be in use by an unauthorized person)

This guidance is brought to you courtesy of the RUSecure Interactive Security Manual

HOW THE STANDARD FITS TOGETHER
The standard effectively comprises of two parts:
a) Part 1: ISO/IEC 17799:2000 - this is the set of security controls... the measures and safeguards for potential implementation. It is the main body of the standard itself.
b) Part 2: BS7799-2:1999 - this a standard 'specification' for an Information Security Management System (an ISMS). It is the means managers use to measure, monitor and control their security from a top down perspective. It essentially explains how to apply ISO17799 and it is this part that can currently be certified against.

Part 2 defines a six part process, broadly as follows:

Define a security policy
Define the scope of the ISMS
Undertake a risk assessment
Manage the risk
Select control objectives and controls to be implemented
Prepare a statement of applicability.

This perhaps indicates to a degree why web sites and this newsletter focus so heavily upon risk analysis and security policies - they are absolutely central to ISO17799.

SECURITY POLICIES: Policies are of course 'the bottom line' - the rules which define the baseline requirements for your organization. It is therefore critical that they are top quality (see www.information-security-policies-and-standards.com for more information on security policies).

RISK ANALYSIS: You do not have to implement every control covered by ISO17799 - only those that are applicable and appropriate.. the latter largely being determined via risk analysis.

MAJORITY OF CYBER CRIMES NOT REPORTED

A survey of the leading companies in 12 countries, undertaken by accounting firm KPMG, concluded that almost 10% had experienced a cyber-security breach during the past twelve months, but that the majority of these companies did not take any legal action against the offenders. A representative of KPMG was quoted as saying: "What we see in the cases that are reported to us is that companies are far more concerned in recovery of assets and keeping their names out of the newspapers than they would be about prosecutions. If they report their losses to regulators or law enforcers, then the focus of any investigation generally becomes the prosecution of offenders." He also added: "The majority of frauds are committed by people inside the company. If someone has broad knowledge, they are more capable of bypassing any procedures they might have." (From an article published on www.zdnetasia.com)

An Information Security incident must be reported to outside authorities whenever this is a requirement for compliance with legal requirements or regulations. By not reporting such an incident where it is legally required that you do so, your organization may be unwittingly aiding or abetting an offence. If you believe a crime has been committed, the following actions are strongly recommended:

- Contact the relevant regulatory body and / or law enforcement agency, as appropriate
- You may wish to take legal advice about the severity of the offence
- Gather evidence to prove malicious intent, especially if the suspects are members of staff; but consider carefully the validity of such evidence before reporting it to a third party
- Consider how best to support the investigative process with the minimum breach to your Information Security. You may wish to use a specialist Information Security organization if you lack in-house expertise.

ISO17799 RESOURCES
The first edition of ISO17799 News prompted a number of questions related to resources to help achieve compliance or certification. The following have therefore been identified as leading players for the various topics:

SECURITY POLICIES (ISO17799 Section 3)
The quality of security policies is of fundamental importance, as is their scope and relationship with ISO17799. The RUsecure Information Security Policies are one of several sets of 'off the shelf' policies that can be obtained commercially.

However, they are distinctive not only because of their quality, but because they fully embrace ISO17799. In fact, they optionally cross reference the standard, creating assurance for anyone who seriously wishes to demonstrate compliance.

The policy set is shipped in MS-Word format, enabling full editing to meet individual corporate demands. More information on these policies can be obtained from: RUsecure Information Security Policies

RISK ANALYSIS (ISO17799 - throughout!)
There is little doubt about the most ISO17799 aligned, and indeed, the most well known risk analysis product - COBRA. COBRA provides a fully comprehensive risk analysis capability ("risk analysis made easy") as well as providing a front line ISO17799 compliance management function.

Information on risk analysis itself, and COBRA in particular, can be obtained from www.riskworld.net

DISASTER RECOVERY PLANNING (ISO17799 Section 11)
Disaster recovery planning (or business continuity planning) is sometimes not fully embraced because it is seen as difficult or resource intensive. However, the recent trend is towards simplicity - to enable continuity planning to be grasped and implemented readily and easily.

The leading player in this trend is the BCP-Generator. This comprises of two components: a template for a plan and an interactive guide to help you populate it. Both are MS-Word driven, enabling full control and flexibility. If you already have a plan, and perhaps wish to audit it or audit your contingency arrangements, The Disaster Recovery Toolkit is of similar ilk.

Both these products are described at: The Disaster Recovery Shop

DOWNLOADING INFORMATION FROM THE INTERNET
There is a wealth of information available today on the Internet, and the powerful search engines at our disposal enable us to access numerous web sites extremely quickly. The fact that this information is so readily available in the familiar environment of home or office often lulls us into a false sense of security when it comes to downloading files or data. Before doing so, we should consider the risks involved, such as a potentially destructive virus or other malicious code infecting our system, or the risk of system overload and subsequent failure.

The following guidelines are recommended when downloading information from the Internet:

- Ensure that you are in compliance with your company's Information Security Policy before downloading any information
- Always choose the option to "Save this program to disk", saving it to a temporary folder away from your main network; then run an up-to-date virus and malicious code scan; if clean, re-file in the desired location on your system.
- Be particularly careful with shareware or freeware programs - these are particularly suited to introducing "Trojan horses" and other malicious code to your computer system.
- Do not introduce software via the "back door" of the Internet. Only acquire and install software according to an agreed company procedure.
- Be aware that information on the Internet may not be reliable, and may have even been released with intent to cause damage or to defraud; try to validate the source of any information you wish to use, and check its date - information on the Internet can be several years old and still claim to be "new".
- Be aware of the risk of overloading your computer system and its subsequent failure by downloading too many large files... this is easier to do than is sometimes realised.

ISO17799 POSITIONING OR CERTIFICATION?
This is still the most agonized question for organizations approaching ISO17799. It is a very individual question for each - how far to go along the ISO17799 path. For some, nothing less than full certification will do, due to a variety of possible reasons. For many, however, a positioning brief is adequate.... reaching a position of compliance and then monitoring the market and industry carefully.

For most, the correct posture will be self evident. However, for those unsure of how far to proceed, the online presentation at: The ISO1 7799 Directory may be helpful. This presents ISO17799 in the context of past, present and possible future.

+-----------------------------------------------------+
SPONSORS:
If you are interested in sponsoring this newsletter
please contact us at the email address below
+-----------------------------------------------------+

LESS THAN 1% OF WEB USERS REJECT COOKIES
The results of a recent survey of one billion pages from high-volume Web sites concluded that cookies were rejected only 0.68% of the time. Chief Privacy Officer at WebSideStory, the U.S. company which carried out the survey, said: "Although some Web surfers may not know how to disable cookies in their browsers, such a minute percentage indicates that cookies are simply not a big concern among most Internet users". However, the use of cookies has also raised concerns over consumer privacy. For example, a recent lawsuit against the Internet advertising company DoubleClick accused the company of illegal "cookie-frenzy". Also, Amazon has admitted to using cookies to determine product pricing, and may give first time visitors to their Web site (or those who disable their cookies) larger discounts than regular visitors. (From an article published on www.theregister.co.uk)

What is a Cookie?
For the unaware, a cookie is a small text file placed on a user's computer by a Web site which can log information about the user and the number of visits they make to the site. Web site owners claim that cookies are beneficial to the user, allowing faster access and 'personalization' of the site for that user. However, the use of cookies also raises a number of security issues.

The following guidelines are appropriate:
- You should be aware that confidential data may be stored by means of a cookie saved on your PC and accessed by a Web site whilst you are browsing - most likely without your knowledge.
- To turn off automatic cookies, select the security function from your browser toolbar and set "receive cookies" to "off".
- Alternatively, cookies may be monitored by the use of cookie management software.
- Ensure that you disable cookies from sites which might potentially share your details with third parties.
- Where possible, avoid entering confidential data on Web sites or other Internet resources.

MORE FOCUS ON BCP (ISO17799 Section 11) FOLLOWING SEPT 11
"To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters" - ISO17799 SECTION 11 OBJECTIVE "A business continuity management process should be implemented to reduce the disruption caused by disaster and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls." - ISO17799

The tragic events of the 11 September have resulted in a reappraisal of disaster recovery arrangements by many companies. Firms who supply products which assist with contingency planning and crisis management are reporting a significant increase in numbers seeking advice and guidance.

Terence Hewett, of Glendale Systems, developers of the BCP Generator product, comments, "Companies are recognizing that they need to give greater importance and urgency to preparing for unexpected events that can affect their ability to stay in business. If your disaster recovery plan is in place then you have a reasonable chance of staying afloat if disaster strikes your business. This is obviously in your shareholders', your customers' and your employees' best interests."

For information on the BCP Generator see: The Business Continuity Plan Generator