ISO17799 Newsletter - Issue 6

Welcome to this, the sixth edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to the ISO 17799 information security standard.

The information contained is free to our subscribers and provides guidance on a range of practical issues, plus commentary on recent Information Security incidents.

1) Obtaining ISO17799 Itself
2) Information Classification Criteria
3) ISO17799 - a World Wide Phenomena
4) Third Party Cyber Crime Attacks
5) ISO17799 and Software
6) Employee Internet Abuse
7) More Frequently Asked Questions
8) My Favorite Web Sites
9) Continuity Backup and Recovery Strategy (Section 11)
10) More on SLA's (Section 4)
11) Employee Confidentiality Undertakings
12) BSI Certifications
13) It Couldn't Happen Here.... Could It?

OBTAINING ISO 17799
The standard itself is available from:

http://www.27000-toolkit.com
This is the home page for the ISO17799 Toolkit. This package was put together to help those taking the first steps towards addressing ISO17799. It includes both parts of the standard, audit checklists, a roadmap, ISO17799 compliant security policies, and a range of other items..

http://www.iso17799.net
This is the ISO17799/BS7799 Electronic Shop. Essentially it is an online vending site for downloadable copies of the standard.

INFORMATION CLASSIFICATION CRITERIA
An important task for the Information Security Manager (or the person who is assigned these duties) is to establish a system to classify the organization's information with respect to its level of confidentiality/importance.

It is advisable to restrict the number of classification levels in your organization to a manageable number, as having too many makes maintenance and compliance difficult. For those currently without a structure, we suggest a five point system:

- Top Secret: Highly sensitive internal documents. For example: impending mergers or acquisitions; investment strategies; plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.

- Highly Confidential: Information that is considered critical to the organization's on-going operations and could seriously impede them if made public or shared internally. Such information includes business plans, accounting information, the sensitive information of customers of banks, solicitors, or accountants etc.; patients' medical records, and similar very sensitive data. Such information should not be copied or removed from the organization's operational control without specific authority. Security should be very high.

- Proprietary: Procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for use by authorized personnel only. Security at this level is high.

- Internal Use Only: Information not approved for general circulation outside the organization where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility. Examples include: internal memos, minutes of meetings, internal project reports. Security at this level is controlled but normal.

- Public Documents: Information in the public domain: annual reports, press statements etc. which have been approved for public use. Security at this level is minimal.

Care should always be applied regarding a user's tendency to over classify their own work. It can sometimes be erroneously surmised that the classification level assigned to a user's work can reflect directly on the individual's own level of importance within the organization.

ISO17799 - A WORLD WIDE PHENOMINA
Our source list for purchases of ISO17799 has proved a popular talking point in previous editions of ISO17799 News, so here is the up to date version of the most recent:

Argentina 1
Argentina 2
Australia 7
Austria 7
Barbados 2
Belgium 9
Bermuda 1
Bosnia and Herzegovina 1
Brazil 6
Brunei 1
Canada 68
Cayman Islands 1
Chile 4
China 3
Colombia 6
Costa Rica 1
Croatia 1
Cyprus 1
Denmark 11
Egypt 4
France 6
Germany 31
Gibraltar 1
Greece 4
Guatemala 1
Hong Kong 9
Hungary 2
India 6
Indonesia 4
Ireland 14
Isle of Man 1
Israel 1
Italy 26
Japan 6
Malaysia 5
Mexico 12
Netherlands 18
New Zealand 3
Norway 12
Panama 1
Portugal 2
Russia 4
Saudi Arabia 2
Singapore 10
Slovak Republic 1
Slovenia 2
South Africa 6
Spain 17
Sultanate of Oman 1
Sweden 8
Switzerland 24
Taiwan 3
Thailand 2
Tunisia 1
Turkey 2
UAE 4
UK 298
USA 326
Venezuela 2

The same health warnings apply as did last time: these are online credit card sales. As a consequence, those cultures that are less familiar with this form of commerce will be under represented in the figures.

THIRD PARTY CYBER CRIME ATTACKS
This critical topic is covered in ISO/IEC 17799 under Section 9.4 "Network Access Controls".

There is, of course, a high risk of external security breach where network security is inadequate. It is extremely important to have an effective policy statement covering this risk area... for the following reasons:

Criminals may target your organization's information systems, resulting in serious financial loss and damage to your business operations and reputation.
Cyber crime is an ever-increasing area of concern, and suitable training must be given to those persons responsible for network security to minimize such risks.

A suitable high level policy statement covering this could be as follows:

"Security on the network is to be maintained at the highest level. Those responsible for the network and external communications are to receive proper training in risk assessment and how to build secure systems which minimize the threats from cyber crime."

It is necessary to build adequate defences against such attacks. The following areas are among those that should be considered: Verify that the primary safeguards of your network and those of your individual systems are in place.
Identify the access points of your network layout, and verify that the current safeguards are operational.
Consider the following network protection facilities, some of which offer multiple features:-
      - Intrusion detection software that records attempted and successful access to your systems.
      - Pattern (usage) analysis, which identifies changes in on-line activity that may indicate a criminal attack.
      - Access control lists and facilities, which record certain activities for specific files, such as: read, write, execute, delete.
      - System based accounting records.
      - Network usage analysis, which identifies application access and reports on user authorization levels.
      - Network packet sniffing software to detect attack origins.
      - URL blockers, (e.g. your firewall) that can prevent connection from specific, untrustworthy web sites and / or other computers.
      - Word pattern usage analysis that can help e-mail system administrators track down breaches in e-mail policies.

Further advice on this risk area and all others covered within ISO/IEC 17799 can be obtained from the RUSecure Security On-line System at: http://www.yourwindow.to/security-policies/

ISO17799 AND SOFTWARE
We are sometimes asked about the role of software/products with respect to ISO17799, particularly the two most well known offerings, COBRA and The ISO17799 Toolkit. Where do they fit in? Are they competitor products or do they compliment each other? How do they help?

The truth is that they fulfill completely different needs:

A) The ISO17799 Toolkit comprises the basic building blocks: the standard itself (both parts), 17799 cross referenced security policies, and so on. It is intended to 'get you going' on the right path straight away, by providing some basics, as well as guidance and explanations by way of a presentations, glossary, roadmap, etc. It can basically be seen as an introduction and starting pack for compliance with the standard.

B) COBRA on the other hand is designed to help you manage that compliance. It takes you through the standard and ultimately measures your compliance level, pointing out where you fall short. Quite apart from this it is one of the most widely used (possibly THE most widely used) risk analysis systems in the world... and bear in mind that risk analysis is integral to the requirements of the standard... references to 'as determined by risk assessment' are almost interwoven.

In essence therefore, one product gets you started, the other helps you manage.

SOURCES
For further information on the ISO17799 Toolkit, and to obtain a copy, see: http://www.27000-toolkit.com
For COBRA, see: http://www.security-risk-analysis.com

EMPLOYEE INTERNET ABUSE
Although employers are placing increased emphasis on setting up policies covering internet and email abuse, the message is not always getting across to the employees. According to Eric Jacksch, who is president of a leading Canadian IT security firm, employees are continuing to put their employers at risk and also wasting significant levels of corporate resources. These abuses include inappropriate email abuse, loss of productivity through slow web access, and downloading of music, games and pornography.

It is suggested that the first steps to address this are as follows:
- The first step is to ensure that your organization has a clear policy on the acceptable use of the organization's information resources
- Secondly, ensure that this (and other information security policies) is delivered effectively to the employee either through the PC or workstation/desktop, or through the organization's intranet. Also, ensure that the employee is made fully aware of the consequences of non-compliance.
- Thirdly, ensure that the employee is made aware of the organization's right to monitor all email and internet traffic in and out of the organization.

These steps alone should reduce the scale of the problem, but equally importantly, they lay a solid foundation should further action be required. For more policies see the address above.

ISO17799 - MORE FREQUENTLY ASKED QUESTIONS
1) Where can I find back issues of the ISO17799 Newsletter?
All back issues are posted to: http://www.molemag.net
2) Who published ISO 17799? BSI or ISO?
Both... sort of. ISO 17799 is an ISO standard of course. However, there is a Part 2 to cover security management systems. This is published by BSI as BS7799 Part 2.
3) Where can I find a consultant specifically for ISO 17799?
Email iso17799@7safe.com or see The ISO17799 Consultants Directory at: http://www.iso17799world.com
4) Can I discuss ISO17799 with people online?
A new forum has recently been created at: http://groups.yahoo.com/group/iso17799security/.
5) Can I re-publish parts or all of ISO17799 News on our company intranet or via internal communication?
Subject to reference to the source web site (see Question 1) permission is almost always granted.
6) What is the difference between accreditation and certification?
Essentially an accreditation body is an organization (usually national) that grants third parties the authority to issue certificates (to certify). It is the latter, therefore, that issues certificates (certifies) against standards/etc. The former confers the right to do this on the certification company.
7) What are the 10 sections of ISO17799?
- Security Policy
- Security Organization
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Systems Development and Maintenance
- Business Continuity Management
- Compliance

MY FAVORITE WEB SITES
From time to time we will invite a well known information security figure to nominate their favorite IS related web sites. For this issue we present the favorites of Jenni Harrison of the ISO17799 Directory.

a) Your Window To...
This is a little known portal with a wealth of free to access resources. (www.yourwindow.to)

b) BBC...
Not just news, almost an encyclopedia of resources. (www.bbc.com)

c) CCCure...
A rich source of information for CISSP. (www.cccure.org)

SECTION 11: CONTINUITY BACK-UP / RECOVERY STRATEGY
One of the most important aspects of Business Continuity Planning for the majority of organizations is in choosing an appropriate strategy for the back-up and recovery of the IT based systems.

In this section of the planning process, the key business processes are normally matched against the IT systems and an appropriate speed of recovery strategy is chosen. This may require some in-depth research to determine the relevant costs of each strategy. It may also be necessary to prepare a detailed Request for Proposal for vendors to establish the viability and cost of the preferred strategic approach and related support.

Consideration should also be given to the impact of potential severe damage to both premises and communication systems which could have a significant impact on the organization's IT services and systems.

There are a number of strategic options to be investigated when considering IT systems back up and recovery processes. The two most important factors to be considered are the criticality of the IT systems to the business process itself (the speed of recovery needed), and the amount of money available for IT back up and recovery strategies. The options, in order of cost, are as follows:

Fully mirrored recovery site
This strategy entails the maintenance of a fully mirrored duplicate site which would enable instantaneous switching between the live site and the back up site. This is normally the most expensive option.

Switchable hot site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain an identical site with communications to enable you to switch your IT operations to his site within an agreed time period, usually less than one to two hours.

Hot site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain a compatible site to enable you to switch your IT operations to his site within an agreed time period, usually less than six to twelve hours.

Cold site
This strategy involves the setting up of an emergency site once the crisis has occurred and has a standby arrangement with a vendor to deliver the minimum configuration urgently. This option usually enables the organization to be operational within two to three days.

Relocate and restore
This strategy involves the identification of a suitable location, hardware and peripherals and re-installing the systems and backed up software and data after an emergency has occurred. This strategy is often considered to be inadequate for the needs of today's business.

No effective back-up strategy
This at first glance appears to be the cheapest strategy but it also carries the highest risk as it will often involve no effective off-site back up of systems or data. As you would expect, this strategic option usually ends up with the organization eventually going out of business as they are not prepared for any unexpected emergencies occurring. You would be surprised at the number of businesses that adopt this approach to Business Continuity and Disaster Recovery. It often ends up being the most expensive strategy of all.

Finally, if you do decide to outsource some or all of these IT disaster recovery back-up processes don't forget to insist that your supplier also has adequate business continuity planning processes in place that are up-to-date and fully tested!

Additional advice and guidance on Business Continuity and Disaster Recovery Planning can be found at: http://www.disaster-recovery-guide.com

MORE ON SERVICE LEVEL AGREEMENTS
Service Level Agreements (SLAs) are covered in Section 4 of ISO/IEC 17799 and it is important that both the Supplier and the Purchaser/User of IT and other services fully understand the implications and responsibilities inherent in such agreements.

An SLA is effectively a proxy contract that the two parties have negotiated and signed, specifying the terms and conditions under which the service delivery is to be effected.

Both parties must clearly understand their respective roles and responsibilities in respect of the delivery of these services and this information is usually included the SLA. The Supplier and the Purchaser/User are identified together with a statement of expectations and abilities. The Purchaser/User should also fully understand the cost of receiving these services and the basis for the calculation of those costs. The Supplier is accountable for the quality and performance levels of the services and the service availability.

A comprehensive and interactive electronic guide to simplify the preparation and understanding of SLAs is now available. Further information can be found at: http://www.service-level-agreement.net

EMPLOYEE CONFIDENTIALITY UNDERTAKINGS
It is increasingly important that employees are required to sign confidentiality undertakings to their employers. The following guidance is given for consideration, although organizations are recommended to seek further expert opinion on the suitability of such statements to their own contracts of employment:

'Confidential Information' normally means any information which is not generally known in the relevant trade or industry, and belongs to the Organization, or is learned, discovered, developed, conceived, originated or prepared during, as a result of, or in connection with, the Employees work, or relates to the Organization's customers of clients, including but not limited to :
- Information which is unique to the Organization
- Information relating to the existing or contemplated products, services, technology, designs, processes, formulae, computer systems, computer software, algorithms, research or development of the organization;
- Information relating to the business plans, sales or marketing methods, methods of doing business, customer lists, customer requirements or supplier information of the Organization;
- Information relating to proprietary products or services;
- Any proprietary information not generally known to the public;
- Any information which the Organization or their clients or customers may wish to protect by patent or copyright, or by keeping it secret or confidential; and
- Information which may affect the value of the shares in the Organization and (where relevant) any price sensitive information

The Employees should be asked to acknowledge that the Organization:
- Is (inter alia) in the business or providing
- Has and will invest significantly in terms of money and time in developing their business and products;
- Has and will expect to develop confidential proprietary information relating to their business; and
- Operates a highly competitive commercial arena.

The Employees should acknowledge that during their employment they may have access to, gain knowledge of, be entrusted with and be involved in the creation of Confidential Information, improper disclosure of which could :
- Result in the Organization losing its competitive edge;
- Cause the Organization to suffer financial loss; and
- Be otherwise detrimental to the Organization.

The Employees should undertake that both during employment or thereafter, they will:
- Not disclose, divulge or communicate to any person any Confidential Information, save to those officials of the Organization whose proper province it is to know such information or with the written consent of the Board;
- Do everything reasonably within his power to protect the confidentiality of all Confidential Information;
- Not use any Confidential Information for his/her own benefit or for the benefit of any third party or in a manner which could be detrimental to the Organization;

The Employees should also undertake that on leaving the company they will:
- Deliver up to the Organization all copies and originals of documents, computer disks, tapes, accounts, data, records, papers, designs, specifications, price lists, lists of customers and all other information, whether written or electronically stored, which belongs to the Organization or relates in any way to their business or affairs or the business or affairs of any of their suppliers, agents, distributors or customers, or contain any Confidential Information, and are in the Employees' possession or under his control.
- Upon request supply the Organization with a signed statement confirming that the Employee has complied with this undertaking.

Again, further guidance on this and similar topics is included in the RUSecure Security On-line Support system (http://www.yourwindow.to/security-policies/).

BSI CERTIFICATIONS
We are pleased to add the following to the list produced in Issues 4 and 5, of those who have been certified by BSI with respect to BS7799 Part2 for at least one system in at least one location:

MetroMail Ltd, NTT Communications Corporation, Systems Software Solutions, Solution Business Division (Japan), Miles Smith, Global Security Experts Inc, Marine Systems Associates Co. Ltd (Japan), Broadfern, NEXOR, e-Solutions Create Corporation, IT Frontier Corporation.

A number of organizations are now re-registering their original certificates (which are valid for 3 years). Successful organizations include: Cadweb Limited, Camelot Group Plc and DBI Consulting.

Congratulations to all these organizations.

In the next issue, we will also produce some sample scopes of registration from existing certificates.

IT COULDN'T HAPPEN HERE....COULD IT?
Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) The Long Goodbye
After a series of serious disagreements with his fellow directors, a director left the UK branch of an international network services company. As the service was used by a number of international banking groups, he decided to extract revenge.

Some time after his departure, he was still able to access the system... because the company's termination/departure procedures did not immediately revoke access rights.

The banking groups found to their horror that extremely rude messages began to appear on their terminal links with other banks for no apparent reason. Transfers were delayed and some messages had parts missing.

It took some time to identify the cause. Although the cost was impossible to quantify, there was certainly serious damage in terms of the company's goodwill and reputation.

2) Don't Forget The Obvious
Dial-in or remote access can be a real Achilles heel if not properly controlled.

In a recent case, a young hacker gained access to a major corporation's computer system by using the default password of a system engineer. It had never been changed from installation. This actually gave him considerable scope and powers of access.

To cover for himself, he changed a number of user passwords, semi-disabled the machine log, created several fictitious privileged users and tampered with the dial back system code. Getting more ambitious he established a communication link with another computer and ended up making it crash. All this took place over just two evenings.

Despite the fact that the hacker was not maliciously causing damage or attempting to make financial gain, his actions caused havoc. The installation ultimately had to closedown its prime computer and restore from the previous weeks back-up, at considerable cost.