ISO17799 Newsletter - Issue 7

Welcome to this, the seventh edition of The ISO17799 newsletter, designed to keep you abreast of updates and developments with respect to the ISO 17799 information security standard.

The information contained in this newsletter is free to our subscribers and provides guidance on practical issues, plus commentary on recent Information Security incidents.

Included in this issue are the following topics:
1) Working from Home - Securely!
2) The ISO17799 Toolkit - A Closer Look
3) The Criticality of Documentation - Policy
4) Business Continuity Focus Increases (ISO17799 Section 11)
5) ISO17799: a World Wide Phenomenon
6) The DTI Survey
7) More Frequently Asked ISO17799 Questions
8) ISO 17799: How Far To Go?
9) Guidelines On Cookies
10) Certifications - Sample Scopes
11) Six of the Best: Password Guidelines
12) Still More on Service Level Agreements (ISO17799 Section 4)
13) It Couldn't Happen Here.... Could It?

Home working is still on the increase, clearly encouraged by advances in technology and increased use of the internet. However, it is also clear that in many cases good security is a victim of this change.

This is due to a number of factors, and not just that a home base generates a slightly different mentality and attitude to the disciplines of office work.

To counter these risks, we reproduce below a number of security measures which should be taken when working from home or off-site:
- Treat company property and/or data as you would in the office, according to company information security procedures
- Do not allow a laptop issued for business purposes to be used by family or friends
- Ensure that laptops are kept secure at all times, and protect access with a strong authentication mechanism
- Specifically protect all sensitive business documents stored on laptops or home computers
- Do not use the same computer for both business and personal use; or, where this is not possible, store company data on a separate disk with secure access and protection
- Valid licenses must be obtained for any software used at home to avoid a breach of Software Licensing laws
- Ensure that adequate and up to date virus protection software is installed on any computers used at home
- When connecting remotely to an office network, consider the use of a dial-back facility for added security, and always investigate the reason for failed access (your username may already be in use by an unauthorized person)

These are basic, almost policy, measures and should be considered to be the absolute minimum. As such, it is also recommended that a risk assessment is also considered on a case by case basis.

ISO17799 is of course sold stand alone or as part of the ISO17799 Toolkit, the latter being designed to include a set of the basic building blocks for the standard. But what are these 'building blocks', and what are their functions? The following list of toolkit components should hopefully address these questions:

1) The ISO17799 Standard - basically the standard itself (PDF format).
2) BS7799 - this is part 2 of the standard, and again is provided as a PDF document.
3) Security Policies - essentially hundreds of ISO17799 aligned security policies. This is a substantial document (MS-Word) and in particular is highly acclaimed.
4) A Roadmap for Certification - an explanation of the process
5) The Information Security Glossary - 115 pages of definitions and explanations
6) The E-Security Audit Kit - a series of detailed questionnaires and checklists for security audit and review
7) A Disaster Recovery Kit - to assist with section 12, checklists, questionnaires and assessment materials for business continuity.
8) An ISO17799 Management Presentation - a PowerPoint presentation on the standard
9) Business Impact Analysis - as BIA is a critical part of security implementation, a full coded questionnaire is included.

Clearly, many of these are essentials, and the toolkit ensures that maximum value is obtained by providing them as part of an integrated downloadable package.
For further information on The ISO17799 Toolkit, and to obtain a copy, see:

System documentation is important, and your organization should develop and implement a simple policy to ensure that it is kept up to date at all times. Many well organized IT departments fall short of expectations when it comes to documenting system changes and updates, particularly on in-house developed systems. This could lead to serious consequences.

The policy itself must be easy to understand and be capable of being monitored and enforced. As with all policies, thought must be given towards HOW the policy is to be distributed and policed to ensure compliance. Consider the following issues:

. Missing or inadequate technical documentation, especially with older "in-house" systems will usually result in operational difficulties and substantially increased systems analysis effort. In such cases:
- You are likely to be totally dependent on a few key staff
- You cannot validate proposed technical changes
- You have no effective way to train support staff

. Out of date documentation can (and usually will!) result in severe operational difficulties

. If documentation is "merely" accessible, the purchase or development of replacement documentation is unlikely to be a priority. In these cases, the risks are similar to having missing or inadequate documentation.

. Policies that are not enforced will not be followed.

It really is a matter of common sense that the quality and status of documentation is taken as seriously as that of important data. Where there are serious implications for loss, error or omission, appropriate controls are required.

Suggested simple policy statement:
System documentation is a mandatory requirement for all the organization's information security systems. Such documentation must be kept up to date and be available. Regular checks will be carried out to ensure compliance.

Section 11 of ISO 17799 devotes itself solely to Business Continuity. This alone gives a clear indication of the growing importance to businesses of having a well structured contingency plan to be implemented in the event of an unexpected disaster or disruptive event.

The process revolves around assessing the risks to the business and identifying the weaknesses and dependencies. Once this process is completed it is necessary to set up back up procedures and processes that can be brought into play when the need arises. The level of sophistication involved in these back up processes and the speed that they can be implemented in an emergency situation will probably determine their costs. Speed and availability are the two critical issues in this scenario.

Developing a comprehensive back up plan from scratch is normally an expensive and time consuming task that can divert scarce resources from other activities. The scale of the task can also be daunting and for many organisations the sheer size of the task often prevents the work from starting. The attitude often becomes "It surely won't happen to us anyway, will it?...."

More and more organisations are therefore looking for assistance in setting up these business continuity plans. Fortunately, to provide this help there are now low cost products available. The most popular is probably The BCP Generator, which includes hundreds of pre-designed templates that just have to be completed to produce a coherent plan (see for information on this and others).

Whatever approach is adopted however, the lack of a living business continuity plan could easily prove to be an Achilles heel. If you haven't got one, WE WOULD STRONGLY ADVISE THAT ONE IS DEVELOPED.

Our source list for purchases of ISO17799 has proved a popular talking point in previous editions of ISO17799 News, so here is the up to date version of the most recent thousand or so:

Argentina 2
Australia 8
Austria 8
Bahrain 1
Barbados 2
Belgium 9
Bermuda 1
Bosnia and Herzegovina 1
Brasil 6
Brunei 1
Canada 83
Cayman Islands 1
Chile 5
China 3
Colombia 6
Costa Rica 1
Croatia 1
Cyprus 1
Denmark 12
Egypt 4
Estonia 1
Faroe Islands 1
France 8
Germany 37
Gibraltar 1
Greece 4
Guatemala 1
Hong Kong 9
Hungary 3
India 7
Indonesia 5
Ireland 16
Isle of Man 1
Israel 1
Italy 28
Jamaica 2
Japan 6
Malaysia 6
Mexico 15
New Zealand 3
Norway 13
Panama 1
Philippines 1
Portugal 5
Romania 2
Russia 3
Saudi Arabia 3
Singapore 10
Slovak Republic 1
Slovenia 2
South Africa 6
Spain 17
Sultanate of Oman 1
Sweden 9
Switzerland 28
Taiwan 4
Thailand 2
The Netherlands 21
Tunisia 1
Turkey 2
UK 247
United Arab Emirates 5
USA 388
Venezuela 2

The same health warnings apply as always - these are online credit card sales from one source. As a consequence, those cultures that are less familiar with this form of commerce will be under represented.

A recent British Government Department of Trade and Industry (DTI) survey has stated that only around one quarter of businesses have taken security seriously enough to have developed a documented and comprehensive security policy. It also went on to say that only 15% of people responsible for IT security were aware of the contents of the information security international standard ISO 17799.

Another noteworthy statistic was that 44% of the businesses covered suffered at least one malicious security breach in the previous year and the average cost of a serious incident was estimated at US$ 50,000.

Despite this, Board Directors and Executives are slow to take firm action in meeting their legal obligations to protect their organizations from losses caused through inadequate information security measures. Directors and management are reported to be recognizing that risks do exist through poor security controls but they are still not committing sufficient funds to introduce improved systems and corrective methods.

There is also a strong trend towards outsourcing of IT and business processes and this trend is expected to continue. Very often, the driver for this change is the shortage of in-house expertise.

Tellingly, a very high proportion of organizations expect information security to be an increasingly worrying area in the future and feel that their own systems need significant improvements. People are recognized as the weakest link in the information security chain but little work is being done on effective policy distribution and enforcement. This is unfortunate, as there are now specific policy delivery systems around which simplify policy distribution and give everyone easy access to the organisation's requirements.

All in all, a mixed picture, but at least there seems to be genuine realization of the importance of information security, and that significant implementation improvements are necessary in the short term.

Useful resources:
Policy distribution: RUSecure Security On-line Support at
Outsourcing: Information and guidance at
Security policy content:

1) Which ISO17799 controls are most important?
That largely depends upon the individual organization. However, ISO17799 does give some guidance, in the form of 'legislative essentials' and 'common best practice' under the IS "starting point" section. These are:
- intellectual property rights (12.1.2)
- safeguarding of organizational records (12.1.3)
- data protection and privacy of personal information (12.1.4)
- information security policy document (3.1.1)
- allocation of information security responsibilities (4.1.3)
- information security education and training (6.2.1)
- reporting security incidents (6.3.1)
- business continuity management (11.1)

2) Can I republish articles from ISO17799 News internally, on our company intranet, or even on our external internet site?
Subject to a reference (link) to the archive web site (, yes.

3) What is a Certification body?
An accredited certification body is a third party organization that assesses/certifies the IS management system against the standard (part 2).

4) Who are the Accredited Certification bodies for the standard?
There are a growing number. However, the following are amongst them: BSI, Certification Europe, DNV, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited, UIMCert GmbH

5) How do I become a certified auditor?
The International Register for Certified Auditors ( operates a certification scheme for ISMS auditors.

6) Can I discuss ISO17799 with other people online?
A new forum has recently been created at:

7) How does this standard fit with ISO 9000?
BS7799 is actually being "harmonized" with other management standards, including ISO 9000 and ISO 14000. Watch this space! 8) ISO/IEC Guide 62?
This is basically for those bodies operating certification schemes. It contains the general requirements applicable to them.

How far to go along the ISO17799 path? A very common question.

For some, only full certification will do, due to a variety of reasons. For others, positioning is adequate - reaching a position of compliance and then monitoring competitors carefully.

In many cases, the appropriate posture will be clear. However, for those unsure of how far to proceed, the online presentation at: may be useful. This presents ISO17799 in the context of past, present and possible future.

As reported in The Register (, 'cookies' are rejected less than 1% of the time. This of course illustrates that the cookie issue is not currently a big issue amongst internet users in general, despite clear issues relating to privacy and confidentiality.

But what is a Cookie?
Essentially, a cookie is a small text file placed on a user's computer by a Web site which can log information about the user and the number of visits they make to the site. Web site owners claim that cookies are beneficial to the user, allowing faster access and 'personalization' of the site for that user. However, the use of cookies also raises a number of security issues.

The following guidelines are therefore appropriate:
- You should be aware that confidential data may be stored by means of a cookie saved on your PC and accessed by a Web site whilst you are browsing - most likely without your knowledge.
- To turn off automatic cookies, select the security function from your browser toolbar and set "receive cookies" to "off".
- Alternatively, cookies may be monitored by the use of cookie management software.
- Ensure that you disable cookies from sites which might potentially share your details with third parties.
- Where possible, avoid entering confidential data on Web sites or other Internet resources.

When certification against the standard is sought, scoping is essential. This determines the parameters of the certificate. The following are some typical scoping statements from existing certificates:

"The operation of an Information Security Management System relating to the provision of a direct mailing service, including production, data handling and arrangement of delivery. This is in accordance with Statement of Applicability SOA 2002/1"

"The information security management of the operation in the provision of commercial insurance broker services, in accordance to the Statement of Applicability Issue 3.0"

"The management of information security in the provision of energy procurement and management services. This is in accordance with the Statement of Applicability v.02, 11/02"

"Management of Information Security in the provision of IT security solutions involving the planning, advice, project management and implementation of commercial and bespoke data security software and hardware. This is in accordance with the Statement of Applicability v1, date September 2002"

"The Information Security Management System in relation to internal and external services. This includes Training service of Information Security, Design/Integration of Security System and Network Security Consulting. This is in accordance with the Statement of Applicability issue V1.1 dated 2002/11/13"

Trivial? Yes.... but you would be surprised at how often simple rules like these are fudged or ignored:

1) Never give your password to anyone, even if that person claims to have authorization. (In the latter case, report such requests to your Information Security Officer immediately.)
2) Change your password regularly.
3) Never write down your password
4) Never store it on a computer file
5) When receiving technical assistance, do not divulge your password to the IT specialist, but stay with your computer and enter the password yourself when required. (If this is not possible, your Systems Administrator should have permission to log on your behalf.)
6) If you believe your password may have been compromised, change it immediately

A Service Level Agreement (the Agreement) is an agreement between two parties for the delivery of specified services by a "Supplier" or vendor to another party, the "Client". It is effectively a proxy contract in that the two parties have negotiated and signed a comprehensive document specifying the terms and conditions under which the service delivery may be effected. Both parties must clearly understand their respective roles and responsibilities in respect of the delivery of the services and this information is usually included in this part of the Agreement.

In the SLA, the Supplier and the Client are identified together with a statement of expectations and abilities. The Client should also fully understand the cost of receiving these services and the basis for the calculation of those costs. The Supplier is accountable for the quality and performance levels of the services and also the service availability.

However, a major part of the SLA should in fact revolve around security. Responsibilities for this should be very clearly defined and assigned. This equally applies to continuity, and it is important that actions in the case of serious events are clearly identified.

The bottom line here is very much that the security manager or equivalent should have input to the SLA before it is signed. It is important that those responsible for agreeing an SLA are aware of this, and that the security manager (or equivalent) is factored into the process itself.

NOTE: A comprehensive and interactive electronic guide to simplify the preparation and understanding of SLAs is available from:

Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) Answering Machines Simply Have No Loyalty!
Sometimes the most basic of equipment can be the source of serious breach. In this case, a medium sized business was able to fend off a takeover largely on the basis of snippets of key information it was able to glean regarding timing, and how close to 'final offer' the unwanted suitor actually was, etc.

How did it obtain this information? Quite simple: telephone answering machines!

The access control mechanism that guards remote access to messages is often very poor indeed. The secret code is sometimes only a single digit, making the odds of guessing the code first time just 10-1. Or put another way, a maximum of 10 'out of hours' calls to the target phone. In this case it was two digits... making the odds 100-1 (on average about 50 calls before the correct code for an individual phone was found).

Over several nights the medium sized company was able to crack the codes of a number of key players in the takeover drama. Simply calling in at set times (lunch, after work, etc), they were able to pick up messages covering a range of topics... including the takeover. They adapted their strategy accordingly.

The lesson from this is obvious: don't leave confidential information on telephone answering machines!

2) Don't Re-cycle Data...

Several years ago one of the worlds largest security firms uncovered a major network in the US. This specialized in the recovery and sale of computer data.

One of their most successful methods was to purchase old media (disks/etc) and old PCs from large companies and then recover the data using specially modified equipment. The recovered data was subsequently sold to competitors and others.

Again, the lesson is obvious: ensure that any equipment sold on is totally cleansed (drives/etc over-written, not just files deleted).