Security Basics mailing list archives

RE: 7799?


From: David Brown <davidbrown () coal gov uk>
Date: Tue, 4 Nov 2003 17:25:07 -0000

You'll probably find that the bulk of the work involves defining the
business processes behind the organisation.  Policy writing, risk analysis,
change management etc will be the bulk of the work and that stays pretty
much the same for all organisations regardless of size.  Bear in mind that
even if you think that large chunks of the standard don't necessarily apply
to your organisation, you have to justify that decision as part of the
accreditation process.  

BS7799 isn't just about IT security measures, it's about how you manage,
maintain and develop your Information environment as a whole.  Just
identifying your risks and control objectives will be a major piece of work
before you even start to define your actual controls and document them.  As
an example our control framework document - listing all our areas of risk,
the associated control objectives and the outline controls for each one ( ie
"We need a policy for this and we need to maintain it correctly." ) runs to
40 pages.  We aren't a large organisation either, < 200 employees.

The best approach is to work through the ISO documentation, starting with
the "Guide on selection of BS7799 controls" and use that as your template to
identify areas of risk where you may need to define a control objective.  A
lot of risks are predefined but you'll still have to think through your
business processes to make sure you identify any that are unique to you.

Use the "Guide to BS 7799 Risk Assessment and Risk Management" to
develop your risk assessment framework and run it against the risks you
found in the first stage.  Where your risk assessment indicates they are
needed, define your control objectives and then develop your controls.  It's
probably overkill for a really small organisation but you might want to take
a look at COBIT as well, Control OBjectives for Information Technology.


Finally, you really will need buy in from senior management or its
equivalent to do this, since it will almost certainly mean changes to the
way the organisation works and manages its information.  Many of those
changes will be far more proscriptive than they are used to.  Especially in
a small outfit.

Once you've got all that done you're ready to start thinking about
accreditation and audit :)


Dave Brown,

-----Original Message-----
From: jm [mailto:jm () mindless com]
Sent: Monday, November 03, 2003 11:24 PM
To: security-basics () securityfocus com
Subject: 7799?


Hi

I have been asked to look at getting a small organisation up to 7799
accreditation standards in a short time span.

They have minimal systems; email, internet access, CRM database, on 2
servers, and around 10 PCs, so the quantity of work should not be too
much.

I realise that an approved external accreditation body has to perform
the certification process, and have a fair bit of knowledge of the work
required, but I am starting from a blank sheet, so I would like to know
if anyone on the list would have any reference
templates/checklists/procedures available for sharing.

I have got the BSI/ISO documents, so they are a good start, but would
appreciate all the help that can be got.

Thanks in advance


JM


