Need For Procedure

by msecadm4921

Training and the need for stated, written procedures are themes running through the British Standards Institution’s code of practice for information security management.

Training and the need for stated, written procedures are themes running through the British Standards Institution’s BS ISO/IEC 17799 – a code of practice for information security management. It takes over from the 1999 standard, featured in Professional Security in April 2000. As the code says at the start: ‘BS ISO/IEC 17799 provides a comprehensive set of controls comprising best practices in information security.’ That takes in physical security. The standard summarises: ‘Critical or sensitive business information processing facilities should be housed in secure areas, protected by a defined security perimeter, with appropriate security barriers and entry controls. They should be physically protected from unauthorized access, damage and interference. The protection provided should be commensurate with the identified risks. A clear desk and clear screen policy is recommended to reduce the risk of unauthorized access or damage to papers, media and information processing facilities.’

International, defining

What’s more, it’s an international standard, given the backing of the ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission). Once it defines what information security is, the code covers asset control, personnel (screening and responding to incidents, for example), physical and environmental security (taking in perimeters and equipment), ‘communications and operations management’ (including housekeeping, protection from malicious software, and exchanging information securely), access control (such as passwords and event logging), developing and maintaining the system (including business continuity) and compliance (with, for example, data protection laws and intellectual property rights). Merely to list the contents shows how thorough this standard is.

Three sides to security

The standard begins by stating three sides to information security: confidentiality (‘ensuring that information is accessible only to those authorized to have access’); integrity (‘safeguarding the accuracy and completeness of information and processing methods’); and availability (‘ensuring that authorized users have access to information and associated assets when required’). Problems arise at once; few computer systems have been designed with security in mind, and availability of information to authorised employees and customers, say, could open a firm to those with authorisation – industrial spies, ex-employees, or hackers, say. Security has to be in keeping with the organisation’s culture (what if sales are all?) and with the backing of managers. The standard goes on: ‘Controls considered to be essential to an organization from a legislative point of view include: data protection and privacy of personal information; safeguarding of organizational records; intellectual property rights. Controls considered to be common best practice for information security include: information security policy document; allocation of information security responsibilities; information security education and training; reporting security incidents; and business continuity management.’ The standard stresses repeatedly that an information security policy should be broadcast throughout the organisation, and that staff should be trained in it, but adds that the policy should have an owner (who reviews the policy rather than letting it go out of date as the rest of the business progresses).
The document suggests a management information security forum, while adding: ‘One manager should be responsible for all security related activities’ and ‘One common practice is to appoint an owner for each information asset who then becomes responsible for its day-to-day security.’ Hardware and software alike should be checked; so too should be ‘new facilities’ and ‘personal information processing facilities’ – that is, the information security manager should be aware if employees bring in PCs or laptops or compact discs (say) that could be used to transmit computer viruses, or take away sensitive data from the business network.

Third parties

The standard considers third party access, by trading partners or contracted support staff such as cleaners and security guards – both physically to buildings, and to databases. How adequate is their security? ‘Where there is a business need to connect to a third party location a risk assessment should be carried out to identify any requirements for specific controls.’ Organisations should write – and insist on the signing of – contracts that deal with the organisation’s general information security policy, access control, the right to monitor users, and arrangements to report security breaches (among many other things listed in the standard). The same need for written agreement, to guarantee confidentiality and integrity of information, is true for outsourcing: as the standard puts it, ‘outsourcing contracts can pose some complex security questions’. Later the standard says: ‘Potential recruits should be adequately screened, especially for sensitive jobs. All employees and third party users of information processing facilities should sign a confidentiality (non-disclosure) agreement.’

Accountability

Someone has to be accountable for information, the standard argues: ‘Inventories of assets help ensure that effective asset protection takes place, and may also be required for other business purposes’ (such as health and safety, and insurance). Only by knowing what your assets are can you give them a relative value, and secure them accordingly – whether a database, or a fax or modem. ‘Each asset should be clearly identified and its ownership and security classification agreed and documented, together with its current location (important when attempting to recover from loss or damage).’ Information has to be classified, so the manager can understand how this information is to be handled and protected. Information sensitivity does change over time – when a price or project becomes public, for example. Classification categories, therefore, should not be too cumbersome or they will become impractical. For each classification, the manager should have handling procedures to cover copying and storage of data, transmission (either by e-mail or spoken word) and destruction. This might mean physical or electronic labelling.

Terms and conditions

Staff should be checked at job application stage – their references and CV checked. If they come into contact with financial or highly confidential data, the organisation should carry out a credit check – even periodically, the standard suggests. As for contractors, ‘the contract with the agency should clearly specify the agency’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed …’ Terms and conditions of employment should state the employee’s responsibility for information security – even running after the end of employment. ‘All employees and contractors should be made aware of the procedures for reporting the different types of incident (security breach, threat, weakness or malfunction) that might have an impact on the security of organizational assets.’ Evidence of incidents should be gathered so that if an employee carries out a security breach, there is a disciplinary process. The same goes for security weaknesses – users should note problems and know which management channels to go along.

Physical security

‘Critical or sensitive business information processing facilities should be housed in secure areas, protected by a defined security perimeter, with appropriate security barriers and entry controls. They should be physically protected from unauthorized access, damage and interference. The protection provided should be commensurate with the identified risks. A clear desk and clear screen policy is recommended to reduce the risk of unauthorized access or damage to papers, media and information processing facilities.’ Sound stuff. From a security manual? Yes, of a sort – the new British Standard code of practice for information security management. Among the pages on confidentiality and integrity of information (while allowing availability of data to staff and customers that need it) is a section on physical security. It’s basic security principles, and yet geared towards protecting information at the end of a PC mouse rather than buildings – clicks rather than bricks, to use an in-phrase. The code states: ‘Organizations should use security perimeters to protect areas which contain information processing facilities. A security perimeter is something which builds a barrier, eg a wall, a card controlled entry gate or a manned reception desk.’ The more barriers – without gaps – the more security. How strong you make the barriers, and where they go, depends on a risk assessment. The BS code calls for ‘appropriate entry controls’ – recording of visitors, wearing of ID for all staff and visitors, and ‘authentication controls’ such as swipe card and PIN, for access both to sensitive information and to the areas where that information is held. In such key areas, you should not have fax machines or the like that give support staff an excuse to enter, in case information is compromised.

Third parties

Elsewhere the code deals with contract staff (such as security guards) – making sure that contracts include the general information security policy, access control, the right to monitor users, and arrangements to screen staff and report security breaches, among other things. In the physical security section, the code has this to say about non-in-house staff: ‘Information processing facilities managed by the organization should be physically separated from those managed by third parties.’ The code adds: ‘Directories and internal telephone books identifying locations of sensitive information processing facilities should not be readily accessible by the public.’ (Those lists of staff work phone numbers on animal rights protest websites come from somewhere.) Staff should only know what goes on in a key, secure area – or whether one even exists – on a need to know basis, the code argues. Vacant key areas should be locked, and loading and delivery areas ‘controlled and, if possible, isolated from information processing facilities to avoid unauthorized access’. As for equipment protection, the code goes into the business continuity field, calling for minimising the risk from theft, fire, explosives, power failure, and the like. As for cabling security: ‘Power and telecommunications lines into information processing facilities should be underground …’ For critical systems, the organisation should consider ‘armoured conduit and locked rooms or boxes at inspection and termination points’ and sweeps for listening devices.

Off premises

The code does not overlook security off the premises, or what to do when a PC and its data are no longer needed. ‘Regardless of ownership, the use of any equipment outside an organisation’s premises for information processing should be authorized by management.’ Laptops, for example, should be carried as hand luggage and disguised (that is, in a plain bag) by travellers. ‘Storage devices containing sensitive information should be physically destroyed or securely overwritten rather than using the standard delete function.’ Finally, the ‘clear desk and clear screen policy’ mentioned at the start means that staff should not leave papers or computer discs on their desk that could be stolen or destroyed by fire, but should lock items away. Computer users should never leave their machines logged on, and PCs ‘should be protected by key locks, passwords or other controls when not in use’.

Formal procedures

The standard calls for formal procedures: ‘Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures.’ It adds: ‘Incident management responsibilities and procedures should be established to ensure a quick, effective and orderly response to security incidents’ – whether such incidents arise from wrong input data, denial of service attacks, or a breach of confidentiality. The code calls for an audit trail for analysing the problem in house, for ‘use as evidence in relation to a potential breach of contract’ and when negotiating compensation with contractors. While admitting it may be difficult for small organisations, the code recommends the principle of ‘segregation of duties’, to reduce the risk of fraud, for instance. Also recommended is ‘separating development, test and operational facilities’ in case of system failure. ‘Acceptance criteria for new information systems, upgrades and new versions should be established,’ the code says, to give time for training and contingency planning. Training, checks on unauthorised incoming e-mail, and reviews are the watchwords of protection from malicious software: ‘Software and information processing facilities are vulnerable to the introduction of malicious software, such as computer viruses, network worms, Trojan horses and logic bombs. Users should be made aware of the dangers of unauthorized or malicious software, and managers should, where appropriate, introduce special controls to detect or prevent its introduction. In particular, it is essential that precautions be taken to detect and prevent computer viruses on personal computers.’ As for housekeeping, the code says: ‘Back-up copies of essential business information and software should be taken regularly.’ Operational staff should keep a log of their activities, and report faults.

Media disposal

‘Media (from carbon paper to test data) should be disposed of securely and safely when no longer required,’ the code says, again done through formal procedures and with an audit trail. As for e-commerce security, among the considerations are liability (who pays if something goes wrong); authentication (what level of confidence should the customer and trader require in each other’s claimed identity?) and authorization (who is authorized to set prices, issue or sign key trading documents?). Organisations should set up a policy on use of e-mail, so that employees do not send defamatory e-mails, or retain them. If e-mails are highly sensitive, the code suggests ‘use of cryptographic techniques to protect the confidentiality and integrity of electronic messages’. Much the same controls are recommended for electronic office systems. The code covers other sorts of information exchange, with reminders to staff ‘that they should not have confidential conversations in public places or open offices and meeting places with thin walls’, and that messages left on answerphones can be ‘replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling’. The code recommends access control of information, with rules ‘based on the premise “what must be generally forbidden unless expressly permitted” rather than the weaker rule “everything is generally permitted unless expressly forbidden”’. System users should formally register and de-register, and redundant user IDs should be swept up periodically. Access privileges, and passwords too, should be controlled, and reviewed every few months. Passwords should be at least six characters, easy to remember and yet not based on names or dates of birth or anything that can easily be guessed. A duress alarm for users who might be coerced, and a terminal time-out in highly sensitive areas, are suggested.

Monitoring and compliance

System monitoring is a tricky subject, given the recent Human Rights Act and the Regulation of Investigatory Powers Act. The code states: ‘Systems should be monitored to detect deviation from access control policy and record monitorable events to provide evidence in case of security incidents’ and makes small but necessary points such as: remember to make sure that all computer clocks are telling the same time. The code calls for special care with teleworkers, and with notebooks, palmtops, laptops and mobile phones, so that business information is not compromised. Digital signatures, cryptographic controls, message authentication, and encryption are all raised as possibilities, depending on risk assessment. As for business continuity, the code says: ‘A business continuity management process should be implemented to reduce the disruption caused by disasters and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.’ As for compliance with the law, the code points out that many countries have laws controlling the ‘processing and transmission of personal data (generally information on living individuals who can be identified from that information)’. A data protection officer to guide managers is recommended, though it is a matter for the owner of the data to inform the data protection officer if there are plans to keep any personal data (that includes CCTV footage). Laws on use of cryptographic controls, and how to gather admissible evidence, are among the other information issues that managers may have to comply with.

In sum

The British Standard only makes recommendations and does not spell out what data protection laws an organisation has to meet, as the code is international. For a security manager who covers IT as a relative newcomer, and any manager who has to at least have his finger on the pulse of information in the organisation (and, put like that, what manager does not), the code is one way of approaching information management in the round – and security is part of it.

To contact BSI
Subscribing members of BSI are kept up to date with standards and can have discounts on the purchase price of standards. For details, ring: 020 8996 7002. Further information about BSI is available on the BSI website.

© 2024 Professional Security Magazine. All rights reserved.