Saturday, August 04, 2007

Security and Compliance 3

How to do BS7799/ISO17799 Projects

Who to Interview?
Security Management: Security Policy / Organization
Security Management: Asset Classification and Control
Typically HR: Personnel Security
Site Security / IT Manager: Physical and Environmental Security
Business Manager / IT Manager: Communications and Operations Management
System Administration Staff: Access Control
Development Staff: System Development
Business Continuity Manager: Business Continuity Management
Internal Audit / Legal: Compliance
Appropriate staff / line management: Business / Information Process
A Good Gap Analysis

Clearly defined scope
Clear findings against each control (good areas as well as gaps)
The ISMS
Clear, practical and appropriate recommendations leading to compliance.
All recommendations reinforced and supported by findings.

Finalizing Resources

Resourcing:
Match actions with in-house resources and confirm availability.
Identify availability shortfalls.
Identify where specialist support is needed.
Obtain necessary approvals for SIP.
Ensure the group has access to the full Gap Analysis Report for guidance.
Establish the ISMS through the creation of the Information Security Forum

Risk Assessment and BS7799/ISO17799

Define a systematic approach to risk assessment.
Identify the risk.
Assess the risk.
Select control objectives and controls for the treatment of risk.
Identify and evaluate options for the treatment of risk.

Generic Steps

Identify assets.
Identify asset dependencies.
Business Impact Assessment (Asset Valuation)
Threat Assessment
Determine levels of risk (Risk Assessment)
Countermeasures Selection
Map to BS7799/ISO17799
Risk Treatment
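The generic steps above read as a procedure, so here is a small worked risk register that walks through them end to end: asset identification, dependency propagation (an asset inherits the value of whatever depends on it), business impact, threat assessment, risk scoring, countermeasure selection mapped to the control areas named in the interview list, and a treatment decision. This is an added example and not the post's own method or tooling; the assets, the 1-5 impact and likelihood scales, the risk bands and the accept/reduce rule are constructed for illustration, and the mapping uses the BS7799/ISO17799 control-area names from the post rather than clause numbers.

```python
# Worked risk assessment following the generic steps. Added example; not
# from the original post. All data and scales below are constructed.

# Steps 1-2: identify assets and their dependencies. "value" is a constructed
# 1-5 business-impact scale (5 = loss would halt a critical business process).
ASSETS = {
    "payroll-app":  {"value": 5, "depends_on": ["db-server", "office-lan"]},
    "db-server":    {"value": 3, "depends_on": ["server-room"]},
    "office-lan":   {"value": 2, "depends_on": []},
    "server-room":  {"value": 2, "depends_on": []},
    "staff-laptop": {"value": 1, "depends_on": ["office-lan"]},
}

# Step 4: threat assessment as (asset, threat, likelihood 1-5). Constructed sample.
THREATS = [
    ("db-server",    "unauthorised access by ex-employee", 3),
    ("server-room",  "fire", 2),
    ("office-lan",   "network outage", 2),
    ("staff-laptop", "theft", 4),
]

# Steps 6-7: countermeasure per threat, mapped to the control areas named in
# the post's interview list (area names only; clause numbers are not used here).
CONTROLS = {
    "unauthorised access by ex-employee":
        ("leaver process revokes accounts on the day of departure",
         "Personnel Security / Access Control"),
    "fire":
        ("fire suppression plus tested off-site backups",
         "Physical and Environmental Security / Business Continuity Management"),
    "network outage":
        ("redundant switching and a documented recovery procedure",
         "Communications and Operations Management"),
    "theft":
        ("full-disk encryption and an asset register entry",
         "Asset Classification and Control / Access Control"),
}


def effective_impact(asset, assets=ASSETS):
    """Step 3 (asset valuation via dependencies): an asset inherits the value of
    everything that depends on it, transitively, so a modest server hosting a
    critical application is rated as critical as that application."""
    best = assets[asset]["value"]
    seen = set()
    stack = [a for a, d in assets.items() if asset in d["depends_on"]]
    while stack:
        current = stack.pop()
        if current in seen:          # guards against dependency cycles
            continue
        seen.add(current)
        best = max(best, assets[current]["value"])
        stack.extend(a for a, d in assets.items() if current in d["depends_on"])
    return best


def risk_level(score):
    """Step 5: constructed three-band scale on impact x likelihood (1..25)."""
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def assess(assets=ASSETS, threats=THREATS, controls=CONTROLS):
    """Steps 5-8: score each threat, select the control, decide the treatment.
    Constructed rule: Low risks are accepted, everything else is reduced."""
    rows = []
    for asset, threat, likelihood in threats:
        impact = effective_impact(asset, assets)
        score = impact * likelihood
        level = risk_level(score)
        measure, area = controls[threat]
        rows.append({
            "asset": asset, "threat": threat, "impact": impact,
            "likelihood": likelihood, "score": score, "level": level,
            "control": measure, "area": area,
            "treatment": "accept" if level == "Low" else "reduce",
        })
    # Highest risk first; this ordering is what the risk treatment plan works down.
    return sorted(rows, key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in assess():
        print(f"{r['level']:6} {r['score']:2} {r['asset']:12} {r['threat']:36} "
              f"-> {r['treatment']}: {r['control']} [{r['area']}]")
```

The point to notice is the dependency step: the database server and the server room both carry a raw value of 3 and 2, yet both score as impact 5 because the payroll application sits on top of them, which is exactly why the generic steps list "identify asset dependencies" before valuation.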

Document Management

BS7799/ISO17799 section 4.3 calls for distribution/availability to staff as required.
Version/change control
Documents to be dated (including previous versions)
By implication, uniquely identifiable and fully controlled.

ISO 9001 compliance is an advantage.

Appropriate change control is needed for an intranet solution.

10 Tips for Success

1. Ensure senior management involvement
2. Recommend a realistic and useful scope
3. Develop a good risk assessment
4. Promote Active Risk management
5. Interpret the controls for the scope
6. Ensure early Security Forum creation
7. Ensure maximum use of the Statement of Applicability
8. Get internal third parties to sign up
9. Get audits underway to raise assurance
10. Take staff awareness seriously

I wish you great success.
