
Monday, October 10, 2005

ISO 17799 News 11

________________________

THE ISO 17799 NEWSLETTER
________________________

Welcome to the eleventh issue of ISO 17799 News, designed to keep you abreast of news and developments with respect to ISO17799 and information security.

This edition is an 'Interview Special', in that we have started what will be an occasional series of exclusive interviews with prime movers and influencers within the 17799 arena. These will hopefully provide a much better insight into the standard in terms of its development, its implementation, and its future.


1) A STANDARD IN TRANSITION
===========================

Many people have questioned recent changes and proposed changes, with respect to both ISO 17799 and BS7799. With so much happening in a relatively short period, it was perhaps inevitable that confusion would arise. Hopefully, we can clarify this and explain how events are likely to unfold.

Essentially we had an 'upgrade' to ISO 17799 in June of this year. This has been published and is now current. This event was part of the normal sequence of events for standards, which do not tend to be static indefinitely.

Perhaps the bigger changes, conceptually, are in the future. These are framed by the intention of re-numbering the standards so that they are sequentially aligned. ISO has set aside the numbers from ISO 27000 to support this. These are now specifically reserved for information security standards.

The current intention is as follows:

ISO 27001
This will be the number given to the revision of the current BS7799-2 standard. This is the requirements document for an information security management system (ISMS). The current state of play is that the final draft has been available for comment for some time, and can indeed be purchased. The final published version is expected later in the year.

ISO 27002
This number is actually earmarked for ISO 17799 itself (i.e. Security Techniques: the code of practice for information security management). At some point in the future, possibly with a revision, 17799 will become 27002. This change is not imminent.

ISO 27003
This is set aside for a new standard/document covering risk management.

ISO 27004
This number will be assigned to a standard covering Information Security Management Metrics and Measurements (how, what and when to measure ISMS processes and controls). It is not expected until 2007 at the earliest.

ISO 27005
This is likely to provide implementation guidelines, with a potential publication date of mid 2007.

As part of the overall process, a BS7799-3 standard is being developed, and has a planned publication date of the very end of this year, or early next year. It is expected that this will evolve into the above ISO 27005.

2) SOURCES
==========

The standards currently published and available are ISO17799:2005 and BS7799-2:2002. Also available is the final draft of ISO 27001, known as the FDIS edition.

However, with BS7799-2 due to be withdrawn on final publication of ISO 27001, two standards bodies have decided to provide the final draft of ISO 27001, with free provision of the final version when it is published. These are BSI and SNV.

The respective sites from which to obtain all these documents are:

BSI - http://17799.standardsdirect.org

SNV - http://www.standards-online.net/InformationSecurityStandard.htm

Both these sites also offer a version of the ISO 17799 Toolkit (the main support resource for the standard) inclusive of ISO 27001, with the same upgrade arrangement in place.

3) INTERVIEW 1: FIRST AUDITOR?
==============================

David L Watson was one of the first ever certified BS7799 Auditors, possibly THE first, and is one of the best-known names in the entire information security industry. In an extensive interview, we covered a full array of issues: an overview of the early audit schemes; the IRCA scheme; how certification actually works; what the most common mistakes are; implementation tips; the future of the standard; and much more.

This proved to be an extremely enlightening session, with full details produced and recorded. You can read the entire interview on the archive site of this newsletter: http://17799-news.the-hamster.com/interviews/

This was an exceptional interview and well worth the read for anyone even remotely interested in the standard.

4) KATRINA AND BCM
==================

Now that the publicity glare is diminishing, the attention of businesses is turning towards the business continuity planning implications of this disaster.

For general analysis, some matters are already certain, such as the importance of considering ALL types of potential scenario during the BIA and risk analysis phases (with resultant implications for planning). This aspect is actually very well documented within Section 14 of ISO 17799:2005. However, even nitty-gritty controls, such as off-site backup in a secure REMOTE location (far enough away not to share the primary site's flood, power and transport exposures), are tested by this sort of event.

Disasters such as Katrina are very much a wake up call for the majority. The unforeseen and unexpected CAN indeed happen, and too often with devastating results. Businesses should, however, heed the lessons long after the media have moved on to the next story. We will be returning to this issue in future editions of the newsletter, applying particular focus to the planning exercise itself.

NOTE: If any subscribers were affected by this tragic event, we'd like to hear how your BCP stood up to the test: basically what went right and what went wrong. Please contact us via the email address below.

5) INTERVIEW 2: BSI
===================

BSI, the British Standards Institution, is the oldest standards body in the world. It has in fact published over 20,000 standards and has operations in more than 100 different countries. Not surprisingly, the prefix for its standards is 'BS'. Which of course brings us nicely around to BS7799.

BSI published the first version of BS7799 in 1995. Perhaps slightly confusingly, this version went on to become ISO 17799, and a separate requirements standard, BS7799-2 (current edition 2002), covers the requirements for an ISMS as explained above. BSI therefore has had a key and defining role throughout the history of the standard, being very much a driving force.

In this interview, we ask BSI about the history, their current role, the life cycle of a typical standard, and about the forthcoming BS7799-3 standard.

Again, the details can be read in our new Interview Section: http://17799-news.the-hamster.com/interviews/

6) SECURITY NEWS SNIPPETS
=========================

- A survey by Computer Security Institute (CSI) and the FBI indicates that whilst the average loss per cybercrime incident is decreasing, the number of incidents is still increasing. [ISO 17799 Sections 10 and 11: Communications & Operations Management and Access Control]

- A man has been arrested in San Francisco for possession of stolen property: a laptop PC holding personal information on almost 100,000 University of California, Berkeley students. It was apparently stolen from the inner offices of the 'Graduate Division' whilst unattended during a lunch period. [ISO 17799 Section 9: Physical & Environmental Security]

- A recent survey for instant messaging company, Akonix, indicates that around 45% of US IT executives expect to fail to meet the Sarbanes-Oxley Act deadlines in 2006. [ISO 17799 Section 15.1: Compliance with Legal Requirements]

- The UK Government has been criticized after a document outlining new anti-terror measures was emailed to opposition parties... with the metadata still in place. This contained earlier amendments (tracked changes and editing history) which caused significant embarrassment. Metadata leakage through distributed documents is actually a VERY common exposure in business circles. [Sections 8, 10, 11: HR Security, Communications & Operations Management, and Access Control]

- A study by Trend Micro indicates that users are still more likely to click on suspicious web links at work than at home! [Section 8: HR Security]

- The US Air Force has had to notify over 30,000 of its personnel that their personal data had been exposed, after a legitimate user's login information had been compromised. [Section 11.2: User Access Management]

- USB storage devices continue to increase in popularity. Unfortunately, a recent survey reveals that almost 20% of company data is left unencrypted when copied to one. [Section 12.3, 8: Cryptographic Controls, HR Security]

- Industry News: Symantec seems to have embarked on a sustained programme of acquisitions, recently adding WholeSecurity, Sygate and Veritas to its list of pending deals.
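The metadata item above is worth a concrete check. A .docx is a zip package: document properties (author, last editor, revision count) live in docProps/core.xml, and tracked changes survive as w:ins and w:del elements inside word/document.xml, so a recipient can read the history with nothing more than an unzip tool. The script below is an added example, not part of the newsletter and not code from any named product: it audits a package for that residue and produces a scrubbed copy (properties blanked, changes accepted, comments part dropped). The sample document and its authors are constructed inline so it runs offline; a real document has more parts (settings.xml, comment reference marks, rsid attributes) that a production scrubber would also have to handle.

```python
"""Audit and scrub metadata / tracked-change residue in a .docx package.

Added example (not from the newsletter). The sample document built by
build_sample_docx() is constructed for this demonstration; the author names
in it are invented.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
for prefix, uri in (("w", W), ("cp", CP), ("dc", DC)):
    ET.register_namespace(prefix, uri)   # keep Word's prefixes when re-serialising


def build_sample_docx() -> bytes:
    """Constructed sample: one paragraph with a tracked deletion and insertion."""
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
  <dc:creator>policy.drafter</dc:creator>
  <cp:lastModifiedBy>minister.office</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
</cp:coreProperties>"""
    doc = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
  <w:r><w:t>Detention limit: </w:t></w:r>
  <w:del w:author="policy.drafter"><w:r><w:delText>90 days</w:delText></w:r></w:del>
  <w:ins w:author="minister.office"><w:r><w:t>28 days</w:t></w:r></w:ins>
</w:p></w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def audit_docx(data: bytes) -> dict:
    """Return what a recipient could recover: properties, deleted text, editors, comments."""
    found = {"properties": {}, "deleted_text": [], "insert_authors": set(), "comments": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            for child in ET.fromstring(z.read("docProps/core.xml")):
                found["properties"][child.tag.rsplit("}", 1)[-1]] = (child.text or "").strip()
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            for d in root.iter(f"{{{W}}}del"):       # deleted text is still in the file
                found["deleted_text"].append("".join(t.text or "" for t in d.iter(f"{{{W}}}delText")))
            for i in root.iter(f"{{{W}}}ins"):       # who inserted what
                found["insert_authors"].add(i.get(f"{{{W}}}author", ""))
        if "word/comments.xml" in names:
            found["comments"] = len(list(ET.fromstring(z.read("word/comments.xml")).iter(f"{{{W}}}comment")))
    return found


def visible_text(data: bytes) -> str:
    """Concatenate the text a reader sees (w:t runs only, not w:delText)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{W}}}t"))


def accept_changes(root: ET.Element) -> None:
    """Accept all tracked changes in place: drop w:del, unwrap w:ins."""
    parents = {c: p for p in root.iter() for c in p}
    for d in list(root.iter(f"{{{W}}}del")):
        parents[d].remove(d)
    for ins in list(root.iter(f"{{{W}}}ins")):
        p, idx = parents[ins], list(parents[ins]).index(ins)
        for child in list(ins):                      # keep the inserted runs themselves
            p.insert(idx, child)
            idx += 1
        p.remove(ins)


def scrub_docx(data: bytes) -> bytes:
    """Return a copy with blank core properties, accepted changes and no comments part."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            blob = src.read(name)
            if name == "word/comments.xml":
                continue                             # reviewer comments never leave the building
            if name == "docProps/core.xml":
                root = ET.fromstring(blob)
                for child in root:                   # creator, lastModifiedBy, revision, dates...
                    child.text = ""
                blob = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            elif name == "word/document.xml":
                root = ET.fromstring(blob)
                accept_changes(root)
                blob = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            dst.writestr(name, blob)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", audit_docx(sample))
    print("after: ", audit_docx(scrub_docx(sample)))
```

The control this demonstrates is the one the snippet implies: run a check like `audit_docx` (or the word processor's own inspection feature) at the point of release, and treat any deleted text, foreign author or comment as a blocker rather than relying on staff to remember to accept changes. The same package-level approach applies to .xlsx and .pptx, which share the docProps/core.xml part.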

7) INTERVIEW 3: THE USER GROUP
==============================

The International ISO 17799 User Community was the first truly international online user group built specifically to support ISO 17799. It is also the biggest dedicated such group in the world, with representation from every major nation. It is a rapidly growing community, with free membership, and a vibrant unparalleled online forum (current location http://www.17799.com).

This interview was conducted with the senior administrator and moderator of the forum, Kate Hartley. It explores the background to the user group, the inherent problems of running such an entity, and the future of the group.

8) THE IMPORTANCE OF THE SLA
============================

Not too long ago service level agreements (SLAs) were the exception, rather than the norm. Fortunately, however, most organizations are now aware of the importance of these documents and related contracts. However, it is equally clear that far too many SLAs are woefully inadequate, both in terms of quality and supporting procedures. This can be a real Achilles heel and significant risk.

Quite simply, an SLA is essential, in security terms, to govern and define the receipt of all critical services. It should identify not only what security measures are in play, but matters such as what happens when there is a breach (for example, who is responsible for what actions).

The same applies to service availability. This is sometimes covered in its own specific schedule within the agreement, and is often the most difficult aspect to agree. However, from a business continuity viewpoint it is critical that it properly meets the needs of the service recipient.

Then there are changes to the SLA itself. How are these governed? The SLA is an important document, and controls must be applied to ensure that changes, and their implications, are formally and properly considered, and signed off at the correct level. See issue 9 of this newsletter for more information on this aspect.

The ISO 17799 Newsletter has a long history of stressing the importance of a quality SLA, and makes no apologies for doing so. Too often we see organizations applying significant effort on direct security controls, but missing this important potential vulnerability. This blind spot has been the cause of countless security breaches and losses in the past... hopefully the future will continue to see this exposure reduced.


9) IT COULDN'T HAPPEN HERE!
===========================

Regular readers will be aware that every edition of the ISO 17799 Newsletter ends with several true but slightly bizarre examples of serious security breaches. As this is a special concise edition, we would simply draw attention to a little trivia in the form of a poll of the best previous stories. You can select your favorite "It couldn't happen here, could it?" and vote for it on the following page: http://17799-news.the-hamster.com/poll/index.php

10) AND FINALLY....
===================

Contributions: If you have a burning desire to say something on ISO 17799 or ISO 27001, or have some useful information, please feel free to submit your contribution to us.

Subscription: Subscription to the newsletter is free (although 'opt-in' only). Please do feel free to pass this copy on to your friends and colleagues. If your friends or colleagues wish to receive the newsletter directly, they should simply send a blank email to: newsletter@17799news.com. If you do not wish to receive further copies, simply email us at the address above with a title of 'Un-subscribe'.

Finally... leave us alone! BinaryNine Ltd accepts no liability or responsibility for errors or omissions in this newsletter. This also applies to any loss or damage caused, arising directly or indirectly, by the use of or reliance on the information contained within.

ISO 17799 and ISO 27001 News: 12,000 Subscribers and Growing!

http://17799-news.the-hamster.com

2 comments:

Anonymous said...

Can anyone recommend the robust MSP software for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central IT automation? What is your best take in cost vs performance among those three? I need good advice please... Thanks in advance!

Anonymous said...

Pretty nice post. I just stumbled upon your weblog and wished to say that I've truly enjoyed surfing around your blog posts. In any case I will be subscribing to your rss feed and I hope you write again very soon!

Here is my blog post :: orquesta atraccion