BS 7799 Information Security Management (ISO/IEC 17799:2000) - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
BS 7799 Information Security Management (ISO/IEC 17799:2000)
  • Tom Lillywhite
  • NHSIA
  • 1 March 2001

2
What is Information Security Management (ISM)?
  • An enabling mechanism whose application ensures
    that information may be shared in a manner which
    ensures the appropriate protection of that
    information and its associated information assets

3
Basic Components
  • Confidentiality: protecting sensitive information
    from unauthorised disclosure
  • Integrity: safeguarding the accuracy and
    completeness of information/data
  • Availability: ensuring that information and
    associated services are available to users when
    required

4
Problem
  • Until the early 1990s information was handled by
    many organisations in an ad hoc and, generally,
    unsatisfactory manner
  • In a period of increasing need to share
    information, there was little or no assurance
    that such information could or would be
    safeguarded
  • What control measures there were focussed almost
    entirely on computer data, to the exclusion of
    other forms of information

5
Code of Practice
  • 1993 DTI (Department of Trade and Industry), in
    conjunction with a number of leading UK companies
    and organisations produced an ISM Code of
    Practice - incorporating the best information
    security practices in general use.
  • Addressed all forms of information, e.g. computer
    data, written, spoken, microfiche etc.

6
Code of Practice - Aims
  • To provide
  • A common basis for organisations to develop,
    implement, and measure effective information
    security management practice
  • Confidence in inter-organisational dealings

7
Development
  • 1993 - 1995: consultation
  • The Code of Practice becomes BS 7799:1995 Part 1
    (Implementation, Audit, Programme)
  • BS 7799 Part 1 becomes ISO/IEC 17799:2000
  • BS 7799 Part 2: the ISMS
  • Recognition as a suitable platform for ISM
8
In Two Parts
  • BS7799 Part 1 is now ISO/IEC 17799:2000
  • Incorporates good security practice, with 127
    security guidelines (which can be drilled down to
    provide over 600 other controls)
  • BS7799 Part 2
  • A framework for an ISMS, which is the means by
    which Senior Management monitor and control their
    security, minimise risk and ensure compliance

9
Balance
  • A common concern amongst organisations is that
    the application of security measures often has an
    adverse impact on, or interferes with,
    operational processes
  • BS7799 processes are flexible enough to ensure
    that the right balance can be struck - security
    with operational efficiency!

10
Other Benefits
  • Enables ISM to be addressed in a practical,
    cost-effective, realistic and comprehensive
    manner
  • Establishes mutual trust between networked sites
  • Enhances Quality Assurance
  • Demonstrates a high, and appropriate, standard of
    security
  • Increases the ability to manage and survive a
    disaster

11
The Standard
  • Covers 10 categories
  • Security Policy. Implementation and maintenance
    of a security policy
  • Security Organisation. Establishment of a
    management framework to initiate and control
    implementation of security within an organisation
  • Asset Classification and Control. Each asset to
    be identified, recorded and ownership
    apportioned

12
Assets - Examples
  • Software. Application software, system software,
    development tools
  • Physical. Computer equipment, magnetic media,
    furniture, accommodation
  • Services. Heating, lighting, power,
    air-conditioning
  • Information. Databases, system documentation,
    data files, user manuals, continuity plans, backup
    processes
13
The Standard (continued)
  • Personnel Security. Measures to reduce the risks
    of human error, theft, fraud or misuse of
    facilities
  • Physical/Environmental Security. Prevention of
    unauthorised access, interference to IT services
    and damage
  • Computer and Network Management. To ensure the
    correct and secure operation of computer and
    network facilities

14
The Standard (continued)
  • System Access Control. Controls to prevent
    unauthorised access to computer systems
  • System Development and Maintenance. A security
    programme complementing the development and
    maintenance of IT systems
  • Business Continuity Planning (BCP). Measures to
    protect critical business processes from major
    failures and disasters
  • Compliance. To avoid breaches of statutory or
    contractual requirements (including the Data
    Protection Act and Caldicott) and to ensure the
    ISMS is operational

15
Controls
  • Each of these categories contains a number of
    security controls, mandatory or otherwise, which
    can be implemented as part of the information
    security risk management strategy
  • The same controls will not necessarily apply
    across the board, owing to the varying nature of
    organisations, risk factors etc.

16
Security policy
[Slides 16 to 34 walk through the ten control areas of the standard; only the slide headings survive in this transcript, the body text having been lost to encoding.]

17
Security organization

18
Security organization

19
Asset classification and control

20
Personnel security

21
Personnel security

22
Physical and environmental security

23
Physical and environmental security

24
Communications and operations management

25
Communications and operations management

26
Communications and operations management

27
Communications and operations management

28
Access control

29
Access control

30
Access control

31
Systems development and maintenance

32
Systems development and maintenance

33
Business continuity management

34
Compliance