Information Security: Business Assurance Guidelines



The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies become more productive by promoting enterprise, innovation and creativity. We champion UK business at home and abroad. We invest heavily in world-class science and technology. We protect the rights of working people and consumers. And we stand up for fair and open markets in the UK, Europe and the world.

Contents

02 Introduction
04 The risks
05 The 4 key areas of assurance
07 The solution
08 Information Security Management Systems
10 ISMS Standards
15 Identifying your security requirements
17 Implementing your security requirements
18 Achieving assurance
19 Achieving organisational assurance
22 Achieving supplier assurance
24 Achieving business partner assurance
26 Achieving service and IT systems assurance
29 Case study
34 References
36 Further help and advice

Introduction

In today's world, information security is a matter that needs to be taken seriously by every organisation. While communications technology opens up many opportunities, it also presents many risks. You need to be aware of these risks, and take action to minimise them. You can achieve both an appropriate level of assurance, and best practice in information security management, by following the procedures outlined in this publication.

Aside from the business risks, there's also a legal obligation in many countries to take proper care of personal information entrusted to your organisation. In the UK, legislation such as the Data Protection Act imposes penalties on those who do not attend to this duty of care. There's also UK legislation regarding the protection of your organisation's company records, to safeguard intellectual property and prevent misuse of computer systems.

Having an effective information security management system (ISMS) and risk management process in place helps to ensure business continuity, minimises the damage to business activities and maximises your return on business investments and opportunities.

This brochure will explain the four key areas where businesses benefit most from information security assurance:
- organisational assurance
- supplier assurance
- business partner/customer assurance
- services and IT systems assurance.

It will then walk you through a number of steps to establish, implement, maintain and improve information security assurance using the information security management system (ISMS) approach based on established industry standards for information security. By following these principles, you can ensure that the risks to your organisation are controlled and managed effectively. While security problems can never be completely eliminated, you can help your organisation to make the most of the information age without compromising security.

Who this brochure is for: senior managers, internal auditors and information security managers within both public and private sector organisations, who need to understand and satisfy information security assurance requirements.

What it covers: minimising the risk of your business's information being disclosed, modified or deleted in an unauthorised way, or rendered unavailable to those authorised to access it.

IMPORTANT NOTE: For the purposes of this guide, information security assurance is defined as follows. It is all actions taken to ensure that:
- information security policies and procedures are adhered to
- the implemented information security management system (ISMS) is effective at managing the risks to the information assets
- the ISMS processes and system of controls are adequate for the purpose of providing and maintaining a specified degree of confidence in the confidentiality, integrity and/or availability of information throughout its lifecycle, which includes input, update, manipulation, output, archiving and disposal.

The risks

Having effective risk management processes in place is of fundamental importance to an organisation's well-being, success and survival. Such processes should be treated as essential to maintain a sound system of internal controls, to safeguard investment and business assets, and to fulfil your business objectives.

The risks to your organisation's information assets can result from a number of threats and vulnerabilities:
- The risks may come from within your organisation:
  - caused deliberately, eg a disgruntled employee who deliberately modifies or destroys information
  - caused accidentally, such as through employee carelessness or a lack of secure procedures
  - caused by failures of electrical power, system hardware or software.
- The risks may arise from external sources, eg from a hacker, competitor or an industrial spy.
- The risks may come from a combination of internal (an employee involved in an insider job) and external (an accomplice to the employee) sources.

The impact caused by such risks can be damaging to an organisation, resulting in loss of sales and income, customers and market share, intellectual property, image and reputation. The overall loss from not protecting your organisation's assets versus the cost of protecting these assets appropriately is an issue that management needs to consider carefully, to achieve the right balance, and to maximise the return on investment in information security management.

Having an appropriate system of controls in place to manage information security risks contributes to the effectiveness and efficiency of business operations, helps to ensure the reliability and continued availability of information systems, and assists compliance with laws and regulations. The controls, if properly implemented and used, should provide assurance that your organisation is not unnecessarily exposed to avoidable business risks and that business information used within the organisation and for publication is accurate and reliable. They also contribute to the safeguarding of assets, including the prevention and detection of security incidents.

An organisation's objectives, its internal management and the business environment in which it operates are continually evolving and, as a result, the information security risks it faces are continually changing. A sound system of controls therefore depends on a thorough and regular evaluation of the nature and extent of the information security risks to which the organisation is exposed.

The 4 key areas of assurance

The following four areas are the different types of information security assurance that an organisation should consider in order to achieve overall information security assurance:

1 ORGANISATIONAL ASSURANCE
This is concerned with all those actions taken by the organisation to provide information security assurance to meet the needs of its owners, shareholders, customers and other stakeholders, and to govern its business. Organisational assurance is the process for providing confidence that the information security management system is effective at managing the risks to the organisation's information assets. Perception of the risks is likely to be different according to the different stakeholder groups involved, and this can have an influence on what is considered an acceptable level of risk, and how the risks should be managed. The management process for assessing the risk and its treatment needs to achieve an appropriate balance of control.

Figure 1: Assurance Stakeholders. The figure shows the stakeholders for information security assurance around the organisation: owner, creditors, shareholders, insurers, business partners, customers, public, suppliers, enforcement & regulatory authorities, board of directors, management, and staff/employees.

2 SUPPLIER ASSURANCE
Supplier assurance is concerned with all those actions taken by third party suppliers of services and products to supply information security assurance to your organisation. The level of assurance is that claimed and sought by service providers and suppliers related to the security agreements and arrangements they have with your organisation. The aim is to provide confidence that the system of controls employed by the third party suppliers with whom information may be shared and exchanged electronically, or otherwise accessed, is adequate and fit for purpose.

3 BUSINESS PARTNER ASSURANCE
Business and trading partner assurance addresses the level of confidence in the security arrangements established between your organisation and these other parties. Arrangements should include the secure access to, and sharing and exchange of information, and ensuring electronic business is carried out in a secure way.

4 SERVICES AND IT SYSTEMS ASSURANCE
This is concerned with all those actions taken by developers, implementers and suppliers of services and IT systems to ensure that the designed and implemented security features are effective and correct in managing the risks to the information processed by these systems and services.

Figure 2: Supplier Assurance. The figure shows the information security assurance relationship between the organisation (as customer) and its supplier across the services and technology interface, covering IT services assurance, IT systems assurance and other infrastructure assurance components.

The solution

In order to tackle information security risks in the four areas described in the previous section, a firm should scope out an effective information security management system, make sure it will provide the necessary level of assurance, and audit it regularly. This process is described in the next section: Information Security Management Systems. Following this section, ISMS Standards then outlines the industry standards for information security that you need to use when setting up your own ISMS, and the controls you need to put in place around it.

Information Security Management Systems

ISMS SCOPE
An information security management system (ISMS) is a part of the overall system of management an organisation should have in place. The scope of the ISMS should include those policies, planning activities, responsibilities, practices, procedures, processes and resources needed to establish, implement, operate, monitor, review, maintain and improve information security. The ISMS should embrace a system of controls suitable to manage the risks to the business assets covered by the scope of the ISMS. The security requirements and a risk assessment determine the design and specification of this system of controls.

The ISMS scope could cover the whole of the organisation or a well-defined part of the organisation, eg a particular site or location, department, or business service. The business assets covered by the scope of the ISMS should be clearly identified and any interfaces and dependencies related to other systems should also be clearly identified and defined. One example is any interfaces with customers and suppliers where information is shared or exchanged or access is given. The customer might impose security requirements on the organisation's assets which the ISMS needs to take account of, and likewise the organisation might impose security requirements on its suppliers. The ISMS scope may cover multiple sites or a single site of the organisation, or it could cover part of another organisation's site, eg in the case of an outsourced or externally managed facility. Whatever the extent of the scope might be, it should be well defined and documented.

ISMS ASSURANCE
The central idea behind the ISMS process approach is to be able to establish an ISMS that achieves the desired level of information security management required by the business, and then maintain and improve the effectiveness of this management system by regularly reviewing and monitoring the changing business environment and making ISMS enhancements where necessary. If business, legal and/or regulatory requirements and conditions change, adjustments in the ISMS will need to be made to reflect these new requirements. In addition, the threats, vulnerabilities, risks and impacts associated with the ISMS need to be reassessed on a regular basis as these might change as well.

There are several ISMS assurance metrics that can be used, and together they provide a means of assessing the overall assurance in the ISMS. These assurance metrics can be used to measure the:
- effectiveness of the ISMS, eg how effective are the security controls in place, how effective are the procedures, and how effective are the records and other documentation in place?
- correctness of implementation, eg are all the technical and organisational solutions and controls implemented and used correctly, and are all records and other documentation in place correct?
- relevance to the business, eg is the ISMS scope still relevant to the business, and is the degree of information security assurance provided by the ISMS still appropriate and sufficient to meet the business requirements?

- operational and user deviations from applying the ISMS policies and procedures, eg what is the evidence that all employees are aware of and comply with all the policies and procedures?

Regular internal ISMS audits and reviews can be used to identify any operational deviations from the existing security policy and procedural arrangements. Monitoring, reviewing and evaluating incident reports can complement this activity, as well as helping to check compliance with the policy regarding system access and use. Incident reports can show where existing controls might not be effective enough to provide protection, or are simply not being followed or are not understood by employees. It is also important to monitor all changes that can have an impact on existing security solutions, such as changes to the business, the assets in the ISMS and their importance, and the threat/vulnerability/risk situation. Finally, your organisation might want to use testing techniques, such as penetration testing, to check how efficient and successful the technical controls are at implementing their security functionality.

ASSESSMENT OF AN ISMS
The assessment of an ISMS through systematic audits is a means of achieving a level of information security assurance. The ISMS can be assessed in different ways, through:
- First party audits, for example internal ISMS audits, reviews or other self-checking processes.
- Second party audits, such as reviews or audits carried out by business partners or customers, or audits that take place due to contractual arrangements.
- Third party audits, for example those carried out by accredited certification bodies; this form of evaluation can lead to an accredited certificate, which gives recognition that the ISMS scope is fit for purpose, and that the ISMS complies with requirements of the certification standard.

In this brochure we refer to the family of BS 7799 standards:
- ISO/IEC (previously BS 7799 Part 1): Code of practice for information security management
- BS 7799 Part 2: Information security management systems. Specification with guidance for use.

ISMS Standards

ABOUT BS
The British Standard BS 7799 Part 2:2002 has been developed by an international group of experts representing a diverse set of market sectors and organisations. It provides a business model for setting up and managing an effective ISMS. It helps an organisation to establish, implement, maintain and improve an ISMS appropriate for the identified information security assurance requirements and standardises the ISMS process approach. The design and implementation of the ISMS needs to take into account business needs and objectives, as well as resulting security and assurance requirements. BS 7799 Part 2 is currently being developed as an international standard and should be published in

Process approach
BS :2002 adopts an ISMS process based approach for establishing, implementing, operating, monitoring, maintaining and improving the effectiveness of an organisation's Information Security Management System (ISMS). This approach takes as input the identified information security requirements, and applies the necessary processes described below to produce the required level of information security. This process approach is based on the Plan-Do-Check-Act (PDCA) model.

Figure 3: Plan-Do-Check-Act Model. The figure shows the cycle Plan, Do, Check, Act.

PLAN: Establish the ISMS. This step involves identifying the security requirements, assessing the risks and establishing the ISMS policy. It also includes selecting a system of controls to manage risks (this includes more detailed policies and procedures and technical controls).

DO: Implement & operate the ISMS. This step involves implementing and using the system of controls, the ISMS policy and ISMS procedures that have been selected in the Plan Phase.

CHECK: Monitor & review the ISMS. This step involves monitoring, reviewing and assessing the performance of the ISMS: measuring the effectiveness of the ISMS to manage the risk, measuring the correctness of the implementation of controls, measuring the continued relevance of the ISMS to the business, and measuring any deviations from policy and procedures. The results of this activity will indicate whether any improvements are needed to the ISMS.

ACT: Maintain & improve the ISMS. This step involves taking corrective and/or preventive actions, based on the results of the Check Phase, to maintain and improve the ISMS.

This PDCA model is also used in other management system standards such as ISO 9001:2000 and ISO 14001:1996; this supports the consistent and integrated implementation and operation of all these management system standards.

BASIS FOR AUDIT
BS 7799 Part 2 provides a framework for carrying out an independent audit of an organisation's ISMS. It also gives guidance on the use of the standard to set up and manage an effective ISMS, and can be used as a basis for audits of the ISMS. Choosing which of the three different ways of assessing compliance to use (see Assessment of an ISMS on page 9) depends on the requirements of your organisation, and on the requirements of customers and business partners. The third party evaluation and certification helps to provide assurance to your organisation as well as to any external interested party that the ISMS is appropriate and sufficient to achieve all information security assurance requirements.

ISO/IEC
ISO/IEC is a catalogue of best practice controls for information security management, and also gives advice on how to implement these controls. This standard was previously published as BS 7799 Part 1 before being adopted by ISO/IEC. It is a business-led approach to best practice on information security management. It describes a number of controls that can be considered as guiding principles, applicable to most organisations and most environments. Some of the controls in ISO/IEC provide a good starting point for implementing information security.

Controls considered to be essential to an organisation from a legislative point of view include:
- respecting intellectual property rights
- safeguarding organisational records
- ensuring data protection and privacy of personal information.

Controls considered to be essential as common best practice for information security include:
- documenting an information security policy
- allocating information security responsibilities
- providing training and education on information security
- reporting security incidents
- ensuring business continuity management.

It is important to recognise that the relevance of any control should be determined taking into account the specific risks your organisation faces. Hence, although the above controls are considered to be a good starting point, this does not replace a selection considering the controls in ISO/IEC based on a risk assessment. An overview of the controls described in ISO/IEC can be found overleaf.

THE CONTROLS

Security policy
An information security policy document should be approved by management, published and communicated, as appropriate, to all employees and should contain:
- a definition of information security, its overall objectives and scope, and the importance of security
- a statement of management intent, supporting the goals and principles of information security
- a brief explanation of the security policies, principles, standards and compliance requirements of particular importance to the organisation
- a definition of general and specific responsibilities for information security management, including reporting security incidents
- references to documentation which may support the policy.
The policy should have an owner who is responsible for its maintenance and review according to a defined review process.

Security organisation
A management framework should be established to initiate and control the implementation of information security within the organisation. ISO/IEC gives guidance on how information security should be co-ordinated within the organisation:
- establishing suitable management fora
- assigning information security responsibilities
- consultation with external experts
- independent review of information security.
It also helps to assess the risks from third party access and describes the security requirements that should be considered in third party contracts and outsourcing arrangements.

Asset classification and control
ISO/IEC describes how to classify assets and maintain appropriate protection for them. All major information assets should be included in an asset register, should be accounted for, and have a nominated owner. All sensitive and critical assets should be classified to indicate the need, priorities and degree of protection. An appropriate set of procedures should be defined for information labelling and handling in accordance with the classification scheme adopted by the organisation.

Personnel security
ISO/IEC also addresses topics in the area of personnel security. The objective here is to reduce the risks of human error, theft, fraud or misuse of information processing facilities. This includes the definition of security in job responsibilities, personnel screening and confidentiality agreements, as well as user training and awareness. Incidents, security weaknesses and malfunctions should be reported through appropriate management channels as quickly as possible to minimise damage, and to monitor and learn from such incidents. A disciplinary process should be defined to be able to deal effectively with security breaches.

Physical and environmental security
The physical and environmental side of security is also addressed in ISO/IEC. This covers physical controls to prevent unauthorised access, damage and interference to business premises and information. The controls address:
- building of secure areas and entry controls for the business premises and these areas
- controls for working in secure areas
- equipment security, including power supplies, cabling security, equipment maintenance and the use of equipment off premises
- general controls covering clear desk and clear screen policy, and removal of equipment.

Communications and operations management
ISO/IEC includes controls to ensure the correct and secure operation of information processing facilities. These controls cover:
- documented procedures and change management
- segregation of duties and separation of development and operational facilities
- system planning and acceptance
- protection from malicious software
- housekeeping operations such as information back-up
- network management
- secure media handling and disposal
- information handling procedures
- exchanges of information and software, covering electronic commerce, electronic mail, information published on the Internet and other forms of information exchange.

Access control
Access to information, networks, operating systems and applications should be controlled. ISO/IEC includes controls that cover:
- access control policy, including business requirements and access rules
- user access management, including user registration and de-registration, privileges and passwords
- user responsibilities
- user identification and authentication and password management
- network access control, including segregation of networks and routing control
- access control to sensitive information, and isolation of sensitive systems
- monitoring of system access and use to detect unauthorised activities
- mobile computing and teleworking.

System development and maintenance
ISO/IEC includes the following controls to ensure that security is built into systems and applications, and to protect information from unauthorised disclosure or modification:
- identification of system security requirements
- the prevention of loss, modification or misuse of data in application systems
- cryptographic controls
- security of system files
- security in development and support processes.

Business Continuity Management
Business continuity management addresses those processes and actions necessary to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters. This includes the analysis of impacts of such incidents, a planning framework, and the writing, implementing, testing and maintaining of business continuity plans.

Compliance
An organisation should ensure it avoids breaches of any criminal and civil law, and statutory, regulatory or contractual obligations, and of any security requirements. ISO/IEC covers some of the controls necessary to address these issues, including:
- IPR and software copyright
- safeguarding of organisational records
- data protection and privacy of personal information
- prevention of misuse of information processing facilities
- regulation of cryptographic controls
- collection of evidence.
ISO/IEC also covers compliance with security policy and technical compliance, and system audit.

SELECTING CONTROLS
The guidance given in ISO/IEC provides a generalised approach to achieving security objectives. This approach needs to be used in a way that addresses the specific business and security requirements of your organisation, through a process of risk assessment, risk treatment and the appropriate selection of controls to manage the risks. In meeting your organisation's specific set of requirements a suitable balance should be achieved, and a combination of controls needs to be selected covering management, procedural, operational and technical features.

Experience has shown that there are a number of factors which are critical to the successful implementation of information security within your organisation:
- security policy, objectives and activities that reflect business objectives
- an approach to implementing security that is consistent with the organisational culture
- visible support and commitment from management
- a good understanding of the security requirements, risk assessment and risk management
- effective marketing of security to all managers and employees
- distribution of comprehensive guidance on information security policy and standards to all employees and contractors, and carrying out training and education
- a comprehensive and balanced system of measurement, which is used to evaluate performance in information security management and feed back suggestions for improvement.

Identifying your security requirements

The next step, before implementing the ISMS appropriate to your organisation, is to work out the level of security assurance required. Each organisation has different requirements for information security assurance and the system of controls to manage its risks will depend on these requirements. In deciding what these requirements are, your organisation needs to consider:
- the nature and extent of the risks it is facing
- the likelihood of the risks materialising and their impact on the organisation
- which risks are regarded as acceptable for the organisation
- the organisation's ability to reduce the occurrence of the risks
- the costs involved in implementing a system of controls relative to the benefits obtained by managing the risks.

Once these questions have been answered, your organisation can identify its security requirements related to the:
- business environment and legal and regulatory framework it operates in
- types of information it is storing and processing, and the information systems and applications it uses
- service providers, suppliers, customers and business and trading partners it has dealings with
- services and IT systems it employs to implement its information processing facilities.

Your requirements should be driven by the business needs of your organisation. Security requirements might vary within an organisation, depending on the size of it, and the nature of its business. Or it might be necessary to satisfy different requirements within different parts of the organisation.

To achieve the desired level of information security assurance it is also important to consider:
- what system of management controls is required to meet the desired level of security
- assessing the level of security available from service providers and suppliers to determine whether this is adequate to protect your organisation's information assets
- the security implications of exchanging sensitive or business critical information with trading and business partners and customers
- assessing the levels of risk to the information assets of the system(s) considered, and selecting controls to protect against these risks
- quantifying the level of assessment and evaluation necessary to ensure that the desired level of security is achieved by the services and IT systems used.

Examples of information security requirements

Information security protects:
- the data related to a company's customers from unauthorised disclosure or modification
- personnel details and records in accordance with legislation
- copyrighted information or software in compliance with the legal restrictions related to such information
- organisational records from loss, destruction or forgery
- marketing information from unauthorised access
- commercially sensitive business strategy and development plans for major new products or services from unauthorised access and disclosure
- very sensitive competitor, business partner or contractor assessments from unauthorised disclosure or modification
- patent secrecy information from unauthorised disclosure
- details of major acquisitions, investments and mergers from exposure.

Implementing your security requirements

The following staged approach describes how you can use the processes defined in BS 7799 Part 2 and the controls and guidance in ISO/IEC as a framework to achieve information security assurance:

BUSINESS OBJECTIVES
Define the direction, aims and objectives of information security of your organisation. Put them in a policy that has the approval and commitment of senior management.

SECURITY REQUIREMENTS
Identify the information security requirements of your organisation.

RISK ASSESSMENT
Assess the security risks related to the information security requirements of your organisation and the business assets. This should take account of the value and importance of the assets, the vulnerabilities associated with these assets, the threats that could exploit these vulnerabilities and the likelihood of occurrence and potential impact.

RISK TREATMENT
Identify the appropriate options to treat the risks and select a system of controls to reduce the identified security risks to an acceptable level. The risk treatment options available, the management decision process, and the levels of risk acceptance will vary from organisation to organisation.

ISMS IMPLEMENTATION AND USE
Implement the selected system of controls, put policies, procedures and training in place, and operate and use the ISMS you have built. The controls described in ISO/IEC should be used as a common basis and can be supplemented by additional controls, if needed.

ISMS ONGOING MANAGEMENT
Monitor the ISMS as part of your organisation's day-to-day operations and review its performance and effectiveness on a regular basis. Take account of the changing business and risk environment, and aim to make the necessary improvements to keep your ISMS operating effectively.

This offers the basis for establishing the assurance needed by your organisation, to deliver it, to be able to review and assess its current suitability and to maintain and improve it.

Achieving assurance

The following section takes each of the four areas where information security assurance is needed and explains how it can be achieved.

Achieving organisational assurance

Organisational assurance is achieved by all those actions that need to be taken by the organisation to ensure that its:

- information security policies and procedures are being enforced and adhered to
- ISMS is effective at managing its risks
- ISMS processes and system of controls are adequate for the purpose of providing and maintaining a specified degree of confidence in the confidentiality, integrity and/or availability of business information throughout its life cycle.

A fundamental question is: who are the stakeholders that require information security assurance, and for what business purpose and objective? Owners and shareholders want assurance regarding the well-being of the organisation; that it will achieve and maintain a healthy financial state. Business managers need to have confidence that their business processes, management controls and resources meet the necessary corporate requirements for assurance and satisfy the levels of performance expected of them. Staff and employees need confidence that they have job security and that their personal information is being protected. Customers require assurance that the delivery of products and services will meet their requirements, and that they will have ongoing support and maintenance from the organisation after delivery. Business partners involved in collaborative ventures and projects with the organisation need to be able to do business with it with confidence. The organisation, in turn, needs assurance from its suppliers that the products and/or services being delivered meet its requirements. The organisation itself also expects a certain degree of assurance from its customers with regard to the commercial arrangements it has in place: that the customer will comply with these arrangements and with the contractual obligations relating to the products and/or services the organisation offers to the customer.

Information is a key commodity in the decision-making process of any business, small, medium or large. It is also key to the effective management and operations of the business. Assurance regarding the confidentiality, timely and accurate delivery and availability of information is very important to the financial situation, performance, ownership and governance of the organisation. For medium and large-sized corporations, multinational companies and enterprises, there are various interested parties that require information security assurance: the shareholders, investors, creditors, insurers, the CEO and the board of directors, senior management, the staff and the organisation's customers. Each of these parties will have its own requirements and interests. In the case of the shareholders, for example, this covers aspects such as the protection of shareholders' rights, equitable treatment of shareholders, and the role of the shareholder in the governance of the organisation. Creditors, investors and shareholders will be looking for a healthy return on their investment and evidence of the sustainability of a financially sound business. These requirements need an appropriate framework to be in place for corporate governance, to ensure the strategic guidance of the organisation, the effective monitoring of management by the board, and the board's accountability to the organisation and the shareholders.

With regard to small-sized enterprises, many of these principles apply, though the scale of business complexity, organisational and management structure, operational functions, ownership and shareholder aspects is much reduced and generally not as involved. Nevertheless, a variety of assurance is still required by all the relevant stakeholders.

ESTABLISHING ASSURANCE

It is important that assurance requirements are well understood and articulated within the context of the organisation and its business, taking account of the interests of all relevant stakeholders. To satisfy these requirements the organisation needs to have an appropriate and effective ISMS in place. The organisation needs to ensure that the organisational structure, policies, procedures, processes and other management controls that constitute the ISMS are sufficient to deliver the required assurances.

DELIVERING ASSURANCE

Collectively, the organisation needs to deliver the necessary assurances to all interested parties. Management needs to be committed to its role in carrying out all those actions and activities that will ensure the ISMS delivers the desired assurances to owners, shareholders, customers and business partners. Management needs to:

- devote sufficient resources to the task of delivering and maintaining the desired level of assurance
- assign roles and responsibilities for information security
- ensure correct application of the system of controls.

Staff also play an important role, by being aware of the relevance and importance of information security in their day-to-day working environment, and by carrying out their responsibilities for implementing information security in a responsible way, adhering to the ISMS policies and procedures.

ASSESSING AND REVIEWING ASSURANCE

Objective assurance that the ISMS is adequate and effective at satisfying stakeholder requirements can be obtained by means of the different types of audit mentioned earlier (i.e. first, second or third party audits). This provides an independent and objective assessment to management that the risk management policies and system of controls it has established are adequate and effective. In addition, the systematic assessment of the business processes and controls can add value by identifying ways to improve the effectiveness of the ISMS. Internal ISMS audits are a mandatory part of BS 7799 Part 2 for claiming compliance with this standard, whereas third party audits are optional.

In order to ensure that the variety of assurances being delivered continues to satisfy the requirements of interested parties, regular reviews need to be part of your ISMS operations. Changes to the business environment are inevitable and sometimes unpredictable, and these can influence an organisation's ability to maintain the assurances required. There are several monitoring and reviewing activities that can take place to ensure that all controls and policies are adhered to and are adequate for their purpose, and that the ISMS is effectively managing the risks. They are a mandatory part of BS 7799 Part 2 for claiming compliance with this standard. These activities apply at different levels of management and staff, and they need to take account of the results of incident reporting and handling processes, reviews of controls, and suggestions and feedback from all interested and relevant parties. The purpose of these activities is to ensure that the ISMS remains effective and appropriate to satisfy the requirements for information security assurance.

These activities should include:

- using monitoring activities to detect errors and identify failures in the current security arrangements
- evaluating the performance of the security arrangements in place
- reviewing all risk assessments associated with:
  - changes to business requirements and priorities, or the legal environment
  - new threats and vulnerabilities
  - changes in technology, embracing new technologies and the effective investment in technology
  - corporate culture
  - changes in the supply chain and delivery of services
  - joint ventures
  - effects of new markets and competitors
  - outsourcing of key business processes
  - acquisitions, mergers, expansions, restructuring, downsizing
  - fraud
- confirming that controls remain effective and appropriate, and that policy objectives are met
- identifying and recording all the improvements that are needed, based on the results of these reviews.

The improvements identified by these monitoring and review exercises should be implemented, and corrective and preventive action taken to ensure that the ISMS continues to provide the assurance required.

Achieving supplier assurance

ESTABLISHING ASSURANCE

Most organisations need to make use of external third party suppliers and service providers to support their business. This includes information systems and data processing facilities that have been outsourced to third party organisations. In addition, service providers will sometimes need to have access to an organisation's information and information systems, to process, share or exchange information, and in some cases to manage information systems. Security arrangements supporting the organisation's ISMS and that of its suppliers and service providers should be in place to take account of the particular risks the organisation faces. These arrangements should be able to provide the organisation with the required level of assurance that its information and information systems are not at risk. This type of assurance concerns the extent of confidence in the service provider or supplier systems and processes: that any risk to the information assets is being properly managed and that any protection is adequate.

The following key elements of assurance apply to third party suppliers and service providers:

- Information security policies and procedures are being enforced and adhered to, and this includes compliance with legal, regulatory and contractual requirements for service use and supply.
- The security arrangements and the business and operational processes are effective at managing the risks.
- The system of controls is adequate for the purpose of providing and maintaining a specified degree of confidence in the confidentiality, integrity and/or availability of the information assets.

DELIVERING ASSURANCE

An important part of your organisation's actions to achieve supplier assurance should be a formal contract and service level agreement (SLA) between the parties. This should contain all of the necessary security requirements to ensure compliance with your organisation's security policy and standards, and fulfilment of all of your organisation's security requirements. ISO/IEC defines a number of the key security requirements that should be considered for inclusion in third party contracts, and, specifically with regard to outsourcing, ISO/IEC details additional contractual obligations for outsourced information processing, managed data services and IT systems.

Service providers and suppliers should implement all security arrangements as required by the contracts or SLAs, and should put all supporting activities in place to ensure that they are fulfilling the requirements. The implementation should include all arrangements for information transfer between the organisations, rules for how the staff of service providers or suppliers should handle your organisation's information, the level of service provision, and all other controls to achieve assurance as required by contracts or SLAs.

Service provider and supplier compliance with legal requirements (see the ISO/IEC controls relating to Compliance) is necessary to avoid breaches of any criminal and civil law, and of any statutory, regulatory or contractual obligations your organisation might become involved in. This needs to take account of the legal and regulatory framework in which the service provider or supplier organisation operates and the regional or global scale of the business. Consideration needs to be given to controls governing intellectual property rights, safeguarding organisational records, data protection and privacy, and the misuse of information processing facilities.

In addition to the management controls in ISO/IEC 17799, BS also provides other best practice controls specifically designed for the management of IT services. The BS standard covers aspects such as:

- service management planning
- service improvement
- service design and management
- service level management (the process of specifying and managing the levels of service required)
- availability management (the process of turning the requirements defined in SLAs into availability targets and managing the required availability)
- service continuity (the process to ensure obligations to customers can be satisfied in the event of a major service failure, disruption or disaster)
- service reporting (reliable and timely reports for decision making and service support)
- capacity management (controls to ensure that the organisation has sufficient resources to deliver and meet the demands for its services)
- relationship processes (controls to engender and maintain good working relationships between the service provider and its customers)
- resolution processes:
  - incident management (controls to handle incidents in a timely way to restore services to normal operation)
  - problem management (controls to identify and manage the underlying causes of service incidents)
- control processes:
  - configuration management (control and management of the components of the specific service or the service infrastructure, and protection of the integrity of the services and any related information systems)
  - change management (control and management of requests for change to the service).

ASSESSING AND REVIEWING ASSURANCE

In order to assess the assurance delivered by service providers and suppliers, your organisation needs to consider how it might review the security arrangements which are in place to comply with the contracts and SLAs. The security of the service provider and supplier facilities and processes can be assessed, and evidence obtained as to whether their information security arrangements are effective, in the different ways described in 'Assessment of an ISMS':

- The service provider or supplier organisation assesses its own security arrangements, e.g. via an internal audit function; your organisation then looks at its audit reports and supporting records of this activity to gain evidence that the security arrangements provide sufficient assurance for the requirements.
- Your organisation carries out its own assessments or audits (e.g. made possible through the inclusion of a right to audit the service provider in the contract with the service providing organisation). In this case, your organisation can audit their results and check their control selection to gain evidence that they have appropriate security in place.
- Your organisation insists on the service providing organisation being assessed by an independent third party, e.g. a certification body providing BS 7799 certification. In this case, it should be carefully checked that the scope of this certification includes all services the service provider is providing to your organisation.

In order to facilitate this, the contracts and SLAs should include a right to audit, which specifies what your organisation can do to assess the security arrangements in place. Whichever way the organisation decides to proceed regarding assessing the implementation of the agreed security arrangements, it is important that the following are covered:

- The service providers and suppliers have a security policy which describes their overall approach to information security and the controls in place for protecting your organisation's information and information systems, and the service provider or supplier organisation adheres to this policy.
- The system of security controls the service provider or supplier has in place is adequate and effective, and provides sufficient evidence that the level of assurance provided by these controls satisfies the identified requirements.
- They have in place processes for monitoring and reviewing:
  - vulnerabilities related to your organisation's information and other assets handled by the service provider
  - the impact on your organisation's business in the event of a security breach occurring in the service provider's facilities
  - the level of trust placed in those who have access to the service provider's information processing facilities.

If objective evidence cannot be found that your organisation's required level of assurance is being met, then action needs to be taken to improve the information security provided by the supplier. This may involve adding controls, changing the contract to provide more appropriate security and service arrangements, or even your organisation choosing to add its own additional controls to achieve more security and to reduce the risks related to the services provided.

Achieving business partner assurance

ESTABLISHING ASSURANCE

This type of assurance addresses the level of confidence in the security arrangements established between your organisation and your business and trading partners. This should include the requirements for securing those business processes that allow access to information, the sharing and exchange of information, and electronic transactions to take place. Your organisation needs to discuss with your business and trading partners what risks each party faces with regard to this relationship, and what the associated security requirements are. This should lead to all parties mutually agreeing what assurances are needed to satisfy these requirements. All parties should, in a contract or in some other commercial document or agreement, sign up to a set of security arrangements that will satisfy these requirements and deliver these assurances. The security arrangements between your organisation and its trading or business partners need to specify the information security policy and procedures that both parties should adhere to. This policy and these procedures should be supported by


^H 3RD EDITION ITGOVERNANCE A MANAGER'S GUIOE TO OATA SECURITY ANO DS 7799/IS017799 ALAN CALDER STEVE WATKINS. KOGAN PAGE London and Sterling, VA ^H 3RD EDITION ITGOVERNANCE A MANAGER'S GUIOE TO OATA SECURITY ANO DS 7799/IS017799 ALAN CALDER STEVE WATKINS KOGAN PAGE London and Sterling, VA Contents Foreword by Nigel Turnbull How to use this book

More information

Outsourcing and third party access

Outsourcing and third party access Outsourcing and third party access This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security

More information

Information Security Incident Management Policy and Procedure

Information Security Incident Management Policy and Procedure Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

Information Security Programme

Information Security Programme Information Security Programme Information Security Policy This document is issued in the strictest business confidence. It should be read in conjunction with a number of other supporting and complementary

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Harper Adams University College. Information Security Policy

Harper Adams University College. Information Security Policy Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11 Eidgenössisches Departement für Wirtschaft, Bildung und Forschung WBF Staatssekretariat für Wirtschaft SECO Schweizerische Akkreditierungsstelle SAS Checkliste für die harmonisierte Umsetzung der Anforderungen

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

COMMERCIALISM INTEGRITY STEWARDSHIP. Security Breach and Weakness Policy & Guidance

COMMERCIALISM INTEGRITY STEWARDSHIP. Security Breach and Weakness Policy & Guidance Security Breach and Weakness Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Security Breach & Weakness

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

IS INFORMATION SECURITY POLICY

IS INFORMATION SECURITY POLICY IS INFORMATION SECURITY POLICY Version: Version 1.0 Ratified by: Trust Executive Committee Approved by responsible committee(s) IS Business Continuity and Security Group Name/title of originator/policy

More information

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49.

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49. Safeguards Frameworks and Controls Theory of Secure Information Systems Features: Safeguards and Controls Richard Baskerville T 1 F 1 O 1 T 2 F 2 O 2 T 3 F 3 O 3 T 4... T n...... F l O m T F O Security

More information

Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds

Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds Original Article Healthc Inform Res. 2010 June;16(2):89-99. pissn 2093-3681 eissn 2093-369X Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds Woo-Sung

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

Security Standards. 17.1 BS7799 and ISO17799

Security Standards. 17.1 BS7799 and ISO17799 17 Security Standards Over the past 10 years security standards have come a long way from the original Rainbow Book series that was created by the US Department of Defense and used to define an information

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Information System Audit Guide

Information System Audit Guide Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE

More information

Health, Security, Safety and Environment (HSE)

Health, Security, Safety and Environment (HSE) Health, Security, Safety and Environment (HSE) Content: 1 Objective 2 Application and Scope 21 Application of HSE Directive with underlying documents 22 Scope of HSE Management system 3 Framework for our

More information

information systems security policy...

information systems security policy... sales assessment.com information systems security policy... Approved: 2nd February 2010 Last updated: 2nd February 2010 sales assessment.com 2 index... 1. Policy Statement 2. IT Governance 3. IT Management

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

IT Governance: The benefits of an Information Security Management System

IT Governance: The benefits of an Information Security Management System IT Governance: The benefits of an Information Security Management System Katerina Cai, CISSP Hewlett-Packard 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy Bolsover District Council North East Derbyshire District Council & Rykneld Homes Ltd Information Security Incident Management Policy September 2013 Version 1.0 Page 1 of 13 CONTROL SHEET FOR Information

More information

Acceptance Page 2. Revision History 3. Introduction 14. Control Categories 15. Scope 15. General Requirements 15

Acceptance Page 2. Revision History 3. Introduction 14. Control Categories 15. Scope 15. General Requirements 15 Acceptance Page 2 Revision History 3 Introduction 14 Control Categories 15 Scope 15 General Requirements 15 Control Category: 0.0 Information Security Management Program 17 Objective Name: 0.01 Information

More information

ISMS Implementation Guide

ISMS Implementation Guide atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation

More information

General Register Office for Scotland information about Scotland s people. Paper NHSCR GB 5/07. NHSCR s quality assurance procedures

General Register Office for Scotland information about Scotland s people. Paper NHSCR GB 5/07. NHSCR s quality assurance procedures General Register Office for Scotland information about Scotland s people Paper NHSCR GB 5/07 NHSCR s quality assurance procedures November 2007 NHSCR SCOTLAND INFORMATION GOVERNANCE STANDARDS Author: Muriel

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6 to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized

More information

COUNCIL POLICY R180 RECORDS MANAGEMENT

COUNCIL POLICY R180 RECORDS MANAGEMENT 1. Scope The City of Mount Gambier Records Management Policy provides the policy framework for Council to effectively fulfil its obligations and statutory requirements under the State Records Act 1997.

More information

Mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013

Mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013 ISO/IEC 27001 Mapping guide Mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013 Introduction This document presents a mapping between the requirements of ISO/IEC 27001:2005 and

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Information Security Guideline for NSW Government Part 1 Information Security Risk Management

Information Security Guideline for NSW Government Part 1 Information Security Risk Management Department of Commerce Guidelines Information Security Guideline for NSW Government Part 1 Information Security Risk Management Issue No: 3.2 First Published: Sept 1997 Current Version: Jun 2003 Table

More information

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

More information

U & D COAL LIMITED A.C.N. 165 894 806 BOARD CHARTER

U & D COAL LIMITED A.C.N. 165 894 806 BOARD CHARTER U & D COAL LIMITED A.C.N. 165 894 806 BOARD CHARTER As at 31 March 2014 BOARD CHARTER Contents 1. Role of the Board... 4 2. Responsibilities of the Board... 4 2.1 Board responsibilities... 4 2.2 Executive

More information

Electronic Information Security Policy - NSW Health

Electronic Information Security Policy - NSW Health Electronic Information Security Policy - NSW Health Document Number PD2013_033 Publication date 11-Oct-2013 Functional Sub group Corporate Administration - Information and data Corporate Administration

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Chapter 4 Information Security Program Development

Chapter 4 Information Security Program Development Chapter 4 Information Security Program Development Introduction Formal adherence to detailed security standards for electronic information processing systems is necessary for industry and government survival.

More information

NHS Business Services Authority Information Security Policy

NHS Business Services Authority Information Security Policy NHS Business Services Authority Information Security Policy NHS Business Services Authority Corporate Secretariat NHSBSAIS001 Issue Sheet Document reference NHSBSARM001 Document location F:\CEO\IGM\IS\BSA

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS

ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS Rising To Global Information Challenges Information is your most valuable commodity today. As a global enterprise servicing a wide range of businesses, ADEC

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

Governance and Management of Information Security

Governance and Management of Information Security Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information

More information