
Computers & Security, Vol. 18, No. 4 (1999) 307-311

The Revised Version of BS7799 - So What’s New?

Chris Pounder

Is the release, in late April, of a revised standard ‘A Code of Practice for Information Security Management’ (BS7799-1: 1999) an important keystone, a publication which most organizations should read and inwardly digest? Or is the recent publicity about the latest version of the Code the result of an over-the-top PR strategy which is attempting to re-launch an old standard in a new guise; mutton dressed as lamb, to summarize the point succinctly. This article is intended to help the reader decide between these two extremes. It first explores the main changes to the content and then considers the changes in the legislative environment under which the provisions of BS7799 will be interpreted.

Changes to the Text of BS7799

Although the first version of the Code specified over 200 controls, it drew particular attention to ten ‘Key Controls’ which were always identified as such in the text; this emphasis gave the impression that a failure to meet any Key Control would be fatal to an organization’s objective, for example, of seeking accreditation as satisfying the requirements of the Code.

The second version of the Code avoids implications like this by carefully avoiding language which is prescriptive. Thus, for example, BS7799 takes “the form of guidance and recommendations” for best practice; it should “not be quoted as if it were a specification” for secure processing or as a definitive guide. Nor is there any guarantee that an organization, which implements the security controls identified in the Code, is secure.

Nevertheless, nine of the ten Key Controls of the first version do find expression in the new text either as part of the three “essential” controls, or contained within the five controls which are specifically identified as necessary to ensure “common best practice”, or mentioned as a component of eight “critical success factors” which “experience has shown” to be vital to the implementation of good security. In further detail:

(a) The three controls “considered to be essential to an organization from a legislative point of view” reflect statutory obligations which are necessary to ensure that any processing is lawful. For example, obligations with respect to protecting intellectual property rights, safeguarding organizational records and data protection and privacy of personal information.

(b) The five “common best practice” controls which are explicitly identified relate to: the content of the security policy document; the allocation of security responsibilities to staff and managers; the importance of security training; the reporting of security incidents as they arise; and the need for organizations to have a business continuity plan in the event of a catastrophic failure in their information systems.

(c) The eight “critical success factors” are all non-technical and are directed at management. In most cases, they amplify the common best practice controls identified above. However, one critical success factor, to “evaluate performance in information security management”, for example by measuring compliance with a particular procedure or policy, was identified as a Key Control of the 1995 Code.

(d) Only one Key Control identified in the first version of BS7799 has been ‘relegated’ as such; this related to preventing the spread of computer viruses. The new Code, instead, identifies such anti-virus controls as an important component in the need for an organization to protect itself against all varieties of unauthorized or malicious software, of which a computer virus is but one example.

0167-4048/99$20.00 © 1999 Elsevier Science Ltd. All rights reserved.

Another major change is that the emphasis on “IT” in the 1995 Code has been replaced by one which stresses “information” or “information processing”. This is more than a semantic change; it means that the security provisions of the 1999 Code are to be extended, for example, to information in non-automated files. In a sense, therefore, the new text begins to serve the requirements of the Data Protection Act 1998 which, unlike the 1984 Act, does not distinguish between automated and non-automated files, and which also contains a very broad definition of “processing” (any operation, whether automated or non-automated, which is performed on personal data). For many organizations which provide services that are dependent on the collection of manually-based case files (for example, social services and immigration), amending security policies and practices beyond electronically processed data will not be a trivial affair.

The result is also to make BS7799 effectively independent of technology; for example, the section on information exchange identifies controls which are relevant to the transfer of databases via the Internet and to simple exchanges of information in a telephone conversation. Consequently the Code becomes applicable to a wider number of situations where information security is a potential problem in its most general sense.

In addition, the applicability of the Code has been enhanced by the removal of references specific to the UK. For example, unlike the first version, there is no mention of the eight Principles of the UK’s Data Protection Act, or reference to specific provisions of the Computer Misuse Act 1990, the Companies Act 1985 or the Copyright, Designs and Patents Act 1988. In their place are references to general legislative obligations so that BS7799 will be “more internationally applicable”.

A criticism often levelled at the first version of BS7799 was that it gave little guidance on how to select, apart from the obligatory Key Controls, the security controls which were most likely to be relevant to a particular set of circumstances. The new version of BS7799 now follows the practice adopted by most information security practitioners and provides details on the prior need for “a methodical assessment of security risks” and an approach which minimizes those risks so identified. BS7799 then notes that once the risk analysis is completed, the Code can help to provide “examples of common approaches” to the controls necessary to achieve particular security objectives.

Two sections of the Code have been substantially reworked. For instance the section on “Computer and Network Management” of the 1995 Code has been renamed as “Computer and Operations Management”, where the word “operations” covers every aspect of information processing. For example, text has been added to help secure other forms of electronic messaging (e.g. mobile computing, voice mail) as well as non-automated forms of disclosure (e.g. by use of phone, postal services or fax machines).

The text on access control has also been changed to reflect the development of E-commerce and Internet applications. For instance, the brief paragraphs on encryption and authentication of the first version of the Code have been significantly extended to include additional detailed sections on cryptographic policy, digital signatures and key management techniques.

In addition the Code contains security controls which are relevant to electronic mail, output validation, covert channels and Trojan code and provides new paragraphs on homeworking or teleworking. Given that the latter is becoming a burgeoning industry, the Code covers the need to extend existing security policies and procedures so that they identify when remote connection can occur, by whom and to what databases, and the controls necessary to cover those circumstances when matters go awry.

Several other parts of BS7799 have been amended or substantially altered; for example:

(a) The text on the valuation and importance of assets has been augmented; for example, to have regard to the security classifications used by other organizations when their data are exchanged. However, BS7799 also reminds readers that such asset classification systems can easily become “cumbersome”, “uneconomic” or “impractical”. In addition, the concept of information classification has been extended to include labels which indicate the integrity of data or its availability.

(b) The description of the security issues associated with third party access has been substantially extended. This includes details which should be considered for being specified in third party contracts and in outsourcing contracts.

(c) The section on business continuity management (a “common best practice” control) has been restructured and extended to put more emphasis on management processes. For example, procedures associated with the production of tested business continuity plans and a commitment towards maintenance of such plans.

Changes to the Legislative Environment Under Which BS7799 Will Operate

The constitutional reforms, implemented by the UK’s new Labour Government, have profoundly changed the environment under which the new version of BS7799 will operate. These changes, which encompass the Data Protection Act 1998, the Human Rights Act 1998 and the draft Freedom of Information Bill (published in May), will eventually mean that compliance with the Code will form part of an organization’s defence mechanisms.

The reason for this can be explained simply. In summary, compliance with BS7799 will not imply that an organization is compliant with its many legal obligations; however, failure to consider BS7799 seriously could harm its defence in cases where the poor or lax security of information becomes an issue. Opponents wishing to prove their case can be expected to use any discrepancy from the controls identified in BS7799 as useful ammunition in proving that an organization was negligent of its security obligations.

The legislation which is likely to provide BS7799 with its biggest boost is the Data Protection Act 1998 since this Act introduces several new, explicit security requirements. For example, the Act requires the level of security offered by an outsourcing party to be a factor in the choice of that party, and for contractual arrangements with such parties to contain specific security guarantees which must be audited.

In anticipation of this change, the Data Protection Registrar has been considering BS7799 in the context of assessing an organization’s response to its statutory security obligations. For example, in a document entitled “Information Security - A Consultation Paper”, issued at the end of 1997, the Registrar noted that “At the top end of the risk spectrum” (e.g. particularly sensitive processing operations such as those involving health records), “it may be appropriate to require formal compliance with British Standard BS7799”. This indicates, at the very least, that in any future investigation, the Data Protection Commissioner of the 1998 Act is likely to take into account an organization’s attitude (the Data Controller’s attitude, to use the correct data protection jargon) towards BS7799.

So it is worth exploring the relationship between data protection and BS7799 in detail. Firstly, the Data Controller could well be under a new obligation to register security details, by means of a statement which describes their baseline security. This arises by virtue of Section 18(2)(b) of the Act, which requires those Data Controllers who must give (or who volunteer to give) registration details to the Data Protection Commissioner, to include “a general description of measures to be taken for the purpose of complying with the seventh data protection principle”. This description of security will not be in the public domain as the Act carefully excludes it from the list of registrable particulars which can be inspected by the public (Section 19(2)).

However, such details do permit the Commissioner to begin to assess, independently, the state of security compliance adopted by a Data Controller. If the Controller’s registration is found to be inadequate (perhaps following a complaint associated with a breach of security such as an unauthorized disclosure of personal data), then the Commissioner has powers to obtain further details about the security procedures associated with the processing (via an Information Notice; Section 43). In the worst cases, if the Data Controller were judged to have registered misleading security details which did not, in practice, apply to the processing, then the Controller could face prosecution.

In other words, Data Controllers must anticipate that the adequacy of their internal security procedures associated with the processing of personal data, and the related management and contractual arrangements, can become the subject of independent scrutiny. What Controllers do in practice will be assessed against what they have stated they do in theory, and in making this assessment, the Commissioner is likely to refer to BS7799. If this is the case, then it follows that the obvious defence is to align controls and procedures with those recommended in BS7799.

It will be useful to link the obligations in the Seventh Data Protection Principle (the Principle which is most relevant to ‘security’ matters) with specific parts of the second edition of BS7799; this is especially the case since the most important provisions of this Principle are not subject to the phasing-in period which ends in October 2001. In summary the Principle (and its Interpretation) require a Data Controller:

(a) To take “appropriate organizational measures” to secure the data. Such considerations point to the need for some kind of IT security management infrastructure and make it essential that formal records are kept as proof that security arrangements were established; proof would be needed if the Data Controller had to demonstrate that it had taken all reasonable steps to secure the personal data in its care. These aspects are covered in sections 3 to 5 of BS7799 which deal with the need for “security organization”, a formal “security policy” and “asset classification and control”. These sections also relate to the main elements of the five “common best practice” controls and the eight “critical success factors” as identified previously.

(b) To “take reasonable steps to ensure the reliability of any staff of his who have access to the personal data”. There are three main connotations of the word ‘reliable’: staff can be made ‘reliable’ by training them in the correct security or data protection procedures; ‘reliable’ staff are those individuals who have been vetted, or otherwise approved, prior to being permitted to access personal data (for example, by taking up references, checking qualifications); staff become more ‘reliable’ (for example, in the processing of personal data by means of a desktop computer) if the environment in which they work meets best practice with respect to health and safety standards (e.g. with respect to the use of VDUs). All these provisions are essentially covered in a section of the Code devoted to Personnel Security; staff education and training is regarded as a “common best practice” control.

(c) To take appropriate security measures to guard against all forms of unauthorized processing (for example, taking measures to guard against unauthorized access, alteration, use, disclosure, deletion or destruction of personal data). These aspects are mainly covered in sections 7 to 9 of BS7799 which deal with physical security, communications and operations management, and access control. These provisions, as already indicated, extend to teleworking and all forms of communications between organizations.

(d) To choose suppliers of services (‘Data Processors’ to use the correct data protection jargon) which formally guarantee the expected level of security. The Data Controller must also ensure that agreed security standards are maintained. These aspects are covered in detail in paragraphs 4.2 and 4.3 of the Code which list over forty considerations (for example, the involvement of sub-contractors) which should formally be agreed between Controller and Processor.

(e) To “ensure a level of security appropriate to . . . the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle and (to) the nature of the data being protected.” This is in harmony with the revised BS7799 which now expressly states that “security requirements are identified by a methodical assessment of security risk”.

(f) To take precautions against “accidental loss, destruction or damage” which can be the outcome of a range of incidents (e.g. theft of a home computer, leaving a laptop on a train, a major fire in a computer centre). BS7799 devotes a complete section to business-continuity planning and identifies it as a “common best practice” control.

Security considerations also arise under the Eighth Principle of the 1998 Act which outlines a number of conditions which would permit personal data to be transferred legitimately to another country or territory. One of these conditions is that Data Controllers should have regard to “any security measures taken in respect of the data in that country or territory”. Clearly, therefore, ensuring that the personal data in another country or territory are secured in accordance with BS7799 will go a long way to meeting this condition. After all, if the Commissioner uses the Code as a benchmark for the Seventh Principle, it follows that it will be used as such with respect to the Eighth.

With respect to the Human Rights and Freedom of Information (FOI) legislation, BS7799 can be expected to play a more tangential role. For example, the Human Rights Act requires public bodies to demonstrate that “Everyone has the right to respect for his private and family life, his home and his correspondence”. If breaches of privacy arose from poor security, an argument likely to be raised would be that an organization which was not even adopting basic BS7799 standards would be showing disrespect. Similarly, suppose a public body fails to deliver its services reliably because of continued unavailability of information. Aggrieved taxpayers could use the general right of access to records, granted by FOI, to explore why this was a problem. There again, failure to comply with a British standard would show that authority in a very poor light.

Concluding Comment

So back to the question at the beginning: can the revised ‘Code of Practice for Information Security Management’ (BS7799-1: 1999) be ignored? Well, if your organization is looking for trouble in the future, I suppose the answer to this question is “yes”.
