
Callio Secura 17799 White Paper
A tool for implementing the ISO 17799 / BS 7799 standard

Callio Technologies Product Support Services White Paper

By Rima Saliba, Information Security Analyst, Callio Technologies
René Saint-Germain, President, Callio Technologies

Abstract

This white paper presents Callio Secura 17799, a tool that includes everything you need to develop, implement, manage and certify your Information Security Management System (ISMS) based on the ISO 17799 / BS 7799-2 standard - the only international ISMS standard available today. With Callio Secura 17799 you apply a practical method of developing, implementing, managing, and certifying an Information Security Management System. Starting by defining the desired scope of your organization's ISMS, the process continues with assessing and managing risks, generating policies, implementing security controls in accordance with the risk analysis, controlling and publishing your ISMS policies, procedures and documentation, auditing your ISMS, and finally, reviewing and improving your ISMS.

Table of Contents

Introduction ... 1
ISO 17799 / BS 7799-2 Methodology and Callio Secura 17799 Tools and Modules ... 2
Callio Secura 17799 Structure ... 3
Steps for Implementing ISO 17799 / BS 7799-2 with Callio Secura 17799 ... 5
  Project Initiation (Methodology) ... 5
    Define the ISMS Scope (Project Management) ... 5
    Customize the Evaluation Scales (Project Management) ... 7
    Gather Existing Documentation (Document Management) ... 7
  Risk Assessment and Risk Treatment ... 8
    Definitions and Terminology ... 8
      Assets, Threats, Vulnerabilities and Legal & Business Requirements ... 8
      Risk ... 9
      Risk Assessment ... 9
      Risk Treatment ... 9
      Qualitative Risk Assessment Approach ... 10
    Risk Assessment Process and Modules in Callio Secura 17799 ... 10
      ISO 17799 Preliminary Diagnostic ... 11
      Asset Inventory ... 12
      Asset Evaluation ... 13
      Risk Identification ... 14
      Risk Evaluation ... 15
      Risk Calculation ... 16
    Risk Treatment ... 17
      Selection of ISO 17799 Controls ... 17
      Policy Management ... 18
      Template Selection ... 19
    Audit Preparation ... 20
      ISMS Diagnostic ... 20
      Statement of Applicability ... 21
    Document Management ... 22
    Reports ... 23
Advantages of Callio Secura 17799 ... 24
Technical Specifications ... 25
Conclusion ... 26

Introduction

Information exchange and other relations between businesses, organizations and administrations, both at national and international levels, create a need for the use of recognized standards in the management of information security.

Specialists in information security widely view ISO 17799 / BS 7799-2 as the answer to this need. As a model and reference, it enables an organization to define its own security goals and to develop an Information Security Management System (ISMS) that is customized to its needs.

The ISO 17799 standard makes recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. Its purpose is to provide a common basis for organizational security standards and for effective security management practice, thereby improving confidence in inter-organizational dealings. Recommendations from this standard should be selected and used in accordance with applicable laws and regulations.

Complementary to ISO 17799, the BS 7799-2 standard specifies requirements for establishing, implementing, operating, monitoring, reviewing, documenting, maintaining and improving an ISMS within the context of an organization's overall business risks. It specifies requirements for implementing security controls customized to the needs of individual organizations or parts thereof.

Consequently, implementation of the ISO 17799 / BS 7799-2 standard can be carried out in a series of steps, as touched on in the introduction to ISO 17799 and in the second part of BS 7799. These steps can be summarized as follows:

1- Identify what to protect and why
2- Identify what to protect from
3- Identify the risks
4- Learn how to protect your organization
5- Audit and certify your organization

To carry out the first three steps, you need to follow a methodology and use a risk-analysis tool. ISO 17799 does not specify requirements for methods of risk analysis, since each organization has its own particular needs and characteristics.

The bulk of ISO 17799 / BS 7799-2 is devoted to the fourth and fifth steps of the process, telling you "what to do" but not "how to do it". This is where Callio Secura 17799 comes in, helping organizations define the "how to" of managing information security, and providing tools for the development, management and certification of their Information Security Management Systems.

The following section presents the features and functionalities of Callio Secura 17799, beginning with the relation between the methodology of ISO 17799 / BS 7799-2 and the tools in Callio Secura 17799. Each module and implementation tool is explored, including the risk analysis tool, the policy generator, the diagnostics for audit and compliance, and the document management tool.

ISO 17799 / BS 7799-2 Methodology and Callio Secura 17799 Tools and Modules

As indicated by the title of this article, Callio Secura 17799 is a tool for implementing the ISO 17799 / BS 7799-2 standard. As such, it offers virtually everything needed to develop an Information Security Management System and to manage the documents required by the standard.

The table below shows the relation between the ISO 17799 / BS 7799-2 methodology and the tools and modules of Callio Secura 17799, which implement the standard in a practical way.

ISO 17799 / BS 7799 Methodology: Project Initiation
  Description: Ensure the commitment of senior management. Select and train members of the initial project team.
  Callio Secura 17799 Tools and Modules: Methodology: refer to this guide to initiate the project and to learn what tools should be used at each step of the standard's implementation.

ISO 17799 / BS 7799 Methodology: ISMS Definition
  Description: Identify the scope and limits of the information security management framework.
  Callio Secura 17799 Tools and Modules: Project management module.

ISO 17799 / BS 7799 Methodology: Risk Assessment
  Description: Diagnose the level of compliance with ISO 17799. Compile an inventory of, and evaluate, the assets to protect. Identify and evaluate threats and vulnerabilities. Calculate the value of associated risks.
  Callio Secura 17799 Tools and Modules: Risk assessment module, including preliminary diagnostic, asset inventory and evaluation, risk identification and evaluation, and risk calculation.

ISO 17799 / BS 7799 Methodology: Risk Treatment
  Description: Find out how selecting and implementing the right controls can enable an organization to reduce risk to an acceptable level.
  Callio Secura 17799 Tools and Modules: Control selection; consult selected controls; policy management; template selection.

ISO 17799 / BS 7799 Methodology: Training and Awareness
  Description: Employees may be the weakest link in your organization's information security. Learn how to set up an information security awareness program.
  Callio Secura 17799 Tools and Modules: Methodology; document management tool.

ISO 17799 / BS 7799 Methodology: Audit Preparation
  Description: Learn how to validate your management framework and what must be done before bringing in an external auditor for BS 7799-2 certification.
  Callio Secura 17799 Tools and Modules: ISMS diagnostic; statement of applicability.

ISO 17799 / BS 7799 Methodology: Audit
  Description: Learn more about the steps performed by external auditors and find out about BS 7799-2 accredited certification bodies.
  Callio Secura 17799 Tools and Modules: Document management tool.

ISO 17799 / BS 7799 Methodology: Documentation and Reports
  Description: Generate all ISMS reports and documentation, including the ISMS scope, policies, risk assessment report, risk treatment plan, procedures, statement of applicability, etc.
  Callio Secura 17799 Tools and Modules: Reports module: generate reports and send them to the document manager for control.

ISO 17799 / BS 7799 Methodology: Control of Documentation
  Description: Approve, review, update and publish ISMS documents.
  Callio Secura 17799 Tools and Modules: Document management tool.

ISO 17799 / BS 7799 Methodology: Control and Continual Improvement
  Description: Learn how to improve the effectiveness of your ISMS in accordance with the management model recognized by ISO.
  Callio Secura 17799 Tools and Modules: All Callio Secura 17799 modules as well as continual improvement tools.

Callio Secura 17799 Structure

The following diagram illustrates the structure of Callio Secura 17799. In each module, the user has access to the input and resources provided by Callio Secura 17799, and by the ISO 17799 / BS 7799-2 standard, in order to work on specific tasks in the implementation process. This gives the user everything he needs to generate the corresponding reports required for managing the ISMS.

Callio Secura 17799 helps you identify valuable assets by proposing examples of tangible and intangible assets and classifying them according to different categories. It also offers a substantial list of threats and vulnerabilities associated with each category of asset. It guides you through the implementation of your information security management framework by providing implementation, audit, interpretation and recommendation guides corresponding to each of ISO 17799's controls. It offers 35 policies and over 500 guidelines divided among the various sections of the standard. It also proposes over 100 documents to help you implement the standard, including examples, strategic plans and templates.

Steps for Implementing ISO 17799 / BS 7799-2 with Callio Secura 17799

1) Project Initiation (Methodology)

Learn how to get the ISO 17799 implementation project under way. More specifically, learn to:
- Encourage commitment from senior management;
- Choose and train all members of the initial team taking part in the project.

PowerPoint presentations and implementation diagrams are available in the methodology module. They will introduce you to the step-by-step approach to ISO 17799 implementation and BS 7799-2 certification.

- Define the ISMS Scope (Project Management)

Identifying the scope and limits of the information security management framework is crucial to the project. Define the mandate of the ISMS. More than one ISMS may be required depending on the IT systems, departments or projects within your organization that require independent information security management.

[Diagram: ISMS scope, including contracts and agreements. Source: BSI presentation (www.ceem.com)]

While defining the ISMS scope, identify the following:

Company: Enter the organization's name. This name will appear in reports as well as in the policies generated.

ISMS Name: Assign a name to your management framework. For example: Canadian Subsidiary of Company XYZ Inc.

Objective / Goal: In light of the initial intent, a clear decision must be made to either adopt the standard for compliance or obtain BS 7799-2 certification.

Scope: What administrative units and activities will be covered by the information security management framework? The answer to this question offers a fair representation of the organization's most important activities.

Limits / Boundary: The limits of the ISMS scope must reflect:
o The specific characteristics of the organization (size, field of endeavour, etc.);
o Location of the organization;
o Assets (inventory of all critical data);
o Technology.

Interfaces: The organization must take into account interfaces with other systems, other organizations and outside suppliers. Note: all interfaces with services or activities not entirely included within the limits of the ISMS definition should be considered in the ISMS certification submission and be part of the organization's information security risk assessment; for example, sharing equipment such as computers, telecom systems, etc.

Dependencies: The ISMS has to respect certain security requirements. These requirements could be of a legal or commercial nature. For example, an organization in the health sector may be subject to the Health Insurance Portability and Accountability Act (HIPAA).

Exclusions & Justifications: Any element or domain (part of a network or of an administrative unit) that is defined by the ISMS but not covered by a security policy or security measures must be identified and its exclusion explained.

Strategic Context: Planned security measures must take into account the actual or imminent position of the organization as determined by mission-compatible goals set by senior management. Examples of such goals include the acquisition of a new company, the merging of existing infrastructures, downsizing, or the decision to outsource information systems.

Organizational Context: The organizational environment affects the measures that must be implemented to meet certain management objectives. For example, outside access to company servers for teleworking purposes would require specific security measures.

ISMS Coordinator: This role may be assumed by a management committee made up of several members.

While defining the ISMS scope, the project leader must create work teams and select personnel to take part in the project. In view of the importance of documentation in the development and certification of an ISMS, these teams should reflect the way documentation will be organized in the document management tool. Personnel will then be assigned to the various teams, where each will have a specific role to play.

- Customize the Evaluation Scales (Project Management)

Before beginning the risk assessment, the project leader can define customized scales for asset evaluation and risk evaluation. These scales use qualitative values such as "low," "medium" and "high," which are then associated with numerical values, such as 1, 2 and 3.

- Gather Existing Documentation (Document Management)

The organization may already have documentation regarding information security management. It would therefore make sense to gather these documents together in the integrated document management tool.

The methodology guide provides a list of the types of documents to look for, such as:
- Security policy documents;
- Standards and procedures for policies (administrative or technical);
- Risk assessment reports;
- Risk treatment plans;
- Documents indicating the existence of information security controls or that reflect the ongoing management of the ISMS, such as audit journals, audit trails, computer incident reports, etc.

These documents should be reviewed by the implementation team, and controlled, revised and approved by senior management or by security officers. Should the company require a document management tool, it can use the one provided by Callio Secura 17799.

2) Risk Assessment and Risk Treatment

Once the project initiation step is completed, the next phase in Callio Secura 17799 is that of risk assessment and risk treatment.

- Definitions and Terminology

Assets, Threats, Vulnerabilities and Legal & Business Requirements

An organization's value resides in its assets. Assets can take a variety of forms, from the physical (buildings and equipment), to intellectual or informational (ideas, software and patents), or even the meta-physical (brand and reputation).

A given asset may present a weakness that makes it susceptible to attack or damage. This is referred to as an asset's vulnerability.

A threat is an incident with the potential to damage an asset. Various types of threats exist. Threats may be natural (tornados, earthquakes, floods) or man-made (computer viruses, industrial espionage, theft).

The statutory and contractual obligations that the organization must comply with, along with its trading partners, contractors and suppliers, constitute the legal requirements.

Business requirements, on the other hand, are the unique set of principles, objectives and requirements for information processing that the organization has developed and implemented in order to run its business operations and processes. These requirements apply to the organization's information systems.

Risk

When a threat exploits an asset's vulnerability, the asset is compromised. This compromise can affect the confidentiality, integrity or availability of the asset and results in a partial or total loss of value. This loss of value is called the asset's exposure.

The term 'risk' is used to describe the possibility or the likelihood of this compromise occurring.

Risk Assessment

The risk assessment process involves identifying and evaluating the risk of compromise and loss of value that exists for each asset.

Risk Treatment

During the risk treatment process an overall strategy is defined to deal with the risks identified during the risk assessment. Risks can be managed using one or more of the following four basic approaches:

- Avoiding the risk
- Accepting the risk
- Mitigating the risk
- Transferring the risk

Ignoring a risk is never an appropriate solution. However, risks can be avoided by removing potentially targeted assets from an area of risk or by abandoning the business activities that create security weaknesses.

Accepting the risk involves documenting the fact that no additional efforts will be made to deal with the risk in question. Risk mitigation refers to any steps that are taken to reduce the risk. When a risk is transferred, responsibility for dealing with the risk is passed on to another party. For example, transferring risk may include insuring the asset in question, or placing it under the protection of a third party. Risk treatment strategies focus to a large extent on minimizing risk. Controls may be implemented to protect an asset by addressing the vulnerability or threat, or by reducing the asset's value.

Risk assessment and risk treatment are both subjective processes. It is therefore important that asset owners and security personnel communicate effectively in order to successfully identify risks and create an overall management strategy.

Qualitative Risk Assessment Approach

A qualitative approach to risk assessment provides a simple way of measuring the value of an asset and the likelihood of a threat occurring. The values used can be described by a single word, such as "High", "Medium" and "Low". This approach deals effectively with the shortcomings of a quantitative approach by reducing the ambiguity inherent in figures.

- Risk Assessment Process and Modules in Callio Secura 17799

The risk assessment process involves completion of the following steps:

• Preliminary diagnostic;
• Identification of critical information and assets;
• Evaluation of critical information and assets;
• Identification of all security requirements: i.e. threats and vulnerabilities, legal and business requirements;
• Assessment of the likelihood of threats and vulnerabilities occurring, as well as the importance of legal and business requirements;
• Calculation of risk following completion of the above steps.

ISO 17799 Preliminary Diagnostic

Answer the preliminary diagnostic's 127 questions in order to form an initial judgement regarding the state of security of your management framework, based on the controls, processes and procedures required by the ISO 17799 standard.

Find out more about the ISO 17799 standard and each of its controls through the explanations provided for each question in the Guide.

Identify existing protective measures. Verify which controls have been completely or partially implemented, are non-applicable, or do not exist in your ISMS.

Asset Inventory

Identify and classify your organization's critical and sensitive information. This classification determines the level of importance of the information (confidential, internal use only, public, etc.).

Identify the tangible assets that process, handle, print, store or transmit the intangible information previously identified.

The "Asset Inventory" module offers a wide range of examples of assets to help you draw up the list of your own assets. The examples are divided among the following categories:

- Buildings and equipment;
- Documents;
- Software;
- Computer hardware;
- Human resources;
- Services.

Asset Evaluation

Before beginning the evaluation, customize your own evaluation scale (for example, 1- very low, 2- low, 3- medium, 4- high, 5- very high). Next, for each asset, evaluate the loss or damage that would result from a loss of confidentiality, integrity or availability, or by contravening legislation. Use the qualitative scale you initially defined in the "Project Management" module. Finally, justify your evaluation for each criterion for audit purposes.

Risk Identification

Identify vulnerabilities, threats and legal and business requirements and associate them with each asset that processes critical information.

Use the suggestions Callio Secura 17799 offers in terms of threats, vulnerabilities and legal and business requirements in order to refine this list.

Risk Evaluation

Using your own qualitative scale, evaluate the probability of threats that could exploit the vulnerabilities that have been identified for each asset. Next, determine which criteria - Confidentiality, Integrity, Availability, Legal - comprise the potential impact of a given threat.

Risk Calculation

View the risks you need to manage in order of priority. Risk value is calculated based on the likelihood of occurrence and the impact of these risks on the organization.

Risk = impact x probability of the threat occurring or of legal/business requirements not being met.

View the risk analysis report in order to make the right decision regarding each risk (reduce, accept, avoid, or transfer).
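The following Python script is an added illustration of the Asset Evaluation, Risk Evaluation and Risk Calculation steps just described; it is not code from Callio Secura 17799 or from the white paper. It uses a five-point qualitative scale of the kind the "Project Management" module lets the project leader define, rates each asset per criterion (Confidentiality, Integrity, Availability, Legal) with the justification an auditor will ask for, rates each threat's probability, and computes Risk = impact x probability. Two things are assumptions of this example rather than statements of the paper: impact is taken as the worst loss among the criteria a threat affects, and an "acceptable level" threshold is used only to flag which risks need a treatment decision (the choice between reduce, accept, avoid and transfer stays with the asset owner). The assets and threats are constructed sample data.

```python
from dataclasses import dataclass

# Qualitative evaluation scale, as customized in the "Project Management"
# module: labels associated with numerical values (constructed example scale).
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
CRITERIA = ("confidentiality", "integrity", "availability", "legal")


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    impact: dict          # criterion -> loss rating on SCALE
    justification: dict   # criterion -> reason recorded for the auditor


@dataclass(frozen=True)
class Threat:
    description: str
    vulnerability: str
    probability: str      # likelihood the threat exploits the vulnerability, on SCALE
    affected: tuple       # criteria whose loss the compromise would cause


def impact_value(asset, affected):
    """Impact of a compromise on the asset. Assumption: the worst loss among
    the affected criteria (the paper does not fix an aggregation rule)."""
    unknown = [c for c in affected if c not in CRITERIA]
    if unknown:
        raise ValueError(f"unknown criteria: {unknown}")
    return max(SCALE[asset.impact[c]] for c in affected)


def risk_value(asset, threat):
    """Risk = impact x probability of the threat occurring."""
    return impact_value(asset, threat.affected) * SCALE[threat.probability]


def risk_register(pairs, acceptable_level=6):
    """Rows ordered by risk, highest first. Risks above acceptable_level (a
    constructed threshold) are flagged as needing a treatment decision."""
    rows = []
    for asset, threat in pairs:
        value = risk_value(asset, threat)
        rows.append({
            "asset": asset.name,
            "threat": threat.description,
            "vulnerability": threat.vulnerability,
            "impact": impact_value(asset, threat.affected),
            "probability": SCALE[threat.probability],
            "risk": value,
            "needs_treatment": value > acceptable_level,
        })
    rows.sort(key=lambda r: (-r["risk"], r["asset"]))
    return rows


# Constructed sample data: two assets and three threat/vulnerability pairs.
CUSTOMER_DB = Asset(
    name="Customer database server", category="Computer hardware",
    impact={"confidentiality": "very high", "integrity": "high",
            "availability": "medium", "legal": "very high"},
    justification={"confidentiality": "holds personal data of all customers",
                   "integrity": "billing is computed from it",
                   "availability": "batch jobs tolerate a few hours of outage",
                   "legal": "personal data is covered by privacy legislation"})
LOBBY_PRINTER = Asset(
    name="Lobby printer", category="Computer hardware",
    impact={"confidentiality": "low", "integrity": "very low",
            "availability": "very low", "legal": "low"},
    justification={c: "shared printer used for visitor badges" for c in CRITERIA})

SAMPLE_PAIRS = [
    (CUSTOMER_DB, Threat("External intrusion", "unpatched database service",
                         "medium", ("confidentiality", "legal"))),
    (CUSTOMER_DB, Threat("Fire in server room", "no fire suppression",
                         "very low", ("availability",))),
    (LOBBY_PRINTER, Threat("Printout read by visitor", "documents left in output tray",
                           "high", ("confidentiality",))),
]


def example_register():
    """Risk register for the constructed sample, highest risk first."""
    return risk_register(SAMPLE_PAIRS)


if __name__ == "__main__":
    for row in example_register():
        flag = "TREAT" if row["needs_treatment"] else "accept"
        print(f'{row["risk"]:>3}  {flag:<6} {row["asset"]}: {row["threat"]}')
```

With this sample the intrusion scenario scores 5 x 3 = 15, the printer scenario 2 x 4 = 8 and the fire scenario 3 x 1 = 3, which is the priority order the "Risk Calculation" view would present; keeping the per-criterion justification next to the rating is what makes the later audit of the assessment defensible.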

- Risk Treatment

Selection of ISO 17799 Controls

Following your risk assessment, Callio Secura 17799 suggests administrative, technical and physical controls for implementation in your company. Choose whether or not to retain the suggested controls and justify your risk treatment decision regarding each control.

Refer to the guides in order to properly understand each control. Consult the implementation guides, the interpretation of the standard's recommendations, security issues, the objectives associated with each control, and the glossary, which contains over 250 words related to information security management.

Policy Management

Rapidly create your security policy using the wide selection of policies and directives proposed by Callio Secura 17799 (35 policies and over 500 guidelines divided among the 10 points of the ISO 17799 standard).

Once your risk analysis is completed, predefined policies are proposed in the "Policy Generator" tool. You do not need to create entirely new policies from scratch.

Create user groups and roles, then customize your policy coverage by sending each group only those policies that deal with that group's specialty. This strategy saves time and money, and helps complete the policy coverage in your organization.

Select, add, delete, modify and classify the policies required to meet your security needs. Entire sections of any policy can be modified using the policy management tool. You can change a policy's scope, objectives, guidelines, and audience, as well as the person responsible and the links between the policy and ISO 17799 controls and sections.

Prepare reports documenting your efforts to comply with internal or external guidelines.

Next, generate your customized security policy manual and export it to the document manager for revision and, finally, company-wide publication.

Template Selection

Over 100 documents, including models, checklists, examples, additional information and utilities, are available to help you implement ISO 17799 controls in your ISMS.

Choose the desired templates and export them directly into the integrated document management tool.

- Audit Preparation

ISMS Diagnostic

Verify whether your ISMS meets the requirements for BS 7799-2 certification.

The diagnostic's 81 questions will help you determine whether the ISMS framework you have developed can be effectively implemented, controlled, maintained, reviewed and continually improved as required by the standard.

Is the documentation required for certification being managed correctly? Is your organization responding adequately to its inherent security responsibilities? The diagnostic will help you find the answers.

Use the interpretation guide for each question in order to clarify the issues covered.

Statement of Applicability

Document and justify the applicability or non-applicability of the 127 controls in the ISO 17799 standard to your management framework.

Document the implementation status of each control for each informational asset.

Use the audit guide to ensure the effectiveness of the implementation of each control.

Prior to the documentation audit for BS 7799-2 certification, generate the general or detailed statement of applicability and export it to the document manager.

- Document Management

Bring together all of your files and documents, regardless of format, in a centralized database on the Web server.

Give your various work teams access rights to one or more directories, and assign privileges, such as reader, writer or approving officer, to each team member. Only users with assigned privileges can access documents in the document management system. These privileges are set up by the system administrator in the project management section.

Manage version control, follow-up, approval and publication of your files and documents. Audit and approve files for certification.
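As an added illustration of the document control model just described (directory-level reader, writer and approving-officer privileges set by an administrator, plus version control, approval and publication of each document), the Python below is example code and not part of Callio Secura 17799. The draft / under review / approved / published state machine, the rule that a published text is never altered in place but starts a new version, and the separation-of-duties check that an approving officer cannot approve their own edit are assumptions of this example; the users and the policy document are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    READER = "reader"
    WRITER = "writer"
    APPROVER = "approving officer"


class State(Enum):
    DRAFT = "draft"
    UNDER_REVIEW = "under review"
    APPROVED = "approved"
    PUBLISHED = "published"


@dataclass
class Document:
    title: str
    directory: str
    state: State = State.DRAFT
    version: int = 1
    last_editor: Optional[str] = None
    history: list = field(default_factory=list)   # follow-up trail kept for the audit


class DocumentManager:
    """Directory-level privileges, set by the system administrator, and the
    version / approval / publication cycle of the documents in them."""

    def __init__(self):
        self._grants = {}   # (user, directory) -> set of Role

    def grant(self, user, directory, role):
        self._grants.setdefault((user, directory), set()).add(role)

    def _roles(self, user, doc):
        return self._grants.get((user, doc.directory), set())

    def _require(self, user, doc, role):
        if role not in self._roles(user, doc):
            raise PermissionError(f"{user} is not {role.value} for '{doc.directory}'")

    def read(self, user, doc):
        # Only users holding some privilege on the directory can access it at all.
        if not self._roles(user, doc):
            raise PermissionError(f"{user} has no access to '{doc.directory}'")
        return doc

    def edit(self, user, doc, change):
        self._require(user, doc, Role.WRITER)
        if doc.state is State.PUBLISHED:
            doc.version += 1        # published text is never altered in place
        doc.state = State.DRAFT
        doc.last_editor = user
        doc.history.append((doc.version, user, "edit", change))
        return doc.version

    def submit(self, user, doc):
        self._require(user, doc, Role.WRITER)
        doc.state = State.UNDER_REVIEW
        doc.history.append((doc.version, user, "submitted for review", ""))

    def approve(self, user, doc):
        self._require(user, doc, Role.APPROVER)
        if doc.state is not State.UNDER_REVIEW:
            raise ValueError(f"document is {doc.state.value}, not under review")
        if user == doc.last_editor:
            # Assumption: separation of duties, an author does not approve own edits.
            raise PermissionError(f"{user} cannot approve their own edit")
        doc.state = State.APPROVED
        doc.history.append((doc.version, user, "approved", ""))

    def publish(self, user, doc):
        self._require(user, doc, Role.APPROVER)
        if doc.state is not State.APPROVED:
            raise ValueError(f"document is {doc.state.value}, not approved")
        doc.state = State.PUBLISHED
        doc.history.append((doc.version, user, "published", ""))


def demo():
    """Constructed walkthrough: a writer drafts, an approving officer approves
    and publishes, a reader cannot edit, an unassigned user cannot even read."""
    dm = DocumentManager()
    doc = Document("Access control policy", "policies")
    dm.grant("alice", "policies", Role.WRITER)
    dm.grant("bob", "policies", Role.APPROVER)
    dm.grant("carol", "policies", Role.READER)
    dm.edit("alice", doc, "initial text from the policy generator")
    dm.submit("alice", doc)
    dm.approve("bob", doc)
    dm.publish("bob", doc)
    denied = []
    for user, action in (("carol", lambda: dm.edit("carol", doc, "x")),
                         ("dave", lambda: dm.read("dave", doc))):
        try:
            action()
        except PermissionError:
            denied.append(user)
    dm.edit("alice", doc, "revised after audit")   # starts version 2 as a draft
    return doc, denied


if __name__ == "__main__":
    document, refused = demo()
    print(document.state.value, "v" + str(document.version), "denied:", refused)
```

The history tuples are the follow-up record an auditor reviews before certification: every version change, review submission, approval and publication is attributable to a named user holding the privilege the step required.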

- Reports

Callio Secura 17799 provides the following reports, which you can view onscreen, print, or automatically export to the document manager for later review and maintenance:

- ISMS goal and scope
- ISO 17799 compliance report
- Inventory of assets and critical information
- Risk analysis report
- Risk treatment plan outline
- Statement of applicability
- Customized security policies

These are the necessary reports demanded by the ISO 17799 / BS 7799-2 standard.

Advantages of Callio Secura 17799

This section highlights important benefits of Callio Secura 17799 and itemizes key features that work together to offer those benefits. Here is a quick review:

- A comprehensive tool for implementing the ISO 17799 / BS 7799-2 standard
- Available in English and French
- Easy to install: Web application installed on the company server and accessible to all internal and external users via their browsers
- Document management centralized in one module. Offers a single location for document storage instead of documents being scattered throughout the organization
- 36 policies and over 500 directives that can be modified and customized to meet your security needs
- Uses ISO 17799 format for information and for policy statements
- Creates an entire policy document from a provided sample
- Over 100 templates and working papers
- Guides and explanations are offered at each step of the ISMS implementation process
- Safe: unauthorized users cannot alter or access any part of the application
- Secure: only users with appropriate permissions can create, edit, and manage policies and other documents and procedures
- Provides simple, easy-to-read reports that can be exported to the document management tool for printing, storage, or subsequent maintenance

Technical Specifications

Server Requirements
  Computer: IBM® or compatible (800 MHz and up)
  Random Access Memory (RAM): 512 MB
  Disk Space: 1 GB (minimum), 2 GB (recommended)
  Network Adapter: 100 Mbps
  Operating System: Windows® NT, 2000, XP or 2003
  Database: MySQL
  Web Server: IIS 4/5/6, Apache® 1.3.x / 1.2.x
  Software: Macromedia® ColdFusion® MX Server

Client Requirements
  Computer: IBM® or compatible (Intel Pentium® and greater)
  Resolution: 800 by 600 pixels or higher
  Web Browser: Internet Explorer® 5.x, 6
  Software: Word processing software

Conclusion

Many organizations already possess the information they need to create a strong security program. What they typically lack, however, is a routine, ongoing mechanism to track progress against a norm and to build a solid framework.

Callio Secura 17799 is a simple but effective technique for implementing an information security management system framework, based on the ISO 17799 / BS 7799-2 standard.

It is powerful, capable of providing an enterprise-wide management framework covering every security need. It is flexible, with each component letting you link existing information instead of re-entering data or creating it from scratch; for example, it suggests the likeliest threats to an organization's assets, and once a risk analysis has been performed it provides full-fledged security policies that you can modify as you wish. Its logical workflow leads to a greater understanding of the security needs of every asset and of the organization as a whole. Finally, by helping to ensure that risk assessment is thoroughly informed, Callio Secura 17799 offers the ultimate capability in risk analysis, giving accurate pictures of risk levels and of the appropriate security controls for your organization's computing environment.

www.callio.com

Callio Technologies
740, Galt Street West, Suite 10
Sherbrooke (Quebec), Canada, J1H 1Z3

www.callio.com

Telephone: (819) 820-8222
Toll-free: 1-866-211-8222
Fax: (819) 820-9518
Information: [email protected]
Human Resources: [email protected]: [email protected]