  Extensity Newsletter
Vol. I   Issue 11   June, 2004
Know-How

The Standard

In my previous article we looked at questions such as where the Indian market stands with respect to information security and whether we really need to be talking about the BS 7799 standard. My research showed a definite need to manage information security effectively and efficiently. Since BS 7799 aims in the same direction, let us briefly understand the standard.

BS 7799 is organised into 10 sections. A brief description of each is given below.

Security policy: In common with other management quality systems, BS 7799 emphasises management commitment to provide direction and support for information security. This commitment is evidenced by a formal, documented information security policy.

Security organisation: This section covers the management of information security within the organisation. It sets out how you would maintain the security of organisational information processing facilities and information assets accessed by third parties, and how you would maintain the security of information when responsibility for information processing has been outsourced to another organisation.

Asset classification and control: This section sets out a framework for maintaining appropriate protection of organisational assets through accountability for assets (an inventory with a named owner for each) and information classification.

Personnel security: Emphasis is placed on job definition and resourcing to reduce the risks of human error, theft, fraud or misuse of facilities. Here the standard seeks to ensure that users are aware of information security threats and concerns, and are equipped to support the organisational security policy in the course of their normal work, through user training and incident reporting and response mechanisms.

Physical and environmental security: Physical and environmental security is given due emphasis to prevent unauthorised access to, damage to or compromise of business premises, business equipment and general equipment.

Communications and operations management: This section seeks to achieve the three pillars of security, confidentiality, integrity and availability, for operational procedures, software, information, data and communications.

Access control: This section is aimed at preventing unauthorised access to protected information, database applications, networked systems and services. It also covers mobile computing and teleworking, to ensure information security when such facilities are used.

Systems development and maintenance: Security should be a first-order concern throughout the design and development of any software or application. This section discusses the use of cryptographic controls to maintain the confidentiality, authenticity or integrity of information.

Business continuity management: This section delves into the preparations required to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

Compliance: This section is dedicated to avoiding breaches of any criminal or civil law, or of statutory, regulatory or contractual security obligations. Review of the security policy, to ensure that systems comply with organisational security policies and standards, is also part of this section.

The next article will be the last in the series "Demystifying BS 7799". It will look further at the benefits that can be gained by implementing this information security standard.

- Montu Das
