Compliance and Security

February 20, 2007 – Emmanuel Sodipo

It is possible to have excellent security and not be compliant, and it is also possible to pass a compliance audit while having very poor organizational security. The illusion that compliance equals security has led organizations to overspend on compliance to the detriment of security.

There are five principles for balancing compliance with security:

o Base your security program on a security framework
o Leverage compliance budgets for information security controls
o Automate policy compliance and auditing
o Be prepared to manage change in threats and regulations
o Create an effective awareness and training program

Different organizations, information security professionals and consulting companies approach a security program in different ways. Many organizations follow the ISO 17799 approach (from the International Organization for Standardization) and a few follow the COBIT standard (Control Objectives for Information and Related Technology); both are good starting points. There is also another approach, the Sherwood Applied Business Security Architecture (SABSA).

The SABSA model assigns a different role to each layer, and each role works from its own perspective:

o Business owner - Contextual
o Architect - Conceptual
o Designer - Logical
o Builder - Physical
o Tradesman - Component
o Facilities Manager - Operational

The SABSA model slices an enterprise into six layers so that security effort can be more focused and more business-oriented. Although the model is theoretical and academic in nature, once an organization has its security building blocks in place it can evolve past the ISO model and implement SABSA.

6.1 Complying with BS7799/ISO 17799

The standard, which covers development and implementation from both a business and a technical perspective, consists of two parts:
Part 1

o Code of practice for information security management

Part 2

o Specification for information management systems

Why Implement:

o Helps realize the security policy
o Builds a level of business confidence
o Easy and flexible architecture
o Common standard
o Position of strength
o Ability to leverage business benefits
o Develop best practice
o Introduce benchmark standards
o Recognized international standards

The standard was developed from the following legislation:

o Data Protection Act 1984
o Data Protection Act 1988
o Data Protection Act 1998
o Computer Misuse Act 1990
o Copyright Designs and Patents Act 1988
o Human Rights Act 2000
o Regulatory Investigatory Powers Act 2000 (RIP Bill)

BS7799 Contents of Part 1

o Scope
o Terms and definitions
o Security policy
o Security organization
o Asset classification and control
o Personnel security
o Physical and environmental security
o Communications and operations management
o Access control
o Systems development and maintenance
o Business continuity management
o Compliance

BS7799 Contents of Part 2

o Scope
o Terms and definitions
o Information security management system requirements
o Detailed controls
1. Security policy
2. Security organization
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and environmental security
7. Communications and operations management
8. Access control
9. System development and maintenance
10. Business continuity management
11. Compliance

Critical Success Factors

o Policies, Objectives and Activities that reflect business objectives
o Appropriate resources
o Consistency with culture
o Visible support and commitment from management
o Clear understanding of the security requirements and risk
o Effective marketing of security to all employees
o Distribution of information to all partners, suppliers, employees and contractors
o Providing appropriate training and education
o Key performance indicators

Selecting Controls

o Identify business objectives
o Identify business strategy
o Identify security strategy
o Identify and implement controls

Key controls

1. Information security policy document
2. Allocation of security responsibilities
3. Information security education and training
4. Reporting of security incidents
5. Virus controls
6. Business continuity planning
7. Control of proprietary software copying
8. Safeguarding of company records
9. Compliance with data protection legislation
10. Compliance with the security policy

Certification requirements for BS7799 /ISO 17799

The organization shall establish and maintain a documented ISMS.

Management framework

1. Risk management approach
2. Identify control objectives and controls
3. Documented evidence:
- evidence of the actions undertaken
- a summary of the management framework
- the procedures adopted to implement the controls
- the procedures covering the management and operation of the ISMS

In 2005 the International Organization for Standardization released ISO 17799:2005, which establishes guidelines and general principles for initiating, implementing, maintaining and improving information security in an organization. Its controls are intended to be implemented to meet the requirements identified by a risk assessment.

Management framework

o Define the policy
o Define the scope of the information security management system
1. Characteristics of the organization
2. Location
3. Assets
4. Technology

o Undertake risk assessment
1. Threats
2. Vulnerabilities
3. Impacts
4. Degree of risk

o Manage the risks
o Select control objectives & controls
o Prepare statement of applicability
1. Selected control objectives and rationale
2. Exclusion of controls and rationale

6.2 Applying BS7799/ISO17799

o A Practical Approach
o Gap Analysis
o Action Planning
o Risk Assessment and Treatment
o Developing an improvement program
o Effective Statement of Applicability
o Planning and Costing a BS7799/ISO17799 project
o ISMS (Information Security Management System)
o Audit

How to do BS7799/ISO17799 Projects

Who to Interview

o Security Management: Security Policy / Organization
o Security Management: Asset Classification and Control
o Typically HR: Personnel Security
o Site Security / IT Manager: Physical and Environmental Security
o Business Manager / IT Manager: Communications and Operations Management
o System Administration Staff: Access Control
o Development Staff: System Development
o Business Continuity Manager: Business Continuity Management
o Internal Audit / Legal: Compliance
o Appropriate staff / line management: Business / Information Processes

A Good Gap Analysis

o Clearly defined scope
o Clear findings against each control (good areas as well as gaps)
o The ISMS
o Clear practical and appropriate recommendations leading to compliance
o All recommendations reinforced and supported by findings

Finalizing Resources

o Match actions with in-house resources and confirm availability
o Identify availability shortfalls
o Identify where specialist support is needed
o Obtain necessary approvals for SIP
o Ensure the group has access to the full Gap Analysis Report for guidance
o Establish the ISMS through the creation of the Information Security Forum

6.3 Risk Assessment and BS7799/ISO17799

o Define a systematic approach to risk assessment
o Identify the risk
o Assess the risk
o Select control objectives and controls for the treatment of risk
o Identify and evaluate options for the treatment of risk

Generic Steps

o Identify assets
o Identify asset dependencies
o Business Impact Assessment (Asset Valuation)
o Threat Assessment
o Determine levels of risk (Risk Assessment)
o Countermeasures Selection
o Map to BS7799/ISO17799
o Risk Treatment

Document Management

BS7799/ISO17799 section 4.3 calls for
o Distribution /Availability to staff as required
o Version/ Change control
o Documents to be dated (Including previous versions)
o By implication, documents must be uniquely identifiable and fully controlled

ISO 9001 compliance is an advantage

Appropriate change control is needed for an intranet-based document solution.

10 Tips for Success

1. Ensure senior management involvement
2. Recommend a realistic and useful scope
3. Develop a good risk assessment
4. Promote Active Risk management
5. Interpret the controls for the scope
6. Ensure early Security Forum creation
7. Ensure maximum use of the Statement of Applicability
8. Get internal third parties to sign up
9. Get audits underway to raise assurance
10. Take staff awareness seriously

Emmanuel Sodipo is a consultant managing several successful online businesses.