Complete API List

Joe Davidson at the Washington Post writes about the recent report by Social Security’s Office of Inspector General (OIG) on the problems the agency is having delivering service to the public with a dramatically smaller workforce.

The attack scenario model, common attack-graph construction procedures, the security metrics used, and the overall security-level evaluation are defined.

Our customers not only understand that our investment in ISO17799 has given them benefits, but they are prepared to spend a little more for a secure IT infrastructure. Given that so much of security relies on internal controls, we needed to look more carefully at who we were employing. Since gaining ISO17799, we have already seen a marked increase in our bottom-line profit, and some new customers are telling us they prefer to trade with companies that have a recognised security certification. We now know who is working for us! ISO17799 has made ServiceCo different from our competitors and provided the company with a unique selling point, leading to a better working environment for all of our staff.

A working knowledge of the risk management process, including the information cycle.

“Through the ISO17799 certification process, ServiceCo identified its vulnerabilities, threats and potential impacts to the business. Employees now recognise that their earning potential is dependent on how customers perceive the company brand and that any negative publicity could affect them.

After checking for flaws and vulnerabilities, the company needs to improve the ISMS by identifying key vulnerabilities and taking appropriate corrective actions. The definition and implementation of the security architecture, with its various products and networking components, are checked for vulnerabilities and possible risk exposure.

ISO17799 has ensured that we now have controls in place that maintain system availability and reduce the risk of vulnerabilities being exploited. As a result of this, and of implementing controls from ISO17799, ServiceCo now has a more structured approach to risk management. “Despite what people say, the costs of implementing ISO17799 are very modest.

While implementing the ISMS, the focus should always be on building a long-run, faultless mechanism for managing risk.

While incorporating the changes into the security program, prepare another report on the impact to your organization. After the OCA makes a determination, the classification level is documented through a security classification guide, a Contract Security Classification Specification (DD Form 254), and classification markings on the products.

Mandatory access control models use the concept of ‘labels’, which describe the confidentiality level (or security clearance) of a subject or an object. The implemented version of the security analysis system is described, and examples of express evaluations of the security level are considered.

And, by the way, our employees are wasting less time surfing the Internet for sites not related to work! Professionalism has improved throughout the company.

The assessor will work for a Certification Body (such as Det Norske Veritas or BSI Assessment Services Limited). BS 7799 requires a company to identify the processes and controls it actually operates. If, for example, the company does not need to outsource any of its functions to an external vendor, it can state that 4.2.3.1 (Security Requirements in Outsourcing Contracts) is not relevant to that particular organisation. This is where one has to engage an external security audit team qualified to perform a third-party security audit for BS7799.
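The label comparison that a mandatory access control model performs, as an added example that is not part of the original page: the code below implements the Bell-LaPadula style rules (a subject may read an object only if the subject's label dominates the object's, and may write only if the object's label dominates the subject's). It goes beyond the page's sentence in one way, also labelled here as an assumption: labels carry a set of compartments alongside the hierarchical level, so dominance requires both a higher-or-equal level and a superset of compartments. The level names and the sample subjects and objects are constructed for the example.

```python
"""Label dominance and no-read-up / no-write-down checks (added example).

Assumptions (not from the page): the level ordering below, compartments as
part of a label, and the sample subjects/objects used in the demo.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hierarchical confidentiality levels, lowest to highest (assumed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a (possibly empty) set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high in level and holds every
        compartment of `other` (the lattice 'greater than or equal' relation)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up. The clearance must dominate
    the object's classification."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. The object's classification must dominate
    the clearance, so data cannot flow to a lower label."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, op: str) -> bool:
    """Return the access decision for op in {'read', 'write'}."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    raise ValueError(f"unsupported operation {op!r}")


def evaluate_requests() -> List[Tuple[str, str, str, bool]]:
    """Run a constructed batch of requests and return (subject, object, op,
    allowed) tuples so the decisions can be inspected or asserted on."""
    # Constructed sample principals (assumed names and labels).
    subjects = {
        "analyst": Label("SECRET", frozenset({"CRYPTO"})),
        "intern": Label("UNCLASSIFIED"),
    }
    objects = {
        "memo": Label("CONFIDENTIAL"),
        "keyplan": Label("SECRET", frozenset({"CRYPTO", "NUCLEAR"})),
        "briefing": Label("TOP SECRET"),
    }
    results = []
    for s_name, s_label in subjects.items():
        for o_name, o_label in objects.items():
            for op in ("read", "write"):
                results.append((s_name, o_name, op, decide(s_label, o_label, op)))
    return results


if __name__ == "__main__":
    for s, o, op, ok in evaluate_requests():
        print(f"{s:8} {op:5} {o:9} -> {'ALLOW' if ok else 'DENY'}")
```

Note the asymmetry the compartments introduce: the analyst cleared SECRET/{CRYPTO} can write to the SECRET/{CRYPTO, NUCLEAR} key plan (the object dominates the clearance) but cannot read it, and cannot write to the TOP SECRET briefing either, because that object lacks the CRYPTO compartment and so does not dominate the analyst's label. Labels are compared as a lattice, not as a single number.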

The best method to validate one’s attempt to provide effective information security management is first to benchmark it against the BS 7799 standard and then to certify it through an external vendor. In this final session we attempt to understand the structure and steps involved in certification for BS7799. In the information security space we believe that people are both the strongest and the weakest link in the effort to secure one’s IT resources.

“Sales and margins are up, and clients’ perceptions of our business have improved. For example, we now have a rational process to decide which risks to transfer to our insurers. Additionally, we are now seeing more Invitations To Tender from businesses that list ISO17799 compliance as a prerequisite. We also now have a business continuity plan that suits the business, not just the IT department.

The traditional formula of Plan, Do, Check, Act works well with BS 7799 too, and this is a good place either to start or to review the progress of the implementation team. The audit team checks for appropriate controls and for evidence of implementation; the corresponding templates and forms are presented to the audit team. Certification companies such as Det Norske Veritas can also help find qualified BS7799 consultants for companies interested in performing a pre-assessment audit.