12:13 Standard BS 7799 Part 1
Standard BS 7799 was developed by the British Standards Institution (BSI) with the participation of several large commercial organizations (Shell UK, National Westminster Group, Unilever, British Telecommunications, British Computer Society, Association of British Insurers, Marks & Spencer, Logica, and others). In 1995, BS 7799, as a set of established rules and regulations for providing information security, received the status of a national standard in the UK.

The standard consists of two parts. The first is BS 7799 Part 1, Code of Practice for Information Security Management. In 1999 this part was revised and transferred to the International Organization for Standardization (ISO), and in 2000 it was approved as the international standard ISO/IEC 17799:2000 (BS 7799-1:2000). The latest version of this standard, adopted in 2005, is ISO/IEC 17799:2005. ISO 17799 describes more than 120 control mechanisms needed to build an organization's information security management system. These mechanisms were developed from the best examples of international experience in this area and are suitable for any organization regardless of its size and activities. It should be noted that no certification against ISO 17799 is carried out: the document is merely a compendium of best practices and serves as a kind of guide for creating an organization's information security system. To some extent this is similar to ITIL, adjusted for the fact that ITIL claims to be the de facto standard for IT, and BS 7799 for information security.

In September 2002, the second part of the standard entered into force: BS 7799 Part 2, Information Security Management - Specification for Information Security Management Systems.
In October 2005, the International Organization for Standardization adopted the standard BSI BS 7799-2:2002 as the international standard ISO/IEC 27001:2005. BSI BS 7799-2:2002 defines the requirements for designing, implementing, operating, monitoring, auditing, maintaining and improving a documented Information Security Management System in the context of the organization's overall business risk. It also defines the requirements for implementing the security measures required by individual organizations or their related entities. According to this document, an Information Security Management System should be designed from the outset so as to ensure the selection of adequate security measures that protect information assets and give confidence to interested parties. The appendix to this standard is built on the ISO/IEC 17799 list of requirements and the corresponding actions to be taken in the company.

The first part of the standard, called in Russian "Information Security Management. Practical Rules", contains a systematic and very comprehensive, universal list of security controls, useful for organizations of almost any size, structure and activity. It is intended for use as a reference by managers and staff responsible for planning, implementing and maintaining internal security. According to the standard, the purpose of information security is to ensure the smooth operation of the organization and, as far as possible, to prevent and/or minimize the damage from security breaches. Information security management allows data to be used collectively while ensuring its protection and the protection of computing resources. It is emphasized that protective measures are much cheaper and more effective if they are built into information systems and services at the requirements and design stages. The security controls offered in the first part of the standard are divided into ten groups:
The standard singles out ten key controls, which are either mandatory under applicable law or are regarded as major structural elements of information security. These include:
Ensuring a high level of protection for valuable assets, or countering an attacker with an exceptionally high attack potential, may require other (stronger) measures that the standard does not address. The following factors have been identified as determinants of successful implementation of information security in an organization: security objectives and their provision should be based on business goals and requirements; security management functions should be assumed by the organization's management; explicit support for and commitment to the security regime is required from senior management; a good understanding is required of the risks (both threats and vulnerabilities) to which the organization's assets are exposed, together with an adequate appreciation of the value of those assets; and all managers and staff of the organization need to be familiarized with the security system.

The second part of the standard, BS 7799-2:2002 "Information Security Management Systems - Specification with guidance for use", deals, as the name implies, with the Information Security Management System. An Information Security Management System (ISMS) is understood as that part of the overall management system which is based on risk analysis and is intended for designing, implementing, monitoring, maintaining and improving information security measures. This system comprises the organizational structure, policies, action planning, responsibilities, procedures, processes and resources. The management process is based on a four-phase model, including:
In Russian this model can be called PPW (in the original, Plan-Do-Check-Act, PDCA). A detailed analysis of each of the selected phases is the main content of standard BS 7799-2:2002. Continuation to follow :)