Understanding the BS7799 Standard

Note: This course is no longer available.
This page is maintained only for archival purposes.

The rising value of information and the recent high-profile information security breaches have emphasized the ever-increasing need for organizations to protect their data.

An Information Security Management System (ISMS) is crucial for ensuring that organizations effectively manage the risks inherent in their information systems.

Such ISM Systems should have scalability and universal interoperability as their prime features.

This can be achieved by using the British Standard BS-7799 as a tool for auditing and scaling the existing security procedures and bringing them into conformance with international best practices.

First published in February 1995, BS-7799 comes equipped with a comprehensive set of information security controls, which cover all domains of information security.

BS7799 was significantly revised, extended and improved in May 1999, before being republished as ISO 17799 in December 2000.

Now, with BS-7799 accreditation and certification schemes also firmly established, BS-7799 has become a benchmark against which the information security practices of all organizations will be measured.

COURSE OBJECTIVES

  1. To enable professionals to design and implement an ISM System that adequately supports BS-7799.
  2. To establish the compliance level for all ten security controls.
  3. To identify which additional controls can be applied to increase compliance and thus improve the security of information assets.
  4. To produce a comprehensive and professional report, in business format.

COURSE METHODOLOGY

  1. Instructor-led intensive classroom training sessions, backed by comprehensive self-study course material and exercises.
  2. Case studies and class exercises involving the design of security policies and the auditing of hypothetical organizational systems.
  3. Hands-on use of BS-7799 application software.
  4. Practical, case-study and theory-based assessment.

TARGET AUDIENCE

  • Top management
  • Internal Affairs / Vigilance Department
  • Management Consultants
  • Security Professionals
  • Audit, Law, Security and IT consultants
  • Defence and Law Enforcement

COURSE CONTENTS

Introduction to Information Security

This section examines the needs and objectives of Information Security, as well as the background of the British Standard and its current status. The session will illustrate how information security has attained the importance that necessitates an independent standard for benchmarking security practices.

The rise of British Standard 7799 as the world's accepted benchmark for security controls will be traced from the release of the standard onward.

Managing Information Risks

This session starts with an understanding of the many risks that information assets are prone to, along with the technology often employed by those who pose a threat to that information. The focus of this session will be electronic information assets and electronic crimes. The main topics of discussion in this session are:

  • Risks, Threats and Vulnerabilities of Information Assets.
  • Real-time Threats to Information Assets.
  • Technology Used by Attackers.

The session continues by examining how present and potential risks or vulnerabilities, within or outside an organization, are perceived as threats to business continuity. It provides a practical approach to evaluating risks and managing them concurrently. The topics covered are:

  • Risk Assessment and Risk Analysis.
  • Classification of Risks, Threats and Vulnerabilities.

Role & Initiatives of Management

This session deals with the role of an organization's executive management in keeping up to date with the company's risk situation. It is always advisable to delegate security functions to subordinates, but never the accountability for security management.

This session discusses the aspects of Information Security that any management should keep within close reach. It also covers the basic security-management functions of the company's management. Some of the topics covered briefly are:

  • Creation of a Security Forum and its functions.
  • Security Policies.
  • Reporting Policies and Feedback.
  • Management Reviews.

Security Controls and Practices

This session shall discuss in depth the ten security controls recommended by the British Standard for maintaining the information security of any organization. The technical aspects of some of the security mechanisms and controls, such as firewalls for network security, cryptography for information security and legislative requirements for business security, shall be discussed at length.

Security Controls and Practices (Contd.)

Continuing from the previous session, the remaining security controls shall be explained, and demonstrations of security practices such as basic-level firewalls and encryption technologies will be provided for better comprehension of the controls. Software demos include ZoneAlarm, PGP v. 8 and the Windows 2000 Advanced Server security mechanisms.

Planning Audits of Security Systems

In this session, the participants will be shown how to plan a security audit of any organization. It includes all the preliminary measures that the auditor must take before commencing the audit. The session includes:

  • Preparing the Audit Team.
  • Scope and Goals of the Audit.
  • Preparing the Statement of Applicability (SoA).

Audit Process

Once the due diligence for the audit has been performed, the auditor moves on to the various phases of the audit process. Participants will be required to analyse real-life cases as part of this session. The topics covered are:

  • Collection of Evidence and Verification.
  • Explaining the Process to Management.
  • Preparing an Audit Report.
  • Real Life Case Studies for Audits.

Audit Software

The presentation of audit findings in standardized audit formats has been simplified by the use of automated systems for preparing standardized audit reports. It is essential for the participants to become familiar with popular audit tools. This is briefly taken up in a hands-on practical in this session.

  • Use of COBRA Software for Audit Compliance.

Assessment of Participants

The assessment of the participants shall be conducted to gauge their understanding of the subject. The assessment shall comprise practical, case-study and theory-based examinations.