IT GOVERNANCE

Alan Calder is CEO of Wide Learning, a supplier of e-learning, and was previously CEO of Focus Central London and, before that, of Business Link London City Partners (BLLCP). He was also a member of the DTI's Information Age Competitiveness Working Group. He is a non-executive director of DNV Certification Services Ltd, a company that certifies compliance with international standards including BS 7799. He is also a Director of IT Governance Ltd, which provides information security services through its web site at www.itgovernance.co.uk Steve Watkins is Corporate Services Manager of HMCPSI and was Head of Quality and Operations at Focus Central London and was, before that, Quality Manager at Business Link. The authors were responsible for one of the first companies (BLLCP) to achieve BS 7799 registration when the standard was first promulgated in 1996. They have aided other organizations since then to implement effective information security management systems, and have been involved in the development of both the accredited certification scheme and related training standards.

Foreword Introduction Background Chapters 1. Why is information security necessary? Nature of information security threats Prevalence of information security threats Impacts of information security threats Cybercrime Cyberwar Legislation Benefits of an information security management system 2. The Combined Code and the Turnbull Report The Combined Code The Turnbull Report IT governance 3. BS 7799 Benefits of certification History of BS 7799 and ISO 17799 Use of the standard ISO 17799 Structured approach to implementation Quality system integration 4. Information security management The management information security forum Information security manager The cross-functional management forum BS 7799 project group Authorization process for information processing facilities Product selection and the Common Criteria Specialist information security advice Co-operation between organizations Independent review of information security Summary 5. Information security policy and scope Information security policy A policy statement Costs and monitoring progress 6. The risk assessment and statement of applicability Approach to risk Selection of controls and statement of applicability Gap analysis Risk assessment tools 7. Security of third party access and outsourcing Identification of risks Types of access Reasons for access Onsite contractors Security requirements in third party contracts Outsourcing 8. Asset classification and control Asset owners Inventory Information classification Unified classification markings Information labelling and handling Non-disclosure agreements and trusted partners 9. Personnel security Job descriptions Personnel screening and policy Confidentiality agreements and terms of employment User training Responding to security incidents and malfunctions Learning from incidents Disciplinary process 10. Physical and environmental security Secure areas Isolated delivery and loading areas 11. Equipment security Equipment siting and protection Power supplies Cabling security Equipment maintenance Security of equipment off-premises Secure disposal or re-use of equipment 12. General security controls Clear desk and clear screen policy Removal of property 13. Communications and operations management Documented operating procedures Operational change control Incident management procedures Segregation of duties Separation of development and operational facilities External facilities management System planning and acceptance 14. Controls against malicious software (malware) Viruses, worms and Trojans Anti-malware software Hoax messages Anti-malware controls Airborne viruses 15. Housekeeping, network management and media handling Network management Media handling and security 16. Exchanges of information and software Information and software exchange agreements Security of media in transit Electronic commerce security Security technologies Server security Security of electronic office systems Publicly available systems Other forms of information exchange 17. E-mail and Internet use Security risks in e-mail Misuse of the Internet Internet Acceptable Use Policy (AUP) 18. Access control Hackers Hacker techniques System configuration Access control policy 19. Network access control Networks 20. Operating system access control Automatic terminal identification Terminal logon procedures User identification and authentication Password management system Use of system utilities Duress alarms Terminal time-outs Limitation of connection time 21. Application access control Monitoring system access and use 22. Mobile computing and teleworking Mobile computing Teleworking 23. Systems development and maintenance Security requirements analysis and specification Security in application systems 24. Cryptographic controls Encryption Public Key Infrastructure (PKI) Digital signatures Non-repudiation services Key management 25. Security in development and support processes System files Access control to program source library Development and support processes 26. Business continuity management Business continuity management process Business continuity and impact analysis Writing and implementing continuity plans Business continuity planning framework Testing, maintaining and re-assessing business continuity plans 27. Compliance Identification of applicable legislation Intellectual Property Rights (IPR) Safeguarding or organizational records Data protection and privacy of personal information Prevention of misuse of information processing facilities Regulation of cryptographic controls Collection of evidence Review of security policy and technical compliance System audit considerations 28. The BS 7799 audit Selection of auditors Initial visit Preparation for audit Appendix: Sources of further information I. Useful websites Consultancy firms BS 7799 certification organizations E-learning Microsoft Information security Accounting, finance and economics Business, management and governance Contingency planning and disaster recovery Information technology Risk management II. Further reading Index