ISO17799 Newsletter - Issue 10

Welcome to the tenth issue of ISO17799 News, designed to keep you abreast of developments and news with respect to ISO 17799 and information security. The information within the newsletter is totally free to subscribers and provides guidance on various practical issues, as well as commentary on recent Information Security incidents.

Included in this edition are the following topics:
1) Implementing ISO17799 in Your Organization
2) Security Awareness: ISO17799 Section 4
3) Recent Certifications
4) Introducing an Effective Email Security Policy
5) Hacked Websites
6) ISO17799: a World Wide Phenomenon
7) Introducing a Disaster Recovery Team Into Your Organization
8) A short history of ISO 17799
9) Security Update
10) The FAQ: More Frequently Asked ISO17799 Questions
11) Preparing for an Information Security Audit
12) ISO17799 Section 12: The Sarbanes-Oxley Act 2002
13) It Couldn't Happen Here.... Could It?

It is becoming increasingly critical that information security is given the attention and level of importance it deserves. Most organizations are now absolutely dependent upon their information and business systems, so much so that serious disruption can mean disaster or critical loss.

ISO17799 is the only internationally accepted worldwide standard/code dealing comprehensively with these issues. Purchasing this standard is a good first step, but as the standard is by necessity a comprehensive and therefore a reasonably complex document, guidance is often necessary to help organizations decide where to start and what priorities should be applied to the implementation process.

The ISO 17799 Toolkit was of course introduced to solve many of these issues in one step. As well as containing both parts of the standard, it also includes a full set of compliant policies ready for implementation, a road map for potential certification of the organization, an audit kit for network based systems, a business impact analysis questionnaire together with many other supportive items (eg: a disaster recovery kit, a management presentation and an IS glossary). This toolkit represents extremely good value as it can enable organizations to commence work with the introduction of vital security aids without reference to expensive external consulting resources.

However, even armed with a support kit such as this, it is important to understand that the key to the standard is PROCESS... the creation and maintenance of a robust ISMS. This is occasionally overlooked, as some organizations simply adopt a tick list from the first part of the standard (ISO17799). This is certainly a good stride forward, but is by no means the end of the journey.

When first considering the standard, therefore, it should be understood that the path forward will certainly include enhancement and improvement of security, but it will largely be driven via the creation and maintenance of information security management systems and supporting procedures.

Most security breaches occur at ground floor level, through employees making errors or inadvertently revealing information. It is ironic therefore that so many organizations do not have a comprehensive awareness program in place... perhaps missing the obvious and focusing upon the rather more stimulating high-tech threat instead.

Security should ideally be part and parcel of the organization's culture. To meet this objective however requires support from the top, determination, and a properly planned and comprehensive awareness plan and program.

This program should include a range of different aspects. To assist, we list some of the most common below:
- A Security Newsletter. This is an important vehicle and can include both news and information in a topical context. Please feel free to extract from this newsletter for inclusion.
- A 'Roadshow'. Security personnel regularly give presentations to senior management and staff on current threats and issues.
- Hijacking Training. If your organization produces internal courses for staff on other topics, make sure that the security angle is covered.
- Video/DVD. If you have the budget, produce and distribute.
- The Screen Saver. Why not use it for security related messages?
- Posters. Use them and replace them often.
- Cheap gifts. Pens, key fobs, and coffee mugs bearing a security message may seem tacky, but they work.
- Competitions. Security crosswords, puzzles and problems, with a suitable prize for the winner.

Some of these may well be seen as mundane. But in the final analysis, threats are usually far more likely to materialize through lack of awareness than through complex cyber crime.

Congratulations to all the following who we have recently added to our list of firms which have been certified with respect to BS7799 Part2 for at least one system in at least one location: Symantec Security Services, Banco Matone (Brazil), Communisis Security Products, Federal Reserve Bank of New York, Royal Bank of Scotland, SWA Ltd, Yorkshire Water Information Technology, Télefoníca Data Argentina, Eastern Petrochemical Company (Saudi Arabia), GTECH Ireland Corporation, Supermask Co Ltd, Progeon Ltd (India), Consul Risk Management, Kingdom Fine Metal Ltd (China), IM Systems Group Inc.

More certifications will be listed in future issues.

Note: A new 'Register of Certifications' for the standard has been created at The backlog is apparently being added on a daily basis.

Email security breaches are becoming an increasingly significant threat to organizations around the world. To counter this, most organizations will already have a firewall and anti-virus software in place. Hopefully, as new viruses are found daily, they have made sure that their virus protection is also updated on a daily basis.

Viruses, of course, can sometimes penetrate the firewall by hiding within emails. Once opened, the virus can spread and cause significant damage to internal systems. The virus may not always be serious enough to cause permanent damage but, even with moribund viruses, the disruption may well take time and money to rectify.

Despite these risks, there is no escaping the fact that e-mail is rapidly becoming the principal means of business communication. Draconian restrictions on use are therefore not tenable. However, rigid application of stringent security policy certainly is.

The following high level best practice statements should be adhered to as a basic minimum (extracted from
- Personnel should understand the rights granted to them by the organization in respect of privacy in personal e-mail transmitted across the organization's systems and networks. Human Resources Department should incorporate a suitable wording into employee contracts to ensure that this privacy issue is fully understood.

- Personnel should not open emails or attached files without ensuring that the content appears to be genuine. If you are not expecting to receive the message or are not absolutely certain about its source, do not open it.

- Confidential and sensitive information should not be transmitted by e-mail - unless it is secured through encryption or other secure means.

- Personnel should be familiar with general e-mail good practice e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organizational value should on the other hand be regularly purged or deleted from your system.

From these, it is recommended that more specific corporate requirements are produced and implemented.

Fact: Every day of every week dozens of corporate websites are hacked and defaced. This statement may surprise some people, but it does illustrate that this problem is extremely large scale and the threat is very significant. Even on the very day this item is being written, well known sites owned by Lycos and the European Union have been defaced.

A future edition of this newsletter will therefore investigate this issue in some depth. We will explore some of the more high profile attacks, and offer advice on what to do to minimize risks... and recover should you become a victim.

In the meantime, if you ever wondered what drives these guys, Zone-H ( reports the following (from a substantial sample):

Heh...just for fun! 35%
No reason specified 19.2%
I just want to be the best defacer 12.5%
As a challenge 11.7%
Patriotism 10.5%
Political reasons 9.2%
Revenge against that website 1.9%

They also report that over half of successful hacks exploit either configuration errors, or unpatched systems: which are very basic security issues!

The source list for the most recent purchases of the ISO17799 is always popular:

Argentina 3
Australia 18
Austria 9
Barbados 2
Bahrain 1
Belgium 14
Bermuda 3
Bosnia and Herzegovina 1
Brazil 11
Brunei 1
Canada 101
Cayman Islands 1
Chile 7
China 5
Colombia 6
Costa Rica 1
Croatia 2
Cyprus 3
Denmark 16
Egypt 5
Estonia 1
Faroe Isle 1
France 19
Germany 55
Gibraltar 1
Greece 5
Guatemala 1
Hong Kong 12
Hungary 4
Iceland 1
India 12
Indonesia 5
Ireland 27
Israel 2
Italy 36
Jamaica 2
Japan 10
Jordan 2
Korea 1
Lebanon 2
Luxembourg 2
Malaysia 8
Malta 1
México 22
Netherlands 39
New Zealand 5
Norway 19
Panama 1
Peru 1
Philippines 2
Poland 3
Portugal 6
R.O.C. 3
Russia 4
Saudi Arabia 9
Singapore 15
Slovak Republic 1
Slovenia 3
South Africa 11
Spain 23
Sultanate of Oman 1
Sweden 11
Switzerland 48
Taiwan 5
Thailand 2
Tunisia 1
Turkey 3
United Arab Emirates 5
UK 379
USA 588
Venezuela 2

The same warnings apply as normal: these are online credit card sales only, from one source. Those cultures that are less familiar with this form of commerce will be under-represented.

Even for small enterprises, it is often necessary to establish a Disaster Recovery Team to handle the initial stages of an emergency situation. Certainly, it is vital for larger corporations.

The DRT should be made up of a group of specialists who have previously been nominated as being able to assist in dealing with the initial emergency situation. These will not necessarily be the same persons who are members of the Business Recovery Team (BRT). Although the configuration of the DRT will depend upon the type and severity of the emergency, and the nature of the organization itself, the following personnel may need to be involved according to circumstance:

- Key members of Senior Management
- Premises Maintenance Staff
- IT technicians
- Communication technicians
- Security staff
- Personnel Manager
- Premises or Facilities Manager
- Fire and Safety Officer
- Information Security Officer

The DRT is responsible for working with the emergency services to clear the initial emergency crisis situation, in order that the Business Recovery Team is able to start their activities. The DRT itself will only be able to start their own recovery activities once the emergency services have given permission for these duties to commence. During the initial emergency, the DRT will normally make themselves available to provide assistance to the emergency services, as appropriate.

Nominated members from the DRT should actually be on standby or available at all times, and should ensure that their contact details are known. All members of the DRT should maintain an up-to-date copy of the BCP in a secure location off-site, and each member should also be issued with special equipment such as torches, hard hats, gloves, overalls, hand-held dictaphones and mobile phones to use in such emergencies.

These initial preparations can make all the difference to the outcome of the disaster situation, and at the very least, will create a sound platform for the Business Recovery Team.

Where did it come from? When? Who produced it? Why? Perhaps most of these questions can be answered via an abridged history of the standard:
ISO 17799 actually began life as the DTI Code of Practice (CoP) for Information Security, the 'DTI' being the UK Government's Department of Trade and Industry. This was published in the early nineties. Even in these early years, however, BSI was involved, and indeed, the CoP was re-badged and re-published as BS7799-1 in 1995.

This certainly had its supporters, but it was not widely embraced, for a variety of reasons. This situation was to change in the late nineties.

In 1999 a major revision of the standard was published. This significantly strengthened the standard in many respects. Accreditation and certification schemes were also launched, and these helped increase the momentum.

Within a year or so, the standard had been fast-tracked through ISO, and it became ISO 17799 in December 2000. This stimulated worldwide interest further. In 2002 BSI published BS7799-2, a second part, which covered ISMS and helped bridge the gap with ISO 9000. The ISO17799 Toolkit was released around the same time.

Since then, the standard has gone from strength to strength, and as the sales data in this newsletter illustrates, it is now very much a worldwide phenomenon.

- First certified organization: Business Link City Partners.
- First ISO 17799 domain name: (owned not surprisingly by BSI)
- First qualified certified BS7799 c:cure Auditor: David Lilburn Watson
- First populated dedicated ISO17799 website:
- First certification bodies: LRQA and BSI
- First ISO17799 related product: COBRA
- First regular dedicated publication: This one!

This list was compiled following our own research. If you know of any organization/website/etc that existed prior to these, please let us know!

An interview with David Watson will appear in a future edition of ISO 17799 News.

- Security Focus ( reports that charges have been filed against a Florida man known as 'The-Rev', for his alleged role in the high profile 'Deceptive Duo' hacking team. The 'Deceptive Duo' are responsible for defacing a significant number of government and corporate websites.

- At time of publication a security alert has been issued regarding a new fast spreading worm, the 'Sasser' worm. This already has several variants and threatens to achieve similar notoriety to previous attacks last year (eg: Blaster). Now seems a pretty good time to update those anti-virus definition files. More information:

- Currently, of course, we have ISO 17799 and BS7799-2. However, efforts are currently on-going to convert BS7799-2 to an ISO document as well (ISO17799-2). We hope to provide an update on this in the next issue.

1) Are there any forums or message boards on which I can discuss ISO 17799 topics or issues with other people? Yes. The two biggest are:
- The ISO 17799 Community:
- The Yahoo ISO 17799 Group:

2) How should security REQUIREMENTS be established? ISO 17799 identifies three main sources:
- "The first source is derived from assessing risks to the organization. Through risk assessment threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated"
- "The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy"
- "The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations".

3) What is the PDCA Model?
This is the "Plan-Do-Check-Act" model and is used in BS 7799-2. It is intended to be used as the basis for creating, implementing, monitoring and maintaining an information security management system. This is more fully documented at 'Induction to BS7799' (

4) Where can I find a consultant to help?
A directory of ISO17799 and BS7799 Consultants can be found at:

5) What is accreditation and certification?
An accreditation body is an organization (usually a national one) which grants third parties the authority to issue 'certificates' (to certify) against standards. This third party is the certification company, which actually certifies against the standard. Examples include: BSI, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited, UIMCert GmbH.

For an Information Security audit to be effective it must be planned and have adequate preparation. A common purpose of conducting the audit is to enable the Information Security Officer (or the person who is responsible for the security of information) to measure the level of compliance with the organization's Information Security Policies and associated procedures.

At the highest level, the Information Security Officer should initially prepare an audit program which ensures that all key risk areas are audited and reviewed on a regular basis. The greater the threats, and the higher the risk or probability of an Information Security incident, the more often the audit should be conducted.

Once the risk area to be audited has been selected, the Information Security Officer should prepare a list of the INFORMATION that needs to be collected to carry out the audit.

As an example, if the audit chosen is regarding the Portable Computing Facilities, the documents to be considered for review are: Insurance documents, Network Profile, Issue form, General terms of use, Hardware register, Software register, User Profile, Removal of equipment authorization.

The Information Security Officer will also decide on which PERSONNEL need to be audited and arrange an interview schedule. In the same example, the following personnel would be audited: A sample of the user population who use portable computers, The issuers of portable computers, Ancillary staff.

As with many tasks, pre-planning is sometimes seen as a necessary evil, and there is a temptation to short-cut. However, in most cases, there is little doubt that the quality of the planning is likely to go a long way in determining the quality of the audit itself.

Note: This information is extracted from the Interactive Security Manual and used with permission:

The Sarbanes-Oxley Act was signed into law on 30th July 2002, on the back of the Enron scandal, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".

These legislative changes in the US are also of particular interest to users of ISO 17799 generally, as they deal with the requirement to monitor internal controls, including information security procedures. In addition, of course, ISO17799 itself embraces legislative compliance within Section 12.

For these reasons, each issue of the ISO17799 Newsletter covers a different aspect of this legislation. The topic covered in this issue is "Corporate Responsibility for Financial Reports".

Periodic statutory financial reports issued by public companies must include certifications that:
- The signing officers have reviewed the report
- The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
- A list of all deficiencies in the internal controls, and information on any fraud that involves employees who are involved with internal activities, has been provided
- The report does not contain any material untrue statements or material omissions and is not misleading
- The financial statements and related information fairly present the financial condition and the results in all material respects
- Any significant changes in internal controls or related factors that could have a negative impact on the internal controls have been disclosed

Importantly, it is also specified that organizations may not attempt to avoid these requirements by reincorporating their activities or transferring their activities outside of the United States.

With compliance deadlines for the Sarbanes-Oxley Act fast approaching, focus on the legislation, and indeed its security implications, is increasing. For more information on this legislation, the Sarbanes-Oxley Community ( provides a public forum and FAQ.

In each newsletter we include a selection of definitions and terms to explain some of the jargon and language used by information security and IT professionals. In this issue, the selected terms all start with the letter D:

An electronic device that is capable of detecting and reading the bit-patterns of data passing down a communications line and interpreting/translating these patterns into readable alphanumeric characters. Some devices are capable of detecting/reading the electromagnetic radiation emitted directly by computers without the need to 'tap' a communications line.

Dual Control is one of the foundations of Information Security. It is based upon the premise that, for a breach to be committed, both parties would need to be in collusion; and because the pairs of people should always be alternated, a much greater level of corruption would be required to breach dual control procedures, especially if such procedures require nested dual control access, such that (say) 2 pairs of people are required to enable access.

The Data Encryption Standard (DES) is a standard for the scrambling of data to protect its confidentiality. It was developed by IBM in co-operation with the American National Security Agency and published in 1974. It became extremely popular and, because it used to be so difficult to break, with 72,000,000,000,000,000 possible key variations, was banned from export from the United States. However, restrictions by the US Government on the export of encryption technology were lifted in 2000 for the countries of the EU and a number of other countries.

A mechanical device used by software developers to prevent unlicensed use of their product. Typically, a Dongle is a small connector plug, supplied with the original software package, which fits into a socket on a PC - usually a parallel port, also known generally as the LPT1 Printer port. Without the Dongle present, the software will not run. Some older Dongles act as a terminator, effectively blocking the port for any other use, but later versions have a pass-through function, allowing a printer to be connected at the same time. Even though the PC can still communicate with the printer, there have been problems with more recent printers which use active two-way communications with the PC to notify printing status, ink levels, etc.

A unique identifier that becomes part of a digital document and cannot be removed. The watermark is invisible to the human eye but a computer can analyze the document and extract the hidden data. Digital watermarks are being used for Classified/Top Secret documents - usually Military/Governmental - and highly confidential commercial material. The primary use of such marks is to allow different marks to be used when the document is copied to different persons and thereby establish an Audit Trail should there be any leakage of information.

Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) The Disgruntled Employee Strikes Back
An organization in the US fired an employee who had been known to be less than happy in his work and had been causing problems for management through a variety of activities. Unbeknown to the organization, this employee had made a copy of the main client database for himself and therefore had access to sensitive information.

Shortly after the employee was dismissed, major customers started receiving offensive material purportedly being sent by the organization itself. The ex-employee used a simple open SMTP server to simulate the organization's email addresses. Customers immediately started to move away from the organization and even when they were informed that this material had been maliciously sent to them by a previous employee, they remained unimpressed with a company that had so little security in place.

The organization quickly went out of business, paying a heavy price for not having sufficient control over employee access to sensitive information.

2) But Who Audits the Auditor?
A large financial company thought they had security in the bag. Their security department was active, and involved in most activities of the Group. It had a reputation for being on top of new technology, and had an aggressive audit schedule, with all sensitive applications and projects being regularly audited.

What a pity they got a fundamental principle so badly wrong! As the Group's security area they had full access to security settings, and administered access control for key applications. As auditors they audited the same. That was the crunch.

The same individuals who set security levels and granted access to information resources, also audited them. A classic case of insufficient segregation of duties.

In one sense they were lucky. The incident which brought this to light was petty. The individual in question could not resist the temptation to adjust his overtime figures on the payment database. He inflated the figures by several hundred dollars, each month, for several months. He was caught because someone else on his team spotted his payslip (which he had left inside his briefcase, which he left open!) and knew instinctively that he had not been working long hours in recent weeks and therefore that the salary figure was far too high.

It could, however, just as easily have been an accounting database he adjusted, or a number of financial databases, and the company could have been facing a substantial and embarrassing loss.

The golden rule of course is that auditors usually need only read access to audit, and not update.
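As an added example of checking the segregation-of-duties principle behind this story (constructed code written for this newsletter, not a tool from any organization it mentions), the Python below models roles as sets of (resource, action) permissions and flags anyone who both administers and audits the same resource, as well as any audit role that carries write access. The role names, resources and user assignments are constructed sample values.

```python
"""Segregation-of-duties checks for the 'who audits the auditor' case.

Constructed example. Permissions are (resource, action) pairs where action is
one of "read", "write" or "audit". Two rules are checked:
  1. nobody holds both "write" and "audit" on the same resource;
  2. roles designated as audit roles never grant "write".
"""
from typing import Dict, List, Set, Tuple

Perm = Tuple[str, str]  # (resource, action)

# Constructed role model modelled on the case: the security area both
# administered access control and audited it.
ROLES: Dict[str, Set[Perm]] = {
    "security_admin": {("access_control", "write"), ("security_settings", "write")},
    "security_auditor": {("access_control", "audit"), ("security_settings", "audit")},
    "payroll_clerk": {("payroll", "write")},
    "payroll_auditor": {("payroll", "audit"), ("payroll", "read")},
}
AUDIT_ROLES: Set[str] = {"security_auditor", "payroll_auditor"}


def effective_permissions(roles: Set[str], role_table: Dict[str, Set[Perm]] = ROLES) -> Set[Perm]:
    """Union of the permissions granted by every role a user holds."""
    perms: Set[Perm] = set()
    for role in roles:
        perms |= role_table[role]
    return perms


def sod_violations(users: Dict[str, Set[str]], role_table: Dict[str, Set[Perm]] = ROLES) -> List[str]:
    """Rule 1: the same person must not both administer and audit a resource."""
    findings: List[str] = []
    for user, roles in sorted(users.items()):
        perms = effective_permissions(roles, role_table)
        writes = {res for res, act in perms if act == "write"}
        audits = {res for res, act in perms if act == "audit"}
        for res in sorted(writes & audits):
            findings.append(f"{user} both administers and audits '{res}'")
    return findings


def audit_role_violations(role_table: Dict[str, Set[Perm]] = ROLES,
                          audit_roles: Set[str] = AUDIT_ROLES) -> List[str]:
    """Rule 2 (the golden rule above): audit roles need read access only."""
    findings: List[str] = []
    for role in sorted(audit_roles):
        for res, act in sorted(role_table[role]):
            if act == "write":
                findings.append(f"audit role '{role}' can modify '{res}'")
    return findings


if __name__ == "__main__":
    # Constructed assignments reproducing the story: one person in the security
    # department holds both the admin and the auditor role.
    users = {
        "security_dept_member": {"security_admin", "security_auditor"},
        "clerk": {"payroll_clerk"},
        "internal_audit": {"payroll_auditor"},
    }
    for line in sod_violations(users) + audit_role_violations():
        print(line)
```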

3) Intellectual Property Rights (IPR)
A company in London developed a range of new products mainly by utilizing the services of one of its employees who was particularly skilled at these activities. Once these products had been developed, they were successfully marketed by the firm and a good revenue stream emanated from this new business area.

Unfortunately, the firm had not considered protecting the intellectual property rights of work undertaken during the employee's time with them and it was subsequently successfully sued by the employee who had authored the products, and who then claimed ownership over the intellectual property rights contained within them.

The lesson to be learned here is that employees' contracts should clearly state the ownership of any work developed for the company during their employment. This agreement should be signed by the employee to signify acceptance of these terms and conditions prior to undertaking this type of work.