ISO17799 Newsletter - Issue 3

Welcome to the third edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to 17799 and information security.

The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.

Guidance and information included in this month's issue:

The anticipated advance of ISO17799, as it becomes established as core currency within information security circles and beyond, continues unabated.

This is evident not just from those seeking formal certification, but via more peripheral statistics:

* Weekly sales of ISO17799 via the 17799 Electronic Shop ( ) have increased by 50% in just three months.
* Visits to ISO17799 web sites (including our own) have doubled in the same period. Subscription to this newsletter increases at a rate of 10-20 every DAY.
* Sales of supporting software, such as COBRA, have increased similarly.

Some observers argue that ISO publication of the standard (from BS7799) made this inevitable. However, the need for a common set of terms of reference for information security greatly pre-dated this. ISO17799 simply filled a void that had been clearly evident for many years.

Its success not only reflects the quality of the standard itself, but the actual need for an international standard in the first place.

Despite the potential for significantly increased efficiency through the use of e-mail and the internet in the workplace, there is a growing awareness that inappropriate use of these facilities can actually stifle productivity and distract staff from their work.

It is reported that many companies still do not have a code of practice for dealing with external e-mail, and may not be aware that they can be held liable for various infringements resulting from their employees' misuse of this facility, such as sexual and racial harassment, breach of confidence, unwanted contracts, virus transmission and breaches of Data Protection legislation.

A large e-mail services company recently commented that, "E-mail is not really any different from telephone or post, yet people write things in e-mail they would squirm at putting in an envelope. If the company name appears on a letterhead, employees instinctively think twice about what they are writing and often ask for approval. There is nothing to stop companies considering branding their e-mails in the same way to improve internal awareness and external protection."

The following are business-related activities which should be considered when establishing a workable set of policy statements for internet and e-mail protection:

* Downloading Files and Information from the Internet
* Using and Receiving Digital Signatures
* Sending Electronic Mail (E-mail)
* Receiving Electronic Mail (E-mail)
* Retaining or Deleting Electronic Mail
* Setting up Intranet Access
* Setting up Extranet Access
* Setting up Internet Access
* Developing a Web Site
* Receiving Misdirected Information by E-mail
* Forwarding E-mail
* Using Internet for Work Purposes
* Using Usenet, Newsgroups and Message Boards
* Giving Information when Ordering Goods on Internet
* 'Out of the Box' Web Browser Issues
* Using Internet 'Search Engines'
* Maintaining your Web Site
* Filtering Inappropriate Material from the Internet
* Certainty of File Origin

Comprehensive information on establishing information security policies for each of these business areas, in conformity with ISO 17799, can be found in the Information Security Policy Templates available at

Choosing a secure password is an important element of effective information security within an organization, but good password management is of equal importance... this is another straightforward issue that is too often overlooked.

The following guidelines will enable you to protect your own passwords and maintain their confidentiality.

* Never give your password to anyone, even if that person claims to have authorization. (In the latter case, report such requests to your Information Security Officer immediately.)
* Never write down your password.
* Never store it in a computer file.
* When receiving technical assistance, do not divulge your password to the IT specialist, but stay with your computer and enter the password yourself when required. (If this is not possible, your Systems Administrator should have permission to log on on your behalf.)
* If you believe your password may have been compromised, change it immediately.
* Change your password regularly. (Your system should prompt a change on, say, a monthly basis.)

Obvious? Maybe - but it is surprising how many security breaches stem from employees and others NOT following these simple steps. SEE: "It couldn't happen here... could it?" at the end of this newsletter!!!

For a flying start, the ISO17799 standard can now be obtained as part of 'The ISO17799 Toolkit'. This comprises various resources to assist compliance with, and management of, ISO17799. Included are: ISO17799 Parts 1 & 2; 17799-compliant security policies; a road map for ISO17799 certification; an audit kit for section 12; a management presentation on ISO17799; a set of business continuity resources; a business impact analysis tool; and a comprehensive ISO17799/security glossary.

For more information, visit:

1) When was it published?
December 2000

2) What is BS7799?
BS7799 was the forerunner of ISO17799. It was superseded in Dec 2000.

3) Who is accredited to certify (certification bodies)?
BSI, DNV, LRQA, National Quality Assurance, and others.

4) How can I measure and manage compliance?
The most well known tool is COBRA, which is also an established risk analysis product. A newly published tool is also described above (The ISO17799 Toolkit).

5) Tools to help me comply?
See the list of resources above.

6) What is ISO17799?
ISO17799 Part 1 is "intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations". It is essentially a 'code of practice'.

7) Who wrote it?
Originally a BSI/DISC committee including representatives from a cross section of trade and industry. It was subsequently reviewed by an ISO committee and emerged through the ISO publication process.

8) What is Part 2?
ISO17799 Part 2 is a "specification for information security management systems". This is not an optional extra, but is critical to the process.

Despite employing regularly updated anti-virus software and maintaining a constant awareness of the risks of virus infection, some viruses can nevertheless still enter and infect an organization's computer system. For example, a high profile case was reported earlier this year where a senior businessman was sent a price list infected with a virus by another company known to him, albeit a competitor... he should of course have known better. But what steps can be taken to help mitigate this sort of situation?

Dealing with a virus in a professional and planned way reduces both its impact and its spread throughout the organization and beyond. A failure to respond appropriately to a virus incident can rapidly result in multiple system failures and continued infection.

We offer the following best practice guidelines on how to respond to virus incidents:
* If possible, appoint a Virus Control Officer who would be the first point of contact for all virus alerts and who co-ordinates follow-up actions.

* Ensure that your organization has a Virus Incident Response Plan, drawn up jointly by the Information Security Officer, Virus Control Officer and System Administrator. Where no agreed response plan is in place, the reactions of users, IT and management are likely to be ad hoc and inadequate, possibly turning a containable incident into a significant problem.

* Ensure that your server anti-virus software is configured to proactively scan all incoming and outgoing files. (Also investigate the source of any virus detected on OUTBOUND e-mail, as this may indicate a failure to scan files on a workstation or the use of unscanned floppy disks or CD-ROMs.)

* Update your anti-virus file definition files on a regular basis.

* When a virus is detected:
1) Immediately locate and scan the relevant file(s) with your anti-virus software to determine whether the virus has been removed (the file "immunized").
2) Establish whether the virus might have infected others and, if so, respond accordingly - if necessary, close down workstations and possibly parts of the network.
3) Communicate a virus alert to warn staff of the incident and the appropriate response.
4) Following the virus attack, review the measures taken to minimize damage and prevent a recurrence, and question whether procedures and safeguards remain adequate. Consider updating your anti-virus file definitions on a more frequent, possibly daily, basis.

* Consider regularly reviewing software and files used for critical business processes to identify and investigate unauthorized and/or suspicious changes.
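As an added illustration of the file-review guideline above (example code, not from the newsletter or any product it mentions): a baseline-and-compare integrity check that hashes the files of a critical business process and reports anything modified, added or removed at the next review. The function names are this example's own, and the sample file contents are constructed.

```python
import hashlib
import os

# Added example, not from the newsletter. build_baseline / compare_to_baseline /
# snapshot_directory are this example's own names, not those of any product.

def build_baseline(files):
    """Map each path to the SHA-256 hex digest of its contents. `files` is {path: bytes}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def snapshot_directory(root):
    """Read every regular file under `root` into {relative_path: bytes} for hashing."""
    out = {}
    for dirpath, _dirnames, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = fh.read()
    return out

def compare_to_baseline(baseline, current):
    """Return (modified, added, removed) as sorted lists of paths; inputs are {path: digest}."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

# Constructed sample: the files of a "critical business process" as they were when baselined ...
BASELINE_FILES = {
    "bin/payroll.exe": b"original payroll binary",
    "data/pricelist.xls": b"Q1 price list",
    "bin/report.dll": b"report helper",
}
# ... and as found at the next review: the price list changed, a file appeared, one disappeared.
CURRENT_FILES = {
    "bin/payroll.exe": b"original payroll binary",
    "data/pricelist.xls": b"Q1 price list\x00unexpected macro",
    "data/pricelist.xls.bak": b"Q1 price list",
}

def review():
    """Run the comparison on the constructed sample; each non-empty list warrants investigation."""
    return compare_to_baseline(build_baseline(BASELINE_FILES), build_baseline(CURRENT_FILES))

if __name__ == "__main__":
    for label, paths in zip(("MODIFIED", "ADDED", "REMOVED"), review()):
        for p in paths:
            print(f"{label}: {p}")
```

In practice the baseline digests would be stored somewhere the monitored system cannot alter them, and `snapshot_directory` would feed `build_baseline` instead of the constructed dictionaries.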

* Promote awareness among users of the risks associated with e-mail, and train them to be aware of this type of cyber crime and their responsibilities for its prevention.

This issue of the ISO 17799 Newsletter features a relatively new software product that is designed to provide valuable help and guidance for the Information Security Officer. The Information Security Officer's Manual (ISOM) is supplied as a compiled help file and it is therefore extremely easy to search for advice on information security organization matters. It assumes no previous knowledge of security issues and explains everything in plain English.

The manual provides information and guidance covering all standard areas of responsibility of the Information Security Officer and includes everything from the basics to comprehensive risk management measurement techniques. The ISOM helps simplify the critical points of security assessment and the implementation of secure computer-based systems. It also covers the issues associated with notebook and portable computers, and business continuity planning. It includes the following topics:

* Establishing an effective Information Security structure
* Implementing Information Security policies
* Classifying information and data
* Authorizing access to data
* Information Security Officer duties and responsibilities
* Risk assessment techniques
* Controlling portable computers
* Emergency data amendments
* Information Security audit and compliance
* Business continuity planning
* Information Security HR issues
* Handling Information Security incidents

The guidance given is both practical and easy to understand, using diagrams and flow charts where necessary. This software is excellent value at US$295 for a single user license and is an excellent addition to the Information Security Officer's electronic 'bookshelf'.

A downloadable evaluation version, and further information on how to obtain this useful reference toolkit, can be found at the rather lengthy:

Every future issue of The ISO17799 Newsletter will feature at least one TRUE story of an information security breach and its consequences. We will kick off with two 'low tech' but high impact incidents:

1) On 27th December, when most workers were enjoying their Christmas holiday, a supervisor in a major city bank went into work "to do a little overtime". In accordance with procedure, his employers had given him only one of the two security numbers which, combined, would enable him to transfer funds internationally.

Unfortunately, for the sake of convenience, his colleague had pinned the other to a display terminal. Within minutes of arrival he had transferred 2.5M UKP to international accounts. Within hours, he too was out of the country. With the holiday break his actions were not detected for a considerable period.

It might, after all, be worth re-reading the item on passwords above!

2) A series of incidents occurred during one night shift at a major computer installation: power-downs prevented further output, as there was no engineer present to re-initialize the system. Shift staff consequently had to be sent home each time.

The cause was eventually discovered. An operator was so jealous of his unfaithful girlfriend (allegedly!) that he discovered a way of "checking up on her". On random occasions he would turn the mains switch off and then back on again, and would subsequently be sent home... unexpectedly. The idea occurred to him following a genuine failure.