It is reported that 60 per cent of organizations have suffered a data security breach in the past two years and 43 per cent of those that have sensitive or critical information have suffered an extremely serious one. With the growing importance of IT to both internal systems and external e-commerce, this may be alarming but perhaps not surprising. What is surprising is that, up until very recently, data security has been seen as the province of the IT department rather than, as it should be, a key board-room issue for the e-commerce age. The Turnbull report has focused interest in this issue by setting out how directors of listed companies must comply with the UK's Combined Code requirements in respect of internal controls including both financial, risk management and operational - specifically operational from an IT perspective. By underlining the importance of IT Governance as a critical aspect of Corporate Governance the report establishes "best practice" for any organization both public and private, large and small. The development of IT governance - which recognizes the convergence between business management and IT management - makes it essential for managers at all levels of the organization to adopt "best practice" in information security. By taking on BS 7799 or ISO 17799 organizations can be certain that they are doing this. This handbook guides managers through the maze of issues involved in effective information security management and shows how to introduce reliable management controls. In so doing, it also goes into detail through the process of achieving BS or ISO certification. It is a resource for directors and senior managers in organizations of all sorts and sizes but particularly those with well-developed internal IT systems and those focused on e-commerce. Coverage includes: why is information security necessary?; the Combined Code and the Turnbull Report; BS 7799 - Benefits of certification; information security management; information security policy and scope; the risk assessment and statement of applicability; security of third party access and outsourcing; asset classification and control; personnel security; physical and environmental security; equipment security; general security controls; communications and operations management; controls against malicious software (malware); and housekeeping, network management and media handling.

Table of Contents:
Foreword Introduction Background Chapters 1. Why is information security necessary? Nature of information security threats Prevalence of information security threats Impacts of information security threats Cybercrime Cyberwar Legislation Benefits of an information security management system 2. The Combined Code and the Turnbull Report The Combined Code The Turnbull Report IT governance 3. BS 7799 Benefits of certification History of BS 7799 and ISO 17799 Use of the standard ISO 17799 Structured approach to implementation Quality system integration 4. Information security management The management information security forum Information security manager The cross-functional management forum BS 7799 project group Authorization process for information processing facilities Product selection and the Common Criteria Specialist information security advice Co-operation between organizations Independent review of information security Summary 5. Information security policy and scope Information security policy A policy statement Costs and monitoring progress 6. The risk assessment and statement of applicability Approach to risk Selection of controls and statement of applicability Gap analysis Risk assessment tools 7. Security of third party access and outsourcing Identification of risks Types of access Reasons for access Onsite contractors Security requirements in third party contracts Outsourcing 8. Asset classification and control Asset owners Inventory Information classification Unified classification markings Information labelling and handling Non-disclosure agreements and trusted partners 9. Personnel security Job descriptions Personnel screening and policy Confidentiality agreements and terms of employment User training Responding to security incidents and malfunctions Learning from incidents Disciplinary process 10. Physical and environmental security Secure areas Isolated delivery and loading areas 11. Equipment security Equipment siting and protection Power supplies Cabling security Equipment maintenance Security of equipment off-premises Secure disposal or re-use of equipment 12. General security controls Clear desk and clear screen policy Removal of property 13. Communications and operations management Documented operating procedures Operational change control Incident management procedures Segregation of duties Separation of development and operational facilities External facilities management System planning and acceptance 14. Controls against malicious software (malware) Viruses, worms and Trojans Anti-malware software Hoax messages Anti-malware controls Airborne viruses 15. Housekeeping, network management and media handling Network management Media handling and security 16. Exchanges of information and software Information and software exchange agreements Security of media in transit Electronic commerce security Security technologies Server security Security of electronic office systems Publicly available systems Other forms of information exchange 17. E-mail and Internet use Security risks in e-mail Misuse of the Internet Internet Acceptable Use Policy (AUP) 18. Access control Hackers Hacker techniques System configuration Access control policy 19. Network access control Networks 20. Operating system access control Automatic terminal identification Terminal logon procedures User identification and authentication Password management system Use of system utilities Duress alarms Terminal time-outs Limitation of connection time 21. Application access control Monitoring system access and use 22. Mobile computing and teleworking Mobile computing Teleworking 23. Systems development and maintenance Security requirements analysis and specification Security in application systems 24. Cryptographic controls Encryption Public Key Infrastructure (PKI) Digital signatures Non-repudiation services Key management 25. Security in development and support processes System files Access control to program source library Development and support processes 26. Business continuity management Business continuity management process Business continuity and impact analysis Writing and implementing continuity plans Business continuity planning framework Testing, maintaining and re-assessing business continuity plans 27. Compliance Identification of applicable legislation Intellectual Property Rights (IPR) Safeguarding or organizational records Data protection and privacy of personal information Prevention of misuse of information processing facilities Regulation of cryptographic controls Collection of evidence Review of security policy and technical compliance System audit considerations 28. The BS 7799 audit Selection of auditors Initial visit Preparation for audit Appendix: Sources of further information I. Useful websites Consultancy firms BS 7799 certification organizations E-learning Microsoft Information security Accounting, finance and economics Business, management and governance Contingency planning and disaster recovery Information technology Risk management II. Further reading Index