Technical Report: International codes of practice for Information Security management
Author: by 1945321533qqcom 2018-01-04 05:32:11
1. INTRODUCTION
International codes of practice for Information Security Management may assist organizations in the
management and implementation of an organizational information security strategy. These codes have been
compiled based on the combined experiences of several international companies (von Solms, 2000). Such
codes of practice should, however, serve as a baseline for Information Security – there will always be
exceptional cases. In other words, these codes represent the minimally acceptable security countermeasures
that an organization should have implemented (Brooks, Warren & Hutchinson, 2002). Although many
organizations still tend to develop their own set of guidelines based on their individual circumstances and
experiences, such guidelines should still be cross-referenced to an already existing international code of
practice. It is in the interest of organizations – to protect themselves – to adopt and comply with
international information security management codes of practice (Weiler, 2002).
Additionally, electronic commerce implicitly requires that business partners prove to each other that they
are adequately secured. The lack of sufficient security countermeasures in an organization may threaten the
security of its electronic business partners and vice versa. It is therefore necessary that an organization is
evaluated and certified as complying with some international information security standard. The British
standard for Information Security Management (BS7799) – now also known as the ISO17799 Standard – is
the only international code of practice that could be used presently, when an organization wants to provide
the necessary proof of adequate information protection (Barnard & von Solms, 1998). Such a certificate
would provide the necessary proof and all trading partners should then conform to this same standard to
ensure mutual trust between business partners.
There are several other international codes of practice for Information Security Management available
today, for example the Generally Accepted System Security Principles (GASSP) document, Control
Objectives for Information and Related Technologies (COBIT), Guidelines for the Management of
Information Technology Security (GMITS) and the Information Security Forum (ISF). The purpose of this
Technical Report is to provide an overview of these leading international codes of practice for Information
Security Management.
2. BS7799
In 1993 the UK Department of Trade and Industry (DTI) issued a code of practice on data security for
commercial IT users. This code of practice was intended to serve as a reference document for the agreement
on common security practices between trading organisations – especially those involved in electronic data
interchange (Buzard, 1999 and Kearvell-White, 1996). In February 1995 the British Standards Institution
published the British standard for Information Security Management (BS7799), which was based on the DTI
code (Department of Trade and Industry, 1995). This was the first standard for information security
management (Hickson, 1996). The 1995 version of BS7799 was revised and expanded and the current
version of BS7799 was published in 1999 (von Solms, 2000).
The aim of the BS7799 standard is to (Department of Trade and Industry, 1995; Quinn, 1997 and von
Solms, 2000):
• provide common best practice guidance to organizations to develop, implement and measure
information security, and to
• provide confidence in inter-organizational business.
Employees who are responsible for the implementation and management of Information Security in their
organizations can use the BS7799 code of practice as reference. Additionally, with regard to inter-company
trading the BS7799 code provides confidence in the security of shared information.
The 1999 version of the BS7799 standard consists of two parts (Buzard, 1999; Kearvell-White, 1996;
KPMG, 1998; Lillywhite, 2004; Pounder, 1999 and von Solms, 2000). Part 1: 1995 was submitted to the
International Standards Organization in 2000 and has since been accepted as an international standard. It is
now also known as ISO/IEC17799:2000. Part 1 provides guidance and recommendations to assist
companies in implementing best practices of Information Security. It designates ten essential key controls
which are either legislatively required or are considered fundamental building blocks for information
security, namely (Buzard, 1999; Kearvell-White, 1996 and von Solms, 2000):
• Information security policy document
• Allocation of information security responsibilities i.e. security organization
• Information security education and training i.e. personnel security
• Reporting of security incidents
• Virus controls
• Business continuity planning
• Control of proprietary software copying
• Safeguard of organizational records
• Data protection
• Compliance with security policy
BS7799 Part 1 serves as a reference framework for information security management and assists
companies in developing a strong, structured strategy for information security that is internationally
accepted as important (May, 2003).
Part 2: 1998 of BS7799 provides the requirements specification against which an organisation can be
assessed for compliance to the control measures stipulated in Part 1. This is the only internationally
accepted scheme against which formal information security certification can be done presently. If an
accredited and certificated BS7799 auditor successfully evaluates the company’s information security
management system against the BS7799 Code of Practice, an internationally accepted Certificate of
Compliance is issued. Such a Certificate is valid for three years (Buzard, 1999; May, 2003; von Solms &
von Solms, 2001 and von Solms, 2002).
Although BS7799 has gained international support from some countries, the uptake is slow because many
companies still do not realize that accreditation is the only viable option. Additionally, accreditation is
supplier driven and it takes time to filter down the supply chain (Barnard & von Solms, 1998 and BS 7799,
2003). However, according to the 2004 Department of Trade and Industry Survey organised by
PriceWaterhouseCoopers, organizations that have implemented the BS7799 Code of Practice experienced
fewer attacks and simultaneously cut their IT security costs (Hunter, 2004).
3. GASSP
The Generally Accepted System Security Principles (GASSP) document is another international standard
that identifies a core set of Best Practice Information Security principles. The GASSP document resulted
from work done by the International Information Security Foundation in 1992 to develop generally accepted
system security principles (Grimaila & Kim, 2001; Ott, 1999; Ozier, 1998; Poore, 1999 and Tipton, 2002).
The objectives of the GASSP are to (Krull, 1996):
• harmonize culturally neutral information security internationally;
• eliminate artificial barriers with regard to the free flow of information worldwide;
• define and implement a principled foundation for industry;
• provide for the rapidly evolving nature of information methods, issues and technology; and
• recognise and correlate to related management issues.
There are a number of benefits to the GASSP that can be summarized as follows (Poore, 1999):
• It promotes good practice;
• It serves as a legal and authoritative point of reference for information security practices;
• Good information security practice will increase the effectiveness and efficiency of business and will
help preserve the public trust in IT;
• The GASSP promotes best practice and in this way improves the effectiveness and efficiency of the IT
security functions;
• Global harmonization of information security principles will minimize barriers to the free flow of
information;
• A globally known skill set will be assured;
• Management confidence in information security practitioners’ decisions will increase;
• Industry and government will be motivated to support GASSP;
• Management worldwide will hold functional information security to the same set of rules;
• Vendors will be able to develop products with global conformance and in this way reduce development
and end-user costs;
• Vendor products conforming to GASSP will enjoy increased customer confidence, trust and acceptance.
The International Information Systems Security Certifications Consortium used the GASSP document to
standardize and maintain a Common Body of Knowledge (CBK) of security information relevant to
Information Security professionals. The CBK lists the following 10 domains, as depicted in Table 1, that are
essential knowledge for Information Security professionals (International Information Systems Security
Certifications Consortium, Inc. (ISC)², 2002):
Table 1. Domains of essential knowledge for Information Security professionals as defined by the CBK
Information Security Domains
1. Security management practices
2. Security architecture and models
3. Access control systems and Methodology
4. Application development security
5. Operations security
6. Physical security
7. Cryptography
8. Telecommunications, Networks and Internet Security
9. Business continuity planning
10. Law, investigations and ethics
4. COBIT
Control Objectives for Information and Related Technology (CobiT) was developed by the Information
Systems Audit and Control Association (ISACA) (Krull, 1996 and Ward & Smith, 2002). This model is
primarily business oriented and was designed to be employed by users, auditors and business process
owners. The purpose of CobiT is to provide organisations with a comprehensive framework of generally
applicable Information Security control practices (Ward & Smith, 2002). It provides a framework of
generally accepted IT security and control practices which organizations can use to benchmark their
existing and planned IT environment against standards of policy and good practice implemented worldwide.
The CobiT model focuses on specific control objectives. These objectives are associated with 32 IT
processes that can be classified into 4 major domains, namely planning and organization, acquisition and
implementation, delivery and support, and monitoring (Van Grembergen, 1997). Table 2 provides an
overview of each of the four domains:
Table 2. Domains of the CobiT model (Van Grembergen, 1997)
Planning and organization:
1. Define a strategic IT plan
2. Define the information architecture
3. Determine technological direction
4. Define organization and relationship
5. Manage investment
6. Communicate management and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risk
10. Manage projects
11. Manage quality
Acquisition and implementation:
12. Identify automated solutions
13. Acquire & maintain application software
14. Acquire & maintain technology architecture
15. Develop & maintain procedures
16. Install & accredit systems
17. Manage change
Delivery and support:
18. Define service levels
19. Manage third party service
20. Manage performance & capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify & allocate costs
24. Educate & train users
25. Assist & advise customers
26. Manage the configuration
27. Manage problems & incidents
28. Manage data
29. Manage facilities
30. Manage operations
Monitoring:
31. Monitor the progress
32. Obtain independent assurance
5. GMITS
Guidelines to the management of information technology security (GMITS) is a comprehensive IT security
programme that provides guidance on Information Security management. The International Standards
Organization (ISO) and the International Electrotechnical Commission (IEC) have introduced it jointly (von
Solms, 1998). Information Security is no longer a technical issue only and security problems can be
addressed through technical, physical, procedural, managerial or administrative controls. Organizations are
accordingly forced to adopt a more holistic approach towards Information Security. GMITS not only
provides organizations with a way to develop such an approach, but also provides a way to establish
commonality between organizations.
GMITS consists presently of five parts (Resources for Information Security Management and von Solms,
1998). Part 1: Concepts and models of IT Security (also known as ISO/IEC TR 13335-1: 1996) forms the
foundation for the other components of the GMITS standard. It is primarily aimed at managers who are
responsible for the overall security program of an organization. It introduces a series of concepts and models
that are independent of the nature of the organization. The aim of this part is to ensure that top and senior
management are able to make informed decisions regarding information security.
Part 2: Managing and planning IT Security (also known as ISO/IEC TR 13335-2: 1997) is aimed at
managers that oversee the design, implementation, testing, procurement or operation of IT systems and the
managers who are responsible for activities that make substantial use of IT systems. This part includes the
issues that an organization should address before establishing or altering an IT security program.
Part 3: Techniques for the management of IT security (also known as ISO/IEC TR 13335-3: 1998) is
relevant to all parties involved in the execution of any of the security-relevant aspects. It focuses
specifically on IT risk assessment and considers a number of different approaches.
Part 4: Selection of safeguards (also known as ISO/IEC TR 13335-4: 2000) is devoted to a discussion of
the merits of different safeguards and provides pointers to readily available safeguard catalogues.
Part 5: Management guidance on network security (also known as ISO/IEC TR 13335-5: 2001) addresses
the problem of communicating with other organizations or the public. In this way companies need to deal
with the risks associated with crossing the security perimeter of their organization.
It is important to note that GMITS and BS7799 complement one another – there is no overlap between
these two documents (Information and Communication Technology). GMITS provides a framework for
thinking about managing IT security, whereas BS7799 specifies a set of controls to implement the ideas
provided in GMITS. Furthermore, GMITS discusses high-level concepts about IT security management,
whereas BS7799 specifies a comprehensive set of controls for the development of an information security
management system. Finally, GMITS introduces general requirements and techniques for risk assessment,
whereas BS7799 applies these techniques to select the most appropriate controls.
6. ISF
The Information Security Forum (ISF) – an international non-profit association – was established in 1989
(Information Security Forum). It consists of more than 250 of the world's leading organizations who realize
that it is essential to protect their information. The ISF is dedicated to meeting the increasing need
to protect information against risks. The standard addresses information security from a business perspective
and it delivers practical, business-focused guidance to solve information security challenges impacting
business information today (The ISF’s Standard of Good Practice).
The ISF standard has been developed using a proven methodology. It is based on the ISF's extensive
work programme conducted over 14 years and it presents an international benchmark for information
security against which organizations can assess their performance. The Standard is updated and refined
every two years to keep up with the ever-changing nature of IT.
The ISF Standard will be of practical use to all types of organizations irrespective of size. It provides a
set of high-level principles for information security as well as good practices regarding information security.
There are many benefits when using and implementing the Standard. Organizations that implemented the
ISF standard will benefit as follows (Information Security Forum):
• Such organizations will move towards an international best practice.
• They will be able to manage information security risks and minimize the likelihood of the occurrence of
major risks.
• They will be able to maintain business integrity.
• They will fight the increase in cyber crime.
• They will comply with legal requirements.
• Such organizations will provide third parties with the assurance that information security is being
addressed professionally, and this will lead to increased trust.
7. THE AUSTRALIAN/NEW ZEALAND STANDARD FOR INFORMATION
SECURITY MANAGEMENT
The Joint Standards Australia/Standards New Zealand Committee IT/12 published the Australian/New
Zealand Standard for Information Security Management (AS/NZS 4444) in 1996 (Janczewski & Shi, 2002
and Brooks, Warren & Hutchinson 2002). This Joint Standard is based on the BS7799 code of practice.
The AS/NZS 4444 standard was revised in 1999 and rebranded as an internationally recognised ISO
standard (AS/NZS ISO/IEC 17799).
The AS/NZS 4444:1999 aims to provide a comprehensive reference document for managers and
employees who are responsible for implementing and maintaining information security within their
organization. It serves as a baseline for information security standards and identifies the range of security
controls needed in industrial and commercial applications. The standard consists of two parts, namely
AS/NZS 4444.1:1999 (Part 1) and AS/NZS 4444.2:2000 (Part 2) (Janczewski & Shi, 2002 and Brooks,
Warren & Hutchinson 2002).
Part 1 is identical to the British Standard BS 7799.1:2000. It provides a comprehensive set of controls
comprising the best information security practices currently in use. This part can be used as a baseline for
information security practices. Part 2 is identical to the British Standard BS 7799.2:2000. This part
accordingly forms the basis for an assessment of the information security of an organization.
The AS/NZS 4444 code of practice has many advantages including the following:
• It is simple to deploy.
• It is easy to establish policies.
• It is easy to maintain security consistency.
However, there are also a few limitations:
• It lacks the guidance on how to choose the applicable controls from the listed ones that will provide an
acceptable level of security for the specific organization. This can create insecurity as an organization
might decide to ignore some controls that were actually required.
• It is hard for the standard to always keep track of the recent developments and issues of IT and security
technologies.
• It cannot take account of environmental constraints and select, apart from the obligatory key controls, the
security controls which would be most likely to be relevant to a particular industry.
The following are the major criteria of AS/NZS 4444 (Janczewski & Shi, 2002 and Brooks, Warren &
Hutchinson 2002):
1. Security policy
2. Security organization
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Computer and network management
7. System access control
8. System development and maintenance
9. Business continuity planning
10. Compliance
8. GERMAN IT BASELINE PROTECTION MANUAL
The German federal agency for security in IT developed the IT Baseline Protection Manual (Brooks,
Warren & Hutchinson 2002). This is a nationally recognized standard in Europe and presents a detailed set
of baseline security measures that apply to virtually every IT system. The aim of these IT baseline
protection recommendations is to achieve a security level for IT systems that is reasonable and adequate to
satisfy normal protection requirements. This is achieved through the appropriate application of
organizational, personnel, infrastructural and technical standard security safeguards.
The IT Baseline Protection Manual provides (IT baseline Protection):
• Standard security measures for typical IT systems with “normal” protection requirements.
• A description of the threat scenario that is globally assumed.
• Detailed descriptions of security measures to assist with their implementation.
• A description of the process involved in attaining and maintaining an appropriate level of IT security.
• A simple procedure for ascertaining the level of IT security attained in the form of a target versus actual
comparison.
The IT baseline Protection Manual is structured in a modular fashion and each module reflects typical
areas in which IT assets are employed. Every module starts by describing the typical threats and their
probability of occurrence that might be expected in the given area. This “threat scenario” provides the basis
for generating a specific package of security measures from the areas of infrastructure, personnel,
organization, hardware, software, communications and contingency planning. These scenarios are presented
to create awareness.
The safeguards listed in the IT baseline Protection Manual are the minimum security precautions which
it is reasonable to implement in the modules concerned using the latest available technology. In some cases
these safeguards also provide a higher level of protection than that required simply to implement a baseline
level of protection.
The approach adopted in the IT baseline Protection Manual is different from a typical risk assessment
exercise. It requires only that a target versus actual comparison is performed between the recommended
measures and those already implemented. The security shortcomings, which need to be eliminated through
adoption of the recommended measures, are defined in terms of those security measures identified which are
lacking and not yet implemented. It is only necessary to execute a supplementary security analysis where the
protection requirement is significantly higher.
The IT baseline Protection Manual makes it possible to implement IT security concepts simply and
economically in terms of the resources required. It is continuously updated and expanded.
9. THE INFORMATION SECURITY INSTITUTE OF SOUTH AFRICA
The Information Security Institute of South Africa – ISIZA – was established in October 2000 (Von Solms
& von Solms, 2001). The ISIZA model operates by using an Information Security Certification framework
that consists of 5 levels:
• ISIZA Level 1 – This is the introductory level and consists of a selection of BS 7799 controls.
• ISIZA Level 2 – It follows on Level 1 and includes more BS7799 controls.
• ISIZA level 3 – It follows on Level 2 and includes more BS7799 controls.
• ISIZA level 4 – It follows on Level 3 and includes more BS7799 controls.
• ISIZA level 5 – This is the full BS7799 certification.
The ISIZA model has the advantage that an organization can get an initial ISIZA certificate much faster,
by conforming to a small subset of BS7799 controls. The company can then over time move incrementally
to higher levels, until the full BS7799 level is eventually reached. An advisory board, consisting of
interested parties from industry, determines the controls contained in the different levels.
10. CONCLUSION
The ever-changing field of information technology has led to an increase in the number of risks occurring,
and therefore information security has become a critical factor in any organization. This situation forced
organisations to revisit the issue of information security. International codes of practice for Information
Security Management may assist organizations in the management and implementation of information
security in their organizations. There are several International codes of practice for Information Security
Management available today, for example the British Standard for Information Security Management
(BS7799), the Generally Accepted System Security Principles (GASSP) document, Control objectives for
information and Related Technologies (COBIT), Guidelines for the management for Information
Technology Security (GMITS) and the Information Security Forum (ISF). This report was devoted to
providing an overview of these leading international codes of practice for Information Security Management.