Callio Secura 17799

A tool for implementing the ISO 17799 / BS 7799 standard

Callio Technologies Product Support Services White Paper

By Rima Saliba
Information Security Analyst, Callio Technologies

René Saint-Germain,
President, Callio Technologies

Abstract

This white paper presents Callio Secura 17799, a tool that includes everything you need to devel-
op, implement, manage and certify your Information Security Management System (ISMS) based
on the ISO 17799 / BS 7799-2 standard - the only international ISMS standard available today. With
Callio Secura 17799 you apply a practical method of developing, implementing, managing, and
certifying an Information Security Management System. Starting by defining the desired scope of
your organization's ISMS, the process continues with assessing and managing risks, generating
policies, implementing security controls in accordance with the risk analysis, controlling and pub-
lishing your ISMS policies, procedures and documentation, auditing your ISMS, and finally, review-
ing and improving your ISMS.

Callio Technologies Product Support Services White Paper

 Table of Contents

Pages

1 Introduction
2 ISO 17799 / BS 7799-2 Methodology and Callio Secura 17799 Tools and Modules
3 Callio Secura 17799 Structure
5 Steps for Implementing ISO 17799 / BS 7799-2 with Callio Secura 17799

5 Project Initiation (Methodology)

5 Define the ISMS Scope (Project Management)
7 Customize the Evaluation Scales (Project Management)
7 Gather Existing Documentation (Document Management)

8 Risk Assessment and Risk Treatment

8 Definitions and Terminology
8 Assets, Threats, Vulnerabilities and Legal & Business Requirements
9 Risk
9 Risk Assessment
9 Risk Treatment
10 Qualitative Risk Assessment Approach
10 Risk Assessment Process and Modules in Callio Secura 17799
11 ISO 17799 Preliminary Diagnostic
12 Asset Inventory
13 Asset Evaluation
14 Risk Identification
15 Risk Evaluation
16 Risk Calculation
17 Risk Treatment
17 Selection of ISO 17799 Controls
18 Policy Management
19 Template Selection
20 Audit Preparation
20 ISMS Diagnostic
21 Statement of Applicability
22 Document Management
23 Reports

24 Advantages of Callio Secura 17799

25 Technical Specifications
26 Conclusion

Callio Technologies Product Support Services White Paper i

 Introduction

Information exchange and other relations between businesses, organizations and administrations,
both at national and international levels, create a need for the use of recognized standards in the
management of information security.
Specialists in information security widely view ISO 17799 / BS 7799-2 as the answer to this need. As
a model and reference, it enables an organization to define its own security goals and to develop an
Information Security Management System (ISMS) that is customized to its needs.
The ISO 17799 standard makes recommendations for information security management for use by
those who are responsible for initiating, implementing or maintaining security in their organization. Its
purpose is to provide a common basis for organizational security standards and for effective security
management practice, thereby improving confidence in inter-organizational dealings.
Recommendations from this standard should be selected and used in accordance with applicable
laws and regulations.
Complementary to ISO 17799, the BS 7799-2 standard specifies requirements for establishing, imple-
menting, operating, monitoring, reviewing, documenting, maintaining and improving an ISMS within
the context of an organization's overall business risks. It specifies requirements for implementing
security controls customized to the needs of individual organizations or parts thereof.
Consequently, implementation of the ISO 17799 / BS 7799-2 standard can be carried out in a series
of steps, as touched on in the introduction to ISO 17799 and in the second part of BS 7799. These
steps can be summarized as follows:

1- Identify what to protect and why

2- Identify what to protect from
3- Identify the risks
4- Learn how to protect your organization
5- Audit and certify your organization

To carry out the first three steps, you need to follow a methodology and use a risk-analysis tool. ISO
17799 does not specify requirements for methods of risk analysis, since each organization has its own
particular needs and characteristics.
The bulk of ISO 17799 / BS 7799-2 is devoted to the fourth and fifth steps of the process, telling you
"what to do" but not "how to do it". This is where CALLIO SECURA 17799 comes in, helping organi-
zations define the "how to" of managing information security, and providing tools for the development,
management and certification of their Information Security Management Systems.
The following section presents the features and functionalities of Callio Secura 17799, beginning with
the relation between the methodology of ISO 17799 / BS 7799-2 and the tools in Callio Secura 17799.
Each module and implementation tool is explored, including the risk analysis tool, the policy genera-
tor, the diagnostics for audit and compliance, and the document management tool.

Callio Technologies Product Support Services White Paper 1

 ISO 17799 / BS 7799-2 Methodology and Callio Secura
17799 Tools and Modules

As indicated by the title of this article, Callio Secura 17799 is a tool for implementing the ISO 17799
/ BS 7799-2 standard. As such, it offers virtually everything needed to develop an Information
Security Management System and to manage the documents required by the standard.
The table below shows the relation between the ISO 17799 / BS 7799-2 methodology and the tools
and modules of Callio Secura 17799, which implement the standard in a practical way.

ISO 17799/BS 7799 Description Callio Secura 17799 Tools

Methodology and Modules
Project Initiation Ensure the commitment of senior management. Methodology: Refer to this guide to
Select and train members of the initial project initiate the project and to learn what
team. tools should be used at each step of
the standard’s implementation
ISMS Definition Identify the scope and limits of the information Project management module
security management framework.

Risk Assessment Diagnose the level of compliance with ISO 17799. Risk assessment module, including
Compile an inventory of, and evaluate, the assets preliminary diagnostic, asset invento-
to protect. Identify and evaluate threats and vulner- ry and evaluation, risk identification
abilities. Calculate the value of associated risks. and evaluation, and risk calculation

Risk Treatment Find out how selecting and implementing the right Control selection
controls can enable an organization to reduce risk Consult selected controls
to an acceptable level. Policy management
Template selection

Training and Employees may be the weakest link in your organi- Methodology
Awareness zation's information security. Learn how to set up Document management tool
an information security awareness program.

Audit Preparation Learn how to validate your management frame- ISMS diagnostic
work and what must be done before bringing in an Statement of applicability
external auditor for BS 7799-2 certification.

Audit Learn more about the steps performed by external Document management tool
auditors and find out about BS 7799-2 accredited
certification bodies.

Documentation Generate all ISMS reports and documentation, Reports module: generate reports
and Reports including the ISMS scope, policies, risk assess- and send them to the document man-
ment report, risk treatment plan, procedures, state- ager for control
ment of applicability, etc.

Control of Approve, review, update and publish ISMS docu- Document management tool
Documentation ments

Control and Learn how to improve the effectiveness of your All Callio Secura 17799 modules as
Continual ISMS in accordance with the management model well as continual improvement tools
recognized by ISO.
Improvement

Callio Technologies Product Support Services White Paper 2

 Callio Secura 17799 Structure

The following diagram illustrates the structure of Callio Secura 17799. In each module, the user has
access to the input and resources provided by Callio Secura 17799, and by the ISO 17799 / BS
7799-2 standard, in order to work on specific tasks in the implementation process. This gives the
user everything he needs to generate the corresponding reports required for managing the ISMS.

Callio Technologies Product Support Services White Paper 3

Callio Secura 17799 helps you identify valuable assets by proposing examples of tangible and intan-
gible assets and classifying them according to different categories. It also offers a substantial list of
threats and vulnerabilities associated with each category of asset. It guides you through the imple-
mentation of your information security management framework by providing implementation, audit,
interpretation and recommendation guides corresponding to each of ISO 17799's controls. It offers
35 policies and over 500 guidelines divided among the various sections of the standard. It also pro-
poses over 100 documents to help you implement the standard, including examples, strategic plans
and templates.

Callio Technologies Product Support Services White Paper 4

 Steps for Implementing ISO 17799 / BS 7799-2 with
Callio Secura 17799

1) Project Initiation (Methodology)

Learn how to get the ISO 17799 implementation project under way. More specifically, learn to:
- Encourage commitment from senior management;
- Choose and train all members of the initial team taking part in the project.

Power Point presentations and implementation diagrams are available in the methodology module.
They will introduce you to the step-by-step approach to ISO 17799 implementation and BS 7799-2
certification.

- Define the ISMS Scope (Project Management)

Identifying the scope and limits of the information security management framework is crucial to
the project. Define the mandate of the ISMS. More than one ISMS may be required depending
on the IT systems, departments or projects within your organization that require independent
information security management.

Contracts and Agre ements

Source: BSI presentation

(www.ceem.com)

Callio Technologies Product Support Services White Paper 5

While defining the ISMS scope, identify the following:
Company: Enter the organization's name. This name will appear in reports as well as in the policies
generated.
ISMS Name: Assign a name to your management framework. For example: Canadian Subsidiary of
Company XYZ Inc.
Objective / Goal: In light of the initial intent, a clear decision must be made to either adopt the stan-
dard for compliance or obtain BS 77799-2 certification.
Scope: What administrative units and activities will be covered by the information security manage-
ment framework? The answer to this question offers a fair representation of the organization's most
important activities.
Limits / Boundary: The limits of the ISMS scope must reflect:
o The specific characteristics of the organization (size, field of endeavour, etc.);
o Location of the organization;
o Assets (inventory of all critical data);
o Technology.
Interfaces: The organization must take into account interfaces with other systems, other organizations
and outside suppliers. Note: all interfaces with services or activities not entirely included within the
limits of ISMS definition should be considered in the ISMS certification submission and be part of the
organization's information security risk assessment; for example, sharing equipment such as comput-
ers, telecom systems, etc.
Dependencies: The ISMS has to respect certain security requirements. These requirements could be
of a legal or commercial nature. For example, an organization in the health sector may be subject to
the Health Insurance Portability and Accountability Act (HIPAA).
Exclusions & Justifications: Any element or domain (part of a network or of an administrative unit) that
is defined by the ISMS but not covered by a security policy or security measures must be identified
and its exclusion explained.
Strategic Context: Planned security measures must take into account the actual or imminent position
of the organization as determined by mission-compatible goals set by senior management. Examples
of such goals include the acquisition of a new company, the merging of existing infrastructures, down-
sizing, or the decision to outsource information systems.
Organizational Context: The organizational environment affects the measures that must be imple-
mented to meet certain management objectives. For example, outside access to company servers for
teleworking purposes would require specific security measures.
ISMS Coordinator: This role may be assumed by a management committee made up of several mem-
bers.

Callio Technologies Product Support Services White Paper 6

While defining the ISMS scope, the project leader must create work teams and select personnel to
take part in the project. In view of the importance of documentation in the development and certifica-
tion of an ISMS, these teams should reflect the way documentation will be organized in the document
management tool. Personnel will be then be assigned to the various teams, where each will have a
specific role to play.

-Customize the Evaluation Scales (Project Management)

Before beginning the risk assessment, the project leader can define customized scales for asset
evaluation and risk evaluation. These scales use qualitative values such as "low," "medium" and
"high," which are then associated to numerical values, such as 1, 2 and 3.

-Gather Existing Documentation (Document Management)

The organization may already have documentation regarding information security management.
It would therefore make sense to gather these documents together in the integrated document
management tool.

The methodology guide provides a list of the type of documents to look for, such as:
- Security policy documents;
- Standards and procedures for policies (administrative or technical);
- Risk assessment reports;
- Risk treatment plans;
- Documents indicating the existence of information security controls or that reflect the
ongoing management of the ISMS, such as audit journals, audit trails, computer incident
reports, etc.

These documents should be reviewed by the implementation team, and controlled, revised and
approved by senior management or by security officers. Should the company require a document
management tool, it can use the one provided by Callio Secura 17799.

Callio Technologies Product Support Services White Paper 7

 Risk Assessment and Risk Treatment

2) Risk Assessment and Risk Treatment

Once the project initiation step is completed, the next phase in Callio Secura 17799 is that of risk
assessment and risk treatment.

-Definitions and Terminology

Assets, Threats, Vulnerabilities and Legal & Business Requirements

An organization's value resides in its assets. Assets can take a variety of forms, from the phys-
ical (buildings and equipment), to intellectual or informational (ideas, software and patents), or
even the meta-physical (brand and reputation).

A given asset may present a weakness that makes it susceptible to attack or damage. This is
referred to as an asset's vulnerability.

Callio Technologies Product Support Services White Paper 8

A threat is an incident with the potential to damage an asset. Various types of threats exist. Threats
may be natural (tornados, earthquakes, floods) or man-made (computer viruses, industrial espionage,
theft).

The statutory and contractual obligations that the organization must comply with, along with its trad-
ing partners, contractors and suppliers, constitute the legal requirements.

Business requirements, on the other hand, are the unique set of principles, objectives and require-
ments for information processing that the organization has developed and implemented in order to
run its business operations and processes. These requirements apply to the organization's informa-
tion systems.

Risk

When a threat exploits an asset's vulnerability, the asset is compromised. This compromise can affect
the confidentiality, integrity or availability of the asset and results in a partial or total loss of value. This
loss of value is called the asset's exposure.

The term 'risk' is used to describe the possibility or the likelihood of this compromise occurring.

Risk Assessment

The risk assessment process involves identifying and evaluating the risk of compromise and loss of
value that exists for each asset.

Risk Treatment

During the risk treatment process an overall strategy is defined to deal with the risks identified during
the risk assessment. Risks can be managed using one or more of the following four basic approach-
es:
- Avoiding the risk
- Accepting the risk
- Mitigating the risk
- Transferring the risk

Ignoring a risk is never an appropriate solution. However, risks can be avoided by removing poten-
tially targeted assets from an area of risk or by abandoning the business activities that create securi-
ty weaknesses.

Callio Technologies Product Support Services White Paper 9

Accepting the risk involves documenting the fact that no additional efforts will be made to deal with
the risk in question. Risk mitigation refers to any steps that are taken to reduce the risk. When a risk
is transferred, responsibility for dealing with the risk is passed on to another party. For example, trans-
ferring risk may include insuring the asset in question, or placing it under the protection of a third party.
Risk treatment strategies focus to a large extent on minimizing risk. Controls may be implemented to
protect an asset by addressing the vulnerability or threat, or by reducing the asset's value.

Risk assessment and risk treatment are both subjective processes. It is therefore important that asset
owners and security personnel communicate effectively in order to successfully identify risks and cre-
ate an overall management strategy.

Qualitative Risk Assessment Approach

A qualitative approach to risk assessment provides a simple way of measuring the value of an asset
and the likelihood of a threat occurring. The values used can be described by a single word, such as
"High", "Medium" and "Low". This approach deals effectively with the shortcomings of a quantitative
approach by reducing the ambiguity inherent in figures.

-Risk Assessment Process and Modules in Callio Secura 17799

The risk assessment process involves completion of the following steps:
• Preliminary diagnostic;
• Identification of critical information and assets;
• Evaluation of critical information and assets;
• Identification of all security requirements: i.e. threats and vulnerabilities, legal and business
requirements;
• Assessment of the likelihood of threats and vulnerabilities occurring, as well as the importance
of legal and business requirements;
• Calculation of risk following completion of the above steps.

Callio Technologies Product Support Services White Paper 10

ISO 17799 Preliminary Diagnostic

Answer the preliminary diagnostic's 127 questions in order to form an initial judgement regarding
the state of security of your management framework, based on the controls, processes and pro-
cedures required by the ISO 17799 standard.

Find out more about the ISO 17799 standard and each of its controls through the explanations
provided for each question in the Guide.

Identify existing protective measures. Verify which controls have been completely or partially
implemented, are non-applicable, or do not exist in your ISMS.

Callio Technologies Product Support Services White Paper 11

Asset Inventory

Identify and classify your organization's critical and sensitive information. This classification
determines the level of importance of the information (confidential, internal use only, public, etc.)

Identify the tangible assets that process, handle, print, store or transmit the intangible information
previously identified.

The "Asset Inventory" module offers a wide range of examples of assets to help you draw up the
list of your own assets. The examples are divided among the following categories:
- Buildings and equipment;
- Documents;
- Software;
- Computer hardware;
- Human resources;
- Services

Callio Technologies Product Support Services White Paper 12

Asset Evaluation

Before beginning the evaluation, customize your own evaluation scale (for example, 1- very low,
2- low, 3- medium, 4- high, 5- very high). Next, for each asset, evaluate the loss or damage that
would result from a loss of confidentiality, integrity or availability, or by contravening legislation.
Use the qualitative scale you initially defined in the "Project Management" module. Finally, justi-
fy your evaluation for each criterion for audit purposes.

Callio Technologies Product Support Services White Paper 13

Risk Identification

Identify vulnerabilities, threats and legal and business requirements and associate them with
each asset that processes critical information.

Use the suggestions Callio Secura 17799 offers in terms of threats, vulnerabilities and legal and
business requirements in order to refine this list.

Callio Technologies Product Support Services White Paper 14

Risk Evaluation

Using your own qualitative scale, evaluate the probability of threats that could exploit the vulner-
abilities that have been identified for each asset. Next, determine which criteria - Confidentiality,
Integrity, Availability, Legal - comprise the potential impact of a given threat.

Callio Technologies Product Support Services White Paper 15

Risk Calculation

View the risks you need to manage in order of priority. Risk value is calculated based on the like-
lihood of occurrence and the impact of these risks on the organization.

Risk = impact x probability of the threat occurring or of legal/business requirements not being met.

View the risk analysis report in order to make the right decision regarding each risk (reduce,
accept, avoid, or transfer).

Callio Technologies Product Support Services White Paper 16

 - Risk Treatment

Selection of ISO 17799 Controls

Following your risk assessment, Callio Secura 17799 suggests administrative, technical and
physical controls for implementation in your company. Choose whether or not to retain the sug-
gested controls and justify your risk treatment decision regarding each control.

Refer to the guides in order to properly understand each control. Consult the implementation
guides, the interpretation of the standard's recommendations, security issues, the objectives
associated with each control, and the glossary, which contains over 250 words related to informa-
tion security management.

Callio Technologies Product Support Services White Paper 17

Policy Management

Rapidly create your security policy using the wide selection of policies and directives proposed
by Callio Secura 17799 (35 policies and over 500 guidelines divided among the 10 points of the
ISO 17799 standard).
Once your risk analysis is completed, predefined policies are proposed in the "Policy Generator"
tool. You do not need to create entirely new policies from scratch.
Create user groups and roles, then customize your policy coverage by sending each group only
those policies that deal with that group's specialty. This strategy saves time and money, and helps
complete the policy coverage in your organization.
Select, add, delete, modify and classify the policies required to meet your security needs. Entire
sections of any policy can be modified using the policy management tool. You can change a pol-
icy's scope, objectives, guidelines, and audience, as well as the person responsible and the links
between the policy and ISO 17799 controls and sections.
Prepare reports documenting your efforts to comply with internal or external guidelines.
Next, generate your customized security policy manual and export it to the document manager
for revision and, finally, company-wide publication.

Callio Technologies Product Support Services White Paper 18

Template Selection

Over 100 documents, including models, checklists, examples, additional information and utilities, are
available to help you implement ISO 17799 controls in your ISMS.

Choose the desired templates and export them directly into the integrated document management
tool.

Callio Technologies Product Support Services White Paper 19

 - Audit Preparation

ISMS Diagnostic

Verify whether your ISMS meets the requirements for BS 7799-2 certification.

The diagnostic's 81 questions will help you determine whether the ISMS framework you have
developed can be effectively implemented, controlled, maintained, reviewed and continually
improved as required by the standard.

Is the documentation required for certification being managed correctly? Is your organization
responding adequately to its inherent security responsibilities? The diagnostic will help you find
the answers.

Use the interpretation guide for each question in order to clarify the issues covered.

Callio Technologies Product Support Services White Paper 20

Statement of Applicability

Document and justify the applicability or non-applicability of the 127 controls in the ISO 17799 stan-
dard to your management framework.

Document the implementation status of each control for each informational asset.

Use the audit guide to ensure the effectiveness of the implementation of each control.

Prior to the documentation audit for BS 7799-2 certification, generate the general or detailed state-
ment of applicability and export it to the document manager.

Callio Technologies Product Support Services White Paper 21

- Document Management

Bring together all of your files and documents, regardless of format, in a centralized database on the
Web server.

Give your various work teams access rights to one or more directories, and assign privileges, such
as reader, writer or approving officer, to each team member. Only users with assigned privileges can
access documents in the document management system. These privileges are set up by the system
administrator in the project management section.

Manage version control, follow-up, approval and publication of your files and documents.
Audit and approve files for certification.

Callio Technologies Product Support Services White Paper 22

- Reports

Callio Secura 17799 provides the following reports, which you can view onscreen, print, or automat-
ically export to the document manager for later review and maintenance:
-ISMS goal and scope
-ISO 17799 compliance report
-Inventory of assets and critical information
-Risk analysis report
-Risk treatment plan outline
-Statement of applicability
-Customized security policies

These are the necessary reports demanded by the ISO 17799 / BS 7799-2 standard.

Callio Technologies Product Support Services White Paper 23

 Advantages Of Callio Secura 17799

This section highlights important benefits of Callio Secura 17799 and itemizes key features that work
together to offer those benefits. Here is a quick review:

- A comprehensive tool for implementing the ISO 17799 / BS 7799-2 standard

- Available in English and French
- Easy to install: Web application installed on the company server and accessible to all
internal and external users via their browsers
- Document management centralized in one module. Offers a single location for document
storage instead of documents being scattered throughout the organization
- 36 policies and over 500 directives that can be modified and customized to meet your
security needs
- Uses ISO 17799 format for information and for policy statements
- Creates an entire policy document from a provided sample
- Over 100 templates and working papers
- Guides and explanations are offered at each step of the ISMS implementation process
- Safe: unauthorized users cannot alter or access any part of the application
- Secure: only users with appropriate permissions can create, edit, and manage policies and
other documents and procedures
- Provides simple, easy-to-read reports that can be exported to the document management
tool for printing, storage, or subsequent maintenance

Callio Technologies Product Support Services White Paper 24

 Technical Specifications

Server Requirements Computer IBM® or compatible (800 Mhz and up)

Random Access 512 MB

Memory (RAM)
Disk Space 1 Gb (minimum),
2 Gb (recommended)
Network Adapter 100 Mbps

Operating System Windows® Nt, 2000, XP or 2003

Database MySQL

Web Server IIS 4/5/6

Apache®1.3.x / 1.2.x
Software Macromedia® ColdFusion® MX
Server
Client Requirements Computer IBM® or Compatible (Intel Pentium®
and greater)
Resolution 800 by 600 pixels or higher

Web Browser Internet Explorer® 5.x, 6

Software Word processing software

Callio Technologies Product Support Services White Paper 25

 Conclusion

Many organizations already possess the information they need to create a strong security program.
What they typically lack however is a routine, ongoing mechanism to track progress against a norm
and to build a solid framework.

Callio Secura 17799 is a simple but effective technique for implementing an information security man-
agement system framework, based on the ISO 17799 / BS 7799-2 standard.

It is powerful, capable of providing an enterprise-wide management framework covering every secu-

rity need. It is flexible, with each component letting you link existing information instead of re-enter-
ing data or creating it from scratch; for example, it suggests the likeliest threats to an organization's
assets, and once a risk analysis has been performed it provides full-fledged security policies that you
can modify as you wish. Its logical workflow leads to a greater understanding of the security needs
of every asset and of the organization as a whole. Finally, by helping to ensure that risk assessment
is thoroughly informed, Callio Secura 17799 offers the ultimate capability in risk analysis, giving accu-
rate pictures of risk levels and of the appropriate security controls for your organization's computing
environment.

www.callio.com

Callio Technologies Product Support Services White Paper 26

 Callio Technologies
740, Galt Street West, Suite 10
Sherbrooke, (Quebec)
Canada, J1H 1Z3

www.callio.com

Telephone: (819) 820-8222

Toll-free: 1-866-211-8222
Fax: (819) 820-9518
Information: info@callio.com
Human Resources: rh@callio.com
Webmaster: webmestre@callio.com