ISO 9000 ISO 14000 Forum
ISO/IEC 17799 Compliant
Fredrik M Andersson Master Thesis
Department of Computer and Systems Sciences
Stockholm University / Royal Institute of Technology
December 2004

Abstract 
As companies increasingly recognize information as a valuable asset, the handling of that information becomes increasingly important. There is a need to keep information secure, and different ways of ensuring this have been developed.
The ISO 17799 standard sets out to aid the work towards good security and is considered an ample tool for this job. Many companies are adopting it, or plan to adopt it. However, information security in general, and the standard in particular, is a comprehensive piece of work and requires prior knowledge and a lot of effort from those who are to implement it.
This thesis aims to find out what the current status of the information security work looks like within a modern large sales company that is part of a corporation recognized as the world's largest producer within its area of business. The results are produced from available documentation, a comprehensive questionnaire and informal interviews. The process does not start from a hypothesis but aims to get a picture of what, and how much, has been done within the company in the work towards compliance with their version of the standard. The company is part of a large international corporation and has received a stated minimum level of security from higher up in the organization. At the time of writing they have worked towards ensuring information security for over two years.
The picture that emerges shows that the level of security is lower than it is supposed to be, and that the work has not really gained full support. The main reasons for this lack of support are concluded to be lack of motivation, interest and knowledge from top to bottom within the company. Also, the issues that have been taken care of are those that are directly visible and generally well known to the public, while those that have not been taken care of are those that are not generally known of, or that require more prior knowledge in the area. For instance there is good protection against viruses, and there are some rules on what you can and cannot do as an employee. At the same time there are no continuity procedures for the most important systems in the company, and there are no general mechanisms enforcing confidentiality and/or integrity of even the most important documents. However, the work is slowly progressing, raising the level of security inch by inch.
On the whole, the conclusion is drawn that the information security work has not really gained momentum and that the company would benefit from raising the level of knowledge and motivation in this area, so that they could proceed with the work towards good security more efficiently and reach the targeted minimum level sometime in the future. It is also concluded that the work towards information security in this company is held back more by lack of interest in the area in general than by lack of knowledge and understanding of the standard or their version of it.

Acknowledgements 
I would like to thank: 
My examiner Fil. Dr. Christer Magnusson and his wealth of good thoughts and comments. 
Without him I would probably not have been able to produce this thesis at all. 
The head of, and employees at, the IT-department of this company. They all patiently 
answered all of my endless unexciting questions and were of great help. 
All the other people at top and middle management and the employees in this company who took time out to answer my organizational and security related questions and in other ways helped me understand how the organization works.
The people at other parts of the corporation who answered my questions. 
The head of information security for the European sector who kindly helped me with 
information when I was totally alone and lost in the beginning. 
And last but not least I would like to thank the head of corporate global information security, who, despite being very busy, took time to help me.
Thank you all. 

Department of Computer and Systems Sciences 
Fredrik M Andersson 
I 
Table of contents
1 Introduction ... 1
1.1 Background ... 1
1.2 Problem ... 2
1.3 Objectives ... 2
1.4 Limitations ... 3
1.5 Intended audience ... 3
1.6 Layout ... 3
2 Method ... 5
2.1 Hermeneutic – interpretations of observed conditions ... 5
2.2 Positivism – presentation of facts ... 5
2.3 What approach will fit best in this thesis? ... 5
2.3.1 Quantitative or qualitative ... 6
2.4 Reliability & validity ... 6
2.4.1 Reliability ... 7
2.4.2 Validity ... 7
3 Descriptions (theoretical framework) ... 8
3.1 Information security ... 8
3.1.1 Confidentiality ... 8
3.1.2 Integrity ... 8
3.1.3 Availability ... 9
3.1.4 Accountability ... 9
3.1.5 Risk management (and risk assessment) ... 9
3.1.6 Contingency planning ... 10
3.2 ISO/IEC 17799:2002, code of practice for information security management ... 11
3.3 Information Security Framework ... 15
3.4 Monitor Tool ... 16
4 Company setting ... 18
5 Data collection ... 20
5.1 How data was collected ... 20
5.2 What problems were there in collecting the data? ... 20
6 Result ... 22
6.1 Total compliance ... 22
6.2 Compliance within different areas (%) ... 24
6.2.1 ISF Chapter 2: Roles and responsibilities (25%) ... 25
6.2.2 ISF Chapter 3: Information security risk mgmt process (57%) ... 25
6.2.3 ISF Chapter 4: Security functions and classifications (18%) ... 25
6.2.4 ISF Chapter 5: Personnel security (38%) ... 26
6.2.5 ISF Chapter 6: Security of third-party access (25%) ... 26
6.2.6 ISF Chapter 7: Physical and environmental security (71%) ... 27
6.2.7 ISF Chapter 8: Authentication and rights management (68%) ... 27
6.2.8 ISF Chapter 9: Communications and operations mgmt (49%) ... 28
6.2.9 ISF Chapter 10: System development and maintenance (39%) ... 28
6.2.10 ISF Chapter 11: Compliance (13%) ... 29
6.3 Risk assessment ... 29
6.4 Contingency plan ... 29
7 Analysis ... 30
8 Conclusion (& recommendation) ... 32
9 Discussion ... 34
9.1 Knowledge ... 34
9.1.1 Knowledge - conclusion ... 35
9.2 Motivation/interest ... 35
9.2.1 Motivation/interest - conclusion ... 36
9.3 Time ... 37
9.3.1 Time - conclusion ... 37
10 Underlying cause ... 38
11 Further research ... 40
12 Weaknesses ... 41
References ... 42
Books ... 42
Internet ... 42
Other ... 43

1 Introduction 
1.1 Background 
“Information is an asset which, like other important business assets, has value to an 
organization and consequently needs to be suitably protected. Information security protects 
information from a wide range of threats in order to ensure business continuity, minimize 
business damage and maximize return on investments and business opportunities.”1 
As modern companies rely more and more on IT in their daily business, more and more information is being held within those companies' IT systems. These days IT is used not only in the internal and external communications of an enterprise, but also in daily business operations. Much of the information stored within, and transferred through, those companies' systems is considered important data, and some is even considered business critical. If this information is lost, ends up in the wrong hands or is misused in any other way, it can be catastrophic to the company in question, and equally catastrophic to other parties doing business, directly or indirectly, with that company.
Imagine for instance a service provider who handles backups for other companies. If their backups fail and no one knows if, and how, they can be restored, or if one of their employees is talked into giving up, or by accident gives up, information about one customer to another, this could end not only in the backup company going down due to bad reputation and/or lawsuits, but also a number of their customers. All because the backup company did not have adequate routines and procedures for the handling of their information.
For companies to be able to trust each other regarding the handling of critical information, and for shareholders to be able to trust the companies' ability to do so, there needs to be assurance that the companies have adequate routines and procedures for this. In other words, companies need to know what risks they are exposing themselves to when doing business with each other.
As an answer to this need, and to aid in conforming the work of protecting all of a company's information assets (not just the IT-related ones), an international standard, ISO/IEC 17799, has evolved; it can be described as a set of best practices for dealing with information security (IS). As written, it is flexible and neutral enough to be used in any organization. This flexibility, meant to make it easy for adopters, has its setbacks though. Although the editing group has not had any complaints or concerns about the standard being vague2, concerns have been expressed from other directions that it is vague and might give companies a false sense of security3,4,5, and it is currently being revised to make it easier to understand.
For example, there are many places where it is stated that “appropriate measures” shall be taken to ensure security within various areas, but what those appropriate measures are is not explained.
1 International Organization for Standardization 
2 Plate, Dr angelica, E-mail conversation (2004) 
3 Walsh, Lawrence M, (2002) 
4 Symantec, (2002) 
5 Cline, Jay, (2003) 

For this standard, and the work towards information security, to be of any real value to the companies adopting it, they will need a prior understanding of information security and of how the standard works. Without adequate knowledge, companies might end up with a false sense of security.
With more and more organizations adopting or planning to adopt this standard, the issue of understanding it, and being able to adopt it successfully, becomes more and more relevant if it is to be regarded as a sort of quality mark.
Companies also need to address potential incidents that can harm their business, and produce a roadmap of what is to be done to protect vital business. One way of doing this is simply to ignore the fact that incidents can, and probably will, cause problems, or to go by feel when deciding what needs to be done and what does not. This might work in many cases, but a better way of dealing with risks is to apply a structured method of working towards risk handling and security. This is often done through risk analysis/assessment, where the risks are highlighted and plans for how to mitigate, avoid or otherwise treat them are produced. Conducting a risk assessment is considered to be of such great importance that it is stated as one of the key requirements in the process (strictly speaking in BS7799-2, described later).
With the requirement to perform risk assessments included in the compliance process, this too needs to be understood correctly to adopt the standard successfully. It also helps in finding out how to prioritize the work towards information security.
1.2 Problem
ISO/IEC 17799 is already widely accepted, but its level of abstraction may present difficulties when interpreting and implementing it. Adding to this problem, the area is still new to many people and there is a lack of people with sufficient information security knowledge.
This standard (and information security in general) requires those who are to implement it to have a certain degree of prior knowledge in order to interpret it correctly. If companies decide to adopt the standard without the preparations and resources needed to handle the process, it might not take off and get done in a timely and proper manner. In short, this area needs resources and effort to be available for it to succeed.
To get a picture of the current situation in this area, it might be of interest to benchmark a company in the process of adopting the standard and see what picture emerges: to get a snapshot of the current status, see what the situation looks like and what has and has not been done. Preferably this should be a large company with adequate potential resources to handle the process, so that for instance lack of people or funds will not be an issue (at least in theory).
1.3 Objectives
The objective of this thesis is to find out how well a large company, in the process of 
adopting the standard, complies with their targeted level of compliance and also to see 
what has been done altogether in the work towards information security. I will keep 
an open mind and not state any hypothesis. 

This means that I will benchmark a company that has worked towards information 
security in a structured way for a reasonable amount of time (at least since 2001 in 
this case) and get a picture of the current status of the security work. 
The two main objectives will be to: 
· Find out what, and how much, has been done within the company to heighten 
the level of information security. 
· Get a picture of the current status of the company’s work towards better 
information security and compliance with their version of the information 
security standard ISO17799. 
The result should act as a sample of the security work, and of the work towards the standard, in a large company today. Possibly, through its results, thoughts and discussion, it will also provide a base for those interested in the area for further studies on why the current status is as it is, which in turn could be used to further optimize the approach to information security within companies.
1.4 Limitations
The company being benchmarked is part of a large global corporation and is only one out of hundreds of companies in this group. I will however focus only on this specific company, to as great an extent as possible.
This thesis does point out what problems have been found and discusses the reasons behind them and what changes would improve the information security work, but does not go further to develop any scientific methods of correcting the problems.
1.5 Intended audience
This thesis targets educated readers with at least a little knowledge of information security and of the terminology used in the area and in the standard (especially chapter 8.2 requires basic IS knowledge). An interest in what the status in a normal company is today will of course also help. Some prior knowledge is preferred when reading this thesis; I will however explain the most central information security related areas and terms. I will also try to avoid fancy language so that what is written is easily understandable.
1.6 Layout
After having described the method used in the thesis, I describe information security 
in general and the most central terms used in the area in chapter 3. After that I give an 
explanation of what ISO/IEC 17799 is and how it is used before I go into and explain 
the in-house developed “Information Security Framework” that uses the ISO standard 
as base. At the end of the chapter I go through the “Monitor Tool”, which is used to 
benchmark the compliance level towards this Information Security Framework. 

To allow the reader to get a feel for what the current situation in the company looks 
like I give a little background in chapter 4 before continuing on to the results. The 
results are dealt with in a top-down manner in chapter 6, with the spread results 
allowing for a more refined picture of the current status. Finally I get into a short 
analysis chapter followed by the parts that enlightened me and heightened my 
knowledge the most: “Conclusion”, “Discussion” and “Underlying cause”(chapter 8, 
9 & 10). 

2 Method6,7
2.1 Hermeneutic – interpretations of observed conditions.
Hermeneutics deals with the interpretation of data. The same information can be interpreted in different ways by different people, each one as right as the other. This is of particular interest when dealing with humans and their behavior.
When researching historical events, for instance, a hermeneutic approach, where one tries to understand why people did what they did by interpreting their thoughts and feelings, might be the more suitable one. This way we can get a richer picture and gain a more complete understanding of what happened and why. We can get different solutions for different problems, each solution adding to the understanding of the problem.
The problem when the researcher applies his or her own experiences and thoughts when arriving at the conclusion is that it can never be said to be true in a logical sense (as in strictly true versus false). It can only be said to be more or less believable, depending on who has done the research, and how and what data has been analyzed.
2.2 Positivism – presentation of facts.
Positivism tries to deal only with facts. One tries to clean out everything that is, or has been, subject to interpretation. The idea is that one should only rely on facts that can be verified and are directly accessible to observation. Positivism accepts only two sources of knowledge: empirical experience and logical reasoning.
Empirical knowledge can be gained by using our five senses, but since those senses can deceive us we have to carefully analyze what we see and then decide whether it holds or not. An example of an empirical experience might be: there is a person in the room. (It might be true, but there is also a chance it is only my imagination.)
Logical reasoning, on the other hand, deals more on a theoretical plane with the way we express ourselves. Here things can be either absolutely true or absolutely false. An example of a logical truth might be: if the person is in the room, then he cannot be in the other room at the same time. (As long as all known physical laws are valid, this is a truth that will hold, no matter what we see or hear or in any other way sense.) This is the type of reasoning that mathematicians must rely on.
2.3 What approach will fit best in this thesis?
Since the purpose here is to measure, or benchmark, the situation and see what has been done and what has not, a positivistic approach is the best choice. This thesis will, however, also discuss later on why the situation is as it is.
This will be done by collecting information on what has been done as required by the internal Information Security Framework (ISF, described later under theoretical framework), which the company has set out to adopt, and then analyzing the results. Empirical experiences will be used in conjunction with logical reasoning.
6 Thuren.T, (1991) 
7 Olsson.H & Sorensen.S, (2001) 

To monitor and benchmark the current status, an in-house tool (Monitor Tool, also described in the theoretical framework) has been developed. This tool consists of several hundred questions on what has been done according to the internal framework, and can be configured to present the answers as percentages, both of overall compliance and of compliance within chosen areas such as a certain chapter of the ISF.
I will be observing what has been done, using existing documentation and interviews, 
and use that as input into this monitor tool. I will assume that my senses do not 
deceive me and that the interviewed people tell the truth to the best of their 
knowledge. 
Hence the knowledge gained from this will be based on empirical experience, and of 
course I will use everyday logical reasoning and try to eliminate any logical 
inconsistencies. 
2.3.1 Quantitative or qualitative
Research falls into two categories, qualitative or quantitative. The qualitative research process seeks to gain an understanding of, and an in-depth description of, something8. A qualitative approach would be, for instance, to collect and analyze the data, interview people, and try to come to an understanding of why things look as they do.
The quantitative approach, on the other hand, deals with gaining understanding by collecting and presenting data. A quantitative example could be measuring average daily temperature against ice cream sales.
An alert reader might have noticed that the choice between a quantitative and a qualitative approach is fairly easy for the first part of the thesis. Since I will be dealing with facts and numbers and taking a measurement, a quantitative approach best describes what is aimed for. The questions to other people have been of the form “Have you done X?” rather than “What do you think of X?”. In the analysis and discussion, however, I will discuss why the result looks as it does. That part of the thesis will be steered in a more qualitative direction.
2.4 Reliability & Validity
Am I studying what I think I am, and are the measurements consistent? 
8 McKereghan, Donna L (1998) 

2.4.1 Reliability
The level of reliability can be seen as the extent to which the measuring procedure will yield the same results when the trial is repeated. The security work within the company is an ongoing process, constantly improving the level of security and the number of security controls that are implemented. Also, the benchmark itself, with me asking a lot of security related questions of various people in the organization, has certainly changed some people's awareness and knowledge. However small that change may be, it is still a change. Therefore, in my opinion, it will be impossible to repeat this measurement under the same conditions. If it were possible, then the same result would most certainly be achieved, but as it is not, the conclusion must be that the research has no reliability as defined in the first sentence of this paragraph.
2.4.2 Validity
Validity, in this context, is the extent to which I have measured what I set out to measure. Have I really measured how many of the required security controls are in place in this company; have I gotten the (five-month) snapshot I set out to get?
The tool used to measure this was specifically developed to measure how much has been done. The questions are right to the point in all the different areas and cover the whole of the ISF (which is the defined basic level of security). Since these questions are all of the type “Have you done …” or “Is there a …”, I am convinced that the result of this research has high (face) validity.

3 Descriptions (Theoretical Framework)
3.1 Information Security
A common misunderstanding is that information security deals specifically with computer security, when in fact it deals with the need and desire to protect information from undesirable actions. Information security (security of information) applies to all sorts of information in whatever form it may take, whether it be an email, a document in the trash or spoken words over the telephone lines.
It is generally held that there is no such thing as 100% secure; security can never be perfect. One has to aim for as high a level of security as possible and find the best compromise between security and usability. In a business context one must also consider the value of what is to be protected versus the cost of protecting it, and what legal requirements there are. Widely used terms within this area are confidentiality, integrity and availability (the acronym CIA is often used). Terms such as accountability, non-repudiation, risk assessment and contingency planning are also relevant in this area.
3.1.1 Confidentiality 
The International Standards Organization (ISO) has defined confidentiality as 
“ensuring that information is accessible only to those authorized to have access”. This is 
important in cases of, for instance, product data, sales figures etc. where damage 
could be caused to a company, both in long term and short term, if they fail to enforce 
their information confidentiality. 
Examples of ways of enforcing confidentiality are encryption of information and the 
use of passwords for access to information. Encryption will (in theory) render data 
unreadable to everyone who hasn’t got the right key, for as long as needed. There are 
many different algorithms for encrypting information but they all have the same 
purpose. 
3.1.2 Integrity
Integrity has various definitions depending on where one looks, but basically it deals with keeping information safe from accidental or malicious modification, alteration or destruction. In a business setting, you need to be able to trust that the information received is intact and still says what was intended when it was sent. Whatever state a piece of information might be in, if the information is of any value to the business it is of vital importance to be able to trust that it is correct. If a company fails to enforce their data integrity they might, in the worst case, suffer economic and legal consequences (consider for instance financial data) and, in the best case, have to take corrective actions, which will cost money.
Integrity can, for instance, be enforced with the use of so-called hash functions (e.g. MD5, SHA-1). Very simplified, the use can be described as follows: a sender uses a hash function to calculate a checksum on a chosen piece of information and includes that in the message. The receiver then uses the same function on the message, and if the same checksum is produced he knows that the message has not been altered. Of course one also has to sign the message for this to be of any use, since anyone who can alter the message can recompute the checksum to match.

3.1.3 Availability 
Availability deals with the need to have a certain service or piece of information 
available when requested. The level of availability means to what extent a service is 
accessible upon request. In a business context ensuring availability might mean to 
have the web portal secured against Denial of Service (DoS) attacks, or ensuring that 
the computer infrastructure is redundant enough to allow people to do their job during 
incidents. Failing to ensure availability in an organization’s systems might result in 
people or processes not being able to perform their tasks in due time, causing a lot of 
unnecessary extra costs and time delays. 
3.1.4 Accountability
With the changing use of digital media, accountability has become a more and more important aspect of information security. There is a need for the ability to hold an entity accountable for its actions, especially when it comes to things like electronic orders and transactions. For a company to be able to do business electronically there have to be repudiation and non-repudiation mechanisms in effect. In other words, there have to be mechanisms in use that make it possible to prove who has or has not done what (“have to be mechanisms in use” as in ‘have to be implemented for there to be any information security in effect’).
A common way of ensuring accountability is the use of a PKI system (Public Key Infrastructure, encryption/decryption using asymmetric keys), which incorporates the signing of documents in the encryption process. This provides both repudiation and non-repudiation, assuming there is an agreement that only signed documents are viable.
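The following program is an added example, not code from the thesis or from the company it studies. It puts the integrity mechanism of 3.1.2 and the signing of 3.1.4 side by side, using only Go's standard library: a plain SHA-256 checksum, which whoever alters a message can simply recompute; an HMAC (a keyed hash, chosen here as the simplest mechanism that an outsider cannot recompute, but which does not give non-repudiation because both key holders can produce it); and an Ed25519 signature, which only the private-key holder can produce and which therefore supports the accountability the text asks for. The order message, the shared key and the key pair are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Checksum is the plain hash check from the text: the sender computes
// SHA-256 over the message and sends the digest along with it.
func Checksum(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// VerifyChecksum recomputes the digest on the receiving side and compares.
func VerifyChecksum(msg, sum []byte) bool {
	return bytes.Equal(Checksum(msg), sum)
}

// Tag is a keyed hash (HMAC-SHA256). Without the shared key nobody can
// produce a tag that matches an altered message, which is exactly what the
// plain checksum lacks.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag uses a constant-time comparison so the check itself leaks nothing.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// Outcome records which mechanisms still accept the message after it has
// been altered in transit (true means the alteration went undetected).
type Outcome struct {
	HonestAccepted          bool
	ChecksumAcceptsAltered  bool
	HMACAcceptsAltered      bool
	SignatureAcceptsAltered bool
}

// Scenario runs one constructed order message through all three checks.
// The shared key and the signing key pair are generated here for the example.
func Scenario() (Outcome, error) {
	original := []byte("order 1001: ship 10 units to warehouse A")
	altered := []byte("order 1001: ship 100 units to warehouse B")
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Outcome{}, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// What the honest sender attaches to the message.
	sum := Checksum(original)
	tag := Tag(key, original)
	sig := ed25519.Sign(priv, original)

	// Whoever alters the message can recompute the unkeyed checksum, but has
	// neither the HMAC key nor the private key, so the best they can do is
	// forward the original tag and signature with the altered text.
	alteredSum := Checksum(altered)

	return Outcome{
		HonestAccepted: VerifyChecksum(original, sum) &&
			VerifyTag(key, original, tag) &&
			ed25519.Verify(pub, original, sig),
		ChecksumAcceptsAltered:  VerifyChecksum(altered, alteredSum),
		HMACAcceptsAltered:      VerifyTag(key, altered, tag),
		SignatureAcceptsAltered: ed25519.Verify(pub, altered, sig),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it shows the honest message passing all three checks, the altered message passing the plain checksum, and the altered message failing both the HMAC and the signature. Only the signature lets the receiver show a third party who sent the message, which is the non-repudiation property of 3.1.4.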
3.1.5 Risk management (and risk assessment) 
“…the process of measuring, or assessing risk and then developing strategies to manage the 
risk”9 
Risk management tries to deal with, and plan for, risks in a structured way, ensuring 
that the available resources are spent wisely in this area. 
Risk assessment is an important part of risk management and deals with identifying 
and grading risks to the company. Grading of the risks is based on the magnitude of 
impact versus probability of occurrence. Generally the quantitative risk management 
process is divided into steps that cover the following: 
1. Identify important assets 
2. Identify (key) risks 
3. Grade risks with regards to impact versus probability 
4. Decide tactics to counter the risks 
5. Create and implement a plan for the risk handling 
The deliverable produced by these steps needs to be up to date and hence should be 
revised on a regular basis. 
9 Wikipedia 

Risk management has evolved from something optional to something preferable to something required when it comes to corporate governance: from the fifties, when risk management as a concept started to take off, to the seventies, when it started to take a structured, organized form driven by the insurance industry, to “Black Monday” 1987, “…reminding all investors of the inherent risk and volatility in the market”10. Recent events have led to the Sarbanes-Oxley Act of 2002, which requires companies not only to have risk management in place (amongst other things), but also that it is in fact effective.
3.1.6 Contingency planning
In the event of a serious unwanted disruption to critical business functions, what do we do? How long can we last without the ability to conduct business? How do we make sure that we can continue business while a disaster is being resolved?
Without a plan of any sort, chances are that a disaster will cost a huge amount of money at best or put the company out of business at worst. This is where contingency planning comes into play.
Every day, all around the world, incidents occur, reminding companies of the importance of having set up plans for dealing with contingencies. Floods and fires destroy buildings, systems crash and die, and so on. A contingency plan lets the company respond immediately to such events. It also covers the continuation and resumption of business in a structured way.
A typical setup of the core information in a contingency plan might consist of the following four sections:
Assess risks/Create critical impact list:
Define which systems are the most important. Which are crucial to business? Which will cost the most money when not functioning? What are the maximum allowed outage times for these systems? Rank risks with regard to impact versus probability of occurrence.
Response:
What do we do immediately when an incident occurs? Who is in charge of what? For instance, business might relocate to an alternative facility.
Survival/Continuity:
How do we keep business running while the incident is being resolved? What options are there and how long must they be able to uphold business? If the outage is longer than the specified maximum time, what do we do then?
Recovery:
When do we go back to normal business? How is this to be done? Who decides what? How do we take care of the data that has been produced during the outage (how do we re-introduce it into the system)?
10 Kloman H.Felix, (2001) 

Department of Computer and Systems Sciences 
Fredrik M Andersson 
11 
The plan needs to be as detailed as possible, but at the same time it is important to 
remember the acronym KISS (Keep It Simple, Stupid). If it is written in too complex a 
language, people might not understand what it says when stressed by an 
emergency. It is also important to rehearse the plan to see that it works in reality, and 
to keep it updated so that it will have the intended effect when disaster occurs. Based 
on my own experience, there is an opinion that the absolutely best way to make sure a 
plan or procedure will work in a live situation is to rehearse it under conditions as real 
as possible, as many times as possible. This will effectively reveal weaknesses and 
sources of error in the plan, and it will also train those involved in responding to 
unplanned incidents that occur during the execution of the plan itself. 
Applying a structured plan for the handling of incidents, and exercising the plan in a 
realistic way, will mitigate the effects of those types of incidents and in the long run 
probably save money. 
3.2 ISO/IEC 17799:2002, code of practice for information security management. 
“People love it and hate it for the exact same reasons: It tells you what to do but not how to 
do it”11 
ISO/IEC 17799 has become the third best-selling standard in the UK, and is 
considered to have grown from a successful Code of Practice into a “‘super’ 
successful CoP”.12 (On the BSI homepage it is, however, listed as the fourth best-selling, 
041025.) 
This standard is a non-technical framework intended to aid in the work of handling an 
organization's information assets. It was first published in the year 2000 and 
evolved from the British standard BS7799-1, which was first published in 1995. It is a 
comprehensive standard on information security, aiming to provide a set of best 
practices for controlling things such as confidentiality, integrity and availability 
within different areas. 
This standard is preferably used in conjunction with BS7799-2 (or any national 
version of the “-2”), which is a specification for an information security management 
system: how to set it up and operate it. In short, BS7799-2 (or, for 
instance, SS 62 7799 in Sweden) covers how to set up and organize your work towards 
information security, and ISO/IEC 17799 provides a comprehensive set of best 
practices from which you have to choose those that apply to your organization. As a 
requirement in annex A of BS7799-2, it is stated that you have to go through ISO/IEC 
17799 and decide which controls you need and do not need to implement. 
11 Scalet, Sarah. D, (2003) 
12 Humphreys, Ted, (2004) 

ISO/IEC 17799 offers a range of high-level guidelines, controls and “best practices” 
for security management within different areas. Currently these areas cover13: 
· Establishing security policy 
· Organizational security infrastructure 
· Asset classification and control 
· Personnel security 
· Physical and environmental security 
· Communications and operations management 
· Access control 
· System development and maintenance 
· Business continuity management 
· Compliance 
Each of these sections contains descriptions and sub-controls on what to control in 
order to have an effective set of practices in use within that section, and each of 
these sub-controls contains further sub-controls. 
An example of walking down the tree to a sub-sub-control might look like this: 
[System development and maintenance -> Change control procedures -> Review 
controls and integrity procedures to ensure that they will not be compromised by the 
changes.] Notice the general formulation of the control. 
You do not have to comply with all of the 127 controls and their 5000+ sub-controls 
to get certified14, only those you consider relevant, but you have to explain why you 
have chosen those you have and why you have left others out. Most companies will 
probably never feel that they need, or have use for, all the controls, but every company 
should be able to find all the controls they need in the standard. 
Currently ISO/IEC 17799:2002 (2nd edition) is under revision, and it is at present in 
its “Final Committee Draft” (6 Oct, 2004). The new revised version is targeted for 
completion around the end of 2005. Most likely it will contain a new structure for the 
controls and a user-friendly interface, meant to make it easier to understand what the 
standard says and how to implement it15. It will also add, move and remove controls 
and control objectives. 
13 National Institute of Standards and Technology, (2002) 
14 Gamma Secure Systems, (2004) 
15 Plate, Dr Angelica, E-mail conversation (2004) 

BS7799-2 was originally published in 1998 and was revised and improved until it 
was finalized in 2002. It is basically a specification for how to set up and operate an 
information security management system (ISMS). The ISMS is intended to be used by 
company management to control and minimize information security related risks. 
Important steps in the BS7799-2 process are16: 
1. SCOPE: Define the scope of the IS work. 
2. POLICY: What do you want to achieve? What do you need to achieve? 
3. RISK ASSESSMENT: What are your actual risks? Which are acceptable and 
which are not? 
4. RISK TREATMENT: How are you going to treat the risks? 
5. SELECT CONTROLS: Which of the controls in ISO17799 do you need to 
implement? Which are relevant? 
6. STATEMENT OF APPLICABILITY: Why did you choose the controls you 
did, and why did you leave out the ones you did? 
7. DO: Implement the controls. 
8. CHECK: Monitor that the controls are achieving their objectives. (Internal 
audit and management review are mandatory here.) 
9. ACT: Correct and improve the actions taken. 
More and more companies around the world are using the standard, but the speed with 
which the certifications increase varies a lot, as does the level of acceptance and 
implementation amongst companies in different countries (see Figure 1 to get a 
picture of the varying levels of implementation around the world). 
Sweden, which was an early adopter of the standard, has come to a halt with only 4 
certified companies (of which one is a Finnish company), while Japan now is leading 
the way with 408 certifications (as of Monday 30 August, 2004).17 
According to Callio Technologies the certification growth rate lies around 50% per 
year18, but knowledge about its existence is still fairly low. The register at the 
International ISMS User Group, where companies themselves report that they have 
been certified, had an “Absolute total” of 844 certifications worldwide as of Monday 
30 August, 2004. This list is changing by the week and, for instance, by October 8th 
the number was up to an absolute total of 890 certifications worldwide. (See Figure 1.) 
16 Gamma Secure Systems, (2004) 
17 XiSEC Consulting Ltd , (2004) 
18 Callio Technologies, (2004) 

  	

    
    

  
Figure 1. Number of BS7799-2 certifications worldwide on October 8th, 2004, 
according to ISMS International User Group (image from www.xisec.com). 
Interesting to see here is that companies in countries such as Colombia, Lebanon, 
Morocco and Slovenia have started working towards this standard. Also worth noticing 
is that the two leading countries, Japan and Great Britain, provide roughly 65% of all 
the certifications, and that one of the biggest industrial nations, the USA, only has 9 
certifications, equal to around 1% of the total. Why the situation looks like this is, 
however, not in the scope of this thesis and will not be discussed. 
According to Ted Humphreys, companies in three main business areas so far 
dominate the certification market: Telecom (British Telecom, Deutsche Telekom, 
Telecom Italia, etc.), Finance and insurance (ANZ Bank, Royal Bank of Scotland, 
Federal Reserve Bank New York, etc.) and Manufacturing and multinationals 
(Canon, Fujitsu, Siemens, Unilever, etc.). There are many different future markets 
with growth potential regarding the standard, and a few examples of these are 
gambling, healthcare, shipping and traffic control.19 
19 Humphreys, Ted, (2004) 

The people at gammasl.co.uk20 describe the growth of BS7799-2 with the following 
self-explanatory diagram: 
Figure 2, Image from www.gammassl.co.uk 
One has to keep in mind, though, that there is a big difference between adopting the 
standard and certifying your company against it. No one really knows the exact 
number of certifications worldwide, since it is optional to report your company's 
certification, but what is certain is that the number is growing. It is my belief that as 
more companies adopt the standard and certify themselves, the growth speed will 
become less linear and more exponential. Gamma has also conducted a 7-year survey 
showing that 2400 out of 2818 (85%) respondents have an immediate need for an 
ISMS (like BS7799-2).21 
3.3 Information Security Framework 
The “Information Security Framework” is a comprehensive set of rules and policies. 
If I have understood it correctly, it uses the ISO17799-1 standard as a base and has a 
similar setup, but it is adapted to suit the companies in the group. This framework has 
been developed at the highest level (at the corporation) and constitutes the minimum 
requirements which all the companies within the group have to meet. The current 
version of the ISF is under revision, and the new version is expected somewhere 
around 2005. 
20 Gamma Secure Systems, (2004) 
21 Gamma Secure Systems, (2004) 

The contents of the framework are divided into eleven chapters as follows (for a more 
detailed description of what each chapter addresses, see chapter 8.2, “Compliances 
within different areas”): 
1. Background and scope 
2. Roles and responsibilities 
3. Information Security risk management process 
4. Security functions and Information classification 
5. Personnel security 
6. Security of third party access 
7. Physical and environmental security 
8. Authentication and rights management 
9. Communications and operations management 
10. System development and maintenance 
11. Compliance 
Chapters two through eleven contain the policies, directives and standards that are to 
be followed by the companies in the group. 
3.4 Monitor Tool 
To be able to benchmark what has been done in the work towards compliance with 
the ISF, the corporation has developed the “Monitor Tool”. This tool is a 
questionnaire, based on an Excel sheet22, with 262 questions covering the whole of the 
framework (all of the different chapters), which means that if a company can answer 
every question in the tool with a full yes, it is 100% compliant. 
An example of a question is as follows: “Do we periodically check for, and remove, 
invalid user IDs and access rights?”, and to answer it one has to find out whether this is 
implemented or not. 
However, the answers are not limited to either yes or no, but are graded from 
“?” to “4”, with “?” meaning “not applicable” or “don't know”, 0 meaning not at all, 
1 up to 25%, 2 up to 50%, 3 up to 75% and 4 completely. This means that it is possible 
both to get a number on how many security controls are completely implemented and a 
number on how much has been done altogether. Every question is also marked as 
either “red”, meaning that it is a more important question of a 
fundamental nature, or “basic”, meaning that it is not one of the more important 
questions. The decisions on which questions should be regarded as red or basic 
have been taken at corporate level, and I believe that the criteria used for these 
decisions were based on a risk assessment done at this level. However, I did not get a 
definite answer on this. 
An example of a “red” question might be: “Do we have routines for accountability 
classification of our information?” 
And an example of a “basic” question might be: “Do we archive signed employment 
contracts and non-disclosure agreements with the responsible Personnel department?” 
22 Analyse Monitoring tool v2.xls 

The flexibility of this tool does not stop there; it is also possible to isolate and present 
the results in different ways. One can choose to get results on the compliance status 
within the different topics of the ISF (such as, for instance, physical security or 
personnel security), and one can also choose to see compliance levels based on 
thirteen different roles (such as, for instance, “manager”, “employee” and “functional 
system owner”). 
All together there are thirteen roles, nine topics and two priorities represented, which 
can be combined to enable an isolated presentation of the level of compliance within a 
specific area of interest. This means that one can, for instance, choose to isolate the 
level of compliance within personnel security concerning employees. I will use this 
tool to present the overall compliance and the compliance within different areas 
(chapters) of the ISF. 

4 Company setting 
During late June to late November I benchmarked the information security work 
within company X. Company X is a part of, and owned by, an international 
corporation Y, which is the world's largest producer within their area of business. 
In the text I refer to company X as “the company”, and corporation Y as “the 
corporation” or “the organization”. 
Being a sales company, the focus is set on selling as many products as possible and 
creating as much value as possible. Information security is not seen as anything that 
creates value to any great extent, and consequently is not that interesting. One has to 
keep in mind that the company has many other issues competing for resources, 
and that there, as always, is pressure to cut costs and save money. 
I believe that those things that can generate or save the most money in the shortest 
time will find it easier to “skip the line”. IS-related issues have a hard time qualifying 
as a contender in the “generate much money in a short time” competition, since it is 
more of a “prevent loss of money in the long run” area. 
Many systems used in the company today are old (the ordering system, for instance, 
is at least from the early seventies and has no real documentation) and in need of 
replacement, both because of technical issues (it is just not reasonable to hardcode 
“hotfixes” forever) and because the number of people with knowledge 
about the systems is slowly shrinking. It has been considered too complex and 
not meaningful from an economic perspective to implement a lot of security controls 
in these old systems that are soon to be replaced. At the same time, replacing those 
systems will be expensive, and projects aiming to replace them have been aborted 
before and might as well be aborted in the future. 
This leads us to a position where the work towards security for these systems is, if not 
halted, slowed down. I believe that until it has been decided what hurts the least, 
economically, this situation will certainly remain. Also, since these systems have been 
around for a while, they have been more or less integrated with each other by various 
methods, which means that in many cases it will not be possible to just replace one 
system without having to replace additional ones, adding more cost to the procedure. 
Perhaps (hopefully) the projects currently going on will show that the best economic 
choice is to replace the older systems, and perhaps the replacement of these old systems 
will provide better possibilities to incorporate a higher level of information 
security. 

Earlier, a project run by a consultancy firm took place, which basically tried to enforce 
the implementation of several information security controls within the company. There 
was a deadline that had to be met so that the work would be done, but as it turned out 
people did not fully understand what the implementation of these controls meant, and 
the result was not really satisfactory for the involved parties. During this project it 
became clear that one must start with changing people's minds so that they understand 
what they must do, why they must do it and how, instead of only saying what they 
shall do. Adding to this project not being a 100% success was the fact that there was a 
lack of time to devote to this; people were “busy doing their jobs”. Even 
though it wasn't a full success, it led to some things being implemented, which has to 
be considered a good thing. It probably also raised the level of knowledge a bit among 
those involved. 
Very simplified, the Sarbanes-Oxley (SOX) Act of 2002 requires companies to 
implement controls and procedures, mainly when it comes to controlling, and 
ensuring the security of, financial information and audit procedures. Since this work is 
enforced by law (if this work is not done correctly there WILL be punishments to 
expect, not just for the company but more so for the person running it), it will probably 
get up to speed and be given adequate resources to be conducted thoroughly and 
correctly in time. Parts of the corporation have started the work towards compliance 
with SOX. This act also covers some other information security related areas, and 
I believe that because of that it will be beneficial to the IS work in general. Hopefully 
it will heighten the motivation, knowledge and interest in also working towards IS to a 
greater extent within the company (and other companies within the group). Who 
knows, there might be laws covering the other information security related areas in 
the future as well. 
I believe work is being done at corporate group level on refining the existing material. 
There are also projects going on, aiming to produce additional material that will help 
in understanding the security work and the requirements better. With easier language 
and templates, the work will hopefully be easier for employees to digest in the future. 
The ones in charge of information security within the company have attended a 
three-day course on the subject, and every employee has in turn been offered a session 
by those people. 

5 Data collection 
The benchmark was conducted against the ISF, and to aid in this the in-house 
developed “Monitor Tool” was used. If a subject was documented as being 
implemented, and signed by someone taking responsibility for it, then the question 
was answered with a “4 – completely”. For the questions that could not be given a “4”, 
an estimate had to be made of how much of the work towards that question had 
been done, and a value from “?” to “3” was awarded. Estimates were made with the 
aid of those considered to have the most knowledge within the company in the area in 
question. These were usually the ones responsible for that particular area. 
The borders between different entities in the organization are somewhat fluid, and 
some questions that directly affected the company had to be directed to the internal 
service provider (another company within the same group) and other departments that 
operate at the borders of the company. This helped to get a more complete picture of 
the work being done. 
I also paid special attention to two important processes when it comes to the work 
towards information security: risk assessment and contingency plans. In my opinion, 
since these two are such vital parts of the security work, they make for a good 
addition to the overall picture of what the status of the security work looks like in the 
company. 
5.1 How data was collected. 
As a basis for the answers given to each question, existing information security related 
documentation and interviews with key personnel were used. Certain areas, like for 
instance some of the questions regarding physical security, were answered completely 
by the one responsible for that area. I tried, as much as possible, to have key 
personnel answer questions related to their responsibilities, because they should 
logically be the most qualified when it comes to estimating to what extent a 
certain security control (within their area of work) is implemented and what 
documentation exists about it. In those cases where key personnel answered questions, 
I pointed out that they should take as long as needed to answer the questions. 
Quality was considered more important than speed. 
5.2 What problems were there in collecting the data? 
First of all: it is my impression that everyone was very willing to help with all the 
information they had. 
Some of the security work is already implemented in the organization. However, not 
all of that work is documented according to the internal ISF. So many of the 
questions of the type “Do we have a documented procedure covering X?” had to be 
answered “No” (or really 0 in the Monitor Tool), but the directly following question, 
“Have we implemented X?”, needed additional research to be answered. Much of the 
work was spent on trying to figure out who might know about, or be in charge of, certain 
subjects covered in the tool and the standard. 

Not many people have the time and interest to delve into the area of information 
security. This meant that I on occasion had to start by providing a “theoretical 
background” and explain what I wanted to know and what the questions meant before 
I could begin to discuss and ask questions about a certain subject. 
The corporation itself can be regarded as a huge organic being, constantly changing. 
The matrix-like structure makes it hard for anyone to present a complete picture of 
how the corporation is built today. The boundaries between different entities are fluid 
and responsibilities go in various directions. This slightly increases the 
work required when finding answers to questions that require other parts of the 
organization to have implemented certain subjects, and also when trying to find out 
what really has been done and who has done it. 

6 Result 
6.1 Total compliance 
The following results are based on the information that I have had available to me, 
about the information security work in the company, during the time I was there. I 
believe that I have had access to all the documents regarding the information security 
work and that those people who were interviewed told the truth, but of course I cannot 
be 100% sure. It would not surprise me if there is some little error in the resulting 
numbers, but the big picture still remains the same. Also, I had no personal interest 
whatsoever in getting a specific result, I was only interested in getting a result, and 
this is the picture I got. 
The company is, in theory, required to comply with 100% of the internal 
Information Security Framework, since it represents the minimum level of security 
acceptable within the companies in the group. In reality the expectation is not that 
every company has implemented all of the controls yet, but they should be on their 
way and hopefully reach at least 75% compliance. So what is the current situation, 
then? 
The answers will include an element of evaluation from the person responsible for the 
questionnaire and the people responsible for implementing the controls in question. 
However, the grading of answers will help in giving a fairer picture of the overall work, 
since not many controls are 100% implemented. This way I will get both a number on 
how many of the controls are completely implemented and a number on how much has 
been done altogether. 
Some of the questions are outside of the company's scope and were answered with a ‘? 
– Not applicable/Don't know’; furthermore, some were not possible to find answers to and 
were given the same answer (“?”). There are also questions that do not directly 
concern the company, but do so indirectly, like for instance employment issues, which are 
dealt with in a department of its own. Another example is some of the questions 
regarding system development, which is handled by another entity within the larger 
corporation but is directly affected by the specifications and requirements from the 
company ordering the system. This means that, since the company is integrated into a 
larger organization, some of the results are not strictly limited to the company's 
boundaries within some areas. However, they do still reflect what has 
been done within the company. 
As I mentioned earlier, some questions in the tool are marked as “red”, which means 
they cover fundamental areas and because of that are to be considered more 
important. I will use this as an indicator of the quality of the work that has been done 
(quality here meaning to what level the most important controls have been prioritized 
in the implementation process). 
After having gone through all the questions in the Monitor Tool, the following results 
were achieved: 
When allowing each of the 262 controls to be answered in the range “?”, “0”, “1”, “2”, 
“3” or “4” (the digits meaning that the control is 0, 25, 50, 75 or 100% implemented, 
and the ‘?’ meaning “Not applicable” or “Don't know”, as mentioned earlier), the 
distribution of answers looks like in Table 1 & Table 2: 

“Answer” means what type of answer was given. 
“Number of given answers” means how many of the questions were answered 
with the particular answer. (Red = “red” answers, Total = Total number of answers) 
“Percentage of total” means how many percent of the total amount of answers was 
given that particular answer. 
The two darkest columns (Red & Total) are to be read against the left “Number of 
answers”-axis, and the lightest column represents the percentages and hence should be 
read against the right “Percentage of total”-axis. 
[Table 1: bar chart “Distribution of 262 answers”. X-axis: Answer (?, 0, 1, 2, 3, 4). 
Left y-axis: Number of given answers (0 to 70). Right y-axis: Percentage of total 
(0% to 25%). Series: Red, Total, Percentage.] 
Table 1 
Answer   Red   Total 
?         23    52 
0         27    61 
1         16    32 
2         18    30 
3         17    34 
4         23    53 
Table 2. 
The result should be read like this: 
Example: A total of thirty controls (roughly 11 percent of the total number of 
controls) have been awarded a ‘2’ (a ‘2’ as answer, as you may remember, equals the 
issue having been 50% implemented). 
Of these, 18 were the fundamental, more important ones. 
As we can see in Table 1 and Table 2, about 20% (53 out of 262) of the controls are 
completely implemented and approximately 23% (61 out of 262) are not implemented. 

When looking at the total, and weighting the answers accordingly, we can see that, of 
all of the work, around 39% has been done.23 For this number, I have reversed the 
“innocent until proven guilty” principle and treated all those questions answered with 
‘?’ as being not implemented. This way of doing it lowers the result a bit and should, 
to be fair, also lower the targeted level of compliance, since some of the ‘?’s 
certainly are legitimate “Not applicable”s. (As mentioned earlier, a ‘?’ can mean both 
“Not applicable” and “Don't know”; the former should logically be removed 
altogether from the questionnaire and the latter should be treated as being not 
implemented. For it to be possible to split these two categories correctly, the company 
would have to decide which controls belong in which category, and this has not yet 
been done.) 
This was nowhere near as high as I thought it would be when I started. But as I learned 
more and more about the situation in the company, I was not surprised about the result 
in the end. The main conclusion here is that the total level of compliance is lower than 
it should be. 
As mentioned before, the results can be presented in different views based upon 13 
different roles (e.g. manager, employee, functional system owner) combined with 9 
different topics (e.g. authentication and rights management). This gives 9*13=117 
different views, which can be used to see the progress made within different specific 
areas. Some of these views are less interesting to look at, since they contain 
too few questions to be any real indicator. For instance, when setting the role to 
“Employee” and the topic to “Personnel security”, only 5 questions apply, making each 
question represent a 20% increase/decrease. Since this is not of any use when the 
purpose is to see the overall compliance, I will not present each one of the 117 
different views. It is also possible to see the distribution of answers within each 
section of the ISF, which adds even more possible views. See annex A for a graphic 
presentation of the total results based on these different areas (topics) of interest. Also 
see the next chapter for further discussion of the results within the different areas. 
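As an added illustration (not the corporation's Monitor Tool, nor code from the thesis), the following Python reproduces the weighting of footnote 23 on the Table 2 counts, shows both treatments of a ‘?’ answer discussed above, and builds the isolated topic/role/priority views described earlier; the sample questions, their topics and the ten-question threshold for a meaningful view are constructed assumptions.

```python
"""Compliance arithmetic for the Monitor Tool grading scheme (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# A grade of 0..4 means 0 %, 25 %, 50 %, 75 % or 100 % implemented.
GRADE_WEIGHT = {"0": 0.0, "1": 0.25, "2": 0.5, "3": 0.75, "4": 1.0}

# Distribution of the 262 answers, copied from Table 2 (Red and Total columns).
TABLE2 = {
    "?": {"red": 23, "total": 52},
    "0": {"red": 27, "total": 61},
    "1": {"red": 16, "total": 32},
    "2": {"red": 18, "total": 30},
    "3": {"red": 17, "total": 34},
    "4": {"red": 23, "total": 53},
}


def distribution_column(table: dict, column: str) -> dict:
    """Pick one column ("red" or "total") of Table 2 as {grade: count}."""
    return {grade: counts[column] for grade, counts in table.items()}


def weighted_compliance(dist: dict, unknown_as_zero: bool = True) -> Optional[float]:
    """Weighted share of the work done, as in footnote 23.

    unknown_as_zero=True:  the thesis' conservative choice; every "?" counts as
                           not implemented and stays in the denominator.
    unknown_as_zero=False: every "?" is treated as not applicable and dropped
                           from the denominator, which gives the upper bound.
    Returns None when no answer is left to divide by.
    """
    credit = sum(dist.get(g, 0) * w for g, w in GRADE_WEIGHT.items())
    graded = sum(dist.get(g, 0) for g in GRADE_WEIGHT)
    denominator = graded + dist.get("?", 0) if unknown_as_zero else graded
    return credit / denominator if denominator else None


def share_of_grade(dist: dict, grade: str) -> float:
    """Fraction of all answers (including "?") that received `grade`."""
    total = sum(dist.values())
    return dist.get(grade, 0) / total if total else 0.0


@dataclass(frozen=True)
class Question:
    """One Monitor Tool question with its ISF topic, role and priority."""
    text: str
    topic: str
    role: str
    priority: str  # "red" (fundamental) or "basic"
    answer: str    # "?", "0", "1", "2", "3" or "4"


def view(questions, topic=None, role=None, priority=None) -> dict:
    """Answer distribution for one of the tool's isolated views.

    Any combination of topic, role and priority may be fixed; the rest match
    everything, so view(qs) with no filter is the total distribution.
    """
    selected = [
        q for q in questions
        if (topic is None or q.topic == topic)
        and (role is None or q.role == role)
        and (priority is None or q.priority == priority)
    ]
    return dict(Counter(q.answer for q in selected))


def view_is_meaningful(dist: dict, min_questions: int = 10) -> bool:
    """Flag views so small that one answer swings the result by more than
    1/min_questions (the five-question, 20 % case mentioned in the text).
    The threshold of ten is an assumption, not a value from the tool."""
    return sum(dist.values()) >= min_questions


# Constructed sample questions; wording, topics and roles are hypothetical.
SAMPLE_QUESTIONS = [
    Question("Signed NDAs archived with Personnel?", "personnel security", "employee", "basic", "4"),
    Question("Security briefing given at employment?", "personnel security", "employee", "red", "?"),
    Question("Background checks documented?", "personnel security", "manager", "red", "1"),
    Question("Server room access logged?", "physical security", "manager", "basic", "3"),
    Question("Visitors escorted at all times?", "physical security", "employee", "basic", "0"),
]


if __name__ == "__main__":
    for column in ("total", "red"):
        dist = distribution_column(TABLE2, column)
        print(f"{column}: '?' as 0 -> {weighted_compliance(dist):.1%}, "
              f"'?' excluded -> {weighted_compliance(dist, False):.1%}, "
              f"fully implemented -> {share_of_grade(dist, '4'):.1%}")
    personnel = view(SAMPLE_QUESTIONS, topic="personnel security")
    print("personnel security view:", personnel,
          "meaningful:", view_is_meaningful(personnel))
```

Run on the Table 2 counts, the conservative weighting gives roughly 39% for the total (matching footnote 23) and about 48% when the 52 ‘?’ answers are excluded instead, which is the size of the gap the company would close by deciding which ‘?’s are genuinely not applicable.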
6.2 Compliances within different areas (%) 
As it turned out, there were differences in the extent to which the areas covered by the 
chapters of the ISF had been subjected to improvements. There were also, obviously, 
differences in the “red” levels. In annex A (which presents the distribution of 
answers with regard to different areas/topics) we can see that the red questions help 
in giving a better overall picture of the quality of what has been done. We can for 
instance see that in “personnel security” just below 40 percent of the total controls 
have been implemented, but within those, 60 percent of the red, more important ones 
have been covered. This indicates that in this section it might not really be as bad as it 
looks at first glance. Below is a listing of the results within the different chapters, 
along with comments. (Perhaps it would make more sense using a precision of 
1*10^1, but here I'll keep the numbers as they are presented in the tool.) 
23 ((53*1)+(34*0,75)+(30*0,5)+(32*0,25)+(113*0))/262 = 
(53+24,75+15+7,68+0)/262 ≈ 0,39 

6.2.1 ISF Chapter 2: Roles and responsibilities (25%). 
There were only three questions for this chapter, covering compliance demands with 
BS7799 for other parties and the existence of a continuity plan. Demanding third 
party compliance when writing contracts has increasingly become standard in the 
company over the last year. 
However, the absence of continuity plans is worth noticing. There is documentation 
stating that at least one of the systems has a contingency plan24, but I have not seen 
one. No service provider has supplied one, and the company itself has not produced 
one. The need for these plans has, however, been identified, and documents and 
procedures covering some of the functionality of contingency plans have been 
produced/implemented. Also, work on improving these documents and procedures is 
being done. Producing contingency plans would require knowledge, effort and 
resources, but, if disaster strikes, they would probably be worth several times their price. 
The questions in this section are all red ones, which makes the “red compliance level” 
reach 25%. 
6.2.2 ISF Chapter 3: Information security risk mgmt process (57%). 
This deals with using and producing things such as a security plan, vulnerability 
analysis, incident-reporting routines and critical impact lists. Some of the 
documents that have been produced within this area are results of the earlier 
project, which forced these documents to be produced in a bit of a rush. Even 
though they exist, they are often not much more than just documents. However, 
this makes for 57% compliance. Documents that have been produced are, amongst 
other things, a critical business impact analysis, a security plan, and incident 
reporting/handling routines. 
Level of reds: 50%. 
The most important things that are missing here are vulnerability analyses for all 
systems and the allocation of organizational resources for maintaining security 
safeguards, things that require time and effort to be spent. 
6.2.3 ISF Chapter 4: Security functions and classifications (18%). 
This deals with routines and procedures for maintaining confidentiality, integrity, 
availability and accountability of information. As one can see in the chart, this area 
has not gotten much attention, resulting in (as I mentioned earlier) information in 
many places being unprotected when it comes to the “CIA” part. 
The functional system owner documentation for each system does cover some 
classification with regard to sensitivity and availability, but no measures (technical or 
procedural) are in place to enforce these classification levels when handling 
documents, and the knowledge about them is sometimes not up to date. Lotus Notes 
has a built-in signing feature but this is not used by default, leaving accountability and 
confidentiality unimplemented. 
24 “SA_system 2003 Scand.xls”, sw dev. dep., author’s note 

There are policies in place saying that, when ordering new systems, the demands for 
compliance with the ISF shall be fulfilled (which means, amongst other things, that the 
CIA part shall be covered). It would be a good thing to make sure these demands are 
met in reality to as great an extent as possible. 
Level of reds: 20%. 
There is not much to say about the level of reds here as it is at the same level as the 
total. We can conclude that there is great room for improvement. What can be said is 
that it is a bit surprising that the level of compliance in this area is low, considering 
that those who handle sensitive information (the higher up, the more likely) know that 
it is sensitive and also probably know what could happen if it ended up being 
destroyed or in the wrong hands. 
6.2.4 ISF Chapter 5: Personnel security (38%). 
This area deals with things such as procedures and routines when hiring personnel, 
security training of personnel and disciplinary measures for not following the 
routines. These questions had to be directed mainly to a department not strictly within 
the company’s borders, since the administrative procedures regarding employment of 
personnel are handled by another unit. In this area things already work pretty 
much as intended and the 38% compliance is not as low as it seems; with an easy 
implementation of the rules, this area would also improve a great deal compliance-wise. 
Here there seemed to be not so much resistance towards security as simply a lack of 
knowledge of what was supposed to be done. 
Level of reds: 59%. 
Here we see that even though the compliance lies just under 40%, they have managed 
to pinpoint the important issues pretty well. Of the few important ones missed, it is 
worth mentioning that there is no general information security training in place and 
that there is no general rule that employees sign Non-Disclosure Agreements; only 
employees who handle particularly sensitive information sign NDAs. 
6.2.5 ISF Chapter 6: Security of third-party access (25%). 
As the title suggests, this area covers rules and regulations concerning third parties 
when it comes to access rights and authorizations. The documentation covering this is 
not really up to date, and those controls that have been implemented seem mostly to 
have been implemented indirectly. 
An example is the following question: “In case of outsourcing management and the 
control of all or some of the company’s information systems, do I make an agreement with the 
other party regulating the security requirements?” This is indirectly covered by a general 
service agreement, stating that the directives in the ISF shall be followed. 
Depending on what type of third party is being handled, the rules are applied with 
different weight. In this area there is a mixture of responsibilities and parties involved, 
making this one of the areas that is hardest to overview for compliance. 
The direct and indirect implementations make for a compliance level of 25%. 

Level of reds: 44% 
Here, again, we have a case of not much having been done according to the ISF, 
but many of the things that have been done are the issues considered important 
(several documents have been produced). What needs to be done is to make sure that 
the “implemented” controls (the produced documents) are in effect and being applied, 
so that they do not end up as, or remain, empty documents and rules. 
6.2.6 ISF Chapter 7: Physical and environmental security (71%). 
This area obviously deals with the physical security of people, buildings (and 
information). Some things here are not that obvious however, like, for instance, how 
to deal with paper trash and rules regarding how to handle the desks. It is my belief 
that this area has gotten the high percentage it has because the things covered 
here are mostly things that anyone can understand and visualize (for instance, rules 
regarding physical access, security perimeters and reviews of the rules are things that 
are implemented). The easier it is to understand the risks and potential impacts, the easier 
it is to get support to handle them. Everyone knows that houses can, and have, burned to 
the ground, and everyone knows what can happen if you do not lock the doors. 
Another strongly contributing factor to the high result, in my opinion, is that there is a 
person appointed responsible for this area, making it possible to devote full-time 
attention to these issues. This responsibility also covers the whole of the building, 
which holds not only this company but also other companies within the group and the 
head office of the corporation. 
Level of reds: 63% 
The things that are missing in this area are being worked on and are on their way. 
For instance, a new security manual for the building is on its way, and this 
will add the currently missing “yearly reviews concerning secure areas”, which is 
one of the fundamental controls. 
6.2.7 ISF Chapter 8: Authentication and rights management (68%). 
This area deals with things such as user IDs, passwords, network access and 
screensavers. The reason for this high percentage (68% compliance), in my opinion, is 
that almost all of these controls are things that are implemented by default in software 
and hardware today, and that many of them are traditional computer/network/IT security 
issues. These are things that every employee comes in contact with daily. The 
issues pulling the result down a bit within this area are some network-related ones and 
some procedures regarding review of the rules (those things that are not implemented 
as standard in modern software and hardware). Examples of things that are 
implemented here are: password handling/routines, unique UIDs and passwords 
hidden when entered on screen. 
Level of reds: 58% 
What pulls the result of the reds down the most is the fact that there are no procedures 
regarding reviews of the different areas in place. There are, for instance, no yearly reviews 
concerning password handling or access rights routines. Almost no review 
procedures, regarding anything information security related, are in place, and if 
the overall interest in information security is a bit low, it follows 
that the interest in reviewing the security is not peaking either. 

6.2.8 ISF Chapter 9: Communications and operations mgmt (49%). 
This chapter covers procedures for changes to software, segregation of rights for 
development and test, Internet use, and handling of digitally transferred media. 
The security project (see chapter 6.1) that took place earlier enforced the 
implementation of many of these controls, and therefore the required documents are 
in place to provide 49% compliance. However, it is not clear whether people know of and 
make use of these documents stating how things should be handled. Many employees 
I have met have little to no knowledge of what documents exist, and those who 
know about them have sometimes forgotten what they were about. In other words, 
there is a risk that even though the documents exist, they are hollow, so to speak. 
Also, the “internal” service provider handles many of the procedures covered by this 
chapter, since they deal with the software development. Some of the implemented 
controls are: separation of development and test, backup routines, a use-of-Internet policy 
and an e-mail policy. 
Level of reds: 53% 
Here, the absence of routines for handling information according to its 
classification is worth noticing. It is not possible to handle information according to 
non-existing classifications. (See 8.2.3) 
6.2.9 ISF Chapter 10: System development and maintenance (39%). 
Most of these questions have been directed to the company within the organization 
that is responsible for developing and supplying the other companies in the 
organization with software solutions. The questions in this area mostly concern the 
procedures for software development and maintenance, as the title suggests, and 
therefore they are not directly within the borders of the company I have examined. 
However, what is being developed is directly dependent on the requirements from the 
company that places the order, so they indirectly affect the result. 
I wanted to get a good picture of the status in this area as well, but unfortunately for 
me, the department responsible for these issues was heavily tied up in the work 
towards compliance with Sarbanes-Oxley. This made it impossible, time-wise, for 
them to investigate and answer all these questions at the moment. 
The only things I could find answers to by myself were those issues regarding what 
the company shall demand when ordering systems and the handling of them. Here too 
we have the case where documents have been produced under pressure 
from the earlier security project…to what level are these documents being followed? 
No one will know until enough time has passed and something has happened that 
reveals the true routines. There is however a 39% compliance level. Examples of 
implemented controls are: input validation and procedures covering software changes. 
Level of reds: 45% 
Not much to say here about the reds; most of the issues concern software 
development, which is handled by another department/company and is because of that 
not relevant (“not applicable”, if you so wish). However, it is worth noticing that there 
have been cases where the company ordering a system had no idea what security 
features to demand, and also cases where it was known what to demand but not 
why, making the result less than optimal. 

6.2.10 ISF Chapter 11: Compliance (13%). 
Here the focus is set on compliance with laws, reviews of the security policies and 
technical compliance. There are not many systems in the company where laws 
regulating the use of personal information are affected. Not much attention has 
therefore been given to this area and no audits are conducted on a regular basis, 
leaving the compliance level at 13%. However, those laws that concern financial data 
are being followed. Maybe the level within this area is close to sufficient when 
considering the type and amount of information stored today. 
As you, as a reader, might have understood, this is also one of those areas where more 
in-depth knowledge would be beneficial, not only within information security but also 
within law and technology. 
Level of reds: 10% 
Most of the procedures and controls are missing in this area, as you can see. But as 
not many systems are affected, this is not as bad as it looks, and maybe the 
Sarbanes-Oxley Act will boost the efforts being spent in this area in the near future. 
6.3 Risk assessment 
A regular stand-alone “Risk assessment” (as described in chapter 5.1.5, or as defined 
in the ISF of the company) regarding information security has not been conducted at 
company level. When it comes to other areas, risk assessment has evolved into an 
integrated part of the daily operations and the needed information can be extracted 
from various documents within the company. The company believes that the 
procedures presently at work are sufficient. 
6.4 Contingency plan 
No contingency plan existed or was produced during the time of the writing of this 
thesis. A template for business continuity planning and disaster recovery planning is 
available through the internal network, and I also wrote a small 5-page template for a 
contingency plan to be used by the company to at least cover the most important 
systems, but it has not yet evolved further to be implemented. The company realizes 
that there is a need for contingency plans and work has started on producing 
documents that cover some of the functionality of such plans. 

7 Analysis 
We can see that the areas that have the highest level of implementation are those 
that address either strictly IT-related issues (like passwords and UIDs) or areas where 
there is an obvious need for high security (like physical security). The areas that lag 
behind are mainly those that are not strictly IT-related (like the continuity plan), or are 
not that visible (like CIA of information) and/or require more in-depth knowledge 
within the area (again, like the continuity plan). 
Perhaps this is an indicator that the view on information security is somewhat tilted 
towards being more about what the papers write about than what reality looks like, or that 
those issues requiring more resources to handle are not that interesting. 
As noted, it can be seen that the issues that have had the most effort put into them 
are those that are directly visible to most people who work in an environment with 
PCs. However, these efforts probably do not reflect the threats to the company in an 
optimal way, since it is easy to find examples of things such as: 
A: They have not conducted an information security risk assessment. (No information 
security risk assessment has been found; the results when looking at the red vs. 
basic questions also indicate this.) 
B: There are no contingency procedures for the system that, on a daily basis, handles 
all of the company’s orders. (What would happen if this system went down for a week 
or two?) There are no contingency plans. 
C: There are no real procedures in place for labeling of information (documents), 
which means that anyone with technical access to a top secret document can take this 
to a competitor without the company being able to do a single thing about it. (The 
level of compliance here is unnecessarily low at 18%, and in my opinion it would be a 
good idea to put extra effort into improving the level of security in this area. It would be 
relatively cheap (at least classification of information, and enforcing adequate protection 
according to the classifications) and would not require that much 
security knowledge, but rather business knowledge, to know what types of documents 
need different types of procedures and regulations.) 
D: There is no general rule for the (digital) signing of documents or data in the 
company’s systems, which means that anyone with the right access can do practically 
anything and then deny all knowledge of it. 
Worth noticing is that the levels of implemented controls and the levels of 
implemented red controls differ a lot in some areas. For instance, “Personnel 
security”, which lands at 38%, and “Physical and environmental security”, which 
lands at 71%, seem to differ greatly at first glance, but when we look further, into the 
reds, we see that they both end up pretty close to 60%, suggesting that they both 
are roughly equally secure in reality. 
In six of the ten areas the compliance level is low (<40%) or significantly low (<30%) 
(chapters 2, 4, 5, 6, 10 and 11), while the remaining four areas have a compliance level 
of roughly 50% or higher. 

We can also see that in roughly two thirds of the topics, the percentages of reds are 
higher than the overall percentages for the very same topics, and in five of the ten 
topics the compliance level for the reds lands at 50% or higher, indicating that the 
company has managed to capture many of the important things within those areas 
even without the risk assessment. At the same time, though, the level of reds is 
significantly low in three areas (10%, 20% and 25%) and slightly lower than 50% in 
two additional areas (44% and 45%). It is a question of the cup being half full or half 
empty when (only) looking at the numbers. (Whether it is seen as half full or half 
empty would perhaps depend on what weight is given to the remaining issues versus 
those having been implemented.) 
These variations were not unexpected, and I believe that a similar picture could be 
drawn in many other companies today. If I had taken a guess in the first week of the 
thesis I would not have guessed that the security in a modern, well-known company 
would be at this level, but as the months went by I, of course, got a better and better 
view of what the situation looked like, and after a couple of surprises along the way I 
was not surprised by the end result when it finally became clear. 

8 Conclusion (& recommendation) 
It seems that, if something does not gain or hurt enough economically, it is extremely 
unlikely to happen. And if there is no one to explain that, and how, it will gain or hurt, 
it is definitely not going to happen. 
At 39%, the level of compliance with the ISF is not as high as demanded. To 
counter this and to get things started, it would be good to produce numbers that can be 
shown to top management so that they get a more hands-on picture of what can 
and needs to be done and why it should be given resources. Information security 
within the company needs to get its own space cut out on the organizational map and 
get running by itself, and it has to start in the heads of those involved. 
To be able to present the above-mentioned numbers, those charged with that task 
need the resources to produce them. This leads us to a slightly “catch 22”-like 
situation, where it is somewhat hard to get the resources needed to show top 
management why they need to spend resources on security. 
Another contradiction is that the company is focused on saving money and cutting 
down costs, but does not seem to be equally interested in the cost savings that can be 
achieved with good information security. Perhaps this is partially because the IS 
related savings are more long-term oriented and hard to put definite numbers on. 
Also contributing to this is probably the absence of models and argumentation 
showing the how’s and why’s. 
However, besides the obviously urgent matters, it should be possible to implement 
those things that do not require any large investments, like for instance labeling of 
documents (confidentiality classifications) and changing login procedures (“By 
logging in to this computer I agree to…”). There are many things that can be done 
that do not require any substantial investments, but instead a change of procedures, 
and that could have a reasonably good effect on the level of security. Also, if the 
economic incentives for this work to be conducted were presented/produced, then I 
believe that it would gain more support across the company. 
One aspect that was not covered by the compliance-monitoring tool, and therefore 
could have been overlooked, is the issue of how the information security organization 
is set up within the company. As it is now, the company’s head of information security 
also has the responsibility of being IT manager. Information security has become 
a sub-part of the IT department. This has some advantages, as knowledge about the 
IT infrastructure is beneficial, but it also has drawbacks. Separation of IT manager and 
Chief Security Officer (CSO) duties gives benefits (see chapter 11.3). 

One solution to things such as, for instance, the time-related problems that can occur 
(where IS competes with IT time-wise, described further in chapter 11.4 - Time) is to 
have the CSO be an entity of its own, not sharing that responsibility with other 
demanding responsibilities. This is also considered to help in preventing biased 
decisions due to feelings of obligation to other areas and people. A third benefit of 
this is that, with the IS function set “beside” other functions, focus can be put on all 
the aspects and areas of importance, and since information security does not only 
apply to one area of the company this is a good alternative. This of course requires 
that information security be seen as important enough to have someone constantly 
nagging everyone about it. 
All the information that has been available to me during this benchmark leads me to 
conclude that the situation, when it comes to information security within the 
company, is not ideal. This area is somewhat down-prioritized and lagging behind. 
But at the same time it is not altogether bad, since some work has been done, is being 
done and will be done, even if it is happening as late as possible. 
I see the work towards information security being held back more by lack of interest 
and knowledge within information security in general than by lack of capability to 
understand the internal version of the ISO17799 standard. This general lack of interest 
in IS does, however, contribute to the difficulties of understanding the Information 
Security Framework, since there is no real motivation to put effort into understanding 
and implementing it (generally there seems to be low knowledge within the company 
about the contents of the ISF and how to interpret it). 
I also believe that a significant rise in knowledge and motivation alone would 
probably not be enough to single-handedly get the work on track, since there are a 
myriad of factors affecting what gets done, but these two would present the best 
starting point in my opinion (and would also help in deciding which issues to 
prioritize), and further research would probably be able to prove that true or 
false. 
As a final note, even if the level of security is low or not as high as it is supposed to 
be, some security is better than no security, and even if the implemented 
controls do not reflect the risks, it is still the case that some security is better 
than no security. Also, the security is progressing, although slowly, which makes the 
situation improve little by little. However, effort needs to be put not only into 
improving the security, but also into ensuring that what is being done has the intended 
effect, and that it is actually effective. (It will not be enough to state that you 
shall vacuum clean the floor. It will also not be enough to just drag the vacuum 
cleaner around the floor. You must make sure that it actually removes the dust from 
the floor.) Otherwise the company will risk ending up in that “false sense of security” 
(and the vacuum cleaner operator with a dirty floor). 

9 Discussion 
In the text below I will assume that, sometime in the future, the company has the 
intention to fulfill the stated minimum requirements as they are written in their ISF. 
As one can conclude from the numbers gained, the company does not fulfill its 
targeted minimum level of security. This is no surprise, since there doesn’t seem to be 
any interest, so far, in implementing everything. The work would benefit from gaining 
more momentum, and the controls that are implemented are mostly the 
“minimums” that are “standard” in any IT infrastructure today. Why is this? 
Below I will discuss three areas of special interest: Knowledge, Motivation and Time, 
and give some small conclusions based on the current situation. I believe that the 
situation within these areas heavily affects how the work towards information security 
progresses (or towards whatever one chooses). 
9.1 Knowledge 
Given that the area of information security has taken years to develop into what it is 
today, I believe that the company’s work towards a higher level of information 
security would benefit from complementing the actual work experience gained so far 
within the area with more education being offered (as it is within every area of work: 
more knowledge = better). A heightened level of knowledge, accompanied by 
detailed templates for various document types, would help the overall information 
security work. Those faced with the task of enforcing information security need to be 
supplied with the right tools. 
To be able to get things done in this area it is of the utmost importance to have the support 
of top management, because they decide where the company’s resources are spent. 
Also, information security deals with the whole of the company, and this means that 
top management need to be there to assign resources and rights to those who are to 
change the organization. This is so important that it is stated as the first thing to do in 
every guide there is covering how to work towards IS in a company: “Get stated 
support from top management”. As it is now, top management is not against it, but it 
seems that they are also not that interested in implementing security just for the sake 
of it. This is probably a normal situation today, and as long as top management in 
companies/the company cannot see why, economically, they should invest in 
information security, no real major changes will take place. This is also the driver 
behind the importance of supplying the ones charged with the task of enforcing IS 
with the tools to argue for its existence. Without the arguments and models showing what 
the benefits are, little support will be given for its implementation, and top 
management decisions regarding this area will be based more on feelings than on 
facts. 
This leads me, again, to believe that the company would benefit from having all the 
involved parties further educated and informed on how to work towards information 
security, and why. Hopefully this would help top management see that, and how, IS 
can save money, but not for free. 

Also, the general concept of “information security” within the company would benefit 
from not only including the obvious IT-related things such as firewalls and passwords 
but also things such as labeling of information, ensuring integrity of information, 
various policies, procedures and regulations, etc. In other words, a more holistic 
approach would help all involved in understanding more of what information security 
is about, and different ways of implementing it, which in turn would help in 
understanding the ISF and what it demands. The effects of “digital” protection are 
diminished if one, for instance, still sends sensitive physical documents unprotected 
around the world. 
9.1.1 Knowledge - Conclusion 
I believe that further progress could be achieved with a higher/wider level of 
knowledge within the company. With more knowledge it would be easier for those 
involved in the decision making to see the benefits of it. As it is now, the level of real 
knowledge within the area could be significantly higher. This cannot be considered 
the most optimal situation when trying to get things done. Of course the level needed will 
decrease to some extent higher up in the organization, but there needs to be some sort of 
basic knowledge in place allowing people to see the risks facing the company. 
Also, with higher knowledge, more of the non-obvious security controls (see chapter 
8.2 and annex A) might be seen as important and deserving of attention. 
9.2 Motivation/Interest 
The mindset at the moment seems to be to do only the minimum that is required, 
those things that everyone realizes have to be done (like replacing a system that is old, 
has no documentation, handles 100% of the company’s orders and has a small, 
decreasing, old group of “fixers”). 
Work like this requires that people invest time in finding out what needs to be done 
and doing it. Normally this work includes a risk assessment. Not only does this 
highlight the risks at hand, and where efforts are needed, but it also lets the involved 
people gain knowledge within the area and get a clear picture of the current security 
status. I believe that this clear picture of what needs to be done makes it easier to be 
motivated and to devote time to the task than if the task is as broad as, for instance, 
“promote security”. As it is now, no risk assessment regarding information security 
has been conducted at company level (the relatively low level of 
reds can also be seen as an indicator of, or a result of, a risk assessment not having been 
conducted). Probably the assessment that has been done was 
conducted at the higher international (corporate) level (finding the most corporate 
critical systems) and then the result was applied to the national companies, of 
which this is one. Could this affect what has and has not been done? 

I believe that if people are presented with a huge number of controls that are to be 
implemented but do not understand what they mean and do not see clearly the reasons 
behind them and the importance of implementing them, then the interest might not be 
at its highest. Every employee is required to comply with the minimum requirements 
as stated in the internal ISF but not many have any knowledge at all regarding it, and 
it is not unusual to meet employees that has not heard of it. If management at different 
levels in the company had been involved in working out an information security risk 
assessment, then perhaps they would have been more on track and interested in 
promoting all the security measures. Especially it would have been beneficial to 
include top management in such a process. (I know I am starting to repeat myself) 
I also believe that producing other deliverables, such as a contingency plan and a risk 
assessment, would bring benefits beyond the plan itself. These processes would require 
people to go through some extensive "security thinking", and hopefully that would carry 
over into other issues in need of attention as those involved realize what risks there are. 
The problem is that, to be able to produce this work, the people involved need to obtain 
the necessary knowledge so that they know how to conduct, and produce, risk assessments 
and contingency plans. This would in turn require those involved to devote time and 
resources to it, and this, again in turn, would require the motivation and interest that 
simply is not there yet. 
It is stated that there shall be sanctions for not complying with various parts of the 
rules (i.e. not only for misusing the rules, but also for things such as not having 
implemented a certain control). But if the sanction is not applied in case of a 
violation, then, as one person pointed out, people will be inclined to put convenience 
in front of logic when faced with "all these rules". Likewise, if the stated sanctions 
do not reflect the severity of the violation, this will also encourage ignoring the 
rules altogether. 
As it is today, many rules are not being followed, and incidents mostly do not lead to 
any disciplinary sanctions as long as they are not too severe in nature. This is 
comfortable for the employees, but from a security point of view it is not a good thing, 
since it works against the goal of good security. I believe that formal, well-motivated 
regulations concerning sanctions, which were actually enforced, would increase the 
motivation among employees to pursue the security work within the company. 
However, this would also require that everyone be thoroughly informed about what 
is and is not allowed, and why. It would also require a deadline to be set, stating 
when the company shall comply with the regulations at the latest. 
9.2.1 Motivation/Interest - Conclusion 
It would be beneficial, from a security point of view, to spend effort on providing the 
"whys" and the background of the work. I believe that producing things such as a 
risk assessment and a contingency plan would help with that. Enforcing the stated 
disciplinary sanctions might also improve the motivation for the security work, but 
this would require that people are informed of what the rules are, why they are as 
they are, and what the sanctions for not following them are. 
9.3 Time 
No work gets done by itself, and this applies to information security work as well. 
People need to put in work hours to understand, argue for and implement security, but as 
one of the persons with insight into the security work said: "business is busy doing 
business". Most people have other things to do and have neither the time nor the interest 
to spend effort on security issues. The security officer needs to be able to devote time to 
the issues at hand. 
Information security is not limited to technology, but with the present setup of 
combined IT and IS roles, the IS-related issues will constantly have to compete for 
time and resources directly against the IT-related ones. As the list of the IT 
department's tasks (version 5, 2004-04-01) does not include any security-related 
responsibilities, and there is no real pressure from above, chances are that those issues 
will come second as long as they are not urgent. This promotes a reactive way of 
working towards security instead of a proactive one, and as long as no one at the top 
sees a problem in the security work lagging behind, there will be no change in the 
process. (A proactive approach to security would be the better choice.) 
There are different views on which organizational structure is best, but whatever 
conclusion you come to, from what I have seen most people would still agree that for 
the best result the one in charge of information security should not combine this 
responsibility with others, such as being head of a department in another area. (This, 
of course, presumes that the company is big enough to justify keeping these positions 
separate.) Combining the roles promotes the time problem mentioned above, but 
potentially other problems as well. For instance, a problem may arise when it is time 
for the security chief to audit the security work being done in the company. If the one 
in charge of security is also in charge of a department within the company, the result 
may be biased, since it would basically mean auditing oneself. 
On the other hand, if security is "down-prioritized" to a peripheral issue, then there 
will be no "time problem", and if no security audits are conducted, the self-auditing 
problem also disappears. This has only one downside: there will not be any real level 
of security either. 
9.3.1 Time - Conclusion 
Information security is not given much priority, which means that there is currently no 
problem in having the different roles combined. Whether this is good or bad depends 
on where you look at it from. The time that can be devoted to this area reflects the 
priority it is given within the company, and at present that priority is set low, as are 
the level of security and the time devoted to it. (Tip: for more thoughts on this, see 
the "ISMS Journal", issue 4, Aug 2004, available through www.aexis.de.) 
10 Underlying cause 
When trying to get to the root of the problem, we can see that on the whole there is a 
lack of interest and motivation to prioritize information security, and that what has 
been done consists mostly of the obvious, short-term oriented controls. In my opinion, 
this will not be cured by brute force (and by brute force I mean merely trying to state 
what must be done), b