
Cabinet Office


Information Assurance Governance Framework

Change Management

Introduction

The IA goals and processes defined at the start of an IS development cycle will inevitably change as the system itself develops to meet changing circumstances and as a result of identified shortcomings. The review and maintenance of the IA-related aspects must be carried out in parallel if protection is to be maintained.

Scope

For the purposes of this document, the term ‘change management’ relates to IS, and encompasses elements of the processes listed below:

Statement of Best Practice

The IA aspects of change management and related processes should be tightly integrated with the mainstream IS practice in this area, so that the organisation maintains an acceptable level of IA.

In the general case, security approval should not be seen as a one-off event, and Accreditors will want to be sure that once approved, the system will continue to work in a secure manner. In the case of ISO/IEC 17799 compliance, Auditors will look for similar assurances. Internal auditors may also wish to examine business or management aspects of information security. Consequently an effective change management process is a necessary part of maintaining the value of an organisation’s investment in information assurance.

Whilst the available guidance is focussed on Information Systems, it should be remembered that change management is necessary in other areas also (such as changes in personnel and changes to the physical environment) since these have the potential to affect the overall security for the system.

Principles of Governance

There are a number of standards detailing general best practice in this area, the most relevant being the IT Infrastructure Library (ITIL) available from OGC. The ITIL document set includes a component dealing specifically with managing the achievement of agreed security service levels.

However, the two main sources of governance in relation to the framework are ISO/IEC 17799, and the requirement for systems processing protectively marked information to maintain accreditation:

Both of these aspects are dealt with in the discussion of best practice in subsequent sections.

Problem Management

An effective problem reporting and management mechanism is specifically identified as a component of best practice in ISO/IEC 17799.

Problem management relies upon the use of available sources of advice, such as CPNI and UNIRAS, and must be based on an ongoing monitoring of threats and vulnerabilities. Problems raised by users also constitute a relevant source of potential improvements.

Organisations must ensure that:

Incident Management

In this context, ‘incident’ refers to an event which affects the level of service provided by IS, but which is not severe enough to trigger the disaster recovery or business continuity planning options.

Incident reporting is covered as a specific issue later in this document.

There must be a review process by which lessons learned from the incident are used to ensure that the implemented countermeasures are consistent with the threat profile. ISO/IEC 17799 specifically recommends this.

Configuration Management

Configuration management concentrates on controlling changes as the business requirement evolves. As a general principle the system configuration must be based on essential business requirements, with all other functionality locked down.

IA also requires effective configuration management in terms of application of patches and security updates (i.e. the maintenance of a secure configuration). Therefore organisations should ensure that there is an effective process for reviewing the available patches (such as those identified by UNIRAS alerts) and for ensuring timely application where appropriate. In each case there must be:

ISO/IEC 17799 recommends the use of a configuration management process to ensure that unauthorised changes are not made to the system.

In IA terms configuration control must also be applied to the security documentation applying to a system, since it documents the protective measures based on an analysis of the risks. This will mean in the general case that configuration control will also be applied to the documented supporting IA processes.

There may also be areas of IS that require especially stringent control to be applied: firewalls and other boundary security devices, for example. For these critical areas, and in some cases for the system in general, IT Health Checks on a six-monthly basis will guard against configuration ‘drift’ and ensure that technical countermeasures are aligned with the totality of threats.

Effective configuration management also relies upon an up-to-date and reliable asset inventory and supporting documentation; these too are specifically identified in ISO/IEC 17799.

Change Management Approval

As a general principle the change review and approval mechanism must address the security impact of each proposed change.

GSi-connected organisations are required to obtain re-authorisation following major changes.

In general terms, accreditation/approval is granted on a qualified basis for an identified period. Organisations need to keep a watching brief on configuration records and business plans in order to confirm that the bounds of the original approval have not been exceeded, and in order to ensure timely re-approval (usually on an annual basis). Systems with an accreditation requirement will have their re-accreditation triggers identified and agreed in their Risk Management and Accreditation Documentation Set (RMADS); the inclusion of this information is mandated in IS2. Certification to BS7799 requires a six-monthly review and a complete audit every three years.

In all cases organisations must ensure that the responsibility for monitoring accreditation status is allocated and accepted.

Capacity Management

A capacity monitoring and management process is identified as best practice in ISO/IEC 17799, on the basis that Information Assurance covers availability of service as well as confidentiality and integrity.

Recommended best practice therefore is to implement a capacity management process which is linked to future business plans, and which has a cycle review time that takes into account procurement lead times and other delays in reacting to emerging requirements.

Release Management

ISO/IEC 17799 sets out a process of authorisation for new information processing facilities, and a process for system acceptance. In IA terms this authorisation is accreditation, which will need to be renewed on major releases; the acceptance process should include a component which delivers the necessary evidence to allow accreditation to take place. In the general case this could include physical inspection reports, the results of IT Health Checks, and the results of functionality testing.

For Government systems accreditation approval is required for an information system to become operational.
