Using Reflex Disknet Pro to Aid Compliance with BS 7799 & ISO/IEC ...

Using Reflex Disknet Pro to Aid 

Compliance with 

BS 7799 & ISO/IEC 17799:2000 

A whitepaper by Reflex Magnetics Ltd.

Contents 

INTRODUCTION 4 

EXECUTIVE OVERVIEW 4 

MEETING AND RETAINING THE STANDARD 5 

1. ASSET CLASSIFICATION AND CONTROL [5] 6 

1.1. INVENTORY OF ASSETS – PHYSICAL ASSETS [5.1.1 (C)] 6 

2. PHYSICAL AND ENVIRONMENTAL SECURITY [7] 7 

2.1. SECURITY OF EQUIPMENT OFF-PREMISES [7.2.5 (A) & (C)] 7 

2.2. SECURE DISPOSAL OR RE-USE OF EQUIPMENT [7.2.6] 8 

3. COMMUNICATIONS AND OPERATIONS MANAGEMENT [8] 8 

3.1. OPERATIONAL CHANGE CONTROL [8.1.2] 8 

3.2. INCIDENT MANAGEMENT PROCEDURES [8.1.3 (A) (B) (C)] 9 

3.3. PROTECTION AGAINST MALICIOUS SOFTWARE [8.3] 10 

3.4. CONTROLS AGAINST MALICIOUS SOFTWARE [8.3.1 (A) (B) (E) (F)] 11 

3.5. MEDIA HANDLING AND SECURITY [8.6] 12 

3.6. MANAGEMENT OF REMOVABLE MEDIA [8.6.1 (A) (B)] 12 

3.7. DISPOSAL OF MEDIA [8.6.2 (A)] 13 

3.8. EXCHANGES OF INFORMATION AND SOFTWARE [8.7] 13 

3.9. SECURITY OF MEDIA IN TRANSIT [8.7.2 (C)] 13 

4. ACCESS CONTROL [9] 13 

4.1. EVENT LOGGING [9.7.1 (A) (B) (C) (E)] 13 

4.2. MOBILE COMPUTING AND TELEWORKING [9.8] 13 

5. SYSTEMS DEVELOPMENT AND MAINTENANCE [10] 14 

5.1. POLICY ON THE USE OF CRYPTOGRAPHIC CONTROLS [10.3.1] 14 

5.2. SECURITY OF SYSTEM FILES [10.4] 14 

5.3. CONTROL OF OPERATIONAL SOFTWARE [10.4.1 (A) (C)] 14 

5.4. CHANGE CONTROL PROCEDURES [10.5.1] 15 

5.5. COVERT CHANNELS AND TROJAN CODE [10.5.4 (E)] 15 

6. COMPLIANCE [12] 15 

© Reflex Magnetics Ltd 2

6.1. SOFTWARE COPYRIGHT [12.1.2.2] 15 

6.2. COMPLIANCE WITH SECURITY POLICY [12.2.1 (D)] 15 

SUMMARY 15 


Introduction 

Just like any other business asset information has a value, and consequently we 

should as organisations look at protecting that most valuable of assets. Having a 

recognised standard to work toward is both desirable and effective. Since compliance 

with a recognised standard will clearly identify to others that you have seriously 

considered the subject in question. The ISO (International Organisation for 

Standardisation) and the IEC (International Electrotechnical Commission) form the 

specialised system for worldwide standardisation. Numerous national bodies make 

up the membership of these organisations developing and publishing internationally 

recognised standards. Gaining accreditation of BS 7799 or ISO/IEC 17799:2000 is 

fast becoming the accepted minimal standard for Information Security. 

More and more companies are demanding that their suppliers and partners become 

compliant, thereby indicating that they have taken credible steps to implement 

information security. Why is information security required and what is causing so 

many organisations to sign-up to this standard? Confidentiality, integrity and 

availability of information are probably the main drivers, which are directly linked to 

competitive edge, cash-flow, profitability, legal compliance and not least commercial 

image. 

Executive Overview 

Since BS 7799 was converted into the international standard ISO/IEC 17799:2000 it 

has become almost a prerequisite when implementing information security. This 

standard or code of practice covers all aspects of IT including such elements as; 

Security Policy, Organisational Security, Physical and Environmental Security, 

Systems Development and Maintenance and Business Continuity Management. 

The standard is divided into twelve main sections, each section sub-divided to allow 

all aspects of this vast subject to be considered. For any organisation either looking 

to implement this standard or for those that have already attained accreditation and 

require to remain compliant, Reflex Disknet Pro offers a software solution that will 

enforce policy in six of the twelve main areas: 

• Asset classification and control 

• Physical and environmental security 

• Communications and operations management 

• Access control 

• Systems development and maintenance 

• Compliance 

Investment in information security and it’s formal acknowledgement via ISO 17799 

accreditation is not to be taken lightly. Notwithstanding the benefits already 

described above, any product which is capable of offering support of this standard 

whilst in itself providing further benefits in enforcing policy and security in a uniformed 

and manageable way, is worthy of consideration. The remaining pages of this 

document illustrate how Reflex Disknet Pro delivers just that. 


Meeting and Retaining the Standard 

What follows will be a description of various aspects of the standard complete with an 

explanation of how Reflex Disknet Pro (RDP) addresses this issue. Screen shots 

have been included for completeness, however it is not essential that the reader 

have a thorough knowledge of RDP. Reviewing this document will give the reader an 

understanding of how RDP can be used to achieve this compliance. 

RDP is a software product that is constructed around client>server architecture. The 

client element being installed on all PCs connected to the network. These PCs can 

be removed from the network, as in the case of a mobile user’s and still be part of the 

security shield that RDP provides. The server element communicates with the client 

and pushes security profiles onto the client PCs. It also receives information from the 

client with regard to audit information and security alerts. Management of this 

software is conducted through a Microsoft Management Console (MMC), which can 

either be sited on the server machine, or any other PC connected to the network. 

This software itself has been submitted for Common Criteria accreditation ( 

http://csrc.nist.gov/cc/ ). 

To aid reference with ISO/IEC 17799 each aspect discussed below will have the 

relevant numbering convention of that standard in brackets after the section heading. 


1. Asset classification and control [5] 

By identifying assets and nominating an owner who will have responsibility for that 

asset, it is possible to assign an appropriate level of control. 

1.1. Inventory of assets – physical assets [5.1.1 (c)] 

Magnetic media and other removable storage devices can be accounted for using 

RDP by implementing the Removable Media Manager. This control mechanism 

identifies individual devices and will either allow or deny access to them dependant 

on the policy in force for that particular user. If the policy allows access to the device, 

there is a process of authorisation that must be undertaken. 

Fig. 1 

All requests to access any removable memory device will first be checked against the 

policy in force. If access is possible, the device is checked for a unique RDP 

identifier. However, if this is not present the authorisation mode commences. This 

may include the scanning of the device with a third party anti-virus tool to check for 

known viruses and/or a scan of the device with RDP’s own content scanner. This 

content scanner is used to ensure that only data can be imported. It can be 

configured further to ban particular data file types, such as .MP3 for instance. 


From within the RDP administration management console a security profile can be 

built to apply to a user, or more usually a group of users. By selecting “Profile 

Templates” a range of policy decisions can be enforced. Fig. 1 above shows the 

Removable Media Manager tab from within the profile template of a “standard user” 

2. Physical and environmental security [7] 

This section deals with unauthorised access, damage and interference to business 

premises and information. RDP addresses issues raised under clause 7.2 Equipment 

security. 

2.1. Security of equipment off-premises [7.2.5 (a) & (c)] 

The standard maintains that “regardless of ownership, the use of equipment outside 

an organisation’s premises for information processing should be authorised by 

management. The security provided should be equivalent to that for on-site 

equipment used for the same purpose, taking into account the risks of working 

outside of the organisation’s premises.” 

RDP ensures that the last security profile template in force when that equipment 

(PC/laptop) was last used inside the organisation’s premises, will apply to the 

equipment when used outside of the premises. If the PC/laptop was never 

connected to the network where a security profile template would be automatically 

applied or had specifically imported onto it a security profile template, then the default 

“lock-down” template would apply. In this way, controls can be applied to mobile 

workers consistent with those controls that apply to members of the organisation’s 

LAN. 

This clause also raises the issue of media left unattended. The risk here is the 

unauthorised access to information. It is essential that the information contained on 

the local hard disk of the PC/laptop be protected, either by access control 

mechanisms or encryption. Equally, the security of removable media needs to be 

addressed, especially since modern portable storage devices can hold vast amounts 

of data. The 2Gig memory stick is a reality. 

RDP manages this risk by providing a centrally managed encryption system. Users 

and groups can be automatically supplied with keys to encrypt and decrypt all 

information stored on removable devices. Fig. 2 below shows the EPM (Encryption 

Policy Manager) tab from within the profile template. Using the options on this tab, an 

administrator can create a policy where all removable media is encrypted by default. 

Segregation of information can also be achieved by dictating if the user can view 

information written by another user. 

The system also allows the off-line access to encrypted information via the input of 

the users personal password, where desirable. This is achieved without the need to 

install any additional software on the host machine. 


Fig. 2 

2.2. Secure disposal or re-use of equipment [7.2.6] 

The issue of secure disposal is covered by this clause. Both sensitive data and 

licensed programs should be rendered inaccessible when no longer required. The 

standard advise that overwriting and removed be used. However the EPM option 

above (Fig. 2) can also be used to put this information beyond the reach of 

unauthorised users. If the contents of a disposed memory device are encrypted, it is 

more secure than just overwriting the data. 

3. Communications and operations management [8] 

One of the largest sections of the standard covers all operational issues concerning 

information processing. RDP can be used to enforce nine of the sub clauses 

3.1. Operational change control [8.1.2] 

This clause states amongst others, “inadequate control of changes to information 

processing facilities and systems is a common cause of system or security failures. 

Formal management responsibilities and procedures should be in place to ensure 

satisfactory control of all changes to equipment, software or procedures.” 


RDP through the use of it’s Program Security Guard (PSG) can enforce the policy of 

preventing change to installed software and software configuration. It will also 

prevent new unauthorised software from being installed. 

Fig. 3 

Fig. 3 shows the PSG tab from within the profile template. PSG when activated, as 

part of a user profile will effectively lock by default all executable files as read only, 

and prevents new executable code from being introduced by the user. Additional file 

types can be added to the default list of protected files using the “Unsafe file types” 

configure button. 

3.2. Incident management procedures [8.1.3 (a) (b) (c)] 

This clause requires procedures to be established to ensure a quick, effective and 

orderly response to security incidents. 

RDP makes use of an alerting system for specific security incidents monitored by the 

software. The system allows for any of the specified events (see Fig. 4) to be added 

to an audit log. When used in conjunction with the “Alerts” mode within the 

management console, this can generate an email alert to be sent to the system 

administrator or other designated personnel. 


Fig. 4 

By initiating an immediate log of the event and also activating an email alert (Fig. 5) 

to designated personnel security, incidents can be dealt with immediately. 

All monitored events are added to a security log on the local PC/laptop that is 

periodically synchronised with a central audit log. This audit log records a unique ID 

log number, time, the event name, whether an alert was issued, user name, host 

name (PC), source and message. Since audit logs by nature have a habit of growing 

in size very quickly, filtering is also supplied so that specific events can be viewed or 

incidents for a specific user or group can be viewed. 

3.3. Protection against malicious software [8.3] 

This clause deals with the protection from computer viruses, network worms, Trojan 

horses and logic bombs, collectively referred to as malware. Malware at worst has 

the ability to destroy or alter software and information. Even in its most benign form, 

it can disrupt systems by replicating and sending automated emails to those 

addresses stored in the host computers address book. Anti-virus software can be 

used to detect known viruses and if kept regularly up to date, effectively this means 

daily at the very least, perform reasonably. However, there is always the “window of 

opportunity” between when a new virus or worm is released into the world and the 

anti-virus companies issue an update to their products that will recognise it. 

Protection for this period has become known as “zero day” protection, and is 

considered by some as the “Holy Grail” with regard to anti-virus research. RDP has 

the potential to offer zero day protection. Indeed, Reflex Magnetics Ltd have clients 


that make use of the products zero day protection capabilities and report no virus 

infections. Logic bombs present a real problem for anti-virus software since a logic 

bomb can be targeted at a particular organisation. Therefore, the first people to see 

this malicious code will be the target and as such their anti-virus software will not 

recognise the attack. RDP’s zero day protection will also help to combat this threat. 

Fig.5 

3.4. Controls against malicious software [8.3.1 (a) (b) (e) (f)] 

The standard requires that a formal policy exists requiring compliance with software 

licences, prohibiting the use of unauthorised software, and one that protects against 

the risks associated with obtaining files and software from or via external networks, 

or on any other medium. RDP can be used to absolutely enforce such a policy. By 

selecting the PSG option, which prevents the addition of any new executable files 

whilst locking the currently installed executables files as “read only”, software 

licensing is maintained since no new software can be installed without the permission 

of the system administrator. It does not matter where these types of file are intended 

to be introduced, they will be blocked. Non executable files can be subjected to a 

virus scan as an added precaution before the media on which they are stored is 

authorised for use. This will include the checking of email attachments. The PSG 

tab from within the profile template can be viewed at Fig. 3. 


3.5. Media handling and security [8.6] 

Clause 8.6 asks that all media should be controlled and protected from theft and 

unauthorised access. 

3.6. Management of removable media [8.6.1 (a) (b)] 

There should be procedures for the management of removable computer media. 

RDP was designed specifically to offer this type of management control. All media 

must be authorised for use which will necessitate a content scan using either a third 

party anti-virus product or RDP’s own content scanner. It may indeed require both of 

these scans to be performed. Once authorised for use, an audit trail can be kept of 

all files stored on the device. Fig. 6 shows one event from a removable media log 

file. 

Fig. 6 

You will note that there is a unique ID number, time, operation, host name (PC), 

process, file name, and user name recorded. 

Protecting the media’s contents from unauthorised access is achieved by making the 

policy dictate that all removable media should be encrypted, as discussed in section 

2. 


3.7. Disposal of media [8.6.2 (a)] 

Safe disposal of media is required where sensitive information may have been 

recorded on that media. The standard talks of incineration or shredding to provide 

this protection. However, with a policy enforced by RDP of encryption of removable 

media, this will negate the need to securely erase or incinerate the media to achieve 

the desired level of protection. 

3.8. Exchanges of information and software [8.7] 

The objective here is to prevent loss, modification or misuse of information 

exchanged between organisations. 

3.9. Security of media in transit [8.7.2 (c)] 

Information can be vulnerable to unauthorised access or misuse during physical 

transport. The use of encryption when applied to information in transit will obviate 

this concern. 

4. Access control [9] 

“Access to information and business processes should be controlled on the basis of 

business and security requirements. This should take account of policies for 

information dissemination and authorisation.” 

4.1. Event logging [9.7.1 (a) (b) (c) (e)] 

The standard requires audit logs to be produced and kept for exceptions and other 

security related events. 

RDP is able to audit all of its monitored and controlled areas, such as removable 

media management, unauthorised attempts to introduce new software and any 

attempted malicious code activity. These log files include all of the following 

information; user ID, date and time, type of event, and files accessed or copied. 

Where devices are forbidden or blocked, any failed attempt to connect is also 

recorded, including this detailed information. 

4.2. Mobile computing and teleworking [9.8] 

When considering mobile computing or teleworking, the standard requires that the 

protection be commensurate with the risks these specific was of working cause. 

RDP’s use of profile templates to set the security level for any particular authorised 

user, works particularly well in the case of mobile or teleworking. If the computer is 

mobile and not connected to the organisations network when the user logs on, they 

will receive the last known profile template as their security control. If this template 

has been corrupted in anyway then a default “lock down” template would apply. 

Updates to the profile template in force can be achieved by importing a new template 

file, although this would need administrator rights. All audit information will be stored 

locally and transferred when the computer next connects to the network. 


For teleworkers who normally connect via a VPN to the organisations network, their 

profile template will be delivered in the usual way. Dynamic updates to this profile 

template can also be achieved as though the computer was connected locally. 

5. Systems development and maintenance [10] 

This clause deals with the security of the system itself, but not limited to the operating 

system and those applications that run on it. 

5.1. Policy on the use of cryptographic controls [10.3.1] 

Where an organisation has developed a policy on the use of cryptographic controls 

these will need to be managed. 

RDP makes management of a cryptographic policy with regard to removable media 

very simple. The most onerous part of implementing cryptography is the 

management of crypto keys. RDP’s Encryption Policy Manager takes care of this 

aspect automatically. Once the policy has been invoked, any user accessing 

removable media will have a key pair produced for them without the need to ask. 

Should the user be part of a larger group who need to be able to share information 

stored on the removable media, group keys will also be added to facilitate this. 

Additionally a management escrow key will also be used so that management can 

access any data encrypted by the system. 

Users are authenticated by their operating system logon (user ID and password). In 

this way no further passwords are required by the system, unless the user has been 

granted the ability to access stored information on an encrypted device off-line. In 

this case the user will be prompted to choose and enter a password. Rules 

concerning password quality are also set by EPM and are viewable by users. 

All technical aspects of the encryption process such as algorithm used and key 

length are hard coded by the system, using industry standards. 

5.2. Security of system files [10.4] 

Access to system files should be controlled. By maintaining system file integrity, a 

degree of confidence can be assumed. 

By implementing RDP’s Program Security Guard (PSG) all existing system 

executable files are locked as “read only” and therefore can not be modified or 

replaced by anyone but the designated system administrator. 

5.3. Control of operational software [10.4.1 (a) (c)] 

Controls should be in place to allow only nominated personnel the freedom to update 

operational program libraries, and furthermore, executable code should not be 

allowed on to an operational system until it has been tested and authorised. 

PSG can be used to enforce this policy. 


5.4. Change control procedures [10.5.1] 

Formal change control procedures should be enforced according to the standard. By 

locking the current configuration with regard to existing executable code, PSG 

achieves this enforcement. 

To aid systems maintenance, PSG has the ability to be instructed to allow certain 

processes exemption from its control. In this way, a system administrator can use 

software deployment tools to update existing software or install new packages whilst 

PSG is active. 

5.5. Covert channels and Trojan code [10.5.4 (e)] 

The standard requires control of installed code to prevent modification of this code 

and checks to be in place for covert channels where Trojan code may be introduced. 

PSG can be used again to afford a level of assurance that existing executable code 

cannot be modified, and since the introduction on new executable code is also 

blocked, even a covert route for Trojan introduction will be blocked. 

6. Compliance [12] 

This clause covers compliance with any criminal and civil law, statutory, regulatory or 

contractual. 

6.1. Software copyright [12.1.2.2] 

Maintaining software licenses can be an onerous task unless there are measures in 

place to prevent users from installing software. The task of auditing what is actually 

installed across an organisation’s PCs can be never ending. 

By utilising the PSG module within RDP, an organisation can be certain that users 

are unable to introduce any new software without the permission of the system 

administrator. 

6.2. Compliance with security policy [12.2.1 (d)] 

Ensuring compliance with this standard is for the most part a procedural one, unless 

some form of enforcement can be utilised. 

This document has sought to show how Reflex Disknet Pro software can be used to 

enforce policy. It is not a replacement for that policy and cannot be correctly installed 

and configured without reference to a security policy. However, having both a policy 

and an enforcement element ensures not just compliance but also an uniformed 

approach. 

Summary 

The desire to meet ISO/IEC 17799:2000 is a very worthy one. The challenge is that 

once an organisation achieves this standard, how best to maintain it. The policy that 

you have written will go a long way to helping you but it is the nature of human 


eings that they will require more tangible methods of guidance. Security software 

such as Reflex Disknet Pro, we believe is worthy of consideration for this task. As an 

enforcer it will sit quietly in the background not troubling the user unless they try to do 

something that they should not. At that point, clear and precise messaging can be 

displayed informing the user of the problem and an audit record will be recorded. 

When the area of malicious code is considered, this software acts as an excellent 

backstop for your chosen anti-virus product. With true zero day protection in place 

RDP will keep hostile code off of your network. 

Further information about Reflex Disknet Pro or Reflex Magnetics can be found at 

www.reflex-magnetics.com or by contacting one of the following email addresses 

enquires@reflex-magnetics.com or sales@reflex-magnetics.com.

Using Reflex Disknet Pro to Aid Compliance with BS 7799 & ISO/IEC ...

Create successful ePaper yourself

Delete template?

Save as template?