23.isms presentation
TRANSCRIPT
Information Security Management System
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
ISO/IEC 17799:2005
Information: Confidentiality, Integrity, Availability
Information Security Management is a top-down, business driven approach to the management of an organization’s physical and electronic information assets in order to preserve their
• confidentiality,
• integrity and
• availability.
Increased dependence on information assets
Increased demand for information availability
Increased threats to information security
Consequences of a Security Breach
• Destroy image
• Depress the value of the business
• Erode the “bottom line”; and
• Compromise future earnings.
What is an ISMS?
An ISMS is the means by which management monitors and controls security, minimizing the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements.
ISO 17799 & ISO 27001
ISO 17799:2005 Information technology – Security techniques – Code of practice for information security management
ISO 27001:2005 Information technology – Security techniques – Information security management systems – Requirements
Provides a comprehensive framework to guide and focus your efforts in building an Information Security Management System (ISMS)
Provides a framework for a risk based security management system that can be independently certified
ISO 17799
An Internationally recognized Code of Practice for information security management systems (ISMS)
A comprehensive framework to guide and focus your efforts in building an Information Security Management System
A collection of security best practices along with implementation guidance
ISO 27001:2005
An internationally recognized requirements document for information security management systems
A framework for building a risk based security management system that can be independently certified
Diagram: Critical Information Assets at the centre, with Risk Assessment and Risk Treatment, surrounded by the security clauses:
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
11 Clauses
39 Control Objectives
133 Security Controls
An Outline of ISO / IEC 17799/27001 Security Clauses
Legend: Management Aspects, Technical Aspects, Physical Aspects
• Security Policy
• Organization of Information Security
• Asset Management
• Business Continuity Management
• Compliance
• Communications & Operations Management
• Human Resources Security
• Information Security Incident Management
• Information System Acquisition, Development & Maintenance
• Access Control
• Physical & Environmental Security
Diagram layers: Organizational Structure, Management, Operations
The 11 Security Clauses (number of control objectives in each clause in parentheses)
• Security Policy (1)
• Organization of Information Security (2)
• Asset Management (2)
• Human Resources Security (3)
• Physical & Environmental Security (2)
• Communications & Operations Management (10)
• Access Control (7)
• Information System Acquisition, Development & Maintenance (6)
• Information Security Incident Management (2)
• Business Continuity Management (1)
• Compliance (3)
Pre-Certification Preparation Methodology
(1) Define Scope
(2) Perform Gap Analysis
(3) Security Improvement Plan (SIP)
(4) Information Asset Register; Risk Assessment; Risk Treatment Plans; Selection of Controls; Initial SoA
(5) Policies, Procedures, Controls & ISMS Documentation; Final SoA
(6) Certification Readiness; Continuous Improvement; Internal Audit, Management Review
On-Going Security Program Improvement
Steps Towards Certification
Plan: Establish the ISMS
Do: Implement & Operate the ISMS
Check: Monitor & Review the ISMS
Act: Maintain & Improve the ISMS
Apply for Certification
ISMS Implementation Requires Advisory Services, Project Leadership & Staff Augmentation
Plan (4.2.1): Establish the ISMS
• Initial Training
• ISMS Scope
• ISMS Policy
• ISMS Assets
• Gap Analysis / SIP
• Business Impact
• Threats & Vulnerabilities
• Probability of Occurrence
• Calculate / Evaluate Risks
• Prioritize Risks
• Treatment Options
• Select Controls
• Management Approval
• Prepare Initial SoA
Do (4.2.2): Implement & Operate
• Risk Treatment Plans
• Implement Risk Treatment
• Define Effectiveness Metrics
• Document Work Instructions (WIs) & Procedures
• Implement Training & Awareness Program
• Conduct Internal Auditor Training
• Operate the ISMS
• Monitoring & Incident Response
• Update SoA
Check (4.2.3): Monitor & Review
• Execute Monitoring & Review Procedures
• Review ISMS Effectiveness
• Measure the Effectiveness of the Controls
• Review Risk Assessments
• Conduct Internal ISMS Audits
• Regular Management Reviews of the ISMS
• Update SIPs based on Findings
• Record Actions & Events Impacting the ISMS
Act (4.2.4): Maintain & Improve
• Implement Identified Improvements
• Take Corrective & Preventive Actions
• Communicate the Actions & Improvements
• Ensure Improvements Achieve Objectives
Steps Towards Certification
1. Establish Project Team
2. ISMS Scope Definition
3. Identification of Assets
4. Risk Assessment
5. Risk Treatment Plan
6. Documentation Management
7. Training & Awareness
8. Internal Audit / Ongoing Improvement
Establish Project Team (Team Definition)
• Ensure management commitment
• Select and train team members
• Establish Management Committee
• Establish Implementation Committee
• Establish Working Groups
ISMS Scope Definition
• Careful consideration of the processes, applications & locations to be included
• The scope should recognize business objectives, security requirements and the structure of the organization
• The scope must clearly define the boundaries of the ISMS, including justification for exclusions
Identification of Assets
Identify all assets important to the scope, including:
• Physical Assets - IT
• Physical Assets - Non IT
• Information (Hard Copy and Electronic)
• Software
• Services
• Supporting documentation
• Intangible
Risk Assessment
• Valuation of assets - impact to the business in terms of Confidentiality, Integrity & Availability
• Threat & Vulnerability Assessment
• Probability of Occurrence
• Effectiveness and Strength of Current Safeguards
• Residual Risk
• Determination of Risk Tolerance
Risk Treatment Plan
• Risk Management decisions: Terminate, Treat, Transfer or Tolerate
• Selection of controls from ISO 27001:2005 with a direct link back to the risk assessment
• Measurement of the effectiveness of controls
• Manage risk treatment activities and resources
• Management approval of residual risk
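As an added example, not part of the presentation, of how the Risk Assessment and Risk Treatment Plan steps fit together, the Python below scores a small constructed risk register: asset value from C/I/A impact, probability of occurrence, current safeguard effectiveness giving residual risk, a management risk tolerance, a prioritized list, and a treatment decision linked back to an ISO 27001 control area. The scoring formula, the 1..5 scales, the tolerance value and the sample assets are all assumptions.

```python
# Risk register walk-through for the Risk Assessment and Risk Treatment steps.
# Constructed example; the scoring model (impact x probability, reduced by
# safeguard effectiveness) is an assumption, not something ISO 27001 prescribes.
from dataclasses import dataclass
RISK_TOLERANCE = 6.0  # assumed management-approved tolerance on a 1..25 scale

@dataclass
class Asset:
    name: str
    confidentiality: int  # business impact if compromised, 1 (low) .. 5 (high)
    integrity: int
    availability: int

    def value(self) -> int:
        # Asset value is the worst-case impact across C, I and A.
        return max(self.confidentiality, self.integrity, self.availability)

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    probability: int                # probability of occurrence, 1..5
    safeguard_effectiveness: float  # strength of current safeguards, 0.0..1.0
    control_area: str               # ISO 27001 clause supplying the treating controls
    def inherent(self) -> float:
        return float(self.asset.value() * self.probability)
    def residual(self) -> float:
        # Residual risk is the inherent risk not absorbed by existing safeguards.
        return round(self.inherent() * (1.0 - self.safeguard_effectiveness), 1)
    def treatment(self, tolerance: float = RISK_TOLERANCE) -> str:
        # Within tolerance: Tolerate (management approves the residual risk).
        # Above it: Treat with controls linked back to this risk. Transfer or
        # Terminate remain management decisions and are not scored here.
        if self.residual() <= tolerance:
            return "Tolerate"
        return f"Treat ({self.control_area})"

def prioritize(register: list[Risk]) -> list[Risk]:
    # Highest residual risk first, as input to the risk treatment plan.
    return sorted(register, key=lambda r: r.residual(), reverse=True)

# Constructed sample register (two assets, one risk each).
CRM = Asset("Customer database", confidentiality=5, integrity=4, availability=3)
WEB = Asset("Public web server", confidentiality=2, integrity=3, availability=4)
REGISTER = [
    Risk(CRM, "Unauthorised access", "Shared admin accounts", 4, 0.5, "Access Control"),
    Risk(WEB, "Hardware failure", "No spare capacity", 3, 0.8, "Business Continuity Management"),
]
```

The customer database risk exceeds tolerance even with its current safeguards and is queued for treatment, while the web server risk falls within tolerance and is recorded as tolerated with management approval.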
Documentation Management
• Information classification & document and records control procedures
• Internal ISMS audit plan
• Corrective & preventive action procedures
• Procedures and controls supporting the ISMS based on the risk assessment results
• Description of the risk assessment methodology & risk treatment plan
• Development of the Statement of Applicability (SoA), with justification for controls not selected
• Objective evidence of a living & improving ISMS
Training & Awareness
• Roles & responsibilities fully understood
• Staff, contractors and third party users trained
• Competency assessed
• Training program formulation
• Role based training
• Metrics and measurements
Internal Audit / Ongoing Improvement
• Implementation of the Plan Do Check Act model for continuous improvement
• Independent internal evaluation of compliance to security policies and procedures
• Risk based corrective actions
• Defined preventive action requirements
• Feedback into the Risk Management Framework
• Records of continuous improvement
The Certification Audit
Application for Certification with a Certification Body → Stage 1 Audit (Documentation Review) → Stage 2 Audit (System in Action) → Post Certification Process
• Agree on scope and contract terms
• Assessment of process documentation
• On-site completion of audit of staff & process
• Presentation of the audit findings
• Corrective actions if required
• Award of certificate
• Certification is valid for three years
• Annual surveillance audits are required
• An internal audit program is required
• Full re-audit on the third anniversary
Thank You