Challenges and Benefits of Information Security Management

Conferência FIST, May 2006, Lisbon (36 slides)

Uploaded by conferencias-fist, posted 22 Jan 2015

TRANSCRIPT

Slide 1. Conferência FIST, May 2006, Lisbon
Challenges and Benefits of Information Security Management

Slide 2. Sinfic, S.A.

Slide 3. Knowledge based company
- Business and Process Modeling
- Enterprise Customer Relationship Management
- Information Systems Architecture
- Infrastructure and Networking
- Enterprise Resource Planning
- Maintenance Management
- Knowledge Management
- Information Security
- Software System Quality
- Architecture Integration
- Document Management
- Internet Development
- Software Engineering
- Content Management
- Change Management
- Business Intelligence
- Data Warehousing
- Corporate Portals
- Data Quality
- Web Design
- Data Mining
- E-Business

Slide 4. British Standards Institution
Founded in 1901, BSI Group is a leading business services provider to organizations worldwide. The Group provides, in 86 countries: independent certification of management systems and products; product testing services; the development of private, national and international standards (over 500,000!); management systems training and information on standards and international trade.

Slide 5. Competences & Partnership: British Standards Institution
- A 27001 Certified Lead Auditor
- Audit
- Training: essential aspects of BS ISO/IEC 17799 and 27001; implementation of BS ISO/IEC 27001; internal audits of BS ISO/IEC 27001; BS ISO/IEC 27001 Lead Auditor (IRCA)
- Consultancy

Slide 6. Competences & Partnership: British Standards Institution
- BS ISO/IEC 20000 (20000-1 and 20000-2): audit, consultancy and training in IT Service Management
- PAS 56 (BS 25999): consultancy and training in Business Continuity Management
- Six Sigma: consultancy and training to fine-tune products and processes to meet customer requirements

Slide 7. ISMSpt.blogspot.com
81 registered members in 7 countries: Angola, Brazil, Cabo Verde, India, Kenya, Portugal and Spain.

Slide 8. Challenges and Benefits of Information Security Management

Slide 9. ISMS: Information Security Management System
- Management system based on BS ISO/IEC 27001
- Directly related to BS ISO/IEC 17799, the InfoSec best practices

Slide 10. Information and threat map (diagram with BS ISO/IEC 17799 * 27001 at the centre and the business around it)
- Information types: acoustic information (telephone conversations, in public, in meetings, ...); logical information (electronic records); physical information (faxes, contracts, reports, manuals, ...); visual information (video, photos, environment, ...); intellectual information (knowledge)
- Threats: natural disasters (flood, lightning, earthquake, ...); technical failures (communication, lack of energy, equipment break-down, ...); human failure (maintenance errors, user errors, lack of staff, ...); social problems (strikes, terrorist attack, politics, legislation, ...)

Slide 11. 11 Control Objectives
- A5 Security policy
- A6 Organization of information security
- A7 Asset management
- A8 HR
- A9 Physical and environmental security
- A10 Communications and operations management
- A11 Access control
- A12 Information security systems acquisition, development and maintenance
- A13 Incident management
- A14 Business continuity management
- A15 Compliance

Slide 12. Implementation Framework (flowchart with the following stages)
Scope; high-level policies and objectives; asset identification; asset value; risk analysis; assurance level; control identification; policies & procedures design; policies & procedures implementation; ISMS management; BS ISO/IEC 27001 certification.

Slide 13. Risk management based approach
In accordance with ISO/IEC Guide 73:2002 (diagram): Establish the context; Assess risks (identify the risks, analyse the risks, evaluate the risks); Control risks. "Communicate and consult" and "Monitor and review" run alongside every step.

Slide 14. Risk Assessment Process (diagram)
- Risk assessment: asset identification and valuation; identification of vulnerabilities; identification of threats; evaluation of impacts; business risk; rating/ranking of risks
- Risk management: review of existing security controls; identification of new security controls; policy and procedures; implementation; risk reduction; risk acceptance (residual risk)

Slide 15. PDCA

Slide 16. Challenges

Slide 17. Question?
What financial impact would your business suffer if a nearby fire prevented you from accessing your building for 48 hours?

Slide 18. Challenges: cultural constraints
Reaction vs prevention: "I don't care!", "That's got nothing to do with me", "We will see about it.", "It only happens to others!!!" (source: Público, Thursday, 25 May 2006)

Slide 19. Challenges: lack of enforcement
- Legal
- Business sector
- Shareholders
- Customers

Slide 20. Challenges: lack of external auditing
- Insufficient governmental resources
- Slow, unaware and unprepared justice (source: Público, Thursday, 25 May 2006)

Slide 21. Challenges: insufficient country-wide awareness of menaces and risks
- To the business image and reputation
- To the business income and survival
- Lack of big, real, high-impact damage to known institution(s)

Slide 22. www.pse.com.pt
"The fact that foreign states and companies are engaged in obtaining knowledge through illicit methods in our country constitutes a threat to national economic interests."

Slide 23. Challenges
- Low adoption of the risk management approach
- Insufficient knowledge of ISMS benefits, even without a certification route scenario

Slide 24. Challenges: management vs technology approach
- Identification of the right CISO: from IT? From where? Who? Him?
- Internal corporation politics
- Departmental posture and culture

Slide 25. Challenges
- Low ongoing use of best practices: ITIL, SOX, Basel II, ...?
- Disbelief in certification: ISO 9001 hassle
- Low process-based approach maturity
- Lack of business support documentation

Slide 26. 27001 worldwide certification: www.xisec.com

Slide 27. Challenges
Real (!) commitment from the Board, the ISC and the CISO

Slide 28. Benefits!

Slide 29. Benefits: improvement of InfoSec!
- Information classification: critical / non-critical
- CIA scenario
- ROSI

Slide 30. Benefits: Business Continuity Management awareness
- More than technology continuity
- More than a Business Continuity Plan
- PAS 56 / BS 25999, www.thebci.org

Slide 31. Benefits
- On-going compliance with business-related legislation!!!
- Strategic alignment of InfoSec practices with business requirements

Slide 32. Benefits: process improvement
- Wider range of metrics for business management
- Improvement of overall business quality
- Cultural changes / change management
- Responsibility!!!!
- Speed-up opportunity advantage

Slide 33. Benefits
- Early adopters get a high-potential marketing tool
- Followers face a need-to-comply effort

Slide 34. Question?
Is your critical business information protected to survive the next incident?

Slide 35. License
You are free: to copy, distribute, display, and perform this work; to make commercial use of this work. Under the following conditions: Attribution. You must give the original author credit. No Derivative Works. You may not alter, transform, or build upon this work. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-NoDerivs 2.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Slide 36. Challenges and Benefits of Information Security Management
THANK YOU
[email protected]
[email protected]