TRANSCRIPT
Course: Information Security Management in e-Governance
Day 1
Session 3: Models and Frameworks for Information Security Management
Agenda
• Introduction to Enterprise Security framework
• Overview of security models, frameworks & standards
• Salient features of ISO 27001 security standards
Slide 3
What is Information Security
ISO 27001:2005 defines this as:
• Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities (programs), or processes (superseding processes)
• Integrity : the property of safeguarding the accuracy and completeness of assets.
• Availability : the property of being accessible and usable upon demand by an authorized entity.
Slide 4
Who Should be Concerned?
• Users - Standards will affect them the most.
• System Support Personnel - they will be required to implement, adapt and support the standards.
• Executive Management - concerned about protection of data and the associated cost of the policy / standards.
Slide 5
Role of Standards
• Manage Information Security
• Identify assets and appropriately protect them
• Reduce the risks of human error, theft, fraud or misuse of facilities
• Prevent unauthorized access, damage and interference to business
• Ensure the correct and secure operation of information processing facilities
• Control Access to Information
• Ensure security is built into information systems
• Counteract interruptions to business activities
• Avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations
Slide 6
Why Best Practices are Important!
• Today, the effective use of best practices can help avoid re-inventing wheels, optimize the use of scarce IT resources and reduce the occurrence of major IT risks, such as:
– Project failures
– Wasted investments
– Security breaches
– System crashes
– Failures by service providers to understand and meet customer requirements
Slide 7
Why Best Practices are Important!
COBIT, ITIL and ISO 27000 are valuable to the ongoing growth and success of an organization because:
– Companies are demanding better returns from IT investments
– Best practices help meet regulatory requirements for IT controls
– Organizations face increasingly complex IT-related risks
– Organizations can optimize costs by standardizing controls
– Best practices help organizations assess how IT is performing
– Management of IT is critical to the success of enterprise strategy
– They help enable effective governance of IT activities
– A management framework helps staff understand what to do (policy, internal controls and defined practices)
– They can provide efficiency gains, less reliance on experts, fewer errors, increased trust from business partners and respect from regulators
Slide 8
Benefits
• Productivity: Audit/Review Savings
• Breaking Barriers -Business Relationships
• Self-Analysis
• Security Awareness
• Targeting Of Security
• 'Baseline' Security and Policy
• Consistency
• Communication
Slide 9
After adopting Standards
• Moved towards international best practice
• Manage the breadth and depth of information risk
• Build confidence in third parties
• Reduce the likelihood of disruption from major incidents
• Fight the growing threats of cybercrime
• Comply with legal and regulatory requirements
• Maintain business integrity
• Citizens Confidence – Most Important
Slide 10
Approach in Implementing Standards
• Support from Top Management
• Risk management - Accept, Mitigate, Transfer
• Well developed Security Policy
• Effective Implementation of policy
• User awareness is most important
• Prevention is better than cure
• Periodic review / audit
• Understand fundamental system functionality
• Identify security issues due to gaps
Slide 11
Integrated IS Framework
[Figure: Integrated IS framework. Disciplines shown: Service Management, Information Security, Project Management, Application Delivery, Business Continuity, IT Operations. Frameworks and standards shown alongside them: COBIT, ITIL, ISO 20000, ISO 27K, PMI, CMM, BS 25999.]
Slide 12
Some of the Standards - Overview
[Figure: standards positioned around the organization]
• Environment: ISO 14001
• Quality: ISO 9001:2000, QS 9000
• Improvement: ISO 9004
• Customers: BS 8600
• Information Security: ISO 27001, 27002
• Governance: COBIT
• Business Continuity: BS 25999
Slide 14
History of ISO - Timeline
• 1992 The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'.
• 1995 This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS7799.
• 1996 Support and compliance tools begin to emerge, such as COBRA.
• 1999 The first major revision of BS7799 is published. This included many major enhancements. Accreditation and certification schemes are launched. LRQA and BSI are the first certification bodies.
Slide 15
History of ISO – The Timeline
• 2000 In December, BS7799 is again re-published, this time as a fast tracked ISO standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).
• 2001 The 'ISO 17799 Toolkit' is launched.
• 2002 A second part to the standard is published: BS7799-2. This is an Information Security Management Specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO 9000.
• 2005 A new version of ISO 17799 is published. This includes two new sections, and closer alignment with BS7799-2 processes.
• 2005 ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.
Slide 16
Where did 17799 come from?
• BS7799 was conceived, as a technology-neutral, vendor-neutral management system that, properly implemented, would enable an organization's management to assure itself that its information security measures and arrangements were effective.
• From the outset, BS7799 focused on protecting the availability, confidentiality and integrity of organizational information and these remain, today, the driving objectives of the standard.
• BS7799 was originally just a single standard, and had the status of a “Code of Practice”.
• In other words, it provided guidance for organizations, but hadn't been written as a specification that could form the basis of an external third party verification and certification scheme.
Slide 17
Overview – ISO 27000 (base standard)
Published standards:
• ISO/IEC 27001 - the certification standard against which organizations' ISMS may be certified (published in 2005)
• ISO/IEC 27002 - the re-naming of existing standard ISO 17799 (last revised in 2005, and renumbered ISO/IEC 27002:2005 in July 2007)
• ISO/IEC 27006 - a guide to the certification/registration process (published in 2007)
In preparation:
• ISO/IEC 27000 - a standard vocabulary for the ISMS standards
• ISO/IEC 27003 - a new ISMS implementation guide
• ISO/IEC 27004 - a new standard for information security management measurements
• ISO/IEC 27005 - a proposed standard for risk management
• ISO/IEC 27007 - a guideline for auditing information security management systems
• ISO/IEC 27011 - a guideline for telecommunications in information security management systems
• ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry
Slide 18
Well known ISO standards in the 27xxx series
• ISO 27001 - This is the specification for an information security management system & replaces old BS7799-2
• ISO 27002 - This is the new standard number of the existing ISO 17799 standard
• ISO 27004 - Designated number for a new standard covering information security management measurement & metrics
• ISO 27005 - Emerging standard for information security risk management
Slide 20
Implementation context for PDCA
ISO 27001 Information Security Management System (ISMS) adopts the PDCA model
• Plan (Design Phase)
Establish the objectives and processes necessary to deliver results in accordance with the specifications.
• Do (Implementation Phase)
Implement the processes.
• Check AKA Study (Assessment Phase)
Monitor and evaluate the processes and results against objectives and specifications and report the outcome.
• Act (Manage, Authorize Phase)
Apply actions to the outcome for necessary improvement. This means reviewing all steps (Plan, Do, Check, Act) and modifying the process to improve it before its next implementation.
Slide 21
[Figure: PDCA process applied to the ISMS. Input: interested parties' information security requirements & expectations. PLAN: Establish ISMS. DO: Implement & Operate the ISMS. CHECK: Monitor & Review ISMS. ACT: Maintain & Improve. Management Responsibility spans the whole ISMS process. Output: managed information security for interested parties.]
BS ISO/IEC 27002:2005 (aka – ISO 27002)
The international Standard that establishes the guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
The full title of this standard is: “Information technology. Security techniques. Code of practice for information security management”
ISO 27002 is technology independent, focusing on:
• Management aspects of information security,
• Defining controls in a generic sense so that they are applicable across different applications, platforms, and technologies.
Slide 22
ISO/IEC 27002 is:
• A code of practice - a generic, advisory document, not truly a standard or formal specification
• A reasonably well structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects
ISO 27002 specifies 39 control objectives:
• To protect information assets against threats to their confidentiality, integrity and availability
• Which comprise a generic functional requirements specification for an organization’s information security management controls architecture
• And suggests literally hundreds of best-practice information security control measures
Structure and Format of ISO 27002
Slide 23
The formal standard is arranged in the following sections:
0. Introduction
1. Scope
2. Terms and definitions
3. Structure of this standard
4. Risk assessment
The actual control domains and detail controls begin with Section 5.
Section 5: Security policy
Management should:
• Define a policy to clarify their direction of, and support for, information security,
• Provide a high-level information security policy statement identifying key information security directives and mandates for the entire organization
• Support the policy by a comprehensive suite of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security standards, procedures and guidelines
Structure and Format of ISO 27002
Section 6: Organization of information security
A suitable information security governance structure should be designed and implemented.
6.1 Internal organization
• The organization should have a management framework for information security.
• Senior management should approve information security policies.
• Roles and responsibilities should be defined
• Information security should be independently reviewed.
6.2 External parties
Information security should not be compromised by the introduction of third party products or services. Risks should be assessed and mitigated when dealing with customers and in third party agreements.
Structure and Format of ISO 27002
Slide 25
Section 7: Asset management
The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.
7.1 Responsibility for assets
All [information] assets should be accounted for and have a nominated owner. The inventory should record ownership and location of the assets, and owners should identify acceptable uses.
An inventory of information assets should be maintained, including:
• IT hardware,
• software
• data
• system documentation
• storage media
• computer room air conditioners and UPSs, and ICT services
7.2 Information classification
Information should be classified according to its need for security protection and labeled accordingly.
Structure and Format of ISO 27002
Slide 26
Section 8: Human resources security
The organization should manage system access rights etc. for ‘joiners, movers and leavers’, and should undertake suitable security awareness, training and educational activities.
8.1 Prior to employment
Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff.
8.2 During employment
Management responsibilities regarding information security should be defined. Employees and third party IT users should be educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches.
8.3 Termination or change of employment
Security aspects of a person’s exit from the organization (e.g. the return of corporate assets and removal of access rights) or change of responsibilities
Structure and Format of ISO 27002
Slide 27
Section 9: Physical and environmental security
Valuable IT equipment should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc.
9.1 Secure areas
This section describes the need for concentric layers of physical controls to protect sensitive IT facilities from unauthorized access.
9.2 Equipment security
Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft etc., both on- and off-site. Power supplies and cabling should be secured. IT equipment should be maintained properly and disposed of securely.
Structure and Format of ISO 27002
Slide 28
Section 10: Communications and operations management
This lengthy, detailed section of the standard describes security controls for systems and network management.
10.1 Operational procedures and responsibilities
10.2 Third party service delivery management
10.3 System planning and acceptance
10.4 Protection against malicious and mobile code
10.5 Back-up
10.6 Network security management
10.7 Media handling
10.8 Exchange of information
10.9 Electronic commerce services
10.10 Monitoring
Structure and Format of ISO 27002
Slide 29
Section 11: Access control
Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use. This is another lengthy and detailed section.
11.1 Business requirement for access control
11.2 User access management
11.3 User responsibilities
11.4 Network access control
11.5 Operating system access control
11.6 Application and information access control
11.7 Mobile computing and teleworking
Structure and Format of ISO 27002
Slide 30
Section 12: Information systems acquisition, development and maintenance
Information security must be taken into account in the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.
12.1 Security requirements of information systems
12.2 Correct processing in application systems
12.3 Cryptographic controls
12.4 Security of system files
12.5 Security in development and support processes
12.6 Technical vulnerability management
Structure and Format of ISO 27002
Slide 31
Section 13: Information security incident management
Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.
13.1 Reporting information security events and weaknesses
An incident reporting/alarm procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities.
13.2 Management of information security incidents and improvements
Responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence.
Structure and Format of ISO 27002
Slide 32
Section 14: Business continuity management
This section describes the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.
Section 15: Compliance
15.1 Compliance with legal requirements
15.2 Compliance with security policies and standards, and technical compliance
15.3 Information systems audit considerations
Structure and Format of ISO 27002
Slide 33
Slide 34
[Figure: Implementation process cycle, laid over the PDCA phases PLAN (Establish ISMS), DO (Implement & Operate the ISMS), CHECK (Monitor & Review ISMS) and ACT (Maintain & Improve). Activities shown: IS policy; security organisation; asset identification & classification; control selection & implementation; operationalize the processes; check processes; management review; corrective & preventive actions.]
What is Information Technology Infrastructure Library (ITIL ®)?
Background
• Describes best practice in IT service management (ITSM) drawn from public and private sector IT organizations
− The primary objective of Service Management is to ensure that the IT services are aligned to the business needs and actively support them.
• Benefits include:
− Increased user and customer satisfaction with IT services
− Improved service availability, directly leading to increased benefits, profits and revenue
− Financial savings from reduced rework, lost time, improved resource management and usage
− Improved time to market for new products and services
− Improved decision making and optimized risks
ITIL® is a Registered Trade Mark, and Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.
Slide 36
Slide 37
What is ITIL® V3?
• ITIL® is about more than ‘just’ infrastructure
• “Business of IT” oriented approach
• Promoting service based approach to managing IT
• Includes discussion topics about strategic options, functions, roles and responsibilities as well as continual improvement
• Makes reference to other frameworks (e.g. COBIT, ISO 27001) and talks about better alignment to those
• Helps to provide a standardized process context
• Highlights the importance of process
• Identifies the core activities and metrics for its processes
• Requests measurement programs (baselining, benchmarking) to ensure performance (e.g. TCO, ROI, Costing/Pricing)
• Revised certification program for Professionals – more structured and focused by processes
Slide 38
Version 3 Overview
Continual Service Improvement:
• Seven Step Improvement Process
Service strategy:
• Service Portfolio Mgmt
• Financial Mgmt
• Demand Mgmt
Service operation:
• Event Mgmt
• Incident Mgmt
• Request Fulfilment
• Access Mgmt
• Problem Mgmt
Functions:
• Service Desk
• Technical Mgmt
• IT Operations Mgmt
• Applications Mgmt
Supporting material:
• Service, organizational, process and technology maps
Service transition:
• Change Mgmt
• Service Asset & Configuration Mgmt
• Knowledge Mgmt
• Transition Planning and Support
• Release & Deployment Mgmt
• Service Validation & Testing
• Evaluation
Service design:
• Service Catalogue Mgmt
• Service Level Mgmt
• Supplier Mgmt
• Capacity Mgmt
• Availability Mgmt
• IT Service Continuity Mgmt
• Information Security Mgmt
Slide 40
Service Design
Goals & Objectives
Goal: The design of appropriate and innovative IT services, including their architectures, processes, policies, and documentation, to meet current and future agreed business requirements.
Objectives:
− Design services to meet agreed business outcomes
− Design processes to support the service lifecycle
− Identify and manage risks
− Design secure and resilient IT infrastructures, environments, applications and data/information resources and capability
− Design measurement methods and metrics
Slide 41
Service Design
Goals & Objectives (contd.)
Objectives (contd.):
− Produce and maintain plans, processes, policies, standards, architectures, frameworks and documents to support the design of quality IT solutions
− Develop skills and capability within IT
− Contribute to the overall improvement in IT service quality
Slide 42
Service Design
Processes covered in Service Design
• Service Catalogue Management: The purpose of SCM is to provide a single, consistent source of information on all of the agreed services, and ensure that it is widely available to those who are approved to access the service catalogue
• Service Level Management: SLM negotiates, agrees and documents appropriate IT service targets with the business, and then monitors and produces reports on delivery against the agreed level of service
• Capacity Management: The purpose of Capacity Management is to provide a point of focus and management for all capacity and performance-related issues, relating to both services and resources, and to match the capacity of IT to the agreed business demands
• IT Service Continuity Management: The purpose of ITSCM is to maintain the appropriate on-going recovery capability within IT services to match the agreed needs, requirements and timescales of the business
Slide 43
Service Design
Processes covered in Service Design (cont'd)
• Availability Management: The purpose of Availability Management is to provide a point of focus and management for all availability-related issues, relating to services, components and resources, ensuring that availability targets in all areas are measured and achieved, and that they match or exceed the current and future agreed needs of the business in a cost-effective manner
• Information Security Management: The purpose of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities
• Supplier Management: The purpose of the Supplier Management process is to obtain value for money from suppliers and to ensure that suppliers perform to the targets contained within their contracts and agreements, while conforming to all of the terms and conditions
Slide 44
Service Design
IT Service Continuity Management (ITSCM)
ITSCM is concerned with managing an organisation’s ability to continue to provide a pre-determined and agreed level of IT Services to support the minimum business requirements following an interruption to the business.
Goal: The goal of the ITSCM is to support the overall Business Continuity Management process by ensuring that the required IT technical and service facilities (including computer systems, networks, applications, data repositories, telecommunications, technical support, and Service Desk) can be resumed within required, and agreed, business timescales.
Slide 45
Service Design
IT Service Continuity Management – Objectives
• To maintain a set of IT service Continuity Plans and IT recovery plans that support the overall Business Continuity Plans (BCPs) of the organization
• To complete regular Business Impact Analysis (BIA) exercises to ensure that all continuity plans are maintained in line with changing business impacts and requirements
• To conduct regular risk assessment and management exercises in conjunction particularly with the business and the Availability Management and Security Management processes, that manages IT services within an agreed level of business risk
Slide 46
Service Design
IT Service Continuity Management – Objectives (cont'd)
• To ensure that appropriate continuity and recovery mechanisms are put in place to meet or exceed the agreed business continuity targets
• To assess the impact of all changes on the IT service Continuity Plans and IT recovery plans
• To ensure that proactive measures to improve the availability of services are implemented wherever it is cost justifiable to do so
• To negotiate and agree the necessary contracts with suppliers for the provision of the necessary recovery capability to support all continuity plans in conjunction with the Supplier Management process
Slide 47
Service Design
IT Service Continuity Management
Lifecycle of Service Continuity Management
[Figure: ITSCM lifecycle with key activities per stage. Initiation: policy setting; scope; initiate a project. Requirements and strategy: Business Impact Analysis; Risk Assessment; IT Service Continuity Strategy. Implementation: develop IT Service continuity plans; develop IT plans, recovery plans and procedures; organization planning; testing strategy. On-going operation: education, awareness and training; review and audit; testing; change management. Invocation. Business Continuity Management (BCM) provides the Business Continuity Strategy and Business Continuity plans that the ITSCM stages support.]
Slide 48
Service Design
IT Service Continuity Management – KPIs
• Positive results from audits performed over the ITSCM plans to ensure that, at all times, the agreed recovery requirements of the business can be achieved
• Successful results from recovery testing
• Reduction in the risk and impact of possible failure of IT services
• Increased awareness of business impact, needs and requirements throughout IT
• Increased preparedness of all IT service areas and staff to respond to an invocation of the ITSCM plans
Slide 49
IT Service Continuity Management – KPIs (cont'd)
• Response time to restore business operations after a disaster occurs based on the type of recovery option chosen (i.e. manual, immediate, fast, intermediate, or gradual)
• Cost of service continuity management vs. cost incurred by the business in the event of an IT service loss. This could include both tangible (i.e. financial) and intangible (i.e. reputation) costs
Slide 50
COBIT – Control Objectives for Information & related Technology
• Accepted globally as a set of tools that ensures IT is working effectively
• Provides common language to communicate goals, objectives and expected results to all stakeholders
• Based on, and integrates, industry standards and good practices in:
– Strategic alignment of IT with business goals
– Value delivery of services and new projects
– Risk management
– Resource management
– Performance measurement
Slide 51
COBIT – Control Objectives for Information & related Technology
COBIT® provides guidance for executive management to govern IT within the enterprise
• More effective tools for IT to support business goals
• More transparent and predictable full life-cycle IT costs
• More timely and reliable information from IT
• Higher quality IT services and more successful projects
• More effective management of IT-related risks
Slide 54
COBIT®
Defines Processes, Goals and Metrics
Relationship Amongst Process, Goals and Metrics (DS5)
Slide 55
COBIT®
Products and Their Primary Audience
• COBIT, Risk IT and Val IT frameworks
• Implementing and Continually Improving IT Governance
• COBIT User Guide for Service Managers
• COBIT and Application Controls