© CGI Group Inc. NOT PROTECTIVELY MARKED People who know how
DSP Smart Metering Programme ISO/IEC 27001 Certification
William Bowers, DSP Chief Information Security Officer 19th June 2014
Content / Outline
• DSP Partnership – CGI & QinetiQ
• Brief Introduction to ISO 27001 Standard and Certification
• ISO 27001 and the DSP Programme
• Gaining Certification
• Summary
QinetiQ and CGI DSP Partnership
• CGI and QinetiQ partnered for the DSP bid and programme
• QinetiQ are providing for the DSP:
  • Security expertise to develop secure policies and procedures
  • Achieve ISO 27001 certification
  • Security Health Checks
  • Secure Operations Centre (SOC) for security monitoring
• QinetiQ provide CGI with a level of independence and objectivity in terms of the risk assessment, security testing and security monitoring
• Avoids “marking your own homework”
QinetiQ’s Security Credentials
A formidable security partner
• Ex-DERA
• Over 50 years of security heritage
• List X status with 6500 security-cleared staff
• International security experts in understanding threats and how to counter them
• Unrivalled knowledge of security technology – we know what works and where to find it
• Trusted by Governments to respect their special needs and protect their secrets
• Security partners of choice by numerous commercial companies
Introduction to ISO/IEC 27001
• ISO 27001 Information Security Management System is the international best practice standard for information security.
• ISO 27001:2013 is the current version
• Suitable for any organisation, especially where the protection of information is critical
• The key security properties considered throughout the DSP ISMS are:
  • Confidentiality: protecting information from unauthorised parties;
  • Integrity: protecting information from modification by unauthorised users;
  • Availability: making information available to authorised users.
ISO 27001 Summary
The standard includes directions for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the ISMS.
PLAN, DO, CHECK, ACT
ISO 27001 Certification
This is a two-stage process:
• Stage One: checks that the documentation is capable of being audited.
• Stage Two: audit of the effectiveness of the system.
Both stages must be completed to achieve ISO 27001 certification.
Re-audited every six months.
DSP ISMS Structure
• Stage 1 audit – July 2015
• Stage 2 audit – September 2015
ISO 27001 and Service Users
ISO 27001 and the Smart Meter Programme
• Information Security is a key element of the Programme.
• Scope for Smart Meter eco-system
  • DCC, DSP, CSPs.
• ISO 27001 scope
  • Appropriate to business benefit
  • SEC and Codes of Connection
• Security is a business-enabler; integrated into all functions.
• Embed a security culture.
• Compliance to ISO 27001.
Benefits of ISO 27001
• Completing ISO 27001 information security management systems certification will aid organisations in managing and protecting valuable data and information assets. For example:
  • Keeps confidential information secure
  • Provides customers with confidence in how you manage risk
  • Allows for secure exchange of information
  • Ensures you are meeting legal obligations
  • Manages and minimises exposure to risk
  • Brings a culture of security
  • Protects the company, assets, shareholders and directors
  • Provides a competitive advantage
  • Enhanced customer satisfaction
  • Consistency in delivery of service
Summary
• Not all about documentation:
  • Processes
  • Performing health checks, both infrastructure and application
  • Meetings & minutes
  • Recording incidents
  • Continuous improvement.
Thank you