iso27001,sas70,sox,revenue assurance

Upload: vijay-singh

Post on 18-Nov-2014

TRANSCRIPT

Page 1: ISO27001,sas70,sox,revenue assurance

Page 2

ISO 27001 & ISMS

Vijay Singh :: Balaji Institute of Telecom & Management, Pune (2008-10)

Page 3

Information Security

Information Security Definition:

• “preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved” – Source: ISO/IEC 27001:2005

Page 4

Introduction - ISO 27001 & ISMS

• ISO 27001 has been prepared to provide a model for:

– Establishing
– Implementing
– Operating
– Monitoring
– Reviewing
– Maintaining
– and improving

an Information Security Management System (ISMS)

Source: ISO/IEC 27001:2005

Page 5

What is an ISMS?

• Information Security Management System – a strategic decision of an organization
• Design and implementation are influenced by:

– Needs and objectives
– Security requirements
– Processes employed
– Size and structure of the organization

• Scaled with ‘needs’ – a simple situation requires a simple ISMS solution

Source: ISO/IEC 27001:2005

Page 6

International Organization for Standardization (ISO)

• Credible: established in 1947; has published over 16,077 international standards; ISO meetings attract some 30,000 experts a year

• Decentralized: a federation comprised of 156 national standards bodies; national member bodies manage the development work

• Consensus-based: ISO standards are consensus based

Source: ISO/IEC 27001:2005

Page 7

History of ISO 27001

• Originally the standard was developed as BS 7799 in 1995 and included only the controls.

• A second part, formalising the process for creating an ISMS, was added and known as BS 7799 (Part 2).

• The first part was then adopted as an ISO standard, becoming ISO 17799. Part 2 was then adopted as ISO standard 27001 in 2005.

Source: ISO/IEC 27001:2005

Page 8

Decision To Adopt an ISMS: a Strategic Decision

• Adoption of an ISMS should be a strategic decision

• Design and implementation is influenced by the organization’s needs and objectives, security requirements, the processes employed and the size and structure of the organization

• Scale the system in accordance with your needs, which may well change (simple situation=simple ISMS solution; complex situation=complex ISMS solution)

Source: ISO/IEC 27001:2005

Page 9

Process Approach

• ISO 27001 has adopted a Process Approach, which means an organization needs to identify and manage many activities in order to function effectively.

• Any activity using resources and managed in order to enable the transformation of Inputs into Outputs can be considered to be a Process.

• Inputs >>>>>>> Process >>>>>>> Outputs

• Often, outputs from one process provide inputs into the next.

Source: ISO/IEC 27001:2005

Page 10

Process approach for ISMS encourages users to emphasize the importance of:

a) Understanding an organization’s information security requirements and the need to establish POLICY and OBJECTIVES for information security

b) Implementing and operating CONTROLS to manage an organization’s information security risks in the context of the organization’s overall business risks

c) Monitoring and reviewing the performance and effectiveness of the ISMS, and

d) CONTINUAL IMPROVEMENT based on objective measurement

Source: ISO/IEC 27001:2005

Page 11

PDCA

• Plan, Do, Check, Act is to be applied to structure all ISMS processes

• The ISMS takes the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations.

Page 12

Model of an ISMS

Page 13

Growing Acceptance

Source: http://www.xisec.com/

Page 14

Additional benefits of implementing an ISO 27001 system

• Provides the means for information security corporate governance and legal compliance

• Provides a market differentiator

• Focuses staff responsibilities and creates security awareness

• Enforcement of policies and procedures

Source: ISO/IEC 27001:2005

Page 16

Introduction-SAS 70

• SAS 70 is an acronym for Statement on Auditing Standard 70.

• SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA) in 1988.

• It defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization.

Page 17

Continued ….

• SAS 70 reports are commissioned at the request of either a service organization (the company) or the user organization (customers).

• At the end of the audit, the service auditor issues an important report called the "Service Auditor's Report".

Page 18

Types of SAS 70 Reports

Type 1

• Reports on controls placed in operation (as of a point in time)

• Looks at the design of controls, not operating effectiveness

• Considered for information purposes only

• Not considered a significant use for purposes of reliance by user auditors/organizations

• Most often performed only in the first year a client has a SAS 70

Type 2

• Reports on controls placed in operation and tests of operating effectiveness (for a period of time, generally not less than 6 months)

• Differentiating factor: includes tests of operating effectiveness

• More comprehensive

• Requires more internal and external effort

• Identifies instances of non-compliance

• More emphasis on evidential matter

Page 19

Advantages of SAS 70

Page 20

Users of the SAS 70

Page 21

Areas of Focus

• Operations

– Account Set-up and Administration
– Security Set-up
– Trade and FX Processing
– Pricing
– Dividend Processing
– Corporate Actions
– Confirmation/Affirmation/Settlement
– Custody Reconciliation
– Client Report
– Investment Income
– Portfolio Compliance
– Personal Trading

• Technology

– Information Systems Operations
– Security (Physical & Logical)
– Application Systems Implementation & Maintenance
– Computer Operations

Page 22

SOX: Sarbanes-Oxley Act

• The Sarbanes-Oxley Act of 2002 is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise

• The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements.

• Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.

Page 23

RISK THREAT & VULNERABILITY

Page 24

Risk, Threats and Vulnerability

Risk = Threat × Vulnerability

• Being “at risk” is being exposed to threats.

• Risks are subjective -- the potential to incur consequences of harm or loss of target assets. A Risk Factor is the likelihood of resources being attacked.

• Threats are dangerous actions that can cause harm. The degree of threat depends on the attacker's Skills, Knowledge, Resources, Authority, and Motives.

• Vulnerabilities are weaknesses in victims that allow a threat to become effective.

Page 25

Continued……..

• Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Page 26

Is an enterprise’s Internet connection that deploys VPNs not vulnerable to threats?

• To secure the connection to the Internet and protect internal networks, enterprises deploy a variety of security devices, including firewalls, Virtual Private Networks (VPNs), Intrusion Detection/Prevention (IDP), anti-virus, and content monitoring.

• However, none of these Internet-related security technologies protect the internal IP network from attacks against the traditional voice network connections created by unauthorized or non-secure modems and poorly configured voice systems.

Page 27

Unauthorized and unsecured modems: an easy target for attackers!

• When an attacker accesses an unauthorized or non-secure modem, the IP network-based security products cannot see or detect the intrusion

• Typically, no record of the attacker’s access is logged—except perhaps a long call recorded on the PBX—and even this record exists only if the accessed modem line routes through the PBX. Logs on the attacked system may record the access—but they are easily deleted by the attacker
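The slide above notes that the only trace of a modem intrusion may be a long call recorded on the PBX. As an added example that is not part of the original deck, the following Python reviews constructed PBX call-detail records and flags long calls on extensions that are not in the authorized modem inventory; the CSV layout, the extension list and the thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample PBX CDR lines (not real data); the layout is an assumption
SAMPLE_CDR = """\
timestamp,extension,direction,remote_number,duration_seconds
2014-11-17T09:02:11,2101,outbound,+912012345678,180
2014-11-17T09:30:05,2233,inbound,+918001234567,5400
2014-11-17T22:15:00,2417,inbound,+912011112222,7300
2014-11-18T02:00:12,2417,inbound,+912011112222,6600
2014-11-17T11:45:33,2300,inbound,+918005550100,4000
"""
# Extensions sanctioned to carry modem/RAS traffic (constructed inventory)
AUTHORIZED_MODEM_EXTENSIONS = {"2300"}

def parse_cdr(text):
    """Parse CSV CDR text into dicts with an integer duration."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["duration_seconds"] = int(row["duration_seconds"])
        rows.append(row)
    return rows

def find_suspect_modem_calls(records, min_duration=3600, off_hours=(20, 7)):
    """Flag calls of at least min_duration seconds on extensions outside the modem
    inventory, with reasons (long call, off-hours, inbound) to help prioritize."""
    start, end = off_hours
    findings = []
    for r in records:
        if r["duration_seconds"] < min_duration:
            continue
        if r["extension"] in AUTHORIZED_MODEM_EXTENSIONS:
            continue
        hour = int(r["timestamp"][11:13])  # hour field of the ISO timestamp
        reasons = ["long_call"]
        if hour >= start or hour < end:
            reasons.append("off_hours")
        if r["direction"] == "inbound":
            reasons.append("inbound")
        findings.append({"extension": r["extension"], "timestamp": r["timestamp"],
                         "duration_seconds": r["duration_seconds"], "reasons": reasons})
    return findings

def repeat_offenders(findings, min_count=2):
    """Extensions flagged at least min_count times: a recurring pattern is
    stronger evidence of a standing modem than a single long call."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["extension"]] += 1
    return sorted(ext for ext, n in counts.items() if n >= min_count)
```

Flagged extensions are leads for a physical check of the line, not proof of a modem; the authorized inventory is what makes the review meaningful.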

Page 28

Unauthorized Remote Access

• In order to provide their remote users with access to the internal network, most enterprises invest in Internet-based VPNs and managed Remote Access Servers (RAS).

• Unfortunately, users often set up their own personal remote access

Page 29

Backdoor remote access in the enterprise LAN

Page 30

Unauthorized ISP Access

• Employee use of unauthorized modems for Internet access is a more common and serious problem

• To reach the Internet from work, these users simply install a modem on their work computer and dial a local or 1-800 ISP

• Employee abuse of Internet access privileges is quantified in the 2004 CSI/FBI Computer Crime and Security Survey. Of the almost 500 respondents (primarily financial institutions, large corporations and government agencies), 59% detected employee abuse of Internet access privileges, for an estimated loss of $10,601,055!

Page 31

Page 32

VoIP Vulnerabilities and Threats

• VoIP is vulnerable to traditional IP attacks—worms, viruses, and DoS—and is only as secure as the weakest link on the network

• Securing VoIP is also more complex and arduous because it involves more components and software than a traditional circuit-switched voice network

Page 33

Security Gap Left by a Traditional Data Firewall

Page 34

REVENUE ASSURANCE: A Competitive Edge

Page 35

Introduction to Revenue Assurance

• In this world of hybrid telecommunications companies, even a simple phone call involves several kinds of carriers.

• These multi-level handoffs mean that carriers have to mediate and dispute ever more complicated combinations of revenue, billing and tariff data.

• More often than not, telcos stand helplessly as millions of dollars of their revenues go uncounted.

Source: Tata Consultancy Services

Page 36

Continued……..

• Every telco considers 5% revenue leakage as normal.

• Revenue assurance is one of the simplest and easiest ways to stop revenue leakage.

Page 37

What is revenue assurance?

• It is about billing all transactions for all events without losing revenue to fraud.

• Its scope extends to include the collection of bad debts and outstanding revenues.

Page 38

Why is RA required?

1. Safeguard against loss of revenue: collecting the revenues due to a company is one of the easiest ways for a company to grow. It has been found that telecom companies regularly miss out on billing 5% of their revenues.

2. Reducing customer churn: RA strategies help in monitoring the causes of customer dissatisfaction and controlling them methodically and quite effectively.

Page 39

Continued………

4. Maintaining a billing accuracy standard: both under-billing and over-billing are a cause of worry for the company. While under-billing results in loss of revenue, over-billing results in loss of reputation.

Page 40

Causes of Revenue Leakage

1. Lack of co-ordination among different units in the same organisation.

2. Complexity in the product/service definition.

3. Mismatch between service (de-)activation on the network and billing (de-)activation.

4. Improper functioning of switch components.

Page 41

Continued…………..

5. Inaccuracy of switch/network transactions.

6. Rating complexity.

7. Bill production and bill delivery.

8. Business process weakness.

9. Data centre process weaknesses.
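As an added example that is not part of the original deck, the following Python reconciles constructed network provisioning records against billing records to surface two of the leakage causes listed above: cause 3 (activation mismatch between network and billing) and cause 5 (switch usage that does not match what was billed). The record layouts, status values and the 2% tolerance are assumptions.

```python
# Constructed sample data: what the network says is provisioned
NETWORK_SERVICES = [
    {"subscriber": "S001", "service": "VOICE", "status": "active"},
    {"subscriber": "S002", "service": "VOICE", "status": "active"},
    {"subscriber": "S003", "service": "DATA", "status": "active"},
    {"subscriber": "S004", "service": "VOICE", "status": "deactivated"},
]
# Constructed sample data: what the billing system thinks it is charging
BILLING_SERVICES = [
    {"subscriber": "S001", "service": "VOICE", "status": "active"},
    {"subscriber": "S003", "service": "DATA", "status": "suspended"},
    {"subscriber": "S004", "service": "VOICE", "status": "active"},
]
# Constructed usage totals in minutes: switch CDRs versus rated/billed usage
SWITCH_MINUTES = {"S001": 412, "S002": 90, "S003": 0}
BILLED_MINUTES = {"S001": 380, "S002": 0, "S003": 0}

def reconcile_activation(network, billing):
    """Cause 3: return under-billed pairs (active on network, not active in
    billing) and over-billed pairs (active in billing, not active on network)."""
    net = {(r["subscriber"], r["service"]): r["status"] for r in network}
    bill = {(r["subscriber"], r["service"]): r["status"] for r in billing}
    under = sorted(k for k, s in net.items() if s == "active" and bill.get(k) != "active")
    over = sorted(k for k, s in bill.items() if s == "active" and net.get(k) != "active")
    return {"under_billed": under, "over_billed": over}

def reconcile_usage(switch, billed, tolerance=0.02):
    """Cause 5: map subscriber -> (billed - switch) minutes wherever the gap
    exceeds `tolerance` as a fraction of switch minutes. Negative values are
    revenue leakage, positive values are over-billing; zero switch usage with
    non-zero billing is always flagged."""
    flagged = {}
    for sub in sorted(set(switch) | set(billed)):
        s, b = switch.get(sub, 0), billed.get(sub, 0)
        if s == 0:
            if b != 0:
                flagged[sub] = b - s
            continue
        if abs(s - b) / s > tolerance:
            flagged[sub] = b - s
    return flagged
```

Both checks are only as good as the time window they compare, so run them over the same billing cycle on both sides; a subscriber activated on the last day of the cycle will otherwise show as a false mismatch.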

Page 42

Key factors to be considered

1. Collective responsibility for RA: the root cause of revenue leakage being the lack of co-ordination, it is important to have a separate team with clear responsibility towards RA.

2. There should be a framework document for the RA activities.

3. The RA team should also consider the external events related to reliability factors such as system failures.

4. Tracking and reporting as specified in the framework document should be strictly implemented.

Page 43

STATE OF THE ART IN RA: how to tackle the problems

Page 44

ANY QUESTIONS ?