ISMS - Information Security Management Systems
contact: Thomas [email protected]
Baltic Summer School 2013
VILNIUS
07/13
Information Security
How to establish and ensure Information Security in practice
(Figure: Availability, Integrity, Confidentiality, Privacy)
Incident
Information Security Management:
It is not sufficient to try to protect information domains against security incidents;
the art is to manage security incidents.
(according to Bruce Schneier)
Information Security
What is an Information Security Management System?
(Figure: Availability, Integrity, Confidentiality, Privacy)
Quality Management:
“A set of co-ordinated activities to direct and control an organization in order to continually improve the effectiveness and efficiency of its performance.”
from Department of Trade and Industry, UK, QMS
Quality Management:
• set direction and meet customers' expectations
• improve process control
• reduce wastage
• lower costs
• increase market share
• facilitate training
• involve staff
• raise morale
from Department of Trade and Industry, UK, QMS
Quality Management:
from Department of Trade and Industry, UK, TQM
Quality Management:
from Department of Trade and Industry, UK, QMS
Quality Management:
The PDCA cycle is a checklist of the four stages, starting at "problem faced" and going to "problem solved".
Quality Management:
Why shall we manage Information Security?
• personal data of students --> call from health insurance
• at times no meetings of German high-tech firms in the USA
• open WLAN --> court decision: secure your access point
• web archives --> how long will your personal data be stored, and who stores the data?
• Email --> a postcard in the Internet: who is reading your mail?
• your personal data stored at public administration: Gordon Brown says government cannot ensure data safety (Times Online, November 2, 2008)
• mobile data storage --> USB stick (forgotten, lost, stolen)
• .......
Why shall we manage Information Security?
• increase Information Security
• raise awareness among all employees
• establish Information Security as a company process (QMS)
• measurability
• checkability
• traceability
• detectability
• adoptability
• .......
Why shall we manage Information Security?
How do you ensure Information Security for your personal data using your information technology?
• at home
• at work
  - student co-worker
  - student project
  - community (sports club etc.)
• mobile access (in a pub, cafe etc.)
• during travel
and how do you handle your USB stick?
Information Security, Definition and Basics
Targets for protection:
• confidentiality
• integrity
• availability
• privacy
• authenticity
• non-repudiation
• anonymity
and how does this affect your USB stick?
Information Security, Definition and Basics
What is a security incident?
A security incident exists if a threat fits a matching weakness.
and how does this affect your USB stick?
Information Security, Definition and Basics
Force majeure: fire, water, lightning, sickness, ...
Organizational deficiencies: missing or unclear rules, missing concepts, ...
Human failure: "The biggest security problem is sitting in front of the keyboard"
Technical failure: system crash, hard disk crash, ...
Malicious actions: hacker, virus, Trojan, ...
Information Security, Definition and Basics
Who is responsible for information security in an organization:
• higher management
• middle management
• human resources department
• legal office
• IT-department
• external staff
• .....
Information Security, Definition and Basics
How is the Information Security Process organized?
• Bottom Up
• Top Down
• democracy --> election every two months
• self organized responsibility of each employee
• external control
• .....
--> Standards!!
Why is it so exhausting to implement Information Security?
(Figure: the triangle of Convenience, Security and Costs)
Often: secure, convenient, cheap; take two of them!
Information Security - Costs?
(Figure: Information Security Costs; x-axis: security level, y-axis: costs; curves: security costs, damage, total costs)
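A small model of the three curves on this slide, added here as an illustration and not part of the lecture: control cost is assumed to grow quadratically with the security level and expected damage to fall exponentially, so the "total costs" curve has a minimum at a finite level. The functional forms, the class and function names, and all numbers are constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class CostModel:
    """Constructed model of the slide's curves over the security level.
    Assumed forms (illustration only): quadratic control cost, exponential decay
    of expected damage. Real figures would come from a risk analysis."""
    cost_per_level: float   # cost coefficient of the controls (assumed)
    max_damage: float       # expected loss per period with no controls (assumed)
    damage_decay: float     # how quickly expected damage falls per level (assumed)

    def security_cost(self, level: float) -> float:
        """Money spent on controls; rises with the security level."""
        return self.cost_per_level * level ** 2

    def expected_damage(self, level: float) -> float:
        """Expected loss from incidents; falls as the level rises."""
        return self.max_damage * math.exp(-self.damage_decay * level)

    def total_cost(self, level: float) -> float:
        """The 'total costs' curve of the slide: controls plus expected damage."""
        return self.security_cost(level) + self.expected_damage(level)


def optimal_level(model: CostModel, max_level: float = 10.0,
                  step: float = 0.01) -> Tuple[float, float]:
    """Scan the level axis and return (level, total cost) at the minimum.
    This is the slide's point: beyond some level, extra controls cost more
    than the damage they still avoid, so total cost rises again."""
    best_level, best_cost = 0.0, model.total_cost(0.0)
    for i in range(1, int(max_level / step) + 1):
        level = i * step
        cost = model.total_cost(level)
        if cost < best_cost:
            best_level, best_cost = level, cost
    return round(best_level, 2), round(best_cost, 2)


if __name__ == "__main__":
    # Constructed sample numbers: 100 units of expected damage without controls.
    model = CostModel(cost_per_level=1.0, max_damage=100.0, damage_decay=0.5)
    level, cost = optimal_level(model)
    print(f"cheapest overall at level {level}: total cost {cost} "
          f"(controls {model.security_cost(level):.2f}, "
          f"expected damage {model.expected_damage(level):.2f})")
```

With the sample numbers the minimum lies near level 3.8 at a total of roughly 29.4, far below the 100 units of damage expected with no controls and below the total at the highest level, where control cost dominates.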
Information Security, Definition and Basics
Can we solve Information Security by pure technical measures?
• Firewall
• complex access control measures
• secure/complex passwords (...?...)
• auditing, IDS/IPS
• restricted network service access
• .....
and how does this affect your USB stick?
Information Security – Management System
"All activities of overall management that define the quality policy, the targets and the responsibilities within a quality management system, as well as instruments such as quality planning, quality control, quality assurance and quality improvement, fall into the area of responsibility of quality management."
(according to DIN EN ISO 8402)
Here: Information Security Management comprises all organized measures serving the security of information and of the processes in which information is transferred or processed. This includes in particular the organizational structures and the behaviour patterns of the persons involved.
Information Security Management System (ISMS)
Components of an Information Security Strategy according to BSI-Standard 100-1
Information Security Management System (ISMS)
Security Strategy according to BSI-Standard 100-1
Information Security Management System (ISMS)
Implementation of the Information Security Strategy according to BSI-Standard 100-1
Information Security Management System
Three (four) main components:
• Security Policy (goals and strategies – management level)
• Security Concept
• Security Organization
plus:
• Security Audit
Information Security Management System (ISMS)
Example of an Information Security Policy structure (acc. to Cisco Systems)
Information Security Management System
Life cycle Model:
• planning and concepts
• provisioning/procurement (if applicable)
• realization
• service/operation (maintenance and control)
• segregation/disposal (if applicable)
• emergency prevention (emergency handbook, business continuity)
Information Security Management System
Management Principles:
Information Security Management is the task of planning and controlling that is necessary for the implementation, the practical realization and the assurance of the effectiveness of the security process.
For the management this results in important tasks and duties:
• assumption of the overall responsibility for the IS management process
• integration of IS into the business processes
• control and maintain the ISMS process
• achievable targets during implementation of the ISMS
• cost-benefit analysis
• acting by example
5.3 Information Security Management Systems (ISMS)
Process of information security (PDCA cycle):
(Figure: PDCA cycle of the ISMS. Roles: Management, IT Management, System administration. Documents with increasing level of detail of the rules: IT Security Policy, IT Security Management, IT Security Concept. Stages: Planning, Doing, Check/Control, Operation, Revision, Qualification.)
Information Security Management System
and how do you handle your USB-Stick?