Less Effective Approaches
• Product / Toolkit based approach
– Offers the ease of obtaining generic pre-written “policies”
– Can only cover those controls addressable by “policy”
– Cannot address controls that require an organizational component
– Cannot justify selection of controls
– Is not defensible
– Creates a false sense of security
• Linear approach
– Broadly follows the guidelines presented in the ISO Standard
– Implements the ISMS by following the guidelines to the letter, not spirit and intent
– Sometimes performed by internal teams without external assistance
– Several vendors use this ‘closed’ approach, or use a hybrid approach that combines it with a product based approach
– The approach is not easily extensible, thereby limiting the ISMS to a specific part of the organization after attaining certification
ISMS Development and Approach © Orange Parachute
Common Shortcomings with Less Effective Approaches
Technical Shortcomings
• Incomplete Risk Assessment Process
• Incomplete Asset Listing
• Lack of Assurance for Controls Effectiveness
• Improper Interpretation of Controls
• Scope Minimization
• Difficulties in Developing Comprehensive BCP Plan
Common Shortcomings with Less Effective Approaches (cont’d)
Management Shortcomings
• Lack of Documentation
• Failure to Define Specific Roles and Responsibilities in Information Security
• Difficulties in Conducting Regular Management Reviews and Implementing Suggestions
• Lack of a Comprehensive ISMS Project Plan
• ISMS regarded as a one-off project, rather than a continuous one
• Failure to Obtain Enough Support from Top Management
• Difficulties in Conducting Internal Audit
• Difficulties in Writing Proper Security Policies, Procedures & Guidelines
Orange Parachute’s Approach
• Systematic
– Follows, implements and adopts every requirement of the Standard by the letter and spirit
– Our experienced consultants work with the client to understand the cultural, business and organizational environments, and build an ISMS adapted to the client
– Proven tools and templates are utilized to speed up the implementation process
• Process based
– Takes into account the legal and regulatory environment
– Works within the existent culture and values
– Produces justifiable, risk based requirements, processes, roles, and activities
– Is defensible and extensible
How we implement the ISMS
The Process (flowchart; steps in order)
• Secure management commitment
• Determine scope of the Information Security Program
• Identify security domains
• Create information security organization
• Assess risk
• Mitigate risk
• Audit
How we implement and certify an ISMS
• We use ISO27001 to manage Information Security Programs
• An Information Security Program may have governance over multiple security domains
• Security domains serve as the basis of establishing scope for ISO27001 certification
• Security domains are where ISO27002/ISO27001 Annex A controls ultimately reside
• Scope of an ISO27001 Information Security Program and ISO27001 registration may not be the same
ISO27001 based ISMS to manage the Information Security Program (diagram)
• Data Center – ISO27001 certified Security Domain
• Call Center – ISO27001 managed Security Domain
• Branch Office – ISO27001 managed Security Domain
• Production Area – ISO27001 managed Security Domain
• Build a program once; extend the program to several security domains and certify
Our Implementation Focus
• Effective communication
– Consistent terms and definitions
• Understand relationships
– RACI
– Empowered through charters and plans
• Scope the program
– Program span of control
• Define / package sensible operational areas (security domains)
– Operational span of control
• Perimeters
• Assets
• Leverage security domains for
– Risk assessment
– Incident response
– BC/DR
– Certification
Orange Parachute’s Approach: ISMS Framework – A real life sample (sample diagram)
Our Implementation Focus (contd.)
Risk Assessment methodology
– By audience
• Strategic: liability
• Tactical: vulnerability
• Operational: gap
– By environment
• Raw
• Residual
• Accepted
Our Implementation Focus (contd.)
Selection of controls
– Tactical control objectives
• From tactical risk assessment
– Tactical controls
• From ISO27001 Annex A
– Operational control objectives
• Domain specific and derived from tactical controls
– Operational controls
• Domain specific and derived from operational control objectives
• Technical
• Procedural
• Temporal
• Taskings
Our Implementation Focus (contd.)
Operational control elements
– Technical
• Devices
• Configurations
– Procedural
• Standard operating procedures (SOPs)
– Temporal
• Domain schedules
– Tasking
• Individually assigned responsibilities
Our Implementation Focus (contd.)
Example – Risk basis (tactical)
• Threat: Unauthorized disclosure
• Vulnerability: weak logon procedure
– A.11.5 Access control
• Objective: To prevent unauthorized access to operating systems
– A.11.5.1 control: Secure logon procedure
• Access to operating systems shall be controlled by a secure logon procedure
– Specific domain objective for Windows platforms
• Objective: To provide a secure logon procedure for Windows platforms
– Domain control: technical: Windows configuration
• Password masking
• Lockout after 3 failed attempts
• Password hashing
• Password history with no re-use
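As an added example that is not part of the original slides and not Orange Parachute's own tooling, the following PowerShell audits a Windows host's local security policy against the domain control items listed above (lockout threshold, password hashing, password history). It assumes secedit.exe is available and that the session is elevated; the 24-password history baseline is an assumption, since the slide gives no number; password masking is a logon-UI default that the exported policy does not express, so it is not checked.

```powershell
# Added example (not from the original slides): audit the local security policy
# against the "Domain control: technical: Windows configuration" items.
# Assumes secedit.exe is present and the session is elevated.

function Get-LocalSystemAccessPolicy {
    # Export the effective local policy to a temporary INF and parse the
    # [System Access] section into a hashtable of key -> string value.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $inf /quiet
        $policy = @{}
        $inSection = $false
        foreach ($line in (Get-Content -Path $inf)) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'System Access')
                continue
            }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
                $policy[$Matches[1]] = $Matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-SecureLogonControls {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        # "Lockout after 3 failed attempts": lockout must be enabled (0 = disabled)
        # and the threshold must not exceed this value.
        [int] $MaxLockoutThreshold = 3,
        # "Password history with no re-use": the slide gives no count; 24 is an
        # assumed baseline, adjust to the domain standard.
        [int] $MinPasswordHistory = 24
    )
    # Missing keys read as $null, which [int] turns into 0 (the failing value).
    $lockout   = [int]$Policy['LockoutBadCount']
    $history   = [int]$Policy['PasswordHistorySize']
    $cleartext = [int]$Policy['ClearTextPassword']

    [pscustomobject]@{
        Control  = 'Lockout after failed logon attempts (LockoutBadCount)'
        Observed = $lockout
        Pass     = ($lockout -gt 0 -and $lockout -le $MaxLockoutThreshold)
    }
    [pscustomobject]@{
        Control  = 'Password history enforced (PasswordHistorySize)'
        Observed = $history
        Pass     = ($history -ge $MinPasswordHistory)
    }
    # "Password hashing": Windows stores password hashes unless reversible
    # encryption is enabled, which appears as ClearTextPassword = 1.
    [pscustomobject]@{
        Control  = 'Passwords stored hashed, no reversible encryption (ClearTextPassword)'
        Observed = $cleartext
        Pass     = ($cleartext -eq 0)
    }
}

# Constructed sample (not taken from any real host) so the checks can be
# exercised without elevation; the lockout check fails because 0 means no lockout.
$sample = @{ LockoutBadCount = '0'; PasswordHistorySize = '24'; ClearTextPassword = '0' }
Test-SecureLogonControls -Policy $sample | Format-Table -AutoSize

# Live run on the current host (elevated PowerShell session required):
# Test-SecureLogonControls -Policy (Get-LocalSystemAccessPolicy) | Format-Table -AutoSize
```

Each row maps one configuration item back to the A.11.5.1 control it supports, so the output can be attached directly to the domain's control evidence; a failing row is a gap between the operational control and the tactical objective, which is the kind of finding the risk basis above is meant to surface.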
Sample of Key Deliverables from our Implementations
Fully documented management intent and support
• Policies (vision)
• Charters (empowerment)
• Program plans (strategy)
Fully documented information security direction
• Standards (requirements)
• Processes (methodologies)
• Activities (schedules)
• Roles (responsibilities)
Domain specific operational details
• Specifications
• Standard Operating Procedures (SOPs)
• Job descriptions
• Tasking
Process Example (reconstructed from flowchart)
Process: Supplier Governance
Frequency: As required
Version: 1.1
Business Unit: Information Security
Author:
Process Owner: ISO
Approver: ISMS Oversight Committee
Date Approved:
Swim lanes: ISO; Information Security Analyst; Requestor; Output
Trigger: Pending business contract
Steps
• Determine data types involved
• Identify required protection levels
• Incorporate protection requirements in contract
• Negotiate process hand-off points
• Assign roles and responsibilities
• Assign task schedules
• Review contract specifications
Supporting documents: Info Governance Matrix; Info Security Standards; Info Security Processes; Functional Roles; Activity matrix
Deliverables: Security Specifications for Contract; Third party SLA
Process interfaces: Output from Supplier Evaluation Process; Input to ISMS Conformance Process; Input to Risk Assessment Process
Trends
• Worldwide demand for standardized and internationally sanctioned information security certification
– Certification is already a requirement in some markets
– Competitive edge
– Interoperability
– Due diligence concerns
• Continued focus on a process based approach
– Integration with other process based management systems
– Integration with other process based operational models
– Manages the quality of information
Attributes of an Orange Parachute ISMS
• Addresses risk at all levels
– Strategic
– Tactical
– Operational
• Extensible
• Defensible / Justifiable
• Minimizes change
• Helps plan continuity in the workforce
• Compatible and integrated with other ISO and industry standards (ISO 9001, ISO 20000, ISO 27005, BS 25999, etc.)
• Compatible with other catalogs of controls (CoBit, PCI, FISAP)
• Meets the information protection requirements imposed by various laws and regulations, such as Sarbanes Oxley, HIPAA, GLBA, SB 1386, etc.
Summary / Benefits
• The ISO27002/ISO27001 family is an internationally recognized benchmark for Information Security Management
– ISO27002 is used to deploy comprehensive information security controls.
– ISO27001 is used to manage Information Security Programs and certify discrete operational areas.
• ISO27001/2 may serve as an umbrella under which an organization can address multiple information protection regulations.
– Most are already mapped to ISO27002 controls
– All can be managed by ISO27001
• ISO27001 can be used to certify due diligence. Areas of application include:
– security assessments of supplier / vendor / service provider 3rd parties
– reducing redundant audit overheads
• A standards based ISMS is defensible, extensible, flexible and efficient.
Successful Client Certifications
Certified Clients:
• Federal Reserve NY – BS7799-2
• The World Bank – ISO 27001
• McQuarie Corporate Communications (Australia) – BS7799-2
• Premier Bank – ISO 27001
• International Monetary Fund (IMF) – ISO 27001
• Merrill Corporation – ISO 27001
• Convey Compliance Systems – ISO 27001
• DCM Services – ISO 27001
• Pacific Life Insurance Company – ISO 27001
Some Additional Clients:
• Blue Cross Blue Shield
• Coventry Healthcare
• RxHub
• Merck & Co., Inc.
• Nielsen Media Research
• Wake County Public Schools
• ConocoPhillips
• American Express
• Ameriprise Financial
• FINRA/NASD
• INTUIT
• National City Bank
• PSECU