Date post: | 21-Jun-2015 |
“I am certified, but am I safe?”
Anup Narayanan, CISA, CISSP
Founder & CEO, ISQ World
Agenda
• What exactly is Certification?
• The audit process & fear: Why?
• The cost of poor implementation
• Getting your ISMS right
• The ISM3 model
• The CXO’s Security Plan
• How do I know I am safe?
What exactly is Certification?
An explanation in simple terms
The auditor looks for two factors:
• The existence of the ISMS: is the P-D-C-A (Plan-Do-Check-Act) model in place? Scope, security forum, asset classification list, risk analysis, documents etc.
• The functioning of the ISMS: review and improvement processes, the CHECK and ACT phases.
Auditor: “Have you done a root cause analysis?” Not just identifying problems, but solving them.
If the auditor is satisfied, you are recommended for certification.
The essence of ISO 27001 / ISMS
It tells you what to do: implement an ISMS (Information Security Management System) fit for business.
Does it tell you how to do it? Not very well!! ISO 27002 is a good guide, but subject to poor interpretation. That is not the fault of the standard.
Example: “Build a vehicle”
(Illustration: a poor interpretation versus a good interpretation of the same instruction.)
The audit process & fear: Why?
Analysis
• The purpose of the ISMS is not well understood
• The implementation process is not well understood
• The audit process is not well understood
• You are misguided by ill-informed people
Some facts!
• Fallacy: I must select as many controls as possible. Truth: choose those controls that are required (some of them will be mandatory).
• Fallacy: I must produce a ton of documentation. Truth: I must produce documents that I will read.
• Fallacy: The auditors will be tough and strict. Truth: the auditors know their job and you should know yours.
This leads to…. ISMS fatigue
• After the first few years, you will not be able to maintain all controls; managers will grumble.
• This leads to poor maintenance of controls.
• Poor maintenance leads to “quick-fixes” that open more vulnerabilities.
• Slowly the controls weaken and people start finding alternatives to bypass the ISMS, which opens yet more weaknesses.
The cost of poor implementation
A poorly implemented ISMS leads to more security weaknesses than not having one at all.
Getting your ISMS right
Information Security Goals, Targets and Processes (Not Controls)
The chain of dependencies:
• My primary focus is to constantly increase shareholder value
• …which depends on customer retention & acquisition
• …which depends on TRUST
• …which depends on continuous availability of services
• …which depends on continuous availability of Information and Information Systems
• …which is INFORMATION SECURITY
On the Internet….
The customer cannot see you. They don’t know what you look like, or how you talk…
This makes it difficult for you to influence the perception of TRUST on the Internet using visible factors…
Trust & the impersonal nature of the Internet
TRUST on the Internet is based on measurable factors such as availability of services.
Hence, you need Information Security so that you are there when the customer needs you.
The purpose of the ISMS
Business Goals: be profitable, be ethical, be socially responsible.
Business Targets:
• Generate $X through sales
• Pay bills / salaries / taxes on time
• Maintain the offices and facilities
Helped by (business functions):
• Sales: sell products & services
• HR: hire the right people
• Finance: process payments, pay bills & salaries, accounting
• Admin: maintenance functions, HVAC etc.
Where does Information Security fit in?
Realize this…
No two businesses are alike, hence no two ISMSs are alike.
Be confident! Build an ISMS fit for your business!
Choose only processes that are useful for your business, not because someone else does them too.
Using ISM3 to implement ISO 27001
ISM3 – Information Security Management Maturity Model
• ISM3 was recently adopted as The Open Group Standard - www.ism3.com
• ISM3 provides a set of “security management processes” that are consistent with business goals
• You can select “Maturity Levels” based on available resources:
  Level 1: Low risk environments
  Level 2: Normal risk environments
  Level 3: Normal to high-risk environments (IT service providers / e-commerce)
  Level 4: High risk environments (public companies, finance)
  Level 5: High risk environments + mandatory metrics
(Chart: maturity level plotted against Security Investment & Risk Reduction.)
The advantage of a process-based approach
A process:
• Gives more clarity on what needs to be done
• Makes you realize the amount of resources that need to be assigned to execute it
• Hence, you will select only those processes that are truly required for the ISMS
• This leads to building an ISMS “for your business” and “not for certification”
The CXO’s Security Plan
As the CEO, you want to spend less, but more effective, time on information security.
So, your plan must be simple, precise and must give you answers to 3 questions.
The 3 questions are…..
1 - Assets: What are my information assets? (Give me the latest list.)
2 - Threats: What are the threats to my information assets? (Give me the newest threats.)
3 - Vulnerabilities (Weaknesses): What are the vulnerabilities that can be exploited by these threats? (What are we doing about them?)
Your plan centers around “Assets”, “Threats” and “Vulnerabilities”.
In fact, you must work together with your information security officer to have the latest list of Assets, Threats & Vulnerabilities briefed to you at regular intervals (at least once a month or quarter).
Idea!
Ask your Information Security Officer to create a threat and vulnerability pipe.
A sample threat & vulnerability pipe (latest threats and vulnerabilities go on top):
March
• Security survey reveals poor user security awareness
• SANS reports 5 vulnerabilities that affect our applications
Feb
• Some web applications do not have a privacy policy displayed
• Backup restoration is not tested
Jan
• Background verification of new employees not uniformly done
• Information security risks not considered as part of the business continuity plan
So, the next time you are with your information security officer, you know what to ask….
“Could you please tell me the top 3 items off the top of the threat & vulnerability pipe?”
(The officer thinks: “Hmm… she is getting security sharp!”)
Remember!
A good security manager will tell you your weaknesses and not always your strengths!
How do I know that I am safe?
You are safe when:
• You know what your business is about
• You know the Information Systems that are required to attain business goals
• You know the risks to the Information Systems
• You have reduced the risks as far as possible
• You know exactly what your weaknesses are and are prepared for them
The Art of War – Sun Tzu
It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles;
if you do not know your enemies but do know yourself, you will win one and lose one;
if you do not know your enemies nor yourself, you will be imperiled in every single battle.
Please keep in mind
Information Security does not earn you big money. But it ensures that you keep earning the big money.
….because, information security influences the way your customers TRUST and BUY your brand.
© First Legion Consulting
Thank You
Anup Narayanan, Founder & Principal Architect
ISQ World, A First Legion [email protected]