Information Security Management System

Date posted: 24-Feb-2016
Page 1: Information Security Management System

30 April 2012

Information Security Management System

Page 2: Introduction

This session will present the key concepts related to:

► Information
► Information Security
► Information Security Management System (ISMS)
► ISMS Principles
► ISMS Implementation
► Critical Success Factors
► Relevant International Standards

Page 3: Information – an Intangible Entity

► Information in itself is an intangible entity. It does not have a ‘physical’ form but exists as:
  ► Conversation
  ► Visuals
  ► Impressions/Memories
  ► Songs, Movies, etc.
  ► Personal/Organizational data and information about past and present (and future predictions/forecasts…)
  ► Quantitative data and analysis about business
  ► Qualitative Analysis, etc.

Page 4: Information – Business Context

Data → (Processing) → Information → (Analysis) → Business Intelligence

► Data: Collection of facts from which conclusions may be drawn.

► Information: Data that is accurate, specific and organized for a purpose, presented within a context that gives it meaning and relevance.

► Business Intelligence: Collection of tools and systems and, more importantly, the corporate information managed by such systems, used to aid in the strategic planning and decision-making process.

Page 5: Information – Container / Medium

► Information in itself is an intangible entity. It can exist only either in stored form or while in transmission.

► Stored in a ‘Container’:
  ► Paper (printed or written)
  ► Tapes, Diskettes and CD ROMs
  ► Recorded conversations / video
  ► Electronic records
  ► PDAs / phones / computers
  ► Databases, computer files
  ► Waste bin

Page 6: Information – Container / Medium

► Transmitted via a ‘Medium’ (or a channel):
  ► Verbal (spoken and listened)
  ► Visual
  ► Converted and transmitted electronically:
    ► Voice transmission via phone, intercom, etc.
    ► Data transmission via leased lines, etc.
    ► IP based data transmission via DSL, wireless, WiMax, etc.
  ► Physical movement of paper or other storage / media

► Information can exist only while in transmission or when stored.

► Information needs to be secured while in transmission or when stored.

Page 7: Information – A Valuable Asset Requiring Protection

► Information is a most valuable asset for a business. Like any other business asset:
  ► It is valuable only if it can be used for value creation
  ► It requires proper management
  ► It needs to be protected

► Without suitable protection, information can be:
  ► Given away, leaked or disclosed in an unauthorized way
  ► Modified without your knowledge to become less valuable
  ► Lost without trace or hope of recovery
  ► Rendered unavailable when needed

Page 8: Information Security – Types of Information

All organizations collect, process, store, and transmit large amounts of information which can be classified as:

► Internal Information that you would not want your competitors to know.

► Customer/client/supplier Information that these entities would not wish you to divulge.

► Shared Information that needs to be shared with partners.

Page 9: Information Security – Dimensions

Information Security is characterized as preservation of the following properties of information assets:

► Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

► Integrity: The property of safeguarding the accuracy and completeness of assets.

► Availability: The property of being accessible and usable upon demand by an authorized entity.

Page 10: Information Security – Key Management Requirements

Formal management of information security is required to:
► Satisfy the security requirements of customers and other stakeholders
► Improve an organization's plans and activities
► Meet the organization's information security objectives
► Comply with regulations, legislation and industry mandates
► Manage information assets in an organized way to facilitate:
  ► Continual improvement
  ► Adjustment to current organizational goals and to the environment

Page 11: Information Security Management System (ISMS)

► Information: Information is an asset which, like other important business assets, has value to an organization and subsequently needs to be suitably protected.

► Information Security: Information Security is preservation of confidentiality, integrity and availability of the information assets of the organization.

► Information Security Management System (ISMS): ISMS is that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

► Elements of the Management System:
  ► Security Organization Structure
  ► Security Policy and Procedures
  ► Resources with roles and responsibilities
  ► Testing and sustenance

Information Security is a management process, not a technological process.

Page 12: Information Security Management System (ISMS) - Definition

“An Information Security Management System (ISMS) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives based upon a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks”.

(ref ISO 27000)

Page 13: ISMS Principles

► Awareness of the need for information security
► Assignment of responsibility for information security
► Incorporating management commitment
► Enhancing societal values
► Risk assessments determining appropriate controls
► Security incorporated in information networks and systems
► Active prevention and detection of information security incidents
► Ensuring a comprehensive approach to information security
► Continual reassessment of information security

(ref ISO 27000)

Page 14: ISMS Implementation - Key Elements

► The following elements need to be provided for a proper implementation of a successful ISMS:
  ► Organizational structure
  ► Policies
  ► Planning activities
  ► Responsibility assignment
  ► Processes
  ► Procedures
  ► Standards and guidelines
  ► Resources

► These need to be appropriate for the size and complexity of the organization (they should not translate into unreasonably high costs and efforts).

Page 15: ISMS Implementation - Organizational Roles & Responsibilities / Ownership (Example)

[Diagram: ownership of ISMS elements mapped to organizational levels. Levels shown: Board of Directors, C Level, IT Management, Functional Management, Technical Management. Elements shown: Business Objectives; Strategy (including IT and Information Security); Business Continuity Management; Network Security Architecture / Proper Network Zoning; Logical Access Control; Data Encryption and Security; Secured Firewall Configuration; Automated Application Controls.]

Page 16: ISMS Implementation

► The ISMS is implemented by successful completion of the below:
  ► Identify information assets and associated security requirements
  ► Assess information security risks
  ► Select and implement relevant controls *
  ► Monitor, maintain and improve the effectiveness of the security controls associated with the organization's information assets

* Controls are required to be specified, implemented, monitored and reviewed. Controls should be integrated with the business processes.

Page 17: ISMS Implementation - Process Approach - PDCA

Page 18: ISMS Implementation - Process Approach - PDCA

► Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.

► Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.

► Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.

► Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

Page 19: ISMS – Key Critical Success Factors

► IS policies are aligned with objectives
► IS approach and framework is established and monitored
► Management buy-in and commitment
► Understanding of information asset protection via risk assessment
► Effective IS awareness
► Effective incident management process
► Effective business continuity management
► Performance measurement mechanism

Page 20: ISMS – Recap

[Diagram: Information Security Management System (ISMS) recap. Information managed as an asset (Creation, Processing, Transmitting, Protection, Destruction); Information Security (Confidentiality, Integrity, Availability); Information Security Management (Direct, Control, Improve); Elements of IS Management System (Org Structure, PPPs, Resources, Responsibilities); Process Approach (Plan, Do, Check, Act).]

Page 21: Relevant International Standards

► A family of standards (ISO 270xx) has been established by ISO/IEC to provide comprehensive guidance on the subject of ISMS.

► ISO 27001 and ISO 27002 are the most important and well-known standards, used as the primary reference for IS requirements and code of practice by all organizations wanting to implement an ISMS.

► Other ISO 270xx standards address various other aspects of establishing and maintaining a successful ISMS.

Page 22: ISO Family of Standards

Page 23: ISO 27001 Standard – 11 Domains

39 control objectives, 133 controls, grouped into 11 domains:

► Security Policy
► Organization of Information Security
► Asset Management
► Human Resource Security
► Physical & Environmental Security
► Communication & Operations Management
► Access Control
► Information System Acquisition, Development and Maintenance
► Information Security Incident Management
► Business Continuity Management
► Compliance

Page 24: ISO 27001 Certification

Establish Information Security Management
► Design and implement the ISMS, train the relevant employees, and create security awareness leading to an improved information security environment throughout the organization.
► Preparation of all the needed documentation as per the ISO standard. Usually requires support from independent information security professionals.

ISO Certification
► Stage 1: Preliminary, informal review of the ISMS to check key documentation such as the IS policy, Statement of Applicability (SOA) and Risk Treatment Plan (RTP), etc.
► Stage 2: Formal compliance audit of the ISMS against the requirements specified in ISO/IEC 27001. Certification audits are conducted by ISO/IEC 27001 Lead Auditors. This results in an ISO certificate issued by a certification registrar.
► Stage 3: Follow-up reviews and audits to confirm that the organization remains in compliance with the standard. Annual reassessment audits are part of the certification maintenance requirement.

Page 25: ISO 27001 – Control Objectives – Example

Page 26: ISO 27002 – Code of Conduct – Example

Page 27: ISO Family

► ISO/IEC 27000: describes the fundamentals of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.

► ISO/IEC 27001: ISO/IEC 27001 provides normative requirements for the development and operation of an ISMS, including a set of controls for the control and mitigation of the risks associated with the information assets which the organization seeks to protect by operating its ISMS.

► ISO/IEC 27002: ISO/IEC 27002 provides guidance on the implementation of information security controls.

► ISO/IEC 27003: ISO/IEC 27003 will provide a process-oriented approach to the successful implementation of the ISMS in accordance with ISO/IEC 27001.

► ISO/IEC 27004: ISO/IEC 27004 will provide a measurement framework allowing an assessment of ISMS effectiveness to be measured in accordance with ISO/IEC 27001.

► ISO/IEC 27005: ISO/IEC 27005 provides guidance on implementing a process-oriented risk management approach to assist in satisfactorily implementing and fulfilling the information security risk management requirements of ISO/IEC 27001.

► ISO/IEC 27006: ISO/IEC 27006 supplements ISO/IEC 17021 in providing the requirements by which certification organizations are accredited, thus permitting these organizations to provide compliance certifications consistently against the requirements set forth in ISO/IEC 27001.

Page 28: ISO Family

► ISO/IEC 27007: ISO/IEC 27007 will provide guidance to organizations needing to conduct internal or external audits of an ISMS or to manage an ISMS audit program against the requirements specified in ISO/IEC 27001.

► ISO/IEC 27011: ISO/IEC 27011 provides telecommunications organizations with an adaptation of the ISO/IEC 27002 guidelines unique to their industry sector, which is additional to the guidance provided towards fulfilling the requirements of ISO/IEC 27001.

► ISO 27799: ISO 27799 provides health organizations with an adaptation of the ISO/IEC 27002 guidelines unique to their industry sector, which is additional to the guidance provided towards fulfilling the requirements of ISO/IEC 27001, Annex A.

Page 29: Always remember. . .

There is no secUrity without you
