Iso

Date post: 02-Dec-2014
Upload: prashant-late
Page 1: Iso

Presentation titlePage 1

Introduction to standards & frameworks

Role
► Improve the business processes – ISO 9000, Six Sigma
► Regulatory Imposition/Governance – SoX, Basel II, COSO
► IT focused discipline – ISO 27001, CMM, ITIL, ISO 20000, CobiT
► Governance and continuity – ISO 38500 and BS25999

Commonality
► Many are certifiable – May require multiple certifications
► Significant overlap with each other

Differences
► Focus areas and objectives
► The processes and applicable procedures

Page 2: Iso


Introduction to standards & frameworks

► Most Quality Management Systems and frameworks, by their very nature, overlap with each other. However, there is no straight comparison between standards, frameworks and best practices.

► They serve different purposes and are not mutually exclusive. The most common overlaps are in the areas of quality management, training, audit documentation and conformance.

► They share a common set of principles and practices: Senior Management Commitment, Leadership, Customer Focus, People Focus, Management by Process, Systemic View, Focus, Learning and Improvement and “Win-Win” Partnership.

[Figure: overlapping standards and frameworks – CobiT, ISO 27001, ITIL, ISO 20000, CMM, ISO 9000, ISO 38500, BS 25999, and other best practices, procedures and guidelines]

Page 3: Iso

Introduction to standards & frameworks: ISO 27001 – An overview

► ISO/IEC 27001:2005
► Published by ISO and IEC, ISO/IEC 27001 is an international standard for ISMS
► Provides information to responsible parties for implementing information security
► Basis for developing security standards and management practices within an organization to improve the reliability of information security

► Through the process of regular risk assessment & continuous improvement, it lays down the roadmap to identify, assess, mitigate and monitor the IS risks.

► Selection of adequate security controls that protect information assets and give confidence to interested stakeholders.

Page 4: Iso

Introduction to standards & frameworks: COBIT – An overview

► COBIT
► Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for IT governance, providing management tools such as metrics and maturity models.

► It also provides greater focus on alignment of business and IT goals, and greater clarity on IT delivering value, performance management, governance, ownership and assurance requirements.

► It includes 34 high-level control objectives grouped under the domains of
  ► Planning and Organization
  ► Acquisition and Implementation
  ► Delivery and Support, and
  ► Monitoring and Evaluation.

► The current version is COBIT 4.1.

Page 5: Iso

Introduction to standards & frameworks: ISO 38500 – An overview

► ISO/IEC 38500:2008
► The ISO/IEC 38500:2008, Corporate governance of information technology standard, provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT.

► ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations.

► This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.

► The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:
  ► Responsibility
  ► Strategy
  ► Acquisition
  ► Performance
  ► Conformance
  ► Human behaviour

Page 6: Iso

Introduction to standards & frameworks: Information Technology Infrastructure Library (ITIL) – An overview

► ITIL v2
► Developed by the Office of Government Commerce (OGC) in the UK
► Is a set of concepts and policies for managing the Information Technology (IT) services (ITSM), developments and operations.

► Used by organizations world-wide as a comprehensive and consistent source of “good practice” to establish and improve capabilities in Service Management.

► ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.

[Figure: ITIL v2 publications – Planning to implement service management; Application management; The Business Perspective; IT infrastructure management; The business; The technology; Service support; Service delivery; Security management]

Page 7: Iso

Introduction to standards & frameworks: Information Technology Infrastructure Library (ITIL) – An overview

► ITIL v3
► Framework of “best practice” guidance for ITSM
► Addresses particular "points of pain"
► Addresses issues such as services, quality, organization, and policy and process management
► Key changes from ITIL v2 to ITIL v3
  ► Business and IT – From Alignment to Integration
  ► From Value Chain Management to Value Service Network Integration
  ► From Linear Service Catalogues to Dynamic Service Portfolios
  ► From Integrated Processes to ‘The Service Management Lifecycle’
► Integrate business and IT strategy
► Agile service design
► Clarity in management of service providers
► Improve measurement and demonstrate value

[Figure: ITIL v3 service lifecycle – Service Design, Service Transition, Service Operation]

Page 8: Iso

Introduction to standards & frameworks: ISO 20000 – An overview

► ISO/IEC 20000
► Published by ISO and IEC in December 2005, ISO/IEC 20000 is the first international standard for IT Service Management
► Based on, and supersedes, the earlier British Standard, BS 15000
► Enables organizations to benchmark their capability in delivering managed services, measuring service levels and assessing performance
► Issued in 2 parts
  ► Part 1: Specification – Provides requirements for IT Service Management
  ► Part 2: Code of practice – Represents an industry consensus on guidance to auditors and assistance to service providers

[Figure: ISO 20000:2005 standard – process groups]
► Service delivery processes – Capacity management; Service level management; Information security management; Service continuity and availability management; Service reporting; Budgeting and accounting for IT services
► Relationship processes – Business relationship management; Supplier management
► Resolution processes – Incident management; Problem management
► Control processes – Configuration management; Change management
► Release processes – Release management

Page 9: Iso

Introduction to standards & frameworks: BS 25999 – An overview

► BS 25999
► British standard for business continuity management (BCM), developed to help minimize the risk of disruptions.
► It establishes the process, principles and terminology of BCM.
► It provides a basis for understanding, developing and implementing business continuity within the organization.
► BS 25999 is suitable for any organization, large or small, from any sector.
► BS 25999 comprises two parts:
  ► BS 25999-1:2006 - Code of Practice for BCM (provides BCM best practice recommendations)
  ► BS 25999-2:2006 - A Specification for BCM (provides the requirements for a BCMS based on BCM best practice)

Page 10: Iso

Introduction to standards & frameworks: ISO 9000 – An overview

► ISO 9000
► ISO 9000 is a family of standards for quality management systems.
► Structure
  ► ISO 9000 lays down what requirements an organization's quality system must meet. Effective December 15, 2000, the ISO 9000 standards were revised as follows:
    ► ISO 9000:2000, Quality management systems - Fundamentals and vocabulary
    ► ISO 9001:2000, Quality management systems - Requirements. Revised to include concepts from the former ISO 9001, 9002, and 9003 standards.
    ► ISO 9004:2000, Quality management systems - Guidelines for performance improvements.
► Environment
  ► Quality Management System Audit and Certification
  ► Self Declaration and External Audit
► Positioning
  ► Quality Management System
  ► ISO 9000 is a family of standards that addresses quality management systems within an organization

Page 11: Iso

Introduction to standards & frameworks: Capability Maturity Model (CMM) – An overview

► CMM
► The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization's software development process.
► The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes.
► The Capability Maturity Model involves the following aspects:

► Maturity Levels: A 5-Level process maturity continuum - where the uppermost (5th) level is a notional ideal state where processes would be systematically managed by a combination of process optimization and continuous process improvement.

► Key Process Areas: A Key Process Area (KPA) identifies a cluster of related activities that, when performed collectively, achieve a set of goals considered important.

► Goals: The goals of a key process area summarize the states that must exist for that key process area to have been implemented in an effective and lasting way. The goals signify the scope, boundaries, and intent of each key process area.

► Common Features: Common features include practices that implement and institutionalize a key process area. There are five types of common features: Commitment to Perform, Ability to Perform, Activities Performed, Measurement and Analysis, and Verifying Implementation.

► Key Practices: The key practices describe the elements of infrastructure and practice that contribute most effectively to the implementation and institutionalization of the KPAs.

Page 12: Iso

Introduction to standards & frameworks: Six sigma – An overview

► Six sigma
► Six Sigma is a process of quality measurement, which helps the organization in the improvement of its quality.
► Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors) and minimizing variability in manufacturing and business processes.
► Six Sigma doctrine asserts that:

► Continuous efforts to achieve stable and predictable process results (i.e. reduce process variation) are of vital importance to business success.

► Manufacturing and business processes have characteristics that can be measured, analyzed, improved and controlled.

► Achieving sustained quality improvement requires commitment from the entire organization, particularly from top-level management.

Page 13: Iso

Introduction to standards & frameworks: Six sigma – An overview

Page 14: Iso


ISO 27001:2005 structure

ISO 27001:2005
0 Introduction
1 Scope
2 Normative References
3 Terms & Definitions
Clauses 4 to 8
Annex A (normative) Control objectives and controls (A.5 to A.15)
Annex B (informative) OECD principles and this International Standard
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard

Annex A (A.5 to A.15) control domains:
► Security policy
► Organization of Information Security
► Asset management
► Human resources security
► Physical and environmental security
► Communications & operations management
► Access control
► Information systems acquisition, development and maintenance
► Information Security incident management
► Business continuity management
► Compliance

Page 15: Iso


Clause 4

4 Information security management system
► 4.1 General requirements
► 4.2 Establishing and managing the ISMS
  ► 4.2.1 Establish the ISMS
  ► 4.2.2 Implement and operate the ISMS
  ► 4.2.3 Monitor and review the ISMS
  ► 4.2.4 Maintain and improve the ISMS
► 4.3 Documentation requirements
  ► 4.3.1 General
  ► 4.3.2 Control of documents
  ► 4.3.3 Control of records

Page 16: Iso


Clause 5

5 Management responsibility
► 5.1 Management commitment
► 5.2 Resource management
  ► 5.2.1 Provision of resources
  ► 5.2.2 Training, awareness and competence

Page 17: Iso


Clause 6

6 Internal ISMS audits

Page 18: Iso


Clause 7

7 Management review of the ISMS
► 7.1 General
► 7.2 Review input
► 7.3 Review output

Page 19: Iso


Clause 8

8 ISMS improvement
► 8.1 Continual improvement
► 8.2 Corrective action
► 8.3 Preventive action

Page 20: Iso


Security Policy

Objective:
► Information security policy

Covers:
► Information security policy document
► Review of the Information Security Policy

Page 21: Iso


Organisation of Information Security

Objective:
► Internal Organization
► External Parties

Covers:
► Management commitment to information security
► Information security coordination
► Allocation of information security responsibilities
► Authorization process for information processing facilities
► Confidentiality agreements
► Contact with authorities
► Contact with special interest groups
► Independent review of information security
► Identification of risks related to external parties
► Addressing security when dealing with customers
► Addressing security in third party agreements

Page 22: Iso


Asset Management

Objective:
► Responsibility for assets
► Information classification

Covers:
► Inventory of assets
► Ownership of assets
► Acceptable use of assets
► Classification guidelines
► Information labelling and handling

Page 23: Iso


Human Resource Security

Objective:
► Prior to employment
► During employment
► Termination or change of employment

Covers:
► Roles and responsibilities
► Screening
► Terms and conditions of employment
► Management responsibilities
► Information security awareness, education and training
► Disciplinary process
► Termination responsibilities
► Return of assets
► Removal of access rights

Page 24: Iso


Physical & Environmental Security

Objective:
► Secure Areas
► Equipment Security

Covers:
► Physical security perimeter
► Physical entry controls
► Securing offices, rooms and facilities
► Protecting against external and environmental threats
► Working in secure areas
► Public access, delivery and loading areas
► Cabling security
► Equipment maintenance
► Securing of equipment off-premises
► Secure disposal or re-use of equipment
► Removal of property

Page 25: Iso


Communication & Operations Management

Objective:
► Operational procedures and responsibilities
► Third party service delivery management
► System planning and acceptance
► Protection against malicious and mobile code
► Backup
► Network security management
► Media handling
► Exchange of information
► Electronic commerce services
► Monitoring

Covers:
► Documented operating procedures
► Change management
► Segregation of duties

Page 26: Iso


Communication & Operations Management (Contd..)

► Separation of development, test and operational facilities
► Service delivery
► Monitoring and review of third party services
► Managing changes to third party services
► Capacity management
► System acceptance
► Controls against malicious code
► Controls against mobile code
► Information backup
► Network controls
► Security of network services
► Management of removable media
► Disposal of media
► Information handling procedures
► Security of system documentation
► Information exchange policies and procedures
► Exchange agreements

Page 27: Iso


Communication & Operations Management (Contd..)

► Electronic messaging
► Business information systems
► Electronic commerce
► On-line transactions
► Publicly available information
► Audit logging
► Monitoring system use
► Protection of log information
► Administrator and operator logs
► Fault logging
► Clock synchronisation

Page 28: Iso


Access Control

Objective:
► Business requirement for access control
► User access management
► User responsibilities
► Network access control
► Operating system access control
► Application and information access control
► Mobile computing and tele-working

Covers:
► Access control policy
► User registration
► Privilege management
► User password management
► Review of user access rights
► Password use

Page 29: Iso


Access Control

► Unattended user equipment
► Clear desk and clear screen policy
► Policy on use of network services
► User authentication for external connections
► Equipment identification in networks
► Remote diagnostic and configuration port protection
► Segregation in networks
► Network connection control
► Network routing control
► Secure log-on procedures
► User identification and authentication
► Password management system
► Use of system utilities
► Session time-out
► Limitation of connection time
► Information access restriction
► Sensitive system isolation
► Mobile computing and communications
► Teleworking

Page 30: Iso


Information system acquisition, development and maintenance

Objective:
► Security requirements of information systems
► Correct processing in applications
► Cryptographic controls
► Security of system files
► Security in development and support processes
► Technical vulnerability management

Covers:
► Security requirements analysis and specification
► Input data validation
► Control of internal processing
► Message integrity
► Output data validation
► Policy on use of cryptographic controls
► Key management
► Control of operational software
► Protection of system test data

Page 31: Iso


Information system acquisition, development and maintenance (Contd…)

► Access control to program source code
► Change control procedures
► Technical review of applications after operating system changes
► Restriction on changes to software packages
► Information leakage
► Outsourced software development
► Control of technical vulnerabilities

Page 32: Iso


Information Security Incident Management

Objective:
► Reporting information security events and weaknesses
► Management of information security incidents and improvements

Covers:
► Reporting information security events
► Reporting security weaknesses
► Responsibilities and procedures
► Learning from information security incidents
► Collection of evidence

Page 33: Iso


Business Continuity Management

Objective:
► Information security aspects of business continuity management

Covers:
► Including information security in the business continuity management process
► Business continuity and risk assessment
► Developing and implementing continuity plans including information security
► Business continuity planning framework
► Testing, maintaining and re-assessing business continuity plans

Page 34: Iso


Compliance

Objective:
► Compliance with legal requirements
► Compliance with security policies and standards, and technical compliance
► Information systems audit considerations

Covers:
► Identification of applicable legislation
► Intellectual property rights (IPR)
► Protection of organizational records
► Data protection and privacy of personal information
► Prevention of misuse of information processing facilities
► Regulation of cryptographic controls
► Compliance with security policies and standards
► Technical compliance checking
► Information systems audit controls
► Protection of information system audit tools

Page 35: Iso


Implementation of an ISMS

Define the scope and boundaries, security policy

Define the risk assessment approach

Identify the risks
► Assets/Threats/Vulnerabilities/Impacts

Analyze and evaluate the risks

Identify and evaluate options for the treatment of risks

Select control objectives and controls for the treatment of risks

Obtain management approval of the proposed residual risks

Obtain management authorization to implement and operate the ISMS

Prepare a Statement of Applicability

Formulate and implement the risk treatment plan

Page 36: Iso


Implementation of an ISMS

Implement controls to meet the control objectives

Measure the effectiveness of the selected controls or groups of controls

Implement training and awareness

Manage operations and resources

Implement sub-policies or procedures

Monitor and review the ISMS
► Effectiveness of the ISMS controls
► Risk assessments
► Internal ISMS audits and management review

Maintain and improve the ISMS
► Corrective and preventive actions
► Ensure improvements achieve their intended objectives
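The implementation steps on pages 35 and 36 (identify assets, threats, vulnerabilities and impacts; analyse and evaluate the risks; select control objectives and controls; obtain management approval of the residual risks; prepare a Statement of Applicability) can be exercised on a small risk register. The following Python script is an added illustration and is not part of the deck: the 1 to 5 likelihood and impact scale, the acceptance level of 6, the sample risks and the reduction in likelihood assumed for each control domain are all constructed values; only the A.5 to A.15 domain names come from the ISO 27001:2005 structure slide.

```python
"""Risk assessment, risk treatment and Statement of Applicability (SoA).

Added illustration, not code from the slides. The 1-5 likelihood/impact
scale, the acceptance level, the sample risks and the control effectiveness
values are all constructed; only the Annex A domain names come from the deck.
"""
from dataclasses import dataclass, field

# Annex A (A.5 to A.15) control domains as listed on the ISO 27001:2005 structure slide.
ANNEX_A_DOMAINS = {
    "A.5": "Security policy",
    "A.6": "Organization of Information Security",
    "A.7": "Asset management",
    "A.8": "Human resources security",
    "A.9": "Physical and environmental security",
    "A.10": "Communications & operations management",
    "A.11": "Access control",
    "A.12": "Information systems acquisition, development and maintenance",
    "A.13": "Information Security incident management",
    "A.14": "Business continuity management",
    "A.15": "Compliance",
}

# Constructed risk acceptance criterion: management accepts scores <= 6 on a 1..25 scale.
RISK_ACCEPTANCE_LEVEL = 6


@dataclass
class Risk:
    """One row of the risk register: asset, threat, vulnerability and impact."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int      # 1 (negligible) .. 5 (severe), constructed scale
    # Annex A domains whose controls could treat the risk, mapped to the
    # assumed reduction in likelihood each would bring (constructed values).
    candidate_controls: dict = field(default_factory=dict)

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact


def treat_risk(risk: Risk, acceptance_level: int = RISK_ACCEPTANCE_LEVEL) -> dict:
    """Evaluate treatment options: accept when within appetite, otherwise
    select the strongest candidate controls until the residual score is within
    appetite. A residual still above appetite is flagged for management
    approval (the 'proposed residual risks' step on the slide)."""
    if risk.inherent_score <= acceptance_level:
        return {"option": "accept", "controls": [], "residual": risk.inherent_score}
    likelihood, selected = risk.likelihood, []
    for domain, reduction in sorted(risk.candidate_controls.items(), key=lambda kv: -kv[1]):
        selected.append(domain)
        likelihood = max(1, likelihood - reduction)
        if likelihood * risk.impact <= acceptance_level:
            break
    residual = likelihood * risk.impact
    option = "mitigate" if residual <= acceptance_level else "needs management approval"
    return {"option": option, "controls": selected, "residual": residual}


def statement_of_applicability(risks: list, acceptance_level: int = RISK_ACCEPTANCE_LEVEL) -> dict:
    """Build the SoA: each Annex A domain, whether it was selected, and the
    assessed risks that justify the selection."""
    soa = {code: {"name": name, "applicable": False, "justification": []}
           for code, name in ANNEX_A_DOMAINS.items()}
    for risk in risks:
        for domain in treat_risk(risk, acceptance_level)["controls"]:
            soa[domain]["applicable"] = True
            soa[domain]["justification"].append(f"{risk.asset}: {risk.threat}")
    return soa


# Constructed sample register for the worked example.
SAMPLE_RISKS = [
    Risk("Customer database", "access by former staff", "access rights not removed on termination",
         likelihood=4, impact=5, candidate_controls={"A.8": 2, "A.11": 2}),
    Risk("Public website", "service outage from unpatched software", "no process for applying vendor patches",
         likelihood=3, impact=3, candidate_controls={"A.12": 1}),
    Risk("Office printer", "paper jam", "old hardware", likelihood=5, impact=1),
    Risk("Backup tapes", "loss in transit", "media not encrypted",
         likelihood=2, impact=5, candidate_controls={"A.10": 1}),
    Risk("Legacy mainframe", "hardware failure", "no spare hardware or continuity plan",
         likelihood=3, impact=5, candidate_controls={"A.14": 1}),
]

if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        plan = treat_risk(risk)
        print(f"{risk.asset:18} inherent={risk.inherent_score:2} -> {plan['option']} "
              f"controls={plan['controls']} residual={plan['residual']}")
    for code, entry in statement_of_applicability(SAMPLE_RISKS).items():
        print(f"{code:5} {entry['name']:62} applicable={entry['applicable']} {entry['justification']}")
```

Running the script prints one treatment line per register entry and the SoA. The "Legacy mainframe" entry is the case the slide calls "obtain management approval of the proposed residual risks": the only candidate control leaves the residual score above the acceptance level, so the plan is reported as needing management approval rather than silently marked mitigated. Domains that no assessed risk selects remain "not applicable" in the SoA, with the justification list empty.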

Page 37: Iso


Structure of ISMS

Electronic
► Stand alone
► Intranet

Manual
► Paper

Consider how to control
► Distribution
► Updates
► Authorization

Page 38: Iso


Is the organization ready for an ISO 27001:2005 audit?

Ensure
► All clauses 4 to 8 defining the set of processes for the ISMS are implemented
► Appropriate controls from A.5 to A.15 are implemented

Page 39: Iso


Final steps in implementation

Training
► Initial awareness
► Ongoing
► Specific policies

Internal ISMS audits
► Competent auditors (internal/external)
► Audit process and reporting

Management review
► Regular basis
► Scope remains adequate
► Improvements in ISMS process are identified

Page 40: Iso


Re-evaluating the system

Risk assessment and risk treatment are not one-off events

ISMS should identify how the system is to be re-evaluated and updated

Page 41: Iso


Assessment time requirements

Depends on a variety of factors
► Size of scope of activities covered by assessment
► Number of sites within scope
► Business function within scope
► Other certifications may be taken into account
  ► E.g. ISO 9001:2000

Page 42: Iso


Assessment and certification

Stage 1 – Documentation audit
► Generally conducted on site
► Examines the ISMS framework for compliance with ISO 27001:2005
► Looks at policy, scope, risk management, selection of controls and statement of applicability
► Auditors will probably not look in depth at specific procedures, but will expect adequate ‘sign-posting’ to standards, procedures and work instructions

Stage 2 – Implementation audit
► Follow up non-conformities from Stage 1 – Documentation audit
► Verify implementation and operation of the ISMS
  ► More focused
  ► Drill down

The Assessment Team Leader makes a recommendation but does not make the final decision on certification; the decision is confirmed by the office.

Page 43: Iso


Certification

A certificate will be issued for ISO 27001 certification

The certificate is valid for a period of three years, excepting suspension, withdrawal or cancellation.

The certificate carries wording relating to scope and a reference to the Statement of Applicability (SOA) available at the time of assessment

Continuing surveillance audit
► The certification body carries out a surveillance audit, generally twice per year
► Aims to cover the scope of certification over a three year cycle
► Intermediate audits (i.e. Special Visits) may be carried out

At the end of this period the certification body can extend the certificate for a new period of three years, on condition of a positive re-assessment

Page 44: Iso


Implementation challenges

Mindset about Information security as Information technology security

Implementation of security controls across departments other than IT

Security awareness training

Adopting the right methodology for risk assessment

Investment decisions/ budget constraints

Resistance in terms of added documentation

Implementation delays due to work overload, cost deduction and lack of top management involvement

Identification of CISO, where the company has a small or medium size IT team - Independence of CISO from IT team

Exception process

Managing existing contracts and agreements

Change in scope of certification

Resignations / change at the top management

