CHALLENGES OF AN ISMS IMPLEMENTATION
VIJANDRAN RAMASAMY - CISSP
INFORMATION SECURITY OFFICER
ISM INSURANCE SERVICES MALAYSIA BERHAD
AGENDA
Certification Program at ISM
Common Problems Faced
Key Concerns on the Current Standard
Critical Success Factors
Recommendations
Resources
BUSINESS FOCUS FOR ISM
ISM Insurance Services Malaysia Berhad is the leading provider of insurance and takaful shared services in the region.
ISM Knowledge Management System (ISM-KMS)
ISM Fraud Management System (ISM-FMS)
ISM Electronic Exchange System (ISM-EES)
ISMS STANDARD
The ISO/IEC 27001:2005 International Standard establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.
The control objectives and controls of this International Standard are intended to be implemented to meet the requirements identified by a risk assessment.
PURPOSE OF ISMS
To protect ISM Insurance Services Malaysia Berhad (ISM) from adverse impact on its reputation and operations that could result from failures of Confidentiality, Integrity and Availability.
Information security is the preservation of “C-I-A”.
SCOPE OF CERTIFICATION FOR ISMS
The ISMS scope is for the entire operations of ISM. ISM is made up of 5 functional units:
1. Actuarial & Statistical Services
2. Administration & Accounts
3. Anti-Fraud Services
4. IT Services
5. Research & Development Services
ISMS CONTROL OBJECTIVES AND CONTROLS
There are in total 11 control objectives and 133 individual controls. For ISM, it has been determined that 131 controls are applicable for our organization.
ISMS CONTROL OBJECTIVES
Security Policy (1)
• Management direction and support
Organization of Information Security (2)
• Infrastructure, third party access and controlling security of outsourced information processing
Asset Management (3)
• Identifying, classifying and protecting assets and information
Human Resources Security (4)
• Addressing roles and responsibilities, screening, training, disciplinary process, termination.
Physical and Environmental Security (5)
• Managing physical access to prevent loss, damage, theft, compromise.
Communications and Operations Management (6)
• Ensuring correct and secure operations in computer and network systems, third party services, media (disks), electronic messaging, monitoring.
Access Control (7)
• Controlling access to information, enforced by controlling and monitoring access rights to networked devices, operating systems, applications, both directly on the organization’s network and via remote access.
Information Systems Acquisition, Development and Maintenance (8)
• Building security into information systems.
Information Security Incident Management (9)
• Damage control, reporting, collecting evidence.
Business Continuity Management (10)
• Counteracting interruptions and minimizing their impact.
Compliance (11)
• Avoiding breaches of law, regulatory or contractual requirements.
CERTIFICATION PROGRAM AT ISM
One of the key initiatives set by the Board of Directors.
Balancing the need for accessibility and the preservation of “C-I-A”.
Comprehensive insurance databases require clearly defined security responsibilities that establish accountability.
Set as a Key Performance Indicator (KPI) for the organization.
CERTIFICATION PROGRAM AT ISM
December 2005 – Program Start.
August 2006 – Stage 1 Audit by SIRIM.
September 2006 – Stage 2 Audit by SIRIM.
November 2006 – Obtained ISMS certification in accordance with ISO/IEC 27001:2005.
CONSIDERATIONS FOR OBTAINING ISMS CERTIFICATION
Obtaining senior management commitment.
Setting the ISMS scope.
Personnel awareness and training.
No magic bullet/formula.
Asset identification and classification.
Implementation flaws.
Risk assessment.
Resources.
VENDOR SELECTION CRITERIA
Service fee structure.
RFP scope requirements.
Technology infrastructure.
Organization track record – customer base.
Other factors – ISMS certified.
ISMS IMPLEMENTATION CONCEPT
PLAN-DO-CHECK-ACT
The PDCA model was adopted to provide a systematic approach to developing, implementing and improving the ISMS.
PHASE 1: ISMS PLANNING
ISMS Certification Road Map
• Certification Roadmap
Establish Roles
• Information Security Forum
• ISMS Steering Committee
• ISMS Secretariats
• ISMS Internal Auditor
• ISMS Implementation Team
Develop Security Policy
• ISMS Policy
• Information Security Policy
Training & Awareness on ISO/IEC 27001:2005
• ISMS Awareness Training
• Security Awareness Training
• ISO/IEC 27001:2005 Implementation Course
• ISO/IEC 27001:2005 Lead Auditor Course
PHASE 2: ISMS IMPLEMENTATION
Scoping & Definition of ISMS
• ISMS Scope Statement
• ISMS Scope Document
• ISMS Statement of Applicability
Gap Analysis
• Gap Analysis Report
Risk Assessment & Treatment
• IS Risk Assessment Methodology
• IS Risk Assessment Report
• Risk Treatment Plan
Implement Controls & Procedures
• Develop relevant policies & procedures
• Develop security metrics
Internal Audit, Corrective & Preventive Action
• Internal Audit Report
• Corrective Action
• Preventive Action
• Records Maintenance
Management Review
• Review on ISMS Effectiveness
PHASE 3: ISMS CERTIFICATION
Application → Stage 1 Audit (Documentation Audit) → Stage 2 Audit (Onsite Audit) → Certification (Certified)
Application for Certification to SIRIM
PHASE 4: ISMS MAINTENANCE AND CONTINUOUS IMPROVEMENT
Enhance security controls and implementation.
Evaluation of controls effectiveness.
Measurement of effectiveness of controls.
Enhance security metrics.
COMMON PROBLEMS FACED
Lack of understanding of the requirements.
Unrealistic or impractical scoping.
Resource allocation.
Inadequate enforcement.
Security is not well integrated into current management systems or processes.
Keeping the ball rolling.
KEY CONCERNS ON THE CURRENT STANDARD
Control-driven, extensive elaboration on control implementation.
• Lose sight of some of the mandatory requirements in ISO/IEC 27001:2005
Tendency for individual interpretation of the standard; different auditors may have different focus and expectations.
KEY CONCERNS ON THE CURRENT STANDARD
Efficient method for security risk assessment is still lacking.
Lack of guidance on security metrics measurement.
• How do I measure effectiveness of ISMS?
• How do I define the desired state of my ISMS?
• How do I benchmark my ISMS implementation?
CRITICAL SUCCESS FACTORS
Senior management commitment – resources, funding, time, people.
Seamless integration of ISMS into current management systems.
Proper assurance and governance framework established.
Balancing of business and security requirements.
POST-IMPLEMENTATION IMPROVEMENTS
Account Management – SUM
Site-To-Site VPN (STS-VPN)
High availability and load balancing of ISM computer and communication systems.
Development of applications based on SDLC as per ISMS control objective.
Implementation and testing of disaster recovery plans.
Establishment of DRC site.
RECOMMENDATIONS
Guidance on effective ISMS scoping.
Interrelate to other standards and regulatory compliance (e.g. ITIL, GPIS-1, SOX, Basel II, etc.).
Supplement ISO/IEC 27001:2005 with more implementation guidance, especially in the areas of security metrics and measurement, and risk assessment.
Provide a more objective way of measurement based on a security maturity model or progressive improvement.
ISO/IEC 27003 – Working Draft for ISMS Implementation Guidance.
RESOURCES
Here are a few good resources to check when considering ISMS implementations and certifications:
www.irca.org
www.iso27001security.com
www.iso27001certificates.com
www.sirim.my/iscg