ADDRESSING CORPORATE CONCERNS
ON
INFORMATION SECURITY MANAGEMENT
WITH ISO 17799/BS 7799
Ajai K. Srivastava, G.M. Marketing
BSI India
Presentation Outline
1. The Global Information Village
2. The Need for Protection
3. BS 7799 – An Overview
4. Implementing an ISMS based on BS 7799
5. Benefits of using BS 7799
www.bsiindia.com
1. THE GLOBAL INFORMATION VILLAGE
The Paradigm Shift in the Nature of Information
INDUSTRIAL ECONOMY
– Information as noun
– Static: e.g. memo, financial report, etc.
– Automation: an idiot savant, assisting in managing repetitive discrete steps
INFORMATION ECONOMY
– Information as verb
– Dertouzos: “information work”, e.g. designing a building
– Dominates the terrain; 50 to 60% of an industrialised country’s GNP
THE DIGITAL NERVOUS SYSTEM
[Figure: the Digital Nervous System, linking Strategic Thinking, Business Reflexes, Basic Operations and Customer Interaction]
BUSINESS @ THE SPEED OF THOUGHT
INFORMATION FLOW IS THE LIFEBLOOD OF YOUR BUSINESS
Information tends to be the most undervalued asset a business has.
Information can directly affect the most valuable asset a business has: IMAGE.
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”
ISO/IEC 17799:2000
2. THE NEED FOR PROTECTION
Information Security
[Figure: INFORMATION at the centre, with ATTACK arrows coming from every direction]
Typical Technology Responses
[Figure sequence: INFORMATION under a growing number of ATTACK arrows, with Information Security labelled on each slide; the final slide shows INFORMATION and Information Security with no attack arrows]
Management System – Building Blocks
[Figure: Total Business Management System built from Inputs, Core Processes, Outputs, Support Processes, Management and Resource]
Business Management System
[Figure: one Business Management System covering Quality, Environment, Health and Safety, Risk, Information Security, People and Improvement]
Business Management System – BSI IMS
Area         Standard(s)
Risk         BSI Risk Mgmt
H & S        OHSAS 18001
Improvement  ISO 9004
Customers    BS 8600
Info Sec     BS 7799
Environment  ISO 14001
Quality      ISO 9001:2000; QS-9000 / TS 16949; AS9000 / AS9100; TL9000
Management Systems & Standards
[Figure: standards arranged by Stakeholders Involved (vertical axis) against Increasing Aspects Covered (horizontal axis): ISO 9001 Quality Management; ISO 14001 Environmental Management; OHSAS 18001 Health and Safety Management; ISO 17799 Information Security Management; ISO 9004 Performance Improvement – All Interested Parties]
Managing your Risks
Information Security Assurance – 3 different layers
• PRODUCT LEVEL ASSURANCE – e.g. firewall: the product is fit for its purpose
• PROCESS LEVEL ASSURANCE – e.g. credit card transactions: robust processes to protect interested parties
• MANAGEMENT SYSTEM LEVEL ASSURANCE – e.g. ISMS: systemic, proactive responses aligned to business objectives to protect ALL stakeholders: management, employees, customers, suppliers, users, regulatory, etc.
The Virtuous M S Spiral
[Figure: Commitment and Policy → Planning → Implementation and Operation → Checking and Corrective Action → Management Review, spiralling into Continual Improvement]
ISMS – Your Competitive Edge
Information Security Management must be viewed as a strategic dimension of your business.
Managing risks to information assets to:
– Protect brand
– Retain customers, and
– Enhance market capitalization
Critical Security Concerns
VIRUSES – 22%
HACKERS – 21%
R.A. CONTROLS – 17%
INTERNET SECURITY – 17%
DATA PRIVACY – 10%
Source: The First Global Information Security Survey – KPMG 2002
What is the damage – QUANTIFIABLE
The average direct loss of all breaches suffered by each organization is USD 108,000 (GBP 30,000; INR 500,000).
What is the damage – INCALCULABLE
The loss of: productivity, recovery costs, customers, market capitalisation, shareholder value, credibility
Common Myths About Information Security
Myth 1: Information Security is the concern and responsibility of the MIS/IT manager
Myth 2: Security threats from outsiders are the greatest source of risks
Myth 3: Information Security is assured by safeguarding networks and the IT infrastructure
Myth 4: Managing people issues is not as important
Myth 5: Adopting the latest technological solutions will increase security
3. BS 7799 – AN OVERVIEW
What is Information Security
ISO/IEC 17799:2000 defines this as the preservation of:
– Confidentiality: ensuring that information is accessible only to those authorized to have access
– Integrity: safeguarding the accuracy and completeness of information and processing methods
– Availability: ensuring that authorized users have access to information and associated assets when required
(ISO/IEC 17799:2000)
ISO/IEC 17799?
What it is:
– An internationally recognized structured methodology dedicated to information security
– A defined process to evaluate, implement, maintain, and manage information security
– A comprehensive set of controls comprised of best practices in information security
– Developed by industry for industry
What it is not:
– A technical standard
– Product or technology driven
– An equipment evaluation methodology (such as the Common Criteria/ISO 15408)
– Related to the "Generally Accepted System Security Principles," or GASSP
– Related to the five-part "Guidelines for the Management of IT Security," or GMITS/ISO TR 13335
What does it comprise?
– ISO/IEC 17799:2000 – Code of Practice for Information Security
– BS 7799-2:2002 – Specification for information security management systems
BS 7799-2:2002 (Plan – Do – Check – Act)
Plan
• Define ISMS scope and policy
• Define a systematic approach to risk assessment
• Identify the risks
• Apply the systematic approach for assessing the risks
• Identify and evaluate options for the treatment of risk
• Select control objectives and controls for the treatment of risks
Do
• Implement a specific management program
• Implement controls that have been selected
• Manage operations
• Manage resources
• Implement procedures and other control processes
Check
• Execute procedures and other controls
• Undertake regular reviews of the effectiveness of the ISMS
• Review the level of residual risk and acceptable risk
• Execute the management procedure
• Record and report all actions and events
Act
• Measure performance of the ISMS
• Identify improvements in the ISMS and effectively implement them
• Take appropriate corrective and preventive action
• Communicate the results and actions and consult with all parties involved
• Revise the ISMS where necessary
• Ensure that the revisions achieve their intended objectives
BS 7799 – 10 Domains of Information Management
– System Development
– Access Controls
– Asset Classification and Controls
– Information Security Policy
– Security Organisation
– Personnel Security
– Physical Security
– Continuity Planning
– Compliance
– Communications Management
4. IMPLEMENTING AN ISMS BASED ON BS 7799
BS 7799 Registrations Around the Globe
Region        Number of Certificates
Australia     5
Austria       2
Brazil        2
China         5
Egypt         1
Finland       8
Germany       8
Greece        2
Hong Kong     7
Hungary       3
Iceland       1
India         13
Ireland       3
Italy         11
Japan         34
Korea         11
Malaysia      1
Mexico        1
Norway        7
Singapore     9
Spain         1
Sweden        4
Switzerland   1
Taiwan        4
UAE           1
UK            91
USA           3
Total         239
BS 7799 Registrations In India
Sl. No. Name of Company
1 Churchill India (P) Ltd, New Delhi
2 Cognizant Technology Solutions, Chennai
3 Hughes Software System, Gurgaon
4 ICICI OneSource Limited
5 Larsen & Toubro Ltd, Mumbai and Vadodara
6 Mascot Systems Ltd.
7 Satyam Computer Systems, Secunderabad
8 Shipara Technologies Ltd
9 ST Microelectronics Ltd, Noida
10 Tata Iron and Steel Company Ltd
11 Wipro Technologies
12 Xansa
13 Xansa (India) Ltd
Building a Management System
[Figure: the Management System Build Process shared between BSI, Consultant and Client: INPUT – client business awareness; Develop; Measure/Analyse Progress; OUTPUT – BSI certification and business improvement]
Initiating BS 7799 Implementation
Step 1 ISMS – Defining Policy & Organization Structure
Step 2 ISMS – Defining the Scope
Step 3 ISMS – Risk Assessment
Step 4 ISMS – Risk Management
Step 5 ISMS – Choosing Controls
Step 6 ISMS – Statement of Applicability
Risk Assessment and Risk Management Process
Risk Assessment
– Asset identification and valuation
– Identification of vulnerabilities
– Identification of threats
– Evaluation of impacts
– Business risks
– Review of existing security controls
– Rating/ranking of risks
Risk Management
– Identification of new security controls
– Policy and procedures
– Implementation and risk reduction
– Risk acceptance (residual risk)
– Gap analysis
– Degree of assurance
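The assessment and management steps on this slide, and the Step 3 to Step 6 sequence of the implementation slide before it, worked through in code as an added example; it is not part of the presentation or of BSI's material. The 1–5 scales for asset value, likelihood and impact, the multiplicative rating, the per-control effectiveness factors, the acceptance threshold of 20 and the CTRL-* control ids are all assumptions chosen for illustration, not the standard's own method or numbering. It goes slightly beyond the slide by also producing the Statement of Applicability and the list of residual risks that still need formal acceptance.

```python
"""Added example: risk assessment / risk management on constructed data.
The 1-5 scales, multiplicative rating, control effectiveness factors,
acceptance threshold and CTRL-* ids are assumptions, not BS 7799's own."""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Asset:
    name: str
    value: int  # asset valuation, assumed 1 (low) .. 5 (critical)

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # assumed 1..5
    impact: int      # assumed 1..5
    existing_controls: List[str] = field(default_factory=list)   # reviewed, already in place
    candidate_controls: List[str] = field(default_factory=list)  # treatment options
    new_controls: List[str] = field(default_factory=list)        # filled in by treat_risk

# Constructed catalogue: placeholder id -> (description, fraction of the rating
# the control is assumed to remove once implemented).
CATALOGUE = {
    "CTRL-ACCESS": ("Role-based access control", 0.5),
    "CTRL-MALWARE": ("Anti-malware on all hosts", 0.6),
    "CTRL-BACKUP": ("Tested off-site backups", 0.7),
    "CTRL-PHYSICAL": ("Physical entry controls", 0.4),
    "CTRL-CRYPTO": ("Encryption of stored data", 0.5),
}
ACCEPTANCE_THRESHOLD = 20.0  # assumed: residual ratings at or below this are accepted

def inherent_risk(r: Risk) -> int:
    """Rating before controls: asset value x threat likelihood x impact."""
    return r.asset.value * r.likelihood * r.impact

def residual_risk(r: Risk) -> float:
    """Rating left after existing and newly selected controls are applied."""
    rating = float(inherent_risk(r))
    for cid in r.existing_controls + r.new_controls:
        rating *= 1.0 - CATALOGUE[cid][1]
    return round(rating, 2)

def treat_risk(r: Risk) -> List[str]:
    """Select candidate controls, most effective first, until the residual rating
    is acceptable; controls already in place are not selected again."""
    for cid in sorted(r.candidate_controls, key=lambda c: CATALOGUE[c][1], reverse=True):
        if residual_risk(r) <= ACCEPTANCE_THRESHOLD:
            break
        if cid not in r.existing_controls and cid not in r.new_controls:
            r.new_controls.append(cid)
    return list(r.new_controls)

def label(r: Risk) -> str:
    return f"{r.asset.name}/{r.threat}"

def rank_risks(risks: List[Risk]) -> list:
    """Rating/ranking: (risk, residual rating) pairs, highest first."""
    return sorted(((label(r), residual_risk(r)) for r in risks), key=lambda t: -t[1])

def gap_analysis(risks: List[Risk]) -> Dict[str, List[str]]:
    """Controls the treatment plan requires but that are not yet implemented,
    with the assets that need each one."""
    gaps: Dict[str, List[str]] = {}
    for r in risks:
        for cid in r.new_controls:
            if r.asset.name not in gaps.setdefault(cid, []):
                gaps[cid].append(r.asset.name)
    return gaps

def statement_of_applicability(risks: List[Risk]) -> Dict[str, str]:
    """Every catalogue control is recorded either as applicable (with the risks it
    addresses) or as excluded with a reason."""
    soa = {}
    for cid in CATALOGUE:
        users = [label(r) for r in risks if cid in r.existing_controls + r.new_controls]
        soa[cid] = ("Applicable: " + ", ".join(users)) if users else "Excluded: no identified risk requires it"
    return soa

def run_assessment(risks: List[Risk]) -> dict:
    """Treat every risk, then produce the ranking, gap analysis, SoA and the list
    of residual risks management must formally accept (still above threshold)."""
    for r in risks:
        treat_risk(r)
    return {
        "ranking": rank_risks(risks),
        "gaps": gap_analysis(risks),
        "soa": statement_of_applicability(risks),
        "accept": [label(r) for r in risks if residual_risk(r) > ACCEPTANCE_THRESHOLD],
    }

# Constructed sample register (not real data).
CUSTOMER_DB = Asset("customer database", value=5)
WEB_SERVER = Asset("public web server", value=3)
SAMPLE_RISKS = [
    Risk(CUSTOMER_DB, "unauthorised disclosure", "shared admin account", 4, 5,
         existing_controls=["CTRL-PHYSICAL"], candidate_controls=["CTRL-ACCESS", "CTRL-PHYSICAL"]),
    Risk(CUSTOMER_DB, "data loss", "no tested backups", 2, 5, candidate_controls=["CTRL-BACKUP"]),
    Risk(WEB_SERVER, "malware infection", "unpatched host", 3, 3,
         candidate_controls=["CTRL-MALWARE", "CTRL-ACCESS"]),
]

if __name__ == "__main__":
    print(run_assessment(SAMPLE_RISKS))
```

On the sample data the disclosure risk stays at 30 after the only available new control is applied, so it lands in the accept list: that is the point at which management either signs off the residual risk or funds further controls, and the gap analysis lists the three controls the plan now requires but which are not yet in place.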
BS 7799 Implementation
[Figure: Plan – Do – Check – Act cycle with the stages Security Organisation, Classify Assets, Information Security Policy, Apply the Controls, Operationalise Process, Check Process, Corrective Action and Management Review]
ISMS Documentation
Level 1  Security Manual: policy, scope, risk assessment, statement of applicability – management framework, policies relating to BS 7799-2
Level 2  Procedures – describe processes: who, what, when, where
Level 3  Work instructions, checklists, forms, etc. – describe how tasks and specific activities are done
Level 4  Records – provide objective evidence of compliance to ISMS requirements
Critical Success Factors
– Security policy that reflects business objectives
– Implementation approach is consistent with company culture
– Visible support and commitment from management
– Good understanding of security requirements, risk assessment and risk management
– Effective marketing of security to all managers and employees
– Providing appropriate training and education
– A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement
5. BENEFITS OF BS 7799
Benefits of BS 7799 certification
– Opportunity to identify and fix weaknesses
– Senior management take ownership of information security
– Provides confidence to trading partners and customers
– Independent review of your Information Security Management System
Key Challenges facing executives
– Enterprises must manage threats to information security across many fields, while attackers can choose to specialize in narrow fields of competence
– Fractured corporate response to such focused attacks
– To think precisely about the concept of threat in the security context of the organization
– Executives must develop non-traditional competencies in strategic risk management
– Executives must manage ENTERPRISE SECURITY PROACTIVELY