ISACA Lithuania Chapter (180), June meeting
ISMS Implementation Pitfalls & Misconceptions
Jatin Sehgal, Quality Manager, EY CertifyPoint
2010-06-16
Agenda
• 01 Introduction to ISO/IEC 27003:2010
• 02 Completing the Deming Cycle (Plan-Do-Check-Act)
• 03 Achieving performance during ISMS implementation
• 04 Defining scope & boundaries of the ISMS
• 05 Challenges faced by organizations when implementing an ISMS
• 06 Common pitfalls and mistakes in ISMS implementation
ISO 27003:2010 - Introduction
This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. Structure of the standard:
• Introduction
• Scope
• Terms and definitions
• Obtaining management approval for initiating an ISMS project
• Defining ISMS scope, boundaries and ISMS policy
• Conducting information security requirements analysis
• Conducting risk assessment and planning risk treatment
• ISMS improvement
• Designing the ISMS
• Appendix A: Checklist description
• Appendix B: Roles and responsibilities for information security
• Appendix C: Information about internal auditing
• Appendix D: Structure of policies
• Appendix E: Monitoring and measuring
The Deming Cycle – Plan, Do, Check, Act
(Figure: the four phases Plan, Do, Check and Act arranged as a continuous cycle.)
Information Security Management System
• A management system is a proven framework for managing and continually improving an organization's policies, procedures and processes.
• An ISMS is the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security.
• A management system is the means by which business processes stay aligned with the business and remain repeatable. Combined with the information security objectives, the ISMS is defined using a Plan-Do-Check-Act cycle.
• Plan-Do-Check-Act is a cyclical process.
• With each iteration you can expand the policy and objectives, and the scope of the ISMS.
Information Security Management System
• Documentation requirements
  • A successful ISMS meeting the requirements of ISO 27001:2005 requires documentation.
  • If an organization is planning to become certified, documentation will be essential.
  • Certifying bodies performing audits use documentation as an integral component of the certification process.
  • This is where many companies fail!
• Management requirements
  • ISO/IEC 27001:2005 defines specific management responsibilities and requirements.
  • These include commitment to the ISMS, resource management, and training, awareness and readiness.
  • Management needs to understand the key role they play in a successful ISMS.
• Information security control requirements
  • Based on the outcome of the information security risk assessment and management decisions (expectations).
The ISMS in More Detail
Plan – Establish the ISMS
• Define the scope & boundaries
• Define the ISMS policy
• Define the risk assessment approach
• Identify and assess risks
• Evaluate options for treatment of risks
• Select controls (Annex A)
• Obtain management approval
• Prepare a Statement of Applicability
Do – Implement and operate the ISMS
• Formulate and implement the risk treatment plan
• Implement the selected controls
• Implement training and awareness programs
• Manage operation of the ISMS
• Manage resources for the ISMS
• Implement procedures for detecting and handling security incidents
Check – Monitor and review the ISMS
• Execute monitoring procedures
• Review and measure the effectiveness of the ISMS
• Conduct internal ISMS audits
• Undertake management review
• Update security plans
• Record actions and events that impact the ISMS
Act – Maintain and improve the ISMS
• Implement identified improvements
• Take corrective and preventive actions
• Communicate actions and improvements
Management framework: documentation levels relating to ISO 27001:2005 Requirement 4 (ISMS design)
• Level 1 – ISMS policy, scope, risk assessment, Statement of Applicability
• Level 2 – Policies/procedures: describe processes – who, what, when, where (4.1–4.10)
• Level 3 – Work instructions, checklists, forms, etc.: describe how tasks and specific activities are done
• Level 4 – Records (clause 3.6): provide objective evidence of compliance with ISMS requirements
(Introduction to Information Security Management System, part 3)
Achieving performance during ISMS implementation
• Spend time to clearly define the scope & boundaries of the ISMS.
• Develop an ISMS project plan and get it approved by management.
• Identify quick-win solutions and do not wait for the release of the ISPP.
• Keep a gap between the release date and the effective date of the ISMS to identify opportunities for improvement.
• Keep management involved at each step and define critical success factors.
• Categorize implementation of security controls by "High", "Medium" and "Low" priority.
• Identify implementation interdependencies at an early stage and prioritize accordingly.
• Keep pace with changes in the security environment that might affect implementation.
• Treat it like a formal security project.
• Arrange workshops and awareness sessions and prepare communication strategies to spread knowledge from the beginning.
• Secure the required resources for the project before initiating it.
Defining Scope & Boundaries of the ISMS
(Figure: four dimensions of ISMS scope.)
• Location: office buildings, rooms, remote locations, sites, etc.
• Organization & structure: departments, business processes, roles, etc.
• Enterprise assets: hardware, software, people, services, etc.
• Technology: applications, servers, network infrastructure, domains/security zones, etc.
Challenges faced by organizations when implementing an ISMS
• Lack of management commitment (inadequate governance/enforcement) and budget;
• Bringing about cultural change in the organization (resistance by employees, or security seen as an additional burden);
• Lack of skilled resources;
• Unclear or unrealistic scope and boundaries of the ISMS (confusion over where to start and where to stop);
• Legacy systems hindering the implementation of security controls;
• Confusion over whether processes should be automated or manual;
• Too many tools to choose from, but none fitting the exact requirements;
• Fear of losing operations, leading to sluggish progress;
• Lack of clarity about the end results;
• Roles not clear to employees;
• Lack of knowledge of risk exposures or of changes to the risk appetite;
• Lack of ownership & integration among the various (in-scope) departments;
• A perception of the ISMS as a highly complex system and a seemingly huge task;
• Too many versions of the same document, resulting in confusion.
Common Pitfalls
• Pressure to go for certification immediately after the implementation of an ISO 27001 ISMS;
• Losing sight of the mandatory requirements of ISO 27001:2005;
• Written policies and procedures that are not mapped to the SoA and ISMS requirements;
• Risk assessment results not linked with the selection of controls;
• Evidence of management support that is insufficient or unclear;
• Security policies that are vague (too high level) or too complex;
• Lack of understanding of security responsibilities and management intent;
• Lack of resources for ISMS implementation, leading to an unmanageably long project;
• No way of fully understanding the security program's deficiencies, and no standardized way of improving upon them;
• Lack of knowledge of applicable regulations, laws or policies;
• Relying fully on technology, or fully on manual procedures, for all security solutions;
• A "fire alarm" approach to breaches instead of a calm, proactive and detective approach;
• A false sense of security with an undercurrent of confusion;
• Lack of integration with business processes;
• Bypassing policies and taking exceptions, losing the spirit of the ISMS.
Ernst & Young CertifyPoint
Thank You
Jatin Sehgal
+31 6 2908 4825
Jatin.sehgal@nl.ey.com