Information Security Management System 30 April 2012
Introduction
This session will present the key concepts related to:
• Information
• Information Security
• Information Security Management System (ISMS)
• ISMS Principles
• ISMS Implementation
• Critical Success Factors
• Relevant International Standards
Information – an Intangible Entity
• Information in itself is an intangible entity. It does not have a ‘physical’ form but exists as:
  • Conversation
  • Visuals
  • Impressions/Memories
  • Songs, Movies, etc.
  • Personal/Organizational data and information about the past and present (and future predictions/forecasts…)
  • Quantitative data and analysis about the business
  • Qualitative analysis, etc.
Information – Business Context Analysis
[Diagram: Data → Processing → Information → Business Intelligence]
• Business Intelligence: Collection of tools and systems and, more importantly, the corporate information managed by such systems – used to aid in the strategic planning and decision-making process.
• Information: Data that is accurate, specific and organized for a purpose, presented within a context that gives it meaning and relevance.
• Data: Collection of facts from which conclusions may be drawn.
Information – Container / Medium
• Information in itself is an intangible entity. It can exist only either in stored form or while in transmission.
• Stored in a ‘Container’:
  • Paper (printed or written)
  • Tapes, diskettes and CD-ROMs
  • Recorded conversations / video
  • Electronic records
  • PDAs / phones / computers
  • Databases, computer files
  • Waste bin
Information – Container / Medium
• Transmitted via a ‘Medium’ (or a channel):
  • Verbal (spoken and listened to)
  • Visual
  • Converted and transmitted electronically:
    • Voice transmission via phone, intercom, etc.
    • Data transmission via leased lines, etc.
    • IP-based data transmission via DSL, wireless, WiMax, etc.
  • Physical movement of paper or other storage media
• Information can exist only while in transmission or when stored.
• Information needs to be secured while in transmission and when stored.
Information – A Valuable Asset Requiring Protection
• Information is a most valuable asset for a business. Like any other business asset:
  • It is valuable only if it can be used for value creation
  • It requires proper management
  • It needs to be protected
• Without suitable protection, information can be:
  • Given away, leaked or disclosed in an unauthorized way
  • Modified without your knowledge to become less valuable
  • Lost without trace or hope of recovery
  • Rendered unavailable when needed
Information Security – Types of Information
All organizations collect, process, store, and transmit large amounts of information, which can be classified as:
• Internal: Information that you would not want your competitors to know.
• Customer/client/supplier: Information that these entities would not wish you to divulge.
• Shared: Information that needs to be shared with partners.
Information Security – Dimensions
Information Security is characterized as the preservation of the following properties of information assets:
• Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
• Integrity: The property of safeguarding the accuracy and completeness of assets.
• Availability: The property of being accessible and usable upon demand by an authorized entity.
Information Security – Key Management Requirements
Formal management of information security is required to:
• Satisfy the security requirements of customers and other stakeholders
• Improve an organization's plans and activities
• Meet the organization's information security objectives
• Comply with regulations, legislation and industry mandates
• Manage information assets in an organized way to facilitate:
  • Continual improvement
  • Adjustment to current organizational goals and to the environment
Information Security Management System (ISMS)
• Information: Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
• Information Security: Information Security is the preservation of confidentiality, integrity and availability of the information assets of an organization.
• Information Security Management System (ISMS): The ISMS is that part of the overall management system, based on a business risk approach, that serves to establish, implement, operate, monitor, review, maintain and improve information security.
• Elements of a Management System:
  • Security organization structure
  • Security policy and procedures
  • Resources with roles and responsibilities
  • Testing and sustenance
Information Security is a management process, not a technological process.
Information Security Management System (ISMS) - Definition “An Information Security Management System (ISMS) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives based upon a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks”. (ref ISO 27000)
ISMS Principles (ref ISO 27000)
ISMS Implementation - Key Elements
• The following elements need to be provided for a proper implementation of a successful ISMS:
  • Organizational structure
  • Policies
  • Planning activities
  • Responsibility assignment
  • Processes
  • Procedures
  • Standards and guidelines
  • Resources
• The ISMS needs to be appropriate for the size and complexity of the organization (it should not translate into unreasonably high costs and efforts).
ISMS Implementation - Organizational Roles & Responsibilities / Ownership (Example)
[Diagram: example mapping of ownership across the following areas]
• Business Objectives
• Strategy (including IT and Information Security)
• Business Continuity Management
• Automated Application Controls
• Logical Access Control
• Data Encryption and Security
• Secured Firewall Configuration
• Network Security Architecture
• Proper Network Zoning
ISMS Implementation
• The ISMS is implemented by successful completion of the following steps:
  • Identify information assets and associated security requirements
  • Assess information security risks
  • Select and implement relevant controls
  • Monitor, maintain and improve the effectiveness of the security controls associated with the organization's information assets
• Controls are required to be specified, implemented, monitored and reviewed.
• Controls should be integrated with the business processes.
ISMS Implementation - Process Approach - PDCA
• Plan: Establish the ISMS
  Establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
• Do: Implement and operate the ISMS
  Implement and operate the ISMS policy, controls, processes and procedures.
• Check: Monitor and review the ISMS
  Assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and report the results to management for review.
• Act: Maintain and improve the ISMS
  Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
ISMS – Key Critical Success Factors
• IS policies are aligned with objectives
• IS approach and framework is established and monitored
• Management buy-in and commitment
• Understanding of information asset protection via risk assessment
• Effective IS awareness
• Effective incident management process
• Effective business continuity management
• Performance measurement mechanism
ISMS – Recap: Information Security Management System (ISMS)
• Information Managed as an Asset: Creation, Processing, Transmitting, Protection, Destruction
• Information Security: Confidentiality, Integrity, Availability
• Information Security Management: Direct, Control, Improve
• Elements of IS Management System: Org Structure, PPPs, Resources, Responsibilities
• Process Approach: Plan, Do, Check, Act
Relevant International Standards
• A family of standards (ISO 270xx) has been established by ISO/IEC to provide comprehensive guidance on the subject of ISMS.
• ISO 27001 and ISO 27002 are the most important and well-known standards; they are used as the primary reference for IS requirements and code of practice by all organizations wanting to implement an ISMS.
• Other ISO 270xx standards address various other aspects of establishing and maintaining a successful ISMS.
ISO 27001 Standard – 11 Domains, 39 Control Objectives, 133 Controls
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resource Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
ISO 27001 Certification
• Establish Information Security Management
  • Design and implement the ISMS, train the relevant employees, and create security awareness leading to an improved information security environment throughout the organization.
  • Prepare all the needed documentation as per the ISO standard. This usually requires support from independent information security professionals.
• ISO Certification
  • Stage 1: Preliminary, informal review of the ISMS to check key documentation such as the IS policy, Statement of Applicability (SOA) and Risk Treatment Plan (RTP), etc.
  • Stage 2: Formal compliance audit of the ISMS against the requirements specified in ISO/IEC 27001. Certification audits are conducted by ISO/IEC 27001 Lead Auditors. This results in an ISO certificate issued by a certification registrar.
  • Stage 3: Follow-up reviews and audits to confirm that the organization remains in compliance with the standard. Annual reassessment audits are part of the certification maintenance requirement.
ISO Family
• ISO/IEC 27000: describes the fundamentals of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.
• ISO/IEC 27001: provides normative requirements for the development and operation of an ISMS, including a set of controls for the control and mitigation of the risks associated with the information assets which the organization seeks to protect by operating its ISMS.
• ISO/IEC 27002: provides guidance on the implementation of information security controls.
• ISO/IEC 27003: will provide a process-oriented approach to the successful implementation of the ISMS in accordance with ISO/IEC 27001.
• ISO/IEC 27004: will provide a measurement framework allowing an assessment of ISMS effectiveness to be measured in accordance with ISO/IEC 27001.
• ISO/IEC 27005: provides guidance on implementing a process-oriented risk management approach to assist in satisfactorily implementing and fulfilling the information security risk management requirements of ISO/IEC 27001.
• ISO/IEC 27006: supplements ISO/IEC 17021 in providing the requirements by which certification organizations are accredited, thus permitting these organizations to provide compliance certifications consistently against the requirements set forth in ISO/IEC 27001.
ISO Family
• ISO/IEC 27007: will provide guidance to organizations needing to conduct internal or external audits of an ISMS or to manage an ISMS audit program against the requirements specified in ISO/IEC 27001.
• ISO/IEC 27011: provides telecommunications organizations with an adaptation of the ISO/IEC 27002 guidelines unique to their industry sector, which is additional to the guidance provided towards fulfilling the requirements of ISO/IEC 27001.
• ISO 27799: provides health organizations with an adaptation of the ISO/IEC 27002 guidelines unique to their industry sector, which is additional to the guidance provided towards fulfilling the requirements of ISO/IEC 27001, Annex A.
Always remember. . . There is no secUrity without you