Page 1: 23.ISMS Presentation

Information Security Management System

Page 2

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

ISO/IEC 17799:2005

Information security protects three properties of information: Confidentiality, Integrity and Availability.

Page 3

Information Security Management is a top-down, business driven approach to the management of an organization's physical and electronic information assets in order to preserve their:

• confidentiality,
• integrity and
• availability.

Page 4

Increased dependence on information assets

Increased demand for information availability

Increased threats to information security

Page 5

Consequences of a Security Breach

• Destroy image
• Depress the value of the business
• Erode the "bottom line"; and
• Compromise future earnings.

Page 6

What is an ISMS?

An ISMS is the means by which management monitors and controls security, minimizing the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements.

Page 7

ISO 17799 & ISO 27001

ISO 17799:2005 – Information technology – Security techniques – Code of practice for information security management. Provides a comprehensive framework to guide and focus your efforts in building an Information Security Management System (ISMS).

ISO 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements. Provides a framework for a risk based security management system that can be independently certified.

Page 8

ISO 17799

An internationally recognized Code of Practice for information security management systems (ISMS)

A comprehensive framework to guide and focus your efforts in building an Information Security Management System

A collection of security best practices along with implementation guidance

Page 9

ISO 27001:2005

An internationally recognized requirements document for information security management systems

A framework for building a risk based security management system that can be independently certified

Page 10

At the centre of the ISMS are the Critical Information Assets, the Risk Assessment and the Risk Treatment. Around them sit the 11 security clauses:

• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance

11 Clauses, 39 Control Objectives, 133 Security Controls

Page 11

An Outline of ISO/IEC 17799/27001 Security Clauses

Legend: the clauses are grouped into Management Aspects, Technical Aspects and Physical Aspects, and arranged by Operations, Management and Organizational Structure.

The 11 Security Clauses (number of control objectives in parentheses, 39 in total):

• Security Policy (1)
• Organization of Information Security (2)
• Asset Management (2)
• Human Resources Security (3)
• Physical & Environmental Security (2)
• Communications & Operations Management (10)
• Access Control (7)
• Information System Acquisition, Development & Maintenance (6)
• Information Security Incident Management (2)
• Business Continuity Management (1)
• Compliance (3)

Page 12

Pre-Certification Preparation Methodology

(1) Define Scope

(2) Perform Gap Analysis

(3) Security Improvement Plan (SIP)

(4) Information Asset Register, Risk Assessment, Risk Treatment Plans, Selection of Controls, Initial SoA

(5) Policies, Procedures, Controls & ISMS Documentation; Final SoA

(6) Certification Readiness; Continuous Improvement; Internal Audit, Management Review

On-Going Security Program Improvement

Page 13

Steps Towards Certification (Plan – Do – Check – Act)

• Plan – Establish the ISMS
• Do – Implement & Operate the ISMS
• Check – Monitor & Review the ISMS
• Act – Maintain & Improve the ISMS
• Apply for Certification

Page 14

ISMS Implementation Requires Advisory Services, Project Leadership & Staff Augmentation

Plan (4.2.1) – Establish the ISMS
• Initial Training
• ISMS Scope
• ISMS Policy
• ISMS Assets
• Gap Analysis / SIP
• Business Impact
• Threats & Vulnerabilities
• Probability of Occurrence
• Calculate/Evaluate Risks
• Prioritize Risks
• Treatment Options
• Select Controls
• Management Approval
• Prepare Initial SoA

Do (4.2.2) – Implement & Operate
• Risk Treatment Plans
• Implement Risk Treatment
• Define Effectiveness Metrics
• Document WIs, Procedures
• Implement Training & Awareness Program
• Conduct Internal Auditor Training
• Operate the ISMS
• Monitoring & Incident Response
• Update SoA

Check (4.2.3) – Monitor & Review
• Execute Monitoring & Review Procedures
• Review ISMS Effectiveness
• Measure the Effectiveness of the Controls
• Review Risk Assessments
• Conduct Internal ISMS Audits
• Regular Management Reviews of the ISMS
• Update SIPs based on Findings
• Record Actions & Events Impacting the ISMS

Act (4.2.4) – Maintain & Improve
• Implement Identified Improvements
• Take Corrective & Preventive Actions
• Communicate the Actions & Improvements
• Ensure Improvements Achieve Objectives

Page 15

Steps Towards Certification

1. Establish Project Team
2. ISMS Scope Definition
3. Identification of Assets
4. Risk Assessment
5. Risk Treatment Plan
6. Documentation Management
7. Training & Awareness
8. Internal Audit
9. Ongoing Improvement

Page 16

Steps Towards Certification: Establish Project Team

Team Definition

• Ensure management commitment
• Select and train team members
• Establish Management Committee
• Establish Implementation Committee
• Establish Working Groups

Page 17

Steps Towards Certification: ISMS Scope Definition

• Careful consideration to the processes, applications & locations to be included

• The scope should recognize business objectives, security requirements and structure of the organization

• The scope must clearly define the boundaries of the ISMS, including justification for exclusions

Page 18

Steps Towards Certification: Identification of Assets

Identify all assets important to the scope, including:

• Physical Assets – IT

• Physical Assets – Non IT

• Information (Hard Copy and Electronic)

• Software

• Services

• Supporting documentation

• Intangible

Page 19

Steps Towards Certification: Risk Assessment

• Valuation of assets – Impact to the Business in terms of Confidentiality, Integrity & Availability

• Threat & Vulnerability Assessment

• Probability of Occurrence

• Effectiveness and Strength of Current Safeguards

• Residual Risk

• Determination of Risk Tolerance

Page 20

Steps Towards Certification: Risk Treatment Plan

• Risk Management decisions – Terminate, Treat, Transfer or Tolerate

• Selection of controls from ISO 27001:2005 with direct link back to the risk assessment

• Measurement of the effectiveness of controls

• Manage risk treatment activities and resources

• Management approval of residual risk

Page 21

Steps Towards Certification: Documentation Management

• Information classification & document and records control procedures

• Internal ISMS audit plan

• Corrective & preventive action procedures

• Procedures and controls supporting the ISMS based on the risk assessment results

• Description of the risk assessment methodology & risk treatment plan

• Development of the Statement of Applicability (SoA), with justification for controls not selected

• Objective evidence of a living & improving ISMS

Page 22

Steps Towards Certification: Training & Awareness

• Roles & responsibilities fully understood

• Staff, contractors and third party users trained

• Competency assessed

• Training program formulation

• Role based training

• Metrics and measurements

Page 23

Steps Towards Certification: Internal Audit & Ongoing Improvement

• Implementation of the Plan Do Check Act model for continuous improvement

• Independent internal evaluation of compliance with security policies and procedures

• Risk based corrective actions

• Defined preventive action requirements

• Feedback into the Risk Management Framework

• Records of continuous improvement

Page 24

The Certification Audit

Application for Certification with a Certification Body
• Agree on scope and contract terms

Stage 1 Audit – Documentation Review
• Assessment of Process Documentation

Stage 2 Audit – System in Action
• On-site Completion of Audit of Staff & Process
• Presentation of the Audit Findings
• Corrective Actions if Required
• Award of Certificate

Post Certification Process
• Certification is valid for three years
• Annual Surveillance Audits are required
• Internal Audit Program is required
• Full re-audit on the third Anniversary

Page 25

Thank You