Effective ISMS Development

Apr 08, 2015
Page 1: Effective ISMS Development

Contact: Travis Hyde, CEO, Orange Parachute, [email protected]

800.841.9329 x705

Effective ISMS Development

Page 2: Effective ISMS Development

Less Effective Approaches

• Product / Toolkit based approach

– Offers the ease of obtaining generic pre-written “policies”

– Can only cover those controls addressable by “policy”

– Cannot address controls that require an organizational component

– Cannot justify selection of controls

– Is not defensible

– Creates a false sense of security

• Linear approach

– Broadly follows the guidelines presented in the ISO Standard

– Implements the ISMS by following the guidelines to the letter, not spirit and intent

– Sometimes performed by internal teams without external assistance

– Several vendors use this ‘closed’ approach, or use a hybrid approach that combines it with a product based approach

– The approach is not easily extensible, thereby limiting the ISMS to a specific part of the organization after attaining certification

ISMS Development and Approach © Orange Parachute

Page 3: Effective ISMS Development

Common Shortcomings with Less Effective Approaches

Technical Shortcomings

• Incomplete Risk Assessment Process

• Incomplete Asset Listing

• Lack of Assurance for Controls Effectiveness

• Improper Interpretation of Controls

• Scope Minimization

• Difficulties in Developing Comprehensive BCP Plan


Page 4: Effective ISMS Development

Common Shortcomings with Less Effective Approaches (cont’d)

Management Shortcomings

• Lack of Documentation

• Failure to Define Specific Roles and Responsibilities in Information Security

• Difficulties in Conducting Regular Management Reviews and Implementing Suggestions

• Lack of a Comprehensive ISMS Project Plan

• ISMS regarded as a one-off project, rather than a continuous one

• Failure to Obtain Enough Support from Top Management

• Difficulties in Conducting Internal Audit

• Difficulties in Writing Proper Security Policies, Procedures & Guidelines


Page 5: Effective ISMS Development

Orange Parachute’s Approach

• Systematic

– Follows, implements and adopts every requirement of the Standard by the letter and spirit

– Our experienced consultants work with the client to understand the cultural, business and organizational environments, and build an ISMS adapted to the client

– Proven tools and templates are utilized to speed up the implementation process

• Process based

– Takes into account the legal and regulatory environment

– Works within the existent culture and values

– Produces justifiable, risk based requirements, processes, roles, and activities

– Is defensible and extensible


Page 6: Effective ISMS Development

How we implement the ISMS

The Process (recovered from the flow diagram on this slide):

• Secure management commitment

• Determine scope of the Information Security Program

• Identify security domains

• Create information security organization

• Assess risk

• Mitigate risk

• Audit

Page 7: Effective ISMS Development

How we implement and certify an ISMS

• We use ISO27001 to manage Information Security Programs

• An Information Security Program may have governance over multiple security domains

• Security domains serve as the basis of establishing scope for ISO27001 certification

• Security domains are where ISO27002/ISO27001 Annex A controls ultimately reside

• Scope of an ISO27001 Information Security Program and ISO27001 registration may not be the same

ISO27001 based ISMS to manage the Information Security Program (recovered from the diagram on this slide):

• Data Center – ISO27001 certified Security Domain

• Call Center – ISO27001 managed Security Domain

• Branch Office – ISO27001 managed Security Domain

• Production Area – ISO27001 managed Security Domain

Build a program once; extend the program to several security domains and certify.

Page 8: Effective ISMS Development

Our Implementation Focus

• Effective communication

– Consistent terms and definitions

• Understand relationships

– RACI

– Empowered through charters and plans

• Scope the program

– Program span of control

• Define / package sensible operational areas (security domains)

– Operational span of control

• Perimeters

• Assets

• Leverage security domains for

– Risk assessment

– Incident response

– BC/DR

– Certification


Page 9: Effective ISMS Development

Orange Parachute’s Approach: ISMS Framework – A real life sample

(Sample)


Page 10: Effective ISMS Development

Our Implementation Focus (contd.)

Risk Assessment methodology

– By audience:

• Strategic: liability

• Tactical: vulnerability

• Operational: gap

– By environment:

• Raw

• Residual

• Accepted

Page 11: Effective ISMS Development

Our Implementation Focus (contd.)

Selection of controls

– Tactical control objectives

• From tactical risk assessment

– Tactical controls

• From ISO27001 Annex A

– Operational control objectives

• Domain specific and derived from tactical controls

– Operational controls

• Domain specific and derived from operational control objectives

– Technical

– Procedural

– Temporal

– Taskings


Page 12: Effective ISMS Development

Our Implementation Focus (contd.)

Operational control elements

– Technical

• Devices

• Configurations

– Procedural

• Standard operating procedures (SOP’s)

– Temporal

• Domain schedules

– Tasking

• Individually assigned responsibilities


Page 13: Effective ISMS Development

Our Implementation Focus (contd.)

Example – Risk basis (tactical)

• Threat: Unauthorized disclosure

• Vulnerability: weak logon procedure

– A.11.5 Access control

• Objective: To prevent unauthorized access to operating systems

– A.11.5.1 control: Secure logon procedure

• Access to operating systems shall be controlled by a secure logon procedure

– Specific domain objective for Windows platforms

• Objective: To provide a secure logon procedure for Windows platforms

– Domain control (technical): Windows configuration

• Password masking

• Lockout after 3 failed attempts

• Password hashing

• Password history with no re-use
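The Windows domain controls on this slide are the kind of operational control an internal auditor has to evidence, and three of the four can be read straight out of the host's local security policy. The following is an added example in Python, not code from the Orange Parachute deck: it parses the `[System Access]` section of a `secedit /export /cfg` export and checks lockout threshold, password history and password storage against the thresholds stated on the slide. Password masking is a logon-UI behaviour that does not appear in the policy export, so it is not assessed here. The two sample exports are constructed (a real export is UTF-16 text with more sections), the `Finding` class and function names are mine, and reading "password hashing" as "reversible password storage disabled" (`ClearTextPassword = 0`) is an assumed interpretation.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed samples in the INF layout written by `secedit /export /cfg`.
# Not captured from a real host; only [System Access] is read below.
HARDENED_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

WEAK_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


@dataclass
class Finding:
    control: str            # operational control, in the slide's wording
    setting: str            # secedit key used as evidence
    observed: Optional[int]  # None when the key is absent or non-numeric
    expected: str
    passed: bool


def parse_system_access(export_text: str) -> dict:
    """Return the [System Access] section of a secedit export as {key: str}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep secedit's CamelCase keys instead of lowercasing
    cp.read_string(export_text)
    return dict(cp["System Access"])


def _int_setting(settings: dict, key: str) -> Optional[int]:
    try:
        return int(settings[key])
    except (KeyError, ValueError):
        return None


def evaluate_logon_controls(settings: dict, max_lockout_threshold: int = 3,
                            min_history: int = 1) -> list:
    """Score the slide's checkable domain controls against one host's policy."""
    findings = []

    # Lockout after N failed attempts. LockoutBadCount = 0 means "never lock
    # out", so the value must lie in 1..max_lockout_threshold (3 per the slide).
    v = _int_setting(settings, "LockoutBadCount")
    findings.append(Finding("Lockout after failed logon attempts", "LockoutBadCount",
                            v, f"1..{max_lockout_threshold}",
                            v is not None and 1 <= v <= max_lockout_threshold))

    # Password history with no re-use: the slide gives no depth, so min_history
    # defaults to 1 (any re-use prevention) and can be raised by the caller.
    v = _int_setting(settings, "PasswordHistorySize")
    findings.append(Finding("Password history with no re-use", "PasswordHistorySize",
                            v, f">= {min_history}", v is not None and v >= min_history))

    # Password hashing: assumed interpretation is that reversible (cleartext-
    # recoverable) storage must be off, i.e. ClearTextPassword = 0.
    v = _int_setting(settings, "ClearTextPassword")
    findings.append(Finding("Password hashing (no reversible storage)", "ClearTextPassword",
                            v, "0", v == 0))
    return findings


def controls_in_place(findings: list) -> bool:
    return all(f.passed for f in findings)


def failed_controls(findings: list) -> list:
    return [f.control for f in findings if not f.passed]


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_EXPORT), ("weak", WEAK_EXPORT)):
        fs = evaluate_logon_controls(parse_system_access(text))
        verdict = "PASS" if controls_in_place(fs) else "FAIL"
        print(f"{name}: {verdict} {failed_controls(fs)}")
```

Each `Finding` names the operational control, the policy key that evidences it and the observed value, which is the shape of record an ISMS conformance process needs in order to trace a technical setting back to the Annex A control objective it serves.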


Page 14: Effective ISMS Development

Sample of Key Deliverables from our Implementations

Fully documented management intent and support

• Policies (vision)

• Charters (empowerment)

• Program plans (strategy)

Fully documented information security direction

• Standards (requirements)

• Processes (methodologies)

• Activities (schedules)

• Roles (responsibilities)

Domain specific operational details

• Specifications

• Standard Operating Procedures (SOP’s)

• Job descriptions

• Tasking


Page 15: Effective ISMS Development

Process Example (recovered from the process flow diagram on this slide)

Process: Supplier Governance

Business Unit: Information Security

Frequency: As required

Version: 1.1

Author:

Process Owner: ISO

Approver: ISMS Oversight Committee

Date Approved:

Swimlanes: ISO; Information Security Analyst; Requestor

Activities:

• Pending business contract (trigger)

• Determine data types involved

• Identify required protection levels

• Incorporate protection requirements in contract

• Negotiate process hand-off points

• Assign roles and responsibilities

• Assign task schedules

• Review contract specifications

Reference inputs:

• Info Governance Matrix

• Info Security Standards

• Info Security Processes

• Functional Roles

• Output from Supplier Evaluation Process

Outputs:

• Security Specifications for Contract

• Activity matrix

• Third party SLA

• Input to ISMS Conformance Process

• Input to Risk Assessment Process

Page 16: Effective ISMS Development

Trends

• Worldwide demand for standardized and internationally sanctioned information security certification

– Certification is already a requirement in some markets

– Competitive edge

– Interoperability

– Due diligence concerns

• Continued focus on a process based approach

– Integration with other process based management systems

– Integration with other process based operational models

– Manages the quality of information

Page 17: Effective ISMS Development

Attributes of an Orange Parachute ISMS

• Addresses risk at all levels

– Strategic

– Tactical

– Operational

• Extensible

• Defensible / Justifiable

• Minimizes change

• Helps plan continuity in the workforce

• Compatible and integrated with ISO and other standards (ISO 9001, ISO 20000, ISO 27005, BS 25999, etc.)

• Compatible with other catalogs of controls (CoBit, PCI, FISAP)

• Meets information protection requirements required by various laws and regulations, such as Sarbanes Oxley, HIPAA, GLBA, SB 1386, etc.


Page 18: Effective ISMS Development

Summary / Benefits

• The ISO27002/ISO27001 family is an internationally recognized benchmark for Information Security Management

– ISO27002 is used to deploy comprehensive information security controls.

– ISO27001 is used to manage Information Security Programs and certify discrete operational areas.

• ISO27001/2 may serve as an umbrella under which an organization can address multiple information protection regulations.

– Most are already mapped to ISO27002 controls

– All can be managed by ISO27001

• ISO27001 can be used to certify due diligence. Areas of application include:

– Security assessments of supplier / vendor / service provider third parties

– Reducing redundant audit overheads

• A standards based ISMS is defensible, extensible, flexible and efficient.


Page 19: Effective ISMS Development

Successful Client Certifications

Certified Clients:

• Federal Reserve NY – BS7799-2

• The World Bank – ISO 27001

• McQuarie Corporate Communications (Australia) – BS7799-2

• Premier Bank – ISO 27001

• International Monetary Fund (IMF) – ISO 27001

• Merrill Corporation – ISO 27001

• Convey Compliance Systems – ISO 27001

• DCM Services – ISO 27001

• Pacific Life Insurance Company – ISO 27001

Some Additional Clients:

• Blue Cross Blue Shield

• Coventry Healthcare

• RxHub

• Merck & Co., Inc.

• Nielsen Media Research

• Wake County Public Schools

• ConocoPhillips

• American Express

• Ameriprise Financial

• FINRA/NASD

• INTUIT

• National City Bank

• PSECU

Page 20: Effective ISMS Development

Thank you!

800.841.9329 x1

[email protected]

www.orangeparachute.com