Information Security
14 October 2005
IT Security Unit
Ministry of IT & Telecommunications
Jan 20, 2016
Agenda
- Information Security – Why?
- Security threats
- Types of Measures
- ISO 17799 & its evolution
- Information Security Management System
- Status in Mauritius
- ISO 27000 series
Information Security – Why?
- Information is an asset, has value & needs to be suitably protected
- Information exists in many forms:
  - Printed or written – transmitted by post
  - Stored electronically – transmitted using electronic means
  - Spoken in conversation
- Information security protects information from a wide range of threats in order to:
  - ensure business continuity & minimise business damage
  - maximise return on investments & business opportunities
  - maintain competitive edge, legal compliance and commercial image
Information Security – Why?
Information security is characterised as the preservation of:
- confidentiality: ensuring that information is accessible only to those authorized to have access
- integrity: safeguarding the accuracy and completeness of information and processing methods
- availability: ensuring that authorized users have access to information and associated assets when required
Some Security Threats
Usual (standard) threats:
- Theft
- Fraud
- Acts of God
- Errors
IT related threats:
- System failures
- Malware: virus / spyware
- Denial of Service
- Hacking
- Cybercrimes
Types of Measures
- Technology: IT solutions…
- Physical: access control…
- People: screen, train, monitor…
- Policies, procedures: information on a need-to-know basis…
- Comply with legislation: Cybercrime Act, Data Protection Act, Copyright Act…
- Information security management: integrate all of the above in a structured way
ISO/IEC 17799
- Roadmap to manage information security within an organisation
- Serves as a single reference point for identifying the range of controls that need to be used
- Part 1: ISO 17799 – Code of Practice
- Part 2: BS 7799-2 – Requirements for an ISMS, used for certification
- 2000 version has 10 domains, 36 control objectives, 127 controls
- 2005 version has 11 domains, 39 control objectives and 133 controls
ISO 17799 - 2000
Figure – the 10 domains of ISO 17799:2000 arranged around the three properties of information (confidentiality, integrity, availability):
- Information Security Policy
- Security Organisation
- Asset Classification & Control
- Personnel Security
- Physical Security
- Communications & Operations Management
- Access Control
- System Development & Maintenance
- Business Continuity Planning
- Compliance
Example domain – Physical security (ISO 17799:2000)
3 control objectives:
- Secure areas
- Equipment security
- General controls
6 controls under Equipment security:
- Siting
- Power supplies
- Cabling
- Maintenance
- Off-premises equipment
- Disposal / reuse
Sample control text (power supplies): "all equipment should be protected from power failure & other electrical anomalies. A suitable electric supply should be provided that conforms to the equipment manufacturer's specifications."
Evolution of Standards
- Code of practice – 1993
- British Standard – 1995
- BS 7799 Part 2 – 1998
- BS 7799 Part 1 and Part 2 revised – 1999
- ISO 17799 (BS 7799-1:2000)
- BS 7799-2:2002
- ISO/IEC 17799:2000 revision – June 2005
- ISO/IEC 27000 series
ISO/IEC 17799 – Comparison of the 2000 & 2005 domains

ISO 17799:2000 (10 domains)                 ISO 17799:2005 (11 domains)
Security policy                             Security policy
Security organisation                       Organising information security
Asset classification & control              Asset management
Personnel security                          Human resources security
Physical & environmental security           Physical & environmental security
Communications & operations management      Communications & operations management
Access control                              Access control
Systems development & maintenance           Information systems acquisition, development and maintenance
–  (no 2000 equivalent)                     Information security incident management
Business continuity management              Business continuity management
Compliance                                  Compliance
ISMS – Information Security Management System
- The means to implement 7799
- Set up an ISMS team – the ISMS Working Group (ISMS WG)
- Based on the Deming PDCA cycle – Plan, Do, Check, Act
- Common to other ISO standards, e.g. ISO 9000, ISO 14000
- The ingredient that allows the integration of the different management systems that these standards define
ISMS Process
Figure – the PDCA cycle applied to the ISMS:
- Plan: establish the ISMS
- Do: implement & operate the ISMS
- Check: monitor & review the ISMS
- Act: maintain & improve the ISMS
ISMS Process
Plan phase
- Define the ISMS scope & the ISMS policy
- Identify & assess the risks
- Formulate a Risk Treatment Plan – the outcome for each risk is one of:
  - Apply appropriate controls to reduce the risk
  - Accept the risk – substantiate why
  - Avoid the risk – do not allow the action causing the risk
  - Transfer the risk to a third party, e.g. an insurer
- Select control objectives and controls
- Prepare a Statement of Applicability (SoA)
Do phase
- Allocate resources & conduct training
- Implement the Risk Treatment Plan
- Implement the controls selected to meet the control objectives
ISMS Process
Check phase
- Execute monitoring processes
- Conduct internal audits of the ISMS at planned intervals
- Undertake regular management reviews of the effectiveness of the ISMS
- Review levels of residual risk and acceptable risk
Act phase
- Implement improvements identified
- Take appropriate preventive and corrective actions
- Communicate the results and actions
- Ensure improvements meet their intended objectives
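The Plan and Check phases above, worked through in code: a small risk register is scored, each risk gets one of the four treatment options (reduce, accept, avoid, transfer), the plan is validated (an accepted risk must be substantiated), a Statement of Applicability is produced from the controls the treatment selected, and the Check phase compares residual risk with the acceptable level. This is an added example, not code from the Ministry's presentation or from ISO/IEC 17799 / BS 7799-2; the 1-5 likelihood and impact scales, the acceptance threshold of 6, the asset names, the effect each control has on a score, and the three clause labels used for the catalogue are all constructed assumptions for illustration.

```python
"""Worked ISMS Plan/Check example (added illustration, constructed data)."""
from dataclasses import dataclass, field

# Assumption: likelihood and impact are each rated 1..5, risk = likelihood * impact,
# and the ISMS WG has set 6 as the highest residual score it will accept.
ACCEPTABLE_RISK = 6


@dataclass(frozen=True)
class Control:
    ref: str        # clause label in ISO/IEC 17799:2000 (assumed; check against the text)
    name: str
    reduces: str    # "likelihood" or "impact"
    by: int         # scale points removed when the control is in place (assumption)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    treatment: str = "reduce"          # reduce | accept | avoid | transfer
    justification: str = ""            # the "substantiate why" for an accepted risk
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk score left after the chosen treatment option."""
        if self.treatment == "avoid":          # activity not allowed: nothing left
            return 0
        if self.treatment == "accept":         # nothing done: inherent score remains
            return self.inherent()
        if self.treatment == "transfer":       # assumption: the insurer absorbs the impact
            return self.likelihood * 1
        lik, imp = self.likelihood, self.impact
        for c in self.controls:                # reduce: apply each selected control
            if c.reduces == "likelihood":
                lik = max(1, lik - c.by)
            else:
                imp = max(1, imp - c.by)
        return lik * imp


# Constructed control catalogue; the score effects are invented for the example.
CATALOGUE = [
    Control("7.2.2", "Power supplies (UPS)", "likelihood", 3),
    Control("8.3.1", "Controls against malicious software", "likelihood", 2),
    Control("8.4.1", "Information back-up", "impact", 2),
]
BY_REF = {c.ref: c for c in CATALOGUE}

# Constructed risk register for a fictional ministry.
REGISTER = [
    Risk("File server", "Power failure", 4, 4, "reduce", controls=[BY_REF["7.2.2"]]),
    Risk("Ministry e-mail", "Malware", 5, 3, "reduce", controls=[BY_REF["8.3.1"]]),
    Risk("Off-site backup tapes", "Theft", 2, 5, "transfer", "insured in transit"),
    Risk("Public kiosk", "Hacking", 3, 4, "avoid", "no internet access from kiosks"),
    Risk("Printed memos", "Filing errors", 2, 2, "accept", "low value, re-printable"),
    Risk("Staff conversations", "Disclosure", 2, 3, "accept"),   # no justification!
]


def validate_treatment_plan(register):
    """Plan phase: every accepted risk must be substantiated and every
    'reduce' decision must name at least one control."""
    issues = []
    for r in register:
        if r.treatment == "accept" and not r.justification.strip():
            issues.append(f"{r.asset}/{r.threat}: accepted without justification")
        if r.treatment == "reduce" and not r.controls:
            issues.append(f"{r.asset}/{r.threat}: 'reduce' with no control selected")
    return issues


def statement_of_applicability(register, catalogue):
    """Map every catalogue control to applicable / not applicable with the reason,
    which is what the SoA records for the certification auditor."""
    soa = {}
    for c in catalogue:
        users = [f"{r.asset}/{r.threat}" for r in register
                 if r.treatment == "reduce" and c in r.controls]
        soa[c.ref] = {
            "name": c.name,
            "applicable": bool(users),
            "reason": ("selected by risk treatment for: " + ", ".join(users))
                      if users else "no identified risk requires this control",
        }
    return soa


def check_residual(register, acceptable=ACCEPTABLE_RISK):
    """Check phase: treated risks whose residual score still exceeds the
    acceptable level; these feed the Act phase (more controls, or re-accept)."""
    return [(r.asset, r.threat, r.residual()) for r in register
            if r.treatment != "accept" and r.residual() > acceptable]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:22} {r.treatment:9} inherent={r.inherent():2} residual={r.residual():2}")
    print("plan issues:", validate_treatment_plan(REGISTER))
    print("SoA:", statement_of_applicability(REGISTER, CATALOGUE))
    print("above acceptable after treatment:", check_residual(REGISTER))
```

Running it shows the two failure modes the deck's Plan and Check bullets exist to catch: the "Staff conversations" risk was accepted without any justification, so the treatment plan is rejected before it reaches the SoA, and the e-mail/malware risk still scores 9 after its control (above the accepted 6), so the Check phase hands it back to the Act phase for a further control or an explicit, substantiated acceptance.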
ISMS Documentation
Figure – four-level documentation pyramid:
- Level 1: ISMS Manual, ISMS Policy, Statement of Applicability (SoA)
- Level 2: Procedures, guidelines
- Level 3: Forms, templates, etc.
- Level 4: Records providing evidence of ISMS implementation
Steps Towards Certification
Figure – certification path:
- Development (ISMS WG)
- Implementation (ISMS WG)
- Stage 1 audit (3rd-party auditor(s))
- Stage 2 audit (3rd-party auditor(s))
- Surveillance & re-assessment: follow-up
Steps to follow
- Purchase the standards (ISO 17799:2000, BS 7799-2:2002)
- Read the standards
- Assemble a team – the ISMS WG
- Attend an ISMS workshop
- Appoint a technical consultant or your own technical expert
- Undertake a risk assessment
- Develop the ISMS documents
- Apply for ISMS certification
Benefits
- Improved enterprise security
- More effective security planning and management
- Better risk management
- Enhanced user confidence
- Promotes development of a business continuity plan
- Deeper knowledge of different aspects of security
- Broader user-level awareness of security threats and measures
Mauritius
- ISO 17799:2000 & BS 7799-2:2002 were adopted as a national standard in 2005
- Adoption of the ISO 17799 June 2005 version is in progress
- MSB (Mauritius Standards Bureau) is gearing up to provide certification services
Government
- Adopted ISO 17799 for rollout in Ministries & Departments
- 4-5 pilot sites have completed an ISMS, facilitated by the IT Security Unit
ISO 27000 series – Information Security Series
- 27001: will replace BS 7799-2:2002
- 27002: earmarked for ISO 17799 (code of practice)
- 27003: to cover risk management
- 27004: to cover information security management metrics & measurements
- 27005: to provide implementation guidelines
(Note: the numbering above reflects the plan as of 2005. As the series was actually published, ISO/IEC 27001 appeared in October 2005, ISO/IEC 17799:2005 was renumbered 27002 in 2007, 27004 covers measurement, and the last two were swapped: 27003 became the ISMS implementation guidance and 27005 the information security risk management standard.)
Thank YouThank You