Jan 20, 2016

Rodney Powers
Page 1: Information Security 14 October 2005 IT Security Unit Ministry of IT & Telecommunications.

Information Security

14 October 2005

IT Security Unit

Ministry of IT & Telecommunications

Page 2: Agenda

• Information Security – Why?
• Security threats
• Types of Measures
• ISO 17799 & its evolution
• Information Security Management System
• Status in Mauritius
• ISO 27000 series

Page 3: Information Security – Why?

• Information is an asset, has value & needs to be suitably protected
• Information exists in many forms:
  • Printed or written – transmitted by post
  • Stored electronically – transmitted using electronic means
  • Spoken in conversation
• Information security protects information from a wide range of threats in order to:
  • ensure business continuity & minimise business damage
  • maximise return on investments & business opportunities
  • maintain competitive edge, legal compliance and commercial image

Page 4: Information Security – Why? (continued)

Information security is characterised as the preservation of:

• confidentiality: ensuring that information is accessible only to those authorised to have access
• integrity: safeguarding the accuracy and completeness of information and processing methods
• availability: ensuring that authorised users have access to information and associated assets when required

Page 5: Some Security Threats

Usual (standard) threats:
• Theft
• Fraud
• Acts of God
• Errors

IT-related threats:
• System failures
• Malware: Virus/Spyware
• Denial of Service
• Hacking
• Cybercrimes

Page 6: Types of Measures

• Technology: IT solutions…
• Physical: Access control…
• People: Screen, Train, Monitor…
• Policies, Procedures: Info on a need-to-know basis…; comply with legislation (Cybercrime Act, Data Protection Act, Copyright Act…)
• Info Sec Mgt: integrate all in a structured way

Page 7: ISO/IEC 17799

• Roadmap to manage information security within an organisation
• Serves as a single reference point for identifying the range of controls needed to be used
• Part 1: ISO 17799 – Code of Practice
• Part 2: BS 7799-2 – Requirements for an ISMS for Certification
• 2000 version has 10 Domains, 36 Control Objectives, 127 Controls
• 2005 version has 11 Domains, 39 Control Objectives and 133 Controls

Page 8: ISO 17799 - 2000

Diagram: the ten domains of ISO 17799:2000 arranged around Information (Integrity, Confidentiality, Availability):
• Information Security Policy
• Security Organisation
• Asset Classification & Controls
• Personnel Security
• Physical Security
• Communication & Operations Mgmt
• Access Controls
• System Development & Maint.
• Bus. Continuity Planning
• Compliance

Example of one domain (Physical Security) expanded:

3 Control Objectives: • Secure Areas • Equipment Security • General Controls

6 Controls (under Equipment Security): • Siting • Power Supplies • Cabling • Maintenance • Off-premises • Disposal/reuse

Sample control text: “all equipment should be protected from power failure & other electrical anomalies. A suitable electric supply should be provided that conforms to the equipment manufacturer specifications.”

Page 9: Evolution of Stds

• Code of practice – 1993
• British Standard – 1995
• BS 7799 Part 2 – 1998
• BS 7799 Part 1 and Part 2 revised – 1999
• ISO 17799 (BS 7799-1:2000)
• BS 7799-2:2002
• ISO/IEC 17799:2000 revision – June 2005
• ISO/IEC 27000 series

Page 10: ISO/IEC 17799 Comparison 2000 & 2005

2000 version                               | 2005 version
Security policy                            | Security policy
Security organisation                      | Organising information security
Asset classification & control             | Asset management
Personnel security                         | Human resources security
Physical & environmental security          | Physical & environmental security
Communications & operations management     | Communications & operations management
Access control                             | Access control
Systems development & maintenance          | Information systems acquisition, development and maintenance
(no equivalent; new domain in 2005)        | Information security incident management
Business continuity management             | Business continuity management
Compliance                                 | Compliance

Page 11: ISMS – Information Security Management System

• The means to implement 7799
• Set an ISMS team – ISMS WG
• Based on the Deming PDCA Cycle – Plan, Do, Check, Act
• Common to other ISO stds e.g. ISO 9000, ISO 14000
• The ingredient that allows the integration of the different management systems that these standards define.

Page 12: ISMS Process

Diagram: the PDCA cycle applied to the ISMS:
• Plan: Establish the ISMS
• Do: Implement & operate the ISMS
• Check: Monitor & review the ISMS
• Act: Maintain & improve the ISMS

Page 13: ISMS Process – Plan and Do Phases

Plan Phase:
• Define the ISMS scope & the ISMS policy
• Identify & assess the risks
• Formulate a Risk Treatment Plan – outcome:
  • Apply appropriate control to reduce risk
  • Accept the risk – substantiate why
  • Avoid the risk – do not allow action causing risk
  • Transfer the risk to a third party e.g. insurer
• Select control objectives and controls
• Prepare a Statement of Applicability

Do Phase:
• Allocate resources & conduct training
• Implement the Risk Treatment Plan
• Implement controls selected to meet the control objectives

Page 14: ISMS Process – Check and Act Phases

Check Phase:
• Execute monitoring processes
• Conduct internal audits of the ISMS at planned intervals
• Undertake regular mgt reviews of the effectiveness of the ISMS
• Review levels of residual risk and acceptable risk

Act Phase:
• Implement improvements identified
• Take appropriate preventive and corrective actions
• Communicate the results and actions
• Ensure improvements meet their intended objectives

Page 15: ISMS Documentation

Diagram: four-level documentation pyramid:
• Level 1: ISMS Manual, ISMS Policy, SoA
• Level 2: Procedures, Guidelines
• Level 3: Forms, Templates, etc.
• Level 4: Records providing evidence of ISMS implementation

Page 16: Steps Towards Certification

Diagram: sequence of stages and who carries them out:
• Development – ISMS WG
• Implementation – ISMS WG
• Stage 1 Audit – 3rd party Auditor(s)
• Stage 2 Audit – 3rd party Auditor(s)
• Surveillance & Re-assessment: Follow Up

Page 17: Steps to follow

• Purchase the standards (ISO 17799:2000, BS 7799-2:2002)
• Read the standards
• Assemble a team – ISMS WG
• Attend an ISMS workshop
• Appoint a technical consultant or own technical expert
• Undertake risk assessment
• Develop ISMS documents
• Apply for ISMS certification

Page 18: Benefits

• Improved enterprise security
• More effective security planning and management
• Better risk management
• Enhanced user confidence
• Promotes development of a business continuity plan
• Deeper knowledge of different aspects of security
• Broader user-level awareness of security threats and measures

Page 19: Mauritius

• ISO 17799:2000 & BS 7799-2:2002 adopted as a national standard in 2005
• Adoption of ISO 17799 June 2005 version in progress
• MSB gearing up for providing certification services
• Government:
  • Adopted ISO 17799 for rollout in Ministries & Departments
  • 4-5 pilot sites ISMS done
  • Facilitated by IT Security Unit

Page 20: ISO 27000 series – Information Security Series

• 27001: will replace BS 7799-2:2002
• 27002: Earmarked for ISO 17799 (code of practice)
• 27003: To cover risk management
• 27004: To cover information security mgt metrics & measurements
• 27005: To provide implementation guidelines

Page 21: Thank You