Information Security Management – Management System Requirements, Code of Practice for Controls, and Risk Management

supervision: Assistant Professor Dr. Sana’a Wafa Al-Sayegh; ITGD 2202, Tamer abo lehia; Security Management
Dec 25, 2015

Transcript
Page 1: Information Security Management – Management System Requirements, Code of Practice for Controls, and Risk Management

supervision: Assistant Professor Dr. Sana’a Wafa Al-Sayegh

ITGD 2202 Tamer abo lehia

Security Management

Page 2

Background of ISMS Standards

Information Security Management System (ISMS) standards have been produced to help organisations come up with cost effective answers to questions like:

– Why do the same types of information security problem come up again and again?

– Why does the IT department keep asking for more and more money to solve information security problems (that don’t go away)?

– How can we do information security well when IT is core to our business, but not our core business?

Origins in UK business in the 1990s, pooling knowledge of best practice

– Initial focus on controls (now published as ISO/IEC 17799:2005)

– Enhanced with a management decision making framework (now published as ISO/IEC 27001:2005)

Recently internationalised and updated by ISO/IEC

STANDARDS AUSTRALIA SECURITY FORUM

Page 3

Organisations involved in the development of the ISMS Standards

Nationally:

– Large corporates (e.g. ANZ, Shell, Bluescope, Telstra)

– Information and IT security specialists (e.g. Witham Labs, Pacific Research, Fujitsu, Megaprime)

Internationally:

– Representatives from large corporates in the IT and other sectors, information security specialists from specialist business and government organizations

• Australia, Austria, Belgium, Brazil, Canada, China, Czech Republic, Denmark, Finland, France, Germany, India, Italy, Japan, Kenya, Luxembourg, Malaysia, New Zealand, Netherlands, Norway, Poland, Russia, Singapore, Spain, South Africa, South Korea, Sri Lanka, Sweden, Switzerland, UK, Ukraine, USA

Page 4

The target audience and the value the ISMS Standards bring to the market

These standards are relevant to any organisation reliant on information and IT:

– Large corporates

– SMEs

– Government agencies

Focus is on organisations that can’t justify a staff of information security specialists

– Value is provided by making pooled, peer reviewed, best practices for the management and implementation of an information security programme available to all at a modest cost

Page 5

Objectives of the Standards

The ISMS standards specify a framework for organisations to manage the information security aspects of their business, and if necessary to demonstrate to other parties (e.g. business partners, auditors, customers, suppliers) their ability to manage information security.

Page 6

Key Elements / Scope of the ISMS Standards

ISO/IEC 27001: ‘Information Security Management Systems – Requirements’ is the foundational standard; it is applicable to all types of organisation and all sectors of the economy.

It specifies a risk-based management system that is designed to ensure that organisations select and operate adequate and proportionate (i.e. cost effective) security controls to protect information assets.

– It uses the ‘plan-do-check-act (improve)’ model used in environment and quality management standards.

– It is specified to allow implementation integrated within broader management systems.

• The standard shows how requirements relate to the OECD Guidelines for the Security of Information Systems and Networks.

Page 7

Content of the ISMS Standards

Foundations (ISO/IEC 27001):

- Establishing, implementing, operating, maintaining and improving an ISMS

- Documentation requirements

- Management responsibilities

- Internal audits and management reviews

Supporting Standards:

ISO/IEC 27000 – ISMS fundamentals and vocabulary (under development)

ISO/IEC 27002 – Code of practice for information security management (controls) (ISO/IEC 17799 to be renumbered next year)

ISO/IEC 27003 – ISMS implementation guide (under development)

ISO/IEC 27004 – Measurement and metrics (under development)

ISO/IEC 27005 – Risk management (under development)

ISO/IEC 27006 – Requirements for the accreditation of bodies providing certification of ISMS (under development)

[Figure: the plan-do-check-act cycle of the ISMS]

Plan – Establish the ISMS

Do – Implement and operate the ISMS

Check – Monitor and review the ISMS

Act – Maintain and improve the ISMS

Page 8

ISMS – the tip of the iceberg

There are also generally applicable ISO/IEC and/or Australian/NZ Standards covering:

- Digital signatures

- Encryption (algorithms, modes of operation, key management)

- Entity authentication

- Hash functions

- Intrusion detection

- IT evidence collection

- Message authentication codes

- Network security

- Non repudiation

- Prime numbers

- Random numbers

- Security evaluation of products

- Security incident management

- Time-stamping

- Trusted third party services

Page 9

Call to action

Poor information security outcomes are commonly the result of poor management, and not of poor technical controls.

The 27000 series of ISMS Standards tackles the information security problems we face from the management perspective.

- It is not easy, but it is best practice and it works
