UNITED REPUBLIC OF TANZANIA President’s Office-Public Service Management e-Government Agency Information Security Management (ISM) June, 2012 1 © e-Government Agency

Jan 21, 2016


Nigel Lawson

UNITED REPUBLIC OF TANZANIA

President’s Office-Public Service Management

e-Government Agency

Information Security Management (ISM)

June, 2012


Agenda


• Introduction to ISM
• Overview of ICT Security Management
• Approach
• Way Forward


Introduction to Information Security Management

• The main objective of information security is to protect the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity

• The ISM process should be the focal point for all IT security issues, and must ensure that an Information Security Policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services.


ISM Introduction (continued)

ISM needs to understand the total IT and business security environment, including the:

– Business Security Policy and plans
– Current business operation and its security requirements
– Future business plans and requirements
– Legislative requirements
– Obligations and responsibilities with regard to security contained within SLAs
– The business and IT risks and their management.


Agenda


• Introduction to ISM
• Overview of ICT Security Management
• Approach
• Way Forward


An overview of ICT & its security Problem

[Figure: Holistic View of ICT security Problem. Labels: ICT (Hardware, Operating system, Applications; Store, Process, Collect, Communicate); Software (operating systems, application software): set of instructions; Database (various business records etc.); Valuable asset of organizations: Information; Ethical/Culture; Legal/Contractual; Administrational/Managerial; Operational/Procedural; Mechanical/Electronic]

• Information security is about protection of ICT assets/resources in terms of Confidentiality, Integrity, Availability (information and services), Access Control to Information
• Involves: Protective/Proactive, Detective, Reactive and/or Recovery Measures


An overview of ICT security Problem

Holistic Approach required

[Figure: Holistic view of the ICT security problem. Labels: Hardware, Operating system, Applications; Store, Process, Collect, Communicate; Database (various business records etc.); Valuable asset of the organizations: Information; Ethical/Culture; Legal/Contractual; Administrational/Managerial; Operational/Procedural; Mechanical/Electronic]

Managing ICT security is a continuous process by which an organisation determines what needs to be protected and why; what it needs to be protected from (i.e. Threats and Vulnerabilities); and how (i.e. mechanisms) to protect it for as long as it exists.

Callouts on the figure:

• Malicious software (Virus, worm or denial-of-service attack, Backdoors, salami attacks, spyware, etc.) can be introduced here!
• Physical security of the hardware
• Authorised user abusing his/her privileges e.g. Disgruntled staff


An overview of ICT Security Management in the organisations

Perception Problem

At the strategic level (Absence of ICT Security policy, no defined budget for ICT security, Perceived as technical problem and not business risk)

At the operational level (perceived to belong to the IT departments and in some cases not coordinated)

Absence of designated ICT security personnel/unit.


An overview of ICT Security Management in the organisations (continued)

Perception Problem

Ad-hoc


Agenda


• Introduction to ISM
• Overview of ICT Security Management
• Approach
• Way Forward


A Holistic Approach for Managing ICT Security in Organisations

[Figure: process diagram with two phases, "INTRODUCTION OF ICT SECURITY MANAGEMENT PROCESS (INITIALISATION)" and "INTERNALISED & CONTINUOUS PROCESS", containing the following processes]

• GL-01: Strategic (Top) Management’s Backing
• GL-02: Technical Management's Backing
• GL-03: Form Project Team & Plan
• GL-04: Quick Scan
• GL-05: General Management’s attention & Backing
• GL-06: Review/Audit ICT Security
• GL-07: Awareness & Backing of General staff
• GL-08: Risk Assessment/Analysis
• GL-09: Mitigation Planning
• GL-10: Develop Counter Measures
• GL-11: Operationalisation (ICT Security Policy, Services & Mechanisms)
• GL-12: Maintenance (Monitor the Progress)

Surrounding labels in the figure: The Organisation; The Organisation’s goal & services; The Organisation’s structure; The Organisation’s culture & behaviour; Standards and Best Practises; The Environment; Stakeholders; Public infrastructures

Presented in a book: ISBN Nr 91-7155-383-8


Each process maps the Holistic View of the security Problem

[Figure: Holistic view of ICT Security Problem (SBC), with Process (GL - X) mapped onto it. Labels: Social; Technical; Ethical/Culture; Legal/Contractual; Administrational/Managerial; Operational/Procedural; Mechanical/Electronic; Hardware, Operating system, Applications; Store, Process, Collect, Communicate; People; Users; Valuable asset: Information; Database (various business records etc.)]


Management team discussing ICT security Problem

[Figure: Holistic view of ICT Security Problem (SBC), with General Management on one side and IT managers & Security Personnel on the other. Labels: Social; Technical; Ethical/Culture; Legal/Contractual; Administrational/Managerial; Operational/Procedural; Mechanical/Electronic; Hardware, Operating system, Applications; Store, Process, Collect, Communicate; People; Users; Valuable asset: Information; Database (financial, customer records etc.)]

Perception Problem

Speech bubbles in the figure:

• "This is a technical problem"
• "Let's have the best Firewall, Antivirus etc."
• "This is a business Problem"

Depending on organisation structure, the general management team may comprise the CEO, Assistant to CEO, all Directors, and all CXOs from major units which are not Directorates


Agenda


• Introduction to ISM
• Overview of ICT Security Management
• Approach
• Way Forward


The way Forward - How the Government Reacts

• Government has purchased the ISO 27000 Series Toolkit, which is the formal standard against which Government may seek to certify their ISMS (meaning Government frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the MDAs/LGAs)

• Auditing of the current IT Governance frameworks in all MDAs and LGAs


ITIL – Framework for Managing IT Security


Customers – Requirements – Government Needs


Reference

• ITIL V3 – System Design
• A Holistic Approach for Managing ICT Security in organizations - Dr. Jabiri Kuwe Bakari


THE END

Thank You For Your Attention


President’s Office, Public Service Management e-Government Agency / Wakala wa Serikali Mtandao

Samora Avenue, ExTelecoms House, 2nd Floor, P.O Box 4273, Dar es Salaam

Telephone: +255222129868/74

Fax: +255222129878

General eMail: [email protected] eMail: [email protected]

Website: http://www.ega.co.tz