UNITED REPUBLIC OF TANZANIA
President’s Office-Public Service Management
e-Government Agency
Information Security Management (ISM)
June, 2012
Jan 21, 2016
© e-Government Agency
Agenda
• Introduction to ISM
• Overview of ICT Security Management
• Approach
• Way Forward
Introduction to Information Security Management
• The main objective of information security is to protect the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity.
• The ISM process should be the focal point for all IT security issues. It must ensure that an Information Security Policy is produced, maintained and enforced which covers the use and misuse of all IT systems and services.
ISM Introduction (continued)

ISM needs to understand the total IT and business security environment, including the:
– Business Security Policy and plans
– Current business operation and its security requirements
– Future business plans and requirements
– Legislative requirements
– Obligations and responsibilities with regard to security contained within SLAs
– The business and IT risks and their management.
Agenda
• Introduction to ISM
• Overview of ICT Security Management (this section)
• Approach
• Way Forward
An overview of ICT & its security problem

Holistic View of the ICT Security Problem

[Figure: layered model of ICT. Technical layers, bottom to top: Hardware; Operating system; Applications (software, i.e. operating systems and application software, is a set of instructions); Database (various business records etc.); and the valuable asset of organisations, Information. These layers Store, Process, Collect and Communicate information. Social layers surrounding them: Operational/Procedural; Mechanical/Electronic; Administrational/Managerial; Legal/Contractual; Ethical/Culture.]

Information security is about protection of ICT assets/resources in terms of Confidentiality, Integrity and Availability (of information and services). Access control to information involves protective/proactive, detective, reactive and/or recovery measures.
An overview of the ICT security problem

[Figure: the same layered model (Hardware, Operating system, Applications, Database of various business records etc., the valuable asset Information; Store/Process/Collect/Communicate; social layers Operational/Procedural, Mechanical/Electronic, Administrational/Managerial, Legal/Contractual, Ethical/Culture), annotated with callouts showing where problems arise: "Malicious software (virus, worm or denial-of-service attack, backdoors, salami attacks, spyware, etc.) can be introduced here!"; "Physical security of the hardware"; "Authorised user abusing his/her privileges, e.g. disgruntled staff".]

Managing ICT security is a continuous process by which an organisation determines what needs to be protected and why; what it needs to be protected from (i.e. threats and vulnerabilities); and how (i.e. by which mechanisms) to protect it for as long as it exists.

A holistic approach is required.
An overview of ICT Security Management in the organisations

Perception problem:
• At the strategic level: absence of an ICT security policy, no defined budget for ICT security, and security perceived as a technical problem rather than a business risk
• At the operational level: security perceived to belong to the IT department and, in some cases, not coordinated
• Absence of designated ICT security personnel/unit

[Figure, labelled "Perception Problem" and "Ad-hoc".]
Agenda
• Introduction to ISM
• Overview of ICT Security Management
• Approach (this section)
• Way Forward
A Holistic Approach for Managing ICT Security in Organisations

[Figure: process model of twelve guidelines (GL-01 to GL-12), divided into "Introduction of ICT security management process (initialisation)" and "Internalised & continuous process", set within the context of the Organisation (its goal & services, its structure, its culture & behaviour) and the Environment (stakeholders, public infrastructures, standards and best practices).]

The guidelines:
– GL-01 Strategic (top) management’s backing
– GL-02 Technical management’s backing
– GL-03 Form project team & plan
– GL-04 Quick scan
– GL-05 General management’s attention & backing
– GL-06 Review/audit ICT security
– GL-07 Awareness & backing of general staff
– GL-08 Risk assessment/analysis
– GL-09 Mitigation planning
– GL-10 Develop countermeasures
– GL-11 Operationalisation (ICT security policy, services & mechanisms)
– GL-12 Maintenance (monitor the progress)

Presented in a book: ISBN 91-7155-383-8
Each process maps onto the holistic view of the security problem

[Figure: Holistic view of the ICT security problem (SBC). Social layers: Ethical/Culture, Legal/Contractual, Administrational/Managerial, Operational/Procedural. Technical layers: Mechanical/Electronic, Applications, Operating system, Hardware, which Store, Process, Collect and Communicate information. People/Users sit on the social side; the valuable asset, Information (database of various business records etc.), sits at the core. Each process (GL-X) is mapped against this view.]
Management team discussing the ICT security problem

[Figure: the holistic view of the ICT security problem (SBC) as on the previous slide (social layers Ethical/Culture, Legal/Contractual, Administrational/Managerial, Operational/Procedural; technical layers Mechanical/Electronic, Applications, Operating system, Hardware; Store/Process/Collect/Communicate; People/Users; the valuable asset Information: database of financial, customer records etc.), with General Management on one side and IT managers & Security Personnel on the other. Speech bubbles illustrate the perception problem: "This is a technical problem. Let’s have the best firewall, antivirus etc." (beside the General Management label) and "This is a business problem."]

Depending on the organisation’s structure, the general management team may comprise the CEO, the Assistant to the CEO, all Directors, and all CXOs from major units which are not Directorates.
Agenda
• Introduction to ISM
• Overview of ICT Security Management
• Approach
• Way Forward (this section)
The Way Forward - How the Government Reacts
• The Government has purchased the ISO 27000 series toolkit. The formal standard in that series (ISO/IEC 27001) is the one against which the Government may seek to certify its ISMS, meaning the Government frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the MDAs/LGAs (Ministries, Departments and Agencies / Local Government Authorities).
• Auditing of the current IT governance frameworks in all MDAs and LGAs.
ITIL – Framework for Managing IT Security

[Figure, labelled "Customers – Requirements – Government Needs".]

Reference
• ITIL V3 – Service Design
• A Holistic Approach for Managing ICT Security in Organisations - Dr. Jabiri Kuwe Bakari
THE END
Thank You For Your Attention

President’s Office, Public Service Management
e-Government Agency / Wakala wa Serikali Mtandao
Samora Avenue, ExTelecoms House, 2nd Floor, P.O. Box 4273, Dar es Salaam
Telephone: +255 22 2129868/74
Fax: +255 22 2129878
General eMail: [email protected]
eMail: [email protected]
Website: http://www.ega.co.tz