Course: Information Security Management in e-Governance Day 1 Session 3: Models and Frameworks for Information Security Management

Upload: vothu

Post on 19-Apr-2018



Agenda

• Introduction to the enterprise security framework

• Overview of security models, frameworks and standards

• Salient features of the ISO 27001 security standard

Slide 3

What is Information Security

ISO 27001:2005 defines information security as the preservation of three properties:

• Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities (including programs) or processes.

• Integrity: the property of safeguarding the accuracy and completeness of assets.

• Availability: the property of being accessible and usable upon demand by an authorized entity.

Slide 4

Who Should be Concerned?

• Users - standards will affect them the most.

• System support personnel - they will be required to implement, adapt and support the standards.

• Executive management - concerned about protection of data and the associated cost of the policy / standards.

Slide 5

Role of Standards

• Manage Information Security

• Identify assets and appropriately protect them

• Reduce the risks of human error, theft, fraud or misuse of facilities

• Prevent unauthorized access, damage and interference to business

• Ensure the correct and secure operation of information processing facilities

• Control Access to Information

• Ensure security is built into information systems

• Counteract interruptions to business activities

• Avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations

Slide 6

Why Best Practices are Important!

• Today, the effective use of best practices can help avoid re-inventing wheels, optimize the use of scarce IT resources and reduce the occurrence of major IT risks, such as:

• Project failures

• Wasted investments

• Security breaches

• System crashes

• Failures by service providers to understand and meet customer requirements

Slide 7

Why Best Practices are Important!

COBIT, ITIL and ISO 27000 are valuable to the ongoing growth and success of an organization because:

– Companies are demanding better returns from IT investments

– Best practices help meet regulatory requirements for IT controls

– Organizations face increasingly complex IT-related risks

– Organizations can optimize costs by standardizing controls

– Best practices help organizations assess how IT is performing

– Management of IT is critical to the success of enterprise strategy

– They help enable effective governance of IT activities

– A management framework helps staff understand what to do (policy, internal controls and defined practices)

– They can provide efficiency gains, less reliance on experts, fewer errors, increased trust from business partners and respect from regulators

Slide 8

Benefits

• Productivity: Audit/Review Savings

• Breaking Barriers -Business Relationships

• Self-Analysis

• Security Awareness

• Targeting Of Security

• 'Baseline' Security and Policy

• Consistency

• Communication

Slide 9

After adopting Standards

• Moved towards international best practice

• Manage the breadth and depth of information risk

• Build confidence in third parties

• Reduce the likelihood of disruption from major incidents

• Fight the growing threats of cybercrime

• Comply with legal and regulatory requirements

• Maintain business integrity

• Citizens' confidence - most important

Slide 10

Approach in Implementing Standards

• Support from Top Management

• Risk management - accept, mitigate, transfer

• Well developed Security Policy

• Effective Implementation of policy

• User awareness is most important

• Prevention is better than cure

• Periodic review / audit

• Understand fundamental system functionality

• Identify security issues due to gaps

Slide 11

Integrated IS Framework

[Figure: domains of an integrated IS framework and the standards that cover each]

Domains: Service Management, Information Security, Project Management, Application Delivery, Business Continuity, IT Operations

Standards: COBIT, ITIL / ISO 20000, ISO 27K, PMI, CMM, BS 25999

Slide 12

Some of the Standards - Overview

[Figure: management standards applied across the organization]

• Environment: ISO 14001

• Quality: ISO 9001:2000, QS 9000

• Improvement: ISO 9004

• Customers: BS 8600

• Information Security: ISO 27001, ISO 27002

• Governance: COBIT

• Business Continuity: BS 25999

Slide 13

ISO 27000

Slide 14

History of ISO - Timeline

• 1992: The Department of Trade and Industry (DTI), part of the UK Government, publishes a 'Code of Practice for Information Security Management'.

• 1995: This document is amended and re-published by the British Standards Institution (BSI) as BS 7799.

• 1996: Support and compliance tools begin to emerge, such as COBRA.

• 1999: The first major revision of BS 7799 is published, with many major enhancements. Accreditation and certification schemes are launched; LRQA and BSI are the first certification bodies.

Slide 15

History of ISO – The Timeline

• 2000: In December, BS 7799 is again re-published, this time as a fast-tracked ISO standard. It becomes ISO 17799 (more formally, ISO/IEC 17799).

• 2001: The 'ISO 17799 Toolkit' is launched.

• 2002: A second part to the standard is published: BS 7799-2. This is an information security management specification rather than a code of practice. It begins the process of alignment with other management standards such as ISO 9000.

• 2005: A new version of ISO 17799 is published. This includes two new sections and closer alignment with the BS 7799-2 processes.

• 2005: ISO 27001 is published, replacing BS 7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.

Slide 16

Where did 17799 come from?

• BS7799 was conceived, as a technology-neutral, vendor-neutral management system that, properly implemented, would enable an organization's management to assure itself that its information security measures and arrangements were effective.

• From the outset, BS7799 focused on protecting the availability, confidentiality and integrity of organizational information and these remain, today, the driving objectives of the standard.

• BS7799 was originally just a single standard, and had the status of a “Code of Practice”.

• In other words, it provided guidance for organizations, but hadn't been written as a specification that could form the basis of an external third party verification and certification scheme.

Slide 17

Overview – ISO 27000 (base standard)

Published standards:

• ISO/IEC 27001 - the certification standard against which organizations' ISMS may be certified (published in 2005)

• ISO/IEC 27002 - the re-naming of the existing standard ISO 17799 (last revised in 2005, and renumbered ISO/IEC 27002:2005 in July 2007)

• ISO/IEC 27006 - a guide to the certification/registration process (published in 2007)

In preparation:

• ISO/IEC 27000 - a standard vocabulary for the ISMS standards

• ISO/IEC 27003 - a new ISMS implementation guide

• ISO/IEC 27004 - a new standard for information security management measurements

• ISO/IEC 27005 - a proposed standard for risk management

• ISO/IEC 27007 - a guideline for auditing information security management systems

• ISO/IEC 27011 - a guideline for telecommunications in information security management systems

• ISO 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry

Slide 18

Well known ISO standards in the 27xxx series

• ISO 27001: the specification for an information security management system; replaces the old BS 7799-2

• ISO 27002: the new standard number of the existing ISO 17799 standard

• ISO 27004: designated number for a new standard covering information security management measurement and metrics

• ISO 27005: emerging standard for information security risk management

Slide 19

Where does ISO 27001 / 27002 fit in? [Figure]

Slide 20

Implementation context for PDCA

The ISO 27001 Information Security Management System (ISMS) adopts the PDCA model:

• Plan (design phase): establish the objectives and processes necessary to deliver results in accordance with the specifications.

• Do (implementation phase): implement the processes.

• Check, also known as Study (assessment phase): monitor and evaluate the processes and results against objectives and specifications, and report the outcome.

• Act (manage, authorize phase): apply actions to the outcome for necessary improvement. This means reviewing all steps (Plan, Do, Check, Act) and modifying the process to improve it before its next implementation.

Slide 21

[Figure: the PDCA model applied to ISMS processes. Interested parties' information security requirements and expectations enter on the left; managed information security is delivered back to interested parties on the right. Under management responsibility: Plan - establish the ISMS; Do - implement and operate the ISMS; Check - monitor and review the ISMS; Act - maintain and improve the ISMS.]

BS ISO/IEC 27002:2005 (aka ISO 27002)

The international standard that establishes the guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.

The full title of this standard is: "Information technology. Security techniques. Code of practice for information security management".

ISO 27002 is technology independent, focusing on:

• Management aspects of information security,

• Defining controls in a generic sense so that they are applicable across different applications, platforms and technologies.

Slide 22

ISO/IEC 27002 is:

• A code of practice - a generic, advisory document, not truly a standard or formal specification

• A reasonably well structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects

ISO 27002 specifies 39 control objectives:

• To protect information assets against threats to their confidentiality, integrity and availability

• Which comprise a generic functional requirements specification for an organization's information security management controls architecture

• And suggests literally hundreds of best-practice information security control measures

Structure and Format of ISO 27002

Slide 23

The formal standard is arranged in the following sections:

0. Introduction

1. Scope

2. Terms and definitions

3. Structure of this standard

4. Risk assessment

The actual control domains and detailed controls begin with Section 5.

Section 5: Security policy

Management should:

• Define a policy to clarify their direction of, and support for, information security,

• Provide a high-level information security policy statement identifying key information security directives and mandates for the entire organization,

• Support the policy with a comprehensive suite of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security standards, procedures and guidelines.

Structure and Format of ISO 27002

Section 6: Organization of information security

A suitable information security governance structure should be designed and implemented.

6.1 Internal organization

• The organization should have a management framework for information security.

• Senior management should approve information security policies.

• Roles and responsibilities should be defined.

• Information security should be independently reviewed.

6.2 External parties

Information security should not be compromised by the introduction of third party products or services. Risks should be assessed and mitigated when dealing with customers and in third party agreements.

Structure and Format of ISO 27002

Slide 25

Section 7: Asset management

The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.

7.1 Responsibility for assets

All [information] assets should be accounted for and have a nominated owner. The inventory should record ownership and location of the assets, and owners should identify acceptable uses.

An inventory of information assets should be maintained, including:

• IT hardware

• software

• data

• system documentation

• storage media

• computer room air conditioners and UPSs, and ICT services

7.2 Information classification

Information should be classified according to its need for security protection and labeled

accordingly.

Structure and Format of ISO 27002

Slide 26

Section 8: Human resources security

The organization should manage system access rights etc. for 'joiners, movers and leavers', and should undertake suitable security awareness, training and educational activities.

8.1 Prior to employment

Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff.

8.2 During employment

Management responsibilities regarding information security should be defined. Employees and third party IT users should be educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches.

8.3 Termination or change of employment

Security aspects of a person's exit from the organization (e.g. the return of corporate assets and removal of access rights) or change of responsibilities should be managed.

Structure and Format of ISO 27002

Slide 27

Section 9: Physical and environmental security

Valuable IT equipment should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc.

9.1 Secure areas

This section describes the need for concentric layers of physical controls to protect

sensitive IT facilities from unauthorized access.

9.2 Equipment security

Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft etc., both on- and off-site. Power supplies and cabling should be

secured. IT equipment should be maintained properly and disposed of securely.

Structure and Format of ISO 27002

Slide 28

Section 10: Communications and operations management

This lengthy, detailed section of the standard describes security controls for systems and network management.

10.1 Operational procedures and responsibilities

10.2 Third party service delivery management

10.3 System planning and acceptance

10.4 Protection against malicious and mobile code

10.5 Back-up

10.6 Network security management

10.7 Media handling

10.8 Exchange of information

10.9 Electronic commerce services

10.10 Monitoring

Structure and Format of ISO 27002

Slide 29

Section 11: Access control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use. This is another lengthy and detailed section.

11.1 Business requirement for access control

11.2 User access management

11.3 User responsibilities

11.4 Network access control

11.5 Operating system access control

11.6 Application and information access control

11.7 Mobile computing and teleworking

Structure and Format of ISO 27002

Slide 30

Section 12: Information systems acquisition, development and maintenance

Information security must be taken into account in the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.

12.1 Security requirements of information systems

12.2 Correct processing in application systems

12.3 Cryptographic controls

12.4 Security of system files

12.5 Security in development and support processes

12.6 Technical vulnerability management

Structure and Format of ISO 27002

Slide 31

Section 13: Information security incident management

Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.

13.1 Reporting information security events and weaknesses

An incident reporting/alarm procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities.

13.2 Management of information security incidents and improvements

Responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence.

Structure and Format of ISO 27002

Slide 32

Section 14: Business continuity management

This section describes the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 15: Compliance

15.1 Compliance with legal requirements

15.2 Compliance with security policies and standards, and technical compliance

15.3 Information systems audit considerations

Structure and Format of ISO 27002

Slide 33

Slide 34

Implementation process cycle

[Figure: the PDCA cycle mapped onto ISMS implementation activities]

• Plan - establish the ISMS: IS policy; security organisation; asset identification and classification; control selection and implementation

• Do - implement and operate the ISMS: operationalize the processes

• Check - monitor and review the ISMS: check processes

• Act - maintain and improve the ISMS: management review; corrective and preventive actions

Slide 35

What is Information Technology Infrastructure Library (ITIL®)?

Background

• Describes best practice in IT service management (ITSM) drawn from public and private sector IT organizations

− The primary objective of Service Management is to ensure that the IT services are aligned to the business needs and actively support them.

• Benefits include:

− Increased user and customer satisfaction with IT services

− Improved service availability, directly leading to increased business benefits, profits and revenue

− Financial savings from reduced rework and lost time, and improved resource management and usage

− Improved time to market for new products and services

− Improved decision making and optimized risks

ITIL® is a Registered Trade Mark, and Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

Slide 36

Slide 37

What is ITIL® V3?

• ITIL® is about more than 'just' infrastructure

• "Business of IT" oriented approach

• Promotes a service based approach to managing IT

• Includes discussion topics about strategic options, functions, roles and responsibilities as well as continual improvement

• Makes reference to other frameworks (e.g. COBIT, ISO 27001) and talks about better alignment to those

• Helps to provide a standardized process context

• Highlights the importance of process

• Identifies the core activities and metrics for its processes

• Requests measurement programs (baselining, benchmarking) to ensure performance (e.g. TCO, ROI, costing/pricing)

• Revised certification program for professionals - more structured and focused by processes

Slide 38

ITIL® Version 3 Overview

Service strategy:

• Service Portfolio Mgmt

• Financial Mgmt

• Demand Mgmt

Service design:

• Service Catalogue Mgmt

• Service Level Mgmt

• Supplier Mgmt

• Capacity Mgmt

• Availability Mgmt

• IT Service Continuity Mgmt

• Information Security Mgmt

Service transition:

• Change Mgmt

• Service Asset & Configuration Mgmt

• Knowledge Mgmt

• Transition Planning and Support

• Release & Deployment Mgmt

• Service Validation & Testing

• Evaluation

Service operation:

• Event Mgmt

• Incident Mgmt

• Request Fulfilment

• Access Mgmt

• Problem Mgmt

Functions:

• Service Desk

• Technical Mgmt

• IT Operations Mgmt

• Applications Mgmt

Continual Service Improvement:

• Seven Step Improvement Process

Supporting material:

• Service, organizational, process and technology maps

Slide 39

Service Design

ITIL® Version 3

Slide 40

Goal: The design of appropriate and innovative IT services, including their architectures, processes, policies and documentation, to meet current and future agreed business requirements.

Objectives:

− Design services to meet agreed business outcomes

− Design processes to support the service lifecycle

− Identify and manage risks

− Design secure and resilient IT infrastructures, environments, applications and data/information resources and capability

− Design measurement methods and metrics

Goals & Objectives

Service Design

Slide 41

Objectives (contd..):

− Produce and maintain plans, processes, policies, standards, architectures, frameworks and documents to support the design of quality IT solutions

− Develop skills and capability within IT

− Contribute to the overall improvement in IT service quality

Goals & Objectives (contd..)

Service Design

Slide 42

• Service Catalogue Management: The purpose of SCM is to provide a single, consistent source of information on all of the agreed services, and ensure that it is widely available to those who are approved to access the service catalogue

• Service Level Management: SLM negotiates, agrees and documents appropriate IT service targets with the business, and then monitors and produces reports on delivery against the agreed level of service

• Capacity Management: The purpose of Capacity Management is to provide a point of focus and management for all capacity and performance-related issues, relating to both services and resources, and to match the capacity of IT to the agreed business demands

• IT Service Continuity Management: The purpose of ITSCM is to maintain the appropriate on-going recovery capability within IT services to match the agreed needs, requirements and timescales of the business

Processes covered in Service Design

Service Design

Slide 43

Processes covered in Service Design (con’t)

• Availability Management: The purpose of Availability Management is to provide a point of focus and management for all availability-related issues, relating to services, components and resources, ensuring that availability targets in all areas are measured and achieved, and that they match or exceed the current and future agreed needs of the business in a cost-effective manner

• Information Security Management: The purpose of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities

• Supplier Management: The purpose of the Supplier Management process is to obtain value for money from suppliers and to ensure that suppliers perform to the targets contained within their contracts and agreements, while conforming to all of the terms and conditions

Service Design

Slide 44

ITSCM is concerned with managing an organisation's ability to continue to provide a pre-determined and agreed level of IT services to support the minimum business requirements following an interruption to the business.

Goal: To support the overall Business Continuity Management process by ensuring that the required IT technical and service facilities (including computer systems, networks, applications, data repositories, telecommunications, technical support and Service Desk) can be resumed within required, and agreed, business timescales.

IT Service Continuity Management (ITSCM)

Service Design

Slide 45

• To maintain a set of IT Service Continuity Plans and IT recovery plans that support the overall Business Continuity Plans (BCPs) of the organization

• To complete regular Business Impact Analysis (BIA) exercises to ensure that all continuity plans are maintained in line with changing business impacts and requirements

• To conduct regular risk assessment and management exercises, in conjunction particularly with the business and the Availability Management and Security Management processes, that manage IT services within an agreed level of business risk

IT Service Continuity Management – Objectives

Service Design

Slide 46

• To ensure that appropriate continuity and recovery mechanisms are put in place to meet or exceed the agreed business continuity targets

• To assess the impact of all changes on the IT Service Continuity Plans and IT recovery plans

• To ensure that proactive measures to improve the availability of services are implemented wherever it is cost justifiable to do so

• To negotiate and agree the necessary contracts with suppliers for the provision of the necessary recovery capability to support all continuity plans, in conjunction with the Supplier Management process

IT Service Continuity Management – Objectives

Service Design

Slide 47

Lifecycle of Service Continuity Management

IT Service Continuity Management

Service Design

[Figure: the ITSCM lifecycle, driven by Business Continuity Management (BCM) and the Business Continuity Strategy, with key activities per stage]

• Initiation: policy setting; scope; initiate a project

• Requirements and strategy: Business Impact Analysis; Risk Assessment; IT Service Continuity Strategy

• Implementation: develop IT Service Continuity Plans; develop IT plans, recovery plans and procedures; organization planning; testing strategy

• On-going operation: education, awareness and training; review and audit; testing; change management

• Invocation

Slide 48

• Positive results from audits performed over the ITSCM plans to ensure that, at all times, the agreed recovery requirements of the business can be achieved

• Successful results from recovery testing

• Reduction in the risk and impact of possible failure of IT services

• Increased awareness of business impact, needs and requirements throughout IT

• Increased preparedness of all IT service areas and staff to respond to an invocation of the ITSCM plans

IT Service Continuity Management – KPIs

Service Design

Slide 49

• Response time to restore business operations after a disaster occurs, based on the type of recovery option chosen (e.g. manual, immediate, fast, intermediate or gradual)

• Cost of service continuity management vs. cost incurred by the business in the event of an IT service loss. This could include both tangible (e.g. financial) and intangible (e.g. reputation) costs

IT Service Continuity Management – KPIs

Slide 50

COBIT – Control Objective for Information & related Technology

• Accepted globally as a set of tools that ensures IT is working effectively

• Provides common language to communicate goals, objectives and expected results to all stakeholders

• Based on, and integrates, industry standards and good practices in:

– Strategic alignment of IT with business goals

– Value delivery of services and new projects

– Risk management

– Resource management

– Performance measurement

Slide 51

COBIT – Control Objective for Information & related Technology

COBIT® provides guidance for executive management to govern IT within the enterprise

• More effective tools for IT to support business goals

• More transparent and predictable full life-cycle IT costs

• More timely and reliable information from IT

• Higher quality IT services and more successful projects

• More effective management of IT-related risks

Slide 52

Harmonizing the Elements of IT Governance

[Figure: the focus areas of IT Governance, including Resource Management]

Slide 53

The COBIT® Framework [Figure]

Slide 54

COBIT® defines processes, goals and metrics

[Figure: relationship amongst process, goals and metrics (DS5)]

Slide 55

COBIT® products and their primary audience

• COBIT, Risk IT and Val IT frameworks

• Implementing and Continually Improving IT Governance

• COBIT User Guide for Service Managers

• COBIT and Application Controls

Slide 56

End of Session