ISMS at CDC - Oct 2011

Upload: maira-izhar-3279

Post on 05-Apr-2018


  • 8/2/2019 ISMS at CDC - Oct 2011

    Slide 1/16

    Information Security Management System

    Presented to Prof. M. Moinuddin Ali Khan and team, Institute of Business Management

    October 26, 2011

    Proprietary - Authorized Distribution Only

  • Slide 2/16: Synopsis

    Information security has been a key driver since inception;

    Enterprise Security unit established in 2001;

    Multilayered security approach to ensure fault-tolerance;

    Core depository function certified against ISO 27001;

    SOC for visibility, control and automation.

  • Slide 3/16: Overview of CDC Businesses

    Timeline of business lines:

    1997 - Depository Operations

    1999 - Investor Account Service

    2002 - Trustee & Custodial Service

    2008 - RTA Service

    2010 - ITMinds

    Key figures shown on the slide:

    Holding 66.6 billion shares worth 17.66 billion USD in 592 securities

    ISO/IEC 27001:2005 certified

    100,000 direct account holders

    Over 300,000 account holders

    Assets over 2.1 billion USD in 90 funds for 25 AMCs

    Servicing 26 large-base issuers

    Enterprise IT based consultancy and implementation services

  • Slide 4/16: Information Security Hierarchy

    Reporting chain (top to bottom): CEO > CIO > CISO > Enterprise Security > Department Heads > Champion Users

    The CISO, Enterprise Security and Department Heads together form the Security Management Group.

  • Slide 5/16: CDC Technology Footprint

    3 core business applications

    3 different database technologies

    10 enterprise-class servers

    28 TB of storage across 3 different enterprise storage systems

    Application servers: 50+ servers by 3 different vendors

    Network: devices, network software, multi-homed Internet, ACLs, etc.

    Security: devices, authentication, anti-virus, compliance, etc.

    Others: email, BlackBerry, GL / payroll, IVR, call center, Internet

    Real-time live data service to NCCPL and all 3 stock exchanges

    Multiple database servers (primary & standby) to support alternate channels

    Separate Dev / QA / UAT environments

    8 offices in 5 cities

    3 inter-connected datacenters with data replicated in real-time, also serving as connectivity hubs

    Live connectivity to 100,000 clients

  • Slide 6/16: Key information security questions

    What is valuable information?

    How does information flow within the organization?

    Where is information stored?

    How is information risk defined?

    How is information safeguarded?

  • Slide 7/16: Information Patterns & Needs

    What is management doing to grow the business?

    How is the company image?

    Are company plans / secrets adequately protected?

    Can business continue in case of disaster?

    What is the IT ROI?

    Are systems available when required?

    Are controls appropriate to the risks?

    Who is accessing information?

    Can reliable services be developed?

    Control costs?

    Is privileged user activity monitored?

    How are logs protected? Are logs centrally managed? Tamperproof?

    How to provide assurance to the board?

    How are customer details protected? In how many forms are the details available?

    How is IT service quality? How is IT security ensured? How is compliance done?

    What is link usage? Database / application performance? Capacity management?

    How is physical security managed? How are vendors managed? How are service levels?

    How is compliance with legal and regulatory requirements performed?

    What risks arise due to non-compliance? How to prove due diligence to auditors?

  • Slide 8/16: CDC - ISMS Scope

    Primary objective: to establish an ISMS that provides a balanced approach to information security.

    11 departments, 2 locations

    Applicable controls: 131 out of 133

    9 months implementation

    Certified by SGS / UKAS in Sept 2009

  • Slide 9/16: Information Security Dimensions

    [Figure: information security dimensions, with "Culture" as one labelled dimension; the rest of the diagram did not survive extraction.]

  • Slide 10/16: ISO 27001 Standard

    An internationally recognized, business-driven approach to managing information security.

    A management system enabling balance between physical, technical, manual & personnel security.

    Control domains:

    1. Security Policy

    2. Organizing Information Security

    3. Asset Management

    4. Human Resources Security

    5. Physical & Environmental Security

    6. Communications & Operations Management

    7. Access Control

    8. Information Systems Acquisition, Development and Maintenance

    9. Information Security Incident Management

    10. Business Continuity Management

    11. Compliance

  • Slide 11/16: ISO 27001 Standard vs. others

    [Figure: frameworks positioned on two axes, "Scope of coverage" against "What / How". Frameworks shown: IBTRM, BS25999, COSO / SOx / HIPAA, COBIT, ISO 27001, ITIL, PCI DSS.]

  • Slide 12/16: ISMS Implementation Approach

    Cycle: Establish > Implement > Monitor > Maintain

  • Slide 13/16: ISMS Implementation Approach (detail)

    Establish: Scope; Policy; Risk Assessment; Gap Analysis

    Implement: Document procedures; Deploy controls; Training; Maintain ISMS records

    Monitor: Measure effectiveness; Internal audits; Vulnerability assessment

    Maintain: Management review; Residual risk acceptance; Corrective / preventive actions

  • Slide 14/16: ISMS Implementation Methodology

    Initiation: Scoping; Project planning; Gap analysis; Develop working papers; Project roll-out plan; Awareness

    Implementation: Information asset inventory and classification; Risk assessment; BCP / DR testing; Development of policy / procedures; Implement controls

    Compliance: Internal audit; Information Security Forum meeting; Certification audit stage I; Certification audit stage II

  • Slide 15/16: ISMS Framework

    Document hierarchy, from management level down to operations level:

    Policies

    ISMS Manual

    Procedures

    Forms / Templates / Records

  • Slide 16/16: Open Discussion

    Security is an attitude.