8/2/2019 ISMS at CDC - Oct 2011
Information Security Management System
Presented to Prof. M. Moinuddin Ali Khan and team
Institute of Business Management
October 26, 2011
Proprietary - Authorized Distribution Only
Synopsis
Information security - key driver since inception;
Enterprise Security unit established in 2001;
Multilayered security approach to ensure fault-tolerance;
Core depository function certified against ISO 27001;
SOC for visibility, control and automation.
Overview of CDC Businesses
1997 - Depository Operations
1999 - Investor Account Service
2002 - Trustee & Custodial Service
2008 - RTA Service
2010 - ITMinds
Holding 66.6 billion shares worth 17.66 billion USD in 592 securities
ISO/IEC 27001:2005 certified
100,000 direct account holders
Over 300,000 account holders
Assets over 2.1 billion USD in 90 funds for 25 AMCs
Servicing 26 large-base issuers
Enterprise IT based consultancy and implementation services
Information Security Hierarchy
Security Management Group
CEO
CIO
CISO
Enterprise Security
Department Heads
Champion Users
CDC Technology Footprint
3 core Business Applications
3 different Database Technologies
10 Enterprise Class Servers
28 TBs of 3 different Ent. Storage
Application Servers: 50+ Servers by 3 different vendors
Network Devices: NW Software, Multi-homed Internet, ACL, Etc
Security Devices: Authentication, Anti Virus, Compliance, Etc
Others: Email, BlackBerry, GL / Payroll, IVR, Call Center, Internet
Real-time live data service to NCCPL and all 3 Stock Exchanges
Multiple database servers (primary & standby) to support alternate channels
Separate Dev / QA / UAT environments
8 offices in 5 cities
3 inter-connected datacenters with data replicated in real-time, and providing connectivity hubs
Live connectivity to 100,000 clients
Key information security questions
What is valuable information?
How does information flow within the organization?
Where is information stored?
How is information risk defined?
How is information safeguarded?
Information Patterns & Needs
What is management doing to grow business?
How is the company image?
Are company plans / secrets adequately protected?
Can business continue in case of disaster?
What is IT ROI?
Are systems available when required?
Are controls appropriate to the risks?
Who is accessing information?
Can reliable services be developed?
Control costs?
Is privileged user activity monitored?
How are logs protected?
Are logs centrally managed? Tamperproof?
How to provide assurance to board?
How are customer details protected?
In how many forms are the details available?
How is IT service quality?
How is IT security ensured?
How is compliance done?
What is link usage?
Database / application performance?
Capacity management?
How is physical security managed?
How are vendors managed?
How are service-levels?
How is compliance with legal and regulatory requirements performed?
What risks arise due to non-compliance?
How to prove due-diligence to auditors?
CDC - ISMS Scope
Primary objective: To establish an ISMS that provides a balanced approach to information security.
11 departments, 2 locations
Applicable controls: 131 out of 133
9 months implementation
Certified by SGS / UKAS in Sept 2009
Information Security Dimensions
[Figure: information security dimensions; only the label "Culture" is recoverable]
ISO 27001 Standard
An internationally recognized business-driven approach to managing information security.
Management system enabling balance b/w physical, technical, manual & personnel security.
1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical & Environmental Security
6. Communications & Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
ISO 27001 Standard vs. others
[Figure: frameworks plotted by scope of coverage against "what" vs. "how": IBTRM, BS25999, COSO / SOx / HIPAA, COBIT, ISO 27001, ITIL, PCI DSS]
ISMS Implementation Approach
Establish
Implement
Monitor
Maintain
ISMS Implementation Approach
Establish: Scope; Policy; Risk Assessment; Gap Analysis
Implement: Document procedures; Deploy Controls; Training; Maintain ISMS records
Monitor: Measure effectiveness; Internal audits; Vulnerability assessment
Maintain: Management review; Residual risk acceptance; Corrective / preventive actions
ISMS Implementation Methodology
Initiation
  Scoping
  Project planning
  Gap analysis
  Develop working papers
  Project roll-out plan
  Awareness
Implementation
  Information asset inventory / classification
  Risk assessment
  BCP / DR testing
  Development of policy / procedures
  Implement controls
Compliance
  Internal Audit
  Information Security Forum meeting
  Certification audit stage I
  Certification audit stage II
ISMS Framework
Management
  Policies
  ISMS Manual
Operations
  Procedures
  Forms / Templates / Records
Open Discussion
Security is an attitude.