popular pitfalls in isms compliance
TRANSCRIPT
2Public
Contents• Introduction• Standard Evolution• Standard Organization• Future of the standard• Implementation issues
✓
321-Sep-2007 Public
Standard Evolution
1995
1998
Initiative from Department of Trade and IndustryBS 7799 Part 1
BS 7799 Part 2
1999New issue of BS 7799 Part 1 & 2
2000 ISO/IEC 17799:2000
2001 BS 7799-2:2002 (drafted)
Sep 2002 BS 7799-2:2002Passed and accepted
Jun 2005 ISO 17799:2005
ISO/IEC 27001:2005Oct 2005
✓
521-Sep-2007 Public
Standard Organization
✓
4 Information Security Management System
5 Management Responsibility
6 Internal ISMS Audits
7 Management review of the ISMS
8 ISMS improvement
A.5 Information Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resources Security
A.9 Physical and Environmental Security
A.10 Communications and Operations Management
A.11 Access Control
A.12 Information Systems Acquisition, Development and Maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance
6Public
Standard Organization (contd.)
Security policy
Access control
AssetManagement
Organization of Information Security
Human Resources Security
Physical and Environmental
security Communications and operationsmanagement
Information Systems Acquisition Development
and Maintenance
Information IncidentSecurity Management
Business ContinuityManagement
Information
Integrity Confidentiality
Availability
Compliance
✓
7Public
Future of the standardISO/IEC Standard Description
27000 Vocabulary and definitions
27001 Specification27002 Code of Practice
(ISO17799:2005)27003 Implementation
Guidance27004 Metrics and
Measurement27005 Risk Management
(BS 7799-3)
✓
8Public
What is an implementation issue?• Standard directly demands and not
complied with• Diluted implementation• Mis-interpretation of the standard
✓
9Public
Implementation Issues - Scope• Scope of ISMS
– Scope is very hazy, not including all the assets and technology
• A good example of ISMS scope The ISMS scope covers all critical systems,
applications, networks, telecommunication links, human resources, and information assets. The scope also includes business operations, administrative functions, customer information, buildings, equipment, tools and utilities used in the execution of business of the organization at site A and site B.
✓
10Public
Implementation Issues - Policy• Security Policy
– Not visible in the organization– Not spread across the organization– Does not help in arriving at security
objectives• Other Policies
– Many other policies not defined– Eg. Clear Desk Clear Screen policy– Mobile computing policy, Teleworking
policy✓
11Public
Implementation Issues – Risk Assessment• Risk assessment not systematic• Risk assessment kicked off with false
comfort of existing controls• Some core assets not identified
– Eg. Design document in an IT organization
• Arriving at acceptable risk level not scientific
• Projects a no-residual-risk scenario✓
12Public
Implementation Issues – SoA Preparation• Only exclusions justified, inclusions
should also be justified• Bi-directional tracing from risks to
control and vice versa absent
✓
13Public
Implementation Issues – Monitoring• Info security review very weak• Obsolete risks not removed• New risks not fully added
✓
14Public
Implementation Issues – Internal Audit• Predominantly CISO and team are
the Auditees• Sampling of other asset owners rare• Absence of qualified internal auditors
✓
15Public
Implementation Issues – Management Review
• All review inputs as required by the standard not addressed
• Management appreciation for security issues very low
✓
16Public
Implementation Issues – Improvement• CA is more prevalent than PA• Analysis of incidents / non-
compliances weak
✓
17Public
Implementation Issues – External Parties• Third party agreements do not stress
security requirements• Third party Vendors not
conspicuously identified in the facility
✓
18Public
Implementation Issues – Asset Management• Server based software owners are
identified but not their custodians• Only critical IT assets identified• Some core assets not properly
identified• Asset labeling improper
✓
19Public
Implementation Issues – H R security
• No systematic screening• Awareness training weak• Removal of access rights weak• Awareness of social engineering
very low
✓
20Public
Implementation Issues – Physical and Environmental Security• Network cables run outside the
security perimeter• No controls on piggy-backing• Structured cabling absent• Security of equipment off-premises
very weak• Movement of media eg. CDs not-
controlled
✓
21Public
Implementation Issues – Communications and Operations Management• Disposal of media very weak• Safety of media-in-transit not
properly addressed• Logs not reviewed periodically• Clock synchronization not done
✓
22Public
Implementation Issues – Access Control
• Privilege management weak• Printouts on printers not picked• Clear desk clear screen policy most
violated• Unabated installation of freeware,
shareware etc.• Laptops don’t have updated virus
signature
✓
23Public
Implementation Issues – IS acquisition, development and maintenance• Applies only for the IS developed to
run the business Eg. ERP, Enterprise Project Management etc.
• Impact analysis to changes very weak
• Fallback plan on a un-successful software upgrade weak
✓
2421-Sep-2007 Public
Implementation Issues – Incident Management• Incident management seen as an
‘impossible activity’• Awareness to report an incident very
low
✓
25Public
Implementation Issues – BCP• BCPs are static• Scale of BCP very low vis-à-vis
business need• BCP Testing not done
✓
26Public
Implementation Issues – Compliance
• One comprehensive list of applicable rules & regulations absent
✓