www.tuv.com
TRANSCRIPT
© TÜV Secure iT GmbH 2003
Agenda
TÜV Secure iT GmbH – short introduction
Risk Analysis – Case Study
Certification Procedure
Let TÜV Secure iT Be Your Guide: Who we are.
Subsidiary of TÜV Rheinland Group
TÜV Secure iT: Specialists in durable security for IT infrastructure design and operation
Staff of approx. 30 experts (experience, specialists)
Competence Center on services in the areas of IT Processes, IT Security Management, IT Security Testing
Security Management for Agencies and Enterprises
Services: Analysis, Monitoring, Certification, Testing, Advice and Implementation, Concepts, Consulting, Verification
IT Security Management creates added value for existing and future business processes
Risk Analysis – Case Study
Assessed Organization
Government Institution (Administration): 1 HQ, 2 subsidiaries, 1300 employees total, 700 in the administrative sector, 1 CISO
Protection Requirements
Identification of critical IT infrastructure
Business processes (Management Workshop, 1 day, 2 experts)
IT layers (Detailed Analysis, 2 days, 2 experts):
Applications: ERP systems, ...
System software: OS/390, Unix, Windows, user systems; DB/DC systems, middleware: DB2, ORACLE, MQ-Series, IMS, CICS, ...
Hardware: Mainframe, Midrange, Intel, storage systems, network components
Infrastructure: area, electric power, air conditioning, access, cabling
Identify Threats (Selection)
Human: hackers; theft (electronic and physical); non-technical staff (financial/accounting); accidental; inadequately trained IT staff; backup operators; technicians, electricians
Non-human: floods; lightning strikes; plumbing; viruses; fire; electrical; air (dust); heat control
(Detailed Analysis, 4 days, 2 auditors)
Risk matrix (1/2)
[Risk matrix: likelihood of occurrence (high / medium / low) against extent of damage (< 500k, 500k - < 1 Mio., 1 - < 10 Mio., > 10 Mio.)]
(risk assessment, 3 days, 1 expert)
Risk matrix (2/2)
[Risk matrix, continued: likelihood of occurrence (high / medium / low) against extent of damage (< 500k, 500k - < 1 Mio., 1 - < 10 Mio., > 10 Mio.)]
Countermeasures
Process: risk identification, evaluation, measures, monitoring
Identified risks grouped by area: Risk A (Risk A 1, Risk A 2, Risk A 3, ...), Risk B (Risk B 1, Risk B 2, Risk B 3, Risk B 4, ...), Risk C (Risk C 1, Risk C 2, ...)
[Chart: likelihood of occurrence against extent of damage in EUR (EBIT), with Risk A 1, Risk B 3, Risk C 2 and Risk B 4 plotted]
[Chart: measure 1, measure 2 and measure 3 raise the security level from low to high]
(risk treatment plan, 2 days, 1 expert)
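As an added worked example (not code from the presentation or from TÜV Secure iT), the following Python models the risk matrix of the two preceding slides and the treatment plan of this one: estimated damage in EUR is mapped to the slide's four damage bands, combined with a likelihood of low / medium / high into a rating, and then re-rated after the planned measures to give the residual risk and the list of risks still above the acceptance threshold. The rating per matrix cell, the acceptance threshold, the sample risks, their amounts and the measures are assumptions chosen for illustration.

```python
"""Constructed example of the qualitative risk assessment from the case study:
a risk matrix (likelihood of occurrence against extent of damage in EUR bands)
and a treatment plan that applies measures and re-rates the residual risk.
Added illustration, not TÜV Secure iT's tooling; the ratings, acceptance
threshold, risk names, amounts and measures are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

LIKELIHOOD = ("low", "medium", "high")            # scale used on the matrix rows
# Damage bands from the slide: (exclusive upper bound in EUR, label).
DAMAGE_BANDS = ((500_000, "< 500k"),
                (1_000_000, "500k - < 1 Mio."),
                (10_000_000, "1 - < 10 Mio."),
                (float("inf"), "> 10 Mio."))
# Assumed rating per matrix cell: rows = likelihood low..high,
# columns = damage band small..large, 1 = negligible ... 4 = critical.
MATRIX = ((1, 1, 2, 3),
          (1, 2, 3, 4),
          (2, 3, 4, 4))
ACCEPTANCE = 2   # assumed: residual ratings above this stay on the open-risk list


def damage_band(eur: float) -> int:
    """Map an estimated damage in EUR to its column in the matrix."""
    for i, (upper, _) in enumerate(DAMAGE_BANDS):
        if eur < upper:
            return i
    raise ValueError(f"damage out of range: {eur}")


def rate(likelihood: str, eur: float) -> int:
    """Look up the risk rating for a (likelihood, damage) pair."""
    return MATRIX[LIKELIHOOD.index(likelihood)][damage_band(eur)]


@dataclass
class Measure:
    name: str
    likelihood_steps: int = 0    # how many steps the measure lowers likelihood
    damage_factor: float = 1.0   # residual damage as a fraction of the original


@dataclass
class Risk:
    name: str
    likelihood: str
    damage_eur: float
    measures: list[Measure] = field(default_factory=list)


def residual(risk: Risk) -> tuple[str, float]:
    """Apply the planned measures and return the residual (likelihood, damage)."""
    idx = LIKELIHOOD.index(risk.likelihood)
    eur = risk.damage_eur
    for m in risk.measures:
        idx = max(0, idx - m.likelihood_steps)
        eur *= m.damage_factor
    return LIKELIHOOD[idx], eur


def treatment_plan(risks: list[Risk]) -> list[dict]:
    """Rate every risk before and after treatment, highest residual first."""
    rows = []
    for r in risks:
        lk, eur = residual(r)
        rows.append({"risk": r.name,
                     "initial": rate(r.likelihood, r.damage_eur),
                     "residual": rate(lk, eur),
                     "measures": [m.name for m in r.measures]})
    rows.sort(key=lambda row: (-row["residual"], -row["initial"], row["risk"]))
    return rows


def open_risks(plan: list[dict]) -> list[str]:
    """Risks whose residual rating still exceeds the acceptance threshold."""
    return [row["risk"] for row in plan if row["residual"] > ACCEPTANCE]


# Constructed sample risks, named like the slide's Risk A 1 / B 3 / B 4 / C 2
# and drawn from the threat list (fire, viruses, theft, lightning).
SAMPLE_RISKS = [
    Risk("A 1 fire in the computer centre", "low", 12_000_000,
         [Measure("fire suppression and off-site backup", damage_factor=0.05)]),
    Risk("B 3 virus outbreak on office PCs", "high", 800_000,
         [Measure("patch management and user training", likelihood_steps=1)]),
    Risk("B 4 theft of backup tapes by technicians", "medium", 2_000_000),
    Risk("C 2 lightning strike on the subsidiary", "low", 300_000),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS):
        print(f'{row["risk"]:<45} {row["initial"]} -> {row["residual"]}  {row["measures"]}')
    print("open:", open_risks(treatment_plan(SAMPLE_RISKS)))
```

Run stand-alone, the script lists the four sample risks from highest to lowest residual rating and leaves only the untreated tape-theft risk above the threshold; swapping in the organization's own matrix ratings and acceptance level is the intended customization.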
ISMS Sectors in Organizations (BS7799-2:2002)
Management: Security Policy (A.3); Organizational security (A.4); Asset classification and control (A.5); Compliance / laws, regulations, agreements (A.12)
Personnel: Personnel Security (A.6)
Business processes: Risk Management (4.2.1); Business Continuity Management (A.11)
Access Control: Access Control (A.9)
Communications and Operations Management (A.8)
Planning / Projects: System Development and Maintenance (A.10)
Facility Management: Physical and environmental security (A.7)
Certification Procedure
BS 7799 Certification by TÜV Secure iT
Phase 1: Pre-Assessment (assessment of protection requirements, appropriateness of security measures)
Phase 2: Assessment
Phase 3: Certification (issuing of the certificate)
Phase 4: Monitoring (spot check audits)
[Figure labels accompanying the phases: validation of documentation 1, 2 and 3; project-related documentation; validation]
Time Frame
[Timeline, January 2005 to June 2005: implementation / improvement of the ISMS, Stage 1, Stage 2, Certification]
(certification assessment, 4 days, 2 auditors)
ISO 17799 / BS 7799 Certification
The TÜV Rheinland Group certification body issues a certificate that is internationally recognized, provided an information security management system is effectively implemented and auditing was completed successfully.
Thank you for your attention!
Now I am ready to answer your questions