World leader in Risk Management and Compliance solutions. Create value and minimize your risks through our on-demand management systems.
Real ISO Corp. 626, Glenn Curtiss Uniondale, 11556 New York USA www.realiso.com
Informative Aspects
Guide Objectives:
- General view of Information Security
- Focus on security management
- Understanding an ISMS
- Understanding Risk Analysis
- Study of Information Security management processes
Old-fashioned view!!!
(Diagram: Decision-Taking, Control Information, Decision-Making, Information Security)
Far beyond firewall!
- Security does not depend upon IT alone
- Assuring security does not mean simply ensuring information secrecy
- Proper decisions depend on accurate information
- Security may generate perceivable value
What is information?
- On paper: memos, standards, formulas, designs, strategies.
- On digital media: disks, tapes, CDs, transmitted files.
- Sound: meeting recordings, messages left on telephone switchboards, cell phone mailboxes.
- Image: document photos, identification photos, facilities photos, videotapes, digital videos.
Resources
- Processing: ability to handle information and generate results
- Storage: ability to store information. Does not change information
- Communication: ability to transmit information. Should not change transmitted information
Warning: Not carrying out Due Diligence and Due Care may characterize administrative negligence.
Basic Principles
- Confidentiality: information that may not be made available or disclosed to people, entities or processes without permission. A concept to ensure that sensitive, confidential information is limited to an appropriate group of individuals or organizations.
- Integrity: the condition by which information or information resources are protected from unauthorized changes. Information accuracy and completeness.
- Availability: information is delivered to the right people, when needed.
ISO 27001
Implementing ISMS - Starting Point
System Scope
Which processes will my system act upon?
- The scope defines which information assets the system will act upon
- It is useful to define the scope through a business process approach
- Scope definition should be clear and allow identification of the locations and assets involved
How does information security relate to these strategies? Which are the company's security objectives?
Risk Analysis
Security Requirements for a Company
- Information security risks
- Regulatory and contractual obligations
- Set of principles, objectives and business requirements needed for information processing
National and International Standards References
- ISO 13335-1 and ISO 13335-2
Risk Analysis
Objectives
- To identify the main risks to information security in a systematic way
- To ensure compliance of the Security Management process with the ISO 27001 standard
- To present in a quantified way the events that may prevent the organization from achieving its goals
- Security Policy
- To provide an overview of the aspects that need to be managed to assure compliance with the Security Policy
- Risk Management is one of the main ways to ensure safety for diverse market segments
Risk Analysis
Methodology
What are the risks of non-compliance with the Security Policy?
- Analysis of risks: technological, physical, administrative
- Business focus: what are the risks really impacting my business?
- Every organization area must be involved
- Direct participation of managers and those individuals responsible for information assets
- Identification and evaluation through: on-site analyses, interviews and meetings, authorized simulations
- Interim results must be submitted for approval
Risk Analysis
Business Processes
- Information flow
- Consider the point where information is generated or starts to be part of the processes
- Consider the emergence, life and destruction of information
- Identify the flow's main components
Risk Analysis
Information Assets
- Information flow components
- Examples of assets: computers, telephone, fax; people, outsourced resources; forms, documents, reports
- Evaluate asset importance for the company
(Diagram: information flow between assets, including Mainframe and Telephone)
Risk Analysis
Threats and Vulnerabilities
What is the damage to the company if the event really takes place? This estimation must consider:
- Revenue and financial losses
- Penalties and indemnifications
- Impact to the company's image
- Evaluate damage in the face of loss of reliability, integrity and availability
- Participation of the company management
What is the frequency with which the issues occur?
- Great impact on the final risk rate
- Probability is one of the risk-determining factors
- Determine the probability for the listed events to occur
We will be discussing within 20 minutes
Risks result from threats and vulnerabilities, considering their probability of occurrence and the related damage
- Risks must be quantified on a numeric scale
- Asset value must always be considered
Risk Treatment
Risk Acceptance Criteria
- Companies have distinct profiles. Daring: speed, greater risk. Conservative: stability, lower risk
- Risk acceptance criteria must be defined: a management decision
- Risks must be knowingly accepted or handled
Risk Treatment
Treatment Options
- Apply controls for risk reduction
- Recognize and accept risks as per predefined criteria
- Avoid risks
- Transfer risks
Risk Treatment
Selection of Controls
- Conformance with the risk acceptance criteria
- Select the risks that will be handled by application of controls
- ISO 17799:2005
- Additional controls may be used
- Control metrics: what are the evaluation metrics and the service levels which the control must conform to?
Risk Treatment
Risk Treatment Plan
- Document indicating responsibilities for risk treatment
- Must indicate residual risk
- Must indicate deadlines
- Must describe how risks will be treated
- Document required in the course of the certification process
Risk Treatment
Residual Risk
- Control implementation may work in two ways: by minimizing impact or by minimizing probability
- Residual Risk is the new risk value after control implementation
Exercise: gather into groups of 3. Select one or more controls from Attachment A of the ISO 27001 standard. Document and identify metrics as per the items presented in the CS document. Results will be discussed with the other groups within 20 minutes.
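The slides above say that risk is quantified on a numeric scale from probability, damage and asset value, that a control lowers either the probability or the impact, and that the residual risk is compared against management's acceptance criteria. The following Python is an added worked example, not material from the course or from Real ISO: it keeps a small risk register, computes inherent and residual risk, and produces the rows of a treatment plan. The 1-5 scales, the product formula, the control reduction factors and the acceptance threshold are all assumptions chosen for illustration; ISO 27001 prescribes none of them.

```python
# Added example, not part of the original course material: a minimal risk
# register that quantifies risk, applies controls that lower probability or
# impact, and compares the residual risk with an acceptance threshold.
# Assumptions (not from the slides): 1-5 scales for asset value, probability
# and damage; risk = asset_value * probability * damage; each control scales
# probability and/or damage by a factor between 0 and 1.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    """A control from the treatment plan and how much it reduces each factor."""
    name: str
    probability_factor: float = 1.0  # 0.5 means the control halves the probability
    impact_factor: float = 1.0       # 0.5 means the control halves the damage


@dataclass
class Risk:
    asset: str
    asset_value: int      # 1 (negligible) .. 5 (critical), assumed scale
    threat: str
    vulnerability: str
    probability: int      # 1 (rare) .. 5 (frequent), assumed scale
    damage: int           # 1 (minor) .. 5 (severe), assumed scale
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> float:
        """Risk before any control: asset value x probability x damage."""
        return float(self.asset_value * self.probability * self.damage)

    def residual_risk(self) -> float:
        """Risk after the selected controls have scaled probability and damage."""
        probability = float(self.probability)
        damage = float(self.damage)
        for control in self.controls:
            probability *= control.probability_factor
            damage *= control.impact_factor
        return self.asset_value * probability * damage


def treatment_decision(risk: Risk, acceptance_threshold: float) -> str:
    """Accept the residual risk if it meets the acceptance criterion, otherwise
    flag it for further treatment (more controls, transfer or avoidance)."""
    if risk.residual_risk() <= acceptance_threshold:
        return "accept"
    return "treat"


def risk_treatment_plan(risks: List[Risk], acceptance_threshold: float) -> List[Dict]:
    """Rows for the treatment plan, highest residual risk first."""
    rows = []
    for risk in risks:
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "inherent": risk.inherent_risk(),
            "residual": risk.residual_risk(),
            "controls": [c.name for c in risk.controls],
            "decision": treatment_decision(risk, acceptance_threshold),
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register (illustrative values, not real assessments).
ACCEPTANCE_THRESHOLD = 30.0  # assumed management decision on the same scale
SAMPLE_RISKS = [
    Risk("Customer database", 5, "Ransomware", "Unpatched server", 4, 5,
         controls=[Control("Patch management", probability_factor=0.5),
                   Control("Offline backups", impact_factor=0.5)]),
    Risk("Visitor log (paper)", 1, "Theft", "Unattended reception desk", 2, 2),
    Risk("Payroll file server", 4, "Insider misuse", "Shared admin account", 3, 4),
]

if __name__ == "__main__":
    for row in risk_treatment_plan(SAMPLE_RISKS, ACCEPTANCE_THRESHOLD):
        print(f"{row['asset']:<24} inherent={row['inherent']:>6.1f} "
              f"residual={row['residual']:>6.1f} -> {row['decision']}")
```

Running it shows the point of the residual-risk slide: the customer database starts at the highest inherent value (100) but its two controls, one acting on probability and one on impact, bring it to 25 and inside the threshold, while the payroll server with no control stays at 48 and must still be treated, transferred or avoided.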
Risk Treatment
Statement of Applicability (SoA)
- Describes all controls in Attachment A of the standard
- Identifies the ones that are applied and those that are not
- Justifies non-implementation of discarded controls
- Justifies implementation of selected controls
- Indicates additional controls
- Indicates where control application is described
Exercise: gather into groups of 3. Prepare a Statement of Applicability. Results will be discussed with the other groups within 45 minutes.
Risk Management
(Diagram: risk management cycle per ISO Guide 73, with Identify Risks, Quantify Risks, Evaluate Risks, Treat Risks, Security Policy, Monitor and Review, and Risk Communication)
Documentation
Documentation Requirements
- Statements of Security Policy and security objectives
- System scope as well as procedures and controls supporting the system
- Risk Analysis Report and Risk Treatment Plan
- Procedures required to ensure effectiveness, operation and control of your security processes
- Remaining records required by ISO 27001
- Statement of Applicability
Documentation
Document Control
- System for document approval
- Document review and update
- Identification of changes and revision traceability
- Make sure the latest document version is always in place wherever it is used
- Control of document distribution
- Ensure identification of external document sources
- Ensure document access control!
Documentation
Record Control
- Records are documents evidencing that a given control or procedure has been performed
- Records usually carry a date and represent instances of the same document
- Examples of records: completed forms, minutes of meetings, system logs
- The standard requires maintenance of records evidencing that the System has been executed
- Records must be kept secure for predetermined periods
- Record maintenance requirements must be clearly identified
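The document control and record control slides ask for revision traceability, assurance that the latest version is the one in use, and retention of records for clearly identified periods. The Python below is an added example, not course material and not a Real ISO tool: a document register that identifies each approved revision by the SHA-256 of its content, so a stale copy in use can be detected by hashing it, plus a retention check that refuses record types whose retention requirement has not been identified. The document ids, record types, retention periods and dates are constructed assumptions.

```python
# Added example, not from the original course material: a small document
# register giving revision traceability (each approved revision is identified
# by the SHA-256 of its content, so an outdated copy in use can be detected)
# plus a record retention check. Retention periods and record types are
# constructed assumptions, not figures from ISO 27001.
import hashlib
from datetime import date
from typing import Dict, List, Optional


class DocumentRegister:
    """Approved revisions of controlled documents, oldest first."""

    def __init__(self) -> None:
        self._revisions: Dict[str, List[dict]] = {}

    def add_revision(self, doc_id: str, content: bytes, approved_by: str, issued: date) -> dict:
        revisions = self._revisions.setdefault(doc_id, [])
        digest = hashlib.sha256(content).hexdigest()
        if revisions and revisions[-1]["sha256"] == digest:
            raise ValueError(f"{doc_id}: content identical to the current revision")
        revision = {"rev": len(revisions) + 1, "issued": issued,
                    "approved_by": approved_by, "sha256": digest}
        revisions.append(revision)
        return revision

    def latest(self, doc_id: str) -> Optional[dict]:
        revisions = self._revisions.get(doc_id)
        return revisions[-1] if revisions else None

    def is_current(self, doc_id: str, content: bytes) -> bool:
        """True if the copy in use matches the latest approved revision."""
        latest = self.latest(doc_id)
        return latest is not None and latest["sha256"] == hashlib.sha256(content).hexdigest()

    def history(self, doc_id: str) -> List[int]:
        """Revision numbers in order, for traceability of changes."""
        return [r["rev"] for r in self._revisions.get(doc_id, [])]


# Assumed retention periods in days per record type (the "clearly identified"
# requirement). Unknown record types raise KeyError instead of being kept silently.
RETENTION_DAYS: Dict[str, int] = {
    "completed_form": 365,
    "meeting_minutes": 3 * 365,
    "system_log": 180,
}


def records_due_for_disposal(records: List[dict], today: date) -> List[str]:
    """IDs of records whose retention period has elapsed as of `today`."""
    due = []
    for record in records:
        retention = RETENTION_DAYS[record["type"]]  # KeyError: requirement not identified
        age_days = (today - record["created"]).days
        if age_days > retention:
            due.append(record["id"])
    return sorted(due)


# Constructed sample data.
TODAY = date(2024, 3, 1)
SAMPLE_RECORDS = [
    {"id": "R1", "type": "system_log", "created": date(2023, 1, 1)},
    {"id": "R2", "type": "system_log", "created": date(2024, 1, 1)},
    {"id": "R3", "type": "meeting_minutes", "created": date(2021, 1, 1)},
]


def build_sample_register() -> DocumentRegister:
    """Two approved revisions of a hypothetical policy document POL-01."""
    register = DocumentRegister()
    register.add_revision("POL-01", b"Security Policy rev A", "CISO", date(2023, 6, 1))
    register.add_revision("POL-01", b"Security Policy rev B", "CISO", date(2024, 2, 1))
    return register


if __name__ == "__main__":
    register = build_sample_register()
    print("rev A still current:", register.is_current("POL-01", b"Security Policy rev A"))
    print("due for disposal:", records_due_for_disposal(SAMPLE_RECORDS, TODAY))
```

Hashing the content rather than trusting a version string on the cover page is the design choice worth noting: a printed copy at a workstation can be checked against the register without any metadata on the copy itself.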
Document hierarchy
(Diagram: document levels SM, SC, SI and SR, with many Security Records (SR) at the base)
Document Arrangement
Exercise: gather into groups of 3. Select one or more controls from the previous tasks. Briefly describe the possible content of the control document and create some instructions for this control. Results will be discussed with the other groups within 30 minutes.
Management Responsibilities
Commitment to the System
- Management must set a Security Policy
- They must make sure that security objectives and plans are in place
- They must define security roles and responsibilities
- Management must communicate to the whole organization the importance of achieving security objectives through compliance with the Policy and individual responsibilities
- For these objectives to be met, Management must provide the required resources
- Management must define the acceptable risk level according to the methodology
- Management must periodically review the system in search of improvement opportunities
- Management must monitor and check the efficiency of the ISMS and Security Controls
Management Responsibilities
Resource Management
- Management must provide the required resources to establish, implement, operate and maintain the System
- They must provide resources to ensure proper application of controls and compliance with regulatory and contractual requirements
- They must assure periodic critical analysis and System improvement
Management Responsibilities
Training, Culture and Capabilities
- Management must make sure that individuals have the required capability to perform their assigned tasks
- The organization's culture level must be periodically evaluated and improvement actions performed
- Records must be kept of all training and other qualification services
Training
Capability and responsibility
- Each function must have clearly defined responsibilities (Job Description)
- It must be assured that individuals performing these functions have the due skills to perform them
- Training must be carried out in line with the required skills
Security Awareness
(Diagram: Maintenance, Processes, Technology, Awareness, Disclosure, Perimeter, People, Training)
Responsibilities - Exercise
Basic Responsibilities
Exercise: gather into groups of 3. Briefly describe the responsibilities of the following roles: Process Manager, Asset Manager, Area Manager, Control Manager, Security Officer. Results will be discussed with the other groups within 30 minutes.
ISMS Monitoring
Performance evaluation
The organization must carry out monitoring routines and other controls to:
- Detect errors in process results
- Identify incidents and security flaws
- Check if security routines are being carried out
- Determine whether actions reflect business priorities
System Efficiency
The organization must carry out monitoring routines and other controls to:
- Check if ISMS procedures are being efficient
- Check if security controls are being efficient
- Check if security objectives are being met
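The monitoring slides ask the organization to check that security routines are actually being carried out, to detect errors in process results, and to measure whether controls are efficient; the earlier "control metrics" slide adds that each control has service levels it must conform to. The Python below is an added example, not course material and not a Real ISO product: it runs those checks over a constructed set of execution records (the kind of "system log" record the record-control slide mentions). Routine names, the service levels expressed as a maximum gap in days, and the records themselves are all assumptions.

```python
# Added example, not from the original course material: a monitoring routine
# that checks whether scheduled security routines are carried out on time,
# flags failed executions as incidents to investigate, and computes a simple
# effectiveness metric per routine. Names, service levels and records are
# constructed assumptions.
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed service level per routine: maximum days allowed between executions.
SERVICE_LEVELS: Dict[str, int] = {
    "backup": 1,
    "log_review": 7,
    "access_review": 90,
    "vulnerability_scan": 30,
}

# Constructed execution records: (routine, execution date, result).
RECORDS: List[Tuple[str, date, str]] = [
    ("backup", date(2024, 3, 10), "ok"),
    ("backup", date(2024, 3, 11), "failed"),
    ("backup", date(2024, 3, 12), "ok"),
    ("log_review", date(2024, 3, 4), "ok"),
    ("access_review", date(2023, 11, 20), "ok"),
]
TODAY = date(2024, 3, 12)  # assumed date of the monitoring run


def last_execution(records: List[Tuple[str, date, str]], routine: str) -> Optional[date]:
    """Most recent execution date of a routine, or None if never recorded."""
    dates = [day for name, day, _ in records if name == routine]
    return max(dates) if dates else None


def overdue_routines(service_levels: Dict[str, int],
                     records: List[Tuple[str, date, str]],
                     today: date) -> Dict[str, int]:
    """Routines whose latest record is older than the service level allows,
    mapped to the number of days they are overdue."""
    overdue: Dict[str, int] = {}
    for routine, max_gap in service_levels.items():
        last = last_execution(records, routine)
        if last is None:
            continue  # reported separately by never_executed()
        gap = (today - last).days
        if gap > max_gap:
            overdue[routine] = gap - max_gap
    return overdue


def never_executed(service_levels: Dict[str, int],
                   records: List[Tuple[str, date, str]]) -> List[str]:
    """Routines with a service level but no evidence of execution at all."""
    executed = {name for name, _, _ in records}
    return sorted(name for name in service_levels if name not in executed)


def failed_executions(records: List[Tuple[str, date, str]]) -> List[Tuple[str, date]]:
    """Executions whose result was not 'ok': errors in process results to investigate."""
    return [(name, day) for name, day, result in records if result != "ok"]


def effectiveness(records: List[Tuple[str, date, str]]) -> Dict[str, float]:
    """Share of successful executions per routine (1.0 = always ok)."""
    totals: Dict[str, int] = {}
    oks: Dict[str, int] = {}
    for name, _, result in records:
        totals[name] = totals.get(name, 0) + 1
        if result == "ok":
            oks[name] = oks.get(name, 0) + 1
    return {name: oks.get(name, 0) / totals[name] for name in totals}


if __name__ == "__main__":
    print("overdue:", overdue_routines(SERVICE_LEVELS, RECORDS, TODAY))
    print("never executed:", never_executed(SERVICE_LEVELS, RECORDS))
    print("failed:", failed_executions(RECORDS))
    print("effectiveness:", effectiveness(RECORDS))
```

On the constructed data the weekly log review is one day late, the quarterly access review is 23 days late, the vulnerability scan has no record at all, and the backup routine ran but one of three executions failed, which is exactly the split between "is the routine being carried out" and "is the control efficient" that the two slides make.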
ISMS Monitoring
Risk Management
The organization must periodically review risks by considering changes in:
- the organization
- technology
- business objectives and processes
- identified threats
- external events such as changes in the political, social or economic scenario
Internal Audit
Process-oriented
- Audits of all areas, business processes, procedures and controls
- Checking of compliance with ISO 27001 and regulatory / contractual requirements
- Checking of compliance with security requirements
- Checking of effective implementation and maintenance of security controls
Basic Aspects
- It is important to keep trained and skilled internal auditors to audit the ISMS
- Experts to check technical compliance
- Audits must be planned: Audit Schedule
- Previous audit results must be considered when planning audits
- Auditors should never audit their own work
(Diagram: Audit Schedule, Technical knowledge, Administrative Controls)
Internal Audit
Audit Performance
- Audits must be focused on the audit scope
- There must be an opening meeting
- Non-compliances found must be recorded, as well as notes and incidents
- The auditees must formally acknowledge the audit results
Audit Techniques
- Sampling audit
- Interviews with managers and employees
- Reading of controls and procedures and requesting of records
- Checking of work routine performance
- Simulation of scenarios
Input Data
- System Efficiency
- Audit Results
- New Risks
- Business changes
System Improvement
Ongoing Improvement
- The feature most shared among ISO standards
- Critical analysis actions, efficiency monitoring and audits should generate improvement actions
- Corrective and preventive actions must be considered
- The organization must be capable of showing its ability to improve the system over time
System Improvement
Corrective Actions
- Identification and elimination of non-compliance causes
- Assurance that non-compliance will not recur
- Base for System improvement actions
- Results of corrective actions must be recorded
- Corrective action results must be periodically reviewed
Preventive Actions
- Pro-activity: identifying non-compliances in advance
- Implementing preventive actions
- Results of such actions must be recorded
- Evaluated risks and the possibility of changes in the initial scenario must be considered
- The cost of preventive actions is generally lower than the cost of corrective actions
Ongoing Improvement
Certification Audit
Required actions
- Full turn of the PDCA cycle
- Internal Audit and identification of the required improvements
- Evidence proving system life for approximately 3 months
- Evidence that Management critically analyzed the ISMS and found it adequate to their needs
Certification Audit
Audit System