MASLINA DAUD CISSP, ISMS Lead Auditor SPACE & CYBER SECURITY NATIONAL SECURITY COUNCIL FOR SEMINAR KESELAMATAN ICT KKM 24 MARCH 2011 PUTRAJAYA

Transcription

1 INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) : MS ISO/IEC 27001:2007 MASLINA DAUD CISSP, ISMS Lead Auditor SPACE & CYBER SECURITY NATIONAL SECURITY COUNCIL FOR SEMINAR KESELAMATAN ICT KKM 24 MARCH 2011 PUTRAJAYA - 1 -

2 Introduction OUTLINE MS ISO/IEC 27001:2007 Information Security Management System Scope determination ISMS Implementation - 2 -

3 Introduction - 3 -

4 INTRODUCTION Today s increased interconnectivities and interdependencies amongst organizations poses bigger security challenges if nations and businesses are not prepared - 4 -

5 INFORMATION SECURITY - NEED HIGH DEPENDENCY ON ICT Nation, corporations, industry, government, home, universities, schools How to secure your INFORMATION ASSETS against THREATS Approaches Towards Secured National Operating Environment And National Sustainability A systematic approach in managing information security - 5-5

6 NATIONAL EXPERIENCE: NATIONAL CYBER SECURITY POLICY NCSP NCSP Adoption and Implementation 2007 National Cyber Security Policy formulated by MOSTI Objectives NCSP Implementation Address The Risks To The Critical National Information Infrastructure Ensure That Critical Infrastructure Are Protected To A Level That Is Commensurate With The Risks NITC Meeting on 7 Apr 2006 agreed to implement NCSP NCSP was endorsed by the Cabinet in May The policy recognises the critical and highly interdependent nature of the CNII and aims to develop and establish a comprehensive programme and a series of frameworks that will ensure the effectiveness of cyber security controls over vital assets Develop And Establish A Comprehensive Program And A Series Of Frameworks 6-6 -

7 NATIONAL CYBER SECURITY POLICY VISION Malaysia s CNII shall be secure, resilient and self-reliant. Infused with a culture of security it will promote stability, social well being and wealth creation. DEFENCE & SECURITY TRANSPORTATION BANKING & FINANCE HEALTH SERVICES EMERGENCY SERVICES CRITICAL NATIONAL INFORMATION INFRASTRUCTURE Assets (real & virtual), systems and functions that are vital to the nation that their incapacity or destruction would have a devastating impact on National economic strength National image National defense & security Government capability to function Public health & safety ENERGY INFORMATION & COMMUNICATIONS GOVERNMENT FOOD & AGRICULTURE WATER - 7-7

8 EFFECTIVE GOVERNANCE 1 INTERNATIONAL COOPERATION Ministry of Information, Communication & Culture LEGISLATION & REGULATORY FRAMEWORK Attorney General s Office 2 7 CYBER SECURITY Malaysia's Critical National Information Infrastructure shall be secure, resilient and CYBER SECURITY 3

9 MANDAT: MEMORANDUM JEMAAH MENTERI Memorandum Jemaah Menteri bertarikh 24 Februari2010 telah bersetuju: a)supaya dilaksanakan Pensijilan MS ISO/IEC Pengurusan Sistem Keselamatan Maklumat (InformationSecurityManagementSystem-ISMS) untuk sektor-sektor Prasarana Maklumat Kritikal Negara (Critical National Information Infrastructure- CNII); b)supaya pelaksanaan Pensijilan ISMS ini diselaraskan oleh kementerian-kementerian dan agensi-agensi regulatori yang bertanggungjawab terhadap sektorsektor CNII negara; dan c)supaya organisasi-organisasi CNII mendapat Pensijilan ISMS dalam tempoh 3 tahun

10 ANNOUNCEMENT BY MOH

11 MS ISO/IEC 27001:2007 Information Security Management System

12 INFORMATION PROPERTIES TO SECURE The property that information is not made available or disclosed to unauthorized individuals, entities, or processes Confidentiality The property of being accessible and usable upon demand by an authorized entity Availability Available, accessible Integrity The property of safeguarding the accuracy and completeness of assets Information is the crown jewels of business Avinash Kadam, Chief Executive Miel e-security Pvt. Ltd

13 SECURITY INCIDENTS IN HOSPITALS 1994, Dominic Rymer, then a 21-year-old male nurse in the United Kingdom, had hacked into the computer system at Arrowe Park Hospital, Wirral and modified the prescriptions for two patients. A nine-year-old boy, suffering from meningitis was only saved from serious harm by a sharp-eyed ward sister. She spotted that the youngster's prescription had been altered the previous day to include drugs used to treat heart disease and high blood pressure and an investigation was immediately launched. Rymer had also secretly used the computer system at Arrowe Park Hospital... to prescribe anti -biotics to 70- year-old Kathleen Wilson, a patient on a geriatric ward. She had been given the drug, but had suffered no adverse reaction. Source: Nurse- hacker Alters Hospital Prescriptions, Computer Audit Update (February 1, 1994), 1994 WLNR

14 CYBERATTACKS THREATEN HOSPITALS Source:

15 CHALLENGES AND REALITY Attackers are getting more sophisticated Defensive technologies are getting better, but so are attack technologies The environment is getting riskier Risks can be managed but not eliminated Security is a process, not a state

16 Understand the threats Mitigate the risks YOUR RESPONSE? Security strategy people, process & technology Establish security requirements: Risk assessment Legal, statutory, regulatory and contractual requirements Set of principles, objectives and business requirements for information processing that an organization has developed to support its operations

17 INFORMATION SECURITY FRAMEWORK Protection of information can be achieved by identifying and implementing a suitable set of controls. The implementation of controls can be managed systematically by implementing Information Security Management System(ISMS) Adoption of ISMS should be a strategic decision for an organisation ISO (the International Organization for Standardization) IEC (the International Electrotechnical Commission) ISO/IEC JTC 1 (Joint technical committee IT)

18 SECURITY STRATEGY People» Explicit roles and functions» Responsibilities and accountabilities» Continuous awareness, training and education Process» Clear business process and its interactions» Policies Information classification, access control etc» Procedures Incident Handling, Backup/restore etc Technology» Practicality and adoptable

19 WHAT IS ISMS? Information Security Management System ISMS is that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources. A systematic approach in managing organization s information security Reference: ISO/IEC 27001:

20 INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) Based on two international standards: MS ISO/IEC 27001:2007 Specifications with guidance for use Requirements for establishing, implementing and documenting ISMS Annex A: Control objectives and controls ISO/IEC 27002:2005 Code of practice for information security management Catalogue of controls

21 ISMS REQUIREMENT PLAN Risk assessment, risk treatment, controls selection Design & establish DO Implement and deploy controls Implement & operate OVERALL MANAGEMENT SYSTEM RISK BASED APPROACH ACT Improve and update controls, continual Maintain improvement & improve Monitor & review CHECK Monitor and review controls, measure effectiveness, conduct internal audits and re-assess risk

22 Scope Determination

23 SCOPE DETERMINATION Management to determine key business area for ISMS scope Consideration for determination: To consider the most critical information within organisation that requires protection (eg. patients medical records, new product design, market research, customer s information) in which failure of CIA will have significant impact to organisation and country To consider business functions or serviceswithin an organisation that provide the most benefit to the organisation in which failure of any of those business functions or services will give a significant impact to organisation and country To identify the flow of information (eg. origin, transfer, store) Scope to be defined: Boundaries Characteristics of the business Location Assets Technology Justification of exclusion, if any

24 SCOPE -RULE OF THUMB Relates back to business objectives and vision Why require management decision? To expose to the management on the requirements of the standard in anticipation for resources allocation To ensure that the scope is aligned to the organization s strategic objectives

25 Implementation of Information Security Management System (ISMS)

26 OVERVIEW OF ISMS IMPLEMENTATION ISMS CONTROLS [11areas, 133 controls] Establish Roles Scoping of ISMS Develop ISMS Policy Conduct Awareness Workshops Conduct Preliminary Study Perform Risk Assessment Perform Improvement Conduct Internal Audit Measure Effectiveness Select & Implement Controls Security Policy Organization Of Information Security Asset Management Human Resources Security Physical and Environmental Security Communication and Operation Management Access Control Information System Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management Compliance Information Security Management Requirement (based on MS ISO/IEC 27001:2007)

27 4.2.1 Establish the ISMS (Plan) Establish the ISMS (Plan Phase) Define the scope and boundaries of the ISMS Define an ISMS policy Define the risk assessment approach of the organization Identify the risks Analyse and evaluate the risks Identify and evaluate options for the treatment of risks Select control objectives and controls for the treatment of Risks Obtain management approval of the proposed residual Risks Obtain management authorization to implement and operate the ISMS Prepare a Statement of Applicability Source: ISO27001:2005

28 DEFINE ISMS POLICY Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that: includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security; takes into account business and legal or regulatory requirements, and contractual security obligations; aligns with the organization s strategic risk management context in which the establishment and maintenance of the ISMS will take place; establishes criteria against which risk will be evaluated has been approved by management Source: ISO27001:2005

29 DEFINE RISK ASSESSMENT METHODOLOGY Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements Develop criteria for accepting risks and identify the acceptable levels of risk Source: ISO27001:2005

30 RISK IDENTIFICATION Identify the assets within the scope of the ISMS, and the owners of these assets Identify the threats to those assets Identify the vulnerabilities that might be exploited by the threats Identify the impacts that losses of confidentiality, integrity and availability may have on the assets Source: ISO27001:2005

31 THREAT AND VULNERABILITY A threat has the potential to cause an unwanted incident which may result in harm to a system or organization and its assets A threat would need to exploit a vulnerability of the systems, applications or services in order to successfully cause harm to the asset A vulnerability is a weakness. Weaknesses associated with an organization's asset. These weaknesses may be exploited by a threat causing unwanted incidents that may result in loss, damage or harm to these assets

32 THREAT,VULNERABILITY & RISK THREAT (potential danger) X VULNERABILITY = (weakness) RISK (likelihood of weakness exploited) C I A Value of Asset THREAT VULNERABILITY RISK OF EXPOSURE Virus attack Notebook theft Absence of anti-virus software Virus signatures outdated Unattended notebook Absence of physical access control Loss of information availability and integrity Loss of information availability and confidentiality

33 ANALYSE AND EVALUATE RISK Assess the business impact upon the organization that might result from a security failure, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets Assess the realistic likelihood of such a security failure occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented Estimate the levels of risks Determine whether the risk is acceptable or requires treatment using the risk acceptance criteria Source: ISO27001:2005

34 IDENTIFY AND EVALUATE OPTION FOR RISK TREATMENT Possible actions include: applying appropriate controls knowingly and objectively accepting risks, providing they clearly satisfy the organization s policies and the criteria for risk acceptance avoiding risks transferring the associated business risks to other parties Source: ISO27001:2005

35 SELECT CONTROLS FOR RISK TREATMENT Controls objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks as well as legal, regulatory and contractual requirements New controls can be added Some controls not applicable to all security environment Source: ISO27001:2005

36 ISMS CONTROLS : STRUCTURE Security Control Control Objective 1 Control Objective 2 Control 1 Control 2 Control

37 ISMS CONTROL : A. 5 SECURITY POLICY Security Policy Information Security Policy Information Security Policy Document Review of the information security policy

38 4.2.2 Implement and Operate (Do) Implement and Operate ISMS (Do phase) Formulate risk treatment plan Implement risk treatment plan Implements controls Define measurement of effectiveness of selected controls Implement training and awareness programmes Manage operation of the ISMS Manage resources Implement procedures and other controls Source: ISO27001:2005

39 4.2.3 Monitor and Review (Check) Monitor and Review (Check phase) Monitor and review procedures and other controls Undertake regular review of ISMS effectiveness Measure effectiveness of controls Review risk assessments at planned interval Conduct internal audit Management review in a regular basis Update security plans Record events that could have impact on the ISMS effectiveness Source: ISO27001:2005

40 4.2.3 Maintain and Improve (Act) Maintain and improve (Act phase) Implement identified improvements Take corrective and preventive actions Communicate actions and improvements Ensure improvement achieve intended objective Source: ISO27001:2005

41 PREPARATION FOR AUDIT Who provides certification? Internal audit procedure Awareness of ISMS require creative tools Do s and don ts during the audit Internal audit presentation Ensure controls are implemented

42 ISMS CERTIFICATION ROADMAP Maintain ISMS in accordance to the requirements of the standard Continual improvement Initial certification (Year 1) Surveillance (Year 2) Surveillance (Year 3) Recertification Stage 1- Documentation Stage 2 - Implementation To review documentation as required under clause of MS ISO/IEC 27001: 2007 To assess state of readiness To provide focus for planning of the Stage 2 audit Deficiencies highlighted in audit finding need to be resolved before proceeding to Stage 2 audit To confirm that the ISMS conforms to all the requirements of the standard and is achieving the organization s policy objectives To review objectives, procedures and records To interview personnel and observe operations & implementation of controls To recommend certification if no major non-conformance issued Organisations to respond and close all non-conformance

43 IMPLEMENTATION CHALLENGES People Introducing new way of doing thing. Adapting to changes and getting good cooperation from related parties Not enough personnel experts Process Need to study the best way to accommodate current practice with the requirements May not be accurate the first time, but there are always room for improvement Technology Comparative analysis on available solutions Justification for selection of solution. Either to keep up with latest product in the market vs fit for purpose Huge cost to treat risks

44 BENEFITS OF ISMS Provide a structured approach of managing and protecting information security within an organisation Improved management capability in addressing security threats from a variety of sources Create a more secure and organized working environment Protect from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care Reduce the number of internal as well as external breaches Better cost justification in security spending

45 BENEFITS OF CERTIFICATION Enhance information security governance (Risk, Control and Audit) Increase level of confidence to customers and stakeholders and provide assurance that their information is secured and protected Able to position an organisation globally since ISMS certification is a recognition that the organisation has implemented an system that is based on internationnallly accepted standard

46 ISMS CERTIFIED ORGANISATIONS GLOBALLY NO. COUNTRY NO. OF CERTS 1. Japan India 509 China UK Taiwan Germany Korea Czech Republic USA Hungary Italy Spain Poland Malaysia Ireland Thailand Austria Hong Kong Greece Romania countries with at least one certified organization Total of 7058 certified worldwide m/ as at 21 January 2011

47 CRITICAL SUCCESS FACTORS Management commitment and support In-house competency development with dedicated team Effective awareness programs, training and education in inculcating security as a culture Get the right scope and focus only on controls implementation Willingness to change Make it a fun thing, NOT a serious subject! Security is a shared responsibility, not rest on a single person or department

48 - 48 -