How to implement an ISO/IEC information security management system

Transcription

1 How to implement an ISO/IEC information security management system The March-April issue of ISO Management Systems reported positive user feedback on the new ISO/IEC 27001:2005 standard for information security management systems. This follow-up article provides advice from experts who developed the standard on how to achieve its benefits. by Ted Humphreys Ted Humphreys is Convenor of the Joint Technical Committee, ISO/IEC JTC 1, Information Technology, Subcommittee 27, IT Security techniques, Working Group 1, Requirements, services and guidelines. He is also Director of XiSEC, a company specializing in information security management systems. Tel tedxisec@aol.com Web The recently published ISO/ IEC 27001:2005, Information technology Security techniques Information security management systems Requirements, provides a foundation for designing and deploying a management system for information security to prevent a variety of business-threatening risks such as the following : financial losses and damages ; loss of the organization s intellectual capital and intellectual property rights ; loss of market share ; poor productivity and performance ratings ; ineffective operations ; inability to comply with laws and regulations ; and even loss of image and reputation. This ISO/IEC standard is already showing signings of becoming even more of a winner than its predecessor the hugely successful previous British standard BS 7799 Part 2:2002 My previous article, in the March-April 2006 issue of ISO Management Systems, provided some feedback from those thousands of businesses that have already been using an Information Security Management System (ISMS) to manage and protect this critical and important asset. This article provides some ideas on how to get started with implementing the standard, as well as going for certification if so desired. The ISMS model ISO/IEC 27001:2005 specifies the requirements and processes for enabling a business to establish, implement, review and monitor, manage and maintain effective information security. Like ISO 9001:2000, it is built on the Plan-Do-Check-Act (PDCA) process cycle model (see Figure 1 for the ISMS version of this model), as well as on the requirement for continual improvement. John Snare : Organizations need to consider how the ISMS processes will be imbedded as part of business as usual. Here is advice on implementing ISO/IEC gleaned from a question-and-answer session with John Snare (Fujitsu, Australia) one of the coeditors of the standard. What are the three key things an organization needs to consider when designing and developing an ISMS based on ISO/IEC 27001:2005? John Snare : Firstly, an organization needs to have a very 40 ISO Management Systems May-June 2006

2 clear understanding of why information security is important and what it wants an ISMS to help it achieve. This means understanding how information security relates to its specific business objectives, taking into account the expectations of its customers, the financial objectives of the organization, and any relevant regulatory or legal requirements. ISO/IEC is based on the PDCA process cycle model Secondly, an organization s senior management needs to be actively involved in the decision-making processes concerning objectives, priorities and implementation timeframes. Senior management needs to determine how they are going to demonstrate that they are actively involved in the leadership of ISMS activities, have p r o v i d e d t h e n e c e s s a r y resources, and have ensured that sufficient trained personnel are available for implementation and ongoing operation and improvement of the Thirdly, organizations need to consider how the ISMS processes will be imbedded as part of business as usual operational processes. This is important to ensure that the ISMS is effectively used as a means to achieve the desired outcomes on an ongoing and sustainable basis. If this is not done, the ISMS is destined to become shelf-ware, ineffective, and a waste of money. What are the main areas that an organization needs to consider in order to achieve a successful ISMS implementation and operational deployment? John Snare : Selection of a suitable risk assessment approach and tools are critical to the ongoing effectiveness of an The approach taken must be consistent with the culture of the organization concerning the management of other types of risk, and staff must be trained in the methodology and use of the tools. A successful ISMS implementation also requires follow through from planning to operation. It is very easy to become distracted following an intensive initial implementation phase and neglect ongoing operational and improvement activities. Monitor and review ISMS Maintain and improve ISMS Implement and deploy ISMS Figure 1 The ISMS version of the PDCA model As ISO/IEC is based on the PDCA model, its approach is targeted towards continual monitoring, review and improvement of the Do you have any useful tips on how go about these tasks? John Snare : It is inevitable that security incidents will occur and that, from time to time, management reviews or audits will detect nonconformities with ISMS standards, policies and procedures. When such circumstances arise, don t just take a tactical approach to solve the problem on an ad hoc basis. Instead, use the If procedures and processes are found wanting, then improve them. For example, if they do not support rapid response to a crisis, update them so that they will in future. Design ISMS Angelika Plate : A risk assessment should be seen as an enabler for organizations. Risk management One of the key aspects of ISO/IEC 27001:2005 is that of risk management and the reduction of risks based on ISO/IEC 17799:2005, Information technology Security techniques Code of practice for information security management. The following advice is based on recent interviews with Angelika Plate (AEXIS, Germany) co-editor of ISO/ IEC What are the three key things an organization needs to consider when doing a risk assessment? Angelika Plate : Carrying out a risk assessment is a requirement of ISO/IEC 27001, but this should not be the only driver for doing so. A risk assessment should be seen as an enabler for organizations to tailor the amount of information security and the extent of controls exactly to what their business needs. Therefore, organizations should take this opportunity seriously and identify all their individual legal and regulatory, contractual and business requirements. ISO Management Systems May-June

3 Next, an organization should think about what it wants to protect (its assets), the utility the assets have for the business and what could damage the assets (threats and vulnerabilities). Following on from this, the impact of a damaging event and the likelihood that such an event takes place need to be assessed. The combination of these two factors creates the risk. The result of the risk assessment should be a list of identified risks, ranked in order of their severity and the need to take action. Selection of a suitable risk assessment approach and tools are critical After carrying out the risk assessment, what does a user need to do next? Angelika Plate : An organization needs to decide how it wants to deal with the risks. There will be an initial threshold, a level of risk that has been identified as acceptable, and all risks below or at this level will not require further treatment. For all other risks, there are different options (as described in ISO/IEC 27001) that an organization can take : Reduce the risk by implementing controls ; Knowingly and objectively accept the risk (even though it is above the threshold of acceptance; for example, if no other feasible solution exists ; Job skills in areas that impact information security effectiveness should be evaluated. (Photo: DIN) Avoid the risk ; for example, by not getting involved in the business activity that causes the risk ; Transfer the risk ; for example to an insurance company. Whichever of these alternatives or a combination of them is to be taken is entirely up to the organization doing the risk assessment. These decisions are to be made by the management of the organization, and the business objectives and requirements should be taken into account when making these decisions. ISMS controls Do you have any useful tips of how go about the selection of controls from ISO/IEC 17799:2005? Angelika Plate: There are different objectives that controls might fulfil when they are selected to reduce risks : limiting the damage if a risk occurs ; an example is information back-up that can limit the damage due to information loss, irrespective of the risk that causes the information loss ; reducing the likelihood that a damaging event ; i.e. a particular threat/vulnerability combination, occurs. Let s look at these in more detail. Limiting the impact In addition to information back-up, incident management, which ensures a controlled, orderly response, can again limit the impact regardless of the problem that might have caused the incident. Dealing with the vulnerability If the organization s Internetconnected systems have been compromised due to a software vulnerability, then this weakness needs to be dealt with. For example, the problem might be caused by lack of software patch management and so the latest software updates need to be obtained and installed. Perhaps the access to the organization s information systems is based on a standard password mechanism and this has been recently compromised. This may be due to lack of awareness or diligence by the staff in the need to apply good password management for their own passwords. Is the weakness in fact a lack of awareness, a lack of clear procedures or both? Again, this weakness needs to be investigated and dealt with to avoid a recurrence of the comprised systems. Reducing the risk of exposure A control might also aim at reducing the likelihood that a threat is able to exploit a vulnerability, i.e. a particular combination of threat and vulnerability occurs. The threat is not removed, or, as is generally the case, it is not possible to influence or removes the threats. Internet attacks and hackers exist, and always will do. However, it is possible to reduce the vulnerabilities by improving the protection that is applied, thereby making it more difficult for a threat to take place. If the policies and procedures are well written, understood and applied, if the technical controls work as intended and if this system of controls is also regularly updated with the latest developments and changes, the organization is far less likely to be subject to successful attacks than otherwise. 42 ISO Management Systems May-June 2006

4 Very often, a combination of both effects (reducing the damage and the likelihood that it takes place) is most effective and in all cases it is worth while considering alternatives to achieve protection. It is not always necessary to use expensive, sophisticated technical solutions sometimes a simple change or improvement of procedures might achieve the same effect. In addition, it is recommended only select a control if it is possible to consistently and completely implement it, including all needed expertise and resources otherwise the controls might only create a false sense of security. A risk assessment enables organizations to tailor the amount of information security For example, implementing a control such as a firewall only makes sense if this firewall is configured to the particular needs of the organization, and if this configuration is well managed, monitored and regularly updated. User awareness There is no doubting the importance that user training and awareness plays in information security. Most of the problems that occur can be traced back to a people problem. Here is some advice provided by Eva Kuiper (HP, USA and Eva Kuiper : Security needs to be sold as an enabler to keeping an organization healthy. Canada) one of the co-editors of ISO/IEC 27001:2005. Eva Kuiper : The long term effectiveness of an information security programme depends on buy-in from the entire organizational community, not just those in the security staff. Communicating the value of the programme and the responsibilities of the people involved is a requirement for the success of any security programme. This makes security awareness and training indispensable as a key deliverable of any information security management system. Policies and standards, no matter how clearly written, become a lot more personal when familiar examples are presented to employees, explaining their roles in implementing the policies. Security awareness and training programmes are also identified as key controls in ISO/ IEC 17799:2005, and they are a mandatory deliverable in demonstrating both competence and understanding of security responsibilities in ISO/IEC 27001:2005. When putting such a programme in place, the following elements should be considered : Security awareness sponsorship must start at the top. Security needs to be sold as an enabler to keeping an organization healthy, changing the perception of security as a barrier to getting one s job done. Upper management needs to be involved in communicating why they want to enhance the security posture of their organization and what the advantages will be to the organization. Information back-up can limit the damage due to information loss These advantages can be around customer loyalty, brand image or other business benefits, and should not focus merely on the technical benefits. Job skills and certification programs required for information security staff should be clearly identified. Training should be tracked and reviewed to determine its value and impact on improving the effectiveness of the information security programme. Job skills in areas that impact information security effectiveness should be evaluated and recommendations for training put in place. This may include areas such as software development, project management, and operation delivery where process improvement may improve overall effectiveness of security. Basic mandatory training of user responsibilities and accountability for maintaining a secure organization should be in place for all employees. This training should be kept timely, coordinated with any changes in policies and standards, and repeated at a reasonable time interval. The consequences of employee actions should be clearly communicated. Business partners, contractors, and outsourcers should not be forgotten in any training and awareness programme. An organization that uses contractors or outsourced services should not ignore the security impact of communicating security requirements for storage and transmission of sensitive information. Education on policies and standards is not sufficient without the tools to enable employees to meet what's being asked of them. It is not always necessary to use expensive, sophisticated technical solutions A Web site consisting of how to tutorials, security tips and tricks, how to report security events, links to policies and standards, and other articles of interest, such as home network security, is indispensable for enhancing the sometimes terse language of policies and standards. ISO Management Systems May-June

5 This Web site should include contacts and answers to frequently asked questions (FAQ s) can also be provided. The FAQ s can also be used during policy reviews to identify gaps and areas of further clarification. Ultimately, the goal of any security training and awareness programme is to distribute the responsibility of meeting security requirements across the entire organization and not just something that s the job of the information security staff. A strong feedback loop between information security and the rest of the organization can become an effective tool for improving security throughout the organization. Maintaining the state of the art After designing, implementing and deploying the ISMS it is extremely important that to have a regular review programme to check whether any change that are made to the organization s business environment has an impact on the Security awareness and training are indispensable It may be that over the following 6 to 9 months, the threats to the organization s information resources have increased and diversified. It may be that the business processes or ways of doing business have changed, or that new technology has been introduced, or there is a new company structure, or new legislation has been introduced, or the size of the company has changed. All these factors could have an impact on the Th e I S M S P D CA m o d e l defines monitoring, review and improvement processes as part of the ISMS life cycle to ensure that the businesses security posture is effective and is kept up to date through continual improvement. Hence, delivering effective ISMS protection is an on-going activity. The certification option Certification of ISMS in conformity to BS 7799 Part 2 has been in place for several years. Certification is not a requirement of ISO/IEC 27001:2005 (nor was it of BS 7799 Part 2) it is the decision of the organization whether it wishes to take the certification route. However, more organizations from over 50 countries have been certified and the growth in this area is increasing at a rate see The International Register of Accredited Certifications at www. ISO27001certificates.com. Now that ISO/IEC has been published BS 7799 Part 2 has been withdrawn and all current certificates are being migrated to ISO/IEC during a formal transition period of about 18 months as defined by the national accreditation bodies that approve certification bodies as competent. How does the ISMS certification market look since the arrival of ISO/IEC 27001? Malcolm Marshall : Have you got the risk and control balance right? Malcolm Marshall, Director, Certification Services, KPMG Audit Plc, provided his perspective : Having been involved in some of the very first BS 7799 certification assessments in 1999, it is very pleasing to welcome the internationalisation of the standard in the form of ISO/IEC We are already seeing an increase in demand for services and expect to see a more aggressive take-up in the Americas and in Europe, the Middle East and Africa during 2006 and beyond as more organizations seek to implement ISMS on a global scale. If you decide to embark on the certification route you need to think through four key questions: 1. Do you need it? Perform a needs analysis to determine the impacts of becoming certified it is easy to underestimate the effort in moving from adherence with the concepts of ISO/IEC and implementing a certifiable 2. Can you do it? You need to make sure that you have the right senior support and suf- ficient in-house capability to achieve and maintain certification. Think about external help to coach you through your preparations. 3. Do you understand it? Recognize that there are two components to the standard management system (governance) and security controls. 4. Have you got the risk and control balance right? A key to achieving certification is demonstrating that the balance between risks and controls is appropriate make sure there is rigour behind your risk assessment so that the processes and controls mitigate the risks to the business. 5. Can you maintain it? Do not underestimate the need to maintain and improve this should, in fact, be an integral part of business-as-usual activities. Common language ISO/IEC 27001:2005 is already providing many benefits for businesses world-wide. It is ensuring their well-being and allowing them to be successful in today s risk-pervasive business environments. ISO/IEC promises to be more even more successful than its predecessor, BS 7799 Part 2. The new standard is rapidly becoming the common international language for information security management systems across the whole spectrum of business markets and sectors. 44 ISO Management Systems May-June 2006