Information security PROVIDING PERSONAL AND PROFESSIONAL DEVLOMENT FOR IT LEADERS

Transcription

1 Information security 2005 PROVIDING PERSONAL AND PROFESSIONAL DEVLOMENT FOR IT LEADERS The National Computing Centre 2008

2 You can t undisclose a disclosure 1 ISO 9001 Act Quality Plan TickIT management Capability How do we do it systems Maturity What to do? better next time? ISO/IEC Model How to do it? System ISO Life Cycle EFQM BS Information security Processes Excellence IT service continuity management systems. Model Requirements BS Evidential ISO/IEC weight and legal admissibility ISO/IEC Information technology of electronic information Software Guidelines for requirements life cycle engineering tool capabilities BS ISO/IEC processes Corporate governance Towards of information technology STARTS Software Software Techniques ISO Excellence e-government Interoperability for Reliable, Software Framework (e-gif) Trusted process Systems assessment ISO Information security: risk management ISO/IEC TR All business or service processes need the ability to go ISO/IEC Framework for IT through iterative phases of plan-do-check-act. This chart shows IT service how the top 8 national and international standards (emboldened management security assurance: Analysis of assurance text) form part of the best practice framework in information technology. methods ISO/IEC This standards framework is the foundation for organisations Quality characteristics to accept the technical standards of particular Accredit UK technologies including those special to vendors. ISO/IEC Guidelines for ICT disaster Control recovery services Objectives ISO for Information Guidelines for the design and Related and preparation of user Check Technology documentation for Do (CobIT) Data Protection application software 9 Did it go according Act Do what was to plan? 1998 planned The National Computing Centre The National Computing Centre The landscape of Information Security standards Introduce a corporate information security programme step-by-step Good practice security controls for information management 2 1 Gerry O Neill, CEO, IISP

3 ITadviser Benchmarks Guidelines The National Computing Centre Corporate Advisory Service Seminars Home User Legal Guidance School User Intermediary User Home User Small Business User University User Best Practice Training Research Central Government User Local Government User National Infrastructure User Corporate User Small Business User Rapid Surveys RFI service Technical Consultant Round Tables System Developer System Analyst System Tester Technical Support Technical Support Bespoke Reports Advisory services Human Firewall 3No. The National Computing Centre doesn t do escrow!

4 History (Learning Lessons) 1994: Security Breaches Survey 1995: DTI Code of Practice/BS : BS 7799 Code of practice for information security (the catalogue of controls) 2000: ISO (aka BS 7799 Part 1) No certificates! 2002: BS 7799 Part 2 (Plan-Do-Check-Act) Specification for and information security management system 2005: ISO (Revised):= ISO (aka BS 7799 Part 2) 4

5 The landscape of Information Security standards 5

6 What they really mean ISO (BS 7799 Part 2) Information security management system requirements Plan-do-check-act Like ISO 9001/ISO Certification Benchmark ISO (ISO 17799; BS 7799 Part 1) Code of practice Catalogue of 135 controls! Pick and mix using ISO No certificates! 6

7 Quality policy Preventive action Customer feedback Responsibility, authority and communication Measurement Resource management Product realisation Design and development review Human resources 7 A taxonomy of treatment (not a wish list) Purchasing

8 TickIT ement Plan What to do? ISO/IEC How to do it? System 7001 Life Cycle BS n security Processes IT service continuity t systems. ments BS Evidential weight and legal admissibility ISO/IEC of electronic information Software life cycle BS ISO/IEC processes Corporate governance of information technology STARTS Software Techniques e-government Interoperability for Reliable, Framework (e-gif) Trusted Systems ISO Information security: risk management ocesses need the ability to go ISO/IEC do-check-act. This chart shows IT service ernational standards (emboldened management ractice framework in information nology. ISO/IEC the foundation for Quality organisations characteristics al standards of particular those special to vendors. ISO/IEC Guidelines for ICT disaster recovery services ISO Guidelines for the design and preparation of user documentation for ction application software 8 The National Computing Centre Do Do what was planned

9 ISO/IEC in 13 Steps 2005 PROVIDING PERSONAL AND PROFESSIONAL DEVLOMENT FOR IT LEADERS The National Computing Centre 2008

10 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 10

11 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 11

12 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 12

13 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 13

14 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 14

15 15

16 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 16

17 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 17

18 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 18

19 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 19

20 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 20

21 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 21

22 22 How serious are the threats to our assets? What is our commitment to security? What level of risk can we accept? Asset ownership? What assets are we protecting? 3. Risk Assessment 2. Policy 1. Scope How do we do all this? Reappraise How much risk can we accept for each asset? Test Management Security Incidents Security Incidents Controlled Cost 7. Processes Security Incidents (10) System security plans and procedures 4. Security Controls Update Invoke 6. Business Continuity How is risk kept to acceptable levels? 5. Applicability Which assets are protected by which controls? What are the priorities for the business? Are we achieving set service level measures?

23 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 23

24 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure time (3) High level security policy (4) Staff training and education creating security awareness (5) Identify quality and classify the assets (6) Risk assessment cost content (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 24

25 Project plan (1) Senior management acceptance and endorsement of security (2) Information security organisation and infrastructure (3) High level security policy (4) Staff training and education creating security awareness (5) Identify and classify the assets (6) Risk assessment (7) Risk treatment plan (8) Security standards document (control measures) (9) Statement of applicability (10) System security plans and procedures (11) Monitor and review the ISMS performance (12) Maintain the ISMS; continuous improvement (13) Extending the scope 25

26 Protection of organizational records (ISO/IEC 27002:2007) Categorise records manage according to impact level Protect against deterioration Long term storage - use paper and microfiche (encrypt?!) Guide retention, storage media type, handling, and disposal to meet business, statutory, regulatory or contractual requirements Keep inventory of sources of key information Implement procedures (with/without technology) to protect records and information from: Loss Destruction Falsification. Store cryptographic keys and programs to enable decryption See ISO ISMS=RMS ISMS IT

27 Final thought 2008 The year of lost data (UK) 2009 The year of encryption 2010 The year of lost encryption keys Think: Retrieval and retention not loss 27 Good security is an enabler

28 You can t undisclose a disclosure ISO 9001 Act Quality Plan TickIT management Capability How do we do it systems Maturity What to do? better next time? ISO/IEC Model How to do it? System ISO Life Cycle EFQM BS Information security Processes Excellence IT service continuity management systems. Model Requirements BS Evidential ISO/IEC weight and legal admissibility ISO/IEC Information technology of electronic information Software Guidelines for requirements life cycle engineering tool capabilities BS ISO/IEC processes Corporate governance Towards of information technology STARTS Software Software Techniques ISO Excellence e-government Interoperability for Reliable, Software Framework (e-gif) Trusted process Systems assessment ISO Information security: risk management ISO/IEC TR All business or service processes need the ability to go ISO/IEC Framework for IT through iterative phases of plan-do-check-act. This chart shows IT service how the top 8 national and international standards (emboldened management security assurance: Analysis of assurance text) form part of the best practice framework in information technology. methods ISO/IEC This standards framework is the foundation for organisations Quality characteristics to accept the technical standards of particular Accredit UK technologies including those special to vendors. ISO/IEC Guidelines for ICT disaster Control recovery services Objectives ISO for Information Guidelines for the design and Related and preparation of user Check Technology documentation for Do (CobIT) Data Protection application software 9 Did it go according Act Do what was to plan? 1998 planned The National Computing Centre The National Computing Centre The landscape of Information Security standards Introduce a corporate information security programme step-by-step Good practice security controls for information management 28

29 PAS 77:2006 IT Service continuity 29

30 30