The Information Security Management System According ISO The Value for Services

Transcription

1 I T S e r v i c e M a n a g e m e n t W h i t e P a p e r The Information Security Management System According ISO The Value for Services Author: Julio José Ballesteros Garcia Introduction Evolution of the Information Security Management Standard The first Information Security Management models emerged in the United Kingdom in the 1990s, and the first security standard, the BS779, was introduced in The development of Information Security Management Systems quickly spread. In 2002, the ISO17799 (replacing the BS7799-1) appeared, and in the same year, the new version of BS Both are popular, and have become valuable tools to introduce ISMSs into organizations. The adoption of the British standard by the International Organization for Standardization (ISO) in 2005 created the ISO27001:2005 standard, which is recognized as an international model. From this point forward, ISO began to develop new security standards with the objective to provide a comprehensive information security catalog. D a r e t o c h a l l e n g e

2 Security Standards Development BS7799-2: 1999 BS7799-2: 2002 ISO27.001: 2005 ISO27.001: 200 BS BS BS7799-1: 1999 ISO17799: 2000 ISO17799: 2005 ISO : 2004 ISO standards for Information Security Management ISO27000 Vocabulary and definitions (terminology for other standards in the series) ISO27001:2005 This provides the requirements for an Information Management Security System. This standard also provides guidelines for the accreditation of organizations offering ISMS certification. ISO27002:2007 The Code of Practice of Information Security Management, formerly known as ISO ISO27003 The implementation guide for ISO27004 Information security system management measurement and metrics ISO27005 This is the methodology for the ISO standard for information security risk management. What are the benefits of an Information Security Management System? ISMS benefits To have an Information Security Management System is not a security guarantee. However, an ISMS does ensure that security levels are achieved, and in the case of an incident or situation, that management knows how to address the security compromise, and understands the three fundamental principles of information security: Integrity Assurance that the information and process methods are authentic and complete. Confidentiality Assurance that information is shared only among authorized persons or organizations. Availability Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them. The adoption of an ISMS provides a range of advantages for any organization. The most important are the following: -2-

3 Correct management of the information generated by the business processes. For each business process, the necessary information is available at all times and with the qualities required. Definition and controls for legal requirements regarding information, personal data protection, tax and financial legislation, etc. Increased legal requirements make it necessary to have a model that defines, controls and guarantees the performance of these requirements. Fulfill the customer s security needs. The customer s participation in service delivery is increasing. As consequence, the organization has access to information related to the customers activities (internal or external), and this information must be properly managed. Awareness of information assets value. A risk analysis signifies the importance of that information to the organization, and underscores the value of that asset, which may have gone unnoticed. Assure the confidence of shareholders and other key groups. An ISMS certification implies a guarantee of performance based on an independent organization s internationally recognized standards, offering clear advantages in the marketplace. Establish and implement an ISMS The ISMS, as well as other management systems defined by ISO, are built in accordance with the PDCA model (Plan, Do, Check, Act). It is a model created by Walter Shewhart in the 1930s and popularized by W. Edwards Deming in the 1950s. The next figure shows the model and the different activities that compose its stages. ISMS Lifecycle PDCA Model (Plan, Do, Check, Act) ISMS Lifecycle PLAN Establish the Scope Define Policy Identify Security Requirements for Services Risk Analysis Statement of Applicability DO Risk Treatment Plan (Design and Implement) Control Implementation Establish Metrics Training ACT Continual Improvement Execute Preventive and Corrective Actions CHECK Measure the effectiveness of controls Audit ISMS Reviews Non-conformities, Corrective and Preventive Actions -3-

4 Plan The first activity in this stage is to obtain management s commitment and to verify that support through the following steps: Designate the person responsible for the management systems. The Security Manager is the person who directs the management system, and guarantees and facilitates deployment of all the processes. The Chief Information Security Officer (CISO) may assume this role. Create the Security Board. The Security Board is the highest decision-making and management body in Information Security. The Security Board is made up of directors of the organization and those persons responsible for the management systems. An organization may have two or three Security Boards; this decision will depend on how the organization understands security and the defined scopes. Establish the Information Security Policy. The policy establishes the key drivers to be implemented by the ISMS. The security policy must align with business needs; this is the best way to demonstrate how the ISMS contributes to increased effectiveness. The Security Board defines the policies and its president authorizes them. Define the Security Objectives. These express in a clear and measurable manner the achievements to be reached through the ISMS implementation. The Security Board formulates them and they are connected with the ISMS policies. Scope Definition It is important to know where, for which services and for which customers the ISMS will be implemented. Compared to other management systems such as ISO9001, where the trend is to obtain certification for the entire organization with an ISMS it is preferable to start with limited scopes and increase them later. The defined scope is connected with a particular and important service for the organization. Requirements of Security Services The defined scope of services must provide real value for the customers. The manager of the organization will determine the security needs. These security requirements are defined in terms of integrity, confidentiality and availability. For example, it may be necessary to encrypt the information, or to provide employees with an individual password. Develop the documentation structure of the ISMS The next step, after defining the scope and the security ISMS requirements, is to prepare all the documents needed to deploy the ISMS. The documentation must capture how the organization executes the requirements of the standard. -4-

5 The ISMS documentation is formed by: Management System Manual, including the documented policies Statement of Applicability Procedures Manual Work Instructions Manual ISMS Registers ISMS Handbook Documented Policies Statement of Applicability Documented Procedures Work Instructions Records Do After approval by the board of directors, the documentation will be implemented. Implement the procedures This stage begins implementation of the documentation. When the activities described in the procedures begin the implementation, the results are the records. The records are the evidence that demonstrate the performance of the requirements indicated by the standard. The main registers into Implementation Plan are: Risk Analysis. Determines the assets that integrate the ISMS. The level of monitoring required for individual facilities should be determined by a risk assessment. Management Risk Plan. The process of identifying, controlling and minimizing or eliminating security risks that may affect information systems. Implement the rest of controls. In order to develop the Statement of Applicability, the organization must select appropriate control objectives and controls from those specified in ISO27001 Annex A. ISO27002 provides more details about these controls. Define measures The ISMS is a management model based on a process approach. In order to know the stage of an organization s process, it is necessary to measure its activities. -5-

6 An indicator framework is built to indicate which measurements are associated with the processes and controls, and to determine how quickly the ISMS is operational. Check Implementation of measures A structure of metrics and indicators will measure the effectiveness of implemented controls. The numbers of indicators will depend on the scope and the size of the organization. It is important to know what information to obtain and if the selected indicators accurately measure that information. This information should be useful for the management system and the business. Internal Audit The audit is a process that checks the adaptation of the ISMS against the requirements of ISO The process starts with a document audit of the ISMS to ensure that the requirements of the standard are in the management system documentation. The procedures, the Security Manual, the Statement of Applicability and other ISMS documents are checked against the standard. The result will be a report in which the non-conformities and remarks of documentation are indicated. After the document audit, the next stage is in the audit in situ in the ISMS. This audit demonstrates that what is stated in the documentation is met in practice. At the same time, it is verified that such compliance is sufficient to meet the standard requirements. The result is an audit report that identifies non-conformities or observations associated with the implementation of the system. The audit generates a report with the detected curvatures, called non-conformities. These are solved and implemented on the Corrective Action Plan (CAP). Fulfillment of security requirements Once the controls are implemented, their correspondence with the security requirements identified in the planning stage is confirmed. Reports are generated based on information from the organization and its customers, including: What security measures have been implemented The effectiveness of the security measures implemented The impact of these security measures in the services Security incidents associated with the services and their management As a result of these reports, the organization may make any necessary changes in the security requirements, proceedings or in the controls. -6-

7 Check the ISMS The ISMS revisions are executed by the Security Board and implemented by the managers. These revisions are discussed at revision meetings of the Security Board, attended by managers and other relevant staff members. The objective of these meetings is to: Check the security policy Check and guarantee that the objectives are met Explain future security objectives Determine the necessity of an internal audit and, if required, begin audit planning Confirm that the implemented management system continues to work efficiently Each revision must be certified in a record document that should include information about actions that will: Improve the ISMS effectiveness Update the risk analysis and the risk management planning Change the method and the controls related to the security information for responding to internal or external events that may impact the ISMS. The changes may be related to: Business requirements Security requirements Legal requirements Contractual obligations Risks levels and/or criteria for acceptable risks Indicated required resources Improve the effectiveness of the controls measurement Identify non-conformities, corrective and preventive actions In the internal auditing or at any stage of the ISMS implementation, the non-conformities may be identified, and corrective or preventive actions taken. Any person involved in the ISMS, including the organization s clients, may propose improvements. The managers implement the improvements and track their progress. The non-conformities identify the failure to comply with any requirements in the management system documentation or requirements in the standard. The corrective action sets the measures for correcting the detected non-conformities. These types of measures correct situations and also serve to prevent or reduce future non-conformities. The preventive actions will help prevent future non-conformities. With the information provided by each ISMS process, the preventive action sets the actions that will decrease or eliminate the possibility of future non-conformities. Act Implement improvements The person responsible for the management system manages the improvement actions. Every improvement action has information relative to: -7-

8 The process or control affected Areas to improve Estimates about personnel, materials and needed resources. Execution period Expected results Following actions and reports Implement corrective and preventive actions Implement corrective actions as follows: 1. Detect the non-conformities, investigate the causes and determine the corrective actions to implement. 2. Analyze all security processes, reports and registers for detecting and eliminating the causes of the non-conformities. 3. Implement the necessary countermeasures at the appropriate level to manage the potential risk. 4. Ensure the effectiveness of controls that guarantee the implementation of corrective actions. 5. Implement and log procedural changes as a result of corrective actions. Implement preventive actions as follows: 1. Identify potential non-conformities and their causes. 2. Assess the need for preventive measures against non-conformities. 3. Set the necessary activities to resolve any issues that require preventive actions. 4. Keep the register of fulfilled actions. 5. Confirm fulfilled preventive actions. ISMS certification and maintenance Certification audit The certification process is not a mandatory requirement when implementing an ISMS. However, it is a recommended step that should not be difficult to pass if the system is well developed. Certification by a third-party company offers many benefits to an organization. To ensure these benefits, it is important to: Conduct regular reviews of ISMS by third-party companies. Successfully certify your organization against ISO27001 through a robust security system Simplify Plan-Do-Check-Act Cycle of ISO

9 The certification process consists of the following activities: a. Choose an organization dedicated to the development of standardization and certification. b. Conduct an ISMS documentation review. c. Prepare the audit plan with date, audit team and expected planning. d. The organization approves the audit plan. e. Perform the audit. f. The auditor presents the assessment results in a written report. g. Any audit failures (i.e., non-conformities), should be noted on the Corrective Action Plan (CAP). If the auditor accepts the decisions, then a certificate is granted. Once the company has the certification, a program of regular inspection visits is agreed upon to verify that the requirements of the ISO27001 standard continue to be met. Three years after obtaining the certificate, a renewal certificate is required. ISMS maintenance Once certification is obtained, the focus will be on maintenance, and the implementation of the processes and procedures of continual service improvement. The objective is to adapt the ISMS changes that occur in the organization and its environment, in addition to guaranteeing the correct performance of processes and procedures. The results of improvement provided by ISMS should demonstrate improved organizational security management. Relationship of ISMS with other standards The ISO27001 standard, in its Annex C, includes a table with the correspondence between ISO9001:2000, ISO14001:2004 and this international standard. As previously mentioned in this white paper, the PDCA model is used in other ISO management systems. In this model, the responsibilities of direction, requirements of documentation, nonconformities, corrective and preventive actions are similar to other ISO standards. This enables ISMS integration with other management systems of the organization. Integrated Management System Model ISO38500 IT Governance BS25999 ISO9001 ISO15504 ISO20000 ISO14001 Measure 3 CMMI ISO27001 Product Management Area Service Management Area -9-

10 In addition to the similarities to the quality and environment management systems, there are other series of standards necessary to implement an ISMS. These are based on the following standards: ISO Relating to quality on IT service delivery ISO38500 Relating to IT governance BS25999 Relating to business continuity These standards will help to establish a framework of necessary processes for a correct IT service delivery. The framework includes standards and models of the product, specifically the software that is critical for IT service delivery. The following models are of special importance: CMMI: Capability Maturity Model Integration, designed by the Carnegie Mellon Software Engineering Institute Measure 3: Designed for the United Kingdom s Ministry of Public Administration ISO15504: Model for improving and assessing the processes of development and maintenance The integration of the different management systems is the next important development to watch. The IT contributes to the implemented management system in the organization, such as the quality management system in accordance with ISO9001, the environment management system in accordance with ISO14001, with an owner model of organization and performance. At the same time this model offers a common language and philosophy that can be integrated with other systems. In addition to the internal motivations that an organization may have for the design, implementation and certification of an ISMS, there are also external factors. These include: Market demands Customers demand the security measures for contracted services. These security measures must be demonstrated (in certain cases through the ISO27001 certificate). In these cases, certification is an indispensable requirement to apply for delivery services. Legislation Regulations require that organizations demonstrate greater control. In certain cases, ISO27001 certification is required to comply with the minimum requirements of security information. Government contracts When government contracts for services, they demand certain levels of information security. Sometimes these security levels and requirements are the equivalent of the ISO27001 standard. -10-

11 About the author: Julio José Ballesteros Garcia is a Senior Consultant with Quint Wellington Redwood in the area of quality of ICT services. He is a specialist in the organization, design and implementation of management systems under ISO standards. Between 2002 and 2004, he designed and implemented an Information Security Management System (ISMS), based on BS7799, in five companies throughout Spain, all of which became certified. During this time, he also worked as a security auditor. In 2005, Julio began a new project for Telefónica Soluciones. The objective was to design, implement and obtain certification for an Information Security Management System in compliance with the new security standard ISO In May 2006, Telefónica Soluciones became the first company in Spain to earn its ISMS certification. He is also an experienced consultant in ISO20000, and is currently involved in the ISO Spanish Committee. Julio is also a member of the Spanish Association for Standardisation and Certification (AENOR) and serves on a working group for management and governance of IT services. -11-

12 Quint Wellington Redwood is a leading global independent consulting firm dedicated to resolving IT-related organizational challenges. Operating in more than 49 countries and across four continents, Quint provides strategy, sourcing and service management to leading organizations from all industries, creating and implementing best practices worldwide. Quint was founded to help organizations get more from IT, not by adding more or new technology, but by simply managing IT better. The firm s portfolio of services includes education, consulting and measurement, integrated across the domains of business and IT. Quint s Dare to Challenge mission challenges itself and its clients to implement changes that deliver true results, outperform the competition and create a measurable return on investment. Quint s vision is to reinvent not only its clients organizations, but also the consulting industry itself. Copyright 2009, Quint Wellington Redwood. All rights reserved. No part of this publication may be reproduced, transferred and/or shown to third parties without the written consent of The Quint Wellington Redwood Group. Q u i n t W e l l i n g t o n R e d w o o d info@quintgroup.com Q u i n t G r o u p. c o m