Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Transcription

1 Course: Information Security Management in e-governance Day 1 Session 3: Models and Frameworks for Information Security Management

2 Agenda Introduction to Enterprise Security framework Overview of security models, framework & standards Salient features of ISO security standards

3 What is Information Security ISO 27001:2005 defines this as: Confidentiality : the property that information is not made available or disclosed to unauthorized individuals, entities(programs), or processes (superceding processes) Integrity : the property of safeguarding the accuracy and completeness of assets. Availability : the property of being accessible and usable upon demand by an authorized entity. Slide 3

4 Who Should be Concerned? Users -Standards will affect them the most. System Support Personnel -they will be required to implement and adapt and support the standards. Executive Management -concerned about protection of data and the associated cost of the policy / standards. Slide 4

5 Role of Standards Manage Information Security Identify assets and appropriately protect them Reduce the risks of human error, theft, fraud or misuse of facilities Prevent unauthorized access, damage and interference to business Ensure the correct and secure operation of information processing facilities Control Access to Information Ensure security is built into information systems Counteract interruptions to business activities Avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations Slide 5

6 Why Best Practices are Important! Today, the effective use of best practices can help avoid re-inventing wheels, optimize the use of scarce IT resources and reduce the occurrence of major IT risks, such as: Project failures Wasted investments Security breaches System crashes Failures by service providers to understand and meet customer requirements Slide 6

7 Why Best Practices are Important! COBIT, ITIL and ISO are valuable to the ongoing growth and success of an organization because: Companies are demanding better returns from IT investments Best practices help meet regulatory requirements for IT controls Organizations face increasingly complex IT-related risks Organizations can optimize costs by standardizing controls Best practices help organizations assess how IT is performing Management of IT is critical to the success of enterprise strategy They help enable effective governance of IT activities A management framework helps staff understand what to do (policy, internal controls and defined practices) They can provide efficiency gains, less reliance on experts, fewer errors, increased trust from business partners and respect from regulators Slide 7

8 Benefits Productivity: Audit/Review Savings Breaking Barriers -Business Relationships Self-Analysis Security Awareness Targeting Of Security 'Baseline' Security and Policy Consistency Communication Slide 8

9 After adopting Standards Moved towards international best practice Manage the breadth and depth of information risk Build confidence in third parties Reduce the likelihood of disruption from major incidents Fight the growing threats of cybercrime Comply with legal and regulatory requirements Maintain business integrity Citizens Confidence Most Important Slide 9

10 Approach in Implementing Standards Support from Top Management Risk management -Accept, Mitigate, Transfer Well developed Security Policy Effective Implementation of policy User awareness is most important Prevention is better than cure Periodic review / audit Understand fundamental system functionality Identify security issues due to gaps Slide 10

11 Integrated IS Framework COBIT Service Management Information Security Project Management Application Delivery Business Continuity ITIL ISO IT Operations ISO 27K PMI CMM BS Slide 11

12 Some of the Standards - Overview Environment (ISO 14001) Business Continuity ( BS 25999) Quality (ISO 9001: 2000, QS 9000) Environment (ISO 14001) Organization Improvement (ISO 9004) Governance ( COBIT) Information Security (ISO 27001, 27002) Customers (BS 8600) Slide 12

13 ISO Slide 13

14 History of ISO - Timeline 1992 The Department of Trade and Industry (DTI), which is part of the UK Government, publish a 'Code of Practice for Information Security Management' This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS Support and compliance tools begin to emerge, such as COBRA The first major revision of BS7799 was published. This included many major enhancements. Accreditation and certification schemes are launched. LRQA and BSI are the first certification bodies. Slide 14

15 History of ISO The Timeline 2000 In December, BS7799 is again re-published, this time as a fast tracked ISO standard. It becomes ISO (or more formally, ISO/IEC 17799) The 'ISO Toolkit' is launched A second part to the standard is published: BS This is an Information Security Management Specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO A new version of ISO is published. This includes two new sections, and closer alignment with BS processes ISO is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO and is compatible with ISO 9001 and ISO Slide 15

16 Where did come from? BS7799 was conceived, as a technology-neutral, vendor-neutral management system that, properly implemented, would enable an organization's management to assure itself that its information security measures and arrangements were effective. From the outset, BS7799 focused on protecting the availability, confidentiality and integrity of organizational information and these remain, today, the driving objectives of the standard. BS7799 was originally just a single standard, and had the status of a Code of Practice. In other words, it provided guidance for organizations, but hadn't been written as a specification that could form the basis of an external third party verification and certification scheme. Slide 16

17 Overview ISO (base standard) Published standards ISO/IEC the certification standard against which organizations' ISMS may be certified (published in 2005) ISO/IEC the re-naming of existing standard ISO (last revised in 2005, and renumbered ISO/IEC 27002:2005 in July 2007) ISO/IEC a guide to the certification/registration process (published in 2007) In preparation ISO/IEC a standard vocabulary for the ISMS standards ISO/IEC a new ISMS implementation guide ISO/IEC a new standard for information security management measurements ISO/IEC a proposed standard for risk management ISO/IEC a guideline for auditing information security management systems ISO/IEC a guideline for telecommunications in information security management system ISO/IEC guidance on implementing ISO/IEC in the healthcare industry Slide 17

18 Well known ISO standards in the 27xxx series ISO This is the specification for an information security management system & replaces old BS ISO This is the new standard number of the existing ISO standard ISO Designated number for a new standard covering information security management measurement & metric ISO Emerging standard for information security risk management Slide 18

19 Where does ISO / fits in.. Slide 19

20 Implementation context for PDCA ISO Information Security Management System (ISMS) adopts the PDCA model Plan (Design Phase) Establish the objectives and processes necessary to deliver results in accordance with the specifications. Do (Implementation Phase) Implement the processes. Check AKA Study (Assessment Phase) Monitor and evaluate the processes and results against objectives and Specifications and report the outcome. Act (Manage, Authorize Phase) Apply actions to the outcome for necessary improvement. This means reviewing all steps (Plan, Do, Check, Act) and modifying the process to improve it before its next implementation. Slide 20

21 PDCA Process P D C A Interested Parties ISMS PROCESS Management Responsibility Interested Parties PLAN Establish ISMS P R O C E S S Information Security Requirements & Expectations DO Implement & Operate the ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve Managed Information Security Slide 21

22 BS ISO/IEC 27002:2005 (aka ISO 27002) The international Standard that establishes the guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The full title of this standard is: Information technology. Security techniques. Code of practice for information security management ISO is technology independent, focusing on : Management aspects of information security, Defining controls in a generic sense so that they are applicable across different applications, platforms, and technologies. Slide 22

23 Structure and Format of ISO ISO/IEC is: A code of practice - a generic, advisory document, not truly a standard or formal specification A reasonably well structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects ISO specifies 39 control objectives: To protect information assets against threats to their confidentiality, integrity and availability Which comprise a generic functional requirements specification for an organization s information security management controls architecture And suggests literally hundreds of best-practice information security control measures Slide 23

24 Structure and Format of ISO The formal standard is arranged in the following sections: 0. Introduction 1. Scope 2. Terms and definitions 3. Structure of this standard 4. Risk assessment The actual control domains and detail controls begin with Section 5. Section 5: Security policy Management should : Define a policy to clarify their direction of, and support for, information security, Provide a high-level information security policy statement identifying key information security directives and mandates for the entire organization Support the policy by a comprehensive suite of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security standards, procedures and guidelines

25 Structure and Format of ISO Section 6: Organization of information security A suitable information security governance structure should be designed and implemented. 6.1 Internal organization The organization should have a management framework for information security. Senior management should approve information security policies. Roles and responsibilities should be defined Information security should be independently reviewed. 6.2 External parties Information security should not be compromised by the introduction of third party products or services. Risks should be assessed and mitigated. when dealing with customers and in third party agreements. Slide 25

26 Structure and Format of ISO Section 7: Asset management The organization should be in a position to understand what information assets it holds, and to manage their security appropriately. 7.1 Responsibility for assets All [information] assets should be accounted for and have a nominated owner. The inventory should record ownership and location of the assets, and owners should identify acceptable uses. An inventory of information assets should be maintained, including: IT hardware, software data storage media computer room air conditioners and UPSs, and ICT services) system documentation 7.2 Information classification Information should be classified according to its need for security protection and labeled accordingly. Slide 26

27 Structure and Format of ISO Section 8: Human resources security The organization should manage system access rights etc. for joiners, movers and leavers, and should undertake suitable security awareness, training and educational activities. 8.1 Prior to employment Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff 8.2 During employment Management responsibilities regarding information security should be defined. Employees and third party IT users should educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches. 8.3 Termination or change of employment Security aspects of a person s exit from the organization (e.g. the return of corporate assets and removal of access rights) or change of responsibilities Slide 27

28 Structure and Format of ISO Section 9: Physical and environmental security Valuable IT equipment should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc. 9.1 Secure areas This section describes the need for concentric layers of physical controls to protect sensitive IT facilities from unauthorized access. 9.2 Equipment security Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft etc., both on- and off-site. Power supplies and cabling should be secured. IT equipment should be maintained properly and disposed of securely. Slide 28

29 Structure and Format of ISO Section 10: Communications and operations management This lengthy, detailed section of the standard describes security controls for systems and network management Operational procedures and responsibilities 10.2 Third party service delivery management 10.3 System planning and acceptance 10.4 Protection against malicious and mobile code 10.5 Back-up 10.6 Network security management 10.7 Media handling 10.8 Exchange of information 10.9 Electronic commerce services Monitoring Slide 29

30 Structure and Format of ISO Section 11: Access control Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use. This is another lengthy and detailed section Business requirement for access control 11.2 User access management 11.3 User responsibilities 11.4 Network access control 11.5 Operating system access control 11.6 Application and information access control 11.7 Mobile computing and teleworking Slide 30

31 Structure and Format of ISO Section 12: Information systems acquisition, development and maintenance Information security must be taken into account in the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems Security requirements of information systems 12.2 Correct processing in application systems 12.3 Cryptographic controls 12.4 Security of system files 12.5 Security in development and support processes 12.6 Technical vulnerability management Slide 31

32 Structure and Format of ISO Section 13: Information security incident management Information security events, incidents and weaknesses (including nearmisses) should be promptly reported and properly managed Reporting in information security events and weaknesses An incident reporting/alarm procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities Management of information security incidents and improvements Responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence. Slide 32

33 Structure and Format of ISO Section 14: Business continuity management This section describes the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard. Section 15: Compliance 15.1 Compliance with legal requirements 15.2 Compliance with security policies and standards, and technical compliance 15.3 Information systems audit considerations Slide 33

34 Implementation process cycle IS POLICY SECURITY ORGANISATION MANAGEMENT REVIEW PLAN Establish ISMS ASSET IDENTIFICATION & CLASSIFICATION DO Implement & Operate the ISMS ACT Maintain & Improve CORRECTIVE & PREVENTIVE ACTIONS CHECK Monitor & Review ISMS CONTROL SELECTION & IMPLEMENTATION CHECK PROCESSES OPERATIONALIZ E THE PROCESES Slide 34

35 ITIL Slide 35

36 Background What is Information Technology Infrastructure Library (ITIL )? Describes best practice in IT service management (ITSM) drawn from public and private sector IT organizations The primary objective of Service Management is to ensure that the IT services are aligned to the business needs and actively support them. Benefits include: Increased user and customer satisfaction with IT services Improved service availability, directly leading to increased benefits profits and revenue Financial savings from reduced rework, lost time, improved resource management and usage Improved time to market for new products and services Improved decision making and optimized risks ITIL is a Registered Trade Mark, and Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office. Slide 36

37 What is ITIL V3? ITIL is about more than just infrastructure Business of IT oriented approach Promoting service based approach to managing IT Includes discussion topics about strategic options, functions, roles and responsibilities as well as continual improvement Makes reference to other frameworks (i.e. Cobit, ISO27001) and talks about better alignment to those Helps to provide a standardized process context Highlights the importance of process Identifies the core activities and metrics for its processes Requests measurement programs (baselining, benchmarking) to ensure performance (i.e. TCO, ROI, Costing/Pricing) Revised certification program for Professionals more structured and focused by processes Slide 37

38 Version 3 Overview V3 Overview Service strategy: Service Portfolio Mgmt Financial Mgmt Demand Mgmt Supporting material: Service, organizational, process and technology maps Service design: Service Catalogue Mgmt Service Level Mgmt Supplier Mgmt Capacity Mgmt Availability Mgmt IT Service Continuity Mgmt Information Security Mgmt Service operation: Event Mgmt Incident Mgmt Request Fulfilment Access Mgmt Problem Mgmt Functions: Service Desk Technical Mgmt IT Operations Mgmt Applications Mgmt Service transition: Change Mgmt Service Asset & Configuration Mgmt Knowledge Mgmt Transition Planning and Support Release & Deployment Mgmt Service Validation & Testing Evaluation Continual Service Improvement: Seven Step Improvement Process Slide 38

39 ITIL Version 3 Service Design Slide 39

40 Service Design Goals & Objectives Goal: The design of appropriate and innovative IT services, including their architectures, processes, policies, and documentation, to meet current and future agreed business requirements. Objectives: Design services to meet agreed business outcomes Design processes to support the service lifecycle Identify and manage risks Design secure and resilient IT infrastructures, environments, applications and data/information resources and capability Design measurement methods and metrics Slide 40

41 Service Design Goals & Objectives (contd..) Objectives (contd..): Produce and maintain plans, processes, policies, standards, architectures, frameworks and documents to support the design of quality IT solutions Develop skills and capability within IT Contribute to the overall improvement in IT service quality Slide 41

42 Service Design Processes covered in Service Design Service Catalogue Management: The purpose SCM is to provide a single, consistent source of information on all of the agreed services, and ensure that it is widely available to those who are approved to access the service catalogue Service Level Management: SLM negotiates, agrees and documents appropriate IT service targets with the business, and then monitors and produces reports on delivery against the agreed level of service Capacity Management: The purpose of Capacity Management is to provide a point of focus and management for all capacity and performance-related issues, relating to both services and resources, and to match the capacity of IT to the agreed business demands IT Service Continuity Management: The purpose of ITSCM is to maintain the appropriate on-going recovery capability within IT services to match the agreed needs, requirements and timescales of the business Slide 42

43 Service Design Processes covered in Service Design (con t) Availability Management: The purpose of Availability Management is to provide a point of focus and management for all availability-related issues, relating to services, components and resources, ensuring that availability targets in all areas are measured and achieved, and that they match or exceed the current and future agreed needs of the business in a cost-effective manner Information Security Management: The purpose of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities Supplier Management: The purpose of the Supplier Management process is to obtain value for money from suppliers and to ensure that suppliers perform to the targets contained within their contracts and agreements, while conforming to all of the terms and conditions Slide 43

44 Service Design IT Service Continuity Management (ITSCM) ITSCM is concerned with managing an organisation s ability to continue to provide a pre-determined and agreed level of IT Services to support the minimum business requirements following an interruption to the business. Goal: The goal of the ITSCM is to support the overall Business Continuity Management process by ensuring that the required IT technical and service facilities (including computer systems, networks, applications, data repositories, telecommunications, technical support, and Service Desk) can be resumed within required, and agreed, business timescales. Slide 44

45 Service Design IT Service Continuity Management Objectives To maintain a set of IT service Continuity Plans and IT recovery plans that support the overall Business Continuity Plans (BCPs) of the organization To complete regular Business Impact Analysis (BIA) exercises to ensure that all continuity plans are maintained in line with changing business impacts and requirements To conduct regular risk assessment and management exercises in conjunction particularly with the business and the Availability Management and Security Management processes, that manages IT services within an agreed level of business risk Slide 45

46 Service Design IT Service Continuity Management Objectives To ensure that appropriate continuity and recovery mechanisms are put in place to meet or exceed the agreed business continuity targets To assess the impact of all changes on the IT service Continuity Plans and IT recovery plans To ensure that proactive measures to improve the availability of services are implemented wherever it is cost justifiable to do so To negotiate and agree the necessary contracts with suppliers for the provision of the necessary recovery capability to support all continuity plans in conjunction with the Supplier Management process Slide 46

47 Service Design IT Service Continuity Management Lifecycle of Service Continuity Management Business Continuity Management (BCM) Initiation Lifecycle Key activities Policy setting Scope Initiate a project Business Continuity Strategy Requirements and strategy Business Impact Analysis Risk Assessment IT Service Continuity Strategy Business Continuity plans Implementation Develop IT Service continuity plans Develop IT plans, recovery plans and procedures Organization Planning Testing strategy Invocation On going Operation Slide 47 Education, awareness and Training Review and audit Testing Change Management

48 Service Design IT Service Continuity Management KPIs Positive results from audits performed over the ITSCM plans to ensure that, at all times, the agreed recovery requirements of the business can be achieved Successful results from recovery testing Reduction in the risk and impact of possible failure of IT services Increased awareness of business impact, needs and requirements throughout IT Increased preparedness of all IT service areas and staff to respond to an invocation of the ITSCM plans Slide 48

49 IT Service Continuity Management KPIs Response time to restore business operations after a disaster occurs based on the type of recovery option chosen (i.e. manual, immediate, fast, intermediate, or gradual) Cost of service continuity management vs. cost incurred by the business in the event of an IT service loss. This could include both tangible (i.e. financial) and intangible (i.e. reputation) costs Slide 49

50 COBIT Control Objective for Information & related Technology Accepted globally as a set of tools that ensures IT is working effectively Provides common language to communicate goals, objectives and expected results to all stakeholders Based on, and integrates, industry standards and good practices in: Strategic alignment of IT with business goals Value delivery of services and new projects Risk management Resource management Performance measurement Slide 50

51 COBIT Control Objective for Information & related Technology COBIT provides guidance for executive management to govern IT within the enterprise More effective tools for IT to support business goals More transparent and predictable full life-cycle IT costs More timely and reliable information from IT Higher quality IT services and more successful projects More effective management of IT-related risks Slide 51

52 Harmonizing the Elements of IT Governance IT Governance Resource Management Slide 52

53 The COBIT Framework Slide 53

54 COBIT Defines Processes, Goals and Metrics Relationship Amongst Process, Goals and Metrics (DS5) Slide 54

55 COBIT Products and Their Primary Audience COBIT, Risk IT and Val IT frameworks Implementing and Continually Improving IT Governance COBIT User Guide for Service Managers COBIT and Application Controls Slide 55

56 End of Session Slide 56