Security Organization & Awareness. Januari, 28/29th th CENTR Security Workshop Brussels Bert ten Brinke

Size: px

Start display at page:

Download "Security Organization & Awareness. Januari, 28/29th 2014 6th CENTR Security Workshop Brussels Bert ten Brinke"

Sophia Wade
8 years ago
Views:

1 Security Organization & Awareness Januari, 28/29th th CENTR Security Workshop Brussels Bert ten Brinke

2 Goals Creating a awareness plan Describing the security organization

3 What is necessary regarding ISO27001? 7.1 Resources The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. -> Security Officer role 7.2 Competence The organization shall: a) determine the necessary competence of person(s) doing work under its control that affects its information security performance; -> Security tasks and responsibilities b) ensure that these persons are competent on the basis of appropriate education, training, or experience; -> How? With test? c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and -> Awareness document d) retain appropriate documented information as evidence of competence. -> of all employees, list of people with ok/nok training

4 What is necessary regarding ISO27001? 7.3 Awareness Persons doing work under the organization s control shall be aware of: the information security policy; -> Everybody must know Homerules (by head :) ) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and ->Security Functions and roles the implications of not conforming with the information security management system requirements. ->Security Functions and roles

5 Working out the ISO27001: Awareness & Training Goal of Security Awareness The aim of the document is to describe all activities which has to be done to train the XYZ Organization in such a way that all employees have sufficient knowledge from security and are sufficient security aware to fulfill their function in a secure way. The aim of the security awareness and training program is that all employees should have had at least 1 training, security meeting or security course. The security officer should: -> Paragraph 7.3 determine what which security capabilities the employees should have. Offer training to comply with these capabilities. Keep a registration of all security trainings. Audit the effectiveness of the training.

6 Awareness?

7 Working out the ISO27001: Awareness & Training Possible types of training Initial training new employees Every new employee should be trained by the security officer. The employee will be told how to behave and how not, where he can find the security policies and company rules and what is in these documents. Every new employee signs in his contract for having read the company rules including security policies. Visiting department meetings The security Officer should visit department meetings ones a year to explain security policies. Security presentations for whole company Security papers on the companies Intranet Security campaigns with as example Flyers on doors or near coffee machines E-learning Employee specific training

8 Security Organization What is necessary regarding ISO27001: 5.3 Organizational roles, responsibilities and authorities Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management shall assign the responsibility and authority for: a) ensuring that the information security management system conforms to the requirements of this International Standard; and -> Let CEO approve your yearplan b) reporting on the performance of the information security management system to top management. NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization. -> Report to Board

9 Security Organization What is necessary regarding ISO27001: 7.4 Communication The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) who shall communicate; and e) the processes by which communication shall be effected.

10 Security Organization document Organization chart Functions and roles -> Separate document Types of security meetings (tasks, frequency, participants) Management participation The CEO proves his engagement with the improvement of the ISMS by: Approve the ISMS; To assure that ISMS plans and targets are fulfilled Establish roles and responsibilities for IS. Underline the importance of IS to employees Making resources available Establish criteria for risk acceptance Doing a ISMS Management Review have supervision on security targets and results

11 Responsibilities of Security Officer & Management Responsibility Owner Overall responsible for Info Security CEO Managing the Security Officer Responsible for maintain ISMS Responsible for updating and controlling ISMS documentation Baselines BIA en Risk Man Implementation of Controls Audits CEO Security officer Security officer Security officer Owner of Information System Owner of Information System Auditor

12 Control of resources The Sec Off determines the yearly needed resources necessary to maintain the ISMS, mitigate the risk conform Risk Treatment Plan and report about the effectiveness from the controls. He should: Improve the ISMS Take care that information security procedures support the overall business processes. Regard compliance to laws and rules. Audit security controls Other documents Separation of duties Acceptable Use Policy

Security tasks and responsibilities XYZ functions Within organization XYZ all functions should be described with their Security tasks and responsibilities.

13 Security tasks and responsibilities XYZ functions Within organization XYZ all functions should be described with their Security tasks and responsibilities. Every employee of XYZ Competence Every employee should have knowledge from the homerules and generic policies, procedures and working instructions Tasks Will use assigned autorizations for access to systems and rooms integer. Will treat laptops, and other mobile HW integer and with responsibility Takes care of the clean desk, clear screen policy Takes care of the information classification policy Operates according to the NDA Wears his Access badge visible Escorts visitors Reports security incidents Regards the Acceptable Use Policy Works according roles, policies, procedures working instructions

14 Security tasks description Manager Manager Domain Registration Competence The manager Domain Registration should have knowledge of the ISMS and all its processes. He should have sufficient capabilities to explain all necessary policies, procedures and working instructions to his employees Tasks Stimulates the integration of security in the department Enforces the IS Policy Is responsible for autorizations to applications from his department and uses the need-toknow principle Takes care of separation of duties Checks if employees follow IS Policies, procedures, etc.

15 Questions? Any questions? Don t hesitate to ask!

16 Exercises for participants 1. Design possible trainings and awareness campaigns and design the contents of the Awareness and training document. 10 minutes 2. Design the contents of the Security Organization document. What security meeting structure will be used? 10 minutes 3. Design security competence, tasks and responsibilities for a Operations employee (Linux, networks, eg). 10 minutes 4. What mandatory mailing lists or environment information systems should people follow. How follow what goes on in the rest of the world? 5 minutes

17 Exercises 1 Answers Training and Awareness Security Officer s meeting for training new employees Visiting department meetings Security presentations for whole company Security papers on the companies Intranet Security campaigns with as example Flyers on doors or near coffee machines E-learning Employee specific training

18 Exercises 2 Answers Exercise 2: Contents Organization document Organization chart Functions and roles -> Separate document? Types of security meetings (tasks, frequency, participants) Management participation

19 Assignment 3 Answers Software Developer Competence A SW developper should be able to develop high secure SW, by implementing XYZ and international security standards. He should have a good security programming education Tasks Interpret standards an use these standards in daily work Perform code review against these standards

Risk Management. Januari, 28/29th 2014 6th CENTR Security Workshop Brussels Bert ten Brinke

Risk Management. Januari, 28/29th 2014 6th CENTR Security Workshop Brussels Bert ten Brinke Risk Management Januari, 28/29th 2014 6th CENTR Security Workshop Brussels Bert ten Brinke Goals Participants are able to design their own RM process Participants understand the ISO27001 requirements Participants