GSU's Roadmap for a World-Class Information Security Management System – ISO/IEC 27001:2005
Tammy Clark, Chief Information Security Officer
William Monahan, Lead Information Security Administrator

“You will now have a starting place and a destination, and you will be able to determine what it will cost you to get there. You will be going someplace.” (H. Stanley Judd)
GSU’s Information Security Roadmap
– JL Albert’s (CIO) vision and support
– Strategic & tactical planning
– Alignment with academic/business objectives
– Incremental and distributed deployments
– Continuous cycles of reviews and improvements
Strategic Choices Determine Our Direction…
– WHY develop a World-Class Information Security Management System (ISMS)?
– Critical success factors
– Using ISO/IEC 27001/27002
– Overview of ISO/IEC 27002
– Advantages of using ISO 27001/27002
– Deming’s “Plan, Do, Check, Act” model
– Building an Information Security Management System
WHICH ROAD DO I CHOOSE??! HOW DO I GET THERE??! WHERE DO I WANT TO GO?
What a Long and Exhausting Road Trip! (Why Implement an ISMS?!)
– Protect the university’s reputation
– Stop chasing compliance (with legal and contractual requirements)
– Ensure CIA (confidentiality, integrity, and availability) and reduce the chances of business disruptions
– Reduce exposure for illegal or malicious acts committed with the university's information technology resources
– Ensure effective control and continuous improvement of information security
– Implement a comprehensive approach (far beyond the technical sphere) and close the gaps
Navigate Around Traffic Jams and Slow Downs (Critical Success Factors)
– Align your course in parallel with strategic information technology and business goals & objectives
– Provide a good set of directions to your navigator (and convince him to drive)!
– Set realistic and attainable milestones upfront, and be prepared to handle obstacles
– Get everyone traveling in the same direction
– Advance your initiative down the road successfully through collaborations with key University stakeholders
– Avoid accidents and dead ends!
– Continually work behind the scenes to promote the synergy of people, processes & technology
Chart a Course to Your Destination Using ISO/IEC 27001 and ISO/IEC 27002
ISO/IEC 27001 Requirements – Certification
– This process involves the auditing of an ISO/IEC 27002:2005 compliant ISMS against the requirements of ISO/IEC 27001:2005.
– The ISMS is audited by an accredited certification body.
– Uses the word “shall” (mandatory requirements).
ISO/IEC 27002 Code of Practice – Compliance
– Users of the ISO/IEC 27002 framework need to carry out a risk assessment to identify which controls are relevant to their own business environment, and then implement them.
– The standard is also intended to provide a guide for the development of “organizational security standards and effective security management practices”.
– Uses the word “should” (recommended practice).
Quick Overview of ISO/IEC 27002
Covers 11 information security ‘domains’:
– Information security policy
– Organization of information security
– Asset management
– Human resource security
– Physical and environmental security
– Communications and operations management
– Access control
– Information systems acquisition, development and maintenance
– Information security incident management
– Business continuity management
– Compliance
39 security objectives and a total of 133 separate controls
Its baseline security approach lets an enterprise raise its security level using existing resources rather than new spending
Comprehensive & holistic
Favors incremental deployment of controls
Advantages of Using ISO/IEC 27001/27002
– Flexible and comprehensive ‘umbrella’ framework for your information security program
– Integrated into ITIL v3 (ISO/IEC 20000)
– Same process approach (Plan-Do-Check-Act) as the ISO 9000 Total Quality Management series and the ISO/IEC 20000 service management process
– A framework which provides a structure that organizations can follow
– Helps everyone to be “on the same page” because they can see what is expected
– Information security best practices
– Auditable
Plan-Do-Check-Act
A ‘cycle’ of continuous review and improvement:
– Plan: Establish
– Do: Implement and operate
– Check: Monitor and review
– Act: Maintain and improve
PLAN Phase – Establish Your ISMS
– Define the scope and boundary of the ISMS.
– Define an ISMS policy.
– Define the risk assessment approach.
– Identify, analyze and evaluate the risks to the assets identified in your scope and select risk treatment options.
– Select controls and control objectives, record the reasons for selection, and prepare a Statement of Applicability.
– Obtain management approval of the proposed residual risks.
– Obtain management authorization to implement and operate the ISMS.
DO Phase – Implement Your ISMS
– Formulate and implement your Risk Treatment Plan (RTP)
– Implement selected controls to meet your control objectives
– Define metrics to measure the effectiveness of your controls
– Implement a training and awareness program
– Manage operations in accordance with identified controls, policies and procedures
– Implement procedures and controls to manage incidents
CHECK Phase – Monitor and Review Your ISMS
Execute monitoring and review procedures:
– Documentary evidence of monitoring such as logs, records, files
– Measure effectiveness (metrics)
– Review risk assessments
– Conduct internal ISMS audits
– Management reviews
– Update security plans
– Record actions and events
ACT Phase – Maintain and Improve the ISMS
– Implement identified improvements
– Take appropriate corrective and preventive actions
– Communicate actions & improvements to interested parties
– Ensure improvements meet objectives
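The PLAN-phase steps above (assess the risks to in-scope assets, choose a treatment, select controls, prepare a Statement of Applicability, and put the residual risks in front of management) and the CHECK-phase effectiveness metric are easier to see with a concrete risk register. The following is an added example written for this page, not code from the GSU program or from Proteus. Everything in it is constructed for illustration: the 1-5 likelihood x impact scale, the acceptance threshold, the assets and risks, and the reduction each control is assumed to give. Control references follow the ISO/IEC 27002:2005 clause numbering.

```python
"""Added example (not from the GSU presentation): a small ISMS risk register
that walks the PLAN-phase steps - score the risks to in-scope assets, pick a
treatment, select controls, produce a Statement of Applicability, and flag the
residual risks management must formally approve - plus the CHECK-phase
effectiveness metric. All data and scales below are constructed/assumed."""
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 6  # assumed threshold: a residual score above this needs management sign-off
TREATMENTS = ("mitigate", "accept", "transfer", "avoid")


@dataclass(frozen=True)
class Control:
    ref: str                  # ISO/IEC 27002:2005 clause, e.g. "A.11.2.1"
    name: str
    cuts_likelihood: int = 0  # assumed reduction on the 1-5 likelihood scale
    cuts_impact: int = 0      # assumed reduction on the 1-5 impact scale


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    treatment: str = "mitigate"
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject scores outside the assessment scale instead of silently scoring them.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Score after treatment. 'avoid' removes the activity; 'accept' and
        'transfer' leave the score unchanged (transfer moves the cost, not the
        event); 'mitigate' applies the selected controls, never below 1."""
        if self.treatment == "avoid":
            return 0
        if self.treatment != "mitigate":
            return self.inherent()
        lik = max(1, self.likelihood - sum(c.cuts_likelihood for c in self.controls))
        imp = max(1, self.impact - sum(c.cuts_impact for c in self.controls))
        return lik * imp

    def effectiveness(self) -> float:
        """CHECK-phase metric: fraction of the inherent risk removed by treatment."""
        return 1 - self.residual() / self.inherent()


# Assumed control catalogue with hypothetical reductions (clause numbers are ISO/IEC 27002:2005).
USER_REG = Control("A.11.2.1", "User registration", cuts_likelihood=2)
BACKUP = Control("A.10.5.1", "Information back-up", cuts_impact=3)
MALWARE = Control("A.10.4.1", "Controls against malicious code", cuts_likelihood=2)
PATCHING = Control("A.12.6.1", "Control of technical vulnerabilities", cuts_likelihood=1)
SITING = Control("A.9.2.1", "Equipment siting and protection", cuts_impact=1)
CATALOG = [USER_REG, BACKUP, MALWARE, PATCHING, SITING]


def build_register() -> list:
    """Constructed sample risks for a hypothetical university ISMS scope."""
    return [
        Risk("Student records DB", "Unauthorized access through stale accounts", 4, 5,
             controls=[USER_REG]),
        Risk("Course web server", "Malware infection", 3, 3, controls=[MALWARE, PATCHING]),
        Risk("Research file share", "Disk failure with data loss", 2, 4, controls=[BACKUP]),
        Risk("Campus digital signage", "Defacement", 2, 2, treatment="accept"),
    ]


def statement_of_applicability(catalog, risks) -> dict:
    """Map each control ref to (applicable, justification). A control is
    applicable when at least one mitigated risk selects it; the justification
    records which assets' risks it treats, as the SoA requires."""
    soa = {}
    for ctl in catalog:
        treated = [r.asset for r in risks if r.treatment == "mitigate" and ctl in r.controls]
        if treated:
            soa[ctl.ref] = (True, f"{ctl.name}: treats risk to " + ", ".join(treated))
        else:
            soa[ctl.ref] = (False, f"{ctl.name}: no in-scope risk selects this control")
    return soa


def residual_risks_needing_approval(risks, threshold=ACCEPTABLE_RISK) -> list:
    """Risks whose residual score still exceeds the threshold: the 'proposed
    residual risks' management must approve before the DO phase starts."""
    return [r for r in risks if r.residual() > threshold]


if __name__ == "__main__":
    risks = build_register()
    for r in risks:
        print(f"{r.asset:24} inherent={r.inherent():2} residual={r.residual():2} "
              f"effectiveness={r.effectiveness():.0%} ({r.treatment})")
    for ref, (applicable, why) in statement_of_applicability(CATALOG, risks).items():
        print(f"{ref:9} {'Applicable    ' if applicable else 'Not applicable'} {why}")
    for r in residual_risks_needing_approval(risks):
        print(f"NEEDS MANAGEMENT APPROVAL: {r.asset} residual {r.residual()} > {ACCEPTABLE_RISK}")
```

Run it as a script to see the register, the SoA and the one risk (the student records database) whose residual score stays above the assumed threshold even after the user-registration control, which is exactly the item the PLAN phase says management must approve rather than leave implicit. The effectiveness figure is the kind of metric the CHECK phase reviews once the controls are in place.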
Tactical Actions Moving Us Closer to Our Destination…
– Annual Security Plan based on ISO
– Risk Management
– Automated Governance, Risk and Compliance (Proteus)
– Communicate/Cooperate/Collaborate
What Areas Pose the Greatest Risk??! Do You Have a Plan??! Can We All Work Together?
Annual Security Plan based on ISO (If You Don't Know Where You're Going, Any Road Will Get You There)
– Began in 2004; the first plan was painful
– Incremental approach: requirements, status of security, proposed action items
– The plan is a moving target: new legislation, standards & compliance requirements
– Tool to solicit/incorporate feedback
Risk Assessments (Vote Early and Vote Often)
– Risk Assessment Policy in 2005, required by the ISO 17799:2005 update
– Approximately 50 reviews/year (and growing)
– A lot of benefits from the proactive approach: more secure/robust services; found/curtailed some craziness; the auditor effect; fostered/strengthened relationships & understanding
Risk Management System (Trust But Verify)
– A trusted third party (Internal Audit) is required
– Ensures controls were adequate/commensurate with the risk
– Ensures controls were implemented in a timely manner
– We must continuously reevaluate risk
Automated Governance, Risk and Compliance (Proteus)
Feature | Benefit
– Online audit of any part of your organization against any standard | Online audit of external suppliers saves time & money
– Create an information-security-focused asset register | Links assets to legislation/controls
– Define roles with meaning | Roles linked to controls/policy/procedures
– Do business impact analysis simply & easily | Quick win, keeps risk business focused
– Identify the key services, assets & data which need business continuity or DR | Reduce exposure
– Perform risk assessments simply & easily | Reduces risks with countermeasures
– Incident reporting with a difference | Instantaneously sizes the problem
– Build a central policy register | Supports the audit process
– Helps you plan your security investment | Spend effectively & wisely
– Provides you with a real-time RiskView | Manage more effectively
Some of the Benefits of Proteus
“The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” (Bill Gates)
– One repository for ISMS materials: policies, procedures, objective evidence, action plans…
– Good discretionary access control: access can be assigned per site (audit point); centralized control/distributed administration
– Workflow engine helps you collect information and stay in compliance
Communicate/Cooperate/Collaborate
– Centralized control/distributed administration model: IntruShield IPS, ISS SiteProtector, Symantec System Center Console, Proteus, online security awareness classes, PGP full disk encryption…
– Hyper-communicate: monthly ITSSS, NEO, web presence…
– It is all about relationships! Know/Trust/Like
Governance Training
– BSI Americas Information Security Training – ISO 27001/ISMS (nSecurity/index.xalter)
– HISP (Holistic Information Security Practitioner) Training/Certification
References
– ISO/IEC standard
– BS :2006 (Risk Mgt)
– BS (Business Continuity)
– BIP (ISMS Guidance Series from BSI)
– ISO/IEC standard
– ISO/IEC 27001:2005 in plain English: om/iso overview.htm
– ISO/IEC 27002:2005 in plain English: om/iso overview.htm
Questions? Feel free to write us!
Tammy Clark
William Monahan
Copyright Tammy L. Clark, October. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and with permission of the author.