Information Security 14 October 2005 IT Security Unit Ministry of IT & Telecommunications.


Agenda
- Information Security – Why?
- Security threats
- Types of Measures
- ISO & its evolution
- Information Security Management System
- Status in Mauritius
- ISO series

Information Security – Why?
Information is an asset, has value and needs to be suitably protected. Information exists in many forms:
- Printed or written – transmitted by post
- Stored electronically – transmitted using electronic means
- Spoken in conversation
Information security protects information from a wide range of threats in order to:
- ensure business continuity and minimise business damage
- maximise return on investments and business opportunities
- maintain competitive edge, legal compliance and commercial image

Information Security – Why?
Information security is characterised as the preservation of:
- confidentiality: ensuring that information is accessible only to those authorized to have access
- integrity: safeguarding the accuracy and completeness of information and processing methods
- availability: ensuring that authorized users have access to information and associated assets when required

Some Security Threats
Usual (standard) threats:
- Theft
- Fraud
- Acts of God
- Errors
IT related threats:
- System failures
- Malware: virus/spyware
- Denial of Service
- Hacking
- Cybercrimes

Types of Measures
- Technology: IT solutions…
- Physical: access control…
- People: screen, train, monitor…
- Policies, procedures: information on a need-to-know basis…
- Comply with legislation: Cybercrime Act, Data Protection Act, Copyright Act…
- Information security management: integrate all of the above in a structured way

ISO/IEC
- Roadmap to manage information security within an organisation
- Serves as a single reference point for identifying the range of controls that need to be used
- Part 1: ISO – Code of Practice
- Part 2: BS – Requirements for an ISMS for certification
- 2000 version has 10 domains, 36 control objectives, 127 controls
- 2005 version has 11 domains, 39 control objectives and 133 controls

ISO Control Objectives (diagram)
The ten domains surround the protection of information integrity, confidentiality and availability:
- Information Security Policy
- Security Organisation
- Asset Classification Controls
- Personnel Security
- Physical Security
- Communication & Operations Mgmt
- Access Controls
- System Development & Maint.
- Bus. Continuity Planning
- Compliance
Drill-down shown for Physical Security: Secure Areas, Equipment Security, General Controls. Equipment Security has 6 controls: Siting, Power Supplies, Cabling, Maintenance, Off-premises, Disposal/reuse. Sample control text: "all equipment should be protected from power failure & other electrical anomalies. A suitable electric supply should be provided that conforms to the equipment manufacturer specifications."

Evolution of Stds
- Code of practice
- British Standard
- BS 7799 Part 2 – 1998
- BS 7799 Part 1 and Part 2 revised – 1999
- ISO (BS 7799–1 : 2000)
- BS :2002
- ISO/IEC revision – June 2005
- ISO/IEC series

ISO/IEC Comparison 2000 & 2005
2000 domain -> 2005 domain
- Security policy -> Security policy
- Security organisation -> Organising information security
- Asset classification & control -> Asset management
- Personnel security -> Human resources security
- Physical & environmental security -> Physical & environmental security
- Communications & operations management -> Communications & operations management
- Access control -> Access control
- Systems development & maintenance -> Information systems acquisition, development and maintenance
- (new in 2005) -> Information security incident management
- Business continuity management -> Business continuity management
- Compliance -> Compliance

ISMS
- Information Security Management System
- The means to implement 7799
- Set up an ISMS team – ISMS WG
- Based on the Deming PDCA Cycle: Plan, Do, Check, Act
- Common to other ISO standards, e.g. ISO 9000, ISO
- The ingredient that allows the integration of the different management systems that these standards define

ISMS Process (PDCA cycle diagram)
- Plan: Establish the ISMS
- Do: Implement & operate the ISMS
- Check: Monitor & review the ISMS
- Act: Maintain & improve the ISMS

ISMS Process
Plan Phase
- Define the ISMS scope & the ISMS policy
- Identify & assess the risks
- Formulate a Risk Treatment Plan – outcome, one of:
  - Apply appropriate controls to reduce the risk
  - Accept the risk – substantiate why
  - Avoid the risk – do not allow the action causing the risk
  - Transfer the risk to a third party, e.g. an insurer
- Select control objectives and controls
- Prepare a Statement of Applicability
Do Phase
- Allocate resources & conduct training
- Implement the Risk Treatment Plan
- Implement the controls selected to meet the control objectives

ISMS Process
Check Phase
- Execute monitoring processes
- Conduct internal audits of the ISMS at planned intervals
- Undertake regular management reviews of the effectiveness of the ISMS
- Review levels of residual risk and acceptable risk
Act Phase
- Implement the improvements identified
- Take appropriate preventive and corrective actions
- Communicate the results and actions
- Ensure improvements meet their intended objectives

ISMS Documentation (four-level pyramid)
- Level 1: ISMS Manual, ISMS Policy, SoA
- Level 2: Procedures, Guidelines
- Level 3: Forms, Templates, etc.
- Level 4: Records providing evidence of ISMS implementation

Steps Towards Certification (diagram)
- ISMS WG: Development
- ISMS WG: Implementation
- 3rd party auditor(s): Stage 1 Audit
- 3rd party auditor(s): Stage 2 Audit
- 3rd party auditor(s): Follow up
- 3rd party auditor(s): Surveillance & re-assessment

Steps to follow
- Purchase the standards (ISO 17799:2000, BS :2002)
- Read the standards
- Assemble a team – ISMS WG
- Attend an ISMS workshop
- Appoint a technical consultant or your own technical expert
- Undertake a risk assessment
- Develop the ISMS documents
- Apply for ISMS certification

Benefits
- Improved enterprise security
- More effective security planning and management
- Better risk management
- Enhanced user confidence
- Promotes development of a business continuity plan
- Deeper knowledge of the different aspects of security
- Broader user-level awareness of security threats and measures

Mauritius
- ISO 17799:2000 & BS were adopted as national standards in 2005
- Adoption of the ISO June 2005 version in progress
- MSB gearing up to provide certification services
Government
- Adopted ISO for rollout in Ministries & Departments
- 4-5 pilot sites ISMS done
- Facilitated by the IT Security Unit

ISO series
Information Security Series
- 27001: will replace BS
- 27002: earmarked for ISO (code of practice)
- 27003: to cover risk management
- 27004: to cover information security management metrics & measurements
- 27005: to provide implementation guidelines

Thank You