An ISMS Implementation Practice in Environments with Limited Resources

Prepared for the APEC-OECD Workshop on Security of Information Systems and Networks
September 05, 2005

Sophie, Lihsuan Liang, Project Manager
NII Enterprise Promotion Association



Outline

• Prolog
• Mechanism design
• Methodology
• Practice (school-net in Chinese Taipei)
• Future developments


Prolog

• Security threats for small and medium enterprises (SMEs)
– Factors that make SMEs prime security targets: heavy reliance on Microsoft software
– More than half of the SMEs that suffer a successful Internet attack won't know they were attacked
– 70% of attacks that cause more than $50,000 in damage involve an insider

• Simple and affordable steps for SMEs:
– Educate system administrators and users on security policies and procedures
– Evaluate the patch status of all production systems
– Don't give users administrative privileges on their PCs
– Configure the email server to block potentially dangerous attachments
– Disable all inactive accounts and close out obvious vulnerabilities
– Perform full anti-virus scans on all systems, using the latest signatures
– Protect every Internet connection with a certified firewall

Source: Gartner
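Two of the steps above (disable inactive accounts; keep ordinary users out of administrative groups) are the kind of check a school or LNC administrator with no full-time IT staff can script once and rerun. The following is an added example, not part of the slide deck and not the Gartner material: it runs against a constructed account list embedded in the script (name, days since last login, group membership), with the 90-day threshold and the group names wheel/sudo/admin as assumptions. On a real host the same records would be built from lastlog and getent group.

```shell
#!/bin/sh
# Added example, not from the slide deck: audit a list of local accounts for
# two of the "affordable steps": inactive accounts and administrative users.
# Record format (constructed for this example): name:days_since_last_login:groups
ACCOUNTS='alice:3:users
bob:120:users,wheel
svc_backup:400:users
carol:10:users,sudo
dave:45:users'

# Assumption: accounts idle longer than this many days should be disabled.
INACTIVE_DAYS=90

# Assumption: groups that confer administrative privilege on a typical Unix host.
ADMIN_GROUPS='wheel sudo admin'

# List accounts whose last login is older than INACTIVE_DAYS, one per line.
inactive_accounts() {
    printf '%s\n' "$ACCOUNTS" |
        awk -F: -v limit="$INACTIVE_DAYS" '$2 + 0 > limit { print $1 }'
}

# List accounts that belong to any administrative group, one per line.
admin_accounts() {
    printf '%s\n' "$ACCOUNTS" |
        awk -F: -v admins="$ADMIN_GROUPS" '
            BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) isadmin[a[i]] = 1 }
            {
                m = split($3, g, ",")
                for (j = 1; j <= m; j++) if (g[j] in isadmin) { print $1; break }
            }'
}

# Accounts that are both idle and privileged: the first ones to disable.
# Each helper prints a name at most once, so names seen twice are in both sets.
idle_admins() {
    { inactive_accounts; admin_accounts; } | sort | uniq -d
}

# Emit the lock commands an administrator would review before running them.
remediation_plan() {
    inactive_accounts | sed 's/^/usermod -L /'
}

if [ "${1:-}" = "report" ]; then
    echo "Inactive accounts (> ${INACTIVE_DAYS} days):"; inactive_accounts
    echo "Administrative accounts:"; admin_accounts
    echo "Idle administrative accounts:"; idle_admins
    echo "Proposed remediation:"; remediation_plan
fi
```

Run it as `sh audit.sh report`. The script only proposes `usermod -L` lines rather than executing them, so the output can be handed to the person who actually owns the account list; a service account such as svc_backup that legitimately never logs in interactively would otherwise be locked by mistake.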


It is possible to have an affordable ISMS solution for units with simple networks.

How can we apply this model to a group of units with similar network environments?


Mechanism design principles

• Neutral operation body
• Developing unified standard, guidance, operation manuals
• Optimizing existing management structure
• Including certification and auditing functions
• Covering awareness and education promotion activities
• Cost sharing for affordable pricing

[Diagram of the mechanism. Nodes: Authority; ISMS Promotion Committee; Management body; Small and medium units. Relationship labels: Financial support, Authorize; Training, professional certifying; ISMS consulting, second-tier training; Auditing, certification, general awareness.]


Mechanism Operations

• Certification / auditing services
– Ensuring the quality of ISMS implementation
– Verifying compliance with the standard or guidance

• Standard version updates
– Following the changing nature of information threats and risks

• Promotion activities / training sessions
– Training for trainers
– Training for qualified auditors
– Training for administrators
– Training for users

• Publications

[Diagram on the slide lists three deliverables: Standards, guidelines, SOP; Certification and audit criteria and procedure; Awareness and training planning, materials.]


Methodology

• Simplify the existing large-scale ISMS standards (e.g. BS7799)
– Considering the common nature of Internet and information facility usage in the specific group
– Preparing a "statement of inapplicability (SOI)" based on the controls (the inverse of the standard's statement of applicability: it lists the controls waived for the group, with the reason for each)
– The remaining controls become a guidance (tailored to be specific to the school environment)
– Providing operation instructions based on the guidance contexts
– Offering security level options
– Designing different training/awareness courses for different target groups, such as courses for school principals, for system managers, and for regular teachers


Example - SOI

Security control: 9.4.5 Remote diagnostic port protection
Control context defined in CNS17800/BS7799: Access to diagnostic ports shall be securely controlled.
Reason for inapplicability: Most of the primary/secondary schools do not have their own routers. Local network centers take the duty to centrally manage the router. Hence, the diagnostic port control is waived.

Security control: 8.7.2 Security of media in transit
Control context defined in CNS17800/BS7799: Media being transported shall be protected from unauthorized access, misuse or corruption.
Reason for inapplicability: Considering the benchmark of investment and return, this control activity shall be done by user education.

Security control: 8.7.3 Electronic commerce security
Control context defined in CNS17800/BS7799: Electronic commerce shall be protected from fraudulent activity, contract dispute and disclosure or modification of information.
Reason for inapplicability: Electronic commerce activities are rare or absent in most of the primary/secondary schools; the relevant controls can be waived.


School-net in Chinese Taipei: Taiwan Academic Network (TANET) management infrastructure

[Diagram of the TANET hierarchy:
TANET Backbone
13 Regional Network Centers (RNCs), serving the University Networks
25 Local Network Centers (LNCs)
4000+ primary, secondary and high schools]


Information security concerns

• Infrastructure
– All primary and secondary schools have had broadband access to TANet (by ADSL, FTTx) since 2000
– Each school has at least one computer cluster

• Information security risks
– Personal data theft and abuse, misuse of computers and networks, managing downloads, computer viruses, malicious software, relay…

• Concerns for both LNCs and schools
– Limited IT budgets and resources
– Lack of full-time IT personnel
– Changing nature of the threat
– No unified ISMS guidelines and relevant references tailored to them


ISMS practice in schools

Roles of schools
• As an information user

Services offered by the local network center (LNC)
• Centralized network security controls
• School ISMS implementation support
• Training sessions
• Awareness raising
• Certifications to schools
• Security incident response

Services offered by the ISMS Promotion Committee
• Seed lecture training
• Overall awareness planning
• Auditing of LNCs
• Security incident reporting

[Diagram: ISMS Promotion Committee; Local Network Center (LNC); primary, secondary and high schools.]


Principles and how they are applied in practice

Principle: Neutral operation body
In practice: The ISMS Promotion Committee shall be formed by a group of professionals from academia, government and the private sector.

Principle: Developing unified standard, guidance, operation manual
In practice: Two sets of guidelines and training materials (with differing levels) are developed, one for LNCs and one for schools.

Principle: Optimizing existing management structure
In practice: Security functions are added to the LNC operation.

Principle: Including certification and auditing functions
In practice: Certification and auditing functions are added to the Committee's responsibilities.

Principle: Covering awareness and education promotion activities
In practice: Awareness and education promotion activities are added to both the Committee's and the LNCs' responsibilities.

Principle: Cost sharing for affordable pricing
In practice: A single operation manual is able to apply to all 25 LNCs.


Future developments

• Management controls in an ISMS are more challenging than technical ones
– The importance of awareness

• Differing targets, differing priorities, and differing promotion strategies
– Top management, IT staff, general staff

• Information security e-learning center
– Now under development
– Designing e-learning content with an easy and practical approach
– Considering learners as information users rather than system administrators
– Security awareness assessment campaign
– To be shared with APEC and OECD members

• Suggest forming a study group under the eSTG (e-Security Task Group) of APEC TEL
– As a starting point for further international collaboration on resolving security concerns for small and medium organizations


Thank you for your attention

Sophie, Lihsuan Liang, [email protected],tw