Ensuring Information Security through ISO27001 (ISMS)

Term Report E-Commerce

Submitted On: Dec 19, 2009

Submitted To: Mr. Imran Chugtai

Institute of Business Management

Group Members:

Khurram Zakaria - 8870

Hassham Idris – 8866

Jehanzeb Qamar – 8868

Suleman Ali – 8754

Baber Ali – 8663

Executive Summary

An information security management system (ISMS) is, as the name implies, a set of policies concerned with information security management. The key concept of ISMS is for an organization to design, implement and maintain a coherent suite of processes and systems for effectively managing information accessibility, thus ensuring the confidentiality, integrity and availability of information assets and minimizing information security risks.

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and the external environment. ISO 27001:2005 structures the ISMS around the PDCA (Plan-Do-Check-Act) cycle and covers the following areas:

Security Management & Principles: The core components of risk management, information security policy, procedures, standards, guidelines, baselines, classification, education, and security organization serve as the foundation of information security. Security controls are implemented and maintained to address the three interdependent principles present in all programs: Confidentiality, Integrity and Availability, also known as the "CIA triad."

Security Management Responsibilities: This includes the resources, funding, and strategic representation needed to participate in a security program. The assigned responsibilities get the ISMS off the ground and keep it thriving and evolving as the environment changes. Management support is one of the most important factors for the success of the security program.

Top-Down Approach: The top-down approach means that top management provides support and direction, which is cascaded down through middle-level management and then to staff members.

Risk Management: Risk management is the process of identifying, analyzing, assessing, evaluating, and reducing risk to an acceptable level, and implementing the right defense mechanisms to maintain an acceptable level of risk.

Security Awareness: To achieve the desired results of the security program, an organization must communicate the "what, how and why" of security to its employees. This awareness should be comprehensive, tailored, and organization-wide.

Business Continuity and Disaster Management: Ensures continuity, recovery and restoration of the business in case of disaster. In an emergency this involves bringing critical systems up in another environment while the original facilities are repaired.

Electronic Commerce Term Report Page 2

Legal Compliance: Includes compliance to various civil, criminal, and administrative (regulatory) laws such as intellectual property laws, trade secrets, copyrights, trademarks, patents, and data protection.

Table of Contents

Executive Summary
Introduction
  Overview to Information Security Management System
  The CIA triad
  Business Challenge
  Information security management system
Why implement ISMS?
What is ISO 27001?
Why ISO 27001?
  Background
  ISO 27001 versus ISO 27002
How is ISO 27001 implemented?
  PDCA Model
Key Benefits
How ISMS is implemented?
  Implementation Process
  The team
  Define the Scope
  ISMS Documentation Levels
  Implementation Issues
  Risk Assessment
    Business Impact Analysis (BIA)
  Risk Management
    Different Methods of Handling Risks
  Statement of Applicability (SOA)
What are Information Security Controls?
  Control Areas
  ISMS improvement
Conclusion

Introduction

Overview to Information Security Management System

What is Information Security?

Information is a valuable asset in any organization, whether it's printed or written on paper, stored electronically or sent by mail or electronic means.

To effectively manage the threats and risks to your organization's information you should establish an Information Security Management System (ISMS).

Information Security has three primary goals, known as the security triad:

Confidentiality – Making sure that those who should not see your information cannot see it.

Integrity – Making sure the information has not been changed from how it was intended to be.

Availability – Making sure that the information is available for use when you need it.

As you can see, the security triad can be remembered as the letters CIA. These principles look simplistic when broken down, but on closer inspection every step taken within security serves one or more of these three goals. When most people think about information security, they generally think only of the first item, confidentiality, and for good reason, since that is all the media seems to think security is about. Ironically, confidentiality is also the one of the three goals you most often do not need: a public web site does not want to be confidential, since that would defeat the point of being public.

To promote confidentiality you have several tools at your disposal, depending on the nature of the information. Encryption is the most commonly thought of, but other methods include access control lists (ACLs) that keep people from reaching information, smart cards plus PINs that keep unauthorized people from entering your building and looking around, or simply explaining to your employees what information about the company they can and cannot disclose over the phone.

Integrity is the part of the triad that affects the most people in the IT world, but few seem to notice it, and fewer still think of it as a security issue. The files on your operating system must maintain a high level of integrity, yet worms, viruses and trojans are a major issue in IT and can also be a way for an attacker to get information out of your network or inject his own information into it. Integrity is not just about malicious parties; it also covers disk errors and accidental changes made to files by unauthorized users. Access control lists, physical security and regular backups all fall under integrity (and sometimes under confidentiality and availability as well: one fix can solve multiple problems).

Availability is the part of the triad most administrators have to worry about at work, and with good reason. It is the most common and most visible part of the security triad, and it is part of the job of just about every administrator, even non-security ones. For them it is mostly about system uptime, but it also covers accidentally denying a user access to a resource they should have, a user locked out of the front door because the biometric reader does not recognize his fingerprint (a false rejection), and even major issues such as natural disasters and how the company should recover from one.

The CIA triad

The framework addresses these three core properties of all information assets.

Business Challenge

Dependence on information systems and services means organizations are more vulnerable to security threats. Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. By proper identification and classification of those assets and a systematic risk assessment of threats and vulnerabilities, your company can select appropriate controls to manage those risks and demonstrate that it is preserving the confidentiality, integrity and availability of those information assets to clients, consumers, shareholders, authorities and society at large.

Information security management system

Recent high profile information security breaches and the value of information are highlighting the ever increasing need for organizations to protect their information. An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems.

An information security management system (ISMS) is a formal, controlled set of processes and procedures dealing with the management of information security within an organization. Implementing an ISMS is a key step that any organization in possession of valuable information assets should consider. This report offers an overview of the implementation process and explains the benefits of an ISMS.

Why implement ISMS?

An ISMS offers a number of significant benefits to both the organization and its customers.

It ensures suitable security controls are in place

Intensive risk assessment and the other processes involved in implementing the ISMS help to verify that security controls and strategies are appropriate, cost effective, and prioritized to address the core security needs of the organization.

It demonstrates a commitment to security best practice

The existence of an ISMS is a powerful demonstration to an organization's customers of its commitment to information security. Customers can be confident that an ISMS-compliant organization understands and implements industry best practice. Certification of the ISMS provides independent and unbiased evidence of this compliance.

It ensures compliance with third party obligations

Many organizations have external responsibilities with regard to the data in their possession. These may concern privacy, intellectual property ownership, or, in an increasingly regulated environment, legal issues. An ISMS can greatly assist an organization in fulfilling such requirements.

What is ISO 27001?

ISO 27001 is an international standard specifying the requirements for an Information Security Management System, so that an organization can assess its risks and implement appropriate controls to preserve the confidentiality, integrity and availability of its information assets. The fundamental aim is to keep your organization's information from getting into the wrong hands or being lost forever.

ISO 27001 is an internationally recognized standard codifying the audit requirements for an ISMS. It was the first standard of the ISO 27000 series, published by the International Organization for Standardization, or ISO (www.iso.ch), in October 2005. ISO 27001 is high level, broad in scope, and conceptual in nature, which allows it to be applied across many types of enterprises and applications. It is the only information security standard devoted to information security management audit criteria in a field generally governed by specific operational audit criteria. As a standard that is primarily conceptual, ISO 27001 is not:

A technical standard.
Product or technology driven.
An equipment evaluation methodology.

ISO 27001 is however:

A comprehensive minimum baseline of information security management controls that all Information Security Programs SHALL address in some manner.

This in essence makes ISO 27001 internationally sanctioned “due diligence”.

Why ISO 27001?

The information security field has traditionally been based on sound “best practices” and “guidelines”. While this cumulative wisdom of the ages is valid, it is also subject to various interpretations and implementations, not always consistent or harmonious. Furthermore, without the risk justification required by ISO 27001 “best practice” is in reality “best guess” devoid of the underlying analysis that makes control implementation both justifiable and defensible. ISO 27001 offers the following benefits:

An internationally recognized management system that can enhance information security interoperability and trust with trading partners.
A yardstick to evaluate Information Security Program effectiveness.
A vehicle to certify "due diligence".
An umbrella under which multiple data protection regulations may be managed.
For some industries, an ISO 27001 certified operational area may become a de facto requirement.
For organizations subject to government regulation, ISO 27001 may increase efficiency and eliminate redundancy in complying with multiple information protection regulations through centralized management.
For data centric organizations, customer perception of an ISO 27001 certified operational area may offer a marketing advantage.
An ISO 27001 certified operational area provides a high degree of defensibility.

Background

ISO 27001 is a direct descendant of the British Standards Institution (BSI) information security management standard BS 7799-2. BSI has long been proactive in the evolving field of information security. In response to industry demands, a working group devoted to information security was first established in the early 1990s, culminating in a "Code of Practice for Information Security Management" in 1993. This work evolved into the first version of the BS 7799 standard, released in 1995. In the late 1990s, again in response to industry demands, BSI formed a program to accredit auditing firms, or "Certification Bodies," as competent to audit against BS 7799. Simultaneously, a steering committee was formed, culminating in the update and release of BS 7799 in 1998, 1999, 2000, and finally in 2002. By this time, information security had become headline news and a concern to computer users worldwide. While some organizations used the BS 7799 standard, demand grew for an internationally recognized information security standard under the aegis of an internationally recognized body such as ISO. This demand led to the updating and release of BS 7799-2 as ISO 27001 in October 2005.

ISO 27001 versus ISO 27002

Both standards serve distinct purposes, hence it is important to understand the differences between them. ISO 27001 is the requirements specification: it states what an ISMS must contain and is the standard against which an organization is audited and certified. ISO 27002 is the code of practice: it gives implementation guidance for the security controls that ISO 27001 lists in its Annex A, and an organization is not certified against it.

How is ISO 27001 implemented?

A process is any activity that uses resources and is managed in order to transform inputs into outputs. A process approach is when individual processes and their interactions are bundled into a cohesive package, or system, chartered to accomplish something. ISO 27001 is implemented through the creation and maintenance of an Information Security Management System (ISMS) chartered with establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization's information security.

PDCA Model

True to its roots in quality management, ISO 27001 has adopted the closed-loop PDCA (Plan, Do, Check, Act) cycle, and this is a good place either to start or to review the progress of the implementation.

The Plan, Do, Check and Act framework is cyclic: it has to be repeated continuously over the long run, with the solid backing of management. It is recommended that the ISMS be based on the Deming wheel model (PDCA) introduced in BS 7799-2:2002, which is a de facto methodology and ensures that the correct components are engaged, evaluated, monitored and improved on a continuous basis.

Key Benefits

1- Because of the organization's dependence on information and information systems, the confidentiality, integrity and availability of information is essential to maintain competitive edge, cash flow, profitability and commercial image.

2- Compliance with legal, statutory, regulatory and contractual requirements.

3- Improved corporate governance and assurance to stakeholders such as shareholders, clients, consumers and suppliers.

4- Through a proper risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated, so your investment is allocated where it is necessary.

5- Improved security throughout the organization

6- Improved security planning

7- Demonstrates company’s commitment in protecting information

8- Security management effectiveness

9- Ongoing protection over Information

10-Less risk when dealing with partners

11-Improved customer, employee and partner confidence

12-More realistic and manageable auditing

13-Reduced liability over information

How ISMS is implemented?

Implementation Process

To implement the ISMS process, let us look at the various points that need to be covered under each domain. A brief explanation is given and examples are quoted wherever necessary.

The team

We will need to form a team to take this forward. We need a person who will be the primary interface between the implementation team and senior management; let us call this person the Chief Information Security Officer (CISO). The CISO is responsible for getting formal approvals from management and should also be able to take decisions on management's behalf. We also need a project manager who is in overall charge of the project and reports to the CISO; let us call this person the Information Security Officer (ISO). The implementation team members can be selected from every team, group or department within the scope, which helps in a smooth implementation process.

Define the Scope

An ISMS can be implemented for just a department, for just one floor of an organization, or for the whole or part of an organization. You will need to discuss this with senior management and pen down the areas where you would like to implement ISMS practices. This has to be clearly defined in your Information Security Policy document.

Business process study of individual departments: We have already identified the departments within the scope and we have one member from each department in our implementation team. Have a discussion with these team members to understand the process involved in carrying out their tasks within their department.

For example, let us take one part of the HR department. If we look at the hiring process, there would be different levels of interviews, each interview with its own standards and methods; after the interviews are over, an offer is made and on acceptance the candidate joins the organization. Once the joining formalities are over, a background check of the employee is done.

This process of hiring an employee, which is part of the HR department, needs to be documented; this is known as a business process study, and it has to be done for each and every department within the scope. Having a business process study document is not a mandatory requirement of the ISO 27001 standard, but it helps in the later stages in identifying the assets involved in carrying out the tasks and in valuing those assets. The following diagram may also illustrate the idea.

ISMS Documentation Levels

Implementation Issues

The security awareness program is a very important issue. A tool is essential to make security policies visible across the organization and to translate policy objectives into actual compliance.

Risk Assessment

Asset Inventory

Information can exist in different forms, and those things that hold this information are known as information assets. These can be:

Information / Data assets
Technology assets
People assets
Service assets

All the information assets of these departments should be identified and documented. On identifying these assets it is good practice to label them; a format needs to be defined to label all the assets within the organization. Every asset will have an asset owner and an asset custodian, and we need to document the owner and the custodian of each asset.

For ex: Let us take the case of a critical server in the organization. The owner of the server (hardware) would be the server group, the application owner might be the application group and the owner of the data residing in the server might be the system development group. This will vary from server to server or organization to organization or might be the same. It is also possible that the owner and custodian of the hardware, software and data be the same. This needs to be identified and documented.

Asset Value

Asset value can be defined by looking at the confidentiality, integrity and availability of an asset. Let me give an example which will make it easier to understand.

Let us take the mail server of the organization. The asset owner of the server and the custodian of the data is the server group, and the asset owner of the data is everyone who uses the server. Let us define a scale of 1-5 to record and assign a value to the owners' and custodians' views.

Confidentiality

Q. What if an intruder or another employee with a lower access level gets to read confidential top management mails?

Answer 1: It is very critical, since top management exchanges a lot of information through email.

Answer 2: It is not very critical. Since all our communication is encrypted, there is very little chance of information leakage.

For answer 1 the confidentiality value is 4.
For answer 2 the confidentiality value is 2.

Integrity

Q. What if an intruder or another employee modifies the contents of a mail so that the mail delivered is something different? For example, the CEO sends a mail to the CFO to donate Rs. 1,00,000 to a charity. Someone in between tampers with the mail, changes the amount to Rs. 7,00,000 and substitutes his own account number.

Answer 1: It is very critical.

Answer 2: It is not very critical, as all internal and external mail is digitally signed, so any tampering would be detected. (Encryption alone does not give this guarantee: it hides the content but does not by itself stop an attacker altering it.)

For answer 1 the integrity value is 4.
For answer 2 the integrity value is 2.
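The second integrity answer only holds if the protection in place actually detects tampering. The following Python example, added here and not part of the report, plays out the CEO-to-CFO scenario above with a constructed message and fixed example keys: the mail is first sent under encryption alone (a toy SHA-256 keystream standing in for any stream or counter-mode cipher, not a real product), and an attacker who holds no key flips the amount from 1,00,000 to 7,00,000 without anyone noticing; the same forgery is then rejected when the ciphertext carries an HMAC-SHA256 tag.

```python
import hashlib
import hmac

# Constructed sample data for the report's CEO-to-CFO scenario (not from the report).
# Keys are fixed here only so the example is reproducible; real keys come from a KMS.
ENC_KEY = b"example-encryption-key-do-not-reuse"
MAC_KEY = b"example-mac-key-do-not-reuse"
ORIGINAL_MAIL = b"From CEO to CFO: donate Rs. 1,00,000 to charity account 4521"


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). It stands in for any stream
    cipher or CTR mode: ciphertext bit i depends only on plaintext bit i."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, message: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Decryption is the same operation."""
    return bytes(m ^ k for m, k in zip(message, keystream(key, len(message))))


decrypt = encrypt


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker without any key: XORing old^new into the ciphertext at `offset`
    changes the decrypted bytes from `old` to `new` (bit-flipping / malleability)."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def sign(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Integrity: HMAC-SHA256 over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(sign(mac_key, ciphertext), tag)


def run_scenario() -> dict:
    """Send the mail, let the attacker change 1,00,000 to 7,00,000 in transit,
    and report what each receiver sees."""
    ct = encrypt(ENC_KEY, ORIGINAL_MAIL)
    tag = sign(MAC_KEY, ct)
    offset = ORIGINAL_MAIL.index(b"1,00,000")
    forged_ct = tamper(ct, offset, b"1", b"7")
    return {
        # encryption-only receiver: decrypts cleanly and acts on the forged amount
        "encrypted_only_received": decrypt(ENC_KEY, forged_ct),
        # signed receiver: tag no longer matches, mail is rejected
        "signed_accepted": verify(MAC_KEY, forged_ct, tag),
    }


if __name__ == "__main__":
    result = run_scenario()
    print("encryption only, receiver reads:", result["encrypted_only_received"].decode())
    print("with HMAC, forged mail accepted:", result["signed_accepted"])
```

The lesson for the valuation exercise is that the "not very critical" integrity answer is only justified when mail is signed (or authenticated-encrypted); confidentiality controls alone leave the integrity rating at the higher value.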

Availability

Q. What happens if there is a hardware failure and the server is not available to the organization?

Answer 1: It is very critical. Incoming mail might not be delivered, there might be data corruption, and users could lose their mails.

Answer 2: It is not very critical. My servers are redundant and I have a backup MX record. If there is a hardware failure, the backup server and MX record will take over and there will be no disruption to the service.

For answer 1 the availability value is 4.
For answer 2 the availability value is 2.

Now let us arrive at the asset value by using a simple method. Note: various other methods are also available; this is just an example.

Asset value = Confidentiality + Integrity + Availability

Mail Server Value = 4 + 4 + 4 = 12 (for very critical)

Mail Server Value = 2 + 2 + 2 = 6 (for not critical)

The next step is to identify the risk value of this particular asset. Let us see how to arrive at the risk value.

Risk Value

The risk value for an asset is determined by identifying the possible threats that can impact the CIA of the asset, how much impact each would cause, how frequently it occurs, and the asset value.

Let us take the mail server mentioned above for this example. We have already identified the asset value; now we need to list the threats to the mail server:

Power failures
Hardware failure
Fire
Virus attacks / malicious code injection
Intruders (hacking), denial of service (DoS attack)
Mail accidentally sent to a different recipient
Data corruption / data loss
Unauthorized access
Link failure
Natural calamities

Business Impact Analysis (BIA)

A BIA is performed to analyze the impact on the business of various unplanned events or incidents. Various failure scenarios and their possible business impacts are analyzed, including technical problems, human resource problems and other events.

We have already identified the asset value, and the risk assessment covers the threats and vulnerabilities that show us the impact on the business. Why do we need another analysis?

A BIA is different from a risk assessment. The risk assessment identifies the possible threats and vulnerabilities and how they will impact the asset and the business, and the asset value shows how critical the asset is to the organization.

A BIA is based on time. If there is a server crash (take the mail server from the example above), how long can the organization go without an email server? This is derived by doing the business impact analysis. The steps in determining the business impact are shown below:

Identify the critical resource, which has already been done while inventorying the assets and deriving the asset value. List all possible impacts on the business and prioritize the assets. In this example of deriving the BIA we shall use a scale of 1 to 5, and since the mail server is critical to the organization we shall take 4 as the BIA value.

Probability of Occurrence

The probability of occurrence is required to understand how frequently such failures occur. It is based on previous experience and on the current implementation, and is measured on a scale of 0.1 to 1. Refer to the table below.

For this example, let us rate the probability of occurrence as Medium, which has the value 0.4. Let us now see how to arrive at the risk value.

Risk Value = Asset value * Business Impact * Probability of Occurrence

Risk Value = 12 * 4 * 0.4 = 19.2

Why identify the risk value?


Here we have taken the example of a mail server and determined its risk value. If you do a risk assessment on a desktop or on some document templates, the risk value may be much lower. This method lets you decide which assets need to be considered for risk treatment in the next phase and which can be left out. The reason is cost: treating the risk on an asset with a low risk value may cost more than the asset itself or the loss it could cause to the business. We have the risk value and have decided to carry out risk treatment for this asset, since it is very important to the organization.
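The scoring and selection described above, written out as an added example (this is not code from the report). It applies the report's formula, Risk Value = Asset value * Business Impact * Probability of Occurrence, to a small constructed risk register and splits the assets into those that go forward to risk treatment and those that are recorded but deferred. Only the mail server figures (asset value 12, BIA 4, probability 0.4, risk value 19.2) come from the report; the other assets, their ratings, the names RiskEntry, risk_value and prioritise, and the treatment threshold of 10 are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not code from the report. Only the mail server figures
# (12, 4, 0.4 -> 19.2) are the report's; everything else is assumed.

BIA_SCALE = (1, 5)              # business impact rating scale used in the report
PROBABILITY_SCALE = (0.1, 1.0)  # probability of occurrence scale used in the report


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    asset_value: int       # from the earlier asset valuation step
    business_impact: int   # BIA rating on the 1..5 scale
    probability: float     # probability of occurrence on the 0.1..1.0 scale


def risk_value(asset_value: int, business_impact: int, probability: float) -> float:
    """Risk value per the report's formula, with the scale limits enforced."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    if not BIA_SCALE[0] <= business_impact <= BIA_SCALE[1]:
        raise ValueError("business impact must be on the 1..5 scale")
    if not PROBABILITY_SCALE[0] <= probability <= PROBABILITY_SCALE[1]:
        raise ValueError("probability must be on the 0.1..1.0 scale")
    # Two decimals are enough for a register and keep binary float noise
    # (12 * 4 * 0.4 evaluates to 19.200000000000003) out of the report.
    return round(asset_value * business_impact * probability, 2)


def prioritise(
    register: List[RiskEntry], threshold: float
) -> Tuple[List[Tuple[str, float]], List[Tuple[str, float]]]:
    """Score every entry, sort by descending risk value and split at the threshold.

    Returns (treat, defer): assets at or above the threshold go to risk
    treatment; the rest are recorded but not treated, because the control
    would cost more than the loss it prevents.
    """
    scored = sorted(
        ((e.asset, risk_value(e.asset_value, e.business_impact, e.probability))
         for e in register),
        key=lambda pair: (-pair[1], pair[0]),
    )
    treat = [pair for pair in scored if pair[1] >= threshold]
    defer = [pair for pair in scored if pair[1] < threshold]
    return treat, defer


# Constructed register: the mail server row is the report's example,
# the other rows and the threshold are assumed for illustration.
SAMPLE_REGISTER = [
    RiskEntry("Mail server", asset_value=12, business_impact=4, probability=0.4),
    RiskEntry("Desktop", asset_value=6, business_impact=2, probability=0.4),
    RiskEntry("Document templates", asset_value=3, business_impact=1, probability=0.2),
]
TREATMENT_THRESHOLD = 10.0  # assumed management cut-off for risk treatment


if __name__ == "__main__":
    treat, defer = prioritise(SAMPLE_REGISTER, TREATMENT_THRESHOLD)
    print("Treat:", treat)
    print("Defer:", defer)
```

The range checks matter more than they look: a probability typed as a percentage (40 instead of 0.4) or a BIA of 0 silently inflates or zeroes the risk value and changes which assets are treated, so the function refuses values outside the scales the report defines.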


Risk Management

Let us see how we can eliminate or reduce the risk from the threats listed above by mapping each threat to the applicable ISO 27001 controls.

The table above shows how each identified threat is mapped to ISO 27001 controls and how the risk can be minimized.

Deciding Assets for Risk Mitigation

Having determined the asset value and the risk value, management should now decide which assets are to be considered for risk mitigation. This is necessary because some of the controls needed to mitigate a risk may cost the organization more than the asset is worth. Assets that can be recreated without any impact on the business (such as templates and standard forms) can be excluded from the risk mitigation process.

Different Methods of Handling Risks

Risk Acceptance: to accept the risk and continue operating, or to implement controls to lower the risk to an acceptable level. Business requirements are given high priority while still considering how to safeguard information; there are instances where a certain risk must be accepted so that the business requirements are met.

For example: for testing purposes you may need to move one of your servers into the DMZ for a particular period of time. Since this testing is mandatory, it can be considered an acceptable risk for that period, but the acceptance must be agreed by management and by the asset owners, and recorded together with the period for which it applies.

Risk Avoidance: to avoid the risk by eliminating its cause and/or consequence. For example, an old system (say Windows 98 running some proprietary application) that cannot be patched for current vulnerabilities and is of little use to the organization can be eliminated simply by switching the machine off.

Risk Limitation: to limit the risk by implementing controls that minimize the adverse impact of a threat on an asset. Implementing an anti-virus server in the organization does not guarantee that the assets will be protected from virus attacks; it is a method of minimizing the risk from known viruses.

Risk Planning: to manage risk by developing a risk mitigation plan that prioritizes, implements and maintains controls. Some risks, such as those from natural calamities, can be foreseen. In the case of fire, it is recommended to hold fire drills at regular intervals, place fire extinguishers in fire-prone areas, mark the fire exits and keep those paths clear of obstructions, and document procedures and guidelines on operating fire extinguishers and on how to act during a fire.

Research and Acknowledgement: to lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct it. As mentioned before, if you have an outdated system or a proprietary application, it may not be possible to patch the system, as the patch might affect the operation of the software. In such cases it is recommended either to run the application as it is and treat it as an accepted risk, or to research whether there is an alternative way to patch the particular application.

Risk Transfer: to transfer the risk by using other options to compensate for the loss, such as purchasing insurance. Risk can also be transferred through contracts with your vendors, for example an annual maintenance contract (AMC) or another agreement to keep spares at your location.


Statement of Applicability (SOA)

The SOA is a document that lists all of the ISO 27001 controls. It requires identifying those that are applicable and giving a justification for choosing each control; a justification must also be given for each control that has not been chosen for implementation. The SOA is provided to clients and external trusted authorities on demand, so that they can judge the level of implementation of security practices in the organization. The headers of the SOA document can be as shown below; this is just an example:

Some of these controls require policies to support their implementation. As mentioned above, the anti-virus policy defines how anti-virus is deployed across the organization, which tools are used and how it is monitored. Make sure all the policies are in place; the operating procedures for all assets in the organization also need to be documented.
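The two requirements just stated, that every control is marked applicable or not and that either decision carries a justification, are simple to check mechanically once the SOA is kept in a tabular form. The following is an added example of such a check, not code from the report. The column layout (control; domain; applicable; justification; supporting_document) and the sample rows are constructed for this example, since the report's own header table did not survive extraction; the control names follow the ISO 27001 domain list used later in the report, and the function name validate_soa is assumed.

```python
import csv
from io import StringIO
from typing import List

# Added example, not code from the report. Checks an SOA extract for the
# properties the report requires: each control is marked applicable yes/no,
# carries a justification either way, and an applicable control points at
# the policy or procedure that supports it.

# Constructed SOA extract, semicolon-separated so names may contain commas.
SAMPLE_SOA = """\
control;domain;applicable;justification;supporting_document
Protection against malicious code;Communications and Operations Management;yes;Mitigates virus attack risk on the mail server (risk value 19.2);Anti-virus policy
Backup;Communications and Operations Management;yes;Mitigates data corruption and data loss;Backup procedure
Electronic commerce services;Communications and Operations Management;no;No e-commerce services operated within the ISMS scope, risk accepted by management;
Cryptographic controls;Information systems acquisition, development and maintenance;no;;
Mobile computing and teleworking;Access Control;yes;;
"""

REQUIRED_COLUMNS = ("control", "applicable", "justification", "supporting_document")


def validate_soa(soa_text: str) -> List[str]:
    """Return a list of findings; an empty list means the SOA extract is complete."""
    reader = csv.DictReader(StringIO(soa_text), delimiter=";")
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        return ["SOA is missing required column(s): " + ", ".join(missing)]

    findings: List[str] = []
    seen = set()
    for row in reader:
        control = (row.get("control") or "").strip()
        applicable = (row.get("applicable") or "").strip().lower()
        justification = (row.get("justification") or "").strip()
        document = (row.get("supporting_document") or "").strip()

        if not control:
            findings.append("row without a control name")
            continue
        if control in seen:
            findings.append(f"{control}: listed more than once")
        seen.add(control)

        # Every control must be explicitly addressed, one way or the other.
        if applicable not in ("yes", "no"):
            findings.append(f"{control}: 'applicable' must be yes or no, got {applicable!r}")
            continue

        # Inclusion and exclusion both need a written justification; an
        # exclusion is a risk acceptance and must be recorded as such.
        if not justification:
            kind = "inclusion" if applicable == "yes" else "exclusion (risk acceptance)"
            findings.append(f"{control}: missing justification for {kind}")

        # An applicable control needs the policy or procedure that implements it.
        if applicable == "yes" and not document:
            findings.append(f"{control}: applicable control has no supporting policy or procedure")
    return findings


if __name__ == "__main__":
    for finding in validate_soa(SAMPLE_SOA) or ["SOA extract is complete"]:
        print(finding)
```

Run against the constructed extract, the check flags the cryptographic controls row (excluded with no recorded risk acceptance) and the mobile computing row (marked applicable but with neither a justification nor a supporting policy); the e-commerce exclusion passes because its justification is present.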


What are Information Security Controls?

Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.

To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:

Before the event, preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;

During the event, detective controls are intended to identify and characterize an incident in progress e.g. by sounding the intruder alarm and alerting the security guards or police;

After the event, corrective controls are intended to limit the extent of any damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.

(Some security professionals would add further categories such as deterrent and compensating controls. Others argue that these are subsidiary categories. This is largely a matter of semantics.)

Security controls can also be categorized according to their nature, for example:

- Physical controls, e.g. fences, doors, locks and fire extinguishers;
- Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
- Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
- Legal and regulatory or compliance controls, e.g. privacy laws, policies and clauses.

A similar categorization distinguishes controls involving people, technology and operations/processes.

Information security controls protect the confidentiality, integrity and/or availability of information (the so-called CIA Triad). Again, some would add further categories such as non-repudiation and accountability, depending on how narrowly or broadly the CIA Triad is defined.


Control Areas

ISO 27001 defines a management system as organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources. ISO 27001 further defines an ISMS as that part of the overall management system, based on a risk approach, used to establish, implement, operate, monitor, review, maintain and improve information security. This comprehensiveness causes an ISO 27001 ISMS to potentially interact with multiple enterprise departments and programs such as:

- Human Resources
- Legal / Compliance
- Audit
- Facilities
- Business Continuity
- Operations
- Physical Security

In order to accomplish this goal, ISO 27001 has identified 5 control areas, 12 control objectives, and 78 controls. Each control is defined as an auditable requirement. It should be noted that implementation of a control may involve interaction with other departments and programs previously mentioned. The ISO 27001 control areas, control objectives and key control attributes are summarized below.

Mandatory controls

The controls detailed within ISO 27001 sections 4-8 are required for conformance to the standard.

Information security management system

This control area addresses the need to establish, implement, operate, monitor, review, maintain and improve a documented ISMS, including:

Establishing and managing the ISMS – creation and management of a risk-driven, process-based ISMS based upon:

- Defined ISMS scope including boundaries and assets
- Risk identification and treatment methodologies
- Management framework for setting control objectives
- Measuring and monitoring of ISMS performance

Documentation requirements – identification of the type of ISMS required documentation as well as requirements for the control of both documents and records.

Management responsibility

This control area addresses the need for clearly assigned ISMS management responsibilities, including:

- Management commitment – management identification and communication of information security control objectives and risk tolerance.
- Resource management – provisioning of adequate resources to meet the defined control objectives and ensuring competency in execution.

Internal ISMS audits

This control area addresses the need for an internal ISMS audit capability, including a documented audit procedure addressing audit criteria, scope, frequency, methodology, and responsibilities.

Management review of the ISMS

This control area addresses the need for management participation in and support of the ISMS, including:

- General – scheduled and documented periodic review of the performance of the ISMS.
- Review input – the various sources of metrics required for a comprehensive management review.
- Review output – the various management review decision criteria and the need to track changes resulting from these management decisions.


ISMS improvement

This control area addresses the need for mechanisms to continually improve the ISMS, including:

- Continual improvement – tools and techniques to measure and monitor ISMS performance.
- Corrective action – reactive identification and root cause analysis of existing ISMS non-conformities, as well as tracking of remediation actions.
- Preventive action – proactive identification and root cause analysis of potential ISMS non-conformities, as well as tracking of remediation actions.

Discretionary controls

The controls detailed within ISO 27001 Annex A are the same controls detailed within ISO 27002, but without the implementation guidance provided in ISO 27002. ISO 27001 requires that every Annex A control be addressed, but not necessarily implemented. The business-friendly stance of ISO 27001 allows for risk acceptance based upon organizational risk tolerance criteria established by management; any Annex A control that is not implemented must have a documented risk acceptance justification. There are 11 domains in ISO 27001:2005 Annex A, as follows:

1- Information Security Policy: describe how your security policies are documented, approved, published, reviewed and updated.

2- Organization of Information Security: describe how your company is organized in terms of its approach to information security.

3- Asset Management: describe how your assets are identified and managed, and how information within your organization is classified, labeled and handled.

4- Human Resources Security: describe how your employees understand their responsibilities and how you ensure continued appropriate access to information before, during, and after employment.

5- Physical and Environmental Security: describe how you prevent unauthorized physical access, damage and interference to your organization’s premises and information.

6- Communications and Operations Management: describe how your organization ensures the correct and secure operation of information processing facilities, through:

- operational procedures and responsibilities
- third-party service delivery management
- system planning and acceptance
- protection against malicious code
- backup
- network security management
- media handling
- exchange of information
- electronic commerce services
- monitoring

7- Access Control: describe how access to information is controlled, through:

- user access management- user responsibilities- network access control- operating system access control- application and information access control- mobile computing and teleworking

8- Information Systems Acquisition, Development and Maintenance: describe how your organization ensures that security is an integral part of information systems, through:

- security requirements analysis and specification
- correct processing in applications
- cryptographic controls
- security of system files
- security in development and support processes
- technical vulnerability management

9- Information Security Incident Management: describe how your organization ensures that information security weaknesses and events are communicated in a timely manner.

10-Business Continuity Management: describe how your organization counteracts interruptions to business activities and protects critical business processes from the effects of major failures or disasters, and ensures their timely resumption.

11-Compliance: describe how your organization ensures compliance with organizational security policies and standards.


BS 7799 (ISO 27001:2005) consists of 133 best security practices or controls, covering the 11 domains discussed above, which organizations can adopt to build their security infrastructure. Even if an organization decides not to go for certification, the BS 7799 (ISO 27001) model helps it maintain organizational security through ongoing, integrated management of policies and procedures, personnel training, selecting and implementing effective controls, and reviewing their effectiveness and improving them.


Conclusion

Information is now globally accepted as a vital asset for most organizations and businesses. As such, the confidentiality, integrity and availability of vital corporate and customer information may be essential to maintaining competitive edge, cash flow, profitability, legal compliance and commercial image. ISO 27001 is intended to assist with this task. It is easy to imagine the consequences for an organisation if its information were lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. In many cases this can lead, and has led, to the collapse of companies.

Research conducted in several offices has shown that technical security controls are applied at a good level. Unfortunately, organizational security controls are not at a satisfactory level. This is because the implementation of technical security controls is the responsibility of an information technology officer who has the relevant qualifications, whereas the organisational security controls are the responsibility of all employees. Implementing such security controls requires substantial changes in the organization's culture.

For that reason the implementation phase should be accompanied by a series of employee training courses, whose purpose is to acquaint employees with the new ways of organising work and to explain the reasons for introducing the changes. Next comes the development and implementation of the risk treatment plan, which defines the actions to be undertaken, their sequence, and the positions responsible for introducing the changes. The further stage is the implementation of the security controls provided for in the Statement of Applicability and the definition of how their effectiveness is measured. The measurement should allow not only for assessment of the system's operation in the future, but also for comparison of changes over time.

Developed nations are today at the forefront of developing and defining standards in information security, significant among them being COBIT, ISO 27001 and ISM3. The primary purpose of such a standard is to provide a single framework for effective information security management. In general this includes:

- Having a vision defining the importance of information security from a business perspective.
- Integrating technical and non-technical security approaches.
- Planning and implementing solutions.
- A method for continuous improvement.
- Adequate documentation.
- Steps to ensure continuity of business.

A significant change in outlook which standards have brought about can be summarized below,

An organization stands to lose its chance of good business with informed customers if it does not pay attention to information security, or sees it as an area purely concerning the IT department.

The realization that customers need assurance that there is adequate protection for critical information.

The catalyst for this change in approach has been standards and guidelines. The current international standards in Information Security work around the principle of ISMS. These standards approach Information Security in a top-down manner, with the initiatives towards ISMS set and supported by the senior management and implemented by the lower rungs of the organization.
