"I am Certified, but am I Safe?" - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011

“I am certified, but am I safe?” Anup Narayanan, CISA, CISSP Founder & CEO, ISQ World

Description

A talk that highlights how organizations can pursue ISO 27001 certification with the right kind of expectations, on what it guarantees and what it does not.

Transcript of "I am Certified, but am I Safe?" - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011

Page 1: "I am Certified, but am I Safe?" - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011

“I am certified, but am I safe?”

Anup Narayanan, CISA, CISSP

Founder & CEO, ISQ World

Page 2

Agenda

• What exactly is Certification?
• The audit process & fear: Why?
• The cost of poor implementation
• Getting your ISMS right
• The ISM3 model
• The CXO’s Security Plan
• How do I know I am safe?

Page 3

What exactly is Certification?

An explanation in simple terms

Page 4

The auditor looks for two factors:

• The existence of the ISMS: is the P-D-C-A (Plan-Do-Check-Act) model in place? Scope, security forum, asset classification list, risk analysis, documents etc.

• The functioning of the ISMS: review and improvement processes, the CHECK and ACT phases. Auditor: “Have you done a root cause analysis?” Not just identifying, but solving.

If the auditor is satisfied, you are recommended for the certification.

Page 5

The essence of ISO 27001 / ISMS

Tells you what to do: implement an ISMS (Information Security Management System) fit for business.

Does it tell you how to do it? Not very well!! ISO 27002 is a good guide, but subject to poor interpretation. Not the fault of the standard.

Page 6

Example

“Build a vehicle”

Page 7

Poor Interpretation

Good Interpretation

Page 8

The audit process & fear

Why?

Page 9

Analysis

• The purpose of the ISMS is not well understood
• The implementation process is not well understood
• The audit process is not well understood
• You are misguided by ill-informed people

Page 10

Some facts!

Fallacy – I must select as many controls as possible
Truth – Choose those controls that are required (some of them will be mandatory)

Fallacy – I must produce a ton of documentation
Truth – I must produce documents that I will read

Fallacy – The auditors will be tough and strict
Truth – The auditors know their job and you should know yours

Page 11

This leads to…ISMS fatigue

• After the first few years, you will not be able to maintain all controls – managers will grumble
• This leads to poor maintenance of controls
• Poor maintenance leads to “quick-fixes” that open more vulnerabilities
• Slowly the controls weaken and people start finding alternatives to avoid the ISMS, which opens more weaknesses

Page 12

The cost of poor implementation

A poorly implemented ISMS leads to more security weaknesses than not having one at all.

Page 13

Getting your ISMS right

Information Security Goals, Targets and Processes (Not Controls)

Page 14

My primary focus is to constantly increase shareholder value
→ Depends on: customer retention & acquisition
→ Depends on: TRUST
→ Depends on: continuous availability of services
→ Depends on: continuous availability of Information and Information Systems
→ INFORMATION SECURITY

Page 15

On the Internet…

The customer cannot see you. They don’t know what you look like, or how you talk…

This makes it difficult for you to influence the perception of TRUST on the Internet using visible factors…

Trust & the impersonal nature of the Internet

TRUST on the Internet is based on measurable factors such as availability of services.

Hence, you need Information Security, to be there when the customer needs you.

Page 16

The purpose of the ISMS

Business Goals: Profitable, be ethical, socially responsible

Business Targets                       Helped by
Generate $X through sales              Sales: sell products & services; HR: hire the right people
Pay bills / salaries / taxes on time   Finance: process payments, pay bills & salaries, accounting
Maintain the offices and facilities    Admin: maintenance functions, HVAC etc.

Where does Information Security fit in?

Page 17

Realize this…

No two businesses are alike, hence no two ISMSs are alike.

Be confident! Build an ISMS fit for your business!

Choose only processes that are useful for your business, not because someone else does them too.

Page 18

Using ISM3 to implement ISO 27001

ISM3 – Information Security Management Maturity Model

Page 19

ISM3

• Recently adopted as The Open Group Standard - www.ism3.com
• ISM3 provides a set of “security management processes” that are consistent with business goals
• You can select “Maturity Levels” based on available resources

Level 1: Low risk environment
Level 2: Normal risk environments
Level 3: Normal to high-risk environments – IT service providers / e-Commerce
Level 4: High risk environments – public companies, finance
Level 5: High risk environments + mandatory metrics

Page 20

Security Investment & Risk Reduction

Page 21

The advantage of a process-based approach

A process:
• Gives more clarity on what needs to be done
• Makes you realize the amount of resources that need to be assigned to execute it
• Hence, you will select those processes that are truly required for the ISMS
• This leads to building an ISMS “for your business” and “not for certification”

Page 22

The CXO’s Security Plan

Page 23

As the CEO, you want to spend less, but effective, time on information security.

So, your plan must be simple, precise and must give you answers to 3 questions.

Page 24

The 3 questions are…

1 - Assets: What are my information assets? (Give me the latest list)

2 - Threats: What are the threats to my information assets? (Give me the newest threats)

3 - Vulnerabilities (Weaknesses): What are the vulnerabilities that can be exploited by these threats? (What are we doing about them?)

Page 25

Your plan centers around “Assets”, “Threats” and “Vulnerabilities”.

In fact, you must work together with your information security officer to have the latest list of Assets, Threats & Vulnerabilities briefed to you at regular intervals (at least once a month or quarter).

Page 26

Idea!

Ask your Information Security Officer to create a threat and vulnerability pipe.

Page 27

A sample threat & vulnerability pipe (latest threats and vulnerabilities go on top)

March
• Security survey reveals poor user security awareness
• SANS reports 5 vulnerabilities that affect our applications

Feb
• Some web applications do not have a privacy policy displayed
• Backup restoration is not tested

Jan
• Background verification of new employees not uniformly done
• Information security risks not considered as part of the business continuity plan

Page 28

So, the next time you are with your information security officer, you know what to ask…

“Could you please tell me the top 3 items off the top of the threat & vulnerability pipe?”

“Hmm…she is getting security sharp!”

Page 29

Remember!

A good security manager will tell you your weaknesses and not always your strengths!

Page 30

How do I know that I am safe?

Page 31

How do I know that I am Safe?

You are safe when:
• You know what your business is about
• You know the Information Systems that are required to attain business goals
• You know the risks to the Information Systems
• You have reduced the risks as best possible
• You know exactly what your weaknesses are and are prepared for them

Page 32

The Art of War – Sun Tzu

It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles;

if you do not know your enemies but do know yourself, you will win one and lose one;

if you do not know your enemies nor yourself, you will be imperiled in every single battle.

Page 33

Please keep in mind

Information Security does not earn you big money. But it ensures that you keep earning the big money.

….because, information security influences the way your customers TRUST and BUY your brand.

Page 34

© First Legion Consulting

Thank You

Anup Narayanan, Founder & Principal Architect

ISQ World, A First Legion [email protected]