Information Security Strategy Implementation and Framework ...
© Infosec Associates 2001

Information Security Strategy Implementation and Framework Seminar

David Dowling, Tom Fairfax
Agenda
• Putting information security in context
• The information security management system
• Implementation
Putting information security in context
Organizational trends (diagram): external relationships plotted from strong to weak, internal relationships from ‘hard’ to ‘soft’; the trend runs from hierarchical towards organic.
Yesterday’s solution (diagram): users and computers at the company head office and other company sites, with business partners reached over private links, all inside a company-managed security perimeter.
Today’s situation (diagram): the company head office connects to business partners, other organizations and home access over shared networks, the public network and the Internet.
Why information security management?

• Increasing threats – threats from viruses, hackers, fraud and espionage are increasing
• Increasing exposure – greater dependence on IT, less central control, new entry points for intruders
• Increasing expectations – managers, business partners, auditors and regulators demand protective measures
Information security

• Confidentiality – protecting sensitive information from unauthorised disclosure or intelligible interception
• Integrity – safeguarding the accuracy and completeness of information and computer software
• Availability – ensuring that information and vital services are available to users when required
Trends in security threats (diagram): threats to confidentiality, integrity and availability are divided into malicious (fraud, mischief, sabotage, vandalism, espionage, leaks) and accidental (errors, failures, breakdowns, disasters, oversights, breaches). Callouts on the diagram: safety-critical systems cause concern; increasing threats from espionage and information brokers; fraud increasing with corporate restructuring; increasing sophistication of viruses and hacker groups.
Buy-in

The Holy Grail of information security … or is it?
Getting top-down commitment

• Demonstrate the business benefits
  – minimised security risks
  – optimised business partnerships
  – exploitation of electronic commerce
• List other organizations who are committed
• Show horror stories of security breaches
Selling the idea

• Feature
• Benefit
• You appeal
On-going support

So you’ve been given some money! … is that all you need?
On-going support

• Watch out for saboteurs!
• Malicious or accidental, they can undermine all of your good work
• Make sure management leads by example
A short overview of BS 7799 parts 1 & 2
Information security

Scope: safeguarding the confidentiality, integrity and availability of written, spoken and computer information

Objective: to ensure business continuity and minimise business damage by preventing and minimising the impact of security incidents
BS 7799 - part 1

• A code of practice (not a specification)
• Provides best practice guidance
• Use as required within your business
• Not for certification
• Originally an initiative by the DTI, launched in 1993
• Developed into a British Standard in 1995
• Further revision issued in May ’99, written by industry experts including international contributions
• Now an international standard - BS ISO/IEC 17799
Code of practice structure

• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance
BS 7799 - part 2

• A specification
• Used as a basis for certification
• Requires:
  – risk assessment
  – statement of applicability
  – proof to the certification body
Certification requirements

BS 7799 certification (diagram, from BS 7799 - Information Security Management 2000): a chain of formal accreditation and accountability runs from the accreditation body (UKAS) to the certification body, to its auditors, to the certificated organization.
Define the policy
Scope of the ISMS

Boundaries defined in terms of:
• Organization
• Location
• Assets
• Technology
Risk assessment

• Threats to assets
• Vulnerabilities
• Impact on the organization
• Degree of risk
Risk management

• Identify the risk to be managed, based on
  – the approach to risk management
  – the degree of assurance required
• Determine options for controls to manage the risk
Select and apply controls

• Clause 4 of BS 7799-2 provides a list of detailed controls
• Additional controls may also be required
Statement of applicability

“A critique of the objectives and controls applicable to the needs of the organization”

• Selected control objectives and controls
• The reasons for their selection
• Justification of any controls not selected
BS 7799 part 2

• A basis for assessment
• A basis for a formal certification scheme
• Compatibility with Data Protection
Part 2 structure

• Clause 1: Scope
• Clause 2: Terms and definitions
• Clause 3: ISMS requirements
• Clause 4: Detailed controls
Scope of audit

• The same as your ISMS
or
• The statement of applicability
Selecting a certification body

• Select an appropriate body (ask UKAS)
• Provide information to help them with their proposal
The review process

• Document review
• On-site audit
• Correction of non-compliance
• Issue of certificate
• Maintaining certification
What is an information security management system?
Critical success factors

BS 7799-1:2000 identifies these:
– security policy, objectives and activities that reflect business objectives
– an approach consistent with the organization’s culture
– visible support and commitment from management
– a good understanding of security requirements, risk assessment and risk management
– effective marketing of security to all managers and employees
– distribution of comprehensive guidance and education & training
– a comprehensive and balanced system of measurement
ISMS (from BS 7799) (diagram)

ISMS, InfoSec Associates version (diagram)
Healthcheck / gap analysis

• Gets you started cheaply and easily
• Must be integrated with risk assessment!
Healthcheck / gap analysis

The objective of the gap analysis is to establish:
• where we are
• where we want to go
• what we need to do to get there
Healthcheck / gap analysis

• Review the project terms of reference
• Look at the shape of the system
• Look at what controls are in place
Healthcheck / gap analysis

• Review organizational mandates
• Review any standards supporting the terms of reference
Healthcheck / gap analysis

• Formal organization – is there a formal or informal security organization?
• Policy – is it current? When did it last change?
• Requirements analysis – was the system pulled out of a hat, or does it reflect the needs of the organization?
• Review and change history – is the system a dinosaur?
• Policy dissemination and training
Look at what controls are in place

• Why was the control implemented?
• How effectively is it implemented?
• Does it reflect organizational needs?
• Is further work required?
Critical success factors

• Independence
• Imagination
• Credibility
Initial document fact find

• Organization chart
• Any existing security policies
• Staff handbook
• Contract of employment
• Confidentiality agreement
• Capital equipment asset register, and also any registers of software licenses and of critical data
Lining up the interviews - 1

• Information security policy and organization
• IT policy and plans
• Computer operations & housekeeping
• New IT systems planning and acceptance process
• IT help desk
• Network management
• EDI and inter-company connectivity
• User access management
• In-house or third-party software development
• Third-party relationships
• Internet access and e-mail
Lining up the interviews - 2

• Personnel and training
• Physical security, including buildings and visitor control
• Business continuity planning for each site
• Legal compliance issues (usually answered by the company secretary, data protection officer and IT manager)
• A representative from Computer Audit should be very helpful!
• Half an hour will be needed with each of a selection of “users”: say two “power users” (people who really exploit their PCs), two people with administrative roles (such as secretaries) and two managers.
Deliverable

• Gap analysis report
• Recommendations
• Action plan
Resources

• Independent reviewers
• Management system documentation
• Software tools
• Policy documentation
Risk assessment

• Asset valuation
• Threats
• Vulnerabilities
• Impacts
Risk assessment: asset valuation

• Valuable – expensive to replace
• Sensitive – disclosure may damage the business
• Critical – health & safety; mission critical
Risk assessment

• The business harm likely to result from a significant breach
• The realistic likelihood of such a breach occurring
Risk assessment

Select an approach which is:
• Suitable for the organization
• Suitable for its security requirements
Risk management (diagram): the risk management process contains the risk assessment process, followed by identification and selection of security controls, reducing the risks, and risk acceptance.

ISMS, InfoSec Associates version (diagram)
Action plan: sorting & weighting

• Critical actions – threaten the business now!
• Tactical actions – quick wins
• Strategic actions – require planning & budget
• The rest! – can be mopped up later
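The risk assessment slides above (asset valuation, business harm and realistic likelihood, control selection and the statement of applicability) and the four action-plan buckets just listed can be carried through as one worked register. The following is an added example, not the seminar's own material and not any of the tools named later (Cobra, Proteus, CRAMM, RA Tool); the assets, threats, vulnerabilities, control names, the 0 to 3 scales, the multiplication of asset value by likelihood and the two thresholds are all constructed assumptions:

```python
"""Added worked example (not from the seminar): a small qualitative risk
register that follows the slides' sequence, from asset valuation through
impact x likelihood to control selection, a statement of applicability and
the four action-plan buckets.  Every asset, threat, vulnerability, control
name, scoring scale and threshold below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed scales: each valuation criterion and the likelihood are scored 0-3.
RISK_THRESHOLD = 3   # assumed: risk below this is accepted, control not selected
CRITICAL_RISK = 6    # assumed: risk at or above this "threatens the business now"


@dataclass
class Asset:
    """Asset valuation on the slides' three criteria."""
    name: str
    valuable: int    # expensive to replace
    sensitive: int   # disclosure may damage the business
    critical: int    # health & safety / mission critical

    def value(self) -> int:
        # Take the worst criterion rather than the sum: a cheap but
        # mission-critical asset is still a high-impact asset.
        return max(self.valuable, self.sensitive, self.critical)


@dataclass
class Scenario:
    """One threat exploiting one vulnerability against one asset, with the
    single candidate control considered for it (one control per scenario
    keeps the example short)."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int         # realistic likelihood of a significant breach, 1-3
    control: str            # candidate control from the code of practice
    control_cost: str       # "low" = quick win, "high" = needs planning & budget
    in_place: bool = False  # already implemented, per the gap analysis

    def risk(self) -> int:
        # Degree of risk = business harm (asset value) x likelihood, 0-9.
        return self.asset.value() * self.likelihood


def classify(s: Scenario) -> str:
    """Action-plan bucket: critical / tactical / strategic / rest."""
    r = s.risk()
    if r < RISK_THRESHOLD or s.in_place:
        return "rest"        # accepted risk, or control exists: check at audit
    if r >= CRITICAL_RISK:
        return "critical"    # threatens the business now, whatever it costs
    return "tactical" if s.control_cost == "low" else "strategic"


def statement_of_applicability(scenarios: List[Scenario]) -> Dict[str, Tuple[bool, str]]:
    """Control -> (selected?, reason); not-selected controls get a justification."""
    soa: Dict[str, Tuple[bool, str]] = {}
    for s in scenarios:
        r = s.risk()
        if r < RISK_THRESHOLD:
            soa[s.control] = (False, f"risk {r} to {s.asset.name} is below "
                                     f"threshold {RISK_THRESHOLD}; risk accepted")
        elif s.in_place:
            soa[s.control] = (True, f"already in place for {s.asset.name} "
                                    f"(risk {r}); verify effectiveness at audit")
        else:
            soa[s.control] = (True, f"reduces risk {r} to {s.asset.name} "
                                    f"from {s.threat} via {s.vulnerability}")
    return soa


def action_plan(scenarios: List[Scenario]) -> Dict[str, List[str]]:
    """Controls per bucket, highest risk first within each bucket."""
    plan: Dict[str, List[str]] = {"critical": [], "tactical": [], "strategic": [], "rest": []}
    for s in sorted(scenarios, key=lambda x: x.risk(), reverse=True):
        plan[classify(s)].append(s.control)
    return plan


# Constructed sample register.
PAYROLL = Asset("payroll database", valuable=2, sensitive=3, critical=2)    # value 3
WEBSITE = Asset("public web server", valuable=1, sensitive=0, critical=2)   # value 2
LEAFLETS = Asset("marketing leaflets", valuable=1, sensitive=0, critical=0)  # value 1

SAMPLE: List[Scenario] = [
    Scenario(PAYROLL, "espionage / leaks", "no access control on file shares", 2,
             "User access management", "low"),                       # risk 6
    Scenario(PAYROLL, "disaster (fire)", "no off-site backups", 1,
             "Business continuity plan", "high"),                    # risk 3
    Scenario(PAYROLL, "virus", "anti-virus signatures not updated", 2,
             "Malicious software controls", "low", in_place=True),   # risk 6
    Scenario(PAYROLL, "error", "no validation of payroll amounts", 1,
             "Input data validation", "low"),                        # risk 3
    Scenario(WEBSITE, "hacker defacement", "unpatched web server", 3,
             "Patch management procedure", "low"),                   # risk 6
    Scenario(WEBSITE, "breakdown", "single power supply", 2,
             "Uninterruptible power supply", "high"),                # risk 4
    Scenario(LEAFLETS, "vandalism", "unlocked store room", 2,
             "Physical entry controls", "low"),                      # risk 2
]

if __name__ == "__main__":
    for bucket, controls in action_plan(SAMPLE).items():
        print(f"{bucket:9s}: {controls}")
    for control, (selected, reason) in statement_of_applicability(SAMPLE).items():
        print(f"{'SELECTED' if selected else 'not selected':12s} {control}: {reason}")
```

The one judgement the slides leave open is what counts as "critical"; the thresholds here are placeholders and in practice come out of the risk acceptance step. Controls the gap analysis found already in place land in "the rest" but stay in the statement of applicability, where the later audit checks that they actually work.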
Action plan: review meeting

• Who is on the ISSG (Information Security Steering Group)?
• Who is the information security champion?
• Assign responsibilities – who? when? how?
• Agree a meeting schedule – milestones and reviews
Security organization (diagram)

• The Board – approves policy and overall responsibilities; monitors exposure and reviews incidents; approves major initiatives
• Information Security Steering Group – specific roles & responsibilities; specific methods and processes; promoting visibility
• Information Owner
Information security steering group

• Information Security Manager
• Board-level sponsor
• Personnel / HR
• IT
• Internal audit
• Quality Management
• External advisor
Define responsibilities

• Information Owner
• Information Custodian
• Information User
• Line Manager
• Information Security Manager
• Security Contact or Help Desk
Responsibilities (diagram): the roles shown are Infosec Manager, Line Manager, User and Service Provider; the responsibilities shown are promote & oversee security, maintain security for IT services, security in applications, and co-ordinate security policy & education.
Get help

• Personnel / HR
• IT
• Software development
• Internal audit
• Security / Building services
• Procurement
• Business Continuity Planning
• Quality Management
• Board members
ISMS, InfoSec Associates version (diagram)

Information security documents (diagram): group policy and company policy sit above the code of practice; beneath it, interpretation guides address users and managers, and implementation standards address service providers.
Information security policy

A policy document should be approved by management, published and communicated, as appropriate, to all employees.

It should state management commitment and set out the organization's approach to managing information security.

This policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.
Information security policy

• States management commitment
• Sets out the organization's approach to managing information security
• Is published
• Is communicated throughout the organization in a form that is relevant, accessible and understandable
Code of practice

BS 7799 Part 1:
• This code of practice may be regarded as a starting point for developing organization-specific guidance.
• Not all of the guidance and controls in this code of practice may be applicable. Furthermore, additional controls not included in this document may be required. When this happens it may be useful to retain cross-references which will facilitate compliance checking by auditors and business partners.
Code of practice

• Must be relevant
• Must reflect organizational culture
• Must be accessible
Employee guidelines

• Relevant
• Short
• Easy to read
• Accessible
• Cross-referenced to your Code of Practice & Procedures
Procedures & technical standards (diagram): the same document hierarchy, highlighting the implementation standards beneath the code of practice that are written for service providers.
Procedures & technical standards

• How-to, referenced to your Code of Practice
• Situation-specific or platform-specific
• Easy to follow
• Consistent design
• Change controlled
• Thoroughly tested
• Centrally maintained
Why distribute the documentation?

ISMS, InfoSec Associates version (diagram)
Why do staff awareness?

Over 70% of information security incidents are directly attributable to human error or ignorance (source: BCS). They could be your ‘weak link’.
The awareness cycle

• Awareness (I know it exists)
• Understanding (I know what it is)
• Value (I know why it’s worthwhile)
• Ownership (I agree with it)
• Commitment (I’ll do it)
• Communication (I’ll promote it)
• Development (I’ll help enhance it)
Generic training / awareness roll-out (diagram)

Planning: objectives & benefits; culture & methodology analysis; programme structure; training requirements; time-tabling; administration; materials production; launch event.

The delivery: launch; traditional training; self-study; promotional; follow-up sessions; reinforcement sessions; review.
Objectives & benefits analysis

Purpose
• To enable you to understand the business objectives and benefits of the awareness campaign and to ensure that they are addressed appropriately.

Method
• An Information Security Health Check, or similar audit, will define the project objectives and perceived benefits.
Culture & methodology analysis

Purpose
• To enable you to understand the culture of your organization, existing training methodologies and any resistance to change. You are then able to propose appropriate training methods.

Method
• Key personnel from each site are identified and interviewed. The staff are asked three key questions:
  – What do you currently do that does not work?
  – What do you currently do that does work?
  – What else could be done that might work?
Programme structure design

Purpose
• To ensure that the programme content is appropriate for your organization’s culture, and to structure the awareness programme to make the most efficient use of time and resources.

Method
• A meeting with your training contact.
Materials production

Purpose
• To act as the basis for self-study, traditional training or promotional activities, to reinforce the programme content and act as reference material.

Deliverable
• The materials could be almost anything. Some examples would be: CBT, videos, posters, self-study / reference materials (books / CDs / disks), e-mail, mouse mats, mugs, etc.
Training requirements planning

Method
• Meet with representatives from each site, department, work group and local training units to determine which of the options best suit the department, group or location.

Deliverable
• A plan of who receives which portions or variations of the awareness programme.
Launch event

Purpose
• These are key to the success of the awareness programme. The launch events are used to achieve fast buy-in to the programme by staff, focusing on the key issues, and to set the backdrop for the rest of the programme.

Method
• Methods are tailored to suit the message, culture and physical environment.
Training method selection

Purpose
• To effectively drive home messages on key security issues, such as password management, visitor control or viruses.

Method
• Methods are tailored to suit the message, culture and physical environment.
Reviews

Purpose
• These meetings provide an opportunity to consolidate feedback from delegates, managers and presenters to evaluate the programme on an on-going basis.

Method
• Review meetings are held with representatives from the business areas. Corrections and improvements to materials and methods are also discussed and authorised in this forum.
ISMS, InfoSec Associates version (diagram)

Technical checks including revisiting the health check
Review procedures

• Is my Code of Practice up to date and appropriate?
• Do I comply with my Code of Practice?
Audit and review

To validate current status or to drive change?
Components

• Define scope and objectives
• Desktop review
• Compliance audit
• Recommendations
• Close out
Critical success factors

• Relevance
• Planning
• Co-operation
• Routine
• Imagination
Deliverable

• Audit report
• Recommendations
Resources

• Policy
• Internal or external resource
• Key personnel
• Software tools
ISMS, InfoSec Associates version (diagram)

Implementation
The cost of doing nothing (diagram): the starting point is unacceptable risk.
Seven stages of implementation (diagram, built up one stage at a time as a bridge leading away from unacceptable risk):

• Organization
• Gap analysis
• Risk assessment / management
• Authoring policy / COP
• Issuing policy / COP
• Awareness & education
• Audit & review

The objective is to remove the cost of not being secure. This can only be done once the bridge is complete.
Organization

Organization - Objectives

To create and maintain conditions to support the effective implementation of ISM within your organization
Organization - Critical success factors

• Get the right people
• Give them the skills and information
• Make them accountable
• Make them care
Organization - Common pitfalls and problem areas
• Failure to create a strong guiding coalition
• Failure to tie in support at a high enough level
• Failure to engage or enable supporters
• Failure to engage the whole organization
• Failure to identify with business objectives
• Failure to integrate ISM with business practices
Organization - Strategies & deliverables
• Maintain a register of responsibilities
• Include non IT personnel in the steering group
• Clearly define the project support structure
• Maintain a visible review mechanism
• Use existing fora or structures
Organization - Tools & products
• Existing fora or structures
• External consultancy resource
• Decision support information
• Proteus
• RA tool
• Cobra
Organization - Feature checklist

• Organizational mapping
• Register of security responsibilities
• Contact or call-tree management
• Primary and secondary levels of accountability
Gap analysis
Gap analysis - Objectives

Establish…
• where we are now
• where we want to go
• what we must do to get there
Gap analysis - Critical success factors

You should be able to:
• Conduct an independent analysis
• Relate the analysis to organizational objectives
• Relate the analysis to the risk environment
• Update the analysis as the situation changes
Gap analysis - Common pitfalls and problem areas

Beware…
• Irrelevant information or excessive detail
• Out-of-date assumptions and values
• Lack of visibility
• Biased findings
Gap analysis - Strategies & deliverables

• Achieve independence - use external resource
• Collate information using a gap analysis tool
• Benchmark against industry best practice
• Prioritise against organizational objectives
• Work top down and bottom up
Gap analysis - Tools & products

• Cobra
• Proteus
• RA Tool
• Risk Limited
• DIY
Gap analysis - Feature checklist

• Scalability
• Flexibility
• Identification of relevant controls
• Reporting – management information
• Prioritisation of controls
• Prioritisation of tasks
• Ongoing management and reporting of exposure levels
Risk assessment / management
Risk management - Objectives

To ensure that proportional measures are implemented in order to bring the risk affecting the organization within acceptable limits
Risk management - Critical success factors

• Ensure the strategy is consistent with organizational objectives
• Ensure that the strategy reflects the risk environment
• Find the most efficient compromise between cost and benefit
• Integrate risk management with the organizational decision-making process at all levels
• Ensure risk owners are accountable at all levels
Risk management - Common pitfalls and problem areas

• Over-complexity
• Failure to conform to the organizational context
• Failure to evolve with organizational changes
• Failure to present risk in a relevant form
• Failure to assign ownership at the appropriate level
• Failure to consider the risks associated with the status quo
• Inappropriate measurement criteria
Risk management - Strategies & deliverables

• Use third-party resource
• Use a software tool / combination
• Use manual methods
• Select a quantitative / qualitative strategy
• Use operational risk management strategies
Risk management - Tools & products

• Existing fora or structures
• External consultancy resource
• Decision support information
  – CRAMM
  – InfoSec Associates
  – Proteus Plus
  – RA Tool
  – Risk Limited (corporate governance tool)
Risk management - Feature checklist

• Link to organizational objectives – explicit or implicit
• Identification and valuation of assets / capabilities
• Risk management policy identification
• Risk assessment functions
• Ease of use / speed of review / practicality
• Audit trail / change control
• Reporting and management information
• Integration with other tools
Authoring policy / COP
Authoring policy / COP - Objectives

The policy, code of practice and procedures tell staff what they can do, what they cannot do, what they must do, and what their responsibilities towards information security are
Authoring policy / COP - Critical success factors

All documentation must be:
• In a style suited to its purpose
• In a style suited to the culture of its audience
• Relevant
• Easy to read and accessible
• Reviewed regularly
Authoring policy / COP - Common pitfalls and problem areas

• It is more difficult to produce good, effective documentation than most people believe
• Re-inventing wheels - what already exists?
• Can be very time consuming
• Blank paper syndrome
• Poor proof reading
• Ineffective distribution
• Lack of version & change control
Authoring policy / COP - Strategies & deliverables

• Gather all existing related documents from within the organization
• Define the style before pen hits paper
• Buy in template versions to fill any gaps and modify them
• Get help - you cannot proof read your own work
• Define distribution methods suitable to the organization
• Adopt version & change control
Authoring policy / COP - Tools & products

• Existing documentation
• BS 7799
• Charles Cresson Wood
• Gee Publishing
• InfoSec Associates
• DIY
Issuing policy / COP
Issuing policy / COP - Objectives

To ensure all staff members have easy access to security documentation in a format that is easy to use and is acceptable to them
Issuing policy / COP - Critical success factors

Make sure that it:
• Is publicised (location, content, responsibilities)
• Is accessible
• Is easy to use
• Has functionality (search, index, bookmarking)
• Has regular, controlled updates
Avoid using a format that is:
• Something that you like but others don’t
• Difficult or expensive to update
• Inaccessible to portions of the target audience
Issuing policy / COP - Common pitfalls and problem areas
• Intranet
– CHM
– HTML
– PDF
• Hard copy
• Pentasafe
• Visflow
• Outsourced
– InfoSec Associates
Issuing policy / COP - Tools & products
• Ease of access
• Ease of update
• Multi-format from a single source
• Existing technology (no learning curve)
Issuing policy / COP - Feature checklist
Awareness & education
[Process diagram: Unacceptable Risk -> Organization -> Gap Analysis -> Risk Management -> Authoring Policy & COP -> Issuing Policy & COP -> Education]
To gain commitment to the principles and good practice associated with information security
Awareness & education - Objectives
Awareness & education - Critical success factors
Awareness must be:
• Aimed at changing attitudes, not merely the understanding of rules
• In a style suited to the organizational culture
• Directed by a clear statement of objectives
• Relevant to the audience
• Accessible
• Timely / On-going
Awareness fails if it is:
• Done as training instead of education
– WHY is more important than HOW
• Too time consuming
• Boring
• Irrelevant (even partially)
• Not supported from the top
Awareness & education - Common pitfalls and problem areas
Awareness & education - Tools & products
• Easy-I
• Mission Possible
• SMH
• Traditional teaching
– Outsourced
– InfoSec Associates
– Purchased materials
• Marketing products
• Match contents to your objectives
• Takes an appropriate time to complete
• Fully customisable in content and appearance
• Modular
– Relevant to specific audiences
• Accessible
– Multi-format
• Suited to organizational culture
• Fits the budget
• On-going education requirements
• NOT BORING
Awareness & education - Feature checklist
[Process diagram: Unacceptable Risk -> Organization -> Gap Analysis -> Risk Management -> Authoring Policy & COP -> Issuing Policy & COP -> Education -> Audit & Review]
Audit & review
Establish…
• Where we are now
• Is our strategy still relevant?
• How effective are our controls?
• Where do we need to make changes?
Audit and review - Objectives
• Regular and periodic
• Independent mandate
• Positive attitude – changes are positive!
• Whole organizational support
• Consistent approach
• Ensure changes are implemented
Audit and review - Critical success factors
Beware…
• Political and operational resistance
• Negative or defensive attitude
• Lack of “close out”
• Impractical observations
Audit and review - Common pitfalls and problem areas
• Achieve independence - Use external resource
• Collate information using audit tool
• Benchmark against industry best practice
• Prioritise against organizational objectives
• Work top down and bottom up
Audit and review - Strategies & deliverables
• Cobra
• RA Tool
• Proteus Plus
• Risk Limited
• In house tools
• Templated material
Audit and review - Tools & products
• Ease of Use
• Maximum use of existing data
• Identification of changes to assumptions
• Reporting
– Technical
– Managerial
• Audit Trail
• Benchmarking and progress reporting
Audit and review - Feature checklist
If you have got it right, you can remove most of the cost of not being secure
Maintenance costs? Think Forth bridge!
[Process diagram: Organization -> Gap Analysis -> Risk Management -> Authoring Policy & COP -> Issuing Policy & COP -> Education -> Audit & Review]
Organization
Gap analysis
Risk assessment / management
Authoring policy / COP
Issuing policy / COP
Awareness & education
Audit & review
The ten immutable laws of IT security according to Microsoft
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to upload programs to your web site, it's not your web site any more.
Law #5: Weak passwords trump strong security.
Law #6: A machine is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as the decryption key.
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.
Law #9: Absolute anonymity isn't practical, in real life or on the web.
Law #10: Technology is not a panacea.
www.Infosec-Associates.co.uk
www.FirstBase.co.uk
www.c-cure.org
www.bk-up.co.uk