Interactive Workshop on ISMS - sig-switzerland.ch
Kanton Basel-Stadt
Interactive Workshop on ISMS
Pascal Reiniger, Chief Information Security Officer, Kanton Basel-Stadt
Basel – Security Interest Group Switzerland 27.04.2017
Agenda
1. Intro
2. Workshop 1: Top Risks and Pain Points
3. What is “ISMS”?
4. Workshop 2: ISMS Maturity Levels
5. Building an ISMS Strategy
6. Workshop 3: Next Steps
27.04.2017 SIGS – ISMS Workshop | 2
ISO-RSM’s Goals for 2017
ISO = IT Steering and Organisation (across the canton BS)
RSM = Risk and Security Management
Goals 2017, e.g.:
1. Design and Implement ISMS at the Kanton BS
2. Redesign IT security processes
3. Implement Application Inventory
Cyber Risk
Definition of Cyber Risk:
It is not a specific IT risk, but a group of risks which have a significant impact and have not yet been in the focus of attention because, until now, they were unthinkable or technically not possible.
The security landscape has changed fundamentally because of the massive increase in technological connectivity.
Scope of ISMS and Cyber Security
Where do we start? What should we cover with the ISMS?
Paradigm Shift in IT Security
Attacks are getting technically more advanced, persistent and complex (multilayered). The threat is increasing continuously. APTs include, amongst others:
1. Social engineering aimed at individual employees (spear phishing), and
2. Internet of Things (IoT) devices used to find new backdoors into the network.
The New IT Security Paradigm:
► Prevention is not sufficient anymore (firewall, antivirus etc.).
► You have to assume that you have already been hacked successfully!
► Tools are needed to find and stop intruders.
► The protection must be centered around the data.
Vulnerabilities
http://techzoom.net/BugBounty/SecureSoftware
Blue: total number of known vulnerabilities. Red: known vulnerabilities of the top 10 most important IT providers (10 years).
Security vulnerabilities are increasing consistently. An ISMS is needed to manage, monitor and secure the systems, network and data.
Penetration Tests: Discovered Vulnerabilities
[Bar chart: vulnerabilities per host (scale 0 to 90) by sector: Services, Pharmaceutical industry, Tourism, Banking, Energy, Construction, Communication, Authorities, Industry, Insurance, Healthcare, Private, ISP, Science, IT, Agriculture]
125‘000 potential vulnerabilities (Source: first-security.com)
WORKSHOP 1: Top Risks and Pain Points
Threats and Problems (Where have you been under attack?)
Columns to fill in: Open / unknown | Real Pain Points | No Problemo
- Inefficient roles, responsibilities, processes
- Malware including ransomware
- Hacking, APTs, social engineering, phishing
- Denial of Service attacks (DoS/DDoS)
- Missing awareness
- Insider threat (data theft, sabotage)
- Missing information and/or monitoring
- Other
Best Practice?
Definitions of Cyber Security
Cyber Security according to Wikipedia: Cyber Security = Computer Security = IT Security
Cyber Security according to ISACA: The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.
Cyber Security according to ITgovernance.co.uk: Protection of systems, networks and data in the cyber space.
A holistic understanding is needed to protect against classical and newly emerging threats!
Lines of Defence under the new Paradigm
Prevention: Keep hackers and malware from entering the network.
Detection: Recognize intruders and their activities after a successful breach.
Reaction: Isolate systems and/or hardware and repair the aftermath of an incident.
Definitions of ISMS
Information Security Management System (Wikipedia): Framework of processes and regulations within an organization to ensure the long-term definition, monitoring, control and improvement of information security.
ISMS according to ISO 27002: An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure.
[Figure: the ISMS house, with "Build an ISMS" at its centre. Building blocks as labelled in the figure:]
- Laws, Regulations, Directives, International Agreements: e.g. data privacy laws, EU Data Security Directive etc.
- Strategies and Policies: IT Strategy, IT Governance, eGovernance etc.
- Risk Management
- Info.Sec. Architecture (network, firewalls etc.)
- IT Technological Implementation of Security Requirements in network, HW/SW/DB etc.
- Info.Security Audits by Data Privacy Officials, Internal Audit (Finanzkontrolle), Suppliers etc. AND CISO (pending)
- Info.Sec. Regulations and Concepts: Network Security Policy, eMail policy etc.
- Standard Processes: e.g. Change Management, Implementation of HW/SW etc. (Internal Control System!)
- Info.Sec. Standards (ISO 27001/2, COBIT, BSI, ITIL etc.)
- ISMS Tool to implement and manage the ISMS and produce Security Reporting
- Information Security Awareness
- Identity + Access Mgmt for central management of identities and authorizations
- Info.Sec. Processes and Forms: e.g. Risk Analysis, Application for exception etc.
WORKSHOP 2: ISMS Maturity Levels
ISMS Dimensions (columns to fill in: Open / unknown | In Focus | Completed with Tool)
- Policies and Regulations
- Roles, Responsibilities, Processes, Forms and (ISMS) Data Management
- Awareness
- Inventory, Monitoring, SIEM/IDS/IPS
- Risk Management
- Security Audits
- Security Reporting
- Other
Best Practice?
Building a Cyber Security and ISMS Strategy
1. Find out where you stand regarding cyber risks and, based on that, your need for cyber security and an ISMS (to protect against cyber risks).
2. Assess the status of your ISMS.
3. Build top management awareness, including reports that:
- Show the scale of actual attacks
- Show organizational readiness compared with a benchmark
- List approved and funded projects to improve the situation
- List remaining shortcomings
4. Get resources for in-depth analysis (time, people, funds).
5. Reach out to ISMS stakeholders, e.g. top management, internal audit, legal, data privacy, business development etc.
6. Define the targeted maturity level which you want to achieve for each ISMS dimension.
7. Prioritize and plan projects based on quick wins. Start small, show benefits and gain followers.
Evaluate Regulations, Standards, Concepts
IT Security Framework (Regulations)
Which parts of the IT security framework are missing regulations or are outdated? E.g.:
- Law, (supplier) contracts
- IT Strategy
- IT Security Strategy, IT Security Policy
- IT Security Baseline, IT Security Concepts
- IT User Regulations / Directives
Evaluate Business Alignment
Check standard IT services against individual business requirements. Align SLAs from the business with IT’s systems, organization, resources and processes.
Evaluate IT Security Architecture
[Figure: assessment items arranged along the axis Prevention, Detection, Reaction]
- Assessment of quality and usability of the «Border Patrol»: firewall, intrusion prevention system, email security, security zones etc.
- Backup and recovery functionalities: based on SLAs? Tested? Task force trained and on standby? Qualified deputies? etc.
- Antivirus and malware protection: state of the art? (sandboxing etc.)
- Inventory of hardware, systems and software
- Data classification and protection: holistic approach?
- SIEM (Security Information and Event Management): state of the art?
Evaluate Awareness
The increase in connectivity does improve organizations, but also makes them a lot more vulnerable. Humans are becoming a critical factor:
- Phishing attacks: about 60% of all e-mails are spam mails (Kaspersky Lab, Q1 2015 report)
- 50% of users open e-mails and click on phishing links (Verizon Study 2015)
- 95% of all security incidents involve humans (IBM 2014 Cyber Security Intelligence Index report)
Is there an information security awareness program?
How aware are your employees? Is this being tested?
Evaluate Staff
Benchmarks on IT security staff:
- 1 information security staff per 1000 users
- 3 - 5 information security staff per 100 IT staff
- 6 - 8.5 information security staff per 100 IT staff
- 1.5 - 2 information security staff per 100 IT staff
- 3 - 4 information security staff per 100 IT staff
- 1.75 information security staff per internal IT auditor
- 1 information security staff per 5000 networked devices
- 5% - 8% of overall IT budget allocated to information security
- 10% of overall IT budget allocated to information security
- 3% - 11% of overall IT budget allocated to information security
(Source: K. Aubuchon 2010, InfoSecIsland.com)
Evaluate Risk Management
(Flip-chart)
Integrate risk management in daily processes, e.g. exception requests, audit reports, change management, reporting etc. Share the information on a need-to-know basis.
Evaluate Audits
Who is doing what kinds of audits, based on what standards and mandate? What is the scope, where is the information, and can we use it for the ISMS?
Do we have an official mandate (law) to perform audits ourselves?
Do we have the required knowledge, experience, tools and budget to perform or outsource audits?
With whom should we coordinate audits and share results?
How can we use the data from the audit results for our risk management and security reporting?
Evaluate IT Security Reporting
Who do we need to report to? What do they want to see, and what are they able to understand?
What data is located where? Do we have it?
Can we use indisputable, objective, known data, e.g. number of change requests (normal, emergency, failed), security patches, systems with missing security updates, incidents, security projects, critical employees passing awareness training, results of phishing tests, results of audits (CISO, internal audit, suppliers, external security consultants) etc.?
How often should we report? How do we show actions for security gaps? Can we break down reporting and allocate parts?
[Figure: the ISMS house again, now with "BYO* ISMS" at its centre. Building blocks as labelled in the figure:]
- Laws, Regulations, Directives, International Agreements: e.g. data privacy laws, EU Data Security Directive etc.
- Strategies and Policies: IT Strategy, IT Governance, eGovernance etc.
- Risk Management
- Info.Sec. Architecture (network, firewalls etc.)
- IT Technological Implementation of Security Requirements in network, HW/SW/DB etc.
- Info.Security Audits by Data Privacy Officials, Internal Audit (Finanzkontrolle), Suppliers etc. AND CISO (pending)
- Info.Sec. Regulations and Concepts: Network Security Policy, eMail policy etc.
- Standard Processes: e.g. Change Management, Implementation of HW/SW etc. (Internal Control System!)
- Info.Sec. Standards (ISO 27001/2, COBIT, BSI, ITIL etc.)
- ISMS Tool to implement and manage the ISMS and produce Security Reporting
- Information Security Awareness
- Identity + Access Mgmt for central management of identities and authorizations
- Info.Sec. Processes and Forms: e.g. Risk Analysis, Application for exception etc.
* Build Your Own ISMS House
WORKSHOP 3: Next Steps / ISMS Needs
ISMS Dimensions (columns to fill in: Guidelines | References | Consulting | Adaptation | Experience Exchange | Tool)
- Policies and Regulations
- Roles, Responsibilities, Processes, Forms and (ISMS) Data Management
- Awareness
- Inventory, Monitoring, SIEM/IDS/IPS
- Risk Management
- Security Audits
- Security Reporting
- Other
SIGS ??? !
Thank you for your attention!
Questions?
Pascal Reiniger, Head of the Cantonal Information Security Office (CISO), Department of Finance, IT Steering and Organisation (ISO), Kanton Basel-Stadt
Appendix
Cyber Security: Improve Preventive Measures
- Update and complete policies and regulations
- Update firewall and malware protection to state of the art
- Upgrade the IT workforce (specialists, numbers, training etc.)
- Introduce a systematic security awareness program
- Analyse and plan improvements in your architecture (e.g. separated network zones, data classification and holistic protection (cradle to grave) etc.)
Prepare for discussions on costs. Focus on functionality! Move discussions away from probability to damage!
Cyber Security: Improve Detection Capabilities
- List current protocols and whether/what is monitored
- Identify and integrate critical information
- Evaluate modern, state-of-the-art detection tools (artificial intelligence and automated)
- Implement a systematic and regular process to check and update users and their authorizations
- Systematic and regular vulnerability scans and penetration tests
Choose smart benchmarks (people + costs). Choose automated monitoring to free resources.
Cyber Security: Improve Reaction Capabilities
- Check and update your SLAs based on a risk assessment
- Audit your backup and recovery possibilities
- Regularly test your business continuity plans and recovery processes
- Make a long-term audit plan and coordinate across audit functions
Let the data owner decide based on the price tag. If it is not tested, it doesn’t work.