ISMS Certification Scope: The First Step First for your ISMS Certification (CSM-ACE 2010)


The First Step First for your

ISMS Certification

Presented by :

Engr. A. Fattah Yatim

CSM-ACE 2010


Teknimuda (M) Sdn Bhd, CSM-ACE 2010

Outline

• What is the first step?

• Information Security coverage

• How do we decide the scope

• Interfaces with service providers

• Example ISMS Scope statements

• Malaysian National Cyber Security Policy

• Information search and news trends

• Closing Remarks


Is my organisation vulnerable?

• Hacked Kaspersky Download Site Directs Users to Fake Antivirus

2010-10-19

Kaspersky Lab now admits that people attempting to buy Kaspersky's security products on Oct. 17 were redirected by hackers to a scareware site with links to fake antivirus software called Security Tool.

Hackers have caused serious embarrassment for a major security technology company. Kaspersky Lab's Website was hacked over the weekend, sending customers looking for security software to an external download page pushing counterfeit software.

When users tried to download software from Kaspersky on Oct. 17, they were redirected to a malware site that tricked users into downloading fake antivirus software called Security Tool. Once executed, Security Tool displays pop-ups reporting a number of vulnerabilities and threats "found" to scare users into buying what it says is a full version in order to fix these problems.

Source : http://www.eweek.com/c/a/Security/Kasperskys-Download-Site-Hacked-Directs-Users-to-Fake-AntiVirus-336193/?kc=EWKNLNAV10212010STR2

• Lesson reminder – Information security management is not about eliminating incidents completely. It is about managing the implementation of measures that prevent incidents, and the corrective or remedial actions needed to recover from incidents if they do occur.


What is the first step?

• Which direction should I take?

• Which signal should I obey?


First Steps to ISMS Implementation?

• Depending on the organisation's situation, the first step can mean one or more of the following:

– Getting management buy-in and commitment

– Securing a budget for ISMS implementation

– Assembling a team to implement the ISMS

– Hiring a consultant to advise on ISMS implementation

– Sending staff for ISMS Lead Auditor and Lead Implementer training

– Defining the scope

– Engaging experts to perform a security posture assessment

– Others

• This presentation focuses on ‘Defining the scope or boundary for ISMS implementation and certification’.


Information Security Coverage

• ISMS covers protection of information (confidentiality, integrity, availability) that exists in:

– Digital or electronic form (computers, PDAs, disk storage, emails, SMS etc.) or

– Non-digital form (paper, verbal communication etc)

• Information protected may be:

– Readily understandable to people – reports, emails, SMS etc., or

– Not easily understandable to people – data flows between equipment e.g. process control systems, SCADA etc.

• ICT security is part of information security, but not the only element covered under ISMS.


How Do We Decide The Scope – Stakeholder Expectations

• Expectation Angles That May Influence Scope Boundary

– Board of Directors – Focus on governance, profitability and continuity of business??

– Senior Management – Wants good corporate image??

– Crisis Manager – Wants everything to be secure??

– ICT Manager – Wants data centre and network to be secure??

– Shareholders – Want good return from investment ??

– Customers – Want good and affordable quality service??

– Employees – Want job satisfaction??

– Regulators – Want to ensure that the entity meets its regulatory requirements to deliver its services??

Note: the ?? above connotes possible views of the various stakeholders and in no way implies that these are the common or absolute views of the different stakeholders. The intent is to illustrate the difficulty of deciding the scope when stakeholders' expectations and demands differ and resources are limited.


How Do We Decide The Scope – Approaches to Implementation

• There are various approaches to ISMS implementation

a. Whole organisation included in the scope - can be costly depending on organisation type and size.

b. Pilot implementation with a ‘manageable’ scope first right through certification, followed by phased implementation in other key parts of the organisation

c. Implement for one critical service followed by the next critical service and so on. Ideal when there is little dependency between services.

d. Other variations to the above

• General guide – implement the ISMS with a scope that, even if initially limited, will eventually be expanded or revised to cover the critical services that characterise the organisation.


Interfaces with service providers

• Where a service required within the ISMS scope is partially outsourced, or can only be provided by a third party (e.g. communications network services), an interface with the party covering that area is necessary, usually in the form of a Service Level Agreement (SLA).

• If services are outsourced to several different parties, more SLAs will have to be managed.

– For example, if you outsource the maintenance of your data centre auxiliary services (UPS, standby generator, air-conditioning, humidity control, access control systems, heat detection, CCTV etc.) then you need SLAs with the outsourced party or parties.

• Think about which services you want to outsource and how you want to manage the outsourced services: one SLA with one party, or several SLAs with different parties.


Malaysian National Cyber Security Policy - Vision

• Approved by Cabinet in 2006. Policy summary available from following websites:

– Ministry of Science, Technology and Innovation (MOSTI) -www.mosti.gov.my

– National IT Council - www.nitc.my

• National Cyber Security Vision

“Malaysia’s Critical National Information Infrastructure will be secure, resilient and self-reliant. Infused with a culture of security, it will promote stability, social well being and wealth creation.”


Malaysian National Cyber Security Policy – Sectors Covered

• The National Cyber Security Policy seeks to address the risks to the Critical National Information Infrastructure (CNII) which comprises the networked information systems of ten critical sectors.

• The CNII sectors are:

– National Defence and Security

– Banking and Finance

– Information and Communications

– Energy

– Transportation

– Water

– Health Services

– Government

– Emergency services

– Food and Agriculture


CNII Entities Definition

CNII: Critical National Information Infrastructure (CNII) is defined as those assets (real and virtual), systems and functions that are so vital to the nation that their incapacity or destruction would have a devastating impact on:

a) National economic strength - Confidence that the nation's key growth area can successfully compete in the global market while maintaining favourable standards of living.

b) National image - Projection of the national image towards enhancing stature and sphere of influence.

c) National defense and security - Guarantee sovereignty and independence whilst maintaining internal security.

d) Government capability to function - Maintain order to perform and deliver minimum essential public services.

e) Public health and safety - Delivering and managing optimal health care to the citizen.

The CNII entities are those that depend on information assets or information systems for the delivery of their Critical Services or Products to the nation.

Source : National IT Council Portal - http://www.nitc.org.my/index.cfm?&menuid=60


Malaysian National Cyber Security Policy – Cabinet Directive

• Malaysian Cabinet directive (February 2010), intent summary:

– CNII entities must be ISMS certified within three years

– CNII entities must ensure the certification scope covers the information security management in the operating areas that deliver their critical services and products to the nation (national economy and public)

– Implementation of ISMS to be coordinated/enforced by the regulatory bodies governing the sectors (MCMC, Energy Commission, SPAN, BNM, Securities Commission, DCA etc.)


Malaysian National Cyber Security Policy – Cabinet Directive

• What does the ISMS directive for CNII mean?

– For delivery of utilities, ensure that the quality and supply of utilities (water, electricity, gas, communications network) are properly managed by ensuring that the ICT systems used in managing their production and delivery are secure

– For services, ensure that the services (banking, securities, government services etc.) are delivered securely

– The scope of certification must cover the end-to-end service and not the data centre and communications network only. It should cover the complete elements of People, Process and Technology that are involved in the secure delivery of services.


Actual ISMS Scope Statements for CNII entities – Other Countries

Organization (Country) – Organization's ISMS Scope

• National Immigration Agency (Taiwan) – The Information Security Management System for Managing the National Immigration Information System (Entry and Exit Application Processing and Permit Issuing System, Airport and Seaport Document Inspection System and Digitalized Documentation System) and Operations for related Offices and Server Rooms Located in Taipei Headquarters, Taoyuan and Kaohsiung Airports

• National Internet Development Agency of Korea (Korea) – The information security management system for .kr domain name service operation and management provided by Internet Address Resources Management Centre. This is in accordance with the SOA 2.0

• National ITMX Company Limited (Thailand) – Interbank Transaction Management and Exchange Services: Bulk Payment Systems; Single Payment Systems; Back Office Systems

• Capgemini UK Plc (UK) – The information security management of IT infrastructure for sensitive UK Government accounts. This covers the services by Outsourcing UK provided to these accounts as laid out below: Service management framework; Desktop & distributed services; Data centre services; Application management; Network management. The accounts covered by the scope of this Information Security Management System are: MOD DECS; Metropolitan Police Service (MPS). This is in accordance with version v2.0 of the Statement of Applicability dated 8th August 2008.

• ACM Advanced Currency Markets SA (Switzerland) – Financial operations, currency trading, foreign exchange market on-line.

• NTT Communications Corporation (Global Business Division) (Japan) – To provide high value-added and high-quality managed network services with the global IP network as a base, and total solution services by packaging global products. Statement of Applicability, issued on 13/Apr/2009 Version 1.2

• PGE Elektrownia Turów S.A. (Poland) – Electric power and heat energy production, in accordance with the latest version of the Statement of Applicability

ISMS Scope statements can be found in http://www.iso27001certificates.com/Taxonomy/ScopeResults.asp


Examples of (Possible) ISMS Scopes - Malaysia

No. – Scope statement (example) – Entities (examples)

1. ISMS covers the management, operation and maintenance of the information assets and information systems and the associated processes that enable the processing of passport applications, work permit applications, visa applications and immigration control at the country's entry and exit points. – Jabatan Imigresen Malaysia

2. ISMS covers the management, operation and maintenance of the information assets and information systems that enable the management and tracking of container and cargo movements from ship to shore and vice versa, including storage of containers and cargo. – Port of Tanjung Pelepas, Westport, Northport

3. ISMS covers the management, operation and maintenance of the Total Airport Management System (TAMS) that manages the whole airport operations in KLIA. This includes plane logistics, passenger handling, baggage handling and security. – KLIA


Information Search and News Trends – Information Security


Information Search and News Trends – Infrastructure Protection


Substance vs Form in ISMS

Form: We have a set of policy and procedures.
Substance: All employees are made aware of and adhere to policy and procedures, and provide appropriate feedback on the effectiveness or otherwise of procedures.

Form: All our systems generate audit trails.
Substance: Audit trails are reviewed every two months and remedial action is taken to prevent security anomalies in the long term.

Form: We have a log book to record visitors entering the data centre and restricted areas.
Substance: We review the log book at random to determine the pattern of physical access needs and plan for measures to minimise the need for physical access except when absolutely necessary.

ISMS implementation must reflect true Substance rather than just Form (Appearance).


Substance vs Form in ISMS (contd)

Form: We have a helpdesk to address and resolve incidents.
Substance: All helpdesk staff are adequately trained to ask the right questions and are able to resolve 70% of problems via email or over the phone. Patterns of incident reports are analysed to plan for long-term preventive measures.

Form: We have a business continuity plan.
Substance: Our BCP is tested twice a year and lessons learnt are factored in to improve the BCP.

Form: We have an asset register.
Substance: Our asset register is periodically reviewed to determine if the classification of assets is current and whether the security measures for such assets need revision.

ISMS implementation must reflect true Substance rather than just Form (Appearance).


Substance vs Form in ISMS (contd)

Form: We allocate 5% of our operating budget to security.
Substance: We ensure that adequate budget is allocated to meet security objectives, balancing risks, costs and service delivery.

Form: We are ISMS certified.
Substance: Our ISMS certification scope covers the key elements of our operations that deliver the end-to-end services which reflect the purpose or function of the organisation.

ISMS implementation must reflect true Substance rather than just Form (Appearance).


Closing Remarks

• With limited resources, ensure that these resources are well spent to implement ISMS covering the most appropriate scope meaningful to the organisation

• Outsourced services will require SLAs – a manageable balance must be maintained to ensure effective overall ISMS implementation and certification

• Critical infrastructure providers must at least ensure that the ISMS scope covers the people, process and technologies that deliver their critical services to the nation

• Implement ISMS in true substance and not merely in form.


Thank You.

My contact :

Engr. Abdul Fattah Yatim

[email protected]

6019-3206636

Teknimuda (M) Sdn Bhd

Suite E-10-5, Megan Avenue 1,

189 Jalan Tun Razak

50400 Kuala Lumpur

Phone 603-21668105,

Fax 603-21620636


THANK YOU

Questions ?