The First Step First for your
ISMS Certification
Presented by :
Engr. A. Fattah Yatim
CSM-ACE 2010
Teknimuda (M) Sdn Bhd, CSM-ACE 2010
Outline
• What is the first step?
• Information Security coverage
• How do we decide the scope
• Interfaces with service providers
• Example ISMS Scope statements
• Malaysian National Cyber Security Policy
• Information search and news trends
• Closing Remarks
Is my organisation vulnerable?
• Hacked Kaspersky Download Site Directs Users to Fake Antivirus (2010-10-19)
Kaspersky Lab now admits that people attempting to buy Kaspersky's security products on Oct. 17 were redirected by hackers to a scareware site with links to fake antivirus software called Security Tool.
Hackers have caused serious embarrassment for a major security technology company. KasperskyLab's Website was hacked over the weekend, sending customers looking for security software to an external download page pushing counterfeit software.
When users tried to download software from Kaspersky on Oct. 17, they were redirected to a malware site that tricked users into downloading fake antivirus software called Security Tool. Once executed, Security Tool displays pop-ups reporting a number of vulnerabilities and threats "found" to scare users into buying what it says is a full version in order to fix these problems.
Source : http://www.eweek.com/c/a/Security/Kasperskys-Download-Site-Hacked-Directs-Users-to-Fake-AntiVirus-336193/?kc=EWKNLNAV10212010STR2
• Lesson reminder: Information security management is not about eliminating incidents completely. It is about managing the implementation of measures to prevent incidents, and the corrective or remedial actions needed to recover from incidents if they do occur.
What is the first step?
• Which direction should I take?
• Which signal should I obey?
First Steps to ISMS Implementation?
• Depending on the specific situation, the first step can mean one or more of the following to different organisations:
– Getting management buy-in and commitment
– Securing a budget for ISMS implementation
– Assembling a team to implement the ISMS
– Hiring a consultant to advise on ISMS implementation
– Sending staff for ISMS Lead Auditor and Lead Implementer training
– Defining the scope
– Engaging experts to perform a security posture assessment
– Others
• This presentation focuses on ‘Defining the scope or boundary for ISMS implementation and certification’.
Information Security Coverage
• ISMS covers protection of information (confidentiality, integrity, availability) that exists in:
– Digital or electronic form (computers, PDAs, disk storage, emails, SMS etc.) or
– Non-digital form (paper, verbal communication etc.)
• Information protected may be:
– Readily understandable to people: reports, emails, SMS etc., or
– Not easily understandable to people: data flows between equipment, e.g. process control systems, SCADA etc.
• ICT security is part of information security, but not the only element covered under ISMS.
How Do We Decide The Scope – Stakeholder Expectations
• Expectation Angles That May Influence Scope Boundary
– Board of Directors – Focus on governance, profitability and continuity of business??
– Senior Management – Wants good corporate image??
– Crisis Manager – Wants everything to be secure??
– ICT Manager – Wants data centre and network to be secure??
– Shareholders – Want good return from investment ??
– Customers – Want good and affordable quality service??
– Employees – Want job satisfaction??
– Regulators – Want to ensure that the entity meets its regulatory requirements to deliver its services??
Note: the ?? above connote possible views of the various stakeholders and in no way imply that these views are the common or absolute views of the different stakeholders. The intent is to illustrate the difficulty of deciding the scope when stakeholders have different expectations and demands but resources are limited.
How Do We Decide The Scope – Approaches to Implementation
• There are various approaches to ISMS implementation
a. Whole organisation included in the scope - can be costly depending on organisation type and size.
b. Pilot implementation with a ‘manageable’ scope first right through certification, followed by phased implementation in other key parts of the organisation
c. Implement for one critical service followed by the next critical service and so on. Ideal when there is little dependency between services.
d. Other variations to the above
• General guide – implement ISMS with the scope that, if initially limited, will eventually be expanded or revised to cover the critical services characteristic of the organisation.
Interfaces with service providers
• Where services required within an ISMS scope are partially outsourced, or can only be provided by a third party (e.g. communications network services), interfaces with the parties covering those areas are necessary, usually in the form of Service Level Agreements (SLAs).
• If services are outsourced to several different parties, more SLAs will have to be managed.
– For example, if you outsource the maintenance of your data centre auxiliary services (UPS, standby generator, air-conditioning, humidity control, access control systems, heat detection, CCTV etc.), then you need SLAs with the outsourced party or parties.
• Think about the services you want to outsource and how you want to manage the outsourced services: one SLA with one party, or several SLAs with different parties.
Malaysian National Cyber Security Policy - Vision
• Approved by Cabinet in 2006. Policy summary available from following websites:
– Ministry of Science, Technology and Innovation (MOSTI) - www.mosti.gov.my
– National IT Council - www.nitc.my
• National Cyber Security Vision
“Malaysia’s Critical National Information Infrastructure will be secure, resilient and self-reliant. Infused with a culture of security, it will promote stability, social well being and wealth creation.”
Malaysian National Cyber Security Policy – Sectors Covered
• The National Cyber Security Policy seeks to address the risks to the Critical National Information Infrastructure (CNII) which comprises the networked information systems of ten critical sectors.
• The CNII sectors are:
– National Defence and Security
– Banking and Finance
– Information and Communications
– Energy
– Transportation
– Water
– Health Services
– Government
– Emergency services
– Food and Agriculture
CNII Entities Definition
CNII: Critical National Information Infrastructure (CNII) is defined as those assets (real and virtual), systems and functions that are so vital to the nation that their incapacity or destruction would have a devastating impact on:
a) National economic strength - Confidence that the nation's key growth area can successfully compete in the global market while maintaining favourable standards of living.
b) National image - Projection of the national image towards enhancing stature and sphere of influence.
c) National defense and security - Guarantee sovereignty and independence whilst maintaining internal security.
d) Government capability to function - Maintain order to perform and deliver minimum essential public services.
e) Public health and safety - Delivering and managing optimal health care to the citizen.
The CNII entities are those that depend on information assets or information systems for the delivery of their Critical Services or Products to the nation.
Source : National IT Council Portal - http://www.nitc.org.my/index.cfm?&menuid=60
Malaysian National Cyber Security Policy – Cabinet Directive
• Malaysian Cabinet directive (February 2010) intent summary:
– CNII entities must be ISMS certified within three years
– CNII entities must ensure the certification scope covers the information security management in the operating areas that deliver their critical services and products to the nation (national economy and public)
– Implementation of ISMS to be coordinated/enforced by the Regulatory Bodies governing the sectors (MCMC, Energy Commission, SPAN, BNM, Securities Commission, DCA etc.)
Malaysian National Cyber Security Policy – Cabinet Directive
• What does the ISMS directive for CNII mean?
– For delivery of utilities, ensure that the quality and supply of utilities (water, electricity, gas, communications network) are properly managed by ensuring that the ICT systems used in managing their production and delivery are secure
– For services, ensure that the services (banking, securities, government services etc.) are delivered securely
– The scope of certification must cover the end-to-end service and not the data centre and communications network only. It should cover the complete elements of People, Process and Technology that are involved in the secure delivery of services.
Actual ISMS Scope Statements for CNII entities – Other Countries
Organization (Country): Organization's ISMS Scope
• National Immigration Agency (Taiwan): The Information Security Management System for Managing the National Immigration Information System (Entry and Exit Application Processing and Permit Issuing System, Airport and Seaport Document Inspection System and Digitalized Documentation System) and Operations for related Offices and Server Rooms Located in Taipei Headquarters, Taoyuan and Kaohsiung Airports
• National Internet Development Agency of Korea (Korea): The information security management system for .kr domain name service operation and management provided by Internet Address Resources Management Centre. This is in accordance with the SOA 2.0
• National ITMX Company Limited (Thailand): Interbank Transaction Management and Exchange Services: Bulk Payment Systems; Single Payment Systems; Back Office Systems
• Capgemini UK Plc (UK): The information security management of IT infrastructure for sensitive UK Government accounts. This covers the services by Outsourcing UK provided to these accounts as laid out below: Service management framework; Desktop & distributed services; Data centre services; Application management; Network management. The accounts covered by the scope of this Information Security Management System are: MOD DECS; Metropolitan Police Service (MPS). This is in accordance with version v2.0 of the Statement of Applicability dated 8th August 2008.
• ACM Advanced Currency Markets SA (Switzerland): Financial operations, currency trading, foreign exchange market on-line.
• NTT Communications Corporation (Global Business Division) (Japan): To provide high value-added and high-quality managed network services with the global IP network as a base, and total solution services by packaging global products. Statement of Applicability, issued on 13/Apr/2009 Version 1.2
• PGE Elektrownia Turów S.A. (Poland): Electric power and heat energy production, in accordance with the latest version of the Statement of Applicability
ISMS Scope statements can be found in http://www.iso27001certificates.com/Taxonomy/ScopeResults.asp
Examples of (Possible) ISMS Scopes - Malaysia
No. / Scope Statement (Example) / Entities (Examples)
1. ISMS covers the management, operation and maintenance of the information assets and information systems and the associated processes that enable the processing of passport applications, work permit applications, visa applications and immigration control at the country’s entry and exit points. Entities: Jabatan Imigresen Malaysia
2. ISMS covers the management, operation and maintenance of the information assets and information systems that enable the management and tracking of container and cargo movements from ship to shore and vice versa, including storage of containers and cargo. Entities: Port of Tanjung Pelepas, Westport, Northport
3. ISMS covers the management, operation and maintenance of the Total Airport Management System (TAMS) that manages the whole airport operations in KLIA. This includes plane logistics, passenger handling, baggage handling and security. Entities: KLIA
Information Search and News Trends – Information Security
Information Search and News Trends – Infrastructure Protection
Substance vs Form in ISMS
Form: We have a set of policy and procedures.
Substance: All employees are made aware and adhere to policy and procedures and provide appropriate feedback on the effectiveness or otherwise of procedures.
Form: All our systems generate audit trails.
Substance: Audit trails are reviewed every two months and remedial action is taken to prevent security anomalies in the long term.
Form: We have a log book to record visitors entering the data centre and restricted areas.
Substance: We review the log book at random to determine the pattern of physical access needs and plan for measures to minimise the need for physical access except when absolutely necessary.
ISMS implementation must reflect true Substance rather than just Form (Appearance).
Substance vs Form in ISMS (contd)
Form: We have a helpdesk to address and resolve incidents.
Substance: All helpdesk staff are adequately trained to ask the right questions and are able to resolve 70% of problems via email or over the phone. Patterns of incident reports are analysed to plan for long term preventive measures.
Form: We have a business continuity plan.
Substance: Our BCP is tested twice a year and lessons learnt are factored in to improve the BCP.
Form: We have an asset register.
Substance: Our asset register is periodically reviewed to determine if the classification of assets is current and whether the security measures for such assets need revision.
ISMS implementation must reflect true Substance rather than just Form (Appearance).
Substance vs Form in ISMS (contd)
Form: We allocate 5% of our operating budget to security.
Substance: We ensure that adequate budget is allocated to meet security objectives, balancing risks, costs and service delivery.
Form: We are ISMS certified.
Substance: Our ISMS certification scope covers the key elements of our operations that deliver the end-to-end services which reflect the purpose or function of the organisation.
ISMS implementation must reflect true Substance rather than just Form (Appearance).
Closing Remarks
• With limited resources, ensure that these resources are well spent to implement ISMS covering the most appropriate scope meaningful to the organisation
• Outsourced services will require SLAs – a manageable balance must be maintained to ensure effective overall ISMS implementation and certification
• Critical infrastructure providers must at least ensure that the ISMS scope covers the people, process and technologies that deliver their critical services to the nation
• Implement ISMS in true substance and not merely in form.
Thank You.
My contact :
Engr. Abdul Fattah Yatim
6019-3206636
Teknimuda (M) Sdn Bhd
Suite E-10-5, Megan Avenue 1,
189 Jalan Tun Razak
50400 Kuala Lumpur
Phone 603-21668105,
Fax 603-21620636
THANK YOU
Questions?