1. Popular pitfalls in ISMS Compliance: A Certifying Body's perspective
2. Contents
3. Standard Evolution
- 1995: Initiative from the Department of Trade and Industry; BS 7799 Part 1
- 1998: BS 7799 Part 2
- 1999: New issue of BS 7799 Part 1 & 2
- 2000: ISO/IEC 17799:2000
- 2001: BS 7799-2:2002 (drafted)
- Sep 2002: BS 7799-2:2002 passed and accepted
- Jun 2005: ISO 17799:2005
- Oct 2005: ISO/IEC 27001:2005
4. Standard Organization
- The standard is organized as Domains, each containing Control Objectives, each met by Controls
5. Standard Organization
- Main body clauses of ISO/IEC 27001:2005:
  - 4 Information Security Management System
  - 5 Management Responsibility
  - 6 Internal ISMS Audits
  - 7 Management review of the ISMS
  - 8 ISMS improvement
- Annex A control domains:
  - A.5 Information Security Policy
  - A.6 Organization of Information Security
  - A.7 Asset Management
  - A.8 Human Resources Security
  - A.9 Physical and Environmental Security
  - A.10 Communications and Operations Management
  - A.11 Access Control
  - A.12 Information Systems Acquisition, Development and Maintenance
  - A.13 Information Security Incident Management
  - A.14 Business Continuity Management
  - A.15 Compliance
6. Standard Organization (contd.)
- The eleven Annex A domains (Security policy; Organization of Information Security; Asset Management; Human Resources Security; Physical and Environmental security; Communications and operations management; Access control; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance) all serve the three properties of information: Confidentiality, Integrity, Availability
7. Future of the standard: the ISO/IEC 27000 series
- ISO/IEC 27000: Vocabulary and definitions
- ISO/IEC 27001: Specification
- ISO/IEC 27002: Code of Practice (ISO 17799:2005)
- ISO/IEC 27003: Implementation Guidance
- ISO/IEC 27004: Metrics and Measurement
- ISO/IEC 27005: Risk Management (BS 7799-3)
8. What is an implementation issue?
- The standard directly demands something and the organization has not complied with it
- The standard has been misinterpreted
9. Implementation Issues - Scope
- Scope is very hazy and does not include all the assets and technology
- A good example of an ISMS scope:
  - The ISMS scope covers all critical systems, applications, networks, telecommunication links, human resources, and information assets. The scope also includes business operations, administrative functions, customer information, buildings, equipment, tools and utilities used in the execution of the business of the organization at site A and site B.
10. Implementation Issues - Policy
- Policy is not visible in the organization
- Policy is not spread across the organization
- Policy does not help in arriving at security objectives
- Many other policies are not defined
  - e.g. Clear Desk Clear Screen policy
  - Mobile computing policy, Teleworking policy
11. Implementation Issues - Risk Assessment
- Risk assessment is not systematic
- Risk assessment is kicked off with a false sense of comfort from existing controls
- Some core assets are not identified
  - e.g. design documents in an IT organization
- Arriving at the acceptable risk level is not scientific
- The assessment projects a no-residual-risk scenario
12. Implementation Issues - SoA Preparation
- Only exclusions are justified; inclusions should also be justified
- Bi-directional tracing, from risks to controls and from controls back to risks, is absent
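As an added example (not code from the presentation), the following script performs the bi-directional tracing check an auditor would apply to a risk register and a Statement of Applicability: every risk must trace to at least one control, every included control must trace back to at least one risk, and both inclusions and exclusions must carry a justification. The record layout, the sample register and SoA, and the use of ISO/IEC 27001:2005 Annex A control numbers such as A.11.2.2 are assumptions made for the illustration.

```python
"""Added example: bidirectional tracing between a risk register and an SoA.
Not code from the original presentation. The record layout is assumed; the
register and SoA data are constructed for illustration, and the control ids
follow ISO/IEC 27001:2005 Annex A numbering (assumed for the example)."""
from dataclasses import dataclass


@dataclass
class SoAEntry:
    control: str        # Annex A control id, e.g. "A.11.2.2"
    applicable: bool    # True = included in the ISMS, False = excluded
    justification: str = ""  # the auditor expects this for BOTH cases


@dataclass
class Risk:
    risk_id: str
    description: str
    controls: list      # control ids selected to treat this risk


def check_tracing(risks, soa):
    """Trace risks -> controls and controls -> risks.

    Returns a dict of findings; an SoA that traces cleanly in both
    directions has every list empty.
    """
    soa_by_id = {e.control: e for e in soa}
    findings = {
        # inclusions AND exclusions with no stated reason
        "unjustified": sorted(e.control for e in soa
                              if not e.justification.strip()),
        "risks_without_controls": [],   # forward tracing gap
        "controls_without_risks": [],   # backward tracing gap
        "risks_citing_excluded": [],    # register and SoA contradict
        "risks_citing_unknown": [],     # control id missing from the SoA
    }
    referenced = set()
    for r in risks:
        if not r.controls:
            findings["risks_without_controls"].append(r.risk_id)
        for c in r.controls:
            referenced.add(c)
            entry = soa_by_id.get(c)
            if entry is None:
                findings["risks_citing_unknown"].append((r.risk_id, c))
            elif not entry.applicable:
                findings["risks_citing_excluded"].append((r.risk_id, c))
    findings["controls_without_risks"] = sorted(
        e.control for e in soa
        if e.applicable and e.control not in referenced)
    return findings


def traces_cleanly(findings):
    """True only when no tracing gap or contradiction was found."""
    return not any(findings.values())


# Constructed sample data (not a real organization's register or SoA).
SOA = [
    SoAEntry("A.11.2.1", True, "All staff need accounts on the ERP and file servers"),
    SoAEntry("A.11.2.2", True),                       # included, but unjustified
    SoAEntry("A.9.2.7", True, "Sales laptops carry customer data off-site"),
    SoAEntry("A.10.10.6", False),                     # excluded, but unjustified
    SoAEntry("A.10.7.2", False, "No removable media is used at site A or site B"),
]

RISKS = [
    Risk("R1", "Leavers retain ERP access", ["A.11.2.1", "A.11.2.2"]),
    Risk("R2", "Log timestamps cannot be correlated across servers", ["A.10.10.6"]),
    Risk("R3", "Design documents copied to personal CDs", []),
    Risk("R4", "Visitors tailgate through the main door", ["A.9.1.2"]),
]

if __name__ == "__main__":
    for name, items in check_tracing(RISKS, SOA).items():
        print(f"{name}: {items}")
```

Running it on the constructed data surfaces each pitfall from the slide: an inclusion and an exclusion with no justification, a risk (R3) with no treating control, an included control (A.9.2.7) that no risk justifies, a risk (R2) that relies on a control the SoA excludes, and a risk (R4) citing a control the SoA does not list at all.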
13. Implementation Issues - Monitoring
- Information security review is very weak
- Obsolete risks are not removed from the risk register
- New risks are not fully added
14. Implementation Issues - Internal Audit
- The CISO and team are predominantly the only auditees
- Sampling of other asset owners is rare
- Absence of qualified internal auditors
15. Implementation Issues - Management Review
- Not all review inputs required by the standard are addressed
- Management appreciation of security issues is very low
16. Implementation Issues - Improvement
- Corrective action (CA) is more prevalent than preventive action (PA)
- Analysis of incidents / non-compliances is weak
17. Implementation Issues - External Parties
- Third-party agreements do not stress security requirements
- Third-party vendor personnel are not conspicuously identified within the facility
18. Implementation Issues - Asset Management
- Owners of server-based software are identified but not their custodians
- Only critical IT assets are identified
- Some core assets are not properly identified
19. Implementation Issues - HR Security
- Removal of access rights on exit is weak
- Awareness of social engineering is very low
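The first point is one a certifying auditor checks by reconciling the HR list of leavers against the account exports of each system. As an added example (not part of the presentation), the script below does that reconciliation and flags enabled accounts that outlived the last working day, logins that occurred after it, and accounts with no owner at all. The CSV column names and the sample records are constructed assumptions.

```python
"""Added example: reconcile HR leavers against account exports to find
access rights that were not removed. Not from the original presentation;
the CSV columns are assumed and the records below are constructed."""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed HR separation list (assumed columns).
HR_LEAVERS = """employee_id,name,last_working_day
E100,A. Kumar,2006-03-31
E101,B. Rao,2006-04-14
E102,C. Iyer,2006-04-28
"""

# Constructed account exports from three systems, merged (assumed columns).
# employee_id is blank for accounts nobody has mapped to a person.
ACCOUNTS = """system,account,employee_id,enabled,last_login
AD,akumar,E100,true,2006-04-05
ERP,akumar,E100,false,2006-03-30
VPN,brao,E101,true,2006-04-20
AD,brao,E101,false,2006-04-14
AD,ciyer,E102,true,2006-04-27
ERP,svc_backup,,true,2006-04-30
AD,dnair,E103,true,2006-04-29
"""


def _rows(text):
    return list(csv.DictReader(StringIO(text)))


def reconcile_leavers(hr_csv, accounts_csv, as_of, grace_days=0):
    """Return three lists of findings:

    stale              enabled accounts of leavers past last day + grace
    used_after_leaving accounts that logged in after the last working day,
                       whether or not they have since been disabled
    orphans            enabled accounts with no employee_id (no one owns
                       them, so nobody will ever ask for their removal)
    """
    leavers = {r["employee_id"]: date.fromisoformat(r["last_working_day"])
               for r in _rows(hr_csv)}
    findings = {"stale": [], "used_after_leaving": [], "orphans": []}
    for a in _rows(accounts_csv):
        enabled = a["enabled"].strip().lower() == "true"
        emp = a["employee_id"].strip()
        if not emp:
            if enabled:
                findings["orphans"].append((a["system"], a["account"]))
            continue
        if emp not in leavers:
            continue                      # current employee, nothing to check
        last_day = leavers[emp]
        key = (a["system"], a["account"], emp)
        if enabled and as_of > last_day + timedelta(days=grace_days):
            findings["stale"].append(key)
        if date.fromisoformat(a["last_login"]) > last_day:
            findings["used_after_leaving"].append(key)
    return findings


def run_example(grace_days=1):
    """Reconcile the constructed data as of 2 May 2006."""
    return reconcile_leavers(HR_LEAVERS, ACCOUNTS, date(2006, 5, 2), grace_days)


if __name__ == "__main__":
    for name, items in run_example().items():
        print(f"{name}: {items}")
```

The "used after leaving" list is the one to show management: an account that was eventually disabled but was logged into after the leaver's last day is evidence that the removal process is slow, not merely incomplete. The grace period parameter lets the check match whatever removal deadline the organization's own policy states.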
20. Implementation Issues - Physical and Environmental Security
- Network cables run outside the security perimeter
- No controls on piggy-backing (tailgating) through access-controlled doors
- Structured cabling is absent
- Security of equipment off-premises is very weak
- Movement of media, e.g. CDs, is not controlled
21. Implementation Issues - Communications and Operations Management
- Disposal of media is very weak
- Safety of media in transit is not properly addressed
- Logs are not reviewed periodically
- Clock synchronization is not done
22. Implementation Issues - Access Control
- Privilege management is weak
- Printouts are left uncollected on printers
- Clear desk clear screen policy is the most violated
- Unabated installation of freeware, shareware etc.
- Laptops do not have updated virus signatures
23. Implementation Issues - IS Acquisition, Development and Maintenance
- Treated as applying only to the information systems developed to run the business, e.g. ERP, Enterprise Project Management etc., although the domain also covers acquisition and maintenance
- Impact analysis of changes is very weak
- Fallback plan for an unsuccessful software upgrade is weak
24. Implementation Issues - Incident Management
- Incident management is seen as an impossible activity
- Awareness of how to report an incident is very low
25. Implementation Issues - BCP
- Scale of BCP is very low vis-à-vis the business need
26. Implementation Issues - Compliance
- A single comprehensive list of applicable rules & regulations is absent
27. Queries
28. Thank You. R. Ramkumar