#211 Creating the ISMS (Information Security Management System)

Session 211, 28.3.2000
Peter R. Bitterli, CISA, http://www.bitterli-consulting.ch, [email protected]

Please observe the copyright: You are allowed to use and further distribute this presentation only with this copyright notice attached. If you use parts of this documentation in presentations or other diagrams you have to refer to the source. Any commercial use of this presentation is only allowed with written consent of the author.


Page 1

#211 Creating the ISMS (Information Security Management System)

Peter R. Bitterli, CISA, http://www.bitterli-consulting.ch, [email protected]

Page 2

Published Session Contents: Creating the Information Security Management System

The participants will learn about:
• Information Security Policies and Procedures
• Information Security Organisation: Tasks, Staffing, Reporting
• Examples of Key Information Security Projects: IT Resources Ownership, Security Awareness, Single Point of Reference
• Effective Operation and Monitoring of Security Controls
• Periodic Review of Implemented Controls

Organising the Information Security Management System in medium to large enterprises can be quite a difficult task. This session will demonstrate how to set up an information security organisation that defines, regulates, coordinates and reviews the corporate information security issues. Based on ideas of the INFOSEC Business Advisory Group of the EU framework, the session will provide workable directions on how to get the job done.

Page 3

Creating the ISMS: An expansion of the IBAG Framework for Commercial IT-Security

Members (1994/95):
• European Security Forum (ESF)
• Comité Européen des Assurances (CEA)
• International Chamber of Commerce (ICC)
• International Information Integrity Institute (I4)
• Associated Banks of Europe Corporation (ABECOR)
• Information Systems Audit and Control Association (ISACA)
• European Confederation of Institutes of Internal Auditing (ECIIA)
• X/Open, OSITOP, EWOS, ECMA, EUROBIT, …

IBAG = Infosec Business Advisory Group of the European Community

Page 4

Commercial IT Security Interests: IBAG Framework for Commercial IT-Security (diagram)

Page 5

The “Original” IBAG Framework (originally 7 Key Tasks)

Policy level: Security Policy; Organisation
Practices level: Areas/Topics; Baseline Controls; Specific Controls
Procedures level: Installation/Operation; Monitoring/Review

Page 6

The Enhanced IBAG Framework (9 Key Tasks)

Structure and some ideas taken from IBAG. Contents of key tasks from different sources and personal experience.

Policy level: Security Policy; Organisation; Ownership; Awareness
Practices level: Areas/Topics; Baseline Controls; Specific Controls
Procedures level: Installation/Operation; Monitoring/Review

My additions to the IBAG Framework (compared with the original framework on Page 5: Ownership, Awareness)

Page 7

The IBAG Policies Level

Framework diagram: Policy level (Security Policy; Organisation; Ownership; Awareness), Practices level (Areas/Topics; Baseline Controls; Specific Controls), Procedures level (Monitoring/Review; Operation).

COBIT Control Objectives

PO 6.2 Management’s Responsibility for Policies
Management should assume full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives. Regular reviews of policies for appropriateness should be carried out. The complexity of the written policies and procedures should always be commensurate with the organisation size and management style.

PO 6.3 Communication of Organisation Policies
Management should ensure that organisational policies are communicated to and understood by all levels in the organisation.

PO 6.4 Policy Implementation Resources
After communication, appropriate resources should be earmarked by management for the implementation of its policies. Management should also monitor the timeliness of the policy implementation.

PO 6.5 Maintenance of Policies
Policies should be adjusted regularly to accommodate changing conditions. Policies should be re-evaluated, at least annually or upon significant changes to the operating or business environment, to assess their adequacy and appropriateness, and amended as necessary. Management should provide a framework and process for the periodic review and approval of standards, policies, directives and procedures.

PO 6.6 Compliance with Policies, Procedures and Standards
Management should ensure that appropriate procedures are in place to determine whether personnel understand the implemented policies and procedures, and that the policies and procedures are being followed. Compliance procedures for ethical, security and internal control standards should be set by top management and promoted by example.

PO 6.8 Security and Internal Control Framework Policy
Senior management should assume full responsibility for developing and maintaining a framework policy which establishes the organisation’s overall approach to security and internal control. The policy should comply with overall business objectives and be aimed at minimisation of risks through preventive measures, timely identification of irregularities, limitation of losses and timely restoration. Measures should be based on cost-benefit analyses and should be prioritised. In addition, senior management should ensure that this high-level security and internal control policy specifies the purpose and objectives, the management structure, the scope within the organisation, the definition and assignment of responsibilities for implementation at all levels, and the definition of penalties and disciplinary actions associated with failing to comply with security and internal control policies.

Page 8

IT Security Policy (Key Task #1)

• Foundation for all security related work
• Needs support by senior management
• Three tier approach
• Policy should integrate all security related activities

The three tiers: High Level Policy; Detailed Policy (Baseline Control Objectives); Guidelines.

Page 9

High level IT Security Policy (Key Task #1)

Contains:
• Definition of IT security
• Responsibilities: business managers; IT security officers; IT security steering group; owners of IT resources; all employees
• Legal requirements: data protection / privacy; software copyright; intellectual property rights; safeguarding of records; transborder data flow

High level policy:
• Signed by the CEO
• Purpose/scope of IT security
• High-level requirements valid for everyone
• Known to all employees (should confirm receipt, understanding and future compliance)

Page 10

Middle level (Key Task #1)

Middle level policies:
• Definition of responsibility, authority, accountability
• Security objectives for “all” topics (see area/topics)
• 30-100 more general or 400-600 detailed
• Re-evaluate annually
• Use “Areas/Topics” for structure

Example below taken from the BSI Code of Practice (BS7799-1:1999); changed by author; for demonstration purposes only.

7 PHYSICAL AND ENVIRONMENTAL SECURITY

7.1 Secure Areas

Critical or sensitive business information processes and facilities to support them should be housed in secure areas. Such facilities should also be physically protected from unauthorized access, damage and interference.

Objective: To prevent unauthorized access, damage and interference to business premises and information services.

7.1.1 Physical security perimeter

a M The perimeter of any XXXXXX building or site should be physically sound. The external walls should be of solid construction and all external doors should be suitably protected against unauthorized access (e.g. control mechanisms, bars, alarms etc.). External protection should be considered for windows, particularly at ground level.
There should be no gaps in the perimeter or areas where a break-in could easily occur.

b M Security perimeters should be clearly defined for all (inside) areas. The security of the perimeter should be consistent with the value or classification of the assets or services under protection.
A security perimeter is something which builds a barrier, e.g. a wall, a card controlled entry gate or a manned reception desk (see 7.1.3). The siting and strength of each barrier depends on the result of a risk assessment.

c M A manned reception area or other means to control physical access to the site or building should be in place.
Access to sites and buildings should be restricted to holders of valid identity passes.

d R All fire doors on a security perimeter should be alarmed and should slam shut.

7.1.2 Physical entry controls

a M Visitors should be supervised or cleared and their date and time of entry and departure recorded. Visitors should stay inside a separated visitor visiting area, if possible, and only be granted access to the rest of the building for specific, authorized purposes. There they should be required to wear some form of visible identification.
Visitors and long term contractors should be issued with instructions on the security requirements of the site and on emergency procedures.

b M All personnel should be encouraged to question unescorted strangers not wearing visible identification.

c M Access rights should be revoked immediately for staff and third parties (e.g. consultants and contractors) who stop working for XXXXXX.

d M Access rights should be updated and regularly reviewed (i.e. once every three months).
This ensures continued business need of existing privileges granted.

e M Access to archives containing sensitive information, to computer or communications rooms and to other secure areas must be controlled and restricted to authorized staff only. An audit trail of all access should be securely maintained.
Access should be granted through use of authentication controls (e.g. swipe card) to authorize and validate all access.

7.1.3 Securing offices, rooms and facilities

a M Key facilities should be sited to avoid access by public. They should give minimum indication of their purpose, with no obvious signs, outside or inside the building. Directories and internal telephone books identifying locations of sensitive information processing facilities should not be publicly available.
Personnel should only be aware of the existence of, or activities within, a secure area on a need to know basis.

Page 11

Guidelines (Key Task #1)

Lower level guidelines, two types:
• General / generic
• Technology specific

Clear and concise; easy to handle; in electronic form; use “Areas/Topics” for structure.

Example guideline “Physical Access Security” below for demonstration purposes only!

Guideline Physical Access Security (Part 3). Contents for demonstration purposes only!

3.1 Zoning concept

3.1.1 The floor space should be divided in clearly defined areas (i.e. zones), grouping together common activities and responsibilities. For each zone, the group of persons allowed access to it and the relevant access times should be clearly defined.

3.1.2 Areas for receiving visitors should be clearly separated from the rest of the building.

3.1.3 Every department head must regularly receive and review a listing of all persons in their zone who currently are allowed access.

3.1.4 A list of managers who are authorised to grant access to the premises should be kept up-to-date. This list should be periodically reviewed by the higher-level managers.

3.1.5 High-risk tasks (e.g. handling large volumes of valuables) and critical IT resources (e.g. telephone exchange, servers, host, ...) should each be in a separate "high-risk" zone.

3.1.6 High-risk zones should be further compartmentalised (e.g. to prevent access to critical IT resources). If more than a very limited number of persons have access to such a high-risk zone, modems, servers and other equipment should be placed inside locked racks or partitioned off with lattice.

3.2 Access control

3.2.1 The access to the building should be physically restricted to authorised persons.

3.2.2 Access to any inside zone should be regulated by an automatic access control system, operated by an identification badge. All such doors should sound an audible alarm if the door stays open for more than just a few seconds.

3.2.3 All employees and other authorised persons should visibly wear an identification badge on their outer garments so that the information on the badge is clearly visible.

3.2.4 Identification badges and physical access cards that have been lost or stolen should be reported immediately.

3.2.5 Employees who have forgotten their identification badge must obtain a temporary badge by providing a driver's license or another piece of picture identification. Such a temporary badge is valid for a single day only.

3.2.6 Employees must not permit unknown or unauthorised persons to pass through doors and other entrances to restricted areas at the same time when authorised persons go through.

3.2.7 Employees should not attempt to enter restricted areas for which they have not received access authorisation.
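The detailed policy excerpt on Page 10 (7.1.2 c and d) and the guideline above (3.1.3, 3.2.5) define three checkable rules for physical access rights: immediate revocation for leavers, a review at least every three months, and one-day validity for temporary badges. The following is an added example, not part of the session material, of a review script that applies those rules to a badge register and produces the per-zone listing a department head is expected to review; the register, names, zones and dates are constructed for illustration.

```python
"""Periodic access-rights review for physical zones.

Added example (not from the original session). It applies the rules from the
detailed policy and guideline excerpts on this page to a constructed badge
register:
  - rights of persons who stopped working are revoked immediately (7.1.2 c)
  - every right is re-reviewed at least once every three months (7.1.2 d, 3.1.3)
  - a temporary badge is valid for a single day only (3.2.5)
All names, zones and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

REVIEW_INTERVAL = timedelta(days=90)      # "once every three months" (7.1.2 d)
TEMP_BADGE_VALIDITY = timedelta(days=1)   # "valid for a single day only" (3.2.5)


@dataclass(frozen=True)
class AccessRight:
    person: str
    zone: str
    badge_type: str            # "permanent" or "temporary"
    issued: date               # day the badge / right was granted
    last_reviewed: date        # last confirmation of continued business need
    employment_end: Optional[date] = None  # set when the person stops working


Finding = Tuple[str, str, str]  # (person, zone, reason)


def review_access(rights: List[AccessRight], today: date) -> List[Finding]:
    """Return one finding per rule violation; an empty list means all is in order."""
    findings: List[Finding] = []
    for r in rights:
        if r.employment_end is not None and r.employment_end <= today:
            findings.append((r.person, r.zone,
                             "revoke: stopped working on %s" % r.employment_end.isoformat()))
            continue  # the right is to be removed, the other checks are moot
        if r.badge_type == "temporary" and today - r.issued >= TEMP_BADGE_VALIDITY:
            findings.append((r.person, r.zone, "expired temporary badge"))
            continue
        if today - r.last_reviewed > REVIEW_INTERVAL:
            overdue = (today - r.last_reviewed - REVIEW_INTERVAL).days
            findings.append((r.person, r.zone, "review overdue by %d days" % overdue))
    return findings


def zone_listing(rights: List[AccessRight], today: date) -> Dict[str, List[str]]:
    """Per-zone list of persons who currently hold a valid right (3.1.3).

    Leavers and expired temporary badges are excluded. Rights that are only
    overdue for review stay listed: this listing is what the department head
    reviews to confirm or withdraw them."""
    excluded = {(p, z) for p, z, reason in review_access(rights, today)
                if not reason.startswith("review overdue")}
    listing: Dict[str, List[str]] = {}
    for r in rights:
        if (r.person, r.zone) in excluded:
            continue
        listing.setdefault(r.zone, []).append(r.person)
    return {zone: sorted(names) for zone, names in listing.items()}


# Constructed register for illustration (the review date is the session date).
TODAY = date(2000, 3, 28)
REGISTER = [
    AccessRight("A. Muster", "server room", "permanent", date(1999, 1, 4), date(2000, 2, 1)),
    AccessRight("B. Beispiel", "server room", "permanent", date(1998, 6, 1), date(1999, 11, 15)),
    AccessRight("C. Contractor", "office zone 2", "permanent", date(1999, 9, 1), date(2000, 1, 10),
                employment_end=date(2000, 3, 15)),
    AccessRight("D. Visitor", "office zone 2", "temporary", date(2000, 3, 27), date(2000, 3, 27)),
    AccessRight("E. Visitor", "office zone 2", "temporary", date(2000, 3, 28), date(2000, 3, 28)),
]

if __name__ == "__main__":
    for person, zone, reason in review_access(REGISTER, TODAY):
        print("%-14s %-14s %s" % (person, zone, reason))
    for zone, names in zone_listing(REGISTER, TODAY).items():
        print("%s: %s" % (zone, ", ".join(names)))
```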

Page 12

IT Security Organisation (Key Task #2)

• Single point of focus
• Must integrate and co-ordinate all security tasks and activities
• Must provide necessary know-how
• Must be business oriented

“Become the security hub of your company – recognised, competent and available” (Pierre-Luc Réfalo, France)

Page 13

Business Trends Foster Changes (Key Task #2)

Some business trends:
• High rate of restructuring, take-over, spin-off, …
• Shorter cycles for developing crucial business applications
• Further outsourcing of key IT elements (e.g. WAN, firewalls, web-server, LAN, PC support)
• E-business (B2B, B2C)
• Further decentralisation with high diversity of IT
• Budget cuts

This will mean:
• IT related security risks and the responsibilities of IT security staff will grow at a high rate
• More and increasingly professional staff is needed
• IT security responsibilities as well as know-how will move outwards to business units
• Business managers are forced to monitor adequacy of the system of internal controls

Page 14

Sound Organisation Structure (Key Task #2)

Responsibility for security: responsibility will shift from IT to business (dangerous?)

Information security committee (steering group):
• High level body
• Balancing the different needs, projects and activities
• Approving policies, guidelines, action plans, budgets
• Monitoring status, costs
• Regular meetings (3-6/year)

Information Security Officers:
• Small team for entire company
• One per business unit
• Make things happen
• Share know-how and experience

Security co-ordination (informal or formal): physical security & safety; legal department; personnel; risk management; …

Page 15

Ownership (Key Task #3)

Diagram: Owner 1, Owner 2, Owner 3.

COBIT Control Objectives

PO 4.7 Ownership and Custodianship
Management should create a structure for formally appointing the data owners and custodians. Their roles and responsibilities should be clearly defined.

PO 4.8 Data and System Ownership
Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and delegate security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.

The key to success:
• Individual accountability
• Augments efficiency and effectiveness of security
• Practicable if consistently applied

Page 16

Business Objectives/Drivers (Key Task #3)

Objectives of ownership:
• Achieve personal accountability for all IT resources
• Agree and communicate the level of protection required
• Define/implement monitoring and incident handling
• Define/implement change management
• Highlight the most critical IT resources

Business drivers for ownership:
• Minimising risk of major incidents
• Pushing risk decisions back to business
• Keeping up with good practice
• Ensuring compliance with statutory obligations
• Clarifying external responsibilities (3rd parties)
• Demonstrating proper stewardship

Based on ideas of the European Security Forum.

Page 17

Ownership Types - Questions (Key Task #3)

Types of owners: owners of business processes; owners of IT resources (COBIT):
• Information: Data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
• Application systems: Understood to be the sum of manual and programmed procedures
• Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc.
• Facilities: Resources to house and support information systems
• People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services

Diagram: each resource type (Business process, Information, Application System, Technology, Facilities, People) with the important IT processes (COBIT PO, AI, DS, M) attached to it; process references shown in the figure: PO2; PO10/11, AI1/2/5/6, DS11; DS4/5/9; DS4/5/12; PO6/7, DS7/8; PO9/10, AI4/5/6, DS11/13, M1/2.

Page 18

Ownership Roles - Questions (Key Task #3)

Diagram of ownership roles around the resource types (Business process, Information, Application System, Technology, Facilities, People): Owner, User, Custodian (Operations), Custodian (Developers), Owner 2; two positions are marked “?”. Relationships shown: Information Exchange Agreement; Business Requirements Specifications (PO10/11, AI1/2/4/5); Service Level Agreement (DS1/2/3/4/5/10); help desk (DS8/10); User Procedures Manual (AI 4.3). PO, AI, DS, M: important IT processes (COBIT).

Page 19

Benefits of Ownership (Key Task #3)

Sound ownership arrangements benefit a business by:
• Strengthening accountability
• Avoiding expenditure on unnecessary controls
• Establishing levels of protection commensurate with risk
• Reducing security incidents
• Fostering 3rd-parties’ trading
• Facilitating the secure interchange of information

Not so much to do, because:
• Many forms of ownership are already in place informally
• All owners of business processes are (should be) known anyhow
• Legal obligations indirectly foster ownership issues: data protection legislation; banking legislation; governance standards

Page 20

Security Awareness (Key Task #4)

COBIT Control Objectives

PO 6.11 Communication of IT Security Awareness
An information technology security awareness programme should communicate the information technology security policy to each information technology user and assure a complete understanding of the importance of information technology security. It should convey the message that information technology security is to the benefit of the organisation, all its employees, and that everybody is responsible for it. The information technology security awareness programme should be supported by, and represent, the view of senior management.

DS 7.3 Security Principles and Awareness Training
All personnel should be trained and educated in system security principles. Senior management should provide an education and training programme that includes: ethical conduct of the information services function, security practices to protect against harm from failures affecting availability, confidentiality, integrity and performance of duties in a secure manner.

• Permanent task of management
• Seeks/provides positive attitude
• Close collaboration of internal control structure
• Needs formal program and professional marketing
• Target groups: managers, employees; third parties; customers, business partners, media

Page 21

Selling IT Security (Key Task #4)

Why is it so difficult to sell IT Security?
• Unsuccessful track record
• Failure to fulfil management’s expectations
• Lack of organisational understanding by security staff
• Failure in co-ordination in the control functions
• Evolving organisation structures
• Lack of co-ordinated IT security sales program

Some marketing issues:
• Make people want to be secure
• Display high-level support
• Encourage people to be alert
• Point out the risks
• Be simple but comprehensive
• Be targeted and never assume knowledge
• Be entertaining and amusing
• Be two-way

Adequate control (i.e. security) without awareness is impossible!

Page 22

Selling IT Security (Key Issues) (Key Task #4)

Know your business:
• Know business objectives
• Understand operations
• Analyse business needs and what could threaten business objectives being met

Sales strategy:
• Sell to more than just one level
• Know your target audience
• Avoid negative security awareness
• Know sales techniques

Prepare product:
• Article and violation reporting
• Poster, flyers, mouse mats, …
• Personal presentations
• Video and film presentations
• One-to-one selling

Implementation

Maintenance:
• Keep management informed
• Demonstrate results
• Publish successes
• Carry out approved plans

Page 23

Selling IT Security to Managers (Key Task #4)

Security Policy, Baseline Controls, Guidelines:
• Present and ask for feedback
• Let them explain to others

Awareness materials:
• Present and discuss; ask for accompanying letter
• Have them talk about this during meetings

Distribute articles:
• With a commenting letter
• In person (“have you seen …?”)

Report on security matters:
• In person once every month
• Fixed item on agenda

Encourage managers to attend meetings, seminars, conferences.

Be prepared before facing senior management:
• Anticipate questions and objections (FAQ)
• Ask them for a decision
• Handout material
• Follow-up visit

Page 24

The IBAG Practices Level

Framework diagram: Policy level (Security Policy; Organisation; Ownership; Awareness), Practices level (Areas/Topics; Baseline Controls; Specific Controls), Procedures level (Monitoring/Review; Implementation/Operation).

COBIT Control Objectives

PO 6.8 Security and Internal Control Framework Policy
… Measures should be based on cost-benefit analyses and should be prioritised …

PO 9.1 Business Risk Assessment
Management should establish a systematic risk assessment framework. Such a framework should incorporate a regular assessment of the relevant information risks to the achievement of the business objectives, forming a basis for determining how the risks should be managed to an acceptable level. The process should provide for risk assessments at both the global level and system specific levels (for new projects as well as on a recurring basis) and should ensure regular updates of the risk assessment information with results of audits, inspections and identified incidents.

PO 9.2 Risk Assessment Approach
Management should establish a general risk assessment approach which defines the scope and boundaries, the methodology to be adopted for risk assessments, the responsibilities and the required skills. The quality of the risk assessments should be ensured by a structured method and skilled risk assessors.

PO 9.3 Risk Identification
The risk assessment approach should focus on the examination of the essential elements of risk such as assets, threats, vulnerabilities, safeguards, consequences and likelihood of threat.

PO 9.4 Risk Measurement
The risk assessment approach should ensure that the analysis of risk identification information results in a quantitative and/or qualitative measurement of risk to which the examined area is exposed. The risk acceptance capacity of the organisation should also be assessed.

PO 9.5 Risk Action Plan
The risk assessment approach should provide for the definition of a risk action plan to ensure that cost-effective controls and security measures mitigate exposure to risks on a continuing basis.

PO 9.6 Risk Acceptance
The risk assessment approach should ensure the formal acceptance of the residual risk, depending on risk identification and measurement, organisational policy, uncertainty incorporated in the risk assessment approach itself and the cost effectiveness of implementing safeguards and controls. The residual risk should be offset with adequate insurance coverage.

Page 25

Define Areas/Topics (Scope) (Key Task #5)

Define areas of focus/interest: consider business priorities; consider IT security issues.

DTI Code of Practice (BS7799)
• security policy & organisation
• personnel security
• asset classification and control
• system access control
• physical & environmental security
• computer and network management
• system development/maintenance
• business continuity planning
• compliance

CISA Candidates Guide
• organisation & management
• operations
• system software
• logical, physical & environmental security
• business continuity planning
• system development/maintenance
• application

IBAG Framework
• management of security
• personnel & organisation
• physical access
• logical access
• data security
• hardware
• environment
• operating system
• software utilities
• operations
• communications
• applications development
• purchased software
• end-user computing

COBIT 2nd edition
PO 1 Define a Strategic IT Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organisation and Relationships
PO 5 Manage the IT Investment
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality
AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit

Page 26: #211 Creating the ISMS System) Management Security ... · Session 211 3 28.3.2000 Creating the ISMS An expansion of the IBAG Framework for Commercial IT-Security Members (1994/95)

Session 211 26 28.3.2000

Areas/Topics: Set Priorities
Creating the Information Security Management System

Business issues/priorities
• Travelling user
• E-Business
  • Business to business
  • Business to customers
• Virtual enterprises
• Time to productive use of new systems
• Use COBIT’s “Management’s IT Concerns Diagnostic” form

IT security issues/priorities
• Single sign-on
• Single point of reference
• Notebook encryption
• VPN
• Active content
• Web-servers / DMZ / firewall

Key Task #5


Session 211 27 28.3.2000

Technology Concerns to Management (Gartner Group)

Technology areas (columns of the matrix): Management; Internet / Intranet; Enterprise Packaged Solutions; Client/Server Architecture; Workgroups and GroupWare; Network Management

RISK FACTORS (rows of the matrix, listed under their technology area):

Management
• IT initiatives in line with business strategy
• IT policies and corporate governance
• Utilising IT for competitive advantage
• Consolidating the IT infrastructure
• Reducing cost of IT ownership
• Acquiring and developing skills

Internet / Intranet
• Unauthorised access to corporate network
• Unauthorised access to confidential messages
• Loss of integrity – corporate transactions
• Leakage of confidential data
• Interruption to service availability
• Virus infection

Enterprise Packaged Solutions
• Failure to meet user requirements
• Failure to integrate
• Not compatible with technical infrastructure
• Vendor support problems
• Expensive/complex implementation

Client/Server Architecture
• Failure to coordinate requirements
• Access control problems
• Not compatible with technical infrastructure
• End user management problems
• Control of software versions
• High costs of ownership

Workgroups and GroupWare
• Quality control
• Access control
• Informal procedures
• Data integrity
• Configuration control

Network Management
• Availability
• Security
• Configuration control
• Incident management
• Costs
• Support and maintenance

PLANNING & ORGANISATION

PO1 Define a Strategic IT Plan

PO2 Define the Information Architecture

PO3 Determine the Technological Direction

PO4 Define the IT Organisation and Relationships

PO5 Manage the Investment in IT

PO6 Communicate Management Aims and Direction

PO7 Manage Human Resources

PO8 Ensure Compliance with External Requirements

PO9 Assess Risks

PO10 Manage Projects

PO11 Manage Quality

ACQUISITION & IMPLEMENTATION

AI1 Identify Solutions

AI2 Acquire and Maintain Application Software

AI3 Acquire and Maintain Technology Architecture

AI4 Develop and Maintain IT Procedures

AI5 Install and Accredit Systems

AI6 Manage Changes

DELIVERY & SUPPORT

DS1 Define Service Levels

DS2 Manage Third-Party Services

DS3 Manage Performance and Capacity

DS4 Ensure Continuous Service

DS5 Ensure Systems Security

DS6 Identify and Attribute Costs

DS7 Educate and Train Users

DS8 Assist and Advise IT Customers

DS9 Manage the Configuration

DS10 Manage Problems and Incidents

DS11 Manage Data

DS12 Manage Facilities

DS13 Manage Operations

MONITORING

M1 Monitor the Processes

M2 Assess Internal Control Adequacy

M3 Obtain Independent Assurance

M4 Provide for Independent Audit

Management’s IT Concerns
Creating the Information Security Management System

Key Task #5

COBIT Implementation Tool Set


Session 211 28 28.3.2000

Baseline controls= best practices

COBIT
Code of Practice (BS7799-1:1999)

Must correspond to policies

Don’t reinvent the wheel

Do what experts agree is important

Code of Practice sections: 1.1, 2.1, 2.2, 3.1, 3.2, 4.1, 4.2, 4.3, 5.1, 5.2, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 8.1, 8.2, 8.3, 8.4, 9.1, 10.1, 10.2, 10.3

Key Task #6

Baseline Controls
Creating the Information Security Management System

Avoid detailed risk assessment and save time and money



Session 211 29 28.3.2000

The COBIT Framework is focussed on IT governance, not information security management.

COBIT (part III) contains control objectives, not controls (control procedures).

Example on the right taken from COBIT 2nd edition; changed by author; for demonstration purposes only.

Baseline Controls Source: COBIT
Creating the Information Security Management System

Key Task #6

COBIT framework (cube): Business Processes, IT Resources and the IT processes grouped by domain

Information criteria
• effectiveness
• efficiency
• confidentiality
• integrity
• availability
• compliance
• reliability

Domains
• Planning & Organisation
• Acquisition & Implementation
• Delivery & Support
• Monitoring

IT resources
• data
• applications
• technology
• facilities
• people

PO7 Manage Human Resources

Control over the IT process of managing human resources that satisfies the business requirement to maximise personnel contributions to the IT processes is enabled by sound personnel management techniques and takes into consideration
• recruitment and promotion
• qualification requirements
• training
• awareness building
• cross training
• clearance procedures
• objective and measurable performance evaluation

PO 7.1 Personnel Recruitment and Promotion
Management should implement and regularly assess the needed processes to ensure that personnel recruiting and promotion practices are based on objective criteria and consider education, experience and responsibility. These processes should be in line with the overall organisation’s policies and procedures in this regard.

PO 7.2 Personnel Qualifications
Management of the information services function should regularly verify that personnel performing specific tasks are qualified on the basis of appropriate education, training and/or experience, as required. Management should encourage personnel to obtain membership in professional organisations.

PO 7.3 Personnel Training
Management should ensure that employees are provided with orientation upon hiring and with on-going training to maintain their knowledge, skills, abilities and security awareness to the level required to perform effectively. Education and training programmes conducted to effectively raise the technical and management skill levels of personnel should be reviewed regularly.

PO 7.4 Cross-Training or Staff Back-up
Management should provide for sufficient cross-training or back-up of identified key personnel to address unavailabilities. Personnel in sensitive positions should be required to take uninterrupted holidays of sufficient length to exercise the organisation’s ability to cope with unavailabilities and to detect fraudulent activity.

PO 7.5 Personnel Clearance Procedures
Management of the information services function should ensure that their personnel are subjected to security clearance before they are hired, transferred or promoted, depending on the sensitivity of the position. An employee who was not subjected to such a clearance when first hired should not be placed in a sensitive position until a security clearance has been obtained.

PO 7.6 Employee Job Performance Evaluation
Management should implement an employee performance evaluation process and make sure that the evaluation is performed against established standards and specific job responsibilities on a regular basis. Employees should receive counseling on performance or conduct whenever appropriate.

PO 7.7 Job Change and Termination


Session 211 30 28.3.2000

The BSI Code of Practice for Information Security Management (CoP) is focussed on information security management, not on IT governance.

Example on the right taken from the BSI Code of Practice (BS7799-1:1999); changed by author; for demonstration purposes only.

6 PERSONNEL SECURITY

6.1 Security in job definition and resourcing
Security should be addressed at the recruitment stage, included in job descriptions and contracts, and monitored during an individual’s employment.

6.1.1 Including security in job description
a Managers should ensure that job descriptions address all relevant security roles and responsibilities.

6.1.2 Personnel screening and policy
a At the time of a job application the following checks should be made for all types of employees:
• availability of at least two satisfactory character references, one business and one personal;
• a check (for completeness and accuracy) of the applicant’s curriculum vitae;
• confirmation of claimed academic and professional qualifications;
• independent identity check (passport or similar document).
c A similar screening process should be carried out for contractors and temporary staff (see 6.1.2 a and 6.1.2 b). Where these staff are provided through an agency, the contract with the agency should clearly specify the agency’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern.
e The work of all staff should be subject to periodic review and approval procedures by a more senior member of staff.

6.1.3 Confidentiality agreements
a All employees should sign a separate confidentiality (non-disclosure) agreement as part of their initial conditions of employment.
b Agency staff and third party staff (including all temporary staff) should be required to personally sign a confidentiality (non-disclosure) agreement prior to access to the premises or connection to the information processing facilities.

6.1.4 Terms and conditions of employment
a The terms and conditions of employment should state the employee’s responsibilities for information security. In particular:
• legal responsibilities e.g. regarding copyright laws, data protection legislation;
• classification and management of employer’s data.

Baseline Controls Source: CoP
Creating the Information Security Management System

Key Task #6

Code of Practice

1 Security policy
1.1 Information security policy
2 Security organisation
2.1 Information security organisation
2.2 Security of third-party access
3 Asset classification and control
3.1 Accountability for assets
3.2 Information classification
4 Personnel security
4.1 Security in recruitment
4.2 User training
4.3 Responding to security incidents
5 Physical and environmental security
5.1 Secure areas
5.2 Equipment security
6 Computer and network management
6.1 Operational procedures and responsibilities
6.2 Planning and acceptance of applications
6.3 Protection from malicious software
6.4 Operations and data backup
6.5 Network management and network security
6.6 Secure media handling
6.7 Exchange of data and software
7 System access control
7.1 Business requirements for system access
7.2 Administration of access rights
7.3 User responsibilities
7.4 Network access security
7.5 Computer access security
7.6 Application access security
7.7 Monitoring of system access and use
8 Development and maintenance of application systems
8.1 Definition of security requirements
8.2 Security in application systems
8.3 Security of application system files
8.4 Security in development and support environments
9 Business continuity planning
9.1 Business continuity planning process
10 Compliance
10.1 Compliance with legal requirements
10.2 Security reviews of IT systems
10.3 System audit considerations


Session 211 31 28.3.2000

Specific Controls
Creating the Information Security Management System

COBIT Control Objectives

PO 6.10 Issue Specific Policies
Measures should be put in place to ensure that issue-specific policies are established to document management decisions in addressing particular activities, applications, systems or technologies.

PO 10.9 Planning of Assurance Methods
Assurance tasks are to be identified during the planning phase of the project management framework. Assurance tasks should support the accreditation of new or modified systems and should assure that internal controls and security features meet the related requirements.

AI 1.8 Risk Analysis Report
The organisation’s system development life cycle methodology should provide, in each proposed information system development, implementation or modification project, for an analysis and documentation of the security threats, potential vulnerabilities and impacts, and the feasible security and internal control safeguards for reducing or eliminating the identified risk. This should be realised in line with the overall risk assessment framework.

AI 1.9 Cost-Effective Security Controls
Management should ensure that the costs and benefits of security are carefully examined in monetary and non-monetary terms to guarantee that the costs of controls do not exceed benefits. The decision requires formal management sign-off.

AI 2.12 Controllability
The organisation’s system development life cycle methodology should require that adequate mechanisms for assuring the internal control and security requirements be specified for each information system development or modification project. The methodology should further ensure that information systems are designed to include application controls which guarantee the accuracy, completeness, timeliness and authorisation of inputs, processing and outputs. Sensitivity assessment should be performed during initiation of system development or modification. The basic security and internal control aspects of a system to be developed or modified should be assessed along with the conceptual design of the system in order to integrate security concepts in the design as early as possible.

AI 5.7 Security Testing and Accreditation
Management should define and implement procedures to ensure that operations and user management formally accept the test results and the level of security for the systems, along with the remaining residual risk.

Key Task #7

Layer diagram: Baseline Controls as the base layer, with several sets of Specific Controls built on top.


Session 211 32 28.3.2000

Implementing Specific Controls
Creating the Information Security Management System

Key Task #7

• Evaluate threats, exposures, risks
• Define additional control objectives
• Specify, select or develop specific controls
• Determine if controls are adequate
• Evaluate residual risks

Layer diagram: Baseline Controls as the base layer, with several sets of Specific Controls built on top.


Session 211 33 28.3.2000

Threat / Risk Assessment
Creating the Information Security Management System

Key Task #7

Control risks
• Control environment, culture
• Reorganisations, outsourcing
• Employees, stress, overtime
• Management’s control attitude
• Leadership, board, key staff
• Policies, procedures, documents
• Segregation of duties
• Confidentiality, integrity, availability, efficiency, effectiveness
• Compliance, reliability

Risk analysis to identify critical PCs (procedure: Black & Decker, 1984)

No. | Description/Question | Weight | Key Factor | Result
1 | Does your department use a microcomputer? | 1 | 0 = No; 5 = Yes |
2 | Internal storage capacity | 3 | 0 = No PC; 1 = Up to 16K; 2 = Up to 32K; 3 = Up to 64K; 4 = Up to 128K; 5 = More than 128K |
3 | Is micro shared with other departments? | 1 | 0 = No PC / No; 5 = Yes |
4 | Languages | 2 | 0 = No PC / No; 3 = Basic; 5 = Other |
5 | How long has your department been using a microcomputer? | 1 | 0 = No PC; 1 = less than 6 months; 3 = 6-12 months; 5 = Over 12 months |
6 | Average hours used per week | 1 | 0 = No PC; 1 = Up to 10; 2 = 11-20; 3 = 21-30; 4 = 31-40; 5 = greater than 40 |
7 | Peripherals | 3 | 0 = No PC; 1 = Printer; 2 = Floppy disk; 3 = Printer & floppies; 4 = Fixed disk; 5 = Modem/IRMA Board |
8 | Purchased Software | 2 | 0 = No PC; 1 = Text editor / Word processor; 3 = Financial Accounting; 5 = Complex/multiple applications |
9 | In-House Developed Applications | 3 | 0 = No PC; 1 = Text editor / Word processor; 3 = Financial Accounting; 5 = Complex/multiple applications |
10 | Source of Input Data | 1 | 0 = No PC / none; 3 = Other; 5 = B&D files or DB |
11 | Is your micro linked to other micros or mainframes? | 3 | 0 = No PC / No; 3 = To other micros |
12 | Documentation available | 1 | 0 = No PC; 1 = Operations, SW-Program; 3 = Operations, no software; 5 = None |
13 | Future acquisition/development plans | 1 | 0 = None; 3 = Long term; 5 = Short term |
14 | Number of persons using microcomputer | 1 | 0 = No PC; 3 = 2-5; 5 = One or greater than 5 |
15 | Training provided | 1 | 0 = No PC; 1 = Formal training; 3 = Other; 5 = None |
16 | Do you have control concerns or other comments regarding your micro? | 1 | 0 = No PC / No; 5 = Yes |
Total | | | |

(Chart: Code of Practice sections 1.1 to 10.3 plotted on a 0–5 scale with a 0%–60% axis; risk classes: survival?, serious, significant, low, none.)

Business/inherent risks
• Products / service offered
• Market (national/international)
• Size, financial situation
• Contracts and liability
• Operations
• Tax and political situation
• Information technology used
• Technological trends and developments
• Complexity

Risk matrix axes: damage (--- to +++) against probability (--- to +++)

Risk = Probability x Damage
$R_i = w_i \cdot A_i$

Total risk (sum of all partial risks):
$R = \sum_i R_i = \sum_i w_i \cdot A_i$

An illusion of mathematical correctness
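Worked example, added here and not part of the presentation: scoring the questionnaire above with $R_i = w_i \cdot A_i$ and $R = \sum_i R_i$. The weights and key-factor scales for six of the sixteen questions are taken from the slide; the sample answers are constructed, and `one_step_sensitivity` is an addition that makes the slide's "illusion of mathematical correctness" visible by showing how unevenly a single one-step change in an ordinal answer moves the total.

```python
"""Weighted questionnaire risk score R = sum(w_i * A_i), as on the Black & Decker PC risk form."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    number: int
    text: str
    weight: int            # w_i, the question's weight
    scale: dict[int, str]  # admissible key-factor values A_i and their meaning


# Subset of the questionnaire on the slide (weights and key-factor scales as
# printed there); the answers further below are constructed for this example.
QUESTIONNAIRE = (
    Question(1, "Does your department use a microcomputer?", 1,
             {0: "No", 5: "Yes"}),
    Question(2, "Internal storage capacity", 3,
             {0: "No PC", 1: "Up to 16K", 2: "Up to 32K", 3: "Up to 64K",
              4: "Up to 128K", 5: "More than 128K"}),
    Question(3, "Is micro shared with other departments?", 1,
             {0: "No PC / No", 5: "Yes"}),
    Question(7, "Peripherals", 3,
             {0: "No PC", 1: "Printer", 2: "Floppy disk", 3: "Printer & floppies",
              4: "Fixed disk", 5: "Modem/IRMA board"}),
    Question(9, "In-house developed applications", 3,
             {0: "No PC", 1: "Text editor / word processor",
              3: "Financial accounting", 5: "Complex/multiple applications"}),
    Question(12, "Documentation available", 1,
             {0: "No PC", 1: "Operations, SW-program", 3: "Operations, no software",
              5: "None"}),
)

# Constructed answers for one department: key-factor value per question number.
SAMPLE_ANSWERS = {1: 5, 2: 3, 3: 0, 7: 4, 9: 3, 12: 3}


def partial_risks(answers: dict[int, int]) -> dict[int, int]:
    """R_i = w_i * A_i for every question; answers not on the scale are rejected."""
    risks = {}
    for q in QUESTIONNAIRE:
        value = answers[q.number]
        if value not in q.scale:
            raise ValueError(
                f"Q{q.number}: {value} is not a key factor on the scale {sorted(q.scale)}")
        risks[q.number] = q.weight * value
    return risks


def total_risk(answers: dict[int, int]) -> int:
    """R = sum of all partial risks."""
    return sum(partial_risks(answers).values())


def max_risk() -> int:
    """Highest score the form can produce, used to express R as a percentage."""
    return sum(q.weight * max(q.scale) for q in QUESTIONNAIRE)


def risk_percent(answers: dict[int, int]) -> float:
    return round(100 * total_risk(answers) / max_risk(), 1)


def one_step_sensitivity(answers: dict[int, int]) -> dict[int, int]:
    """Change in R when one answer moves a single step up its scale.

    The scales are ordinal and the weights are a judgement call, so the same
    "one step" moves R by a different amount for each question: the total
    looks precise but is not a measurement.
    """
    base = total_risk(answers)
    deltas = {}
    for q in QUESTIONNAIRE:
        steps = sorted(q.scale)
        position = steps.index(answers[q.number])
        if position + 1 < len(steps):          # already at the top of the scale: no step possible
            bumped = dict(answers)
            bumped[q.number] = steps[position + 1]
            deltas[q.number] = total_risk(bumped) - base
    return deltas


if __name__ == "__main__":
    print("partial risks:", partial_risks(SAMPLE_ANSWERS))
    print("total:", total_risk(SAMPLE_ANSWERS), "of", max_risk(),
          f"({risk_percent(SAMPLE_ANSWERS)}%)")
    print("one-step sensitivity:", one_step_sensitivity(SAMPLE_ANSWERS))
```

With the constructed answers the six partial risks add up to 38 of a possible 60; moving the "shared with other departments" answer from No to Yes adds 5, while moving "in-house applications" one step adds 6 and "documentation" one step adds 2, which is the kind of arbitrariness the slide's caveat refers to.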


Session 211 34 28.3.2000

Risk Analysis to Discover Critical IT-Processes (Typical Example)

Rating form: each IT process is rated for Importance (not rated / does not apply / not sure / not important / somewhat important / very important) and for Performance (not rated / not sure / poor / satisfactory / very good / excellent).

IT-Process
PO1 Define a Strategic Information Technology Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Organisation and Relationships
PO5 Manage the Investment in Information Technology
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality
AI1 Identify Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Architecture
AI4 Develop and Maintain IT-Procedures
AI5 Install and Accredit Systems
AI6 Managing Changes
DS1 Define Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Assisting and Advising IT-Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations
M1 Monitor the Process
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit

COBIT 2nd Edition Implementation Tool Set, 1998

Risk Analysis: COBIT (34 IT-Processes)

Critical IT-Processes (Example)
Performance columns: excellent, very good, satisfactory, poor, not sure. Processes by importance row:
• very important: PO10, DS11, M1, PO9, DS2, DS4, DS10, PO1, DS1, PO3
• somewhat important: PO5, PO11, AI2, AI6, DS5, PO4, AI4, DS8, DS13, AI3, M2, PO8
• not important: DS6, DS12, DS3, DS9, PO6, AI1, AI5, M4, DS7, M3
• not sure: PO2, PO7

Identify critical IT processes for a particular application

Key Task #7
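Added example, not from the presentation or the COBIT tool set: screening processes rated on the two scales of the form above and picking out the critical ones. The process names are COBIT's; the ratings, and the criticality rule (importance at least "very important" and performance no better than "satisfactory", with unknown performance of an important process counting as a concern rather than passing silently), are assumptions made for this example.

```python
"""Importance/performance screening of IT processes, after the rating form in
the COBIT Implementation Tool Set."""
from __future__ import annotations
from collections import defaultdict

# The two rating scales of the form, ordered from weakest to strongest.
IMPORTANCE = ("not rated", "does not apply", "not sure", "not important",
              "somewhat important", "very important")
PERFORMANCE = ("not rated", "not sure", "poor", "satisfactory",
               "very good", "excellent")

# Constructed ratings for eight of the 34 COBIT processes (names are COBIT's,
# the ratings are invented for this example).
RATINGS = {
    "PO9 Assess Risks":              ("very important", "poor"),
    "PO10 Manage Projects":          ("very important", "excellent"),
    "DS4 Ensure Continuous Service": ("very important", "not sure"),
    "DS5 Ensure Systems Security":   ("somewhat important", "poor"),
    "DS11 Manage Data":              ("very important", "satisfactory"),
    "M1 Monitor the Processes":      ("very important", "very good"),
    "DS12 Manage Facilities":        ("not important", "poor"),
    "PO7 Manage Human Resources":    ("not sure", "not rated"),
}


def validate(ratings: dict[str, tuple[str, str]]) -> None:
    """Reject ratings that are not on the form's scales (typos, free text)."""
    for name, (importance, performance) in ratings.items():
        if importance not in IMPORTANCE or performance not in PERFORMANCE:
            raise ValueError(
                f"{name}: rating {(importance, performance)} is not on the form's scales")


def grid(ratings: dict[str, tuple[str, str]]) -> dict[tuple[str, str], list[str]]:
    """Group processes by (importance, performance) cell, like the slide's matrix."""
    validate(ratings)
    cells: dict[tuple[str, str], list[str]] = defaultdict(list)
    for name, key in ratings.items():
        cells[key].append(name)
    return {key: sorted(names) for key, names in cells.items()}


def critical_processes(ratings: dict[str, tuple[str, str]],
                       min_importance: str = "very important",
                       max_performance: str = "satisfactory") -> list[str]:
    """Processes that matter at least `min_importance` and perform no better
    than `max_performance`. "not rated" and "not sure" rank below "poor" on
    PERFORMANCE, so an important process with unknown performance is flagged
    rather than silently passing the screen."""
    validate(ratings)
    critical = [
        name for name, (importance, performance) in ratings.items()
        if IMPORTANCE.index(importance) >= IMPORTANCE.index(min_importance)
        and PERFORMANCE.index(performance) <= PERFORMANCE.index(max_performance)
    ]
    return sorted(critical)


def unrated(ratings: dict[str, tuple[str, str]]) -> list[str]:
    """Processes whose importance nobody has decided yet; they need an owner."""
    validate(ratings)
    return sorted(name for name, (importance, _) in ratings.items()
                  if importance in ("not rated", "not sure"))


if __name__ == "__main__":
    for cell, names in sorted(grid(RATINGS).items()):
        print(cell, names)
    print("critical:", critical_processes(RATINGS))
    print("importance undecided:", unrated(RATINGS))
```

Lowering `min_importance` to "somewhat important" pulls DS5 into the critical list as well; the thresholds are the part of the screen that management has to decide, the code only makes the decision explicit and repeatable.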


Session 211 35 28.3.2000

IBAG framework levels
• Policy: Security Policy
• Organisation: Ownership, Awareness
• Practices: Areas/Topics, Baseline Controls, Specific Controls
• Procedures: Monitoring/Review, Implementation/Operation

The IBAG Procedures Level
Creating the Information Security Management System

COBIT Control Objectives

AI 4.2 User Procedures Manuals
The organisation’s system development life cycle methodology should provide that adequate user procedures manuals be prepared and refreshed as part of every information system development, implementation or modification project.

AI 4.3 Operations Manual
The organisation’s system development life cycle methodology should provide that an adequate operations manual be prepared and kept up-to-date as part of every information system development, implementation or modification project.

DS 8.1 Help Desk
User support should be established within a ”help desk” function. Individuals responsible for performing this function should closely interact with problem management personnel.

DS 10.1 Problem Management System
Information services function management should define and implement a problem management system to ensure that all operational events which are not part of the standard operation (incidents, problems and errors) are recorded, analysed and resolved in a timely manner. Incident reports should be established in the case of significant problems.

DS 10.2 Problem Escalation
Management should define and implement problem escalation procedures to ensure that identified problems are solved in the most efficient way on a timely basis. These procedures should ensure that these priorities are appropriately set. The procedures should also document the escalation process for the activation of the information technology continuity plan.

DS 10.3 Problem Tracking and Audit Trail
The problem management system should provide for adequate audit trail facilities which allow tracing from incident to underlying cause (e.g., package release or urgent change implementation) and back. It should closely interwork with change management, availability management and configuration management.

DS 13.1 Processing Operations Procedures and Instructions Manual
The information services function should establish and document standard procedures for information technology operations (including network operations). All information technology solutions and platforms in place should be operated using these procedures, which should be reviewed periodically to ensure effectiveness and adherence.

DS 13.6 Operations Logs
Management controls should guarantee that sufficient chronological information is being stored in operations logs to enable the reconstruction, timely review and examination of the time sequences of processing and other activities surrounding or supporting processing.


Session 211 36 28.3.2000

Life Cycle Approach

Key Task #8

Implementation & Operation
Creating the Information Security Management System

• Establish implementation plan
• Install and update products and systems
• Implement and update procedures
• Train staff and users
• Operate security mechanisms
• Re-adjust where necessary

Life cycle diagram: (IT) Security Awareness, Responsibility, Policy; Baseline Security Controls; System Specific Controls, each passing through the phases Definition, Implementation, Operation, Monitoring, Audit/Review, Change-Mgmt.


Session 211 37 28.3.2000

M 1.1 Collecting Monitoring Data
M 2.1 Internal Control Monitoring
M 2.2 Timely Operation of Internal Controls
M 2.3 Internal Control Level Reporting
M 2.4 Operational Security and Internal Control Assurance
M 3.1 Independent Security and Internal Control Certification/Accreditation of Information Technology Services
M 3.2 Independent Security and Internal Control Certification/Accreditation of Third-Party Service Providers
M 3.3 Independent Effectiveness Evaluation of Information Technology Services
M 3.4 Independent Effectiveness Evaluation of Third-Party Service Providers
M 3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments
M 3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments by Third-Party Service Providers

Key Task #9

Monitor & Review Operations
Creating the Information Security Management System

COBIT Control Objectives

PO 3.2 Monitor Future Trends and Regulations

PO 4.9 Supervision

PO 6.6 Compliance with Policies, Procedures and Standards

PO 8.1 External Requirements Review

PO 8.2 Practices and Procedures for Complying with External Requirements

PO 8.3 Safety and Ergonomic Compliance

PO 8.4 Privacy, Intellectual Property and Data Flow

PO 8.6 Compliance with Insurance Contracts

DS 1.4 Monitoring and Reporting

DS 2.8 Monitoring

DS 5.7 Security Surveillance

DS 5.10 Violation and Security Activity Reports

DS 5.11 Incident Handling

DS 10.3 Problem Tracking and Audit Trail


Session 211 38 28.3.2000

Key Task #9

Monitoring Compliance
Creating the Information Security Management System

Compliance Monitoring / Review Process
• Defined requirements sufficient?
• Policies, regulations and guidelines still adequate?
• Policies are complied with
• Controls are effective
• Controls are relevant to business
• Recommend improvements

Monitoring & Investigation
• An incident response team will become more important
• Incidents (attacks) are highly difficult to investigate
• Beware of data protection legislation
• … be prepared
• Awareness training is better than sanctioning
• Define sanctions in advance
• Be fair and consistent


Session 211 39 28.3.2000

IBAG framework levels
• Policy: Security Policy
• Organisation: Ownership, Awareness
• Practices: Areas/Topics, Baseline Controls, Specific Controls
• Procedures: Monitoring/Review, Installation/Operation

Summary
Creating the Information Security Management System

• Only 9 key tasks
• Start tomorrow

You need
• Long term commitment from senior management
• Team members and leader
• Team of 5-7, well trained and dedicated
• A top “IT Security Officer”