Information Security Management – Management System Requirements, Code of Practice for Controls, and Risk Management
Supervision: Assistant Professor Dr. Sana’a Wafa Al-Sayegh
ITGD 2202 Tamer abo lehia
Security Management
Background of ISMS Standards
Information Security Management System (ISMS) standards have been produced to help organisations come up with cost-effective answers to questions like:
– Why does the same type of information security problem come up again and again?
– Why does the IT department keep asking for more and more money to solve information security problems (that don’t go away)?
– How can we do information security well when IT is core to our business, but not our core business?
Origins in UK business in the 1990s, pooling knowledge of best practice
– Initial focus on controls (now published as ISO/IEC 17799:2005)
– Enhanced with a management decision-making framework (now published as ISO/IEC 27001:2005)
Recently internationalised and updated by ISO/IEC
STANDARDS AUSTRALIA SECURITY FORUM
Nationally:
– Large corporates (e.g. ANZ, Shell, Bluescope, Telstra)
– Information and IT security specialists (e.g. Witham Labs, Pacific Research, Fujitsu, Megaprime)
Internationally:
– Representatives from large corporates in the IT and other sectors, information security specialists from specialist business and government organizations
• Australia, Austria, Belgium, Brazil, Canada, China, Czech Republic, Denmark, Finland, France, Germany, India, Italy, Japan, Kenya, Luxembourg, Malaysia, New Zealand, Netherlands, Norway, Poland, Russia, Singapore, Spain, South Africa, South Korea, Sri Lanka, Sweden, Switzerland, UK, Ukraine, USA
Organisations involved in the development of the ISMS Standards
These standards are relevant to any organisation reliant on information and IT
– Large corporates
– SMEs
– Government agencies
Focus is on organizations that can’t justify a staff of information security specialists
– Value is provided by making pooled, peer reviewed, best practices for the management and implementation of an information security programme available to all at a modest cost
The target audience and the value the ISMS Standards bring to the market
The ISMS standards specify a framework for organisations to manage information security aspects of their business, and if necessary to demonstrate to other parties (e.g. business partners, auditors, customers, suppliers) their ability to manage information security.
Objectives of the Standards
ISO/IEC 27001: ‘Information Security Management Systems - Requirements’ is the foundational standard; it is applicable to all types of organisation and all sectors of the economy.
It specifies a risk-based management system that is designed to ensure that organisations select and operate adequate and proportionate (i.e. cost effective) security controls to protect information assets.
– It uses the ‘plan-do-check-act (improve)’ model used in environment and quality management standards.
– It is specified to allow implementation integrated within broader management systems.
• The standard shows how requirements relate to the OECD Guidelines for the Security of Information Systems and Networks.
Key Elements / Scope of the ISMS Standards
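The risk-based selection of ‘adequate and proportionate’ controls described above, as an added worked example that is not part of the original presentation and does not come from the ISO/IEC standards themselves. Asset names, loss figures, control costs, the tolerance level and the net-benefit selection rule are all constructed assumptions; ISO/IEC 27001 does not prescribe a calculation, and a real ISMS would take these figures from its own risk assessment method (the area ISO/IEC 27005 covers).

```python
"""Added illustration, not part of the original presentation: a minimal
risk register showing what "select adequate and proportionate (cost
effective) controls" and the Plan/Check steps of the ISMS cycle can look
like in practice.  All assets, threats, figures and the selection rule are
constructed assumptions; ISO/IEC 27001 prescribes no particular method."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # assumed yearly cost of operating the control
    reduction: float     # assumed fraction of expected loss it removes (0..1)


@dataclass
class Risk:
    asset: str
    threat: str
    single_loss: float   # assumed cost of one incident
    annual_rate: float   # assumed incidents per year
    candidates: list = field(default_factory=list)
    selected: list = field(default_factory=list)

    @property
    def ale(self) -> float:
        """Annualised loss expectancy with no new controls."""
        return self.single_loss * self.annual_rate

    @property
    def residual_ale(self) -> float:
        """Expected loss once the selected controls are applied; their
        reductions are assumed to compound independently."""
        loss = self.ale
        for c in self.selected:
            loss *= 1.0 - c.reduction
        return loss


def plan_treatment(risk: Risk) -> list:
    """Plan step: repeatedly add the candidate with the largest positive net
    benefit (loss avoided minus cost) against the *current* residual loss.
    A control with no positive net benefit is not proportionate and is left
    out, so a risk may stay above tolerance; that is what Check reports."""
    remaining = list(risk.candidates)
    while remaining:
        scored = [(risk.residual_ale * c.reduction - c.annual_cost, c)
                  for c in remaining]
        net, best = max(scored, key=lambda t: t[0])
        if net <= 0:
            break
        risk.selected.append(best)
        remaining.remove(best)
    return [c.name for c in risk.selected]


def check_register(register: list, tolerance: float) -> list:
    """Check step: assets whose residual loss still exceeds the organisation's
    tolerance and therefore need a management decision (formal acceptance,
    another treatment, or transfer) in the Act step."""
    return [r.asset for r in register if r.residual_ale > tolerance]


def build_sample_register() -> list:
    """Three constructed entries with purely illustrative figures."""
    return [
        Risk("customer database", "ransomware", single_loss=200_000, annual_rate=0.1,
             candidates=[Control("offline backups", 5_000, 0.7),
                         Control("endpoint detection", 30_000, 0.9)]),
        Risk("public website", "defacement", single_loss=5_000, annual_rate=0.5,
             candidates=[Control("web application firewall", 8_000, 0.8)]),
        Risk("laptop fleet", "device loss", single_loss=50_000, annual_rate=0.4,
             candidates=[Control("full-disk encryption", 2_000, 0.95)]),
    ]


def run_cycle(tolerance: float = 5_000) -> dict:
    """One pass of Plan then Check over the sample register."""
    register = build_sample_register()
    plan = {r.asset: plan_treatment(r) for r in register}
    return {"plan": plan, "above_tolerance": check_register(register, tolerance)}


if __name__ == "__main__":
    for key, value in run_cycle().items():
        print(key, value)
```

Running it shows the point the slides make: after the Plan step one risk is still above tolerance because the only remaining candidate control is not cost effective, which is exactly what the Check (monitor and review) step must surface so that management, not the IT department alone, decides what happens in the Act step.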
Foundations (ISO/IEC 27001):
- Establishing, implementing, operating, maintaining and improving an ISMS
- Documentation requirements
- Management responsibilities
- Internal audits and management reviews
Supporting Standards:
ISO/IEC 27000 – ISMS fundamentals and vocabulary (under development)
ISO/IEC 27002 – Code of practice for information security management (controls) (ISO/IEC 17799 to be renumbered next year)
ISO/IEC 27003 – ISMS implementation guide (under development)
ISO/IEC 27004 – Measurement and metrics (under development)
ISO/IEC 27005 – Risk management (under development)
ISO/IEC 27006 – Requirements for the accreditation of bodies providing certification of ISMS (under development)
Content of the ISMS Standards
Figure: the Plan-Do-Check-Act cycle of the ISMS
- Plan: Establish the ISMS
- Do: Implement and operate the ISMS
- Check: Monitor and review the ISMS
- Act: Maintain and improve the ISMS
There are also generally applicable ISO/IEC and/or Australian/NZ Standards covering:
- Digital signatures
- Encryption (algorithms, modes of operation, key management)
- Entity authentication
- Hash functions
- Intrusion detection
- IT evidence collection
- Message authentication codes
- Network security
- Non-repudiation
- Prime numbers
- Random numbers
- Security evaluation of products
- Security incident management
- Time-stamping
- Trusted third party services
ISMS - the tip of the iceberg
Call to action
Poor information security outcomes are commonly the result of poor management and not poor technical controls.
The 27000 series of ISMS Standards tackles the information security problems we face from the management perspective.
- It is not easy, but it is best practice and it works