Is awareness government

An Overview by Zaituni Mmari (Information Security Officer)

Posted on 22-Jan-2015


Page 1: Is awareness government

An Overview by Zaituni Mmari (Information Security Officer)

Page 2: Is awareness government

Four Questions
What's it all about?
Why does it matter to the Government of Tanzania?
How does it work?
What do we have to do for the Government of Tanzania?

Page 3: Is awareness government

What is Information Security?
The use of an ISMS (Information Security Management System) for the systematic preservation, in the Government of Tanzania, of the Availability, Confidentiality and Integrity of its information (and its information systems).
Also involves Authenticity, Accountability, Non-repudiation and Reliability.

Information risk
All information systems have vulnerabilities that can be exploited by threats in ways that can have significant impacts on the effectiveness, value and long-term survival of the Government of Tanzania's information systems.
When exploited, those threats will have an impact on the effectiveness of the TZ government's information systems, and NOT directly on the effectiveness of the TZ government itself.

Page 4: Is awareness government

Why do we need to implement an ISMS in the Government of Tanzania?
We have valuable assets
  Intellectual property
  Valuable government information
  Data about staff, customers, suppliers
  Organizational know-how
We have legal and regulatory compliance requirements
  Data protection and privacy
  Specific legislation
We are IT dependent
  An IT failure (eg hardware, power failure, acts of nature) is an institution failure
  IT is not completely secure
  IT is not inter-compatible

Page 5: Is awareness government

Why does information security matter to the Government of Tanzania?
External threats
  Viruses, worms, Trojans: 100,000+ 'in the wild'
  Hackers, with automated attacks: now big business (botnets, zero-day attacks)
  Spam: 80%+ of all e-mail; now big business (botnets, blended attacks)
  Cyber-criminals: phishing, identity theft, grand larceny
  Fraud, cyber terrorism
  Competitors
  Malcontents, activists
  Anyone with a computer!
Internal threats
  Fraud, error, unauthorized or illegal system use, data theft

Page 6: Is awareness government

How can the ISO27001/ISO17799 standards help the Government of Tanzania?
A Standard is "a document established by consensus and approved by a recognized body, that provides for common and repeated use rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context"
Two-part ISMS standard
  ISO 27001 (BS7799-2) specifies how to design an information security management system ('ISMS'): how the ISMS should work, not what should be in it
  ISO17799 (BS7799-1) is an international code of practice for information security best practice that supports and fleshes out BS7799-2: what should be in the ISMS, not how it should work
History and future
  BS7799 originated in the UK; part 1 adopted by ISO
  Revised every five years; now ten years old
  1300+ BS7799-2 certifications; even more ISO17799 systems in place
  Now the ISO 27001 series, from November 2005

Page 7: Is awareness government

Why does the Government of Tanzania have to use the standard?
Best practice specification and guidance
A MANAGEMENT SYSTEM
  Technology agnostic
  Non-technical
  Non-jurisdictional
  Systematic and comprehensive
  Proven in many industries and organizations
  Includes international best practice
  Internationally understood
  Capable of external certification
  Commonly accepted best practice
  100+ new BS7799-2 certifications/month
  ISO27001 and ISO9001

Page 8: Is awareness government

What is an ISMS?
A defined, documented management system (within a defined organization, the 'scope'). It contains:
  A board-approved, high-level information security policy: defines information security, the components and purpose of the ISMS, and evidences to the business that management is committed to a defined and systematic approach to information security
  A corporate risk treatment plan: describes how different types of risk are to be treated
  An inventory of important information assets (data and systems) that fall within the scope
  An assessment of vulnerabilities, threats and risks ('risk assessment') to those assets
  An ISMS Manual that contains a Statement of Applicability: identifies a set of controls (responses to / countermeasures for) that respond to each of the identified risks
  A comprehensive, inter-related suite of processes, policies, procedures and work instructions
The ISMS must be
  Systematically implemented and managed
  Reviewed, audited and checked
  Continuously improved
Certification
  Valuable but not always essential
  The final stage
  Carried out by a third-party certification body
  Evidence as to the completeness and quality of the ISMS

Page 9: Is awareness government

ISO 27001 - a Closer Look
ISO 27001:2005 (BS7799-2:2005) is the current version: "Information security management systems – specification with guidance for use"
"Specification" means "this is how it must be done"
Specification for
  Establishing and managing the ISMS
  Implementing and operating the ISMS
  Monitoring and reviewing the ISMS
  Maintaining and improving the ISMS
  Control of documents
  Management responsibility
  Management review of the ISMS
  ISMS improvement
  Control objectives and controls (Annex A)
Not exhaustive

Page 10: Is awareness government

What is a 'Control'?
A vulnerability gives rise to a threat
A threat might have an impact (financial, operational) if it materialises
A risk is a threat that has a likelihood of materialising and an impact (a threat ≠ a risk)
Risks are at different levels (eg high/catastrophic, medium/affordable, low/insignificant)
A control is a response to or countermeasure for a risk
  Controls reduce risk, they don't eliminate it
  Controls should only be implemented in response to specific, identified risks
  A combination of technology, behaviour and procedure. Eg: anti-virus control:
    Software installed on gateway and desktops
    Procedure for ensuring regular updates
    Staff trained not to open unexpected attachments
  Cost of control ≤ cost of impact
Every asset has multiple risks
Every risk has a control
Some controls apply to many risks
ISO17799 has best practice guidance on control selection
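As an added illustration of the rules on this slide (not part of the presentation), a small Python risk register that rates each risk at the three levels named above, selects a control for a risk only when the cost of the control is at most the cost of the impact, and flags both risks left without a control and controls that respond to no identified risk. The scoring thresholds, the sample assets and all cost figures are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int     # 1 (unlikely) .. 3 (likely)
    impact: int         # 1 (insignificant) .. 3 (catastrophic)
    impact_cost: float  # constructed estimate of the cost if the threat materialises

@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    treats: tuple       # ids of the risks this control responds to (one control may cover many)

def risk_level(likelihood, impact):
    """Rate a risk at the slide's three levels; the score thresholds are an assumption."""
    score = likelihood * impact  # 1..9
    return "high/catastrophic" if score >= 6 else "medium/affordable" if score >= 3 else "low/insignificant"

def select_controls(risks, controls):
    """Map each risk id to the controls justified for it: cost of control <= cost of impact."""
    by_id = {r.rid: r for r in risks}
    chosen = {r.rid: [] for r in risks}
    for c in controls:
        for rid in c.treats:
            if rid in by_id and c.cost <= by_id[rid].impact_cost:
                chosen[rid].append(c.name)
    return chosen

def untreated_risks(risks, controls):
    """Risks left with no justified control: gaps the Statement of Applicability must explain."""
    return sorted(rid for rid, names in select_controls(risks, controls).items() if not names)

def unjustified_controls(risks, controls):
    """Controls that respond to no identified risk (the slide says not to implement these)."""
    known = {r.rid for r in risks}
    return sorted(c.name for c in controls if not set(c.treats) & known)

# Constructed sample register (figures are illustrative, not from the presentation).
RISKS = [
    Risk("R1", "staff desktops", "malware in e-mail attachment", 3, 2, 50_000),
    Risk("R2", "HR database", "theft of staff personal data", 2, 3, 200_000),
    Risk("R3", "server room", "power failure", 1, 2, 20_000),
]
CONTROLS = [
    Control("anti-virus on gateway and desktops", 10_000, ("R1",)),
    Control("access control on HR database", 15_000, ("R2",)),
    Control("staff awareness training", 5_000, ("R1", "R2")),
    Control("UPS and generator", 30_000, ("R3",)),    # costs more than the impact: not justified
    Control("biometric turnstiles", 40_000, ("R9",)), # responds to no identified risk
]
```

Running `untreated_risks(RISKS, CONTROLS)` on the sample returns R3, showing the slide's point that a control costing more than the impact is not the right response and the risk needs a different treatment.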

Page 11: Is awareness government

ISO17799 – a Closer Look
ISO/IEC 17799:2005 is the current version: "Information technology – Security techniques – Code of practice for information security management"
It "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management"
"The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. [It] is intended as a common basis and practical guideline for developing the Government of Tanzania security standards and effective security management practices, and to help build confidence in inter-organizational activities."

Page 12: Is awareness government

ISO 17799:2005 - Contents
11 chapters, 132 controls
Best practice control objectives and controls for:
  security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance
Not exhaustive

Page 13: Is awareness government

How do we create an ISMS?
PLAN: Identify assets, scope, carry out risk assessment, create policies, processes
DO: Implement the defined and agreed processes (no action required for accepted risks)
CHECK: Assess performance against defined policies
ACT: Take corrective and preventive action to continually improve the operation of the ISMS

[PDCA cycle diagram: Plan → Do → Check → Act]

Page 14: Is awareness government

ISMS Project Roadmap

Page 15: Is awareness government

Documentation Structure
Four tiers, by document type (required authorization); detail in ISMS Manual 2.2

Tier 1: Policy (Board)
  Setting the policy: strategic, high level, relatively unchanging; Board approved. The ISMS manual, SoA and risk treatment plan all reflect its principles and demonstrate board accountability.
Tier 2: Procedures (Executive)
  Implementing the policy: setting out business requirements, procedures and processes; change infrequently but have multiple overlaps and impacts on operational activity and business behaviours.
Tier 3: Work Instructions (Operational)
  Making the policy work: detailed, step-by-step descriptions of how to perform individual tasks; subject to regular review and improvement.
Tier 4: Records (All users and usages)
  Records of what happened: minutes, logs, reports, etc.; information about how the ISMS is performing.

Page 16: Is awareness government

Sequential mini-projects
Design and implement the ISMS area-by-area
  Divisional, geographic, functional, OR
  Control-by-control (priority determined by a high-level strategic risk assessment)
Standard PDCA approach always applies
  Identify scope of the mini-project (plan)
  Identify assets within the scope (plan); allow for multiple scopes applying to the same assets
  Risk assessment for those assets (plan)
  Identify appropriate control(s) and gain approval (plan); ensure overlaps are identified and allowed for (cross-linkages are already in the templates)
  Implement chosen control (including training) (do)
  Monitor, review and audit control operation (check)
  Identify and implement improvements (act)

Page 17: Is awareness government

Massively parallel approach
Designed to get the whole organization to project completion quickly and completely
  All procedures tackled simultaneously
  All work instructions tackled simultaneously and in parallel
  Implementation of procedures and work instructions happens as soon as each is complete
  Monitor, audit and review cycle starts immediately each work instruction is implemented
This approach works best in organizations that already have an ISMS that needs to be documented and brought into line with international best practice
Only possible using the ITG toolkit, because the templates all exist and all cross-linkages and dependencies have been identified and included
Requires experienced project management, a committed project team and focused top management support

Page 18: Is awareness government

Some concerns?
Procedure for procedure's sake
  Leads to robust, improvable processes that make the business work better
Restrictive on staff
  Yes, but it also clarifies what is acceptable and what isn't, so that everyone is 'on the same page'
Just another management system
  It's an extension to existing management systems (and is integrated into them)
  Removes IT uncertainty, improves internal efficiencies, improves customer service
Who really cares?
  Our users
  Regulators and the law
  Our business partners
  You, because it makes your working environment more efficient with fewer interruptions

Page 19: Is awareness government

Summary of benefits
  Recognized accreditation
  Assurance to our customers that their data is safe with us
  Assurance to our employees, partners and suppliers that their data is safe with us
  Information security policy that fits the business needs
  Reduced outages, stoppages and other information security frustrations
  Aligned with government goals
  Security spend proportionate to value at risk
  Everyone responsible, not just the IT department
  Formalisation of policies and procedures that are already in place

Page 20: Is awareness government

Next steps
  Management owns information security, approves the policy
  Departments are responsible for their own assets and processes, risks and counter-measures
  You are all responsible for key parts of the information and IT infrastructure
  Information asset and process inventory
  Identification, by asset and process, of vulnerabilities, threats, impacts and risks
  Finalization of draft procedures to tie in with policy and Statement of Applicability
  Commencement of work instruction drafting: should be carried out by individual asset owners/system administrators
Timetable
  Start date
  Finish date
Other issues

Page 21: Is awareness government

Remember!

Page 22: Is awareness government

???

Page 23: Is awareness government

Thank you