Popular pitfalls in ISMS Compliance: A Certifying Body's perspective
21-Sep-2007

Uploaded by ramkumarr, posted 22-Jan-2015
Category: Education

DESCRIPTION

Independent view of what normally goes wrong in an ISMS audit

TRANSCRIPT

1. Popular pitfalls in ISMS Compliance: A Certifying Body's perspective

2. Contents

  • Introduction
  • Standard Evolution
  • Standard Organization
  • Future of the standard
  • Implementation issues

3. Standard Evolution

  • 1995: Initiative from the Department of Trade and Industry; BS 7799 Part 1
  • 1998: BS 7799 Part 2
  • 1999: New issue of BS 7799 Part 1 & 2
  • 2000: ISO/IEC 17799:2000
  • 2001: BS 7799-2:2002 drafted
  • Sep 2002: BS 7799-2:2002 passed and accepted
  • Jun 2005: ISO 17799:2005
  • Oct 2005: ISO/IEC 27001:2005

4. Standard Organization

  • Domains → Control Objectives → Controls

5. Standard Organization

  • Main body clauses
    • 4 Information Security Management System
    • 5 Management Responsibility
    • 6 Internal ISMS Audits
    • 7 Management Review of the ISMS
    • 8 ISMS Improvement
  • Annex A control domains
    • A.5 Information Security Policy
    • A.6 Organization of Information Security
    • A.7 Asset Management
    • A.8 Human Resources Security
    • A.9 Physical and Environmental Security
    • A.10 Communications and Operations Management
    • A.11 Access Control
    • A.12 Information Systems Acquisition, Development and Maintenance
    • A.13 Information Security Incident Management
    • A.14 Business Continuity Management
    • A.15 Compliance

6. Standard Organization (contd.)

  • The eleven control domains (Security Policy; Organization of Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance) surround the three properties of information they protect: Confidentiality, Integrity and Availability

7. Future of the standard

  • ISO/IEC 27000: Vocabulary and definitions
  • ISO/IEC 27001: Specification
  • ISO/IEC 27002: Code of Practice (ISO 17799:2005)
  • ISO/IEC 27003: Implementation Guidance
  • ISO/IEC 27004: Metrics and Measurement
  • ISO/IEC 27005: Risk Management (BS 7799-3)

8. What is an implementation issue?

  • Something the standard directly demands is not complied with
  • Diluted implementation
  • Misinterpretation of the standard

9. Implementation Issues - Scope

  • Scope of ISMS
    • Scope is hazy and does not include all the assets and technology
  • A good example of ISMS scope
    • The ISMS scope covers all critical systems, applications, networks, telecommunication links, human resources, and information assets. The scope also includes business operations, administrative functions, customer information, buildings, equipment, tools and utilities used in the execution of business of the organization at site A and site B.

10. Implementation Issues - Policy

  • Security Policy
    • Not visible in the organization
    • Not spread across the organization
    • Does not help in arriving at security objectives
  • Other Policies
    • Many other policies not defined, e.g. clear desk / clear screen policy, mobile computing policy, teleworking policy

11. Implementation Issues - Risk Assessment

  • Risk assessment not systematic
  • Risk assessment kicked off with the false comfort of existing controls
  • Some core assets not identified, e.g. design documents in an IT organization
  • Acceptable risk level not arrived at scientifically
  • Projects a no-residual-risk scenario

12. Implementation Issues - SoA Preparation

  • Only exclusions are justified; inclusions should be justified too
  • Bi-directional tracing from risks to controls and from controls to risks absent
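
The bi-directional tracing the slide asks for can be checked mechanically once the risk register and the SoA are held as structured data. The following is an added example written for this page, not code from the presentation or from any certifying body; the register rows, SoA rows and their justifications are constructed sample data, and the control identifiers follow ISO/IEC 27001:2005 Annex A numbering. It reports, in both directions, risks with no treating control, applicable controls that no risk points at, risks that rely on an excluded or unlisted control, and inclusions or exclusions left without a justification.

```python
"""Bi-directional traceability check between a risk register and a Statement of
Applicability (SoA).  Added illustration for this page, not code from the
presentation; the rows below are constructed sample data and the control ids
follow ISO/IEC 27001:2005 Annex A numbering."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    risk_id: str
    asset: str
    description: str
    controls: List[str]  # Annex A controls selected to treat this risk


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str  # must be filled in for inclusions AND exclusions


def check_traceability(risks: List[Risk], soa: List[SoaEntry]) -> Dict[str, list]:
    """Return findings keyed by category; all-empty lists mean the register and
    the SoA trace to each other in both directions."""
    soa_by_id = {e.control_id: e for e in soa}
    findings: Dict[str, list] = {
        "risk_without_control": [],   # risk that nothing treats
        "control_without_risk": [],   # applicable control no risk points at
        "unjustified_inclusion": [],  # applicable, but no reason recorded
        "unjustified_exclusion": [],  # excluded, but no reason recorded
        "risk_maps_to_excluded": [],  # register relies on an excluded control
        "risk_maps_to_unknown": [],   # register cites a control absent from SoA
    }
    referenced = set()
    # Direction 1: risk register -> SoA
    for r in risks:
        if not r.controls:
            findings["risk_without_control"].append(r.risk_id)
        for c in r.controls:
            referenced.add(c)
            entry = soa_by_id.get(c)
            if entry is None:
                findings["risk_maps_to_unknown"].append((r.risk_id, c))
            elif not entry.applicable:
                findings["risk_maps_to_excluded"].append((r.risk_id, c))
    # Direction 2: SoA -> risk register
    for e in soa:
        if not e.justification.strip():
            key = "unjustified_inclusion" if e.applicable else "unjustified_exclusion"
            findings[key].append(e.control_id)
        if e.applicable and e.control_id not in referenced:
            findings["control_without_risk"].append(e.control_id)
    return findings


def is_consistent(findings: Dict[str, list]) -> bool:
    return not any(findings.values())


# Constructed sample register and SoA (assumed data, not from any real ISMS).
RISKS = [
    Risk("R-01", "design documents", "Unauthorised disclosure of design documents",
         ["A.7.1.1", "A.11.2.1"]),
    Risk("R-02", "laptops", "Theft of laptop while off-premises", ["A.9.2.5"]),
    Risk("R-03", "log server", "Log tampering goes undetected", []),
    Risk("R-04", "vendor access", "Unsupervised third-party access", ["A.6.2.3"]),
]
SOA = [
    SoaEntry("A.7.1.1", True, "Asset inventory needed to treat R-01"),
    SoaEntry("A.11.2.1", True, ""),                                # included, not justified
    SoaEntry("A.10.10.6", True, "Clock sync for log correlation"),  # no risk cites it
    SoaEntry("A.6.2.3", False, ""),                                # excluded, not justified
    # A.9.2.5 is deliberately absent from the SoA although R-02 relies on it
]


def run_sample() -> Dict[str, list]:
    return check_traceability(RISKS, SOA)


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

Run against the sample data every category is non-empty, which is the point: a register that cites a control the SoA has excluded, or an applicable control that treats no recorded risk, is exactly what the auditor will find when tracing in the direction the organization did not.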

13. Implementation Issues - Monitoring

  • Information security review very weak
  • Obsolete risks not removed from the register
  • New risks not fully added

14. Implementation Issues - Internal Audit

  • Predominantly the CISO and team are the auditees
  • Sampling of other asset owners is rare
  • Absence of qualified internal auditors

15. Implementation Issues - Management Review

  • Not all review inputs required by the standard are addressed
  • Management appreciation of security issues very low

16. Implementation Issues - Improvement

  • Corrective action (CA) is more prevalent than preventive action (PA)
  • Analysis of incidents / non-compliances weak

17. Implementation Issues - External Parties

  • Third-party agreements do not stress security requirements
  • Third-party vendors not conspicuously identified in the facility

18. Implementation Issues - Asset Management

  • Owners of server-based software are identified but not their custodians
  • Only critical IT assets identified
  • Some core assets not properly identified
  • Asset labelling improper

19. Implementation Issues - HR Security

  • No systematic screening
  • Awareness training weak
  • Removal of access rights on termination or change of employment weak
  • Awareness of social engineering very low
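
One way to test whether removal of access rights actually happens, rather than just being written into the leaver procedure, is to reconcile HR's leaver list against a directory export. The following is an added example for this page, not code from the presentation; the CSV column names and every row are constructed assumptions, not any HR system's or directory's real export format. It flags leaver accounts still enabled after the last working day (with an optional grace period), leaver accounts that logged on after the person left, and enabled accounts with no employee link at all, which no leaver process would ever disable.

```python
"""Leaver reconciliation: compare HR's leaver list with a directory export and
flag access rights that were not removed.  Added illustration for this page, not
code from the presentation; the CSV column names and rows are constructed
assumptions, not any HR system's or directory's real export format."""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample exports (assumed formats and assumed people).
HR_LEAVERS_CSV = """employee_id,name,last_working_day
E1001,A. Kumar,2007-08-31
E1002,B. Singh,2007-09-14
E1003,C. Rao,2007-09-20
"""

DIRECTORY_CSV = """account,employee_id,enabled,last_logon
akumar,E1001,true,2007-09-10
bsingh,E1002,false,2007-09-13
crao,E1003,true,2007-09-19
svc_backup,,true,2007-09-20
dmehta,E1004,true,2007-09-21
"""


def parse_csv(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, dir_csv: str, as_of: date,
              grace_days: int = 0) -> Dict[str, List[str]]:
    """Return accounts that still hold access they should have lost.

    still_enabled    - leaver's account enabled more than grace_days after exit
    used_after_exit  - leaver's account logged on after the last working day
    no_employee_link - enabled account with no employee id, so nobody leaving
                       would ever trigger its removal
    """
    leavers = {row["employee_id"]: date.fromisoformat(row["last_working_day"])
               for row in parse_csv(hr_csv)}
    findings: Dict[str, List[str]] = {
        "still_enabled": [], "used_after_exit": [], "no_employee_link": []}
    for acct in parse_csv(dir_csv):
        enabled = acct["enabled"].strip().lower() == "true"
        emp = acct["employee_id"].strip()
        if not emp:
            if enabled:
                findings["no_employee_link"].append(acct["account"])
            continue
        last_day = leavers.get(emp)
        if last_day is None:
            continue  # HR says this person is still employed
        if enabled and as_of > last_day + timedelta(days=grace_days):
            findings["still_enabled"].append(acct["account"])
        if date.fromisoformat(acct["last_logon"]) > last_day:
            findings["used_after_exit"].append(acct["account"])
    return findings


def run_sample(as_of_iso: str = "2007-09-21",
               grace_days: int = 0) -> Dict[str, List[str]]:
    return reconcile(HR_LEAVERS_CSV, DIRECTORY_CSV,
                     date.fromisoformat(as_of_iso), grace_days)


if __name__ == "__main__":
    for category, accounts in run_sample().items():
        print(f"{category}: {accounts}")
```

The grace period is there so the check reports what the procedure actually promises (same-day removal versus removal within one working day), not an ideal nobody has committed to; the logon-after-exit finding is the one that turns a weak control into an incident, since it shows the leaver's credentials were used, not merely left enabled.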

20. Implementation Issues - Physical and Environmental Security

  • Network cables run outside the security perimeter
  • No controls on piggy-backing
  • Structured cabling absent
  • Security of equipment off-premises very weak
  • Movement of media, e.g. CDs, not controlled

21. Implementation Issues - Communications and Operations Management

  • Disposal of media very weak
  • Safety of media in transit not properly addressed
  • Logs not reviewed periodically
  • Clock synchronization not done

22. Implementation Issues - Access Control

  • Privilege management weak
  • Printouts left uncollected on printers
  • Clear desk / clear screen policy the most violated
  • Unabated installation of freeware, shareware, etc.
  • Laptops don't have updated virus signatures

23. Implementation Issues - IS Acquisition, Development and Maintenance

  • Domain applied only to the information systems developed to run the business, e.g. ERP, Enterprise Project Management, rather than to all information systems in scope
  • Impact analysis of changes very weak
  • Fallback plan for an unsuccessful software upgrade weak

24. Implementation Issues - Incident Management

  • Incident management seen as an impossible activity
  • Awareness of how to report an incident very low

25. Implementation Issues - BCP

  • BCPs are static
  • Scale of BCP very low vis-à-vis business need
  • BCP testing not done

26. Implementation Issues - Compliance

  • No single comprehensive list of applicable rules and regulations

27. Queries

  • Floor is yours!

28. Thank You. R. Ramkumar