8/8/2019 08 Information Security Management System - Introduction
1/27
2003-02 May-Lis Farnes and Inger Nordin, Lithuania 24-27 Feb-03, Security: Public 1
Information Security Management System (ISMS)
Introduction
Inger Nordin
Agenda
- Information Security Management System, ISMS
  - Introduction to business needs and advantages of information security
  - Brief history and standards, ISO/IEC 17799:2000 and BS 7799-2:2002
- Implementation of an ISMS
  - Risk management
  - Process approach
- Accreditation and certification ISMS
  - EA Guidelines
  - ISMS Certification
- Comparison ISMS, ISO 9001:2000 and ISO 14001:1996
- Certification status in Sweden and other countries
- Lessons learned
- Future trends
- Further information
Introduction - setting the scene
Is Information Security Important?
Information is the key to success and growth for an organisation.
- 15,000 hospital records found in a waste bin
- 30,000 passwords to Internet accounts published on the Internet
- 25 people from the development department moved to a competitor
- Banks pay millions to blackmailing crackers
- 300,000 account numbers stolen - some published on the Web
- Suspected spy employed by ABB
- Fire in a tunnel outside of Stockholm, Sweden
Introduction - setting the scene
Information Security - important for the survival of a company
Gösta Ängell, former CEO, ABB Facilities Management:
"Facilities Management is a great deal about handling client information. It is therefore essential to be able to show that we are a company to trust."
Introduction - business needs and advantages of ISMS
Business dependent on ISMS?
- Fastest growing interest today - the market is global... Singapore, India, Japan, China, Australia, Finland, Denmark, Sweden, Taiwan, Korea, Ireland, Germany, England, ...
- Certified companies in 25 countries (China, Japan, Holland, England, Sweden, Norway, Finland, USA, etc.)
- Benchmark
  - mergers and acquisitions
  - outsourcing
  - supplier control
  - trade between companies
- Business Continuity Planning!!!
Introduction
Benefits of implementing a Business Management System (BMS)
- Heightened security awareness
- Identification of critical assets
- Providing a structure for continuous improvement
- Confidence factor internally as well as externally
- Ensuring that the knowledge capital will be stored in a business management system
- Management awareness
- Enabling future demands from clients, stockholders and partners to be met
- More businesses
Erik Fogelberg, Information Security Manager, Gesab Engineering AB:
"We know that all our employees feel responsible for information security within the company."
Introduction - brief history
The development of 7799 up to today (timeline figure, items in the order shown):
- 1995 - 1998: Initiative from the Department of Trade and Industry; BS 7799; Project ISMS starts in Sweden; Swedish Standard SS 62 77 99 Part 1 & 2
- 1999: New issues of BS 7799 Part 1 & 2
- 2000: ISO/IEC 17799 (Part 1)
- 2001: SS-ISO/IEC 17799; BS 7799 Part 2
- 2002: BS 7799 Part 2:2002; ISO 17799-2???
Introduction - mapping of standards
(Figure: how the standards relate to each other. Labels recoverable from the diagram:)
- BS 7799 Part 2: Specifications
- ISO/IEC 17799: Guidelines (procedures) & control catalogues; information security incident management
- Technical standards & specifications: IT network security, electronic signatures, encryption, authentication, access control, non-repudiation, time stamping, TTP services
- Product & product system testing / evaluation: ISO 15408, EN 45011, Protection Profile Register, Protection Profile Specification, Framework for IT Security Assurance
- Management system audits, certification & accreditation: ISO 19011, ISO Guide 62, EN 45012, EA 7/03
- Guidelines (processes): GMITS Part 3, GMITS Part 4
- ISO 9001
Introduction
Information Security - structure
(Figure: Information Security is divided into Administrative Security and IT-Security; IT-Security is in turn divided into EDP-Security and Communication Security. The diagram labels the two main branches with a 25% / 75% split.)
Introduction
What is information security?
- Confidentiality
- Integrity
- Availability
- Traceability
Introduction
How to identify the security requirements?
CORRECT controls and the required degree of flexibility from the START!
1. Security risks
2. Legal and contractual requirements
3. Internal principles, objectives and requirements
Introduction
Information Security Management System - ISMS
(Figure: the development, maintenance and improvement cycle. Input: interested parties' information security requirements and expectations. Output: managed information security for the interested parties.)
- Plan: Establish the ISMS
- Do: Implement and operate the ISMS
- Check: Monitor and review the ISMS
- Act: Maintain and improve the ISMS
Introduction
Risk assessment and risk management
(Figure: a matrix with Probability on one axis and Consequence on the other; the four treatment options Accept, Reduce, Move and Avoid are placed according to where a risk falls in the matrix.)
Introduction
Security level
(Figure: Business needs together with the risk - Threat, Probability & Consequence = Risk - determine the need for protection; the security level is where costs are balanced against risks.)
Introduction
Comparison - SHALL and SHOULD standards
BS 7799-2:2002 -- SHALL
1 Scope
2 Normative references
3 Terms and definitions
4 Information security management system
5 Management responsibility
6 Management review of the ISMS
7 ISMS improvement
Annex A (normative) Control objectives and controls - table mapping ISO/IEC 17799
Annex B (informative) Guidance on use of the standard
Annex C (informative) Comparison between ISO 9001:2000, ISO 14001:1996 and BS 7799-2:2002
Annex D (informative) Changes to internal numbering
ISO/IEC 17799:2000 -- SHOULD
1 Scope
2 Terms and definitions
3 Security policy
4 Organizational security
5 Asset classification and control
6 Personnel security
7 Physical and environmental security
8 Communications and operations management
9 Access control
10 Systems development and maintenance
11 Business continuity management
12 Compliance
Changes from BS 7799, part 2:1999 to BS 7799-2:2002
- Adapted to ISO 9001 and ISO 14001
  - Better description of the management system
  - Focus on the Plan, Do, Check and Act process
  - Focus on risk assessment, risk handling, ...
  - Corresponding tables: BS 7799, part 2 / ISO 9001:2000 / ISO 14001, and BS 7799, part 2:1999 / BS 7799, part 2:2002
- BS 7799-2 and ISO/IEC 17799 should be viewed as one entity
  - Requirements in part 2 including the description of the ISMS and Annex A with all the ISO/IEC 17799 controls
ISO/IEC 17799:2000
Chapter 1 Scope
- This standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization.
- It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.
- Recommendations from this standard should be selected and used in accordance with applicable laws and regulations.
BS 7799-2:2002
Chapter 1 Scope
- This standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks.
- It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
- The ISMS is designed to ensure adequate and proportionate security controls that adequately protect information assets and give confidence to customers and other interested parties. This can be translated into maintaining and improving competitive edge, cash flow, profitability, legal compliance and commercial image.
Introduction
3 Terms and definitions
3.1 availability: ensuring that authorized users have access to information and associated assets when required [ISO/IEC 17799:2000]
3.2 confidentiality: ensuring that information is accessible only to those authorized to have access [ISO/IEC 17799:2000]
3.3 information security: preservation of confidentiality, integrity and availability of information
3.4 information security management system, ISMS: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
3.5 integrity: safeguarding the accuracy and completeness of information and processing methods [ISO/IEC 17799:2000]
Introduction
3 Terms and definitions
3.6 risk acceptance: decision to accept a risk [ISO Guide 73]
3.7 risk analysis: systematic use of information to identify sources and to estimate the risk [ISO Guide 73]
3.8 risk assessment: overall process of risk analysis and risk evaluation [ISO Guide 73]
3.9 risk evaluation: process of comparing the estimated risk against given risk criteria to determine the significance of risk [ISO Guide 73]
3.10 risk management: coordinated activities to direct and control an organization with regard to risk [ISO Guide 73]
3.11 risk treatment: process of selection and implementation of measures to modify risk [ISO Guide 73]
ISMS Implementation according to BS 7799-2:2002
Process Approach - Plan
Establish the ISMS
a) Define the scope of the ISMS
b) Define an ISMS policy
c) Define a systematic approach to risk assessment
d) Identify risks
e) Assess the risks
f) Identify and evaluate options for the treatment of risks
g) Select control objectives and controls for the treatment of risks
h) Prepare a Statement of Applicability
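As an added worked example (not from the slides) of Plan steps d) to h) together with the risk model of the earlier slides (Threat, Probability & Consequence = Risk; treatment options Accept, Reduce, Move, Avoid), the Python below scores a constructed risk register, picks a treatment option for each risk, and derives a Statement of Applicability from the selected controls. The 1-5 rating scales, the product as risk score, the placement of the four options in the matrix, the acceptable-risk threshold and the sample risks are all assumptions; the chapter numbers are those of ISO/IEC 17799:2000 from the comparison slide.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    asset: str
    threat: str
    probability: int   # 1 (rare) .. 5 (almost certain); assumed scale
    consequence: int   # 1 (negligible) .. 5 (severe); assumed scale
    controls: list = field(default_factory=list)  # ISO/IEC 17799 chapters

    def score(self) -> int:
        # Slide: "Threat, Probability & Consequence = Risk"; the product is an assumption
        return self.probability * self.consequence

def treatment(r: Risk, high: int = 4) -> str:
    """Assumed matrix: Avoid = likely and severe, Move (transfer) = severe but rare,
    Reduce = likely but bounded, Accept = low on both axes."""
    high_p, high_c = r.probability >= high, r.consequence >= high
    if high_p and high_c:
        return "Avoid"
    return "Move" if high_c else "Reduce" if high_p else "Accept"

def treatment_plan(register: list, acceptable: int) -> list:
    """Plan steps d)-g): assess each risk and pick a treatment option."""
    plan = []
    for r in sorted(register, key=Risk.score, reverse=True):
        option = "Accept" if r.score() <= acceptable else treatment(r)
        plan.append({"asset": r.asset, "threat": r.threat, "risk": r.score(),
                     "treatment": option,
                     "controls": [] if option == "Accept" else r.controls})
    return plan

def statement_of_applicability(plan: list, catalogue: dict) -> dict:
    """Plan step h): for each catalogue chapter, applicable or not, and why."""
    soa = {ch: {"title": t, "applicable": False, "justification": []}
           for ch, t in catalogue.items()}
    for row in plan:
        for ch in row["controls"]:
            soa[ch]["applicable"] = True
            soa[ch]["justification"].append(f"{row['asset']}: {row['threat']}")
    return soa

CATALOGUE = {"7": "Physical and environmental security", "8": "Communications and operations management",
             "9": "Access control", "11": "Business continuity management"}
REGISTER = [  # constructed sample register; ratings are illustrative
    Risk("customer files on contractor laptops", "lost unencrypted", 4, 5, ["9"]),
    Risk("hospital records", "disposed of in ordinary waste", 4, 3, ["8"]),
    Risk("Internet accounts", "passwords leaked and published", 4, 3, ["9"]),
    Risk("data centre", "fire in cable tunnel cuts connectivity", 1, 5, ["11"]),
    Risk("canteen notice board", "menu out of date", 3, 1, []),
]
```

Running `treatment_plan(REGISTER, acceptable=4)` gives Avoid, Reduce, Reduce, Move, Accept in score order, and the Statement of Applicability then marks chapters 8, 9 and 11 applicable with the risks that justify them, while chapter 7 is recorded as not applicable.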
ISMS Implementation according to BS 7799-2:2002
Process Approach - Do
Plan: Establish the ISMS
Do: Implement and operate the ISMS
a) Formulate a risk treatment plan
b) Implement the risk treatment plan
c) Implement controls
d) Implement training and awareness programmes
e) Manage operations
f) Manage resources
g) Implement procedures and other controls for incident handling
ISMS Implementation according to BS 7799-2:2002
Process Approach - Check
Plan: Establish the ISMS
Do: Implement and operate the ISMS
Check: Monitor and review the ISMS
a) Execute monitoring procedures and other controls
b) Undertake regular reviews of the effectiveness of the ISMS
c) Review the level of residual risk and acceptable risk
d) Conduct internal ISMS audits
e) Undertake management review of the ISMS
f) Record actions and events that could have an impact on the effectiveness or performance of the ISMS
ISMS Implementation according to BS 7799-2:2002
Process Approach - Act
Plan: Establish the ISMS
Do: Implement and operate the ISMS
Check: Monitor and review the ISMS
Act: Maintain and improve the ISMS
a) Implement the identified improvements
b) Take appropriate corrective and preventive actions
c) Communicate the results and actions and agree with all interested parties
d) Ensure that the improvements achieve their intended objectives
ISMS Implementation according to BS 7799-2:2002
Process Approach - the complete cycle
(Figure: the development, maintenance and improvement cycle of the ISMS implementation)
- Plan: Establish the ISMS
- Do: Implement and operate the ISMS
- Check: Monitor and review the ISMS
- Act: Maintain and improve the ISMS
Introduction
ISMS Implementation - Continual Improvement
(Figure: assurance (information security) and performance plotted against time; each Plan-Do-Check-Act turn of information security management system development raises the level.)
Introduction
Who needs ISMS?
- Every organisation, company, firm or institution handling information: BASICALLY EVERYBODY!!!!!!!!!!!!!!!
  - Banks
  - IT companies
  - Government (example: tax office)
  - Consultancy firms
  - Hospitals
  - Schools and universities
  - Insurance companies
  - Certificate Service Providers, CSPs
  - ...just to name a few!