08 Information Security Management System - Introduction

8/8/2019 08 Information Security Management System - Introduction

Slide 1/27
2003-02 May-Lis Farnes and Inger Nordin, Lithuania 24-27 Feb-03, Security: Public 1

Information Security Management System (ISMS): Introduction

Inger Nordin

Slide 2/27: Agenda

• Information Security Management System, ISMS: introduction to business needs and advantages of information security
• Brief history and standards: ISO/IEC 17799:2000 and BS 7799-2:2002
• Implementation of an ISMS: risk management, process approach
• Accreditation and certification of ISMS: EA Guidelines, ISMS certification
• Comparison of ISMS, ISO 9001:2000 and ISO 14001:1996
• Certification status in Sweden and other countries
• Lessons learned
• Future trends
• Further information

Slide 3/27: Introduction, setting the scene
Is information security important?

Information is the key to success and growth for an organisation.

• 15,000 hospital records found in a waste bin
• 30,000 passwords to Internet accounts published on the Internet
• 25 people from the development department moved to a competitor
• Banks pay millions to blackmailing crackers
• 300,000 account numbers stolen, some published on the web
• Suspected spy employed by ABB
• Fire in a tunnel outside of Stockholm, Sweden

Slide 4/27: Introduction, setting the scene
Information security is important for the survival of a company

Gösta Ängell, former CEO, ABB Facilities Management:
"Facilities Management is a great deal about handling client information. It is therefore essential to be able to show that we are a company to trust."

Slide 5/27: Introduction, business needs and advantages of ISMS
Is the business dependent on an ISMS?

• Fastest growing interest today; the market is global: Singapore, India, Japan, China, Australia, Finland, Denmark, Sweden, Taiwan, Korea, Ireland, Germany, England, ...
• Certified companies in 25 countries (China, Japan, Holland, England, Sweden, Norway, Finland, USA, etc.)
• Benchmark: mergers and acquisitions, outsourcing, supplier control, trade between companies
• Business Continuity Planning!!!

Slide 6/27: Introduction
Benefits of implementing a Business Management System (BMS)

• Heightened security awareness
• Identification of critical assets
• Providing a structure for continuous improvement
• Confidence factor internally as well as externally
• Ensuring that the knowledge capital will be stored in a business management system
• Management awareness
• Enabling future demands from clients, stockholders and partners to be met
• More business

Erik Fogelberg, Information Security Manager, Gesab Engineering AB:
"We know that all our employees feel responsible for information security within the company."

Slide 7/27: Introduction, brief history
The development of 7799 up to today

1995: Initiative from the Department of Trade and Industry; BS 7799
1998: Project ISMS starts in Sweden; Swedish Standard SS 62 77 99 Part 1 & 2
1999: New issues of BS 7799 Part 1 & 2
2000: ISO/IEC 17799
2001: SS-ISO/IEC 17799 (Part 1); BS 7799 Part 2
2002: BS 7799 part 2:2002; ISO 17799-2???

Slide 8/27: Introduction, mapping of standards (figure)

• BS 7799 Part 2: specifications
• Guidelines (procedures) & control catalogues: ISO/IEC 17799; information security incident management
• Technical standards & specifications: IT network security, electronic signatures, encryption, authentication, access control, non-repudiation, time stamping, TTP services
• Product & product system testing, evaluation: ISO 15408, EN 45011, Protection Profile Register, Protection Profile Specification, Framework for IT Security Assurance
• Management system audits, certification & accreditation: ISO 19011, ISO Guide 62, EN 45012, EA 7/03
• Guidelines (processes): GMITS Part 3, GMITS Part 4
• ISO 9001

Slide 9/27: Introduction
Information security: structure (figure)

Information Security
• Administrative Security
• IT-Security
  • EDP-Security
  • Communication Security

(The figure labels the two top-level branches with 25% and 75%.)

Slide 10/27: Introduction
What is information security?

• Confidentiality
• Integrity
• Availability
• Traceability

Slide 11/27: Introduction
How to identify the security requirements?

CORRECT controls and the required degree of flexibility from the START!

1. Security risks
2. Legal and contractual requirements
3. Internal principles, objectives and requirements

Slide 12/27: Introduction
Information Security Management System - ISMS (figure)

Interested parties: information security requirements and expectations
-> Plan: Establish the ISMS
-> Do: Implement and operate the ISMS
-> Check: Monitor and review the ISMS
-> Act: Maintain and improve the ISMS
(development, maintenance and improvement cycle)
-> Interested parties: managed information security

Slide 13/27: Introduction
Risk assessment and risk management (figure)

Matrix with Consequence on one axis and Probability on the other, with the four risk treatment options placed in it: Move, Avoid, Reduce, Accept.

Slide 14/27: Introduction
Security level (figure)

Business needs -> Threat, Probability & Consequence = Risk -> Need for protection
The security level is the balance between Costs and Risks.

Slide 15/27: Introduction
Comparison: SHALL and SHOULD standards

BS 7799-2:2002 -- SHALL
1 Scope
2 Normative references
3 Terms and definitions
4 Information security management system
5 Management responsibility
6 Management review of the ISMS
7 ISMS improvement
Annex A (normative) Control objectives and controls: table mapping ISO/IEC 17799
Annex B (informative) Guidance on use of the standard
Annex C (informative) Comparison between ISO 9001:2000, ISO 14001:1996 and BS 7799-2:2002
Annex D (informative) Changes to internal numbering

ISO/IEC 17799:2000 -- SHOULD
1 Scope
2 Terms and definitions
3 Security policy
4 Organizational security
5 Asset classification and control
6 Personnel security
7 Physical and environmental security
8 Communications and operations management
9 Access control
10 Systems development and maintenance
11 Business continuity management
12 Compliance

Slide 16/27: Changes from BS 7799, part 2:1999 to BS 7799-2:2002

• Adapted to ISO 9001 and ISO 14001
  • Better description of the management system
  • Focus on the Plan, Do, Check and Act process
  • Focus on risk assessment, risk handling, ...
  • Corresponding tables: BS 7799, part 2, ISO 9001:2000 and ISO 14001; BS 7799, part 2:1999 and BS 7799, part 2:2002
• BS 7799-2 and ISO/IEC 17799 should be viewed as one entity
  • Requirements in part 2, including the description of the ISMS and Annex A with all the ISO/IEC 17799 controls

Slide 17/27: ISO/IEC 17799:2000
Chapter 1 Scope

• This standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization.
• It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.
• Recommendations from this standard should be selected and used in accordance with applicable laws and regulations.

Slide 18/27: BS 7799-2:2002
Chapter 1 Scope

• This standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks.
• It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
• The ISMS is designed to ensure adequate and proportionate security controls that adequately protect information assets and give confidence to customers and other interested parties. This can be translated into maintaining and improving competitive edge, cash flow, profitability, legal compliance and commercial image.

Slide 19/27: Introduction
3 Terms and definitions

3.1 availability: ensuring that authorized users have access to information and associated assets when required [ISO/IEC 17799:2000]
3.2 confidentiality: ensuring that information is accessible only to those authorized to have access [ISO/IEC 17799:2000]
3.3 information security: preservation of confidentiality, integrity and availability of information
3.4 information security management system, ISMS: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
3.5 integrity: safeguarding the accuracy and completeness of information and processing methods [ISO/IEC 17799:2000]

Slide 20/27: Introduction
3 Terms and definitions

3.6 risk acceptance: decision to accept a risk [ISO Guide 73]
3.7 risk analysis: systematic use of information to identify sources and to estimate the risk [ISO Guide 73]
3.8 risk assessment: overall process of risk analysis and risk evaluation [ISO Guide 73]
3.9 risk evaluation: process of comparing the estimated risk against given risk criteria to determine the significance of risk [ISO Guide 73]
3.10 risk management: coordinated activities to direct and control an organization with regard to risk [ISO Guide 73]
3.11 risk treatment: process of selection and implementation of measures to modify risk [ISO Guide 73]

Slide 21/27: ISMS Implementation according to BS 7799-2:2002
Process approach: Plan

Establish the ISMS
a) Define the scope of the ISMS
b) Define an ISMS policy
c) Define a systematic approach to risk assessment
d) Identify risks
e) Assess the risks
f) Identify and evaluate options for the treatment of risks
g) Select control objectives and controls for the treatment of risks
h) Prepare a Statement of Applicability
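The risk matrix of slides 13 and 14 ("Threat, Probability & Consequence = Risk"; Move, Avoid, Reduce, Accept) and Plan steps d) to h) above, worked through in code. This is an added example, not material from the slides or from BS 7799-2; the 1..5 scales, the quadrant-to-treatment mapping, the acceptable-risk criterion and the sample register are all assumptions made for the illustration.

```python
from dataclasses import dataclass

LEVELS = range(1, 6)  # 1 = very low ... 5 = very high (assumed scale)

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: int  # 1..5
    consequence: int  # 1..5

    def __post_init__(self):
        if self.probability not in LEVELS or self.consequence not in LEVELS:
            raise ValueError(f"probability and consequence must be 1..5: {self}")

def risk_score(risk):
    """Risk analysis (Plan, step e): estimate risk as probability x consequence."""
    return risk.probability * risk.consequence

def treatment_option(risk, high=3):
    """Plan, step f: place the risk in the consequence x probability matrix.

    Assumed quadrant mapping: high consequence and high probability -> avoid;
    high consequence, low probability -> move (transfer, e.g. insurance);
    low consequence, high probability -> reduce (apply controls); both low -> accept.
    """
    high_c, high_p = risk.consequence >= high, risk.probability >= high
    if high_c and high_p:
        return "avoid"
    if high_c:
        return "move"
    return "reduce" if high_p else "accept"

def build_register(risks, acceptable_risk=4):
    """Risk evaluation: compare each estimated risk with the acceptable-risk criterion;
    anything above it goes into the risk treatment plan (Do, step a). Highest first."""
    rows = [{"asset": r.asset, "threat": r.threat, "score": risk_score(r),
             "option": treatment_option(r),
             "needs_plan": risk_score(r) > acceptable_risk} for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample register for a small office (illustrative values only).
SAMPLE_RISKS = [
    Risk("backup tapes in transit", "loss of unencrypted tapes", 4, 5),
    Risk("server room", "fire", 1, 5),
    Risk("workstations", "malware via e-mail", 4, 2),
    Risk("internal newsletter", "disclosure", 1, 1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['score']:>2} {row['option']:<7} plan={row['needs_plan']} "
              f"{row['asset']}: {row['threat']}")
```

The rows flagged `needs_plan` are the ones that carry over into the Statement of Applicability (step h) and the Do-phase treatment plan; the `high` and `acceptable_risk` thresholds are the risk criteria an organisation has to set for itself in step c).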

Slide 22/27: ISMS Implementation according to BS 7799-2:2002
Process approach: Do

(Plan: Establish the ISMS)

Implement and operate the ISMS
a) Formulate a risk treatment plan
b) Implement the risk treatment plan
c) Implement controls
d) Implement training and awareness programmes
e) Manage operations
f) Manage resources
g) Implement procedures and other controls for incident handling

Slide 23/27: ISMS Implementation according to BS 7799-2:2002
Process approach: Check

(Plan: Establish the ISMS; Do: Implement and operate the ISMS)

Monitor and review the ISMS
a) Execute monitoring procedures and other controls
b) Undertake regular reviews of the effectiveness of the ISMS
c) Review the level of residual risk and acceptable risk
d) Conduct internal ISMS audits
e) Undertake management review of the ISMS
f) Record actions and events that could have an impact on the effectiveness or performance of the ISMS

Slide 24/27: ISMS Implementation according to BS 7799-2:2002
Process approach: Act

(Plan: Establish the ISMS; Do: Implement and operate the ISMS; Check: Monitor and review the ISMS)

Maintain and improve the ISMS
a) Implement the identified improvements
b) Take appropriate corrective and preventive actions
c) Communicate the results and actions and agree with all interested parties
d) Ensure that the improvements achieve their intended objectives

Slide 25/27: ISMS Implementation according to BS 7799-2:2002
Process approach (figure)

Development, maintenance and improvement cycle:
Plan: Establish the ISMS
Do: Implement and operate the ISMS
Check: Monitor and review the ISMS
Act: Maintain and improve the ISMS

Slide 26/27: Introduction
ISMS Implementation: continual improvement (figure)

Figure: performance (assurance of information security) plotted against time, with successive Plan, Do, Check, Act (P, D, C, A) turns as the Information Security Management System develops.

Slide 27/27: Introduction
Who needs an ISMS?

• Every organisation, company, firm or institution handling information: BASICALLY EVERYBODY!!!!!!!!!!!!!!!
  • Banks
  • IT companies
  • Government (example: tax office)
  • Consultancy firms
  • Hospitals
  • Schools and universities
  • Insurance companies
  • Certificate Service Providers, CSPs
  ... just to name a few!