Project proposal (week 4)
• The goal of the project is to find applicable measurement and metric methods to improve processes:
  – for the ISO 27000 series of standards (27001 and 27004)
  – for ITIL
  – for Business Continuity and BS 25999
  – for Disaster Recovery
  – for penetration testing
  – for operational and security incident management
  – for risk management
  – a secure method for visual authentication
  – mobile security access with speech recognition
  – other topic agreed with the lecturer
• Literature review on the selected topic: between 500 and 1000 words
• Proposal for improvements of the chosen method, approach or technique: up to 2000 words
• List of references
• Document prepared in two columns, as it should be prepared for a conference paper
• Weekly report on updates
Project proposal (week 9)

Candidate        | Topic                                                                                                   | Literature review draft | Paper
Azizah Ibrahim   | Mobile IPv6 handover packet loss avoidance                                                              | NO                      | NO
Emina Aličković  | A Novel Intrusion System Based on Support Vector Machines                                               | NO                      | NO
Jasmin Kevrić    | Algorithm improvement for the network anomaly detection using improved KDD 2009                         | NO                      | NO
Adnan Miljković  | Implementation of two factor authentication for web application                                         | YES (463 words)         | NO
Fatih Ozturk     | Evolutionary Computation Method Application for Network Intrusion Detection System using Real Network Data | NO                   | NO
Tarik Kraljić    | NO                                                                                                      | NO                      | NO
Adnan Kraljić    | NO                                                                                                      | NO                      | NO
Lectures Schedule

Week    | Topic
Week 1  | Introduction to IT governance
Week 2  | Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
Week 3  | Information Technology Service Management: ISO 20000-1 and ISO 20000-2
Week 4  | ITIL
Week 5  | Business Continuity: BS 25999-1 and BS 25999-2
Week 6  | Disaster Recovery
Week 7  | COBIT
Week 8  | Midterm
Week 9  | Project implementation (ISO 10006 and ISO 27003)
Week 10 | Risk Management (ISO 27005)
Week 11 | Application and Network Security and security testing
Week 12 | Specific Requirements and Controls Implementation (ISO 27002)
Week 13 | Operational and Security Incident Management
Week 14 | Performance Measurement and Metrics (ISO 27004)
Week 15 | Audit (ISO 19011) and the Plan-Do-Check-Act improvement cycle
• Standard title: ISO/IEC 27003:2010 Information technology — Security techniques — Information security management system implementation guidance
• ISO/IEC 27003 provides implementation guidance to help those implementing the ISO27k standards.
• Purpose of the standard
  – ISO/IEC 27003 guides the design of an ISO/IEC 27001-compliant ISMS, leading up to the initiation of an ISMS implementation project. It describes the process of ISMS specification and design from inception to the production of implementation project plans, covering the preparation and planning activities prior to the actual implementation, and taking in key elements such as:
    • management approval and final authorization to proceed with the implementation project;
    • scoping and defining the boundaries in terms of ICT and physical locations;
    • assessing information security risks and planning appropriate risk treatments, where necessary defining information security control requirements;
    • designing the ISMS;
    • planning the implementation project.
• The standard references and builds upon other ISO27k standards, particularly the normative standards ISO/IEC 27000 and ISO/IEC 27001.
Structure and content of the 27003:2010 standard
• Here is the structure, down to the second level headings:
• 1. Scope
• 2. Normative references
• 3. Terms and definitions
• 4. Structure of this international standard
– 4.1 General structure of clauses
– 4.2 General structure of a clause
– 4.3 Diagrams
• 5. Obtaining management approval for initiating an ISMS project
– 5.1 Overview of management approval for initiating the ISMS project
– 5.2 Clarify the organization’s priorities to develop an ISMS
– 5.3 Define the preliminary ISMS scope
– 5.4 Create the business case and the project plan for management approval
• 6 Defining ISMS scope, boundaries and ISMS policy
– 6.1 Overview on defining ISMS scope, boundaries and ISMS policy
– 6.2 Define organizational scope and boundaries
– 6.3 Define information communication technology (ICT) scope and boundaries
– 6.4 Define physical scope and boundaries
– 6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries
– 6.6 Develop the ISMS policy and obtain approval from management
• 7 Conducting information security requirements analysis
– 7.1 Overview of conducting information security requirements analysis
– 7.2 Define information security requirements for the ISMS process
– 7.3 Identify assets within the ISMS scope
– 7.4 Conduct an information security assessment
• 8 Conducting risk assessment and planning risk treatment
– 8.1 Overview of conducting a risk assessment and risk treatment planning
– 8.2 Conduct risk assessment
– 8.3 Select the control objectives and controls
– 8.4 Obtain management authorization for implementing and operating an ISMS
• 9 Design the ISMS
  – 9.1 Overview of designing an ISMS
  – 9.2 Design organizational information security
  – 9.3 Design ICT and physical information security
  – 9.4 Design ISMS specific information security
  – 9.5 Produce the final ISMS project plan
• Annex A
– An ISMS implementation checklist
• Annex B – Roles and responsibilities for information security
• Annex C – Information about internal auditing
• Annex D – Information security policy structure
• Annex E – Monitoring and measuring the ISMS
• Bibliography
ISO 10006:2004 Quality management systems – Guidelines for quality management in projects
• 4. Quality management systems in projects
  – 4.1 Project characteristics
  – 4.2 Quality management systems
• 5. Management responsibility
  – 5.1 Management commitment
  – 5.2 Strategic process
  – 5.3 Management reviews and process evaluations
• 6. Resource management
  – 6.1 Resource-related processes
  – 6.2 Personnel-related processes
• 7. Product realization
  – 7.1 General
  – 7.2 Interdependency-related processes
  – 7.3 Scope-related processes
  – 7.4 Time-related processes
  – 7.5 Cost-related processes
  – 7.6 Risk-related processes
  – 7.8 Purchasing-related processes
• 8. Measurement, analysis and improvement
  – 8.1 Improvement-related processes
  – 8.2 Measurement and analysis
  – 8.3 Continual improvement
ISMS Roadmap

[Figure: ISMS Roadmap, the implementation steps laid out on the Plan-Do-Check-Act cycle. Boxes in the diagram, in the order they were extracted: Project borders agreement; Asset collection & asset value; Governing board policy approved; Risk assessment; Statement of applicability; Governing board approval; Gap analysis; Training and awareness; Monitoring and auditing; Improvements; Implementation of controls, procedures...; Record collection; Process mapping.]
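The ISO/IEC 27003 purpose statement above (assess risks, plan treatments, derive control requirements) and the ISMS Roadmap figure (asset collection and asset value, risk assessment, statement of applicability, gap analysis, implementation of controls) describe one data flow. The script below walks that flow end to end on a constructed inventory. It is an added example written for this page, not code from the slides or from any ISO standard; the scoring rule (asset value times likelihood times impact, each on a 1..3 scale), the acceptance threshold, the control catalogue with its CTL-xx identifiers and the threat-to-control mapping are all assumptions made for illustration.

```python
"""Toy pass through the ISMS roadmap: asset valuation -> risk assessment ->
Statement of Applicability -> gap analysis.  Added example; the scoring
scheme, control catalogue and threat-to-control mapping are assumptions."""
from dataclasses import dataclass

# Hypothetical control catalogue (identifiers are invented, not Annex A numbers).
CONTROLS = {
    "CTL-01": "Access control policy and user registration",
    "CTL-02": "Information backup",
    "CTL-03": "Protection against malicious code",
    "CTL-04": "Technical vulnerability management",
    "CTL-05": "Physical entry controls",
}

# Assumed mapping: which catalogue controls treat which threat.
TREATMENTS = {
    "unauthorised access": ["CTL-01"],
    "data loss": ["CTL-02"],
    "malware": ["CTL-03", "CTL-04"],
    "theft of equipment": ["CTL-05"],
}


@dataclass
class Asset:
    """One row of the asset inventory. C/I/A are rated 1 (low) .. 3 (high);
    threats maps threat name -> (likelihood 1..3, impact 1..3)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int
    threats: dict

    @property
    def value(self) -> int:
        # Asset value = highest of its C, I and A ratings (assumed rule).
        return max(self.confidentiality, self.integrity, self.availability)


def assess_risks(assets):
    """Risk register: (asset name, threat, score) for every asset/threat pair,
    score = asset value * likelihood * impact, highest risk first."""
    register = []
    for asset in assets:
        for threat, (likelihood, impact) in asset.threats.items():
            if threat not in TREATMENTS:
                raise ValueError(f"no treatment option known for threat {threat!r}")
            register.append((asset.name, threat, asset.value * likelihood * impact))
    return sorted(register, key=lambda row: -row[2])


def statement_of_applicability(register, acceptance_threshold):
    """For every catalogue control: (applicable?, justification list).
    A control is applicable when at least one risk at or above the acceptance
    threshold is treated by it; the justification records which risks."""
    justification = {cid: [] for cid in CONTROLS}
    for asset_name, threat, score in register:
        if score >= acceptance_threshold:
            for cid in TREATMENTS[threat]:
                justification[cid].append(f"{asset_name}: {threat} (score {score})")
    return {cid: (bool(why), why) for cid, why in justification.items()}


def accepted_risks(register, acceptance_threshold):
    """Risks left untreated. Acceptance is still a treatment decision that the
    governing board signs off, so they are returned explicitly for the record."""
    return [row for row in register if row[2] < acceptance_threshold]


def gap_analysis(soa, implemented):
    """Applicable controls not yet in place: the work items for the
    'Implementation of controls, procedures' step of the roadmap."""
    return sorted(cid for cid, (applicable, _) in soa.items()
                  if applicable and cid not in implemented)


# Constructed sample inventory (not real data).
SAMPLE_ASSETS = [
    Asset("Customer database", 3, 3, 2,
          {"unauthorised access": (2, 3), "data loss": (1, 3), "malware": (2, 2)}),
    Asset("Laptop fleet", 2, 1, 2,
          {"theft of equipment": (3, 2), "malware": (3, 2)}),
    Asset("Public website", 1, 2, 3, {"malware": (2, 2)}),
]
ACCEPTANCE_THRESHOLD = 12                   # assumed board-approved risk appetite
ALREADY_IMPLEMENTED = {"CTL-01", "CTL-03"}  # assumed result of the gap survey


def run_roadmap(assets=SAMPLE_ASSETS, threshold=ACCEPTANCE_THRESHOLD,
                implemented=ALREADY_IMPLEMENTED):
    """Chain the steps and return every intermediate artefact."""
    register = assess_risks(assets)
    soa = statement_of_applicability(register, threshold)
    return {"register": register, "soa": soa,
            "accepted": accepted_risks(register, threshold),
            "gaps": gap_analysis(soa, implemented)}


if __name__ == "__main__":
    result = run_roadmap()
    for row in result["register"]:
        print("risk   ", row)
    for cid, (applicable, why) in result["soa"].items():
        print("SoA    ", cid, "applicable" if applicable else "not applicable", why)
    print("accepted", result["accepted"])
    print("gaps    ", result["gaps"])
```

The point the roadmap makes, and the script makes visible, is that each artefact justifies the next: every applicable control in the Statement of Applicability is traceable to a named risk, every excluded control is excluded because no risk above appetite needs it, and the gap list is just the applicable controls the gap survey did not find. Residual risk after treatment is not modelled here; a real register would carry it as a second score per row.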