CHALLENGES OF AN ISMS IMPLEMENTATION

VIJANDRAN RAMASAMY - CISSP INFORMATION SECURITY OFFICER ISM INSURANCE SERVICES MALAYSIA BERHAD

CHALLENGES OF AN ISMS IMPLEMENTATION

AGENDA Certification Program at ISM Common Problems Faced Key Concerns on the Current Standard Critical Success Factors Recommendations Resources

BUSINESS FOCUS FOR ISM

ISM Insurance Services Malaysia Berhad is the leading provider of insurance and takaful shared services in the region. ISM Knowledge Management System (ISMKMS) ISM Fraud Management System (ISM-FMS) ISM Electronic Exchange System (ISM-EES)

ISMS STANDARD
The ISO/IEC 27001:2005 International Standard establishes guidelines, and general principles for initiating, implementing, maintaining, & improving information security management in an organization. The control objectives, & controls of this International Standard are intended to be implemented to meet the requirements identified by a risk assessment.

PURPOSE OF ISMS
To protect ISM Insurance Services Malaysia Berhad (ISM) from adverse impact on its reputation, & operations that could result from failures of Confidentiality, Integrity, and Availability. Information security is the preservation of C-I-A.

SCOPE OF CERTIFICATION FOR ISMS

The ISMS scope is for the entire operations of ISM. ISM is made up of 5 functional units:
1.

2.

3. 4. 5.

Actuarial & Statistical Services Administration & Accounts Anti-Fraud Services IT Services Research & Development Services

ISMS CONTROL OBJECTIVES AND CONTROLS

There are in total 11 control objectives, & 133 individual controls. For ISM, it has been determined that 131 controls are applicable for our organization.

ISMS CONTROL OBJECTIVES

Security Policy (1)
Management direction and support

Organization of Information Security (2)

Infrastructure, third party access and controlling security of outsourced information processing

Asset Management (3)

Identifying, classifying and protecting assets and information

ISMS CONTROL OBJECTIVES

Human Resources Security (4)
Addressing roles and responsibilities, screening, training, disciplinary process, termination.

Physical and Environmental Security (5)

Managing physical access to prevent loss, damage, theft, compromise.

ISMS CONTROL OBJECTIVES

Communications and Operations Management (6)
Ensuring correct and secure operations in computer and network systems, third party services, media (disks), electronic messaging, monitoring.

Access Control (7)

Controlling access to information, enforced by controlling and monitoring access rights to networked devices, operating systems, applications, both directly on the organizations network and via remote access.

ISMS CONTROL OBJECTIVES

Information Systems Acquisition, Development and Maintenance (8)
Building security into information systems.

Information Security Incident Management (9)

Damage control, reporting, collecting evidence.

ISMS CONTROL OBJECTIVES

Business Continuity Management (10)
Counteracting interruptions and minimizing their impact.

Compliance (11)
Avoiding breaches of law, regulatory or contractual requirements.

CHALLENGES OF AN ISMS IMPLEMENTATION

CERTIFICATION PROGRAM AT ISM
One of the key initiatives set by the Board of Directors. Balancing the need for accessibility and the preservation of C-I-A. Comprehensive insurance databases requires clearly defined security responsibilities that establish accountability. As Key Performance Indicator (KPI) for the organization.

CHALLENGES OF AN ISMS IMPLEMENTATION

CERTIFICATION PROGRAM AT ISM December 2005 Program Start. August 2006 Stage 1 Audit by SIRIM. September 2006 Stage 2 Audit by SIRIM. November 2006 Obtained ISMS certification in accordance to ISO/IEC 27001:2005.

CONSIDERATIONS FOR OBTAINING ISMS CERTIFICATION

Obtaining senior management commitment. Setting the ISMS scope. Personnel awareness and training. No magic bullet/formula. Asset identification and classification. Implementation flaws. Risk assessment. Resources.

VENDOR SELECTION CRTERIA

Service fee structure. RFP scope requirements. Technology infrastructure. Organization track record customer base. Other factors ISMS certified.

CHALLENGES OF AN ISMS IMPLEMENTATION

ISMS IMPLEMENTATION CONCEPT PLAN-DO-CHECK-ACT PDCA Model was adopted to provide systematic approach in developing, implementing, and improving the ISMS.

PHASE 1: ISMS PLANNING

ISMS Certification Road Map

Establish Roles

Develop Training & Security Awareness on Policy ISO/IEC 27001:2005

Certification Roadmap

Information Security Forum ISMS Steering Committee ISMS Secretariats ISMS Internal Auditor ISMS Implementation Team

ISMS Policy Information Security Policy

ISMS Awareness Training Security Awareness Training ISO/IEC 27001:2005 Implementation Course ISO/IEC 27001:2005 Lead Auditor Course

PHASE 2: ISMS IMPLEMENTATION

Internal Audit, Corrective & Preventive Action

Scoping & Definition of ISMS

Risk Gap Assessment & Analysis Treatment

Implement Controls & Procedures

Management Review

ISMS Scope Statement ISMS Scope Document ISMS Statement of Applicability

Gap Analysis Report

IS Risk Assessment Methodology IS Risk Assessment Report Risk Treatment Plan Develop relevant policies & procedures Develop security metrics

Records Maintenance

Internal Audit Report Corrective Action Preventive Action

Review on ISMS Effectiveness

PHASE 3: ISMS CERTIFICATION

Application

Stage 1 Audit

Stage 2 Audit

Certification

Application for Certification to SIRIM

Documentation Audit

Onsite Audit

Certified

PHASE 4: ISMS MAINTENANCE AND CONTINOUS IMPROVEMENT Enhance security controls and implementation. Evaluation of controls effectiveness. Measurement of effectiveness of control. Enhance security metrics.

COMMON PROBLEMS FACED

Lack of understanding of the requirements. Unrealistic or impractical scoping. Resource allocation. Inadequate enforcement. Security is not well integrated into current management systems or processes. Keeping the ball rolling.

KEY CONCERNS ON THE CURRENT STANDARD

Control-driven, extensive elaboration on control implementation.
Lose sight on some of the mandatory requirements in ISO/IEC 27001:2005

Tendency for individual interpretation of the standard, different auditors may have different focus and expectations.

KEY CONCERNS ON THE CURRENT STANDARD

Efficient method for security risk assessment is still lacking. Lack of guidance on security metrics measurement.
How do I measure effectiveness of ISMS? How do I define the desired state of my ISMS? How do I benchmark my ISMS implementation?

CRITICAL SUCCESS FACTORS

Senior management commitment resources, funding, time, people. Seamless integration of ISMS into current management systems. Proper assurance and governance framework established. Balancing of business and security requirements.

POST-IMPLEMENTATION IMPROVEMENTS
Account Management SUM Site-To-Site VPN (STS-VPN) High availability and load balancing of ISM computer and communication systems. Development of applications based on SDLC as per ISMS control objective. Implementation and testing of disaster recovery plans. Establishment of DRC site.

RECOMMENDATIONS
Guidance on effective ISMS scoping. Interrelate to other standards and regulatory compliance (e.g. ITIL, GPIS-1, SOX, Basel II, etc.). To supplement ISO/IEC 27001:2005 with more implementation guidance, especially in the are of security metrics and measurement, risk assessment. To have more objective way of measurement based on a security maturity model or progressive improvement. ISO/IEC 27003 Working Draft for ISMS Implementation Guidance.

RESOURCES
Here are a few good resources to check when considering ISMS implementations and certifications: www.irca.org www.iso27001security.com www.iso27001certificates.com www.sirim.my/iscg

THANK YOU INFORMATION SECURITY IS EVERYONES RESPONSIBILITY EVERY DAY

[email protected] WWW.ISM.NET.MY